topic Re: Clean Firewall Policies in General Topics

Clean Firewall Policies

tombombadil — Fri, 25 Oct 2024 07:15:27 GMT

Hello all,

I am thinking of how can i clean/organize my firewall policies. Many rules seem to be mixed up within each other. Do you have any suggestions to make it more appealing to the eye? How should I organize my rules?

Re: Clean Firewall Policies

SutareMayur — Fri, 25 Oct 2024 07:49:34 GMT

Hi @tombombadil

Firewall security policies is a bit complex and lengthy process because you can't delete/update any rules right away. This might create an issue or outages at times. Though it is a lengthy process, if you follow right process, eventually you can optimize the ruleset.

I would recommend you to look for below rules first and see if you really need those rules. At times, you might need to monitor the rules for some time period to see if is it really being used.

Also, when you find any rule to be clean up as not used since long or never used at all, DO NOT DELETE SUCH RULE/S RIGHT AWAY. BEST PRACTICE IS TO DISABLE IT FOR SOME PERIOD AND SEE IF ANYONE REPORTS ANY ISSUES. IF NOTHING COMES THEN YOU CAN DELETE IT.

1. Check for Over permissive rules. E.g. rules with ANY ports/apps and/or source/destinations.

2. Check for unused or not used in recent time rules based on the hit counts on the rule.

3. Check and try to use Security Policy Optimizer. This will help you to optimize your rule base efficiently.

Security Policy Optimizer

Security Policy Optimization

Hope it helps!

Re: Clean Firewall Policies

tombombadil — Fri, 25 Oct 2024 08:16:25 GMT

Hi @SutareMayur,

Thanks for your advices. After the cleaning my rules, I want to order them and I want to collect my rules in subfields. Such as, SSL VPN rules will be in part, LAN-WAN rules in a part. How can I organize my rule base ?

Re: Clean Firewall Policies

OtakarKlier — Tue, 29 Oct 2024 16:58:05 GMT

Hello,

This is a question a lot of people have. The answer is it depends. Lots of ways doing this but the main thing to remember is that the firewall reads the rules from top to bottom left to right. Meaning once a policy is matched, it gets applied. I do the following:

Main blocking policies - i.e. block IP's by geolocation, countries, then dynamic block lists that are built into the firewall. Block applications I know we dont want, ie TOR. This is for both inbound and outbound traffic.
Traffic I know I want to allow, ie VPN tunnels, client VPN etc.
Then I create a policy at the botton, for DENY ALL
Then create policies for traffic I want as an exception for the DENY ALL

I know its pretty general but grouping policies can become cumbersome and complicated. Also can inadvertently allow bad traffic or block legit traffic.

Regards,