Building New Policies for New Firewall Implementations

L4 Transporter

Is anyone using simple application filter groups to build policies for new firewalls? I find myself looking at tap traffic all day trying to build policies on what I see users hitting and it's cumbersome. Is anyone just creating an application filter called business applications and adding all the business applications to it, risk level 1-4 maybe or even level 1-3? I mean Google Docs is set as a risk 5, not sure how that is? If I started building policies based on what I see in the tap traffic I could be building policies for months. What is the recommendation for this?

Cyber Elite

@s.williams1,

First let me address the risk 5 on Google Docs: as it's a way to exfil data from your network, it is rightfully a threat within the network. A computer uploading or editing a large amount on Google Docs or Dropbox could possibly be an indication of a compromise.

I would highly recommend that you set up Application Filters if this is your first deployment; application groups would be a good fit as well. Create an application group for all of the traffic that you legitimately want to deny from your traffic (peer-to-peer and such) that can be used in a deny rule. Then create a group or filter for business sanctioned traffic, traffic that you know about and expect in your environment.

This should get you to a good point where you can simply find anything that doesn't meet those filters and build additional rules for them. Usually you'll find a bunch of stuff on the internal network that isn't running on what the App-ID considers application-default ports, so keep that in mind. Services such as SQL are likely not utilizing the standard tcp/1433, udp/1433 and udp/1434 that the mssql-db and mssql-mon App-IDs have listed.

The biggest piece of advice I can likely give to someone deploying these in a new environment is to not fully dive into the 'zero trust' stuff if your business requirements allow it. Deploying a new firewall into an environment that has never had layer-7 capabilities in a true zero trust configuration will break a lot of stuff you aren't expecting. Work into the zero trust configuration as you know how your traffic is actually going to get identified and what is and is not running on the default ports.

Ya, and really that can only be done by digging into logs of daily traffic patterns. I mean I am going to miss stuff for sure, so tickets will come for things that people could access the day before "go live", but I am trying not to stress myself out with knowing every single thing I need to allow. What I did for a small site running a PA-500 was create an allow-all policy and move it to the bottom right before the cleanup rule, then watched traffic for days and built policies above the allow-all to see what was still getting caught by it, but again this was a small site. Now looking at a datacenter replacement where almost 85% of internet traffic is going, I don't have that kind of time.
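Both posts above describe the same workflow: put a temporary allow-all rule just above the cleanup rule, watch what still hits it, and turn those hits into explicit App-ID rules, watching for services that are not on their application-default ports. The script below is an added example (not from the thread or from Palo Alto Networks) that automates that triage over a constructed, simplified CSV log. The column names, the catch-all rule name `allow-all-temp` and the `APP_DEFAULT_PORTS` map are all assumptions for the example; a real PAN-OS traffic log export has a different schema, and the real application-default ports come from the App-ID database.

```python
"""Triage sessions allowed by a temporary catch-all rule into candidate App-ID rules.

Added example, not part of the LIVEcommunity thread. The log format, rule
names and port map are constructed assumptions, not the PAN-OS export schema.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample traffic log. Field names are assumptions for this example.
SAMPLE_LOG = """src,dst,app,proto,dport,rule,action,risk
10.1.1.10,10.2.2.5,mssql-db,tcp,1433,allow-all-temp,allow,2
10.1.1.11,10.2.2.5,mssql-db,tcp,14330,allow-all-temp,allow,2
10.1.1.12,142.250.0.1,google-docs-base,tcp,443,business-apps,allow,5
10.1.1.13,10.2.2.9,ssh,tcp,22,allow-all-temp,allow,4
10.1.1.13,10.2.2.9,ssh,tcp,2222,allow-all-temp,allow,4
10.1.1.14,203.0.113.7,bittorrent,tcp,6881,deny-p2p,deny,5
10.1.1.15,10.2.2.20,smb,tcp,445,allow-all-temp,allow,3
10.1.1.16,10.2.2.20,smb,tcp,445,allow-all-temp,allow,3
"""

# Constructed application-default port map covering the apps in the sample.
# Assumption for the example only; the App-ID database is the authority.
APP_DEFAULT_PORTS = {
    "mssql-db": {("tcp", 1433), ("udp", 1433)},
    "ssh": {("tcp", 22)},
    "smb": {("tcp", 445), ("tcp", 139)},
    "google-docs-base": {("tcp", 443)},
}

CATCH_ALL_RULE = "allow-all-temp"  # assumed name of the temporary allow-all rule


def parse_log(text):
    """Parse the constructed CSV log into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def apps_hitting_catch_all(rows, catch_all=CATCH_ALL_RULE):
    """Return {app: {(proto, dport): session_count}} for sessions the catch-all allowed.

    Traffic already matched by an explicit allow or deny rule is ignored; only
    what the catch-all let through still needs a policy.
    """
    seen = defaultdict(lambda: defaultdict(int))
    for r in rows:
        if r["rule"] == catch_all and r["action"] == "allow":
            seen[r["app"]][(r["proto"], int(r["dport"]))] += 1
    return {app: dict(ports) for app, ports in seen.items()}


def non_default_port_hits(catch_all_apps, defaults=APP_DEFAULT_PORTS):
    """List (app, proto, port, count) combos a strict application-default rule would drop."""
    flagged = []
    for app, ports in catch_all_apps.items():
        for (proto, port), count in ports.items():
            if (proto, port) not in defaults.get(app, set()):
                flagged.append((app, proto, port, count))
    return sorted(flagged)


def suggest_rules(catch_all_apps, defaults=APP_DEFAULT_PORTS):
    """Draft one allow rule per app.

    Use application-default when every observed port is a default port;
    otherwise list the observed ports explicitly so the service does not
    silently break when the catch-all rule is removed at go-live.
    """
    rules = []
    for app in sorted(catch_all_apps):
        ports = catch_all_apps[app]
        if all(p in defaults.get(app, set()) for p in ports):
            service = "application-default"
        else:
            service = ",".join(f"{proto}/{port}" for proto, port in sorted(ports))
        rules.append({"app": app, "service": service, "sessions": sum(ports.values())})
    return rules


if __name__ == "__main__":
    hits = apps_hitting_catch_all(parse_log(SAMPLE_LOG))
    for app, proto, port, count in non_default_port_hits(hits):
        print(f"non-default port: {app} {proto}/{port} ({count} sessions)")
    for rule in suggest_rules(hits):
        print(f"allow {rule['app']} service={rule['service']} ({rule['sessions']} sessions)")
```

The output is a review list, not a commit: an app seen on a non-default port (here `mssql-db` on tcp/14330 and `ssh` on tcp/2222) may be a legitimately relocated service or something worth a closer look, which is exactly the judgement the reply above says you should make before tightening toward application-default.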
