Clean Firewall Policies


L1 Bithead

Hello all,

 

I am thinking about how I can clean up/organize my firewall policies. Many rules seem to be mixed up with each other. Do you have any suggestions to make it more appealing to the eye? How should I organize my rules?


L6 Presenter

Hi @tombombadil 

Cleaning up firewall security policies is a bit of a complex and lengthy process because you can't delete/update any rules right away. This might create issues or outages at times. Though it is a lengthy process, if you follow the right process, you can eventually optimize the ruleset.

 

I would recommend you look for the rules below first and see if you really need them. At times, you might need to monitor a rule for some period of time to see if it is really being used.

 

Also, when you find a rule to clean up because it has not been used for a long time or has never been used at all, DO NOT DELETE SUCH RULES RIGHT AWAY. THE BEST PRACTICE IS TO DISABLE IT FOR SOME PERIOD AND SEE IF ANYONE REPORTS ANY ISSUES. IF NOTHING COMES UP, THEN YOU CAN DELETE IT.

 

1. Check for over-permissive rules, e.g. rules with ANY ports/apps and/or sources/destinations.

2. Check for rules that are unused or have not been used recently, based on the hit counts on the rule.

3. Check out and try to use the Security Policy Optimizer. This will help you optimize your rule base efficiently.

 

Security Policy Optimizer

Security Policy Optimization

 

Hope it helps!

 

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks

L1 Bithead

Hi @SutareMayur,

Thanks for your advice. After cleaning my rules, I want to order them and collect them into sections. For example, SSL VPN rules in one part, LAN-WAN rules in another part. How can I organize my rule base?

Cyber Elite

Hello,

This is a question a lot of people have. The answer is: it depends. There are lots of ways of doing this, but the main thing to remember is that the firewall reads the rules from top to bottom, left to right. Meaning once a policy is matched, it gets applied. I do the following:

  1. Main blocking policies, i.e. block IPs by geolocation, countries, then the dynamic block lists that are built into the firewall. Block applications I know we don't want, i.e. TOR. This is for both inbound and outbound traffic.
  2. Traffic I know I want to allow, i.e. VPN tunnels, client VPN etc.
  3. Then I create a policy at the bottom for DENY ALL.
  4. Then create policies for traffic I want as an exception to the DENY ALL.

I know it's pretty general, but grouping policies can become cumbersome and complicated. It can also inadvertently allow bad traffic or block legit traffic.

 

Regards,
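An added example (not from the thread and not the firewall's own tooling or export format) that turns the advice in the two replies above into a script you can run offline: it flags allow rules with ANY in a field (step 1), lists zero-hit rules (step 2), stages them as disabled rather than deleted, and, for the ordering question, applies the "first match, top to bottom" semantics to report rules that are shadowed by an earlier rule. The `Rule` class, the `SAMPLE_RULES` list, the hit counts and the address/app matching are all constructed for illustration; a real export would come from your firewall's config and logs.

```python
"""Audit a first-match firewall rulebase: over-permissive rules, unused rules,
and rules that can never match because an earlier rule shadows them.
Added example with a constructed rule format; not a real firewall export."""
from dataclasses import dataclass, replace
import ipaddress

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: tuple        # ("any",) or CIDR strings
    dst: tuple        # ("any",) or CIDR strings
    apps: tuple       # ("any",) or application names
    action: str       # "allow" or "deny"
    hits: int = 0     # hit counter as the firewall would report it (constructed here)
    disabled: bool = False


def _covers_addr(outer, inner):
    """True if every network in `inner` lies inside some network in `outer`."""
    if ANY in outer:
        return True
    if ANY in inner:
        return False
    outer_nets = [ipaddress.ip_network(o) for o in outer]
    for i in inner:
        net = ipaddress.ip_network(i)
        if not any(net.version == o.version and net.subnet_of(o) for o in outer_nets):
            return False
    return True


def _covers_apps(outer, inner):
    """True if every app in `inner` is also allowed/denied by `outer`."""
    if ANY in outer:
        return True
    if ANY in inner:
        return False
    return set(inner) <= set(outer)


def over_permissive(rules):
    """Step 1: map each allow rule's name to the fields set to ANY."""
    out = {}
    for r in rules:
        if r.action != "allow":
            continue
        wide = [f for f in ("src", "dst", "apps") if ANY in getattr(r, f)]
        if wide:
            out[r.name] = wide
    return out


def unused(rules):
    """Step 2: enabled rules with zero hits; candidates to disable, not delete."""
    return [r.name for r in rules if r.hits == 0 and not r.disabled]


def stage_cleanup(rules):
    """Disable (never delete straight away) every zero-hit rule; returns a new list."""
    return [replace(r, disabled=True) if r.hits == 0 else r for r in rules]


def shadowed(rules):
    """First match wins, top to bottom: a rule is shadowed when an earlier enabled
    rule covers all of its sources, destinations and apps. Returns (rule, by) pairs."""
    found = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.disabled:
                continue
            if (_covers_addr(earlier.src, r.src) and _covers_addr(earlier.dst, r.dst)
                    and _covers_apps(earlier.apps, r.apps)):
                found.append((r.name, earlier.name))
                break
    return found


# Constructed rulebase laid out the way the last reply suggests: blocks first,
# known-good traffic next, a deny-all near the bottom. Two deliberate problems:
# a forgotten any/any/any allow above the deny-all, and an exception placed below it.
SAMPLE_RULES = [
    Rule("block-tor", (ANY,), (ANY,), ("tor",), "deny", hits=120),
    Rule("allow-vpn-tunnels", ("203.0.113.0/24",), ("198.51.100.0/24",), ("ipsec",), "allow", hits=4010),
    Rule("lan-to-wan-web", ("10.0.0.0/8",), (ANY,), ("web-browsing", "ssl"), "allow", hits=98000),
    Rule("legacy-any-any", (ANY,), (ANY,), (ANY,), "allow", hits=0),
    Rule("deny-all", (ANY,), (ANY,), (ANY,), "deny", hits=77),
    Rule("lan-to-wan-dns", ("10.0.0.0/8",), (ANY,), ("dns",), "allow", hits=0),
]

if __name__ == "__main__":
    print("over-permissive:", over_permissive(SAMPLE_RULES))
    print("unused:", unused(SAMPLE_RULES))
    print("shadowed now:", shadowed(SAMPLE_RULES))
    staged = stage_cleanup(SAMPLE_RULES)
    print("shadowed after disabling zero-hit rules:", shadowed(staged))
```

Running it on the sample shows why order matters as much as cleanup: `legacy-any-any` shadows `deny-all` entirely (so the deny-all is dead until that rule is disabled), and `lan-to-wan-dns` stays shadowed by `deny-all` even after the cleanup, because an exception placed below the deny-all can never match. The shadow check is deliberately conservative (it only reports a rule when a single earlier rule covers it completely), so it will not catch a rule that is covered only by the union of several earlier rules.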

 

 
