
SolarWinds Firewall Security Manager Frequently Asked Questions

Installation and Licensing

Firewall Rule Cleanup and Optimization

Firewall Operations Management/Change Support

How is Firewall Security Manager licensed?

Firewall Security Manager (FSM) is licensed based on the number of devices (firewalls and routers) that you want to analyze. The lowest license tier you can purchase is up to 2 firewalls. For pricing information you can request a quote.

Which vendors does Firewall Security Manager support?

Firewall Security Manager supports the following firewall products:

  • Cisco Security Appliances: PIX, ASA, FWSM, ASA 8.3
  • Cisco IOS routers: Version 12.0 to 12.14, excluding X* Series
  • Juniper firewalls: Netscreen, SSG, ISG
  • Check Point™ products: SmartCenter NG/NGX, Security Management R70
  • Check Point™ platforms: SecurePlatform, Check Point IPSO (formerly Nokia), Crossbeam, Linux, Solaris

How do I upgrade my number of firewalls?

As long as you are under active maintenance you can upgrade your license to any higher tier simply based on the current list price difference between the tiers. Please contact sales@athenasecurity.net.

Can I install Firewall Security Manager on more than one workstation?

Firewall Security Manager can be installed on as many workstations as needed, but it may only analyze and manage up to the number of firewalls licensed. For example, if you have 4 firewalls to manage, you must purchase a license for up to 4 firewalls regardless of the number of workstations you plan to install the client on.

How does Firewall Security Manager collect and store data?

Firewall Security Manager uses the configuration files of supported firewall devices to perform analysis. The configuration files are imported from the local host's filesystem and must be obtained from the firewall device independently of Firewall Security Manager.

For help on obtaining configuration files you can also download the Firewall Security Manager Data Collection Guide.

How do I use Firewall Security Manager to find and clean up unnecessary rules?

Firewall Security Manager identifies unnecessary rules as those rules whose functionality is covered by one or more preceding or succeeding rules in the rule base. Removing these rules will not have any impact on the behavior of the firewall. Firewall Security Manager flags these unnecessary rules in the Redundant and Shadowed Rules section of the Firewall Cleanup and Optimization report. Redundant rules are rules that have the same action as the rules that cover them. Shadowed rules are rules that have a different action than the rule or rules that cover them. This could indicate a potential misconfiguration, since the intent of the rules is in conflict.

Firewall Security Manager also identifies rules that are made redundant or shadowed by several rules together, each of which covers only a portion of the redundant rule. The covering rules may precede the given rule, follow it, or both.

A rule may be made redundant by rules that either precede or follow it. We have noticed that more than 50% of redundant rules are actually covered by rules that follow them. This typically happens when there are many specific rules and a general rule that covers all the specific cases and more is then added to the rule base.

The Redundant and Shadowed Rules section of the Firewall Cleanup and Optimization report shows the unnecessary rules and the rules that cover them. Each individual rule that is unnecessary is identified with a comment. For example, "Redundant to <10, 20>" or "Shadowed by <40, 50>". The number in the comment refers to the rule number (or line number) of the access list statement in the rule base that covers the redundant or shadowed rule.

You may also wish to eliminate Disabled rules and/or Time inactive rules listed under the corresponding section header in the Rule Cleanup and Optimization report.

Note: There are instances where you may not want to remove a rule, despite the fact that it is redundant because it is covered by a rule below it. The redundant rule may have been inserted for a purpose, for example to log packets to the specific destination named in the rule, to perform application inspection, or to improve performance. In such cases, leave the rule as is.
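The covering relationship described above can be checked mechanically. The following Python is an added example and not Firewall Security Manager's own code: it enumerates every packet in a small constructed address space, asks for each rule whether removing it changes any decision under first-match semantics, and labels the unnecessary rules in the report's "Redundant to <...>" / "Shadowed by <...>" style, citing the preceding rules that absorb the traffic or the following rules it would fall through to. The rule base, addresses, ports and rule numbers are all constructed for the example.

```python
"""Semantic check for redundant and shadowed rules in a first-match rule base."""
import ipaddress
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Rule:
    number: int                  # rule (line) number, as the report comment cites it
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: range                 # destination ports matched, e.g. range(80, 81)

    def matches(self, pkt):
        src, dst, port = pkt
        return src in self.src and dst in self.dst and port in self.ports


def first_match(rules, pkt):
    """First-match semantics: the first rule matching pkt, or None (implicit default)."""
    return next((r for r in rules if r.matches(pkt)), None)


def decision(rules, pkt, default="deny"):
    rule = first_match(rules, pkt)
    return rule.action if rule else default


def classify_unnecessary(rules, universe):
    """Return {rule_number: comment} for rules whose removal changes no decision.

    `universe` is the finite packet set the check is exhaustive over; a rule
    that matches nothing in it cannot be judged and is skipped.
    """
    findings = {}
    for i, rule in enumerate(rules):
        without = rules[:i] + rules[i + 1:]
        mine = [p for p in universe if rule.matches(p)]
        if not mine:
            continue
        # Packets that currently hit this rule first (not caught by an earlier rule).
        reach = [p for p in mine if first_match(rules, p) is rule]
        if any(decision(without, p) != rule.action for p in reach):
            continue                                 # removal would change behaviour
        if reach:
            # Covered by rules that FOLLOW it: its traffic falls through to them.
            coverers = {first_match(without, p) for p in reach} - {None}
        else:
            # Covered by rules that PRECEDE it: its traffic never reaches it.
            coverers = {first_match(rules[:i], p) for p in mine}
        if not coverers:
            findings[rule.number] = "Redundant to <implicit default deny>"
            continue
        nums = ", ".join(str(c.number) for c in sorted(coverers, key=lambda c: c.number))
        if all(c.action == rule.action for c in coverers):
            findings[rule.number] = f"Redundant to <{nums}>"
        else:
            findings[rule.number] = f"Shadowed by <{nums}>"
    return findings


N = ipaddress.IPv4Network
SAMPLE_RULES = [  # constructed sample rule base, numbered like ACL lines
    Rule(10, "permit", N("10.0.0.0/28"), N("192.168.1.0/28"), range(80, 81)),
    Rule(20, "deny",   N("10.0.0.0/29"), N("192.168.1.0/28"), range(22, 23)),
    Rule(30, "permit", N("10.0.0.0/29"), N("192.168.1.0/29"), range(80, 81)),    # inside rule 10
    Rule(40, "permit", N("10.0.0.0/28"), N("192.168.1.0/28"), range(22, 23)),
    Rule(50, "permit", N("10.0.0.0/29"), N("192.168.1.8/29"), range(22, 23)),    # rule 20 denies this first
    Rule(60, "permit", N("10.0.0.0/29"), N("192.168.1.0/28"), range(443, 444)),  # general rule 70 follows
    Rule(70, "permit", N("10.0.0.0/28"), N("192.168.1.0/28"), range(443, 444)),
]


def packet_universe():
    """Every (src, dst, port) over the small constructed address space the rules use."""
    return list(product(N("10.0.0.0/28"), N("192.168.1.0/28"), (22, 80, 443, 8080)))


if __name__ == "__main__":
    for num, comment in sorted(classify_unnecessary(SAMPLE_RULES, packet_universe()).items()):
        print(f"rule {num}: {comment}")
```

Rule 30 is absorbed by the preceding rule 10 with the same action (redundant), rule 50 is absorbed by the preceding rule 20 with the opposite action (shadowed, the conflict the text warns about), and rule 60 is the "specific rule followed by a general rule" case: its traffic falls through to rule 70, so it is redundant to a rule below it. Exhaustive enumeration only works for toy address spaces; a production checker would compare rules symbolically, but the classification logic is the same.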

How do I use Firewall Security Manager to find and clean up unnecessary objects?

Firewall Security Manager identifies all address and service objects that have not been used in any of the ACL and NAT rules within the firewall. Unused objects are determined by analyzing the membership hierarchy of group objects used in a rule. The sections Unused Network Objects, Unused Network Group objects, Unused Service Objects and Unused Service Group Objects in the Firewall Cleanup and Optimization report list all the unused objects in the firewall configuration.

How do I use Firewall Security Manager to get usage data about my firewall rules?

Firewall Security Manager aggregates the rule usage data from firewall logs or access list hit counts. This means that you can use daily or weekly logs over an extended period of time to get an accurate picture of rule usage. Firewall Security Manager uses this data to present a report showing the most used rules, unused rules and an optimized rule order for better firewall performance. The aggregated rule usage data can be found in the Most Used Rules, Unused Rules and Optimized Rule Order sections of the Firewall Cleanup and Optimization report.

For Check Point and Juniper NetScreen firewalls, the firewall logs are used for determining rule usage. Any rule which has a tracking option and is not found in the firewall log data is marked as unused.

For Check Point firewalls, the Rule UID in the firewall log data is used to identify the used rules in the firewall rule base. For NetScreen firewalls, the policy IDs in the firewall syslog data are used to identify the used rules in the firewall rule base.

For Cisco PIX/ASA/FWSM firewalls, access list hit counts are used for determining rule usage. Any rule that has a hit count of zero is considered unused. The access list hit counts can be obtained with the command "show access-list". The access list hit counts are reset when the firewall is restarted, and they can also be reset explicitly with the command "clear access-list [id] counters", so a single snapshot only reflects usage since the last restart or reset.

If a SolarWinds Orion NCM system is used as the source for importing firewall configuration data, Firewall Security Manager automatically downloads the access list hit counts from the firewall through Orion NCM.
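Because the hit counters are cumulative and fall back to zero on a restart or an explicit clear, aggregating several daily "show access-list" snapshots is not a matter of adding the raw numbers. The following Python is an added example, not code from Firewall Security Manager: it parses the top-level ACE lines of the command output, sums each counter's growth between snapshots, treats a decrease as a reset, and reports the most used and unused entries. The snapshots and hash values are constructed, and the assumption that expanded object-group entries are indented (so only the parent line is counted) is the author's own.

```python
"""Aggregate Cisco PIX/ASA `show access-list` hit counts across snapshots."""
import re

# One top-level ACE line of `show access-list` output.  Assumption about the
# format: the expanded entries of object-group ACEs are indented, so anchoring
# at column 0 keeps only the parent line and avoids counting hits twice.
ACE_RE = re.compile(r"^access-list (\S+) line (\d+) .*?\(hitcnt=(\d+)\)")


def parse_show_access_list(text):
    """Return {(acl_name, line_no): hitcnt} for one snapshot of the command output."""
    counts = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw)          # header, remark and indented element lines do not match
        if m:
            counts[(m.group(1), int(m.group(2)))] = int(m.group(3))
    return counts


def aggregate_hits(snapshots):
    """Sum how much each counter grew across snapshots taken in chronological order.

    Hit counts are cumulative and fall back to zero on a restart or an explicit
    `clear access-list <id> counters`, so a value lower than the previous one is
    treated as a reset and counted in full instead of as a negative delta.
    """
    totals, previous = {}, {}
    for snap in snapshots:
        for key, count in parse_show_access_list(snap).items():
            last = previous.get(key)
            grew = count if (last is None or count < last) else count - last
            totals[key] = totals.get(key, 0) + grew
            previous[key] = count
    return totals


def usage_report(snapshots):
    """Return (most_used, unused): ACEs by descending total hits, and those never hit."""
    totals = aggregate_hits(snapshots)
    most_used = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    unused = sorted(k for k, v in totals.items() if v == 0)
    return most_used, unused


# Constructed snapshots of `show access-list outside_in`; the hash values are
# placeholders, and the third snapshot was taken after a reboot reset the counters.
SNAPSHOTS = [
    """access-list outside_in; 4 elements; name hash: 0x00000000
access-list outside_in line 1 remark Public web servers
access-list outside_in line 2 extended permit tcp any object-group WEB eq www (hitcnt=120) 0x00000001
  access-list outside_in line 2 extended permit tcp any host 192.0.2.10 eq www (hitcnt=120) 0x00000002
access-list outside_in line 3 extended permit tcp any host 192.0.2.11 eq ssh (hitcnt=0) 0x00000003
access-list outside_in line 4 extended deny ip any any (hitcnt=15) 0x00000004
""",
    """access-list outside_in; 4 elements; name hash: 0x00000000
access-list outside_in line 1 remark Public web servers
access-list outside_in line 2 extended permit tcp any object-group WEB eq www (hitcnt=300) 0x00000001
  access-list outside_in line 2 extended permit tcp any host 192.0.2.10 eq www (hitcnt=300) 0x00000002
access-list outside_in line 3 extended permit tcp any host 192.0.2.11 eq ssh (hitcnt=0) 0x00000003
access-list outside_in line 4 extended deny ip any any (hitcnt=40) 0x00000004
""",
    """access-list outside_in; 4 elements; name hash: 0x00000000
access-list outside_in line 1 remark Public web servers
access-list outside_in line 2 extended permit tcp any object-group WEB eq www (hitcnt=25) 0x00000001
  access-list outside_in line 2 extended permit tcp any host 192.0.2.10 eq www (hitcnt=25) 0x00000002
access-list outside_in line 3 extended permit tcp any host 192.0.2.11 eq ssh (hitcnt=0) 0x00000003
access-list outside_in line 4 extended deny ip any any (hitcnt=3) 0x00000004
""",
]

if __name__ == "__main__":
    most_used, unused = usage_report(SNAPSHOTS)
    print("most used:", most_used)
    print("unused:", unused)
```

Line 2 grows from 120 to 300 and then restarts at 25, so its total is 120 + 180 + 25 = 325 rather than the 445 a naive sum would give; line 3 never moves and is reported as unused. A rule with zero hits across a long observation window is a cleanup candidate, but as the text notes, a single snapshot taken shortly after a restart says very little.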

How do I use Firewall Security Manager to optimize my rulebase for better performance?

Firewall Security Manager combines the rule usage data from the firewall logs with the rule order dependency analysis to compute an optimized rule order that improves the performance of the firewall. Rules are reordered based on usage while taking order dependencies into account. Order dependent rules are those rules that overlap with each other and have opposite actions (for example permit and deny). The optimized rule order preserves the original firewall behavior.

You should run Firewall Security Manager to determine the optimized rule order after you have completed rule cleanup involving unnecessary or unused rules.

Order dependent rules are listed in the Rule Order Dependencies section of the Firewall Cleanup and Optimization report. The new optimized rule order can be found in the Optimized Rule Order section of the report.
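The reordering described above is a constrained sort: move frequently hit rules up, but never swap two overlapping rules with opposite actions. The following Python is an added example and not the product's own algorithm: it derives the order dependencies from pairwise overlap, then runs Kahn's topological sort, always emitting the most used rule among those whose dependencies are already placed. The rule base and hit counts are constructed.

```python
"""Usage-ordered rule sort that keeps order-dependent rule pairs in sequence."""
import heapq
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class UsedRule:
    number: int
    action: str              # "permit" or "deny"
    src: str                 # CIDR; "0.0.0.0/0" means any
    dst: str
    port: Optional[int]      # destination port; None means any
    hits: int                # aggregated hit count from logs or counters


def overlaps(a, b):
    """True when at least one packet could match both rules."""
    return (ipaddress.ip_network(a.src).overlaps(ipaddress.ip_network(b.src))
            and ipaddress.ip_network(a.dst).overlaps(ipaddress.ip_network(b.dst))
            and (a.port is None or b.port is None or a.port == b.port))


def order_dependencies(rules):
    """(earlier, later) rule-number pairs whose relative order must be preserved:
    overlapping rules with opposite actions."""
    return [(a.number, b.number)
            for i, a in enumerate(rules) for b in rules[i + 1:]
            if a.action != b.action and overlaps(a, b)]


def optimized_order(rules):
    """Kahn's topological sort, always emitting the most-hit rule that is free to move up.
    Ties keep the original order, so an already optimal rule base comes back unchanged."""
    by_num = {r.number: r for r in rules}
    pending = {r.number: 0 for r in rules}
    successors = {r.number: [] for r in rules}
    for earlier, later in order_dependencies(rules):
        pending[later] += 1
        successors[earlier].append(later)
    heap = [(-r.hits, r.number) for r in rules if pending[r.number] == 0]
    heapq.heapify(heap)
    order = []
    while heap:
        _, num = heapq.heappop(heap)
        order.append(num)
        for nxt in successors[num]:
            pending[nxt] -= 1
            if pending[nxt] == 0:
                heapq.heappush(heap, (-by_num[nxt].hits, nxt))
    return order


def respects_dependencies(order, rules):
    """Sanity check: every order-dependent pair keeps its relative order."""
    pos = {num: i for i, num in enumerate(order)}
    return all(pos[e] < pos[l] for e, l in order_dependencies(rules))


SAMPLE_RULES = [  # constructed rule base with hit counts, in its current order
    UsedRule(10, "permit", "10.0.0.0/24", "0.0.0.0/0",      80,   hits=5),
    UsedRule(20, "deny",   "10.0.0.0/24", "192.168.1.0/24", 22,   hits=50),
    UsedRule(30, "permit", "10.0.0.0/16", "192.168.1.0/24", 22,   hits=900),
    UsedRule(40, "permit", "0.0.0.0/0",   "192.168.2.0/24", 443,  hits=2000),
    UsedRule(50, "deny",   "0.0.0.0/0",   "0.0.0.0/0",      None, hits=10),
]

if __name__ == "__main__":
    print("dependencies:", order_dependencies(SAMPLE_RULES))
    print("optimized order:", optimized_order(SAMPLE_RULES))
```

Rule 30 is hit far more often than rule 20, but the deny in rule 20 carves an exception out of it, so rule 20 must stay ahead; the catch-all deny in rule 50 overlaps every permit and therefore stays last. The result [40, 20, 30, 10, 50] moves the busiest rule to the top without changing any decision, which is why the text recommends running the optimization only after the unnecessary and unused rules have been removed: every rule still present constrains the sort.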

How do I use Firewall Security Manager to find ACL rules that match a given service, source, or destination address in my firewalls?

Using the Rule Search feature in Firewall Security Manager, you can quickly search for ACL rules across multiple firewalls by service, source, and destination. Sources and destinations can be IP address ranges or object names. The search value for a service can be an object name, a port value or port range for TCP/UDP services, or a protocol range. Any of the three search parameters that is omitted is simply not used in the search.

The search feature provides an option for a partial or an exact match of the search parameter values, with an exact match being the default.

A partial match is useful for finding every occurrence of a specific address, service, or object in a rule, in particular when the service is part of an object definition and you do not know the object name.

An exact search is useful if you are searching for rules that contain the entire input as is, or as part of a larger aggregation such as a group object. For example, when you are searching for a range value or "Any", you may not want to see rules that match the search range only partially, and instead want only rules that contain all your search values exactly.

You can also restrict the search to return only allow or deny rules.

The results are presented in a uniform tabular view for all firewall types.

How do I use Firewall Security Manager to find ACL rules that refer to a service or address object in my firewalls?

Use the Rule Search feature in Firewall Security Manager and enter the service or address object name. You may narrow your search further by specifying other address and/or service parameters as well, and you can search across multiple firewalls in a single step. Any of the three parameters that is omitted is not used in the search. You can also restrict the search to return only allow or deny rules.

The search results will also include rules that refer to object groups containing the object names specified in the search. This gives you the ability to understand the full impact of the object you are looking for on the ACL rules.

How do I use Firewall Security Manager to quickly find the member and containing object hierarchy of a service or address object?

Using the Object Search feature in Firewall Security Manager, you can use a service or address object name to quickly search objects across multiple firewalls in the inventory. Object names are searched by prefix match, i.e. you do not need to specify the complete object name, which is helpful if the object name is long or you are not sure of its complete name. The search returns all objects matching the name, including any object groups that contain a matching object anywhere in their member hierarchy.

The results are presented in a tree table that is uniform for all firewall types, showing the complete hierarchy of object groups down to the lowest level, with the ability to expand and view any member object definition in the hierarchy. All objects that matched the name are highlighted in bold in the results tree, including where they appear as members of an object group. This quickly lets you get to the objects you are looking for while also showing which object groups refer to them.

How do I use Firewall Security Manager to quickly find all service objects and object groups that match a port range?

Using the Object Search feature in Firewall Security Manager, you can use a service port range to quickly search service objects across multiple firewalls in the inventory. The search returns all service objects matching the port range, including all object groups containing a matched service object in their member hierarchy. All service objects that matched the port range are highlighted in bold in the results tree, including where they appear as members of an object group. This quickly lets you get to the objects you are looking for while also showing which object groups refer to them.

The search has an option to return objects that match only part of the port range. By default only objects that match the complete port range are returned.

How do I use Firewall Security Manager to quickly find all address objects and object groups that match an ip address or a subnet?

Using the Object Search feature in Firewall Security Manager, you can use an IP address and subnet mask to quickly search address objects across multiple firewalls in the inventory. The search returns all address objects matching the IP address and mask, including all object groups containing a matched address object in their member hierarchy. All address objects that matched are highlighted in bold in the results tree, including where they appear as members of an object group. This quickly lets you get to the objects you are looking for while also showing which object groups refer to them.

The search has an option to return objects that match only part of the IP address and mask. By default, only objects that match the complete IP address and mask are returned.
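The three Object Search questions above (by name prefix, by port range, and by IP address and mask) all rely on the same two ideas: a match test on the leaf object, and a walk up the group membership hierarchy so that every containing group is reported alongside the match. The following Python is an added example over a constructed inventory, not the product's own code; the address and service objects, the groups, and the interpretation of "exact" as equality and "partial" as overlap are the author's assumptions.

```python
"""Object Search over a constructed inventory: by name prefix, port range or subnet,
reporting every object group that contains a match anywhere in its hierarchy."""
import ipaddress

# Constructed inventory.  Leaf objects map to a definition; groups map to member
# names, which may themselves be groups.
ADDRESS_OBJECTS = {
    "web-srv-01": ipaddress.ip_network("192.0.2.10/32"),
    "web-srv-02": ipaddress.ip_network("192.0.2.11/32"),
    "db-srv-01":  ipaddress.ip_network("192.0.2.20/32"),
    "dmz-net":    ipaddress.ip_network("192.0.2.0/24"),
}
SERVICE_OBJECTS = {                  # name -> (low, high) destination port range
    "http": (80, 80), "https": (443, 443), "web-alt": (8000, 8100), "ssh": (22, 22),
}
GROUPS = {
    "web-servers": ["web-srv-01", "web-srv-02"],
    "all-servers": ["web-servers", "db-srv-01"],
    "web-ports":   ["http", "https", "web-alt"],
}


def containing_groups(name):
    """Every group that contains `name` directly or through nested groups."""
    found, frontier = set(), {name}
    while frontier:
        parents = {g for g, members in GROUPS.items() if frontier & set(members)}
        frontier = parents - found      # climb one level; stop when nothing new appears
        found |= parents
    return found


def with_hierarchy(names):
    """Attach the containing-group set to each matched name, as the results tree does."""
    return {n: containing_groups(n) for n in names}


def search_by_name(prefix):
    """Prefix match on object and group names."""
    everything = list(ADDRESS_OBJECTS) + list(SERVICE_OBJECTS) + list(GROUPS)
    return with_hierarchy([n for n in everything if n.startswith(prefix)])


def search_by_port_range(low, high, partial=False):
    """Exact (default): the object's range equals the searched range.  Partial: they overlap."""
    def hit(lo, hi):
        return (lo <= high and low <= hi) if partial else (lo, hi) == (low, high)
    return with_hierarchy([n for n, (lo, hi) in SERVICE_OBJECTS.items() if hit(lo, hi)])


def search_by_subnet(cidr, partial=False):
    """Exact (default): the object's network equals the searched one.  Partial: they overlap."""
    net = ipaddress.ip_network(cidr)
    def hit(obj):
        return obj.overlaps(net) if partial else obj == net
    return with_hierarchy([n for n, obj in ADDRESS_OBJECTS.items() if hit(obj)])


if __name__ == "__main__":
    print(search_by_name("web"))
    print(search_by_port_range(8080, 8080, partial=True))
    print(search_by_subnet("192.0.2.0/24", partial=True))
```

Searching for the prefix "web" returns web-srv-01 together with web-servers and all-servers, the two groups that reach it, which is the "containing object hierarchy" the first question asks about. Port 8080 finds nothing under an exact search but finds web-alt (8000-8100) and its group web-ports under a partial search, and the same contrast holds for a /24 against the host objects inside it.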