Remove your unnecessary firewall rules to increase performance and rulebase efficiency. Athena's rule cleanup solution analyzes firewall configs and logs to isolate redundant, covered and unused rules and objects. Designed to find more rules for removal than any other solution, it lets you resolve your firewall complexity in minutes, right from your desktop!
Discover why so many network engineers find Athena's rule cleanup solution to be the most comprehensive and easy to use.
Most engineers will agree that keeping a firewall rulebase clutter-free is good practice. Rule/object cleanup not only improves maintainability, but also helps you stay within the rule limits imposed by firewalls and improves firewall performance. Automating this process using Athena ensures that all of your unnecessary rules and objects are safely removed, without causing an adverse impact on existing service availability or exposing the business to unauthorized traffic.
Athena's rule/object cleanup solution analyzes firewall configs and logs to isolate redundant, covered and unused rules, and reports how objects are used both on a per-rule basis and globally for each object. All cleanup reports are provided with commented, well-structured scripts to make the complete process painless and simple.
Structural Rule Analysis: This maximizes your opportunity for cleanup by catching every possible case of redundancy that can accumulate over time (the main reason a rulebase becomes bloated and overly complicated). Structural redundancies are configuration errors that play no role in the firewall's behavior and can be removed immediately to gain an instant boost in rulebase efficiency. Examples of redundancies Athena automatically finds for you include:
- Generalized rules that cover a number of more specific rules already existing in the firewall.
- Rules added without realizing that one or more preceding or succeeding rules, taken together, already handle the functionality the new rule addresses.
- Rules added as a special case of one or more subsequent rules in order to exhibit special behavior (often temporarily).
Rule/Object Usage Analysis: Athena will also find stale rules based on rule hit counts and traffic data captured in the firewall logs. This is useful to remove temporary rules and rules that are no longer needed because the business purpose for the rule went away. In the absence of rule documentation, rule usage analysis is the only reliable way to identify such rules.
FirePAC rule usage analysis looks at the hit counts and the traffic data for a given log period and computes the rule and object usage for all the rules (only those with logging enabled for Check Point and NetScreen firewalls). Using this data, FirePAC reports the following:
- ACL rules that were never used in the given log period. You can remove entire ACL rules using this report.
- Network and Service objects within a rule that see no traffic. Using this report, you can narrow each rule for which usage data is available.
- Members of Network and Service object groups that are not used in any rule. You can remove entire objects and in some cases narrow the definition of object groups by removing unused members using this report.
- Most used rules and objects for the given log period.
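The two analyses described above (structural redundancy in the "Structural Rule Analysis" list and hit-count based usage in the list just finished) can be illustrated with a small detector. This is an added example written for this page, not Athena or FirePAC code; it assumes a simplified rule model (source CIDR, destination CIDR, destination port set, action) and a constructed log format carrying `rule=<name>` per line. It flags a rule as shadowed when an earlier rule already matches all of its traffic, as covered when a later same-action rule matches all of it with no intervening different-action rule that could intercept the traffic (so a genuine temporary exception is kept), and as unused when the log period shows no hits.

```python
import re
from collections import Counter, namedtuple
from ipaddress import ip_network
# Rule fields: name, source CIDR, destination CIDR, destination ports (frozenset), action.
Rule = namedtuple("Rule", "name src dst ports action")

def covers(outer, inner):  # every packet matched by `inner` is also matched by `outer`
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and inner.ports <= outer.ports)

def overlaps(a, b):  # at least one packet could match both rules
    return (ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and bool(a.ports & b.ports))

def find_structural_redundancies(rules):  # -> {rule name: why it can be removed}
    findings = {}
    for j, rule in enumerate(rules):
        # Shadowed: an earlier rule already matches everything this rule would match.
        shadow = next((p for p in rules[:j] if covers(p, rule)), None)
        if shadow:
            findings[rule.name] = f"shadowed by {shadow.name}"
            continue
        # Covered: a later rule with the same action matches it, and no rule in between
        # with a different action can intercept that traffic (else it is a real exception).
        for k in range(j + 1, len(rules)):
            if covers(rules[k], rule):
                blocked = any(m.action != rule.action and overlaps(m, rule) for m in rules[j + 1:k])
                if rules[k].action == rule.action and not blocked:
                    findings[rule.name] = f"covered by {rules[k].name}"
                break
    return findings

def find_unused_rules(rules, log_lines):  # rules with zero hits in the given log lines
    hits = Counter(m.group(1) for m in (re.search(r"\brule=(\S+)", s) for s in log_lines) if m)
    return [r.name for r in rules if hits[r.name] == 0]

# Constructed sample rulebase and log lines (not taken from any real firewall).
RULES = [
    Rule("R1", "10.0.0.0/8", "192.168.1.10/32", frozenset({443}), "allow"),
    Rule("R2", "10.1.0.0/16", "192.168.1.10/32", frozenset({443}), "allow"),  # shadowed by R1
    Rule("R3", "10.2.5.0/24", "192.168.2.0/24", frozenset({22}), "deny"),     # real exception to R4, keep
    Rule("R4", "10.2.0.0/16", "192.168.2.0/24", frozenset({22, 80}), "allow"),
    Rule("R5", "172.16.0.0/12", "192.168.2.0/24", frozenset({80}), "allow"),  # covered by R6
    Rule("R6", "172.16.0.0/12", "192.168.0.0/16", frozenset({22, 80, 443}), "allow"),
]
LOG = [
    "2024-05-01T10:00:01 fw1 action=allow rule=R1 src=10.0.1.5 dst=192.168.1.10 dport=443",
    "2024-05-01T10:00:07 fw1 action=deny rule=R3 src=10.2.5.9 dst=192.168.2.4 dport=22",
]
```

On the sample rulebase, `find_structural_redundancies(RULES)` reports R2 as shadowed by R1 and R5 as covered by R6 while leaving the deny exception R3 in place, and `find_unused_rules(RULES, LOG)` lists R2, R4, R5 and R6 as unhit in the log period; as the text notes, usage findings depend on the chosen log period and rules with logging disabled are invisible to them.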
When used in conjunction with Athena's Rule Tracker for keeping business purpose documentation associated with individual rules, the Rule/Object usage analysis becomes an especially powerful tool for identifying rules that have outlived their usefulness and should be removed.
Rule Re-ordering: Once cleanup is completed, additional improvements in performance can be achieved by using the same traffic log data to determine the most used rules and objects. Athena provides automated reordering recommendations by taking into account all rule dependencies so that the firewall's behavior is not adversely impacted. This can also be helpful to determine which rules can be combined to reduce the size of the rulebase.