Query and Reporting from Firewall rule base

Unanswered Question

In large organizations where firewall policies develop over a long period of time, sometimes the result of merging rules from two or more firewalls, organizational and contract changes etc.; rules can get quite unmanageable. I am wondering if Cisco firewall management software has tools that would help in these situations.

Being able to answer simple questions like "To what IP addresses is TCP 1521 allowed" is one thing. Being able to do complex merge and union operations is another. Even the ability to export into Excel with group object members expanded would allow some of this type of management even if the software itself did not offer it.

So... anybody know what Cisco has in this regard?

Ganesh Hariharan Sat, 02/06/2010 - 04:22

Hi,

If you access the firewall via ASDM you can export the whole rule base to CSV/HTML format for analysing and finding rules with a specific port.

When you connect to a firewall using ASDM, in the Firewall tab on the front page itself you can see the export option for the whole rule base in two formats, CSV or HTML.

Hope this helps

If helpful do rate the post

Ganesh.H
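As an added example (not code from this thread, from Cisco, or from ASDM), the script below answers the question's own query, "to what addresses is TCP 1521 allowed", over ASA-style access-list and object-group lines, expanding group members the way the poster wanted for an export. The configuration is a constructed sample, not an ASDM CSV export; the script lists permit entries only and ignores rule ordering, so a deny earlier in the list is not taken into account.

```python
import ipaddress

# Constructed sample ASA configuration (not an ASDM export); object-groups hide the real targets.
SAMPLE_CONFIG = """\
object-group network DB_SERVERS
 network-object host 10.1.1.10
 network-object 10.1.2.0 255.255.255.0
object-group service ORACLE tcp
 port-object eq 1521
access-list OUTSIDE_IN extended permit tcp any object-group DB_SERVERS object-group ORACLE
access-list OUTSIDE_IN extended permit tcp host 192.0.2.5 host 10.1.3.7 eq 1521
access-list OUTSIDE_IN extended permit tcp any host 10.1.4.4 eq 443
"""

def parse_groups(config):
    """Map each network/service object-group name to its expanded member list."""
    groups, current = {}, None
    for tok in (line.split() for line in config.splitlines() if line.strip()):
        if tok[0] == "object-group":                # "object-group network|service NAME ..."
            current = groups.setdefault(tok[2], [])
        elif tok[0] == "network-object":            # "host X" or "NET MASK"
            current.append(tok[2] if tok[1] == "host" else f"{tok[1]}/{tok[2]}")
        elif tok[0] == "port-object":               # "eq N"
            current.append(tok[2])
    return groups

def endpoint(tok, i, groups):
    """Expand the source/destination field starting at tok[i]; returns (members, next index)."""
    if tok[i] == "any":
        return ["0.0.0.0/0"], i + 1
    if tok[i] == "host":
        return [tok[i + 1]], i + 2
    if tok[i] == "object-group":
        return groups[tok[i + 1]], i + 2
    return [f"{tok[i]}/{tok[i + 1]}"], i + 2       # explicit network + mask

def destinations_for_tcp_port(config, port):
    """Answer 'to which destinations is TCP <port> permitted?' with every group expanded."""
    groups, hits = parse_groups(config), set()
    for tok in (line.split() for line in config.splitlines()):
        if tok[:1] != ["access-list"] or "permit" not in tok or tok[tok.index("permit") + 1] != "tcp":
            continue                                # only "permit tcp" entries can open the port
        i = tok.index("permit") + 2
        _, i = endpoint(tok, i, groups)             # source field (not needed for this question)
        dests, i = endpoint(tok, i, groups)         # destination field, groups expanded
        ports = [str(port)] if i >= len(tok) else (   # no port field: every TCP port is open
            groups[tok[i + 1]] if tok[i] == "object-group" else [tok[i + 1]])
        if str(port) in ports:
            hits.update(str(ipaddress.ip_network(d, strict=False)) for d in dests)
    return sorted(hits)
```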

gibrice Fri, 02/12/2010 - 10:56

Hi Duane,

While this isn't necessarily a Cisco provided management tool, Tufin SecureTrack can do what you are asking for in a Cisco environment. Analysis queries can find whether a device can get to a server on 1521, or whether 1521 is open to a certain network, or even if any port other than 1521 is open from one device to another. The data can be queried in many forms.

The compare function is a diff on steroids. Objects are collected, tracked and can be viewed.

HTH

Gil Brice

AndrewKalat Mon, 03/01/2010 - 12:08

Good day Duane,

While at risk of jumping on the "me too" bandwagon, I also work for a company that provides a great tool that can do what you are asking as well as a lot of great optimization, risk and compliance reporting, and clean up of Cisco ACL policies. Again, not a Cisco supplied tool, but we work closely with them on it. You can check out our Algosec Firewall Analyzer by following the link.

In the interest of full disclosure, I work as a Sales Engineer for Algosec.

Thanks,

Andrew Kalat
