Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Firewall analizer for Policy Optimization and Cleanup

Hi there,

I am looking for a firewall analizer which includes a feature for Policy Optimization and Cleanup.  If available, I would prefer an open source one, but I can look for another one.  I was wondering if you have any recommendations.

Thanks in advance for your help.

Regards,

Paula

3 REPLIES
Hall of Fame Super Silver

Firewall analizer for Policy Optimization and Cleanup

Several companies make such products:

http://www.firemon.com/products/securitymanager/

http://algosec.com/en/products/firewall_analyzer

I've not used them myself.

Bronze

Firewall analizer for Policy Optimization and Cleanup

I think the original poster asked for recommendations from folks with actual experiences using the products.

Yes, I've used both Firemon, Algosec and Tufin products for firewall optimization and clean up.  All of the products rely heavily on the firewall logs.  The more archive log you have, the better the product is at optimizing and cleanup your rule base.

Ranking based on my opinion:

Tufin:  Excellent with checkpoint firewall, just OK for Cisco ASA firewall.  Tufin is an appliance

Firemon:  Really good with Cisco Pix firewalls.  Firemon is an appliance (a bundle of CentOS and Firemon Application)

Algosec:  OK with Cisco Pix IOS firewalls.  Algosec runs on Redhat Enterprise Linux

Cisco Employee

Firewall analizer for Policy Optimization and Cleanup

Paula,

If you are a CSM customer, it currently has a couple of embedded tools for firewall policy analysis and rule consolidation.  I've found them to be incredibly handy in the past, particularly when performing routine audits/reviews.  Within the access policies section, you can perform the following:

1)Analysis - Analyzes the policy for duplicate/overlapping rules

2)Combine - Finds duplicate access control entries and presents you with the option of combining

3)Hit Count - Examine the usage of one or more rules

See the following doc for more information on these features:

http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.2/user/guide/fwaccess.html

Thanks,

Christopher

3355
Views
0
Helpful
3
Replies
CreatePlease login to create content