topic Re: Recommendation for developing baseline firewall rules based ONLY on logs from FMC in Network Security

Recommendation for developing baseline firewall rules based ONLY on logs from FMC

damode — Fri, 21 Feb 2020 17:33:45 GMT

Hi all, We have recently deployed some firewalls in a client's network which was initally an "open" network.

Based on the design of these new firewalls put in place to implement proper segmentation, I have been tasked with developing baseline firewalls rules.

Because the network was initially open, there is no way I could possily use any existing rules because there were no rules! Plus getting the expected traffic flow information between each zones from the relevant teams of the client is not possible for unknown reasons. They do not have that sort of visibility. So the responsibility is all upon me to somehow develop this baseline firewall rules based on just looking at the traffic logs. Without no surprise, this is a humongous task.

Hence, I am wondering if there is any better or more efficient and faster way to do this ? I dont want to go through the logs line by line to determine what firewall rule should I create ?

Does anyone know if there's any such feature or dashboard/report in FMC where I can get the visibility of the high traffic patterns from all zones, which can eventually help me build this firewall policy ?

For e.g a list of traffic flows which tells me there is high amount of traffic between zone A to zone B and so on.

Re: Recommendation for developing baseline firewall rules based ONLY on logs from FMC

Francesco Molino — Mon, 07 Oct 2019 03:28:35 GMT

Hi

This is always a difficult task but you can have the visibility when connecting to FMC and looking at the dashboard or creating few reports on the reporting tab. You can also check the context explorer which will give you source hosts and destination and applications.
You will need to start with the most used applications and then narrow down the logs after few days by filtering all events matching the default open rule. Few back and forth here to be able to construct few rules before moving the default to a deny statement.

Re: Recommendation for developing baseline firewall rules based ONLY on logs from FMC

Marvin Rhoads — Mon, 07 Oct 2019 10:19:48 GMT

They might be better off running a Stealthwatch POV with the FTD device as a source for the Netflow records.

Stealthwatch is much better at capturing and visualizing flows as it has a lot of built-in reporting and customizing the output is quite easy from the Stealthwatch Management Console (SMC).

Re: Recommendation for developing baseline firewall rules based ONLY on logs from FMC

damode — Thu, 10 Oct 2019 22:42:15 GMT

That sounds like a great idea. Thanks!

I am currently exploring how I can do this via reports. Incase, if you already know, can you please advise if there's a place from where I can get a list of porys/protocols regularly accessed from a security zone and to destination zone, apart from logs?

Re: Recommendation for developing baseline firewall rules based ONLY on logs from FMC

Francesco Molino — Fri, 11 Oct 2019 01:52:40 GMT

If you go into the report menu you should be able to explore different reports and find which one fits your need.
Let me check it and come back to you.

I've not mentioned stealthwatch in my previous answer and if you're able to to add this piece then it would much more helpful.

Re: Recommendation for developing baseline firewall rules based ONLY on logs from FMC

damode — Thu, 24 Oct 2019 01:22:31 GMT

Answering my own question here. I was finally able to figure out a way to do this after spending a lot of time studying the FMC features.

To find out what interfaces are carrying most of the traffic, the Traffic by Ingress/Egress Security Zone panel can be used within the context explorer page under Analysis. If there are multiple firewalls, you can drilldown by using filter option at top left. There you can mention the firewall name in the device option. On top right, choose your preferred timeline next to Show the last: field.
Once you have done that, go to Analysis --> connections --> Table View of Connection Events. Edit and apply the search based on below filters,
- enter device name, (firewall you are working on)
- ingress zone (based on what your finding in step 1)
- egress zone (based on what your finding in step 1)
Choose appropriate timeline (top right). I prefer static - 1 month for tuning purpose.
Select interesting fields,
- Click on x icon next to any of the field name
- Check next to All Columns to select all
- Uncheck to unselect all columns
- Check
  - Ingress Zone
  - Ingress Interface
  - Egress Zone
  - Egress Interface
  - Destination Port / ICMP Code
- Click Apply
Once the page is loaded, select Count (extreme right field) to sort in descending order. Thats where you will see the high traffic flow information.

Hope this helps anyone who is working on similar thing

If anyone knows more efficient way of doing this, feel free to share!