cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

266
Views
5
Helpful
4
Replies
Beginner

Recommendation for developing baseline firewall rules based ONLY on logs from FMC

Hi all, We have recently deployed some firewalls in a client's network which was initally an "open" network.

 

Based on the design of these new firewalls put in place to implement proper segmentation, I have been tasked with developing baseline firewalls rules.

 

Because the network was initially open, there is no way I could possily use any existing rules because there were no rules! Plus getting the expected traffic flow information between each zones from the relevant teams of the client is not possible for unknown reasons. They do not have that sort of visibility. So the responsibility is all upon me to somehow develop this baseline firewall rules based on just looking at the traffic logs. Without no surprise, this is a humongous task.

 

Hence, I am wondering if there is any better or more efficient and faster way to do this ? I dont want to go through the logs line by line to determine what firewall rule should I create ?

 

Does anyone know if there's any such feature or dashboard/report in FMC where I can get the visibility of the high traffic patterns from all zones, which can eventually help me build this firewall policy ?

For e.g a list of traffic flows which tells me there is high amount of traffic between zone A to zone B and so on.

Everyone's tags (2)
4 REPLIES 4
VIP Advisor

Re: Recommendation for developing baseline firewall rules based ONLY on logs from FMC

Hi

This is always a difficult task but you can have the visibility when connecting to FMC and looking at the dashboard or creating few reports on the reporting tab. You can also check the context explorer which will give you source hosts and destination and applications.
You will need to start with the most used applications and then narrow down the logs after few days by filtering all events matching the default open rule. Few back and forth here to be able to construct few rules before moving the default to a deny statement.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Beginner

Re: Recommendation for developing baseline firewall rules based ONLY on logs from FMC

That sounds like a great idea. Thanks!

 

I am currently exploring how I can do this via reports. Incase, if you already know, can you please advise if there's a place from where I can get a list of porys/protocols regularly accessed from a security zone and to destination zone, apart from logs?

VIP Advisor

Re: Recommendation for developing baseline firewall rules based ONLY on logs from FMC

If you go into the report menu you should be able to explore different reports and find which one fits your need.
Let me check it and come back to you.

I've not mentioned stealthwatch in my previous answer and if you're able to to add this piece then it would much more helpful.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Highlighted
Hall of Fame Master

Re: Recommendation for developing baseline firewall rules based ONLY on logs from FMC

They might be better off running a Stealthwatch POV with the FTD device as a source for the Netflow records.

Stealthwatch is much better at capturing and visualizing flows as it has a lot of built-in reporting and customizing the output is quite easy from the Stealthwatch Management Console (SMC).