Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
755
Views
25
Helpful
5
Replies

Suggestions for Narrowing Down Permit Any Any Rule

Go to solution
vdj2008
Level 1
Level 1

‎03-19-2018 01:08 PM - edited ‎02-21-2020 07:32 AM

Hello All,

 

One of our company's firewalls has a "permit any any" rule and I've been tasked with auditing the connections.  The goal is to get rid of the permit any any but I'm not sure what will be the best way to do this.  We have 4k+ live connections.  Any suggestions?

 

Any help is much appreciated!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
James Leinweber
Level 4
Level 4

‎03-19-2018 01:25 PM

The first step is to crank up the logging and see what is hitting it. Then add rules in front of it for traffic you want to allow. When the usage count of the "permit any any" rule stops increasing, or all the remaining traffic is something you hate, you can switch to "deny any any". Not that on firmwares 9.x "any" is dual-protocol, IPv4 and IPv6, so these sorts of rules will have weird cross-protocol NAT mappings in their full expansions. You may want to try separate IPv4-only and IPv6 only rules "permit any4 any4" and "permit any6 any6". I'm OK with "deny any any" :-)

View solution in original post

5 Replies 5

Go to solution
James Leinweber
Level 4
Level 4

‎03-19-2018 01:25 PM

The first step is to crank up the logging and see what is hitting it. Then add rules in front of it for traffic you want to allow. When the usage count of the "permit any any" rule stops increasing, or all the remaining traffic is something you hate, you can switch to "deny any any". Not that on firmwares 9.x "any" is dual-protocol, IPv4 and IPv6, so these sorts of rules will have weird cross-protocol NAT mappings in their full expansions. You may want to try separate IPv4-only and IPv6 only rules "permit any4 any4" and "permit any6 any6". I'm OK with "deny any any" :-)

Go to solution
vdj2008
Level 1
Level 1
In response to James Leinweber

‎03-19-2018 02:21 PM

Thank you so much.  That helps alot

0 Helpful

Go to solution
Rob Ingram
VIP
VIP

‎03-19-2018 01:27 PM

Hi,

I assume this is traffic leaving your network (eg user internet access)?

I'd start by explicitly creating rules above the permit ip any any rule for traffic you know about. Eg http, https, dns etc. You should start to see the hit counters increase.

 

I'd then start logging (to syslog ideally) the permit ip any any traffic and determine what you want to allow and then again create additional rules to permit that traffic.

 

Eventually you will have created rules for all the traffic you want permitting, at which point you can change to a deny ip any any.

 

HTH

Go to solution
vdj2008
Level 1
Level 1
In response to Rob Ingram

‎03-19-2018 02:22 PM

Thank you for the quick reply! Very helpful
0 Helpful

Go to solution
Florin Barhala
Level 6
Level 6
In response to vdj2008

‎03-20-2018 02:22 AM

As a side note to this thread, it would not hurt to rate useful posts.
It will be to everyone's benefit.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card