03-19-2018 01:08 PM - edited 02-21-2020 07:32 AM
Hello All,
One of our company's firewalls has a "permit any any" rule and I've been tasked with auditing the connections. The goal is to get rid of the permit any any but I'm not sure what will be the best way to do this. We have 4k+ live connections. Any suggestions?
Any help is much appreciated!
03-19-2018 01:25 PM
03-19-2018 02:21 PM
Thank you so much. That helps a lot.
03-19-2018 01:27 PM
Hi,
I assume this is traffic leaving your network (e.g. user internet access)?
I'd start by explicitly creating rules above the permit ip any any rule for traffic you know about, e.g. HTTP, HTTPS, DNS, etc. You should start to see the hit counters increase.
I'd then start logging (to syslog ideally) the permit ip any any traffic and determine what you want to allow, and then again create additional rules to permit that traffic.
Eventually you will have created rules for all the traffic you want permitted, at which point you can change to a deny ip any any.
HTH
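As an added example (not from the original thread or any poster), here is a small Python script for the logging step above: it aggregates "permitted" syslog hits from the permit ip any any rule by protocol and destination port and proposes explicit ACL entries for the services seen, leaving low-volume flows for manual review. The log lines are constructed and the format is assumed to follow the Cisco IOS %SEC-6-IPACCESSLOGP style; adapt the regex to your platform.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the style of Cisco IOS %SEC-6-IPACCESSLOGP
# (format assumed; adjust LOG_RE to your firewall's actual log format).
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.5(51234) -> 203.0.113.10(443), 1 packet
%SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.6(51235) -> 203.0.113.10(443), 3 packets
%SEC-6-IPACCESSLOGP: list 101 permitted udp 10.1.1.5(52000) -> 10.1.0.53(53), 2 packets
%SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.7(51300) -> 198.51.100.20(80), 5 packets
%SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.9(51301) -> 198.51.100.77(8081), 1 packet
"""

LOG_RE = re.compile(
    r"list (?P<acl>\S+) permitted (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<pkts>\d+) packets?"
)

def parse_hits(log_text):
    """Yield one dict per parsable 'permitted' log line; unparsable lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "pkts"):
                d[k] = int(d[k])
            yield d

def summarize(log_text):
    """Aggregate hits by (protocol, destination port): packet count, distinct sources and destinations."""
    agg = defaultdict(lambda: {"pkts": 0, "srcs": set(), "dsts": set()})
    for h in parse_hits(log_text):
        e = agg[(h["proto"], h["dport"])]
        e["pkts"] += h["pkts"]
        e["srcs"].add(h["src"])
        e["dsts"].add(h["dst"])
    return {k: {"pkts": v["pkts"], "srcs": len(v["srcs"]), "dsts": len(v["dsts"])} for k, v in agg.items()}

def candidate_rules(log_text, min_pkts=2):
    """Propose explicit ACL entries for services seen at least min_pkts times; the rest are returned for review."""
    summary = summarize(log_text)
    rules, review = [], []
    for (proto, dport), s in sorted(summary.items(), key=lambda kv: -kv[1]["pkts"]):
        line = f"permit {proto} any any eq {dport}   ! {s['pkts']} pkts, {s['srcs']} srcs, {s['dsts']} dsts"
        (rules if s["pkts"] >= min_pkts else review).append(line)
    return rules, review
```

Run `candidate_rules(SAMPLE_LOG)` to get the proposed entries (busiest service first) and the list of flows still to review; the destination-count column helps decide whether "any" on the destination is really warranted or should be narrowed to specific hosts.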
03-19-2018 02:22 PM
03-20-2018 02:22 AM