One of our company's firewalls has a "permit any any" rule and I've been tasked with auditing the connections. The goal is to get rid of the permit any any but I'm not sure what will be the best way to do this. We have 4k+ live connections. Any suggestions?
Any help is much appreciated!
I assume this is traffic leaving your network (e.g. user internet access)?
I'd start by explicitly creating rules above the permit ip any any rule for traffic you know about, e.g. HTTP, HTTPS, DNS, etc. You should start to see the hit counters increase.
I'd then start logging (to syslog ideally) the permit ip any any traffic and determine what you want to allow, and then again create additional rules to permit that traffic.
Eventually you will have created rules for all the traffic you want permitted, at which point you can change to a deny ip any any.
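The procedure in the answer above, as an added example (not from the original thread or from Cisco): parse the syslog lines that a logged catch-all ACE produces, aggregate the flows that still fall through to it, turn the busiest ones into explicit permit entries, and render the ACL with either the logged permit (while auditing) or the final deny as the last line. It assumes IOS-style `%SEC-6-IPACCESSLOGP` messages and an ACL named OUTBOUND; the syslog lines, addresses and packet counts are constructed sample input.

```python
import re
from collections import Counter

# Constructed sample syslog in the format IOS emits for tcp/udp hits on an ACE
# with the "log" keyword (%SEC-6-IPACCESSLOGP). Not traffic from the original post.
SAMPLE_SYSLOG = """\
Mar 10 10:01:02 fw1 12345: %SEC-6-IPACCESSLOGP: list OUTBOUND permitted tcp 10.1.1.5(51234) -> 93.184.216.34(443), 1 packet
Mar 10 10:01:09 fw1 12346: %SEC-6-IPACCESSLOGP: list OUTBOUND permitted tcp 10.1.1.7(50001) -> 93.184.216.34(443), 12 packets
Mar 10 10:02:15 fw1 12347: %SEC-6-IPACCESSLOGP: list OUTBOUND permitted udp 10.1.1.5(53210) -> 10.0.0.53(53), 4 packets
Mar 10 10:03:40 fw1 12348: %SEC-6-IPACCESSLOGP: list OUTBOUND permitted tcp 10.1.1.9(40000) -> 198.51.100.20(8443), 1 packet
Mar 10 10:03:41 fw1 12349: %SEC-6-IPACCESSLOGP: list OUTBOUND permitted tcp 10.1.1.9(40001) -> 198.51.100.20(8443), 1 packet
Mar 10 10:04:02 fw1 12350: %SEC-6-IPACCESSLOGP: list INBOUND permitted tcp 203.0.113.8(33000) -> 10.1.1.25(22), 3 packets
Mar 10 10:05:00 fw1 12351: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Matches the tcp/udp form only; icmp (IPACCESSLOGDP) and other protocols
# (IPACCESSLOGNP) use slightly different layouts and are skipped here.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_log(text):
    """Return one dict per tcp/udp ACL log line; unrelated syslog lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            e = m.groupdict()
            e["count"] = int(e["count"])
            entries.append(e)
    return entries


def summarize(entries, acl, action="permitted"):
    """Sum packet counts per (proto, dst, dport) for hits logged by one ACL."""
    flows = Counter()
    for e in entries:
        if e["acl"] == acl and e["action"] == action:
            flows[(e["proto"], e["dst"], e["dport"])] += e["count"]
    return flows


def propose_aces(flows, src="any", min_packets=1):
    """Turn observed flows into explicit permit ACEs, busiest first.

    src defaults to "any" only because the sample has no inside-subnet
    information; tighten it to the real source network before deploying."""
    ranked = sorted(flows.items(), key=lambda kv: (-kv[1], kv[0]))
    return [
        f"permit {proto} {src} host {dst} eq {dport}"
        for (proto, dst, dport), n in ranked
        if n >= min_packets
    ]


def build_acl(name, aces, audit=True):
    """Render an extended ACL: explicit permits first, catch-all last.

    While auditing, the catch-all stays "permit ip any any log" so unmatched
    traffic keeps flowing and keeps being logged; once every needed flow has
    its own line above it, call with audit=False to swap in the deny."""
    lines = [f"ip access-list extended {name}"]
    lines += [f" {ace}" for ace in aces]
    lines.append(" permit ip any any log" if audit else " deny ip any any log")
    return "\n".join(lines)


if __name__ == "__main__":
    entries = parse_acl_log(SAMPLE_SYSLOG)
    flows = summarize(entries, "OUTBOUND")
    for (proto, dst, dport), n in flows.most_common():
        print(f"{n:6d}  {proto} -> {dst}:{dport}")
    aces = propose_aces(flows)
    print(build_acl("OUTBOUND", aces, audit=True))
    print(build_acl("OUTBOUND", aces, audit=False))
```

Two caveats when using counts like these as evidence: IOS logs the first packet that matches a logged ACE and then only periodic summaries (every five minutes by default, adjustable with `ip access-list log-update threshold`), so the packet counts are a lower bound on real volume; and because the explicit permits sit above the catch-all, once a flow gets its own line it stops appearing in the log, so the remaining log volume is itself the measure of how close the ACL is to being ready for the final deny.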