cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
488
Views
25
Helpful
5
Replies

Suggestions for Narrowing Down Permit Any Any Rule

vdj2008
Beginner
Beginner

Hello All,

 

One of our company's firewalls has a "permit any any" rule and I've been tasked with auditing the connections.  The goal is to get rid of the permit any any but I'm not sure what will be the best way to do this.  We have 4k+ live connections.  Any suggestions?

 

Any help is much appreciated!

1 Accepted Solution

Accepted Solutions

James Leinweber
Enthusiast
Enthusiast
The first step is to crank up the logging and see what is hitting it. Then add rules in front of it for traffic you want to allow. When the usage count of the "permit any any" rule stops increasing, or all the remaining traffic is something you hate, you can switch to "deny any any". Not that on firmwares 9.x "any" is dual-protocol, IPv4 and IPv6, so these sorts of rules will have weird cross-protocol NAT mappings in their full expansions. You may want to try separate IPv4-only and IPv6 only rules "permit any4 any4" and "permit any6 any6". I'm OK with "deny any any" :-)

View solution in original post

5 Replies 5

James Leinweber
Enthusiast
Enthusiast
The first step is to crank up the logging and see what is hitting it. Then add rules in front of it for traffic you want to allow. When the usage count of the "permit any any" rule stops increasing, or all the remaining traffic is something you hate, you can switch to "deny any any". Not that on firmwares 9.x "any" is dual-protocol, IPv4 and IPv6, so these sorts of rules will have weird cross-protocol NAT mappings in their full expansions. You may want to try separate IPv4-only and IPv6 only rules "permit any4 any4" and "permit any6 any6". I'm OK with "deny any any" :-)

Thank you so much.  That helps alot

Rob Ingram
VIP Expert VIP Expert
VIP Expert

Hi,

I assume this is traffic leaving your network (eg user internet access)?

I'd start by explicitly creating rules above the permit ip any any rule for traffic you know about. Eg http, https, dns etc. You should start to see the hit counters increase.

 

I'd then start logging (to syslog ideally) the permit ip any any traffic and determine what you want to allow and then again create additional rules to permit that traffic.

 

Eventually you will have created rules for all the traffic you want permitting, at which point you can change to a deny ip any any.

 

HTH

Thank you for the quick reply! Very helpful

Florin Barhala
Frequent Contributor
Frequent Contributor
As a side note to this thread, it would not hurt to rate useful posts.
It will be to everyone's benefit.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers