Firewall rule-based analyser

cyberpete
Level 1


I am managing a mixture of ASA and FWSM Firewalls.
Is there a Cisco tool that can sanity check the rule base, in terms of identifying redundant or shadowed rules etc., and other sub-optimal configuration issues within the rule base?
I have a lot of rules to go through manually and this would save a lot of time.
If there is no such (free) Cisco tool, does anyone have good experience of a commercially available firewall rule-base analyser tool?
Thanks in advance.
Peter


4 Replies

Marcin Latosiewicz
Cisco Employee

Peter,

CSM has a built in tool to analyze overlap etc. FWSM has a built in ACL optimizer (based on CSM's code AFAIR).

CSM is not free, but in FWSM 4.x you get this feature integrated into code.

M.

I used CSM before; while it "may" have what you're looking for, it lacks the features that other 3rd parties have, so you need to be careful about this.

There are other vendors that specialize in this kind of thing. I've personally used Firemon, Tufin (only for Checkpoint) and FirePAC. Those products are specifically designed for this kind of thing.

Thanks - The prolific existence of 3rd party apps indicates weak intrinsic capability of native support within these devices.

Yes, the only Cisco add-on for this is in CSM. I have also used FirePAC (now SolarWinds Firewall Service Manager or FSM since they acquired Athena this past August).

Both CSM and FSM offer free evaluation versions. In my experience FSM is quite a bit easier to download and install. As a more focused product it exposed the rule analysis toolset much more effectively than CSM.
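As an added example (not from the original thread, not Cisco's or any vendor's code), the script below shows the core check these analysers perform: it parses ASA/FWSM "extended" ACEs and flags a later rule whose traffic is completely covered by an earlier rule in the same access list. If the actions match the later rule is redundant; if they differ it is shadowed (it can never take effect, which is usually a mistake). The rule base is a constructed sample, the script only handles the common `any` / `host` / `network netmask` address forms and a numeric destination `eq` port, and it ignores object-groups, ranges and remarks, which a real tool would have to expand first.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample rule base (not from the original post), ASA "extended" ACE syntax.
# Note that ASA/FWSM use real netmasks here, not IOS-style wildcard masks.
SAMPLE_ACL = """
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended deny ip 10.0.0.0 255.0.0.0 any
access-list OUTSIDE_IN extended permit udp 10.1.2.0 255.255.255.0 host 203.0.113.53 eq 53
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended deny tcp any any eq 23
"""


@dataclass
class Ace:
    line_no: int
    name: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None means "any destination port"
    text: str


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one ASA address spec at tokens[i]; return (network, index of next token)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "A.B.C.D M.M.M.M" form; ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str, line_no: int) -> Optional[Ace]:
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]'; None if unsupported."""
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
        return None
    name, action, proto = tokens[1], tokens[3], tokens[4]
    src, i = _parse_addr(tokens, 5)
    dst, i = _parse_addr(tokens, i)
    dport = None
    if i + 1 < len(tokens) and tokens[i] == "eq":
        dport = int(tokens[i + 1])  # numeric ports only in this example (no 'https' names)
    return Ace(line_no, name, action, proto, src, dst, dport, line.strip())


def covers(earlier: Ace, later: Ace) -> bool:
    """True if every packet matched by `later` would already have hit `earlier`."""
    if earlier.name != later.name:
        return False
    if earlier.proto != "ip" and earlier.proto != later.proto:
        return False  # 'ip' is a superset of tcp/udp/icmp; otherwise protocols must match
    if not later.src.subnet_of(earlier.src) or not later.dst.subnet_of(earlier.dst):
        return False
    return earlier.dport is None or earlier.dport == later.dport


def analyse(acl_text: str) -> List[Tuple[str, int, int]]:
    """Return (kind, later_line, earlier_line) for each dead rule; kind is 'redundant' or 'shadowed'."""
    aces: List[Ace] = []
    for n, raw in enumerate(acl_text.strip().splitlines(), 1):
        ace = parse_ace(raw, n)
        if ace:
            aces.append(ace)
    findings = []
    for idx, later in enumerate(aces):
        for earlier in aces[:idx]:  # first-match semantics: only earlier rules can hide a rule
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((kind, later.line_no, earlier.line_no))
                break
    return findings


if __name__ == "__main__":
    for kind, later, earlier in analyse(SAMPLE_ACL):
        print(f"line {later} is {kind} (fully covered by line {earlier})")
```

On the sample, line 2 is reported redundant (the `any` permit on line 1 already allows it), while lines 4 and 6 are shadowed by the broader deny and permit above them; the per-rule hit counts in `show access-list` are a quick way to confirm such findings on a live ASA, since a fully shadowed ACE never increments.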