I have 2 questions on best practices for managing and reviewing firewall rules.
Our company uses PaaS from a hosting provider, and they manage the firewalls (Fortigate). We need to know which rules we have and organize the process of firewall rule changes. Obviously the firewall is shared and we will not have access to its UI.
The problem of ordering the rules:
As of now we have a google sheet for ordering new rules. The sheet has unique ruleID, category of source and destination traffic, source address group, destination address group, port group, action and an auto-generated comment which basically contains rule ID and category of source and destination to simplify review.
So the rules when we request them look like:
"----Rule# id3205----
ansible-prod --> db-stage ==via== ssh
Comment: [Rule# id3205] Solution [Staging] : Ansible --> DB"
So far so good, all clear and neat.
The problem is that the hosting provider cannot add different subnets in one address group. As I understand it, that is because they bind an address group to an interface in the firewall policy, and if the VLAN of the interface doesn't match the VLAN of a subnet in the address group, that doesn't work. So we need to use a lot of small address groups --> more rules are needed.
We have a few thousand firewall rules which we need to manage and review, and the number is growing. We are trying to use rules for subnets but it doesn't help too much :)
Another problem is that there are multiple partitions in the firewall, and if we order access from SubnetA to SubnetB and they belong to 2 partitions, then the one rule which we requested becomes 2 rules in the firewall.
So our requested rules do not match the real setup in the firewalls.
The problem of firewall review:
Since we don't have access to the firewall, we can only ask the provider to export the rules for us. But as I wrote above, one rule may become 2 rules in 2 different partitions. So it is quite difficult to track.
Plus, in later versions of Fortigate the vendor removed policy hit counters, so it seems that we are blind now and don't know if a specific rule is heavily used or not.
Questions
I'd like to ask the community if there are any best practices for managing and requesting firewall rules when one doesn't have access to the console of the firewall, and how you perform firewall reviews?
Maybe someone can share how you manage firewall rules in general?
Thanks a lot.
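The request sheet and the provider export described above can be reconciled mechanically because every requested rule carries its rule ID in the comment field (`[Rule# id3205]`). The following is an added example, not code from the original post or from the hosting provider: it parses a constructed copy of the request sheet and a constructed provider export (the export column names, including `partition`, are assumed, not a real Fortigate export format), joins the two on the rule ID found in the comment, and reports rules that were requested but are absent, rules whose source/destination/port/action drifted from what was requested, rules that expanded into several partitions, and firewall rules that carry no request ID at all. The last category is the one a reviewer without console access most wants to see, since those rules never went through the ordering process.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample of the request sheet from the question (column names assumed).
REQUEST_SHEET = """\
rule_id,src_category,dst_category,src_group,dst_group,port_group,action
id3205,Solution,Staging,ansible-prod,db-stage,ssh,accept
id3206,Solution,Staging,ansible-prod,app-stage,https,accept
id3207,Monitoring,Prod,zabbix-prod,db-prod,zabbix-agent,accept
"""

# Constructed sample of a provider export. Column names are an assumption for this
# example, not the real Fortigate export layout. Note id3205 appears in two partitions,
# id3206 was implemented with a different port group, and policy 140 has no request ID.
FIREWALL_EXPORT = """\
partition,policy_id,src_group,dst_group,port_group,action,comment
part-A,101,ansible-prod,db-stage,ssh,accept,[Rule# id3205] Solution [Staging] : Ansible --> DB
part-B,57,ansible-prod,db-stage,ssh,accept,[Rule# id3205] Solution [Staging] : Ansible --> DB
part-A,102,ansible-prod,app-stage,http,accept,[Rule# id3206] Solution [Staging] : Ansible --> App
part-A,140,legacy-net,db-prod,any,accept,temporary access
"""

# Matches the auto-generated comment prefix described in the question: "[Rule# id3205]".
RULE_ID_RE = re.compile(r"\[Rule#\s*(\S+?)\]")

# Fields that must agree between the request and the implemented policy.
COMPARED_FIELDS = ("src_group", "dst_group", "port_group", "action")


def rule_id_from_comment(comment):
    """Return the request rule ID embedded in a policy comment, or None if absent."""
    m = RULE_ID_RE.search(comment or "")
    return m.group(1) if m else None


def load_requests(text):
    """Parse the request sheet into {rule_id: row}."""
    return {row["rule_id"]: row for row in csv.DictReader(io.StringIO(text))}


def load_export(text):
    """Parse the provider export; group tagged policies by rule ID, keep untagged ones apart."""
    by_id = defaultdict(list)
    untagged = []
    for row in csv.DictReader(io.StringIO(text)):
        rid = rule_id_from_comment(row["comment"])
        if rid:
            by_id[rid].append(row)
        else:
            untagged.append(row)
    return by_id, untagged


def reconcile(requests, firewall_by_id, untagged):
    """Compare requested rules with implemented policies and return a findings dict."""
    report = {"missing": [], "mismatch": [], "expanded": {}, "untagged": [], "unrequested": []}
    for rid, req in requests.items():
        actual = firewall_by_id.get(rid, [])
        if not actual:
            report["missing"].append(rid)          # requested but never implemented
            continue
        if len(actual) > 1:
            # one requested rule became several policies (one per partition)
            report["expanded"][rid] = sorted(r["partition"] for r in actual)
        for r in actual:
            for field in COMPARED_FIELDS:
                if r[field] != req[field]:
                    # implemented policy drifted from what was ordered
                    report["mismatch"].append((rid, r["partition"], field, req[field], r[field]))
    # policies with no request ID never went through the ordering process
    report["untagged"] = [(r["partition"], r["policy_id"]) for r in untagged]
    # tagged policies whose ID is not in the sheet (stale or mistyped IDs)
    report["unrequested"] = sorted(set(firewall_by_id) - set(requests))
    return report


def run_review():
    """Convenience wrapper: load the constructed samples and reconcile them."""
    requests = load_requests(REQUEST_SHEET)
    by_id, untagged = load_export(FIREWALL_EXPORT)
    return reconcile(requests, by_id, untagged)


if __name__ == "__main__":
    for key, value in run_review().items():
        print(f"{key}: {value}")
```

Running the reconciliation on each new export turns the review into a diff against the sheet rather than a read-through of thousands of policies; the "untagged" and "mismatch" lists are the items to raise with the provider, and the "expanded" map documents which requested rules legitimately exist in more than one partition.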