Very Complex firewall rules?

Hi there,

Currently I am searching for a nice tool (OSS/commercial) to do some jobs on my Checkpoint firewall rules (cpdb2html generated a 348-page file):

1. Aggregation of rules - Let's say every server in a subnet has SSH enabled; then I would like to create ONE rule for the whole environment and remove the dupes.
2. Visualization - I'd like to have a nice graph of my subnets where I can see the hosts and the ports which are opened.

I am no firewall administrator and I only saw the checkpoint GUI once - so maybe I am missing something obvious here.

Anyone?

Thanks and Kind Regards,
Ruediger G. Biernat

SolSoft

Hi everybody.

As far as I've understood your request, ExaProtect SolSoft is answering your issues quite well.
You can:

  • Visualize your networks on a map-like representation.
  • Draw flows between networks/computers to allow services between them

When the modifications are OK, press a button and the software:

  • Computes and optimizes rules
  • Pushes them to the firewalls

But it's not totally automatic. You can:

  • Confirm the modifications before pushing them
  • Rollback to any previous configuration

Some rulebase analysis software

I am sorry the products that I suggest below don't help with the visualization aspects, but they are purely from a Checkpoint firewall rulebase analysis perspective.

Products: SecureTrack (Tufin) and AlgoSec.

These products can give you a list of rules which are being shadowed by other rules. The shadowed rules are those rules which are not needed and which, if deleted, would not affect the access in any way, since a given packet would match at least one other rule at the top of the rulebase even before hitting this shadowed rule. Thus the shadowed rule is actually not needed anymore.

So a product such as Tufin can help you do that.
I know this is not exactly what you are looking for, but I still thought you might be interested.

Sun
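The two operations the thread discusses, the shadowed-rule check described in this reply and the aggregation of per-host rules into one subnet rule asked for in the original question, as an added illustration that is not code from any of the posts or the products named. It assumes a simplified rulebase of (src, dst, port, action) entries, not the real cpdb2html, SecureTrack or AlgoSec formats, and a first-match-wins rulebase.

```python
import ipaddress
from collections import defaultdict
from typing import NamedTuple

class Rule(NamedTuple):
    src: str     # CIDR, "0.0.0.0/0" for Any
    dst: str     # CIDR
    port: int    # TCP port, 0 for Any
    action: str  # "accept" or "drop"

def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def covers(outer, inner):
    """True when every packet matching `inner` also matches `outer`."""
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and outer.port in (0, inner.port))

def shadowed(rules):
    """Indexes of rules fully covered by one earlier rule. First match wins,
    so such a rule never fires and can be deleted without changing access.
    Coverage by the union of several earlier rules is not detected."""
    return [i for i, r in enumerate(rules)
            if any(covers(e, r) for e in rules[:i])]

def aggregate(rules):
    """Merge rules that differ only in destination into the largest fully
    present contiguous networks (four /32 hosts spanning 10.0.0.0/30 become
    one /30 rule). Incomplete blocks stay as they are, so no new access is
    granted; order is kept only within a group, so review mixed accept/drop."""
    groups = defaultdict(list)
    for r in rules:
        groups[(r.src, r.port, r.action)].append(_net(r.dst))
    return [Rule(src, str(net), port, action)
            for (src, port, action), dsts in groups.items()
            for net in ipaddress.collapse_addresses(dsts)]

# Constructed rulebase: one SSH rule per host of 10.0.0.0/30, a broad rule for
# the whole /24, and a later rule that the broad rule shadows.
RULEBASE = [
    Rule("0.0.0.0/0", "10.0.0.0/32", 22, "accept"),
    Rule("0.0.0.0/0", "10.0.0.1/32", 22, "accept"),
    Rule("0.0.0.0/0", "10.0.0.2/32", 22, "accept"),
    Rule("0.0.0.0/0", "10.0.0.3/32", 22, "accept"),
    Rule("0.0.0.0/0", "10.0.0.0/24", 0, "accept"),
    Rule("192.168.1.0/24", "10.0.0.7/32", 443, "accept"),  # never fires
]
```

Running `shadowed(RULEBASE)` flags only the last rule, and `aggregate(RULEBASE)` collapses the four SSH host rules into a single rule for 10.0.0.0/30.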

FWdoc

This tool (http://www.wyae.de/software/fwdoc/) may help you in aggregation of rules. It also supports converting rules to other formats for easier manipulation.

Maybe CSV output and afterglow could do the trick.
Hope this helps...

Chema.

Phired/FwViz

I've done some research into firewall visualization (specifically Cisco PIX). I could easily mod my Python-fu to probably do Check Point as well, given a parseable rule format. You can check out a recent presentation here and see if it might interest you.

re: Phired/FwViz

Hi dacort:

Is the code that you developed publicly available?

Thanks,

Aaron

Aaron - I was hoping it

Aaron - I was hoping it would be at this point, but unfortunately not yet.