Firewall Rule Set Review

What are these rules..? 

How do I secure my infrastructure with these rules..? 

Are my rules set right..?    Hmmm..! Confusing...

Let's find out!

All too often, rules are stacked onto the firewall, ACLs are configured on the switches, and nobody comes back to tidy up. Firewall rules are added and none are removed, which puts the network and the firewall at risk. Security professionals often use the term "security erosion" to describe the condition whereby the security of a system decreases over time.

Auditors check the switch and firewall configuration and make recommendations to consolidate rules or ACLs wherever possible. However, there is still a need to review the policy, remove obsolete rules and services, reposition rules for performance, and check policy consistency.

This blog explains the importance of regular audits and clean-ups, recommends a procedure for doing them, and lists good practices that make the Rule Review less demanding. Vendors offer software products to help with this kind of audit, for example Lumeta, and some vendors offer to perform the task for you at a cost. Automated products and vendor services can help; however, they cannot substitute for knowledge of the network, research, and interaction with users. It is a tedious and challenging task that requires time and effort: deleting rules could break a connection, and any outage could be costly.

Nonetheless, it is important that these reviews be performed carefully and regularly. Therefore, a process to continually clean up obsolete rules and ACLs should be put in place. Proper documentation and a standard change process are also critical when the time comes to remove an old rule.

Most examples refer to Checkpoint and Cisco PIX firewalls; however, they apply to almost any firewall product.

What is the Firewall rule review?

There are vulnerability assessments to ensure that the firewall is not vulnerable to the latest exploits. There are formal audits that check for vulnerabilities, firewall software configuration, and the security policy, and that make sure the latest patches are installed for the firewall software and OS. However, there is still a need for a Rule Review, performed by the Firewall Administrator and/or Network Security Officer, that focuses on how the transit rules are arranged. Step through the firewall rules one by one to make sure they are in the correct order.

  • Check whether the way the rules are written leaves obvious holes. Example: weak services, or rules that allow a range of ports or all ports/all protocols.
  • Check for obsolete rules, rules that should have been temporary, and rules that are no longer used.
  • Ensure that proper paperwork is in place with contact information and the reason for the original rule.
  • Attempt to consolidate rules whenever possible.
  • Check for known vulnerabilities or bugs in the existing hardware and software release.
  • Complete audit of all related hardware and devices.
  • Review of the accounts set up on the firewall and the operating system.
  • Check the firewall and OS logs for possible hardware or software malfunction.
  • Review the comments for each rule in the rule set for proper justification.
  • Check for vulnerabilities in the encryption and hashing processes.
  • Check whether the rules grant the least possible privileges.
  • Review the vendor licensing.
  • Review the services enabled on the firewall.
  • Review the overall firewall configuration and the rule sets deployed to the firewall.
  • Recommendations related to improving the security provided by the firewall and the overall device configuration.

Requirement Gathering:

Requirement gathering plays a crucial role before performing the Firewall Ruleset Review (FRR) of any organization.

  • Type of organization: the tester should know what kind of organization he/she will be performing the FRR for, whether it is an ISP, a finance company, a product-based or a service-based company.
  • Network layout: the reviewer should always study the network architecture and IP schema of the organization for which the FRR is being performed. The network architecture should provide the basis for a common understanding of the data flow, the network devices, the IDMZ and EDMZ zones, and the criticality of the devices placed in those zones.
  • VLAN information: the reviewer should obtain the VLAN and subnet information from the organization in order to perform a detailed analysis of the rules configured on the firewalls. Generally, firewalls are configured either from the GUI or the CLI. If the firewall is configured through the CLI, the reviewer should ask for the access-lists and rules configured on the firewall.
  • Firewall model: older firewalls such as the Cisco ASA, Checkpoint R77 series, etc. do not support an IPS/IDS feature, whereas next-generation firewalls such as Cisco FTD and Checkpoint have all these features available. The reviewer should have the necessary information about the firewall models on which he/she will be performing the FRR.

Risk Assessment Matrix:

Before starting the FRR, the reviewer should consider the Risk Calculation Matrix below.

Assessment Approach:

  • Any-to-Any rule: a rule configured from any source to any destination, allowing any protocol, should always be marked as a "High Observation".
  • A subnet or IP address having access to any service or any port should be marked as a "Medium Observation", and justification for it should be requested from the organization.
  • URL filtering: in next-generation firewalls, web URL filtering should be configured and applied to the rule set. If it is not, a "High Observation" should be raised and justification requested.
  • Privilege level: the reviewer needs to check the privilege level of the users accessing the firewall; if all users are found to hold "Superuser" privilege, a "High Observation" should be raised and justification requested.
  • The reviewer should check that the firewall is not accessible from any public IP and does not have default credentials. If either is found, a "High Observation" should be raised.
  • If a "Guest" Wi-Fi profile is configured, the reviewer should check the access permissions and the type of access provided to the guest profile. If full internet access is provided, a "High Observation" should be raised.
  • The reviewer should have basic knowledge of the access groups and their roles configured on the firewall; this gives the reviewer a basic idea of the user groups in use.
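The checks above, as an added example that is not part of the original article: a small Python classifier that tags constructed rules and device settings with the observation levels the Assessment Approach assigns. The `Rule` fields, the `cfg` keys and the sample values are assumptions made for illustration, not any vendor's export format.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # "any", a host IP, or a subnet in CIDR form (constructed notation)
    dst: str
    service: str  # "any" or a single service such as "tcp/443"
    action: str   # "accept" or "drop"

def assess_rule(rule: Rule) -> tuple[str, str]:
    """Per-rule checks from the Assessment Approach: any-to-any on any
    protocol is High; a subnet or host allowed to any service/port is
    Medium and needs a justification; anything else is recorded as Info."""
    if rule.action != "accept":
        return "Info", "deny rule, adds no exposure"
    if rule.src == "any" and rule.dst == "any" and rule.service == "any":
        return "High", "any-to-any rule allowing any protocol"
    if rule.service == "any":
        return "Medium", "access to any service/port; request justification"
    return "Info", "scoped rule"

def assess_ruleset(rules: list[Rule]) -> dict[str, str]:
    """Map each rule name to its observation level."""
    return {r.name: assess_rule(r)[0] for r in rules}

def assess_device(cfg: dict) -> list[tuple[str, str]]:
    """Device-level checks from the same list (URL filtering on an NGFW, admin
    privilege levels, public management access, default credentials, Guest Wi-Fi)."""
    findings = []
    if cfg.get("ngfw") and not cfg.get("url_filtering"):
        findings.append(("High", "NGFW rule set without URL filtering"))
    admins = cfg.get("admins", {})
    if admins and all(lvl == "superuser" for lvl in admins.values()):
        findings.append(("High", "every firewall user holds Superuser privilege"))
    if cfg.get("mgmt_from_public_ip"):
        findings.append(("High", "management reachable from a public IP"))
    if cfg.get("default_credentials"):
        findings.append(("High", "default credentials still in use"))
    if cfg.get("guest_wifi") == "full_internet":
        findings.append(("High", "Guest Wi-Fi profile allows full internet access"))
    return findings

SAMPLE_RULES = [  # constructed rule set, not from any real firewall
    Rule("r1-temp-cleanup", "any", "any", "any", "accept"),
    Rule("r2-dmz-web", "10.20.0.0/24", "203.0.113.10", "any", "accept"),
    Rule("r3-https-out", "10.0.0.0/16", "203.0.113.10", "tcp/443", "accept"),
    Rule("r99-deny-all", "any", "any", "any", "drop"),
]
```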


Logs should be archived for as long as disk space will allow. Checkpoint provides a utility that converts the log files to ASCII. This utility can be used in a script to compress those files with "gzip" and store the logs by date. Appendix A is an example of a script that a colleague wrote to dump logs to ASCII and store them compressed with "gzip" and named by date. They are then easy to search with "zgrep" on Unix. On Windows, ASCII log files can be sorted and viewed with Notepad and Excel. If the file is not too large, MS Access can also be used, and a third-party log analyzer is another option.


Reports on the performance and usage of the firewall should be pulled and stored for roughly two months. These reports should include the firewall rules and their usage. They will prove useful when going through the rules to find those that are no longer needed. A regular backup of the rule bases should also be stored for two months.
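Added example (not the Appendix A script or any Check Point utility) covering the two paragraphs above: archive an ASCII log export compressed and named by date, search it the way zgrep would, and prune archives beyond a two-month retention period, in Python. The vendor's ASCII export step is assumed to have already run; the log lines, file-name scheme and retention period are constructed for the example.

```python
import gzip
import tempfile
from datetime import date, timedelta
from pathlib import Path

def archive_ascii_log(text: str, archive_dir: Path, day: date) -> Path:
    """Store an ASCII log export as archive_dir/fwlog-YYYY-MM-DD.log.gz."""
    archive_dir.mkdir(parents=True, exist_ok=True)
    out = archive_dir / f"fwlog-{day.isoformat()}.log.gz"
    with gzip.open(out, "wt", encoding="utf-8") as fh:
        fh.write(text)
    return out

def search_archive(archive: Path, needle: str) -> list[str]:
    """Return the lines of a compressed archive containing `needle` (what zgrep does)."""
    with gzip.open(archive, "rt", encoding="utf-8") as fh:
        return [line.rstrip("\n") for line in fh if needle in line]

def prune_archives(archive_dir: Path, keep_days: int, today: date) -> list[Path]:
    """Delete archives whose file-name date is older than keep_days; the
    retention period is the knob for 'as long as disk space allows'."""
    cutoff = today - timedelta(days=keep_days)
    removed = []
    for path in sorted(archive_dir.glob("fwlog-*.log.gz")):
        stamp = date.fromisoformat(path.name[len("fwlog-"):-len(".log.gz")])
        if stamp < cutoff:
            path.unlink()
            removed.append(path)
    return removed

SAMPLE_LOG = "\n".join([  # constructed ASCII lines, not a real export
    "15Jan2024 10:01:02 accept eth0 src 10.0.0.5 dst 10.0.1.8 service http",
    "15Jan2024 10:01:03 drop eth0 src 203.0.113.7 dst 10.0.1.8 service telnet",
    "15Jan2024 10:01:09 drop eth0 src 203.0.113.7 dst 10.0.1.9 service ssh",
]) + "\n"

def demo() -> tuple[int, int, int]:
    """Archive the sample log dated 2024-01-15 next to a stale 2023-01-01
    archive, prune with 60-day retention as of 2024-01-20, and return
    (drop lines found, archives removed, archives remaining)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        current = archive_ascii_log(SAMPLE_LOG, root, date(2024, 1, 15))
        archive_ascii_log("old entry\n", root, date(2023, 1, 1))
        drops = len(search_archive(current, " drop "))
        removed = prune_archives(root, 60, date(2024, 1, 20))
        return drops, len(removed), len(list(root.glob("fwlog-*.log.gz")))
```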

Reasons for the review:

  • Obsolete rules can be used to gain unauthorized access.
  • Rule position can improve the performance of the firewall.
  • Use of groups can cause performance issues.
  • Improper placement of a rule can put the firewall and/or network at risk.

The firewall rule change process can help:

Guidelines and procedures for firewall rule changes help administrators roll out changes in a uniform way.

  • Naming standards for objects (hosts, networks, groups, services, and so on).
  • Research the rule change request and what it means for the environment.
  • A process to review existing rules for possible consolidation.
  • Implement a formal procedure for requesting firewall rule changes.
  • Document rule changes and requestor information.
  • Compress and store logs in an easy-to-parse format, for example ASCII.
  • Archive statistics on firewall rule usage and performance, and copies of the rule base.

Firewall Rule Review:

  • Needs to be performed by somebody with knowledge of the environment.
  • Document the progress.
  • Check firewall rule usage reports and logs to find obsolete rules.
  • Contact the requestor and use the Change Control Process to delete old rules.
  • Check for the logical order of the rules.
  • Check the rule placement for performance.
  • Check for old groups and objects.
  • Consolidate rules where possible.


The Firewall Rule Review looks at the configuration and placement of the rules and cleans up the rule bases. It should be done regularly in view of the "security erosion" caused by improper maintenance of the firewall, which puts the system at risk.
