I need to review firewall rules of a CheckPoint firewall for a customer (with 200+ rules).
I have used FWDoc in the past to extract the rules and convert them to other formats, but there were some errors with exclusions. I then analyze them manually to produce an improved version of the rules (usually in OOo Calc) with comments.
I know there are several visualization techniques but they all go down to analyzing the traffic and I want static analysis.
So I was wondering, what process do you follow to analyze firewall rules? What tools do you use (not only for Checkpoint)?
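One static check that can be scripted while the rules are still in a spreadsheet is ordering analysis: a rule is redundant when an earlier rule with the same action already matches everything it would, and shadowed when an earlier rule with the opposite action does. The script below is an added illustration, not part of the question or of FWDoc; it assumes a simplified rule model (IPv4 source/destination in CIDR or "any", one service string per rule) and a constructed five-rule policy.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # IPv4 CIDR or "any"
    dst: str      # IPv4 CIDR or "any"
    service: str  # e.g. "tcp/80", or "any"
    action: str   # "accept" or "drop"

def _net(field: str) -> ipaddress.IPv4Network:
    # "any" is treated as the whole IPv4 space so subnet_of() works uniformly
    return ipaddress.ip_network("0.0.0.0/0" if field == "any" else field, strict=False)

def rule_covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet matched by `later` is already matched by `earlier`."""
    return (
        _net(later.src).subnet_of(_net(earlier.src))
        and _net(later.dst).subnet_of(_net(earlier.dst))
        and (earlier.service == "any" or earlier.service == later.service)
    )

def find_shadowed(rules: list[Rule]) -> list[tuple[str, str, str]]:
    """Return (later_rule, earlier_rule, kind) for each rule fully covered by an earlier one.

    Rules are evaluated top-down, so the first covering rule wins and the
    later one is either 'redundant' (same action) or 'shadowed' (different action).
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if rule_covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, earlier.name, kind))
                break  # first covering rule is the one the firewall would hit
    return findings

# Constructed sample policy (documentation-range addresses, not a real customer rulebase)
RULES = [
    Rule("allow-web",       "10.0.0.0/8",  "192.0.2.10/32",     "tcp/80", "accept"),
    Rule("allow-web-dup",   "10.1.0.0/16", "192.0.2.10/32",     "tcp/80", "accept"),
    Rule("block-mgmt",      "any",         "192.0.2.0/24",      "tcp/22", "drop"),
    Rule("allow-admin-ssh", "10.1.2.0/24", "192.0.2.10/32",     "tcp/22", "accept"),
    Rule("allow-dns",       "10.0.0.0/8",  "198.51.100.53/32",  "udp/53", "accept"),
]

if __name__ == "__main__":
    for later, earlier, kind in find_shadowed(RULES):
        print(f"{later} is {kind} because of {earlier}")
```

A shadowed finding like allow-admin-ssh is the one worth chasing first: the administrator believes SSH is permitted, but the earlier drop rule means it never is, which is exactly the kind of discrepancy a manual review of 200+ rules tends to miss.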
Recently, the guys at Matasano have released Flint, a firewall rules checker. It's GPL and runs on Sinatra.
(source: runplaybook.com)
Looks very promising.
Although I haven't tried it yet. There's only support for PIX/ASA firewalls, but they will be adding others in the future.

EDIT:
I have installed it and tested it. Installation is very simple. As for the analysis, I fed it with a complex firewall configuration and it took a long time to analyze. Results were mostly correct, but there were parsing errors.
Overall, this is an initial release of a promising tool. And it was what I was looking for with this question in the first place.
Playbook might be what you're looking for. I haven't run it, but it looks interesting.
I spent a considerable amount of time searching for a low to no cost static analyzer last fall.
The closest I found was a university research project called Fireman, which I never tried to get working.
Currently I'm doing a major clean-up and audit by hand, and verifying against historical NMAP scans and log data.
If there's a better way that's cheap and effective, I'd love to hear about it.
I know two tools to analyze firewall rules: SkyBox and RedSeal.
They are commercial tools.
The best solution I have seen is Checkpoint's web visualization tool.
Windows Download Link: https://supportcenter.checkpoint.com/supportcenter/portal/role/supportcenterUser/page/default.psml/media-type/html?action=portlets.DCFileAction&eventSubmit_doGetdcdetails=&fileid=10708
You can export to HTML for viewing, or XML if you want to do something with the data. It also exports information about the objects in the rules, in case they are super obfuscated.
Have fun! :D