Configuring to View Unused Firewall Rules

In a Firewall device, there could be numerous rules/access-list defined to secure the network from external attacks. Out of the rules/access-list configured, there could be certain rules which would be most used and certain which are least used or never used. Firewall Analyzer captures the most used rules in the Top Used Rules as they would be available in the logs generated by Firewall. But, to get the Unused Rules, one needs to configure the Firewall Analyzer to fetch the complete rules from the device. Once, Firewall Analyzer fetches the complete rules configured in the Firewall, it can provide the Unused Rules view.

To view Unused Firewall Rules, configure the Firewall Analyzer by following the steps given below:

In the Firewall Analyzer web client, select the Settings tab.
In Settings screen, select the System Settings > Device Rule link. Device Rule Info page appears.
On the top, there are two links provided to add device info to fetch rules and to delete the device info. The links are:
1. Add Device Info
2. Delete Device Info

Add Device Info

Click the Add Device Info link to add the device information to fetch the rules using Telnet or SSH. The Enter Device Details screen opens up.
In the Enter Device Details screen, select the Firewall device in the Select Device drop down list.
In the Fetch Rules section, there will be two options to fetch rules
1. From Device
2. From File

Select the option as per your requirement.

Fetching the rules directly from the device is supported for the following devices only:

Cisco
Fortigate
Netscreen

For the rest of the devices, please use the Fetch Rules > From File option.

Fetch Rules > From Device

In the From Device tab, select the protocol (Telnet or SSH) in the Protocol drop down list.
Enter the Device Info. The Device Info has been split into two sections:

Primary Info - deal with parameters that are necessary to establish communication with the device. Details such as Login Name, Password, Prompt, Enable UserName, Enable Password and Enable Prompt are classified as basic details.
Secondary Info - certain parameters usually take standard values. All such parameters have been classified under 'Secondary Info'. Port, login prompt, enable user prompt, password prompt, enable password prompt values are usually assigned with certain Standard Values by default. Such standard values have been filled for these parameters. Most of the devices would work well with these values and you need not edit these details unless you want to provide different set of details.

Primary Info

Device Info	Description
Login Name	While establishing connection with a device, if the device asks for a Login Name, set a value for this parameter. This parameter is Optional.
Password	To set the Password for accessing the device.
Prompt	The prompt that appears after successful login.
Enable UserName	When entering into privileged mode, some devices require UserName to be entered. Provide the username if prompted; otherwise leave this field empty.
Enable Password	This is for entering into privileged mode to perform configuration operations like backup/upload. This parameter is mandatory.
Enable Prompt	This is the prompt that will appear after going into enable mode.

Both Primary and Secondary credentials (Login Name and Password) of the Firewalls are encrypted and stored in the Firewall Analyzer.

Secondary Info

Click the link Secondary Info to view/enter values for these parameters. All the parameters are usually assigned with certain Standard Values by default. Such standard values have been filled for these parameters. Most of the devices would work well with these values and you need not edit these details unless you want to provide different set of details.

Device Info	Description
IP Address	IP Address of the Firewall device to which the Firewall Analyzer will connect through FTP. See Note below.
Port (Telnet/SSH)	Port number of Telnet/SSH - 23 (for Telnet) and 22 (for SSH) by default.
Login Prompt	The text/symbol that appears on the console to get the typed login name is referred as login prompt. For example, Login:
Password Prompt	The text displayed on the console when asking for password. For example, Password:
Enable User Prompt	The text displayed on the console when asking for Enable UserName. For example, UserName:
Enable Password Prompt	The text displayed on the console when asking for password. For example, Password:

The command to be executed, to fetch the Firewall rules is displayed in the Command field.
Select whether the rules are fetched once or periodically.
1. Select Once radio button to fetch the rules once.
2. Select Periodic radio button to fetch the rules periodically. The periodicity option opens up. Select the periodicity of rules fetching from the combo boxes given in: Every <1 to 31> day(s) @ <0 to 23> Hrs <0 to 50> Min. (For example: If you configure like Every 10 day(s) @ 2 Hrs 30 Min, the rules will be fetched from the device, every 10 days at 02:30 AM)
Click Test Now button, to test the validity of the device info; otherwise, click Save button to apply the values. Click Cancel to cancel the adding device info operation.

If the Firewall Analyzer is not receiving the logs directly from the Firewall device (i.e., the logs are received from a log forwarder tool), to fetch the rules from the Firewall device, configure the IP Address of the actual Firewall. Configure the IP Address, using Secondary Info > IP Address field.

Fetch Rules > From File

In the From File tab, enter the file name with absolute path of the file which contains the rules details of the Firewall device. Alternatively, click the Browse button to locate the file.
Click Import button to import the file. Click Cancel to cancel the rules details file importing operation.

User should create a file containing rules details.
The file should contain rule name and description in comma separated format.
Each rule should be in a new line.

Delete Device Info

To delete the Device Info from the list of Device Details table, select the check boxes of the respective Device Info entries and click the Delete Device Info link.

Testing the validity of device info

Device Info values entered through the Firewall Analyzer GUI should be accurate. Otherwise, Firewall Analyzer will not be able to establish connection with the device. To ensure the correctness of device info values, Firewall Analyzer provides the testing option. After entering the device info, you can test the values during which Firewall Analyzer will indicate if the values entered are valid. It will pinpoint the invalid values and you can carryout corrections accordingly.

To test the validity of device info, follow the procedure given below:

After providing the device info, click Test Now button.

This updates the device info values in the database and then carries out the testing. The result of the testing will be shown in a separate window as below:

The testing result indicates valid device info values with a green 'tick' mark. The invalid values are marked as red cross marks. You need to change the invalid values. Alongside, the CLI command execution result (through which Firewall Analyzer ascertains the validity of device info values) is also displayed.

Devices Details

After entering and saving the Device Info values through the Firewall Analyzer GUI, the device, with details to fetch rules, is listed in the Device Details table. The details of the columns of the Device Details table are:

Device Details	Description
Status	The status of fetching device rules/access control of the Firewall device
Devices Name	The names of the devices for which the rules will be fetched
Device Type	The type of Firewall device (Manufacturer Info, Model name/number etc.)
Edit	An icon to edit the details of the rules fetching info of the device. Click icon to edit the device info.
View Rules	An icon to view the rules fetched from the device. Click icon to view the device rules.
Unused Rules	An icon to view the rules fetched from the device, which were not used. Click icon to view the unused rules of the device.
Last Update On	The time when the rules of the device were updated last.