360 Analytics

360-FAAR (360° Firewall Analysis Audit and Repair)

360-FAAR is an open source firewall policy analysis and manipulation tool capable of automating many large operational tasks. 360-FAAR can be downloaded and used for free under the terms of the GPLv3 license; it is also available as a commercial product called 360-FAAR Enhanced.

360-FAAR has many uses, including:

* Policy Cleanup,
* Rule Translation,
* Log Analysis,
* Object Analysis.



About 360-FAAR

360-FAAR is an offline, command line Perl tool for firewall policy manipulation. It filters policies, compares them to logs, merges policies, translates connectivity rules (ACLs and policy entries) and outputs firewall commands for new policies in Checkpoint dbedit, Cisco ASA or ScreenOS syntax, and it's a single file!



360-FAAR Enhanced

This version is suitable for large enterprise networks and firewalls. The 'Enhanced' version is capable of far greater security and maintains the existing rulebase / firewall policy structure. The open source version will meet most small to medium sized companies' needs.



Hardware Requirements

360-FAAR requires no extra hardware on your network; it can be run from any server with a standard installation of Perl.

360-FAAR Requires:

* A minimum of 50MB of memory; at least 2GB is recommended for small to medium sized firewall analysis jobs.
* A standard installation of Perl 5.8 or higher with the Text::Shellwords and IO::Handle modules available.
* Terminal access. Running in a 'screen' session is recommended.
* Windows / Linux / FreeBSD / Solaris / OSX.

360-FAAR Enhanced Requires:

* The above list.
* MongoDB / MongoDB Perl Bindings.

360-FAAR reads the firewall configs and log files OFFLINE and requires no connectivity to the firewall infrastructure it is analysing. There is no installation or uninstallation procedure: 360-FAAR is a single-file Perl script. 360-FAAR writes the suggested new firewall policies as text to the command line so that they can be copied and pasted to the firewalls that require new policies.



Input Formats

Existing Firewall Policy Rulebase configurations can be loaded in the following formats:

Supported CMD Languages:

* Checkpoint Firewall-1: 'odumper/ofiller' CSV text file. Logexported text logs. FWDoc format NATs CSV.
* Cisco ASA Firewall: 'show run' format text file. Syslog format text logs.
* Netscreen ScreenOS6: 'get config' format text file. Syslog format text logs.

When reading odumper format commands 360-FAAR also requires an FWDoc CSV format NAT translation file to load Firewall-1 NATs.



Output Formats

New firewall policy rulebases are generated automatically by comparing all connectivity found in the log files to the current firewall configurations loaded. The new firewall policies are output in each firewall's native command language:

Supported CMD Languages:

* Checkpoint Firewall-1: dbedit and odumper/ofiller CSV files.
* Cisco ASA Firewall: 'show run' access-list and object CMDs to STDOUT.
* Netscreen ScreenOS6: 'get config' policy and object CMDs to STDOUT.

When outputting dbedit commands 360-FAAR also writes an odumper/ofiller format CSV, which can be read back in buildobj mode and used as a template for translation to many firewalls.



Data Driven Analysis

360-FAAR uses a 100% data driven model, and all internal processing is done using binary CIDR IP address matching. There is no subjectivity within the analysis or the solution!



WooterWoot (Build FW-1, Cisco and Netscreen Policy From Logs)

A log analysis tool that outputs its results as new firewall configs.



The project WooterWoot (Build FW-1, Cisco, Netscreen Policy From Logs) is, in comparison to 360-FAAR, a much simpler project. It is designed to quickly and simply build new policies for firewalls in small or test networks based on the connectivity seen in the logs. It can however be used in conjunction with 360-FAAR: WooterWoot builds an initial policy, which 360-FAAR can then rationalize using existing groups and rules pulled from existing firewall infrastructure.
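The two ideas described on this page, binary CIDR matching of every logged connection against a loaded policy (Data Driven Analysis) and building new firewall commands from the connectivity seen in logs (WooterWoot), are illustrated below in an added example. It is not code from 360-FAAR or WooterWoot; it is written in Python rather than Perl, the log format and the sample policy are constructed for the example, and the rule layout, function names and the NEW_POLICY access-list name are assumptions. Only the Cisco ASA access-list syntax in the output is real.

```python
"""Propose firewall rules from connection logs using binary CIDR matching.

Added example, not code from 360-FAAR or WooterWoot. It loads a small
existing policy, matches each logged connection against it with integer
bitmask comparisons, and emits Cisco ASA style access-list commands for
connectivity that no existing permit rule already covers.
"""
import re
from collections import OrderedDict


def ip_to_int(ip):
    """Pack a dotted-quad IPv4 address into a 32-bit integer."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip!r}")
    a, b, c, d = (int(o) for o in octets)
    return (a << 24) | (b << 16) | (c << 8) | d


def parse_cidr(cidr):
    """Return (network, mask) as integers; a bare address is treated as /32."""
    addr, _, plen = cidr.partition("/")
    plen = int(plen) if plen else 32
    if not 0 <= plen <= 32:
        raise ValueError(f"bad prefix length in {cidr!r}")
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    return ip_to_int(addr) & mask, mask


def cidr_contains(cidr, ip):
    """Binary CIDR match: the address masked to the prefix equals the network."""
    network, mask = parse_cidr(cidr)
    return (ip_to_int(ip) & mask) == network


# Assumed rule layout: (src_cidr, dst_cidr, proto, dport-or-"any", action); first match wins.
def first_match(rules, conn):
    for rule in rules:
        src, dst, proto, dport, _action = rule
        if (proto == conn["proto"]
                and dport in ("any", conn["dport"])
                and cidr_contains(src, conn["src"])
                and cidr_contains(dst, conn["dst"])):
            return rule
    return None


# Constructed log format for this example: "<PROTO> <src>:<sport> -> <dst>:<dport>".
# Real Cisco ASA or Checkpoint log lines carry more fields and look different.
LOG_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Return one dict per connection record; lines that do not parse are skipped."""
    conns = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            conns.append({"proto": m["proto"], "src": m["src"], "dst": m["dst"],
                          "dport": int(m["dport"])})
    return conns


def uncovered_connectivity(rules, conns):
    """Unique (src, dst, proto, dport) flows not already permitted, with hit counts."""
    seen = OrderedDict()
    for conn in conns:
        rule = first_match(rules, conn)
        if rule is not None and rule[4] == "permit":
            continue  # the loaded policy already allows this flow
        key = (conn["src"], conn["dst"], conn["proto"], conn["dport"])
        seen[key] = seen.get(key, 0) + 1
    return seen


def asa_access_list(name, flows):
    """Render host-to-host ASA access-list commands, one per uncovered flow."""
    return [f"access-list {name} extended permit {proto.lower()} host {src} host {dst} eq {dport}"
            for (src, dst, proto, dport) in flows]


def build_policy(log_text, rules, name="NEW_POLICY"):
    return asa_access_list(name, uncovered_connectivity(rules, parse_log(log_text)))


# Constructed sample data: a small existing policy and a few logged connections.
EXISTING_RULES = [
    ("10.0.1.0/24", "192.168.10.20", "TCP", 443, "permit"),
    ("0.0.0.0/0", "0.0.0.0/0", "TCP", "any", "deny"),
]
SAMPLE_LOG = """\
TCP 10.0.1.5:51234 -> 192.168.10.20:443
TCP 10.0.1.6:51235 -> 192.168.10.20:443
UDP 10.0.1.7:53001 -> 192.168.10.53:53
TCP 172.16.4.9:40000 -> 192.168.10.20:22
TCP 172.16.4.9:40001 -> 192.168.10.20:22
this line is not a connection record and is skipped
"""

if __name__ == "__main__":
    for cmd in build_policy(SAMPLE_LOG, EXISTING_RULES):
        print(cmd)
```

Running the block prints two access-list commands: the HTTPS flows from 10.0.1.0/24 are dropped because the loaded policy already permits them, while the DNS flow (no matching rule at all) and the SSH flow (matched only by the catch-all deny) are proposed as new host-to-host rules. The matching is purely arithmetic on masked integers, which is what makes the result repeatable for any given policy and log set; the hit counts kept per flow are what a tool would use to decide which flows deserve a rule and which are noise.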


