Firewall Log Analysis


Firewall logs are an essential tool in managing the firewall. They contain all of the data that administrators need to evaluate network traffic and firewall behavior. But when firewalls are producing hundreds of thousands of logs, that critical data is buried and becomes almost entirely inaccessible.

FireMon® Security Manager's log analysis feature meets two specific firewall management goals that are nearly impossible to achieve by manually looking at logs. First, FireMon reduces unnecessary access by watching logs over a long period of time to see which rules and objects have not been used. Second, FireMon creates better rules from existing broad rules by analyzing the traffic that traverses a single firewall, analyzing the pattern of valid traffic, and recommending improvements.

Key Benefits
  • Quickly reduce the access provided by broad and non-compliant rules in the firewall.
  • Investigate and remove rules and objects not in use.
  • Find the most optimized order for rules to improve performance.
  • Increase compliance by removing permissive "Any" objects from rules.
Key Features
Rule Usage Report

Clean Up Unnecessary Access
Continuous firewall access requests lead to new rules and new access, and over time firewall policies tend to grow very large and complex. FireMon provides the usage information security engineers need to clean up legacy policies by removing dormant access.

  • Rules that are in use are shown in order along with the utilization of the objects placed in the rule.
  • Unused rules are specifically indicated along with their last used date.
  • Data is kept over long periods of time for accurate reporting and can be investigated with a graphical histogram.
Traffic Flow

Analyze Traffic Flow Through Rules
Rules that allow more traffic than is necessary are common. The worst case is when you have to quickly bring together two networks but you have little idea of the traffic traversing the network boundary.

FireMon takes a detailed look at the traffic flowing over a single rule, even if it is an any-any-any-accept rule, and intelligently analyzes the traffic. The analysis results present smart-groups of access, which can be validated and created as separate rules. Through a refinement process, the accurate, correct traffic can be understood and defined, and all other traffic can be dropped.
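As an added illustration of the two analyses described above (rule usage reporting and refinement of a broad rule from observed traffic), not FireMon's own code or log format: the script below parses constructed key=value firewall log lines, reports hit counts and last-used dates per rule in policy order (flagging rules never hit), and groups the traffic that matched one broad rule into candidate narrower rules by source network, destination, protocol and port.

```python
from collections import Counter, defaultdict
from datetime import datetime
import ipaddress

# Constructed sample log lines (hypothetical key=value format): time, matched rule id, 5-tuple, action.
SAMPLE_LOGS = """\
2024-03-01T08:00:01 rule=10 src=10.1.1.5 dst=192.168.5.10 proto=tcp dport=443 action=accept
2024-03-01T08:05:12 rule=10 src=10.1.1.9 dst=192.168.5.10 proto=tcp dport=443 action=accept
2024-03-01T09:15:40 rule=20 src=172.16.0.9 dst=192.168.5.10 proto=udp dport=53 action=accept
2024-03-02T10:02:03 rule=10 src=10.1.1.12 dst=192.168.5.10 proto=tcp dport=443 action=accept
2024-03-02T11:30:00 rule=10 src=10.1.2.7 dst=192.168.5.20 proto=tcp dport=22 action=accept
2024-03-03T07:45:55 rule=40 src=10.9.9.1 dst=192.168.5.30 proto=tcp dport=80 action=drop
"""
# Rule ids in policy order; rule 10 plays the broad "any-any-any-accept" rule (constructed).
POLICY = ["10", "20", "30", "40"]

def parse(text):
    """Turn log lines into dicts with a parsed timestamp."""
    records = []
    for line in text.strip().splitlines():
        ts, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["ts"] = datetime.fromisoformat(ts)
        records.append(rec)
    return records

def rule_usage(records, policy):
    """Per rule, in policy order: hit count and last-used time (None if never hit)."""
    hits = Counter(r["rule"] for r in records)
    last = {}
    for r in records:
        if r["rule"] not in last or r["ts"] > last[r["rule"]]:
            last[r["rule"]] = r["ts"]
    return [{"rule": rid, "hits": hits[rid], "last_used": last.get(rid)} for rid in policy]

def refine_broad_rule(records, rule_id, prefix=24):
    """Group traffic matched by one broad rule into candidate narrower rules, most-used first."""
    groups = defaultdict(int)
    for r in records:
        if r["rule"] == rule_id:
            src_net = ipaddress.ip_network(f"{r['src']}/{prefix}", strict=False)
            groups[(str(src_net), r["dst"], r["proto"], r["dport"])] += 1
    return sorted(groups.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    recs = parse(SAMPLE_LOGS)
    for row in rule_usage(recs, POLICY):
        print(row)                      # rule 30 shows hits=0, last_used=None
    for group, count in refine_broad_rule(recs, "10"):
        print(count, group)             # candidate rules that could replace rule 10
```

Each returned group is a (source network, destination, protocol, port) tuple with its hit count; groups that an engineer validates become specific rules, and what remains outside them is the traffic the broad rule was admitting without a known business need.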