The Best of Firewall Management – TFA for Applications

Jody Brazil

In this series, FireMon leadership shares their favorite features of the latest release of our device and policy management solution, Security Manager.

Jody Brazil, co-founder and chief product strategist, has overseen development of our flagship product since the beginning. He explains how TFA with application support is helping customers get more out of their NGFW investment.

Traffic Flow Analysis continues to be a differentiating and demanded feature of the FireMon product suite. In fact, there are so many great advancements in TFA, I can’t fit them all into a reasonable sized blog post, so I will have to break it up. For this post, I will focus on one of TFA enhancements made to TFA in Security Manager Version 8 – application awareness.

Applications to the data set. This is not a trivial addition with just incremental value, this is a huge advancement for TFA. The addition of application data in TFA allows a user to identify which applications are being used in a rule and between sources and destinations.

Just as with the traditional TFA, FireMon presents the data as a list (a list of all applications in use for the monitored traffic) as well as in a flow.” A flow is a set of common tuples (source, destination, service and application). All the traffic monitored can be broken into flows that can be used to create more refined rules in a policy.

In the screenshot above, you can see 6 flows associated with the captured traffic. The highlighted column shows the identified application used in each flow.

Why does it matter?

There is significant value to seeing applications in the flow to enable a user to more effectively refine their security policy. Security technology manufacturers like Palo Alto Networks have built their business on the concept of an enhanced firewall that doesn’t just control access based on port and protocol, but on application. However, rules often aren’t configured to enforce application control. This happens for a couple of reasons:

    • Migrations: Users are generally migrating from a legacy technology to the next-generation firewall. The original rules didn’t have applications, so the migrated rules will not either. The effort to change these rules is significant, but it is also hard to do without better information – information that FireMon can provide.

    • Adoption: This is still a relatively new technology. Administrators are just getting familiar with it and sometimes overlook application definition when creating rules. Fixing these rules after the fact is hard to do without good data.

    So, if you’re using a next-generation firewall, make sure you to take advantage of application controls throughout your policies. Use TFA with application awareness to improve your firewall policies and to get more value out of the upfront investment you made in NGFWs.