Firewall Policy History Report

Jody Brazil

Internally at Secure Passage, we use FireMon to manage changes to all of our production and test devices. Not only does it help us better manage those devices, but it also helps us create a better product by seeing problems and opportunities that we can address with the product.

A couple of weeks ago, I was attempting to SSH to one of our firewalls to help Support answer a customer question. I was unable to connect. I quickly turned to FireMon to verify connectivity and found that the firewall was blocking my access. I could fix the problem easily enough, but I was interested to know when and why that access got changed. I immediately looked to FireMon, but was frustrated that I didn’t have a really quick way to figure this out. Of course the data was there; I just had to know where to look. If I knew when it happened, I could look at the change report. If I knew which rule used to accept this traffic (which I did in this case), I could look at the rule and the change log, and identify exactly what changed and when it happened.

However, what if I didn’t know either of those things or I just wanted a faster way to find the information? I posed this question to our development team a couple of weeks ago, and last Friday, one of our developers took up the challenge. Mark created the Policy Test History Extension.

This Extension will evaluate your history of access and identify exactly when it stopped working, permitting you to identify the change that took place and all the details about the change, including who made the change.  It’s a great new feature.  Check it out some time.
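
The idea behind this kind of history check, as an added example (not FireMon's code and not part of the original post): replay one flow against every saved policy revision with first-match semantics and report each revision where the verdict flipped. The revision list, rule format, addresses and admin names are all constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed rules: (name, source, destination, port or None for any, action)
WEB = ("web", "0.0.0.0/0", "192.0.2.80/32", 443, "accept")
CLEANUP = ("cleanup", "0.0.0.0/0", "0.0.0.0/0", None, "drop")

def ssh(src):
    """Admin SSH rule to the firewall, parameterised by allowed source."""
    return ("admin-ssh", src, "192.0.2.1/32", 22, "accept")

# Constructed policy history, oldest revision first.
HISTORY = [
    {"rev": 1, "who": "alice", "rules": [ssh("198.51.100.0/24"), CLEANUP]},
    {"rev": 2, "who": "bob",   "rules": [WEB, ssh("198.51.100.0/24"), CLEANUP]},
    {"rev": 3, "who": "carol", "rules": [WEB, ssh("198.51.100.0/28"), CLEANUP]},
    {"rev": 4, "who": "alice", "rules": [WEB, ssh("198.51.100.0/24"), CLEANUP]},
    {"rev": 5, "who": "bob",   "rules": [WEB, CLEANUP]},  # admin-ssh removed
]

def evaluate(rules, src, dst, port):
    """First matching rule decides; no match means implicit deny."""
    for name, rsrc, rdst, rport, action in rules:
        if (ip_address(src) in ip_network(rsrc)
                and ip_address(dst) in ip_network(rdst)
                and rport in (None, port)):
            return action, name
    return "drop", "implicit-deny"

def transitions(history, src, dst, port):
    """Every revision where the verdict for this flow changed."""
    out, prev = [], None
    for rev in history:
        cur = evaluate(rev["rules"], src, dst, port)
        if prev and cur[0] != prev[0]:
            out.append({"rev": rev["rev"], "who": rev["who"],
                        "before": prev, "after": cur})
        prev = cur
    return out

def last_break(history, src, dst, port):
    """Most recent accept-to-drop change, or None if access never broke."""
    breaks = [t for t in transitions(history, src, dst, port)
              if t["after"][0] == "drop"]
    return breaks[-1] if breaks else None

if __name__ == "__main__":
    print(last_break(HISTORY, "198.51.100.25", "192.0.2.1", 22))
```

The scan is linear rather than a binary search because access can break, be restored and break again, as it does at revisions 3, 4 and 5 in the sample data.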