Clean and Optimize your Firewall's Rule Base and Network Objects
As thousands of tickets (change requests) are processed by the firewall operations team, and organizational security objectives evolve over time, the underlying rule base that contains the firewall policy becomes extremely large and intricate.
In fact, many of the rules and objects in a typical Firewall rule base are obsolete. These unused rules represent a potential security hole and should be eliminated. But firewall operators do not have an easy way of identifying these rules using standard administration tools.
In addition to security risks, a bloated rule base can have a major impact on performance. The entire rule base is parsed from top to bottom with every network connection, and as the rule base grows, hardware requirements also increase. Overly complex rule bases are difficult to maintain and must be cleaned up regularly.
SecureTrack Rule Usage analysis records traffic logs from Firewall modules to provide statistical analysis on the actual use of each of the rules over different time spans. Reviewing each Firewall's entire rule base with this information empowers you to optimize your Firewall's operation and clean up unused rules.
Firewall Policy Optimization then uses the data it retrieved to determine which rules fall into the following categories:
Unused rules - may be removed upon examination
Most-used rules - may be moved higher for optimal performance
Least-used rules - may be moved lower for optimal performance
Rules with no tracking - log tracking may be added as needed
Rules with unused objects - unused objects may be removed upon examination
Rules with partially used objects - log tracking may be added as needed
SecureTrack also analyzes the usage of NAT rules and displays them in these categories:
Unused NAT rules
Most-used NAT rules
Least-used NAT rules
Rule, Object and NAT usage reports can be scheduled and sent periodically via email, or viewed directly via the web interface.
How Firewall Policy Optimization improves Firewall rule base performance
With every new connection, the Firewall scans all the rules, looking for a rule with an exact match for the connection. As your rule base grows larger, the performance of your Firewall necessarily degrades. With a longer rule base, the Firewall must scan more rules in order to match a new network connection with the correct rule. This activity can impair Firewall throughput and response time.
The good news is that with SecureTrack Firewall Policy Optimization, you can improve Firewall performance. Improved rule match lookup time and quicker policy installs can be accomplished by using SecureTrack Firewall Policy Optimization to discover actual rule usage in each policy. After careful consideration, you can remove unused rules and reorder rule placement according to usage statistics.
Technical Notes on Rule, Object and NAT usage reports
External Log Servers
SecureTrack supports external Log Servers. This includes Provider-1 Customer Log Modules (CLM) and multiple Log Servers on a single Management Server. When external Log Servers are used for traffic logging, SecureTrack will connect to each Log Server to receive the traffic logs.
Keeping track of changing rule numbers
Each rule's internal unique identifier (UID) is used for matching traffic logs with corresponding rules. Rule, Object and NAT usage reports will remain correct even when rule numbers change over time.
Moving Firewall rules for optimization purposes
Changing a rule's order within the rule base for optimization purposes should only be done after careful consideration by a qualified security manager, as the order of certain rule groups may need to be preserved.
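The rule usage analysis described above, as an added illustration that is not Tufin's code: it counts traffic log hits per rule UID, sorts rules into the categories listed on this page, and, because matching is by UID rather than by rule number, returns the same report after the rule base is renumbered. The rule base, the UIDs and the log lines (including the rule_uid field name) are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample rule base: each rule has a stable UID, its current
# position number and a "track" flag saying whether it logs connections.
# The UIDs are made-up placeholders, not real product identifiers.
RULES = [
    {"no": 1, "uid": "uid-a1", "name": "allow-dns", "track": True},
    {"no": 2, "uid": "uid-b2", "name": "allow-legacy-ftp", "track": True},
    {"no": 3, "uid": "uid-c3", "name": "allow-https", "track": True},
    {"no": 4, "uid": "uid-d4", "name": "allow-vpn-mgmt", "track": False},
]

# Constructed traffic log lines in a simplified key=value form; only the
# rule_uid field is used, so the rest of the format does not matter here.
LOGS = """\
action=accept src=10.0.0.5 dst=10.0.1.9 service=https rule_uid=uid-c3
action=accept src=10.0.0.5 dst=10.0.1.9 service=https rule_uid=uid-c3
action=accept src=10.0.0.7 dst=10.0.1.2 service=dns rule_uid=uid-a1
action=accept src=10.0.0.8 dst=10.0.1.9 service=https rule_uid=uid-c3
action=drop src=10.0.0.9 dst=10.0.1.3 service=smtp rule_uid=uid-zz
""".splitlines()

UID_RE = re.compile(r"\brule_uid=(\S+)")


def count_hits(log_lines):
    """Count log entries per rule UID; lines without a UID are skipped."""
    hits = Counter()
    for line in log_lines:
        m = UID_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits


def classify(rules, hits, top_n=1):
    """Assign rules to the usage report categories. Position is ignored:
    only the UID links a rule to its log entries, so renumbering the rule
    base does not change the result. Untracked rules produce no logs, so
    they are reported separately rather than counted as unused."""
    tracked = [r for r in rules if r["track"]]
    by_use = sorted(tracked, key=lambda r: hits[r["uid"]], reverse=True)
    used = [r["name"] for r in by_use if hits[r["uid"]] > 0]
    return {
        "no_tracking": [r["name"] for r in rules if not r["track"]],
        "unused": [r["name"] for r in tracked if hits[r["uid"]] == 0],
        "most_used": used[:top_n],
        "least_used": used[-top_n:] if len(used) > top_n else [],
    }


def unknown_uids(rules, hits):
    """UIDs present in logs but absent from the rule base (deleted rules)."""
    known = {r["uid"] for r in rules}
    return sorted(u for u in hits if u not in known)
```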

"IDC sees an accelerated demand for solutions that combine change management, risk and business continuity management along with enterprise helpdesk products integration."
Dan Yachin, Research Director, IDC EMEA Emerging Technologies

"SecureTrack's extensive real-time monitoring and analysis facilities can make light work of firewall change management and security policy compliance."
SC Magazine

"SecureTrack has made a measurable impact on Axpo’s firewall operations and has helped us to reduce service interruptions and network downtime."
David Spale, Axpo

"Compliance and complexity are driving the requirement for better capability in optimizing the existing firewall rules base, and examining the impact of any proposed rule changes."
Greg Young, Gartner

"With Tufin SecureTrack, we are able to provide increased levels of accountability with internal and regulatory compliance requirements."
Victor Hsiang, TransUnion

"Overall, we found SecureTrack a powerful firewall operations management tool that is particularly easy to use."
Network Computing

"The overwhelming majority of breaches at the firewall are from misconfiguration rather than any wily hacking of firewall vulnerabilities."
Greg Young, Gartner

"We are spending much less time manually updating each of our firewalls and can focus our attention on our customers. SecureTrack automation has made our team more efficient."
Bühler Werner, Axpo
Copyright © 2003-2008 Tufin Software Technologies Ltd.