Posted on Jan 31st, 2016 by Reuven Harrison

Firewall rules must be documented but it's rarely done correctly. For a busy security administrator, the effort it takes to find the business justification for hundreds of rules and access lists that were entered by admins long-gone is an insurmountable task. And there are additional challenges - most enterprise firewalls just don't have the features required to complete a thorough documentation project. A single 'Comments' field with a length limit cannot contain the required critical information for proper documentation, and reporting capabilities are usually non-existent.

Assuming you've somehow managed to document your rules, how do you maintain them? Each and every policy change must be supplemented by the relevant documentation, but will admins really remember to document during an urgent change request?

If this sounds all too familiar, don't panic, you're in good company. Most enterprises including some of the largest organizations and service providers in the world, have similar challenges.

Realizing the importance of firewall rule documentation, we have provided a solution within our firewall policy management suite.

Although it's been there for quite a while, we've recently added some important capabilities.

You can now maintain centralized rule documentation across major enterprise firewalls with five fields per rule or ACL:

  • Technical owner
  • Ticket ID
  • Business owner
  • Expiration date
  • Description

Rule metadata can now be edited manually or injected automatically via SecureChange access requests.

Advanced filtering enables you to identify rules across firewalls that match certain criteria. These may include rules owned by a certain person, rules that are about to expire or even rules that are not associated with a ticket and are therefore not justified by business. This is particularly important because they present a real challenge for PCI DSS compliance.

You can generate reports and you can also trigger alerts for rules that are about to expire to kickoff the re-certification process.

What about home grown documentation systems? Our professional services team is readily available to migrate the data or even to integrate both systems.

Rule documentation has never been a fun task, but now you can tackle it more easily and improve your security.