Question

Compliance and NGFW Policy Audit?

  • 22 August 2022
  • 2 replies
  • 51 views

 

Has anyone done NFGW Policy Audit with NetBrain automation (Rule Compliance, Access Compliance, Configuration Compliance) ?

NetBrain collects the configuration, but there doesn't seem to be a build-in check relevant for businesses.

Deleting unused rules also needs log information, but perhaps doable?

 

SD-WAN, NFGW, and Cloud FW are usually under the special control and ownership of companies, i.e., there is interest, while the operator holds the WAN configuration. Even outsourced FW management, business need to audit compliance regulary.

 

Of course, one option is to choose a separate FW Policy audit software, but if you have all config and digital twin it could be part of NB solution by default?


2 replies

Userlevel 1

Hi Hannu,

               NetBrain is Highly Customizable platform for building automations. you can build Automation for this requirement using Network Intent [NI] & Network Intent Cluster [NIC] which is No-Code/Low-Code feature available in NetBrain.

NI Example for Checking FW Policy Compliance:

  • Step1: You need to retrieve output of relevant CLI Command for FW Policy Check then Define Variables as mentioned in below snip.

 

  • Step2:  You need to Define Diagnosis which will verify FW Policy compliance and check for any deviations from Baseline data.  In this Section we can also configure Diagnosis Notes and alerts in case of FW Policy non-compliance.

 

In this Example I have shown you the CLI command Diagnosis for FW Policy Compliance check and similarly you can build FW Rule Compliance, Access Compliance. For this, you need relevant CLI commands then you can create parsers / Define Variables [Step 1 in NI] and Define Diagnosis [Step 2 in NI].

As the Network intent is Device specific, we can create NIC [Network Intent Cluster] to replicate the NI Logic across all list of Devices on which we would like to check FW Policy Compliance. 

  • Below snip shows the NIC in which we are able to replicate the NI Logic to 6 devices.

 

I Hope this answered your question. Please raise a support case for any further assistance.

Thank you.!

 

Thanks

 

At least its doable in theory ;-)

 

Large enterprise customers are worried about FW policy audits, since SD-WAN and local Internet breakout means hundreds of Internet Firewalls. If company has grown using acquisitions, its multi-vendor environment and wild west.

 

Best regards

Reply


Community |  Ideas

Facebook |  Instagram |  Youtube |  Twitter |  LinkedIn
Privacy & Security Statement  |  Terms & Conditions |  Impressum  |  UK Modern Slavery Statement