Athena FirePAC Frequently Asked Questions
Installation and Licensing
- How is FirePAC licensed?
- Which vendors does FirePAC support?
- How do I upgrade my number of firewalls?
- Can I install FirePAC on more than one workstation?
- How does FirePAC collect and store data?
Firewall Rule Cleanup and Optimization
- How do I use FirePAC to find and clean up unnecessary rules?
- How do I use FirePAC to find and clean up unnecessary objects?
- How do I use FirePAC to get usage data about my firewall rules?
- How do I use FirePAC to optimize my rulebase for better performance?
Firewall Operations Management/Change Support
- How do I use FirePAC to find ACL rules that match a given service, source, or destination address in my firewalls?
- How do I use FirePAC to find ACL rules that refer to a service or address object in my firewalls?
- How do I use FirePAC to quickly find the member and containing object hierarchy of a service or address object?
- How do I use FirePAC to quickly find all service objects and object groups that match a port range?
- How do I use FirePAC to quickly find all address objects and object groups that match an IP address or a subnet?
- How is FirePAC licensed?
FirePAC is a desktop software product with licensing based on the number of firewalls to analyze.
For a multi-user license, please call us at (630) 629-0600 x18.
A license allows for unlimited use on registered firewalls. FirePAC identifies registered firewalls by primary IP address. You must provide Athena Security with the IP addresses of the firewalls that will be analyzed by FirePAC at the time that your license is generated.
- Which vendors does FirePAC support?
FirePAC supports the following firewall products:
- Cisco security appliances (PIX, ASA, FWSM)
- Juniper Netscreen Series, ISG Series, SSG Series
- Check Point products: SmartCenter NG/NGX, Security Management R70
- Check Point platforms: SecurePlatform, IPSO, Crossbeam, Linux, Solaris
- How do I upgrade my number of firewalls?
Additional firewalls can be added to your account at any time. You must provide Athena Security with the primary IP address of each new firewall to be analyzed. A new license key is then generated that covers both the existing and the newly added firewalls.
- Can I install FirePAC on more than one workstation?
You can install and use FirePAC on any machine, but only for the licensed firewalls.
- How does FirePAC collect and store data?
FirePAC uses the configuration files of supported firewall devices to perform analysis. The configuration files are imported from the local host's filesystem and must be obtained from the firewall device independently of FirePAC.
For help obtaining configuration files, download the FirePAC Data Collection Guide.
- How do I use FirePAC to find and clean up unnecessary rules?
FirePAC identifies unnecessary rules as those rules whose functionality is covered by one or more preceding or succeeding rules in the rule base. Removing these rules has no effect on the behavior of the firewall. FirePAC flags them in the Redundant and Shadowed Rules section of the Firewall Cleanup and Optimization report. Redundant rules have the same action as the rules that cover them. Shadowed rules have a different action than the rule or rules that cover them; this may indicate a misconfiguration, since the intent of the rules is in conflict.
FirePAC also identifies rules that are made redundant or shadowed by several rules together, each of which covers only a portion of the redundant rule. The covering rules may precede the rule in question, follow it, or both.
A rule may therefore be made redundant by rules that precede or follow it. We have observed that more than 50% of redundant rules are in fact covered by rules that follow them. This typically happens when a rule base contains many specific rules and a general rule that covers all of the specific cases and more is later added after them.
The Redundant and Shadowed Rules section of the Firewall Cleanup and Optimization report shows each unnecessary rule together with the rules that cover it. Each unnecessary rule is identified with a comment, for example "Redundant to <10, 20>" or "Shadowed by <40, 50>". The numbers in the comment are the rule numbers (or line numbers) of the access list statements in the rule base that cover the redundant or shadowed rule.
You may also wish to eliminate disabled rules and time-inactive rules, listed under the corresponding section headers of the Firewall Cleanup and Optimization report.
Note: There are cases where you may not want to remove a rule even though it is redundant because it is covered by a rule below it. The redundant rule may have been inserted deliberately, for example to log packets to the specific destination named in the rule, to trigger application inspection, or to improve performance by matching frequent traffic early. In such cases, leave the rule as is.
- How do I use FirePAC to find and clean up unnecessary objects?
FirePAC identifies all address and service objects that are not used in any ACL or NAT rule in the firewall. Unused objects are determined by analyzing the membership hierarchy of the group objects used in rules: an object is used if a rule references it directly or through a group (at any nesting depth) that a rule references, so an object whose only container is an unreferenced group is itself reported as unused. The sections Unused Network Objects, Unused Network Group Objects, Unused Service Objects and Unused Service Group Objects in the Firewall Cleanup and Optimization report list all the unused objects in the firewall configuration.
- How do I use FirePAC to get usage data about my firewall rules?
FirePAC aggregates rule usage data from firewall logs or access list hit counts, so you can feed it daily or weekly logs collected over an extended period to get an accurate picture of rule usage. FirePAC uses this data to report the most used rules, the unused rules and an optimized rule order for better firewall performance. The aggregated usage data appears in the Most Used Rules, Unused Rules and Optimized Rule Order sections of the Firewall Cleanup and Optimization report.
For Check Point and Juniper NetScreen firewalls, the firewall logs determine rule usage. Any rule that has a tracking option and does not appear in the log data is marked as unused. Rules without a tracking option never appear in the logs, so log data cannot say anything about them.
For Check Point firewalls, the Rule UID in the log data identifies the used rules in the rule base. For NetScreen firewalls, the policy IDs in the syslog data identify the used rules in the rule base.
For Cisco PIX/ASA/FWSM firewalls, access list hit counts determine rule usage. Any rule with a hit count of zero is considered unused. Hit counts are obtained with the command "show access-list". Note that hit counts are reset when the firewall restarts, and can also be reset explicitly with "clear access-list [id] counters", so a single snapshot only reflects traffic since the last reset; collect snapshots regularly so that usage before a reset is not lost.
If SolarWinds Orion NCM is used as the source for importing firewall configuration data, FirePAC automatically downloads the access list hit counts from the firewall through Orion NCM.
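To make the hit-count caveat concrete, here is an added example (my code, not FirePAC's) that parses the per-rule "(hitcnt=N)" values from several snapshots of ASA "show access-list" output and aggregates them over time, treating a counter that decreased as a reset. The snapshots, the ACL name "outside_in", the rule bodies and the hash values are constructed for the example; only the line format follows the ASA output.

```python
import re
from collections import defaultdict

# One per-rule line of ASA/PIX/FWSM "show access-list" output looks like
#   access-list outside_in line 3 extended permit udp any host 192.168.1.20 eq domain (hitcnt=0) 0x3c4d5e6f
# Header lines ("access-list outside_in; 4 elements; ...") have no "line N" and are skipped.
HIT_RE = re.compile(r"^\s*access-list (\S+) line (\d+) .*\(hitcnt=(\d+)\)")


def parse_hitcounts(text):
    """Return {(acl, line): hitcnt} for one snapshot of 'show access-list'."""
    counts = {}
    for raw in text.splitlines():
        m = HIT_RE.match(raw)
        if m:
            counts[(m.group(1), int(m.group(2)))] = int(m.group(3))
    return counts


def aggregate(snapshots):
    """Sum per-rule hits across snapshots taken over time (oldest first).

    Counters are cumulative since the last reboot or "clear access-list ... counters",
    so usage between two snapshots is the delta.  A counter that went *down* can only
    mean a reset: its current value is then counted in full.  Hits made between the
    previous snapshot and the reset are lost, and a reset whose counter has already
    climbed back to the previous value goes unnoticed and is under-counted; frequent
    snapshots keep both errors small."""
    total = defaultdict(int)
    prev = {}
    for snap in snapshots:
        cur = parse_hitcounts(snap)
        for key, n in cur.items():
            before = prev.get(key, 0)
            total[key] += n - before if n >= before else n
        prev = cur
    return dict(total)


def unused_rules(total):
    """Rules whose aggregated hit count is still zero."""
    return sorted(key for key, n in total.items() if n == 0)


def most_used(total, top=3):
    """The top-N rules by aggregated hits."""
    return sorted(total.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


def constructed_snapshot(counts):
    """Build a constructed 'show access-list' output with the given hit counts.
    ACL name, rule bodies and hash values are made up for this example."""
    rules = ["permit tcp any host 192.168.1.10 eq www",
             "permit tcp any host 192.168.1.10 eq https",
             "permit udp any host 192.168.1.20 eq domain",
             "deny ip any any"]
    lines = ["access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)",
             "access-list outside_in; 4 elements; name hash: 0x9a7b1c2d"]
    for i, (body, n) in enumerate(zip(rules, counts), start=1):
        lines.append(f"access-list outside_in line {i} extended {body} "
                     f"(hitcnt={n}) 0x{0x1a2b3c4d + i:08x}")
    return "\n".join(lines)


# Three daily snapshots; the firewall rebooted between day 1 and day 2,
# so every counter started again from zero.
SNAPSHOTS = [constructed_snapshot(c)
             for c in ([100, 40, 0, 7], [30, 5, 0, 2], [80, 5, 0, 9])]


def usage_report(snapshots=SNAPSHOTS):
    total = aggregate(snapshots)
    return {"total": total, "unused": unused_rules(total), "most_used": most_used(total)}


if __name__ == "__main__":
    print(usage_report())
```

Taking only the last snapshot would credit rule 1 with 80 hits instead of 180, and a naive delta would go negative on day 2; the reset rule in aggregate() is what makes multi-day collection usable.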
- How do I use FirePAC to optimize my rulebase for better performance?
FirePAC combines the rule usage data (from firewall logs or hit counts) with rule order dependency analysis to compute an optimized rule order that improves the performance of the firewall. Rules are reordered by usage while respecting order dependencies. Order dependent rules are rules that overlap with each other and have opposite actions (for example permit and deny); their relative order must be kept. The optimized rule order preserves the original firewall behavior.
You should run FirePAC to determine the optimized rule order after you have completed rule cleanup involving unnecessary or unused rules.
Order dependent rules are listed in the Rule Order Dependencies section of the Firewall Cleanup and Optimization report. The new optimized rule order can be found in the Optimized Rule Order section of the report.
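As an added example, not FirePAC code, the following Python reproduces the two analyses described in the rule cleanup and rule order answers above on a constructed, simplified rule base: it flags rules covered by a single earlier rule (redundant or shadowed, depending on the action) or by a single later same-action rule with no conflicting rule in between, lists order dependencies (overlapping rules with opposite actions), and computes a usage-based order that keeps every dependency. Coverage by the union of several partially covering rules, which FirePAC also reports, is not attempted. The rule format, addresses and hit counts are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    num: int        # rule / line number in the ACL
    action: str     # "permit" or "deny"
    proto: str      # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: tuple    # (low, high) destination port range; (0, 65535) for "ip"


def parse_rule(line):
    """Parse one line of the constructed format 'num action proto src dst lo-hi'."""
    num, action, proto, src, dst, ports = line.split()
    lo, hi = (int(p) for p in ports.split("-"))
    return Rule(int(num), action, proto, ipaddress.ip_network(src),
                ipaddress.ip_network(dst), (lo, hi))


def covers(a, b):
    """True if every packet matched by rule b is also matched by rule a."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])


def overlaps(a, b):
    """True if at least one packet is matched by both rules."""
    return (("ip" in (a.proto, b.proto) or a.proto == b.proto)
            and a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1])


def classify(rules):
    """rule number -> ("redundant" | "shadowed", covering rule number).
    Only a single covering rule is considered, not the union of several."""
    findings = {}
    for i, r in enumerate(rules):
        # Covered by an earlier rule: r can never match a packet (first match wins).
        earlier = next((e for e in rules[:i] if covers(e, r)), None)
        if earlier is not None:
            kind = "redundant" if earlier.action == r.action else "shadowed"
            findings[r.num] = (kind, earlier.num)
            continue
        # Covered by a later rule: r is removable only if that rule has the same
        # action and no rule in between takes part of r's traffic with the opposite one.
        for j in range(i + 1, len(rules)):
            if covers(rules[j], r):
                conflict = any(m.action != r.action and overlaps(m, r)
                               for m in rules[i + 1:j])
                if rules[j].action == r.action and not conflict:
                    findings[r.num] = ("redundant", rules[j].num)
                break
    return findings


def order_dependencies(rules):
    """(earlier, later) pairs that overlap with opposite actions: swapping them
    would change which action wins for the shared traffic."""
    return [(a.num, b.num) for i, a in enumerate(rules)
            for b in rules[i + 1:] if a.action != b.action and overlaps(a, b)]


def optimized_order(rules, hits):
    """Greedy reorder: repeatedly take the most-hit rule that no remaining rule
    must precede.  Same-action overlaps may move freely; behaviour is unchanged."""
    deps = order_dependencies(rules)
    remaining, ordered = list(rules), []
    while remaining:
        present = {r.num for r in remaining}
        blocked = {later for earlier, later in deps if earlier in present}
        ready = [r for r in remaining if r.num not in blocked]
        pick = max(ready, key=lambda r: hits.get(r.num, 0))  # ties keep original order
        ordered.append(pick.num)
        remaining.remove(pick)
    return ordered


# Constructed rule base (not from a real firewall).
SAMPLE_ACL = [parse_rule(l) for l in """
10 permit tcp 10.1.0.0/16 192.168.1.10/32 80-80
20 deny   tcp 10.1.5.0/24 192.168.1.10/32 80-80
30 permit tcp 10.1.2.0/24 192.168.1.10/32 80-80
40 permit udp 10.2.3.0/24 192.168.1.20/32 53-53
50 deny   udp 10.2.9.0/24 192.168.1.20/32 53-53
60 permit udp 10.2.0.0/16 192.168.1.20/32 53-53
70 permit tcp 10.3.0.0/16 0.0.0.0/0 443-443
80 deny   ip  0.0.0.0/0   0.0.0.0/0 0-65535
""".splitlines() if l.strip()]
# Constructed hit counts, e.g. aggregated from "show access-list".
SAMPLE_HITS = {10: 120, 20: 0, 30: 0, 40: 15, 50: 3, 60: 900, 70: 40, 80: 2000}


def report(rules=SAMPLE_ACL, hits=SAMPLE_HITS):
    """Clean up first, then order the surviving rules, as the FAQ recommends."""
    findings = classify(rules)
    kept = [r for r in rules if r.num not in findings]
    return {"findings": findings,
            "dependencies": order_dependencies(kept),
            "optimized_order": optimized_order(kept, kept and hits)}


if __name__ == "__main__":
    print(report())
```

On the sample, rule 20 is shadowed by 10, rule 30 is redundant to 10, and rule 40 is redundant to the later rule 60 (rule 50 lies between them but does not overlap 40). Rule 80, the most-hit rule, still ends up last: every permit overlaps it with the opposite action, so moving it up would change behaviour. That is exactly the kind of constraint the Rule Order Dependencies section records.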
- How do I use FirePAC to find ACL rules that match a given service, source, or destination address in my firewalls?
Using the Rule Search feature in FirePAC, you can quickly search for ACL rules across multiple firewalls by service, source and destination. Source and destination can be IP address ranges or object names. The search value for a service can be an object name, a port value or port range for TCP/UDP services, or a protocol range. Any of the three parameters that is omitted is not used in the search.
The search provides an option for a partial or an exact match of the search values; exact match is the default.
A partial match is useful for finding any occurrence of a specific address, service or object in a rule, in particular when the service is part of an object definition and you do not know the object name.
An exact match is useful when you want rules that contain the entire input, either as is or as part of a larger aggregation such as a group object. For example, when searching for a range value or "Any", you may not want rules that only partially match the range, but only rules that contain all of your search values.
You can also restrict the search to return only allow or deny rules.
The results are presented in a uniform tabular view for all firewall types.
- How do I use FirePAC to find ACL rules that refer to a service or address object in my firewalls?
Use the Rule Search feature in FirePAC and enter the service or address object name in the corresponding field. You can narrow the search further by specifying other address and/or service parameters, and you can search across multiple firewalls in a single step. Any of the three parameters that is omitted is not used in the search. You can also restrict the search to return only allow or deny rules.
The results also include rules that refer to object groups containing the object named in the search, so you can see the full effect of that object on the ACL rules.
- How do I use FirePAC to quickly find the member and containing object hierarchy of a service or address object?
Using the Object Search feature in FirePAC, you can enter a service or address object name to search objects across multiple firewalls in the inventory. Object names are matched by prefix, so you do not need to type the complete name; this helps when the name is long or you are not sure of it. The search returns all objects matching the name, including any object groups that contain a matching object anywhere in their member hierarchy.
Results are presented in a tree table that is uniform across firewall types, showing the complete hierarchy of object groups down to the lowest level, with the ability to expand and view the definition of any member object. Every object that matched the name is highlighted in bold, including where it appears as a member of an object group. This lets you get quickly to the objects you are looking for while also seeing which object groups refer to them.
- How do I use FirePAC to quickly find all service objects and object groups that match a port range?
Using the Object Search feature in FirePAC, you can enter a service port range to search service objects across multiple firewalls in the inventory. The search returns all service objects matching the port range, including all object groups that contain a matched service object in their member hierarchy. Every service object that matched the port range is highlighted in bold in the results tree, including where it appears as a member of an object group, so you get quickly to the objects you are looking for while also seeing which object groups refer to them.
The search has an option to return objects that match only part of the port range. By default only objects that match the complete port range are returned.
- How do I use FirePAC to quickly find all address objects and object groups that match an IP address or a subnet?
Using the Object Search feature in FirePAC, you can enter an IP address and subnet mask to search address objects across multiple firewalls in the inventory. The search returns all address objects matching the address and mask, including all object groups that contain a matched address object in their member hierarchy. Every address object that matched is highlighted in bold in the results tree, including where it appears as a member of an object group, so you get quickly to the objects you are looking for while also seeing which object groups refer to them.
The search has an option to return objects that match only part of the address and mask. By default only objects that match the complete address and mask are returned.
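The object hierarchy is what ties together the unused-object answer and the three Object Search answers above, so here is one added example (my code, not FirePAC's) over a constructed object inventory: it walks group membership downward to find objects and groups no rule reaches, walks it upward to list the containing groups of a name-prefix hit, and searches address objects by subnet and service objects by port range with a complete/partial switch. "Complete match" is implemented as "the object contains the whole query" and "partial" as "any overlap", which is my reading of the FAQ's wording (the same distinction the Rule Search exact/partial option draws); the object names, networks, ports and rules are all made up.

```python
import ipaddress

# Constructed inventory for one firewall (not real data).  Address objects are
# networks, service objects are (proto, low, high); groups list member names
# and may nest other groups.
ADDR_OBJECTS = {"web01": "192.168.1.10/32", "web02": "192.168.1.11/32",
                "dns01": "192.168.1.20/32", "lan": "10.0.0.0/8",
                "old_vpn_pool": "172.16.5.0/24"}
ADDR_GROUPS = {"web_servers": ["web01", "web02"],
               "dmz_hosts": ["web_servers", "dns01"],   # nested group
               "legacy": ["old_vpn_pool"]}              # never referenced by a rule
SVC_OBJECTS = {"http": ("tcp", 80, 80), "https": ("tcp", 443, 443),
               "dns": ("udp", 53, 53), "rdp": ("tcp", 3389, 3389)}
SVC_GROUPS = {"web": ["http", "https"]}
# Rules reference names only: (action, source, destination, service).
RULES = [("permit", "lan", "dmz_hosts", "web"),
         ("permit", "lan", "dns01", "dns")]


def members(name, groups):
    """Every name reachable downward from a group through nested membership."""
    seen, stack = set(), list(groups.get(name, []))
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(groups.get(n, []))
    return seen


def containers(name, groups):
    """Every group that contains name, directly or through nested groups."""
    found, frontier = set(), [name]
    while frontier:
        n = frontier.pop()
        for group, mem in groups.items():
            if n in mem and group not in found:
                found.add(group)
                frontier.append(group)
    return found


def unused(objects, groups, referenced):
    """Objects and groups no rule reaches, even through group membership.
    An object whose only container is an unreferenced group is unused too."""
    used = set()
    for name in referenced:
        used.add(name)
        used |= members(name, groups)
    return sorted((set(objects) | set(groups)) - used)


def search_name(prefix, objects, groups):
    """Prefix match on object and group names; each hit lists its containing groups."""
    return {n: sorted(containers(n, groups))
            for n in list(objects) + list(groups) if n.startswith(prefix)}


def search_address(query, partial=False):
    """Address objects matching a subnet.  Complete (default): the object
    contains the whole query.  Partial: any overlap."""
    q = ipaddress.ip_network(query)
    hits = {}
    for name, net in ADDR_OBJECTS.items():
        n = ipaddress.ip_network(net)
        if (n.overlaps(q) if partial else q.subnet_of(n)):
            hits[name] = sorted(containers(name, ADDR_GROUPS))
    return hits


def search_service(proto, lo, hi, partial=False):
    """Service objects matching a port range, same complete/partial semantics."""
    hits = {}
    for name, (p, olo, ohi) in SVC_OBJECTS.items():
        if p == proto and ((olo <= hi and lo <= ohi) if partial
                           else (olo <= lo and hi <= ohi)):
            hits[name] = sorted(containers(name, SVC_GROUPS))
    return hits


def unused_report(rules=RULES):
    addr_refs = {r[1] for r in rules} | {r[2] for r in rules}
    svc_refs = {r[3] for r in rules}
    return {"addresses": unused(ADDR_OBJECTS, ADDR_GROUPS, addr_refs),
            "services": unused(SVC_OBJECTS, SVC_GROUPS, svc_refs)}


if __name__ == "__main__":
    print(unused_report())
    print(search_name("web", ADDR_OBJECTS, ADDR_GROUPS))
    print(search_address("192.168.1.0/24"), search_address("192.168.1.0/24", partial=True))
```

Note how the two match modes differ: a complete-match search for 192.168.1.0/24 returns nothing, because no object contains that whole subnet, while the partial search returns the three /32 hosts inside it; conversely a complete-match search for 10.1.2.0/24 returns "lan", the object that contains it.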