Firewall Rule Detection & Provisioning using AppViewX

Firewall rule provisioning no longer needs to be a bottleneck for application teams, nor an administrative overhead for network engineers.

Challenge:

One of the age-old and still unsolved challenges in the firewall world is finding a way to deploy firewall rules quickly enough to keep up with rapid development without causing an outage. Many have tried giving access directly to developers, who end up creating a storm of rules that result in outages. Many others keep the network team in the middle as the checkpoint, which becomes a bottleneck for rapid application deployments. On top of that, the data and intelligence about the network is scattered across spreadsheets or locked inside the heads of senior engineers who know every twist and turn of their environment. There has to be a better way, and I am here to say there is!

AppViewX lets the requestor (network team or application team) efficiently discover the firewall rule(s) that apply between multiple source and destination IPs and, if required, proceed to create or print the rule that permits the connection.

Isn’t this just what the doctor ordered?

Pre-Requisites (Some Housekeeping)

All firewalls in scope must be in the managed state in AppViewX's inventory. Network zone (subnet) details must be provided to AppViewX, since rule discovery relies on them.

Solution Approach

1. The flow details (Source IP, Source Port, Destination IP, Destination Port and Protocol) are captured on the AppViewX form.
   • For bulk requests, a .csv file can be uploaded into the AppViewX system.

2. AppViewX crunches the request data together with the .csv file containing the list of network subnets. It searches its rule database for the rules in which the source IP / destination IP subnets are already referenced, and then uses those rules to determine whether the traffic is already allowed or not.
   • If the traffic is not allowed, AppViewX submits a rule creation/modification request for the firewalls concerned and sends it to the firewall team for review.

3. Once the firewall team reviews and approves the rules to be created/modified, the request is implemented and closed, and the requestor is notified.

4. This approval step is optional and can be set to auto-approval.

5. Additionally, AppViewX creates a new change ticket in ServiceNow (or another ITSM tool) with the specified change window and notifies the respective CAB for approval.

6. Once the approvals are done, AppViewX auto-implements the change at the scheduled time, after first checking the status of the Change Request in ServiceNow. If the Change Request is not approved, AppViewX will not implement the request.
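As an added illustration of the discovery step in the workflow above (this is not AppViewX code; the rule export, subnets and first-match-wins evaluation are constructed assumptions), the following Python checks a requested flow against a rule table and reports whether it is already permitted, explicitly denied, or covered by no rule at all and so needs a creation request:

```python
import csv
import io
import ipaddress
from dataclasses import dataclass

# Constructed sample rule export (not AppViewX data), in evaluation order; first match wins (assumption).
RULES_CSV = """firewall,rule_id,src_subnet,dst_subnet,proto,dst_port,action
fw-edge-1,101,10.10.0.0/16,10.20.5.0/24,tcp,443,permit
fw-edge-1,102,10.10.0.0/16,10.20.5.0/24,tcp,22,deny
fw-edge-1,103,0.0.0.0/0,10.20.5.0/24,tcp,22,permit
"""

@dataclass(frozen=True)
class Rule:
    firewall: str
    rule_id: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str     # "tcp", "udp" or "any"
    dst_port: str  # numeric port or "any"
    action: str    # "permit" or "deny"

    def covers(self, src_ip, dst_ip, proto, dst_port):
        """True if this rule references both endpoints and the service of the flow."""
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and self.proto in ("any", proto)
                and self.dst_port in ("any", str(dst_port)))

def load_rules(text):
    """Parse the CSV export into Rule objects, preserving rule order."""
    return [Rule(r["firewall"], r["rule_id"], ipaddress.ip_network(r["src_subnet"]),
                 ipaddress.ip_network(r["dst_subnet"]), r["proto"], r["dst_port"],
                 r["action"]) for r in csv.DictReader(io.StringIO(text))]

def discover(rules, src_ip, dst_ip, proto, dst_port):
    """Every rule whose source/destination subnets already reference this flow."""
    return [r for r in rules if r.covers(src_ip, dst_ip, proto, dst_port)]

def decide(rules, src_ip, dst_ip, proto, dst_port):
    """('permitted'|'denied', rule_id) for an existing rule, or ('no_rule', None)
    when nothing covers the flow and a rule creation request is needed."""
    hits = discover(rules, src_ip, dst_ip, proto, dst_port)
    if not hits:
        return ("no_rule", None)
    first = hits[0]  # first-match-wins assumption
    return ("permitted" if first.action == "permit" else "denied", first.rule_id)

RULES = load_rules(RULES_CSV)
```

A "denied" result maps to the modification path and "no_rule" to the creation path in step 2; either way the decision is traceable to a rule id for the reviewer.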

How Does this All Happen?

All of this is driven by the automation engine running on AppViewX and the Python programming skills of our brightest developers, who brought this solution to life.

Firewall Rule Detection Challenge Solved!

Contact me for more details on this and I will be happy to give you a demo sometime.
