
SolarWinds Firewall Security Manager Quick Start Guide



FIREWALL SECURITY MANAGER

Copyright © 1995-2012 SolarWinds Worldwide, LLC. All rights reserved worldwide.

No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of SolarWinds. All right, title, and interest in and to the software and documentation are and shall remain the exclusive property of SolarWinds and its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, the SolarWinds & Design, ipMonitor, LANsurveyor, Orion, and other SolarWinds marks, identified on the SolarWinds website, as updated from SolarWinds from time to time and incorporated herein, are registered with the U.S. Patent and Trademark Office and may be registered or pending registration in other countries. All other SolarWinds trademarks may be common law marks or registered or pending registration in the United States or in other countries. All other trademarks or registered trademarks contained and/or mentioned herein are used for identification purposes only and may be trademarks or registered trademarks of their respective companies. Microsoft®, Windows®, and SQL Server® are registered trademarks of Microsoft Corporation in the United States and/or other countries.


About SolarWinds

SolarWinds, Inc develops and markets an array of network management, monitoring, and discovery tools to meet the diverse requirements of today’s network management and consulting professionals. SolarWinds products continue to set benchmarks for quality and performance and have positioned the company as the leader in network management and discovery technology. The SolarWinds customer base includes over 45 percent of the Fortune 500 and customers from over 90 countries. Our global business partner distributor network exceeds 100 distributors and resellers.

Contacting SolarWinds

You can contact SolarWinds in a number of ways, including the following:

Team: Contact Information
• Sales: 1.866.530.8100, www.solarwinds.com
• Technical Support: www.solarwinds.com/support
• User Forums: thwack.com

Conventions

The documentation uses consistent conventions to help you identify items throughout the printed and online library.

Convention: Specifying
• Bold: Window items, including buttons and fields
• Italics: Book and CD titles, variable names, new terms
• Fixed font: File and directory names, commands and code examples, text typed by you
• Straight brackets, as in [value]: Optional command parameters
• Curly braces, as in {value}: Required command parameters
• Logical OR, as in value1|value2: Exclusive command parameters where only one of the options can be specified


SolarWinds Firewall Security Manager Documentation Library

The following documents are included in the SolarWinds Firewall Security Manager (FSM) documentation library:

Document: Purpose
• Online User Guide: Provides context-sensitive help for the user interface as well as an online reference manual for FSM users and administrators.
• Evaluation Guide: Targeted to users evaluating FSM. Provides installation, setup, and common scenarios for which FSM provides a simple, yet powerful, solution.
• Quick Start Guide: Provides installation, setup, and common scenarios for which FSM provides a simple, yet powerful, solution.
• Release Notes: Provides late-breaking information, known issues, and updates. The latest Release Notes can be found at www.solarwinds.com.

Contents

About SolarWinds
Contacting SolarWinds
Conventions
SolarWinds Firewall Security Manager Documentation Library

Chapter 1 Introduction
  Integrating with SolarWinds NCM

Chapter 2 Installing Firewall Security Manager
  Requirements
  Deployment Best Practices
  Installing the FSM Server
  Importing Firewall Configurations
    Connecting to the Device
    Importing from SolarWinds NCM
  Installing FSM Clients
  FSM Licensing

Chapter 3 Getting Started
  Viewing and Querying Firewall Details
  Using Packet Tracer
  Optimizing Firewalls
  Running and Scheduling FSM Reports
    Running PCI Analysis Reports
    Running the Security Audit Report
    Scheduling FSM Batch Reports
  Using Change Advisor
    Configuring Change Advisor Users
    Configuring a Name Server
    Submitting a Change Request
    Managing Change Requests

Chapter 1

Introduction

SolarWinds Firewall Security Manager (FSM) is a versatile firewall and router management tool that provides comprehensive solution sets for audit and daily operational tasks. Use FSM to view and query device configurations in a normalized format, compare configuration versions, and model configuration changes before implementing them. Use reports in FSM to analyze compliance with enterprise and industry standards.

The following illustrates the components of an FSM installation.

FSM Server

The FSM server consists of the database server, which all clients share, the SolarWinds License Manager, an FSM client, and the FSM web server, which provides the web-based interface for Change Advisor.

FSM Clients

The FSM client software analyzes the configurations and log data the FSM server collects for your managed devices. For additional information, see "Deployment Best Practices" on page 4.

FSM Change Advisor Web Console

The FSM Change Advisor web console provides a web-based interface to enter and review change requests for the managed firewalls. For additional information, see "Using Change Advisor" on page 20.


Integrating with SolarWinds NCM

SolarWinds NCM is network configuration change management software that allows you to back up, analyze, and modify the configuration files on all of your network devices. This includes firewalls and firewall-capable routing devices. The following describes how FSM and NCM can work together to help you collect, analyze, and update your device configurations without ever having to go to the command line or manually access the device itself.

Collecting the Configuration Files

In FSM you have several options for collecting configuration files:
• connect directly to a Cisco or Juniper NetScreen device
• connect to a Check Point management server
• import configuration files from your company's file system

You can also connect to your NCM server to import configuration files from multiple devices. This allows you to leverage what NCM has already done for you and streamline the initial import process in FSM.

Analyzing the Configuration Files

After you have the configuration files in FSM, you can analyze your firewall rules in human-readable tables, compare different versions of configuration files, and even generate reports to tell you which rules are not being used or open your network to security risks. Using the various tools and reports in FSM, you can easily identify what needs to be changed on which devices, and then test those changes in an offline change-modeling environment to ensure your changes will not have any adverse effects.

Updating the Device Configurations

After you have identified what needs changing, FSM generates change scripts with the proposed changes. These scripts are fully editable, so you can implement only what you want and customize where necessary. After you have finalized the scripts, use NCM to execute them on the target devices.

For additional information about SolarWinds NCM, visit www.solarwinds.com/network-configuration-manager.aspx


Chapter 2

Installing Firewall Security Manager

Install FSM on a server that meets or exceeds the minimum requirements. After you install the FSM server, configure additional FSM clients as necessary. This section addresses the following topics regarding the initial setup:

• Requirements
• Deployment Best Practices
• Installing the FSM Server
• Importing Firewall Configurations
• FSM Licensing

Requirements

The following table provides the minimum requirements for SolarWinds FSM.

Software/Hardware: Requirements

Operating System
Install FSM on a 32- or 64-bit computer running any of the following operating systems:
• Windows Server 2003 or later (including SP2)
• Windows Server 2003 R2 or later (including SP2)
• Windows Server 2008 or later (including SP2)
• Windows Server 2008 R2 or later (including SP1)
• Windows Server 2012
• Windows 7 (clients only)
• Windows 8 (clients only)

Internet Browser (Change Advisor web console)
The FSM Change Advisor web console is compatible with the following Internet browsers:
• Microsoft Internet Explorer versions 7 and higher
• Mozilla Firefox versions 14 and higher
• Google Chrome versions 20 and higher
• Apple Safari Mobile
Note: SolarWinds does not support administrative functions for the FSM Change Advisor web console on Apple Safari Mobile.

CPU Speed
Pentium 2 GHz equivalent or faster (x86, x64, or AMD64)
Dual Core recommended

Memory
2 GB RAM for 32-bit installations
4 GB RAM for 64-bit installations

Hard Drive Space
1 GB
10 GB of temp space
50 GB of temp space for large firewall configurations
50 GB of temp space for the Usage Analysis task

Adobe Acrobat Reader
Version 6.0 or later

Microsoft Excel
Microsoft Office 2007 or later

Ports
FSM uses the following ports for communication:
• 3050 (TCP) for access to the shared database
• 4568 (TCP) for license manager
• 45680 (TCP) for license manager
• 8080 (TCP) for access to the Change Advisor web server
• 48080 (TCP) for access to the Change Advisor web server (express install only)
• 17778 (TCP) for access to a SolarWinds NCM server if you are using one to import device configurations into FSM
Note: All ports except for the NCM port are fully configurable in the licensed version of this product.

Deployment Best Practices

Install the FSM server on a dedicated server-class host. FSM automatically installs a client on this server. Use this client primarily to configure automatic imports of device configurations.

Although an FSM client is already installed on the FSM server, the best practice is to install a remote FSM client to perform analysis tasks from a computer other than the FSM server. Additionally, you can install multiple remote clients if you need to perform different analysis tasks at the same time. For example:
• If you have more than one network engineer
• If you run Impact Monitor
• If you need to poll devices on a regular basis
• If you want a dedicated report server for analysis reports

For additional information, see "Installing FSM Clients" on page 9.

Installing the FSM Server

Complete the following procedure to install the FSM server.

To install the FSM server:

1. Temporarily disable any antivirus software.
2. Extract the contents of the ZIP file you downloaded from the SolarWinds Customer Portal.
4. Select an installation type, and then click Next. For the sake of this guide, select Express Install – Recommended to install FSM with default settings.
   Note: The Express installation option creates the FSM database with a default password. If you want to change this password during the installation, select the Advanced option. Otherwise, you can change the password manually at any time. For additional information, see the help topic, Changing the FSM Database Password.
5. Enter your email address, and then click Next.
6. Accept the End User License Agreement (EULA), and then click Next.
7. After the installer finishes running the installation files, click Next.
8. After the installer finishes configuring FSM, click Next.
9. On the summary screen, review the list of installed components, and then click Done.

Importing Firewall Configurations

After you launch the FSM client for the first time, the application displays the Import Firewall Configurations wizard. This task stores the configuration files for the firewalls you import on the FSM server, which allows you to access the files offline for reporting and change modeling tasks.

FSM currently supports configurations from the following devices:
• Cisco security appliances: PIX, ASA, FWSM, ASA 8.3
• Cisco IOS routers: version 12.0 to 12.14, excluding X* series
• Juniper firewalls: Netscreen, SSG, ISG
• Check Point products: SmartCenter NG/NGX, Security Management R70 to R75 running on any platform, including:
  o SecurePlatform
  o Check Point IPSO (formerly Nokia)
  o Crossbeam
  o Linux
  o Solaris
  o Windows

For additional information about the devices we support, see the KB article, FSM Supported Devices.

When you import device configurations, the wizard presents the following import method options:

Import from FileSystem

Imports the configuration files for a single device from any locally accessible filesystem. This option requires that you have extracted the configuration files from the device and have them available.

Connect to Device

Connects to a specific device to extract the current configuration files. This option requires that you have network connectivity to the device and the appropriate credentials.

Import from NCM Repository

Imports the configuration files for one or more devices from a SolarWinds Network Configuration Manager (NCM) repository. FSM currently supports SolarWinds NCM versions 5.x, 6.x, and 7.x. This option requires network connectivity to the NCM server and the appropriate credentials.

Import from Check Point Management Server

Imports the configuration files for one or more Check Point firewalls from the Check Point management server. This option requires network connectivity to the Check Point management server and the appropriate credentials.

This guide covers two import scenarios:
• Connecting to the Device
• Importing from SolarWinds NCM

For additional information about importing device configurations from a file system, see the help topic, Data Collection Guide for Configs.

For additional information about importing device configurations from a Check Point management server, see the help topic, CPMI Connection Parameters.

Connecting to the Device

Use the following procedure if you want FSM to connect directly to your devices to retrieve their configuration files. This option requires that you have network connectivity to the device and the appropriate credentials.

To import firewall configurations directly from the device:

1. In the Import Firewall Configurations window, click Next.
2. On the Import New Firewall screen, complete the Device Information section as appropriate (optional).
4. In the Select Firewall Type section, select the type of device configuration you want to import. For the sake of this example, select Cisco Security Appliance (PIX/ASA/FWSM).
5. Click Next.
6. On the Firewall Connection Parameters screen, complete the Connection Parameters section:
   a. In the Device name or IP Address field, enter the hostname or IP address of the device.
   b. If you are connecting to the device using SSH, enter the appropriate username in the Username field.
   c. If you provided a username in the previous step, enter the corresponding password in the Password field.
   d. In the Transfer configs using field, select the transfer protocol.
      Note: FSM currently supports SSH 2 or Telnet. If your device uses SSH 1 or SSH 1.5, select Telnet as the transfer protocol.
   e. If you use a non-standard port for the protocol you selected, modify the default value in the Port field.
7. In the Firewall Command Template Parameters section, enter the appropriate values in the Value column, and then press Enter. For this example, enter the Enable password in the Value column for that parameter.
   Notes:
   • After importing the firewall's configurations, FSM stores these credentials to retrieve configuration updates.
   • The device command template uses additional parameters, which the wizard hides by default. If you have trouble connecting to a device, select Show internal command template parameters with default values, and modify the default parameters as necessary to mitigate the issue.
8. Click Finish.

After you import a firewall, FSM adds it to the Firewall Inventory. For additional information, see "Viewing and Querying Firewall Details" on page 13.

Importing from SolarWinds NCM

Use the following procedure if you want to import your device configuration files from a SolarWinds Network Configuration Manager (NCM) server. This procedure works with NCM version 7.x and higher. For information about earlier versions, see the help topic, NCM Connector Setup for NCM 6.x.

For additional information about SolarWinds NCM, visit www.solarwinds.com/network-configuration-manager.aspx

Requirements

The procedure in this section requires the following:
• Network access to the NCM server over port 17778
• The IP address of the NCM server
• The username and password of an NCM user with Execute Script permissions. NCM roles with this permission include:
  o Administrator
  o Engineer
  o WebUploader

Procedure

Complete the following procedure from an FSM client to import device configurations from a SolarWinds NCM server.

To import firewall configurations from an NCM server:

1. In the Import Firewall Configurations window, click Next.
2. On the Import New Firewall screen, complete the Device Information section as appropriate.
3. In the Select Import Method section, select Import from NCM Repository.
4. Click Next.
5. On the NCM Repository Connection Parameters screen, complete the Connection Parameters section:
   a. In the Server URL field, enter https://serverIP:17778, where serverIP is the IP address of the NCM server.
   b. In the Username field, enter the username for an NCM user with Execute Script permissions.
   c. In the Password field, enter the password for the NCM user.
6. Click Next.
7. After the wizard imports the list of available devices, select the devices you want to import.
   Note: FSM only imports configuration files from supported Cisco or NetScreen devices. The wizard does not allow you to proceed if you select a device with the type, "Unknown."
8. If the wizard returns a supported device with an Unknown type, click the Type field for that device, and then select the correct device type from the menu. To fix this issue on the NCM side, enable SNMP on the device, or manually select the device type in the node settings.
10. On the Firewall Import Status window, review the results of the import, and then click Complete Import.

Note: Warning messages in this window do not affect FSM's ability to analyze the device configurations.

After you import a firewall, FSM adds it to the Firewall Inventory. For additional information, see "Viewing and Querying Firewall Details" on page 13.

Installing FSM Clients

The FSM server includes the FSM client automatically. Install additional FSM clients to connect to the FSM server remotely, facilitate regular device polling, or to use as a report server.

To install an FSM client:

1. Temporarily disable any antivirus software.

2. Ensure the FSM server is accessible from the client over the required ports. Temporarily disable the firewall on the FSM server or create the applicable firewall rules to allow client connectivity. For additional information, see "Requirements" on page 3.

3. Using the same installer media you used to install the FSM server, run setup.exe.

5. Enter your email address, and then click Next.
6. Accept the End User License Agreement (EULA), and then click Next.
7. Browse to a custom installation folder or accept the default, and then click Next.
8. After the installer finishes installing the FSM client, click Next.
9. On the Local database configuration screen, click Test Connection.

Note: If you specified a new password for the FSM database either during the initial server installation or anytime thereafter, enter it here before testing the connection.

10. If the test is successful, click OK, and then click Next.

11. On the Shared database configuration screen, complete the information for the FSM server:

a. Enter the IP address of the FSM server in the IP-Address of the server field.

b. If you changed the shared database password, enter it in the Shared database password field.

c. Click Test Connection.

12. If the test is successful, click OK, and then click Next.

13. After the installer finishes configuring the FSM client, click Next.

14. On the summary screen, review the list of installed components, and then click Done.

FSM Licensing

SolarWinds licenses the FSM server according to the number of devices it manages. Managed devices include all firewall and firewall-capable routing devices. When you install the FSM server, it automatically starts a 30-day trial period.

When you are ready to enter your licensing information, open the SolarWinds License Manager and complete the appropriate licensing procedure:

To access the SolarWinds License Manager:

1. In the FSM client, click Help > License Manager.

2. If you need to purchase a license, click Buy Now to navigate to the SolarWinds website.

3. If you already have a license, click Enter Registration Key, and then complete one of the following procedures.

• Licensing Servers with Internet Access
• Licensing Servers without Internet Access

Licensing Servers with Internet Access

Complete the following procedure to license your FSM server if it has access to the Internet.

Note: If your FSM server accesses the Internet through a proxy server, complete the procedure for activating without Internet access instead.

To license FSM on a server with Internet access:

1. On the Add License window, select I have internet access and an activation key.
2. Click the http://customerportal.solarwinds.com link to access the customer portal on the SolarWinds web site.
3. Log on to the portal using your SolarWinds customer ID and password.
4. On the left navigation bar, click License Management.

5. Navigate to your product, choose an activation key from the Unregistered Licenses section, and then copy the activation key.

6. If you cannot find an activation key in the Unregistered Licenses section, contact SolarWinds customer support.

7. Return to the Add License window, and then enter the activation key in the Activation Key field.

8. Click Next.

9. Enter your email address and other registration information, and then click Next.

Licensing Servers without Internet Access

Complete the following procedure to license your FSM server if it does not have access to the Internet, or if it accesses the Internet through a proxy server.

To license FSM on a server without Internet access:

1. On the Add License window, select This server does not have internet access, and then click Next.

2. Click Copy Unique Machine ID.

3. Paste the copied data into a text editor document.

4. Transfer the document to a computer with Internet access.

5. On the computer with Internet access, complete the following steps:

a. Browse to


nt.aspx, and then log on to the portal with your SolarWinds customer ID and password.

b. Navigate to your product, and then click Manually Register License.

c. If the Manually Register License option is not available for your product, contact SolarWinds customer support.

d. Provide the Machine ID from Step 3, and then download your license key file.

6. Transfer the license key file to the FSM server.

7. Return to the Activate FSM window, browse to the license key file, and then click Next.


Getting Started

This chapter addresses some initial configuration steps along with a few common use cases for FSM. Review the following sections to get started:

• Viewing and Querying Firewall Details
• Using Packet Tracer
• Optimizing Firewalls
• Running and Scheduling FSM Reports
• Using Change Advisor

Viewing and Querying Firewall Details

After you import your devices, FSM lists them in the Firewall Inventory pane of the console.

To view a firewall's details:

1. Select the firewall in the Firewall Inventory pane.
2. Click File > View Details.

FSM displays the details under dedicated tabs in the right pane. The following define the sub-tabs on the details view. Use the filter fields at the top of the first four tabs to apply custom filters and query the configuration file.

Security Rules

The Security Rules tab of the details view displays all of the access control list (ACL) rules in the device configuration. Click an object in the Source, Destination, or Service column to view the object's definition in a separate dialog. Click outside of the definition dialog to close it.

NAT Rules

The NAT Rules tab of the details view provides a representation of the network address translation (NAT) rules in the device configuration. It displays the object's source, destination, and services before and after translation. Click an object in the Source, Destination, or Service column to view the object's definition in a separate dialog. Click outside of the definition dialog to close it.


Note: The entry, Original, in the translation (Trns.) columns indicates the NAT rule left the original value unchanged.

Network Objects

The Network Objects tab of the details view displays all the network address objects in the device configuration. This tab displays network object groups as collapsed tree lists. Click [+] next to the group name to expand the list and view the member objects.

Service Objects

The Service Objects tab of the details view displays all the service objects in the device configuration. This tab displays service object groups as collapsed tree lists. Click [+] next to the group name to expand the list and view the member objects.

Interfaces

The Interfaces tab of the details view displays a table of all the network interfaces identified in the device configuration. Select the checkbox in the PCI Zone column to indicate the selected zone leads to a PCI network. This is useful when preparing for a PCI audit.

FSM assigns a default zone to each of these interfaces. Click the Zone field to modify the zone assigned to a specific interface. To create custom zones, click Window > Preferences, and then specify the custom zones in the Zone Definitions section.

Native Configs

The Native Configs tab of the details view displays the native configuration file FSM imported from the device. This is exactly what you would see if you viewed the configuration file from the command-line interface (CLI).

Problems

The Problems tab of the details view displays general status messages from FSM regarding the configuration import process. Most notably, this tab displays errors or warnings if FSM is not able to translate any part of the configuration. These problems may or may not impact analysis.

Using Packet Tracer

Packet Tracer traces a packet's path through a Layer 3 network. This is useful when evaluating configuration changes or troubleshooting issues. To do this, Packet Tracer performs two steps:

1. It finds all routable paths between the source and destination addresses in the packet using the network address translation (NAT) rules on all the devices along each path.

2. It evaluates the access control lists (ACL) of each device along a path to locate a routable path for the packet that is not blocked by the ACL.

Complete the following procedure to specify the path you want Packet Tracer to evaluate.

To run Packet Tracer for a specific path:

1. In the FSM client, click the Query menu, and then select Packet Tracer.
2. In the Packet Tracer window, enter the required information:
   • Source IP Address
   • Destination IP Address
   • Protocol
   • Port (number or service name)
3. Click Run.

4. In the Save As dialog, specify a name and location for the output file, and then click Save.

For additional information about the Packet Tracer report, see the help topic, Packet Tracer.

Optimizing Firewalls

Use the Rule/Object Cleanup task with supported Cisco or Juniper firewall configurations to optimize your firewalls. The task generates a report that informs you of rules or objects in the selected firewall that you may want to remove or revise. This task also generates a new configuration file and a clean-up script, which you can edit and apply as necessary.

The Rule/Object Cleanup task consists of two primary options:

Redundant and Shadowed rules analysis

This option checks the firewall configuration to identify redundant or shadowed rules and unreferenced network or service objects. Redundant rules are those covered by other rules that have the same action. Shadowed rules are those covered by other rules that have the opposite action. Find these results in the Structural Rule and Object Cleanup section of the Firewall Cleanup report.

Log Usage Analysis

This option checks the firewall log to identify unused rules, network objects, or service objects. Find these results in the Usage-Based Rule and Object Cleanup section of the Firewall Cleanup report.

Optionally, FSM can recommend the optimal order for the firewall rules based on usage. If you select Include optimal rule ordering, FSM puts the most-used rules as close to the top of the configuration as possible without changing the behavior of the firewall. This option is memory and compute intensive.

To complete the Rule/Object Cleanup task:

1. In the FSM client, select one or more devices from the Firewall Inventory to clean up.

2. Click Optimize > Rule/Object Cleanup.

3. On the Rule/Object Cleanup dialog, select one or both options.
4. Click OK.
5. If you selected the Log Usage Analysis option, enter or browse to the folder that contains the firewall log files, and then click Generate Report.
   Note: FSM can import one or more individual log files or archives that contain log files. If you want to import multiple log files or archives, ensure they are in the same folder.

6. On the Generate Report screen, enter or browse to the location you want FSM to use for the output.

7. In the Report Format menu, select the format you want FSM to use for the Firewall Cleanup report.

8. Click OK.

After FSM generates the output, it opens the report. FSM saves the new configuration file and clean-up script in the same output folder.
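
The definitions of redundant and shadowed rules given for the Rule/Object Cleanup task can be made concrete with a small analyzer. The following Python is an added example, not FSM's code or algorithm: the names Rule, covers, overlaps and analyze and the sample ACL are constructed for illustration, and it assumes first-match-wins rule ordering and compares rules pairwise only (coverage by a union of several rules is not detected).

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", or "ip" (any protocol)
    src: str                    # source network in CIDR form
    dst: str                    # destination network in CIDR form
    ports: tuple = (0, 65535)   # inclusive destination port range


def covers(a, b):
    """True when every packet that matches rule b also matches rule a."""
    if a.proto != "ip" and a.proto != b.proto:
        return False
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])


def overlaps(a, b):
    """True when at least one packet matches both rules."""
    if "ip" not in (a.proto, b.proto) and a.proto != b.proto:
        return False
    return (ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1])


def covered_by_earlier(rules, i):
    """First rule above rules[i] that matches everything rules[i] matches."""
    return next((e for e in rules[:i] if covers(e, rules[i])), None)


def redundant_to_later(rules, i):
    """A later same-action rule that covers rules[i], provided no
    opposite-action rule in between would catch some of its packets first."""
    rule = rules[i]
    for later in rules[i + 1:]:
        if later.action != rule.action:
            if overlaps(later, rule):
                return None     # removing rules[i] would change behavior
            continue
        if covers(later, rule):
            return later
    return None


def analyze(rules):
    """Map rule name -> (status, name of the covering rule or None)."""
    findings = {}
    for i, rule in enumerate(rules):
        earlier = covered_by_earlier(rules, i)
        if earlier is not None:
            # Same action: the rule never changes a decision (redundant).
            # Opposite action: the rule never takes effect (shadowed).
            kind = "redundant" if earlier.action == rule.action else "shadowed"
            findings[rule.name] = (kind, earlier.name)
            continue
        later = redundant_to_later(rules, i)
        findings[rule.name] = ("redundant", later.name) if later else ("ok", None)
    return findings


# Constructed sample ACL (documentation and private address ranges only).
SAMPLE_ACL = [
    Rule("R1", "permit", "tcp", "10.0.0.0/8", "192.0.2.0/24", (443, 443)),
    Rule("R2", "permit", "tcp", "10.1.0.0/16", "192.0.2.10/32", (443, 443)),
    Rule("R3", "deny", "tcp", "10.2.0.0/16", "192.0.2.0/24", (443, 443)),
    Rule("R4", "permit", "tcp", "172.16.5.0/24", "198.51.100.0/24", (22, 22)),
    Rule("R5", "deny", "tcp", "172.16.0.0/12", "198.51.100.7/32", (22, 22)),
    Rule("R6", "permit", "tcp", "172.16.0.0/12", "198.51.100.0/24", (22, 22)),
    Rule("R7", "permit", "udp", "10.0.0.0/24", "192.0.2.53/32", (53, 53)),
    Rule("R8", "permit", "udp", "10.0.0.0/8", "192.0.2.53/32", (53, 53)),
    Rule("R9", "deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]

if __name__ == "__main__":
    for name, (status, by) in analyze(SAMPLE_ACL).items():
        print(f"{name}: {status}" + (f" (covered by {by})" if by else ""))
```

R4 is the case to study: R6 covers it with the same action, but the deny in R5 sits between them and overlaps R4, so removing R4 would block traffic that is currently permitted and the rule is not reported as redundant.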

Running and Scheduling FSM Reports

FSM uses reports to perform a variety of tasks. For example, the Rule/Object Cleanup task discussed previously (see "Optimizing Firewalls" on page 15) generates one or two reports, depending on the cleanup functions you choose. FSM also provides a variety of reports for audit and compliance purposes. The topics in this section address how to prepare for and run two common audit reports. These sections are:

• Running the Security Audit Report

• Scheduling FSM Batch Reports

For additional information about reporting in FSM, see the help topic, Batch Reports dialog.

Running PCI Analysis Reports

The Payment Card Industry (PCI) analysis reports assess whether firewalls protecting cardholder data comply with the PCI Data Security Standard (DSS). These reports are only applicable to the interfaces that protect cardholder data. FSM considers those interfaces to fall within the PCI Zone – a designation you apply to the appropriate firewalls.

Prerequisite

As stated previously, the PCI analysis reports only apply to interfaces you designate as being in the PCI Zone. You make this designation on the Interfaces tab of the Firewall Details view.

To designate an interface as being in the PCI Zone:

1. In the FSM client, open the Firewall Details view for the firewall you want to modify.

2. Click the Interfaces tab.

3. In the PCI Zone column, select each interface you want FSM to evaluate when you run the PCI analysis reports.

Report Procedure

Run all of the PCI analysis reports on multiple firewalls individually, or as a batch and schedule them to run at a later time. For additional information about the latter option, see "Scheduling FSM Batch Reports" on page 19.

To run all of the PCI analysis reports at once:

1. In the FSM client, select the firewall(s) you want to analyze for PCI compliance.

2. Click the Audit menu, and then select Assess PCI Compliance.

3. In the PCI Checks Report window, click Browse to specify an output folder, and then click OK.

For additional information about the reports this task generates, see the help topic, PCI Analysis Reports.

Running the Security Audit Report

The Security Audit report assesses the selected firewalls using a customizable list of security checks. The report lists all of the security checks that found dangerous or potentially risky services the firewall is allowing.

Prerequisite

The Security Audit report only applies to firewalls considered to be a "perimeter" firewall. Such firewalls control access between an external zone (such as the Internet), an internal zone (such as a corporate network), and a demilitarized zone (DMZ). Perimeter firewalls dedicate each interface to a specific zone. You can change the zones assigned to each interface on a perimeter firewall on the Interfaces tab of the Firewall Details view.

To change the zones dedicated to a firewall's interfaces:

1. In the FSM client, open the Firewall Details view for the firewall you want to modify.

2. Click the Interfaces tab.

3. In the Zone column, click the cell for the interface you want to reassign, and then select a new zone from the menu.

Additionally, you have the option to customize the list of security checks before you run the Security Audit report. If you choose not to customize the list, FSM provides two pre-configured lists by default:

Standard

This catalog is based on a collection of guidelines and recommendations from a variety of security authorities. Sources include NIST 800-41 Guidelines on Firewalls and Firewall Policy, the National Security Agency (NSA), and the SANS Institute Firewall Checklist.

STIG

This catalog is based on the Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) for Cisco routers. SolarWinds recommends you use the Standard catalog unless you are specifically required to comply with the DISA STIG.

For information about how to customize the security check catalogs, see the help topic, Security Check Catalog Editor.

Report Procedure

Run the Security Audit report on demand, or schedule it to run at a specific time. For additional information about the latter option, see "Scheduling FSM Batch Reports" on page 19.

To run the Security Audit report on demand:

1. In the FSM client, select the firewall(s) you want to audit.

2. Click the Audit menu, and then select Evaluate Security Checks.

3. In the Firewall Checks Report window, click Browse to specify an output folder.

For additional information about the reports this task generates, see the help topic, Security Audit Report.

Scheduling FSM Batch Reports

The previous sections illustrate how you can run individual reports or groups of related reports on demand. FSM also provides functionality to schedule a custom batch of reports to run at a specific time. This allows you to schedule reports to run once or as part of a recurring schedule.

To schedule batch reports in FSM:

1. In the FSM client, select the firewall(s) for which you want to schedule the reports.

2. Click the Reports menu, and then select Batch Reports.

3. In the Generate Batch Reports window, select the reports you want to schedule.

Notes:

• Some reports are not available in all formats. You cannot select a report if it does not support the format at the bottom of the window.

• Some reports automatically trigger related reports. If you select such a report, it automatically selects all related reports.

4. If you selected the Rule/Object Cleanup – Log Usage Analysis report, click Next, and then click Browse to specify the location of the firewall's log files.

5. Click Schedule Report.

6. In the Browse For Folder window, select the output folder for the scheduled reports, and then click OK.

7. In the Schedule Reports window, specify the schedule and recurrence options according to your preferences, and then click OK.

For additional information about the schedule and recurrence options, see the help topic, Schedule Report Generation.

Using Change Advisor

Change Advisor is a web interface for submitting and reviewing requests to change firewall configurations. To allow users to submit and/or approve requests, you must first configure user accounts from the administrative section of the web console. This section addresses the following procedures:

• Configuring Change Advisor Users

• Configuring a Name Server

• Submitting a Change Request

• Managing Change Requests


Configuring Change Advisor Users

There are three types of user accounts in Change Advisor. Select from the following account types when you configure new Change Advisor users.

Network Engineer

The Network Engineer account type has permissions to both submit Change Advisor requests and view all requests from all users.

Change Advisor Administrator

The Change Advisor Administrator account type has permissions to add and modify Change Advisor users, and configure name servers. Users of this type cannot submit or review Change Advisor requests.

User

The User account type has permissions to add new Change Advisor requests and edit requests they have submitted.

To configure Change Advisor users:

1. Open Change Advisor from within the FSM application: Click the Analyze Change menu, and then select Open Change Advisor.

Note: You can also access the Change Advisor website at http://ipAddressOrHostname:48080/fsm/login.jsp, where ipAddressOrHostname is the IP address or hostname of the FSM server.

2. Log in for the first time with the default credentials:

a. In the Username field, enter admin.

b. In the Password field, enter admin.

c. Click Sign In.

3. On the User Accounts homepage, click New User Account.

4. On the New User Account page, complete the form with the appropriate information.

5. Click Update Account.

Configuring a Name Server

Change Advisor uses a name server to resolve IP addresses with DNS hostnames. It presents these hostnames in the Change Request interface so users can easily select the systems they need to connect.

Alternatively, if you want to manually import a list of known hosts, see "Importing Known Hosts" on page 21.

To configure a name server:

1. Log into the Change Advisor web console as a Change Advisor Administrator.

3. On the Configure Name Server tab, click Add Server.

4. Complete the Add Name Server form for the name server.

Note: The fields are different, depending on the type of name server you select.

5. Click Save Changes.

Importing Known Hosts

Complete the following procedure to manually import known hosts to the Change Advisor web server. This function accepts XLS files with the following columns:

• Host Name

• IP Address

• Department/Location

• Description

• Company

Note: FSM generates a similar file when you click Export Known Hosts on the Settings page of the Change Advisor web console. Use this function to modify existing data or add new hosts. The Import File function overwrites the existing known hosts data on the Change Advisor server.

To import known hosts:

1. Log into the Change Advisor web console as a Change Advisor Administrator.

2. Click Settings.

3. Click the Import Known Hosts tab.

4. Click Choose File, and then browse to the file you want to import.

5. Click Import File.

Submitting a Change Request

Use the Change Advisor web console to enter requests to change firewall configurations. Only users in the Network Engineer and User roles have access to this function.

To submit a new change request:

1. Log into the Change Advisor web console as a User or Network Engineer.

2. Click New Change Request.

3. On the Change Request page, enter a subject and business purpose for the change request.

5. Add a packet to the request to give the Network Engineer as much information as possible about the request:

a. Click Add Packet.

b. In the Add Packet window, select the source that requires the change request.

c. Click Populate Src.

d. Select the destination that the source needs to reach.

e. Click Populate Dst.

f. In the Protocol menu on the right, select the protocol the connection will use.

g. In the Service field, enter the service the connection will use.

h. Click Add Packet.

Note: Users in the User role cannot edit a packet after adding it to a change request.

6. Click Submit.

Managing Change Requests

Use the FSM client to manage change requests users have submitted through the Change Advisor web console. When a user submits a change request, FSM uses the packet details to run Packet Tracer and identify any blocks or gaps in the current configurations.

After FSM analyzes the request, it returns the appropriate status in the Change Advisor web console. Depending on the status, the engineer completes the request by:

• Adding Detail to the Change Request

• Reviewing the Change Request

For detailed information about the statuses in the Change Advisor web console, see the help topic, Change Request Status.

Adding Detail to the Change Request

Complete this step for change requests with the Request Normalization status. This status means the request does not include sufficient information for FSM to review the request and recommend a change (if any). At this stage, an engineer must edit the request to provide the necessary information before FSM can proceed.

To edit a Change Advisor request:

1. Log into the Change Advisor web console as a Network Engineer.

2. Click the Details link next to the request you want to edit.

3. If you want to change the Subject, Business Purpose, or Status of the request, click Edit, and then complete the Edit Request form.

Note: At this point, you have the option to change the status to Closed. Consider this if you will not implement the change, or if the requestor did not provide sufficient information.

4. If the request is missing information in the Request Details section, click the pencil icon next to the incomplete details, and then complete the Edit Packet form.

Note: Change Advisor needs the source and destination IP addresses and service to proceed.

5. If you want to add a note to the request, click Add Note, and then complete the Add Note form.

After Change Advisor has enough information to proceed, FSM runs Packet Tracer again and returns a new status according to the results. If the request requires a change to the current configurations, the engineer must review the request to determine an implementation plan. If the request does not require a change, FSM automatically changes the status to Completed in Change Advisor.

Reviewing the Change Request

Complete this step for change requests that require some kind of change to the current configuration. This step assumes FSM was able to analyze the change request and provide a recommendation. In this step, the engineer reviews the recommendation from FSM and tests the change in a change modeling session.

To review a Change Advisor recommendation:

1. Log into the Change Advisor web console as a Network Engineer.

2. Click the Details link next to the request you want to review.

3. In the Analyze Request section, click View Packet Tracer Report, and then review the report Change Advisor downloads:

a. Open the Packet Tracer report in an XLS editor or viewer. The most common editor is Microsoft Excel.

b. In the Packet Tracer report, click the hyperlink next to Trace Result Summary.

c. Review the packet details in the report. This indicates whether there is a routable path for the request, and what rules (if any) are currently blocking the packet.

d. Return to the Change Advisor web console to proceed.

4. If you want to analyze the security risk of a change request, click View Security Risks Report, and then review the Security Risk Analysis page:

a. In the Security Violations section, click Show in the Details column.

b. If you want to re-run the risk assessment against another security catalog, select a different catalog in the Use Selected Security Catalog menu, and then click Assess Risks.


c. Click the Back button in your browser to return to the request details page.

5. If you want to add a note to the change request, click Add Note, and then complete the Add Note dialog.

6. If you will implement the change request, open the FSM client to complete a change modeling session. For additional information see the help topic, Change Modeling Session.

7. After you have decided how to address the change, set the appropriate status in Change Advisor:

a. In the Change Advisor web console, click Edit next to the change request.

b. In the Request Status menu, select Completed or Closed.

These statuses generally indicate that you have completed the change request. Use the notes in the request to indicate whether or not you have implemented any change. The following define these two "final" statuses:

Completed

Use this status if you want the requestor to verify your change. Requests with this status remain visible to both the requestor (User role) and engineer (Network Engineer role).

Closed

Use this status after you are satisfied you have sufficiently addressed the change request. Requests with this status no longer show up in the change request list for users in the Network Engineer role.
