The latest version of this code can be found at http://sourceforge.net/projects/faar/
360-FAAR is an open source firewall analysis, policy rebuild and configuration tool. It is intended to provide a toolkit for firewall engineers and analysts to use to plan, analyse and implement complex network changes in enterprise brownfield environments and to provide the detailed analysis needed to be confident in the integrity of the security changes generated.
360-FAAR (Firewall Analysis Audit and Repair) is an offline, command line, Perl firewall policy manipulation tool to filter, compare to logs, merge, translate and output firewall commands for new policies, in Checkpoint dbedit, Cisco PIX/ASA or ScreenOS commands, and it's one file!
Read Policy and Logs for:
Checkpoint FW1 (in odumper.csv / logexport format), Netscreen ScreenOS (in get config / syslog format), Cisco ASA (show run / syslog format).
360-FAAR uses both inclusive and exclusive CIDR and text filters, permitting you to split large policies into smaller ones for virtualisation at the same time as removing unused connectivity.
360-FAAR supports policy-to-log association, object translation, rulebase reordering and simplification, rule moves and duplicate matching automatically, allowing you to seamlessly move rules to where you need them.
TRY: 'print' mode. One command, and spreadsheet for your audit needs!
* WRITTEN IN SIMPLE Perl - NEEDS ONLY STANDARD MODULES - IS ONE FILE
*
* Build new rulebases from scratch with a single 'any' rule and log files.
* Reverse lookup names for IPs and /27 blocks and use these in the policies built.
* Read many logfiles by specifying the directory and an optional regex to match names.
* Switch the processing into DROPS mode and process drop log entries for further analysis.
* Output pre-processed logs in JSON, read them back later and process more logs into the same config.
* Easy to Edit Menu Driven Text Interface
* Capable of manipulating tens of thousands of rules, objects and groups
* Handles infinitely deep groups
* Capable of CIDR filtering connectivity in/out of policy rulebases.
* Capable of merging rulebases.
* Identifies existing connectivity in rulebases and policies
* Automatically performs cleanup if a log file is provided.
* Keeps DR connectivity via any text or IP tag
* Encryption rules can be added during policy moves to remove the "merge from" rules for traffic that would be encrypted by the time it reached the firewall on which the "merge to" policy is to be installed - sounds complicated but it's not in practice - appropriate ike and esp rules should be added manually
* Runs consistency checks on its own objects and rule definitions
* Extendable via a simple elsif in the user interaction loop section.
*
* EASY TO EXECUTE:
* ./360-faar.pl od=|ns=|cs=configfile[,logfile,natsfile] [logparse=normal|drops] [json=in|out]
*
* CONFIG TYPES: - cisco soon!
* od = logexported logs, object dumper format config, fwdoc format nat rules csv
* ns = syslog format logs, screenos6 format config, nats are included in policy but not processed fully yet, fwdoc format nats can be used though
* cs = cisco asa syslog file, cisco ASA format config, - not ready yet
*
* OUTPUT TYPES:
* od = output an odumper/ofiller format config to file, and print the dbedit for the rulebase creation to screen
* ns = outputs netscreen screenos6 objects and policies (requires a netscreen config or zone info)
* cs = cisco asa format config - running and almost ready...
*
* JSON OPTIONS:
* in = read logjson.txt and more logs, output logjson.txt
* out = output logjson.txt
*
* LOG PARSE OPTIONS:
* normal = process in ACCEPT mode, profile and group ACCEPT LOG PROFILES
* drops = process in DROP mode, profile and build DROP LOG PROFILES (with 'res' and 'ures' and 'name' modes)
*
* By default 360-FAAR accepts as many configs as you enter on the command line.
* Make an empty file called "fake" and use this as the file name for logfiles if you want to process a config with NATS but no logfile.
* Log file headers in fw1 logexported logs are found automatically so many files can be cat'ed together
*
* FURTHER PROCESSING AND MANUAL EDITING:
* Output odumper/ofiller format files and make them more readable (watch out for spaces in names) using the numberrules helper script
* Edit these CSVs in OpenOffice or Excel using any of the object or group definitions from the three loaded configs.
* You can then use this file as a template to translate to many different firewalls using the 'bldobjs' mode
* Further resolve IP networks to names with the helper scripts and DNS / whois.
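The core ideas listed above (policy-to-log association, cleanup of rules with no log hits, inclusive/exclusive CIDR filtering and resolving log IPs to the most specific known network object) as an added Python example; this is not the tool's own Perl code, and the rulebase, log entries and object names are constructed samples:

```python
import ipaddress
from collections import Counter

# Constructed rulebase (rule_no, src, dst, proto, dport), matched top-down first-match:
RULES = [
    (1, "10.1.0.0/16", "10.2.0.10/32", "tcp", 443),
    (2, "10.1.0.0/16", "10.2.0.0/24", "tcp", 22),
    (3, "0.0.0.0/0", "10.3.0.0/24", "tcp", 80),
    (4, "10.9.0.0/16", "10.2.0.0/24", "tcp", 445),  # never hit in the sample log
]
# Constructed accept-log entries: (src, dst, proto, dport)
LOGS = [
    ("10.1.5.5", "10.2.0.10", "tcp", 443),
    ("10.1.7.1", "10.2.0.20", "tcp", 22),
    ("192.0.2.9", "10.3.0.4", "tcp", 80),
    ("10.1.7.1", "10.2.0.20", "tcp", 3389),  # permitted by no rule
]
# Constructed named network objects for reverse-resolving log IPs.
NET_OBJECTS = {"ten_net": "10.0.0.0/8", "dmz": "10.2.0.0/24", "web01": "10.2.0.10/32"}

def match_rule(rules, src, dst, proto, dport):
    # Number of the first rule matching one log entry, or None if nothing permits it.
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for no, rsrc, rdst, rproto, rport in rules:
        if (s in ipaddress.ip_network(rsrc) and d in ipaddress.ip_network(rdst)
                and rproto == proto and rport == dport):
            return no
    return None

def profile_logs(rules, logs):
    # Policy-to-log association: per-rule hit counts plus entries no rule explains.
    hits, unmatched = Counter(), []
    for entry in logs:
        no = match_rule(rules, *entry)
        if no is None:
            unmatched.append(entry)
        else:
            hits[no] += 1
    return hits, unmatched

def unused_rules(rules, hits):
    # Rules with zero hits are the cleanup candidates once a log is loaded.
    return [r[0] for r in rules if hits[r[0]] == 0]

def cidr_filter(rules, cidr, exclusive=False):
    # Inclusive filter keeps rules whose src or dst overlaps cidr; exclusive drops them.
    net = ipaddress.ip_network(cidr)
    return [r for r in rules if exclusive != any(
        ipaddress.ip_network(x).overlaps(net) for x in r[1:3])]

def resolve_ip(objects, ip):
    # Name of the most specific (longest prefix) object containing ip, or None.
    addr = ipaddress.ip_address(ip)
    found = [(ipaddress.ip_network(c).prefixlen, n) for n, c in objects.items()
             if addr in ipaddress.ip_network(c)]
    return max(found)[1] if found else None
```

Note that an 'any' source such as rule 3 overlaps every CIDR, so an inclusive filter always keeps it and an exclusive one always drops it; that is the behaviour a practitioner should expect when splitting a policy.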
The purpose of this script is to provide detailed analysis of a firewall's configuration by combining logs and config.
#---------------------------------------------------------------------------------------------------
- Many similarly typed configs can be "cat'ed" together for comparison via 'print' modes or duplicates Data::Dumper prints
#---------------------------------------------------------------------------------------------------
This script is hopefully written in a way that will make its workings understandable to firewall and network engineers.
#---------------------------------------------------------------------------------------------------
#---------------------------------------------------------------------------------------------------
Version v0.6.3 - This release updates the config parsers to permit you to specify the default service
Version v0.6.2 - This release fixes the bug in the cisco asa drop log parser that missed %ASA-6-106100
Version v0.6.1 - This release fixes the bug in the output stage of 'bldobj' mode that was causing faar
Version v0.6.0 - This release hacks backwards some more of the functionality in SuperFAAR. Some of it
Contact dan@360-faar.pl or +447960028070 for details.
Version v0.5.8 - This release updates the log parsers so fewer spurious and source ports are resolved.
Version v0.5.6 - This release updates the bldobj mode to fix the bug introduced "for names with spaces"
01/12/2015 It also changes the default options for 'res' mode to make them more useable and include this option.
log connectivity matching an IP 'any' object in a rulebase, and uses these new objects in the rules generated.
The second will only generate new objects for the matching networks from the logs and rules that were destinations
outside of the ten net (it will need to be added to the config bundle for the rule to parse, so will match for
The reason this has not been back ported before is because it "pollutes" the network objects tree with objects
that do not exist in the original config. It's a one-time change; once the objects are added they can be removed
without reloading the configs. SuperFAAR can delete a config from memory and reload from the database if required.
If you want to change the mask length of the new objects search '00000' and change the values to what you require.
SuperFAAR has several options for this and also options to make a rulebase more specific when required.
Also SuperFAAR contains newly generated object rules from 'any' rule matches, within the rulebase section
in which they have been generated. This combined with maintaining rulebase section headers and rule type specificity
Version v0.5.0 - This release back ports the config parsers from the Enterprise Edition SuperFAAR. These parsers are greatly
improved from the last release. This release only back ports the config parsers for the existing config parsers.
new config parsers (for other firewall manufacturers) are only available in the Enterprise Releases:
- This release also updates the output config writer subs to their latest version before the integrated output and
translation subs were dropped in favour of cleaner separated translation and output subs as in SuperFAAR and
360-FAARen, these new subs also handle rulebase structure and output sections and headers (not supported in this version).
- The following bug fix has also been added, which is to correct the processing of default service ranges added
to the ordered ports list from the parsers. This should greatly improve the quality of the ports hash
this bug fix is unnecessary in SuperFAAR and 360-FAARen as the process has been simplified and the code the bug
- The default Cisco objects have been updated to include the 'any4' net object, to be able to parse ASA9.3+ IPv4 configs.
- The reason the parsers have been back ported is so that the open source algorithms can be used with more modern
- The algorithms already opensourced herein are sufficient for most small to medium firewall configuration situations,
and can be used for IP translation (bldobj mode), rulebase simplification (rr mode) and object analysis (print modes).
For use with the open source version configurations can be split into rulebase sections and processed separately,
new groups can be added to input configs to create differently built rulebases, which can then be added together,
IMPORTANT - If you require Enterprise firewall analysis please consider looking at SuperFAAR, it's probably not as much as you think!
- If you require a demo version please contact dan@360-faar.com, we will need to sign mutual NDAs after which I can provide
demo software (the current version of SuperFAAR without the output config writers or database back end).
- If you require support during the demo period it's free for the period of the demo - currently we have no outstanding
bugs, this is not because there are none, but that every bug found has been resolved to our customers satisfaction.
- Also, if you are using this for production use you should note the BETA status of the project, that status is justified
which is why the algorithms have been rewritten for the Enterprise Releases SuperFAAR and 360-FAARen.
Version v0.4.6 - This release correctly translates output netscreen group names in comment lines and comments are output last.
- Netscreen rules 'name' strings are added with rule descriptions and net ranges are translated as ranges.
- 'rr' mode 'nat' defaults added - the same as 'yes' defaults with CIDR filter NAT translations switched on.
Version v0.4.4 - This release adds the "resolve services from 'Any' objects" option to the 'rr' mode.
This new 'rr' mode option requires that a log file is loaded and that the output policy is filtered using it.
When connectivity is found in the logs that matches a policy instance with the 'Any' service specified, the
proto and port from the logs are used in the output policy and resolved objects are not added to the source
- Unknown service definitions are not output but are used in rules - cisco output uses unknown-proto in rules.
- Also, this release adds the "resolve 'Any' network objects to known nets" option to the 'rr' mode.
This new 'rr' mode 'log' default resolves binary objects from the logs using all existing network objects
Version v0.4.3 - This release adds the 'hc' option to build rules in 'rr' mode and arrange the most hit new rules at the top.
BEWARE: Hit count rules are not 100% reliable at present!!! Hit counts can be multiplied for multi IP objects.
- The defaults for 'rr' mode rule builds have been changed - say no to ALL DEFAULTS to see new default options.
- Added 'log' defaults to 'rr' mode, this selects the same new defaults but chooses 'yes' in filter with logs.
- Rules that are not logged with a rule number in checkpoint are now listed as rule 0 which hopefully resolves
Version v0.4.2 - This release adds the 'cl' option to clean/filter original rules, in 'rr' mode, and allows output of service.
Version v0.4.1 - This release adds the 'mergelog' mode. This mode allows you to add binary log entries from one
- Also, all 'end.' key words have been changed to simply '.' to reduce the number of keystrokes needed
for each rationalization. Entering '0' now adds all options and '.' chooses the default if available.
Version v0.4.0 - This release changes the command line options and permits you to process as many configs as you choose
Version v0.3.9 - release permits you to choose the types of rules and which rule actions to include in the
Version v0.3.8 - This release adds Cisco ASA 8.3+ object NAT to the cisco reader section for static and dynamic NAT.
- Running the script with '--help' or '-h' or 'h' in the first argument now prints the simple help screen.
- Two new options have been added to the 'rr' mode filters, to allow encryption rules from the merge from and to
- Matches output during 'rr' mode filtering are now listed using the source config bundle object names instead of
- Access lists using proto groups, specifying only protocol details or using 'any' services are now handled.
- Protocol group-objects are written and used in rules for service groups with different protocols specified within them.
Version v0.3.6 - This release resolves many of the problems with the filter sections, many of the undefined warnings are resolved.
- Both the specific and the subnet 'rr' mode filter sections have been upgraded to fix many of the issues related to
Version v0.3.5 - This release introduces three new sub routines that are used to run much stronger consistency checks against the
internal network and service object, group and rule definitions after each round of processing. These new tests
provide much greater visibility of incomplete objects and rules and give details of any missing object elements.
- The netscreen reader now reads "interface dip" and rule "dip-id" statements and adds appropriate objects
- Warnings are printed for unknown cisco object group-objects found in policies during the config read.
- NAT SRC DST translations in 'rr' mode now support range objects using the range start address only and network
Version v0.3.4 - This release resolves Cisco ICMP default services without printing stringified hash references in the cs output
- The cisco output writer uses 'object' in access-lists instead of IP NM, as well as listing range objects using 'range'
in access-lists as well as groups. I should probably just use 'object' but the key word is easily changed and
Version v0.3.3 - This release adds Cisco ASA static nat statements to the nats table for IP IP NM and access-list nats.
- The < and > range identifiers used in ports are now stripped before printing out Netscreen policies in rr mode.
Version v0.3.2 - This release reads Netscreen interface vip statements and adds them to the NATs table
- The Cisco internal rule object type definitions that are added to rulebases built from ASA or PIX configs
- Further consistency checks have been added to the policy build sections to more easily identify problem objects.
- The NEW helper script htmlprintcsv.pl converts the 'print' mode output CSV file to HTML, run the script for info.
Version v0.3.1 - This release cleans up the output in the new columns, so that specific VPN and negation usage is easier to see.
The Cisco ASA/PIX reader has been upgraded so that it prints more user friendly info during the config read
Version v0.3.0 - This release further updates the 'print' and 'fltprint' mode spreadsheets to include VPN tunnel usage info
Version v0.2.9 - This release further upgrades the NAT analysis capabilities, more NAT details are listed in 'print' mode
Version v0.2.8 - This release adds new columns to the 'print' mode spreadsheets to list the policy and log NAT translations.
The NAT rule processing is further updated to include log and policy information in the network objects.
Version v0.2.7 - This release completely drops the previous NAT methodology and integrates NATs into the rule processing subs
and also sports a rewrite of the NAT structures and nat rule processing, this new method is much more robust
Version v0.2.6 - Corrected MIP interface NAT ANY service name and added nat dst ip statements to NATs tables
- Correctly reads disabled rules in netscreen and adds further checks to the rr mode rulebase builders
- This release also resolves netscreen MIP(ipaddr) objects from interface mip statements and adds them to the NATs
- Issues resolved: incorrect protocol definitions (used when merging between checkpoint - netscreen) are skipped,
Version v0.2.4 - Further updates the cisco policy writer and resolves issues with service group access lists
Version v0.2.2 - Added object output to dbedit text in od mode, and NOTE: statements to the policy reader sections.
Version v0.2.1 - Removed default service definitions that were not recognised in FW-1 r75.10 and caused dbedit policy build to fail.
- Significantly upgraded the cisco object readers and writers and added more object checks to the netscreen and odumper
Version v0.1.9 - Log to binary log conversion now writes log and rule usage hits to netobjects and 'print' mode prints this info
- The log object resolution matches to the most specific CIDR range, to properly match traffic to rules use 'rr' mode
Version 0.1.8.1- Updated netscreen obj reader to flag DNS names in set address cmd's and capture service timeout cmd's
- Thanks to M.T. for flagging these issues so concisely!! Let me know if you want your name here if you read this.
Version 0.1.7.1- Fixed undefined warning in checkpoint log file reader for logs without service_id field.
Version v0.1.7 - Fixed autovivification problem in bin log zone check, rule comments on original filtered rules, netscreen
Any object name fixed, cisco apen protocol rules improved, add_srvc protocol issue fixed and log reader added.
Version v0.1.6 - Bug Fixed and improved 'print' mode, fixed duplicate issue in cs mode, and many more bugs fixed
in the cisco asa rule reading, as well as fixing misses in the binary log translation service matches.
- the improved print mode gives object duplicates, supernets, subnets, hosts on nets, rule obj usage etc.
Version v0.1.5 - ASA/PIX reader working well, new 'print' mode working, better named and organised subs
Version v0.1.3 - better bldobj mode and notes and zone mappings sorted in netscreen out, and groups translated
#---------------------------------------------------------------------------------------------------