Monitoring a firewall is important. So is doing it appropriately (2024)

Firewall monitoring is mostly about monitoring the firewall's rules. Rules are the core of a firewall, so the primary check to set up correctly is that they do not conflict with business processes or with one another. Rules should not override each other, because this causes unpredictable behavior that is hard to monitor later. Firewall monitoring software can check rules as soon as they are implemented.

Rules should not conflict with other rules, and rules that are no longer required should not be kept either. Keeping them can be a security risk, mainly because a very old rule can leave ports open without administrators having noticed. Without proper firewall monitoring, detecting this is not an easy task. Checking that all rules are actually being applied correctly, and that the policies in use still require them, is an important task for the firewall monitoring service.
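The check for rules that override each other can be sketched as follows. This is an added example, not code from the original article or from any monitoring product; the rule format and the top-to-bottom, first-match evaluation order are assumptions, and the rules are constructed sample data.

```python
from ipaddress import ip_network

# Constructed sample rules, evaluated top to bottom (first match wins).
RULES = [
    {"id": 1, "action": "allow", "src": "10.0.0.0/8", "proto": "tcp", "ports": (1, 1024)},
    {"id": 2, "action": "deny", "src": "10.1.2.0/24", "proto": "tcp", "ports": (22, 22)},
    {"id": 3, "action": "allow", "src": "10.0.0.0/16", "proto": "tcp", "ports": (443, 443)},
    {"id": 4, "action": "deny", "src": "192.168.0.0/16", "proto": "udp", "ports": (53, 53)},
]

def covers(earlier, later):
    """True if every packet matching `later` also matches `earlier`."""
    return (
        earlier["proto"] == later["proto"]
        and ip_network(later["src"]).subnet_of(ip_network(earlier["src"]))
        and earlier["ports"][0] <= later["ports"][0]
        and later["ports"][1] <= earlier["ports"][1]
    )

def find_overridden(rules):
    """Return (later_id, earlier_id, kind) for rules that can never fire."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                # Different actions: the later rule's intent is silently lost.
                kind = "conflict" if earlier["action"] != later["action"] else "redundant"
                findings.append((later["id"], earlier["id"], kind))
                break  # the first covering rule is the one that takes effect
    return findings

if __name__ == "__main__":
    for later_id, earlier_id, kind in find_overridden(RULES):
        print(f"rule {later_id} is overridden by rule {earlier_id} ({kind})")
```

A "conflict" finding means the later rule's action never applies; a "redundant" finding marks a rule that can be removed without changing behavior.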

Firewall log monitoring is the practice of monitoring the logs generated by the firewalls. These provide plenty of insight into how the firewall is performing, what is being blocked, and whether any rules are not being triggered. Besides catching outdated rules, reviewing the logs can be informative in various other situations.

For instance, knowing which rules are triggered most often not only informs administrators of traffic trends and their changes, but also enables them to detect many unusual behaviors. A firewall port that was never used and suddenly becomes very active can be grounds for treating this new traffic as suspicious. Similarly, ‘false positives’ can also be found in the firewall logs. These are sources of traffic that interact with the firewall, but should not.

Firewall log monitoring is supported by the vast majority of firewall monitoring systems. If it is not supported, it is good practice to check the logs manually.
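When the logs have to be checked manually, the two findings described above (rules that are never triggered, and a previously unused port that suddenly becomes active) can be pulled out with a short script. This is an added example, not part of the original article; the log line format, the rule IDs, and the `min_hits` threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import Counter

# Assumed log format (constructed): "<timestamp> rule=N action=A src=IP dport=P"
LINE = re.compile(r"rule=(?P<rule>\d+) action=(?P<action>\w+) src=(?P<src>\S+) dport=(?P<dport>\d+)")

BASELINE = [  # constructed: an earlier observation window
    "2024-05-01T10:00:00Z rule=1 action=allow src=10.0.0.5 dport=443",
    "2024-05-01T10:00:07Z rule=2 action=allow src=10.0.0.9 dport=22",
    "2024-05-01T10:01:12Z rule=1 action=allow src=10.0.0.7 dport=443",
]
CURRENT = [  # constructed: the window being reviewed
    "2024-05-08T10:00:00Z rule=1 action=allow src=10.0.0.5 dport=443",
    "2024-05-08T10:00:01Z rule=4 action=allow src=10.0.3.20 dport=8081",
    "2024-05-08T10:00:02Z rule=4 action=allow src=10.0.3.20 dport=8081",
    "2024-05-08T10:00:03Z rule=4 action=allow src=10.0.3.20 dport=8081",
    "2024-05-08T10:00:09Z rule=4 action=allow src=10.0.3.21 dport=3389",
]

def parse(lines):
    """Yield (rule_id, action, src, dport) for each line that matches the format."""
    for line in lines:
        m = LINE.search(line)
        if m:
            yield int(m["rule"]), m["action"], m["src"], int(m["dport"])

def unused_rules(rule_ids, lines):
    """Rule IDs from the configuration that never appear in the logs."""
    hit = {rule for rule, *_ in parse(lines)}
    return sorted(set(rule_ids) - hit)

def newly_active_ports(baseline, current, min_hits=3):
    """Ports absent from the baseline that now have at least min_hits hits."""
    seen_before = {dport for *_, dport in parse(baseline)}
    now = Counter(dport for *_, dport in parse(current))
    return {p: n for p, n in now.items() if p not in seen_before and n >= min_hits}

if __name__ == "__main__":
    print("never triggered:", unused_rules([1, 2, 3, 4], BASELINE + CURRENT))
    print("newly active ports:", newly_active_ports(BASELINE, CURRENT))
```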

Firewall monitoring tools are not only about rule-checking, but also about collecting a series of metrics that help administrators understand how the firewall is performing. In particular, firewall monitors normally track parameters that describe how traffic is moving on the network. These parameters include the origin and destination of traffic, the bandwidth used, the active sessions, what ports are being used, and whether the ports match any firewall rule.

The ports are especially relevant. They are at the core of the firewall rules and are therefore the foremost metric for indicating whether or not a rule is being applied. By ‘ports’ we mean not just the TCP/UDP ones, but the physical ports on a hardware firewall as well. This activity complements port monitoring, which deals with ports only.

Through matching active sessions with their ports, it is possible to identify traffic that is passing through but should not actually be allowed. Such data can require an update of firewall rules. In the opposite case, traffic being blocked at a port may be a signal to the administrator that this traffic should in fact be allowed. Once the firewall monitoring is active, notifications are triggered for both of these cases, and the responsible team can act upon them accordingly.

Another important metric to collect is simply the status of the firewall rules at a given moment. By saving it, the firewall monitoring service can send notifications of any changes. Most changes will be routine, but occasionally a team member can change the firewall rules without informing other members. Knowing what has been changed and why helps to quickly identify the responsible person.
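Saving the rule state and reporting what changed can look like the following. This is an added example, not code from the original article; the rule fields and both snapshots are constructed, and how a real firewall exports its rules is outside the scope of the sketch.

```python
import hashlib
import json

# Constructed snapshots: SAVED is the stored baseline, LIVE is the current rule set.
SAVED = [
    {"id": 1, "action": "allow", "src": "10.0.0.0/8", "port": 443},
    {"id": 2, "action": "allow", "src": "10.0.5.0/24", "port": 22},
    {"id": 3, "action": "deny", "src": "0.0.0.0/0", "port": 23},
]
LIVE = [
    {"id": 1, "action": "allow", "src": "10.0.0.0/8", "port": 443},
    {"id": 2, "action": "allow", "src": "10.0.5.0/24", "port": 2222},
    {"id": 5, "action": "allow", "src": "0.0.0.0/0", "port": 3306},
]

def fingerprint(rules):
    """Order-sensitive SHA-256 of the rule set, so a reordering also counts as a change."""
    return hashlib.sha256(json.dumps(rules, sort_keys=True).encode()).hexdigest()

def diff_rules(saved, live):
    """Return (kind, rule_id, changed_fields) tuples describing what changed."""
    old = {r["id"]: r for r in saved}
    new = {r["id"]: r for r in live}
    changes = []
    for rid in sorted(old.keys() | new.keys()):
        if rid not in new:
            changes.append(("removed", rid, {}))
        elif rid not in old:
            changes.append(("added", rid, {}))
        elif old[rid] != new[rid]:
            keys = old[rid].keys() | new[rid].keys()
            fields = {k: (old[rid].get(k), new[rid].get(k))
                      for k in keys if old[rid].get(k) != new[rid].get(k)}
            changes.append(("modified", rid, fields))
    return changes

if __name__ == "__main__":
    # Compare the cheap fingerprint first; compute the detailed diff only on mismatch.
    if fingerprint(SAVED) != fingerprint(LIVE):
        for change in diff_rules(SAVED, LIVE):
            print(change)
```

Each reported change can then be matched against the change-management record to see who made it and why.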

Article information

Author: Geoffrey Lueilwitz
