Hi Dave,
I have created a password-protected PHP front-end with SSL for various firewall logging and change information. This is for Checkpoint only, sorry, no PIX information.
I use PHP, Perl, MySQL, Apache with mod_ssl and OpenSSL.
We currently do the following:
- Extract the rules file from downloaded backups and run it with fwrules, downloadable from www.phoneboy.com in the downloads section. This creates an HTML file which is stored and can be accessed over the secure connection; this runs every day. The HTML file that fwrules creates is a very detailed and very accurate representation of your rulebase. It is a very good script.
- If your firewall runs on Nokia IPSO you can use the summary.tcl file in the /web/cgi-bin directory to output an HTML file of your current firewall config. You can script this to do it daily. This can help if you need to rebuild the firewall.
- Run an md5 check on the rulebase and alert if it is different from the stored md5 checksum.
- Dump logs into a MySQL database and run a custom script to output a monthly report detailing the number of packets dropped and accepted by day, source, destination and service.
- Output these reports in a bar graph format using the GD module for Perl.
- Include the cpmgmt.aud file in the backups. Extract the information from this file, parse it and output it in a password-protected PHP file. The cpmgmt.aud file contains all access to the firewall and when the rulebase was installed.
- Use the MySQL database to store details about your firewall, i.e. hostname, md5 checksum etc. You can also create a table detailing changes and have this updateable/viewable from a password-protected PHP file.
I can't forward on any files for you to look at, for obvious reasons, but these are a few ideas to get you going. There is a lot of information you can extract from your firewall, so you could maybe combine your change control idea with a whole administration centre for your firewall(s).
Hope this helps a little.
Cheers,
Leon.
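The rulebase checksum check and the per-firewall checksum/change tables Leon describes, as an added example (not Leon's script, which used Perl and MySQL): sqlite stands in for the MySQL tables, the hostname "fw1.example" and the rules blobs are constructed sample data, and the digest defaults to sha256 rather than md5.

```python
import hashlib
import sqlite3
from datetime import datetime, timezone

# Constructed stand-ins for the rulebase file extracted from two daily backups
RULES_DAY1 = b"rule 1: accept any http\nrule 2: drop any any\n"
RULES_DAY2 = b"rule 1: accept any http\nrule 1a: accept any ssh\nrule 2: drop any any\n"


def rulebase_digest(data: bytes, algo: str = "sha256") -> str:
    # The post used md5, which also works for noticing accidental drift;
    # sha256 is preferred because md5 collisions are cheap to construct.
    return hashlib.new(algo, data).hexdigest()


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    # Two tables: current checksum per firewall, and an audit trail of changes
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS firewall "
                 "(hostname TEXT PRIMARY KEY, checksum TEXT, updated TEXT)")
    conn.execute("CREATE TABLE IF NOT EXISTS change_log "
                 "(hostname TEXT, old_checksum TEXT, new_checksum TEXT, seen TEXT)")
    return conn


def check_rulebase(conn: sqlite3.Connection, hostname: str, data: bytes) -> dict:
    """Compare today's rulebase digest with the stored one; log and flag a change."""
    new = rulebase_digest(data)
    now = datetime.now(timezone.utc).isoformat()
    row = conn.execute("SELECT checksum FROM firewall WHERE hostname=?", (hostname,)).fetchone()
    if row is None:  # first run for this firewall: record the baseline, nothing to alert on
        conn.execute("INSERT INTO firewall VALUES (?,?,?)", (hostname, new, now))
        conn.commit()
        return {"hostname": hostname, "status": "baseline", "checksum": new}
    old = row[0]
    if old == new:
        return {"hostname": hostname, "status": "unchanged", "checksum": new}
    # Digest differs: keep the old/new pair for the change table, then roll the baseline forward
    conn.execute("INSERT INTO change_log VALUES (?,?,?,?)", (hostname, old, new, now))
    conn.execute("UPDATE firewall SET checksum=?, updated=? WHERE hostname=?", (new, now, hostname))
    conn.commit()
    return {"hostname": hostname, "status": "CHANGED", "old": old, "checksum": new}


def logged_changes(conn: sqlite3.Connection, hostname: str) -> list:
    return conn.execute("SELECT old_checksum, new_checksum FROM change_log WHERE hostname=?",
                        (hostname,)).fetchall()


if __name__ == "__main__":
    db = open_store()
    for blob in (RULES_DAY1, RULES_DAY1, RULES_DAY2):  # day 1, day 2 (same), day 3 (edited)
        print(check_rulebase(db, "fw1.example", blob))
```

A "CHANGED" result is the point at which the daily job would send the alert; the change_log row is what the updateable change table in the PHP front-end would show.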
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST@;beethoven.us.checkpoint.com] On Behalf Of crypto isakmp
Sent: 17 October 2002 01:58
To: [EMAIL PROTECTED]
Subject: [FW-1] Change management tools and techniques
What tools are you using to manage FW-1, access routers, <insert other security device> changes?
I am currently working with an Excel spreadsheet but am considering the benefits of creating an Access or SQL database to track changes to rules, objects etc. The long-term goal is to write a PHP front-end with SSL to provide the network team with a web-based change management facility. Then, as soon as a rule or access-list change is made, the change can be manually updated in the change-management database.
Are there any open-source or commercial products out there already providing this functionality?
Keep in mind the tool needs to cover rules, objects, NATs plus router reflexive lists, IOS firewall configs, PIX configs, IDS configs etc.
Appreciate all experiences you may have.
Regards,
Dave
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================