Firewall Best Practices Every Enterprise Should Follow

Biggest Firewall Deployment Challenges

The pace of technology change has outpaced the human ability to keep up with it. Indeni’s latest research identified three common challenges with firewall deployment and maintenance.

Firewall Advancements Are Outpacing Engineers’ Knowledge

Engineers who have used one type of firewall for years are very comfortable navigating the user interface and even using CLI commands. In fact, 72% rate their understanding of their devices a 7 or greater on a 10-point scale. Interestingly, though, when pressed to find the cause of an issue, very few (only 15%) can identify the root cause. One reason is that firewall vendors introduce new capabilities all the time. For example, many of the releases in 2018 added support for virtual devices and for private and public cloud deployments. With little or no documentation coinciding with a release, it is very difficult for operators to stay abreast of these advancements. The skills gap, or knowledge gap, is even more pronounced when reviewing IT project output.

  • 54% of firewall engineers complete 0 to 2 projects per month
  • 27% of firewall engineers complete over 21 projects per year
  • 41% of firewall engineers say it takes up to 6 months to get a new firewall engineer up to speed

Engineers Get Many Alerts But Few Actionable Insights

With access to so many network monitoring, network management and analytics tools, it is surprising that only a small group of engineers are monitoring their firewall performance and firewall configurations on a daily basis. Our report shows the most common method of collecting information is through SNMP and Syslog. These two data types provide a view of “what’s happening on the network now” (SNMP) and “what happened in the past” (Syslog). These two metrics together suggest that SNMP and Syslog data sources alone are not actionable enough for today’s engineers. If the information provided more context or actionable data, it is likely more engineers would use these tools in their day-to-day operations.

  • 34% of engineers are analyzing firewall performance daily
  • 21% of engineers review configurations daily
  • 41% of engineers need at least a full workday to demonstrate a firewall met the system performance and stability standards for their organization during an outage

Firewall Maintenance Is More Reactive Than Proactive

To use the Franklin Covey time management framework, today’s firewall engineer or systems administrator spends more time on urgent-and-important tasks and not enough time in the important-but-not-urgent category. Our data shows that survey respondents are extremely responsive to critical issues and outages, with 97% responding to critical issues within 24 hours. Even with that kind of speed, engineers are still falling behind. As an organization scales to 100 firewalls, the effort required to demonstrate compliance also increases. If organizations are unable to find a balance between day-to-day operations and delivering new projects, demonstrating compliance will become an even greater burden.

  • 30% of firewall engineers cite “eliminating errors and unplanned work” as their biggest pain point
  • 29% of engineers have limited time to take on new projects
  • 63% require a week or less to demonstrate compliance

Most Common Causes of Firewall Outages

  • Human error: 42%
  • Device performance: 31%
  • Configuration drift: 19%
  • Other: 16.3%

Most Common Sources Of Issues Within Firewalls

Indeni estimates that the respondents who are unable to identify which function or capability within a firewall is causing an issue are those who are not routinely checking the performance and configuration health of their devices. If individuals validated that device-specific settings aligned with best practices, they would be better able to articulate and proactively address these issues.

  • VPN related: 15.3%
  • Packet drop: 12.4%
  • CPU related: 9.0%
  • I can’t say for certain: 8.9%
  • Misconfigured/unsynced HA pairs: 8.0%
  • SSL decryption issues: 7.7%
  • Certification connections: 6.8%
  • Interface errors: 6.8%
  • Concurrent connections: 6.0%
  • License expiration: 4.9%
  • ARP usage: 2.9%
  • Bond interfaces: 2.6%
  • All of the above: 1.6%
  • None of the above: 7.0%

Firewall Best Practices For Every Organization

Ensure proper firewall setup.

The specifics of firewall deployment may differ depending on your vendor, but there are a few general best practices that apply to every type of hardware. These recommendations from PCI compliance partner Security Metrics are a good place to start:

  • Secure your firewall.

    Delete or disable any default accounts and passwords, and set new, complex passwords. Then disable the Simple Network Management Protocol (SNMP) to minimize security risks.

  • Architect your firewall zones and IP addresses.

    Structure your network so similar assets are grouped together based on sensitivity level and function. All servers accessed directly from the internet should be grouped together and separated from internal servers. While having more zones generally improves security, keep in mind that they also require time and effort to manage.

  • Set firewall rules.

    Determine which network traffic needs to flow in and out of each zone using an access control list. Block public access to the firewall’s administration interfaces, and disable all unencrypted management protocols, including HTTP connections.

  • Configure other firewall services.

    If your firewall has other capabilities (such as acting as a Dynamic Host Configuration Protocol (DHCP) server), configure the services you want to use and disable any extra services you don’t need.

  • Test firewall configuration.

    Ensure your firewall is blocking inbound and outbound traffic according to your firewall rules, and scan for vulnerabilities.
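The five steps above can be turned into a repeatable check. The following is an added example written for this article, not code from the original page or from any firewall vendor; it audits a vendor-neutral configuration model (a constructed dict with `accounts`, `services`, `zones` and `rules`) against each step and, for the final step, compares what the ruleset actually does with what the policy says it should do. The default account names, the list of plaintext management protocols, the zone names and the sample configuration are all assumptions made for the example.

```python
"""Audit a firewall configuration against the five setup steps above.

Added example; not code from the original article or from any firewall
vendor's API. The config model is a constructed, vendor-neutral stand-in
for an exported firewall configuration, and the sample config is constructed.
"""
from dataclasses import dataclass

# Assumptions: factory login names to look for, and which management
# services carry credentials in the clear.
DEFAULT_ACCOUNTS = {"admin", "root", "fwadmin"}
UNENCRYPTED_MGMT = {"http", "telnet", "snmp"}
PUBLIC_ZONE = "untrust"
MGMT_ZONE = "management"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    service: str      # "ssh", "https", ... or "any"
    action: str       # "allow" or "deny"


def audit(config):
    """Return human-readable findings; an empty list means every check passed."""
    findings = []

    # Step 1: secure the firewall (default accounts, initial passwords, SNMP).
    for acct in config["accounts"]:
        if not acct.get("enabled", True):
            continue
        if acct["name"] in DEFAULT_ACCOUNTS:
            findings.append(f"default account '{acct['name']}' still enabled")
        if not acct.get("password_changed", False):
            findings.append(f"account '{acct['name']}' still uses its initial password")
    if config["services"].get("snmp", {}).get("enabled"):
        findings.append("SNMP enabled")

    # Step 2: zones group assets by sensitivity; internet-facing servers are
    # kept apart from internal ones.
    for name, zone in config["zones"].items():
        if zone.get("internet_facing") and zone.get("contains_internal_servers"):
            findings.append(f"zone '{name}' mixes internet-facing and internal servers")

    # Step 3: no public reachability of the admin interface, no plaintext
    # management protocols.
    for rule in config["rules"]:
        if rule.action != "allow" or rule.dst_zone != MGMT_ZONE:
            continue
        if rule.src_zone == PUBLIC_ZONE:
            findings.append(f"management reachable from '{PUBLIC_ZONE}' via {rule.service}")
        if rule.service in UNENCRYPTED_MGMT or rule.service == "any":
            findings.append(f"unencrypted management protocol allowed: {rule.service}")

    # Step 4: only the services you actually want stay enabled.
    for svc, state in config["services"].items():
        if state.get("enabled") and svc not in config["wanted_services"]:
            findings.append(f"unneeded service '{svc}' enabled")
    return findings


def first_match(rules, src_zone, dst_zone, service):
    """Top-down, first-match evaluation with an implicit final deny."""
    for r in rules:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and r.service in (service, "any")):
            return r.action
    return "deny"


def check_expected_flows(rules, expectations):
    """Step 5: compare what the ruleset does with what policy says it should.
    Returns (flow, expected, actual) for every flow whose outcome differs."""
    return [(flow, expected, first_match(rules, *flow))
            for flow, expected in expectations
            if first_match(rules, *flow) != expected]


# Constructed sample configuration exhibiting several of the problems above.
SAMPLE_CONFIG = {
    "accounts": [
        {"name": "admin", "enabled": True, "password_changed": False},
        {"name": "netops-jdoe", "enabled": True, "password_changed": True},
    ],
    "services": {"snmp": {"enabled": True}, "dhcp": {"enabled": True},
                 "ntp": {"enabled": True}},
    "wanted_services": ["dhcp", "ntp"],
    "zones": {
        "dmz": {"internet_facing": True, "contains_internal_servers": True},
        "internal": {"internet_facing": False, "contains_internal_servers": True},
    },
    "rules": [
        Rule("untrust", "management", "http", "allow"),
        Rule("internal", "management", "ssh", "allow"),
        Rule("untrust", "dmz", "https", "allow"),
    ],
}

# Constructed policy expectations: (src_zone, dst_zone, service) -> outcome.
EXPECTED_FLOWS = [
    (("untrust", "dmz", "https"), "allow"),
    (("untrust", "internal", "ssh"), "deny"),
    (("internal", "management", "ssh"), "allow"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("flow mismatches:", check_expected_flows(SAMPLE_CONFIG["rules"], EXPECTED_FLOWS))
```

Run against the sample, `audit` reports seven findings (the still-enabled `admin` account and its unchanged password, SNMP, the mixed DMZ zone, the HTTP rule from the public zone into management counted twice, and the unwanted SNMP service), while `check_expected_flows` returns an empty list because the three documented flows behave as policy expects. The flow check is the part most teams skip: it is cheap to keep a list of flows that must be allowed and flows that must be denied, and to re-run it after every rule change.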

Use network automation to reduce manual tasks.

Maintaining firewalls and other network devices involves many tedious, time-consuming tasks. If you have more than a few firewalls, you potentially have dozens of firewall licenses that are set to expire at any given time. You also may need to enable and disable various features to deploy new services, validate configuration and maintain high availability. Keeping up with all these firewall maintenance activities not only keeps you from other important projects, it also introduces a greater potential for human error.

Network automation replaces many of these manual tasks with automated scripts. They can run commands without the need to type them in, identify issues and assess the health of your devices. An effective network automation system reduces costs and errors while offering deeper insights into performance.

Install required hotfixes and remove redundant ones.

To prevent network downtime and security breaches, it’s critical to make sure your devices are patched with the latest versions and hotfixes. You can type in manual commands to find currently installed hotfixes, install new ones and remove redundant ones. However, this requires knowing when and where to look. A network automation platform can identify which hotfixes should be installed on your specific firewalls and which ones you don’t need.

Use an in-depth firewall monitoring system to track performance.

As your organization grows, managing firewall capacity becomes increasingly important. You need to constantly monitor your device load metrics, including packets accepted, dropped, logged and rejected per second.

A network monitoring system checks for slowdowns and other issues 24 hours a day, seven days a week. Advanced network monitoring can also check network response time and availability, notify you when you are close to reaching capacity limits and more.
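What "monitoring load metrics" looks like in code, as an added example that is not from the article or from any monitoring product: two samples of the device's packet counters are turned into per-second rates (tolerating a counter wrap between samples), and an alert is raised when the connection table approaches its limit or when dropped packets become a noticeable share of traffic. The 64-bit counter width, the metric names, the thresholds and the two samples are assumptions made for the example.

```python
"""Derive per-second load rates from firewall counters and raise capacity alerts.

Added example, not code from the original article or from any monitoring
product. It assumes the device exposes monotonic 64-bit packet counters
(accepted, dropped, logged, rejected) plus a connection-table reading; the
two samples and the status below are constructed.
"""
COUNTER_BITS = 64          # assumption: 64-bit counters, as high-capacity SNMP counters are
METRICS = ("accepted", "dropped", "logged", "rejected")


def rate(prev, curr, seconds):
    """Per-second rate between two counter readings, tolerating one wrap-around."""
    if seconds <= 0:
        raise ValueError("samples must be increasing in time")
    delta = curr - prev
    if delta < 0:                       # counter wrapped between the samples
        delta += 2 ** COUNTER_BITS
    return delta / seconds


def load_rates(prev_sample, curr_sample):
    """Packets per second for each metric between two timestamped samples."""
    seconds = curr_sample["ts"] - prev_sample["ts"]
    return {m: rate(prev_sample[m], curr_sample[m], seconds) for m in METRICS}


def capacity_alerts(rates, status, warn_ratio=0.8, max_drop_share=0.01):
    """Alert when the connection table nears its limit or when dropped packets
    exceed max_drop_share of all packets the firewall saw."""
    alerts = []
    used = status["concurrent_connections"] / status["max_connections"]
    if used >= warn_ratio:
        alerts.append(f"connection table {used:.0%} full "
                      f"({status['concurrent_connections']}/{status['max_connections']})")
    seen = rates["accepted"] + rates["dropped"] + rates["rejected"]
    drop_share = rates["dropped"] / seen if seen else 0.0
    if drop_share >= max_drop_share:
        alerts.append(f"dropping {drop_share:.1%} of packets ({rates['dropped']:.0f}/s)")
    return alerts


# Constructed samples: 60 seconds apart, 10k pps accepted, 200 pps dropped.
PREV = {"ts": 1_700_000_000, "accepted": 1_000_000, "dropped": 500,
        "logged": 1_000, "rejected": 200}
CURR = {"ts": 1_700_000_060, "accepted": 1_600_000, "dropped": 12_500,
        "logged": 61_000, "rejected": 1_400}
STATUS = {"concurrent_connections": 170_000, "max_connections": 200_000}

if __name__ == "__main__":
    rates = load_rates(PREV, CURR)
    print({m: f"{v:.0f}/s" for m, v in rates.items()})
    for alert in capacity_alerts(rates, STATUS):
        print("ALERT:", alert)
```

With the constructed samples the device is accepting 10,000 packets per second and dropping 200, so both alerts fire: the connection table is 85% full and about 2% of packets are being dropped. Raw counters are what SNMP gives you; the rate and the ratio are what an engineer can act on, which is the gap the text above describes.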

Conduct a regular audit of the firewall’s configurations.

As we’ve seen in our own research, nearly 1 in 5 firewall issues are related to configuration drift. This could be as simple as a lack of clock synchronization between devices, or it could be a more serious issue — such as an open port that isn’t documented in your security policy.

That’s why it’s so important to check configurations regularly, especially those related to redundancy and failover, to ensure that no firewall becomes a single point of failure.

These issues are also easier to detect if you’re using a network monitoring system.
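The drift checks described above (an undocumented open port, an unsynchronised clock, and redundancy settings that would leave a device as a single point of failure) can be expressed as a comparison of each device against a documented baseline and against its HA peer. The following is an added example, not code from the original article or from any vendor tool; it assumes each device's configuration has already been exported into the small dict shape shown, and the baseline, the two snapshots and the reference time are constructed.

```python
"""Audit an HA pair of firewalls for configuration drift against a
documented baseline.

Added example, not code from the original article or from any vendor tool.
It assumes each device's configuration has already been exported and parsed
into the small dict shape used here (open ports, clock, NTP servers,
failover settings, software version); the baseline and both snapshots are
constructed.
"""
HA_KEYS = ("ntp_servers", "open_ports", "failover", "software_version")


def open_ports_not_in_policy(config, policy_ports):
    """Ports the device exposes that the documented policy never authorised."""
    return sorted(set(config["open_ports"]) - set(policy_ports))


def clock_skew_seconds(config, reference_time):
    """Absolute difference between the device clock and the reference time."""
    return abs(config["clock"] - reference_time)


def ha_pair_mismatches(primary, secondary, keys=HA_KEYS):
    """Settings on which the two members of the HA pair disagree."""
    return [k for k in keys if primary.get(k) != secondary.get(k)]


def drift_report(baseline, primary, secondary, now, max_skew_seconds=5):
    """Findings a reviewer should look at: undocumented open ports, clock
    drift, disabled failover, and unsynchronised HA members."""
    findings = []
    for name, cfg in (("primary", primary), ("secondary", secondary)):
        extra = open_ports_not_in_policy(cfg, baseline["open_ports"])
        if extra:
            findings.append(f"{name}: ports open but absent from policy: {extra}")
        skew = clock_skew_seconds(cfg, now)
        if skew > max_skew_seconds:
            findings.append(f"{name}: clock off by {skew}s (NTP not syncing?)")
        if not cfg.get("failover", {}).get("enabled"):
            findings.append(f"{name}: failover disabled, device is a single point of failure")
    for key in ha_pair_mismatches(primary, secondary):
        findings.append(f"HA pair differs on '{key}': "
                        f"{primary.get(key)!r} vs {secondary.get(key)!r}")
    return findings


NOW = 1_700_000_000   # constructed reference time (epoch seconds)

# Constructed baseline: what the security policy documents as permitted.
BASELINE = {"open_ports": [22, 443],
            "ntp_servers": ["10.0.0.5"],
            "software_version": "v1.2.3"}       # placeholder version string

# Constructed snapshots of the two HA members.
PRIMARY = {"open_ports": [22, 443, 8080], "clock": NOW - 2,
           "ntp_servers": ["10.0.0.5"],
           "failover": {"enabled": True, "peer": "fw-b"},
           "software_version": "v1.2.3"}
SECONDARY = {"open_ports": [22, 443], "clock": NOW - 90,
             "ntp_servers": ["10.0.0.5"],
             "failover": {"enabled": False},
             "software_version": "v1.2.3"}

if __name__ == "__main__":
    for line in drift_report(BASELINE, PRIMARY, SECONDARY, NOW):
        print("DRIFT:", line)
```

On the constructed snapshots the report lists five items: port 8080 open on the primary without being in policy, the secondary's clock 90 seconds off, failover disabled on the secondary, and the two members disagreeing on both `open_ports` and `failover`. The last two map directly to the "misconfigured/unsynced HA pairs" category in the survey data above.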

How Automation Increases Compliance and Uptime

As you know all too well, keeping up with all these tasks can be so time-consuming that many engineers fall behind on more strategic priorities.

Security infrastructure automation eliminates many of the manual tasks associated with monitoring and validating devices. Indeni’s security automation platform helps you detect, triage and remediate many types of issues.

  • Ensuring devices are configured according to firewall vendor best practices
  • Identifying issues with high availability, ensuring you will always have a backup in case of a device failure
  • Identifying regulatory compliance issues
  • Monitoring performance of firewalls and load balancers
  • Continuously assessing device health
  • Notifying you of firewall maintenance tasks, such as upcoming license expirations or out-of-date software

Rather than bombarding you with alerts, our platform performs common troubleshooting tasks to help you prioritize issues.

For instance, if your network is not correctly logging data, it could be due to several factors. Indeni’s Auto-Triage feature examines each of these issues to give you more context into what went wrong.

Our infrastructure automation playbooks are developed and continually updated by a global community of experts, ensuring you are always using the latest firewall best practices. Learn more about how we support your firewalls from Check Point, Palo Alto Networks and Fortinet.

Automation Solutions For Check Point Firewalls

Check Point customers use Indeni to automate repetitive network and security tasks such as ongoing maintenance, best practices, high availability validation, compliance and more.

  • Indeni connects to Check Point devices through the native protocol, including SSH and API
  • The platform collects data 24/7 by automatically running commands administrators usually run manually, continuously validating your Check Point devices are operating as intended
  • When our platform finds a configuration issue, it notifies you in real time and recommends the best course of action to resolve it
  • Indeni’s Knowledge Library gives you access to the latest automation scripts and remediation steps, sourced by global industry experts

Automation Solutions For Palo Alto Networks Firewalls

Indeni improves the reliability of Palo Alto Networks firewalls while reducing the administrative overhead of maintaining them.

  • Quickly identify issues with device-specific health checks applied using XML APIs and SSH
  • Analyze devices continuously, including the state of devices, configuration and deviation from best practices
  • Solve complicated problems quickly with alerts that include context, history, impact and recommended remediation steps

Automation Solutions For Fortinet FortiGate Firewalls

Indeni automatically detects issues related to Fortinet FortiGate firewalls and tells you how to fix them.

  • Ensure high availability by constantly detecting cluster members that are not ready, identifying cluster synchronization issues and more
  • Assess device health by comparing expectations against the current status
  • Validate best practices from experienced Fortinet users
  • Complete often overlooked maintenance tasks, such as renewing licenses, SSL certificates and log service

Indeni automates firewall best practices by combining security infrastructure automation with a dynamic collection of playbooks from global experts.

Try Indeni Today

  • Request a live demo with one of our experts (and ask as many questions as you want)
  • Download a free trial and monitor up to five devices for 30 days
  • Get familiar with our user interface without downloading or installing anything