1. Technical Field
This disclosure relates generally to computer system networks and network management in a data processing system and more specifically to firewall event reduction for rule use counting in managing the network of the data processing system.
2. Description of the Related Art
To monitor and manage networks, firewall administrators require knowledge of how frequently the rules deployed on devices are hit by traffic. The frequency information is useful for re-ordering and prioritizing rules for firewall optimization, for detecting anomalous patterns due to rules firing more often than expected, and for issuing reports demonstrating security policy compliance and security posture.
Traditionally, to determine the number of times a given firewall rule has been hit, the administrator must connect to each individual device in a network and view the rules on the device together with a count of the hits on each rule. The manual process has several limitations. The process is time-consuming because the administrator must connect to each device one by one. Further, on many devices, when a rule-set is modified the modification resets the counter, regardless of whether the modification is material to the rule's function. The administrator therefore must note the count before and after the rule change, record the rules as being the same rule (even though the system treats them as different), and summarize the counts in a report.
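The before-and-after bookkeeping described above, as an added illustration that is not part of the disclosure: a small Python aggregator (constructed example; the rule fields, device names and poll values are assumed) that identifies a rule by its function-relevant fields rather than by the device's own rule identifier, detects a counter reset when a polled value goes backwards, and sums hit deltas across the reset so the report reflects the true cumulative count.

```python
"""Counter-reset-aware hit aggregation across rule-set modifications.

Constructed example (not from the disclosure). Each device is polled on an
interval and returns, per rule, the device's own rule identifier, the fields
that define the rule's function, and the device's current hit counter. When
the rule-set is modified the device resets counters and may renumber rules,
so reporting only the latest counter undercounts. This aggregator keys rules
by a canonical function key, detects resets and accumulates the deltas.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RuleSnapshot:
    device: str
    device_rule_id: str     # assigned by the device; may change on edit
    action: str
    src: str
    dst: str
    port: int
    hits: int               # device counter value at poll time
    comment: str = ""       # assumed non-material; ignored in the key


def rule_key(snap):
    # Canonical identity: only fields material to the rule's function.
    # Assumption: device_rule_id and comment are not material.
    return (snap.device, snap.action, snap.src, snap.dst, snap.port)


@dataclass
class RuleCounter:
    total: int = 0          # cumulative hits across resets
    last_seen: int = 0      # counter value at the previous poll
    resets: int = 0         # number of detected counter resets


class HitAggregator:
    def __init__(self):
        self.counters = {}  # rule_key -> RuleCounter

    def ingest(self, snapshots):
        """Fold one poll of a device's rules into the cumulative counters."""
        for snap in snapshots:
            rc = self.counters.setdefault(rule_key(snap), RuleCounter())
            if snap.hits < rc.last_seen:
                # Counter went backwards: the device reset it (rule-set was
                # modified). Hits since the reset are the new counter value.
                # Limitation: a reset followed by more hits than last_seen
                # before the next poll is indistinguishable from no reset,
                # which is the interval-polling weakness noted in the text.
                rc.resets += 1
                rc.total += snap.hits
            else:
                rc.total += snap.hits - rc.last_seen
            rc.last_seen = snap.hits

    def report(self):
        """Return {rule_key: (cumulative_hits, resets_detected)}."""
        return {k: (rc.total, rc.resets) for k, rc in self.counters.items()}


def sample_polls():
    """Constructed polls: rule 10 is edited (renumbered, comment changed)
    between poll 2 and poll 3, which resets its counter on the device."""
    allow = dict(device="fw1", action="allow", src="10.0.0.0/8",
                 dst="192.0.2.5", port=443)
    deny = dict(device="fw1", action="deny", src="any", dst="any", port=0)
    return [
        [RuleSnapshot(device_rule_id="10", hits=100, comment="web", **allow),
         RuleSnapshot(device_rule_id="99", hits=5, **deny)],
        [RuleSnapshot(device_rule_id="10", hits=130, comment="web", **allow),
         RuleSnapshot(device_rule_id="99", hits=9, **deny)],
        [RuleSnapshot(device_rule_id="12", hits=4, comment="web (edited)", **allow),
         RuleSnapshot(device_rule_id="99", hits=12, **deny)],
        [RuleSnapshot(device_rule_id="12", hits=20, comment="web (edited)", **allow),
         RuleSnapshot(device_rule_id="99", hits=15, **deny)],
    ]


def run_example():
    agg = HitAggregator()
    for poll in sample_polls():
        agg.ingest(poll)
    return agg.report()


if __name__ == "__main__":
    for key, (total, resets) in run_example().items():
        print(key, "hits=%d resets=%d" % (total, resets))
```

The latest device counter for the edited allow rule would read 20; the aggregator reports 150 with one reset detected, which is the figure the administrator would otherwise have to reconstruct by hand.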
To reduce effort, firewall administrators typically use external tools to monitor and track the use of firewall rules on a network. However, the tools routinely function in the same way, because each tool communicates with a device on an interval and queries the device for a count; accordingly, the tools are subject to the same limitations as the previously described method with respect to recognizing a rule as unchanged when the system views the rule as modified. Gathering count information also requires the monitoring system to connect to and query all the devices throughout the network, which is not always feasible.
In another example solution, some tools feed firewall rule logs into a system that runs the logged events through a topological model, created from the configuration of the firewalls, and counts the rules as they would be hit according to the model. However, this example solution is not a real-time solution. Creating a real-time solution would be very resource-intensive, because a centralized system must be able to process the logs from all firewalls in the network through the topological model.