Auditing firewall rules with NQE

Userlevel 3

You can use NQE to examine the firewall rules in all firewalls in a network. However, you will need to use a different approach depending on what you want to audit in your security rules.

Forward Enterprise collects and parses the ACLs and security rules from all devices: firewalls, routers, switches, and so on. The data is then parsed and normalized. This data is stored in a database in a custom format that allows the Forward application to perform path analysis.

The following NQE query uses the Forward Enterprise aclEntry object to provide consistent output from any vendor Firewall. Note that the scope of device types in the output is limited by using the where statement and filtering to DeviceType.FIREWALL.

This query will work for every ACL/security rule on any Firewall in the network. However, because the query is working on normalized data, each security rule in a firewall may be broken up into multiple aclEntry objects. The results of this query may therefore have multiple lines with the same “Rule Name”. One aclEntry could show traffic permitted for TCP port 80, while another aclEntry could show ICMP traffic being permitted on the same rule from the firewall.


foreach device in network.devices
where device.platform.deviceType == DeviceType.FIREWALL
foreach aclEntry in device.aclEntries
select {
"Rule Name":,
"Source IPs": aclEntry.headerMatches.ipv4Src,
"Destination IPs": aclEntry.headerMatches.ipv4Dst,
"Protocol": max(aclEntry.headerMatches.ipProtocol),
"Destination Ports": aclEntry.headerMatches.tpDst,
"Action": when aclEntry.action is
PBR -> "PBR";

While this provides an accurate model, it may not be the most intuitive way to list firewall rules.

An alternate approach would be to parse the raw data collected from the devices of a certain hardware model and OS. In this way, the user could display the NQE query output in a table where each line represents a single security rule.

The following NQE query is designed to parse the security rules from a Palo Alto firewall by looking for a defined pattern in the config hierarchy and assigning the data for each rule entry to a series of variables. The select statement creates a table of entries that are based on each unique block of data that matches the pattern.

This output may be more readable than iterating through the normalized data, but the script will have to be customized for every type of firewall in the network. Even devices of the same type could deviate from the pattern (For example, not all Palo Alto firewalls will have the “rule-type” setting). The output results of the NQE query should be compared against a sample device of each type of config to ensure that no data pattern is missing.

pattern =
{vsysName: string}
rule-type {ruletype:string}
description {description: string}
source {srcIps: string}
from {fromZone:string}
to {toZone:string}
destination {dstIps:string}
application {app:string}
service {service:string}
action {action:string}

foreach device in network.devices
where device.platform.os == OS.PAN_OS
foreach match in blockMatches(device.files.config, pattern)

select {
os: device.platform.os,
"Rule Name":,
"Source IPs":,
"Dest IPs":,
"from Zone":,
"to Zone":,





0 replies

Be the first to reply!