
Is it possible to write a Forward NQE query that will produce a list of firewall rules that have not been used in the last 90 / 180 / 365 days (based on hit count)?  It would be helpful to have firewall name, the rule ID numbers, and last used date/time if possible.

@john_hayes this should give you the results you're looking for with the rule ID, timestamp of when it was last used, and if the days since are greater than 90/180/365.

/**
 * @intent Verifies that active firewalls have no unused security rules
 * @description This query considers a rule to be unused if it last processed
 * a packet more than 90 days ago, and reports whether that was more than
 * 90, 180 or 365 days ago. This query only applies this check to
 * firewalls that are not in BACKUP or STANDALONE_INACTIVE HA operation modes.
 * To avoid flagging rules that are designed to be used infrequently
 * (for example, because it is provisioned for a failover scenario), add the
 * name of the rule to the expectedUnusedRules list.
 *
 * All time durations are measured relative to the snapshot collection
 * time of the device.
 */

// HA operation modes of firewalls that are skipped by this check.
activeModes = [HaOperationMode.BACKUP, HaOperationMode.STANDALONE_INACTIVE];

@query
query(expectedUnusedRules: List<String>) =
  foreach device in network.devices
  where device.platform.deviceType == DeviceType.FIREWALL
  where device.ha.clusterHa?.operationMode not in activeModes
  // Prefer the snapshot collection time; fall back to the backfill time.
  let now = if isPresent(device.snapshotInfo.collectionTime)
            then device.snapshotInfo.collectionTime
            else device.snapshotInfo.backfillTime
  // Note that `distinct` is used because currently a single
  // firewall rule may be modelled as several AclEntry records.
  // However, this query should count number of firewall rules.
  let unusedRules = (foreach aclEntry in device.aclEntries
                     where aclEntry.name not in expectedUnusedRules
                     let lastUsed = aclEntry.lifecycleData?.lastUsed
                     // Rules with no lastUsed timestamp are not reported.
                     where isPresent(lastUsed)
                     // Bucket by the largest threshold the rule exceeds.
                     let days = if now - lastUsed > days(365) then 365
                                else if now - lastUsed > days(180) then 180
                                else if now - lastUsed > days(90) then 90
                                else 0
                     where days > 0
                     select distinct { name: aclEntry.name, lastUsed, days })
  foreach rule in unusedRules
  select {
    Device: device.name,
    "Rule ID": rule.name,
    lastUsed: rule.lastUsed,
    days: rule.days,
    OS: device.platform.os
  };
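The same classification logic, reimplemented offline in Python as an added example (not part of the answer above, and not Forward Networks code), so the 90/180/365 thresholds can be checked against constructed snapshot data before the NQE query is run at scale. The field names and the sample devices are assumptions that stand in for `snapshotInfo.collectionTime`/`backfillTime`, `clusterHa.operationMode` and `aclEntry.lifecycleData.lastUsed`. One thing the reimplementation makes visible: the query's `where isPresent(lastUsed)` drops rules that carry no timestamp at all, so those are collected into a separate list here rather than silently skipped.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Checked largest first, exactly like the query's if/else chain.
THRESHOLDS_DAYS = (365, 180, 90)
# HA modes the query skips (its `activeModes` list).
INACTIVE_MODES = {"BACKUP", "STANDALONE_INACTIVE"}


@dataclass(frozen=True)
class AclEntry:
    name: str
    last_used: Optional[datetime]  # None when the platform reports no lifecycle data


@dataclass(frozen=True)
class Device:
    name: str
    device_type: str
    ha_mode: Optional[str]  # None for non-clustered firewalls
    collection_time: Optional[datetime]
    backfill_time: datetime
    acl_entries: Tuple[AclEntry, ...]


def snapshot_time(device: Device) -> datetime:
    # `now = if isPresent(collectionTime) then collectionTime else backfillTime`
    return device.collection_time if device.collection_time is not None else device.backfill_time


def age_bucket(now: datetime, last_used: datetime) -> int:
    # Returns 365, 180, 90 or 0, matching the query's `days` expression.
    age = now - last_used
    for threshold in THRESHOLDS_DAYS:
        if age > timedelta(days=threshold):
            return threshold
    return 0


def unused_rules(devices, expected_unused=()):
    """Return (rows, no_timestamp): rows for rules unused > 90 days, and the
    (device, rule) pairs that have no lastUsed value and so never appear in
    the NQE query's output."""
    rows, no_timestamp = [], []
    for device in devices:
        if device.device_type != "FIREWALL" or device.ha_mode in INACTIVE_MODES:
            continue
        now = snapshot_time(device)
        seen = set()  # `select distinct` over {name, lastUsed, days}
        for entry in device.acl_entries:
            if entry.name in expected_unused:
                continue
            if entry.last_used is None:
                no_timestamp.append((device.name, entry.name))
                continue
            days = age_bucket(now, entry.last_used)
            key = (entry.name, entry.last_used, days)
            if days == 0 or key in seen:
                continue
            seen.add(key)
            rows.append({"Device": device.name, "Rule ID": entry.name,
                         "lastUsed": entry.last_used, "days": days})
    return rows, no_timestamp


# Constructed sample snapshot (assumed values, not a real export).
SNAP = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_DEVICES = (
    Device("fw-edge-1", "FIREWALL", "ACTIVE", SNAP, SNAP, (
        AclEntry("allow-web", SNAP - timedelta(days=3)),
        AclEntry("legacy-ftp", SNAP - timedelta(days=400)),
        AclEntry("legacy-ftp", SNAP - timedelta(days=400)),  # one rule, two AclEntry records
        AclEntry("dr-failover", SNAP - timedelta(days=200)),
        AclEntry("old-vpn", SNAP - timedelta(days=120)),
        AclEntry("never-hit", None),
    )),
    Device("fw-edge-2", "FIREWALL", "BACKUP", None, SNAP, (
        AclEntry("allow-web", SNAP - timedelta(days=500)),
    )),
    Device("core-sw-1", "SWITCH", None, SNAP, SNAP, (
        AclEntry("mgmt-acl", SNAP - timedelta(days=500)),
    )),
)

if __name__ == "__main__":
    rows, missing = unused_rules(SAMPLE_DEVICES, expected_unused=("dr-failover",))
    for row in rows:
        print(row["Device"], row["Rule ID"], row["days"], row["lastUsed"].date())
    for device_name, rule in missing:
        print("no lastUsed:", device_name, rule)
```

Running it on the sample reports `legacy-ftp` once at 365 days and `old-vpn` at 90, skips the BACKUP peer and the switch, leaves `dr-failover` out because it is on the expected list, and lists `never-hit` separately.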
