360-FAAR Firewall Analysis Audit Repair

Software Details:
Version: 0.4.6
Upload Date: 20 Feb 15
Developer: Dan Martin
Distribution Type: Freeware
Downloads: 7


360-FAAR Firewall Analysis Audit Repair is open source software written in Perl, designed as a command-line utility for firewall policy manipulation.

It reads policy for Checkpoint FW1, Netscreen ScreenOS and Cisco ASA, and can compare policies to logs, filter logs, translate and merge policies, and output firewall commands for new policies.

What is new in this release:

  • This version fixes netscreen group name translation bugs.
  • Empty groups are not matched in build_rules subs.
  • Comments are output in 'set name' statements in policy id mode for netscreen rulebases.
  • Netscreen rule 'name' strings are added with rule descriptions, and net ranges are translated as ranges.
  • Some default services have been updated with a few new services definitions.
  • 'rr' mode 'nat' defaults have been added, the same as 'yes' defaults with CIDR filter NAT translations switched on.

What is new in version 0.4.5:

  • This release fixes rulebase output bugs when using the 'cl' option in 'rr' mode.
  • Netscreen rulebase numbers now output usable rule numbers in 'cl' rulebases.
  • Also, hopefully the ctrl-c panic when reading logs is fixed.
  • 'rr' mode 'log' defaults now switch off 'Any' rule to object and service object resolution.
  • 'rr' mode 'res' defaults now switch on most resolution and matching options.

What is new in version 0.4.4:

  • This version adds the "resolve services from 'Any' objects" and the "resolve 'Any' network objects to known nets" option to the 'rr' mode.
  • These new 'rr' mode options require that a log file is loaded and that the output policy is filtered using it.
  • When connectivity is found in the logs which matches a policy instance with the 'Any' service specified, the proto and port or known supernet from the logs are used in the output policy.
  • Resolved objects are reported during the rule build stages and should be added manually.

What is new in version 0.4.3:

  • This release adds the 'hc' option to build rules in 'rr' mode and arrange the most hit new rules at the top.
  • BEWARE: Hit count rules are not 100% reliable at present!!! Hit counts can be multiplied for multi IP objects.
  • 'cl' mode rules now use the original global rule number instead of incrementing it by 1.
  • The defaults for 'rr' mode rule builds have been changed: say no to ALL DEFAULTS to see new default options.
  • Added 'log' defaults to 'rr' mode; this selects the same new defaults but chooses 'yes' in filter with logs.
  • NAT rule dots printing is more frequent to give better visual output.
  • Fewer dots are printed for log to rule matches in 'rr' mode.
  • 'load' mode now doesn't try to load logs and NATs from '.' when you skip loading these files.
  • Rules that are not logged with a rule number in Checkpoint are now listed as rule 0, which hopefully resolves the non-numeric sort errors in 'rr' mode.

What is new in version 0.4.2:

  • This version adds the 'cl' option to clean/filter original rules, in 'rr' mode, and allows output of service priority rules as well as the original dst src priority rule build.
  • The 'rr' mode menu has been simplified further.
  • Starting the script without any options now starts load mode to add at least one config.
  • This release fixes a bug in the 'any' object matching, any should now be matched from logs.
  • The rashfilter hash tree format has been changed to match the order of the other rule processing hashes: mergebase, filterbase, and rulegroups; this should reduce memory use slightly.

What is new in version 0.4.1:

  • This release adds the 'mergelog' mode. This mode allows you to add binary log entries from one config with another; this does not update the information output by 'print' mode but does update the binary log information used by 'rr' mode.
  • This release also significantly updates the user interface. You can now choose options using an option number instead of the text value.
  • Help is no longer printed if you start the script without any options. This allows all configs to be loaded from the 'load' menu instead of specifying them on the command line.
  • Added 'verbose' switches to 'print' and 'rr' modes so that screen output can be switched off.
  • The Netscreen output stage now uses a default zone if none are specified.
  • Also, all 'end.' keywords have been changed to simply '.' to reduce the number of keystrokes needed for each rationalization. Entering '0' now adds all options and '.' chooses the default if available.

What is new in version 0.4.0:

  • This version changes the commandline options and permits you to process as many configurations as you choose.
  • All code has been refactored into subroutines.
  • Three new modes have been added. "load" mode allows you to load new configuration bundles into an already running instance of 360-FAAR, "copylog" mode associates a log file from one configuration with another loaded or new configuration, and "help" mode prints information about all of the other modes.
  • Undefined warnings have been resolved when using CTRL-C to exit the user loop.

What is new in version 0.3.9:

  • This version permits you to choose the types of rules and which rule actions to include in the rule rationalization mode.
  • Both the 'merge from' and 'filter' rulebases rule types can be chosen.
  • The 'rr' mode rule unwrap code has been optimized.

What is new in version 0.3.8:

  • This version adds Cisco ASA 8.3+ object NAT to the cisco reader for static and dynamic NAT.
  • Network objects, ranges, and IPs are translated.
  • Running the script with "--help" or "-h" or "h" prints the simple help screen.
  • Two new options have been added to the "rr" mode filters, to allow encryption rules from the "merge from" and "merge to" rulebases to be used to mask later rules in the merge from rulebase.
  • Connectivity matches output during "rr" mode filtering are now listed using the source configuration bundle object names instead of the binary CIDR IPs.
  • This release resolves the menu infinite loop issue.

Requirements:

  • Perl
