
If “Deny Any Any” rule was disabled or “Permit Any Any” deleted.

Hello,

Is it possible to know when an ANY ANY rule is disabled on the firewall or a Permit any any rule is deleted? I would really appreciate it if I could get any help from you guys on this.

regards,

Mohammed.


Hi Mohammed,

I think this question is more of a firewalling question. You could know about it and do all the ArcSight stuff with such an event if it is created within your firewall audit protocols.

So the question is, does your firewall support this level of granularity to write rule enabling/disabling/creation, including all the details you need to know (in your case, which rule was modified and which objects - like any/any/any drop - are bound within this rule)?

Check your firewall vendor's documentation for where such events get recorded and whether the ArcSight SmartConnector maps that log source and event fields.

If not, check whether your firewall's audit events are stored in a fashion that a FlexConnector could get to (XML, database, file, trap creation on firewall...).

Possibly not your expected solution, but I think it is the best one could say on that question.

Hope that helps you a step further,

Markus


Dear Markus,

Thank you so much for replying. Yeah, it's regarding firewall auditing; we have Sidewinder, Cisco and Juniper firewalls in our organization. I will ask for the documentation and check if auditing supports these events or not. One of the ArcSight admins I know also suggested that I check ACS logs, as he can check access-lists through ACS logs only. I will have to integrate ACS with ArcSight first. I will let you know once I finish it.

Thanks again,

Regards,

Mohammed.
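
The audit-event check Markus describes, sketched for the Cisco firewalls mentioned above. This is an added example, not part of the original thread and not ArcSight or vendor code. It assumes the firewall logs executed commands as Cisco ASA syslog message 111008 in the form shown in the constructed sample lines; the function name and sample data are hypothetical.

```python
import re

# Assumed format of Cisco ASA command-audit syslog message 111008;
# confirm against the output of your own device and software version.
AUDIT_RE = re.compile(
    r"%ASA-\d-111008: User '(?P<user>[^']*)' executed the '(?P<cmd>.*)' command")

# An access-list entry with a single protocol keyword whose source and
# destination are both "any" (any4/any6 on newer releases).
ACE_RE = re.compile(
    r"^(?P<no>no\s+)?access-list\s+(?P<acl>\S+)\s+(?:line\s+\d+\s+)?"
    r"(?:extended\s+)?(?P<action>permit|deny)\s+\S+\s+any[46]?\s+any[46]?\b"
    r"(?P<rest>.*)$", re.IGNORECASE)

def find_any_any_changes(lines):
    """Return (user, acl, action, change) for each any/any rule change."""
    findings = []
    for line in lines:
        audit = AUDIT_RE.search(line)
        if not audit:
            continue  # not a command-audit event
        ace = ACE_RE.match(audit.group("cmd").strip())
        if not ace:
            continue  # some other command, or a more specific rule
        if ace.group("no"):
            change = "deleted"            # "no access-list ..." removes the entry
        elif re.search(r"\binactive\b", ace.group("rest"), re.IGNORECASE):
            change = "disabled"           # "inactive" keeps the entry but turns it off
        else:
            change = "added_or_enabled"
        findings.append((audit.group("user"), ace.group("acl"),
                         ace.group("action").lower(), change))
    return findings

# Constructed sample log lines (not taken from a real device).
SAMPLE = [
    "Mar 03 10:15:02 fw01 %ASA-5-111008: User 'jdoe' executed the "
    "'no access-list OUTSIDE_IN extended permit ip any any' command.",
    "Mar 03 10:16:40 fw01 %ASA-5-111008: User 'jdoe' executed the "
    "'access-list OUTSIDE_IN extended deny ip any any inactive' command.",
    "Mar 03 10:17:05 fw01 %ASA-5-111008: User 'ops' executed the "
    "'access-list DMZ_IN extended permit tcp host 10.0.0.5 any eq 443' command.",
    "Mar 03 10:18:11 fw01 %ASA-6-302013: Built outbound TCP connection 1234",
]

if __name__ == "__main__":
    for finding in find_any_any_changes(SAMPLE):
        print(finding)
```

The same conditions (command-audit event, access-list command, any/any operands, `no` prefix or `inactive` keyword) are what a SIEM rule or filter would need to match once the connector maps the command text into an event field.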
