Firewall Browser Searches Object Hierarchies
Wednesday, May 5th, 2010

Firewall Browser, our recently released free tool, has a very powerful search capability that automatically explores object hierarchies to catch all matching object groups and rules. We often see nested object groups in complex firewalls. Object and rule searches in various management consoles only look at direct matches; they do not capture matches that occur in child groups. When a user tries to add new object groups for new security rules, such incomplete results can lead to duplicate or overlapping object groups.
Here is an interesting case from a Cisco FWSM firewall:
object-group service ldap-ports udp
 port-object eq ldap
 port-object eq ldaps
object-group service netbios-name-ports udp
 port-object eq 137
 port-object eq 138
object-group service domain-controller-udp-ports udp
 group-object ldap-ports
 group-object netbios-name-ports
object-group service std-dc-udp-port udp
 port-object range 137 138
 port-object eq ldap
 port-object eq ldaps
Object group “domain-controller-udp-ports” is exactly the same as object group “std-dc-udp-port”. With the management console, a user has to manually expand child groups with multiple searches to figure this out. Using Firewall Browser, a user can instantaneously view all object groups that match the given criteria (e.g. object name, IP address or service port) no matter how deep the values are hidden in object hierarchies.
The Firewall Browser rule search facility supports object hierarchies as well. In the above example, any access-list rule that refers to “domain-controller-udp-ports” is captured in Firewall Browser if the rule search is against any member object in “ldap-ports” or in “netbios-name-ports”.
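The following is an added example, not Firewall Browser's own code, showing the kind of hierarchy-aware search the two paragraphs above describe: it parses the FWSM object-groups from this post, expands group-object references recursively to leaf ports, finds every group (and every rule) that covers a given port, and flags groups that expand to identical port sets. The single access-list line is constructed for illustration and is not from the post; the numeric values for the service names ldap (389) and ldaps (636) are the well-known port assignments that the FWSM CLI accepts.

```python
"""Hierarchy-aware search over nested Cisco object-groups (added example)."""

# Object-groups from the post; the access-list line is constructed for this example.
CONFIG = """\
object-group service ldap-ports udp
 port-object eq ldap
 port-object eq ldaps
object-group service netbios-name-ports udp
 port-object eq 137
 port-object eq 138
object-group service domain-controller-udp-ports udp
 group-object ldap-ports
 group-object netbios-name-ports
object-group service std-dc-udp-port udp
 port-object range 137 138
 port-object eq ldap
 port-object eq ldaps
access-list outside_in extended permit udp any object-group dc-net object-group domain-controller-udp-ports
"""

# Well-known service names used in the excerpt and their port numbers.
PORT_NAMES = {"ldap": 389, "ldaps": 636}


def port(token):
    """Resolve a service name or numeric port token to an integer."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse(config):
    """Return (groups, rules): groups maps name -> (direct ports, child group names);
    rules is a list of (access-list line, set of referenced group names)."""
    groups, rules, current = {}, [], None
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:2] == ["object-group", "service"]:
            current = parts[2]
            groups[current] = (set(), set())
        elif parts[0] == "port-object" and current:
            if parts[1] == "eq":
                groups[current][0].add(port(parts[2]))
            elif parts[1] == "range":
                lo, hi = port(parts[2]), port(parts[3])
                groups[current][0].update(range(lo, hi + 1))
        elif parts[0] == "group-object" and current:
            groups[current][1].add(parts[1])
        elif parts[0] == "access-list":
            refs = {parts[i + 1] for i, t in enumerate(parts[:-1]) if t == "object-group"}
            rules.append((raw, refs))
            current = None
    return groups, rules


def expand(name, groups, seen=None):
    """All leaf ports of a group, following group-object references to any depth.
    Unknown groups expand to nothing; a cycle is visited once and then ignored."""
    if seen is None:
        seen = set()
    if name in seen or name not in groups:
        return set()
    seen.add(name)
    ports, children = groups[name]
    result = set(ports)
    for child in children:
        result |= expand(child, groups, seen)
    return result


def groups_matching(p, groups):
    """Every group whose expanded membership covers port p, however deeply nested."""
    return sorted(n for n in groups if p in expand(n, groups))


def rules_matching(p, groups, rules):
    """Every access-list line that references a group covering port p."""
    return [line for line, refs in rules if any(p in expand(r, groups) for r in refs)]


def equivalent_groups(groups):
    """Sets of groups that expand to exactly the same ports (duplicate candidates)."""
    by_ports = {}
    for n in groups:
        by_ports.setdefault(frozenset(expand(n, groups)), []).append(n)
    return sorted(sorted(v) for v in by_ports.values() if len(v) > 1)


if __name__ == "__main__":
    g, r = parse(CONFIG)
    print("groups covering udp/137:", groups_matching(137, g))
    print("rules covering udp/137:", rules_matching(137, g, r))
    print("equivalent groups:", equivalent_groups(g))
```

A direct-match search for port 137 would return only netbios-name-ports; the recursive expansion also returns domain-controller-udp-ports and std-dc-udp-port, reports the access-list line that references domain-controller-udp-ports, and pairs the two groups whose expanded port sets are identical.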
You can download Firewall Browser from the Athena Security web site with no license restrictions for end-users.