I recently took over a Fortinet environment filled with a staggering 3000+ rules, and honestly, they make no sense to me or anyone else. The previous network engineer retired a few months ago, and just last week, another engineer quit suddenly. My background is mostly in cloud firewalls with Infrastructure as Code (IaC), but I'm faced with a hefty JSON dump of these rules. I'm looking for advice on how to clean up this rule set, possibly normalize it into an open-source format, and manage it with IaC after tidying it up. There are countless overlapping rules and many dead Fully Qualified Domain Names (FQDNs); I'm honestly overwhelmed!
5 Answers
3000+ rules? You’re in for a ride! But hey, Fortigate’s received/sent counter might be useful for figuring out what's actually needed. Just make sure to map out your rules properly; otherwise, it could get messy.
You might find Ansible helpful here. It has features to work with multiple firewall vendors and could be the solution you’re looking for.
Make sure your firewall software is up to date. Fortinet has had some vulnerabilities recently, so it's good that you checked on that. A solid start! But yeah, the overlapping rules must be frustrating.
Check out the policy counters in your firewall; they’ll tell you which policies are actually in use. Once you clean out the dead ones, you can think about managing the remaining ones with IaC.
Great tip! Recording the current usage, resetting the counters, and then monitoring for a month sounds like a solid plan. Start disabling rules that don't see any traffic.
You might want to consider resetting the metrics and disabling rules that aren’t seeing traffic. It'll help you focus on what remains.
Absolutely! Luckily, they seem to be maintaining their software well. It’s those overlapping rules that really cause issues!
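The counter-based clean-up suggested above can be scripted against the JSON dump the question mentions. The following is an added example, not code from the thread; the policy schema (`policyid`, `srcaddr`, `dstaddr`, `service`, `action`, `status`, `hit_count`, matched top-down) is an assumed, simplified shape that you would map onto your real export. It flags policies with no hits over the monitoring window and, separately, policies that can never match because an earlier policy already covers them, which is why a zero-hit count alone is not proof that a rule is dead.

```python
from __future__ import annotations
import json
from typing import Any

# Constructed sample in an assumed simplified FortiGate-like policy shape.
# Order matters: the first matching policy wins.
SAMPLE_DUMP = json.dumps([
    {"policyid": 1, "name": "web-out", "srcaddr": ["lan"], "dstaddr": ["all"],
     "service": ["HTTP", "HTTPS"], "action": "accept", "status": "enable", "hit_count": 91234},
    {"policyid": 2, "name": "legacy-proxy", "srcaddr": ["lan"], "dstaddr": ["old-proxy.example"],
     "service": ["HTTP"], "action": "accept", "status": "enable", "hit_count": 0},
    {"policyid": 3, "name": "dns-out", "srcaddr": ["lan", "dmz"], "dstaddr": ["all"],
     "service": ["DNS"], "action": "accept", "status": "enable", "hit_count": 8800},
    {"policyid": 4, "name": "block-lan-dns", "srcaddr": ["lan"], "dstaddr": ["all"],
     "service": ["DNS"], "action": "deny", "status": "enable", "hit_count": 0},
])

def _covers(wider: list[str], narrower: list[str]) -> bool:
    """True if the earlier policy's object list matches everything the later one's does."""
    return "all" in wider or set(narrower) <= set(wider)

def analyse(dump: str, min_hits: int = 1) -> dict[str, list[dict[str, Any]]]:
    """Return enabled policies with fewer than min_hits hits in the monitoring window,
    and policies shadowed by an earlier enabled policy on src, dst and service."""
    policies = json.loads(dump)
    unused = [p for p in policies if p["status"] == "enable" and p["hit_count"] < min_hits]
    shadowed = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if earlier["status"] != "enable":
                continue
            if all(_covers(earlier[k], later[k]) for k in ("srcaddr", "dstaddr", "service")):
                # A shadowed deny under an earlier accept is a finding, not just clutter.
                shadowed.append({"policyid": later["policyid"], "shadowed_by": earlier["policyid"],
                                 "action_conflict": earlier["action"] != later["action"]})
                break
    return {"unused": unused, "shadowed": shadowed}

if __name__ == "__main__":
    report = analyse(SAMPLE_DUMP)
    for p in report["unused"]:
        print(f"no hits: policy {p['policyid']} ({p['name']})")
    for s in report["shadowed"]:
        flag = " ACTION CONFLICT" if s["action_conflict"] else ""
        print(f"shadowed: policy {s['policyid']} by policy {s['shadowed_by']}{flag}")
```

Review the shadowed list before disabling zero-hit rules: in the sample, policy 4 has no hits only because policy 3 accepts the same traffic first, so removing it silently would hide a misordered deny rather than tidy up a dead one.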