In my previous life as a firewall admin, I found that there were two key things to maintaining a healthy firewall ACL. First, ensure it passes the necessary traffic! Secondly, ensure that the ACL was cluttered with any unnecessary ACL entries. By making sure our ACL's were clutter-free allowed us to see the wood through the trees when troubleshooting, as well as reduce the overhead on the firewall.
In today's post, I will show you how to perform the latter and reduce ACL clutter with Batfish.
For those new to Batfish, TL;DR,
Batfish is an open-source multi-vendor network analysis tool that allows you to model and query your network in some very clever ways! (more here)
Batfish provides various questions that you can ask your modelled network. One of which is the question -
filterLineReachability(). This question,
returns any entries within a filter that will never be matched due to an encompassing rule further up the filter.
Below is an example showing the shadowed line (aka
Unreachable_Line) that will never be matched, along with the shadowing rule (aka
>>> answer = bfq.filterLineReachability().answer().frame() >>> answer.iloc Sources ['nxos-core1: ACL-EXAMPLE'] Unreachable_Line deny tcp addrgroup OBJ-GRP-SERVERS any eq 80 Unreachable_Line_Action DENY Blocking_Lines ['deny ip addrgroup OBJ-GRP-SERVERS any'] Different_Action False Reason BLOCKING_LINES Additional_Info None Name: 0, dtype: object
If you would like to learn more on how you can automate your firewall ACL rule sets with Batfish, such as validating ACL flow behaviour, check out our course below: