In my previous life as a firewall admin, I found there were two keys to maintaining a healthy firewall ACL. First, ensure it passes the necessary traffic! Second, ensure the ACL is not cluttered with unnecessary entries. Keeping our ACLs clutter-free let us see the wood for the trees when troubleshooting, and reduced the overhead on the firewall.

In today's post, I will show you how to perform the latter and reduce ACL clutter with Batfish.

For those new to Batfish, the TL;DR:

Batfish is an open-source, multi-vendor network analysis tool that lets you model and query your network in some very clever ways!

Batfish provides various questions that you can ask your modelled network. One of these is filterLineReachability(). This question,

returns any entries within a filter that will never be matched due to an encompassing rule further up the filter.

Below is an example showing a shadowed line (reported as Unreachable_Line) that will never be matched, along with the rule that shadows it (reported in Blocking_Lines):

>>> answer = bfq.filterLineReachability().answer().frame()
>>> answer.iloc[0]
Sources                    ['nxos-core1: ACL-EXAMPLE']                 
Unreachable_Line           deny tcp addrgroup OBJ-GRP-SERVERS any eq 80
Unreachable_Line_Action    DENY                                        
Blocking_Lines             ['deny ip addrgroup OBJ-GRP-SERVERS any']               
Different_Action           False                                       
Reason                     BLOCKING_LINES                              
Additional_Info            None                                        
Name: 0, dtype: object
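To make the idea behind that answer concrete, here is an added example (not Batfish's own code, and a deliberate simplification of its analysis) that finds shadowed entries in a small, constructed NX-OS style ACL. It handles only single-line shadowing (Batfish can also report a set of lines that collectively block a later one), IPv4 prefixes, the ip/tcp/udp/icmp keywords and a plain `eq` port, and the contents of OBJ-GRP-SERVERS are assumed. It reports the same columns the Batfish answer above shows, and flags Different_Action, which is the case worth looking at first: a shadowed entry with the same action is just clutter, but a shadowed entry with a different action means the policy the author intended was never applied.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed object-group table: stands in for the NX-OS "object-group ip address"
# definitions Batfish would read from the real config (hypothetical values).
OBJECT_GROUPS: Dict[str, List[str]] = {
    "OBJ-GRP-SERVERS": ["10.0.1.0/24", "10.0.2.0/24"],
}

# Service names accepted after "eq" (small subset; numeric ports also accepted)
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53}

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp", "icmp"
    src: Tuple[Net, ...]        # prefixes the source may fall in
    dst: Tuple[Net, ...]        # prefixes the destination may fall in
    dport: Optional[int]        # None means any destination port
    text: str                   # original line, kept for reporting


def _parse_addr(tokens: List[str]) -> Tuple[Net, ...]:
    """Consume one address spec: any | addrgroup NAME | host A.B.C.D | A.B.C.D/len."""
    tok = tokens.pop(0)
    if tok == "any":
        return (ipaddress.ip_network("0.0.0.0/0"),)
    if tok == "addrgroup":
        return tuple(ipaddress.ip_network(p) for p in OBJECT_GROUPS[tokens.pop(0)])
    if tok == "host":
        return (ipaddress.ip_network(tokens.pop(0) + "/32"),)
    return (ipaddress.ip_network(tok),)


def parse_entry(line: str) -> AclEntry:
    """Parse a simplified ACE of the form: <action> <proto> <src> <dst> [eq <port>]."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src = _parse_addr(rest)
    dst = _parse_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = int(rest[1]) if rest[1].isdigit() else PORT_NAMES[rest[1]]
    return AclEntry(action, proto, src, dst, dport, line)


def _addr_covered(inner: Tuple[Net, ...], outer: Tuple[Net, ...]) -> bool:
    """Every prefix of `inner` lies inside some prefix of `outer`."""
    return all(any(i.subnet_of(o) for o in outer) for i in inner)


def covers(earlier: AclEntry, later: AclEntry) -> bool:
    """True when every packet `later` could match is already matched by `earlier`."""
    proto_ok = earlier.proto == "ip" or earlier.proto == later.proto
    port_ok = earlier.dport is None or earlier.dport == later.dport
    return (proto_ok and port_ok
            and _addr_covered(later.src, earlier.src)
            and _addr_covered(later.dst, earlier.dst))


def find_unreachable(acl: List[str]) -> List[dict]:
    """Report each ACE fully shadowed by an earlier ACE, using Batfish-style columns."""
    entries = [parse_entry(line) for line in acl]
    findings = []
    for i, entry in enumerate(entries):
        blockers = [e for e in entries[:i] if covers(e, entry)]
        if blockers:
            findings.append({
                "Unreachable_Line": entry.text,
                "Unreachable_Line_Action": entry.action.upper(),
                "Blocking_Lines": [b.text for b in blockers],
                # Different action: the shadowed ACE's intent is silently lost,
                # not merely redundant, so it deserves the first look.
                "Different_Action": any(b.action != entry.action for b in blockers),
                "Reason": "BLOCKING_LINES",
            })
    return findings


# Constructed ACL (hypothetical): the third line repeats the page's shadowed entry,
# the fourth is a permit that the earlier deny swallows.
ACL_EXAMPLE = [
    "permit tcp any host 10.0.1.10 eq 443",
    "deny ip addrgroup OBJ-GRP-SERVERS any",
    "deny tcp addrgroup OBJ-GRP-SERVERS any eq 80",
    "permit udp 10.0.1.0/24 any eq domain",
    "permit ip any any",
]

if __name__ == "__main__":
    for finding in find_unreachable(ACL_EXAMPLE):
        for key, value in finding.items():
            print(f"{key:<24}{value}")
        print()
```

Running it reports two findings: the `deny tcp ... eq 80` line from the page (same action, pure clutter) and the `permit udp ... eq domain` line, which is blocked by the broader deny with Different_Action True. Note that the first line is not reported as blocking the second even though it is tcp-only and dport-specific: `covers()` requires the earlier entry to match a superset of protocols, addresses and ports, not just overlap them.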

If you would like to learn more on how you can automate your firewall ACL rule sets with Batfish, such as validating ACL flow behaviour, check out our course below:

Network Analysis with Batfish
About This Course: Learn how to perform network analysis with Batfish. Batfish is an open-source network analysis tool taking the network automation world by storm! With Batfish, not only can you perform configuration analysis across multi-vendor environments, but you can also perform analysis that …