Title of invention: FIREWALL POLICY MANAGEMENT
Abstract: Methods and systems are provided for creation and implementation of firewall policies. According to one embodiment, a firewall maintains a log of observed network traffic flows. An administrator may request the firewall to generate a customized report based on the logged network traffic by extracting information from the log based on specified report parameters. The report includes aggregated network traffic items and one or more corresponding action objects. Responsive to receipt of a directive to implement an appropriate firewall policy for one or more network traffic items based on interaction with one or more action objects by the administrator, the firewall then automatically defines and establishes an appropriate firewall policy.
Publication number: US2016344696(A1) Publication date: 2016.11.24
Application number: US201615224868 Filing date: 2016.08.01
Applicant: Fortinet, Inc. Inventor: Yin Jun
Classification: H04L29/06 Main classification: H04L29/06
Agency: Agent:
Principal claim: 1. A method comprising:
maintaining, by a firewall running on a network security device associated with a private network, a log of network traffic observed by the firewall by storing, for each network traffic flow, information regarding one or more of a volume of traffic, a source interface, a destination interface, a source Internet Protocol (IP) address, a destination IP address, an application name, an application type, port information, a start time, an end time and a username associated with the network traffic flow;
receiving, via a graphical user interface (GUI) associated with the firewall, a request from an administrator of the private network for a report to be generated based on the log, the request containing information indicative of report parameters including (i) a specified time frame, (ii) user information indicative of one or more users associated with the private network; and (iii) application information indicative of one or more particular applications or one or more types of applications associated with the logged network traffic;
extracting from the log, by the firewall, information regarding network traffic flows satisfying the report parameters;
presenting, by the firewall, via the GUI a customized and interactive hierarchical report to the administrator, wherein the customized and interactive hierarchical report includes (i) a plurality of aggregated network traffic items; and (ii) a plurality of action objects each corresponding to one of the plurality of aggregated network traffic items, wherein information associated with the plurality of aggregated network traffic items is determined by individually aggregating each of a plurality of traffic aggregation parameters for each observed value of a primary report parameter within the extracted information, wherein the plurality of traffic aggregation parameters, include one or more of traffic volume and percentage of traffic volume; and
responsive to interaction by the administrator with a particular action object of the plurality of action objects and selection by the administrator of an action to be taken on subsequently received network traffic matching the corresponding aggregated network traffic item of the plurality of aggregated network traffic items, automatically defining and establishing, by the firewall, an appropriate firewall policy including one or more rules identifying the matching network traffic and a corresponding action to be taken on the matching network traffic based on the selection.
Address: Sunnyvale CA US
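The steps the claim describes (extract flows by report parameters, aggregate volume and percentage per value of a primary parameter, then turn an administrator's selection on one row into a rule) can be sketched as follows. This is an added example, not code from the patent or from Fortinet; the record fields, the sample log, the function names and the action names `allow`/`deny`/`monitor` are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow-log sample: (username, application name, bytes, start time).
ROWS = [
    ("alice", "BitTorrent", 700, "2016-08-01T09:00"),
    ("alice", "HTTPS",      200, "2016-08-01T09:05"),
    ("bob",   "BitTorrent", 100, "2016-08-01T10:00"),
    ("bob",   "HTTPS",      500, "2016-08-02T10:00"),  # outside the time frame
    ("carol", "BitTorrent", 900, "2016-08-01T11:00"),  # user not in the request
]
LOG = [dict(zip(("user", "app", "bytes", "start"), r)) for r in ROWS]
ACTIONS = ("allow", "deny", "monitor")  # assumed action names, not from the patent

def extract(log, start, end, users=None, apps=None):
    """Return flows inside [start, end) that match the user and application filters."""
    out = []
    for flow in log:
        when = datetime.fromisoformat(flow["start"])
        if not (start <= when < end):
            continue
        if users and flow["user"] not in users:
            continue
        if apps and flow["app"] not in apps:
            continue
        out.append(flow)
    return out

def aggregate(flows, primary):
    """Sum volume per observed value of the primary report parameter."""
    totals = defaultdict(int)
    for flow in flows:
        totals[flow[primary]] += flow["bytes"]
    grand = sum(totals.values())
    rows = sorted(totals.items(), key=lambda kv: -kv[1])
    # Each row carries its own list of selectable actions (the "action objects").
    return [{"key": primary, "value": value, "bytes": volume,
             "percent": round(100 * volume / grand, 1) if grand else 0.0,
             "actions": list(ACTIONS)} for value, volume in rows]

def policy_from_action(item, action):
    """Build a rule from the administrator's selection on one report row."""
    if action not in item["actions"]:
        raise ValueError(f"unsupported action: {action}")
    # The rule matches future traffic on the same key/value the row aggregated.
    return {"match": {item["key"]: item["value"]}, "action": action}
```

Because the rule is derived from an aggregated row, it matches every future flow with that value, including users who were filtered out of the report, so the generated rule's scope is worth reviewing before it is applied.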