Kerry,

one thing you could consider is an "offline audit" using something
like the AlgoSec Firewall Analyzer (www.algosec.com) . it works off
the policy files so it doesn't require any loggiing - although if logs are
turned on then that info is used as well. You can do a _lot_ of cleanup,
and also a lot of security tightening, based on static analysis that doesn't
rely on usage data.

also - I'm not sure what firewall brand you have, but if it's a Cisco then
you can get all the usage information, at least since the last reboot,
from the output of "show access-list" from the "hitcnt" field - and this
works even if logging is completely off.

as to your idea of putting logging on the backup: I don't see how that will help
much. you'll only get logs from the few packets that the backup sees, no?
so unless you force a failover you won't see much logs, and if you do force
the failover I assume the backup CPU will spike to at least 80% too...

HTH,
Avishai

Disclaimer: I created what is now the AlgoSec Firewall Analyzer, starting from
work in Bell Labs in the late 1990's, so I am biased...


On 3/26/08, Kerry Milestone wrote:
> Hello,
>
> I am looking at doing an audit of the policies installed on a HA
> passive/active firewall setup with NSRP. The primary is running at
> about 80% CPU or so, the backup is about 5%. As such, I am a bit
> hesitant (to say the least) about putting policy logging on as it may
> kill the firewall.
>
> Is it possible somehow to have logging on just the redundant firewall?
> My other, perhaps long way of doing this is to convert the current
> policies and, say, parse into snort rules and observe through a port tap
> - the number of 'positive' hits on the IDS.
>
> Does anyone have any other suggestions as to how to achieve what I want
> to do?
>
> Many thanks,
> Kerry Milestone
>
>
> --
> Kerry Milestone
>
> Senior Systems Engineer - Network Project Team
> The Wellcome Trust Sanger Institute
> Wellcome Trust Genome Campus Email: km4@sanger.ac.uk
> Hinxton, Cambridge CB10 1SD Phone: (+44) 1223 492320
> United Kingdom
>
>
>
>
> --
> The Wellcome Trust Sanger Institute is operated by Genome Research
> Limited, a charity registered in England with number 1021457 and a
> company registered in England with number 2742969, whose registered
> office is 215 Euston Road, London, NW1 2BE.
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailma...rewall-wizards
>



--
Avishai Wool, Ph.D., Co-founder and Chief Technical Officer
http://www.algosec.com
******* Firewall Management Made Smarter ******
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards