Firewall Audit Tool - WallParse

WallParse is a firewall audit tool for Cisco ASA firewalls. It parses configuration files from Cisco ASA and there is also experimental support for Fortigate firewall CSV export files. The intended use is to allow firewall auditors to audit firewalls without having login credentials for the firewall. The configuration file is exported (for example using "show running-config") and is imported into WallParse.

WallParse Firewall Audit Tool may be of really good help when conducting audits for PCI DSS 3.2 compliance, maintaining firewall ruleset according to best practice. You can read more on SANS web page here: Methodology for Firewall Reviews for PCI Compliance. Instead of going through a firewall audit checklist manually the WallParse Firewall Audit Tool may be of great help when conducting firewall ruleset reviews.

WallParse is extremely simple to uses and its features include searching for firewall rules (ACL) with specific characteristics. It also gives warnings for common configuration mistakes (such as any-any-rules).



Main Features:
- Gives an overview of Network Objects in the firewall configuration.

- Can compare a configuration with a previous configuration marking what has been changed (really useful for firewall audits).

- Gives automatic warnings for common configuration mistakes.

- Exports to CSV or SQL-lite database for processing in for instance Excel

- Allows for searching for specific ACL rules using SQL Queries

- Use the command line for executing SQL-queries and export results.



Firewall Audit using SQL Queries

Sometimes it is great to have a command line for scripting. Therefore the WallParseC tool has been added so as to support scripting with output to standard out and file exports. Below the command line options are shown.

Command Line Options

--------------------------------------------------------------------

-c Show Console output
--lic Bring forth the license dialog
--suppress Suppress messages
--out Actuate the current output (specify SQL query first)
--parse file - Parse the given config file
--query sql-query - Use the sql-query for searching ACLs
--delimiter delimiter - Use the delimiter for the CSV-output
--outfile file - Use the given file for output. See --out
--export file - Export to the given file with the current sql-query. See --query
--fortigatecsv - The input file is a fortigate CSV.
--savedb file - SQL-lite database file
--printobjects ip - Print network segments that concerns ip. (does not care about interfaces). Specify --parse first
--getip ip/netmask - Print start and end ip-address for ip/netmask
--exportwarnings - When exporting to text; also export warning-texts




Examples:

--------------------------------------------------------------------

Example 1 - Parse the Cisco ASA firewall configuration file in test1.txt and store the result in testfile1.txt in csv-format

WallParseC.exe -c --parse test1.txt --outfile testfile1.txt --out



Example 2 - Parse the Cisco ASA firewall configuration file in test1.txt and store the result in testfile2.txt in csv-format. Only ACL rows where the source IP contains "172.16." is exported.

WallParseC.exe -c  --parse test1.txt --query "select * from ACL where strSource like '%172.16.%'" --out



Linux-support
WallParse may be run under mono on Linux. Only 32-bit Debian and 64 bit Linux Mint has been tested. It will require the latest version of mono to execute so please test it on your specific Linux system to determine if it executes properly.



Support for other Cisco devices not being ASA Firewalls
There are limited support to parse non Cisco ASA firewalls. For instance, WallParse Firewall Audit Tool will try to parse ACLs in router configuration. However to know if your specific product is supported you need to test it for your specific product.