Firewall Audit Tool - WallParse
WallParse is a firewall audit tool for Cisco ASA firewalls. It parses Cisco ASA configuration files, and there is also experimental support for Fortigate firewall CSV export files. The intended use is to let firewall auditors audit a firewall without having login credentials for it: the configuration file is exported (for example using "show running-config") and then imported into WallParse.
WallParse Firewall Audit Tool can be of real help when conducting audits for PCI DSS 3.2 compliance and when maintaining a firewall ruleset according to best practice. You can read more on the SANS web page here: Methodology for Firewall Reviews for PCI Compliance. Instead of going through a firewall audit checklist manually, the WallParse Firewall Audit Tool can support firewall ruleset reviews.
WallParse is extremely simple to use, and its features include searching for firewall rules (ACLs) with specific characteristics. It also gives warnings for common configuration mistakes (such as any-any rules).
- Gives an overview of Network Objects in the firewall configuration.
- Can compare a configuration with a previous configuration marking what has been changed (really useful for firewall audits).
- Gives automatic warnings for common configuration mistakes.
- Exports to CSV or an SQLite database for processing in, for instance, Excel.
- Allows searching for specific ACL rules using SQL queries.
- Use the command line for executing SQL queries and exporting results.
Sometimes it is useful to have a command line for scripting. Therefore the WallParseC tool has been added to support scripting, with output to standard out and file exports. The command line options are shown below.
Command Line Options
-c - Show console output.
--lic - Bring up the license dialog.
--suppress - Suppress messages.
--out - Produce the current output (specify the SQL query first).
--parse file - Parse the given config file.
--query sql-query - Use sql-query for searching ACLs.
--delimiter delimiter - Use delimiter as the delimiter for the CSV output.
--outfile file - Use the given file for output. See --out.
--export file - Export to the given file using the current SQL query. See --query.
--fortigatecsv - The input file is a Fortigate CSV export.
--savedb file - Save the parsed result to the given SQLite database file.
--printobjects ip - Print the network segments that concern ip (interfaces are ignored). Specify --parse first.
--getip ip/netmask - Print the start and end IP address for ip/netmask.
--exportwarnings - When exporting to text, also export the warning texts.
Example 1 - Parse the Cisco ASA firewall configuration file in test1.txt and store the result in testfile1.txt in csv-format
WallParseC.exe -c --parse test1.txt --outfile testfile1.txt --out
Example 2 - Parse the Cisco ASA firewall configuration file in test1.txt and store the result in testfile2.txt in CSV format. Only ACL rows where the source IP contains "172.16." are exported.
WallParseC.exe -c --parse test1.txt --query "select * from ACL where strSource like '%172.16.%'" --outfile testfile2.txt --out
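To make the parse-then-query workflow of the two examples concrete, here is an added Python sketch written for this page, not WallParse's own code: it parses Cisco ASA access-list lines from a constructed sample configuration, loads them into an in-memory SQLite table named ACL so that the strSource query from Example 2 can be run against it, and flags permit rules from any to any, the mistake the tool warns about. The ACL table and strSource column names come from Example 2; the other column names, the sample configuration and the handling of ASA address and port syntax are assumptions.

```python
import re
import sqlite3
# Constructed sample (not from a real device): "show running-config" ACL lines.
SAMPLE_CONFIG = """\
access-list OUTSIDE_IN extended permit tcp any host 172.16.1.10 eq 443
access-list OUTSIDE_IN extended permit ip any any
access-list INSIDE_OUT extended deny udp 172.16.0.0 255.255.0.0 any eq 53
access-list INSIDE_OUT extended permit ip object-group LAN any4
"""
PORT_OPS = {"eq": 2, "neq": 2, "lt": 2, "gt": 2, "range": 3}  # operator -> token count

def _take_endpoint(tokens):
    """Consume one ASA address spec plus an optional port spec; return (addr, port, rest)."""
    kw = tokens[0]
    if kw in ("any", "any4", "any6"):
        addr, tokens = "any", tokens[1:]
    else:  # "host A", "object NAME", "object-group NAME" or "address netmask"
        addr, tokens = (tokens[1] if kw == "host" else f"{kw} {tokens[1]}"), tokens[2:]
    port = ""
    if tokens and tokens[0] in PORT_OPS:  # e.g. "eq 443" or "range 1024 65535"
        n = PORT_OPS[tokens[0]]
        port, tokens = " ".join(tokens[:n]), tokens[n:]
    return addr, port, tokens

def parse_acl(config_text):
    """Turn 'access-list NAME extended ...' lines into rows for an ACL table (assumed layout)."""
    rows = []
    for line in config_text.splitlines():
        m = re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.+)", line)
        if m:
            name, action, proto, rest = m.groups()
            src, _, rest = _take_endpoint(rest.split())
            dst, port, _ = _take_endpoint(rest)
            rows.append(dict(strACLName=name, strAction=action, strProtocol=proto,
                             strSource=src, strDestination=dst, strPort=port))
    return rows

def load_db(rows):
    """Load rows into an in-memory SQLite table named ACL (only strSource is a page name)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table ACL (strACLName, strAction, strProtocol, strSource, strDestination, strPort)")
    db.executemany("insert into ACL values (:strACLName, :strAction, :strProtocol, "
                   ":strSource, :strDestination, :strPort)", rows)
    return db

def any_any_rules(db):
    """The common mistake the page warns about: permit rules from any to any."""
    return db.execute("select strACLName, strProtocol from ACL where strAction='permit' "
                      "and strSource='any' and strDestination='any'").fetchall()
```

Running the Example 2 query against this sample returns only the INSIDE_OUT deny rule, since "172.16." appears in its source and not in the source of the rule that merely targets host 172.16.1.10.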
WallParse may be run under Mono on Linux. Only 32-bit Debian and 64-bit Linux Mint have been tested. It requires the latest version of Mono to execute, so please test it on your specific Linux system to determine whether it runs properly.
Support for Cisco devices other than ASA firewalls
There is limited support for parsing configurations from devices other than Cisco ASA firewalls. For instance, WallParse Firewall Audit Tool will try to parse ACLs in router configurations. However, whether your specific product is supported can only be determined by testing it with that product.
No network connections are ever done by WallParse.
- The application should be executed offline since it is handling sensitive firewall configuration.
No automatic updates are attempted (see the previous point).
- Automatic updates require internet which we do not want near the firewall configurations.
No application-settings are stored in the Windows registry
- If you remove Wallparse executables, then everything is removed. License files are stored in the AppData folder.
- If the installer is used, then only the uninstall registry keys are written.
- We do not want to fill up the Windows registry (other applications may, but we do not)
No email or other private data is stored when downloading or buying the product.
- We never send you any emails (apart from license keys if the software is purchased, of course).
- If a license key email is sent to you, your email address is removed directly afterwards.
- If you purchase via PayPal, then PayPal stores your email address.
No auto start registry keys or files are used.
- WallParse never uses auto-start features. The application should never be confused with malware behaviour.
No extra executables and dll files in system folders.
- WallParse does not add executable files to system folders and does not install DLL files anywhere on disk other than in its own program folder.
- WallParse strives to have few dependencies on third-party code. Currently the SQLite DLL is used, but removing that dependency is a TODO item.