Firewall Audit Tool - WallParse | Firewall Review, Analysis and Normalization of Configuration Files
Home

Firewall Audit Tool - WallParse


Firewall Review, Analysis and Normalization of Configuration Files
Latest update: 2017-07-10 (sorry for the mess regarding the web site but sadly ... drupal must go away for security reasons... only static content from now on)



Download Installer - [https://www.wallparse.com/SetupLatest.exe]

Download 7Zip archive - [https://www.wallparse.com/wallparse.7z]


Current Price: 89usd please send an email to for payment link.


WallParse Firewall Audit Tool is a firewall audit tool for Cisco ASA firewalls. It parses configuration files from Cisco ASA and there is also experimental support for Fortigate firewall CSV export files. The intended use is to allow firewall auditors to audit firewalls without having login credentials for the firewall. The configuration file is exported (for example using "show running-config") and is imported into WallParse.

WallParse Firewall Audit Tool may be of really good help when conducting audits for PCI DSS 3.2 compliance, maintaining firewall ruleset according to best practice. You can read more on SANS web page here: Methodology for Firewall Reviews for PCI Compliance. Instead of going through a firewall audit checklist manually the WallParse Firewall Audit Tool may be of great help when conducting firewall ruleset reviews.

WallParse is extremely simple to uses and its features include searching for firewall rules (ACL) with specific characteristics. It also gives warnings for common configuration mistakes (such as any-any-rules).



Main Features:
- Gives an overview of Network Objects in the firewall configuration.

- Can compare a configuration with a previous configuration marking what has been changed (really useful for firewall audits).

- Gives automatic warnings for common configuration mistakes.

- Exports to CSV or SQL-lite database for processing in for instance Excel

- Allows for searching for specific ACL rules using SQL Queries

- Use the command line for executing SQL-queries and export results.


screenshots




Firewall Audit using SQL Queries

Sometimes it is great to have a command line for scripting. Therefore the WallParseC tool has been added so as to support scripting with output to standard out and file exports. Below the command line options are shown.

Command Line Options



--------------------------------------------------------------------

-c Show Console output
--lic Bring forth the license dialog
--suppress Suppress messages
--out Actuate the current output (specify SQL query first)
--parse file - Parse the given config file
--query sql-query - Use the sql-query for searching ACLs
--delimiter delimiter - Use the delimiter for the CSV-output
--outfile file - Use the given file for output. See --out
--export file - Export to the given file with the current sql-query. See --query
--fortigatecsv - The input file is a fortigate CSV.
--savedb file - SQL-lite database file
--printobjects ip - Print network segments that concerns ip. (does not care about interfaces). Specify --parse first
--getip ip/netmask - Print start and end ip-address for ip/netmask
--exportwarnings - When exporting to text; also export warning-texts




Examples:

--------------------------------------------------------------------

Example 1 - Parse the Cisco ASA firewall configuration file in test1.txt and store the result in testfile1.txt in csv-format

WallParseC.exe -c --parse test1.txt --outfile testfile1.txt --out


Example 2 - Parse the Cisco ASA firewall configuration file in test1.txt and store the result in testfile2.txt in csv-format. Only ACL rows where the source IP contains "172.16." is exported.

WallParseC.exe -c --parse test1.txt --query "select * from ACL where strSource like '%172.16.%'" --out


Linux-support
WallParse may be run under mono on Linux. Only 32-bit Debian and 64 bit Linux Mint has been tested. It will require the latest version of mono to execute so please test it on your specific Linux system to determine if it executes properly.



Support for other Cisco devices not being ASA Firewalls
There are limited support to parse non Cisco ASA firewalls. For instance, WallParse Firewall Audit Tool will try to parse ACLs in router configuration. However to know if your specific product is supported you need to test it for your specific product.

[Philosophy]

No network connections are ever done by WallParse.
- The application should be executed offline since it is handling sensitive firewall configuration.

No automatic updates are attempted (see previous)
- Automatic updates require internet which we do not want near the firewall configurations.

No application-settings are stored in the Windows registry
- If you remove Wallparse executables, then everything is removed. License files are stored in the AppData folder.
- If the installer is used, then only the uninstall-registry-keys are written to.
- We do not want to fill up the Windows registry (other applications may, but we do not)

No email or other private data is stored when downloading or buying the product.
- We never send you any emails (apart from license keys if the software is purchased of course).
- If license key email is sent to you then your email-address is removed directly afterwards.
- If purchased using PayPal, then PayPal stores email address.

No auto start registry keys or files are used.
-Auto start features is never done by WallParse. The application should never be confused with malware behavior.

No extra executables and dll files in system folders.
-WallParse does not add executable files in system folders and does not install DLL files anywhere else on disk other than its own program folder.

Few Dependencies
-WallParse strives for having few dependencies on third party code. Now SQLLite DLL is used but this is a TODO-point so as to avoid that dependency.

Support?
- Well the support is quite limited. Feature requests are happily received. We have no support-department but help out when we can


Installation

Windows

Just start the installation file downloaded from http://www.wallparse.com/SetupLatest.exe and follow the instructions. You may also download the zip-archive and extract it to any folder and run it from there.
Linux 1, Make sure the latest and complete version of mono is installed. For example on debian-like systems:
$sudo apt-get update
$sudo apt-get install mono-complete
2. Download and extract the zip-archive version available from http://www.wallparse.com/wallparse.zip
3. Start the exe-file using mono.

$mono WallParse.exe



Getting Started

To analyze a firewall configuration you do the following:
1. Export firewall configuration from your Cisco ASA to a text file. For example if you want to copy it to an FTP server just issue the command:
copy running-config ftp://[user[:password]@]server[/path]/filename
See more details here: Cisco ASA and PIX backup and recovery

2. Start WallParse Firewall Audit Tool

3. Click File --> Open ... and select the text file containing the Cisco ASA configuration file.




Firewall ACL Review Checklist

When conducting manual firewall reviews, such as any with any security reviews, following a checklist is not a complete solution. However it does provide for a structured way of conducting the review. In the link below you can download a suggestion for checklist to use when conducting firewall ACL reviews.


SQL or Interface Mode
With the WallParse Firewall Audit Tool you can work in either interface mode or SQL mode. In interface mode (which is the default mode) you just select the interfaces in the rightmost treeview which of the interfaces you want the ACL list to contain.


If you instead check the checkbox "Filter using SQL" then you can use the SQL Query field to filter your ACLs. If you click the "i"-button next to the SQL Query field you can see some examples. You must use the internal SQL column names for issuing SQL queries. The column names that are strings all starts with the "str"-prefix such as Destination (destination address) becomes strDestination.


Command Line Support
Sometimes it is great to have a command line for scripting. Therefore the WallParseC tool has been added so as to support scripting with output to standard out and file exports. Below the command line options are shown.

-c Show Console output
--lic Bring forth the license dialog
--suppress Suppress messages
--out Actuate the current output. Specify SQL query (--query) first)
--parse FILEParse the given config file
--query SQLQUERY Use the sql-query for searching ACLs
--delimiter DELIMITER Use the delimiter for the CSV-output
--outfile FILE Use the given file for output. See --out
--export FILE Export to the given file with the current sql-query.
--fortigatecsv The input file is a fortigate CSV.
--savedb FILE SQL-lite database file
--printobjects IP Print network segments that concerns ip. Does not care about interfaces. Specify --parse first
--getip IP/NETMASK Calculate start and end ip-address for ip/netmask

Example 1 - Parse the Cisco ASA firewall configuration file in test1.txt and store the result in testfile1.txt in csv-format

WallParseC.exe -c --parse test1.txt --outfile testfile1.txt --out
Example 2 - Parse the Cisco ASA firewall configuration file in test1.txt and store the result in testfile2.txt in csv-format. Only ACL rows where the source IP contains "172.16." is exported.

WallParseC.exe -c --parse test1.txt --query "select * from ACL where strSource like '%172.16.%'" --out


List network objects concerning a specific IP-address
If you need to know which network objects that affects a specific IP-address then you can search for it using the command-line argument --printobjects .

WallParseC.exe -c --parse test1.txt --printobjects 192.168.1.67


Compare with previous firewall configuration
WallParse Firewall Audit Tool can compare the audited firewall configuration with a previous version. Just click File-->Compare with previous config file... to open a previous configuration to use in the comparison.


Import files exported from Fortigate Firewall
WallParse supports importing CSV-files exported from Fortigate firewalls. Files are imported by chosing "Import Fortigate config file..." in the File-menu. Below an example of a typical line from such a firewall is shown (all in one line).

"enable,""15"",""""""CommonHandDevices"""""",""""""inside"""""",""""""xHnet"""""",
""""""x_inside_host_xNeender56"""""",""""""always"""""",""""""tcp_grp_services"""""",
"""","""",""""""all"""""",""accept"",""""""default"""""","""","""","""","""","""","""","""","""",
"""","""",""all"",""disable"","""",""""""Change requested autumn 2014"""""",
""1aaaa-324-234-1234342""";


Network Object Definitions File
Since the Fortigate firewall export files does not contain any information regarding network objects; these must be loaded by other means. WallParse searches the same folder as the export file resides in after a file on the form: "filename" + ".spec". Example; if the filename of the export file is fortigateexport.csv then the file fortigateexport.csv.spec is loaded and parsed for network objects and service definitions.


- Network objects are defined by # + Network object Name + : + Network address/Netmask
- Network objects may also be defined by Network object name + : IPAddress1 + , + IPAddress2 + , ... + , + IPAddressN
- Service objects may be defined by Service object name + : + Protocol name + : + Port number
- Service objects may also be defined by Service object name + : + Protocol name + : + First port number in range + - + Last number in port range

Example:

#xHnet:192.168.10.0/255.255.255.0
#x_inside_grp_adServers:192.168.11.3,192.168.11.2
DNS:tcp:53
tcp_grp_firstports:tcp:1-1024


Merge firewall configuration files

Lets say you have 2 separate firewalls and want to be able to search the firewalls in one search query. Then with WallParse Firewall Audit Tool you can merge all the 7 firewall configurations into one searchable database. On the command line you do this as shown in the example below:

WallParceC.exe --parse f1.txt --append f2.txt  --query "select * from ACL where strSource like '%172.16.%'" --out
The example will search for firewall rules that have a source IP containing "172.16.". The search will be done using the three firewall configuration files in f1.txt and f2.txt.



Search for network objects matching a specific IP in several firewall configuration files

Lets say you have 3 firewalls with loads of network objects such as IP-ranges and groups of other network objects. If you need to know which network objects that a specific IP may belong to then it is easy to search for the matching network objects using the --printobjects command as show below.

WallParceC.exe --parse firewall1.txt --append firewall2.txt --append firewall3.txt --printobjects 192.168.45.12


The output will be all the network objects that embraces the ip address 192.168.45.12.