Tutorial



Installation


Windows
Just start the installation file downloaded from http://www.wallparse.com/SetupLatest.exe and follow the instructions. You may also download the zip-archive and extract it to any folder and run it from there.


Linux
1. Make sure the latest, complete version of Mono is installed. For example, on Debian-like systems:
$ sudo apt-get update
$ sudo apt-get install mono-complete

2. Download and extract the zip-archive version available from http://www.wallparse.com/wallparse.zip

3. Start the exe-file using mono.

$mono WallParse.exe



Getting Started


To analyze a firewall configuration you do the following:
1. Export firewall configuration from your Cisco ASA to a text file. For example if you want to copy it to an FTP server just issue the command:
copy running-config ftp://[user[:password]@]server[/path]/filename

See more details here: Cisco ASA and PIX backup and recovery

2. Start WallParse Firewall Audit Tool

3. Click File --> Open ... and select the text file containing the Cisco ASA configuration file.



Firewall ACL Review Checklist


When conducting manual firewall reviews, as with any security review, following a checklist is not a complete solution. However, it does provide a structured way of conducting the review. In the link below you can download a suggested checklist to use when conducting firewall ACL reviews.


Download Firewall ACL Review Checklist - [ PDF ] - [ Open Document Format ]

SQL or Interface Mode


With the WallParse Firewall Audit Tool you can work in either interface mode or SQL mode. In interface mode (the default) you simply select, in the rightmost treeview, the interfaces whose ACLs you want the ACL list to contain.


If you instead check the checkbox "Filter using SQL", you can use the SQL Query field to filter your ACLs. Clicking the "i"-button next to the SQL Query field shows some examples. You must use the internal SQL column names when issuing SQL queries. Columns that hold strings all start with the "str"-prefix, so that, for example, Destination (destination address) becomes strDestination.


Command Line Support

Sometimes it is useful to have a command line for scripting. Therefore the WallParseC tool has been added to support scripting, with output to standard out and file exports. The command line options are shown below.

-c                     Show console output
--lic                  Bring forth the license dialog
--suppress             Suppress messages
--out                  Actuate the current output. Specify the SQL query (--query) first.
--parse FILE           Parse the given config file
--append FILE          Parse an additional config file and merge it with the one given by --parse (see "Merge firewall configuration files" below)
--query SQLQUERY       Use the SQL query for searching ACLs
--delimiter DELIMITER  Use the delimiter for the CSV output
--outfile FILE         Use the given file for output. See --out
--export FILE          Export to the given file with the current SQL query
--fortigatecsv         The input file is a Fortigate CSV
--savedb FILE          SQLite database file
--printobjects IP      Print network segments that concern the IP. Does not care about interfaces. Specify --parse first
--getip IP/NETMASK     Calculate the start and end IP address for IP/NETMASK

Example 1 - Parse the Cisco ASA firewall configuration file in test1.txt and store the result in testfile1.txt in csv-format

WallParseC.exe -c --parse test1.txt --outfile testfile1.txt --out

Example 2 - Parse the Cisco ASA firewall configuration file in test1.txt and store the result in testfile2.txt in CSV format. Only ACL rows where the source IP contains "172.16." are exported.

WallParseC.exe -c  --parse test1.txt --query "select * from ACL where strSource like '%172.16.%'" --outfile testfile2.txt --out


List network objects concerning a specific IP-address

If you need to know which network objects affect a specific IP address, you can search for it using the command-line argument --printobjects.

WallParseC.exe -c  --parse test1.txt --printobjects 192.168.1.67


Compare with previous firewall configuration

WallParse Firewall Audit Tool can compare the audited firewall configuration with a previous version. Just click File-->Compare with previous config file... to open a previous configuration to use in the comparison.

Import files exported from Fortigate Firewall

WallParse supports importing CSV files exported from Fortigate firewalls. Files are imported by choosing "Import Fortigate config file..." in the File menu. Below, an example of a typical line from such a firewall is shown (all on one line).

"enable,""15"",""""""CommonHandDevices"""""",""""""inside"""""",""""""xHnet"""""",
""""""x_inside_host_xNeender56"""""",""""""always"""""",""""""tcp_grp_services"""""",
"""","""",""""""all"""""",""accept"",""""""default"""""","""","""","""","""","""","""","""","""",
"""","""",""all"",""disable"","""",""""""Change requested autumn 2014"""""",
""1aaaa-324-234-1234342""";

Network Object Definitions File
Since the Fortigate firewall export files do not contain any information about network objects, these must be loaded by other means. WallParse searches the folder in which the export file resides for a file of the form "filename" + ".spec". For example, if the filename of the export file is fortigateexport.csv, then the file fortigateexport.csv.spec is loaded and parsed for network objects and service definitions.

- Network objects are defined by # + Network object Name + : + Network address/Netmask
- Network objects may also be defined by Network object name + : IPAddress1 + , + IPAddress2 + , ... + , + IPAddressN
- Service objects may be defined by Service object name + : + Protocol name + : + Port number
- Service objects may also be defined by Service object name + : + Protocol name + : + First port number in range + - + Last number in port range

Example:

#xHnet:192.168.10.0/255.255.255.0
#x_inside_grp_adServers:192.168.11.3,192.168.11.2
DNS:tcp:53
tcp_grp_firstports:tcp:1-1024

Merge firewall configuration files


Let's say you have 2 separate firewalls and want to be able to search both firewalls in one search query. With WallParse Firewall Audit Tool you can merge all the firewall configurations into one searchable database. On the command line you do this as shown in the example below:
WallParseC.exe --parse f1.txt --append f2.txt  --query "select * from ACL where strSource like '%172.16.%'" --out

The example will search for firewall rules that have a source IP containing "172.16.". The search is done across both firewall configuration files, f1.txt and f2.txt.


Search for network objects matching a specific IP in several firewall configuration files


Let's say you have 3 firewalls with loads of network objects such as IP ranges and groups of other network objects. If you need to know which network objects a specific IP may belong to, it is easy to search for the matching network objects using the --printobjects command as shown below.
WallParseC.exe --parse firewall1.txt --append firewall2.txt --append firewall3.txt --printobjects 192.168.45.12

The output will be all the network objects that include the IP address 192.168.45.12.
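The following Python example is added here and is not part of WallParse or its tutorial. It illustrates two things from this page: the ".spec" network and service object definition format described under "Network Object Definitions File", and the kind of lookup --printobjects performs across several merged configuration files. The sample .spec contents and the firewall labels "fw1"/"fw2" are constructed for the example; get_ip_range mirrors what --getip reports, using Python's standard ipaddress module rather than WallParse's own code.

```python
import ipaddress

# Constructed .spec contents in the format described on this page
# (network objects start with '#', service objects do not).
SAMPLE_SPEC_FW1 = """\
#xHnet:192.168.10.0/255.255.255.0
#x_inside_grp_adServers:192.168.11.3,192.168.11.2
DNS:tcp:53
tcp_grp_firstports:tcp:1-1024
"""

# A second, constructed file standing in for another firewall's objects.
SAMPLE_SPEC_FW2 = """\
#dmz_net:10.10.0.0/255.255.0.0
https:tcp:443
"""


def parse_spec(text):
    """Parse a .spec text into (networks, services).

    networks: name -> list of ip_network objects (single hosts become /32)
    services: name -> (protocol, first_port, last_port)
    Blank lines are ignored; malformed lines raise ValueError so that a
    typo in an object definition is noticed rather than silently dropped.
    """
    networks, services = {}, {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            name, sep, value = line[1:].partition(":")
            if not sep or not value.strip():
                raise ValueError(f"line {lineno}: bad network object: {raw!r}")
            if "/" in value:
                # "address/netmask" form; strict=False tolerates host bits set
                nets = [ipaddress.ip_network(value.strip(), strict=False)]
            else:
                # comma-separated list of individual addresses
                nets = [ipaddress.ip_network(a.strip())
                        for a in value.split(",") if a.strip()]
            networks[name.strip()] = nets
        else:
            parts = [p.strip() for p in line.split(":")]
            if len(parts) != 3:
                raise ValueError(f"line {lineno}: bad service object: {raw!r}")
            name, proto, ports = parts
            first, _, last = ports.partition("-")
            services[name] = (proto, int(first), int(last or first))
    return networks, services


def get_ip_range(ip_netmask):
    """Start and end address of IP/NETMASK, as --getip reports them."""
    net = ipaddress.ip_network(ip_netmask, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def objects_containing(ip, spec_texts):
    """Return (firewall_label, object_name) pairs whose network object
    includes ip, searching every spec text given, in the spirit of
    --printobjects run over several --parse/--append files."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for label, text in spec_texts.items():
        networks, _ = parse_spec(text)
        for name, nets in networks.items():
            if any(addr in n for n in nets):
                hits.append((label, name))
    return hits


if __name__ == "__main__":
    specs = {"fw1": SAMPLE_SPEC_FW1, "fw2": SAMPLE_SPEC_FW2}
    print(get_ip_range("192.168.10.77/255.255.255.0"))
    print(objects_containing("192.168.11.2", specs))
    print(objects_containing("10.10.3.4", specs))
```

When reviewing ACLs, a lookup like this answers the question an auditor asks most often about a single host: which named objects (and therefore which rules) grant it access. Note that a hosts-list object such as x_inside_grp_adServers matches only the exact addresses listed, whereas a netmask object matches the whole range.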