360 Analytics

360-FAAR (360° Firewall Analysis Audit and Repair)

360-FAAR is an open source firewall policy analysis and manipulation tool capable of automating many large operations tasks. 360-FAAR can be downloaded and used for free under the terms of the GPLv3 license; it is also available as a commercial product called 360-FAAR Enhanced.

360-FAAR has many uses, including:

* Policy Cleanup,
* Rule Translation,
* Log Analysis,
* Object Analysis.



About 360-FAAR

360-FAAR is an offline, command-line Perl firewall policy manipulation tool. It filters policies, compares them to logs, merges policies, translates connectivity rules (ACLs and policy entries) and outputs firewall commands for new policies in Checkpoint dbedit, Cisco ASA or ScreenOS syntax, and it's one file!



360-FAAR Enhanced

This version is suitable for large enterprise networks and firewalls. The 'Enhanced' version is capable of far greater security and maintains the existing rulebase / firewall policy structure. The open source version will meet most small to medium sized companies' needs.



SuperFAAR

SuperFAAR v1.0.0 offers enhanced algorithm capabilities and a MongoDB back end.

SuperFAAR can be run standalone or with the support of a MongoDB database.

If database connectivity is requested, SuperFAAR can be run in batch mode, which clears its local memory after each config is loaded into the database and exits after all configs have been processed and inserted.

Client mode lets multiple SuperFAAR clients connect to a single MongoDB, into which hundreds of configurations and log files can be loaded and made available to all clients for processing.

All SuperFAAR modes manage memory usage efficiently while connected to the MongoDB and only load the required configurations, and each log file, as it is being used. As a result many very large logs and configs can be processed in each of the modes.

Read the SuperFAAR Release Notes Here



Hardware Requirements

360-FAAR requires no extra hardware on your network; it can be run from any server with a standard installation of Perl.

360-FAAR Requires:

* A minimum of 50MB of memory; at least 2GB is recommended for small to medium sized firewall analysis jobs.
* A standard installation of Perl 5.8 or higher with Text::Shellwords and IO::Handle modules available.
* Terminal Access. Running in a 'screen' session is recommended.
* Windows / Linux / FreeBSD / Solaris / OSX.

360-FAAR Enhanced Requires:

* The above list.
* Perl Modules: File::Find::Rule for reading whole directories of log files.

SuperFAAR Requires:

* The above lists.
* An installation of MongoDB. Local or remote databases are supported, but a local database is recommended for security.
* Perl Modules: MongoDB / MongoDB::GridFS / MongoDB::GridFS::File / MongoDB::Database / MongoDB::OID
* Perl Modules: Digest::MD5 / JSON / JSON::Parse / FileHandle for log file reading and writing datastructures to GridFS.

360-FAAR reads the firewall configs and log files OFFLINE and requires no connectivity to the firewall infrastructure it is analysing. There is no installation or uninstallation procedure: 360-FAAR is a single-file Perl script.

360-FAAR and 360-FAARen write the suggested new firewall policies in text to the command line so that they can be copied and pasted to the firewalls that require new policies.

SuperFAAR writes the suggested new firewall policies to file, for easier editing and uploading to the firewalls that require new policies, or for reprocessing: policy and configuration consistency checking with SuperFAAR, and cross-comparison with existing configurations from the datastore.



Input Formats

Existing Firewall Policy Rulebase configurations can be loaded in the following formats:

Supported CMD Languages:

* Checkpoint Firewall-1: 'odumper/ofiller' CSV text file. Logexported text logs. FWDoc format NATs CSV.
* Cisco ASA Firewall: 'show run' format text file. Syslog format text logs.
* Netscreen ScreenOS6: 'get config' format text file. Syslog format text logs.

When reading odumper format commands 360-FAAR also requires an FWDoc CSV format NAT translation file to load Firewall-1 NATs.



Output Formats

New firewall policy rulebases are generated automatically by comparing all connectivity found in the log files to the current firewall configurations loaded. The new firewall policies are output in each firewall's native command language:

Supported CMD Languages:

* Checkpoint Firewall-1: dbedit and odumper/ofiller CSV files.
* Cisco ASA Firewall: 'show run' access-list and object CMDs to STDOUT.
* Netscreen ScreenOS6: 'get config' policy and object CMDs to STDOUT.

When outputting dbedit commands, 360-FAAR also writes an odumper/ofiller format CSV that can be used as a template for translation to many firewalls; this CSV can be read back in buildobj mode.



Data Driven Analysis

360-FAAR uses a 100% data-driven model, and all internal processing is done using binary CIDR IP address matching. There is no subjectivity within the analysis or the solution!
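As an added illustration of the binary CIDR matching described here, and of the comparison of log connectivity to a loaded policy described under Output Formats, the following Python script is example code written for this page; it is not part of 360-FAAR or its Perl source. It loads a small constructed rulebase, parses constructed syslog-style connection lines, matches each flow against the rules using integer bitmask comparisons (first match wins, as on a firewall), and reports hit counts per rule, rules with no hits (policy cleanup candidates) and flows that no rule permits (candidates for new rules). The rule names, the log line layout and every address in it are constructed for the example.

```python
# Added example, not 360-FAAR code: binary CIDR matching of logged flows
# against a constructed rulebase, in the spirit of the page's data-driven
# comparison of log connectivity to a loaded firewall policy.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = Tuple[int, int]  # (network, mask) as 32-bit integers


def ip_to_int(ip: str) -> int:
    """Pack a dotted-quad IPv4 address into a 32-bit integer."""
    a, b, c, d = (int(octet) for octet in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def cidr_to_net(cidr: str) -> Net:
    """Turn '10.1.0.0/16' (or 'any', or a bare host address) into (network, mask)."""
    if cidr == "any":
        return 0, 0
    ip, _, bits = cidr.partition("/")
    prefix = int(bits) if bits else 32
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ip_to_int(ip) & mask, mask


def in_net(ip: int, net: Net) -> bool:
    """Binary CIDR test: the address masked by the prefix equals the network."""
    network, mask = net
    return (ip & mask) == network


@dataclass
class Rule:
    name: str
    src: Net
    dst: Net
    proto: str
    port: Optional[int]  # None means any destination port


def make_rule(name: str, src: str, dst: str, proto: str, port: Optional[int] = None) -> Rule:
    return Rule(name, cidr_to_net(src), cidr_to_net(dst), proto, port)


# Constructed log line layout: "<timestamp> <host> <ACTION> <proto> src:sport -> dst:dport"
LOG_RE = re.compile(r"(?P<proto>tcp|udp) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")

Flow = Tuple[str, str, str, int]  # (proto, src, dst, dport)


def parse_log(lines: List[str]) -> List[Flow]:
    """Extract (proto, src, dst, dport) from each line; lines that do not parse are skipped."""
    flows = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            flows.append((m["proto"], m["src"], m["dst"], int(m["dport"])))
    return flows


def match_flow(rules: List[Rule], flow: Flow) -> Optional[Rule]:
    """First-match evaluation, as a firewall rulebase would do it."""
    proto, src, dst, dport = flow
    s, d = ip_to_int(src), ip_to_int(dst)
    for r in rules:
        if (r.proto == proto and (r.port is None or r.port == dport)
                and in_net(s, r.src) and in_net(d, r.dst)):
            return r
    return None


def analyse(rules: List[Rule], log_lines: List[str]):
    """Return (hits per rule, rules never hit, flows no rule permits)."""
    hits = {r.name: 0 for r in rules}
    unmatched = []
    for flow in parse_log(log_lines):
        r = match_flow(rules, flow)
        if r is None:
            unmatched.append(flow)
        else:
            hits[r.name] += 1
    unused = [name for name, count in hits.items() if count == 0]
    return hits, unused, unmatched


# Constructed rulebase and log sample (not taken from any real firewall).
RULES = [
    make_rule("web-to-db", "10.1.0.0/16", "10.2.0.5", "tcp", 3306),
    make_rule("legacy-ftp", "10.1.0.0/16", "10.2.0.0/24", "tcp", 21),
    make_rule("dns-out", "10.0.0.0/8", "any", "udp", 53),
]
LOG = [
    "Jan  1 00:00:01 fw1 ALLOW tcp 10.1.5.20:40001 -> 10.2.0.5:3306",
    "Jan  1 00:00:02 fw1 ALLOW udp 10.1.5.20:53412 -> 198.51.100.53:53",
    "Jan  1 00:00:03 fw1 ALLOW tcp 10.1.5.21:40002 -> 10.2.0.5:3306",
    "Jan  1 00:00:04 fw1 DENY tcp 10.3.7.9:40003 -> 10.2.0.8:22",
    "Jan  1 00:00:05 fw1 malformed line that the parser skips",
]

if __name__ == "__main__":
    hits, unused, unmatched = analyse(RULES, LOG)
    print("hits:", hits)
    print("rules with no log hits (cleanup candidates):", unused)
    print("flows no rule permits (new rule candidates):", unmatched)
```

The point of doing the match on integers rather than on strings is the one the page makes: a flow is either inside a rule's CIDR blocks or it is not, so hit counts and unmatched flows are determined entirely by the data. On the constructed sample, `legacy-ftp` never fires and the one denied flow matches nothing, which is exactly the split between cleanup candidates and new-rule candidates that a log-versus-policy comparison produces.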



WooterWoot (Build FW-1, Cisco and Netscreen Policy From Logs)

A log analysis tool that outputs its results as new firewall configs.



The project WooterWoot (Build FW-1, Cisco, Netscreen Policy From Logs) is, in comparison to 360-FAAR, a much simpler project. It is designed to quickly and simply build new policies for firewalls in small or test networks, based on the connectivity seen in the logs. It can, however, be used in conjunction with 360-FAAR: WooterWoot initially builds a new policy, which 360-FAAR can then rationalize using existing groups and rules pulled from the existing firewall infrastructure.
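To show what "build policy from logs" and the Output Formats section's "native command language" output amount to in practice, here is example code added for this page; it is not WooterWoot's or 360-FAAR's own code. It reads constructed syslog-style lines, keeps only the permitted flows, groups them by destination service, collapses the observed source hosts into the smallest set of CIDR blocks that covers exactly those hosts, and renders the result as Cisco ASA extended access-list entries. The access-list name `inside_in`, the log line layout and all addresses are constructed assumptions.

```python
# Added example, not WooterWoot or 360-FAAR code: derive a first-cut Cisco ASA
# access-list from the permitted connectivity seen in a constructed log.
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed log line layout: "<timestamp> <host> <ACTION> <proto> src:sport -> dst:dport"
ALLOW_RE = re.compile(
    r"ALLOW (?P<proto>tcp|udp) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

Flow = Tuple[str, str, str, int]  # (proto, src, dst, dport)


def parse_allowed(lines: List[str]) -> List[Flow]:
    """Keep only permitted flows; denied or unparseable lines are ignored."""
    flows = []
    for line in lines:
        m = ALLOW_RE.search(line)
        if m:
            flows.append((m["proto"], m["src"], m["dst"], int(m["dport"])))
    return flows


def build_rules(flows: List[Flow]):
    """Group flows by service (proto, dst, dport) and collapse the source hosts
    into the smallest set of CIDR blocks covering exactly those hosts."""
    groups: Dict[Tuple[str, str, int], set] = defaultdict(set)
    for proto, src, dst, dport in flows:
        groups[(proto, dst, dport)].add(ipaddress.ip_network(src))
    rules = []
    for (proto, dst, dport), sources in sorted(groups.items()):
        nets = list(ipaddress.collapse_addresses(sources))
        rules.append((proto, nets, ipaddress.ip_network(dst), dport))
    return rules


def asa_addr(net: ipaddress.IPv4Network) -> str:
    """ASA address syntax: 'host a.b.c.d' for a /32, otherwise 'network netmask'."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def to_asa(rules, acl: str = "inside_in") -> List[str]:
    """Render each rule as an ASA extended access-list entry (acl name is a placeholder)."""
    lines = []
    for proto, nets, dst, dport in rules:
        for net in nets:
            lines.append(
                f"access-list {acl} extended permit {proto} "
                f"{asa_addr(net)} {asa_addr(dst)} eq {dport}"
            )
    return lines


def policy_from_log(log_lines: List[str], acl: str = "inside_in") -> List[str]:
    """Whole pipeline: log lines in, ASA access-list commands out."""
    return to_asa(build_rules(parse_allowed(log_lines)), acl)


# Constructed log sample (not taken from any real firewall).
LOG = [
    "Jan  1 00:00:01 fw1 ALLOW tcp 10.1.5.20:40001 -> 10.2.0.5:3306",
    "Jan  1 00:00:02 fw1 ALLOW tcp 10.1.5.21:40002 -> 10.2.0.5:3306",
    "Jan  1 00:00:03 fw1 ALLOW udp 10.1.5.20:53412 -> 198.51.100.53:53",
    "Jan  1 00:00:04 fw1 ALLOW tcp 10.1.5.20:40003 -> 10.2.0.5:3306",
    "Jan  1 00:00:05 fw1 DENY tcp 10.3.7.9:40004 -> 10.2.0.8:22",
]

if __name__ == "__main__":
    for cmd in policy_from_log(LOG):
        print(cmd)
```

Only adjacent hosts that exactly fill a larger block are merged (here the two sources 10.1.5.20 and 10.1.5.21 become 10.1.5.20/31), so the generated policy never permits an address that was not seen in the log. That is the narrow, log-derived starting point the page describes; widening it to existing object groups and rules is the rationalisation step it assigns to 360-FAAR.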



Read the 360-FAAR User Guide here
Read more here.