:zomgwtfbbq: :zomgwtfbbq: :zomgwtfbbq: :zomgwtfbbq: :zomgwtfbbq:
Contractor firm was paid by the rule, apparently... NO GROUPS AT ALL. Every rule is one source, one destination, one service. It's hellacious when it gets to rules permitting AD connections...
My current gig has something similar. Shitty design to begin with and migrated it to a major service provider. Rulebase was already a huge mess but they just copied it because of time and resource constraints (or laziness, not sure). Somewhere in the middle, someone also thought it would be a good idea to script it - it wasn't, so they started adding rules with "any" fields to fix it. After six months we got read-only access again. I tried cleaning up some but when I cleaned ten, twenty new ones appeared. Everyone has now given up :mrgreen: I'm sure it would take an FTE 3 to 6 months to clean it up, but who would want to do that? :whistle:
^^^ Reasons to get a firewall management system in place.
I hate it when someone adds a duplicate rule, just in case it's not already there and there are too many rules to check.
duplicate object_groups are the worst.
Object-group network ALL_CLIENT_ACCESS
network x.x.x.x
Object-group network ALL-CLIENT-ACCESS
network x.x.x.x
then ya got 2 ACLs doing the same thing
but I think that's the nature of having firewall managed by multiple people, everyone tends to do what they know.
We're merging rules with common source/destination, source/ports, or destination/ports. Down to around 800 now.
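The two cleanup problems described above (two object-groups with different names but the same members, and "just in case" rules that duplicate or are already covered by an existing one, plus rules that could be merged because they share source and destination) can be found mechanically before anyone starts editing by hand. The script below is an added example, not code from anyone in this thread; it parses a constructed Cisco-ASA-style config (the thread's "network x.x.x.x" shorthand is written here as ASA's `network-object host` syntax, and only that plus the simple `access-list ... extended ... eq PORT` grammar is handled) and reports duplicate groups, redundant rules, and merge candidates.

```python
"""Added example: audit a Cisco-ASA-style firewall config for duplicate
object-groups, redundant ACL entries and rules that could be merged.
The parser is deliberately narrow: only 'network-object host' members and
'access-list NAME extended ACTION PROTO SRC DST eq PORT' rules are understood."""
import re
from collections import defaultdict

# Constructed sample config in the style quoted in the thread (not a real rulebase).
SAMPLE_CONFIG = """
object-group network ALL_CLIENT_ACCESS
 network-object host 10.1.1.10
 network-object host 10.1.1.11
object-group network ALL-CLIENT-ACCESS
 network-object host 10.1.1.11
 network-object host 10.1.1.10
object-group network DB_SERVERS
 network-object host 10.2.2.5
access-list OUT extended permit tcp object-group ALL_CLIENT_ACCESS object-group DB_SERVERS eq 1433
access-list OUT extended permit tcp object-group ALL-CLIENT-ACCESS object-group DB_SERVERS eq 1433
access-list OUT extended permit tcp object-group ALL_CLIENT_ACCESS object-group DB_SERVERS eq 443
access-list OUT extended permit tcp host 10.1.1.10 host 10.2.2.5 eq 1433
"""

GROUP_RE = re.compile(r"^object-group network (\S+)$")
MEMBER_RE = re.compile(r"^\s+network-object host (\S+)$")
ACL_RE = re.compile(
    r"^access-list (\S+) extended (permit|deny) (\S+) "
    r"((?:object-group|host) \S+) ((?:object-group|host) \S+) eq (\S+)$")


def parse_object_groups(text):
    """Map each object-group name to the frozenset of host members it contains."""
    groups, current = {}, None
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = m.group(1)
            groups[current] = set()
            continue
        m = MEMBER_RE.match(line)
        if m and current is not None:
            groups[current].add(m.group(1))
    return {name: frozenset(members) for name, members in groups.items()}


def find_duplicate_groups(groups):
    """Groups whose member sets are identical, regardless of how they are named."""
    by_members = defaultdict(list)
    for name, members in groups.items():
        by_members[members].append(name)
    return sorted(sorted(names) for names in by_members.values() if len(names) > 1)


def parse_acl(text):
    """Return rules as (acl, action, proto, src, dst, port) tuples, in config order."""
    return [m.groups() for m in (ACL_RE.match(l) for l in text.splitlines()) if m]


def resolve(endpoint, groups):
    """Expand 'object-group NAME' or 'host ADDR' to the set of addresses it covers."""
    kind, name = endpoint.split(" ", 1)
    return groups[name] if kind == "object-group" else frozenset([name])


def find_redundant_rules(rules, groups):
    """(index, shadowing_index) pairs: a later rule is redundant when an earlier rule
    with the same ACL, action, protocol and port already covers its resolved src/dst.
    This also catches the duplicate-group case, because both groups resolve to the
    same addresses."""
    resolved = [(r[0], r[1], r[2], resolve(r[3], groups), resolve(r[4], groups), r[5])
                for r in rules]
    redundant = []
    for j, later in enumerate(resolved):
        for i in range(j):
            earlier = resolved[i]
            same_key = (earlier[0], earlier[1], earlier[2], earlier[5]) == \
                       (later[0], later[1], later[2], later[5])
            if same_key and later[3] <= earlier[3] and later[4] <= earlier[4]:
                redundant.append((j, i))
                break
    return redundant


def find_merge_candidates(rules):
    """Rules sharing ACL, action, protocol, source and destination but differing only
    in port: these collapse into one rule with a service object-group."""
    ports = defaultdict(set)
    for acl, action, proto, src, dst, port in rules:
        ports[(acl, action, proto, src, dst)].add(port)
    return {key: sorted(p) for key, p in ports.items() if len(p) > 1}


if __name__ == "__main__":
    groups = parse_object_groups(SAMPLE_CONFIG)
    rules = parse_acl(SAMPLE_CONFIG)
    print("duplicate groups:", find_duplicate_groups(groups))
    print("redundant rules:", find_redundant_rules(rules, groups))
    for key, ports in find_merge_candidates(rules).items():
        print("merge candidate:", key, "ports", ports)
```

Run it against an exported config to get a worklist rather than hunting by eye; the redundancy check compares resolved addresses, so it flags the ALL_CLIENT_ACCESS / ALL-CLIENT-ACCESS pair of rules as well as the host-level rule that the group rule already covers. Extending it to `network-object A MASK` members and `range`/`object-group service` ports is the obvious next step for a real rulebase.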
FIREWALL PROTIP: Groups are AMAZING. Use them, why don't you?
:tmyk: