Monitoring a firewall is important. So is doing it appropriately

A firewall is indispensable as the first line of defense for a network. Monitoring its efficiency is vital

What is a firewall?

A firewall is a line of defense for any network or device. Usually the very first. The firewall monitors incoming and outgoing traffic, and controls what can be transmitted and what is blocked according to predetermined security rules. A firewall is typically used to establish a barrier between a trusted and an untrusted network. The most common example of a firewall is to prevent unauthorized access from the internet, but there are plenty of other applications for a firewall.

Firewalls are split into software and hardware types. Both control traffic, but the software ones use the resources of the host they are installed on, while hardware firewalls have their own dedicated resources. This is the main distinction between the types of firewalls, beyond which they are categorized by how they operate.

A packet filter firewall inspects the packets transferred between computers and allows or blocks them according to preset rules. Stateful firewalls can also keep track of the state of network connections, such as TCP streams, UDP datagrams, and ICMP messages. These can act over a whole connection, not just packet by packet. Further up are application firewalls, which operate on an application-level, being able to distinguish applications from one another, and allow or block traffic to or from these. Deep packet inspection firewalls are advanced packet filtering systems, capable of inspecting the actual content of each packet and filtering these if desired.

Regardless of the technology behind a firewall, all are rules-based. Rule standards can be applied to large and small items, for example to all of the incoming packets down to a particular type of packet trying to access a single device, on a specific port. The granular control provided by most firewalls is quite high. Keeping track of how a firewall operates is the central point of what monitoring a firewall is all about.

What is firewall monitoring?

Firewall monitoring, as can be imagined, is done with a firewall monitoring software. This may be a standalone tool but in practice it is common to have a network monitoring tool that can check the status of firewalls alongside a plethora of checks on other parts of the infrastructure. Firewalls aren’t particularly complex to monitor and therefore the task of monitoring a firewall is only one of the many that a monitoring solution can accomplish.

In truth, firewalls are victims of the misconception that once set up, no monitoring is necessary. As with any other piece of your network, anything that is not monitored may later cause undetected issues. Firewalls are no exception to this. Therefore, the monitoring of firewalls has to be part of a good network monitoring system. As we will shortly see, there are a number of good reasons for monitoring a firewall.

Monitoring services of a firewall in Checkmk

Why is a firewall monitor important?

The effectiveness of a firewall greatly depends on how up-to-date its rules are. If a new application is installed without a respective rule to control its traffic, when necessary, then the application may not work at all, as its traffic is blocked by default. Whenever a new host is connected the firewall rules may need to be updated to include or exclude it, depending on its role in the network. A new user will have a new set of applications and services that they will need access to, and a firewall may block it.

It is clear then that the first reason why a firewall monitor is important is to avoid potential problems that can be caused by a set of outdated rules. By monitoring your firewall this can be checked and identified. Rules can then be modified as required to reflect the changes in the infrastructure without causing any service disruption.

A second factor for the importance of monitoring a firewall is the limiting of human error. A large percentage of data leaks are due to inadvertent mistakes by employees. Mistakes cannot be 100% eliminated, clearly, but they can be detected by monitoring. The ways with which hackers steal credentials include the typical malware and phishing tricks, both of which generate traffic. A firewall monitor can detect this traffic as it happens, and notify the network administrators about it.

Lastly, having clear firewall policies help in keeping the rule set optimal. Still, if it is not monitored, it is hard to know for sure if these policies are being correctly applied. Here firewall monitoring plays the role of a watcher, checking that the rules are active, and that all ports have the correct status.

Graph showing ip4 blocked packets

What to check when monitoring a firewall

Monitoring a firewall is mostly concerned with the  monitoring of a firewall’s rules. The core of a firewall is really its rules and making sure that these do not conflict with various business processes or another firewall rule is the primary check to have correctly set up. Rules should not override each other, as this causes all sorts of random behaviors that are hard to monitor later. Firewall monitoring software is capable of checking rules as soon as they are implemented.

Not only should rules not be in conflict with other rules, but rules that are no longer required should also not be kept. This can be a security risk, mainly because it can result in ports from a very old rule being left open, a situation that may not have been detected by administrators. Without proper firewall monitoring, such detection is not an easy task. Checking that all rules are actually being correctly applied and that they are required by the policies in use is an important task for the firewall monitoring service.

Firewall log monitoring is the practice of monitoring the logs generated by the firewalls. These provide plenty of insight on how the firewall is performing, what is being blocked, and if any rules are not being triggered. As well as the usefulness of catching outdated rules, perusing the logs can be informative in various other situations.

For instance, knowing which rules are being most often triggered can not only inform the administrators of the traffic trends, and their changes, but enable them to detect many unusual behaviors. A firewall port that was never used and which suddenly becomes very active, can be grounds for treating this new traffic as suspicious. Similarly, ‘false positives’ can also be found in the firewall logs. These are sources of traffic that interact with the firewall, but should not.
Firewall log monitoring is supported by the vast majority of firewall monitoring systems. And, if it is not supported, it is good practice to check the logs manually.

Which metrics are relevant in monitoring firewalls?

Firewall monitoring tools are not only about rule-checking, but also about collecting a series of metrics that help administrators understand how the firewall is performing. Namely, parameters that inform how the traffic on a network is moving are normally within firewall monitors’ tasks. These parameters include the origin and destination of traffic, the bandwidth used, the active sessions, what ports are being used, and whether the ports match any firewall rule.

The ports are especially relevant. They are at the core of the firewall rules and therefore the foremost metric that indicates whether a rule is being applied, or not. By ‘ports' we mean not just the TCP/UDP ones, but the physical ports on a hardware firewall as well. This activity complements port monitoring, which deals with ports only.

Through matching active sessions with their ports, it is possible to identify traffic that is passing through but should not actually be allowed. Such data can require an update of firewall rules. In the opposite case, traffic being blocked at a port may be a signal to the administrator that this traffic should in fact be allowed. Once the firewall monitoring is active, notifications are triggered for both of these cases, and the responsible team can act upon them accordingly.

Another important metric to collect is simply the status of the firewall rules at a given moment. By saving it the firewall monitoring service can notify of any changes. Most changes will be routine, but occasionally a team member can change the firewall rules without informing other members. Knowing what has been changed and why can quickly identify the responsible person.

TCP connection service graphs in Checkmk

Best practices for monitoring firewalls

Firewalls are not all the same. Different firewall technologies are implemented in various firewalls under all the operating systems. Linux firewall monitoring does not function in the same way as Windows firewall monitoring. Thus, make sure that you are monitoring the firewalls according to how they work. A generic check of ports and what traffic goes through them is insufficient. It is important to delve into the differences between Linux and Windows firewall monitoring when considering a firewall monitoring implementation. This topic goes beyond the scope of this article, but it is important to mention as a best practice for monitoring firewalls.

Regardless of whether a Linux or Windows-based firewall is in use, the firewall software needs to be up-to-date. Your monitoring tool of choice should be capable of signaling an outdated version. To prevent any risks and ensure that your firewall is working to its full potential, make sure that its software is regularly updated.

Firewall monitoring is not a process that simply runs continuously, one that once implemented and started can be forgotten about. 

It is important to conduct regular firewall security audits. These are designed to check whether the firewall rules are in accordance with the company’s security policies and compliance requirements. This is made easier with a proper firewall monitoring, but in any case it needs to be done from time to time.

Firewall monitoring can detect when a new or changed rule is opening unwanted ports somewhere in your network, but the consequences of this are yours to decide. Instead of applying rule changes in production, it is a better practice to do so in a staging/testing environment. Monitor the firewall there too, before committing the changes to production. Even a few minutes of an untested firewall rule may mean too large a security risk for most companies to accept.

How to choose a firewall monitoring tool?

Choosing the right firewall monitoring software is primarily a matter of the available support. Firewalls are both hardware and software, and a tool for monitoring them definitely needs to support the actual ones you have in your network. Hardware firewalls are specific devices that may or may not be supported by most firewall monitoring tools. If not, make sure that you can monitor them through SNMP, as a last resort.

Software firewalls mean those coming with Linux, other Unix-like operating systems or Windows. Windows firewall monitoring has its own requirements, which differ from those of Linux or Solaris or AIX. There are even multiple types of firewalls under these systems, and a good firewall monitoring tool needs to be able to monitor all of them. Windows firewall monitoring means at least monitoring the Windows Defender Firewall, which is supplied with Windows itself. Many proprietary and open-source alternatives exist, with their own ways of setting rules and blocking traffic.

Virtual machine monitoring implies checking for their firewalls too. In most environments there are virtual machines, serving a range of purposes, and these are of course integrated into the network they run in. Monitoring a virtual machine firewall is therefore an important weapon to have in your arsenal.

Similarly, cloud services have their own networks and relative cloud firewalls. These are a vital part of modern infrastructures, and logically need to be monitored by your firewall monitoring tool of choice.

An important feature that does not improve the actual monitoring but which makes the lives of administrators easier, is a visual interface to be able to immediately see the status of your firewalls. This is best provided with a dedicated dashboard to check each firewall, and thus to be able to see at a glance if anything is amiss or wrong, basically. Detailed firewall log monitoring and firewall rules monitoring need to be integrated into the monitoring dashboard so that they can be operated with ease.


What is firewall log monitoring?

Firewall log monitoring means the checking of the logs produced by a firewall. Both software and hardware firewalls normally produce logs, and these contain a wealth of information about how the firewall is functioning. In firewall monitoring, analyzing such logs is an important step for gaining a deeper view of the implemented firewalls.

What is Nagios firewall monitoring?

Nagios firewall monitoring is the monitoring of a firewall using Nagios, the network monitoring application which Checkmk was originally based on. With Nagios it is possible to monitor both software (such as the Windows firewall) and hardware firewalls.

What is Cisco firewall monitoring?

Cisco firewall monitoring refers to the checking of the status and collecting metrics from  the popular series of Cisco firewalls, such as Cisco ASA. Monitoring these through SNMP is always an option, but firewall monitoring software also does so through the use of custom tools, like in Checkmk with its cisco_asa_connections plug-in for example.