360-FAAR can be downloaded and used for free under the terms of the GPLv3 license. It is an open source firewall policy analysis and manipulation tool capable of automating many large operations tasks. These include: Policy Cleanup, Rule Translation, Log Analysis, Object Analysis.
360-FAAR is also available as a commercial product called 360-FAAR Enhanced. This version is suitable for large enterprise networks and firewalls. The 'Enhanced' version is capable of far greater security, and maintains the existing rulebase / firewall policy structure! However, the open source version will meet the needs of most small to medium sized companies.
360-FAAR is an offline, command-line Perl firewall policy manipulation tool that can filter policies, compare them to logs, merge policies, translate connectivity rules (ACLs and policy entries) and output firewall commands for new policies as Checkpoint dbedit, Cisco ASA or ScreenOS commands, and it is one file!
360-FAAR requires no extra hardware on your network; it can be run from any server with a standard installation of Perl. 360-FAAR reads the firewall configs and log files OFFLINE and requires no connectivity to the firewall infrastructure it is analysing. There is no installation or uninstallation procedure: it is a single-file Perl script. 360-FAAR writes the suggested new firewall policies as text to the command line so that they can be copied and pasted to the firewalls that require new policies.
New firewall policy rulebases are generated automatically by comparing all connectivity found in the log files to the current firewall configurations loaded. The new firewall policies are output in each firewall's native command language (Checkpoint dbedit, Cisco ASA, and Netscreen ScreenOS6 supported). When outputting dbedit commands 360-FAAR also writes an odumper/ofiller format CSV that can be used as a template for translation to many firewalls that can be read in buildobj mode.
Data Driven Analysis
360-FAAR uses a 100% data driven model and all internal processing is done using binary CIDR IP address matching. There is no subjectivity within the analysis or the solution!
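The log-to-policy comparison and binary CIDR matching described above can be sketched as follows. This is an added example, not 360-FAAR's own code: the rule tuples, log tuples, function names and the first-match-wins ordering are assumptions, and all sample data is constructed.

```python
import ipaddress

def ip_int(addr):
    """Convert a dotted-quad IPv4 address to an integer."""
    return int(ipaddress.ip_address(addr))

def to_net(cidr):
    """Return (network_int, mask_int) for an IPv4 CIDR string."""
    net = ipaddress.ip_network(cidr, strict=False)
    return int(net.network_address), int(net.netmask)

def in_net(addr_int, net):
    """Binary CIDR match: AND the address with the mask, compare to the network."""
    base, mask = net
    return (addr_int & mask) == base

# Constructed sample policy: (name, source CIDR, destination CIDR, destination port)
RULES = [
    ("web-in",  "0.0.0.0/0",       "192.0.2.0/28",  443),
    ("db-app",  "10.1.0.0/16",     "10.2.5.0/24",   5432),
    ("old-ftp", "198.51.100.0/24", "192.0.2.16/28", 21),
]

# Constructed sample of logged connections: (source IP, destination IP, port)
LOG = [
    ("203.0.113.9", "192.0.2.4", 443),
    ("10.1.7.20", "10.2.5.11", 5432),
    ("10.1.7.20", "10.2.5.11", 5432),
    ("10.9.9.9", "10.2.5.11", 22),
]

def analyse(rules, log):
    """Count hits per rule (assumed first match wins) and list uncovered connections."""
    compiled = [(name, to_net(s), to_net(d), port) for name, s, d, port in rules]
    hits = {name: 0 for name, *_ in rules}
    unmatched = []
    for src, dst, port in log:
        s, d = ip_int(src), ip_int(dst)
        for name, snet, dnet, rport in compiled:
            if port == rport and in_net(s, snet) and in_net(d, dnet):
                hits[name] += 1
                break
        else:
            unmatched.append((src, dst, port))
    unused = [name for name, count in hits.items() if count == 0]
    return hits, unused, unmatched

if __name__ == "__main__":
    hits, unused, unmatched = analyse(RULES, LOG)
    print("hits:", hits)
    print("cleanup candidates:", unused)
    print("logged but not in policy:", unmatched)
```

Rules with zero hits over a representative log window are candidates for policy cleanup, while logged connections that match no rule show where the loaded configuration and observed traffic disagree.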
WooterWoot (Build FW-1, Cisco and Netscreen Policy From Logs)
A log analysis tool that outputs its results as new firewall configs.
The project WooterWoot (Build FW-1, Cisco, Netscreen Policy From Logs) is, in comparison to 360-FAAR, a much simpler project. It is designed to quickly and simply build new policies for firewalls in small or test networks based on the connectivity seen in the logs. It can, however, be used in conjunction with 360-FAAR to initially build a new policy, which 360-FAAR can then rationalize using existing groups and rules pulled from existing firewall infrastructure.