FireMon benefits any organization without configuration management right out of the box
Updated June 04, 2021
Engineer in Information Technology, Financial Services Company, 5001-10,000 employees
Score 10 out of 10
- Security Manager
Overall Satisfaction with FireMon
We use FireMon as a firewall configuration management tool as well as our primary software suite for responding to auditors regarding network security. Currently the product is mostly focused at the security administrator/engineer level, but we have several users in less technical roles across different business units that have some limited but very useful information thanks to that extra level of deployment. This tool has been crucial in helping us keep our overall rule counts down and also restricting access to only applications that are still valid. Recently I've created controls that were pretty simple to make; they essentially evaluate any new rule created to see if it crosses from outside to inside, which allows a tier 3 team to analyze those rules daily/weekly. Compared to how I was doing this in Splunk, FireMon is 100x better.
Pros
- Finds overly permissive rules
- Finds redundant rules/unused object (junk)
- Acts as a snapshot in time config repository (backup system)
- Helps compare configs from one day to the next to see exactly what changed and who changed it
- Creating controls for higher tier engineers to review to ensure policy is being followed in near real time.
- There are a number of reports both built in and custom that can really help make sure company policy is being followed in rule creation.
Cons
- The administration page alerts are pretty bad and need to be finely tuned.
- Performance issues impacting large organizations with a massive amount of traffic passing over their firewalls
- Cisco integration is less than Palo and Checkpoint in many areas; perhaps this is a Cisco side issue, but either way, it would be nice if all features worked with all vendors to the same degree
- As of writing this you can't add Firepower devices directly to FireMon; you have to add an FMC and it can read the config from there. That works well for most people to be fair, but I am looking to kill FMC and use Cisco CDO instead. FireMon is adding support that will permit all of this, which I'd estimate at 6 months. Keep that in mind when buying. That said, I'd try to work around the limitation as they add support.
Update: The ability to scale the product before deployment is very high; after deployment you can still add new servers and combine them to get "ultra" performance out of the product, though it is more complicated, so if I had to go back in time I'd have started with more hardware. Given the somewhat recent dedication to this (supporting large organizations), I am moving my rating from 8 to 9. I would still like to see some sort of magic plug and play for scaling, which is probably unlikely, especially since it's not really that hard.
- Reduced complexity from fewer unneeded or inactive firewall rules
- Increased efficiency in compliance reporting
- Increased security through reporting of things that would be hard to put together with the human eye in large networks
- An amazing leap forward in rule documentation and reports to help make sure that rules that are created in the organization are done correctly. You could identify possible inside threat rules being deployed within minutes. My focus is on accidental exposure so I check the rules daily that are "high risk".
We have yet to deploy FireMon into our public or hybrid cloud strategies, nor do we really need to support many vendors on premises. Our business does have another security department that finds great benefits from the vendor-agnostic support. I have seen what the product can do, and in time, as our need to support multiple vendors across different environments increases, I have no doubt it will get the job done very well.
We do not currently run the modules that automate workflows but we do have a massive suite of reports created that can actually help reduce mistakes by showing us some that were made the next day (or at some interval) allowing for quick remediation of human error. As for reducing cost, FireMon has helped show us how many of our rules are actually in use and as an unintended side effect has helped to show us we need fewer devices to support our original mission. Fewer devices and better security is always a big win.
This question is asking for some concrete examples, which are hard to provide given the level of secrecy we are held to. What I will say is that our organization is a FinTech, and as such, it is regulated heavily by auditors from the Federal Reserve, other companies, internal groups, and more. I can say that we have absolutely benefitted from the software helping to keep us compliant and preventing potential fines by proving to the auditors that we do what we say in an easy-to-read report.
FireMon, by its very nature, will reduce risk with firewall misconfigurations by simply installing the product and feeding it configurations. The reports included without charge or customization have been enough to protect us from certain downtime due to software/hardware failure from our vendor. Long ago we moved from one security vendor to another, and the new vendor used their professional services team to help us migrate configurations. On the surface, everything seemed totally fine, but after running one of FireMon's most basic reports, I noticed a few environments with device-breaking configuration sizes. By using FireMon to identify the rules causing the biggest problems, I was able to reduce our rule count by 90% in some instances where we were already long past vendor recommendations (and had seen some issues related to this but didn't know why until we got the picture that FireMon was able to easily paint). Update: I have recently added the ability to check (easily) for breach avenues, and the reports are fairly brilliant. I would say FireMon could do some work on how the PDFs etc. are formatted, but all the info is there and it is easy enough to read.
To be blunt, at the time of purchase most of these products appeared to do the same things in the same ways. What really brought us to the table with FireMon six years ago was their willingness to earn our business, and to this day they remain just as committed to keeping our business as they were to getting it. Some companies get too big, and with that comes an ego and prioritization of key clients. I'm sure FireMon does some of this in the background, but you'd never know it. AlgoSec didn't think they had to try at all; they thought the product would sell itself. At that time, so many years ago, AlgoSec was leading the way, but I saw a ton of potential in FireMon, so we gave it a go, and at this moment in time I can say we aren't looking back. In fact, we are trying to forge ahead to open up more product features and bring additional ROI to the organization, working side by side with FireMon.
FireMon is very well suited to handle small to midsize networks for total configuration management/rule deployment/reporting. I think where FireMon is less suited is handling larger networks with higher amounts of traffic. To be fair to FireMon, we probably should have been informed by the original sales team (no longer with the company) that we would need more hardware in order to function properly with our network. We've had to use clever workarounds to get basic data from our devices into the product. I do not think this is a problem in all larger organizations, but in ours, where firewall logging accounts for most logs in the environment, we do have some issues. Update: FireMon is using a lot of different scaling tricks so that you can dedicate servers to functions or load balance the same functions across multiple servers. This won't help with a large environment with routes that don't make much sense, but it should help permit the ability to log a lot of traffic if you supply the correct hardware to do so.
FireMon Feature Ratings
Mostly network security, but using APIs we've created tools that help system admins find NATs that are in use (without logging into the FireMon UI) so that they can put in cases with more confidence to create new access and somewhat audit themselves along the way.
It really helps to know your way around Linux but is not at all a requirement; if I were posting a job opening, that would be in the criteria though. Currently I am the main user supporting FireMon, and my best skills are all around network security; despite that, I have found it easy enough to maintain by myself with the other 300 things a day I do.
- Rule count/complexity reduction.
- Auditing environments for compliance.
- Documentation and documentation enforcement. Putting a comment on a rule in a firewall is only as good as that firewall and prone to bugs. FireMon keeps rule documentation in a separate database, which is great.
- Sharing specific environments with other groups allowing them read only access to "their" firewalls.
- Creating reports to alert on potential data breach pathways with a main focus on N/S traffic.
- Creating reports to ensure that engineers are providing documentation to specifications on each rule created.
- We didn't buy it for the audit components but we did end up using them which has helped a lot.
- Logging the traffic going over specific rules to look for ways to tighten security on overly permissive things. It can do this today but doesn't really have the horsepower to do it well.
- We hope to one day make it to where the maps draw correctly so that we can automate rule creation through multiple firewalls.
- Cloud compliance along with "other" firewall compliance: our team is network security, and there are devices we can't easily see right now. FireMon can fix this; it just takes time.
I would give a 10, but if for some crazy reason FireMon does not add support for Firepower (without using FMC) before renewal, then we'd have a major problem. I have absolute confidence this will not be an issue.