Firewall automation case study
Financial - Firewall Policy Automation
BestPath helped transform the firewall rule request process for a large financial client; an international business, employing over 4500 people, with annual revenue in excess of £2bn.
In the age of digital transformation and software-defined networks, many data centers are undergoing significant redesigns. Network teams are provisioning new network infrastructure platforms, and for larger clients, this can take time. We need to plan our journey to a fully automated software-defined network with objectives and milestones around replacing key infrastructure components. Often, SDN networks are just one component within a data center. To facilitate end-to-end traffic flows, we need to make configuration changes to different infrastructure components. If a network device exists within a traffic path requiring manual configuration, this device and associated business processes will always be the bottleneck.
BestPath was selected to develop a solution to automate the validation and deployment of security policy across the clients' Fortinet firewall estate.
Software development methodologies demand us to deploy new platforms quickly and confidently. Our objective was to reduce the time to deploy end-to-end connectivity requests to ensure that application teams could continue developing at pace.
End-to-End security policy implementation is often the biggest blocker when it comes to deploying new applications or services. We often see the consistency, standard, and success rate as a real problem within businesses, with wait times ranging from days to weeks for even a simple request.
As part of a long-term cloud-first strategy and applications migrate from on-prem locations, traffic flows between private and public cloud environments are expected to scale up rapidly. The infrastructure migration to the public cloud will increase demand and scale of configuration changes across the security perimeter.
We felt it was important that the solution was dynamic and extensible to cater for any future requirements.
The solution had the following requirements:
- Provide easy validation and triage of connectivity requests
- Enforce configuration standards
- Automate the deployment of requests onto FortiManager
- Be easy to extend the solution to cater for other vendors/platforms.
A new request form was designed in collaboration with both Firewall and Security teams to provide a standardized and straightforward format for connectivity requests to be submitted by application teams.
The new form ensured that all submitted requests contained all the required information to allow the request to be implemented without problems. BestPath created custom Python scripts to validate the customer request. If, for any reason, our validation checks were unsuccessful, we highlighted the errors and passed the request back to the user.
The use of this custom tooling allows the quick triage and validation of requests. We structured the tooling to extend it later and make use of external APIs from a wider ecosystem of products. This future capability will allow us to perform more extensive testing and validation of requests.
Once Python has validated the request, we normalize it and pass it to Ansible. Using Ansible and the Fortinet provided modules, we quickly and consistently deploy the policy.
The benefits of using open-source software like Ansible are the ever-growing support and compatibility for various device types. As new and different requirements come in, we can expand the existing tooling to support more than just the current Fortinet estate.
- Future Capabilities: The choice of Ansible as the automation platform provides the capability to easily integrate other devices into the automation pipeline. Many vendors provide their own Ansible modules which the team can leverage at a later date.
- Reduced time to provision configuration: With engineers no longer spending time manually translating requests into firewall configuration, the automation platform deploys firewall configuration faster than ever.
- Increased Configuration Consistency: Generating all configurations from a single platform improves consistency, and we enforce standards at the source, which helps reduce duplication of objects and redundant configuration elements.
- Team Innovation: The firewall team is changing the way that they operate for the better. These changes simplify operations, allow staff to focus on engineering work, and help drive the business forward.