FireMon Security Manager Reviews

We use FireMon for compliance reporting. Also, because it provides a roadmap for us to start doing workflow automation - not to be confused with other forms of automation that occur in the firewall realm - we use it to see the processes and procedures that we can automate and enforce. These include approval processes, review processes, and pre- and post-implementation validation.

Any organization will have a best practice of looking at their firewalls at least once a year, going line-by-line. But whenever we have something like a PCI assessor coming in, we want to make sure we do our due diligence. We want to look at anything that has popped up, or that we might be unaware of, or that we put on the back burner, because it's impactful to the business. We can't really do that unless we can query our environment or set it up to keep us informed of everything that conflicts with our best practices. That's where we get the great majority of the value out of the product.

One of the most concrete examples of how it has helped our organization - and it's not the most spectacular example - is that with Security Manager specifically, we have the ability, as security engineers, to review and approve firewall rules before they are implemented, even though that task is performed by our networking engineers. What that allows us to do is maintain a separation of duties, which is very important for a lot of compliance checks. I can't be the person who makes a rule and the person who says that the rule that I just made is okay and up to standards. There's a conflict of interest there.

So one of the main things that adds value or improves the security posture of our environment is the ability to separate roles and responsibilities. As part of our processes, I can say to the networking team, "Submit to me what it is that you're planning on doing." Using FireMon, I can look at the firewall and the firewall rule without having to have access to the actual firewall. After they are done with their change, I can validate that what I said they could do matches what they actually did do. Having that mechanism as an option in our environment holds everyone up to a higher level of best practices, because they know someone can validate that they're not just doing whatever they want to do without anybody being the wiser about it.

The solution helps to close a visibility gap we previously had. That goes back to reemphasizing the fact that we're trying to maintain that separation between security engineers and network engineers. I don't want access to the firewalls themselves, but I am accountable for every rule that's on them. Everything we do goes through FireMon. Is it instrumental in my being able to see something and correct it? Absolutely.

Because of FireMon, we have found several instances of objects that were created where the intent was for it to be four ports, but it got fat-fingered and someone put in a much wider port range. It has helped us to identify misconfigurations. It has helped us to identify out-of-band changes, where stuff was done that wasn't necessarily approved. Because it has its own repository of industry best-practices, it has helped us to highlight hundreds of rules that have unwanted objects in them. If I don't have to spend two days walking through all of our firewalls to do that, and I can run a report that I know is pulling back authoritative information, then I'm able to accomplish more because of it.

It certainly helps reduce our overall auditing time. The alternative to not having the product is doing a manual review. What the product is designed to do is to show me everything that violates this standard or that rule. If I can do that - and even if I have to spend a day or two coming up with standards and the rules for me to check against - in two days I have the results that a manual process would take me several weeks to achieve. Now, cleanup still takes just as long. I can't say, "Fix all of these," and it automatically cuts tickets for me - yet. With proper future-proofing, optimization, and integration, it would be able to do that for us as well. But overall, it definitely helps reduce auditing time.

Another advantage is that is has helped to clean up rules that have not been reviewed in several years. There are thousands of rules every year that we clean up directly, based off of the reports.

To give more context to this answer, one of the main functions of anyone in security is: If we don't need it, we need to get rid of it. But there's always that battle between the needs of enforcing best practices and accommodating the business. Anyone who has ever used this solution, or competitors' solutions, or gone through a firewall cleanup process, has experienced this scenario: "Well, we deleted 300 rules and something broke and now we need to find out which of those rules we need to turn back on." And that happened because they were working from a report that they only ran once a month or once a quarter. What this tool allows me to do is not only disable unused rules, but to specify conditions like, "anything that is unused for at least six months, or at least a year." I can now put unused rules into different categories. Something hasn't been used in a year is very low risk. If it was used two months ago, there's a higher risk if I disable it. So it helps reduce potential impact, which is a unique feature.

The most valuable feature is the reporting capability because everything that we do is a result of our being able to query a report, based on our environment and our PCI compliance efforts.

The current health and monitoring of the devices is atrocious. I know of several engineers within the company to whom I've mentioned this to and they say, "I know, I've been telling the devs that." They would back me up on my statement.

Here's the bad part, and it's hard to articulate without having like a visual that you and I are sharing. But imagine you have a list of 200 devices, and you can grade each of those devices as either green, yellow, or red. However, there might be three different reasons for you to go to red, or eight different reasons to go to yellow, and all of those things could be combined. As long as all of them are good, that's the only way that you're going to get green. Out of all those categories, I only find one or two of them that are, perhaps, pertinent. I only care if it's not communicating at all, or it hasn't communicated in the last 48 hours. If the last time that it pulled down information it took three minutes instead of one minute, I don't care about that. 

The way that the health and monitoring works right now is that for all these devices, instead of breaking out all those different things, or allowing me to judge what I think is pertinent or not, I have to see the lowest common denominator. I might have 40 percent of my devices saying that they're in a critical state, when in reality, according to my standards, maybe only five percent of them are. I don't have the time to sit here and click on a dropdown and dig into 100 different devices every day of the week. Essentially, because of the way it works right now, I don't resolve something until I've become personally aware that a firewall isn't communicating with FireMon at a given time.

It's not something that is optimized so that an engineer can run a report, take screenshots, and make a little run-book to hand over to level-two support and say, "Here, you guys do this every day as a repeatable process. Make sure that if we have any issues, we open tickets about them." Right now, the overhead of conducting a thorough day-to-day assay of the health of our environment would take several hours. Functionally and logistically, we just can't accomplish that goal right now.

The solution is stable. The main platform has gone through many iterations of version upgrades with no problems, no hitches. The devices themselves are very stable. The most frequent problem that we have is the loss of connectivity between firewalls and FireMon. That's more due to configuration changes on the firewall side, as opposed to anything that has to with the actual FireMon devices.

It's very scalable.

We have about 60 users configured and that's because everyone on both my team and the networking team has access to it. But we never have more than four concurrent users.

We intend to increase usage, but the goal is to move down the path of integration with our ticketing solution and the actual firewalls themselves. Right now they communicate, but they're not necessarily integrated. Once we achieve that, then instead of network engineers logging into firewalls to do firewall things, they'll be shoehorned into performing everything that they're doing now within FireMon - meaning Security Manager - rather than it being something they pull up whenever they have a use for it. The intent is to make it more of a foundational piece of our operational procedures.

Tech support is really good. If I've praised anything so far, as far as the vendor or the product goes, it would pale in comparison to how much I want to give credit to all of their tech support and their higher-level engineers, like the regional engineers and some of the folks back at headquarters. Whenever I call in and I say, "Hey, I need someone to walk me through this thing that I'm trying to do and I don't want to open up a ticket for it," at several different levels I've always received some of the best customer support and competent feedback, compared to any other solution that I've used.

I've been an engineer for about 15 years so I've owned a lot of technologies for different things in the security arena. I used to be a Cisco firewall admin. That's not necessarily a competitor, but I know what it's like to own IBM products, or Cisco products, or Check Point, or a whole wealth of smaller vendors. To put FireMon's support service on a pedestal, in comparison to everyone else, is pretty accurate as far as I'm concerned.

For this type of use, we did not have a previous solution. Another team already owned this product in our company and we assumed ownership of the product from them.

The initial setup was very straightforward. There are three different versions of the appliance that you can have, but they all come from the same ISO. They're just set up differently, depending on how you go through a configuration process. Everything is virtual. Even if I had to completely rebuild my entire infrastructure, it wouldn't take more than a day.

With all the processes and procedures around testing and only doing stuff during change windows, our original deployment took less than two weeks. For us, that is a pretty good turnaround time for deploying something, going through all the proper procedures and pre-requisites, validation tasks, etc. It wasn't a dedicated two weeks. I only have certain four-hour change windows for when I can accomplish tasks.

Our implementation strategy was that we sat down with a vendor engineer and we talked about how this needs to look. We took that and ran with it. It wasn't a run-book implementation strategy, no. But the vendor made sure that we were very clear on what we were building, how we were building it, how it all needed to talk to each other, and what access it needed to the rest of our network. It's simple enough that we didn't need more of a strategy, the kind you might need with a more complex infrastructure product.

In terms of the staff for maintenance and deployment, maintenance is a vague term. Let me give you two different answers. The actual maintenance of the solution really only occurs whenever the networking team has made a change on a reporting device, and I need them to make sure that they get it working with FireMon again; or, whenever we perform an upgrade. So that's a minimal amount of time, maybe five hours monthly. But, the whole job of one of my operations team's members is to review firewall changes, approve them, validate that they were done correctly, and to run reports monthly and quarterly against out compliance posture. All of that is done within the solution. There are some folks who spend 80 hours per paycheck inside of FireMon.

I, and another engineer from the networking side of the house, managed the deployment independently with FireMon technical support.

Even if it wasn't financially related, I don't have the background where I could authoritatively speak to you about any specific ROI. I can say that I'm sure it's paid for itself several times over, but I would actually have to have seen what a calendar year was like before and after having the product.

The best advice that I could give, honestly, would be not to look at a product for a short-term goal. Speak with the vendor about the maturity model that you want to go down and the roadmap that you have for your organization. They have a lot of different components and products that complement each other. I'm still waiting to do stuff now or next year that I wish I could have gotten funding for three years ago.

If you're going to engage and move forward with something, try to future-proof what you're signing yourself up for. Take into consideration where your roadmap is taking you. If there is something you know you're going to do in two years, and they have this other product that supports that effort and can provide greater ROI between now and then, go ahead and lump that into it.

As far as the solution's cloud support automation for public cloud platforms goes, I have used it and looked at it enough to ensure that it aligns with our roadmap. I feel it's there, but we're not currently utilizing the functionality. The solution would provide us with a single pane of glass for on-premise and cloud environments, but we're not using a production cloud environment at this time. However, I have made sure that whenever that does become a bigger footprint in our infrastructure, everything's going to be in place for us, as far as FireMon as a solution is concerned.

The solution provides us with the option to have comprehensive visibility of all devices, but a prerequisite to it being able to provide that information is that the owners of the solution have to optimize and educate FireMon. That has not necessarily been a high concern of ours. It hasn't been a primary responsibility over the years for me to take my network map and input it into the device. For me, it doesn't fulfill that function, but that's not necessarily a reflection of the tool's abilities.

In terms of using the solution to conduct a full inventory of our assets to secure everything, the Security Manager portion of it, alone, won't be able to perform that function. I think that there are a couple of other options that the vendor provides which address that need, but it's not something that we've invested in. Immediate Insight is the tool that associates itself with that kind of task. It's not something that we currently have the plugin for.

End-to-end change automation for the entire rule lifecycle is something we're moving towards. It is something we have on our roadmap and that we've worked out with the vendor, to make sure we'll be getting funding for that integration. Integration is required to create that full automation. FireMon does support that and it's something that we're actively pursuing, but we have not submitted funding for it yet.

I would certainly give it a nine out of ten because there's always room for improvement. Also, once I'm happy with a vendor, I'm not necessarily interested in whatever their competitors are doing. If I was sitting down with FireMon and all of their competitors every year, I might be able to say, "Hey, Tufin is doing this, why aren't you guys doing this?" But I don't do that. I would only feel comfortable giving a ten if I went through that process. I'm very happy with the solution for what it is, for how much it reduces my overhead, and how much it allows me to do things that, otherwise, I just wouldn't have the option of doing.

We use it for firewall management and security management, firewall health, and processing firewall change requests.

Firewalls are very complex, and FireMon allows us to identify a firewall rule that may have a lot of sources, destinations, and paths, and identify various high-risk ports and high-risk situations that either shouldn't be implemented or need to be rectified prior to implementation.

It has not really saved us time yet because there is still some pretty significant manual intervention involved. We haven't implemented it on all firewall types yet because we have hundreds and hundreds of firewalls that do different things and because different firewalls have different risk conditions. But for the ones we have implemented it on, while it doesn't really save time, per se, it does provide higher visibility into high-risk situations, which were very difficult to identify before. As a result, it has decreased risk.

The most valuable features are the security assessments and the ability to identify unused rules or objects. 

The real-time compliance management, in general, is also pretty good, as is the cleanup of firewall rules in a large, enterprise environment.

It doesn't yet handle our firewall brand very well and some of the complexities that exist in a very large organization like ours. For example, it doesn't handle network address translation very well for cleanup and it doesn't handle nested objects very well for cleanup. It does unused-firewall-rule cleanup pretty well, but we have had to do some extensive modification because it sometimes gave us false positives. It would identify a firewall rule as unused when it really wasn't unused, due to the nature of how Palo Alto works and how FireMon works. That has required some manual workarounds.

I also wouldn't say the solution automatically warns before new firewall rules, or changes to existing ones, violate compliance policies. Not totally. When a change request comes through, it runs through the FireMon process and if it is a high-risk situation, FireMon will flag it. It then requires manual intervention or manual evaluation or correction. Other than that, we work from a monthly audit report that runs to flag any rules that are high-risk. We want to streamline our operations and make them more effective and automated so that high-risk requests are filtered out and validated automatically or semi-automatically, prior to implementation.

We're working on automating the request process, but we're at a standstill right now because FireMon doesn't handle Palo Alto attributes very well yet. It's very Check Point-centric. We've had limited success with automating, as a result. They need to be able to handle Palo Alto firewalls better. For example, they don't do App-ID very well.

I have been using FireMon for almost two years.

We've had some stability issues in the past with FireMon. We still have a few that they say are fixed in version 9.5. But we can't run version 9.5 yet because they took out the SNMP management and our ability to remotely monitor our FireMon instance. As a result, we can't put that version into production yet. They're putting that ability back. That's a feature that we absolutely require. We're not the only ones that require It. In talking with them, a number of customers have complained about that.

We've had some issues with file systems filling up because it identifies unused or unlicensed firewalls and it adds them to the list. It's trying to pull unused firewalls and that is filling up the file system and crashing the system. It still does that on version 9.3, but they say it's fixed in version 9.5.

It's hard to scale FireMon. You have to add a lot more appliances or virtual machines to run the software and scale it appropriately. Because we're a worldwide organization, we've had to do a lot of that. We've had to split out our application servers and databases. We have three instances around the world and we're probably going to need to add more as we go forward, because it does have some limitations in how much it can process at any point in time.

It's also, in part, a Palo Alto issue because Palo Alto processing is very slow. So in the handoff between Palo Alto and FireMon, we've had some issues where FireMon doesn't always retrieve the configurations in a timely manner. When we run a report that is not necessarily running on the current data for all firewall rules, a firewall rule will suddenly be flagged as "not used," for example, when it really is used.

In general, their tech support is pretty good. 

I do have a concern with them, and I did express it to them already: Sometimes, it seems that when a new release comes out and changes take place, their development team doesn't always let the field support people know what the changes are. We have run into something on several occasions that caught the technical account manager off guard because he wasn't aware of it. It was only when we surfaced it that he realized it and said, "Oh yeah, that has changed and they never told me."

But generally, their technical support has been able to resolve issues. They're good, but I don't think they have enough expertise yet in Palo Alto.

Some of our requests are feature requests. We're working with them on a lot of those and they take more time. Some have to be put into a future release, and some are on their roadmap but haven't been pushed out yet. 

Positive

Before FireMon everything was manual.

Our initial setup of FireMon was pretty complex, but we're trying to simplify things by choosing where we start. We're starting with some of our simpler, more straightforward firewalls. We haven't even gotten to the complex ones yet. It's a very slow process.

We haven't calculated ROI but the return when it comes to value is getting there. FireMon doesn't scale well enough with the complexity of our Palo Alto environment yet. I think the value will get there. We're at about the midway point when it comes to value. On a scale of one to 10, we're at about a four or five. On the simple firewalls, it works pretty well. On the complex firewalls, it kind of works, but there are a lot of exceptions that it doesn't know about or can't handle, and that causes us to have to backtrack into a lot of manual work.

I don't see an issue with the pricing.

AlgoSec was one of the three other products we looked at. FireMon seemed to be a better fit for where we're going and what we're doing. It seemed to have more capabilities and features than some of the others did, features that fit our environment.

If a colleague at another company were to say to me that firewall policy cleanup and management is important, but it's just not a priority compared to other more urgent items, I would say that firewall cleanup is pretty subjective. We think it's important because if you don't clean things up it leaves potential holes where vulnerabilities can come into your network. I would tell them it ought to be a priority.

In a small organization, I think FireMon would be absolutely fantastic. Just be sure you do a good job of documenting your use cases in terms of the scalability you need, before you talk to FireMon. You need to be clear with FireMon about what kind of scale you need to be able to scale up to.

When you get into an organization like ours, with hundreds upon hundreds of firewalls for different purposes, our firewalls don't line up in a linear fashion. It's not a case of "more of the same, more of the same," when it comes to our firewalls. They all have their own risks and nuances, their own rule sets, and their own security implications. Our firewalls have multiple paths through them and FireMon falls short a little bit because it's not Palo Alto-centric.

I don't think FireMon has kept up with where Palo Alto is at. They started out being Check Point-centric for years and they've never really fully embraced the nuances others, like Palo Alto or Fortinet, have. They don't handle a lot of the capabilities and attributes that Palo Alto does yet. They're working on it. They're getting there.

We have an open issue list that we are working through with FireMon little by little, including things it doesn't do well. We meet with a technical account manager on a weekly basis. Of course, we're not their only customer, so we can't dictate what they do or don't do regarding Palo Alto, but we're making our concerns known.

We've had to customize a lot of the security. Their out-of-the-box risk situation was too restrictive in some areas and not restrictive enough in others. So we have had to tailor the risk conditions by firewall type and create custom risk reports by firewall type, because not all our firewalls are the same.

There are different groups within our organization that are plugging their routers into the FireMon solution. They have central monitoring and also a central repository, which allows them to look at all of the rule sets.

Basically, there are a few core sites that we plug into and we use FireMon to clean up the firewalls and help with any troubleshooting that comes up. It helps because it provides visibility into everything.

We are only using the Security Manager and we don't have any auditing on that.

When a rule comes in, we audit whether the rule is placed in the correct order and if it matches the request that came in. We do that after the fact.

Using FireMon has sped up our process a little bit.

We had a fairly big hiatus where we weren't really utilizing it to the degree that we wanted. This is because, after the upgrade, there were a few critical things that broke. We worked with FireMon to alleviate those issues and to get them fixed. Now, it's to the point where it was before the upgrade, and we're trying to utilize it more for what we need. This includes compliance, security checks, and a lot of cleaning up.

In terms of cleaning up firewall rules, FireMon helps in the sense that we can determine which rules are justified. One of my teammates actually created a script using the API to pull all the rules for a few of the core devices. Then, we give them to the respective group within the organization to look at and audit. This is something that is done on an annual basis. In that sense, we have started to utilize FireMon a lot, and it gives users a clean look at all of the firewall policies they have and provides them the opportunity to justify them. That helps cleanup because anything that's not justified or that needs to go, we can submit a request and get those taken care of.

For creating, approving, and deploying firewall rules, FireMon saves us time when it comes to the troubleshooting aspect. When there are issues with blocks that happen for users, or if they are trying to go from one end to another end, either outside the internet or internally, FireMon homes in and helps us. We use FireMon more for this, rather than to audit specific rules.

We are using it read-only right now, so it helps us to find the policy in question that could be the cause of the issue, but we alleviate it by submitting a request. There's a lengthy process for validating and verifying requests that come in, so the product doesn't save us time in this regard. We have the visual but then we tell the respective team to handle the writing on the device.

Using FireMon has decreased errors and misconfigurations that would have otherwise increased risk in our environment. I can't estimate an exact number but when we did the initial cleanup a year ago, on the core devices it helped us to eliminate rules that weren't really being used. It was between 300 and 400 rules per device, which is a significant amount.

FireMon has helped us to identify risks in the environment and to prioritize the fixes. This is mainly with some of the security blocking rules that we have, which are pretty intense. Firemon found issues where they were blocking too much or too little. It didn't have a very large impact on our security posture because we have other security tools that we're utilizing for intrusion detection, as well as other vulnerabilities. Because we're using it read-only, its primary use is as a monitoring solution. It doesn't do too much but does help with finding security issues before something goes wrong.

FireMon provides an automated way of figuring out which rules are redundant and which ones aren't used, based on the sys log data.

The SQL language is convenient to use. It allows us to process a bunch of criteria very quickly and narrows things down if there is an issue with the firewall. It's easy to do that with SQL queries.

One way FireMon could be improved is to open up a little bit. Our team is pretty Linux-savvy and when we're troubleshooting on our own, we're limited by the way the backend is locked down. For example, if we're running into issues with a device not being read properly into the system, we have to go offsite and this doesn't give us the answers we want. We have to wait to create a ticket.

I think that having a more open system and providing documentation for it would be helpful for users like us. We are pretty adept and can navigate through the Linux software that the on-premises FireMon is based on. It would help us in the long run.

Again, having a more open system that we can operate using our own scripting and automation would be useful. The API is there, which helps a lot, but a more open system would let us better dig into issues.

I have been using FireMon since I joined the company, approximately two years ago. The company had already been using it in production before that.

It's pretty stable. We do have false negatives about things going awry, but when we submit a CRQ, or submit a ticket to FireMon about it, they're usually aware of the problem. In some cases, we've had swap file issues, which goes into the yellow, and that's normal.

The on-premises deployment is pretty scalable. We have four or five collectors, which is a pretty decently sized deployment. Adding more connectors is just spinning up a new VM in most cases.

We don't have too many connected devices, although that is something that we're working on. It's part of the initiative. We're also looking into gathering information from AWS, the Amazon Web Services, although we're hitting a few roadblocks and we're working with FireMon about.

In that sense, in the way that we want to scale in the Amazon environment, we're just getting clarification from them about it. That's the only downside for scalability that we've found so far. It may be a non-issue but we're working with them to figure it out.

We use technical support pretty regularly and they are prompt. We have a point of contact, who is a project manager that is appointed to us from them. If we have any issues then we contact them directly, and they are pretty quick to respond and remediate any problems.

If it's a small issue, we submit a ticket and they get back to us within a few hours. 

I would rate the technical support a seven out of ten, as there are some areas that need improvement. For example, sometimes when we have a very detailed question, it takes them a bit to get back to us, rather than having knowledgeable people there. Usually, these are detailed questions that we have and we expect the technical resource to have the answers, or to get the answers very quickly.

We did not use another similar solution prior to this one. FireMon was purely stood up to clean up the firewall rules.

I was not with the company for the initial setup but it was pretty straightforward when we did the upgrade. There were no real issues in the process.

Initially, we did have some high-maintenance requirements for it. That was at a point when we were having issues with it. However, after those were fixed within the system, it's been pretty low-maintenance. It runs as it needs to.

FireMon can be used for real-time compliance management, and this is something that we're working on right now. We're working on doing a better job of creating our own custom compliances. The default ones are okay but we're trying to create our own compliance so that we can use that feature a little bit more. Right now, it's just sitting there with most of the defaults but that's one of the goals.

We do not have FireMon fully integrated with anything. It operates mainly in a standalone fashion. If we wanted to, it could be used with the other security appliances. They are also standalone and operate independently.

My advice for anybody who is considering FireMon is to check to make sure that FireMon is capable of pulling data from all of the devices. We have found some gaps in the support for some devices, and we've had to go back and forth for a custom device pack.  It is important to look at the environment to ensure that all of the necessary devices can be monitored.

If FireMon is being used but rule cleanup isn't a priority, then standing it up for the Security Manager and pulling data from all of the devices still allows you to clean things up when there is downtime. As long as the firewall rules are logged, then it should be left to run and collect data until it's a priority. When there is time for a cleanup, it will find the redundant rules, shadow rules, and rules that haven't been used for a while. The reporting functionality auto generates that information and it will provide a stepping stone for easier cleanup.

The capability is there with this product but it has to be refined. Most of the time when we try to add a new device, it should work but we run into issues. It's not hiccup-free. The software is getting there but for now, we run into issues too often.

I would rate this solution a five out of ten.

We are using FireMon Policy Planner because we have a lot of tickets every day, and we are trying to automate the resolution for each ticket. This is our primary use case.

We are not specifically using FireMon for compliance management at this point. However, we will be looking at using more of the features within the next year.

Using FireMon means that we can quickly implement new firewall rules.

FireMon provides the capability for automating firewall policy changes. This helps to reduce errors and overall expense, which are the most important things for our company right now.

Prior to using FireMon, we had to use another procedure that would check every rule that we created. Now, we don't need to do this anymore. Everything is done automatically.

By using the Policy Planner when we are going to create a new rule, it will stop us if there is a similar one that has already been created. Often, we don't have to create new objects because we can reuse the ones that are already in place for the firewall.

FireMon helps us to reduce our policy rule set by cleaning up unused and redundant rules. Prior to using FireMon, our firewall had approximately 10,000 rules. After the cleanup,  that was cut in half to approximately 5,000 rules.

Because we are using automation, FireMon has reduced the time it takes to create new rules in our firewalls. It used to take approximately 15 minutes to create a rule, whereas now, with FireMon, it takes about 7 minutes.

FireMon saves us time when it comes to changing firewall policy rules. On average, we receive 16 tickets per day that relate to changing policy. All of these are now handled by FireMon, which means that we can spend more time on other activities or different operations.

This solution has improved our security posture because before implementing it, we had firewall rules with many sources and destinations. As it is now, our ruleset is very fine-tuned. We have only the source or destination defined that we need.

The GUI is easy to use and makes it very easy to manage the platform.

The automation that the platform provides to create tickets reduces human error and more generally, reduces the operational overhead.

We have had some stability issues that are affecting operations. We rely heavily on this solution and if it isn't working then we have to create rules manually.

We have had some stability issues where the solution could not be used.

The technical support team is very good. When I have to call or create a support ticket, the response is very fast and they are always very helpful.

Prior to FireMon, we were using Tufin. We switched to FireMon because the support for Tufin is not good. When I created a ticket, their response time was very poor.

FireMon is working to integrate with different vendors and different solutions like Palo Alto and Check Point. Tufin does not have many options when it comes to working with other vendors.

It is very easy to set up and deploy this solution. It took perhaps one hour to complete.

I didn't have to use a professional service to create the environment. I received a couple of files and then deployed the product myself.

If I were explaining to a friend of mine at another company what the benefits of FireMon are, I would tell them that it integrates well with other vendors. It is easy to use, help is available by looking through the menus, and the support team is good. You don't need to hire a professional service to set it up and use it. Rather, management of this solution is very easy.

I would rate this solution a nine out of ten.

We have a two-server system, application and web, and we're using FireMon for our Palo Alto firewalls and their logs, to help us create rules. 

We're working on cleaning up our rules using FireMon as well, because we have a lot of live, open rules.

FireMon really helps save time with the reports that give you visibility into what's going on with your network. We were able to pull a report and give it to the networking team and they were able to remove those rules, as opposed to having to dig deep and spend hours on that.

It has also definitely helped decrease errors and misconfigurations. For example, we had certain rules that were overly permissive. We were able to redress those rules and make them more specific. We have seen at least a 10 percent reduction in misconfigurations.

I've been using the reports to see what is going on, and that is a helpful feature. We can track down unused rules, which helps with compliance. We can see rules that have not been used or that are duplicates or overly permissive. We can use FireMon to create reports and use that information to make changes within FireMon. I also like that we can track the kinds of changes that the network engineers are performing on the networks. We can run reports on that.

We have also set up alerts and reports that come into my inbox daily. That gives me a rundown of any changes that have occurred within the environment.

The solution has a good dashboard that gives you an overview of what's going on within your network in terms of compliance and the security index. The dashboard also gives you an outline of redundant and unused rules. You can run reports and make them a bit more targeted in terms of what you're looking for. That can help with the cleanup.

I've also dabbled in the Policy Analyzer to see what information I can get from that.

Some of the things that you want to do in FireMon are not exactly straightforward, like creating certain reports or controls. Some of the functions could be a little more user-friendly, such as creating certain filters.

For example, I was trying to do a traffic analysis and it can be a little tricky trying to change your firewalls on that profile. You almost have to create the entire thing over again. So there could be some enhancements in the user-friendliness.

I have been using FireMon for eight months.

FireMon is pretty stable. 

There has been one issue when I try to run reports. Sometimes it gives me an error and I have to reboot the web services. I'm not sure if that's unique to us or an ongoing issue. I've opened quite a few tickets with FireMon on that. 

Apart from that, it's pretty stable. It doesn't go down.

The support has been good. They have been slow to respond sometimes, but overall, it has been good.

Positive

Networking-wise, I used a number of different solutions, but I didn't use anything similar to FireMon before.

My advice would be to spend a good amount of time on the training videos. And if you can set up some sessions with your FireMon contact, that would also help. I do so many different things that I don't get enough time to spend on FireMon. I do use it pretty often, but maybe in terms of training, especially, there's a lot more I could gain from it, as opposed to just running reports. I could get into automation, for example.

In addition to what I've been using it for, I know there's a lot more within FireMon, like getting an understanding of your network topology, bringing many different points together, and analyzing the risk factors. FireMon also helps automate firewall policy changes across large, enterprise environments, but we don't have it set up to that yet.

Real-time compliance management is great. That's something that we are looking into and we have created some PCI rules. It's just a matter of learning how to make the reports. It's not very difficult at all.

The maintenance that we go through with FireMon is mainly upgrades. I'm the point of contact and we have a couple of networking guys who are hands-on as well.

Firewall policy cleanup is definitely a priority. If you have rules that are not properly configured or overly permissive, you open your environment to a lot of serious compromises.

We use it to go through unused rules, for cleaning up stuff. We have a bi-weekly meeting where we go through firewalls and look for any unused rules or any rules that are redundant and any high ports that are being used that we're not supposed to use. 

We want to eliminate all firewall rules that have FTP access on them. We don't want to use FTP any longer. With the help of FireMon, we were able to go in and check all the firewalls that have rules with FTP on them and we opened up a project with the network team so we could eliminate all those rules.

FireMon has been very helpful with closing visibility gaps we previously had. Since I got here, it has helped us dig into stuff. And whatever help we need, any projects we have that we haven't been able to figure out by ourselves, they have gone in and helped us out.

I called them once because I wanted to see if they had a report that I could run for rules that have not been used in 365 days. With their help, I was able to run that report and provide it to the network team so they could eliminate those rules that had not been hit in a year. The list I gave to the network team had 7,917 rules.

Finally, the solution has helped to reduce our overall audit time by about 50 percent. That's awesome.

I'm working mostly with the Security Manager part of FireMon. It gives me an eye on everything that's out there, everything that I cannot see. Because I'm not a network admin, I cannot go to a firewall itself, but at least I have FireMon so that I can go in and view everything that I want to view. And I can eliminate whatever I see that is wrong.

We also use FireMon to conduct a full inventory of our assets so that we can secure everything. For example, our parent company has three retail brands. The other day, my director asked me for an inventory of all brands: every firewall, Cisco device, whatever we are using, and to give him a break down. I was able to go to FireMon, grab everything, put it in an Excel sheet, and break it down by brand and by DMZ and PCI environment as well.

In addition, it's very easy to navigate. Very easy.

We're working on implementing FireMon with our ticketing system service now. Having that would be an improvement. I believe they said that they are working on that for the future. That would help us out a lot. For example, when somebody wants to open a request for a firewall change, we'll go through ServiceNow, and then go through FireMon, make the changes, and make sure everything is recorded, who did it, etc.

The stability is very good.

The scalability is great.

Technical support is very helpful. On a scale from one to ten, I give them a high ten. You can either use their User Center and open up a ticket via the web, they're pretty quick about it, or you can call them directly. They have a number to call their Help Desk and they pretty much pick up right away. 

They'll go into your machine right away if you need help. I have hardly escalated anything to a Level 2 or Level 3 because right away, whoever picks up the phone is knowledgeable and will resolve it.

I'm not sure if FireMon has saved us money, but I know it has saved time in cleaning up the whole company and has helped reduce all that ugliness that we had.

We pay on a yearly basis but my manager takes care of it. Regarding additional costs, if you want things like Policy Optimizer, extra features, that's extra.

Before the parent company bought us, we used to have another product - I don't want to say its name - but it wasn't like FireMon. FireMon is way out there. It has all these features. I'm still learning it and I have almost a year-and-a-half of experience using it. It just has a lot of stuff that my other tool did not have at all. There's so much visibility in it and stuff to play with that my other tool did not have. I really like FireMon.

One of the products I used was Tufin. It wasn't like anything like FireMon. You couldn't do the stuff you can do with FireMon, in terms of the Policy Planner option and the Policy Optimizer. All you could do in Tufin was view the rules, how many hits; basic stuff.

In terms of what I've used so far in my career, FireMon is one of the best. Try it out, it won't hurt. Give it a shot. It's the best, for me. It has everything that any company would need. It's easy to navigate, there is a lot of helpful stuff in their User Center, in their Knowledge Base. Everything's there. You don't really need to bother them a lot. If you want to know something, they have documents in their User Center. It's a very good product.

In terms of FireMon's cloud support automation for public cloud platforms, we did ask for that. We are actually going to the cloud in a few months. We just asked that question last week. They did say that they do support that, but that's all we've talked about in terms of cloud.

We use FireMon every day. And we have plans to increase usage. Where I came from, we only have regular firewalls in there right now. We're looking to implement our retail stores' firewall devices as well, which is about 200 stores. We're definitely going to implement that so we can see our retail stores' environments in it.

We do have Policy Planner, but I haven't started playing with it yet. We're also looking to get Policy Optimizer, but we still haven't gotten the license for it. Security Manager is the one I mostly play with.

When I came to this company, I have to say, they were very sloppy. That's why they gave me this role, to focus on stuff like this.  We have cleaned out a lot in a year-and-a-half and we're still cleaning. It's so big, so many firewalls out there.

We have the network team as read-only users. There are about six of them on that team. The network team members are the ones who handle the firewall; they're the ones that make the actual changes. So sometimes they go into FireMon and run reports to view things. I don't know what types of reports they run, but we gave them the read-only access for that. In addition, there are three admins: me, as an InfoSec ops technician, my coworker, and my manager. My director is also a user. For deployment and maintenance of FireMon, it's just me and my coworker.

I rate FireMon at ten out of ten. I am very happy with the tool.

We use it to capture logs and events from our enterprise firewalls, and we also collect configurations from those firewalls. Our main use case is for cleanup and hygiene of those firewalls, to make sure that all the rules that allow our systems to talk to each other are current and being used. And if they're not, then we clean those rules up.

We use it more on the reporting and logging side, rather than for actually making changes to our firewalls.

For our PCI compliance audit this year, it was a better tool for us, with better real-time capabilities and better formatting for the reports that we needed. It has definitely made things more efficient by having a single console. We can run all of our reports from it, whether it's for the PCI environment or things that extend beyond that environment. It's very simple to use and it saves us time.

The "wheelhouse" of FireMon, and why we bought it is the effect it has on the cleanup of firewall rules in a large environment. We've had rules out there that needed to be cleaned up for a couple of years and we just didn't have an elegant way to do that. The solution has really helped make things more efficient and easy for the implementing teams to consume. It's been great for that.

While we didn't buy some of the additional tools that allow us to implement changes, it saves us time in accurately creating, approving, and deploying firewall policy rules. We get more value out of being able to compare what was done versus what the team said they were going to do or what was approved.

It has also decreased errors and misconfigurations that increased risk. It's hard to quantify by how much, but we'll catch something that wasn't done quite right or as optimally as possible in 10 to 15 percent of the things that are implemented.

There are some built-in cleanup reports, out-of-the-box, and we like those. 

Also, the unused objects is another nice feature, where it digs a little bit deeper into comparing the logs that it sees versus the configurations that it sees. As an example, a firewall rule deck could be very complex and might have hundreds of objects. The unused objects feature will go through in a pretty detailed way and show us which ones aren't being used. Or, if they are used, it will show us how often they're used. 

Both those are geared toward cleanup and hygiene of the environment.

It's also good when it comes to real-time compliance management. We used it for our PCI audit this year. It's a situation where we have to prove to our auditors that all the communications that are coming in and out of particular systems, and that process cardholder data, are current, and that we have the documentation, descriptions, and the rules. It's been extremely helpful for that. We used some other tools in the past, but this one is far superior.

In addition, in terms of when new firewall rules and changes to existing ones violate compliance, the way we have it set up, FireMon automatically warns us when they're deployed. We look at those and we compare them with what we have approved for changes to the environment and it's very helpful for us.

To my knowledge, there's no cloud component to FireMon whatsoever. We're on the hook for any updates to versioning of the operating system or the application that runs on the operating system. It would be nice if it was a little bit more automated. We've got a small team and every time a new version is released, we have to go back and relearn the commands and how to verify that things were done correctly. That's the one pain point for me: It takes quite a bit of hand-holding, in terms of system administration from our server and infrastructure teams.

We implemented FireMon about six months ago.  

We haven't had any problems since the deployment. Things have been running fast and efficiently.

We're a pretty small shop, so I don't know how it would scale for a Fortune 100-sized company. Based on the feedback I've had, it's been great. We haven't had any problems with capacity or what we have needed to do.

We have 10 people using it who are system admins, network admins, and security analysts. I wouldn't say we use it extensively. It's something that any given person probably uses once a week.

It's possible that we would purchase some other modules that could give us a little bit more insight into the implementation and the planning side of things. But we like what we have for now. We don't have any direct plans to purchase more.

Initially, we had contact with their technical support, but things have been smooth for the last few months. We haven't had to reach out lately.

I don't remember the specific issue that we had, but it seems that they were on the ball. They responded right away and got us what we needed. My overall impression of their support organization is good. We've had limited involvement with them, but from my experience, it's been great.

Positive

We used Tufin. When we looked at FireMon we liked it from a price standpoint; it was better. We asked some peers about it through the reseller that we bought it through and got very good feedback. Those were the two main factors.

The initial setup was pretty straightforward for the most part. We had some hiccups and some bumps with some of the more detailed configurations, but overall, it was pretty simple to set up, get it running, and collecting logs and configurations. It took us about four hours over the span of two weeks.

We used FireMon paid services to help us implement it. They were great.

It's hard to quantify ROI with FireMon, but it's definitely valuable. How do you quantify a missed cyber security incident?

It's a good value. 

From a licensing standpoint, our only limitation is the number of devices that we manage. Our environment is small. We have fewer than 20 enterprise firewalls, meaning it's hard to say what it would look like at a company that has thousands and thousands of enterprise firewalls. But from our standpoint, it's very simple to understand, and gives us a good bang for the buck.

There are some hardware components involved in the cost, but in general, it's pretty straightforward. There are no hidden fees or adjacent costs that we weren't aware of going in.

We looked at Tufin's comparable product. We were using an older platform of theirs so we looked at their new platform and we looked at FireMon's and we decided on FireMon.

Make sure that you've got somebody from your non-cyber-security teams, somebody from one of the other IT teams, such as infrastructure, servers, or networks, who understands and who does really good documentation around the initial setup. Our cyber security or information security team is the one that uses it mostly, but we do need assistance from the other team. Make sure that you have stakeholders from other groups, even though they're not going to be the primary users.

The idea that firewall policy rule cleanup and management is important, but it's just not a priority compared to other more urgent items, is a pretty tough statement to make, especially in a regulated environment or if any sort of compliance is needed. It's just not really a valid statement. If someone said that, I would ask them to go back and make sure that they're following all the rules of the road.

It comes down to what your priorities are and what's important. Most regulations have some sort of a component around zoning and limiting communications between different systems. It's of utmost importance if you think about it from a compliance standpoint.

We use FireMon for monitoring, reporting, and logging purposes.

FireMon's real-time compliance management is good.

The ability to evaluate the overall security measures of our organization is beneficial. However, not essential for small to medium-sized companies like ours. These features are also provided by OEMs. For example, Palo Alto and other firewall solutions offer similar features on their devices. This includes the ability to identify unused or excessively permissive rules.

Generating compliance reports is a straightforward process. These are auto-generated reports that are produced once we forward our traffic to the SIEM devices. The devices automatically generate standard compliance reports that we can customize if necessary. This feature is advantageous because it saves time and ensures that the necessary reports are generated.

FireMon can help organizations automate firewall policy changes across large multi-vendor enterprise environments.

FireMon can impact the cleanup of firewall rules in a large enterprise environment. With FireMon, it is possible to view shared rules and assign tasks to different users within our team. Additionally, tagging is available which allows us to easily revisit and save alerts on these rules. This feature is particularly useful for large organizations.

FireMon helps save us significant time by accurately creating, approving, and deploying firewall policy rules and eliminating duplicate rules.

FireMon helps us identify errors in misconfigured policies by displaying the errors in the dashboard allowing us to remove those rules.

The most valuable feature of FireMon is its ability to configure multiple devices and consolidate them into a single desktop, which allows us to manage all of our security devices, such as Palo Alto and Zscaler, from one place.

The training for configuring new users or operators is confusing because the UI is not user-friendly and has room for improvement.

The technical support team's responsiveness needs improvement.

I have been using FireMon for one year.

FireMon is extremely stable with zero downtime.

FireMon is scalable. The scalability is based on the number of licenses.

The technical support team is not promptly addressing any issues. As a result, it can take some time to have the tech engineers available when we require features to be enabled or configurations to be updated.

Neutral

FireMon's initial setup is straightforward. Three individuals from our team and one engineer from FireMon's team participated in the deployment.

The implementation was completed by the professional services team.

I give FireMon a nine out of ten.

I recommend that prospective users thoroughly familiarize themselves with all the features and capabilities of FireMon before configuring it. This will help ensure that no features are overlooked and that all features are utilized correctly.

Firewall policy rule cleanup and management should be a top priority for all organizations. Improper configuration of these rules can pose a significant security risk. It is crucial to have knowledge of the allowed traffic, necessary policies, and unnecessary policies. Additionally, it is essential to monitor web traffic and accessed web port applications within the organization, including which users are accessing them. Configuring policies correctly is crucial to gaining control over malicious activity and user access.