FireMon Security Manager Reviews

FireMon has served as a change monitoring and notification tool for a number of years, but recently we’ve decided to utilize the policy review capabilities to automate our periodic firewall rule review process.

Our primary use case for Firemon initially was to perform change notification for our ASA firewalls. This was the case for about 5 years.

With the introduction of version 8, we decided to reconsider other capabilities of Firemon – specifically the policy review reports that show unused or duplicative policy rules. We intend to use these features to automate our firewall policy review process.

Instead of having to utilize a manual review process, we can automate most of the process. Change notifications for our ASA firewalls that do not have built in change notification is also automated for us.

7 years.

Yes, after an upgrade to version 8 from version 7, we experienced several issues with the Data Collector component. They were all resolved pretty quickly by FireMon support.

No.

FireMon’s technical support is capable and responsive. I’ve had no issues with getting the right resources engaged when I need them.

No.

The upgrade from version 7 to version 8 seemed to be unnecessarily complicated, so we opted to to a clean install on version 8, and have had no issues with using this approach. In fact, it helped us clean up our installation.

Understand that the licensing exercise, is intended to right size the costs to your actual firewall models, but that Firemon v8 does not make a distinction between firewall models in the tool itself.

No other solutions were considered.

Perform the installation and utilize FireMon support to optimize the installation. Perform a post installation review of the configuration a couple of months after it’s implemented and running so that you can decide what features to use, which are useful. There are a lot of built in features that aren’t apparent until you get the whole system set up, all of your devices discovered, and the system collects information for a few weeks.

The primary use case is optimizing firewall rules.

The firewall administrators have gained time back by using this tool, simplifying the firewall rule set. The solution helps to clean up rules which have not been reviewed in several years.

It gives us the ability to go to one place to look for potential firewall rules that are inappropriate, or which don't meet compliance. Instead of manually searching hundreds of firewalls for a policy, we can go to this one location and find the rules which are now out of compliance.

The policy overview is the most valuable feature for each of the firewalls that we manage right now, as it reduces the complexity of the firewall rule set.

The AWS integration is still not mature for us to use. It is just not ready for our use case for AWS connectivity. Therefore, it does not provide us with a single pane of glass for our cloud environments, because we can't manage our cloud environment with the tool.

The map needs improvement in our network. The tool should be able to map out the path of flow from one firewall through our network. However, it does not understand our routing environment, so it cannot do that for us.

We would like it if this solution could provided us with end-to-end change automation for the entire rule lifecycle, but the map feature cannot support our environment, for now.

It is stable, which is acceptable. I don't have any negatives with it. This is not a concern of mine, as we don't have any issues with stability.

We have probably one full-time equivalent managing the tool right now. Our ultimate end goal, that I am envisioning, is that we would need more support to manage the tool.

All the vendors in this space seem to overpromise and underdeliver on scalability. They all claim they scale the best, but none of them really do. This is an area that could be improved. It is the same with high availability. High availability for geographic separation is also an area that could be improved.

Right now, at this stage, only our firewall admins are using it. This is a team of about 20.

The technical support has been very responsive. They have helped us with all of the issues that we have encountered.

We didn't use a previous solution.

The initial setup was straightforward. The wizard was easy to use. So, the initial installation of the tool was easy. However, when you get back into configuring the details for the map to obtain that single pane of glass view for the entire network, it was not well thought out and it could use improvement.

I would still consider us in an early phase of deployment, even though we've been using it for two years. We don't have all the firewalls licensed, so they are not all being managed by the tool. I would say we're still not done deploying it. We're still waiting on features to be developed by FireMon, so we can use it in our environment.

Our implementation strategy was to license the high value firewalls first, trying to start getting them managed by the tool, then we were hoping to do an initial pilot for firewall rule change management. However, we were never able to get to that step because the tool can't manage our network, or doesn't understand our network.

We used FireMon Professional Services.

We have not met a return on investment with this tool yet.

For the firewalls that we manage, it does help reduce our overall audit time.

We don't license all of the devices in our network, so it does not provide us with a comprehensive visibility of all devices in a hybrid network at this time.

I'm not involved in our licensing costs, but I do know that FireMon has a wide variety of different licensing options.

During our proof of concept phase, we also evaluated Tufin, AlgoSec, and Skybox. We chose FireMon based on a few different things, but the main one was that they were a US-based vendor and the others were Israeli.

Each deployment scenario will be unique. A robust proof of concept is key to make sure it will meet all of your intended use cases.

The solution is managing 25 percent of our firewalls right now. We probably won't increase usage until we can get the required features for firewall change rule management to work correctly. We probably will not increase usage until that works.

I would rate it as a six (out of ten). We need the end-to-end mapping feature working to make it a ten. That is just our next phase. I don't know what other problems that we will run into. There is a lot to deploy before we can give all the details of what we need to make it a ten. There is integration with ServiceNow and some of our other tools. We have to make sure all that is working before we could give it a ten.

Policy test, access path analysis, and change reports.

Policy test and access path analysis tools in Security Manager enable me to find existing firewall policies quickly across the enterprise, troubleshoot, or to help choose the optimal path for proposed rules. Change reports on the device dashboard show us at a glance what was changed in a particular firewall config, by date, so we can easily troubleshoot problems with implementation.

It streamlined the firewall policy change management process by having all firewalls managed in one tool, and a workflow customized to our needs.

Policy Planner requirements section is good, but could use some improvement to allow flexibility to enter different types of requests (modifying an existing policy, object or service group, for example) in a structured task format that can be auto-verified.

4 years

No issues with stability.

No…we easily added a second data collector when needed.

Excellent.

Excellent--tech support engineers go above and beyond to answer questions and resolve issues.

We previously used separate database applications to route change requests for approval, and did not have a tool likeSecurity Managerwith visibility into all the firewall configs and activity.

Infrastructure was simple to set up, but custom workflow was complex, due to customer regulatory environment necessitating a lot of customization. FireMon Professional Services was able to accommodate, though.

In-house project management and equipment configuration; vendor install in the data centers; Firemon Professional Services for extensive custom workflow development.

Pricing model seems fair. Make sure to separate active versus inactive devices, and primary versus standby in HA pairs, as there is a significant cost savings for licensing; licenses on the applications are perpetual.

Customer evaluated other products, but chose FireMon due to its features and rating on Gartner.

Review your current operational requirements and processes well, and determine what can change, internally, to take full advantage of the standard FireMon processes.

Although we have a very mature infrastructure, one of the thorns that come with that maturity is developing policies and processes to support that infrastructure.

This solution assists us in our ability to review and validate firewall rule changes and implementations across a wide audience of users.

Here are some of the ways change management has improved our organization:

• Ensures that proper change controls were enforced.
• Engineers can check if a change was implemented properly.
• Compliance can easily monitor the environment for potential PCI concerns.
• We can heavily leverage the solution for firewall remediation.
• We can pull policy reports from various technologies.
• We can standardize those reports for analysis.
• When we make changes in our environment, we can run usage reports to gauge impact before we make permanent changes to our rules.

With fifteen years as a security administrator, I have used few solutions that are as polished as Security Manager. That being said, every solution has room for improvement.

I would like to see the ability to export reports to .xls. This would help me for the following reasons:

• It would allow for greater data manipulation.
• When I run a report, I have the option of saving or exporting that report as .html or .pdf. As someone who catalogs much of their work in .xls, it would be convenient if I were able to export a policy report to .xls.
• This would allow me to manipulate the data better.
• I would no longer need to copy and paste from the .html to .xls and clean up the information.

I used version 7 for several years. We have upgraded to version 8, and we have been using that version for the last three months.

There have been no stability issues so far.

There were absolutely no scalability issues.

Technical support has been amazing. I would give them a rating of 10/10, an A+, and I would buy from them again.

In this environment, there were no previous solutions.

I have used other solutions at previous jobs. However, this is a solution I would like to bring with me if I ever ended up elsewhere in the future.

The initial setup using VMs was rather straightforward. The use of VM images sped up the process greatly. Professional services added a great deal of value in optimizing the environment.

Much of this information is not applicable to me based on my relationship with the product.

That being said, the ROI for securing dedicated professional services (vendor support) is amazing. It is relatively inexpensive, very customizable, and is a great help when approaching projects with the solution.

Consider investing in the policy planner. Further integration with a ticketing solution is on our roadmap. I certainly wish it was something we pulled the trigger on years ago.

We use it for firewall cleanup, redundant rule removal, and unused rule removal.

We are using the solution to identify anything that might have overly permissive rules or things outside of PCI compliance. We use it to proactively find those kinds of issues. There's more we could be doing with it for sure, we just haven't had the time yet.

We currently have it covering every single firewall we have, which is a lot. There are potential plans to add routers and switches into it again, or even start adding in hybrid cloud solutions, things like that, that we won't be able to see. Honestly, we won't have a single pane of glass without FireMon, so we do have intentions of deploying it at a larger scale, and actually turning on some of those features which we don't use today.

We have some really complex firewalls out there, a lot of rules - too many rules. It's to the point where the firewalls become physically unhealthy. The config is so large that the hardware can't keep up. FireMon allows us not only to very easily identify those firewalls that might be getting overly complicated, but it also allows us to easily remediate those complications. It's probably saved us a lot of downtime that could have resulted from firewall issues caused by the config.

It helps close a visibility gap we previously had. For example, Cisco's primary firewall management tool, either using command-line or GUI, does not cover all the appliances at once. You have to go in one-by-one. FireMon is able to see across every appliance, in a single view and that makes it easier to manage things.

In addition, it reduces our overall audit time. I don't deal enough with the audit side of the house to know by how much it has been reduced.

I have found the reporting on unused rules and redundant rules to be the most useful to me. We run those reports and then we can come back and fix things that are bad.

And overall, the reporting mechanism for anything is pretty good. We use it to baseline, to make sure our configs are accurate across all of our devices.

It provides us with a single pane of glass for our on-prem environment, to see configuration. We have not implemented into the cloud yet. We can search for an object group and see where it lives on any firewall in the enterprise, or find security rules no matter what firewall they're on. We don't use the automation feature, which means we don't do a deployment of any changes, so we don't yet have a single pane for deploying all policies. We know it's capable, it's just that we don't have that function on.

Some of the core functionality in our environment doesn't seem to work. We will get buggy code releases. They need to work on their Q&A of every code release. Too many bugs pop up between releases, and that's where I would like to see the most improvement.

It's recently become much more stable. We had an undersized box, and FireMon actually gave us a very much bigger server for free, which was very good of them to do. It brought our stability to about 99-percent-up.

It's highly scalable, as long as you have servers. You can scale it to pretty much anything. We've had thousands of devices in it.

There front-end technical support is really good, very responsive. To me, it takes a little bit too much time to resolve some issues, but that's to do with their development team, so I don't know if that should get lumped in with support or not. But the time to resolve problems that we identify is something of an issue. I'd give tech support a six out of ten.

We did not have a previous solution.

The initial setup was on version 7, which is a totally different ballgame, but the setup of both versions 7 and 8 were straightforward enough for me. I can't imagine something being much easier. It required minimal configuration and the documentation was excellent on how to set it up on your own. It's just easy.

A single-server deployment wouldn't have taken more than a day or two. We did multiple virtuals so we got slowed down by our virtual team building the servers. As a result, it probably took a few weeks. But that was not because of the product, it was because of our own internal teams.

Our implementation strategy was just to get the system up and running and onboard all of our firewalls into it.

I deployed it mostly by myself.

In my opinion, we have seen ROI. We're able to share data that other groups need, by harvesting it out of FireMon, which is extremely powerful. Another group can look up their own NAT, for instance, even if they're not very savvy. It has helped reduce a lot of casework that was coming into our queue, that was along the lines of, "Hey, what NAT does this belong to?" 

Going back to the complex rules, it has literally prevented devices from falling over and dying. It's maintained uptime, which is invaluable when you're dealing with millions of customers connecting through one firewall.

Our licensing is done yearly. There are different levels of support to pay for, but there are no hidden fees. The pricing is very good, very straightforward. It also came in cheaper than AlgoSec and Tufin.

We demoed and looked at other solutions but we did not implement any. AlgoSec and Tufin were the two main solutions that we checked first.

In the end, it really came down to the support. FireMon is more attentive than these very large companies, and we needed that attention. Their attention to our needs is what sold us on the product.

Make sure that you get the correct hardware for whatever size environment you have.

End-to-end change automation for the entire rule lifecycle is not something we're using yet. It's something that I'm looking to get a beta for.

There are about 20 people currently using the solution. However, the functionality allows us to extend the information that FireMon can gather out to hundreds of people, if not more. In some ways, there are hundreds consuming the information that FireMon gathers, and using it in some way. Network security engineers are the primary consumers, and network engineers are another consumer. In addition, anything related to our audit teams means those guys consume the data.

Two people could do deployment and maintenance, although I tend to do it by myself.

I'd put FireMon at an eight out of ten right now. To me, ten is something you only get if have no bugs or have very few bugs, and everything works perfectly. If you want a ten you've got to be perfect. I don't think any product would get a ten from me.

The security policy manager: We run reports regularly for the customer to show unused tools and unused objects, and to clean up the firewall policy.

Our firewall policies - we work under the standard ITIL framework - and project managers are very good at adding rules to allow their projects to work. However, they're not so good at coming back when the project is finished or the solution has been terminated and cleaning up the rubbish. So, if we don't use this product, we end up with thousands and thousands and thousands of rules, most of which aren't used.

I basically came on board to do the upgrade, which I've done. So, in the old product, we were able to get things out of the CSV file format and that allows you to then manipulate it, but now it's PDF mainly. Beforehand, we were able to take it into CSV and manipulate it in Excel, but now we can't do that anymore. A revert back on this would be good.

Overall, the product seems pretty good, but the fact that we've taken the CSV out now, that seems to me to be like a step backwards. They should be adding functionality, not taking it away.

I only started using it literally about four months ago.

We haven't had any issues with stability yet. Well, we did during the upgrade, to be honest. So, when we did the upgrade, we had to get new versions written for us so that the upgrade worked. It didn't work just off the bat, but once we had that done, it worked fine.

We haven't had any issues with scalability as we're not using that many devices reporting to it, so we haven't had any problems with scalability at all.

I would rate technical support at around 7/10. I mean the reason for giving it a seven is the guy we spoke to over in Germany. He was quite good, but the problem was that it had to go back to the development team, which took a long time to get resolved.

So, basically what happened was, we raised a fault, we went through the upgrade with them and we were able to go to a particular version, as we were running a really old version; version six. We went to version seven but then stopped accessing the system. We then said to them, 'Well, how do we get to version eight?' The upgrade ping didn't seem to work. So they then had to go off and write us a new thing, but all that took months. Three months, four months and we were without access to that system for a long time.

I don't think we used anything beforehand.

I think there has been an evaluation, but I wasn't party to it.

I don't know what advice I would give to others. We are having a lot of problems with the licensing, to be honest. So, there's an issue with the UK and US date format.

When we renew our licenses, I don't know whether it's through our distributor or whatever, but they keep changing the format. In the American date format, you put the month first, then the date, then the year. In the UK we put the day first, then the month, then the year, and they keep flipping the dates over so we lose about three or four months on the licensing every time. We have to go back to our salesperson to get that fixed.

Also, when we did the upgrade, for some reason, we had enough licenses to start with but after the upgrade, we didn't. So, we didn't add any new devices, and we've got a thing in with the salesperson to find out why; what's changed there.

The most valuable feature is security management because it allows us to look inside the firewall and see things that the firewall doesn't report. For some of the things the firewall applications lack, we're able to gain insight with the FireMon appliance, as well as having one platform that looks into different vendors of firewalls. That's really important for us.

For me, specifically, I use it for a lot of firewall migrations. We can see rule usage. On a project that I was on, we saw the rules on the migration. We pulled the rules out that weren't being used, and then we could take rules that were overlapping, join those together and make it more efficient.

One area with room for improvement for me is doing the updates. We have to download it from User Center and then put it unto the machine through FTP, or something like that. I would rather just go to the GUI and hit the Update button, and it goes out and gets the update itself. Because these files are large and sometimes the transfers don't go through, the only way that we're able to do it right now is through FTP. That means we have to have CLI access, which sometimes we don't really want to do. I'd rather just go to the update screen, hit Download the Update, and then be able to reboot it and have it go to all of the data collectors, and transfer that file over there automatically. Right now, it's a process and it takes a lot of time.

It's more complex as opposed to being user friendly. It also depends on your level of knowledge on what to do. Some people may not know to do it, and there are some commands in there. If you don't have support, if you haven't read the entire admin guide, you wouldn't know.

I have used it for eight years.

It crashed one time but that's because of a design issue on our part. It's not something that, I think, was on FireMon's part. We need to offload the storage, and our hard drives are filling up, so that causes problems with our servers, but as far as FireMon, I haven't really had a problem with FireMon crashing on its own.

The only scalability problem is having an offloaded log collector, because we do send a lot of logs. We have our own servers that do the log collection and we need to make backups of that. As far as that’s concerned, no, we haven't had any issues with scalability. We can expand much further than what we have.

We've had the FireMon product for eight years. I've only been directly involved with it for the past year. I generally don't call tech support, I usually contact my SE because we're still in the process of these huge migrations, so I talk to my SE a lot. I have contacted support once and they were very helpful, so I would probably rate it 9-10/10 because they know exactly what they're doing.

We did not previously use a different solution, that I know of. I’ve been with my current organization for almost three years and it's always been FireMon, so I don't know. I wasn't a part of that decision-making process.

At the end of last year, we reevaluated which products we wanted to continue going with based on budgets. We reviewed Skybox, Tufin, AlgoSec, and FireMon.

Don't be scared to contact the SE. My SE and I have a very good relationship and we bounce ideas off each other. Leverage your resources. It's not really a complex product to deploy.

Use the User Center. There's a lot of great info there and a lot of your questions can be answered in the User Center.

General recommendations: Make sure that the firewalls you have are supported. Make sure you know how many firewalls you have.

Go with the mindset of what you want to do; general project management-type stuff.

Everything's working fine. The only thing is the automated updates. I’m not giving it a perfect rating because of the usability of the updates. That's my biggest thing that they need to work on.

It's been working very well for us. We’ve got everything we need. We have several groups using it that like it.

We only have security management. 

It was deployed on-prem. It used to be on the hardware, and there used to be an appliance, but we have switched to a virtual server. We are now on a VM.

It is a good product. Previously, we were using only spreadsheets to compare the usage, but now with FireMon, we are able to clean up or review the policies to some extent. It is still a work in progress, but we are at a good stage now.

Its reporting can be improved. I am the only one who works a lot with it, and I am having problems in terms of reporting. In the case of Palo Alto, I'm okay with it, but with some of the Cisco devices, such as routers, when I provide the reports to other teams for review, they always say that the hit count is incorrect. So, I was struggling for a long time to work with them. When working with other teams, they have a lot of questions about reporting, such as how it reports, and we are still struggling with that.

I have been using this solution for more than five years.

It has been stable until this year when we had three weeks of downtime. We had an issue with data collectors, and they couldn't figure out what the issue was. They were troubleshooting for more than two weeks. It was up and down. It was probably related to the hardware because since we have moved to the virtual machine, we haven't had that issue.

It is a capable solution. We are in the process of buying more licenses and adding more virtual machines. We started with 20 licenses, and now, we have more than 60 licenses.

Their support is nice. They are very good.

I am not aware of any previous solution.

I wasn't there when they installed it.

It is a very good product. I always tell others to have FireMon people come and give a demo. I encourage people to try it out. We only have security management, but it is really a good product. I have attended a couple of their webinars, and they have a lot more features for more usage and value. It is a capable product. If our company had sent us for training and we had got to know more about the product, it wouldn't have been so hard.

To a colleague at another company who says that firewall policy rule clean-up and management is important, but it is just not a priority compared to other more urgent items, I would say that it is very important. Sometimes, a firewall is created temporarily, and if you don't know, you will forget. So, the usage and hit count information is very important.

In terms of compliance reporting, we have set it up for compliance reports such as PCI, but we didn't use it that much. Similarly, in terms of identifying the risks in our environment, it does show the changes, but we aren't yet able to prioritize them.

It is helpful in automating firewall policy changes across large multi-vendor enterprise environments, but we only have two vendors. We were earlier using it only for the Cisco environment, and now, we are using it for Cisco and Palo Alto. We will probably use it for the core environment. Overall, it notifies you, but we are still not using it that much.

In terms of the clean-up of firewall rules in a large enterprise environment, it didn't affect us, and that's because we are not doing it in the right way. We probably need somebody to help us on that one because we gave them the report, but they haven't cleaned it up. For Panorama, they use their own reporting, and we have to correlate them. One thing about Panorama is that if you have a rule from 20 years ago, and somebody is still modifying it, it doesn't update the new person's name. It doesn't ask you to put any change number. I know FireMon is only pulling the data, and it is not pushing the data, but I wish that it was pulling the changed data. The last time when I talked to FireMon, they said that they are just pulling the data. They don't go and push any data. For that reason, we don't have that much data. So, we have a report, but we haven't used it much for clean-up. We should use it in the future more. We also haven't used it to create a lot of policies.

I would rate it a seven out of 10.