Buyer's Guide
Firewall Security Management
September 2022
Get our free report covering AlgoSec, FireMon, Tufin, and other competitors of ManageEngine Firewall Analyzer. Updated: September 2022.
634,550 professionals have used our research since 2012.


Jeff Reese - PeerSpot reviewer
Senior Manager, Firewall and Incident Response at Aprio LLP
Real User
Makes compliance much easier compared to doing it manually, and automates policy changes across environments
Pros and Cons
  • "In one report, FireMon tells us there are, say, 1,000 rules that can be taken out and it gives us the ability to disable those for a year and to track when we made our changes. After a year, we can go back and eliminate the rules, to bring the configuration down to an almost human-readable level."
  • "When it comes to documentation, they need to start putting together a basic command manual. With Cisco, you can look up a command and it gives you examples of three or four different ways that command can be used. It tells you how to put it into the GUI and the CLI. FireMon does need to start doing that."

What is our primary use case?

We're an MSSP, so we put FireMon on our customer sites to monitor their security devices.

How has it helped my organization?

It's so quick at finding redundant and shadowed rules. I used to have to do that and I would have to yell at people to stop bothering me because I needed my complete concentration to do it. And there was still human error. FireMon saves all that time and eliminates that human error.

Also, in terms of our compliance reporting process, they would give us a week and we'd pull all the configurations of all the firewalls and send them off to someone like me who would go through them and say, "Hey, this is not good. Take a close look at this. Why is it any-any?" People would have to go back and look at the firewalls to see if that was a business risk or not and, if it was, have the company sign off on it as a business risk. That would actually take up to about six months of going back and forth, giving people weeks at a time to respond.

With FireMon Security Manager, I can create a report and send it off to the customer and say, "Here are the 98 rules that put you at high risk. Are these needed?" They look at them and say, "Oh no, that application is gone, you can get rid of that." Or they say, "Yep, this is an acceptable risk." I then say, "Okay, I'm going to be back in a year," and I mark it as "acceptable risk, by so and so." A year later I can go back and say, "Is this still an acceptable risk to you?" It makes our compliance so much easier when compared to having to do it manually. I would recommend everybody get this tool just for that aspect.

A module that we have to pay for, because we're using FireMon Security Manager, helps automate firewall policy changes across large, multi-vendor enterprise environments, and it's the only solution that does that. The rest of them are so labor-intensive that this would probably save 70 percent of that work time. It enables us to make changes company-wide. Suppose one of our clients has 60 firewalls. We can do a company-wide firewall update within about two hours if they have multiple brands of firewalls. We can do it in about 30 minutes if they only have one brand. When we had a person logging in to manually do it, it would take them at least a day for 60 firewalls. Now, if it's Palo Alto, we can do it in half an hour. If it's Fortinet, it can take us an hour and a half.

We have about 20 customers and we're saving at least a day of time for each one of those customers. Within one day, we can do what we used to do in two weeks. That's very significant because we were looking at hiring more people. FireMon has reduced the need for that. As our people become more and more efficient, we can actually have more and more customers without having to increase our labor force.

The solution can also talk across on-premises, cloud, hybrid, SASE, and SD-WAN environments. You need the path. Once you have the path, which most of the time is going to be a VPN tunnel if it's over an untrusted area, you can do anything. That makes it one pane of glass. For example, in the past, if it was on-prem and in the cloud, I would have to do an on-prem pane of glass and a cloud pane of glass. Now I can do it in one pane of glass and it's less labor-intensive and much faster.

You can even automate the cleanup of firewall rules in a large, enterprise environment. That's the nice part about it. You can say, "Here are 100 rules I want you to disable," put in the IP addresses, hit enter, and it pushes that out to the 60 firewalls. It takes time, but you walk away. You've saved tons of time while it's doing the process for you through automation. I can't see working on more than one firewall without having this tool.

If you make a mistake on one IP address, and you push it out to 60 firewalls, instead of bringing one down, you could bring them all down. You measure twice and cut once. You verify, you make sure you have the stuff in there. Then you have a second person to look at it and, when you both agree, you hit enter and you know you're not going to bring the system down. That actually takes a little bit more time because it's a two-person activity where it used to be just one. We used to bring down a firewall once a month and now we don't do that. We're saving at least one outage day and then another day of apologizing.

What is most valuable?

People have a tendency to just add rules to firewalls, but they don't go back and take rules away. Some of our customers have thousands of unused rules that have been sitting out there for over a year. In one report, FireMon tells us there are, say, 1,000 rules that can be taken out and it gives us the ability to disable those for a year and to track when we made our changes. After a year, we can go back and eliminate the rules, to bring the configuration down to an almost human-readable level.

It also identifies risks in your environment and helps to prioritize fixes. It actually rates the risk level, meaning you look for the red and try to bring everything to green.

What needs improvement?

When it comes to documentation, they need to start putting together a basic command manual. With Cisco, you can look up a command and it gives you examples of three or four different ways that command can be used. It tells you how to put it into the GUI and the CLI. FireMon does need to start doing that. Right now, I use their tech support for that. They give me a command and I create my own book.

For how long have I used the solution?

I have been using FireMon for four years.

What do I think about the stability of the solution?

I have use cases where it's been running for two and a half years, and I've never had a problem with it. They're smaller companies where there aren't a lot of changes going on, but FireMon is just clicking away the whole time. It's stable.

Once it's put in, you pretty much walk away from it. You come back every morning to see if anything is going on and, if not, keep moving. It has made life a whole lot easier for us.

What do I think about the scalability of the solution?

It's very easy to scale up or down.

Every time we get a new customer, we put it in. The customer has to have a VM set up for the hardware requirements of FireMon, or we won't monitor their systems.

How are customer service and support?

They're very quick. They usually have the answer in a short period of time, and the maximum is no more than a day. Most of the time I just need a command and I can put it in on my side to verify, and that's it. I need to see what's going on. I'm a hands-on person. I don't like to sit back and watch other people do things.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We started with another solution called ManageEngine Firewall Analyzer, and we had that throughout our customers' sites. We recently started moving things over to FireMon for our old customers. If you run into Firewall Analyzer, run, don't walk, to the nearest exit.

Firewall Analyzer was so labor intensive just to do a report. You would tell it to look up an IP address and create the report, it would create a 20-page report, but you'd end up having to do that 20 times until you got the entire report. It could take six to eight hours to do a report. With FireMon, I hit "report," walk away, and it says, "Hey, your report's ready."

How was the initial setup?

The initial setup is pretty easy. I have three engineers who work on setups, and it took about 20 minutes, walking through it twice in the sandbox. It's pretty easy to set up.

There are two aspects to the setup. There's the basic setup of getting the application working, and there is the advanced setup of putting firewalls into the application. The basic is so basic that it's ridiculous. I could probably answer all the questions a customer might have and send it off to them and they could do it by themselves the first time. The advanced is a little bit more hairy because you have to make sure everything is in place.

At each of our customers, we assign at least two people to do the reports.

The maintenance is lightweight. The only trouble is in the upgrades. They take a little bit of effort, but they only come out once or twice a year. Sometimes, you don't need to do the upgrade because the change isn't applied to whatever site you're working on. Sometimes an upgrade is easy, and sometimes it's reformatting a database and that takes a little bit more effort. But you don't do it. FireMon has a script all set up. It's just that it takes a little bit longer to watch it do the upgrades, as compared to doing it ourselves.

What was our ROI?

Our ROI is the FTEs a year that we're saving. The solution is not even close to the cost of an employee. It might cost that employee's health benefits. We're saving double the amount of money we would pay a person.

What's my experience with pricing, setup cost, and licensing?

There is sticker shock on FireMon's pricing because it is done per device, but I'll guarantee you that it's well worth it. For each of our customers, we save at least one FTE a year. We would have needed 20 more people in our organization without the FireMon application.

Which other solutions did I evaluate?

When it comes to real-time compliance management, FireMon is much better. I've looked at Tufin and one other competitor, but FireMon has the most accurate best-practice reports. Tufin was our least favorite of the three. The other one was pretty good, but it looked a little bit immature. You had to create all the stuff you needed to do, while FireMon had everything already created, so it was the logical choice.

What other advice do I have?

My advice would be to get familiar with UNIX commands and vi. Those two are very helpful when you're working on the CLI. Otherwise, the GUI is so easy.

Security Manager, which is what we're using, doesn't automatically warn you when new firewall rules and changes to existing ones violate compliance policies, before they are deployed. However, there is another licensed aspect to Security Manager that does have that ability. What I have will tell me that somebody has made a change, what it was, and when it was made, but for the solution to make it a judgment call, I'd have to license another portion of Security Manager. It will even tell you where to put something. You put the entire enterprise in, with 60 firewalls, and you say, "I want to do this." It will say, "Okay, put it over here on this firewall, on this interface." You don't even have to think about the design. It does all the work for you.

If a colleague at another company said that firewall policy cleanup and management is important, but it's just not a priority, I would tell them that's a misconception. Any rule out there that hasn't been looked at, at least yearly, can become a security problem. Leaving that open, someone else can put another server in its place and now have open ports because you didn't remove a rule that's no longer in use. That's a very big security hazard. You do not want to leave rules in that aren't being used.

I've seen that happen in many companies that I've worked in, where a server had a lot of ports open because it needed to have them open for that application. The server then went away and then someone put another server in there and it automatically had all those rights. You didn't even know that it was changed. All you saw was a name change, and didn't realize that all those open ports are now a security violation because they applied to the old server and not the new one.

Having used it for so long, I'm so inundated with it that I can't see much that needs to be improved without a major redesign, and I can't even see that. When we're putting in automated changes it takes effort, but you realize that if it was too easy you could mess things up pretty quickly. I prefer it the way it is. I really don't want it changing.

It's the only tool we use for our security area that is worth anything.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
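The reviewer describes three kinds of findings a policy report surfaces: rules that are shadowed or redundant because an earlier rule already covers them, rules that have not been hit in a year and are candidates to disable and later delete, and over-broad "any-any" permits that need a signed-off business justification. The script below is an added example of that analysis, not FireMon's or the reviewer's code. It uses a simplified first-match, full-coverage model (partial overlaps are ignored), and the rule set, hit dates and the 365-day idle threshold are constructed assumptions; the stale "allow-legacy-app" rule mirrors the reused-server scenario the review warns about.

```python
"""Offline firewall policy hygiene check: shadowed, redundant, stale and any-any rules.

Added example, not FireMon code. The policy, hit dates and thresholds are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_network

ANY_NET = "0.0.0.0/0"
ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                  # source CIDR
    dst: str                  # destination CIDR
    proto: str                # "tcp", "udp" or "any"
    dports: tuple[int, int]   # inclusive destination port range
    action: str               # "allow" or "deny"
    last_hit: date | None     # last time the rule matched traffic; None = never


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matching `inner` also matches `outer` (match fields only)."""
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    ports_ok = outer.dports[0] <= inner.dports[0] and inner.dports[1] <= outer.dports[1]
    src_ok = ip_network(inner.src).subnet_of(ip_network(outer.src))
    dst_ok = ip_network(inner.dst).subnet_of(ip_network(outer.dst))
    return proto_ok and ports_ok and src_ok and dst_ok


def analyze(rules: list[Rule], today: date, max_idle_days: int = 365) -> list[tuple[str, str, str]]:
    """Walk the policy in first-match order and return (rule, finding, detail) triples."""
    findings: list[tuple[str, str, str]] = []
    for j, rule in enumerate(rules):
        # Ordering anomaly: an earlier rule that fully covers this one means it never fires.
        # Same action -> redundant (safe to delete); different action -> shadowed (intent is dead).
        blocker = next((e for e in rules[:j] if covers(e, rule)), None)
        if blocker is not None:
            kind = "redundant" if blocker.action == rule.action else "shadowed"
            findings.append((rule.name, kind, f"fully covered by earlier rule {blocker.name}"))
            continue  # unreachable rules are not separately reported as stale
        # Stale rule: the "disable for a year, then delete" candidates from the review.
        if rule.last_hit is None or (today - rule.last_hit).days > max_idle_days:
            findings.append((rule.name, "stale", f"no hits in the last {max_idle_days} days"))
        # Over-broad permit: shows up as high risk in a compliance report.
        if (rule.action == "allow" and rule.src == ANY_NET and rule.dst == ANY_NET
                and rule.proto == "any" and rule.dports == ANY_PORTS):
            findings.append((rule.name, "any-any", "permits all traffic; needs a documented business justification"))
    return findings


# Constructed sample policy (hypothetical addresses and hit dates), evaluated top-down.
TODAY = date(2022, 9, 15)
POLICY = [
    Rule("allow-web", ANY_NET, "10.1.0.0/24", "tcp", (443, 443), "allow", TODAY - timedelta(days=1)),
    Rule("allow-web-host", ANY_NET, "10.1.0.10/32", "tcp", (443, 443), "allow", None),
    Rule("deny-guest-db", "192.168.50.0/24", "10.2.0.5/32", "tcp", (5432, 5432), "deny", TODAY - timedelta(days=3)),
    Rule("allow-guest-db", "192.168.50.0/24", "10.2.0.5/32", "tcp", (5432, 5432), "allow", None),
    # Old application server is gone; whatever gets 10.3.0.7 next inherits every port from 10.9.0.0/16.
    Rule("allow-legacy-app", "10.9.0.0/16", "10.3.0.7/32", "any", ANY_PORTS, "allow", TODAY - timedelta(days=700)),
    Rule("temp-any-any", ANY_NET, ANY_NET, "any", ANY_PORTS, "allow", TODAY),
    Rule("deny-all", ANY_NET, ANY_NET, "any", ANY_PORTS, "deny", None),
]

if __name__ == "__main__":
    for name, kind, detail in analyze(POLICY, TODAY):
        print(f"{kind:10s} {name:18s} {detail}")
```

Run against the sample policy it reports allow-web-host as redundant, allow-guest-db and deny-all as shadowed (the latter by the any-any permit placed above it), allow-legacy-app as stale, and temp-any-any as an any-any allow. The stale finding is the one that matters most for the reused-server case: the rule is still reachable, so a new host landing on 10.3.0.7 silently inherits the old server's access.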