Secure Passage’s industry-leading FireMon™ solution is built on a scalable,
extensible and secure architecture. Working with our global customers and partners,
we designed FireMon’s unique architecture to deliver time-saving analysis
and reports in an enterprise-ready package. From small-scale network infrastructures
to global enterprises, you can reduce operational costs, improve performance and
enhance security with FireMon.
How FireMon Works
Monitor: FireMon monitors network devices, including firewalls,
routers and switches, for configuration changes and system events, including firewall
log data. Using real-time event notification, FireMon captures every change,
including when the change was made, who made it and which device was modified.
Store: FireMon responds to change events by gathering all device
configuration data. For firewalls, this includes the system configuration and
all policy detail including rules, objects and services. This complete configuration
is then securely stored for immediate and future analysis in a central database
repository.
Analyze: FireMon performs deep configuration and behavioral
analysis on the device configurations stored in the database. Analysis includes
change comparison, compliance analysis, security risk analysis, policy usage and
optimization analysis, and user-driven custom analysis.
Alert: FireMon provides flexible and extensive alerting capabilities
including change alerts and compliance alerts.
Report: All of FireMon’s analysis capabilities are exposed
as user-interactive screens in the Graphical User Interface or various report output
formats including HTML, PDF and CSV. These reports provide high-level management
summary data as well as complete, detailed technical analysis.
Flexible Deployment Architecture
The FireMon solution features a distributed data collection architecture that collects
device configuration and log data, and sends that data back to the central application
server for analysis and storage. A single installation can contain multiple
data collectors and can scale to monitor thousands of devices.
Key Components
FireMon consists of three key components: the Application Server, the Data Collector
and the User Interface.
The Application Server (AS) is the heart of the FireMon product
– the data repository that contains the analysis intelligence. The Application
Server executes scheduled reports and conducts real-time analysis. The Application
Server processes all transactions that occur between the Graphical User Interface
(GUI) and the Database, and it persists the data collected by the Data Collector in
the Database. The Application Server is installed on a single machine in your enterprise
and must have connectivity to the Data Collector. You can install the
Application Server on a Linux or Windows platform.
The Data Collector (DC) is the FireMon software component that
monitors your firewalls, routers, switches and other network security devices for changes.
As the direct interface, the Data Collector communicates with the end devices. Upon
detecting any type of change to a device, the Data Collector collects the change
details, including new and modified configurations and device policies. The Application
Server retrieves this data and stores it in the Database. You can install multiple
Data Collectors on separate server-class machines (Linux or Windows platform) for
scalability or geographic reasons.
The FireMon Graphical User Interface (GUI) is an interactive environment
for accessing all device information stored in the Database, including device configurations
and analysis tools. The GUI is installed on the desktop of every user who uses FireMon.
Deployment Options
In most instances, a single server running all server components of FireMon –
the Application Server, Data Collector and Database – will be sufficient
to meet enterprise demands. However, in some instances it is preferable to
distribute data collection closer to the devices being monitored to reduce network
traffic overhead. This is very common in geographically dispersed environments
where WAN bandwidth is limited.
Extensible Application Architecture
FireMon was built on the key principle of extensibility to support new device types
and changing customer needs. You can customize analysis reports: not just the
output, but also the logic used to identify and report on custom needs. Several
key architecture components make all of this possible.
Plug-in Device Adapters
Supporting multiple device types requires device-specific monitoring, retrieval and analysis engines. Using
a shared library and a common API for all devices, each device adapter is written
as a plug-in component to FireMon. This architecture lets you quickly
add new device types without impacting the rest of your system, and existing device
adapters are easily updated to support new functionality.
Normalized Device Data
FireMon has a comprehensive list of features and functionality. Re-implementing
each of these features for every new device type would result in complex and slow
feature development as well as inconsistent feature support across devices. Instead,
FireMon implements a key concept of normalizing device data while maintaining vendor-specific
knowledge. The concept of device data normalization is to replace vendor-specific
nomenclature with a common, consistent configuration definition. Using a published
XML schema, every device configuration is consistently used throughout FireMon,
making all features available to all supported devices.
However, consistency is not enough. Normalizing all vendor-specific detail
out of the configuration would result in a vendor-neutral configuration. Although
good for some analysis, it is insufficient for vendor-specific analysis such as
zone analysis for a NetScreen device or global property analysis on Check Point
devices. To support vendor-specific properties, these details are maintained
and available for in-depth analysis.
Analysis API
FireMon maintains comprehensive and valuable device data. FireMon also provides
in-depth security, configuration and optimization analysis of this data. However,
no two environments are exactly alike. Not only are there unique configuration
parameters, but there are also unique corporate standards and requirements. To
support the unique requirements and requests of every environment, FireMon exposes
a powerful analysis API enabling custom security, configuration and optimization
analysis.
Built on JavaScript, an industry-standard, well-documented scripting language,
FireMon exposes all device data, including configuration history and policy usage
data, as well as internal analysis engines such as Policy Test, for use in the Analysis
API. This enables rapid creation of custom analysis. You don’t have
to be a developer to take advantage of these capabilities. Nearly 100% of customers
use this feature, whether simply to customize a report output or to
create a completely new security analysis check.
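The following is an added illustration of the two ideas above, device data normalization and a custom analysis check, written as a self-contained JavaScript example. It is not FireMon code and does not use FireMon’s published XML schema or Analysis API; the two vendor rule formats, the adapter functions and the normalized rule fields are all constructed for the example.

```javascript
// Added example, not FireMon code: hypothetical adapters normalise two
// constructed vendor rule formats into one common rule shape (keeping the
// raw vendor detail), then custom checks run over the normalised rules.

// Constructed sample configs in two made-up vendor formats.
const VENDOR_A_CONFIG = [            // text rules: "permit|deny <proto> <src> <dst>"
  "permit ip any any",
  "deny tcp 10.0.0.0/8 192.0.2.10",
];
const VENDOR_B_CONFIG = [            // zone-based rule objects
  { action: "accept", from: "untrust", to: "trust", src: "Any", dst: "Any", svc: "ANY" },
  { action: "reject", from: "trust", to: "untrust", src: "Any", dst: "203.0.113.5", svc: "HTTP" },
];

// Adapter for vendor A: parse text lines into the common rule shape.
function normalizeVendorA(lines, device) {
  return lines.map((line, index) => {
    const [action, proto, src, dst] = line.trim().split(/\s+/);
    return {
      device, index,
      action: action === "permit" ? "allow" : "deny",
      source: src.toLowerCase(), destination: dst.toLowerCase(),
      service: proto === "ip" ? "any" : proto.toLowerCase(),
      vendor: { raw: line },                 // vendor-specific detail retained
    };
  });
}

// Adapter for vendor B: map object fields, keeping zones for zone analysis.
function normalizeVendorB(rules, device) {
  return rules.map((r, index) => ({
    device, index,
    action: r.action === "accept" ? "allow" : "deny",
    source: r.src.toLowerCase(), destination: r.dst.toLowerCase(),
    service: r.svc.toLowerCase(),
    vendor: { fromZone: r.from, toZone: r.to },
  }));
}

// Vendor-neutral check: any-to-any allow rules, runnable on every device.
function findAnyAnyAllows(rules) {
  return rules.filter(r => r.action === "allow" && r.source === "any" &&
                           r.destination === "any" && r.service === "any");
}

// Vendor-specific check: allow rules entering from the 'untrust' zone. It
// only matches where the adapter kept zone detail in the vendor block.
function findUntrustAllows(rules) {
  return rules.filter(r => r.action === "allow" && r.vendor.fromZone === "untrust");
}

const ALL_RULES = [
  ...normalizeVendorA(VENDOR_A_CONFIG, "fw-a"),
  ...normalizeVendorB(VENDOR_B_CONFIG, "fw-b"),
];
```

The first check runs unchanged against both devices because the adapters produced the same normalized fields; the second check works only where vendor zone detail survived normalization, which is the point the page makes about keeping vendor-specific knowledge.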
The result: FireMon is a tool built just for you.