Chapter 6

Firewall Policy Collection

Quick Start

Add your firewall to inventory.yaml with the correct device_type (e.g., paloalto_panos). Run the standard collect → parse → ingest pipeline. Firewall rules appear automatically under /firewall in the web UI and are queryable via firewall_rules_by_device. Pro+ required.

MeshOptixIQ extends its collection pipeline to gather security policies directly from firewalls — no API credentials or management plane access required beyond SSH. Collected rules, address objects, and service objects are stored in the graph alongside topology data, enabling zone-pair queries and point-and-click source-to-destination path analysis across your entire firewall estate.

6.1 Supported Firewall Vendors

Vendor              | OS                    | Facts Collected
--------------------|-----------------------|----------------------------------------------------------
Palo Alto Networks  | PAN-OS                | Security policies, address objects, service objects
Juniper             | JunOS SRX             | Security policies (zone-based), address book objects
Fortinet            | FortiOS               | Firewall policies, address objects, address groups
Cisco               | ASA OS                | Access-lists (ACLs), object-groups
Cisco               | Firepower FTD (LINA)  | Access-lists (ASA-compatible LINA format), object-groups
Check Point         | Gaia Clish            | Rule base (best-effort SSH via show rule-base)

Graph Nodes Created

Node Type      | Key Properties                                                        | Relationship
---------------|-----------------------------------------------------------------------|---------------------------
FirewallRule   | rule_id, rule_name, action, rule_order, source/dest zones & addresses | Device HAS_FIREWALL_RULE
AddressObject  | name, type (host/network/range/fqdn/group), value                     | Device HAS_ADDRESS_OBJECT
ServiceObject  | name, protocol, dest_ports                                            | Device HAS_SERVICE_OBJECT

6.2 Collection Workflow

Firewall collection uses the same inventory file as topology collection. Ensure firewall devices are listed with the correct device_type (paloalto_panos, juniper_junos, fortinet, cisco_asa, cisco_ftd, or checkpoint_gaia).

# Collect all devices including firewalls
meshq collect --source inventory.yaml

# Parse — automatically detects and processes firewall output
meshq parse

# Ingest — writes FirewallRule, AddressObject, ServiceObject nodes
meshq ingest

Verifying Firewall Data

# List all firewalls with collected rules
curl -H "X-API-Key: $API_KEY" \
  -H "Content-Type: application/json" \
  http://localhost:8000/queries/all_firewall_devices/execute \
  -d '{"parameters": {}}'

# Get rules for a specific device
curl -H "X-API-Key: $API_KEY" \
  -H "Content-Type: application/json" \
  http://localhost:8000/queries/firewall_rules_by_device/execute \
  -d '{"parameters": {"device": "fw-edge-01"}}'

Deny Rules Summary

curl -H "X-API-Key: $API_KEY" \
  -H "Content-Type: application/json" \
  http://localhost:8000/queries/deny_rules_summary/execute \
  -d '{"parameters": {}}'

6.3 Path Analysis

Path analysis evaluates firewall rules for a given source IP, destination IP, and optional protocol/port. The query returns the first-matching rule per firewall along the path; firewalls with no matching rule are treated as implicit default-deny.

# Check if TCP/443 is permitted: 10.0.0.1 → 10.1.0.100
curl -H "X-API-Key: $API_KEY" \
  http://localhost:8000/queries/path_analysis/execute \
  -H "Content-Type: application/json" \
  -d '{
    "parameters": {
      "source_ip": "10.0.0.1",
      "destination_ip": "10.1.0.100",
      "protocol": "tcp",
      "destination_port": "443"
    }
  }'

The response includes the matching rule for each firewall, its action (permit/deny/drop), rule name, and zone pair. Use the Path Analysis page in the web UI for an interactive view with a PERMITTED / DENIED verdict banner.
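The following is an added example, not code from the MeshOptixIQ documentation or product. It models the evaluation the path_analysis query is described as performing: rules are tried in rule_order, the first match on each firewall decides that firewall's verdict, a firewall with no matching rule is treated as implicit default deny, and the flow is PERMITTED only when every firewall on the path permits it. The object and rule fields mirror the AddressObject, ServiceObject and FirewallRule node properties listed earlier in this chapter; the sample firewalls, object names and addresses are constructed for illustration, and the matching logic is an assumption about how the product evaluates rules, not its actual implementation.

```python
"""Added example: first-match firewall path evaluation with implicit default deny.
Not part of MeshOptixIQ; object shapes follow the node properties in this chapter."""
import ipaddress
from dataclasses import dataclass


@dataclass
class AddressObject:
    name: str
    type: str    # host | network | range | group (fqdn omitted: needs DNS resolution)
    value: str   # "10.0.0.1", "10.1.0.0/24", "10.2.0.1-10.2.0.50", or "objA,objB" for groups


@dataclass
class ServiceObject:
    name: str
    protocol: str    # tcp | udp | any
    dest_ports: str  # "443", "80,443", "1024-65535", or "any"


@dataclass
class FirewallRule:
    rule_id: str
    rule_name: str
    action: str      # permit | deny | drop
    rule_order: int
    src_zone: str
    dst_zone: str
    src_addrs: list  # names of address objects, or "any"
    dst_addrs: list
    services: list   # names of service objects, or "any"


def address_matches(objs, name, ip):
    """Resolve an address object (recursively for groups) and test membership."""
    if name == "any":
        return True
    obj = objs[name]
    if obj.type == "host":
        return ip == ipaddress.ip_address(obj.value)
    if obj.type == "network":
        return ip in ipaddress.ip_network(obj.value, strict=False)
    if obj.type == "range":
        lo, hi = (ipaddress.ip_address(p.strip()) for p in obj.value.split("-"))
        return lo <= ip <= hi
    if obj.type == "group":
        return any(address_matches(objs, m.strip(), ip) for m in obj.value.split(","))
    raise ValueError(f"unsupported address object type: {obj.type}")


def port_matches(spec, port):
    """dest_ports may be 'any', a single port, a comma list, or a low-high range."""
    if spec == "any":
        return True
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def service_matches(svcs, name, protocol, port):
    if name == "any":
        return True
    svc = svcs[name]
    return svc.protocol in ("any", protocol) and port_matches(svc.dest_ports, port)


def first_match(fw, src_ip, dst_ip, protocol, port):
    """First rule by rule_order matching the flow, or None (implicit default deny)."""
    src, dst, port = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip), int(port)
    for rule in sorted(fw["rules"], key=lambda r: r.rule_order):
        if (any(address_matches(fw["addresses"], a, src) for a in rule.src_addrs)
                and any(address_matches(fw["addresses"], a, dst) for a in rule.dst_addrs)
                and any(service_matches(fw["services"], s, protocol, port) for s in rule.services)):
            return rule
    return None


def path_analysis(path, src_ip, dst_ip, protocol, port):
    """Per-firewall results plus an overall verdict; one deny anywhere denies the flow."""
    results = []
    for fw in path:
        rule = first_match(fw, src_ip, dst_ip, protocol, port)
        results.append({
            "device": fw["device"],
            "rule_name": rule.rule_name if rule else None,
            "action": rule.action if rule else "deny",  # no match: implicit default deny
            "zone_pair": f"{rule.src_zone}->{rule.dst_zone}" if rule else None,
        })
    verdict = "PERMITTED" if all(r["action"] == "permit" for r in results) else "DENIED"
    return verdict, results


# Constructed sample data. Rules are listed out of order on purpose: rule_order decides.
FW_EDGE_01 = {
    "device": "fw-edge-01",
    "addresses": {
        "corp-lan": AddressObject("corp-lan", "network", "10.0.0.0/16"),
        "web-01": AddressObject("web-01", "host", "10.1.0.100"),
        "db-range": AddressObject("db-range", "range", "10.1.0.200-10.1.0.220"),
        "dmz-servers": AddressObject("dmz-servers", "group", "web-01,db-range"),
    },
    "services": {
        "https": ServiceObject("https", "tcp", "443"),
        "mysql": ServiceObject("mysql", "tcp", "3306"),
    },
    "rules": [
        FirewallRule("r2", "block-db-from-lan", "deny", 20, "trust", "dmz", ["corp-lan"], ["db-range"], ["any"]),
        FirewallRule("r1", "allow-web", "permit", 10, "trust", "dmz", ["corp-lan"], ["web-01"], ["https"]),
        FirewallRule("r3", "allow-db-from-web", "permit", 30, "dmz", "dmz", ["web-01"], ["dmz-servers"], ["mysql"]),
    ],
}
# A second hop with an empty rule set: everything through it hits the implicit deny.
FW_CORE_01 = {"device": "fw-core-01", "addresses": {}, "services": {}, "rules": []}

if __name__ == "__main__":
    print(path_analysis([FW_EDGE_01], "10.0.0.1", "10.1.0.100", "tcp", "443"))
    print(path_analysis([FW_EDGE_01, FW_CORE_01], "10.0.0.1", "10.1.0.100", "tcp", "443"))
```

The second print shows why the per-firewall breakdown matters: fw-edge-01 permits the flow on allow-web, but fw-core-01 has no matching rule, so the path verdict is DENIED with a null rule name on that hop, which is exactly the case to look for when a permitted-looking policy still fails end to end.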

Firewall Query Gate
Path analysis and zone-pair queries require a Pro or Enterprise license with the firewall_queries feature enabled.