When creating a firewall policy it's always good to add a comment to it.
Adding comments to firewall policies
Although it may seem like an extra and possibly time-wasting step, adding a comment to a firewall policy can help in many ways:
- You may know all the facts about a policy, but if another admin logs into the firewall with little or no knowledge of that policy, the comment will help them quickly understand what the policy does and why it is needed.
- Over time, the number of firewall policies can grow, and it becomes difficult to remember why each policy was created or what it's supposed to do. A policy comment will help in this situation.
- You may manage multiple firewalls and log into each of them only from time to time; the policy comments will help you easily understand what is allowed on each firewall.
- When reviewing the firewall policies, the comments help you scroll rapidly through existing rules and check them for consistency or misconfiguration.
- When a new administrator is hired, reading the comments attached to each firewall policy will help them understand faster what is configured on the firewall.
- Comments let you label policies and add warning notes stating that a policy needs to be disabled after a certain date or, vice versa, that it must not be disabled or deleted.
- Although the firewall policy may be documented in a report, you may not always have that document at hand.
Tips for adding comments to firewall policies
- Describe what the firewall policy does and why it's needed; use a simple and concise description.
- Possibly add a date to remember when the policy was created.
- Add a warning if needed, e.g. for a temporary policy that needs to be disabled or deleted in the future. If it's not deleted by mistake, you can quickly identify it during a firewall policy review. Or, vice versa, state that the policy must not be disabled or deleted.
- Rate its importance; for example it may allow a critical service.
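The review described above can be partly automated once comments follow a fixed layout. The script below is an added example, not code from the original article: the `created=`, `expires=`, `importance=` and `DO-NOT-DELETE` tags are an assumed convention, the sample policies are constructed, and treating a missing creation date as a finding is a choice of this example.

```python
import re
from datetime import date

# Constructed sample export: (policy id, enabled, comment). The "key=value"
# tags inside the comments are an assumed convention, not a vendor format.
SAMPLE_POLICIES = [
    (1, True, "Allow HTTPS to public web server; created=2023-02-10; importance=critical; DO-NOT-DELETE"),
    (2, True, "Temp vendor VPN for migration; created=2024-01-05; expires=2024-02-01"),
    (3, True, ""),
    (4, False, "Temp test access for QA; created=2023-11-20; expires=2023-12-15"),
    (5, True, "Allow DNS from LAN to resolvers; importance=high"),
    (6, True, "Temp partner FTP; created=2024-03-01; expires=2024-13-01"),
]

TAG = re.compile(r"\b(created|expires|importance)=([^;\s]+)", re.I)

def parse_comment(comment):
    """Extract the assumed tags and the do-not-delete marker from a comment."""
    tags = {k.lower(): v for k, v in TAG.findall(comment)}
    tags["protected"] = "do-not-delete" in comment.lower()
    return tags

def review(policies, today):
    """Return (policy id, issue) pairs for comments that need attention."""
    findings = []
    for pid, enabled, comment in policies:
        if not comment.strip():
            findings.append((pid, "missing comment"))
            continue
        tags = parse_comment(comment)
        if "created" not in tags:
            findings.append((pid, "no creation date"))
        if "expires" in tags:
            try:
                expiry = date.fromisoformat(tags["expires"])
            except ValueError:
                # A mistyped date would otherwise hide a temporary policy.
                findings.append((pid, "unparseable expiry date"))
                continue
            if tags["protected"]:
                findings.append((pid, "marked both temporary and do-not-delete"))
            if enabled and expiry < today:
                findings.append((pid, "expired but still enabled"))
    return findings

if __name__ == "__main__":
    for pid, issue in review(SAMPLE_POLICIES, date(2024, 2, 15)):
        print(f"policy {pid}: {issue}")
```
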
Comments attached to firewall policies simplify the firewall administrator's job and help keep the firewall configuration clean and secure.