US 12,273,322 B2
Firewall rule and data flow analysis and modification
Sai Sujith Reddy Mankala, Milpitas, CA (US); Lisette Paloma Hamilton, Redwood City, CA (US); and Mark Gakman, Redmond, WA (US)
Assigned to Microsoft Technology Licensing, LLC, Redmond, WA (US)
Filed by Microsoft Technology Licensing, LLC, Redmond, WA (US)
Filed on Jun. 20, 2022, as Appl. No. 17/844,587.
Prior Publication US 2023/0412565 A1, Dec. 21, 2023
Int. Cl. H04L 9/40 (2022.01); G06F 3/0482 (2013.01); H04L 47/2483 (2022.01); H04L 67/75 (2022.01)
CPC H04L 63/0263 (2013.01) [G06F 3/0482 (2013.01); H04L 47/2483 (2013.01); H04L 67/75 (2022.05)] 19 Claims
OG exemplary drawing
 
1. A method comprising:
retrieving firewall flow log data from a configurable time period and from a plurality of firewalls, each firewall associated with a firewall identifier of firewall identifiers, the firewall flow log data including data indicating whether a flow was allowed or denied, an identifier of a rule that allowed or denied the flow, and a five-tuple for the flow including a source port, a protocol, a destination port, a source IP or Fully Qualified Domain Name (FQDN), and a destination IP or FQDN;
processing the firewall flow log data, the processing including:
identifying and counting occurrences of unique flows, each unique flow corresponding to a unique five-tuple; and
counting the unique flows allowed or denied by each rule;
generating, based on at least one of the occurrences of unique flows and counted unique flows allowed or denied by each rule of a rule base associated with a subject firewall identifier of the firewall identifiers, a recommendation including limiting an existing rule to allow or deny fewer five-tuple values;
providing the recommendation within a user interface as a selectable option for implementation; and
changing, responsive to the selectable option being selected, the existing rule of the associated subject firewall to allow or deny fewer five-tuple values.
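The processing steps of claim 1, as an added Python example that is not part of the patent or of any Microsoft product: it filters constructed flow-log records to a time window, counts unique five-tuples and the unique flows each rule allowed or denied, recommends narrowing an allow rule to the destination ports it was actually observed to carry, and applies the narrowed rule once selected. The log record layout, the port-set rule base and all function names are assumptions.

```python
from collections import Counter, defaultdict, namedtuple

# Constructed flow-log records (not real data): (timestamp, firewall_id, action,
# rule_id, five-tuple), i.e. the fields the claim says each log record carries.
FiveTuple = namedtuple("FiveTuple", "src proto sport dst dport")
FLOW_LOGS = [
    (100, "fw-1", "allow", "web-in", FiveTuple("10.0.0.5", "tcp", 51000, "10.1.0.10", 443)),
    (105, "fw-1", "allow", "web-in", FiveTuple("10.0.0.5", "tcp", 51000, "10.1.0.10", 443)),
    (110, "fw-1", "allow", "web-in", FiveTuple("10.0.0.6", "tcp", 52000, "10.1.0.10", 80)),
    (120, "fw-1", "deny", "default-deny", FiveTuple("10.0.0.9", "udp", 40000, "10.1.0.10", 53)),
    (900, "fw-1", "allow", "web-in", FiveTuple("10.0.0.7", "tcp", 53000, "10.1.0.10", 8443)),
]
# Constructed rule base (assumed shape): per firewall, the destination ports each rule allows.
RULE_BASE = {"fw-1": {"web-in": {80, 443, 8080, 8443}}}

def count_flows(logs, start, end):
    """Count unique five-tuples, and unique flows allowed/denied per rule, within [start, end]."""
    flow_counts = Counter()
    per_rule = defaultdict(lambda: {"allow": set(), "deny": set()})
    for ts, fw, action, rule, ft in logs:
        if not start <= ts <= end:
            continue
        flow_counts[(fw, ft)] += 1          # occurrences of each unique five-tuple
        per_rule[(fw, rule)][action].add(ft)  # unique flows decided by each rule
    rule_counts = {k: {a: len(s) for a, s in v.items()} for k, v in per_rule.items()}
    return flow_counts, rule_counts

def recommend(logs, rule_base, start, end):
    """Recommend narrowing allow rules to the destination ports observed in the window."""
    observed = defaultdict(set)
    for ts, fw, action, rule, ft in logs:
        if action == "allow" and start <= ts <= end:
            observed[(fw, rule)].add(ft.dport)
    recs = []
    for fw, rules in rule_base.items():
        for rule, allowed in rules.items():
            used = observed.get((fw, rule), set())
            unused = allowed - used
            if used and unused:  # rules with no hits at all are a separate decision; skip them
                recs.append({"firewall": fw, "rule": rule, "keep_ports": sorted(used), "drop_ports": sorted(unused)})
    return recs

def apply_recommendation(rule_base, rec):
    """Change the rule to allow fewer values once the operator selects the recommendation."""
    rule_base[rec["firewall"]][rec["rule"]] = set(rec["keep_ports"])
    return rule_base
```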