Which firewalls have the best rule organization metaphor in their GUI for constructing and maintaining rules? I'm interested in products that can scale their rulesets to hundreds of rules and dozens of different networks without becoming too difficult to read and maintain.
To be honest I have never met a firewall I really liked, and I have used Checkpoint Firewall-1, Microsoft ISA Server, and a handful of lesser known firewalls. The shortcoming of all of them in a non-trivial network is that once a ruleset becomes sufficiently large it becomes very very hard to read through it and completely understand it. Even if you follow well-organized conventions to put all from and to rules for a network or host together, you in general have to deal with many broad classifications of rules such as:
- rules between networks
- rules applying to specific hosts or segments
- rules that apply to logical groups of hosts or networks (these could represent groups of networks that belong to a single Windows "domain" for example)
Broad rules that you establish early in the ruleset can unintentionally render rules that apply to specific hosts and networks later on in the ruleset inoperative.
Specific rules that you establish for a host or network segment can likewise render a broader rule stated later inoperative.
All of this is made worse by software GUI interfaces in most firewalls that use a purely linear organization scheme for rules. This makes reading the ruleset like reading through a 500 line program that has no indenting or formatting structures for ease of reading or grouping of related items.
Is there a product whose user interface for ruleset organization uses a metaphor that scales to a larger number of rules? In my opinion Checkpoint and Microsoft's products fail on this criteria. Are there any better products for this criteria?
I don't need any kind of exceptional performance. Cheap is better than extremely expensive.