Fault Localization for Firewall Policies
Source: North Carolina State University
Firewalls are the mainstay of enterprise security and the most widely adopted technology for protecting private networks. Ensuring the correctness of firewall policies through testing is important. In firewall policy testing, test inputs are packets and test outputs are decisions. Packets with unexpected (expected) evaluated decisions are classified as failed (passed) tests. Given failed tests together with passed tests, policy testers need to debug the policy to detect fault locations (such as faulty rules).
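An added example, not code from the paper or its authors: a small test harness for the process described above, which evaluates packets against a policy, classifies each test as passed or failed, and tallies which rule decided the failed packets. It assumes first-match rule semantics; the policy, the test packets, the seeded fault in `r3` and the tallying heuristic are all constructed for illustration and are not the paper's technique.

```python
import ipaddress
from collections import Counter

# Constructed policy: (name, src CIDR, dst CIDR, dst port or None for any, decision)
POLICY = [
    ("r1", "10.0.0.0/8", "192.0.2.10/32", 22, "accept"),
    ("r2", "0.0.0.0/0", "192.0.2.10/32", 22, "discard"),
    ("r3", "0.0.0.0/0", "192.0.2.0/24", 443, "discard"),  # seeded fault: intended "accept"
    ("r4", "0.0.0.0/0", "0.0.0.0/0", None, "discard"),
]

# Constructed tests: (src, dst, dst port, expected decision)
TESTS = [
    ("10.1.2.3", "192.0.2.10", 22, "accept"),
    ("203.0.113.5", "192.0.2.10", 22, "discard"),
    ("203.0.113.5", "192.0.2.20", 443, "accept"),
    ("198.51.100.7", "192.0.2.30", 443, "accept"),
    ("203.0.113.5", "192.0.2.20", 23, "discard"),
]

def evaluate(policy, src, dst, port):
    """Return (rule name, decision) of the first matching rule (assumed semantics)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, src_net, dst_net, rule_port, decision in policy:
        if (s in ipaddress.ip_network(src_net)
                and d in ipaddress.ip_network(dst_net)
                and rule_port in (None, port)):
            return name, decision
    return None, "discard"  # assumed default when no rule matches

def run_tests(policy, tests):
    """Split tests into passed and failed by comparing actual and expected decisions."""
    passed, failed = [], []
    for src, dst, port, expected in tests:
        rule, actual = evaluate(policy, src, dst, port)
        bucket = passed if actual == expected else failed
        bucket.append((src, dst, port, rule, actual))
    return passed, failed

def suspects(failed):
    """Rank rules by how many failed packets they decided (illustrative heuristic)."""
    return Counter(rule for (_s, _d, _p, rule, _a) in failed).most_common()

if __name__ == "__main__":
    passed, failed = run_tests(POLICY, TESTS)
    print(len(passed), "passed;", len(failed), "failed")
    print("suspect rules:", suspects(failed))
```

The rule that decided a failed packet is only a starting point: a fault in an earlier rule that wrongly fails to match can let the packet fall through to a later, correct rule.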