From Plain Language to Firewall Rules: A Practical Guide

Summary
– The research presents a prototype system that converts natural language security requests into structured firewall rules, using language models to parse intent while keeping rule validation and enforcement deterministic.
– A key design feature is an intermediate, vendor-agnostic representation of policy intent, which separates the request from device-specific syntax and allows for structured review before deterministic compilation into firewall commands.
– The system embeds multiple validation steps, including schema checks, platform-specific rules, and safety gates, and uses simulation to verify configurations before deployment, prioritizing control and auditability.
– Successful implementation depends on a well-maintained catalog of network objects and services, as ambiguous or omitted details in requests and legacy or drifting object definitions can reduce accuracy and require human review.
– The approach reflects a cautious trend in applying AI to infrastructure, using language models as an assistive tool for intent expression while maintaining human judgment, structured review, and telemetry analysis for secure policy evolution.
The process of configuring a firewall often starts with a simple idea, but translating that human intent into precise technical commands can be complex and error-prone. New research explores a novel approach: using natural language as the starting point for creating robust firewall rules. This method aims to bridge the gap between how security teams describe what they need and how network devices actually implement those policies, potentially reducing misconfiguration risks.
A recent paper from New York University details a prototype system that accepts policy requests written in plain English and converts them into structured, vendor-specific firewall configurations. The architecture is designed to leverage language models for understanding intent while keeping the critical steps of validation and enforcement under strict, deterministic control. This hybrid approach, which combines the flexibility of natural language with the reliability of traditional systems, resonates with security practitioners managing large-scale enterprise networks.
For professionals like Dhiraj Sehgal, Senior Director of Platform Security at Versa Networks, the value lies in alignment with real-world operations. He notes that the system’s design deliberately limits the language model to extracting intent, leaving compilation and enforcement to deterministic components. This mirrors environments where traceability, review, and controlled change management are prioritized over purely automated speed. It reflects a model seen in initiatives like Google’s BeyondCorp, where policy is driven by validated intent and evidence from network telemetry, not silent rule changes.
The system workflow begins when an administrator submits a request, such as “Allow the marketing department to access our CRM SaaS over HTTPS during business hours.” A language model processes this text to extract the key entities (sources, destinations, protocols, and time constraints) and emits them in a strict, structured schema. This data then feeds into a vendor-agnostic intermediate representation: a normalized rule record that includes the standard five-tuple plus metadata such as direction and scheduling. This layer is crucial; it separates the policy’s intent from the specific syntax of any firewall brand, allowing for human review in a clear, structured format.
From there, deterministic logic takes over. The prototype includes a compiler that translates this intermediate representation into configuration commands for platforms like Palo Alto Networks’ PAN-OS. Multiple validation steps are embedded in the workflow. A general linter checks for structural issues, while a vendor-specific linter applies platform constraints. A separate safety gate enforces high-level security principles, stopping any policy that fails baseline checks. Finally, the generated configuration is run through a network simulator to validate syntax and object references before any deployment is considered.
Testing in synthetic environments showed the system could correctly translate requests into firewall rules about 85% of the time. Errors typically stemmed from ambiguous phrasing or edge cases in platform syntax, underscoring that accurate results depend on a well-maintained catalog of network objects and services. As Rob Rodriguez, Senior Director of Global Field Engineering at FireMon, points out, the quality of this underlying data is paramount. In large enterprises, object catalogs can contain legacy groups and definitions that have drifted. A practical safeguard is to treat object hygiene as a gating condition, with automated checks flagging stale or overlapping references for cleanup before rule generation proceeds.
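The pipeline described above (intermediate rule record, general linter, safety gate, deterministic compile) together with the object-hygiene gating condition from the previous paragraph, as an added example that is not the NYU prototype's code. The catalog contents, the `Rule` fields and the set-style output syntax are constructed assumptions; the output is only loosely modelled on PAN-OS and is not verified vendor syntax.

```python
from dataclasses import dataclass

# Constructed object catalog standing in for an enterprise's address/service objects.
# A value of None marks an object whose definition has drifted or been retired.
CATALOG = {
    "addresses": {"marketing-users": "10.20.0.0/16", "crm-saas": "203.0.113.10/32",
                  "legacy-finance": None},
    "services": {"https": "tcp/443", "ssh": "tcp/22"},
    "schedules": {"business-hours": "mon-fri 09:00-18:00"},
}

@dataclass
class Rule:
    """Vendor-agnostic intent record: five-tuple fields plus direction and schedule."""
    name: str
    src: str
    dst: str
    service: str
    action: str
    direction: str = "outbound"
    schedule: str = "always"

def lint(rule, catalog=CATALOG):
    """General linter: structural checks plus object hygiene (every reference resolves to a live object)."""
    errors = []
    if rule.action not in ("allow", "deny"):
        errors.append(f"unknown action {rule.action!r}")
    for attr, table in (("src", "addresses"), ("dst", "addresses"), ("service", "services")):
        ref = getattr(rule, attr)
        if ref == "any":
            continue
        if ref not in catalog[table]:
            errors.append(f"{attr} references unknown object {ref!r}")
        elif catalog[table][ref] is None:
            errors.append(f"{attr} references stale object {ref!r}")
    if rule.schedule != "always" and rule.schedule not in catalog["schedules"]:
        errors.append(f"unknown schedule {rule.schedule!r}")
    return errors

def safety_gate(rule):
    """Baseline principle: an allow rule may not open an unconstrained path (any destination, any service)."""
    if rule.action == "allow" and rule.dst == "any" and rule.service == "any":
        return ["allow to any destination on any service violates least privilege"]
    return []

def compile_rule(rule, catalog=CATALOG):
    """Deterministic compile of a validated record to illustrative set-style commands (assumed syntax)."""
    problems = lint(rule, catalog) + safety_gate(rule)
    if problems:
        raise ValueError("; ".join(problems))  # nothing reaches the compiler until every gate passes
    return (f"set rulebase security rules {rule.name} source {rule.src} destination {rule.dst} "
            f"service {rule.service} schedule {rule.schedule} action {rule.action}")
```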
Differences between firewall platforms add another layer of complexity, as application-aware rules on one system may need conservative, port-based translations on another. Rodriguez also emphasizes the importance of pre-deployment simulation that goes beyond syntax to analyze reachability and change impact. This helps teams understand exactly what new network paths a rule will create before it goes live. For long-term management, mature operations include scheduled reviews of unused rules and the integration of business metadata, like regulatory exposure or critical application status, into policy workflows. Rules affecting sensitive assets can then trigger stricter approval paths, creating a feedback loop where firewall policy continuously reflects operational reality.
This research represents a cautious, pragmatic approach to applying advanced language models to critical infrastructure. The model acts as an assistive tool for intent parsing, but the system’s core relies on deterministic validation, compilation, and enforcement. This balances the speed of natural language expression with the necessary certainty of structured review and human judgment, aligning with how experienced firewall teams already operate to guide secure and effective policy evolution.
(Source: HelpNet Security)