Natural Language Interface for Firewall Configuration

TL;DR

This paper introduces a natural language interface for firewall configuration that translates plain language policies into vendor-specific commands, enhancing usability and safety with validation layers.

Contribution

It presents a novel framework combining natural language processing, an intermediate schema, and validation layers to improve firewall policy management.

Findings

Prototype successfully translates natural language to Palo Alto configurations.

Validation layers improve rule safety and correctness.

Framework is extensible to other firewall platforms.

Abstract

This paper presents the design and prototype implementation of a natural language interface for configuring enterprise firewalls. The framework allows administrators to express access control policies in plain language, which are then translated into vendor specific configurations. A compact schema bound intermediate representation separates human intent from device syntax and in the current prototype compiles to Palo Alto PAN OS command line configuration while remaining extensible to other platforms. Large language models are used only as assistive parsers that generate typed intermediate representation objects, while compilation and enforcement remain deterministic. The prototype integrates three validation layers, namely a static linter that checks structural and vendor specific constraints, a safety gate that blocks overly permissive rules such as any to any allows, and a Batfish based simulator that validates configuration syntax and referential integrity against a synthetic device model. The paper describes the architecture, implementation, and test methodology on synthetic network context datasets and discusses how this approach can evolve into a scalable auditable and human centered workflow for firewall policy management.