
Automated Firewall Operations and Management System at Ctrip

The article describes how Ctrip’s network security team built an automated, centralized firewall management platform that handles multi‑brand firewalls, streamlines policy queries, generation, and deployment, integrates with change‑ticket workflows, and dramatically improves operational efficiency while reducing human error.

Ctrip Technology

As online services grow, the number of firewalls and security policy entries increases, making manual operation impractical. Ctrip’s senior network security manager, Tian Guohua, explains the challenges of managing dozens of firewalls from five different vendors and the need for rapid policy provisioning.

The proposed solution is a centralized firewall operation management system that achieves transparency, standardization, automation, and efficiency. The architecture connects each firewall via API, performs hourly configuration backups, and stores routing and policy metadata in a unified model database.

Three core functional modules are built: topology calculation (determining which firewalls a traffic flow traverses), policy query (allowing users to self‑service query existing policies), and policy generation (automatically creating vendor‑specific configuration scripts). Additional tools such as password rotation, VPN tunnel management, and element queries are also integrated.

The workflow integrates with existing change‑management and ticketing systems. Users submit policy requests through a web portal; the system checks for existing policies, generates new ones if needed, routes special‑approval requests via automated email links, and, after manual review, automatically pushes configurations to the firewalls during the change window.
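The policy-query step (checking whether a requested flow is already covered before anything new is generated) can be sketched as follows. This is an added example, not Ctrip's code: the `Rule` model, the firewall names, the sample rules, the verdict labels, and the assumptions of first-match evaluation with an implicit deny are all hypothetical, and the firewall path is taken as already produced by the topology module.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:              # hypothetical vendor-neutral rule in the unified model
    firewall: str
    seq: int             # evaluation order on the device (lower is checked first)
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "any"
    ports: tuple         # inclusive (low, high)
    action: str          # "permit" or "deny"

def _match(rule, src, dst, proto, port):
    """Return 'full', 'partial' or None for one rule against the request."""
    if rule.proto not in (proto, "any") or not rule.ports[0] <= port <= rule.ports[1]:
        return None
    s, d = ip_network(src), ip_network(dst)
    rs, rd = ip_network(rule.src), ip_network(rule.dst)
    if s.subnet_of(rs) and d.subnet_of(rd):
        return "full"        # rule covers every address in the request
    if s.overlaps(rs) and d.overlaps(rd):
        return "partial"     # rule covers only part of the request
    return None

def query_policy(rules, path, src, dst, proto, port):
    """First-match verdict for the requested flow on each firewall in path."""
    verdicts = {}
    for fw in path:
        verdict = "no-match"     # assumed implicit deny: a new policy is needed
        ordered = sorted((r for r in rules if r.firewall == fw), key=lambda r: r.seq)
        for rule in ordered:
            kind = _match(rule, src, dst, proto, port)
            if kind == "full":
                verdict = "permitted" if rule.action == "permit" else "denied"
                break
            if kind == "partial":
                verdict = "review"   # an earlier rule splits the request
                break
        verdicts[fw] = verdict
    return verdicts

# Constructed sample rules (private address space, made-up firewall names)
RULES = [
    Rule("fw-edge", 10, "10.1.0.0/16", "10.2.0.0/16", "tcp", (443, 443), "permit"),
    Rule("fw-core", 10, "10.1.5.0/24", "10.2.0.0/16", "any", (0, 65535), "deny"),
    Rule("fw-core", 20, "10.1.0.0/16", "10.2.0.0/16", "tcp", (443, 443), "permit"),
]
```

A request is only skipped as "already in place" when every firewall on the path returns `permitted`; a `denied` or `review` verdict is the case where an earlier rule shadows a later permit and the request should go to manual review instead of straight to generation.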

By automating topology discovery, policy lookup, and configuration generation, the average time for a policy change dropped from over 30 minutes to about 3 minutes, a ten‑fold improvement, while also reducing the risk of human error.

The presentation concludes that the combination of these modules, a unified portal, and tight integration with ticketing and approval processes enables Ctrip to efficiently operate dozens of firewalls across multiple brands, delivering faster service to users and higher reliability for the network.
