View policy data

This section explains how to examine policies in AFA.

Note: Searching the policy in the Policy tab is the preferred method for locating objects. For details, see Searching policies.

Note: Because the Policy tab does not show NAT rules, use the Locate Object feature's Find in Rules option to locate objects in NAT rules. For details, see Locate rules that use specific objects.

Viewing policies

To view a policy:

  1. View the desired device, group, or matrix. For details, see View AFA device data, View AFA group data, and View AFA matrix data.

  2. Click the Policy tab.

    The Policy tab appears in the workspace.

    The columns that appear in the Policy tab are specific to each device brand. If AppViz is licensed, fields from AppViz appear, indicating business information such as which rules are included as flows in which applications.

    Note: NAT rules do not appear in the Policy tab. To locate NAT rules, see Locate objects.

    Note: If AppViz is licensed, you can export traffic flows from the policy to AppViz. For more details, see Export flows from AFA.

  3. To search the policy for rules and objects, see Searching policies.


Searching policies

AFA provides the ability to perform advanced searches on policies.

For example, you can locate all device rules that use a specific object—whether the rules include the object explicitly or include an object containing the object—in any device, group, or matrix, or in any type of report. This is useful when planning to update or remove an object, since it enables you to detect all the rules that will be affected by the change.

Note: NAT rules do not appear in the Policy tab. To locate NAT rules, see Locate rules that use specific objects.

To search a policy:

  1. View the policy you want to search. For details, see Viewing policies.
  2. In the drop-down list, select the field to search.

    All Fields is the default option.

    If you select the Source, Destination, Source or Destination, Services or All Fields options in the drop-down list, the search will also return rules with objects that contain the specified IP address(es) or services. All other fields perform a simple textual search.

    Note: Depending on your AFA configuration, this search feature may not function in this way. If your AFA is configured to always perform only a textual search, use the Locate Object feature to search for objects that contain specific IP addresses. For details, see Locate objects.

  3. In the Contains field, type a string, IP address, IP range, service, range of services (e.g., "TCP/20-50" or "All TCP"), or object name for which you want to search the policy. To search specifically for empty fields, type [EMPTY].
  4. To add another search parameter, click And, then complete the fields in the manner previously described.
  5. To include results which contain the searched IP address(es) or service(s) only because they contain "any", "all", or "*", select Include 'ANY'.
  6. To find rules that contain objects which contain only/exactly the IP address(es) or service(s) you searched for, select Exact Match.
  7. Click Find rules.

    The policy is filtered according to the specified parameters.

    Objects that contain what was searched will appear highlighted in the search results.

Note: For Check Point devices, the results show one device to represent each policy. Multiple devices with the same policy will not appear in the search results.


Add/remove AFA rule comments

AFA supports adding comments to rules. The comments will appear in the rules' Documentation fields and in all device/group/matrix reports where the rules appear. You can add comments to a single rule, or add the same comments to multiple rules simultaneously.

Note: These comments are only visible in AFA, not on the devices themselves.

Note: AFA administrators can disable or enable the Documentation field and add more such fields. For more details, see Custom documentation fields.

To add/remove comments from a single rule:

  1. View the device/group/matrix policy, and locate the rule you want to edit. For details, see Searching policies.
  2. In the desired rule's row, click .

    The Edit Documentation dialog box appears.

  3. Select the check box(es) next to the field(s) you want to edit.
  4. Type your comments for the rule in the field(s) or delete the comments you want to remove.
  5. Click Update.

    The comments are added/removed.

To add or remove the same comments from multiple rules:

  1. View the device/group/matrix policy, and locate the rules you want to edit. For details, see Searching policies.
  2. Select the check boxes next to the desired rules.
  3. Click the Add Values link.

    The Edit Documentation dialog box appears.

  4. Select the check box(es) next to the field(s) you want to edit.
  5. Type your comments for the rules in the field(s) or delete any comments you want to remove.
  6. Click Update.

    The comments are added or removed from all the selected rules.


Locate objects

You can locate all objects which contain a specific IP address or range in a device, group, matrix, or in a specific report.

To locate an object:

  1. Do any of the following, as described in View AFA device data, View AFA group data, and View AFA matrix data:

    • To search a device for an object, view the desired device.
    • To search a group for an object, view the desired group.
    • To search a matrix for an object, view the desired matrix.
    • To search a single device report for an object, view the desired device, click the Reports tab, and then select the check box next to the report in which you want to locate the object.
    • To search all device reports for an object, view the ALL_FIREWALL group, then click the Reports tab, and then select the check box next to the report in which you want to locate the object.
    • To search a group report for an object, view the desired group, click the Reports tab, and then select the check box next to the report in which you want to locate the object.
    • To search a matrix report for an object, view the desired matrix, click the Reports tab, and then select the check box next to the report in which you want to locate the object.
  2. Click Locate Object.

    The Locate Object page appears.

  3. Specify the object you want to locate.

    You can select an individual IP address, a range of IP addresses, or a host group that is defined on the device(s). If you wish to select a host group, you can search the defined names alphabetically, or by using the search filter.

  4. Click Find in Objects.

    A new window opens displaying a list of objects with the specified IP address, range, or host group, in the specified devices and/or matrices.

  5. To export the results to PDF format, click . For more details, see Export AFA screens to PDF.


Locate rules that use specific objects

You can locate all device rules that use a specific object—whether the rules include the object explicitly or include an object containing the specific object—in any given device, group, or matrix, or in any type of report. The procedure below should be used when searching for NAT rules.

Otherwise, the recommended method to locate rules is through the Policy tab. For more information, see Searching policies. NAT rules do not appear in the Policy tab.

To locate rules that use a specific object:

  1. Do any of the following, as described in View AFA device data, View AFA group data, and View AFA matrix data:

    • To search a device for an object, view the desired device.
    • To search a group for an object, view the desired group.
    • To search a matrix for an object, view the desired matrix.
    • To search a single device report for an object, view the desired device, click the Reports tab, and then select the check box next to the report in which you want to locate the rules.
    • To search all device reports for an object, view the ALL_FIREWALL group, then click the Reports tab, and then select the check box next to the report in which you want to locate the rules.
    • To search a group report for an object, view the desired group, click the Reports tab, and then select the check box next to the report in which you want to locate the rules.
    • To search a matrix report for an object, view the desired matrix, click the Reports tab, and then select the check box next to the report in which you want to locate the rules.
  2. Click Locate Object.

    The Locate Object page appears.

  3. Specify the object you want to locate, by doing one of the following:
    • To select a host group that is defined on the device(s):
      1. In the Select Address by area, choose Host group.
      2. Select the host group you wish to locate. You can search the defined names alphabetically, or by using the search filter.
    • To select an individual IP address:
      1. In the Select Address by area, choose IP Address.
      2. Type the IP address you wish to locate.
      3. To locate rules with objects that contain only the specified IP address, select the Exact match check box.
    • To select a range of IP addresses:
      1. In the Select Address by area, choose IP Range.
      2. Type the starting and ending IP addresses for the IP range you wish to locate.
      3. To locate rules with objects that contain only the specified IP range, select the Exact match check box.
    • To select a specific traffic flow:
      1. In the Select Address by area, choose Flow.
      2. Specify the source and destination by selecting or typing an individual IP address, a range of IP addresses, or a host group. If you wish to select a host group, you can search the defined names alphabetically, or by using the search filter.

        If you type a host group whose name is an IP address, enclose it in quotation marks (for example, "10.20.1.1").

      3. To locate rules with objects that contain only the IP addresses specified in source and destination, select the Exact match check box.

      Note: For Cisco devices, locating rules with the exact match feature will not return results where the IP address was added directly to the rule (not within a network object).

  4. Click Find in Rules.

    A new window opens displaying a list of rules containing the specified object, in the specified devices and/or matrices.

    The yellow highlighting indicates which IP address, range of IP addresses, or host groups contain the object you want to locate.

  5. To see a host group's definition, click on the host group.
  6. To export the results to PDF format, in the top-right corner of the report, click . For more details, see Export AFA screens to PDF.

    Tables at the end of each device display relevant network and service object definitions. Clicking on the object in a rule will bring you to its definition in these tables.

  7. To export the results to CSV format, in the top-right corner of the report, click . Follow your browser prompts to open the file.
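The matching behaviour described in Searching policies (containment through nested objects, Exact Match, Include 'ANY', and the [EMPTY] keyword) and in the Exact match option of Locate Object's Find in Rules, modelled on a constructed sample policy. This is an added illustration, not AFA code: the OBJECTS/RULES data, the search_rules function and its options are assumptions that approximate the behaviour this page describes, not AFA's internal logic.

```python
import ipaddress
# Constructed sample policy (not AFA data). Groups list other objects; "any" = wildcard.
OBJECTS = {
    "web-srv": ["10.20.1.1"],
    "db-srv": ["10.20.1.2"],
    "dmz-net": ["10.20.1.0/24"],
    "app-group": ["web-srv", "db-srv"],  # group containing other objects
}
RULES = [
    {"rule": 1, "source": ["any"], "destination": ["web-srv"]},
    {"rule": 2, "source": ["dmz-net"], "destination": ["any"]},
    {"rule": 3, "source": ["app-group"], "destination": ["db-srv"]},
    {"rule": 4, "source": [], "destination": ["any"]},  # empty source field
]

def members(name):  # the object itself plus every nested group member
    yield name
    for m in OBJECTS[name]:
        if m in OBJECTS:
            yield from members(m)

def resolve(name):  # flatten an object (through nested groups) into networks
    return {ipaddress.ip_network(m, strict=False)
            for obj in members(name) for m in OBJECTS[obj] if m not in OBJECTS}

def parse_query(text):  # IP, CIDR, 'a-b' range, or object name -> networks
    if text in OBJECTS:
        return resolve(text)
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        return set(ipaddress.summarize_address_range(lo, hi))
    return {ipaddress.ip_network(text, strict=False)}

def search_rules(rules, field, text, exact_match=False, include_any=False):
    """Rule numbers whose `field` matches `text` with AFA-like search semantics."""
    if text == "[EMPTY]":  # AFA's keyword for searching empty fields
        return [r["rule"] for r in rules if not r[field]]
    query, hits = parse_query(text), []
    for r in rules:
        names = [n for n in r[field] if n != "any"]
        if exact_match:  # an object, or a nested member, is exactly the query
            matched = any(resolve(m) == query for n in names for m in members(n))
        else:  # containment: some object's networks cover every queried network
            matched = any(all(any(q.subnet_of(n) for n in resolve(o)) for q in query)
                          for o in names)
        if not matched and include_any and not exact_match and "any" in r[field]:
            matched = True  # returned only because the field is the wildcard
        if matched:
            hits.append(r["rule"])
    return hits
```

Searching the destination field for 10.20.1.1 returns only rule 1 unless Include 'ANY' is set, which also brings in the wildcard rules 2 and 4; searching the source field with Exact Match returns rule 3 because app-group contains an object that is exactly that address.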
