What's new in A30.10
The AlgoSec Security Management Suite brings business-driven intelligent automation and orchestration of security changes, visibility and control for application connectivity and security, and an enterprise-grade platform and SaaS service.
This topic describes new features available in AlgoSec Security Management Suite version A30.10.
AppViz and AppChange
ASMS A30.10 brings full productization of the AlgoSec AppViz and AppChange add-ons, available over AFA and FireFlow, respectively.
The AppViz and AppChange add-ons replace the functionality previously provided by BusinessFlow. These plugins are installed with and accessed from within AFA and FireFlow but are licensed separately.
Users with AppViz will see the additional AppViz menu item at the bottom of the main menu on the left.
Users licensed for AppChange will also have the following additional features available:
- The Change Requests tab, to manage FireFlow change requests from AppViz
- The Resolve button, to resolve FireFlow change requests automatically from AppViz
- The Apply Changes button, to apply changes as specified in the FireFlow change request from AppViz
- The Projects menu, to manage AppViz projects with FireFlow change requests
For more details, see Welcome to AppViz.
Additionally, ASMS A30.10 enhancements for AppViz include the following:
ASMS A30.10 provides enhanced configuration options and newly configured wizards for discovering applications using AlgoSec AutoDiscovery or Cisco Tetration.
In the AppViz Administration area, configure an AutoDiscovery or Cisco Tetration server to use for discovering applications. For AutoDiscovery, you can also configure ongoing synchronization to regularly update application data in AppViz.
In AppViz, click the DISCOVERY tab on the left to start discovering applications and importing them into AppViz.
The ASMS license now includes AutoDiscovery instead of requiring a separate license file.
When logging in to AutoDiscovery for the first time you must connect AutoDiscovery to the AFA machine in order to load this license.
For more details, see AutoDiscovery.
Note: AutoDiscovery in A30.10 also provides additional parameters for cluster sensitivity, accessing web servers, saving initial topology baselines, and entry point configuration. For details, see Configure AutoDiscovery.
Enterprise-grade and openness
ASMS A30.10 provides the following updates for enterprise-grade features:
- Central Manager migration
- Device relocation between nodes
- ASMS open APIs
- Cloud and hybrid-cloud
Tip: You may want to migrate your Central Manager or relocate devices if you are moving your data centers to a new location or to the cloud, moving to a new set of upgraded appliances, or if you're adding additional appliances to your system.
For an example, see Use case scenario: Migrating an entire ASMS system.
ASMS A30.10 enables system administrators to migrate an ASMS Central Manager to another appliance via the algosec_conf CLI menu.
This support includes migrations to a virtual appliance, AlgoSec hardware appliance, or an AWS/Azure instance.
For more details, see Migrate the Central Manager.
ASMS A30.10 also enables system administrators on distributed architectures to relocate devices using the algosec_conf CLI menu or new REST APIs.
Relocate the devices as needed using the following architectural options:
- From the ASMS Central Manager to Remote Agents
- From Remote Agents to the ASMS Central Manager
- Between different Remote Agents
For details, see Relocate devices.
ASMS's REST APIs now include enhanced Swagger support, enabling you to execute API request calls and access lists of request parameters directly from Swagger.
Access the ASMS interactive Swagger APIs from AFA, FireFlow, or AppViz. Click your username at the top-right corner of your screen and select API Documentation. Alternatively, log in to ASMS and navigate to https://<ASMS IP address>/algosec/swagger/swagger-ui.html.
In Swagger, select the spec for the APIs you want to view from the drop-down at the top-right.
For details, see ASMS API reference.
In A30.10, we’ve also added several new REST APIs:
Rules hit count
Count the number of times a specific rule has been hit by network traffic during a specified time period.
This API enables you to better understand and control your network rules. For example, if a rule has a low hit count, you may consider optimizing or removing it.
For details, see Rules hit count.
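The triage step this section describes (low hit count suggests a rule to optimize or remove), as an added example that is not AlgoSec code and does not call the ASMS API: it takes hit-count results in a hypothetical record shape (constructed sample data, not the API's schema) and normalizes them by the query period, so a rule counted over a one-day window is not mistaken for an unused one.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RuleHitCount:
    """One hit-count result. Hypothetical record shape, not the ASMS API schema."""
    rule_id: str
    hits: int
    period_start: date
    period_end: date

    def days(self) -> int:
        # Treat a same-day query as a one-day period to avoid dividing by zero.
        return max((self.period_end - self.period_start).days, 1)

    def hits_per_day(self) -> float:
        return self.hits / self.days()


def classify(result: RuleHitCount, low_per_day: float = 1.0) -> str:
    """'unused' if never hit, 'low' if under the per-day threshold, else 'active'."""
    if result.hits == 0:
        return "unused"
    if result.hits_per_day() < low_per_day:
        return "low"
    return "active"


def review_candidates(results, low_per_day: float = 1.0, min_days: int = 30):
    """Rule ids worth reviewing for removal or optimization, least used first.
    Results counted over fewer than min_days are skipped: a short window says
    nothing reliable about usage."""
    candidates = [
        r for r in results
        if r.days() >= min_days and classify(r, low_per_day) != "active"
    ]
    candidates.sort(key=lambda r: (r.hits_per_day(), r.rule_id))
    return [r.rule_id for r in candidates]


# Constructed sample results for one firewall over Q1 2020 (90 days).
Q1 = (date(2020, 1, 1), date(2020, 3, 31))
SAMPLE = [
    RuleHitCount("fw1:rule-10", 0, *Q1),       # never matched
    RuleHitCount("fw1:rule-11", 40, *Q1),      # about 0.44 hits/day
    RuleHitCount("fw1:rule-12", 12000, *Q1),   # about 133 hits/day
    RuleHitCount("fw1:rule-13", 5, date(2020, 3, 30), date(2020, 3, 31)),  # 1-day window
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.rule_id, classify(r))
    print("review:", review_candidates(SAMPLE))
```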
Relocate devices between nodes in distributed architecture, check relocation progress, or cancel a device relocation process.
New APIs support the following activities:
Run a traffic simulation query (TSQ)
Perform a traffic simulation query on a single device or groups of devices.
Note: While this API was already supported in the AFA SOAP API, ASMS A30.10 supports this in REST as well.
For details, see Traffic simulation query.
Device management APIs
New CRUD (Create, Read, Update, Delete) APIs to manage your AFA devices.
These APIs support all device brands supported by AFA, including cloud and management devices, and enable the following activities:
Get all current analysis statuses
Get the status of all analysis processes currently running in AFA.
For details, see Retrieve an analysis status.
In A30.10, we’ve started to expose additional methods for AFA in Swagger. We invite you to explore our new Swagger options and find new APIs to enhance your ASMS experience. For example:
- Get report statistics
- Download report zip files
- Get all cloud devices managed in AFA
- Get all network or service objects for a specified device
ASMS A30.10 introduces new graphs and dashboards in the AlgoSec Reporting Tool (ART), which have an executive focus. Additionally, A30.10 enables you to navigate between dashboards using the new AlgoSec Navigation pane, located at the top of the page. For example, the following image shows a sample Executive – Workload dashboard, with the AlgoSec Navigation pane highlighted with several more dashboard options.
For more details, see AlgoSec Reporting Tool.
AlgoSec CloudFlow provides instant visibility, risk detection, and mitigation for cloud misconfigurations, and also simplifies network security policies with central management and cleanup capabilities.
CloudFlow's central management features provide instant visibility and risk assessment, helping you to enforce company and regulatory policies, as well as proactively detect misconfigurations in the cloud.
In A30.10, we’ve integrated CloudFlow access with ASMS, enabling CloudFlow users to open their tenants directly from the top-left menu.
In ASMS, click the top-left dropdown menu and then click CloudFlow. The CloudFlow login page opens in a separate tab.
Recent CloudFlow enhancements include support for AWS SG and Azure NSG network risks, as well as streamlined risk trigger remediation.
Devices and automation
ASMS A30.10 brings the following enhancements and updates for device and automation support:
- One-armed service chaining
- Enhancements for Juniper Space Security Director
- FireFlow support for F5 AFM devices
- Maximized traffic workflow optimization
AFA now supports one-armed setup for devices running in Service Chaining modes, where traffic flows in both directions on the same firewall interface. This additional support is provided for single-device queries and risk analysis.
For example, if you have a Check Point CloudGuard device running in a one-armed topology and part of a Cisco ACI Service Graph, AFA now displays that traffic correctly as exiting and entering on the same interface.
AFA now provides support for one-armed configurations for the following device types:
- Check Point CloudGuard
- Cisco Firepower
- Palo Alto firewalls managed by Panorama
ASMS A30.10 provides the following updates for Juniper Space and SRX firewalls managed by Juniper Space:
AFA now provides increased granularity for Virtual Routers, VRFs, and Secure Wires on Juniper SRX firewalls managed by Juniper Space Security Director. This granularity allows a greater level of route analysis and accurate automation design.
This support provides AFA functionality at each level in the device tree: Space > SRX > LSYS > Virtual Router, VRF, or Secure Wire.
In the device tree, AFA displays each supported routing instance as an additional node level. For example:
AFA now provides support for RIB groups and next-table commands as next-hop routers (NHRs) for SRX devices managed by Juniper Space Security Director.
When AFA detects either of these inter-VR routing configurations, it adds fake (back-plane) interfaces to the Juniper Space URT file to simulate these connections. These connections can then be displayed on the AFA network map and in query results.
AFA now provides support for IPSec VPN tunnels and VRF with MPLS tunnels over BGP for Juniper Space Security Director devices.
In A30.10, these tunnels are displayed on the AFA network map and in reports, enhancing the accuracy in your map and FireFlow initial plans.
For example, the following image shows traffic simulation query results in which traffic is routed between Juniper Space devices via an MPLS tunnel. The tunnels are connected automatically and are considered during traffic simulation queries:
For more details, see Junos Space Security Director devices in AFA.
FireFlow now supports work order recommendations on traffic workflows for F5 AFM devices, which FireFlow users can follow and implement manually on their devices.
Tip: If you are using an LTM-only device, use the BIG-IP LTM Only option to add your device to AFA.
For more details, see Add F5 BIG-IP load balancers.
In A30.00, FireFlow work orders always recommended creating new contracts for ACI-related change requests.
In A30.10, FireFlow checks whether an existing contract can be modified to accommodate the requested traffic instead of creating a new contract. This accommodates new change requests while avoiding policy bloat.
Additionally, the new CiscoACICreateNewFiltersOnCommonTenant FireFlow configuration parameter enables FireFlow administrators to determine whether to create new filter objects on the user tenant or the common tenant.
Cisco partnership enhancements
ASMS A30.10 continues to strengthen the partnership between AlgoSec and Cisco, with the following enhancements:
- Cisco Firepower baseline compliance reports
- Enhanced support for Cisco ACI
Note: A30.10 also brings enhanced support for discovering flows via Cisco Tetration servers. For more details, see Discovery wizards for AutoDiscovery and Cisco Tetration.
ASMS now provides Baseline Compliance reporting for Cisco Firepower devices.
AFA administrators can select a baseline profile: the one provided by AlgoSec out of the box, a modified version of it, or a custom profile of their own.
Note: AlgoSec's baselines for Cisco products, such as Firepower devices, are based on the CIS guidelines and other sources for best practices.
For drop traffic requests that result in changes on Cisco ASA devices, FireFlow’s default recommendation is now to simplify or remove existing rules instead of adding additional deny rules to your policy.
These updated recommendations help keep your policy clean, avoiding complexity and future complications.
Recommendations are updated both for requests originating from FireFlow users and for requests from AppViz users with AppChange enabled.
ASMS A30.10 provides the following enhancements for Cisco ACI support:
The AFA map and traffic simulation query maps now show Cisco ACI VRFs using a new Cisco ACI icon.
These maps provide more accurate and detailed traffic simulation query results, and support cases of ACI in transit mode, where traffic flows through ACI even if the source and destination are not within the ACI fabric.
Like other devices, the traffic simulation query considers any relevant Cisco ACI VRFs found in the requested traffic path. For any VRF found in the path, the query results show the ACI tenant that the VRF belongs to in the list of devices in path.
As in version A30.00, traffic simulation queries also specify when the source or destination resides in the ACI fabric.
The following example shows a traffic simulation query that includes a Cisco IOS device in the external network, a Cisco ACI VRF, as well as a Cisco ACI EPG in the connected subnet.
For more details, see AFA's graphic network map.
Cisco's contract-preferred group (CPG) mechanism enables users to streamline the configuration of access between EPGs within a single VRF, without the need to define explicit contracts.
In A30.10, AFA now supports ACI devices with CPGs. If your ACI VRF has a CPG enabled, AFA understands this configuration, and which traffic is allowed.
To simulate the CPG configuration in AFA, AFA adds an artificial rule to the internal ASMS model of the network policy. This rule only reflects the traffic allowed by the CPG and is not added to the ACI device itself.
The new rule (contract) is added to the end of the network policy and is displayed both in AFA and in AFA reports.
For example, the following image shows two new contracts added to the bottom of the AFA POLICY tab, reflecting two CPGs configured for the ACI device:
For more details, see POLICY Page.
For more details, see Cisco Application Centric Infrastructure (ACI) devices in AFA.