Configure advanced AppViz properties

This topic describes the advanced configuration available for AppViz in the user.properties file on the AppViz server.

Access and edit the user.properties file

The user.propertiesAppViz configuration file is located on the AppViz server, at /home/bflow/config/user.properties.

Do the following:

  1. Open a terminal and log in to the AppViz server as user root.
  2. Browse to an open /home/bflow/config/user.properties for editing.

  3. Add or edit configuration parameters as needed. If the parameter is missing, add the parameter name and value on a new line.

    For details, see Advanced AppViz property reference.

  4. When you're finished, save the file and restart AppViz. For more details, see Restart AppViz.

Back to top

Advanced AppViz property reference

This section describes the advanced AppViz properties available for editing in the user.properties file.

Integer. The number of advance search results initially displayed on an advanced search results page.

For example, the following sets the number of advanced search results initially displayed to 15:

advanced-search.results.page_size=15

Boolean. Defines how the object update on device process works: bind endpoint to devices using the endpoint object or the device ID.

Note: This setting is used to enhance performance. If exceptions occur during the sync process, set to false.

true: Using endpoint object (default).

false: Using device ID.

For example,

afa.sync.device_batch_binder.through_objects=true

Integer. Defines the number of recent applications displayed in the applications menu.

application.recent.page_size=15

Default value: 10

Integer. Defines the number of application search results shown by default.

application.search.page_size=100

Default value: 100

Boolean. Determines whether AppChange change request handling is disabled, including all change request creation and all change request-related tabs.

Supported values:

  • True. Change requests are disabled from AppChange
  • False. Change requests are enabled in AppChange

Comma-separated list. Defines the FireFlow change request statuses that AppViz status changes will be triggered for.

By default, pending statuses for objects and applications in AppViz transition to their next status once FireFlow change requests reach the reconcile, pending match, or resolved statsues.

For example, the following sets the AppViz status to change when the FireFlow change request reaches the pending match, matched or resolved status:

changerequest.status.resolved=pending match,matched,resolved

Determines whether application status is constantly refreshed.

  • True. (Default) Enables constant application refreshes.
  • False. Disables constant application refreshes.

Tip: Use together with risk.enable to enable automatic data refreshes.

Integer. Determines the maximum number of flows combined per application during a discovery process.

Default: 50

For example, the following sets the default value to 60 flows:

discovery.max_flows_per_application=60

Tip: The larger the number of maximum flows per application, the more specific each flow will be. The smaller the maximum number of flows per application, the more AppViz will optimize and combine flows.

String. Defines the minimum percentage of the IP addresses required to be found in a specific CIDR, for the CIDR to be suggested as a source/destination value.

This is relevant for the optimization process performed during discovery from traffic logs.

Supported values

Supported values include:

  • Integer between 0 and 1. Indicates a static minimum percentage.

    For example, .4 sets the minimum density to a static 40%, regardless of CIDR size.

  • auto. Determines that AppViz determines the optimum density automatically, depending on the size of the CIDR.

    Larger CIDRs require less density.
Default value

0.3

This value determines that by default, the IP addresses in the traffic logs must be at least 30% of the CIDR to be suggested as a source/destination value.

Default: 10

endpoint.search.page_size=100

Default: 100

Boolean. Determines whether AppChange opens change requests in FireFlow for specific device objects by adding the device name to the object in the source/destination value.

Supported values:

  • True. AppChange appends the device name to the object in the source/destination.
  • False. AppChange does not append the device name to the object.

Note: This feature must be used together with the Set($StoreFirewallSuffixInHostGroup, '1')FireFlow command.

Boolean. Determines whether AppChange passes the names or content of the network objects when opening change requests in FireFlow.

Supported values:

  • True. AppChange passes the content of the network objects.
  • False. (Default) AppChange passes the network object name.

The value determines whether AppViz compacts the IP addresses before opening a Change Request in order to minimize the number of actions the Change Request needs to execute.

For example:

fireflow.ranges.compact=true

Boolean. Determines whether AppChange passes the names or content of the service objects when opening change requests in FireFlow.

Supported values:

  • True. AppChange passes the content of the service objects.
  • False. (Default) AppChange passes the service object name.

Boolean. Determines whether AppViz differentiates between traffic that is explicitly allowed by a rule and traffic that is allowed because it is unprotected or unfiltered.

Supported values:

  • True. AppViz differentiates between explicitly allowed traffic and unprotected/unfiltered traffic.
  • False. (Default). AppViz does not differentiate between allowed traffic types.

For example, you may want to enable this feature when using micro-management within subnets.

flow.connectivity.display_unprotected=true

When configured, AppViz indicates this in the FLOWS tab as follows:

  • All allowed flows appear with a green connectivity indicator.
  • All unprotected flows appear with a striped indicator.

For example:

Additionally, this information is available in:

Flow exports / API responses

When AppViz provides connectivity information about flows, the values will specify whether the flow is "allowed" (protected) or "unprotected".

Note: By default, AppViz does not include connectivity information in flow exports.

For details, see flow.connectivity.export and Export flows directly from AFA.
Application search abilities

When performing an advanced search for applications By Connectivity, you will have the option to specify whether to search for applications with allowed flows that are protected or allowed flows that are unprotected.

For more details, see Business applications.

Note: Unprotected flow detection has no impact on application connectivity status, only flow connectivity status.

An application whose flows are all allowed (protected or unprotected) will always have the connectivity status Allowed.

Boolean. Determines whether flow connectivity data is exported together with an application's flows.

  • True. Connectivity data is exported together with the flows.

  • False. (Default) No connectivity data is exported.

When configured , exported connectivity data includes any of the following values:

  • Allowed
  • Blocked
  • Partially blocked
  • No connectivity information
  • Unprotected.

Note: Unprotected appears only when AppViz is configured to detect unprotected flows.

Otherwise, all allowed traffic is assigned the Allowed value. For details, see flow.connectivity.display_unprotected .

String. Determines the delimiter used in CSV import files.

Default value: , (comma)

For example, change this to a colon if needed:

import.delimiter=:

String. Defines the encoding used for imported files.

Default value: UTF-8

String. Determines the order of preference used when optimizing network objects from different sources.

During discovery, if more than one network object is found with the same name, AppViz selects the object to use based on origin preference configured.

Supported values

Source values include:

  • BusinessFlow. Objects created in AppViz
  • Imported. Objects imported from a discovery server or a CSV file.
  • Device. Objects from an AFA device.
Default value

Imported, BusinessFlow, Device

For example, the following sets the priority sequence to BusinessFlow, Imported, Device :

network_entity.origin.order=BusinessFlow,Imported,Device

Note: Network objects that originate from the same place cannot have the same name, except for device objects. If two device objects with the same name (but different content) exist, the CSV file validation will fail.

If two device objects defined on different devices have the same name and the same content, AppViz will treat them as one object and validation will succeed.

Boolean. Determines whether AppViz is enabled to define device object definitions on the device using AppChange.

Supported values:

  • True. Enables AppViz to define device object definitions on the device.
  • False. Disables the ability for AppViz to define device object definitions on the device.

String. Determines the permissions granted by default to all AppViz users.

Multiple values separated with commas.

For example, the following sets the initial permissions for all users to create applications and view all applications:

permissions.initial=ROLE_CREATE_APPLICATION,ROLE_VIEW_ALL_APPLICATION

For more details, see AppViz permission reference.

Default values:

All users

Default permissions for all users include:

  • Create applications
  • Update vulnerability
  • Edit network objects
  • Edit service objects
Privileged users Privileged users have additional permissions to update risk information by default.
Administrators

Administrator users receive all permissions by default.

Determines the permissions granted by default to AFA-only users.

For example, the following sets the initial permissions for AFA users to view risk information and update vulnerability information:

permissions.initial.afa_user=ROLE_VIEW_RISK,ROLE_UPDATE_VULNERABILITY

For more details, see AppViz permission reference.

Determines whether risk checks are run automatically when a pending revision becomes active.

  • True. (Default) Enables automatic risk checks.
  • False. Disables automatic risk checks.

Tip: Use together with connectivity.enable to enable automatic data refreshes.

A semi-colon delimited list of networks, in CIDR format. Defines the internal/private zone networks.

Default value: 10.0.0.0/8;172.16.0.0/12;92.168.0.0/16

For example, the following sets the internal zone to 172.16.0.0/12 and 92.168.0.0/16:

security_zones.default_internal_network_ranges=172.16.0.0/12;192.168.0.0/16

Defines the number of services displayed.

service.recent.page_size=10

Default 10.

Defines the number of service search results displayed.

service.search.page_size=100

Default 100

String. Determines ownership of shared flows, which are general or partial flows that may be relevant to many applications.

Note: Shared flows specify only a source or destination, leaving the remaining field only with a placeholder value. When an application subscribes to another application's shared flows, the subscribing application specifies a value for the placeholder.

Supported values include:

sharingApplication (Default)

Determines that the application with the shared flows is defined as the flow owner.

Editing a shared flow or a subscribed flow creates an application draft for the application with the shared flow.
combined

Determines that ownership is shared across several applications.

  • Editing a shared flow creates a draft for the application with the shared flow.
  • Editing a subscribed flow's placeholder value creates a draft for the subscribed flow.

The application with the shared flow and the application with the subscribed flow will both reflect the risks, connectivity, etc., derived from the subscribed flow.

Note: When a change is pending for traffic relevant to a shared or subscribed flow, the flows cannot be edited, deleted or added in any application.

For more details, see Application flows.

Integer. Determines the maximum upload size, in MB.

For example:

upload.max_size=100

Back to top

AppViz permission reference

 

Permission name

Permission to...
ROLE_APPLY_DRAFT Apply application drafts.
ROLE_CREATE_APPLICATION Create a new application.
ROLE_CREATE_LABELS Create labels.
ROLE_CREATE_SHARED_FLOWS Create a shared flow.
ROLE_EDIT_ALL_APPLICATION Edit all applications.
ROLE_EDIT_APPLICATION_INFORMATION Edit application custom fields, labels, and contacts.
ROLE_EDIT_NETWORK_OBJECTS Edit network objects.
ROLE_EDIT_SERVICE_OBJECTS Edit service objects.
ROLE_SYNC_OBJECT Run an update process for a device object.
ROLE_UPDATE_CONNECTIVITY Update connectivity.
ROLE_UPDATE_RISK Update risk information.
ROLE_UPDATE_VULNERABILITY Update vulnerability
ROLE_VIEW_ACTIVITY_LOG View activity log information for applications and network objects.
ROLE_VIEW_ALL_APPLICATION View all applications.
ROLE_VIEW_CHANGE_REQUESTS View change request information for applications, network objects, and service objects.
ROLE_VIEW_CONNECTIVITY View connectivity.
ROLE_VIEW_RISK View risk information.
ROLE_VIEW_VULNERABILITY View vulnerability information for applications.