Device report pages

This topic describes the pages included in device reports. For more details, see View AFA device data.

HOME page

The HOME page provides an overview of the device report. The page's content depends on your AFA modules.

  • Click the titles of the various widgets on the page to dive down to other pages in the report.
  • Click the Device Connectivity Diagram to zoom in for details.

RISKS page

The RISKS page summarizes all risk analysis findings.

The Risks page provides the following details:

  • The security rating for the device.

    The security rating indicates the device's degree of compliance with security standards. A security rating of 100% indicates full compliance. For information on how the security rating is calculated, as well as how to customize the security rating settings, see Configure security ratings.

  • The total number of risks in each severity category, not counting duplicates.
  • A graph displaying the security rating trend over time.

  • A list of all the device's risks, in decreasing order of severity.

    The list includes a brief summary of each threat: the risk, its trigger count (the number of times it was detected), and a brief description. The New label indicates risks that were not present in the previous report.

    Tip: Click a risk to drill down to a Risk Assessment page for more details about the risk and any related rules.

The following demonstrates a typical workflow to drill down to a problematic rule or group from the risks page.

  1. On the RISKS page in a report, click on a risk.

    The Risk Assessment appears, displaying the findings and the recommended remedy. The risk is presented in a descriptive manner with links to every entity that is associated with the risk.

    In the example below, AFA shows you the number of internal and external IP addresses that have access or are reachable by the risky service.

  2. Click the Details button to view the specific rules that allow access to the risky services.

  3. In the example above, we see that rule 36 looks like an accept rule that allows outbound access. Allowing any outbound service is not recommended since it may be used by Trojan horses to attack business partners. However, this does not explain why any service is allowed from the outside. Therefore, we navigate further and click on the group GP_NW_Garden_ICN to examine its definition.

  4. The above figure shows that host group GP_NW_Garden_ICN spans the device:

    • The purple icon tells us that some of its IP addresses are outside of the network.
    • The blue icon shows that other IP addresses are on the inside.

    Since the rule that uses this host group allows access to any destination, the outside addresses (198.168….) are allowed to enter the network with any protocol. This is a serious vulnerability.

    In this case, the likely culprit is a typing error: the administrator probably planned to type "192" (which is an inside address) and mistakenly typed "198".

    Note: Similar vulnerabilities exist in virtually every large organization. A scanner will never find it. A human audit will rarely find it, since all IP addresses look the same. AFA finds and highlights all these vulnerabilities automatically, within minutes.

    Tip: Click on the icons in the IP ADDRESSES column to see where the IP addresses are located in the Connectivity Diagram.

RISKY RULES page

The RISKY RULES page shows the rules that pose risk to the policy. As opposed to the RISKS page which shows the risks triggered by risky policy rules, the RISKY RULES page details the rules that cause these risks.

At the top of the page, do any of the following:

  • In the Analysis Summary area, click links to drill down to rules, services, and host groups.
  • In the Risk Levels and Security Rating Trend graphs, view data about the risks on the device over time.

In the Findings table below the graphs, view details about each risky rule found. Additionally, do any of the following:

Filter the table rows

Click to filter the rules displayed.
Sort the table Click in each column to sort the table by that column.
Trust specific rules

Click Trust to add that rule to trusted traffic.

For more details, see Customize trusted traffic.
View rule details

Click the rule number to drill down to more details about that rule.
View risks

Risks are shown as colored boxes in the Risks column, indicating the number of risks in each severity for the rule described in that row.

For example, the following image shows that there is 1 risk with critical severity, 4 with medium, and 5 with suspected high.

Click a colored box to drill down to the selected risky rule and its risks. For more details, see Risks and vulnerabilities in AlgoSec Firewall Analyzer reports.
View vulnerabilities

Vulnerabilities are shown in the Vulnerability Score column, including the overall vulnerability score for the IP addresses covered by the selected rule, the number of vulnerabilities found and the scanning status.

For example, the following image indicates a vulnerability score of medium, with 83 vulnerabilities found, and one or more unscanned servers.

Click a colored box to drill down to the selected risky rule and its vulnerabilities. For more details, see Risks and vulnerabilities in AlgoSec Firewall Analyzer reports.

Note: Vulnerabilities with a CVSS score of 0 are ignored.

When you click a colored box in the Risks or Vulnerability Score column on the Risky Rules page, the page is refreshed with details about the selected risky rule only, and risks and vulnerabilities for that rule are shown in tabs below.

For example:

Do any of the following:

  • Switch back and forth between the tabs as needed, and continue to drill down to view additional information.
  • Use the breadcrumbs at the top of the page or the RISKY RULES menu item at the left to jump back to the main risky rules table.

  • Click the Vulnerability Score Legend link above the Findings table for details about vulnerability score colors.

    Indicates that you have unscanned servers.

Note: Vulnerabilities are displayed only if you have AppViz configured with vulnerability scanners in the AppViz Administration area. For more details, see Application vulnerability and Manage vulnerability assessment scanners.

Risk levels are configured in the AlgoSec Firewall Analyzer Administration area. For details, see Customize risk and compliance management.

The Risky Rules page is not included for VSYS/LSYS-level reports on the following device types:

  • Palo Alto Networks Panorama devices
  • Juniper SRX devices configured to display virtual routers

For these devices, the Risky Rules page is provided for VR reports only, because risky rules only trigger risks on VRs that route traffic.

Note: VSYS/LSYS reports do include all the risks for each of its VRs in the Risks page. For details, see RISKS page.

Additionally, this behavior is not relevant to Juniper Netscreen or NSM devices configured to display virtual routers. For Netscreen, the VR is not a sub-device of a virtual system, so every report includes the Risky Rules page.

REGULATORY COMPLIANCE page

The REGULATORY COMPLIANCE page includes a number of reports that describe how compliant your security policy is to specific regulatory standards.

To customize the Regulatory Compliance page, see Customize the regulatory compliance report.

Running these compliance reports will help you identify non-compliant items that require adjustment. Each report follows the reporting requirements of its standard. The reports can save you hours of work, especially when you need to prepare periodic compliance review.

The Regulatory Compliance page provides the following regulatory compliance reports:

The Payment Card Industry Data Security Standard (PCI DSS) report measures compliance levels by correlating data available to the AlgoSec system for the device under review with requirements of the PCI DSS v3.2 audit procedures. Using this report can save you hours of work when you need to prepare your annual or quarterly PCI DSS compliance report.

If AppViz is being used with a vulnerability scanner, this report can be configured to display the vulnerability of PCI applications. Requirement 6.1 specifies whether AppViz is being used and whether vulnerability scanner integration is enabled. If you configure the PCI zone and a vulnerability threshold in AFA, the requirement additionally specifies the servers in the PCI zone and the vulnerability assessment for all AppViz applications which intersect the PCI zone. For more details, see Configure the PCI zone.

The Sarbanes-Oxley Act (SOX) report measures compliance levels by correlating data available to the AlgoSec system for the device under review with requirements of the CobiT 5 control objectives and COSO components.

The ISO/IEC 27001 report measures compliance levels by correlating data available to the AlgoSec system for the device under review with requirements of the ISO/IEC 27001:2013 International Standard "Information technology - Security techniques - Information security management systems - Requirements" and of the companion ISO/IEC 27002:2013 "Code of practice for information security management" International Standard.

The NERC Standards for Critical Infrastructure Protection (NERC CIP) report measures compliance levels by correlating data available to the AlgoSec system for the device under review with requirements of the NERC Standards CIP-002-2, CIP-003-2, CIP-004-2, CIP-005-2, and CIP-007-2. Compliance with these requirements is required of all NERC-registered entities by June 30, 2010. The report addresses the requirements that apply to devices, filtering routers, and VPNs.

Note: By default, NERC version 4 is displayed. It is possible to configure AFA to simultaneously display version 3 and 4. Contact AlgoSec support for assistance.

The requirement numbers listed in the report are aligned with those specified in the relevant NERC Standards.

The NIST Special Publication 800-171 report measures compliance levels by correlating data available to the AlgoSec system for the device under review with requirements of the National Institute of Standards and Technology (NIST) document Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, Revision 1 (June 2015).

This publication provides federal agencies with recommended requirements for protecting the confidentiality of Controlled Unclassified Information (CUI):

(i) when the CUI is resident in non-federal information systems and organizations;

(ii) when the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of federal agencies;

(iii) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government wide policy for the CUI category or subcategory listed in the CUI Registry.

The NIST Special Publication 800-53 report measures compliance levels by correlating data available to the AlgoSec system for the device under review with requirements of the National Institute of Standards and Technology (NIST) Security and Privacy Controls for Federal Information Systems and Organizations , Revision 4 (April 2013). FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems , is a mandatory federal standard developed by NIST in response to FISMA. To comply with the federal standard, organizations first determine the security category of their information system in accordance with FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, derive the information system impact level (High, Moderate or Low) from the security category in accordance with FIPS 200, and then apply the appropriately tailored set of baseline security controls in NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.

The NIST Special Publication 800-41 report measures compliance levels by correlating data available to the AlgoSec system for the device under review with requirements of the National Institute of Standards and Technology (NIST) Guidelines on Firewalls and Firewall Policy , Revision 1 (Sep 2009).

The Gramm–Leach–Bliley Act (GLBA) report measures compliance levels by correlating data available to the AlgoSec system for the device under review with requirements of the Information Security IT Booklet issued by the Federal Financial Institutions Examination Council (FFIEC) in order to comply with the GLBA Safeguards Rule (section 501(b)).

The Basel-II report measures compliance levels by correlating data available to the AlgoSec system for the device under review with requirements of the Basel Committee on Banking Supervision's framework International Convergence of Capital Measurement and Capital Standards (June 2006). It follows the IT Governance Institute (ITGI)'s guidelines entitled "IT Control Objectives for Basel II" (2007) as expressed by the ten IT Guiding Principles (ITGP), and uses the Control Objectives for Information and Related Technology (CobiT) framework. In addition this report also refers to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control - Integrated Framework. Within each COSO component the report refers to specific IT Guiding Principles for Basel II numbers and CobiT 5 Control Objectives.

The BSI 200 report measures compliance levels by correlating data available to the AlgoSec system for the device under review with requirements of the BSI standard 200-1 information security management systems (ISMS) and its supplementary standard, the BSI standard 200-2 IT-Grundschutz methodology (BSI-Standard 200-1 Informationssicherheitsmanagementsysteme (ISMS) und dessen ergänzendem Standard, der BSI-Standard 200-2 IT-Grundschutz Methodik).

The ASDM report measures compliance levels by correlating data available to the AlgoSec system for the device under review with requirements of the Australian Signals Directorate's strategies to mitigate targeted cyber intrusions last updated December 2019.

Like the AlgoSec Sarbanes-Oxley report, the Financial Instruments and Exchange Law (Japan) report measures compliance levels by correlating data available to the AlgoSec system for the device under review with requirements of the CobiT 5 control objectives, in the Japanese language. Use this report to learn how well you are doing, and to present to your auditors as needed.

Note: If you see the titles of the risk items in English it means that you are using the English language pack. For more details, see Language.

The MAS TRM report measures compliance levels by correlating data available to the AlgoSec system for the device under review with requirements of the Technology Risk Management Guidelines (TRM) issued by The Monetary Authority of Singapore (MAS), updated January 2021.

The HIPAA report measures compliance levels by correlating data available to the AlgoSec system for the device under review with requirements of the Security Rule of the Health Insurance Portability and Accountability Act issued on February 20, 2003. The AlgoSec interpretation of the HIPAA act relies on both NIST SP 800-66 Revision 1, and The HIPAA Security Information Series.

The General Data Protection Regulation (GDPR) report measures compliance levels by correlating data available to the AlgoSec system for the device under review with requirements of the European Parliament and the Council of the European Union's regulation, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. For the purpose of this compliance report, AlgoSec uses the framework of ISO/IEC 27001.

The SWIFT report measures compliance levels by correlating data available to the AlgoSec system for the device under review with requirements of the SWIFT Customer Security Controls Framework based on the SWIFT Customer Security Programme (CSP) Guidelines, last updated in July 2019.

The HKMA report measures compliance levels by correlating data available to the AlgoSec system for the device under review with requirements of the Hong Kong Monetary Authority (HKMA) Supervisory Policy Manual (SPM) last updated in October 2019.

The General Law on Protection of Personal Data (LGPD) report measures compliance levels by correlating data available to the AlgoSec system for the device under review with requirements of the General Data Protection Law of the Federative Republic of Brazil, LEI No. 13,709, of August 14, 2018.

POLICY OPTIMIZATION page

To optimize your policy, you need to find out which rules are redundant, unused or already covered by other, more general rules. These rules are prime candidates for removal from your device policy. In addition, you need to see the statistics on the most and least used rules of a policy: the device's performance may improve if highly used rules are placed near the top of the rule-set, and infrequently used rules are moved further down. In addition, you need to know about unused and empty host group definitions and unused access lists, because these unused definitions clutter up the configuration and reduce your ability to manage your devices effectively.

Note: For Panorama or FortiManager devices, usage on a specific rule in a specific device will reflect the counts of all the devices that share this policy.

To view a training video that follows an Information Security Officer optimizing his organization's firewall policies, see Performing Policy Optimization Training.

In the Policy Optimization page, you can view the rules and objects which diminish your policy's effectiveness and efficiency. Additionally, a graphic display of the number of unused, time-inactive, un-logged and rules already covered by other rules is provided.

When you click on a link in the Rules Cleanup area all of the relevant rules appear. The columns which appear for each rule are specific to each device brand. If AppViz is licensed, fields from AppViz appear, indicating business information such as which rules are included as flows in which applications.

Below is a description of the different areas of the Policy Optimization page, including a summary of the types of rules and objects that can make a policy perform sub-optimally:

Rules Cleanup

Rules Cleanup enables the user to make your policy more streamlined and effective. It may include the following:

Rules that did not match any traffic according to the log data. By default, log data is kept for 60 days back. For Check Point and Juniper, this analysis is based on the collected logs. For Cisco Routers, AFA recognizes unused rules based on the access-list match counters.

Note: The match counters are collected every time the analysis runs, and their values are saved by AFA to allow long-term usage analysis (even when the device resets and counters are cleared).

If FireFlow is installed, you can open a FireFlow change request to disable these rules directly from the report. See Disabling Device Rules.

Rules that are covered by other, more general rules. A rule is covered if there is a combination of rules that are located above it in the rule set that together match all the traffic that could have been matched by the covered rule. As long as a rule is covered by other rules, it will never match any traffic. Therefore, covered rules are good candidates for elimination from the policy.

Note: Check Point's SmartDashboard automatically performs a quick check for covered rules; however, this test does not go into any depth. In contrast, AFA will find covered rules even if it is covered by a combination of multiple rules, and even if the host and service group names on the rules are different (but the IP addresses and port numbers are the same). In Cisco Routers a rule may even be covered by a combination of rules that are located in other access lists and attached to other interfaces: AFA will report on these rules as well.

If FireFlow is installed, you can open a FireFlow change request to disable these rules directly from the report. See Disabling Device Rules.

Clicking the Covered rules link will display each covered rule in a separate table along with the rules that cover it. The covered rule is at the bottom of the table (shaded in light gray).

Rules that are included in a subsequent rule and can therefore be removed.

If FireFlow is installed, you can open a FireFlow change request to disable these rules directly from the report. See Disabling Device Rules.

Note: When determining whether a rule is a redundant special case rule, AFA checks that both the rule and the subsequent rule that includes it have the same logging setting (enabled or disabled). If the setting is different, the rule will not be listed as a redundant special case rule. The logging setting is also examined when checking whether a rule is a consolidate rule. However, this setting is ignored for covered rules. If the traffic is caught by the first rule, it does not matter whether logging is enabled for the second rule, since the second rule will never be activated, and therefore can be safely deleted.

Rules that can be consolidated into one rule because they are identical except for one field: source, destination or service. The rules that AFA recommends to consolidate will always be allowing rules.

If FireFlow is installed, you can open a FireFlow change request to consolidate rules on Cisco Firewalls directly from the report. If needed, you can edit the AFA recommendation before opening the change request. See Consolidating Device Rules.

Disabled rules are rules that were disabled temporarily.

Time Inactive Rules are rules that only apply at certain dates or times - and are inactive at the time of analysis. Such rules are often leftovers from fix-time projects and temporary patches, and may be candidates for elimination.

Rules without logging are rules that do not produce log records when they match packets. Many organizations require all, or nearly all, rules, to produce logs, thus a list of rules without a log keyword may let you ensure that your policy complies with your organization's requirements. With the exception of Cisco devices, these rules are always excluded from the list of unused rules since an absence of log records does not confirm that no traffic was matched.

Note: For Cisco devices, AFA does not rely on logs to determine if a rule is unused.

These rules are rules that do not have comments. Many organizations require all rules to have a comment indicating who wrote the rule, when, why, and with whose authorization. For Cisco Routers, AFA recognizes rules with empty comments based on "set access-list remark" statements.

Rules with a time clause are rules that only apply at certain dates or times. Such rules may become redundant when their activity time passes (In which case they will be reported also as Time Inactive Rules).

These are rules that will expire within a certain number of days. To configure the number of days before expiration that a rule should be flagged as About to Expire, complete the Days before expiration alerts field in the General sub-tab of the Options tab in the Administration area. The default is 14 days. For more details, see Define AFA preferences.

Rules that are not routed through the device. A rule is unrouted if the entire source is not in the source zone, or the entire destination is not in the destination zone. Removing these rules will not affect the device's effective security policy.

Clicking the Unrouted rules link will display the rules in a table. The objects that are not in their respective zone appear highlighted.

Note: Unrouted rules are only supported for Juniper SRX, Juniper Netscreen, Juniper NSM, Palo Alto Networks, and Fortigate devices. Fortigate devices are not supported when defined in AFA via FortiManager, and SRX devices are not supported when defined in AFA, via Juniper Space.

Rules with source objects that are not in the source zone or destination objects that are not in the destination zone. Removing these objects from the rules will not affect the device's effective security policy.

Clicking the Unrouted objects within rules link will display the rules in a table. The objects that are not in their respective zone appear highlighted.

Note: Unrouted objects within rules are only supported for Juniper SRX, Juniper Netscreen, Juniper NSM, Palo Alto Networks, and Fortigate devices. Fortigate devices are not supported when defined in AFA via FortiManager, and SRX devices are not supported when defined in AFA, via Juniper Space.

Many corporate policies dictate that rule comments must contain the ID number for the change request for which the rule was created or changed. AFA allows specifying a regular expression that matches these ticket numbers, and then presents the rules with non-compliant comments (no ticket number).

To configure this functionality, complete the Report rules whose comment field... field in the General sub-tab of the Options tab in the Administration area. For Cisco Routers, AFA recognizes rules with non-compliant comments based on "set access-list remark" statements. For more details, see General.

Unused NAT rules are rules that, according to the device logs, are not used by the device.

Usage information about all NAT rules.

Redundant NAT rules translate traffic that is not permitted by any of the device policy rules.

Objects Cleanup

Objects Cleanup enables the user to clean unnecessary objects. It may include the following:

Unattached objects An object is identified as Unattached if it does not appear in any policy of any zone in the current device.
Empty Objects An object the does not have an IP address value. Perhaps at one time the object had an IP address, but keeping it now is redundant.
Duplicate Objects Two or more objects are identified as duplicate if they have different names but refer to exactly the same collection IP addresses and subnets.
Unused objects within rules The traffic that passes through the rule never reaches the object. For example, if IP 1.1.1.1 and IP 2.2.2.2 are in the same rule but all the traffic in the rule passes through 2.2.2.2, then 1.1.1.1 is an unused object.
Hostgroup Definitions Provides an index of all Host Groups that are defined by the device or generated by queries. Each Host Group record shows the IP address ranges it contains, any DNS names available, the interfaces on which its IP addresses can be found, and any other Host Groups that are its subsets or supersets.
Duplicate Services Two or more services are identified as duplicate if they have different names but refer to exactly the same protocol, source ports and destination ports.

Intelligent Policy Tuner

The Intelligent Policy Tuner (IPT) enables you to refine your policy, by identifying rules that are too wide and permissive, and rules which contain sparsely used and unused objects. It also provides recommendations for replacing permissive rules with new, tighter rules. See Refining Rules via the Intelligent Policy Tuner.

This area includes the following:

Tighten Permissive Rules Permissive rules that should be refined.
Unused objects within rules Rules containing objects that have not been used recently.
Policy tuner analysis for all rules Usage information about all rules.

VPN Cleanup (Check Point)

For Check Point devices, the Policy Optimization page also includes several items that refer to the VPN analysis page (see VPN page):

Expired users

Any VPN user whose access expiration date occurred before the report's date is flagged as Expired.
Users about to expire

Any VPN user whose access expiration date is a certain number of days after the report's date is flagged as About to Expire. To configure the number of days before expiration that a VPN user should be flagged as About to Expire, complete the Days before expiration alerts field in the General sub-tab of the Options tab in the Administration area. For more details, see General.
Unattached user groups

VPN user groups that do not appear in any rule in any policy that is managed by the Check Point SmartCenter or CMA are flagged as an Unattached User Group.
Unattached users

Any VPN user that does not belong to any user group is flagged as Unattached. Such users do not have any real VPN access since no rule can refer to them.

Application Control Rules Cleanup (Check Point)

For Check Point devices, if there is at least one application control rule, the Policy Optimization page also includes information about application control rules:

Unused rules

Application control rules that did not match any traffic according to the log data.
Rules without logging

Application control rules that do not produce log records when they match packets.
Disabled rules

Application control rules that were disabled temporarily.
All rules usage (count, last date)

Usage information about all application control rules.

Rule Reordering

These areas provide recommendations for optimizing the device rules for best performance and lower CPU utilization, an estimate for the device's performance, and suggestions for improving the performance with the most effective rule reordering. For more information, see Reordering Rules.

Rule Usage Statistics

In this area, you have access to the five most- and least-used rules. You can use this information to re-order your policy so the most popular rules are placed near the top of the rule set.

Policy optimization procedures

If FireFlow is installed, you can submit an Object Change request to remove unattached, empty, and unused objects in the device's policy, as well as unrouted objects within rules, directly from the Policy Optimization page.

To open a FireFlow change request to remove objects

  1. View the device's device report. For details, see View AFA device data.

  2. Click the Policy Optimization tab.

    The Policy Optimization page appears.

  3. Click on one of the supported object categories (Unattached objects, Empty objects, and Unused objects).

    The objects in the selected category appear.

  4. Do one of the following:
    • In the first column, select the check boxes next to the objects you want to remove.
    • Select the check box in the table heading to select all objects.

  5. Click Remove Selected Objects.

    The change request is created, and a notification appears with a link to the change request.

    If you want, the change request's fields may be modified later on. For more details, see Manage change requests.

    Note: When you remove more than one object, one change request is opened with multiple object lines.
  6. Click OK.

If FireFlow is installed, you can consolidate rules on Cisco ASAdevices directly from the Policy Optimization page, by doing the following:

  1. Open a FireFlow change request to add one or more consolidated rules, using the procedure below.

    The procedure describes two options:

    • Open the change request directly from the report.

      This option requires the 190:Verbatim Rule Addition request template (which is based on the bulk rules addition workflow) to be active in FireFlow.

    • Download a CSV file which you can edit and then use to manually open the change request in FireFlow.

      You can manually open the change request with the the 190:Verbatim Rule Addition request template or any custom template/workflow for adding rules to devices.

      Once the change is implemented on the device, the next AFA report will automatically identify the original rules as redundant. They will appear in the report as Redundant special case rules.

  2. Remove the redundant rules by opening another change request from the new report. See Disabling Device Rules.

    Note: The original rules will only be marked as Redundant special case rules if there are no rules with a "deny" action below the lowest original rule.

To open a FireFlow change request to add consolidated rules

  1. If not already configured, enable the Access Lists traffic field to the 190:Verbatim Rule Addition FireFlow change request template, by doing the following:

    Note: When opening the change request directly from the AFA report, this is the only request template that can be used. If you use the AFA provided CSV file to manually open a change request (an option discussed below), you can use the 190:Verbatim Rule Addition template or any custom template for adding rules to devices. The Access Lists traffic field must be enabled in the template you use.

    1. Switch to FireFlow. For details, see Switch between AlgoSec products

    2. In the main menu, click Request Templates.

      The Request Templates page appears.

    3. Select the 190:Verbatim Rule Addition template.

      The template's settings appear.

    4. In the Traffic area, click the +Add or remove traffic fields link.

      The Add or remove traffic fields window appears.

    5. In the Traffic area, select the Access Lists check box.

    6. Click Save.
    7. Click Save template.
  2. In AFA, view the device's device report. For more details, see View AFA device data.

  3. Click the PolicyOptimization tab.

    The Policy Optimization page appears.

  4. Click Consolidate rules.

    The consolidated rules appear. Each table represents a single consolidated rule and shows the existing rules it could replace.

    Each table of rules represents a group of rules you can consolidate into a single rule.

  5. Select the rules you want to consolidate.

    You can choose all or only some of the rules from a table. Choosing rules from multiple tables will create a single change request for adding multiple consolidated rules, one for each table.

  6. Click Consolidate selected rules.

    The Consolidate selected rules window appears.

  7. Do one of the following:

    • To automatically open the change request, click OK.

      A confirmation window appears with the change request information.

    • To edit the consolidated rules before opening the change request, do the following:
      1. Download a CSV file with the consolidated rules you specified by clicking the Download consolidated rules CSV file link.
      2. Edit the file.
      3. Manually create a change request in FireFlow using the 190:Verbatim Rule Addition request template.
      4. Populate the traffic area of the change request by clicking the Import traffic from CSV link and selecting the consolidated rules CSV file.
      5. Complete the other fields in the template and submit the change request. For more details, see Implement changes.

If FireFlow is installed, you can submit a Rule Removal request to disable unused, covered, redundant, and unrouted rules in the device's policy, directly from the Policy Optimization page.

To open a FireFlow change request to disable device rules

  1. In AFA, view the device's device report. For more details, see View AFA device data.

  2. Click the PolicyOptimization tab.

    The Policy Optimization page appears.

  3. Click on one of the supported rule categories (Unused rules, Covered rules, Redundant special case rules, and Unrouted rules).

    The rules in the selected category appear.

  4. Do one of the following:
    • In the first column, select the check boxes next to the rules you want to disable.
    • Select the Select All Unused Rules/Select All Covered Rules/Select All Special Case Rules check box to select all the rules.

  5. Click Disable Selected Rules.

    The change request is created and a notification appears with a link to the change request.

    If needed, the change request's fields may be modified later on. For more details, see Manage change requests.

    Note: When you disable more than one rule, a separate change request is created for each rule.

  6. Click OK.

Note: An AlgoSec admin can prevent users from clicking Disable Selected Rules:

  1. Add the parameter OpenFFTicketFromReport=false to /home/afa/.fa/config (see Advanced Configuration).

  2. Run an analysis on the device.

The Policy Optimization page's Intelligent Policy Tuner (IPT) enables you to refine your policy, by identifying rules that are too wide and permissive, and rules which contain sparsely used and unused objects. In addition, it provides recommendations for replacing permissive rules with new rules that are tighter, but which still allow all traffic allowed by the original rules.

If you want, you can change how IPT generates recommendations for replacing permissive rules. For more details, see Configure IPT rule recommendations .

Note: The Intelligent Policy Tuner is only available for devices on which Extensive logging has been enabled. To enable Extensive logging, add or edit the device to enable, and in the Log Analysis column, select Extensive. For more details, see Manage devices.

Note: Generating recommendations for replacing permissive rules may extend report generation time. If needed, you can disable this feature. For more details, see Enable IPT rule recommendations .

To refine rules

  1. In the Policy Optimization page's Intelligent Policy Tuner area, do one or more of the following:

    • To view overly permissive rules, click Tighten Permissive Rules.

      The Intelligent Policy Tuner page appears.

      A table displays a list of permissive rules that should be refined. For information on the columns, see the table below.

      Icons appear next to the objects in each rule, indicating the object's degree of use. You can mouse-over the icons to view the exact percentage of use.

      Objects that are sparsely used and include many unused IP addresses or services are highlighted in blue. It is recommended to refine these objects' definitions.

      If an object is densely used, then it is not recommended to refine it.

      The Intelligent Policy Tuner Recommendation area displays recommendations for replacing permissive rules with new, tighter rules, as well as recommendations for new objects to be used in the rules.

    • To view unused objects that appear within rules, click Unused objects within rules.

      The Rules Cleanup page appears.

      The table displays a list of rules containing objects that have not been used recently. For information on the columns, see the table below.

      The unused objects are highlighted in blue and can be removed.

    • To view all rule usage, click Policy tuner analysis for all rules.

      The All Rule Usage page appears.

      A table displays a list of all rules. For information on the columns, see the following table.

      Icons appear next to the objects in each rule, indicating the object's degree of use. You can mouse-over the icons to view the exact percentage of use.

      If an object is sparsely used, it is recommended to refine its definition. If an object is densely used then it is not recommended to refine it.

  2. Click on any object to drill-down and view more details.
  3. Refine the rules in your policy as needed.

Intelligent Policy Tuner Columns

This column...

Displays this...

RULE

The rule number.

NAME

The rule name.

SOURCE

The device object representing the connection source.

DESTINATION

The device object representing the connection destination.

SERVICE

The device object representing the service for the connection.

ACTION

The device action performed for the connection.

COMMENT

A comment on the rule.

COUNT

The number of times that an IP address in the specified range appeared in the traffic that traversed the rule.

LAST DATE

The latest date on which the IP address or range appeared in the traffic logs.

PERCENTAGE

The percentage of times that this rule was used, out of all rules.

Reordering Rules

The Policy Optimization page's Rule Reordering areas provide recommendations for optimizing the device rules for best performance and lower CPU utilization, an estimate for the device's performance, and suggestions for improving the performance with the most effective rule reordering.

The algorithm relies upon the rule usage statistics collected from the device to compute a RMPP (Rules Matched per Packet) score that measures the device's performance. The RMPP is the average number of rules that are compared to filtered packets until the device finds a match, where the average assumes the mix of packets that is observed in the device rule usage statistics. The RMPP is closely correlated with the device’s CPU utilization: a lower RMPP typically means a lower CPU utilization.

The intuition behind the RMPP calculation is as follows: Suppose that the rule that ultimately matched a connection is rule number "i". Then the device spent a computational effort testing whether the connection matched each of rules 1, 2, …, i-1, until it arrived at rule "i", found that rule "i" matches the connection, and stopped. We see that the computational effort to filter this connection is approximately proportional to the sequence number "i". Therefore, to model the general computational effort the device is spending, we calculate the mean (expected) number of rules that the device had to check against incoming connections, when the mean is weighted using the rule usage statistics gathered from the log data.

If there are N rules in the rule-base then the RMPP is always a number between 1 and N. Here are some examples. If every connection is always matched by the first rule in the rule-base then RMPP=1. Conversely, if all the connections are matched by the last rule then RMPP=N. If neither of the extreme cases occurs then the RMPP will be a value larger than 1 and smaller than N: E.g., if rule 1 matches 50% of the connections, rule 10 matches 30%, and rule 25 patches 20%, then RMPP = 1*0.5 + 10*0.3 + 25*0.2 = 0.5+3+5 = 8.5. This means that, on average, for the mix of connections observed by this device, the device compares 8.5 rules to each connection it needs to filter in order to reach a decision.

Clearly, we should strive to reduce the RMPP: If we can lower the RMPP toward 1, it means that on average the device will compare fewer rules to each incoming connection, and its CPU utilization will drop accordingly.

The Rule Reordering area displays a bar chart showing the RMPP of the current device configuration, the optimal configuration (using the same set of rules), and a midway configuration, which can be achieved from the current configuration by up to 10, most effective rule moves.

Clicking on the bar chart leads to the Rule Reordering page, which provides a detailed analysis.

The Rule Reordering page consists of three sections:

  • Summary. Summarizes the current RMPP (Rules Matched per Packet) situation.

    Note: This summary is also depicted graphically in the Policy Optimization page in a second Rule Reordering area.

  • Optimal Rule Order. Provides a complete list of all device rules, arranged in the optimal order for best performance based on RMPP.

  • Top 10 Rules to Move. A list of up to ten of the most effective steps to generate the greatest improvement in the RMPP score. Each step is a recommendation to move one rule to a different location on the list, and shows the projected RMPP improvement that it will provide.

    Note: The description above refers to the Check Point device screen. The screen differs per device vendor as follows:

    • Cisco – Each access list has its own Optimal access-list order (one list per interface).

    • Netscreen – Each policy list has its own Optimal Policy list.

      Note: For Cisco ASA devices version 7.0 or above, access lists are always "compiled". Consequently, the expected performance gain obtained by reordering the rules is small.

BASELINE COMPLIANCE page

If a baseline compliance profile is specified for the device, the report will include the Baseline Compliance page. This report indicates whether running the commands specified in the baseline compliance profile on the device results in the output specified in the baseline compliance profile. If so, then the device is considered to be in compliance.

Baseline compliance profiles are specified per device when defining the device in AFA. For more details, see Manage devices and Customize baseline configuration profiles.

POLICY Page

AFA provides various advanced capabilities that enable you to explore complex details of your device policy. Click on the Policy tab in the report to drill down into various aspects of your policy:

Click around this page to view more details about your device's policy. For example:

  • Click Expanded Rules on the right to view all rules in the device's policy.

    Note: AFA sometimes adds additional, implicit rules to a device's policy for enhanced management and optimization.

    For example, for devices that support only allowing rules, AFA may add a final Deny rule to be able to simulate the device's policy correctly. Implicit rules added by AFA also enable some devices to allow DNS traffic based on a check-box without forcing the user to write an explicit rule.

  • Click links in the Traffic by Service area to focus in on a sensitive host group and view the services that can reach it, and which corresponding rule is responsible. For example:

    The values in the Source IP addresses and Destination IP addresses columns are the number of IP addresses impacted by the service, excluding Trusted Networks, the IP addresses of the device interfaces, and Private IP addresses.

    You can further explore where a specific service can reach by clicking its link in the Service column.

CHANGES page

The CHANGES page provides detailed information about changes to the device, over the whole history of AFA reports for the device. Reports include all change monitoring supported for real-time change monitoring as well as changes to risks and baseline compliance.

For more details, see Manage real-time monitoring.

VPN page

The VPN page in the AFA report provides you with a clear view of all your VPN settings, and gives you a single place from which to navigate and review the details of your definitions. The report covers VPN definitions related to remote login users that are terminated on the device, and also to point-to-point VPNs. The contents of this page depend on the device vendor.

For Check Point devices, the VPN report consists of the following sections:

  • VPN Rules: lists all the VPN rules found on the device, with links to the user groups that are in use.
  • User Groups: lists all the user groups, with links to the rules each group participates in, and the users that belong to the group.
  • Users: lists all the users defined on the device, each with its authentication and encryption parameters and expiration date, with links to all the groups each user belongs to.

  • Communities: lists all the VPN communities, each with all the member devices.

For Juniper, the VPN report includes the VPN Rules, VPN Tunnels, IKE Information, User Groups and Users definitions.

For Cisco ASA devices, the VPN report includes the Crypto maps, Transform sets, and IKE Policy.

The VPN report page is not available for Forcepoint (McAfee) Security Management Center, Forcepoint (McAfee) SideWinder, F5 Big-IP, Juniper Space, Fortinet, and Hillstone devices.

Note: The Policy Optimization page also contains information which is relevant to VPN management. Specifically, it contains a list of expired users, unattached user groups, and unattached users. See the POLICY OPTIMIZATION page.

Note:

Support for the Forcepoint brands (Sidewinder, StoneGate) and Hillstone was deprecated in ASMS version A30.00. As of A32.20, AlgoSec no longer supports adding new Symantec Blue CoatClosed As of A32.20 AlgoSec will no longer support adding new Symantec Blue Coat devices. Existing deployed Blue Coat devices will still be functional. devices.

If you had defined these devices in an earlier version of ASMS, these devices are still available to you, with all the existing capabilities, but you cannot add new ones.

We recommend backing up device data before or after upgrading and then removing these devices from AFA. Make sure to download any report zip files for the device before deleting.

For more details, see View an earlier report for a specific device and the relevant AlgoPedia KB article.