View policy data

This section explains the procedures related to policy data.

Viewing policies

To view a policy:

  1. View the desired device, group, or matrix. For details, see View AFA device data, View AFA group data, and View AFA matrix data.

  2. Click the Policy tab.

    The Policy tab appears in the workspace.

    The Policy tab columns are specific to each device brand. If AppViz is licensed, fields from AppViz are also displayed, indicating business information such as which rules are included as flows in which applications.

    Notes:

    • Since NAT rules do not appear in the Policy tab:

    • If AppViz is licensed, you can export traffic flows from the policy to AppViz. For more details, see Export flows from AFA.

  3. To search the policy for rules and objects, see Policy Search.

Policy Search

Policy search allows you to locate rules within a single device or a group of devices. For example, you can locate all device rules that use a specific object—whether the rules include the object explicitly or include an object containing the object—in any device, group, or matrix, or in any type of report. This is useful when planning to update or remove an object, since it enables you to find all the rules that will be affected by the change.

AFA provides the following tools for locating rules on policies:

Notes:

  • For Check Point devices, the results show one device to represent each policy. Multiple devices with the same policy will not appear in the search results.

Basic Policy Search

To perform the Basic Policy Search:

  1. View the policy you want to search. For details, see Viewing policies.
  2. On the Policy tab for the selected device, from the All Fields drop-down list, select the field whose value should be compared with the Contains value.
  3. If you select the Source, Destination, Source or Destination, Services, or All Fields option in the drop-down list, the search also returns rules with objects that contain the specified IP address(es) or services. For all other fields, a textual search for the text entered in the Contains field is performed.

    Note: You can use the Locate Object feature to search for objects that contain specific IP addresses. For details, see Locate objects.

  4. In the Contains field, type the string, IP address, IP range, service, range of services (e.g., "TCP/20-50" or "All TCP"), or object name for which you want to search the policy. To search for rules in which a specific field is empty, type [EMPTY] in the Contains field for that field.
  5. To add another search criterion, click the plus button to the right of the current search criteria and then complete the fields as described above.
  6. Optional: Use the checkboxes to further define your search as follows:
    • To include results that contain objects which contain only/exactly the IP address(es) or service(s) you searched for, select Exact Match.
    • To include results which contain the searched IP address(es) or service(s) only because they contain "any", "all", or "*", select Include 'ANY'.

  7. Click Find rules.

    • The policy is filtered according to the specified parameters.

    • Objects that contain the searched value are highlighted in the search results.

Advanced Policy Search

Note: For parameters relevant to the Advanced Policy Search, see ADV_SEARCH_MAX_RESULTS, ADV_SEARCH_MAX_COMPARISONS, and ADV_SEARCH_TIMEOUT_SECONDS. Exceeding the defined parameter values causes the search to abort and an error message to be displayed.

The query for this search must be written in the following format:

To perform the Advanced Policy Search:

  1. View the policy you want to search. For details, see Viewing policies.

    In the Basic Search section, click Advanced Search.

  2. Enter a relational expression of any complexity as the search criteria in the Advanced Search field.
    For example:

    (SOURCE=="g-Cacti") and (ACTION=="accept")

  3. Optional: To further define your search:
    • Select the Include 'ANY' checkbox: To include results which contain the searched IP address(es) or service(s) only because they contain "any", "all", or "*".

    • Select the Include Object Content checkbox: To extend the search to include IPs and sub-objects within an object.

  4. Click Find Rules.

    The policy is filtered according to the specified search criteria.

    Note: When the results contain matches only because Include Object Content or Include 'Any' is selected, the relevant objects and 'Any' indications are highlighted.

Tip: You can save search criteria offline rather than defining searches from scratch every time. This means you can perform similar edited searches quickly and easily on a variety of devices, groups, matrices, etc.

Add/remove AFA rule comments

AFA supports adding comments to rules. The comments will appear in the rules' Documentation fields and in all device/group/matrix reports where the rules appear. You can add comments to a single rule, or add the same comments to multiple rules simultaneously.

Notes:

  • These comments are only visible in AFA, not on the devices themselves.

  • AFA administrators can disable or enable the Documentation field and add more such fields. For more details, see Custom documentation fields.

To add/remove comments from a single rule:

  1. View the device/group/matrix policy, and locate the rule you want to edit. For details, see Policy Search.
  2. In the desired rule's row, click .

    The Edit Documentation dialog is displayed.

  3. Select the check box(es) next to the field(s) you want to edit.
  4. Type your comments for the rule in the field(s) or delete the comments you want to remove.
  5. Click Update.

    The comments are added/removed.

To add or remove the same comments from multiple rules:

  1. View the device/group/matrix policy, and locate the rules you want to edit. For details, see Policy Search.
  2. Select the check boxes next to the desired rules.
  3. Click the Add Values link.

    The Edit Documentation dialog is displayed.

  4. Select the check box(es) next to the field(s) you want to edit.
  5. Type your comments for the rules in the field(s) or delete any comments you want to remove.
  6. Click Update.

    The comments are added or removed from all the selected rules.

Locate objects

You can locate all objects which contain a specific IP address or range in a device, group, matrix, or in a specific report.

To locate an object:

  1. Do any of the following, as described in View AFA device data, View AFA group data, and View AFA matrix data:

    • To search a device for an object, view the desired device.
    • To search a group for an object, view the desired group.
    • To search a matrix for an object, view the desired matrix.
    • To search a single device report for an object, view the desired device, click the Reports tab, and then select the check box next to the report in which you want to locate the object.
    • To search all device reports for an object, view the ALL_FIREWALL group, then click the Reports tab, and then select the check box next to the report in which you want to locate the object.
    • To search a group report for an object, view the desired group, click the Reports tab, and then select the check box next to the report in which you want to locate the object.
    • To search a matrix report for an object, view the desired matrix, click the Reports tab, and then select the check box next to the report in which you want to locate the object.
  2. Click Locate Object.

    The Locate Object page appears.

  3. Specify the object you want to locate.

    You can select an individual IP address, a range of IP addresses, or a host group that is defined on the device(s). If you wish to select a host group, you can search the defined names alphabetically, or by using the search filter.

  4. Click Find in Objects.

    A new window opens displaying a list of objects with the specified IP address, range, or host group, in the specified devices and/or matrices.

  5. To export the results to PDF format, click . For more details, see Export AFA screens to PDF.

Locate rules that use specific objects

You can locate all device rules that use a specific object—whether the rules include the object explicitly or include an object containing the specific object—in any given device, group, or matrix, or in any type of report. The procedure below should be used when searching for NAT rules.

Otherwise, the recommended method to locate rules is through the Policy tab. For more information, see Policy Search. NAT rules do not appear in the Policy tab.

To locate rules that use a specific object:

  1. Do any of the following, as described in View AFA device data, View AFA group data, and View AFA matrix data:

    • To search a device for an object, view the desired device.
    • To search a group for an object, view the desired group.
    • To search a matrix for an object, view the desired matrix.
    • To search a single device report for an object, view the desired device, click the Reports tab, and then select the check box next to the report in which you want to locate the rules.
    • To search all device reports for an object, view the ALL_FIREWALL group, then click the Reports tab, and then select the check box next to the report in which you want to locate the rules.
    • To search a group report for an object, view the desired group, click the Reports tab, and then select the check box next to the report in which you want to locate the rules.
    • To search a matrix report for an object, view the desired matrix, click the Reports tab, and then select the check box next to the report in which you want to locate the rules.
  2. Click Locate Object.

    The Locate Object page is displayed.

  3. Specify the object you want to locate, by doing one of the following:
    • To select a host group that is defined on the device(s):
      1. In the Select Address by area, choose Host group.
      2. Select the host group you wish to locate. You can search the defined names alphabetically, or by using the search filter.
    • To select an individual IP address:
      1. In the Select Address by area, choose IP Address.
      2. Type the IP address you wish to locate.
      3. To locate rules with objects that contain only the specified IP address, select the Exact match check box.
    • To select a range of IP addresses:
      1. In the Select Address by area, choose IP Range.
      2. Type the starting and ending IP addresses for the IP range you wish to locate.
      3. To locate rules with objects that contain only the specified IP range, select the Exact match check box.
    • To select a specific traffic flow:
      1. In the Select Address by area, choose Flow.
      2. Specify the source and destination by selecting or typing an individual IP address, a range of IP addresses, or a host group. If you wish to select a host group, you can search the defined names alphabetically, or by using the search filter.

        If you type a host group whose name is an IP address, enclose it in quotation marks (for example "10.20.1.1").

      3. To locate rules with objects that contain only the IP addresses specified in source and destination, select the Exact match check box.

      Note: For Cisco devices, locating rules with the exact match feature will not return results where the IP address was added directly to the rule (not within a network object).

  4. Click Find in Rules.

    A new window opens displaying a list of rules containing the specified object, in the specified devices and/or matrices.

    The yellow highlighting indicates which IP address, range of IP addresses, or host groups contain the object you want to locate.

  5. To see a host group's definition, click on the host group.
  6. To export the results to PDF format, in the top-right corner of the report, click . For more details, see Export AFA screens to PDF.

    Tables at the end of each device display relevant network and service object definitions. Clicking on the object in a rule will bring you to its definition in these tables.

  7. To export the results to CSV format, in the top-right corner of the report, click . Follow your browser prompts to open the file.
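As an added illustration (not AFA's code and not its actual search implementation), the following Python models the matching semantics that the Basic Policy Search and the Locate rules Flow search described above rely on: an object matches when it contains the searched address(es), Exact Match restricts this to objects that cover exactly those addresses, and Include 'ANY' decides whether the wildcard object counts. The sample objects, rules and function names are constructed assumptions.

```python
import ipaddress
# Constructed sample policy (not AFA's data model): network objects list the
# address blocks they contain, None marks the "any" wildcard; rules name objects.
NETWORK_OBJECTS = {
    "g-Cacti": ["10.20.1.0/24"],
    "h-monitor": ["10.20.1.1/32"],
    "g-servers": ["10.30.0.0/16", "10.31.0.0/16"],
    "any": None,
}
RULES = [
    {"id": 1, "source": ["g-Cacti"], "destination": ["g-servers"], "action": "accept"},
    {"id": 2, "source": ["h-monitor"], "destination": ["g-servers"], "action": "accept"},
    {"id": 3, "source": ["any"], "destination": ["any"], "action": "drop"},
    {"id": 4, "source": ["g-servers"], "destination": ["h-monitor", "g-Cacti"], "action": "accept"},
]

def parse_address(text):
    """Turn a Contains value (single IP, CIDR, or 'first-last' range) into networks."""
    if "-" in text:
        first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(text.strip(), strict=False)]
def object_matches(obj_name, wanted, exact):
    """"any" for the wildcard; True if the object contains (exact: covers exactly) wanted."""
    blocks = NETWORK_OBJECTS[obj_name]
    if blocks is None:
        return "any"
    nets = [ipaddress.ip_network(b) for b in blocks]
    if exact:  # compare coverage, so two /16s equal the same addresses given as a range
        return list(ipaddress.collapse_addresses(nets)) == list(ipaddress.collapse_addresses(wanted))
    return all(any(w.subnet_of(n) for n in nets) for w in wanted)
def find_rules(field, value, exact=False, include_any=False):
    """Basic Policy Search on one field; returns [(rule id, objects to highlight)]."""
    wanted = parse_address(value)
    fields = ["source", "destination"] if field == "source_or_destination" else [field]
    hits = []
    for rule in RULES:
        highlighted = []
        for obj in [o for f in fields for o in rule[f]]:
            res = object_matches(obj, wanted, exact)
            if res is True or (res == "any" and include_any):
                highlighted.append(obj)
        if highlighted:
            hits.append((rule["id"], highlighted))
    return hits
def find_flow(src, dst, exact=False, include_any=False):
    """Locate rules for a flow: Source must match src AND Destination must match dst."""
    src_ids = {rid for rid, _ in find_rules("source", src, exact, include_any)}
    dst_ids = {rid for rid, _ in find_rules("destination", dst, exact, include_any)}
    return sorted(src_ids & dst_ids)
```

The returned object names correspond to what the search results highlight; with Include 'ANY' left off, a catch-all rule such as rule 3 never appears, which is the behaviour to keep in mind when using the search to assess the impact of changing an object.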