Policy Browser

SecureTrack can include editable details about policy rules so you can manage rule ownership, expiration and recertification. You can use this information for reporting on security documentation and ownership, for example in periodic recertification projects and network security audits, including PCI-DSS.

When new policy revisions are received, they undergo multiple processing steps. New policy revisions appear in the Policy Browser search results after TOS processing is completed.

You can save policy details, or metadata, in SecureTrack for each rule in the most recent policy revision for each device. In the Compare tab, the metadata icon next to a rule indicates that the rule has documentation details.

The rule metadata includes the information categories listed below.

Rule Statistics

Rule statistics include the following information:

  • Permissiveness level (high/medium/low) – An indication of how widely a rule is defined, for example:

    • A rule with one source host, one destination host and one service is low permissiveness

    • A rule with Source "ANY", Destination "ANY" and Protocol "ANY" is high permissiveness

    Rules with high permissiveness can be a security risk because they allow too much access through the firewall. N/A indicates that the platform is not supported for permissiveness calculations.

  • Violations - The number of PCI DSS and Unified Security Policy violations caused by the rule

  • Last Hit - The last time traffic passing through the device matched the rule, or matched its user or application identity details

  • Last Modified - The last time a revision showed that the source, destination or service of the rule changed, including changes to group members.

    After you upgrade to R16-4 or higher, SecureTrack analyzes the revisions to identify the last time any part of the rule was changed, for example source, destination, service, log, or comment. Each rule is labeled with the bucket that fits its most recent change: yesterday, 3 months ago, 6 months ago, 12 months ago, or longer. This process can take up to a few days to complete.

  • Shadowing Status - For rules that are marked as fully shadowed, you can click on Details to see the rules that shadow it.
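The statistics above are what a recertification reviewer sorts and filters on. The following Python script is an added example, not SecureTrack code: it scores a rule's permissiveness from its source, destination and service fields, buckets a last-modified date into the labels listed above, and picks out rules that deserve a recertification look (highly permissive, or not hit for a year). The page defines only the two permissiveness extremes, so the "medium" band, the 90/180/365-day label thresholds, the stale-rule threshold, the platform names and the sample rules are all assumptions of this example.

```python
"""Rule-statistics heuristics for the fields described above.

Added example, not SecureTrack code. Only the two permissiveness extremes
are defined on the page (single host/host/service = low, ANY/ANY/ANY = high);
the 'medium' band, the day thresholds for the last-modified labels and the
platform names below are assumptions of this example.
"""
from datetime import date

ANY = "ANY"
# Constructed placeholder names for platforms that support the calculation.
SUPPORTED_PLATFORMS = {"vendor-a", "vendor-b"}


def permissiveness(rule, platform):
    """Return 'low', 'medium', 'high', or 'N/A' when the platform is unsupported."""
    if platform not in SUPPORTED_PLATFORMS:
        return "N/A"
    fields = (rule["source"], rule["destination"], rule["service"])
    any_count = sum(1 for f in fields if ANY in f)
    if any_count == 3:                      # Source ANY, Destination ANY, Service ANY
        return "high"
    if any_count == 0 and all(len(f) == 1 for f in fields):
        return "low"                        # one host, one host, one service
    return "medium"                         # assumption: everything in between


def last_modified_label(last_change, today):
    """Bucket a change date into the labels the Policy Browser uses (thresholds assumed)."""
    days = (today - last_change).days
    if days <= 1:
        return "yesterday"
    if days <= 90:
        return "3 months ago"
    if days <= 180:
        return "6 months ago"
    if days <= 365:
        return "12 months ago"
    return "longer"


def recert_candidates(rules, platform, today, stale_days=365):
    """Rules to put in front of a reviewer: highly permissive, or not hit for stale_days."""
    picked = []
    for rule in rules:
        stale = rule["last_hit"] is None or (today - rule["last_hit"]).days > stale_days
        if permissiveness(rule, platform) == "high" or stale:
            picked.append(rule["name"])
    return picked


# Constructed sample data: three rules as they might appear in the latest revision.
TODAY = date(2024, 6, 1)
RULES = [
    {"name": "allow-any", "source": {ANY}, "destination": {ANY}, "service": {ANY},
     "last_modified": date(2023, 1, 10), "last_hit": date(2024, 5, 1)},
    {"name": "db-access", "source": {"10.0.0.5"}, "destination": {"10.0.1.20"},
     "service": {"tcp/1433"}, "last_modified": date(2024, 5, 31), "last_hit": date(2024, 5, 31)},
    {"name": "web-farm", "source": {ANY}, "destination": {"10.0.2.1", "10.0.2.2"},
     "service": {"tcp/443"}, "last_modified": date(2024, 3, 1), "last_hit": None},
]

if __name__ == "__main__":
    for rule in RULES:
        print(rule["name"], permissiveness(rule, "vendor-a"),
              last_modified_label(rule["last_modified"], TODAY))
    print("recertify:", recert_candidates(RULES, "vendor-a", TODAY))
```

Run as-is, the script reports `allow-any` as high permissiveness and `web-farm` as medium, and lists both as recertification candidates: the first because of its ANY/ANY/ANY definition, the second because it has never been hit. A rule with no Last Hit at all is treated as stale on purpose; in practice that is the rule most often found to be dead during an audit.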

Metadata per rule

The metadata per rule includes the following information:

  • Technical owner - One of the SecureTrack admin users: Typically, the firewall administrator who is responsible for the technical accuracy of the rule.

  • Rule description - A useful description stored in SecureTrack

  • Advanced options:
    • Legacy rule - When a rule is marked as legacy, SecureChange Designer treats it as a shadowed rule when making recommendations, and SecureChange Verifier ignores it when verifying access.

      Marking rules as legacy can be used to let you methodically replace overly permissive rules over a period of time. Only rules that have an Allow action will be considered by Designer as legacy.

      When the traffic in an access request is fully or partially implemented by traffic that is handled by legacy rules, Designer locates the recommended rules above the related legacy rule with the highest position in the policy.

    • Stealth rule – When a rule is marked as stealth, SecureChange Designer recommendations will place any new rules recommended for an access request below the stealth section of the policy. Only rules that have a Deny action will be considered by Designer as stealth.

      The stealth section comprises all rules above and including the last rule marked as stealth in the device policy and is therefore always the top section in the device policy. Stealth rules can be used to protect a firewall device from attack by denying unwanted access to specific firewalls.

    For devices that support hierarchical structures and management of grouped entities, Policy Browser does not display propagated Legacy or Stealth Rules for the devices that are lower in the hierarchy.

    To determine whether a device that is lower in the hierarchy includes a Legacy or Stealth Rule propagated from higher up, SecureTrack users should search for the level at which the Legacy or Stealth Rule was defined. The level of each rule is displayed in the Policy Browser, in the Rule Location column.

    Designer takes the propagated Legacy or Stealth Rules into account for the managed devices that are lower in the hierarchy when suggesting changes and when provisioning. With Legacy rules, Designer will not create new rules on lower level entities that intersect with the legacy rule.
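The legacy and stealth rules above describe two placement and verification behaviours: the stealth section is everything down to the last Deny rule flagged stealth, a new rule never lands inside it, a new rule for traffic that a legacy Allow rule handles goes above the highest-positioned such legacy rule, and Verifier skips legacy rules when checking access. The following Python model is an added example, not Tufin Designer or Verifier code, and it makes simplifying assumptions: a flat (non-hierarchical) policy evaluated top-down with first match, an implicit deny at the end, field overlap as the intersection test, and appending at the bottom when nothing constrains placement. The policy and requests are constructed sample data.

```python
"""Toy model of how legacy and stealth flags steer rule placement and verification.

Added example, not Tufin Designer/Verifier code. Assumptions: a flat policy
evaluated top-down with first match; a rule 'intersects' a request when every
field overlaps (ANY overlaps everything); a rule 'covers' a request when every
request field is a subset of the rule's field or the rule field is ANY.
"""
from dataclasses import dataclass

ANY = "ANY"


@dataclass
class Rule:
    name: str
    action: str          # "allow" or "deny"
    src: set
    dst: set
    svc: set
    legacy: bool = False
    stealth: bool = False


@dataclass
class Request:
    src: set
    dst: set
    svc: set


def _overlaps(a, b):
    return ANY in a or ANY in b or bool(a & b)


def _contains(rule_field, req_field):
    return ANY in rule_field or req_field <= rule_field


def intersects(rule, req):
    pairs = ((rule.src, req.src), (rule.dst, req.dst), (rule.svc, req.svc))
    return all(_overlaps(r, q) for r, q in pairs)


def covers(rule, req):
    pairs = ((rule.src, req.src), (rule.dst, req.dst), (rule.svc, req.svc))
    return all(_contains(r, q) for r, q in pairs)


def stealth_section_end(policy):
    """Index just past the last stealth-flagged rule; only Deny rules count as stealth."""
    end = 0
    for i, rule in enumerate(policy):
        if rule.stealth and rule.action == "deny":
            end = i + 1
    return end


def recommended_position(policy, req):
    """Insertion index for a new rule implementing req.

    Placed above the highest-positioned Allow rule flagged legacy whose traffic
    intersects the request, but never inside the stealth section. Appending at
    the end when nothing constrains placement is this example's assumption.
    """
    floor = stealth_section_end(policy)
    related = [i for i, r in enumerate(policy)
               if r.legacy and r.action == "allow" and intersects(r, req)]
    if related:
        return max(floor, min(related))
    return len(policy)


def access_allowed(policy, req, ignore_legacy=True):
    """First-match verification; with ignore_legacy=True, legacy rules are skipped."""
    for rule in policy:
        if ignore_legacy and rule.legacy:
            continue
        if covers(rule, req):
            return rule.action == "allow"
    return False   # assumption: implicit deny at the end of the policy


# Constructed sample policy: two stealth denies on top, one legacy allow,
# one specific allow, and a cleanup deny.
POLICY = [
    Rule("protect-fw", "deny", {ANY}, {"fw-1"}, {ANY}, stealth=True),
    Rule("protect-mgmt", "deny", {ANY}, {"fw-mgmt"}, {"tcp/22"}, stealth=True),
    Rule("old-web-any", "allow", {ANY}, {"web-1"}, {"tcp/80"}, legacy=True),
    Rule("admin-db", "allow", {"10.0.0.5"}, {"db-1"}, {"tcp/1433"}),
    Rule("cleanup", "deny", {ANY}, {ANY}, {ANY}),
]
WEB_REQ = Request({"10.0.9.7"}, {"web-1"}, {"tcp/80"})
DB_REQ = Request({"10.0.9.7"}, {"db-1"}, {"tcp/1433"})

if __name__ == "__main__":
    print("stealth section ends at index", stealth_section_end(POLICY))
    print("new web rule goes at index", recommended_position(POLICY, WEB_REQ))
    print("new db rule goes at index", recommended_position(POLICY, DB_REQ))
    print("verifier: web access allowed?", access_allowed(POLICY, WEB_REQ))
    print("same check counting the legacy rule:", access_allowed(POLICY, WEB_REQ, ignore_legacy=False))
```

The interesting case is `WEB_REQ`: the broad legacy rule `old-web-any` would satisfy it, so a naive verifier reports the access as already open, while the legacy-aware check reports it as not implemented and the recommended position lands at index 2, directly above the legacy rule and just below the stealth section. That is the mechanism that lets a specific replacement rule take effect before the overly permissive one is retired.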

Record sets for each workflow ticket associated with the rule

This category includes the following information: 

  • Ticket ID - Entered manually or matched automatically with SecureChange authorized tickets that allow new traffic.

    For tickets marked as SecureChange Ticket ID, the Ticket ID column is populated when a change triggers a revision on a rule. Rules are mapped to a ticket when active rules intersect with another ticket’s traffic, whether or not a policy change has occurred within an Access Request.

    In Policy Browser, click on the ticket ID to go to the SecureChange ticket in Tasks (Requires permission to view the ticket). In the rule documentation report, you can see the expiration date of the ticket, if one is configured.

  • Business owner name and email - The user who opened the ticket; assigned automatically

  • Expiration date - Entered manually or matched automatically with SecureChange ticket expiration

SecureApp Connection Details

This category includes the application details for SecureApp application connections that match firewall rules:

  • Application name

  • Application owner

This information is automatically updated when new revisions are retrieved, when a connection change is saved in SecureApp or when there is a change in the Topology.

Note that rules are matched to application information based on the potential traffic through each device in the path, as defined in the rule, and not on the effective traffic that reaches the device, which may be blocked by another device or changed by NAT rules before it arrives.

To help you manage, track, and recertify ownership and expiration, you can: