Preparing a CSV

Prerequisites

You must define your security zones before you can import a security zone matrix.

Procedure

When you create a matrix file to import, you must include the following fields:

  • From zone - The name of the source network zone in Browser > Zones

  • To zone - The name of the destination network zone in Browser > Zones

  • Severity - The severity assigned to the violation: low, medium, high, critical

  • Access Type - How traffic from the source zone to the destination zone is handled; one of:

    • Allow all - All traffic is allowed
    • Block all - All traffic is blocked
    • Allow only - Traffic is allowed only if the traffic service is in the list of services
    • Block only - Traffic is blocked only if the traffic service is in the list of services

  • Services (for Allow Only or Block Only access) - The services that are allowed (Allow only) or blocked (Block only) between the source zone and the destination zone. See list of Tufin Predefined Services.

    • You can enter multiple values separated by a semicolon, for example: tcp 80; icmp 8

    • You can enter a range of ports, for example: tcp 67-68

    • You can enter any so that all services are allowed.

  • Rule Properties (for Allow Only or Block Only access) - Conditions that the rules matching the specified traffic must meet:

    • EXPLICIT_SOURCE - Rules must have an explicit source, not the ANY value

    • EXPLICIT_DESTINATION - Rules must have an explicit destination, not the ANY value

    • EXPLICIT_SERVICE - Rules must have an explicit service, not the ANY value

    • HAS_COMMENT - Rules must have text in the comment field

    • IS_LOGGED - Rules must be configured to create log entries

    • LAST_HIT_WITHIN {DAYS: X} - Rules must have hits within the last X number of days

    • SOURCE_MAX_IP {COUNT:X} - Source must contain fewer than X IP addresses

    • DESTINATION_MAX_IP {COUNT:X} - Destination must contain fewer than X IP addresses

    • SERVICE_MAX_SERVICES {COUNT:X} - Service must contain fewer than X services

    Separate multiple values with a semicolon, for example: IS_LOGGED; Last_Hit_Within {days: 90}

    To enforce Rule Properties on all services, set the Access Type to Allow Only and Service to Any, then add the desired Rule Properties.

  • Flows (for Allow Only or Block Only access) - The rules that match the specified traffic requirements are allowed or blocked. Flows are defined by host and subnet objects. Host objects are any object, multiple objects or group of objects where each object represents one IP address. Subnet objects are any object, multiple objects or group of objects where each object represents more than one IP address, not including ANY or Internet.

    The syntax for the flow requirement is one of:

    • HOST_TO_HOST - Rules where the source and destination of the traffic flow are defined by host objects
    • SUBNET_TO_HOST - Rules where the source of the traffic flow is defined by subnet objects and the destination is defined by host objects
    • HOST_TO_SUBNET - Rules where the source of the traffic flow is defined by host objects and the destination is defined by subnet objects

    To enforce flows on any service, set the Access Type to Allow Only and Service to Any, then add the desired flows.

The first line of the file must be a header line containing the field names shown below, followed by one line per row of matrix data:

from zone,to zone,severity,access type,services,rule properties,flows,description
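The constraints above can be checked before the file is imported. The validator below is an added example, not Tufin's code; it assumes that a service is written as a protocol followed by a port or port range (as in the examples above), that rule property names and their parameter names are case-insensitive, and that the caller supplies the zone names defined in Browser > Zones. The CSV it checks is constructed for the example.

```python
import csv
import re

HEADER = ["from zone", "to zone", "severity", "access type",
          "services", "rule properties", "flows", "description"]
SEVERITIES = {"low", "medium", "high", "critical"}
ACCESS_TYPES = {"allow all", "block all", "allow only", "block only"}
FLOWS = {"HOST_TO_HOST", "SUBNET_TO_HOST", "HOST_TO_SUBNET"}
# Rule property -> the parameter it takes in braces (None = takes no parameter).
RULE_PROPS = {"EXPLICIT_SOURCE": None, "EXPLICIT_DESTINATION": None, "EXPLICIT_SERVICE": None,
              "HAS_COMMENT": None, "IS_LOGGED": None, "LAST_HIT_WITHIN": "DAYS",
              "SOURCE_MAX_IP": "COUNT", "DESTINATION_MAX_IP": "COUNT", "SERVICE_MAX_SERVICES": "COUNT"}
# Assumption: a service is "<protocol> <port>" or "<protocol> <low>-<high>", e.g. tcp 67-68.
SERVICE_RE = re.compile(r"^[a-z]+ \d+(-\d+)?$")
PROP_RE = re.compile(r"^(\w+)(?:\s*\{\s*(\w+)\s*:\s*\d+\s*\})?$")  # NAME or NAME {PARAM: X}

def split_list(cell):  # "tcp 80; icmp 8" -> ["tcp 80", "icmp 8"]
    return [v.strip() for v in cell.split(";") if v.strip()]

def row_errors(row, zones):
    """Return the problems found in one matrix row (empty list = the row is valid)."""
    errs = [f"unknown zone '{row[c]}'" for c in ("from zone", "to zone") if row[c] not in zones]
    errs += [f"bad {col} '{row[col]}'" for col, ok in (("severity", SEVERITIES), ("access type", ACCESS_TYPES))
             if row[col].lower() not in ok]
    if row["access type"].lower() not in ("allow only", "block only"):
        return errs  # services, rule properties and flows apply only to the "only" access types
    services = split_list(row["services"])
    errs += ["services are required for allow only / block only"] if not services else [
        f"bad service '{s}'" for s in services if s.lower() != "any" and not SERVICE_RE.match(s.lower())]
    for prop in split_list(row["rule properties"]):
        m = PROP_RE.match(prop)
        name, param = (m[1].upper(), (m[2] or "").upper()) if m else ("", "")
        if name not in RULE_PROPS or (RULE_PROPS[name] or "") != param:
            errs.append(f"bad rule property '{prop}'")
    errs += [f"bad flow '{f}'" for f in split_list(row["flows"]) if f.upper() not in FLOWS]
    return errs

def validate_matrix(text, zones):
    """Check the header line, then every data row; return {line number: [errors]} for bad lines."""
    lines = list(csv.reader(text.splitlines()))
    if [h.strip().lower() for h in lines[0]] != HEADER:
        return {1: ["header must be: " + ",".join(HEADER)]}
    rows = (dict(zip(HEADER, [c.strip() for c in cells] + [""] * len(HEADER))) for cells in lines[1:])
    return {n: errs for n, row in enumerate(rows, start=2) if (errs := row_errors(row, zones))}

# Constructed sample: lines 2 and 3 are valid, line 4 has a rule property with no {DAYS: X} parameter.
SAMPLE_CSV = """from zone,to zone,severity,access type,services,rule properties,flows,description
DMZ,Internal,high,allow only,tcp 443; tcp 80,IS_LOGGED; Last_Hit_Within {days: 90},HOST_TO_HOST,web to app
Internal,DMZ,critical,block all,,,,nothing back into the DMZ
Internal,DMZ,low,allow only,tcp 67-68; any,SOURCE_MAX_IP {COUNT:10}; LAST_HIT_WITHIN,,parameter missing
"""
```

Call `validate_matrix(SAMPLE_CSV, {"DMZ", "Internal"})` with the zone names you have defined; an empty result means every line passed.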

Sample Code

The sample code shown below creates a sample 4x4 USP matrix. After importing the zones and the USP, you will have the following USP: