On This Page
Cisco
ACI
- Change Management
-
Graphical Policy (Policies are displayed in SecureTrack as they are shown in the vendor's management software)
- Policy Analysis
-
Object Lookup (See Object Lookup)
- Topology
-
Static Topology
-
Dynamic Topology
Notes for ACI:
-
For each Tenant, supports tracking, comparing, and generating reports on the changes to the following: Application profiles, contracts, consumers, providers, filters, EPGs, subnets.
-
Interactive map supports path queries to external IP addresses that travel via specific EPGs. In the query, the source and destination can include an IP address AND an EPG, and the query results will return paths that include both. For example: 1.1.1.1@EPG1
-
OSPF and BGP routing is supported for Cisco ACI devices
-
uEPG and Contract Master visibility is supported for revisions and topology retrieved from Cisco ACI Devices
-
Limited support for IPv6 Objects
ASA
- Dashboard Widgets
-
General (General overview of the system)
-
Cleanup (Summary of the number of rules that are disabled, fully shadowed, or have not been hit in the past year)
-
USP Compliance (The number of rules with violations, according to their severity level)
-
Audit (The number of rules with expired access or will have access expire within the next month)
-
Recent Changes (Rules and devices with changes in the past 30 days)
- Browsers
-
Rule Viewer (see Rule Viewer)
-
Object Lookup (See Object Lookup)
-
USP Viewer (see USP Viewer)
-
USP Alert Manager Viewer (see USP Alerts Manager)
-
USP Exceptions Viewer (see USP Exceptions)
-
Changes (see Change Browser)
-
Cleanup (see Cleanup Browser)
-
Device Viewer (see Device Viewer)
- Change Management
-
Rule and Object Usage Report (Displays statistics for most-used, least-used, and unused rules and objects)
-
Change Management (Policy and Side-by-Side policy change comparison in the Compare tab, Comparison report, and New Revision report)
-
Full Accountability (Details of the revision, including who made the revision and when)
-
Display IPv6 objects
-
Graphical Policy (Policies are displayed in SecureTrack as they are shown in the vendor's management software)
-
Real-time Monitoring (Regularly automatically fetches policy information from the device)
-
Create SecureChange ticket from Rule Viewer for:
-
Rule Decommission (Removes selected rules from supported devices)
-
Rule Modification (Receives rules from the Rule Viewer and lets you create a ticket in SecureChange for a handler to update firewall rules for supported devices)
-
Rule Recertification(Used to document and verify the need for a rule)
-
-
Automatic Policy Generation (APG) (Analyzes firewall logs to determine actual business practices, and creates an optimized rulebase that limits traffic allowance to traffic actually used in the organization)
- Topology
-
Static Topology
-
Dynamic Topology
-
Calculate impact of NAT rules
-
Calculate impact of VPN policies
Notes for ASA:
-
ASA 9.5 support does not include SCTP.
-
NAT rules are supported by ASA 8.3 or higher
-
IPv6 Objects are supported by ASA 8.x or higher
Firepower Management Center
- Dashboard Widgets
-
General (General overview of the system)
-
Cleanup (Summary of the number of rules that are disabled, fully shadowed, or have not been hit in the past year)
-
USP Compliance (The number of rules with violations, according to their severity level)
-
Audit (The number of rules with expired access or will have access expire within the next month)
-
Recent Changes (Rules and devices with changes in the past 30 days)
- Browsers
-
Rule Viewer (see Rule Viewer)
-
Object Lookup (See Object Lookup)
-
USP Viewer (see USP Viewer)
-
USP Alert Manager Viewer (see USP Alerts Manager)
-
USP Exceptions Viewer (see USP Exceptions)
-
Changes (see Change Browser)
-
Cleanup (see Cleanup Browser)
-
Device Viewer (see Device Viewer)
- Change Management
-
Change Management (Policy and Side-by-Side policy change comparison in the Compare tab, Comparison report, and New Revision report)
-
Full Accountability (Details of the revision, including who made the revision and when)
-
Graphical Policy (Policies are displayed in SecureTrack as they are shown in the vendor's management software)
-
Real-time Monitoring (Regularly automatically fetches policy information from the device)
-
Create SecureChange ticket from Rule Viewer for:
-
Rule Decommission (Removes selected rules from supported devices)
-
Rule Modification (Receives rules from the Rule Viewer and lets you create a ticket in SecureChange for a handler to update firewall rules for supported devices)
-
Rule Recertification(Used to document and verify the need for a rule)
-
- Topology
-
Static Topology
-
Dynamic Topology
Notes for Firepower Management Center:
-
In the Interactive Map, Path Analysis calculations take Cisco Network Zones into account
-
When dynamic topology is enabled for FMC devices:
-
Both static and dynamic routes are displayed in the Interactive Map.
-
Static routes are not shown as part of the revisions.
-
-
When the Usage Tracking options are selected in the configuration of devices managed by the FMC:
-
Rule Viewer displays the last time specific rules were hit
-
Automatic Policy Generation (APG) is supported
-
Rule and Object Usage Report is supported
-
Policies need to have unique names. If there are multiple policies that share the same name, rule hits will not be mapped correctly to these policies
-
IOS L3 Switch (IOS or IOS XE)
- Dashboard Widgets
-
General (General overview of the system)
-
Cleanup (Summary of the number of rules that are disabled, fully shadowed, or have not been hit in the past year)
-
USP Compliance (The number of rules with violations, according to their severity level)
-
Audit (The number of rules with expired access or will have access expire within the next month)
-
Recent Changes (Rules and devices with changes in the past 30 days)
- Browsers
-
Rule Viewer (see Rule Viewer)
-
Object Lookup (See Object Lookup)
-
USP Viewer (see USP Viewer)
-
USP Alert Manager Viewer (see USP Alerts Manager)
-
USP Exceptions Viewer (see USP Exceptions)
-
Cleanup (see Cleanup Browser)
-
Device Viewer (see Device Viewer)
- Change Management
-
Rule and Object Usage Report (Displays statistics for most-used, least-used, and unused rules and objects)
-
Change Management (Policy and Side-by-Side policy change comparison in the Compare tab, Comparison report, and New Revision report)
-
Full Accountability (Details of the revision, including who made the revision and when)
-
Display IPv6 objects
-
Graphical Policy (Policies are displayed in SecureTrack as they are shown in the vendor's management software)
-
Real-time Monitoring (Regularly automatically fetches policy information from the device)
-
Create SecureChange ticket from Rule Viewer for:
-
Rule Decommission (Removes selected rules from supported devices)
-
Rule Modification (Receives rules from the Rule Viewer and lets you create a ticket in SecureChange for a handler to update firewall rules for supported devices)
-
- Topology
-
Static Topology
-
Dynamic Topology
-
Calculate impact of VPN policies
IOS-XR
- Dashboard Widgets
-
General (General overview of the system)
-
Cleanup (Summary of the number of rules that are disabled, fully shadowed, or have not been hit in the past year)
-
USP Compliance (The number of rules with violations, according to their severity level)
-
Audit (The number of rules with expired access or will have access expire within the next month)
-
Recent Changes (Rules and devices with changes in the past 30 days)
- Browsers
-
Rule Viewer (see Rule Viewer)
-
Object Lookup (See Object Lookup)
-
USP Viewer (see USP Viewer)
-
USP Alert Manager Viewer (see USP Alerts Manager)
-
USP Exceptions Viewer (see USP Exceptions)
-
Cleanup (see Cleanup Browser)
-
Device Viewer (see Device Viewer)
- Change Management
-
Rule and Object Usage Report (Displays statistics for most-used, least-used, and unused rules and objects)
-
Change Management (Policy and Side-by-Side policy change comparison in the Compare tab, Comparison report, and New Revision report)
-
Graphical Policy (Policies are displayed in SecureTrack as they are shown in the vendor's management software)
-
Real-time Monitoring (Regularly automatically fetches policy information from the device)
-
Create SecureChange ticket from Rule Viewer for:
-
Rule Decommission (Removes selected rules from supported devices)
-
Rule Modification (Receives rules from the Rule Viewer and lets you create a ticket in SecureChange for a handler to update firewall rules for supported devices)
-
- Topology
-
Static Topology
-
Dynamic Topology
-
IPv6 routes
-
Path analysis with IPv6 addresses in source and destination
Notes for IOS-XR:
- Change Management includes visibility on MPLS option B
IOS-XE SD-WAN (Viptela cEdge)
- Dashboard Widgets
-
General (General overview of the system)
-
Cleanup (Summary of the number of rules that are disabled, fully shadowed, or have not been hit in the past year)
-
Audit (The number of rules with expired access or will have access expire within the next month)
-
Recent Changes (Rules and devices with changes in the past 30 days)
- Browsers
-
Rule Viewer (see Rule Viewer)
-
Object Lookup (See Object Lookup)
-
Cleanup (see Cleanup Browser)
-
Device Viewer (see Device Viewer)
- Change Management
-
Rule and Object Usage Report (Displays statistics for most-used, least-used, and unused rules and objects)
-
Change Management (Policy and Side-by-Side policy change comparison in the Compare tab, Comparison report, and New Revision report)
-
Full Accountability (Details of the revision, including who made the revision and when)
-
Display IPv6 objects
-
Graphical Policy (Policies are displayed in SecureTrack as they are shown in the vendor's management software)
-
Real-time Monitoring (Regularly automatically fetches policy information from the device)
-
Create SecureChange ticket from Rule Viewer for:
-
Rule Decommission (Removes selected rules from supported devices)
-
Rule Modification (Receives rules from the Rule Viewer and lets you create a ticket in SecureChange for a handler to update firewall rules for supported devices)
-
- Topology
-
Static Topology
-
Dynamic Topology
-
Calculate impact of VPN policies
- SD-WAN labels
- SD-WAN routes (OMP)
Notes for IOS-XE (cEdge):
- TOS supports local ACLs.
- TOS does not suport vManage ACLs.
Meraki
- Dashboard Widgets
-
General (General overview of the system)
-
Audit (The number of rules with expired access or will have access expire within the next month)
-
USP Compliance (The number of rules with violations, according to their severity level)
- Browsers
-
Rule Viewer (see Rule Viewer)
-
USP Viewer (see USP Viewer)
-
USP Alert Manager Viewer (see USP Alerts Manager)
-
USP Exceptions Viewer (see USP Exceptions)
-
Device Viewer (see Device Viewer)
- Topology
- Dynamic Topology (including auto-VPN)
-
Calculate impact of VPN policies
Notes for Meraki:
TOS supports the following Meraki devices:
- MX Firewall
- Z-series Firewall
Nexus
- Dashboard Widgets
-
General (General overview of the system)
-
Cleanup (Summary of the number of rules that are disabled, fully shadowed, or have not been hit in the past year)
-
USP Compliance (The number of rules with violations, according to their severity level)
-
Audit (The number of rules with expired access or will have access expire within the next month)
-
Recent Changes (Rules and devices with changes in the past 30 days)
- Browsers
-
Rule Viewer (see Rule Viewer)
-
Object Lookup (See Object Lookup)
-
USP Viewer (see USP Viewer)
-
USP Alert Manager Viewer (see USP Alerts Manager)
-
USP Exceptions Viewer (see USP Exceptions)
-
Cleanup (see Cleanup Browser)
-
Device Viewer (see Device Viewer)
- Change Management
-
Rule and Object Usage Report (Displays statistics for most-used, least-used, and unused rules and objects)
-
Change Management (Policy and Side-by-Side policy change comparison in the Compare tab, Comparison report, and New Revision report)
-
Full Accountability (Details of the revision, including who made the revision and when)
-
Graphical Policy (Policies are displayed in SecureTrack as they are shown in the vendor's management software)
-
Real-time Monitoring (Regularly automatically fetches policy information from the device)
-
Create SecureChange ticket from Rule Viewer for:
-
Rule Decommission (Removes selected rules from supported devices)
-
Rule Modification (Receives rules from the Rule Viewer and lets you create a ticket in SecureChange for a handler to update firewall rules for supported devices)
-
- Topology
-
Static Topology
-
Dynamic Topology
Routers (IOS or IOS XE)
- Dashboard Widgets
-
General (General overview of the system)
-
Cleanup (Summary of the number of rules that are disabled, fully shadowed, or have not been hit in the past year)
-
USP Compliance (The number of rules with violations, according to their severity level)
-
Audit (The number of rules with expired access or will have access expire within the next month)
-
Recent Changes (Rules and devices with changes in the past 30 days)
- Browsers
-
Rule Viewer (see Rule Viewer)
-
Object Lookup (See Object Lookup)
-
USP Viewer (see USP Viewer)
-
USP Alert Manager Viewer (see USP Alerts Manager)
-
USP Exceptions Viewer (see USP Exceptions)
-
Cleanup (see Cleanup Browser)
-
Device Viewer (see Device Viewer)
- Change Management
-
Rule and Object Usage Report (Displays statistics for most-used, least-used, and unused rules and objects)
-
Change Management (Policy and Side-by-Side policy change comparison in the Compare tab, Comparison report, and New Revision report)
-
Full Accountability (Details of the revision, including who made the revision and when)
-
Display IPv6 objects
-
Graphical Policy (Policies are displayed in SecureTrack as they are shown in the vendor's management software)
-
Real-time Monitoring (Regularly automatically fetches policy information from the device)
-
Create SecureChange ticket from Rule Viewer for:
-
Rule Decommission (Removes selected rules from supported devices)
-
Rule Modification (Receives rules from the Rule Viewer and lets you create a ticket in SecureChange for a handler to update firewall rules for supported devices)
-
- Topology
-
Static Topology
-
Dynamic Topology
-
Calculate impact of VPN policies
-
Calculate impact of policy-based routing and related ACL rules
Notes for Routers
-
Tufin supports policy-based routing (PBR) for Cisco IOS routers for the following configuration types, when the next hop in the route map is to a monitored device in the Tufin Orchestration Suite topology:
-
set interface <interface name>
-
set ip next-hop <ip address>
-
set vrf <vrf name>
-
Zone-based firewalls
- Dashboard Widgets
-
General (General overview of the system)
-
Cleanup (Summary of the number of rules that are disabled, fully shadowed, or have not been hit in the past year)
-
USP Compliance (The number of rules with violations, according to their severity level)
-
Audit (The number of rules with expired access or will have access expire within the next month)
-
Recent Changes (Rules and devices with changes in the past 30 days)
- Browsers
-
Rule Viewer (see Rule Viewer)
-
Object Lookup (See Object Lookup)
-
USP Viewer (see USP Viewer)
-
USP Alert Manager Viewer (see USP Alerts Manager)
-
USP Exceptions Viewer (see USP Exceptions)
-
Cleanup (see Cleanup Browser)
-
Device Viewer (see Device Viewer)
- Change Management
-
Change Management (Policy and Side-by-Side policy change comparison in the Compare tab, Comparison report, and New Revision report)
-
Graphical Policy (Policies are displayed in SecureTrack as they are shown in the vendor's management software)
-
Real-time Monitoring (Regularly automatically fetches policy information from the device)
-
Create SecureChange ticket from Rule Viewer for:
-
Rule Decommission (Removes selected rules from supported devices)
-
Rule Modification (Receives rules from the Rule Viewer and lets you create a ticket in SecureChange for a handler to update firewall rules for supported devices)
-
- Topology
-
Static Topology
-
Dynamic Topology
Cisco Security Manager (CSM)
-
Cisco Security Manager (CSM):
- Supports change tracking in textual policy view only for ASA 8.x-9.x, Catalyst switch 3560, IOS router 2801 devices.