Rule Optimizer

Overview

Rule Optimizer tightens an over-permissive security policy rule based on real traffic usage data by providing instant recommendations for a stricter replacement rule that still permits the connections actually observed. This lets you improve your security posture by identifying rules you may not have realized could be tightened without breaking existing connections.

The optimized recommendations are based on the rule’s Source, Destination, and Service fields. These fields indicate which addresses and ports are actually required.

After recommendations are generated, the permissiveness level of the new rule suggestion can be adjusted manually.

Rule Optimizer has the following TQL fields which can be used in Rule Viewer:

  • readyForOptimization (true/false)

  • ruleOptimizerRecommendations (exists/not exists)

For more information, see TQL Fields For the Rule Viewer.

Prerequisites

  • Rule Optimizer must be enabled for the device.
  • Recommendations are available only after usage data has been collected for the configured data collection window.
  • Only rules that meet the following requirements can be optimized:
    • IPv4 rules
    • Rules with an "Allow" action
    • The rule must be enabled in the firewall policy

Data Collection Window

The Rule Optimizer recommendations are based on traffic usage data collected during the data collection window. By default this is the past 30 days, but the window can be extended to cover up to 180 days. The window can be configured globally or for a specific device using GraphQL mutations. Traffic usage data older than the data collection window is deleted automatically once a day.

TOS only starts collecting data after Rule Optimizer is enabled for the device.

Example:

The data collection window is set for 30 days. You enabled Rule Optimizer on February 5.

  • When you run Rule Optimizer on February 15, the recommendations use data from February 5 to February 15 (only the ten days collected so far).

  • When you run Rule Optimizer on March 15, the recommendations use data from February 15 to March 15 (the full 30-day window).

  • On March 16, the February 5 to February 15 usage data that the first run relied on has aged out of the window and is deleted automatically.

Special Objects

Special Objects are dynamic objects whose membership changes constantly, such as FQDN objects, Azure ASGs, VMs, Network Tags, Security Groups, and Zscaler Internet.

By default, Rule Optimizer automatically detects these objects in the Source and Destination fields of the original rule and uses them as is in the recommendations.

If you want IP-based recommendations for rules that contain Special Objects instead, you can change this behavior using GraphQL mutations, either globally or per device.

Objects that TOS does not support and cannot resolve to IP addresses are also treated by Rule Optimizer as Special Objects.

Rule Optimizer Recommendations

By default, the IP subnets are grouped in the recommendations in subnet mask intervals of 8 (/8, /16, /24, and /32).

If the original rule's source or destination already uses a prefix longer than /24 (for example /28), the recommendations start from that prefix length instead of from the default grid.

Rule Optimizer's initial recommendation is always the most permissive rule option available, which is still stricter than the original rule. You can manually adjust this recommendation to further restrict the rule by clicking the + and - buttons.

Example

Rule Optimizer generates the following permissive recommendation, which is still stricter than the original rule.

  • Original rule:

    • Source: Any

    • Destination: Internet

  • Initial recommendation:

    • Source: 10.0.0.0/8, 172.0.0.0/8, 192.0.0.0/8

    • Destination: Internet

You can tighten this recommendation by clicking the + button on 10.0.0.0/8, which splits it into only the /16 networks that actually carried traffic:

  • Adjusted recommendation:

    • Source: 10.0.0.0/16, 10.1.0.0/16, 172.0.0.0/8, 192.0.0.0/8

    • Destination: Internet

Tightening 10.0.0.0/16 further, down to the individual hosts that were seen, gives an even stricter recommendation:

  • Adjusted recommendation:

    • Source: 10.0.0.1/32, 10.0.0.2/32, 10.0.3.2/32, 10.1.0.0/16, 172.0.0.0/8, 192.0.0.0/8

    • Destination: Internet

Advanced Subnetting

The advanced subnetting settings below are applied globally to all devices; they cannot be set per device.

  • To configure the prefix length the recommendations start from (default 8):

    tos config set -p usage.task.network.optimization.firstClassCidr=<prefix> -s usage-calculator

    Where <prefix> is the prefix length you want the groupings to start from.

  • To configure the prefix length increment between groupings (default 8):

    tos config set -p usage.task.network.optimization.cidrIncrementingSize=<increment> -s usage-calculator

    Where <increment> is the number of bits added at each grouping step.

Example:

Run the following commands to generate recommendations that include only subnets with a prefix of /24 or longer, with every intermediate grouping (/24, /25, ... /32):

tos config set -p usage.task.network.optimization.cidrIncrementingSize=1 -s usage-calculator
tos config set -p usage.task.network.optimization.firstClassCidr=24 -s usage-calculator

With these settings, the recommendations group addresses at every prefix length from /24 through /32, so each + click narrows a network by a single bit instead of jumping straight from /24 to /32.
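The grouping and tightening behaviour described in the Rule Optimizer Recommendations and Advanced Subnetting sections, as an added example in Python (this is not Tufin's code): the functions model the /8, /16, /24, /32 grid, the firstClassCidr and cidrIncrementingSize settings, the "still stricter than the original" rule, and the + button, run over constructed sample traffic. The function and parameter names, and the way an original field whose prefix falls off the grid is handled, are this example's assumptions.

```python
"""Model of Rule Optimizer's prefix grouping (added example, not Tufin's code).

Observed IPv4 hosts from the data collection window are collapsed into the
coarsest prefix grid allowed by firstClassCidr / cidrIncrementingSize that is
still stricter than the original rule field; "+" then splits one network into
the next grid length.  The grouping rules are inferred from the documentation
above and the sample traffic is constructed for this example.
"""
import ipaddress
from typing import Iterable, List

IPv4Network = ipaddress.IPv4Network
IPv4Address = ipaddress.IPv4Address

# Constructed usage data: hosts seen hitting a rule whose Source is "Any".
SAMPLE_HOSTS = ["10.0.0.1", "10.0.0.2", "10.0.3.2", "10.1.0.5",
                "172.16.0.1", "192.168.1.1"]


def candidate_prefix_lengths(original_prefix_len: int = 0,
                             first_class_cidr: int = 8,
                             cidr_increment: int = 8) -> List[int]:
    """Prefix lengths a recommendation may use, coarsest first.

    Defaults give the documented /8, /16, /24, /32 grid; /32 is always
    reachable.  Lengths coarser than the original field's own prefix can
    never be stricter than it, so they are dropped, and an original prefix
    finer than the grid start becomes the starting point (documented for
    prefixes longer than /24; applying it to every off-grid prefix is this
    example's assumption).
    """
    if not 1 <= first_class_cidr <= 32 or cidr_increment < 1:
        raise ValueError("first_class_cidr must be 1..32, cidr_increment >= 1")
    grid = set(range(first_class_cidr, 33, cidr_increment)) | {32}
    usable = {length for length in grid if length >= original_prefix_len}
    if original_prefix_len > first_class_cidr:
        usable.add(original_prefix_len)
    return sorted(usable)


def group_hosts(hosts: Iterable, prefix_len: int) -> List[IPv4Network]:
    """Collapse hosts into the distinct /prefix_len networks that contain them."""
    return sorted({IPv4Network(f"{h}/{prefix_len}", strict=False) for h in hosts})


def initial_recommendation(original: str, hosts: Iterable[str],
                           first_class_cidr: int = 8,
                           cidr_increment: int = 8) -> List[IPv4Network]:
    """Most permissive grouping that is still stricter than the original field.

    `original` is an IPv4 CIDR, or "Any" for 0.0.0.0/0.  Hosts outside the
    original field did not match this rule and are ignored.
    """
    original_net = IPv4Network("0.0.0.0/0" if original.lower() == "any" else original)
    inside = [IPv4Address(h) for h in hosts if IPv4Address(h) in original_net]
    if not inside:
        raise ValueError("no usage data for this field in the collection window")
    for length in candidate_prefix_lengths(original_net.prefixlen,
                                           first_class_cidr, cidr_increment):
        rec = group_hosts(inside, length)
        if rec != [original_net]:   # identical to the original: not stricter, go finer
            return rec
    raise ValueError(f"{original} cannot be tightened further")


def tighten(recommendation: List[IPv4Network], target: str, hosts: Iterable[str],
            first_class_cidr: int = 8, cidr_increment: int = 8) -> List[IPv4Network]:
    """Model the "+" button: split `target` into the next grid length, keeping
    only the sub-networks that actually carried traffic."""
    target_net = IPv4Network(target)
    if target_net not in recommendation:
        raise ValueError(f"{target} is not part of the recommendation")
    finer = [length for length in candidate_prefix_lengths(0, first_class_cidr, cidr_increment)
             if length > target_net.prefixlen]
    if not finer:
        raise ValueError(f"{target} is already a host entry")
    inside = [IPv4Address(h) for h in hosts if IPv4Address(h) in target_net]
    kept = [n for n in recommendation if n != target_net]
    return sorted(kept + group_hosts(inside, finer[0]))


if __name__ == "__main__":
    rec = initial_recommendation("Any", SAMPLE_HOSTS)
    print("initial      :", [str(n) for n in rec])
    rec = tighten(rec, "10.0.0.0/8", SAMPLE_HOSTS)
    print("after +      :", [str(n) for n in rec])
    print("/24 grid, +1 :", [str(n) for n in initial_recommendation("Any", SAMPLE_HOSTS, 24, 1)])
```

Running the module reproduces the page's example: an "Any" source collapses to 10.0.0.0/8, 172.0.0.0/8 and 192.0.0.0/8, and pressing + on 10.0.0.0/8 yields 10.0.0.0/16 and 10.1.0.0/16 because no traffic was seen in the other /16s. With firstClassCidr=24 and cidrIncrementingSize=1 the first grouping is already at /24, and each further + click narrows by one bit.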

What Can I Do Here?

Generate Recommendations

The recommendations are based on the traffic usage data collected during the data collection window.

  • Click Generate.

Regenerate Recommendations

You can generate new recommendations for a different date range, limited to the dates available in the data collection window.

  1. Click Regenerate.

    The Regenerate Recommendations pop-up appears.

  2. Select the dates for which you want to regenerate recommendations. Only dates in the data collection window can be selected.

  3. Click Regenerate.

Export Recommendations to a CSV

  1. In the Rule Optimizer Actions menu, select Export recommendations to CSV.

    The Export Recommendations to CSV pop-up appears.

  2. Select which recommendations to export:

    • Adjusted: Recommendations that have been manually adjusted.

    • Expanded: Fully expanded recommendations, with every address listed as a /32 host entry.

  3. Click Export.