Security Policy Compliance and Audit

Overview

Establish zone-based network segmentation and enforce compliance through continuous, rule-based checks that validate security policies across environments.

As your environments grow in scale and complexity, you need to ensure that security policies comply with industry standards and regulatory frameworks, and remain consistently enforced across on-premises, public, and private cloud environments.

Security Policy Compliance and Audit guides you through using SecureTrack's USP (Unified Security Policy) to:

  • Define and enforce zone-based segmentation aligned with compliance requirements.

  • Continuously validate security policies against industry standards and regulatory frameworks.

  • Identify policy violations and segmentation gaps across hybrid environments.

  • Support audit preparation with clear, actionable compliance insights.

Benefits
  • Continuous compliance validation against industry standards and regulatory frameworks.

  • Audit-ready visibility and evidence for regulatory and industry compliance requirements.

  • Stronger zone-based segmentation to reduce risk.

  • Automated tools to predefine policies, alerts, dashboards, and reports.

Intended audience
  • Network security architects responsible for troubleshooting network and security policies

  • Security analysts responsible for defining and enforcing policy compliance, and providing audit evidence

  • Risk and compliance managers responsible for assessing risk and validating compliance

Features

Security Policy Compliance and Audit leverages key features in SecureTrack to provide full visibility and control over your network security policies:

Prerequisites

Step 1: Define security zones

Identify the security zones your organization requires based on the segmentation strategy, and then map networks to these zones.

Use SecureTrack's Browser > Zones to define and map zones.

Map zones

Based on what you need, map networks to zones individually or in bulk.

  • Manual mapping: Manually map each network to its respective security zone. Use this option when you want to be precise and assign zones explicitly.

  • Bulk mapping: Map zones in bulk using the CSV import and export functionality. Use the bulk mapping options for large or complex environments to efficiently assign zones to networks.

    • Import zones: If you maintain zone mappings offline, review and update them as needed and import the mappings into SecureTrack in CSV format.

    • Export zones: Export existing zone mappings to a CSV file to review current assignments, validate segmentation, or prepare updates for bulk re-import.

See: 

Configuring the zone list

Exporting and importing zones

Map internet-facing zones

Assign internet-facing interfaces explicitly to the Internet zone. Defining the Internet boundary removes ambiguity and ensures accurate trust classification for compliance and policy analysis.

All other interface-to-zone mappings are handled automatically through MZTI (Multi-Zone Topology Interface).

  • Go to SecureTrack > Monitoring > Device Viewer

See Zone mapping.

Exclude high-volume Layer 3 devices

Exclude high-volume Layer 3 devices that are used only for topology discovery from violation calculations. Excluding these routing-focused devices prevents noise and false violations.

  • Go to SecureTrack's Monitoring > Device Viewer

See Include/exclude device in violation calculations.

(Optional) Align IPAM-based zones

For environments with IPAM integration, ensure IP address blocks are properly aligned with the defined security zones. Correct alignment between IPAM data and zone assignments ensures accurate zone resolution and reliable compliance validation.

Step 2: Install and configure IPAM application extension

IPAM (IP Address Management) Security Policy App is a Tufin Extension application that unifies and validates subnet data between SecureTrack and external IPAM systems such as Infoblox and BlueCat. IPAM integration enables accurate zone mapping, conflict detection, audit tracking, and automated synchronization.

Use Tufin Extensions > IPAM Security Policy App to configure and manage IPAM systems.

Install IPAM application

If you haven't already installed IPAM, install the application from the Extensions menu.

See Installing and logging in to ISPA.

Configure SecureTrack IP and email addresses

After installation, define the IP address for SecureTrack host, and the addresses for email notifications.

  • SecureTrack connection IP: The virtual IP

  • Email addresses: The recipients for subnet analysis summaries, and sync status notifications.

Leave the other settings unchanged.

See Configuring IPAM.

Add and configure IPAMs

After installing and configuring the IPAM application, add the IPAMs from the different vendors that you need to integrate with. For supported integrations and permissions, see Supported integrations.

  • Use tag name/value pairs to map imported subnets to:

    • Zones in SecureTrack

    • Domains if multi-domain is enabled

  • Use any to map untagged subnets to IPAM Unassociated Networks

See:

Adding IPAMs

Configuring IPAM attributes

Sync IPAMs with SecureTrack

After adding IPAMs, synchronize them with SecureTrack to ensure that subnet and zone information remains up to date. Sync your IPAM systems either manually or through scheduled syncs.

  • Manual sync

    Perform an on-demand sync for a specific IPAM system. Only SecureTrack users with Super Administrator permissions can perform manual synchronizations.

    In addition to importing subnet data, during a manual sync, you can:

    • Map subnets to a SecureTrack domain in multi-domain environments

    • Map subnets to zones

    • Generate a report summarizing the current subnet status

  • Scheduled sync

    Perform automated sync without manual intervention.

    Schedule the sync in IPAM Security Policy App (ISPA) to automatically synchronize subnet data from your IPAM systems at a defined frequency.

See:

Automatically syncing IPAMs

Manually syncing IPAMs

Validate subnet inventory

After manually or automatically syncing one or more IPAM systems with SecureTrack, you can:

  • View the list of imported subnets

  • Export subnet data to a CSV file for offline review and analysis

  • Cross-check with zones mapped in SecureTrack to validate that zones are correctly populated with subnets identified from IPAM
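The bulk CSV mapping in Step 1 and the IPAM cross-check above both come down to reconciling subnet-to-zone assignments. The following added example (not Tufin's code; the CSV column names, zone names and subnets are constructed assumptions, not SecureTrack's export format) validates a zone-mapping CSV before import, flags subnets that overlap across zones, and reports IPAM subnets whose zone tag disagrees with the zone that longest-prefix matching would resolve:

```python
import csv, ipaddress
# Constructed SecureTrack zone-mapping export; column names are an assumption, not Tufin's format.
ZONE_CSV = """zone,subnet
DMZ,10.10.0.0/24
DMZ,10.10.1.0/24
Internal,10.20.0.0/16
Internal,10.10.1.128/25
PCI,10.30.0.0/24
Bad,10.40.0.0/33
"""
# Constructed IPAM export, tagged with the target zone as in the tag mapping above (assumed columns).
IPAM_CSV = """subnet,tag_zone
10.10.0.0/24,DMZ
10.20.5.0/24,Internal
10.30.0.0/24,Internal
10.50.0.0/24,
"""

def load_zone_map(text):
    """Parse a zone-mapping CSV into [(zone, network)], collecting rows with invalid CIDRs."""
    mapping, bad = [], []
    for row in csv.DictReader(text.splitlines()):
        try:  # strict=True also rejects prefixes with host bits set
            mapping.append((row["zone"], ipaddress.ip_network(row["subnet"], strict=True)))
        except ValueError:
            bad.append(row["subnet"])
    return mapping, bad

def find_cross_zone_overlaps(mapping):
    """Overlapping subnets mapped to different zones make zone resolution ambiguous."""
    return [(za, str(na), zb, str(nb)) for i, (za, na) in enumerate(mapping)
            for zb, nb in mapping[i + 1:] if za != zb and na.overlaps(nb)]

def resolve_zone(mapping, cidr):
    """Most specific mapped zone containing the subnet (longest prefix wins), or None."""
    net = ipaddress.ip_network(cidr)
    candidates = [(zn.prefixlen, zone) for zone, zn in mapping if net.subnet_of(zn)]
    return max(candidates)[1] if candidates else None

def cross_check_ipam(mapping, ipam_text):
    """Report IPAM subnets whose zone tag disagrees with the zone SecureTrack would resolve."""
    findings = []
    for row in csv.DictReader(ipam_text.splitlines()):
        tag, resolved = row["tag_zone"] or None, resolve_zone(mapping, row["subnet"])
        if tag is None:
            findings.append((row["subnet"], "untagged: lands in IPAM Unassociated Networks"))
        elif resolved != tag:
            findings.append((row["subnet"], f"tagged {tag} but resolves to {resolved or 'no mapped zone'}"))
    return findings
```

Run the three checks against a real export before bulk import: any overlap or tag mismatch is a segmentation gap that would otherwise surface later as a false or missed USP violation.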

See:

Analyze subnets

Explore IPAM dashboard for insights

Gain insights into subnet distribution and mapping status across your environment from the IPAM application dashboard. The dashboard provides visibility into how IPAM data is integrated with SecureTrack zones and domains. It helps you monitor key indicators and assess the overall health and alignment of your IPAM and zone configuration.

From the dashboard, you can:

  • View the total number of configured IPAM systems, SecureTrack zones, and subnets

  • Analyze subnet distribution by zone and by IPAM source

  • Review the current status of IPAM-to-zone subnet mappings

  • Track time-based trends in subnet-to-zone mapping

See Analyzing network status.

View historical data

Track updates to subnets and the source of these updates in the IPAM application's History tab.

See Tracking events and subnets.

Step 3: Create and configure USPs

Once you define and map security zones, translate segmentation and compliance requirements into enforceable policy definitions with USPs.

Unified Security Policy (USP), is a logical, high-level policy model that defines the intended access rules and compliance requirements for traffic between security or compliance zones. SecureTrack monitors your actual network segmentation, and measures it against your policy, highlighting policy violations.

A USP matrix:

  • Defines which zone-to-zone traffic is allowed, restricted, or blocked

  • Represents the desired security posture, independent of specific devices or vendor syntax

  • Serves as a compliance and policy baseline

Use SecureTrack's USP Viewer to create and manage USPs.

Create a USP

Create customized USPs to tailor zone-to-zone policies, or compliance-based USPs from a template. Create a USP using either:

  • A predefined compliance or best-practices template

  • A blank USP template for a fully customized policy

As a starting point, use a predefined compliance template. If your environment requires custom segmentation rules, select the blank template and manually define the zone matrix.

See Creating USPs.

Step 4: Trigger alerts for USP violations

Defining USPs establishes the compliance baseline. To enforce compliance effectively, you must also receive timely notifications when violations occur.

Use SecureTrack's USP Alerts Manager to configure alerts to proactively monitor USP violations and trigger notifications when defined criteria are met.

  • USP alerts

    • Specific USPs or zone-to-zone policies

    • Device-level severity or risk

    • Violation attributes

  • Email notification alerts

    Configure alerts to send email notifications to relevant stakeholders to support timely investigation and remediation.

  • Integrate with SIEM (optional)

    Enable Syslog forwarding to send new USP violations to a SIEM (Security Information and Event Management) platform for centralized monitoring and incident response.

When managing multiple USP alerts, use Tufin Query Language (TQL) to filter and locate specific alerts based on policy name, device, severity, or other attributes.

See USP Alerts Manager.

Step 5: Create USP exceptions

Not all USP violations indicate an error. In some cases, business or operational requirements require and justify deviations from the defined policy. USP exceptions allow you to acknowledge and document these deviations, while maintaining visibility and audit traceability.

TOS supports two types of USP exceptions: rule exceptions and traffic exceptions.

Rule exceptions

Rule exceptions are defined at the firewall rule level. They allow a specific rule that violates a USP to remain in place based on documented business justification.

For each rule exception, provide:

  • Business justification

  • Exception owner

  • Approval or reference information

Rule exceptions are recorded and included in compliance reporting for traceability.

Use SecureTrack's Rule Viewer to create rule exceptions.

See:

USP rule exceptions

Add rule to existing USP rule exception

Traffic exceptions

Traffic exceptions are based on observed traffic flows and are independent of firewall rule definitions. They are created directly from USP violation entries.

Traffic exceptions include metadata such as:

  • Reason for the exception

  • Duration

  • Exception owner

Use SecureTrack's USP Exceptions Viewer to create USP traffic exceptions.

See USP traffic exceptions.
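To make the USP model of Step 3 and the exception handling of Step 5 concrete, here is an added example (not Tufin's code; the matrix layout, zone names, rule ids and exceptions are constructed assumptions) that measures zone-resolved rules against a zone-to-zone matrix and separates open violations from deviations covered by a still-valid rule or traffic exception, treating an expired exception as an open violation again:

```python
# Constructed USP matrix: (source zone, destination zone) -> allowed services.
# A pair with {"*"} is fully allowed, a non-empty set is restricted to those
# services, and an empty set or a missing pair is blocked.
USP_MATRIX = {
    ("Internal", "DMZ"): {"tcp/443"},
    ("DMZ", "Internet"): {"tcp/443", "tcp/80"},
    ("Internal", "Internet"): {"*"},
    ("PCI", "Internal"): set(),
}

# Constructed firewall rules already resolved to zones: (rule id, src, dst, services).
RULES = [
    ("fw1:1", "Internal", "DMZ", {"tcp/443"}),
    ("fw1:2", "Internal", "DMZ", {"tcp/22"}),
    ("fw1:3", "Internet", "PCI", {"tcp/3389"}),
    ("fw2:7", "PCI", "Internal", {"tcp/1433"}),
    ("fw2:8", "DMZ", "Internet", {"tcp/80", "udp/53"}),
]

# Constructed exceptions. Rule exceptions are keyed by rule id, traffic exceptions by
# (src, dst, service); both carry owner, justification and an ISO expiry date.
RULE_EXCEPTIONS = {
    "fw1:2": {"owner": "netops", "reason": "vendor SSH maintenance", "expires": "2030-01-01"},
}
TRAFFIC_EXCEPTIONS = {
    ("DMZ", "Internet", "udp/53"): {"owner": "dns-team", "reason": "resolver egress", "expires": "2020-01-01"},
}

def offending_services(src, dst, services):
    """Services in a rule that the USP matrix does not allow for this zone pair."""
    allowed = USP_MATRIX.get((src, dst), set())
    return set() if "*" in allowed else set(services) - allowed

def evaluate(rules, today, rule_exc=RULE_EXCEPTIONS, traffic_exc=TRAFFIC_EXCEPTIONS):
    """Split violations into open ones and ones documented by a still-valid exception.

    ISO dates compare correctly as strings, so expiry is checked with plain comparison.
    """
    open_violations, excepted = [], []
    for rule_id, src, dst, services in rules:
        for svc in sorted(offending_services(src, dst, services)):
            exc = rule_exc.get(rule_id) or traffic_exc.get((src, dst, svc))
            if exc and exc["expires"] > today:
                excepted.append((rule_id, src, dst, svc, exc["owner"]))
            else:
                open_violations.append((rule_id, src, dst, svc, "expired exception" if exc else "no exception"))
    return open_violations, excepted
```

The excepted list is the audit trail an assessor asks for: each entry ties a deviation to an owner and a justification, while anything in the open list is what the alerts and dashboards of the following steps should surface.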

Step 6: Explore USP compliance dashboards

Gain a high-level, real-time view of policy compliance across the environment through dedicated USP compliance dashboards.

Use SecureTrack's Dashboard for visibility into overall adherence, violation trends, and areas that require attention.

The USP compliance dashboards, at the bottom of the page, include a set of predefined USP queries which allow you to filter, explore, and export data based on policy names, zones, devices, severity levels, and exception status. To create personalized views, you can customize these queries to get detailed operational and audit information.

Compliance trends

Shows trends over time, including the number and severity of USP violations.

Use compliance trends to:

  • Track remediation progress

  • Identify recurring or persistent compliance issues

See USP Compliance Trends.

Violations by Device and USP

Highlights devices and policies that generate the highest number of violations.

Use device and USP violations to:

  • Prioritize remediation efforts

  • Focus audit reviews on high-impact devices or policies

See USP Compliance - Rules with Violations.

Step 7: Use Security Policy Builder

Security Policy Builder (SPB) helps design Unified Security Policies based on actual network traffic and rule usage, with guided recommendations to define zone-to-zone access and accelerate USP implementation.

Use Tufin Extensions > Security Policy Builder to design USPs.

See Security Policy Builder.

Step 8: Generate USP compliance and violation reports

If you have installed and configured SecureTrack Reporting Essentials, you can generate three predefined reports that track different aspects of USPs.

Security Violations Report

  • Highlights USP violations across all devices, helping security teams identify and prioritize non-compliant rules.

  • Shows details such as violating rules, associated USP, device names, and exception status.

See Security Violations report.

Security Compliance Report

  • Measures overall compliance posture by comparing active access rules against defined USP policies.

  • Presents a summarized compliance score, violation trends, and zone-to-zone risk visibility.

See Security Compliance report.

Unauthorized Changes Report

  • Identifies unapproved or out-of-process configuration changes.

  • Presents a list of all the unauthorized changes performed in the environment without a valid SecureChange ticket.

See Unauthorized Changes report.