Rule Violations

Overview

A violation is a case where a rule deviates from the policy specified in a USP.

An overview of rules with violations is shown in the dashboard, and you can search for all rules with violations in the Rule Viewer using TQL. When you select a rule in the Rule Viewer, you can view the violations for that rule by selecting Violations from the rule menu.

What can I see?

This page displays the following information about violations:

  • Violation Type: Traffic, Rule.

  • USP: The name of the USP containing the rule in violation.

  • Zones from to: The source and target zones to which the rule applies.

  • Sources and destinations: Hover for more information.

  • Security requirement: The action that has not been upheld.

  • Services and/or applications: As defined in the USP. Hover for more detail.

  • Severity: As defined in the USP.

  • Creation Date: The date and time the violation first occurred.

What Can I Do Here?

Edit Rule Documentation

  1. Select one or more rules.

  2. From the Actions menu, select Edit Rule Documentation.

  3. Add or edit the following information:

    • Rule description - free text

    • Technical Owner - TOS Classic administrators can select any user from the list. Other users can assign only themselves.

    • Automation attribute - used by SecureChange Designer

      • None - no automation attribute
      • Legacy rule
      • Stealth rule

Add Ticket to Rule

A ticket is a change request or other rule-related activity that is tracked in a ticketing system. Linking ticket information to a rule may be helpful for auditing, as it allows you to track why each change was made, who requested the change, and who authorized it. You can manually enter this information into a related ticket in the Rule Viewer or include a URL which links to the ticket in your ticketing system.

You can add ticket details to one or more rules, which allows you to track all rule-related information in the Rule Viewer.

  1. In the Rule Viewer, select the checkbox for one or more rules.

  2. From the Actions menu, select Add Related Ticket, and add the following ticket information:

    • Ticket ID (required)
    • External URL
    • Business Owner
    • Email
    • Expiration date
    • Comment

    If SecureTrack is connected to SecureChange, select SecureChange Ticket to create the ticket in SecureChange.

Once you have added a ticket to a rule, in the Rule Overview you can click the Related Tickets link on the left to view details about all related tickets.

Create a USP Rule Exception

You can exempt specific rules from triggering a violation in the USP by creating a USP Rule Exception. These exceptions are useful when:

  • You have to exempt certain rule violations for a limited period of time due to an urgent requirement.

  • You want to make an exception for specific devices, for example when you have an HA configuration and you don't want to receive duplicate violation notifications from the standby devices.

  1. In the Rule Viewer, select the checkbox for one or more rules.

  2. From the Actions menu, select Create USP Rule Exception.

  3. In the General section, enter the following information:

    • Exception Name: The name of the USP Rule Exception.

    • Ticket ID (Optional): The Ticket ID that relates to this exception.

    • Approver (Optional): The person who approved the USP Rule Exception.

    • Time Frame (Optional): The time frame in which the USP Rule Exception is valid.

  4. In the USP section, click +Add USP to select a USP to which to apply the rule exception. If you don't select a USP, the rule exception will apply to all USPs.

  5. In the Description (optional) section, enter a description of the USP rule exception.

  6. Click Create.

Add a Rule to an Existing USP Rule Exception

  1. In the Rule Viewer, select the checkbox for one or more rules.

  2. From the Actions menu, select Add to Existing USP Rule Exception.

  3. In the Exception field, select the USP Rule Exception, and click Open.

  4. Review the information in the USP Rule Exception.

    In the Rules section, the rules which you just added are highlighted in blue.

  5. Click Save.

How Do I Get Here?

SecureTrack > Browser > Rule Viewer > click a rule > Violations.