Cisco

ACI

Change Management

Graphical Policy

Policy Analysis

Object Lookup

Topology

Static Topology
Dynamic Topology

Notes for ACI:

  • For each Tenant, supports tracking, comparing, and generating reports on the changes to the following: Application profiles, contracts, consumers, providers, filters, EPGs, subnets.

  • Supports Policy Browser, Object Lookup, comparing rules on ACI Tenant.

  • Static Topology and Dynamic Topology are supported for East/West and North/South connectivity.

  • Interactive map supports path queries to external IP addresses that travel via specific EPGs. In the query, the source and destination can include an IP address AND an EPG, and the query results will return paths that include both. For example: 1.1.1.1@EPG1

  • OSPF and BGP routing is supported for Cisco ACI devices

  • uEPG and Contract Master visibility is supported for revisions and topology retrieved from Cisco ACI Devices

  • Limited support for IPv6 Objects

ASA

Dashboard and Browsers

Change Tracking
Policy Analysis
Risk
Dashboard
Violations
Cleanup

Change Management

Rule and Object Usage Report
Change Management
Graphical Policy
Real-time Monitoring
Full Accountability
Display IPv6 objects
Create SecureChange ticket from Policy Browser for:
Rule Decommission
Rule Modification
Rule Recertification

Policy Analysis

Automatic Policy Generation (APG)
Policy Analysis
Object Lookup

Auditing and Reporting

Auditing and Reporting

Topology

Static Topology
Dynamic Topology
Calculate impact of NAT rules
Calculate impact of VPN policies

Notes for ASA:

  • ASA 9.5 support does not include SCTP.

  • NAT rules are supported by ASA 8.3 or higher

  • IPv6 Objects are supported by ASA 8.x or higher

Firepower Management Center

Dashboard and Browsers

Change Tracking
Policy Analysis
Risk
Dashboard
Cleanup
Violations

Change Management

Change Management
Graphical Policy
Real-time Monitoring
Full Accountability
Create SecureChange ticket from Policy Browser for:
Rule Decommission
Rule Modification
Rule Recertification

Policy Analysis

Object Lookup

Auditing and Reporting

Auditing and Reporting

Topology

Static Topology
Dynamic Topology

Notes for Firepower Management Center:

  • Dashboard support includes Cleanup; however, it does not support the cleanup of “Unused network objects”.

  • In the Interactive Map, Path Analysis calculations take Cisco Network Zones into account

  • When dynamic topology is enabled for FMC devices:

    • Both static and dynamic routes are displayed in the Interactive Map.

    • Static routes are not shown as part of the revisions.

  • When the Usage Tracking options are selected in the configuration of devices managed by the FMC:

    • Policy Browser displays the last time specific rules were hit

    • Automatic Policy Generation (APG) is supported

    • Rule and Object Usage Report is supported

    • Policies need to have unique names. If there are multiple policies that share the same name, rule hits will not be mapped correctly to these policies

IOS L3 Switch (IOS or IOS XE)

Dashboard and Browsers

Change Tracking
Policy Analysis
Risk
Dashboard
Violations
Cleanup

Change Management

Rule and Object Usage Report
Change Management
Graphical Policy
Real-time Monitoring
Full Accountability
Display IPv6 objects
Create SecureChange ticket from Policy Browser for:
Rule Decommission
Rule Recertification

Policy Analysis

Policy Analysis
Object Lookup

Auditing and Reporting

Auditing and Reporting

Topology

Static Topology
Dynamic Topology
Calculate impact of VPN policies

IOS-XR

Dashboard and Browsers

Change Tracking
Policy Analysis
Risk
Dashboard
Violations
Cleanup

Change Management

Rule and Object Usage Report
Change Management
Graphical Policy
Real-time Monitoring
Create SecureChange ticket from Policy Browser for:
Rule Decommission
Rule Recertification

Policy Analysis

Policy Analysis
Object Lookup

Auditing and Reporting

Auditing and Reporting

Topology

Static Topology
Dynamic Topology
Display IPv6 objects
Path analysis with IPv6 addresses in source and destination

Notes for IOS-XR:

  • Change Management includes visibility on MPLS option B

Nexus

Dashboard and Browsers

Change Tracking
Policy Analysis
Risk
Dashboard
Violations
Cleanup

Change Management

Rule and Object Usage Report
Change Management
Graphical Policy
Real-time Monitoring
Full Accountability
Create SecureChange ticket from Policy Browser for:
Rule Decommission
Rule Recertification

Policy Analysis

Policy Analysis
Object Lookup

Auditing and Reporting

Auditing and Reporting

Topology

Static Topology
Dynamic Topology

Routers (IOS or IOS XE)

Dashboard and Browsers

Change Tracking
Policy Analysis
Risk
Dashboard
Cleanup
Violations

Change Management

Rule and Object Usage Report
Change Management
Graphical Policy
Real-time Monitoring
Full Accountability
Display IPv6 objects
Create SecureChange ticket from Policy Browser for:
Rule Decommission
Rule Recertification

Policy Analysis

Policy Analysis
Object Lookup

Auditing and Reporting

Auditing and Reporting
Expired Rules Report

Topology

Static Topology
Dynamic Topology
Calculate impact of VPN policies
Calculate impact of policy-based routing and related ACL rules

Notes for Routers:

  • Tufin supports policy-based routing (PBR) for Cisco IOS routers for the following configuration types, when the next hop in the route map is to a monitored device in the Tufin Orchestration Suite topology:

    • set interface <interface name>

    • set ip next-hop <ip address>

    • set vrf <vrf name>

Zone-based firewalls

Dashboard and Browsers

Change Tracking
Policy Analysis
Risk
Dashboard
Violations
Cleanup

Change Management

Change Management
Graphical Policy
Real-time Monitoring
Create SecureChange ticket from Policy Browser for:
Rule Decommission
Rule Recertification

Policy Analysis

Object Lookup

Auditing and Reporting

Auditing and Reporting

Topology

Static Topology
Dynamic Topology

Notes for all Cisco devices:

  • Cisco Security Manager (CSM):

    • Supports change tracking in textual policy view only for ASA 8.x-9.x, Catalyst switch 3560, and IOS router 2801 devices.