Creating a Compliance Policy

This is a Legacy Feature. It will be discontinued as of version R21-3.

We recommend you consider using the following features:

These features give you greater flexibility in the number of zones that you can configure and allow you to define the requirements that you need.

To configure a Compliance Policy, you define a SecureTrack policy of traffic patterns which should always be allowed, or a SecureTrack policy of traffic patterns which should always be blocked. When a firewall security policy is changed so that it conflicts with this Compliance Policy, an alert, in report form, is sent to the recipients defined for that Compliance Policy. In addition, the Compliance Policy can be run on demand to locate current violations.

To create a new Compliance Policy:

  1. Go to Audit > Compliance and click New Compliance Policy:

    [Screenshot: New compliance policy]

    Stage 1 of the configuration wizard appears:

    [Screenshot: security compliance stage 1]

  2. Type a Policy Name, and select the following:
    • Compliance Policy Type:
      • For high-security risk traffic: Risk Management. Select whether you will specify the Unauthorized/Risky connectivity (a blacklist of traffic that must be blocked), or specify the exclusively allowed Authorized connectivity (a whitelist), so that all non-specified traffic is considered high-risk.
      • For business-critical traffic: Business Continuity.
    • Devices to which the Compliance Policy will apply
    • Interfaces/Policy Packages/Zones to add groups of rules that the Compliance Policy will check.
    • Recipients to receive alerts when installed policy conflicts with this Compliance Policy.

    You can also select Analyze only relevant policies to let Topology Intelligence find the policies that include rules with the specified zones.

  3. Click Next.

    Stage 2 of the configuration wizard appears.

  4. Configure the traffic patterns to watch:
    1. Click New Rule.
    2. Configure a traffic pattern:

      [Screenshot: compliance rule]

      Give the traffic pattern a Name and Description, and configure the traffic's Source, Destination, and the Service. For Palo Alto Networks devices, you can also define the User and Application. For each of these, you can select:

      • All
      • Network Object:

        You can select an object defined in a monitored device, in which case, when the query is run, SecureTrack will use the object definition as it appears in the most recent policy revision from that firewall. Note that object names are case-sensitive. To view exact object names, in Compare view, select the most recent policy and click View Policy. The object names appear below in the Objects tab.

        Or, for Source and Destination, you can use an object from SecureTrack zones.

      • Custom:

        For Source or Destination, explicitly define the Network Address and Network Mask.

        Under Service, either select TCP, UDP, or ICMP, and a Port number, or select Other to specify an IP Protocol Number. You can only create queries for services that are IP protocols, such as TCP, ICMP and OSPF. Services that are not IP protocols, such as RPC and DCE/RPC, are not supported.

        For Port or for an IP Protocol Number, you can do any of the following:

        - Type a range. For example: 100-200.

        - Specify multiple ports in a list, separated by commas. For example: 80, 81, 443.

        - Specify an open-ended range with Less Than or Greater Than. For example: >1023.

        - Combine elements in a list. For example: 80-81, >1023.

        To define the Source, Destination, or Service as anything other than the specified value, select Negate.

      Click Save.

    3. In a Blacklist Compliance Policy, to define an exception to this traffic pattern (that is, to define a subset of the traffic pattern that can be allowed), click add blacklist exception:

      [Screenshot: add exception to rule]

    4. Configure the traffic to be excepted. For Source and/or Destination, you can select Hosts only to restrict the exception so that it is allowed only when the firewall rule allowing it defines the source or destination host specifically (explicitly or in a group, but not as part of a subnet). For Service, you can select Specified ports only to restrict the exception so that it is allowed only when the firewall rule allowing it defines the service specifically and not as an 'any' object (such as 'any' or 'any-tcp').
    5. Click Save.
  5. Once you have finished configuring traffic patterns for the Compliance Policy, Save the Compliance Policy.

Your Compliance Policy now appears in the Compliance Policies list. The specified recipients will receive alerts when there is a policy violation. The report is in the format defined in the Reports tab.

From the list, you can select the report and Run, Edit, or Delete it.
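The following is an added example, not SecureTrack code, that models what a Blacklist (Risk Management, Unauthorized connectivity) Compliance Policy check does: it parses the Port field syntax described above (ranges, comma lists, Less Than / Greater Than, and combinations), then reports firewall accept rules whose traffic overlaps a pattern that must always be blocked, honouring Negate on Source and a Hosts only exception. The rule model, the sample rules and networks, and the overlap semantics are constructed assumptions for illustration; SecureTrack's actual matching logic is not described on this page.

```python
"""Simplified model of a Blacklist Compliance Policy check (constructed example)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


def parse_port_spec(spec: str) -> list[tuple[int, int]]:
    """Parse a Port / IP Protocol Number field into inclusive (low, high) ranges.
    Accepts '100-200', '80, 81, 443', '>1023', '<1024' and combinations such as '80-81, >1023'."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if item.startswith(">"):            # Greater Than: open-ended upwards
            lo, hi = int(item[1:]) + 1, 65535
        elif item.startswith("<"):          # Less Than: open-ended downwards
            lo, hi = 0, int(item[1:]) - 1
        elif "-" in item:                   # explicit range
            a, b = item.split("-", 1)
            lo, hi = int(a), int(b)
        else:                               # single port
            lo = hi = int(item)
        if not (0 <= lo <= hi <= 65535):
            raise ValueError(f"port range out of bounds: {item!r}")
        ranges.append((lo, hi))
    if not ranges:
        raise ValueError("empty port specification")
    return ranges


def ranges_overlap(a, b):
    return any(lo1 <= hi2 and lo2 <= hi1 for lo1, hi1 in a for lo2, hi2 in b)


def ranges_within(inner, outer):
    return all(any(lo2 <= lo <= hi <= hi2 for lo2, hi2 in outer) for lo, hi in inner)


@dataclass
class Rule:          # one firewall rule as read from a policy revision (assumed model)
    name: str
    src: str
    dst: str
    proto: str
    ports: str
    action: str      # "accept" or "drop"


@dataclass
class Pattern:       # one Compliance Policy traffic pattern that must be blocked
    src: str
    dst: str
    proto: str
    ports: str
    negate_src: bool = False
    negate_dst: bool = False


@dataclass
class Exception_:    # blacklist exception; hosts_only models the "Hosts only" option
    src: str
    dst: str
    proto: str
    ports: str
    hosts_only: bool = False


def nets_intersect(pattern_net: str, rule_net: str, negate: bool) -> bool:
    """Does the rule's network carry any traffic the pattern describes?
    With Negate, the pattern means 'any host other than pattern_net', so the rule
    is relevant unless it lies entirely inside the negated network."""
    pn, rn = ipaddress.ip_network(pattern_net), ipaddress.ip_network(rule_net)
    return not rn.subnet_of(pn) if negate else pn.overlaps(rn)


def rule_is_excepted(rule: Rule, exc: Exception_) -> bool:
    rs, rd = ipaddress.ip_network(rule.src), ipaddress.ip_network(rule.dst)
    es, ed = ipaddress.ip_network(exc.src), ipaddress.ip_network(exc.dst)
    if not (rs.subnet_of(es) and rd.subnet_of(ed) and rule.proto == exc.proto):
        return False
    # Hosts only: the allowing rule must name single hosts, not subnets
    if exc.hosts_only and (rs.prefixlen != rs.max_prefixlen or rd.prefixlen != rd.max_prefixlen):
        return False
    return ranges_within(parse_port_spec(rule.ports), parse_port_spec(exc.ports))


def blacklist_violations(rules, pattern: Pattern, exceptions=()) -> list[str]:
    """Names of accept rules that allow traffic the pattern says must always be blocked."""
    pat_ports = parse_port_spec(pattern.ports)
    hits = []
    for r in rules:
        if r.action != "accept" or r.proto != pattern.proto:
            continue
        if not (nets_intersect(pattern.src, r.src, pattern.negate_src)
                and nets_intersect(pattern.dst, r.dst, pattern.negate_dst)):
            continue
        if not ranges_overlap(pat_ports, parse_port_spec(r.ports)):
            continue
        if any(rule_is_excepted(r, e) for e in exceptions):
            continue
        hits.append(r.name)
    return hits


# Constructed sample data: "non-internal sources must never reach DMZ database ports"
SAMPLE_PATTERN = Pattern("10.0.0.0/8", "192.168.10.0/24", "tcp", "1433, 3306", negate_src=True)
SAMPLE_EXCEPTION = Exception_("203.0.113.0/24", "192.168.10.0/24", "tcp", "1433", hosts_only=True)
SAMPLE_RULES = [
    Rule("web-in", "0.0.0.0/0", "192.168.10.0/24", "tcp", "80, 443", "accept"),
    Rule("db-open", "0.0.0.0/0", "192.168.10.5/32", "tcp", ">1023", "accept"),
    Rule("partner-db", "203.0.113.7/32", "192.168.10.5/32", "tcp", "1433", "accept"),
    Rule("partner-db-wide", "203.0.113.0/24", "192.168.10.5/32", "tcp", "1433", "accept"),
    Rule("internal-db", "10.20.0.0/16", "192.168.10.5/32", "tcp", "1433", "accept"),
    Rule("drop-all", "0.0.0.0/0", "0.0.0.0/0", "any", "0-65535", "drop"),
]

if __name__ == "__main__":
    print("violations:", blacklist_violations(SAMPLE_RULES, SAMPLE_PATTERN, [SAMPLE_EXCEPTION]))
```

Running it flags db-open (the open-ended >1023 service covers 1433) and partner-db-wide (the exception requires single hosts, and this rule names a /24), while partner-db is covered by the exception and internal-db falls inside the negated internal range.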