Preparing a Security Zone Matrix File

After you import a CSV file that lists the traffic requirements between zones, the matrix is displayed as a table of those requirements. Once the controls are defined, rules that violate the traffic requirements are listed in Home > Violations.

Prerequisites

You must define your security zones in Network > Zones before you can import a security zone matrix.

Procedure

To create a security zone matrix file, build a CSV with the columns listed below. The "From zone", "To zone", "Severity" and "Access Type" columns are required; the domain columns, and the Services, Rule Properties and Flows columns, are used only where noted:

  • From domain (for Multi-Domain deployment only) - The name of the domain that contains the "from zone"

    This column is optional. If Multi-Domain is enabled and this column is not included in the file, the "Default" domain is assigned to every row as the "from" domain.

  • From zone - The name of the source network zone in Network > Zones
  • To domain (for Multi-Domain only) - The name of the domain that contains the "to zone"

    This column is optional. If Multi-Domain is enabled and this column is not included in the file, the "Default" domain is assigned to every row as the "to" domain.

  • To zone - The name of the destination network zone in Network > Zones
  • Severity - The severity assigned to a violation of this requirement: low, medium, high, critical
  • Access Type - How traffic from the source zone to the destination zone must be handled:
    • Allow all - All traffic is allowed
    • Block all - All traffic is blocked
    • Allow only - Traffic is allowed only if the traffic service is in the list of services
    • Block only - Traffic is blocked only if the traffic service is in the list of services
  • Services (for Allow Only or Block Only access) - The services to which the Allow Only or Block Only requirement applies, that is, the services allowed (or blocked) from the source zone to the destination zone. See List of Tufin Predefined Services.
    1. You can enter multiple values separated by a semicolon, for example: tcp 80; icmp 8
    2. You can enter a range of ports, for example: tcp 67-68
    3. You can enter any to match all services.
  • Rule Properties (for Allow Only or Block Only access) - Properties that rules matching this traffic requirement must have:
    • EXPLICIT_SOURCE - Rules must have an explicit source, not the ANY value
    • EXPLICIT_DESTINATION - Rules must have an explicit destination, not the ANY value
    • EXPLICIT_SERVICE - Rules must have an explicit service, not the ANY value
    • HAS_COMMENT - Rules must have text in the comment field
    • IS_LOGGED - Rules must be configured to create log entries
    • LAST_HIT_WITHIN {DAYS: X} - Rules must have had hits within the last X days
    • SOURCE_MAX_IP {COUNT:X} - The source must contain fewer than X IP addresses
    • DESTINATION_MAX_IP {COUNT:X} - The destination must contain fewer than X IP addresses
    • SERVICE_MAX_SERVICES {COUNT:X} - The service must contain fewer than X services

    Separate multiple values with a semicolon, for example: IS_LOGGED; Last_Hit_Within {days: 90}

    To enforce Rule Properties regardless of service, set the Access Type to Allow Only and Services to any, then add the desired Rule Properties.

  • Flows (for Allow Only or Block Only access) - Restricts which rules may match this traffic requirement, according to whether the rule's source and destination are defined by host objects or by subnet objects. Host objects are any object, multiple objects or group of objects where each object represents one IP address. Subnet objects are any object, multiple objects or group of objects where each object represents more than one IP address, not including ANY or Internet.

    The syntax for the flow requirement is either:

    • HOST_TO_HOST - Rules where both the source and the destination of the traffic flow are defined by host objects
    • SUBNET_TO_HOST - Rules where the source of the traffic flow is defined by subnet objects and the destination by host objects
    • HOST_TO_SUBNET - Rules where the source of the traffic flow is defined by host objects and the destination by subnet objects

    To enforce Flows regardless of service, set the Access Type to Allow Only and Services to any, then add the desired flows.

    The first line of the file must be a header row containing the column headings above, followed by one line per traffic requirement. You can include up to 70 security zones in a single matrix.
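The following validator is an added example, not Tufin's own tooling, that checks a matrix file against the rules above before you import it: the header row, the required columns, the allowed Severity and Access Type values, the service, Rule Properties and Flows syntax, that every zone referenced exists in the zone list, and the 70-zone limit. The column names, accepted values and limit are taken from this page; the exact parsing behaviour (case-insensitive matching, tolerance of spaces around `{DAYS: X}`, that Services/Rule Properties/Flows are rejected rather than ignored for Allow all and Block all, and that an inverted port range is an error) is assumed, as is the sample data, which is constructed for the example and is not the page's sample file.

```python
import csv
import io
import re

# Column names and accepted values as listed on this page.
REQUIRED_COLUMNS = ["From zone", "To zone", "Severity", "Access Type"]
OPTIONAL_COLUMNS = ["From domain", "To domain", "Services", "Rule Properties", "Flows"]
SEVERITIES = {"low", "medium", "high", "critical"}
ACCESS_TYPES = {"allow all", "block all", "allow only", "block only"}
FLOWS = {"HOST_TO_HOST", "SUBNET_TO_HOST", "HOST_TO_SUBNET"}
MAX_ZONES = 70

# Assumed service syntax: "any", "<proto> <number>" or "<proto> <low>-<high>",
# generalised from the page's examples "tcp 80; icmp 8" and "tcp 67-68".
SERVICE_RE = re.compile(r"^(any|[a-z]+ \d+(-\d+)?)$", re.IGNORECASE)
# Rule property syntax from the list above. Case-insensitive matching is an
# assumption based on the page's own example "Last_Hit_Within {days: 90}".
PROPERTY_RE = re.compile(
    r"^(EXPLICIT_SOURCE|EXPLICIT_DESTINATION|EXPLICIT_SERVICE|HAS_COMMENT|IS_LOGGED"
    r"|LAST_HIT_WITHIN\s*\{\s*DAYS\s*:\s*\d+\s*\}"
    r"|(SOURCE_MAX_IP|DESTINATION_MAX_IP|SERVICE_MAX_SERVICES)\s*\{\s*COUNT\s*:\s*\d+\s*\})$",
    re.IGNORECASE,
)


def split_values(cell):
    """Split a semicolon-separated cell into trimmed, non-empty values."""
    return [v.strip() for v in (cell or "").split(";") if v.strip()]


def validate_matrix(csv_text, defined_zones):
    """Return a list of error strings; an empty list means nothing was rejected."""
    errors = []
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames:
        reader.fieldnames = [h.strip() for h in reader.fieldnames]
    headers = reader.fieldnames or []
    errors += [f"missing required column: {h}" for h in REQUIRED_COLUMNS if h not in headers]
    errors += [f"unknown column: {h}" for h in headers
               if h not in REQUIRED_COLUMNS + OPTIONAL_COLUMNS]
    if errors:
        return errors  # rows cannot be interpreted without a sane header row

    zones_used = set()
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header row
        for col in ("From zone", "To zone"):
            zone = (row[col] or "").strip()
            zones_used.add(zone)
            if zone not in defined_zones:
                errors.append(f"line {line_no}: {col} '{zone}' is not defined in Network > Zones")
        if (row["Severity"] or "").strip().lower() not in SEVERITIES:
            errors.append(f"line {line_no}: invalid Severity '{row['Severity']}'")
        access = (row["Access Type"] or "").strip().lower()
        if access not in ACCESS_TYPES:
            errors.append(f"line {line_no}: invalid Access Type '{row['Access Type']}'")
            continue
        services = split_values(row.get("Services"))
        properties = split_values(row.get("Rule Properties"))
        flows = split_values(row.get("Flows"))
        if access in ("allow only", "block only"):
            if not services:
                errors.append(f"line {line_no}: '{access}' needs at least one service (or 'any')")
        elif services or properties or flows:
            # Assumption: these columns are an error, not ignored, for Allow all / Block all.
            errors.append(f"line {line_no}: Services, Rule Properties and Flows apply only "
                          f"to Allow only / Block only")
        for service in services:
            if not SERVICE_RE.match(service):
                errors.append(f"line {line_no}: unrecognised service '{service}'")
            elif "-" in service:  # assumed check: a range must run low-high
                low, high = service.split()[1].split("-")
                if int(low) > int(high):
                    errors.append(f"line {line_no}: inverted port range '{service}'")
        for prop in properties:
            if not PROPERTY_RE.match(prop):
                errors.append(f"line {line_no}: unrecognised rule property '{prop}'")
        for flow in flows:
            if flow.upper() not in FLOWS:
                errors.append(f"line {line_no}: unrecognised flow '{flow}'")

    if len(zones_used) > MAX_ZONES:
        errors.append(f"matrix references {len(zones_used)} zones; the limit is {MAX_ZONES}")
    return errors


# Constructed sample data for a stand-alone run (not the page's own sample file).
SAMPLE_ZONES = {"Internet", "DMZ", "Internal"}
SAMPLE_MATRIX = """\
From zone,To zone,Severity,Access Type,Services,Rule Properties,Flows
Internet,DMZ,high,Allow only,tcp 443; tcp 80,IS_LOGGED; EXPLICIT_DESTINATION,HOST_TO_HOST
DMZ,Internal,critical,Block all,,,
Internal,DMZ,medium,Allow only,any,IS_LOGGED; LAST_HIT_WITHIN {DAYS: 90},
Internal,Internet,low,Allow only,tcp 67-68; udp 53,,
"""
BAD_MATRIX = """\
From zone,To zone,Severity,Access Type,Services,Rule Properties,Flows
Internet,Database,high,Allow only,tcp 1433,,
DMZ,Internal,urgent,Block all,tcp 22,,
Internal,Internet,low,Allow only,tcp 68-67,BOGUS_FLAG,WIDE_TO_HOST
"""

if __name__ == "__main__":
    for name, text in (("good", SAMPLE_MATRIX), ("bad", BAD_MATRIX)):
        problems = validate_matrix(text, SAMPLE_ZONES)
        print(f"{name}: {'OK' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
```

Run it against the real file and the exported zone list before importing; the validator reports every problem it finds with the line number in the CSV, so a rejected import can be traced to the offending row rather than discovered one error at a time in the UI.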

Sample File (You must import the sample zone list before you import the sample security zone matrix)

Sample as shown in Excel

Sample after import