How APG Works
Overview
The APG analyzes firewall logs (see Getting Logs for APG) to determine actual business practices, and creates an optimized rulebase that limits traffic allowance to traffic actually used in the organization.
If you have an existing rulebase, APG identifies the permissiveness level of each 'accept' rule, on a scale from 1 to 100. Permissiveness measures how widely a rule is defined:
- A rule with one source host, one destination host and one service has the smallest value, 1
- A rule with Source "ANY", Destination "ANY" and Protocol "ANY" has the highest value, 100
Rules with high permissiveness can be a security risk because they allow too much access through the firewall. You can use APG to generate tighter, more granular replacement rules, based on actual traffic logs.
If you do not yet have a firewall policy in place, you can begin by configuring a relatively permissive policy, and leave it in place long enough to produce logs. Then, use the APG to translate these logs into a secure, optimized rulebase.
Once logs have been collected and analyzed, APG provides interfaces for selecting the desired balance between rule granularity (less permissive and therefore more secure) and simplicity (fewer rules and therefore more manageable and potentially better performance). For example, if traffic to a specific destination over a specific service comes from several individual sources, you can choose to have a rule for each source, providing maximum security, or you can allow traffic from a generalized subnet, collapsing those sources into a single rule.
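The granularity trade-off described above, as an added illustration that is not APG's own code or scoring formula: constructed accept-log tuples are grouped by destination and service, then emitted either as one rule per source host or as rules over an enclosing subnet, and each rule gets an illustrative 1 to 100 permissiveness score whose only guaranteed points are the page's two endpoints (host/host/service = 1, ANY/ANY/ANY = 100). The `/24` prefix and the averaging heuristic are assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of accepted flows as (source, destination, service);
# this is not a real firewall or APG log format.
SAMPLE_LOGS = [
    ("10.1.2.10", "192.168.5.20", "tcp/443"),
    ("10.1.2.11", "192.168.5.20", "tcp/443"),
    ("10.1.2.12", "192.168.5.20", "tcp/443"),
    ("10.1.2.10", "192.168.5.20", "tcp/443"),   # same flow logged twice
    ("10.9.0.5",  "192.168.5.30", "tcp/22"),
]

def generate_rules(logs, granular=True, prefix=24):
    """Return a rulebase as a sorted list of (source, destination, service).

    granular=True  -> one rule per observed source host (maximum security).
    granular=False -> the sources of each (destination, service) pair are
                      generalized to their enclosing /prefix network(s),
                      giving fewer but more permissive rules.
    """
    flows = defaultdict(set)                     # (dst, svc) -> set of sources
    for src, dst, svc in logs:
        flows[(dst, svc)].add(src)
    rules = set()
    for (dst, svc), sources in flows.items():
        if granular:
            for src in sources:
                rules.add((src + "/32", dst + "/32", svc))
        else:
            nets = {str(ipaddress.ip_network(f"{s}/{prefix}", strict=False))
                    for s in sources}
            for net in nets:
                rules.add((net, dst + "/32", svc))
    return sorted(rules)

def permissiveness(rule):
    """Illustrative 1..100 score (assumption: not APG's actual formula).
    Each field contributes a 'width': a /32 host is 0, ANY is 1, a network
    scales with its prefix length; a named service is 0, ANY is 1."""
    src, dst, svc = rule
    def addr_width(a):
        if a.upper() == "ANY":
            return 1.0
        return (32 - ipaddress.ip_network(a, strict=False).prefixlen) / 32
    widths = [addr_width(src), addr_width(dst), 1.0 if svc.upper() == "ANY" else 0.0]
    return 1 + round(99 * sum(widths) / len(widths))
```

Running `generate_rules(SAMPLE_LOGS)` yields four host-level rules, while `generate_rules(SAMPLE_LOGS, granular=False)` collapses the three 10.1.2.x sources into one /24 rule, which the score then marks as more permissive than any of the host rules.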
After generating a policy, you should review it to make sure it does not reflect illegitimate traffic. For example, a slow port scan or a generic botnet may have been active in the organization and generating logs during the collection period. In this case, remove this traffic from the log set and generate a new policy.
Because a rulebase generated by APG closely reflects actual traffic in an organization, this rulebase is also useful for visualizing network traffic as a rulebase, even for purposes other than actually replacing the firewall rulebase. For example, if you want to see all the traffic to and from a specific network, you can choose to produce a maximum-granularity rulebase that can be read as a list of source-destination-service sets describing that traffic.