Configuring APG Job Results

Overview

Once an APG job is completed, APG provides interfaces for selecting the desired balance between rule granularity (less permissive and therefore more secure) and simplicity (fewer rules, and therefore more manageable and potentially better performing).

For example, if traffic to a specific destination over a specific service comes from several individual sources, you can:

  • create a separate rule for each source, providing maximum security

  • allow traffic from a generalized subnet, reducing the individual rules to a single rule
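The trade-off in this example can be made concrete with a short calculation. The following Python is an added illustration, not Tufin's code or APG's algorithm: the source addresses are constructed, and counting unobserved addresses as "excess" is an assumed stand-in for APG's permissiveness score, which this page does not define.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: distinct sources seen reaching one destination on one service.
SOURCES = ["10.1.1.5", "10.1.1.9", "10.1.1.200", "10.1.2.17", "10.1.7.3"]

def tightest_cover(addrs):
    """Smallest single IPv4 network containing every address in addrs."""
    lo, hi = int(min(addrs)), int(max(addrs))
    host_bits = (lo ^ hi).bit_length()  # low bits in which lo and hi differ
    return ipaddress.ip_network((lo, 32 - host_bits), strict=False)

def collapse(sources, bucket_prefix):
    """Merge sources that share a /bucket_prefix block into one rule each.

    Returns (rules, excess): the source networks, and how many addresses
    they admit that were never observed (assumed permissiveness measure).
    """
    addrs = {ipaddress.ip_address(s) for s in sources}
    buckets = defaultdict(list)
    for a in addrs:
        block = ipaddress.ip_network((int(a), bucket_prefix), strict=False)
        buckets[block].append(a)
    rules = sorted(tightest_cover(members) for members in buckets.values())
    excess = sum(r.num_addresses for r in rules) - len(addrs)
    return rules, excess

def balance_curve(sources, prefixes=(32, 24, 22, 21)):
    """(grouping prefix, rule count, excess) per level, tightest first."""
    curve = []
    for p in prefixes:
        rules, excess = collapse(sources, p)
        curve.append((p, len(rules), excess))
    return curve

if __name__ == "__main__":
    for prefix, n_rules, excess in balance_curve(SOURCES):
        print(f"group within /{prefix}: {n_rules} rule(s), "
              f"{excess} unobserved addresses allowed")
```

With these sample sources, going from five per-host rules to a single /21 rule admits 2043 addresses that never appeared in the observed traffic, which is the cost side of the simpler rule set.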

From the Job list, view Results:

Results

APG provides two interfaces for configuring the generated replacement rule set:

  • When viewing a job's results for the first time, the Balance graph is the first interface presented. The Balance graph shows the total number of rules that would result from each of several options for the maximum permissiveness allowed throughout the rule set:

    Balance Graph

    For example, in the above graph, allowing permissiveness of up to about 20 will produce more than 7000 rules; allowing permissiveness of up to 41 will produce very few rules.

  • Subsequently, job results are displayed in the Rule expansion interface. The Rule expansion interface displays the actual rules, and allows expanding parts of the rule set to multiple, tight rules, or collapsing to single, more permissive rules:

    Rule expansion interface

    Clicking the plus icon expands rules into tighter rules; clicking the minus icon collapses them into fewer rules. Rules in grey are not part of the actual rule set for the current configuration; rather, they indicate what their child rules can be collapsed into. After making changes, make sure to click Save rule set.

Change Results

  • Click a marked point on the graph to initially configure the rule set accordingly, and Save the configuration.

    The rule expansion interface automatically expands according to the balance you defined in the Balance graph.

You can subsequently fine-tune the configuration in the rule expansion interface. You can always click Balance graph to return to it.

Reanalyze Results

The Rerun Task feature allows TOS to recalculate the APG results using the existing data, without collecting new logs for the calculation. This is particularly useful after any APG customization actions. For more details, see APG Customizations.

  1. In the Job List, click Rerun Task.

    The Balance Graph appears.

  2. Click a marked point on the graph to configure the rule set accordingly, and click OK.

How Do I Get Here?

SecureTrack > Reports > APG