APG CLI Rule Consolidation

The Automatic Policy Generator (APG) consolidates logs into rules in the following ways:

  • Ports to Any: Logs with ports matching ports specified in the <ports_to_any> tag of the APG configuration file will define rules with 'Any' destination. This is useful for services with which users need to be able to access the entire internet.

  • Network Consolidation: Multiple sources or destinations are generalized to networks, where the values of the other field (destination or source) and of the service field are identical. The consolidation is to the largest possible network (smallest possible netmask, i.e. the shortest prefix length) for which the logged traffic, as a percentage of that network's address space, is at least the configurable min_net_coverage value, and the network's prefix length (the netmask in CIDR notation) is no more than the configurable min_net_size value. These values can be defined in the APG configuration file or in the APG command.

    For example, with the following values configured, network consolidation will be to the largest possible network of which the logged traffic is at least 50%, as long as this network's prefix length is not more than 24 bits (3 octets).

    min_net_coverage 50

    min_net_size 24

  • Any Consolidation: Multiple sources or destinations are generalized to 'Any', where the values of the other field (destination or source) and of the service field are identical, and the number of different sources or destinations is at least the configurable any_threshold value. This value can be defined in the APG configuration file or in the APG command.