APG CLI Rule Consolidation

The Automatic Policy Generator (APG) consolidates logged connections into rules using consolidation strategies that can be customized through the APG configuration file or the APG command:

  • Ports to Any

  • Network Consolidation

  • Any Consolidation

See APG configuration file and APG command.

Ports to Any

Logs whose service port matches one of the ports defined in the <ports_to_any> tag of the APG configuration file generate rules with the destination set to Any, instead of one rule per logged destination.

This is useful for services that users need to reach anywhere on the internet, where enumerating individual destinations would be impractical. Because each such rule allows traffic to any destination on that port, keep the list limited to services that genuinely need it.

Network Consolidation

When multiple source IPs share the same destination and service (or multiple destination IPs share the same source and service), APG generalizes them to a network block in CIDR notation.

Consolidation is based on the following parameters which you can either define in the APG configuration file, or pass directly in the APG command:

  • min_net_coverage: Minimum percentage of the addresses in the network block that must appear in the logs.

  • min_net_size: Smallest network block allowed, expressed as the largest CIDR prefix length permitted (24 allows /24, /23, /16 and so on, but not /25 or smaller).

Example:

If min_net_coverage = 50 and min_net_size = 24, APG consolidates to the largest possible network block in which at least 50% of the addresses appear in the logs, and whose prefix length does not exceed 24 bits. Hosts for which no block meets both conditions are kept as individual addresses.

Any Consolidation

When the number of unique sources (or destinations) is equal to or greater than the value of any_threshold, and the destination (or source) and service fields are identical, APG generalizes the matching field to Any.
This reduces policy complexity in environments with high variability in traffic sources or destinations. A rule with its source or destination set to Any is a broad allow, so review rules produced this way before enforcing the policy.

You can configure the value of any_threshold either in the APG configuration file or pass it directly in the APG command.
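The following is an added example that models all three strategies described on this page (Ports to Any, Network Consolidation and Any Consolidation) over a constructed set of logs. It is illustrative code written for this page, not Check Point's APG implementation: the log record format, the function names, the sample data and the choice of min_net_size = 28 (to keep the sample small; the page's example uses 24) are assumptions made here. Parameter names follow the page.

```python
"""Added example: a minimal model of the APG consolidation strategies.

Not the APG implementation. Log format, function names, sample data and the
config values below are assumptions made for this illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample logs (not real traffic): one dict per logged connection.
SAMPLE_LOGS = (
    # nine workstations in 10.1.1.0/28 reaching one database server
    [{"src": f"10.1.1.{i}", "dst": "10.2.2.10", "service": "tcp/1433"} for i in range(1, 10)]
    # one stray admin host to the same server and service
    + [{"src": "192.168.5.7", "dst": "10.2.2.10", "service": "tcp/1433"}]
    # the same nine workstations browsing nine different web servers
    + [{"src": f"10.1.1.{i}", "dst": f"203.0.113.{i}", "service": "tcp/443"} for i in range(1, 10)]
    # twelve distinct sources querying one DNS server
    + [{"src": f"10.3.{i}.{i}", "dst": "10.2.2.53", "service": "udp/53"} for i in range(1, 13)]
)

# Assumed configuration, mirroring the page's parameter names.
CONFIG = {
    "ports_to_any": {"tcp/443", "tcp/80"},  # <ports_to_any>: destination becomes Any
    "min_net_coverage": 50,                 # percent of block addresses that must be logged
    "min_net_size": 28,                     # largest prefix length allowed (smallest block /28)
    "any_threshold": 12,                    # unique peers at which the field becomes Any
}


def consolidate_networks(addresses, min_net_coverage, min_net_size):
    """Network Consolidation: map each logged host to the largest CIDR block,
    no smaller than /min_net_size, in which at least min_net_coverage percent
    of the addresses were logged. Hosts with no qualifying block stay /32."""
    hosts = {ip_address(a) for a in addresses}
    blocks = set()
    for host in hosts:
        chosen = ip_network(f"{host}/{host.max_prefixlen}")  # /32 fallback
        # Largest network first (shortest prefix); the first block meeting
        # the coverage requirement wins, so we never over-generalize past it.
        for prefix in range(1, min_net_size + 1):
            net = ip_network(f"{host}/{prefix}", strict=False)
            seen = sum(1 for h in hosts if h in net)
            if 100.0 * seen / net.num_addresses >= min_net_coverage:
                chosen = net
                break
        blocks.add(chosen)
    return sorted(str(b) for b in blocks)


def generate_rules(logs, cfg):
    """Apply Ports to Any, then Any Consolidation or Network Consolidation on
    the source side of each (destination, service) group. Consolidating the
    destination side is symmetric and omitted here."""
    groups = defaultdict(set)
    for log in logs:
        # Ports to Any: matching services get destination Any before grouping,
        # so their logs collapse into a single group per service.
        dst = "Any" if log["service"] in cfg["ports_to_any"] else log["dst"]
        groups[(dst, log["service"])].add(log["src"])

    rules = []
    for (dst, service), sources in sorted(groups.items()):
        if len(sources) >= cfg["any_threshold"]:
            # Any Consolidation: enough distinct sources -> source Any.
            sources = ["Any"]
        else:
            sources = consolidate_networks(
                sources, cfg["min_net_coverage"], cfg["min_net_size"]
            )
        for src in sources:
            rules.append({"src": src, "dst": dst, "service": service})
    return rules


if __name__ == "__main__":
    for rule in generate_rules(SAMPLE_LOGS, CONFIG):
        print(f"{rule['src']:>16}  ->  {rule['dst']:<12} {rule['service']}")
```

With the constructed sample, 31 log entries collapse to four rules: the nine workstations become 10.1.1.0/28 (9 of 16 addresses logged, 56%, while /27 would only reach 28%), the stray admin host stays a /32 because no block around it meets the coverage threshold, the twelve DNS clients become source Any, and the HTTPS logs collapse to one rule with destination Any. Two observations follow from running it: a coverage threshold that is too low lets a handful of hosts justify a large block, and any_threshold set too low turns ordinary fan-out into Any rules; both settings deserve review against the logs they were generated from.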