APG CLI Overview

The APG analyzes firewall logs to determine actual business practices, and creates an optimized rulebase that allows only this traffic. If you do not yet have a firewall policy in place, you can begin by configuring a relatively permissive policy on the device and leave it in place long enough to produce logs of the traffic. Then, use the APG to translate these logs into a secure, optimized rulebase.

The APG uses configurable criteria to consolidate logs into rules. You can configure:

  • When and how the APG generalizes multiple connections into whole networks or into 'Any' rules.
  • Exclusions for rules that you do not want to include in the analysis.

After generating a policy, review it to make sure it does not reflect illegitimate traffic. For example, a slow port scan or a generic botnet may have been active in the organization and generating logs; if so, configure the APG to ignore this traffic and generate a new policy.

Because a rulebase generated by APG closely reflects actual traffic in an organization, this rulebase is also useful for visualizing network traffic as a rulebase, even for purposes other than actually replacing the firewall rulebase. For example, if you want to see all the traffic to and from a specific subnet, you can configure a filter to analyze only logs to this subnet and logs from this subnet, and automatically produce a rulebase that can be read as a list of source-destination-service sets describing the traffic to and from the specified subnet.

Hints: To get familiar with the APG CLI, we recommend that you:

  • Start with a simple case, such as a permissive rule you want to review.

  • Run APG several times changing one configuration parameter at a time to see the impact in the results.

  • Start by changing the min-net-coverage and min-net-size parameters and observe how the results change. To see the difference clearly, make large changes to the parameters, such as:

    • Set the min-net-size to 28, and run the APG CLI first with min-net-coverage of 90 and then with min-net-coverage of 10.
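As an added illustration (not APG's own code or algorithm), the following Python model shows how a network-generalization step driven by the two parameters above can turn per-host log entries into network rules. The semantics of min-net-size (smallest prefix length to generalize to) and min-net-coverage (percentage of a network's usable addresses that must appear in the logs) are assumptions, and the log records are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: accepted-connection records as (src, dst, service).
# Not real firewall or APG output; used only to exercise the model below.
SAMPLE_LOGS = [
    ("10.1.1.17", "192.168.5.10", "tcp/443"),
    ("10.1.1.18", "192.168.5.10", "tcp/443"),
    ("10.1.1.19", "192.168.5.10", "tcp/443"),
    ("10.1.1.21", "192.168.5.10", "tcp/443"),
    ("10.1.1.30", "192.168.5.10", "tcp/443"),
    ("10.2.2.5",  "192.168.5.10", "tcp/443"),
]


def generalize_sources(logs, min_net_size, min_net_coverage):
    """Consolidate per-host sources into network rules.

    Assumed (hypothetical) parameter semantics, not APG's documented ones:
      min_net_size      smallest prefix length hosts may be generalized to
      min_net_coverage  percentage of that network's usable addresses that
                        must be present in the logs before hosts are merged
    Returns a sorted list of (source, dst, service) rules.
    """
    seen = defaultdict(set)  # (dst, service) -> set of source addresses
    for src, dst, svc in logs:
        seen[(dst, svc)].add(ipaddress.ip_address(src))

    rules = set()
    for (dst, svc), hosts in seen.items():
        # Bucket each host into its candidate /min_net_size network.
        by_net = defaultdict(set)
        for host in hosts:
            net = ipaddress.ip_network(f"{host}/{min_net_size}", strict=False)
            by_net[net].add(host)
        for net, members in by_net.items():
            usable = max(net.num_addresses - 2, 1)  # drop network/broadcast
            coverage = 100.0 * len(members) / usable
            if coverage >= min_net_coverage:
                rules.add((str(net), dst, svc))      # whole-network rule
            else:
                rules.update((str(h), dst, svc) for h in members)  # host rules
    return sorted(rules)
```

With these constructed logs, min-net-size 28 and min-net-coverage 90 keeps six host rules, while min-net-coverage 10 collapses the five 10.1.1.x hosts into a single 10.1.1.16/28 rule and leaves 10.2.2.5 as a host.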