Cleanup Configuration

Overview

SecureTrack ships with a predefined set of cleanups. The security score and the cleanup instances shown in the cleanup browser are calculated only from the cleanups that are selected in the cleanup configuration.

These cleanups are divided into cleanup types:

  • Disabled rules: Rules that never have hits from traffic because they are disabled
  • Duplicate network objects: Network objects (including networks, hosts and ranges) are reported as matching when they have the same IP address and netmask (or start and end IP addresses for ranges) and the same zone.

    Groups of network objects are reported as matching when they have the same group members.

  • Duplicate services: Services are reported as matching when they are not pre-defined and when they have the same values for:

    • Protocol: TCP or UDP
    • Port: Destination port
    • Source port: If specified in the object's properties
    • Timeout setting: Either session timeout (Check Point) or inactivity timeout (Juniper)
    • Match for Any: Check Point only

      The duplicate service cleanup does not compare source port and timeout in Palo Alto, service timeout in Juniper Netscreen, or protocol type in Check Point.

    Groups of services are reported as matching when they have the same group members and at least one of the group members is not a pre-defined service.

  • Empty groups (C08): Group objects that do not have any members
  • Fully shadowed and redundant rules (C01): Rules that never have hits from traffic because rules above them in the policy handle the traffic.

    • Shadowed: For rules that are marked as fully shadowed, you can click Details to see the rules that shadow them.
  • Unattached network objects (C06): Objects that are not used in any firewall rules or group objects. Objects used in other forms of management, such as NAT rules or VPN connections, may appear as unattached in the security policy. Verify the use of unattached objects across the relevant device management tools.
  • Unused network objects (C15): Network objects and network object groups that are not in use across the security policy and have no hits in the policy traffic log during the time period configured. These can be unattached objects, or objects that appear in access rules and object groups but are not being hit within those rules and groups.

    Notes:

    • The unused objects cleanup is disabled by default. When you enable it, you must also select the time period (days, weeks or months) of the usage data. Objects that have no hits during the usage period are listed as unused.
    • Make sure that the cleanup settings in Admin > Maintenance are set for a longer period than the usage period for the cleanup.
    • The cleanup is shown only if there are hits for every day in the usage period, so that an object is not reported as unused merely because a connectivity problem left at least one day without any traffic hits.
    • The cleanup does not include:

      • Objects used in VPN rules
      • Addresses in Cisco configurations that are not associated with defined objects
      • Traffic hits from the current day because the results are calculated nightly
      • Rules that were changed during the period and the objects that are used in the rules
      • Rules without logs
      • Predefined, implicit and NAT objects
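The matching rules described above, as an added worked example (this is not SecureTrack's own code, and the object model, sample objects, hit dates and function names are constructed assumptions): duplicate network objects are keyed on IP, netmask (or range end) and zone; non-predefined services on protocol, destination port, source port, timeout and Match for Any; groups on their member set; and the unused-object check is only evaluated when every day of the usage period has at least one hit, with the current day excluded.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Minimal object model (an assumption for this example, not SecureTrack's data model).
@dataclass(frozen=True)
class NetObject:
    name: str
    ip: str            # network/host address, or range start address
    mask_or_end: str   # netmask, or range end address
    zone: str

@dataclass(frozen=True)
class Service:
    name: str
    protocol: str                     # "tcp" or "udp"
    port: int                         # destination port
    source_port: Optional[int] = None
    timeout: Optional[int] = None     # session/inactivity timeout, if the platform exposes it
    match_for_any: bool = False       # Check Point "Match for Any" flag
    predefined: bool = False          # vendor-supplied services are never reported

def duplicate_network_objects(objs: List[NetObject]) -> List[List[str]]:
    """Objects match when IP, netmask (or range end) and zone are all equal."""
    buckets: Dict[tuple, List[str]] = defaultdict(list)
    for o in objs:
        buckets[(o.ip, o.mask_or_end, o.zone)].append(o.name)
    return [sorted(names) for names in buckets.values() if len(names) > 1]

def duplicate_services(svcs: List[Service]) -> List[List[str]]:
    """Non-predefined services match on protocol, port, source port, timeout and Match for Any."""
    buckets: Dict[tuple, List[str]] = defaultdict(list)
    for s in svcs:
        if s.predefined:
            continue
        key = (s.protocol.lower(), s.port, s.source_port, s.timeout, s.match_for_any)
        buckets[key].append(s.name)
    return [sorted(names) for names in buckets.values() if len(names) > 1]

def duplicate_groups(groups: Dict[str, Set[str]],
                     predefined: FrozenSet[str] = frozenset()) -> List[List[str]]:
    """Groups match when their member sets are equal. For service groups, pass the
    predefined service names so groups made up only of predefined services are skipped;
    for network groups leave `predefined` empty."""
    buckets: Dict[FrozenSet[str], List[str]] = defaultdict(list)
    for name, members in groups.items():
        if predefined and members and not (members - predefined):
            continue   # every member is predefined: not reported
        buckets[frozenset(members)].append(name)
    return [sorted(names) for names in buckets.values() if len(names) > 1]

def empty_groups(groups: Dict[str, Set[str]]) -> List[str]:
    """Group objects without any members (C08)."""
    return sorted(name for name, members in groups.items() if not members)

def unused_objects(policy_objects: Set[str], hits: List[Tuple[date, str]],
                   today: date, period_days: int) -> Tuple[bool, List[str]]:
    """Return (evaluated, unused). The period is the `period_days` days before `today`
    (the current day is excluded because results are computed nightly). If any day in
    the period has no hits at all, the check is not evaluated, so a logging or
    connectivity gap does not cause objects to be reported as unused."""
    period = {today - timedelta(days=i) for i in range(1, period_days + 1)}
    in_period = [(d, name) for d, name in hits if d in period]
    if {d for d, _ in in_period} != period:
        return False, []
    hit_objects = {name for _, name in in_period}
    return True, sorted(policy_objects - hit_objects)

# Constructed sample data.
SAMPLE_NET_OBJECTS = [
    NetObject("host_web", "10.0.1.10", "255.255.255.255", "dmz"),
    NetObject("web_srv", "10.0.1.10", "255.255.255.255", "dmz"),            # same as host_web
    NetObject("host_web_int", "10.0.1.10", "255.255.255.255", "internal"),  # other zone
    NetObject("net_corp", "10.0.0.0", "255.255.0.0", "internal"),
]
SAMPLE_SERVICES = [
    Service("http", "tcp", 80, predefined=True),
    Service("my_http", "tcp", 80),                      # only non-predefined tcp/80: alone
    Service("http_8080", "tcp", 8080),
    Service("web_alt", "TCP", 8080),                    # same as http_8080
    Service("web_alt_short", "tcp", 8080, timeout=60),  # timeout differs
    Service("dns_udp", "udp", 53),
    Service("dns_tcp", "tcp", 53),
]
SAMPLE_GROUPS = {
    "web_servers": {"host_web", "web_srv"},
    "dmz_hosts": {"host_web", "web_srv"},   # same members as web_servers
    "legacy": set(),                        # empty group
}
TODAY = date(2024, 3, 15)                   # constructed reference day
SAMPLE_HITS = [(date(2024, 3, 8) + timedelta(days=i), "net_corp") for i in range(7)]
SAMPLE_HITS.append((date(2024, 3, 10), "host_web"))
SAMPLE_HITS.append((TODAY, "web_srv"))      # current-day hit, ignored by the check
# Same log with one day missing entirely: the check must not be evaluated.
SAMPLE_HITS_WITH_GAP = [(d, n) for d, n in SAMPLE_HITS if d != date(2024, 3, 12)]

if __name__ == "__main__":
    policy = {o.name for o in SAMPLE_NET_OBJECTS}
    print("duplicate network objects:", duplicate_network_objects(SAMPLE_NET_OBJECTS))
    print("duplicate services:", duplicate_services(SAMPLE_SERVICES))
    print("duplicate groups:", duplicate_groups(SAMPLE_GROUPS))
    print("empty groups:", empty_groups(SAMPLE_GROUPS))
    print("unused (7 days):", unused_objects(policy, SAMPLE_HITS, TODAY, 7))
    print("unused (gap):", unused_objects(policy, SAMPLE_HITS_WITH_GAP, TODAY, 7))
```

Note that `web_srv` is reported both as a duplicate of `host_web` and as unused: its only hit is on the current day, which the nightly calculation has not yet processed, which is why a usage period shorter than the log retention set in Admin > Maintenance matters.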

Each cleanup is defined with a name, severity, and description. You can change the name and definition to fit the terminology and structure of your organization. You can also change the severity to indicate how important the cleanup is to your organization.

What Can I Do Here?

Remove Cleanups

You can remove a cleanup from the cleanup configuration so that it is not used in the optimization score or cleanup calculations.

  1. Select the cleanup type.

  2. Clear the checkbox for a cleanup.

  3. Click Save.

Edit Cleanups

You can change the name, description and severity of a cleanup to fit the terminology, structure and priorities of your organization.

  1. Select the cleanup type.

  2. Click the name of the cleanup.

  3. Edit the name, description or severity of the cleanup.

  4. Click Save.

How Do I Get Here?

SecureTrack > Admin > Cleanup