Working With USPs

Overview

Unified Security Policies (USPs) define allowable access between network zones to identify security risks and ensure accuracy of risk calculations when new access is requested through SecureChange. These capabilities help you remain compliant as you make changes to access rules. Violations against USPs appear in the SecureTrack Rule Viewer and can be reported through SecureTrack Reporting Essentials.

When you install Security Policy Builder (SPB), the app syncs with SecureTrack automatically and loads the list of USPs that have already been created by your organization.

The app administrator can view, monitor, and modify all USPs in the USP List.

Each USP card includes the following fields:

  • Name: Name of the USP. An icon appears after the name when the USP is also available in SecureTrack. Click this icon to view the USP in SecureTrack.

  • Affected Domain: Domain for the USP.

  • Size: Size of the matrix.

  • Selected Zones: Zones defined in the USP. Click this link for the complete list.

  • Number of Devices: Devices defined in the USP, including those that do not include rules. By default, all network devices are associated with the USP. Click this link for the complete list.

  • Description: Description for the USP.

  • Last Analysis: Date and time of the last Analyze process. See Analyze a USP.

  • Analysis Progress: During analysis, this field shows the number of enforcement points that have been processed.

  • Status: Status of the Push and Analyze process that syncs a USP to SecureTrack. Possible values include:

      • Success
      • Failed
      • Not running
      • Analyzing
      • Pushing

    Upon completion, email recipients receive a message with a link to the USP. See the Notifications list for more details about Push activities.

  • Analyze: Finds rules in the USP's devices and matches them to cells in the matrix. Upon completion, email recipients receive a message with a link to the USP. See the Notifications list for more details about Analyze activities.

What Can I Do?

You can create, edit, and delete USPs in SPB. The changes will not appear in SecureTrack until you push the USPs. Conversely, any similar changes in SecureTrack need to be synced with SPB (see Sync USPs with TOS).

Create a USP

  1. From the Actions menu, select Add USP.

  2. Define the following fields:

    • Name: Type a name for the USP.

    • Domain: Select a domain, or All Domains, to which the USP will be applied.

    • Zones: Select specific zones from the Available Zones list or click Add All to move all zones to the Selected Zones list.

    • Devices: SPB obtains USP data from the firewall devices in the network. By default, all devices appear in the Selected Devices list. You can click Remove All and select specific devices from the Available Devices list.

      Note:
      • Devices that were removed in SecureTrack will not appear in existing SPB USPs after the next sync or analysis.
      • For devices that were added in SecureTrack, you must add them manually to any existing USPs as required.

    • Description: (Optional) Enter a description for the USP. This description appears on the card in the USP list.

  3. Click Save.

Edit a USP

  1. Select a USP to modify.

  2. From the Actions menu, select Edit USP.

  3. Modify the fields as necessary. For a description of the fields, see Create a USP.

  4. Click Save.

Delete a USP

  1. Select a USP to delete.

  2. From the Actions menu, select Delete USP.

  3. Click Delete.

Analyze a USP

During the Analyze process, SPB finds access rules from the selected enforcement points in SecureTrack and matches them to cells in the USP matrix. See Using a USP Matrix.

  • For any USP, click Analyze.

    The Analysis Progress number increases continuously to reflect the number of devices that have already been analyzed. The process is complete when this number matches the total number of devices in the USP. The number of rules and devices determines how long the analysis takes.

If you change something manually in SPB, you must run Analyze again to update the Conflicts page. USPs with unresolved conflicts cannot be synced with SecureTrack.

You can view the results of the analysis in the Rule Stats page.
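To make the matching step concrete, here is an added example that is not Security Policy Builder or SecureTrack code. It models a USP as a zone-to-zone matrix whose cells list the permitted services, maps each accept rule's source and destination to a zone, and reports rules that land in a cell the matrix does not allow. The zone names, CIDR ranges, rule fields, longest-prefix zone lookup and the sample rules are all constructed assumptions for illustration; the products use their own data model.

```python
"""Added illustrative model of the USP matrix and the Analyze matching step.

This is example code, not Security Policy Builder or SecureTrack code. The
zones, addresses, rule fields and the longest-prefix zone lookup below are
constructed assumptions; the products use their own data model.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Zone:
    name: str
    networks: tuple  # CIDR strings that make up the zone


@dataclass(frozen=True)
class Rule:
    device: str   # enforcement point the rule was read from
    name: str
    src: str      # CIDR string
    dst: str      # CIDR string
    service: str  # e.g. "tcp/443"; "*" means any service
    action: str   # "accept" or "drop"


# Constructed sample zones; the most specific zone wins in zone_of().
ZONES = (
    Zone("Internet", ("0.0.0.0/0",)),
    Zone("DMZ", ("192.0.2.0/24",)),
    Zone("Internal", ("10.0.0.0/8",)),
)

# USP matrix: (from_zone, to_zone) -> services the cell allows.
# A cell that is absent allows nothing; "*" allows every service.
MATRIX = {
    ("Internet", "DMZ"): {"tcp/443"},
    ("DMZ", "Internal"): {"tcp/5432"},
    ("Internal", "Internet"): {"*"},
}


def zone_of(cidr, zones=ZONES):
    """Return the name of the most specific zone containing cidr, or None."""
    net = ip_network(cidr, strict=False)
    best, best_len = None, -1
    for zone in zones:
        for zone_cidr in zone.networks:
            zone_net = ip_network(zone_cidr)
            if net.subnet_of(zone_net) and zone_net.prefixlen > best_len:
                best, best_len = zone.name, zone_net.prefixlen
    return best


def cell_allows(matrix, cell, service):
    """True if the matrix cell permits the service."""
    allowed = matrix.get(cell, set())
    return "*" in allowed or service in allowed


def analyze(rules, zones=ZONES, matrix=MATRIX):
    """Match each accept rule to a matrix cell.

    Returns (matched, violations, unmapped): matched and violations are lists
    of (rule, cell) pairs; unmapped holds rules whose source or destination
    falls outside every zone and so cannot be placed in the matrix.
    """
    matched, violations, unmapped = [], [], []
    for rule in rules:
        if rule.action != "accept":
            continue  # only permissive rules can violate the USP
        cell = (zone_of(rule.src, zones), zone_of(rule.dst, zones))
        if None in cell:
            unmapped.append(rule)
        elif cell_allows(matrix, cell, rule.service):
            matched.append((rule, cell))
        else:
            violations.append((rule, cell))
    return matched, violations, unmapped


def violations_by_device(violations):
    """Summarize violations per enforcement point, as a rule-stats style view."""
    counts = {}
    for rule, _cell in violations:
        counts[rule.device] = counts.get(rule.device, 0) + 1
    return counts


# Constructed sample rules as they might be read from two enforcement points.
SAMPLE_RULES = (
    Rule("fw-edge", "web-in", "0.0.0.0/0", "192.0.2.10/32", "tcp/443", "accept"),
    Rule("fw-edge", "ssh-in", "0.0.0.0/0", "192.0.2.10/32", "tcp/22", "accept"),
    Rule("fw-edge", "rdp-in", "0.0.0.0/0", "10.20.0.5/32", "tcp/3389", "accept"),
    Rule("fw-core", "db", "192.0.2.0/24", "10.20.0.5/32", "tcp/5432", "accept"),
    Rule("fw-core", "egress", "10.0.0.0/8", "0.0.0.0/0", "*", "accept"),
    Rule("fw-core", "cleanup", "0.0.0.0/0", "0.0.0.0/0", "*", "drop"),
)

if __name__ == "__main__":
    matched, violations, unmapped = analyze(SAMPLE_RULES)
    for rule, cell in violations:
        print(f"VIOLATION {rule.device}/{rule.name}: {cell[0]} -> {cell[1]} {rule.service}")
    print(violations_by_device(violations))
```

Running it flags the two fw-edge rules that open tcp/22 into the DMZ and tcp/3389 from the Internet into the Internal zone, because neither service is listed in the corresponding matrix cell. Drop rules are skipped, since only permissive rules can create access the USP forbids; a rule whose endpoints fall outside every zone is reported separately so that a gap in the zone definitions is visible rather than silently treated as compliant.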

Push a USP to SecureTrack

After you resolve conflicts or make other changes to a USP in SPB, we recommend that you push your changes to SecureTrack.

  • From the Matrix page, select Push to SecureTrack.

You can see the status of the Push process in the Notifications list or in the card in the USP List page.

Sync USPs from SecureTrack

The Sync process updates SPB with any USP changes made in SecureTrack since the last Sync, so that both systems contain identical information.

Note: This process cannot sync USPs that contain unresolved conflicts. See Resolving Conflicts.

  1. (Optional) From the USP List, select one or more USPs.

  2. From the Actions menu, select Sync with TOS to sync all USPs (or the selected USPs) with SecureTrack.

After the sync process is complete, we recommend that you re-analyze USPs in SPB if devices or zones were modified in SecureTrack.