On This Page
What's New in STRE
Version 6.3
Security Best Practices report enhancements
Custom compliance templates
STRE admins can now create compliance templates for the Security Best Practices report with any combination of risk checks built from supported frameworks or tailored to internal organizational requirements. This means that admins can define templates and make them available to all users, eliminating the need for users to manually select and configure checks every time they run a report.
-
Precise scope for templates:Each template can be scoped precisely to include as many or as few checks as the audit requires, mix checks from different frameworks, or for a specific internal policy review.
-
Easy risk-check selection: The Risk Checks Library provides the complete list of supported checks in a centralized location.
-
Citations and remediations per risk check: Each risk check in a template includes a direct citation to the relevant regulatory standard (PCI DSS and ISO 27001 are supported out of the box) and step-by-step remediation guidance.
Rather than flagging a violation in isolation, the report tells your teams exactly which regulatory clause applies and what to do to fix it.
See Creating predefined compliance templates.
Expanded Risk Checks Library
The Security Best Practices report supports new risk checks and enhancements to existing checks.
-
Rule-based checks
-
Rules not used for the number of days specified: Checks for rules with no hits for the last 90 days, with the option to exclude rule modified within the recent past.
-
Rules with no name
-
Rules with no name AND no comment: Checks for rules that do not have both a name and a comment.
-
Search rule comment: Checks whether rule comments contain a specified text string.
-
Duplicate subnets: Checks for duplicate network/subnet objects that define the same IP network and prefix, and for overlapping subnet objects with fully or partially overlapping IP ranges.
-
-
Network-zone-based checks
Many compliance requirements require that a check be completed in the context of the network boundary. For example, using either the Tufin Internet Zone or a proxy value (like 8.8.8.8) to run a calculation and determine if a risky configuration exists on the network boundary.
-
Rules allowing “any” to the destination Internet
-
Rules allowing “any” from the source Internet
-
Plaintext management protocols allowed from Internet
-
Direct outbound SMTP not restricted to Mail Relays
-
Report setting enhancements
-
Predefined compliance templates: Users can now create Security Best Practices reports based on any predefined compliance template defined by STRE admins, or create custom report using the familiar All Best Practices report type with full control over which checks to include.
-
Citations in All Best Practices report:Users can now add and edit custom citations and remediation instructions for each risk check in the All Best Practices report, in the Citations/Notes section.
Citations and remediations in predefined templates cannot be changed. -
Custom severity weighting: A new Scoring Configuration setting lets users assign custom weights to each severity level (Critical, High, Medium, Low). The weights directly determine how much each severity level contributes to the compliance score when you create Security Best Practices reports — a single Critical violation for instance can carry far more weight than multiple Low ones. This lets you align the scoring model with your organization's risk tolerance rather than relying on fixed defaults.
See Security Best Practices report settings.
New streamlined report format
We have revamped the design and structure of the Security Best Practices report. The new visually distinctive structure conveys key information at a glance for enhanced usability.
-
General Information is now separated into two additional sections — Scope, which lists the devices and framework selected for the report, and Check Overview, which shows the number of passed and failed checks at a glance, with a link to view the full check breakdown.
-
Per-device sections: Each device selected for the report has its own collapsible section identified by the device name, making it easy to focus on a specific device or compare results across devices. Each device section is divided into Compliance Summary, Rules, and Objects.
-
Compliance score: The Score Breakdown panel in Compliance Summary shows exactly how the compliance percentage was calculated, including the weight assigned to each severity level and its contribution to the final score.
-
Flexible rules and objects view: Rules and Objects can be sorted by Severity or Violation Count to suit your needs. You can view all rules grouped by check type, or drill into a specific check by clicking the arrow next to it to see only the rules that triggered that particular violation.
See Understanding the Security Best Practices Report.
Version 6.2
-
Device Audit report enhancements
-
Device groups: The Device Audit report now supports device groups. The Device Group configuration settings include a new Group Type column with Device Audit as an option. This option supports device groups for the Device Audit report and allows you to select the Device Type and the available devices to include in the group.
A Device Audit device group can include multiple devices from the same vendor and device type. You can then select the device group when creating the report. See Creating device groups.
-
Custom checks for live devices: In addition to custom checks for offline devices, you can now configure custom checks for live devices. When configured, you can select the custom checks to audit from the Custom tab when creating the report. See Configure custom checks.
-
Download configuration for a live device: You can now download the configuration directly from a live device through the Download Config button in the device credentials section. This makes it easier to create new custom checks with the correct regex string for the live device configuration.
-
Configure values for live devices: When creating the Device Audit report for live devices, you can configure values for audit category fields that require numerical input.
Configurable numerical input fields are indicated by the Edit button. For example, in the AAA audit category, you can configure the number of failed attempts for Local Authentication Max Failed Attempts.
-
-
Device Group configuration
The Device Groups settings now include a Group Type column with Multi-vendor and Device Audit options.
-
Multi-vendor: Supported for all reports that support device groups, except the Device Audit report. You can select any device from the available list.
-
Device Audit: Supported only for the Device Audit report. To view and select available devices, you must first select a Device Type. A Device Audit group can include multiple devices from the same vendor and device type.
-
Version 6.1
-
Security Best Practices report:
-
Similar to the Rule Analytics Report, the Security Best Practices report now supports exporting up to 6000 rules to PDFs. The export generates a ZIP file that contains multiple PDFs, with up to 250 rules per PDF. See Export reports from local repository.
-
When viewing the report in the Repo, you can also go directly from a rule in the report to the corresponding rule in SecureTrack's Rule Viewer. See Open rule in SecureTrack.
-
-
Calendar month scheduling for monthly reports
All reports now support calendar month scheduling in addition to day-of-week scheduling for monthly frequencies. You can schedule reports to run on the 1st or 15th of the calendar month at midnight.
-
Guardicore device support for reports
If you have TOS R25-2 PHF3.0.0., you can now select Guardicore as a device in the report configuration settings for the reports listed below. When you select Guardicore, the rule cards in the reports display Guardicore tags.
Supported reports:
-
Rule Analytics
-
Security Best Practices
-
Security Violations
-
Version 6.0
-
Rule Analytics Report now includes a setting in the Report Builder to include group members in the PDF export. In addition, the PDF export maximum has been increased to 6000 rules.
-
Device Audit Report:
-
Import firewall, router, or switch configuration files to run compliance verifications
-
Define file segments to search for multiple iterations of a configuration parameter in a single file
-
Configure custom checks to run on offline devices
-
-
Administrator settings pages have been reorganized to accommodate new features.
-
APIs: new STRE APIs make it possible to import device configuration files, import file segment definitions, and import custom regex check configurations