On this page
Amazon
AWS
- Dashboard Widgets
-
General (General overview of the system)
-
USP Compliance (The number of rules with violations, according to their severity level)
-
Audit (The number of rules with expired access or will have access expire within the next month)
-
Recent Changes (Rules and devices with changes in the past 30 days)
- Browsers
-
Rule Viewer (see Rule Viewer)
-
Rule Optimizer (see Rule Optimizer)
-
Object Lookup (See Object Lookup)
-
USP Viewer (see USP Viewer)
-
USP Alert Manager Viewer (see USP Alerts Manager)
-
USP Exceptions Viewer (see USP Exceptions)
-
Changes (see Change Browser)
-
Device Viewer (see Device Viewer)
- Change Management
-
Change Management (Policy and Side-by-Side policy change comparison in the Compare tab, Comparison report, and New Revision report)
-
Graphical Policy (Policies are displayed in SecureTrack as they are shown in the vendor's management software)
-
Create SecureChange ticket from Rule Viewer for:
-
Rule Decommission (Removes selected rules from supported devices)
-
Rule Modification (Receives rules from the Rule Viewer and lets you create a ticket in SecureChange for a handler to update firewall rules for supported devices)
-
- Topology
-
Dynamic Topology
-
VPC Peering
-
Transit Gateway
-
Gateway Load Balancer (GWLB, using the GENEVE protocol)
- Prefix List Routes (requires AWS SDK v2)
Supported devices
The following devices are supported on Amazon AWS::
- Fortinet
- FortiManager
- FortiGate
- Check Point
- Management Devices (MDS) CloudGuard Network Security - Firewall & Threat Prevention
- Check Point Gateway
- Palo Alto
- Panorama
- PanOS firewalls
Notes for Amazon devices
-
TOS supports security groups applied to both EC2 instances and RDS instances. RDS instances require AWS SDK v2.
-
Last Hit information for AWS inbound and outbound security group rules is available in Rule Viewer. This information can be fetched from the following sources:
-
CloudWatch: This is the default source.
-
S3 buckets: Local S3 (default) or centralized account.
-
-
If the device stores credentials using Hashicorp Vault authentication, Last Hit information is not supported.
-
Monitoring is based on periodic polling. The default is every hour.
-
Topology:
-
Topology path calculation simulates traffic when there is one dynamic connection and any required static connections.
Supported configurations include internal VPC connectivity and connectivity between a VPC and the data center. -
The Topology Map supports path calculations for internet-bound traffic using an internet gateway (IGW) and NAT gateway routes. TOS creates an Internet Link for each VPC with internet access.
-
The Topology Map supports Direct Connect links from AWS VPCs and via Transit Gateways.
-
-
In Compare, nested SGs of peered VPCs are shown as empty groups in rule source and destination. Also, no calculations are made for those rules.
Users may look at the SG origin VPC for more details. - In some cases, this device creates new rules for requested changes rather than updating the existing rules. In these cases, rule history might not be available.
Was this helpful?
Thank you!
We’d love your feedback
We really appreciate your feedback
Send this page to a colleague