Welcome 2.1 release of Opinnate Network Security Policy Manager. This software is designed to make network security policy management to be done effectively and easily. In this document you will find what Opinnate NSPM is, what the key features and known issues are.
Opinnate NSPM is a network security policy management solution that tackles firewall rule analysis, hardening, reporting and automation needs in an easy manner. Opinnate makes policy management in different package levels. The packages are Lite, Standard and Enterprise. Lite package is for firewall rule analysis; Standard package also includes optimization features and finally Enterprise package has all the features including automation.
The product is licensed in subscription model and licensed based on the number of firewalls used and package level.
Key Features
Analysis of policies on firewalls: Firewall rule analysis of all firewalls on several different conditions. Some of the items for this analysis includes:
- Viewing all policies from a single console
- Viewing al IP objects
- Rule or path existence control
- Finding out unused rules
- Finding out expired rules
- Finding out disabled rules
- Finding out shadowed rules
- Finding out permissive rules
- Finding out rules not compliant to corporate policy
Rule hardening by cleaning and disabling: This is also called optimization of rules. These are some of the items that is done for optimization:
- Disabling unused rules
- Disabling expired rules
- Cleaning disabled rules
- Disabling shadowed rules
- Disabling duplicated rules
- Removing duplicate objects
Making policy changes automatically: Automation of rule creation activity is an important aspect and need for policy management. These are some of the items that is done by this automation:
- IPS or logging profile activation on a rule
- User Based Rule Creation
- IP Access Cloning
- Object name/IP change
- Rule update/disable/enable
- Comment update on rules
- IP address decommissioning
- Group-based policy change
Keeping firewalls compliant to standards: Firewalls are one of the most important control points for several regulations and standards. Firewalls must be kept compliant with these standards. Here is a couple of things that is handled for this task:
- Making risk assessment on firewalls
- ISO27001 audit controls
- PCI audit controls
- NIST audit controls
Effective management: Making policy management in an effective way requires management effectiveness. These are some of the items that are made for this management easiness and effectiveness:
- Having virtualized multi-tenancy features
- Corporate policy management/view/usage
- Rule/object usage monitoring
- Alerting on new problematic rule creation
- Finding out firewall changes
- Having executive dashboards
- Firewall specific network topology view
Known Issues and Limitations
Integration partners: Opinnate has integration with just the leading firewall vendors for now. Palo Alto, Fortinet, Check Point, Cisco.
Log collection: All syslog data is collected but not stored into our system. We store just the needed ones for monitoring.
Unused Rules: Unused rules are found based on the Last Used data we collect from firewalls. If there is an issue with this data generation unused rules can not be identified. A ticket should be opened to the related firewall vendors if this is the case.
User-based rule creation: User-based rules can be created for just Fortinet firewalls for now.
SNMP usage on reporting: SNMP v3 usage can be successfully reported for all the firewalls except Cisco.
Clear text protocol usage on reporting: Clear-text protocol usage for admin access identification can not be made for Cisco and Check Point firewalls.
Getting Started
This product can only be used on a server with the mentioned Operating System and version:
Installation Steps
These are the summary of installation steps for v2.1. Detailed installation steps can be found on installation guide document.
- Docker Engine Installation: Docker engine is to be installed on the system if not installed.
- Docker Compose Installation: Docker compose is to be installed if not installed.
- Downloading files: A zip file containing all docker image files, compose file and installation script file.
- Running script: Using the script file installation of the system.
Updates and Changes
These are the new features added in 2.1.1 version.
- A Password Policy has been added in System > Settings for local users
- An Interval option has been introduced for Renew Data
- The Rule Usage & Object Usage Analysis feature now supports up to 10 simultaneous tasks
- A Time-based Rule Installation feature has been implemented for each virtual area
- The Revision and Revision Compare features have been added for each Renew Data operation
- Rule Cards can now be customized for Check Point, Fortigate, and Palo Alto
- A Schedule Task feature has been included for alerting newly added or modified Critical, Risky, and Policy Conflict Rules
- Check Point VSX support has been introduced
- Inline Rule operations, including Add, Disable, Delete, and Modify, have been added for Check Point
- Layer and Policy Package options have been added to Add New Rule Path Free for Check Point
- From, To and Security Profiles options have been added to Add New Rule Path Free for Fortigate
- From, To, Security Group Profile and Log Profile options have been added to Add New Rule Path Free for Palo Alto
- Collecting Route information from Check Point Management Server instead of Security Gateway
- Debug files can be downloaded at different levels, each including varying sets of data
- Backup files can be downloaded at different levels, each including varying sets of data
- Palo Alto Shared Objects analysis added for multi-vsys enabled systems
Resolved Issues
| Bug ID | Issue Details |
| N-13101 | Rule Viewer PDF Export: The Rule ID is missing in the PDF export |
| N-13102 | Rule Viewer Excel Export: The Rule ID is missing in the Excel export |
| N-13103 | Risk Score Widget: It is displaying incorrect data after renewing data in the Virtual Area Dashboard and Firewall Dashboard |
| N-13104 | Renew Data Button: The Renew Data button remained active while the data renewal process is going on. |
| N-13105 | Alert Notification: In the Alert Notification feature, certain fields are experiencing errors, and in some cases email notifications are failing to be sent |
| P-13101 | Palo Alto Complex Password Login Error: There is an issue with complex password logins in Palo Alto |
| P-13102 | Palo Alto Enabled Rule: Some enabled rules are incorrectly shown as disabled |
| P-13103 | VPN Field: The VPN field is not being considered for Check Point in Shadow Analysis |
| P-13104 | URL Category Field: The URL Category field is not being considered for Palo Alto Shadow Analysis |
| P-13105 | Time Object Collection Error: More than 50 Time Objects are causing a collection error from Check Point |
| P-13106 | Palo Alto Logging Enabled: It is incorrectly showing as disabled in the Rules |
| P-13107 | IPSec VPN Data Collection Error: There is an error in collecting IPSec VPN data from Check Point |
| P-13108 | URL Category Field: The URL Category field is not being considered for Palo Alto Shadow Analysis |
| P-13109 | Expired Rules: Expired rules are not being considered in Server Cloning |
| P-13110 | Object IP Change Error: There is an error in handling object IP changes in Check Point |
| P-13111 | Remove Duplicate Object Error: An error occurs when attempting to remove duplicate objects under certain conditions |
| P-13112 | Missing Log Addition: Logs are missing for the Renew Data and some other operations |
| P-13113 | Expired Rule Analysis: The analysis of expired rules do not include rules from the same day |
Support
If you encounter any issues while using Opinnate NSPM, please contact our support team at [email protected].
Thank you for choosing Opinnate! We hope you enjoy using it.
