Welcome to the 4.1 release of Opinnate Network Security Policy Manager. This software is designed to make network security policy management effective and easy. In this document you will find what Opinnate NSPM is, along with its key features, new features and known issues.
Opinnate NSPM is a network security policy management solution that addresses firewall rule analysis, hardening, reporting and automation needs in an easy manner. Opinnate offers policy management in three editions: Lite, Standard and Enterprise. The Lite edition is for firewall rule analysis and monitoring; the Standard edition also includes optimization features; and the Enterprise edition has all the features, including automation.
The product is licensed on a subscription model, based on the number of firewall systems used (including virtual firewalls) and the related edition.
Key Features
Analysis of policies on firewalls: Firewall rules on all firewalls are analyzed against several different conditions. Some of the items this analysis includes:
- Viewing all policies from a single console
- Viewing all IP objects
- Rule or path existence control
- Finding out unused rules
- Finding out expired rules
- Finding out disabled rules
- Finding out shadowed rules
- Finding out permissive rules
- Finding out rules not compliant with corporate policy
Rule hardening by cleaning and disabling of rules: This is also called optimization of rules. These are some of the items that are done for optimization:
- Disabling unused rules
- Disabling expired rules
- Cleaning disabled rules
- Disabling shadowed rules
- Disabling duplicated rules
- Removing duplicate objects
- Consolidating redundant rules
Making policy changes automatically: Automating rule creation is an important need in policy management. These are some of the items that are done by this automation:
- IP based Rule Creation
- User, Application Based Rule Creation
- IP Access Cloning
- Object name/IP change
- Rule update/disable/enable
- Comment update on rules
Keeping firewalls compliant with standards: Firewalls are one of the most important control points for several regulations and standards, and they must be kept compliant with these standards. Here are a couple of things that are handled for this task:
- Performing risk assessment on firewalls
- ISO27001 audit control
- PCI audit control
- NIST audit control
Effective management: Managing policies effectively requires effective management capabilities. These are some of the items provided to make management easy and effective:
- Having virtualized multi-tenancy features
- Corporate policy management/view/usage
- Rule/object usage monitoring
- Alerting on new problematic rule creation
- Finding out firewall changes
- Having executive dashboards
- Firewall specific network topology view
Known Issues and Limitations
Integration vendors: Opinnate integrates with the leading firewall vendors: Palo Alto, Fortinet, Check Point, Cisco and Sophos.
Log collection: All syslog data is collected, but only the traffic logs and event logs are investigated, and all traffic logs are stored in a special format for the last 30 days.
Unused Rules: Unused rules are found based on the Last Used data we collect from firewalls. If there is an issue with the generation of this data, unused rules cannot be identified. A ticket should be opened with the related firewall vendor if this is the case.
Clear-text protocol usage in reporting: Identification of clear-text protocol usage for admin access cannot be performed for Check Point firewalls.
Panorama: If there is Panorama integration for Palo Alto firewalls, the integration must be over Panorama.
Getting Started
It is recommended to run this product on a server with the following operating system and software:
- Ubuntu v18 or higher
- Docker Engine installed
- Docker compose installed
Installation Steps
This is a summary of the installation steps for v4.1. Detailed installation steps can be found in the Installation Guide document.
- Docker Engine Installation: Docker Engine is to be installed on the system if not already installed.
- Docker Compose Installation: Docker Compose is to be installed if not already installed.
- Downloading files: Download the zip file containing all Docker image files, the compose file and the installation script file.
- Running script: Install the system using the script file.
Upgrade Process
These are the upgrade steps for customers that use the 3.1.x release of Opinnate.
- Opinnate will provide v4.1.1 Upgrade File(s)
- Connect to the Opinnate Web UI via browser over HTTPS
- Go to the “System Configuration → Upgrade” menu item on the left menu bar
- Select the upgrade zip file and click upgrade
- A cloud/upload icon will then appear in the upper-right corner; click on it
- The system will log you out after each upgrade process
- While upgrading, services will restart. Services can be monitored with “watch docker ps” from the CLI
Deprecated Features
- Rule&Object Usage with Active Monitoring
- Group Base New Rule
Updates and Changes
These are the new features added in version 4.1.1.
- Password change can be enforced for newly created admin users during their first login.
- The revision architecture has changed. Retention of stored revision data has been increased from the past 10 days to 180 days. The day-storage setting can be increased, depending on system resources, in Global > System > Settings.
- Notifications button is added on the left menu bar.
- A Custom Widget can be added with the “Widget” button on the Virtual Area Dashboard, using Saved Filters from Viewer > Rules > Filter.
- The following relevant fields have been added to the Firewall Dashboard middle bar menu on a vendor and device type basis:
  - Check Point: Rules, Services, Service Groups, Schedules, NAT Rules.
  - FortiGate: Rules, Services, Service Groups, Schedules, Virtual IPs, IP Pools, Web Filters, NAT Rules.
  - Palo Alto: Rules, Services, Service Groups, Schedules, URL Category, NAT Rules.
  - Sophos: Rules, Services, Service Groups, Schedules, NAT Rules.
- Rule&Object Usage can be performed through Passive Monitoring. The feature is added to the Rule Cards on Viewer > Rules.
- New Filter Options are added to Viewer > Rules:
  - “Empty” & “Not Empty” Criteria are added in Rules > Filter for Security Profiles.
  - “IPsec” Value is added for Action Field.
  - “IP Pool” Field is added.
  - “Accepted Modified” Value is added for “Risky”, “Permissive” and “Policy Match” Fields.
  - “Certification” Field is added for rules with an assigned “Rule Owner”.
- The filtering area in Viewer > Rules has been changed to allow for editing.
- Rule History feature is added to the Rule Cards on Viewer > Rules.
- The Custom Usage feature is added. Traffic usage analysis can be generated retrospectively, using source, destination, or service information.
- Output Design has been changed for Alert Composer.
- Users field is added for “Add” and “Edit” actions on Rules within Real Time Configuration Alert.
- Subject & Mail Body can be modified in Compliance&Reporting > New Report
- Active Reports that are scheduled can be modified in Compliance&Reporting > Reports
- Risky and Permissive Value analysis is added to the Approval step for rule changes.
- “New Custom Rule” feature is added to the Automation module.
- Rule Existence Control is added in the Analysis step within “Add New Rule”, “Add New Rule Path Free” and “Add New Custom Rule”.
- Rule Copy feature is added to the “Edit” button within Viewer > Rules. Any firewall rule can be copied to any firewall, regardless of the vendor, for a maximum of 20 rules at a time.
- Add New Rule (Above/Below) feature is added to the “Edit” button within Viewer > Rules.
- Responsive Notification is added for “Rule Lifecycle Management” Alert in Settings > Alert & Notification Settings. Based on the response, it can be indicated whether the rule is still needed.
Resolved Issues
| Bug ID | Issue Details |
|---|---|
| N-32401 | Device Integration: Changing Device “IP address” and “Installation” for Palo Alto |
| N-32402 | Device Integration: Adding Panorama Device using Device Wizard |
| N-32403 | Widget: Missing selection devices of “Total Rule Count” widget |
| P-32401 | Shadow Analysis: Missing Analysis for Interface-Subnet address object type in FortiGate |
| P-32402 | Remove Duplicate Objects: Removing duplicated objects from Address Groups |
Support
If you encounter any issues while using Opinnate NSPM, please contact our support team at [email protected].
Thank you for choosing Opinnate! We hope you enjoy using it.