
OPINNATE 4.2.0 RELEASE NOTES

Welcome to the 4.2 release of Opinnate Network Security Policy Manager. This software is designed to let network security policy management be done effectively and easily. In this document you will find what Opinnate NSPM is, its key features, the new features in this release and the known issues.

Opinnate NSPM is a network security policy management solution that tackles firewall rule analysis, hardening, reporting and automation needs in an easy manner. Opinnate is offered in different editions: Lite, Standard and Enterprise. The Lite edition is for firewall rule analysis and monitoring; the Standard edition also includes optimization features; and the Enterprise edition has all the features, including automation.

The product is licensed on a subscription model, based on the number of firewall systems used (including virtual firewalls) and the chosen edition.

Key Features

Analysis of policies on firewalls: Firewall rule analysis of all firewalls under several different conditions. Some of the items in this analysis include:

  • Viewing all policies from a single console
  • Viewing all IP objects
  • Rule or path existence control
  • Finding out unused rules
  • Finding out expired rules
  • Finding out disabled rules
  • Finding out shadowed rules
  • Finding out permissive rules
  • Finding out rules not compliant to corporate policy

Rule hardening by cleaning and disabling rules: This is also called optimization of rules. These are some of the items that are done for optimization:

  • Disabling unused rules
  • Disabling expired rules
  • Cleaning disabled rules
  • Disabling shadowed rules
  • Disabling duplicated rules
  • Removing duplicate objects
  • Consolidating redundant rules

Making policy changes automatically: Automation of rule creation is an important aspect of and need for policy management. These are some of the items that are done by this automation:

  • IP based Rule Creation
  • User, Application Based Rule Creation
  • IP Access Cloning
  • Object name/IP change
  • Rule update/disable/enable
  • Comment update on rules

Keeping firewalls compliant with standards: Firewalls are one of the most important control points for several regulations and standards, and must be kept compliant with them. Here are a couple of things that are handled for this task:

  • Making risk assessment on firewalls
  • ISO27001 audit control
  • PCI audit control
  • NIST audit control

Effective management: Effective policy management also requires the management tooling itself to be effective. These are some of the items provided to make management easier and more effective:

  • Having virtualized multi-tenancy features
  • Corporate policy management/view/usage
  • Rule/object usage monitoring
  • Alerting on new problematic rule creation
  • Finding out firewall changes
  • Having executive dashboards
  • Firewall specific network topology view

Known Issues and Limitations

Integration vendors: Opinnate integrates with the leading firewall vendors: Palo Alto, Fortinet, Check Point, Cisco and Sophos.

Log collection: All syslog data is collected, but only the traffic logs and event logs are investigated, and all traffic logs are stored in a special format for the last 30 days.

Unused Rules: Unused rules are found based on the Last Used data we collect from firewalls. If there is an issue with this data generation, unused rules cannot be identified. A ticket should be opened with the related firewall vendor if this is the case.

Clear-text protocol usage in reporting: Clear-text protocol usage for admin access identification cannot be determined for Check Point firewalls.

Panorama: If there is Panorama integration for Palo Alto firewalls the integration must be over Panorama.

Getting Started

It is recommended to run this product on a server with the following operating system and software:

  • Ubuntu v18 or higher
  • Docker Engine installed
  • Docker compose installed

Installation Steps

This is a summary of the installation steps for v4.2. Detailed installation steps can be found in the Installation Guide document.

  1. Docker Engine Installation: Install Docker Engine on the system if it is not already installed.
  2. Docker Compose Installation: Install Docker Compose if it is not already installed.
  3. Downloading files: Download the zip file containing all Docker image files, the compose file and the installation script.
  4. Running script: Run the installation script to install the system.

Upgrade Process

These are the steps to upgrade for customers that use the 4.1.x release of Opinnate.

1. Manager

  1. Opinnate will provide v4.2.1 Upgrade File(s)
  2. Connect to the Opinnate Web UI via browser using the HTTPS protocol
  3. Open the “System Configuration > Upgrade” menu under “System” on the left menu bar
  4. Select the upgrade zip file and click Upgrade
  5. A cloud/upload icon will then appear in the top-right corner; click on it
  6. The system will log you out after each upgrade process
  7. While upgrading, services will restart; they can be monitored with “watch docker ps” from the CLI

2. Collector 

  1. Upgrade files for Opinnate Collector v2.2.1 will be provided
  2. The relevant files must be transferred to the collector server via SFTP
  3. The files, which are in ZIP format, should be extracted
  4. After extraction, you will see the files docker-compose.yml and opinnate_collector.tar
  5. Run the command “docker load -i opinnate_collector.tar” to update the service
  6. In the docker-compose.yml file, within the opinnateredisservice configuration, set the IP address of the Opinnate Manager next to MYSQL_HOST, and save the file
  7. Locate the existing docker-compose.yml file used by the running services, and replace it with the newly provided one
  8. After replacing the file, navigate to the directory containing docker-compose.yml and run the command “docker compose up -d” to start the upgrade process
  9. After the upgrade, monitor the status of the services using “watch docker ps”. Wait up to 3 minutes to observe the health status change to healthy. If it does not change, run “docker compose restart” and wait for the health status to turn healthy
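Steps 5 to 9 above can be scripted so that the compose edit and the health wait are not done by hand. The following is an added example written for these notes, not Opinnate's own installer. It assumes the vendor-provided docker-compose.yml contains a service named opinnateredisservice with a MYSQL_HOST environment entry (as step 6 states), that the docker CLI with the compose plugin is on PATH, and that the script runs from the directory where the new docker-compose.yml has already been put in place (step 7) next to opinnate_collector.tar. The compose sample used for testing is constructed.

```python
"""Automates steps 5 to 9 of the Opinnate Collector upgrade.

Example code written for these release notes, not Opinnate's own installer.
Assumes: a docker-compose.yml with service 'opinnateredisservice' carrying a
MYSQL_HOST entry, the docker CLI with the compose plugin, and execution from
the directory holding the new docker-compose.yml and opinnate_collector.tar.
"""
import ipaddress
import re
import subprocess
import sys
import time

IMAGE_TAR = "opinnate_collector.tar"
COMPOSE_FILE = "docker-compose.yml"
HEALTHY_WAIT_SECONDS = 180   # step 9 says to allow up to 3 minutes
POLL_INTERVAL_SECONDS = 10

# Matches 'MYSQL_HOST: value' and '- MYSQL_HOST=value' (value = non-blank run).
_MYSQL_HOST_RE = re.compile(r"(MYSQL_HOST[ \t]*[:=][ \t]*)\S+")


def set_mysql_host(compose_text: str, manager_ip: str,
                   service: str = "opinnateredisservice") -> str:
    """Return compose_text with MYSQL_HOST under `service` set to manager_ip.

    The edit is done on the raw text so comments and ordering in the
    vendor-provided file survive and no YAML library is needed. MYSQL_HOST
    entries belonging to other services are left untouched.
    """
    ipaddress.ip_address(manager_ip)  # raises ValueError on malformed input
    out, in_service, service_indent, replaced = [], False, -1, 0
    for line in compose_text.splitlines(keepends=True):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        content = stripped.strip()
        if content == f"{service}:":
            in_service, service_indent = True, indent
        elif in_service and content and not content.startswith("#") \
                and indent <= service_indent:
            in_service = False  # a sibling key at the same level ends the block
        if in_service:
            line, n = _MYSQL_HOST_RE.subn(lambda m: m.group(1) + manager_ip, line)
            replaced += n
        out.append(line)
    if replaced == 0:
        raise ValueError(f"no MYSQL_HOST entry found under service {service!r}")
    return "".join(out)


def unhealthy_services(docker_ps_output: str) -> list:
    """Parse `docker ps --format '{{.Names}}\t{{.Status}}'` output and return
    the names of containers whose status does not contain '(healthy)'."""
    unhealthy = []
    for line in docker_ps_output.splitlines():
        if not line.strip():
            continue
        name, _, status = line.partition("\t")
        if "(healthy)" not in status:
            unhealthy.append(name)
    return unhealthy


def _docker(*args: str) -> str:
    """Run a docker CLI command and return its stdout (raises on failure)."""
    return subprocess.run(["docker", *args], check=True,
                          capture_output=True, text=True).stdout


def wait_until_healthy(timeout: int = HEALTHY_WAIT_SECONDS) -> list:
    """Poll docker ps until all containers are healthy or the timeout passes.
    Returns the containers still unhealthy (empty list on success)."""
    deadline = time.monotonic() + timeout
    while True:
        pending = unhealthy_services(
            _docker("ps", "--format", "{{.Names}}\t{{.Status}}"))
        if not pending or time.monotonic() >= deadline:
            return pending
        time.sleep(POLL_INTERVAL_SECONDS)


def upgrade_collector(manager_ip: str) -> None:
    """Steps 5, 6, 8 and 9 in order; step 7 is assumed done beforehand."""
    _docker("load", "-i", IMAGE_TAR)                        # step 5
    with open(COMPOSE_FILE, encoding="utf-8") as fh:        # step 6
        updated = set_mysql_host(fh.read(), manager_ip)
    with open(COMPOSE_FILE, "w", encoding="utf-8") as fh:
        fh.write(updated)
    _docker("compose", "up", "-d")                          # step 8
    pending = wait_until_healthy()                          # step 9
    if pending:
        print("not healthy after wait, restarting:", ", ".join(pending))
        _docker("compose", "restart")
        pending = wait_until_healthy()
    if pending:
        raise SystemExit(f"services still not healthy after restart: {pending}")
    print("collector upgrade complete, all services healthy")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        raise SystemExit(f"usage: {sys.argv[0]} <opinnate-manager-ip>")
    upgrade_collector(sys.argv[1])
```

Run it as `python3 upgrade_collector.py <manager-ip>` from the extracted upgrade directory. The text-based compose edit deliberately rejects a malformed IP and fails loudly when no MYSQL_HOST entry is found under the service, so a changed file layout surfaces before any container is restarted.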

3. Steps Required After Upgrade 

  1. Since collector settings are now moved under Virtual Area > Settings > Device Integration, all collector definitions and trusted IPs must be reconfigured from scratch
  2. For collector definitions, the IP input field no longer requires the x.x.x.x:8081 format
  3. In the Trusted IPs field, multiple syslog senders can now be added. After entering each IP address, press Enter and click the refresh button next to it
  4. Palo Alto or Panorama users must update the custom format for Configuration logs in their syslog profile pointing to the Opinnate Collector. The format should be updated to:
     $receive_time|$serial|$type|$subtype|$time_generated|$host|$vsys|$cmd|$admin|$client|$result|$path|$before-change-detail|$after-change-detail|$seqno|$dg_hier_level_1|$dg_hier_level_2|$dg_hier_level_3|$dg_hier_level_4|$vsys_name|$device_name
  5. As Excel export support has been added to Alert Composer, the existing export formats have been modified. You must select a new export format for each alert and update them accordingly
  6. In Alert Composer, the ‘Firewall Policy’ option has been removed from the ‘Real Time Configuration Alert’. Firewall rule change alerts should now be created using the new ‘Custom Real Time Rule Configuration Alert’. If real-time firewall rule change alerts are currently active, they need to be recreated under this new alert type
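To show what the custom Configuration-log format in step 4 yields once it reaches a collector, here is an added parser written for these notes (not Opinnate's collector code). The field order is copied verbatim from the format string; the sample log line is constructed, and the test for a security-rule path (the wording "rulebase security rules") is an assumption about how PAN-OS names such config paths. Feeding the parser a line with the wrong number of fields is the quickest way to spot a firewall whose syslog profile was not updated.

```python
"""Parser for the Palo Alto / Panorama configuration-log custom format
required by the Opinnate Collector in 4.2.

Example code written for these release notes, not Opinnate's own code.
Field order is taken verbatim from the custom format string; SAMPLE_LINE is
constructed; the 'rulebase security rules' check assumes PAN-OS path wording.
"""

# Field names in the exact order of the custom format string.
PAN_CONFIG_FIELDS = [
    "receive_time", "serial", "type", "subtype", "time_generated", "host",
    "vsys", "cmd", "admin", "client", "result", "path",
    "before-change-detail", "after-change-detail", "seqno",
    "dg_hier_level_1", "dg_hier_level_2", "dg_hier_level_3", "dg_hier_level_4",
    "vsys_name", "device_name",
]

# Constructed sample (not captured from a real device): 21 pipe-separated fields.
SAMPLE_LINE = (
    "2024/01/15 10:22:31|001234567890|CONFIG|0|2024/01/15 10:22:31|10.0.0.20|"
    "vsys1|edit|admin1|Web|Succeeded|vsys vsys1 rulebase security rules allow-web|"
    "{ action deny; }|{ action allow; }|12345|0|0|0|0|vsys1|fw-edge-1"
)


def parse_pan_config_log(line: str) -> dict:
    """Split one pipe-delimited CONFIG line into a dict keyed by field name.

    A field-count mismatch is the usual symptom of a firewall whose syslog
    profile still uses the old format, so it is reported as an error rather
    than silently padded or truncated.
    """
    fields = line.rstrip("\r\n").split("|")
    if len(fields) != len(PAN_CONFIG_FIELDS):
        raise ValueError(
            f"expected {len(PAN_CONFIG_FIELDS)} fields, got {len(fields)}: "
            "check the custom format of the CONFIG syslog profile")
    return dict(zip(PAN_CONFIG_FIELDS, fields))


def is_security_rule_change(record: dict) -> bool:
    """True when the changed config path is a security rule (assumed PAN-OS
    path wording 'rulebase security rules')."""
    return "rulebase security rules" in record["path"]


def summarize_change(record: dict) -> str:
    """One-line summary of who changed what, usable in a rule-change alert."""
    return (f"{record['device_name']}: {record['admin']} ({record['client']}) "
            f"{record['cmd']} {record['path']} -> {record['result']}")


if __name__ == "__main__":
    rec = parse_pan_config_log(SAMPLE_LINE)
    if is_security_rule_change(rec):
        print(summarize_change(rec))
        print("before:", rec["before-change-detail"])
        print("after: ", rec["after-change-detail"])
```

Because the before/after change details are carried as separate fields, a rule-change alert built on this record can show exactly which attribute of the rule changed (here the action), which is what a reviewer needs to judge whether the change was expected.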

Updates and Changes

These are the new features added in version 4.2.1.

Global:

  1. The logging structure has been updated to comply with RFC5424 standard.
  2. A new feature has been added to limit IP addresses logging in via Trusted Host.
  3. HTTPS access via browser has been improved to ensure certificate-based access, enabling secure connection with valid certificates.
  4. Collector connections have been redesigned to operate on a per-Virtual Area basis. Collector settings are now located under Virtual Area > Settings > Device Integration.
  5. Added the capability to receive logs from multiple IP addresses per firewall.

Analysis:

  • Rule Usage Level Analysis now supports subnet summarization up to /16 and /8 networks.
  • Introduced shadowed rule analysis based on User and User Group.
  • VMware NSX is now supported.
  • Cisco Firepower integration is now available.
  • Excel attachment option is added under Alert Composer.
  • Custom Real-Time Rule Configuration alerting is now supported:
    • These alerts are now handled separately from general Real-Time Configuration Alerts.
    • Filtering options have been added for the incoming Custom Real-Time Rule Configuration alerts.

Reporting:

  1. Excel export support added in the Reports section.
  2. New compliance template reports are added: NERC CIP, GLBA, SOC2, FISMA

Optimization:

  1. After Rule Usage Analysis, a “Rule Usage – Add Rule” task is now automatically added to the task list, enabling approval and analysis workflows for new rule creation.

Automation:

  1. Palo Alto & Panorama: Added support for creating URL categories and managing category members (add/remove).
  2. Fortigate & FortiManager: Added support for creating Web Filters and managing filter members (add/remove).
  3. Added support for creating tags under the Virtual Area > Settings > Environment Settings menu and assigning tags to firewall rules from Home > Viewer > Rules page.

Resolved Issues

Bug ID    Issue Details
N-41401   Remote Auth: Updating LDAP Authentication Server
N-41402   Real Time Config Alert: Missing Analysis for Route configuration in Palo Alto
N-41403   Real Time Config Alert: Incorrect user-based information formatting in Real-Time Configuration Alerts for firewall rules
N-41404   Firewall Dashboard: Virtual IPs page in the Firewall Dashboard fails to display data beyond the first page
N-41405   Network Role: Security policies cannot be defined after importing network roles via Excel
N-41406   Syslog: Unable to add Syslog server
P-41401   Remove Duplicated Objects: Removing duplicated objects
P-41402   Rule Consolidation: Missing Analysis in Rule Consolidation for Fortigate
P-41403   NAT Rules: Missing Analysis for Palo Alto
P-41404   Decommission: Removing fails for rules using Check Point inline layers
P-41405   Revision Compare: Incorrect revision history entries for Palo Alto site-to-site VPN status changes

Support

If you encounter any issues while using Opinnate NSPM, please contact our support team at support@opinnate.com.

Thank you for choosing Opinnate! We hope you enjoy using it.
