Welcome 3.1 release of Opinnate Network Security Policy Manager. This software is designed to make network security policy management to be done effectively and easily. In this document you will find what Opinnate NSPM is, what key features, new features and known issues are.
Opinnate NSPM is a network security policy management solution that tackles firewall rule analysis, hardening, reporting and automation needs in an easy manner. Opinnate makes policy management in different package levels. The packages are Lite, Standard and Enterprise. Lite package is for firewall rule analysis; Standard package also includes optimization features and finally Enterprise package has all the features including automation.
The product is licensed in subscription model and licensed based on the number of firewalls used and package level.
Key Features
Analysis of policies on firewalls: Firewall rule analysis of all firewalls on several different conditions. Some of the items for this analysis includes:
- Viewing all policies from a single console
- Viewing al IP objects
- Rule or path existence control
- Finding out unused rules
- Finding out expired rules
- Finding out disabled rules
- Finding out shadowed rules
- Finding out permissive rules
- Finding out rules not compliant to corporate policy
Rule hardening by cleaning and disabling: This is also called optimization of rules. These are some of the items that is done for optimization:
- Disabling unused rules
- Disabling expired rules
- Cleaning disabled rules
- Disabling shadowed rules
- Disabling duplicated rules
- Removing duplicate objects
Making policy changes automatically: Automation of rule creation activity is an important aspect and need for policy management. These are some of the items that is done by this automation:
- IPS or logging profile activation on a rule
- User Based Rule Creation
- IP Access Cloning
- Object name/IP change
- Rule update/disable/enable
- Comment update on rules
- IP address decommissioning
- Group-based policy change
Keeping firewalls compliant to standards: Firewalls are one of the most important control points for several regulations and standards. Firewalls must be kept compliant with these standards. Here are a couple of things that is handled for this task:
- Making risk assessment on firewalls
- ISO27001 audit controls
- PCI audit controls
- NIST audit controls
Effective management: Making policy management in an effective way requires management effectiveness. These are some of the items that are made for this management easiness and effectiveness:
- Having virtualized multi-tenancy features
- Corporate policy management/view/usage
- Rule/object usage monitoring
- Alerting on new problematic rule creation
- Finding out firewall changes
- Having executive dashboards
- Firewall specific network topology view
Known Issues and Limitations
Integration vendors: Opinnate has integration with just the leading firewall vendors for now. Palo Alto, Fortinet, Check Point.
Log collection: All syslog data is collected but not stored into our system. We store just the needed ones for monitoring.
Unused Rules: Unused rules are found based on the Last Used data we collect from firewalls. If there is an issue with this data generation unused rules can not be identified. A ticket should be opened to the related firewall vendors if this is the case.
Clear text protocol usage on reporting: Clear-text protocol usage for admin access identification can not be made for Check Point firewalls.
Getting Started
This product can only be used on a server with the mentioned Operating System and version:
- Ubuntu v18 or higher
- Docker Engine installed
- Docker compose installed
Installation Steps
These are the summary of installation steps for v3.1. Detailed installation steps can be found on installation guide document.
- Docker Engine Installation: Docker engine is to be installed on the system if not installed.
- Docker Compose Installation: Docker compose is to be installed if not installed.
- Downloading files: A zip file containing all docker image files, compose file and installation script file.
- Running script: Using the script file installation of the system.
Upgrade Process
These are the steps to upgrade for the customers that use 2.1.x release of Opinnate.
- Opinnate will provide v3.1.1 Upgrade File(s)
- Connect Opinnate Web UI via browser with HTTPS protocol
- There is “System Configuration à Upgrade” menu in “System” on left menu bar
- For each zip file, select the file and click upgrade
Upgrade Order of Modules
- Docker-Compose-Pre
- Opinsql
- OpinCache
- Docker-Compose-Post
- Node-Frontend
- Opinpy
- Then cloud/upload icon will appear on right/up corner and click on it
- The system will log you out after each upgrade process
Updates and Changes
These are the new features added in 3.1.1 version.
- Forti Manager and Panorama Devices added as Managers.
- Check Point Security Management Server is separated as Manager for Check Point and Check Point VSX
- Device Add Wizard option is added.
- Filter Save/Load feature added in Rule Viewer
- Rule Owner feature added and can be edited in Rule Viewer
- Risky Rule(s) can be assigned as Accepted with Explanation in Rule Viewer
- Permissive Critical Rule(s) can be assigned as Accepted with Explanation in Rule Viewer
- Conflict Rule(s) can be assigned as Accepted with Explanation in Rule Viewer
- Rule Reorder feature added in Rule Viewer with Above/Below/Top/Bottom option.
- Rule update by selecting interface option is added.
- The NAT Rule Viewer has been added in Analysis Module
- Rule Checker Non-Routed Mode is added as device selective mode.
- Find IP Query feature added in Network Topology
- Rule Filter option added in Usage Analysis
- Logo insertion added in Report.
- Report Orientation as Landscape/Portrait options are added.
- Report columns can now be customized based on report orientation and firewall vendor.
- All Rule view option added in Report (Default: 20 Rules)
- Scheduled Tasks Tab changed to Alert Composer
- Real Time Configuration Alert feature added in Alert Composer for Check Point, Fertigate, and Palo Alto
- Rule Reorder option added in Disable Shadowed Rule, Shadowed Rule can be moved to above of the Master Rule
- User Based Rule can be added for Check Point, Forti Manager, Palo Alto and Panorama
- Application Based Rule can be added for Check Point, Palo Alto and Panorama
- Excel Import feature added in Add New Rule an Add New Rule Path Free
- New Rule adding to an existing rule option is added.
- Interface and Route Edit option for Other Device in Device Integration
- GDPR Networks added in Environment Settings for Reporting
- PHI Networks added in Environment Settings for Reporting
- SWIFT Networks added in Environment Settings for Reporting
- Risky Analysis Ports added in Environment Settings to customize Risky Services/Ports with affected Rule(s)
- Custom Mail Body Edit option added in Alert & Notification Settings
- Rule Lifecycle Management feature added for Rule(s) that have been active for 1 Year
- Rule About to Expire feature added for Rule that created via Opinnate.
Resolved Issues
| Bug ID | Issue Details |
| N-21401 | PCIDSS Networks: Missing Subject in Reports |
| N-21402 | Alert Notification: In the Alert Notification feature, certain fields are experiencing errors, and in some cases, email notifications fail to send with auto configuration |
Support
If you encounter any issues while using Opinnate NSPM, please contact our support team at [email protected].
Thank you for choosing Opinnate! We hope you enjoy using it.
