- 1 Introduction
- 2 Installation
- 3 Getting started
- 4 Virtual Area Operations
- 5 Analysis Features - Lite
- 6 Optimization Features - Standard
- 7 Automation Features - Enterprise
- 7.1.1 Add New Rule
- 7.1.2 Server Cloning
- 7.1.3 Group-based Rules
- 7.1.4 Add New Rule Path Free
- 7.1.5 Server Cloning Path Free
- 7.1.6 Disable a rule from Rule Viewer
- 7.1.7 Enable a disabled rule from Rule Viewer
- 7.1.8 Delete a disabled rule from Rule Viewer
- 7.1.9 Editing a rule on Rule Viewer
- 7.1.10 Editing comment on Rule Viewer
- 7.1.11 Change Owner
- 7.1.12 Rule Lock/Unlock
- 7.1.13 Editing an object on Object Viewer
- 7.1.14 Editing an object on Group-Object Viewer
- 8 Task List
- 9 Troubleshooting and Support
- 10 Glossary
- 11 Disclaimer
Copyright© 2024, Opinnate, Inc. All rights reserved. No part of this document may be reproduced, translated into another language or format, or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Opinnate, Inc.
8, 320 Tubbenden Lane South,
Bromley, BR6 7DN, United Kingdom
Trademarks Opinnate®, the Opinnate logo and the names and marks associated with Opinnate products are trademarks and/or service marks of Opinnate, Inc. and are registered and/or common law marks in the United Kingdom and various other countries.
All other trademarks are property of their respective owners. No portion hereof may be reproduced or transmitted in any form or by any means, for any purpose other than the recipient’s personal use, without the express written permission of Opinnate.
End User License Agreement By installing, copying, or otherwise using this product, you acknowledge that you have read, understand, and agree to be bound by the terms and conditions of the End User License Agreement for this product. The EULA for this product is available on the Opinnate Support page for the product.
Disclaimer While Opinnate uses reasonable efforts to include accurate and up-to-date information in this document, Opinnate makes no warranties or representations as to its accuracy. Opinnate assumes no liability or responsibility for any typographical or other errors or omissions in the content of this document.
Limitation of Liability Opinnate and/or its respective suppliers make no representations about the suitability of the information contained in this document for any purpose. Information is provided “as is” without warranty of any kind and is subject to change without notice. The entire risk arising out of its use remains with the recipient. In no event shall Opinnate and/or its respective suppliers be liable for any direct, consequential, incidental, special, punitive or other damages whatsoever (including without limitation, damages for loss of business profits, business interruption, or loss of business information), even if Opinnate has been advised of the possibility of such damages.
Customer Feedback We are striving to improve our documentation quality and we appreciate your feedback. Email your opinions and comments to [email protected]. Visit the Opinnate Support Center for End User License Agreements, software downloads, product documents, product licenses, troubleshooting tips, service requests, and more.
TABLE OF CONTENTS
1 Introduction 5
1.1 Conventions 5
1.2 Intended use 5
2 Installation 6
3 Getting started 7
3.1 Connecting to the System 8
3.2 Admin Settings 8
3.3 System Settings 10
3.4 Virtual Areas 11
4 Virtual Area Operations 12
4.1 Settings 14
4.1.1 Device Integration 14
4.1.2 Environmental Settings 16
4.1.3 Alert and Notification Settings 17
4.1.4 Logs 17
4.1.5 Corporate Policy 18
5 Analysis Features – Lite 20
5.1.1 Viewer 20
5.1.2 Rule Checker 23
5.1.3 Network Topology 24
5.1.4 Usage Analysis 24
5.1.5 Revision Compare 25
5.1.6 Alert Composer 26
5.2 Compliance and Reporting 26
5.2.1 New Report 26
5.2.2 Reports 27
5.2.3 Report Settings 27
6 Optimization Features – Standard 28
6.1.1 Disable Shadowed Rule 28
6.1.2 Disable Expired Rule 28
6.1.3 Disable Unused Rule 29
6.1.4 Clean Disabled Rule 30
6.1.5 Remove Duplicate Objects 30
6.1.6 Decommission 30
6.1.7 Scheduled Tasks 31
6.1.8 Rule Consolidation 31
7 Automation Features – Enterprise 32
7.1.1 Add New Rule 32
7.1.2 Server Cloning 33
7.1.3 Group-based Rules 35
7.1.4 Add New Rule Path Free 37
7.1.5 Server Cloning Path Free 39
7.1.6 Disable a rule from Rule Viewer 40
7.1.7 Enable a disabled rule from Rule Viewer 40
7.1.8 Delete a disabled rule from Rule Viewer 40
7.1.9 Editing a rule on Rule Viewer 40
7.1.10 Editing comment on Rule Viewer 41
7.1.11 Change Owner 42
7.1.12 Rule Lock/Unlock 42
7.1.13 Editing an object on Object Viewer 42
7.1.14 Editing an object on Group-Object Viewer 42
8 Task List 44
9 Troubleshooting and Support 45
10 Glossary 46
11 Disclaimer 48
1 Introduction #
This document is the user guide for Opinnate Network Security Policy Manager for the version 3.2.0.
It is recommended that you read this instruction manual carefully before use.
This product is suggested be used on a server with the mentioned Operating System and version:
- Ubuntu v18 or higher
- Docker Engine installed
- Docker compose installed
The use of any other OS is not supported.
Please, carefully read the precautions with symbols, to ensure that the system is used in best conditions and in complete safety.
1.1 Conventions #
To avoid all configurational misconceptions, this document splits informational instructions into two levels.
ATTENTION | |
Care must be taken for this condition |
WARNING | |
It may be serious issue if not done accordingly |
1.2 Intended use #
This software is an aid for security operations. The operations that need hard and repetitive work activity is to be handled by this software. These activities may be firewall policy analysis, making policy changes and generation of specific reports.
Opinnate is a system that makes policy management easier with the capabilities identified in this document. In the first part the installation of the system, and alternative ways of this installation be given. The next part will be an overview of how the product works, what are its abilities, how it is licensed and what kind of packages exist. Also, the global configuration of the system will be detailed.
2 Installation #
The system is working in a containerized model so that you can use your system OS as per your needs. Before installation of the system please make sure that the requested Ubuntu based OS is prepared on the server and the system has the specified resources available. Also, docker engine and docker compose must be installed.
Prerequisites:
Docker engine installation : https://docs.docker.com/engine/install/ubuntu/
Docker compose installation : https://docs.docker.com/compose/install/linux/#install-using-the-repository
Main installation:
You’ll receive a compressed file containing:
- several .tar files that are containing Opinnate Docker images,
- a docker-compose.yml file,
- run.sh file that is a bash script to load the Docker images and run the compose file.
Extract the contents of the compressed file, preferably to /srv/opinnate directory.
Execute the bash script with sudo privileges.
- sudo bash run.sh
- Script will import the docker images and run docker-compose file.
Access Opinnate application in https://localhost:443 or in https://<ip of the device that the app is running on>:443 from any other machine.
When connected a license page will be seen, now you will need to copy the system ID from this page and share this information with your partner. After this step the license file purchased be needed will be generated to be able to connect to the system.
Once you have the license upload the license file using the Upload License file button and now the system is ready.
3 Getting started #
The system is composed of two main areas. The first area is the global area where all general settings and user settings are configured. The other area is the virtual area where all firewall policies are managed. These virtual areas are used for multitenancy purposes and each virtual area is separated from the others and can be managed with different authorization levels.
Opinnate is licensed in three different editions as follows:
- Lite
- Standard
- Enterprise
Lite | Standard | Enterprise |
Analysis | Analysis | Analysis |
Audit | Audit | Audit |
Reporting | Reporting | Reporting |
Optimization | Optimization | |
Automation |
As seen in the comparison chart, the Lite edition is the basic model and the mentioned features exist, so for this licensing model just the related functions be used.
Following are the explanations of each function and their purpose:
Analysis:
Analysis is related to making detailed analysis of firewall rules. The system will be giving information about unused rules, duplicated rules, shadowed rules, etc.
Audit:
In the audit part system will be generating reports for compliance purposes. The compliance reports that can be generated from the system are ISO27001, PCI-DSS, NIST, SOX, HIPAA, GDPR, SWIFT, DTO and BRSA.
Reporting:
Both for compliance purposes and special needs a limitless number of reports can be generated from the system. For example, all permissive rules on all the firewalls.
Optimization:
Analysis results cannot be automatically used, or hardening must be done manually if optimization is not in place. Cleaning of all the analyzed rules automatically is possible with this feature.
Automation:
Policy changes on firewalls be done automatically with this feature adapting the necessary routines like approval in place.
3.1 Connecting to the System #
When connected to the system the first screen to be displayed will be the global dashboard. On the global dashboard license information, logged in admins, system information and virtual areas can be seen.
License:
In the license field apart from the model information the number of virtual areas and the number of firewalls can be seen. The system comes with one virtual area so, if there is a segmentation need or there is different organization to manage additional virtual area license must be purchased. Firewall number is the basic licensing data to be used no matter if the firewall is in cluster, physical or virtual the total number of firewall systems licensed be seen.
Logged in Admins:
During normal operation the users doing activity on the system can be seen in this part.
Virtual Areas:
The virtual areas activated on the system can be seen here with the information about how many numbers of firewalls exist in that virtual area.,
Apart from these fields, for the sake of easiness the addition of a new admin account and new virtual area can be initiated from this page.
From this point on other pages on the global area will be detailed starting from Admin Settings panel.
3.2 Admin Settings #
There are three menus in this panel: Admin Users, Admin Profiles and Remote authentication.
Admin Users:
In this page an admin user can be created on four different authorization levels by default. These are Super-user, Infosec, Firewall, read-only admin users. By default, an admin user exist which can be deleted once a new super-user added to the admin users. *
WARNING | |
It is strongly recommended to delete default username when the new super-admin user is created. |
Admin Profiles:
All the fields and pages are categorized according to authorization levels. By default four different profiles are already added to the system and these are cannot be modified. However, new profiles can be created and edited if it is needed or preferred.
Following is the super-user admin profile settings on the admin profiles page:
Similarly other profiles may be seen here on this page. Since default admin profiles are not editable so are their names.
Remote Authentication:
LDAP and Radius authentication methods are supported. Related authentication servers can be added for admin authentication.
Sample LDAP configuration settings is as foloows:
3.3 System Settings #
General settings for the whole system are configured in this menu. There are five different pages to be seen on this page.
System Configuration: One can get the configuration backup of the system from here. Upgrading of the system and uploading of the backup file is also managed here.
Syslog: As the name implies syslog servers to which system logs be sent be configured on this page.
Collector: The Collector module of Opinnate which is working as a standalone Linux server is added and managed from here.
Helpdesk: Helpdesk integration can be made using this menu. For the end users to create a new firewall service request there are three methods to use. These are Customer helpdesk, Opindesk (add-on Opinnate ticketing software) and Opinnate itself.
Settings: Ticket naming standard, idle timeout and period the system will be renewing data from the firewalls would be configured here. Apart from this password policy for local authentication can also be activated and configured here.
Logs & Debugging: All system global area logs be seen in detail. Debugging is used for the purpose of downloading error logs for support cases.
Licensing: System licenses be seen, and new license be added from here.
3.4 Virtual Areas #
Virtual area naming and scheduling can be configured from here. Also, from here first-time data renewal is made.
4 Virtual Area Operations #
From global dashboard one can go to virtual area dashboard on the left bottom panel of the UI. There are several menus to be used for the management of the system in virtual area section. The first screen to be shown is the virtual area dashboard. Here there are several charts showing the overall status of the environment. Similar charts can also be viewed on the firewall dashboard of each firewall for the analysis of that firewall. The charts and the given information is as following:
Firewalls: Number of firewalls added to the system is shown. There are also other devices like switches and routers, and they can be seen from the devices menu or by clicking on this chart.
Rules: Number of rules existing on the firewalls added to the system. These rules can be seen in detail from the rule viewer and by clicking on this chart.
Shadowed Rules: Number of shadowed rules can be found on this chart. Shadowed rules are the rules that are not processed because there is another rule above these rules in the policy table. No matter if the policy is a permit or deny policy the shadowed rules will be found and shown in the rule viewer for detailed analysis. In shadow analysis every criterion that may lead the rule below not to be looked upon is considered. Source IP, Destination IP, Service, Users, Application, URL Filter (If applied), IPSEC (If applied), Policy Target (If exists)
Expired Rules: Number of expired rules can be found on this chart. Expired rules are the rules that are non-functional since the validity period has passed. Expired rules must be eliminated from the policy table since they increase the complexity level of it. All expired rules will be found and shown in the rule viewer for detailed analysis.
Disabled Rules: Number of disabled rules can be found on this chart. Disabled rules are the rules that are non-functional since they are disabled. Disabled rules must be cleared from the policy table since they increase the complexity level of it. In routine operations these are the first rules that will be acted on because other rules to be optimized are to be disabled.
Policy Conflict: Number of rules that are not compliant to the corporate security policy. These are the rules to be reviewed first because of this incompliance. If the rules are necessary to use, then changes to the corporate security policy must be thought up and documented accordingly. Rules that are not compliant with the security policy can be analyzed from the rule viewer and corporate security policy table.
Log Disabled: Number of rules for which logging not activated is shown. Logging is one of the crucial things in cyber security, so every single rule must generate log messages when there is traffic related to it. It is also a necessity according to several compliances. Detailed information and related rules can be found in rule viewer.
Risky Rules: Number of rules opening ports on risky services is shown. Risky ports are identified from best practices and from compliances and rules are found according to this port information. Detailed information and related rules can be found in rule viewer.
Opinnate uses the following services most of which are coming from NIST framework as risky services:
TCP:135/137-139
UDP:135/137-139
UDP:69
UDP:514
UDP:161-162
TCP:6660-6669
TCP:20-21
TCP:22
TCP:80
TCP:1433
TCP:23
TCP:445
TCP:1521
TCP:87
Tcp:79
TCP:0-19
UDP:0-19
UDP:23
TCP:3389
UDP:3544
TCP:5900
TCP:3306
TCP:5432
TCP:53
UDP:53
TCP:389
UDP:389
TCP:49152-65535
UDP:49152-65535
Permissive Rules: Permissive rules are the rules having permissive source or destination IP or permissive service containing high amounts of ports in it. The number of permissive rules can be seen here in four different levels: critical, high, medium, and low. The details of these rules can be found in rule viewer and can be analyzed further to find out which IP addresses are using it.
Each permissive level is described as below:
Critical: Rule having “any” in any field,
High: Rules having (src_count + dst_count)> 4096 or port_count > 20
Medium: Rules having (src_count + dst_count)> 512 or port_count > 10
Low: Other rules
No Hit Rules: The number of rules having no hit value on it; however, they may not be unused rules if they are newly added rules. So, for optimization purposes the creation date of these rules must also be known to decide if these rules are unused rules or not. Details of these rules can be seen via rule viewer.
Average Risk Score: Risk score of each firewall is calculated based on the following best practices: permissive rules usage, logging activation per rule, risky service usage, perimeter access, cluster, unused rules, corporate policy mismatch and IPS usage.
Here is the list of criteria considered for calculations:
Permissive rules
Risky rules
Rules that are not logged
Explicit rules existence
Perimeter rules
Clustering condition
Unused rules
Conflicting rules
Rules IPS not activated
Each criterion is calculated based on a risk level considering the rules and the total number of rules. Risk score is calculated based on the general formula below:
riskScore = 100-100*(1-calculatedRisk/totalRisk)
Apart from these number charts there are several widgets showing information about active tickets on the system, the latest tickets created, firewall devices and their related statistics, etc.
4.1 Settings #
Settings is the panel that is used for integration of the system to the environment. Till this integration to be done all the fields on the main dashboard will be empty.
There are following menus and sub-menus on this part:
4.1.1 Device Integration #
Devices is the section where the necessary devices to be integrated. This integration is to be done on the Device Add/Remove menu. Here with the supplied necessary information the system will start connecting to the related device. The supplied information will be as follows:
Device Name: A unique device name for identification of the device. It is suggested to use hostname for the sake of standardization.
Device IP: Ip address to be used to connect to this device. *
Device port: Port number to be used to connect to this device. *
User profile: The user profile that is configured on the device user profile page to be used for different devices if they are using the same user and password information. *
ATTENTION | |
Be sure the necessary user creation and permit rules activation on the devices done previously. The communication with firewall devices will be on API and for the switches it will be on SSH. |
Virtual firewall: If the firewall is a virtual firewall, then it must be defined accordingly.
Vendor: The vendor of the device be chosen from the drop down
Internet Firewall: If the added firewall is an internet firewall it must be enabled.
Cluster: If the added firewall is cluster, then it must be enabled.
To remove a device that is already added to the system flip menu be chosen on the upper section. The device to be removed be chosen from this list and from that point on the device and its related data will be removed from the system.
When the devices are added and integrated to the system, they will start to be seen on the Devices menu. From here if the connection is successful a check icon is seen near the related device. Using the Edit button, the configuration parameters of the related device can be updated. Using the Home icon near each device it is possible to reach device dashboard of each device to see the analysis data specifically for that device. Apart from the analysis data the interfaces and routing information on the device can be seen.
Device Add Wizard: It is also possible to add devices via Wizard. Here step by step workflow to inform the user what settings to apply after adding the user profile. In the first step device type is to be chosen from the list of devices such as Panorama, Forti Manager, FortiGate, Palo Alto, Check Point. In the second step necessary user information is given and in the last step settings such as IPS profile to be used can be chosen from among the configured ones on the firewall.
Device User Profiles: All the user profiles created can be listed and viewed here.
LDAP Integration: LDAP Integration is the area that makes it possible to apply policy changes based on user information. From here the LDAP servers that exist in the environment will be added.
There are the following fields to be supplied for this integration in LDAP Server settings:
Domain name
Server IP
Server Port
Distinguished Name
User DN
User Password
Device&Domain Relation: Once the LDAP servers are integrated to the system the devices that have user integration with related LDAP server must be configured. With this information on which devices the domain integration exists will be known.
Other Devices: Devices other than the integrated ones can be seen on this menu. The interfaces and the routing are the data to be seen on the related device.
Sample LDAP configuration settings is as follows:
4.1.2 Environmental Settings #
Customer specific information be needed for audit and analysis. *
DNS Servers: Corporate DNS servers to be defined here.
PCI-DSS networks: Cardholder data network subnets to be defined here.
GDPR Networks: GDPR related servers or networks to be defined here.
PHI Networks: HIPAA related servers or networks to be defined here.
SWIFT Networks: Swift servers or networks be defined here.
Risky Analysis Ports: Apart from the list of risky services given in the previous section custom services can be added as risky to the list here.
WARNING |
Related audit reports will not be generated as expected if these values are not configured correctly. |
4.1.3 Alert and Notification Settings #
The system will be sending alerts when there are specific conditions aroused. For these alerts to be sent, necessary email integration must be done. The SMTP Server Settings to be configured are the following: *
SMTP Server Status
Security Mode
Authentication
SMTP Server
Port
Username
Password
Sender mail
Sender Mail Title
It is also possible to use Auto configuration option for the related settings to be automatically tested with the server side and selected accordingly.
ATTENTION | |
Be sure to make a test when configuration is finished. |
For automation workflows, Approve Notification and Operation notification users must be identified for the system to inform them when there is a new request.
Following are custom body field configuration menus for the related notifications.
Pending Approval Notification: The content to be used on the mail body will be configured to send notification to the Approver.
Pending Operations Notification: The content to be used on the mail body will be configured to send notification to the Operator.
Report Notification: The content to be used on the mail body will be configured to send notification to the Report owner.
Rules About to Expire Management: For rules that are about to expire a notification process exists. From here an email alert is sent to the rule owner.
Rule Lifecycle Management (RLM): For rules that should be reviewed if the need still exists RLM process can be activated for Opinnate to send notifications to the rule owners each year based on the creation time of the rule.
Status of Device Connection: If the connection between the firewall and manager is lost an alert is to be sent to the related owner.
4.1.4 Logs #
Logs related to the virtual area will be found here locally. From here detailed filters can be applied and search can be made effectively. Fields can be applied to are as follows:
Log Type
Log Time
Operation Type
From
To
Once the necessary logs are found they can also be exported to the local PC/Server in PDF or Excel.
4.1.5 Corporate Policy #
In this part of the system the corporate policy of the company can be imported and make it a visual one. The reason for this menu is to create firewall rules that are compatible with corporate security policy. To import policy the first thing to do is to define zones or network roles. After this using the security policy matrix the inter communication between each zone is configured.
4.1.5.1 Network Roles #
Network roles are to be added in this part. Network role means a group of servers having the same duty or used for the same or similar purposes. It may not be the same on the network and it is not the same as network segments. To add a new role, Add New Role button be used to add the information needed to create the rule. The following are the fields to be needed for this creation.
Role Name: Name of the role that is being created.
Description: Explanation of this role but it is not mandatory
New IP: The IP address/es added to this group
4.1.5.2 Security Policy #
With the addition of the roles in the environment. They will be populated on Security Policy matrix that exist on this section. The relationship between each role can easily be configured on this matrix. With the information on this security policy each new rule to be created will be compared to it to make corporate security policy check. The matrix to be seen on this section will be like the following:
Between each role there is a settings button to be used for defining if the role can reach to the other role on any ports, certain ports or it must not reach the other role. The situation for allowance be shown via tick, block signs as seen on the picture. For reaching or not reaching on certain ports “i” icon be used. To see the details of this information, settings button is to be used.
5 Analysis Features – Lite #
Analysis is the activity of collecting firewall policies from all the firewalls and make thorough analysis on firewall rules. After this analysis is made the analysis dashboard charts be filled with the related values and the firewall topology be created. There are five main menus on this part:
5.1.1 Viewer #
All information that is collected from the firewalls such as rules, objects and NAT rules can be found here
5.1.1.1 Rule Viewer #
Rule viewer is the part of the system where detailed searches on all the rules existing on the firewalls are made. After integrating the firewalls to the system, the policies start to be collected from all the firewalls and analysis process starts. Rules can be viewed with most of the common used parameters like Device Vendor, Source IP, etc..
There is a filtering area just above the rule viewer section. By enabling filter option one can make detailed search on rules.
The filtering area is as follows:
From here by choosing the necessary searched item in the related drop-down menu rules be filtered. These search fields can be combined in group wise or inter-group wise to use OR and AND operators in needed combinations.
Field Name: In the field name there are several parameters to be chosen like Source, Destination, Service, Comment, Device Vendor, etc.
Criteria: The criteria may have fields like “contains” for text values, “greater than” for numerical or date values and conditions to be checked as True or False.
Value: For this field the related text, number or date value be given as the search value
There are several fields that can be used for filtering. These are:
Action
App Profile
Application
AV Profile
Comment
Data Filtering
Destination IP
Destination Name
Devie IP
Device Name
Device Type
Disabled
DNS Profile
Expired
File Blocking
First Create
From
Hit Count
Inline Layer
Internet Service
IPS Profile
Last Modifier
Last Modify Time
Last Used
Layer
Location
Logging
NAT
Permissiveness
Policy Match
Policy Package
Profile Group
Risky
Rule ID
Schedule
Schedule Name
Service Name
Service Port
Service Protocol
Shadowed
Source IP
Source Name
SSL Profile
To
URL Category
URL Filtering
Users
Virtual Firewall Name
VPN
Vulnerability Protection
Web Filter
Wildfire Analysis
5.1.1.1.1 Rule Card Customization #
It is possible to choose which fields are to be listed on rule viewer for each vendor. To do that 3-dotted icon used on the upper right side of the rule viewer.
5.1.1.1.2 Risk Management #
It is possible with Opinnate accepting the risk associated with a Risky, Permissive Critical or Policy Conflict rule. So, with this setting related rules start not to be listed as risky, critical or conflict to be able to effectively manage risks associated with the rules.
5.1.1.1.3 Rule Export #
The rules listed on the screen can be exported as pdf or excel file to analyze them offline.
5.1.1.1.4 Rule Update #
It is possible to disable, enable a rule or update its fields like source, destination, or comment. This feature comes with Enterprise edition. If there is one can easily select the necessary, rule/s to update easily via approval in place.
The following are the actions that can be taken on the related rules:
Disable Rule: To disable the selected rule or rules
Enable Rule: To enable the selected rule or rules
Delete Rule: To delete the selected rule or rules
Rule Reorder: To change the order of a rule. The order alternatives can be top, bottom or above or below of a selected rule
Edit Rule: To append IP address/es or to change the chosen fields of a selected rule
Edit Comment: To append, replace or change of the comment section of the selected rule/s
Change Owner: To change the owner or assign the owner of a rule
Rule Lock/Unlock: To lock a rule so that no one can act on it. It is an action that can be made by a super-user admin account.
5.1.1.2 NAT Rule Viewer #
In NAT Rule Viewer section all NAT rules that are configured be listed.
Original Source: Original Source IP
Original Source Zone: Traffic originated from
Original Dst: Translated Source IP
Original Dst Zone: Traffic directed to
Original Services: Related traffic
Name: Name of the NAT rule
Comment: Comment if exists
5.1.1.3 Object Viewer #
All the object names will be listed on each firewall from here. Once an object is searched it will list the related object names that exist on firewalls. When the related object is selected all the rules using this object will be listed on rule viewer.
5.1.1.4 Group Object Viewer #
All the group-object names will be listed on each firewall from here. Once a group-object is searched it will list the related group-object names that exist on firewalls. When the related object is selected all the rules using this group object will be listed on rule viewer.
5.1.2 Rule Checker #
Rule checker is a field that can be used to find out the existence of a rule on the firewalls. When given with the necessary IP and service information the system will make both a path analysis and will find each rule on each firewall.
There are following fields on Rule Checker tool:
Source IP: Source IP is the IP that traffic will start from. This can be a single(host-based) IP, range of IP addresses or IP subnet.
Destination IP: Destination IP is the final arrival point of the traffic.This can be a single(host-based) IP, range of IP addresses or IP subnet.
Select Protocol: Protocol of the traffic that is searched. This can be ALL meaning any traffic, a TCP or a UDP traffic.
Service Port: Service port that will be used for the traffic. For HTTP traffic this can be port 80, 8080 or any similar port that web service is enabled.
User: When selected the check will be based on the AD user/group information given
When all the fields are filled with the related information, the results “Continue” button be used. On the results page the firewalls that must be in place will be seen for this traffic to be established and if these firewalls already allowing the traffic or which ones are blocking it. For example, with the given information for TCP/80 traffic the rule checker result page shows traffic to be blocked.
On the results page after investigating the results there are two options; either come back to the previous page to change one of the parameters that is being searched for or create a new query. With the chosen method the tool will show the new results.
5.1.2.1 Topology Mode #
In topology mode the controlled IP addresses must exist on the network or a routing must exist from source to destination IP. If it is, then the system will show all the firewalls in path giving the information if there is access or not.
5.1.2.2 Non-routed Mode #
If the firewall is known or there is a missing routing, it is also possible to show if there is access on the selected firewall devices.
5.1.3 Network Topology #
Network topology is the graphical representation of all the firewalls added to the system with their connections to each other. The topology can be zoomed in or out via mouse scroll or using the panel on upper right side. Also, it is possible to take a picture of this topology view in jpg format to use somewhere else. In this topology firewall icon locations, be changed easily and to make this place valid in future visits a “Save” button exists in the same panel.
There is a Search area on the left upper side of the screen. The purpose of this search area is to find out the path of any traffic or to find out the existence of a rule with the addition of service field. Like rule checker the system will find the path, but this time it will also show it on the topology. The path be seen via using a dotted line and rule existence is shown on each firewall on the path.
Here is a sample view of a topology to be drawn:
5.1.4 Usage Analysis #
For permissive rules and for regular rules to see what IP addresses or objects are actually using the specific rule, usage analysis is used. For this mechanism to work the related rules must be chosen to monitor on Rule&Object Usage menu. Once the rules are chosen and monitoring duration is identified traffic logs start to be collected by collector and when the duration ends usage analysis will be given by the system. There are two different usage analysis methods that can be used: rule usage and object usage. *
Rule Usage: This mechanism will be used for permissive rules. The system will work on the rules to find out which IP addresses are using the rule and made an analysis based on risk score to be chosen. For higher risk levels IP addresses are to be summarized to lower the total number of rules that need to be created. For lower levels the number of rules will be higher.
Object Usage: This is a mechanism to find out which objects are actually using the rules, and which are not necessary. The system will supply object usage value in percentage. Using this information rule can be edited.
WARNING |
Opinnate Collector must be installed beforehand to make usage analysis and Trusted IP addresses that are sending Syslog messages must also be identified. |
5.1.4.1 Rule&Object Usage #
Using this menu rules to be monitored are chosen in three steps. First, devices need to be chosen. Afterwards, the related rules be chosen in step 2. Finally, the duration period for monitoring will be identified for the monitoring process to start. Started monitoring tasks will be seen on Usage Task List menu.
5.1.4.2 Usage Task List #
Tasks will be listed here with their status. Tasks for which monitoring is going on be listed as Running. Once a task is finished it will be listed as Completed. For completed tasks the rules will be shown once the risk level is chosen for rule usage analysis. For object usage the usage values, be listed in percentage for each object existing in the rule.
5.1.5 Revision Compare #
For configuration changes done on firewalls including objects, object groups, VPNs and policy changes revision compare menu be used. One can easily see the difference between the remaining version with the past ones.
Subjects: For each revision compare report subjects must be chosen. Here are the subject names that configuration updates to be seen:
Device Address
Device Address Group
Device Admins
Device App
Device App Group
Device Interface
Device Route
Device Schedule
Device Service
Device Service Group
IPSEC VPN
Policy
Devices: Each device integrated be listed here and the report will be generated for the chosen devices. By default, all devices is chosen.
Previous Revision: As the name implies past revision that is to be compared against
Next Revision: As the name implies next revision that is controlled.
Once the necessary fields are chosen report be generated and viewed on the next screen shown. One can see all the differences between each revision based on the additions, deletions or modifications.
5.1.6 Alert Composer #
The difference between each revision can be monitored using scheduled tasks. From here four different alert schedules can be created. Once an alert is created system will start sending emails related to each situation:
Revision Compare: A report be generated and sent based on the criteria defined for the last two revisions.
Critical Rule Alert: If a permissive critical rule is found out on the last revision an email alert is sent.
Risky Rule Alert: If a risky rule is found out on the last revision an email alert is sent.
Policy Conflict Rule Alert: If a policy conflict rule is found out on the last revision an email alert is sent.
5.2 Compliance and Reporting #
There are several reports that can be supplied from the system. PCI-DSS, NIST, ISO27001, HIPAA, GDPR, SOX, SWIFT, BRSA and DTO reports that can be used for audit purposes. Apart from this several different custom reports can also be generated. Reports that need to be generated will be defined on New Reports page first and then generated reports be seen on Reports page.
5.2.1 New Report #
To generate a new report what kind of report is needed and if the report is to be scheduled or not will be configured here.
Report Name: The name of the reports that will also be shown on the report be configured here.
Type: Type of report be chosen here. There are five different options here:
PCI-DSS: The report for PCI-DSS audit readiness. If chosen Subjects will be pre-populated
ISO27001: The report for ISO27001 audit readiness. If chosen Subjects will be pre-populated
NIST: The report prepared based on NIST framework on firewalls. If chosen Subjects will be pre-populated
HIPAA: The report prepared based on HIPAA framework on firewalls. If chosen Subjects will be pre-populated
GDPR: The report prepared based on GDPR framework on firewalls. If chosen Subjects will be pre-populated
SOX: The report prepared based on SOX framework on firewalls. If chosen Subjects will be pre-populated
SWIFT: The report prepared based on SWIFT framework on firewalls. If chosen Subjects will be pre-populated
DTO(TR): The report for DTO audit readiness. If chosen Subjects will be pre-populated
BRSA(TR): The report for BRSA audit readiness. If chosen Subjects will be pre-populated
Custom: The reports for special needs like permissive rule analysis.
Subject: Apart from custom reports subjects will automatically be chosen here. For custom reports Subjects need to be identified here.
Devices: Reports to be prepared for which devices be chosen here. By default, all firewalls will be chosen.
Enable Schedule: If the report needs to be prepared in regular intervals the schedule will be configured here.
Enable Notification: If notification is needed or for scheduled reporting email addresses will be identified here.
5.2.2 Reports #
When a new report request is made the prepared reports are listed in this menu. One-time reports and scheduled reports can be viewed in the same manner in the PDFs section of the related report request. Viewing or downloading the prepared report is possible as seen in the following.
5.2.3 Report Settings #
It is possible to change the logo that will be displayed in the generated reports. Simply uploading the preferred logo file using the upload button is needed. Apart from this, changing the columns of the rules in the generated reports and rule export can be made here. Colum preferences can be based on the vendors integrated and the orientation of the report.
6 Optimization Features – Standard #
In the optimization panel there are several workflows related to each rule type that an action must be taken on. These are disabling of shadowed, expired, unused rules, cleaning of disabled rules and decommission of any IP address that is shut down on the environment.
6.1.1 Disable Shadowed Rule #
Shadowed rules are the rules that are not processed because there is another rule above these rules in the policy table. Since these rules are not processed, they must be cleared, however in case of any problem these rules first be disabled with this workflow.
When the workflow is chosen a screen is displayed and it shows firewalls to be selected for this optimization. Either all or the chosen firewalls can be used for optimization. Since this is an optimization process there will be no approval in place in the workflow. For auditing purposes however, the reason part is used and it is a mandatory requirement.
After the firewalls are chosen and an explanation is written in the Reason area the Continue button be used for the rules to be chosen. In the result page are there the shadowed rules. As seen in the following picture the shadowed rule is shown with a box on the left-hand side of it to choose it for optimization. Shadowing rule can also be seen when clicking on MASTER button. When clicked on it as seen in the following image the shadowing rule is shown.
With the chosen rules when clicking on the DISABLE button the optimization process be started and the workflow be seen on the task list.
With the chosen rules when clicking on the RULE REORDER button the optimization process be started and the rule be moved upfront of the master rule when the master rule is a permissive rule especially.
6.1.2 Disable Expired Rule #
Expired rules are the rules that are non-functional since the validity period has already passed. Since these rules are not valid and have no function, they must be cleared, however in case of any problem these rules first be disabled with this workflow.
When the workflow is chosen from the list, the first screen be seen is the firewall list containing all the firewalls within environment. First, the firewalls to work on must be chosen from this list and the reason of this workflow must be specified. Also, how many number of days this expiration event happened before must be chosen. By default, this is 7 days and maximum of 365 days be chosen.
After the firewalls are chosen and the remaining fields are filled with necessary values, “Continue” button will be used to see which are the rules that is expired on these firewalls. The rules are seen as follows.
From the list of the rules on these firewalls the rules to be disabled must be chosen and by clicking on the DISABLE button the disabling workflow will begin and the workflow be seen in the task list.
6.1.3 Disable Unused Rule #
Unused rules are the rules not used for a while. Usage criteria may change from company to company and no usage of 90 days is the default value to be used. Unused rules are open gates on the firewalls and if it can be made sure that these are not used, they should be disabled immediately. Last hit value on the related rule be used for the calculation of this information.
When this workflow is chosen the first screen to be displayed will be again the firewalls in the environment. First, the firewalls that will be worked on must be chosen. Afterwards the reason must be specified since it is a mandatory field. Last used days is by default 90 days or older however it can be made higher or lower than 90 days also.
After the firewalls are chosen and the remaining fields are filled with necessary values, “Continue” button will be used to see which are the rules that are unused on these firewalls. The rules be seen as follows.
From the list of the rules on these firewalls the rules to be disabled must be chosen and by clicking on the DISABLE button the disabling workflow will begin and the workflow be seen in the task list
6.1.4 Clean Disabled Rule #
Disabled rules are the rules that are non-functional since they are disabled. Disabled rules must be cleared from the policy table since they increase the complexity level of firewall policy table. These rules must be cleaned regularly, however with this system in place the first action to be done for optimization purposes must be this workflow since other workflows will generate new disabled rules afterwards.
The first screen to be seen is firewalls like the other workflows. In this firewall list the firewalls that this workflow will be working on must be chosen. Also, the reason of this activity also must be specified like “Periodical Optimization”, etc.
When the firewall is chosen and Continue button be clicked next screen will be the rule list that are disabled. Rule be seen like following:
After the selection of rules to be cleaned Clean button is to be used for this workflow to begin. Once it is started the task also be seen in the task list.
6.1.5 Remove Duplicate Objects #
It is general that a firewall may have different object names for the same server or servers, however it is not a preferred situation and may lead to confusion. With this feature all objects with the same IP information in it will be listed on each firewall. One can choose the preferred object name among these and start the workflow.
When the workflow started with a chosen object name on a firewall analysis page appears.
On this page:
IP Network: The IP address of the objects in common
Selected Object: The object name chosen or preferred to use.
Remove Object(s): Objects to be removed from firewall rules.
And the related rules that are using non-selected objects be shown.
After pressing the Finish button, the system will start changing the object names with the chosen one and it will be shown on Task list.
6.1.6 Decommission #
In a corporate environment there are servers that are being outdated or decommissioned from the environment. When this happens, the IP address belonging to this system will become empty and will possibly use by other servers after a while. Therefore, the decommissioned server IP address must be cleared from the firewalls immediately. This process be automated with this workflow.
When this workflow is chosen the first thing to be done will be to write a reason statement about this activity. Also, the IP addresses must also be added to the list, if there is only one IP address then the flow will be just for it.
After adding the IP addresses to the list there will be a screen the alternatives for this decommission action. There will be three different options based on the rules:
- IP address to be removed from the rules: The IP address is not the single value on source or destination.
- Rules to be disabled: The IP address is the single value on source or destination.
- IP removed from the group object: The IP address will be removed from the group-object since there are other IP addresses in the group.
6.1.7 Scheduled Tasks #
It is possible to schedule optimization tasks in this menu. This way disabling shadowed rules, disabling expired rules, disabling unused rules and cleaning disabled rules tasks be scheduled so that there will be no need to connect to the system to do this optimization activities.
6.1.8 Rule Consolidation #
Starting from 3.2.1 release rules having more than one field common can be consolidated using this workflow to lower the total number of rules on the firewalls. It is possible to consolidate rules either adding a new rule or consolidating them in the upper rule.
7 Automation Features – Enterprise #
In this panel standard rule creation, IP access cloning and group-based firewall policy creation processes be identified and configured. And corporate security policy matrix be created as a table and used for approval process automation. Detailed information about each menu will be detailed here.
7.1.1 Add New Rule #
Creating manual policy change request action be started in this menu. Any admin user created on the system can access this menu, so create a new rule request. Add New Rule is a 3-step workflow. In the first step the request is identified, second step is for approval of the request. Once the request is approved last step meaning the path analysis and final control be handled by firewall admin user if everything is ok.
7.1.1.1 Identification #
For the identification of the request there are several fields that are also needed for rule creation on the firewall. The following are the fields and their meanings or purpose of use.
Source IP: Source IP is the IP that traffic will start from. This can be a single(host-based) IP, range of IP addresses or IP subnet. Using the + button any number of IP address data can be added for rule creation.
Destination IP: Destination IP is the final arrival point of the traffic.This can be a single(host-based) IP, range of IP addresses or IP subnet. Using the + button any number of IP address data can be added to the request.
Domain: Domain of the user if user-based policy is to be created.
Application: Application can be selected from here.
Username: Username or security group to be chosen from the list.
Schedule: The validity of the request that will be defined will be identified here. If there is no limit for validity, then Always tick box must be chosen.
Reason: It is the explanation or reason for the request. There is a 15-character bottom limit here for the requester to give clear information and approver understands it.
Select Protocol: Protocol of the traffic that is needed. This can be ALL meaning any traffic, a TCP, a UDP or an ICMP traffic.
Service Port: Service port that will be used for the traffic. For HTTP traffic this can be port 80, 8080 or any similar port that web service is enabled. Using the + button any number of service ports be requested.
Once all the information is given, so the request is identified all three boxes be filled and it is time to start or open the ticket. Pressing the Add Rule button request is initiated, and it will start be seen in the task list.
7.1.1.2 Approval #
When the request is initiated corporate security policy check process be started in the back end. The process will identify if the requested policy is compliant to security policy or not. If it is parallel to security policy then It means a compliancy, if it is not parallel to it means the requested rule-pair is not compliant. If there is nothing exist on the security policy, then it means not a match condition. In the approval step there are the following fields:
SourceEnv: The corporate security policy matching environment value to the Source IP address requested.
DestEnv: The corporate security policy matching environment value to the Destination IP address requested.
Source: Source IP address, the traffic be initiated.
Destination: Destination IP address, the traffic will reach
Schedule: Requested validity period
Service: Requested service port
Status: If the security policy is parallel to the request, then it says Allow, not parallel then it says Deny, no matching then it says None.
In this step the approver will get a notification email first about the new rule that must be acted on. Once connected to the system the approver will get information about the request in detail and brief information about matching condition as a Description. Finally looking at the reason information supplied in the request the approver will decide on what to do. If the request to be approved, then Approve button be used by the approver. Approver may also get additional information from the requester or change the validity of the request before approving.
7.1.1.3 Path Analysis #
Before this step a path analysis be done in the back end to give information about what path the requested traffic will follow. And, which firewalls the rule change must be applied on. This step is a control step for firewall admins to see if everything is analyzed as expected. Apart from the source, destination, and service fields there are the following fields that can be seen:
Schedule: Time schedule that will be applied on the firewall be given here. It may be different than the request since the approver may change it.
From: The firewall interface that the traffic is coming from. It will be shown once the related firewall icon is clicked.
To: The firewall interface that the traffic be forwarded to. It will be shown once the related firewall icon is clicked.
In this step the firewall admin will get a notification email first about the new rule that must be acted on. When connected, firewall admin will see the routing information, the IP addresses that will be applied on the rule and the ticket number that will be used for the comment section on the firewall. If everything is ok, then for the automation to be started firewall admin must click on Finish button. And the process for applying rules on the firewalls begins. Once the process is finished the task status becomes completed and firewall admin can analyze the process result on the result page of the process.
7.1.2 Server Cloning #
When the destination and the service information somehow is not known by the requester, they may need to copy firewall policies belonging to some other server. This feature is for this need and to make a new workflow Server Cloning menu be used. This is a 3-step process also and the process begins by identification of the request, afterwards approval takes place and lastly Result step comes into play.
7.1.2.1 Identification #
For the identification of the cloning request there are a couple of fields. The following are the fields and their meanings or purpose of use.
Reason: The reason for the cloning request. This field is a mandatory field, and the supplied information is for the approver to make the evaluation better.
Reference IP: The cloned IP address is already active in the environment. All the policies using this IP address be found out.
New IP: New IP address/es to be added to the environment. The policies needed will be found out and even if the new IP address is in another subnet the policy be created.
Once all the information is submitted, “Continue” button be used for the next step to begin.
7.1.2.2 Approval #
When the request is initiated corporate security policy check process be started in the back end. The process will identify if the requested policy is compliant to security policy or not. In the approval step there are the following fields:
SourceEnv: The corporate security policy matching environment value to the Source IP address requested.
DestEnv: The corporate security policy matching environment value to the Destination IP address requested.
Source: Source IP address, the traffic be initiated.
Destination: Destination IP address, the traffic will reach
Service: Requested service port
Status: If the security policy is parallel to the request, then it says Allow, not parallel then it says Deny, no matching then it says None.
In this step the approver will get a notification email first about the new rule that must be acted on. Once connected to the system the approver will get information about the request in detail and brief information about matching condition as a “Description”. Finally looking at the reason information supplied in the request the approver will decide on what to do. If the request to be approved, then Approve button be used by the approver.
7.1.2.3 Path Analysis #
Before this step a path analysis be done in the back end to give information about what path the requested traffic will follow. And, which firewalls the rule change must be applied on. This step is a control step for firewall admins to see if everything is analyzed as expected. Apart from the source, destination, and service fields there are the following fields that can be seen:
From: The firewall interface that the traffic is coming from. It will be shown once the related firewall icon is clicked.
To: The firewall interface that the traffic be forwarded to. It will be shown once the related firewall icon is clicked.
In this step the firewall admin will get a notification email first about the new rule that must be acted on. When connected, firewall admin will see the routing information, the IP addresses that will be applied to the rule and the ticket number that will be used for the comment section on the firewall. If everything is ok, then for the automation to be started firewall admin must click on Finish button. And the process for applying rules on the firewalls begins. Once the process is finished the task status becomes completed and firewall admin can analyze the process result on the result page of the process.
7.1.3 Group-based Rules #
Group-based rules are needed in corporations since there are groups of servers that have the same function, so have the same firewall rules. Since they must have the same firewall access policies, when a new server is added to this group the firewall policy creation must be easily handled and it must be a smooth process. Group-based firewall policy creation makes this a smooth and automatic process. Group-based firewall automation like the other automations is a 3-step automation process that includes approval and analysis. Compared to the other methods groups must be created first to make this automation possible.
7.1.3.1 Groups #
Groups will be created on this menu. To create a new group, the Add New Group button on the upper right corner be used. The following fields exist for the creation of new groups.
Group Name: A name must be given to the group to easily understand what it is, or its members are.
Description: Additional information to be given. Not a compulsory field.
New IP: The IP address the member has. With the usage of the ADD button the IP address be added to the group. And there can be any number of IP addresses within a group.
When groups are added to system and there are rules created on the firewall using these groups the places where these groups are used be found using the button “Where Used”. As can be seen in the flowing picture.
The groups may also be edited or removed on this page using the related buttons as seen on the picture.
7.1.3.2 Add IP to Group #
When a group is created with a set of IP addresses it will be an easy task to add additional IP addresses to this group via this section. It will also be the mechanism used for cloning firewall policies for group-based servers by adding new IP address to this group that is already created on the system. Like other automation tasks this will also be a 3-step process containing these fields. Approval and Result pages will be like adding Group-based rules.
Select Group: This will be the group that will be used for addition of the new IP address.
Reason: The reason for this addition. Will be used for approval.
Ip address: The new IP address that will be added by entering or clicking on the + button.
7.1.3.3 Add new Group-based Rule #
Creating manual group-based policy change request action be started in this menu. Any admin user created on the system can access this menu, so create a new group-based rule request. Add New Rule is a 3-step workflow. In the first step the request is identified, second step is for approval of the request. Once the request is approved the last step meaning the path analysis and final control be handled by firewall admin user if everything is ok.
7.1.3.3.1 Identification #
For the identification of the request there are several fields that are also needed for rule creation on the firewall. The following are the fields and their meanings or purpose of use.
Source IP: Source IP is the IP that traffic will start from. This can be a single(host-based) IP, range of IP addresses or IP subnet. Using the + button any number of IP address data can be added for rule creation.
Source group: Source group name that was created on the system before.
Destination IP: Destination IP is the final arrival point of the traffic.This can be a single(host-based) IP, range of IP addresses or IP subnet. Using the + button any number of IP address data can be added to the request.
Destination group: Destination group name that was created on the system before.
Reason: It is the explanation or reason for the request. There is a 15-character bottom limit here for the requester to give clear information and approver understands it.
Select Protocol: Protocol of the traffic that is needed. This can be ALL meaning any traffic, a TCP, a UDP or an ICMP traffic.
Service Port: Service port that will be used for the traffic. For HTTP traffic this can be port 80, 8080 or any similar port that web service is enabled. Using the + button any number of service ports be requested.
Once all the information is given, so the request is identified, all three boxes be filled and it is time to start or open the ticket. Pressing the Add Rule button request be initiated, and it will start be seen in the task list.
7.1.3.3.2 Approval #
When the request is initiated corporate security policy check process be started in the back end. The process will identify if the requested policy is compliant to security policy or not. If it is parallel to security policy then It means a compliancy, if it is not parallel, it means the requested rule-pair is not compliant. If there is nothing exist on the security policy, then it means not a match condition. In the approval step there are the following fields:
SourceEnv: The corporate security policy matching environment value to the Source IP address requested.
DestEnv: The corporate security policy matching environment value to the Destination IP address requested.
Source: Source IP address, the traffic be initiated.
Destination: Destination IP address, the traffic will reach
Service: Requested service port
Status: If the security policy is parallel to the request, then it says Allow, not parallel then it says Deny, no matching then it says None.
In this step the approver will get a notification email first about the new rule that must be acted on. Once connected to the system the approver will get information about the request in detail and brief information about matching condition as a Description. Finally looking at the reason information supplied in the request the approver will decide on what to do. If the request to be approved, then Approve button be used by the approver. Approver may also get additional information from the requester.
7.1.3.3.3 Path Analysis #
Before this step a path analysis be done in the back end to give information about what path the requested traffic will follow. And, which firewalls the rule change must be applied on. This step is a control step for firewall admins to see if everything is analyzed as expected.
In this step the firewall admin will get a notification email first about the new rule that must be acted on. When connected, firewall admin will see the routing information, the IP addresses that will be applied on the rule and the ticket number that will be used for the comment section on the firewall. If everything is ok, then for the automation to be started firewall admin must click on Finish button. And the process for applying rules on the firewalls begins. Once the process is finished the task status becomes completed and firewall admin can analyze the process result on the result page of the process.
7.1.3.4 Group-based Rule Viewer #
Group-based rule viewer is the part of the system where detailed search on all the rules existing on the firewalls is made. After adding new group-based rules to the firewalls, the policies start to be seen from here.
There is a filtering area just above the rule viewer section. By enabling the filter option one can make detailed search on rules.
7.1.4 Add New Rule Path Free #
Creating manual policy change request without path analysis be started in this menu. Firewall admin users created on the system can access this menu and create a new rule request. Add New Rule Path Free is a 3-step workflow. In the first step the request is identified, second step is for approval of the request. Once the request is approved the last step, meaning the path analysis is a manual process decided by firewall admin and once finished the process be started.
7.1.4.1 Identification #
For the identification of the request there are several fields that are also needed for rule creation on the firewall. The following are the fields to be filled.
Source IP:
Destination IP:
Domain:
Username:
Schedule:
Reason
Select Protocol:
Service Port:
Once all the information is given, so the request is identified all boxes be filled and it is time to start or open the ticket. Pressing the Add Rule button request be initiated, and it will start be seen in the task list.
7.1.4.2 Approval #
When the request is initiated corporate security policy check process be started in the back end. The process will identify if the requested policy is compliant to security policy or not. If it is parallel to security policy then It means a compliancy, if it is not parallel to it means the requested rule-pair is not compliant. If there is nothing exist on the security policy, then it means not a match condition. In the approval step there are the following fields:
SourceEnv:
DestEnv:
Source:
Destination:
Schedule:
Service:
Status:
In this step the approver will get a notification email first about the new rule that must be acted on. Once connected to the system the approver will get information about the request in detail and brief information about matching condition as a Description. Finally looking at the reason information supplied in the request the approver will decide on what to do. If the request to be approved, then Approve button be used by the approver. Approver may also get additional information from the requester or change the validity of the request before approving.
7.1.4.3 Path Analysis #
This time path analysis is not made since the firewalls on which the rules to be implemented be chosen from the list. It is a manual path analysis process. If everything is ok, then for the automation to be started firewall admin must click on Finish button. And the process for applying rules on the firewalls begins. Once the process is finished the task status becomes completed and firewall admin can analyze the process result on the result page of the process.
Apart from this, criteria can be defined for each firewall to be used. Here are the criteria list for each vendor:
Fortinet:
From
To
SSL Profile
AV Profile
IPS Profile
APP Control
DNS Filter
WEB Filter
Palo Alto:
From
To
Security Group Profile
URL Category Profile
Log Profile
Check Point:
Layer
Policy Package
7.1.5 Server Cloning Path Free #
Path-free server cloning is for the cloning or using of same policies meaning when the new IP address is not in another subnet. This a 3-step process also and the process begins by identification of the request, afterwards approval takes place and lastly Result step comes into play.
7.1.5.1 Identification #
For the identification of the cloning request there are a couple of fields. The following are the fields and their meanings or purpose of use.
Reason: The reason of the cloning request. This field is a mandatory field, and the supplied information is for the approver to make the evaluation better.
Reference IP: The cloned IP address already active in the environment. All the policies using this IP address be found out.
New IP: New IP address/es to be added to the environment. The policies needed will be found out and even if the new IP address is in another subnet the policy be created.
Once all the information is submitted, “Continue” button be used for the next step to begin.
7.1.5.2 Approval #
When the request is initiated corporate security policy check process be started in the back end. The process will identify if the requested policy is compliant to security policy or not. In the approval step there are the following fields:
SourceEnv: The corporate security policy matching environment value to the Source IP address requested.
DestEnv: The corporate security policy matching environment value to the Destination IP address requested.
Source: Source IP address, the traffic be initiated.
Destination: Destination IP address, the traffic will reach
Service: Requested service port
Status: If the security policy is parallel to the request, then it says Allow, not parallel then it says Deny, no matching then it says None.
In this step the approver will get a notification email first about the new rule that must be acted on. Once connected to the system the approver will get information about the request in detail and brief information about matching condition as a “Description”. Finally looking at the reason information supplied in the request the approver will decide on what to do. If the request is to be approved, then Approve button be used by the approver.
7.1.5.3 Result #
This time path analysis is not made since the firewalls and the related rules existing on the firewalls be listed here. From here if all the policies is to be written all policies must be selected. However, it is not an obligation, meaning just the policies on a specific firewall may be chosen to clone. Once the selection is made and If everything is ok, then for the automation to be started firewall admin must click on Finish button. And the process for applying rules on the firewalls begins. Once the process is finished the task status becomes completed and firewall admin can analyze the process result on the result page of the process.
7.1.6 Disable a rule from Rule Viewer #
Any rule can be selected from rule viewer and then using the edit button on the upper-right side of rule viewer disable workflow can be started. Once the workflow is completed the new state of the rule be seen on the rule viewer. Also, workflow status be seen from the task list.
7.1.7 Enable a disabled rule from Rule Viewer #
Any disabled rule can be selected from rule viewer and then using the edit button on the upper-right side of rule viewer enable workflow can be started. Once the workflow is completed the new state of the rule be seen on the rule viewer. Also, workflow status be seen from the task list.
7.1.8 Delete a disabled rule from Rule Viewer #
Any disabled rule can be selected from rule viewer and then using the edit button on the upper-right side of rule viewer delete workflow can be started. Once the workflow is completed the rule starts not to be listed on rule viewer. Also, workflow status be seen from the task list.
7.1.9 Editing a rule on Rule Viewer #
One can easily change a rule that is already created with this workflow. There are two options for rule edition. Append a Rule and Update a Rule.
7.1.9.1 Append a Rule #
Appending on source, destination or both source and destination fields of a rule or selected rule groups are possible with this workflow. The selected rules may be on different firewalls. Once a rule or rule group is selected and the Append Rule option is chosen a pop-up screen opens. On this pop-up screen:
Source: When selected this radio button only append will be made to the source field.
Destination: When selected this radio button only append will be made to the destination field.
Source&Destination: When selected this radio button only append will be made to the source and destination fields.
IP Address: More than one IP address or IP network can be added with the + button.
Reason: Reason to be shown to approver.
After necessary actions the process, be started and the approval step begins. Like in 4.4.1 workflow approver will see the requested change details and if it is appropriate to corporate policy. If decided to approve, analysis step starts, and firewall admin will see what actions to be taken last time. If the firewall admin clicks on the Finish button the system will start acting on the related firewalls.
If everything is working normally the workflow will be finished with success and reported this way.
7.1.9.2 Update a Rule #
Updating on any field of a single rule would be handled with this workflow. One can change source, destination, or service fields of a single rule. Once chosen a rule and selected this workflow a pop-up screen opens. On this pop-up screen:
Source IP: Ip address from object list, or a new IP address can be added or already added IP addresses may be removed from this field.
Destination IP: Ip address from object list, or a new IP address can be added or already added IP addresses may be removed from this field.
Protocol/Port: New Protocol and port number will be chosen if needed or already added ones may be removed from this field.
Reason: Reason to be shown to approver.
After necessary actions the process, be started and the approval step begins. Like in 4.4.1 workflow approver will see the requested change details and if it is appropriate to corporate policy. If decided to approve, analysis step starts, and firewall admin will see what actions to be taken last time. If the firewall admin clicks on the Finish button the system will start acting on the related firewall.
If everything is working normally the workflow will be finished with success and reported this way.
7.1.10 Editing comment on Rule Viewer #
There are three options for the edition of the comment field. Append, Replace and Update. Each option will be detailed in the following section:
7.1.10.1 Appending comment on Rule Viewer #
Appending comment can be achieved for more than one firewall rule no matter if the rules are on the same firewall. Once rule/s is/are chosen and this workflow is selected a pop-up screen showing the comment value to be given for append. When the input is written and append button be used workflow be started and new comment be added as requested.
7.1.10.2 Replacing comment on Rule Viewer #
Replacing comment can be achieved for more than one firewall rule no matter if the rules are on the same firewall. Once rule/s is/are chosen and this workflow is selected a pop-up screen showing the comment value to be given for replacement. When the input is written and replace button be used workflow be started and new comment be seen as the comment as requested.
7.1.10.3 Updating a comment on Rule Viewer #
Updating comments can be achieved for only one firewall. Once the rule is chosen and this workflow is selected a pop-up screen showing the comment value to be given for update. When the input is written, an update button be used workflow be started and new comment be seen as requested.
7.1.11 Change Owner #
Assigning or changing an owner to a rule can be made using this option. Email address is used for the definition of the rule owner for sending alerts. Change owner is used for rule lifecycle management. There are two use cases for RLM:
- Expiring rules management: This use case is for sending alerts to the rule owner of a specific rule that Schedule is enabled, and Schedule date is about to arrive. With this alert it is aimed at the owner of the rule being aware of expiry and take necessary action if the rule is still needed.
- Yearly checks for need: For each rule based on their creation date, alerts be sent to the rule owner of each user to get the information about the rule’s need. Based on the collected information unnecessarily enabled rules would be disabled or deleted.
7.1.12 Rule Lock/Unlock #
Some rules may not be preferred to be acted on. For this kind of rules, it is possible to lock the rule so that no one can act on the rule. This locking or unlocking activity can only be done by a super-user admin.
7.1.13 Editing an object on Object Viewer #
Edition of an object can be achieved in two ways. One is object name change and the other is IP change.
7.1.13.1 Name Change on Object Viewer #
The name of an object can be changed with this workflow. For this workflow to begin an object must be chosen from the object list. Once chosen and the Name Change workflow be selected a pop-up screen be shown for changing the name. After writing the new name and pressing the change name button the system will start taking action on it and change the name accordingly.
7.1.13.2 IP Change on Object Viewer #
IP of an object can be changed with this workflow. For this workflow to begin an object must be chosen from the object list. Once chosen and IP Change workflow be selected a pop-up screen be shown for IP change. When workflow starts it will go for approval since there is a change and needs attention. Like in 4.4.1 workflow approval process will be handled by the approver and it will go to the analysis step. On this step if the firewall admin presses Finish button workflow will be started and IP will be changed for the object name.
ATTENTION | |
Once IP is changed for an IP address, the reference will be removed from the object. It will be corrected after first renewal of data. |
7.1.14 Editing an object on Group-Object Viewer #
Edition of an object-group can be achieved in three ways. One is object-group name change, the other is Append IP and the other is Remove IP workflow.
7.1.14.1 Name Change on Object- Group Viewer #
The name of an object-group can be changed with this workflow. For this workflow to begin an object-group must be chosen from the object-group list. Once chosen and the Name Change workflow is selected a pop-up screen be shown for changing the name. After writing the new name and pressing the change name button the system will start taking action on it and change the name accordingly.
7.1.14.2 Append IP on Object-Group Viewer #
A new IP address can be added by this workflow. Once this workflow is chosen a pop-up screen appears to add new IP address/es to the group. After adding the IP address/es to the group and pressing the Append button below Opinnate will connect to the firewall to take the action.
7.1.14.3 Remove IP on Object-Group Viewer #
IP address can be removed by this workflow. Once this workflow is chosen a pop-up screen appears to select the IP address/es to be removed from the group. After removing the IP address/es from the group and pressing the Remove button below Opinnate will connect to the firewall to take the action.
8 Task List #
Task lists are the tasks to be queued generated on the system. These tasks may be automation tasks like Add New Rule or optimization tasks like Clean Disabled Rules. In this task list all the tasks created so far have been seen and detailed search can be made on them using the Filter section like Rule Viewer. There are the following fields on the task list. These can also be used for filtering purposes.
ID: The internal ticket number
Ticket ID: The external ticket number coming from the service desk.
Type: Automation or Optimization task type like Add New Rule.
Owner: Person created the ticket.
Approver: Person that made approval action.
Operator: Person that made the operation action.
Status: There are five fields that are Working On, Pending Approval, Pending Operation, Action Needed and Completed.
Create Time: Time of the creation of the ticket.
Action: Edit or Delete activity on a ticket that is not completed
Status of the ticket will be detailed as following:
Working On: When a ticket is created it will be on working status during this status policy check is handled.
Pending Approval: The state where Approver is to be waited for the action.
Pending Operation: The state where Firewall Admin is waited for the action.
Action Needed: If there is a problem during path analysis this state be used.
Completed: When the action is completed successfully the ticket be closed with this status.
9 Troubleshooting and Support #
During normal operation if there is a problem regarding system functioning and if it is sure that the infrastructure is not causing the problem then it must be further investigated by Opinnate support team. For the support team to make further analysis debug file will be needed. Debug files can be generated from the global settings menu.
10 Glossary #
Firewall
Firewall is a basic network security device that control access between servers or IP addresses.
Policy Analysis
Policy analysis is an action that is acted on firewall rules for specific conditions such as usage of the rule, etc.
Global Area
Global Area is the main area on Opinnate NSPM that general settings to be applied.
Virtual Area
Virtualization is used for isolation purposes.
Multitenancy
A feature giving customer different authorization and authentication levels for them to see their device details or configuration.
Authorization
Once an authentication is completed, giving permission to make specific actions on the system.
Audit
It is referred to make analysis for a specific set of control items if they are compliant or not.
Compliance
Compliance refers to the act of conforming to a set of rules, regulations, or laws that govern a particular industry, organization, or business activity.
Super_user
Super-user is the user having all rights to manage the system.
Infosec_admin
Infosec admin is the user for information security teams and having related rights on the system.
Firewall_admin
Firewall admin is the user having rights to take action on firewalls.
Syslog
A protocol that is used for sending log messages generated internally.
Collector
The independent component of Opinnate that is working on another server to collect syslog messages from firewalls
Helpdesk
The system used to create new service requests
Ticket
On service desk systems each event or request is also called as ticket.
Debugging
All system and code level log messages seen in this level of logging.
Dashboard
A collection of graphical images to show summary information about a system.
Switch
Is a network component used to connect endpoints.
Router
Is a network component making route analysis and forwarding decisions.
Rule
Refers to a firewall rule that enables access from a source IP address to a destination Ip address.
Corporate security policy
Security policy of a corporation having statements about specific access restrictions.
Logging
Act of sending log messages to a syslog server
Port
Refers to service ports for TCP and UDP protocols. The ports can be between 0-65535.
Virtual firewall
Is a firewall working as a subsystem of a physical firewall acting as a regular firewall.
Vendor
Refers to the companies developing products in security and network industry.
Cluster
Means two devices working in sync not to face any service failure.
API
Refers to application programming interface and used for inter communication of systems
Routing
Forwarding traffic between different IP subnets.
LDAP
Protocol used to read directory information from the directory database.
SMTP
Protocol used to send and receive emails between client and server systems.
Network Topology
A topology showing connections between network end points.
Monitoring
Refers to periodically check if a system is working as expected by the aid of several different monitoring algorithms.
Master
Refers to the shadowing rule.
Subnet
Subnet is a smaller set of IP addresses of IP classes.
Protocol
Refers to IP protocols TCP and UDP that are widely used.
Service Port
It is the same as port.
Rule Usage
A workflow that enables collecting real usage on firewalls
Revision
The latest version of configuration on firewalls
Alert Composer
A workflow used to configure email alerts.
11 Disclaimer #
This user guide is provided as a convenience and for informational purposes only. The contents of this guide are subject to change without notice and may contain technical inaccuracies or typographical errors.
This guide is not intended to be a substitute for professional advice, and we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability with respect to the guide or the information, products, services, or related graphics contained in the guide for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
We disclaim all liability and responsibility arising from any reliance placed on the contents of this guide. Any use of this guide and its contents is at your own risk, and we will not be liable for any damages or losses of any kind arising from the use of this guide or the information contained therein.
This guide may contain links to third-party websites or resources. We do not endorse and are not responsible for the content, accuracy, or reliability of any third-party websites or resources that may be accessed through this guide.