Zone Matrix
The zone matrix lets you view the known access points between compliance zones in a domain or device group. A detailed analysis of the security rules that allow access between the compliance zones is available in Security Manager.
When you create a zone, it is automatically added to the zone matrix in the Compliance section. The matrix is a table with Source and Destination axes on which potential access points are plotted.
You can view access only, or view access with a compliance overlay to help determine whether any access points violate compliance policy.
Administration displays both access and compliance zones; Security Manager displays only compliance zones.
Analysis
- Only compliance zones are available for use in this control.
- Analysis is not based on topology. It is a simple calculation of the rules whose source and destination match zone networks. However, the interfaces belonging to a zone determine which policies are selected.
- If a device's interfaces belong to a zone, only the applicable policies are evaluated, based on that zone membership.
- A rule may be evaluated against more than one access definition in the security policy matrix, because the source and/or destination columns of the rule may span more than one zone.
- All analysis can be done using SIQL queries.
Allowlist / Denylist
It is possible to create rule exceptions to this control using the allowlist/denylist feature.
Report
Rules that fail the control are included in the control results and indicate which "zone to zone" policy was violated.
Permissions
The ability to modify the matrix is determined by the assessments and controls Write permission.
Event Log
All changes to the matrix will be listed in the Event Logs.
Permission Requirements
A user will need to be a member of a user group with the following minimum permissions granted:
- Modules: Administration
Open Zone Matrix
To open Zone Matrix, on the toolbar, click Compliance > Zone Matrix.