Policy Automation

A Policy Planner license is required for each management station and device utilizing policy automation.

If you use Policy Planner, you are able to take a planned rule and stage it on a device from inside the Policy Planner module. This feature includes the capability to create new rules and place existing objects inside of them.

Items of note about policy automation in Policy Planner

  • When filling out fields on a new rule, an entry turns orange when it passes validation. Clicking an orange field and selecting a search result turns the field blue, showing that it is an existing object on the selected firewall. Some fields must be existing objects: Application, Service, Source Zone and Destination Zone. The other required fields are Rule Name, Action and Log.
  • The comment on rules created on the device is a concatenation of the Change Control Number, Owner, Justification and Comment fields in FireMon. Combined, these fields cannot exceed 255 characters.
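The two notes above can be checked before a planned rule is staged. The following pre-flight validator is an added example, not FireMon's own code; the dictionary layout and the " | " separator used to join the comment fields are assumptions, since the page does not give the real joining format.

```python
"""Pre-flight check for a planned rule before staging it through policy automation.

Encodes the constraints described above: fields that must resolve to existing
objects on the target firewall, the other required fields, and the 255-character
limit on the concatenated device comment.
"""

# Fields that must reference an object already present on the selected firewall
EXISTING_OBJECT_FIELDS = ("Application", "Service", "Source Zone", "Destination Zone")
# Other required fields (free-form values allowed)
REQUIRED_FIELDS = ("Rule Name", "Action", "Log")
# Fields whose concatenation becomes the rule comment written to the device
COMMENT_FIELDS = ("Change Control Number", "Owner", "Justification", "Comment")
MAX_COMMENT_LEN = 255
SEPARATOR = " | "  # assumed separator; FireMon's actual joining format is not stated


def build_comment(rule: dict) -> str:
    """Concatenate the comment fields in the order the device comment is formed."""
    return SEPARATOR.join(str(rule.get(f, "")).strip() for f in COMMENT_FIELDS)


def validate_rule(rule: dict, existing_objects: dict) -> list:
    """Return a list of problems; an empty list means the rule can be staged.

    rule: planned rule as {field name: value}.
    existing_objects: {field name: set of object names present on the target firewall}.
    """
    problems = []
    for field in REQUIRED_FIELDS + EXISTING_OBJECT_FIELDS:
        if not str(rule.get(field, "")).strip():
            problems.append(f"missing required field: {field}")
    for field in EXISTING_OBJECT_FIELDS:
        value = rule.get(field)
        if value and value not in existing_objects.get(field, set()):
            problems.append(f"{field} '{value}' is not an existing object on the target firewall")
    comment = build_comment(rule)
    if len(comment) > MAX_COMMENT_LEN:
        problems.append(f"device comment is {len(comment)} characters; limit is {MAX_COMMENT_LEN}")
    return problems


if __name__ == "__main__":
    # Constructed sample: object inventory of a hypothetical target firewall
    inventory = {"Application": {"web-browsing"}, "Service": {"tcp-443"},
                 "Source Zone": {"trust"}, "Destination Zone": {"untrust"}}
    planned = {"Rule Name": "allow-web", "Action": "allow", "Log": "yes",
               "Application": "web-browsing", "Service": "tcp-8443",  # not in inventory
               "Source Zone": "trust", "Destination Zone": "untrust",
               "Change Control Number": "CCN-1", "Owner": "netops",
               "Justification": "web access", "Comment": "x" * 300}
    for problem in validate_rule(planned, inventory):
        print("blocked:", problem)
```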

Supported devices:

  • Amazon AWS
  • Check Point R80 Firewall and Edge devices using CMA
  • Cisco ASA and Context version 9.1+, 9.6 and above using API
  • Cisco Firepower (FMC)
  • Cisco IOS
  • Cisco IOS XR
  • F5 BIG-IP AFM
  • Fortinet FortiGate Firewall
  • FortiManager version 5.2 and above using API
  • Juniper SRX as a standalone device (not managed by NSM)
  • Microsoft Azure
  • Palo Alto Panorama PanOS version 8.1.x to 10.1.x using Panorama's API
  • VMware NSX Distributed Firewall

The device must be managed by a management station and discovered by SIP for:

  • Check Point R80 Firewall and Edge
  • Cisco Firepower
  • Fortinet (FortiManager)
  • Microsoft Azure
  • Palo Alto (Panorama)
  • VMware NSX

The device must not be managed by a management station for:

  • Cisco ASA/Context
  • Cisco IOS
  • Cisco IOS XR
  • Fortinet FortiGate Firewall
  • Juniper SRX

Device credentials:

Amazon AWS

  • Read/Write access (retrieve and automate): AmazonEC2FullAccess

Cisco ASA

  • Level 15 with HTTPS access. ASA Policy Automation is only supported for ASA 9.1+, 9.6 and above

Cisco Firepower

  • Administrator role assigned

Cisco IOS and IOS XR

  • Level 15 with HTTPS access

F5 BIG-IP AFM

  • Can use the existing admin account

  • AFM must be provisioned on the device and AFM level may be set to nominal, minimum or dedicated

  • Creating or modifying services is not currently supported. Even though Policy Planner allows you to start a change for services, creating or modifying services objects are not supported due to how services are configured on rules and normalized on the F5. If you do attempt to create or modify a service through automation, it will fail with the message ‘Creating service objects is not supported’ or ‘Modifying service objects is not supported’, depending on which type was selected. At this time, you can only reference existing service objects on rules.

  • F5 after version 12 supports network object automation using shared address lists. F5 up to v12 does not support shared objects, so it uses regular firewall address lists instead.

FortiManager

  • Super User with read/write permission
    • In order to use the REST API in FortiManager 5.2.3 and above, the admin user needs this set on their admin account using the following command: set rpc-permit read-write. The REST port should be 443.

Juniper SRX

  • Super User with read/write permission
  • An optional secondary set of credentials can be supplied when read-only credentials are used for retrieval; in that case the secondary account must have write permission.
    • If policy automation credentials are not specified, automation will fall back to device retrieval credentials. If the retrieval credentials are for a user with write permission, then automation will succeed.

The fallback only happens if the policy automation credentials are not specified; it does not happen if the policy automation credentials fail.

  • Port 830/TCP must be used for NETCONF retrievals

Palo Alto

  • Super User or a custom administrator role that includes XML API configuration permission.
    • If separate credentials are needed for Retrieval and Automation, set the retrieval credentials (in the Administration module) in the Device Settings section and the automation credentials in the Policy Automation section for the Panorama device.
  • Rules with duplicate names cannot be created.
  • User objects from remote authentication servers cannot be searched for.
  • Log Forwarding Profiles, Tags, Log at Session Start and End, Schedule, QOS Marking, and Disable Server Response Inspection must be set on the rule outside of automation.
  • For pre and post rules, the child device must be in sync with Panorama when SIP retrieves the configuration of the firewall that is targeted for automation.

VMware NSX

  • Security Administrator role assigned
    • If separate credentials are needed for Retrieval and Automation, set the retrieval credentials (in the Administration module) in the Device Settings section and the automation credentials in the Policy Automation section for the VMware device.