Policy Dashboard
The security policy is the group of security rules, NAT rules, objects (network, service, application, and user), network architecture (routes, zones, interfaces), and raw files that comprise the network. Security Manager lets you track the performance of your security policy and analyze the elements that make up the policy.
The following list defines the Policy sub-menus:
- Dashboard—displays a group of KPIs and widgets
- Security Rules—security rules in the policy that manage the incoming and outgoing traffic to a network
- Network Objects—IP addresses inside the network
- Service Objects—protocols and ports combination inside the network
- User Objects—users within a network
- Application Objects—programs, such as websites or email accounts, through which you are trying to access a network
- Security Profiles—show which changes are made to a rule, such as whether a profile is added, deleted, or modified, so that users have a more accurate picture of how a rule behaves
- URL Categories—used for Palo Alto devices
- Schedule Objects—security rule objects with schedules
- NAT Rules—network address translation rules, which use one IP address to represent a group of individual IP addresses
- Routes—the combination of a destination IP address and a gateway IP address that determines the traffic flow through a network
- Zones—one or more interfaces that designate a security area within a network
Navigate to the Policy Dashboard
The policy overview displays a group of KPIs and widgets that track performance metrics for policy rules, device complexity, and severity. To view the policy overview, complete the following steps.
- On the toolbar, click Policy > Dashboard.
Policy KPIs
- Average Device Complexity—a percentage that measures the complexity of a device's firewall rule configuration. Every new component a network administrator adds to a network, such as a group member, host, network, or service, adds to the device complexity. The higher the device complexity, the greater the risk of a configuration error
- Redundant Rules—the number of redundant rules in the domain or device group
- Unused Rules (Last 90 days)—the percentage of rules that have not been used in the last 90 days
- Unreferenced Network Objects—the number of network objects not referenced by any rules or policies
- Unreferenced Service Objects—the number of service objects not referenced by any rules or policies
Policy Widgets
- Rules Identified for Cleanup—a bar chart of rule counts based on Rule Property (Redundant, Shadowed, Expired, Unused) that have been identified for cleanup
- Rules Identified for Improvement—a bar chart of rule counts based on Rule Property (Disabled, Logging Disabled, No Comment) that have been identified as needing improvement
- Rule Usage by Cumulative Severity—a bar graph that displays the ratio of low, high, and critical rule severity among unused, heavily used, moderately used, and lightly used rules, as well as rules for which limited data is available. Rules that are either disabled, have logging disabled, or have been created in the last 30 days are not represented
- Complexity by Device—a bar graph of the most complex devices based on a percentage that measures the complexity of a device's firewall rule configuration. Every new component a network administrator adds to a network, such as a group member, host, network, or service, adds to the device complexity. The higher the device complexity, the greater the risk of a configuration error
- Unused Rules by Cumulative Severity—an unused rule is a rule that hasn't received any traffic in the specified protocol
For example, you could create a rule for a device that allows incoming packets from a specific IP address according to TCP/IP protocol. But if you never receive packets from that source, the rule is unused. Security Manager flags any rule that hasn't been used for over 90 days as "unused."
Rules that are either disabled, have logging disabled, or have been created in the last 30 days are not represented.
- Logged Connections—a line graph that lists the number of rules that were used on each of the last 30 days.
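As an added illustration, not part of Security Manager's documentation or code, the following Python computes several of the KPIs and widget counts defined above (Unused Rules, Unreferenced Objects, Rules Identified for Improvement, and the usage-widget exclusions) from a constructed rule set; the rule fields, the object inventory, and the "today" date are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed, simplified rule model: only the fields the dashboard metrics depend on.
@dataclass(frozen=True)
class Rule:
    name: str
    enabled: bool = True
    logging: bool = True
    comment: str = ""
    created: date = date(2024, 1, 1)
    last_hit: Optional[date] = None        # None: the rule never matched traffic
    objects: frozenset = frozenset()       # network/service objects the rule references

TODAY = date(2024, 12, 31)                 # assumed "current" date for the example

def is_unused(rule, today=TODAY, window_days=90):
    """A rule with no traffic hit inside the window is flagged 'unused'."""
    return rule.last_hit is None or rule.last_hit < today - timedelta(days=window_days)

def unused_rules_pct(rules, today=TODAY):
    """KPI 'Unused Rules (Last 90 days)': share of all rules with no hit in 90 days."""
    return 100.0 * sum(is_unused(r, today) for r in rules) / len(rules)

def unreferenced_objects(rules, inventory):
    """KPIs 'Unreferenced Network/Service Objects': inventory items no rule uses."""
    referenced = set().union(*(r.objects for r in rules))
    return sorted(inventory - referenced)

def improvement_counts(rules):
    """Widget 'Rules Identified for Improvement' (Disabled, Logging Disabled, No Comment)."""
    return {"Disabled": sum(not r.enabled for r in rules),
            "Logging Disabled": sum(not r.logging for r in rules),
            "No Comment": sum(not r.comment.strip() for r in rules)}

def usage_eligible(rules, today=TODAY):
    """Rules shown in the usage-by-severity widgets: disabled rules, rules without
    logging, and rules created in the last 30 days have no reliable hit data."""
    cutoff = today - timedelta(days=30)
    return [r for r in rules if r.enabled and r.logging and r.created <= cutoff]

# Constructed sample policy and object inventory.
SAMPLE_RULES = [
    Rule("allow-web", comment="public web", last_hit=date(2024, 12, 20),
         objects=frozenset({"net-dmz", "svc-https"})),
    Rule("allow-legacy", last_hit=date(2024, 6, 1),
         objects=frozenset({"net-legacy", "svc-telnet"})),
    Rule("allow-old", enabled=False, comment="retired", objects=frozenset({"net-legacy", "svc-ssh"})),
    Rule("allow-new", logging=False, created=date(2024, 12, 15), objects=frozenset({"net-dmz", "svc-ssh"})),
]
SAMPLE_INVENTORY = frozenset({"net-dmz", "net-legacy", "net-stale",
                              "svc-https", "svc-telnet", "svc-ssh", "svc-unused"})
```

The unreferenced list is a cleanup candidate set, and the rules excluded by `usage_eligible` are the same ones the Rule Usage and Unused Rules widgets leave out.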