FirewallAnalyzer AdministratorGuide


AlgoSec Firewall Analyzer

Software Version: A30.10

Administration Guide

View our most recent updates in our online ASMS Tech Docs.

Document Release Date: 4 May, 2020 | Software Release Date: April 2020
Administration Guide

Legal Notices
Copyright © 2003-2020 AlgoSec Systems Ltd. All rights reserved.

AlgoSec, FireFlow, AppViz and AppChange are registered trademarks of AlgoSec Systems Ltd. and/or its
affiliates in the U.S. and certain other countries.

Check Point, the Check Point logo, ClusterXL, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer,
INSPECT, INSPECT XL, OPSEC, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge,
SecurePlatform, SecuRemote, SecureXL Turbocard, SecureServer, SecureUpdate, SecureXL, SiteManager-
1, SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard, SmartDefense, SmartLSM, SmartMap,
SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker,
UserAuthority, VPN-1, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1
SecureServer, VPN-1 VSX, VPN-1 XL, are trademarks or registered trademarks of Check Point Software
Technologies Ltd. or its affiliates.

Cisco, the Cisco Logo, Cisco IOS, IOS, PIX, and ACI are trademarks or registered trademarks of Cisco
Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

Juniper Networks, the Juniper Networks logo, NetScreen, and ScreenOS are registered trademarks of
Juniper Networks, Inc. in the United States and other countries. JUNOS and JUNOSe are trademarks of
Juniper Networks, Inc.

All other product names mentioned herein are trademarks or registered trademarks of their respective
owners.

Specifications subject to change without notice.

Proprietary & Confidential Information


This document contains proprietary information. Neither this document nor said proprietary information shall
be published, reproduced, copied, disclosed, or used for any purpose other than the review and
consideration of this material without written approval from AlgoSec, 65 Challenger Rd., Suite 310,
Ridgefield Park, NJ 07660 USA.

The software contains proprietary information of AlgoSec; it is provided under a license agreement
containing restrictions on use and disclosure and is also protected by copyright law.

Due to continued product development this information may change without notice. The information and
intellectual property contained herein is confidential between AlgoSec and the client and remains the
exclusive property of AlgoSec If you find any problems in the documentation, please report them to us in
writing. AlgoSec does not warrant that this document is error-free.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by
any means, electronic, mechanical, photocopying, recording or otherwise without the prior written
permission of AlgoSec Systems Ltd.

Firewall Analyzer (A30.10) Page 2 of 542



Contents
AFA administration 15
Access the AFA Administration area 15
Quickstart – Configure AFA to analyze devices 16
Logins and other basics 18
Supported browsers 18
Log in to ASMS 18
View ASMS product details 21
Log out of ASMS 22
Manage devices 24
AFA communication protocols 24
Device procedure reference 24
Device icons 25
Add devices to AFA 27
Add device prerequisites 27
Access the DEVICES SETUP page 28
Add cloud devices 32
AWS (Amazon Web Service) accounts in AFA 32
Microsoft Azure subscriptions in AFA 37
Add Check Point devices 41
Check Point network connections 42
Check Point device permissions 42
Add a Check Point Multi-Domain Security Management device 44
Set user permissions 48
Add a Check Point SmartCenter/Gateway 49
Set user permissions 52
Add a Check Point CMA 52
Check Point fields and options 56
Configure one-armed mode manually 61
Enable data collection for Check Point devices 62
Enable data collection via SSH 62

Enable data collection via OPSEC 65
Enable data collection via REST 82
Add Cisco devices 84
Add a CSM-managed Cisco device 84
Cisco IOS routers in AFA 88
Cisco Nexus routers in AFA 94
Cisco ASA firewalls in AFA 99
Cisco Application Centric Infrastructure (ACI) devices in AFA 107
Cisco Firepower devices in AFA 115
Configure one-armed mode manually 120
Add F5 BIG-IP load balancers 120
F5 BIG-IP LTM-only device support 121
F5 BIG-IP LTM and AFM support 125
Add Fortinet devices 129
Fortinet network connections 129
FortiManager device permissions 129
FortiGate device permissions 131
Add a Fortinet FortiManager device to AFA 132
Add a Fortinet FortiGate device to AFA 138
Configure one-armed mode manually 141
Add Juniper devices 141
Juniper NSM devices in AFA 142
Junos Space Security Director devices in AFA 150
Juniper Netscreen devices in AFA 162
Juniper SRX devices in AFA 168
Juniper routers in AFA 175
Configure Juniper STRM to forward logs to a Syslog-ng server 178
Add Palo Alto Networks devices 178
Palo Alto network connections 179
Panorama device permissions 180
Palo Alto Networks Firewall device permissions 181

Add a Palo Alto Networks Panorama 182
Configure one-armed mode manually 187
Add a Palo Alto Networks firewall 187
Add a Symantec Blue Coat 192
Add VMware NSX-V devices 196
Network connectivity 196
Device permissions 196
Add a VMware NSX-V to AFA 198
Required device permissions 200
Baseline configuration compliance 200
Device requirements reference by brand 200
Check Point device requirements 201
Cisco device requirements 201
Arista device requirements 202
Juniper device requirements 202
Fortinet device requirements 202
Palo Alto device requirements 202
F5 device requirements 202
Symantec BlueCoat SGOS device requirements 202
WatchGuard device requirements 202
TopSec device requirements 203
VMware NSX device requirements 203
AWS requirements 203
Azure requirements 203
Add other devices and routing elements 203
Add monitoring and routing devices 203
Add routing elements 207
Add/update multiple devices in bulk 210
Prepare your CSV file 210
Import your CSV file (UI) 212
Import your CSV file (CLI) 213

Bulk import support scope 214
CSV import file format 215
Basic device description headers 216
Access information headers 217
Cisco-related headers 218
CyberArk-related headers 219
Advanced headers 220
Remote management headers 221
Log and monitoring headers 222
Additional headers 224
SNMP polling headers 226
Maintain devices 227
Edit a device's configuration 227
Rename a device 228
Add additional device identifiers for sub-systems 228
Delete a device 229
Update a password for multiple devices 229
Specify routing data manually 231
Specify routing data manually for primary devices 231
Specify routing data manually for sub-systems 232
Specify routing data from the map 233
Integrate AFA and CyberArk 234
ASMS and CyberArk integration architecture 234
Supported devices for CyberArk integration 235
Configure CyberArk AIM for ASMS access 236
Configure CyberArk accounts and permissions 236
Configure CyberArk integration 238
Alternate data collection methods 240
When to use these procedures 240
Recommended device data collection per device type 240
Add a static file device to AFA (UI) 242

Add a static file device to AFA (CLI) 244
Semi-automatic data collection scripts 245
Extend device support 247
Static configuration file support 247
Live monitoring support 247
Static support for generic devices 248
Supported device types 248
Adding Support for a File Device 248
Creating the JSON File 249
Tag Reference 250
config_type 251
device 251
hosts 251
hosts_groups 252
interfaces 252
services 253
services_groups 253
policies 253
rules_groups 254
nat_rules 255
zones 256
routes 256
schedules 256
Sample generic device JSON file 257
Static support troubleshooting 257
Troubleshooting directories and files 257
Generic device monitoring 259
Enable live monitoring support 259
Create data collection files for a generic device 260
Install the new brand 260
Add the device to AFA 261

Collect routing information via SNMP 263
Configuration file example 263
Configuration file example with routing 264
Monitoring support tag reference 265
Tag syntax 265
DEVICE 265
FORM_FIELD 266
CONNECTION_CMD 267
DATA_COLLECTION 268
LOGIN_PROMPT 269
POST_LOGIN_PROMPT 270
COMMANDS_SEQUENCE 271
CMD 272
CMD_VIRT 274
DATA_COLLECTION 276
DIFF 276
EXCLUDE 277
ROUTING 278
FEATURES 279
FEATURE 280
Early availability features 280
Cisco ISE devices in AFA 281
Arista devices in ASMS 284
Enable / Disable map support for Azure 286
Enable /Disable ActiveChange for Azure 288
Enable support for Check Point R80 layers 289
Manage groups 291
About groups in AFA 291
Add groups 291
Edit groups 293
Rename groups 294

Delete groups 295
Manage matrices 296
About AFA matrices 296
Add matrices 297
Edit matrices 299
Rename matrices 300
Delete matrices 301
Manage DR sets 302
Add DR sets 302
Edit DR sets 303
Rename DR sets 305
Delete DR sets 305
Manage the map 307
Complete the map 307
Completed map contents 307
Identify routers to define in AFA 308
Complete the map (CLI) 311
Map completeness CLI tool scope 311
Identify routers to define in AFA 312
Map completeness parameters 314
Troubleshoot traffic simulation queries 316
Edit IP ranges in clouds 319
Remove devices 322
Restore device interfaces 323
Specify routing data manually 324
Schedule analysis 325
Add and edit analysis jobs 325
Delete scheduled jobs 329
Configure real-time monitoring 331
Activate real-time monitoring 331
AFA users and roles 333

AFA authentication 333
AFA user types and permissions 333
Configure user authentication 334
Single Sign On (SSO) and ASMS 335
User authentication via authentication servers 347
Import user data from an LDAP server 358
Configure an LDAP forest 360
Log in when an LDAP forest is configured 367
Manage users and roles in AFA 368
Add or edit users 368
Add and edit user roles 375
Delete AFA users or roles 378
ASMS username and password requirements 379
Import users via CSV 380
Prepare a users CSV file 380
Run the import users script 384
Customize risk and compliance management 386
Customize risk profiles 386
View a risk profile 387
Add a new risk profile 389
Delete a custom risk profile 396
Set a default risk profile 396
Customize risk items 397
Edit, duplicate, or add a custom risk item 397
Risk Info fields 398
Risk Query fields 399
Risk Details fields 400
Delete a risk item 404
Disable a risk item 405
Customize zone types 405
Built-in zone types 406

Add and edit zone types 406
Delete zone types 408
Customize hostgroups 409
Add and edit host groups 409
Delete hostgroups 410
Customize services 411
Add and edit service groups 411
Delete service groups 413
Configure trusted private IP addresses 414
Configure security ratings 415
Security rating calculation 415
Security rating calculation background 416
Customize security rating settings 417
Customize the regulatory compliance report 418
Remove and add compliance reports 419
Supported regulatory compliance reports 420
Customize the compliance score value 422
Customize compliance score severity thresholds 424
Configure the PCI zone 425
Customize baseline configuration profiles 427
Access baseline profiles configuration 427
Add a custom baseline configuration compliance profile 428
Duplicate a baseline configuration compliance profile 430
Edit a baseline configuration compliance profile 432
Delete a custom baseline configuration compliance profile 433
Example: Customize a baseline configuration compliance profile 433
Sample Baseline Configuration Compliance Profile 443
Advanced risk editing 444
Overview 444
Risk item types 445
Traffic risk item guidelines 446

Host group risk item guidelines 448
Property risk item guidelines 449
Rule risk item guidelines 449
Assessment and remedy keywords 451
Configure notifications 455
Schedule dashboard notifications 455
Add and edit dashboard e-mails 455
Deleting Scheduled Jobs 458
Configure event-triggered notifications 458
Supported notifications 459
E-mail Notification Example 1: Analysis completed 459
E-mail Notification Example 2: Changes to policy and risks 459
Configure AFA to send event triggered e-mail notifications 460
Configure device report page messages 462
Define AFA preferences 465
General 466
General Fields 467
Language 468
Display 469
Display Fields 469
Log analysis 470
Log analysis fields 470
Define a device proxy 471
Proxy fields 472
Mail 472
Storage 473
Configure report cleanup 474
Workflow 477
Change request ID format 478
AlgoSec FireFlow 479
BMC Remedy 479

HP ServiceCenter (formerly Peregrine) 481
Other 483
Authentication 484
Backup/Restore 485
Backup and restore prerequisites 486
Backup and restore on distributed architectures 486
Define backup options 487
Back up your system 489
Restore your system 490
Advanced Configuration 491
Add a new AFA configuration parameter and value 491
Advanced AFA configuration parameter reference 492
Customize AFA 508
Custom report pages 508
Create a custom report page 508
Custom report configuration file parameters 509
Extract custom report script flags 510
Custom documentation fields 511
Add documentation fields 511
Enable/Disable documentation fields 512
Custom dashboards and charts 512
Configure custom charts 512
Add a custom chart 513
Chart tag reference 513
Configure a custom dashboard 527
Dashboard tag reference 527
Dashboard configuration example 528
Customize regulatory compliance report 529
Add, remove or customize compliance reports 529
Troubleshooting 533
Troubleshooting and maintenance permissions 533

Entering and exiting debug mode 535
Contact technical support 535
Access log and configuration files 536
Send us feedback 542


AFA administration
This topic lists the browsers supported for working with ASMS and gives high-level
instructions for using the AFA Administration area and setting up your AFA environment.

Note: For details about logging in or out of AFA, see Logins and other basics.

Access the AFA Administration area

Most AFA configuration is performed in the AFA Administration area, accessible
from the top-right of any AFA page.

Do the following:
In the toolbar, click your username, and then select Administration from the dropdown
menu.

The Administration area includes the following tabs:

DEVICES SETUP: Manage devices, groups, and matrices. For details, see:
- Manage devices
- Manage groups
- Manage matrices

USERS/ROLES: Manage AFA users and user roles. For details, see AFA users and roles.

SCHEDULER: Schedule analysis and notifications. For details, see Schedule analysis.

COMPLIANCE: Manage risk profiles, baseline profiles, and compliance options. For details,
see Customize risk and compliance management.

OPTIONS: Configure AFA preferences including report storage options, user authentication
options, backup options, and more. For details, see Define AFA preferences.

MONITORING: Configure real-time monitoring. For details, see Configure real-time monitoring.

ARCHITECTURE: Manage Remote Agents or Load Units in a distributed architecture.

Note: The DOMAINS tab enables you to segregate data by domain in a Provider
Edition environment. For more details, contact AlgoSec customer support.

Quickstart – Configure AFA to analyze devices

This section introduces a few typical administrative tasks and gets you analyzing
devices in minutes.

Do the following:

1. Collect your device policy automatically. Add devices for which you want to
activate data collection. For more details, see Manage devices.

2. Configure AFA to run a nightly analysis. Once you have defined your devices for
automatic data collection, you can schedule periodic analyses overnight, or at any
other schedule of your choice.

For more details, see Schedule analysis.

3. Configure email notifications. AFA can send a variety of e-mail messages to you
and to your team members when reports are ready or when changes are made on
the monitored security devices. Additionally, you can schedule e-mails that
contain dashboards.

For more details, see Configure notifications.

4. Manage user access. The AFA Web GUI lets you view your reports on a
secure web server and grant access to the reports to authorized team
members.

Standard or Read-Only access can be granted to each user for each device
separately. The Web GUI also allows authorized users to start analyses, to
customize the resulting reports, and to run traffic simulation queries on them. AFA
administrators also use the Web GUI for administrative configuration.

For more details, see AFA users and roles.


Logins and other basics

This topic describes the basics of working with ASMS, such as logging in and out
and supported browsers.

Supported browsers
View ASMS in one of the following web browsers, at a screen resolution of 1920x1080 or
above:

- Mozilla Firefox
- Google Chrome
- Microsoft Edge
- Internet Explorer 11 and higher. Internet Explorer 8.0 is supported for FireFlow
requestors only.

Log in to ASMS
Log in to ASMS from any desktop computer using the credentials provided by an AFA
administrator.

Do the following:

1. In your browser, navigate to https://<algosec_server>, where <algosec_server> is
the ASMS server IP address or DNS name.

If a warning message about the web server's certificate appears, confirm with your
network administrator that the certificate (for example, by its fingerprint) is the one
expected for the ASMS server before you click Accept or OK. An unexpected certificate
warning can also indicate that the connection is being intercepted.

The Security Management Suite login page appears.


2. In the Username and Password fields, enter your username and password, and click
Login.

You are logged in, and ASMS displays AFA by default.


Switch ASMS products


If you are a user in multiple ASMS products, such as AFA, FireFlow, and AppViz, switch
between products using the dropdown at the top-left, above the main menu.

If you are an administrator for any of these products, the relevant administration menu is
available from your user dropdown at the top-right.


Note: CloudFlow is now accessible from inside ASMS. Click the dropdown at the
top-left and select CloudFlow.

For more details, see our CloudFlow Help Center.

Adjust your screen space


To adjust the screen space available for your main workspace, hide, display, or change
the size of the main menu on the left.

- To adjust the size of the main menu, hover between the menu and the workspace
and drag the border left or right.

- To collapse the menu entirely, click the icon at the top of the menu. When collapsed,
click it again to expand the menu.

View ASMS product details


This procedure describes how you can identify your AFA, FireFlow, or AppViz
installation version and build number.

Do the following:

1. In the toolbar, click your username and then select About or Info.

2. For example, if you're in AFA, in the Info dialog, click About.


The About dialog appears, showing details about the product you have installed.

Note: If you are running the FIPS 140-2 compliant version of AFA, this information is
indicated in the window.

Log out of ASMS


Log out of ASMS by clicking your username at the top right, and selecting Logout.

You are logged out of all ASMS products available to you.


Note: If Single Sign On is configured, you must browse to the Logout page hosted on
your IdP to log out.

For more details, see Single Sign On (SSO) and ASMS.


Manage devices
AFA manages your network security by collecting data from the devices defined in AFA.

Depending on the device's support and the options you enable, adding a device to AFA
lets AFA automatically obtain the device's policy, routing, configuration, and logs.
AFA collects data via analysis or monitoring processes, at configurable intervals.

Add / Remove Layer 2 Devices: training video on managing Layer 2 devices in AFA.

AFA communication protocols

AFA connects to devices over encrypted channels, using SSH, SOAP or REST over HTTPS,
or OPSEC, depending on the API the device exposes.

AFA encrypts stored device passwords with 128-bit AES (Advanced Encryption Standard).
The AFA server must be able to decrypt these credentials in order to use them, so protect
administrative and shell access to the AlgoSec server, and to its backups, with the same
care as the device credentials themselves.

Once the credentials used to access a device have been entered and encrypted in AFA,
AFA can collect device data continuously without an administrator re-entering the
password each time.

Device procedure reference


For details about adding devices to AFA, see the following:

Generic procedures:
- Add devices to AFA
- Add other devices and routing elements
- Add/update multiple devices in bulk
- Required device permissions
- Maintain devices
- Specify routing data manually
- Integrate AFA and CyberArk

Device-specific procedures:
- Add cloud devices
- Add Check Point devices
- Add Cisco devices
- Add F5 BIG-IP load balancers
- Add Fortinet devices
- Add Juniper devices
- Add Palo Alto Networks devices
- Add a Symantec Blue Coat
- Add VMware NSX-V devices

Device icons
Once added to AFA, each device type is shown in the device tree and across the AFA
interface using an icon that represents the device's brand or function.

Device types represented by icons:

- Cisco ASA, ACE, IOS Router, or Nexus Router device or security context
- Cisco ACI VRFs and other elements in the Cisco ACI fabric
- Check Point Multi-Domain Security Management (MDSM), Security Management
(SmartCenter), or CMA device
- Juniper NetScreen, NSM, SRX, Space, M/E Router, Juniper (non-M/E) router, or Juniper
Secure Access (SSL VPN) device
- Fortinet FortiGate or FortiManager device
- Symantec Blue Coat device
- Linux netfilter - iptables device
- Microsoft Azure device
- Palo Alto Networks Firewall or Panorama device
- F5 BIG-IP
- Forcepoint (McAfee) Security Management Center (formerly known as StoneGate) or
Sidewinder device. Note: Supported only if the device was added in an ASMS version
earlier than A30.00. For details, see Deprecated devices.
- Topsec Firewall device
- WatchGuard device
- Hillstone Networks device. Note: Supported only if the device was added in an ASMS
version earlier than A30.00. For details, see Deprecated devices.
- VMware NSX device
- Amazon Web Services (AWS)
- Avaya - Routing Switch
- Brocade VDX device
- H3C device
- SECUI MF2 device
- Routing Element
- Device configuration file
- User-defined icons: a custom device brand. For details, see Extend device support.

Deprecated devices

Support for the Forcepoint brands (Sidewinder, StoneGate) and Hillstone was
deprecated in ASMS version A30.00.


If you had defined these devices in an earlier version of ASMS, these devices are still
available to you, with all the existing capabilities, but you cannot add new ones after
upgrading.

We recommend backing up device data before or after upgrading and then removing
these devices from AFA. Make sure to download any report zip files for the device
before deleting.

For more details, see the relevant AlgoPedia KB article.

Additionally, all references to Cisco ASA devices also refer to legacy PIX and FWSM
devices. To add a new ASA device to your ASMS system, select ASA options.

Add devices to AFA


This topic provides an introduction on adding devices to AFA so that you can start
collecting data automatically.

Add device prerequisites

Before adding a new device to AFA, ensure that your environment is set up to accept
communication between AFA and the device.

Manage ports: Open the necessary port between each device and the AlgoSec server,
depending on the protocol used to connect to the device.

Note: In a distributed architecture, open the port between the device and the
specific Remote Agent or Load Unit managing that device.

Device permissions: You may need to configure device user permissions to enable AFA
to collect data from your device. For details, see Required device permissions.
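A quick TCP reachability test, run from the host that will actually perform the collection (the Central Manager, or the Remote Agent or Load Unit that will manage the device), catches missing firewall rules before you fill in a device form. The following is an added example, not AlgoSec code. The protocol-to-port map is an assumption of common defaults for the protocols this guide names; use the port your device really listens on. The loopback_demo function only exists so the checker can be exercised offline.

```python
"""Pre-flight TCP reachability check before adding a device to AFA.

Added example, not AlgoSec code. DEFAULT_PORTS are assumed defaults, not
values taken from this guide; override them with the port each device uses.
"""
import socket
from collections import namedtuple

# Assumed default ports for the collection protocols this guide names.
DEFAULT_PORTS = {
    "ssh": 22,            # SSH-based collection
    "https": 443,         # REST / SOAP APIs over HTTPS
    "opsec-lea": 18184,   # Check Point OPSEC LEA (log export)
    "opsec-cpmi": 18190,  # Check Point OPSEC CPMI (policy/object export)
}

PortCheck = namedtuple("PortCheck", "host port reachable detail")


def check_tcp_port(host, port, timeout=3.0):
    """Attempt a TCP connect; tell 'refused' (host up, port closed) apart from
    'timeout' (packets silently dropped, usually a firewall in the path)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return PortCheck(host, port, True, "connected")
    except socket.timeout:
        return PortCheck(host, port, False, "timeout: no reply, likely filtered")
    except ConnectionRefusedError:
        return PortCheck(host, port, False, "refused: host up, port closed")
    except OSError as exc:  # DNS failure, no route to host, and so on
        return PortCheck(host, port, False, "error: %s" % exc)


def check_device(host, protocol, port=None, timeout=3.0):
    """Check the port implied by the collection protocol, or an explicit override."""
    if port is None:
        port = DEFAULT_PORTS[protocol]
    return check_tcp_port(host, port, timeout)


def loopback_demo():
    """Exercise the checker offline: open a throwaway listener on 127.0.0.1,
    check it while open, close it, and check the same port again.
    Returns (open_result, closed_result)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))   # port 0: let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    open_result = check_tcp_port("127.0.0.1", port, timeout=2.0)
    srv.close()
    closed_result = check_tcp_port("127.0.0.1", port, timeout=2.0)
    return open_result, closed_result


if __name__ == "__main__":
    for result in loopback_demo():
        print(result)
    # Real use, from the collecting host (hypothetical device address):
    # print(check_device("192.0.2.10", "ssh"))
```

A "timeout" result is the one that usually matters here: it means the path between the collecting host and the device is dropping packets, so the port still has to be opened on an intervening firewall.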


Access the DEVICES SETUP page


This procedure describes how to access the DEVICES SETUP page for each device
type.

Note: Before you start, ensure that your environment is configured to allow
communication between AFA and your device. For details, see Add device
prerequisites.

Do the following:

1. Access the DEVICES SETUP page in the Administration area in one of the following ways:

From the main menu on the left: Click Devices, Groups, or Matrices, and then click the
Configure button.

Note: This button is visible to AFA administrators only.

From the Administration area: In the toolbar, click your username, and select
Administration. In the Administration area, click the DEVICES SETUP tab.

The DEVICES SETUP tab appears.


2. Click New and select Devices.

A selection of vendors appears.

3. Select a vendor, and then a device type.

4. A device form appears, specific to the device type you selected.


5. Populate the fields as needed to complete the configuration, clicking Next or Back
as needed.

For more details, see Device procedure reference.

Specify a Syslog-ng server


Many device brands support the ability to send log messages to an external Syslog-ng
server.

When relevant, do the following:

- Select a syslog-ng server
- Add a new syslog-ng server
- Edit an existing syslog-ng server

Select a syslog-ng server

Select the syslog-ng server from the list of those already defined in AFA.


Select localhost to use the built-in syslog-ng server. No credentials are required for this
server.

Note: The localhost option is recommended when it is not practical to allocate a
dedicated syslog-ng server, such as when you have a small number of devices or are
using AFA for evaluation purposes.

Add a new syslog-ng server

To add a new syslog-ng server, such as one that existed before you installed AFA,
do the following:

1. Click New and enter the following details:

Syslog-ng host: The syslog-ng server's host name or IP address.

User Name / SSH User Name: The user name for connecting to the syslog-ng server.

Note: If the specified user does not have root permissions, logs will not be collected
for the device until you have manually reloaded the syslog-ng server configuration.
Handing AFA a root account on the syslog-ng server is a significant privilege; if you
prefer a non-root account, plan to perform that reload yourself whenever you add or
change a device.

Password / SSH Password: The password for connecting to the syslog-ng server.

2. Click Test Connectivity to test connectivity to the defined syslog-ng server.

A message informs you whether AFA connected to the syslog-ng server
successfully, and the new syslog-ng server is automatically selected in the
Syslog-ng server drop-down list.

Tip: Save the device configuration to make this syslog-ng server available for other
devices as well.

Edit an existing syslog-ng server

To edit an existing syslog-ng server, do the following:

1. Select the syslog-ng server that you want to edit, and click Edit.

2. Edit the properties as needed, and click OK.

3. Click Test Connectivity to test connectivity to the defined syslog-ng server.

A message informs you whether AFA connected to the syslog-ng server successfully.

See also:
- Defining Check Point Devices: Training video about collecting data from a few Check Point
devices
- Defining Cisco, Fortinet, Juniper, McAfee & Palo Alto Devices: Training video about collecting
data from several different device brands

Add cloud devices


This topic describes how to add an AWS account or Azure subscription to AFA, to be
managed and analyzed similarly to on-premises devices.

AWS (Amazon Web Services) accounts in AFA

Add an AWS account to AFA to analyze its data using the AWS access key ID you provide.

Analyzed data includes all of the security groups protecting EC2 instances and
application load balancers (ALBs), from all AWS regions associated with the configured
access key. AFA separates these instances into groups called security sets. Each AWS
security set is a group of instances or ALBs that share the same security groups, network
ACLs, and network policies.

For details, see:

- Network connection
- Device access requirements for AWS
- Add an AWS account to AFA


Network connection
An ASMS Central Manager or Remote Agent connects to an AWS account via HTTPS-REST
(TCP/443).

Tip: ASMS also supports connecting to AWS via a proxy server, which can be
configured when adding the device to AFA. For more details, see Define a device
proxy.

Device access requirements for AWS


ASMS requires the following permissions for your AWS accounts:

Device analysis

AFA requires only read-only permissions to access AWS and collect data.

AFA authenticates with an AWS access key pair:

- Access Key ID
- Secret Access Key

We recommend creating a dedicated IAM user with access keys, rather than using root
user access keys.

This IAM user must have AmazonEC2ReadOnlyAccess permissions.


Tip: You can also use the credentials of another AWS account using the Assume-
Role functionality. For more details, see AWS account fields and options.

ActiveChange

When ActiveChange is enabled, the IAM user must have the read-only permissions above,
plus the following additional permissions:

- AuthorizeSecurityGroupIngress
- AuthorizeSecurityGroupEgress
- RevokeSecurityGroupIngress
- RevokeSecurityGroupEgress

These actions change live security-group rules, so scope them as tightly as your
environment allows (for example, with a Resource or Condition element in the policy)
rather than granting them on every security group in the account.


Add an AWS account to AFA


Do the following:

1. Access the DEVICES SETUP page. For details, see Access the DEVICES SETUP page.

2. In the vendor and device selection page, select Amazon > Web Services (AWS) EC2.

3. Configure the fields and options as needed.

AWS account fields and options

Access Information: The device type is automatically defined. In the Name field,
enter the name that you want to appear in the device tree for this account.

Tip: Use the account's host or route name.

Additional Information: Enter the following details to define access to your AWS
account:

- AWS Access Key ID. Enter your access key, supplied by Amazon.

- AWS Secret Key ID. Enter your secret key, supplied by Amazon.

- Regions. Select a region. For example:
  - All
  - China (Beijing)

- Assume Role for a Different Account. Select to define this AWS account with the
  credentials of another AWS account that is already defined in AFA. When selected,
  also define the Target Account Role ARN (the Amazon Resource Name (ARN) of the
  role to assume).

For more details, see Device access requirements for AWS.


Route Collection: Select one of the following to determine how AFA should acquire
the device's routing data.

- Automatic. Automatically generate routing data upon analysis or monitoring.

- Static Routing Table (URT). Take the device's routing data from a static file
  that you provide. For details, see Specify routing data manually.

Proxy: Click Set Proxy Server to configure a proxy server to connect all cloud
devices defined in AFA, including both AWS and Azure. For more details, see Define
a device proxy.

ActiveChange: Select Enable ActiveChange for this device.

Options: Select the following options for your AWS account as needed:

- Real-time change monitoring. Select this option to enable real-time alerting
  upon configuration changes. For more details, see Configure real-time monitoring.

- Set user permissions. Select this option to set user permissions for this device.

4. Click Finish. The new device is added to the device tree.

5. If you selected Set user permissions, the Edit users dialog box appears.

In the list of users displayed, select one or more users to provide access to reports
for this account.

To select multiple users, press the CTRL button while selecting.

Click OK to close the dialog.

A success message appears to confirm that the subscription is added.

In the device tree, AWS subscriptions are shown in three levels: the user account,
region/VPC, and security set.

For example:


Microsoft Azure subscriptions in AFA


When you add an Azure subscription to AFA, all VMs related to your subscription are
represented in the device tree.

AFA separates the instances into groups called security sets. Each Azure security set is
a group of VMs with the same security group and subnet security groups, as well as
network policies. VMs with no security groups are assigned to a security set called
Unprotected VMs. To enable accurate traffic simulation, AFA automatically creates a
rule to allow all traffic for these VMs.

For more details, see:

- Network connection

- Device requirements for Azure

- Add a Microsoft Azure subscription to AFA


Network connection
The following diagram shows an ASMS Central Manager or Remote Agent connecting
to an Azure subscription via HTTPS-REST (TCP/443).

Tip: ASMS also supports connecting to Azure via a proxy server, which can be
configured when adding the device to AFA. For more details, see Define a device
proxy.

Device requirements for Azure


ASMS requires the following permissions for your Azure subscriptions:

Device analysis

AFA requires minimal Reader access permissions defined for the subscription to
access Azure and collect data.

We recommend creating an App Registration with specific permissions instead of
sharing an account with other applications.

For example:

The IAM permissions should be Reader.

For example:


ActiveChange

When ActiveChange is enabled, the IAM user permissions must be updated to
Contributor.

For example:

Add a Microsoft Azure subscription to AFA


Do the following:

1. In your Azure account, configure an Active Directory Application to use to connect
to AFA.

For details, see How to configure a Microsoft Azure Active Directory application in
AlgoPedia.

2. In AFA, access the Devices Setup page. For details, see Access the
DEVICES SETUP page.

3. In the vendor and device selection page, select Microsoft > Azure.

4. Configure the fields and options as needed.

Azure subscription fields and options


Access Information: Enter the following details:

- Name. The Azure account's host name or IP address.

- Subscription ID. The Azure account's subscription ID.

- Tenant ID. The Active Directory Application tenant ID. For more details, see
  Azure documentation.

- Application ID. The application client ID.

- Key. The application key.

Route Collection: Select one of the following to determine how AFA should acquire
the device's routing data.

- Automatic. Automatically generate routing data upon analysis or monitoring.

- Static Routing Table (URT). Take the device's routing data from a static file
  that you provide. For details, see Specify routing data manually.

Proxy: Click Set Proxy Server to configure a proxy server to connect all cloud
devices defined in AFA, including both AWS and Azure. For more details, see Define
a device proxy.

ActiveChange: Select Enable ActiveChange for this device.

Options: Select the following options for your Azure subscription as needed:

- Real-time change monitoring. Select this option to enable real-time alerting
  upon configuration changes. For more details, see Configure real-time monitoring.

- Set user permissions. Select this option to set user permissions for this device.

5. Click Finish.

The new device is added to the device tree.

6. If you selected Set user permissions, the Edit users dialog box appears.

In the list of users displayed, select one or more users to provide access to reports
for this account.


To select multiple users, press the CTRL button while selecting.

Click OK to close the dialog.

A success message appears to confirm that the account is added.

In the device tree, Azure has a three-tier hierarchy: subscription, region/VNet, and then
security set.

For example:

Add Check Point devices


This topic describes how to add Check Point MDSM, SmartCenter / Gateway, or CMA
devices, as well as fields and options shared by all of these device types.


Note: You must also perform procedures on your devices, depending on how you
connect to the device from AFA. For details, see Enable data collection for Check
Point devices.

Tip: Watch a training video on how AFA can collect data from a few Check Point
devices. See Defining Check Point Devices on the AlgoSec portal.

Check Point network connections


The following diagrams show an ASMS Central Manager or Remote Agent connecting
to a Check Point MDSM, CMA, or SmartCenter device, and to a Check Point Gateway.
Check Point versions R80 or higher have an additional connection via HTTP-REST.

Note: If your CLM/MLM log servers reside on separate hosts, you'll need to connect
to these separately from ASMS.

Check Point device permissions


AFA can collect data or logs via SSH or OPSEC. For Check Point versions R80 and
higher, you must also define data collection via REST.


ASMS requires the following permissions for each type of connection to your Check
Point devices:

Connections via OPSEC (recommended)

ASMS requires minimal read-only CPMI and LEA OPSEC object permissions to
connect to Check Point devices, and automatically initiates log collection via the defined
LEA connection.

In the Check Point interface, define your permissions as follows:

CPMI: Select the following CPMI permissions:

- Allow access via Management Portal and SmartConsole Applications

- Permissions > Read Only All. To use ActiveChange, select Read/Write All.

LEA: On the LEA Permissions tab, under Permissions to Read Logs, select Show
all log fields.

Note: Create a separate OPSEC Object and permissions profile for ASMS use only.
Using the Administrator profile results in failures due to Check Point configurations.

For more details, see Create a Check Point OPSEC Certificate for Check Point Devices
(R77 and Lower).

Connections via SSH

ASMS must have SSH access to the relevant management and log devices, such as
PV-1, CMA, SmartCenter, external log server, or CLM.

- For SecurePlatform (SPLAT), ASMS must be allowed to switch to expert mode.

- For Solaris/RHEL/IPSO, ASMS must connect as the root user.

Public key authentication is also supported. In such cases, the following permissions
are required:


Read: AFA requires read permissions on the domain folders, such as $FWDIR/conf or
$FWDIR/log.

Write: AFA writes a package containing the required configuration in the /tmp or
/var/tmp directory, based on the device platform, such as SP or Solaris. AFA also
requires write permissions in the $FWDIR/conf directory for temporary log files.

Execute: AFA runs several commands on the management device, including fwm
logexport for logs and cpstat for routing.

For more details, see How to Configure the AlgoSec Firewall Analyzer SSH Client to
Use Public Key Authentication in AlgoPedia and Enable data collection via SSH.

REST connections (R80 and higher only)

When using a Check Point device version R80 or higher, AFA also collects data via
REST, in addition to OPSEC or SSH.

In addition to OPSEC or SSH permissions, ASMS must have permissions to execute
REST calls to the Check Point Security Management Server.

- The minimum permission required is Read Only All.

- When ActiveChange is enabled, the minimum permission is Read Write All.

For more details, see Enable data collection via REST.

Add a Check Point Multi-Domain Security Management device


Check Point Multi-Domain Security Management (MDSM) integrates multiple 'firewalled'
networks within a single administrative framework. These devices consolidate multiple
SmartCenter Servers, referred to as Customer Management Add-ons (CMAs), on a
single host.

AFA analyzes the Filter Module security policy via a secure connection to the MDSM
server.

Note: Multi-Domain Security Management, or MDSM, refers to both MDSM and
Provider-1 devices.

Do the following:

1. Access the DEVICES SETUP page. For details, see Access the
DEVICES SETUP page.

2. In the vendor and device selection page, select Check Point > Multi Domain
Security Management (Provider-1).

Configure the fields and options on the page as needed. For details, see Check
Point fields and options.

Note: If you select to enable ActiveChange, the ActiveChange License
Agreement appears. Select the I agree checkbox, and then click OK.

3. Click Next.

The fields on the Check Point - Multi-Domain Security Management (Provider-1)
- Step 2/3 page differ, depending on whether you selected to connect to the
device via SSH or OPSEC.

4. Do one of the following:

OPSEC: Recommended. Enter the IP address of the CMA that manages the devices you
wish to analyze.

SSH: Select the CMA that manages the devices you wish to analyze by clicking the
relevant row.

5. Click Next.

The Check Point - Multi-Domain Security Management (Provider-1) - Step 3/3
page appears.


This page displays a table listing all the devices that are managed by the Check
Point MDSM, including standalone devices and virtual systems.

6. Optional: Configure AFA to use logs created by a managed device or virtual
system.

Tip: This enables AFA to detect certain policy optimization information, such as
unused rules.

Do the following:

a. In the Add Device column, select the check box next to the device's name.

b. In the Log Analysis column, select one of the following:

- None. Disables logging.

- Standard. Enables logging.

- Extensive. Enables logging and the Intelligent Policy Tuner.

c. In the Log Server column, click Settings. Then, do one of the following:

- Select the log server you want to use from the drop-down list.

- Select Other and enter the log server's name manually.

Click OK when you're done.

d. SSH only: To edit SSH definitions, click Edit SSH definitions.


In the Check Point Log Server SSH Setup dialog, do the following:

- Specify whether this log server is part of a Multi-domain log module
  (MLM/CLM) or a Stand-alone log server.

- Populate the fields as needed. For details, see Log Server fields.

e. OPSEC only: To test OPSEC connectivity to the defined log server, click
Test OPSEC connectivity.

A message informs you whether AFA connected to the log server successfully.

f. Click OK.

7. Optional: Enable AFA to generate baseline compliance reports and/or allow
dynamic routing collection for all managed devices.

Do the following:


a. In the Direct access to managed devices area, click .

b. The Direct Access Configuration dialog box appears.

c. Complete the fields as needed. For details, see Baseline Configuration
Compliance fields.

Note: Specifying this information for a device triggers a direct SSH
connection to the device.

d. Click OK.

8. Complete the remaining fields as needed. For details, see Additional Check Point
options.

9. Click Finish.

The new device is added to the device tree.

Set user permissions


If you selected Set user permissions, the Edit users dialog box appears.

In the list of users displayed, select one or more users to provide access to reports for
this account. To select multiple users, press the CTRL button while selecting.

Click OK to close the dialog.


Add a Check Point SmartCenter/Gateway


Check Point products are based on a distributed architecture, where a typical Check
Point deployment is composed of a Filter Module or device and the SmartCenter Server.

- A standalone deployment is the simplest deployment where the SmartCenter
  Server and the Filter Module are installed on the same machine.

- A distributed deployment is a more complex deployment where the Filter Module
  and the SmartCenter Server are deployed on different machines.

AFA provides an analysis of the Filter Module's security policy via a secure connection
to the SmartCenter server.

Tip: Watch a training video on how AFA can collect data from a few Check Point
devices. See Defining Check Point Devices.

Do the following:

1. Access the DEVICES SETUP page. For details, see Access the
DEVICES SETUP page.

2. In the vendor and device selection page, select Check Point > Security
Management (SmartCenter).

Configure the fields and options on the page as needed. For details, see Check
Point fields and options.

Note: If you select to enable ActiveChange, the ActiveChange License
Agreement appears. Select the I agree checkbox, and then click OK.

3. Click Next.

The Check Point - Security Management (SmartCenter) - Step 2/2 page
appears, displaying a table that lists all the devices that are managed by the
Check Point SmartCenter/Gateway, including standalone devices and virtual
systems.

4. Optional: Configure AFA to use logs created by a managed device or virtual
system.

Tip: This enables AFA to detect certain policy optimization information, such as
unused rules.

Do the following:

a. In the Add Device column, select the check box next to the device's name.

b. In the Log Analysis column, select one of the following:

- None. Disables logging.

- Standard. Enables logging.

- Extensive. Enables logging and the Intelligent Policy Tuner.

c. In the Log Server column, click Settings. Then, do one of the following:

- Select the log server you want to use from the drop-down list.

- Select Other and enter the log server's name manually.

Click OK when you're done.

d. SSH only: To edit SSH definitions, click Edit SSH definitions.


In the Check Point Log Server SSH Setup dialog, do the following:

- Specify whether this log server is part of a Multi-domain log module
  (MLM/CLM) or a Stand-alone log server.

- Populate the fields as needed. For details, see Log Server fields.

e. OPSEC only: To test OPSEC connectivity to the defined log server, click
Test OPSEC connectivity.

A message informs you whether AFA connected to the log server successfully.

f. Click OK.

5. Optional: Enable generation of baseline compliance reports and/or allow dynamic
routing collection for all managed devices.

To do so, in the Direct access to managed devices area, click Configure.


The Direct Access Configuration dialog box appears.

Complete the fields as needed, and click OK. For details, see Baseline
Configuration Compliance fields.

Note: Specifying this information for a device triggers a direct SSH connection
to the device.

6. Complete the remaining fields using the information in Check Point Options Fields
(see Additional Check Point options).

7. Click Finish.

The new device is added to the device tree.

Set user permissions


If you selected Set user permissions, the Edit users dialog box appears.

In the list of users displayed, select one or more users to provide access to reports for
this account. To select multiple users, press the CTRL button while selecting.

Click OK to close the dialog.

Add a Check Point CMA


You can add single Customer Management Add-ons (CMAs) using the following
procedure.


Tip:

- Add multiple CMAs at once by adding a Check Point MDSM. For details, see
  Add Check Point devices.

- Watch a training video on how AFA can collect data from a few Check Point
  devices. See Defining Check Point Devices.

Do the following:

1. Access the DEVICES SETUP page. For details, see Access the
DEVICES SETUP page.

2. In the vendor and device selection page, select Check Point > Single CMA.

Configure the fields and options on the page as needed. For details, see Check
Point fields and options.

Note: If you select to enable ActiveChange, the ActiveChange License
Agreement appears. Select the I agree checkbox, and then click OK.

3. Click Next.

The Check Point - Single CMA - Step 2/2 page appears, displaying a table that
lists all the devices that are managed by the Check Point CMA, including
standalone devices and virtual systems.

4. Optional: Configure AFA to use logs created by a managed device or virtual
system.

Tip: This enables AFA to detect certain policy optimization information, such as
unused rules.

Do the following:


a. In the Add Device column, select the check box next to the device's name.

b. In the Log Analysis column, select one of the following:

- None. Disables logging.

- Standard. Enables logging.

- Extensive. Enables logging and the Intelligent Policy Tuner.

c. In the Log Server column, click Settings. Then, do one of the following:

- Select the log server you want to use from the drop-down list.

- Select Other and enter the log server's name manually.

Click OK when you're done.

d. SSH only: To edit SSH definitions, click Edit SSH definitions.

In the Check Point Log Server SSH Setup dialog, do the following:


- Specify whether this log server is part of a Multi-domain log module
  (MLM/CLM) or a Stand-alone log server.

- Populate the fields as needed. For details, see Log Server fields.

e. OPSEC only: To test OPSEC connectivity to the defined log server, click
Test OPSEC connectivity.

A message informs you whether AFA connected to the log server successfully.

f. Click OK.

5. Optional: Enable generation of baseline compliance reports and/or allow dynamic
routing collection for all managed devices.

To do so, in the Direct access to managed devices area, click Configure.

The Direct Access Configuration dialog box appears.

Complete the fields as needed, and click OK. For details, see Baseline
Configuration Compliance fields.

Note: Specifying this information for a device triggers a direct SSH connection
to the device.


6. Complete the remaining fields using the information in Check Point Options Fields
(see Additional Check Point options).

7. Click Finish. The new device is added to the device tree.

8. If you selected Set user permissions, the Edit users dialog box appears.

In the list of users displayed, select one or more users to provide access to reports
for this account.

To select multiple users, press the CTRL button while selecting.

Click OK to close the dialog.

A success message appears to confirm that the device is added.

Check Point fields and options


Check Point devices include the following types of fields and options:

Access Information

Host: Enter the host name or IP address of the device.

R80 or higher: Select this option for devices of version R80 or higher. For R80
devices, you must configure the Management API Settings of the device to accept
API calls from the IP address of the AlgoSec server. For more information, see
Enabling REST Calls to the Security Management Server (see Enable data collection
via REST).


Connect via: Specify how AFA should connect to the device, by selecting one of
the following:

- SSH: Connect via SSH (Secure Shell protocol). This option is not available when
  adding a single Check Point CMA.

- OPSEC (NGX R60 or higher): Connect via OPSEC. Recommended.

To specify a custom port, select Custom Port and enter the port number.

Note: For Windows environments, only OPSEC is supported.

Tip: Configure AFA to connect to the device using SSH with Public-Key
authentication. To do so, select the Use public key authentication in data
collection check box in the General sub-tab of the Options tab in the
Administration area. For details, see Define AFA preferences.

User Name / Password: Type the user name and password to access the device.
These fields only appear if you selected R80 or higher or you selected SSH in the
Connect via area. For more details, see Required device permissions.

SecurePlatform: Choose this option to specify that the device is installed on a
Check Point SecurePlatform operating system. You must complete the Expert Password
field. This field only appears if you selected SSH in the Connect via area.

Expert Password: Type the expert password, which allows access to all the functions
on the SmartCenter server required for this process. This field only appears if you
selected SSH in the Connect via area.


Solaris / RedHat Linux: Choose this option to specify that the device is installed
on a Solaris or RedHat Linux operating system. This field only appears if you
selected SSH in the Connect via area.

User credentials above are for root user: Select this option to specify that the
user name and password entered in the User Name and Password fields are the
credentials for the Solaris root user. If you clear this option, you must complete
the Root Password field. This field only appears if you selected SSH in the
Connect via area.

Root Password: Type the root password for Solaris. This field only appears if you
selected SSH in the Connect via area.

High Availability: Select this option to configure High Availability for CMAs.
Important: AFA connects to the HA cluster using the active IP address, not the
virtual IP address. You must configure access rules for each device in the cluster
to allow this traffic. This field only appears if you selected OPSEC in the Connect
via area. It is not relevant for Check Point MDSM.

Secondary Security Management (SmartCenter): Type the secondary CMA. This field
only appears if you selected OPSEC in the Connect via area. It is not relevant for
Check Point MDSM.

Geographic Distribution

In the Device managed by field, select the remote agent that should perform data
collection for the device.

To specify that the device is managed locally, select Central Manager.

Log Collection

Select the log collection method to use.


If you choose SSH, you must enable AFA to analyze application control traffic logs. For
more details, see Enable data collection via SSH. If you do not perform this step, then
information related to application control traffic will not appear in the device report's
Policy Optimization page.

This area only appears if you selected OPSEC in the Connect via area.

OPSEC Setup

This area enables you to specify which certificate to use for OPSEC access to the
device.

For more information, see Specifying a Certificate for OPSEC Access to the Check
Point Device (see Enable data collection via OPSEC).

This area only appears if you selected OPSEC in the Connect via area.

ActiveChange

This area only appears if you selected OPSEC in the Connect via area.

Select Enable ActiveChange to enable ActiveChange for the device.

Note: This option is unavailable for version R80 or higher.

Log Server fields

Check Point log server fields include the following:

Host (MLM): Type the host name or IP address of the log server.

Username: Type the user name to use for SSH access to the log server.

Password: Type the password to use for SSH access to the log server.

Secure Platform: Choose this option to specify that the log server is installed on a
Check Point SecurePlatform operating system. You must complete the Expert Password
field.


Expert Password: Type the expert password, which allows access to all the functions
on the log server required for this process.

Solaris: Choose this option to specify that the log server is installed on a Solaris
operating system.

User credentials above are for root user: Select this option to specify that the
user name and password entered in the Username and Password fields are the
credentials for the Solaris root user. If you clear this option, you must complete
the Root Password field.

Root Password: If you use a user other than "root" for accessing the Solaris OS,
type the root password for Solaris.

Test Connectivity: Click this button to test connectivity to the defined log server.
A message informs you whether AFA connected to the log server successfully.

Baseline Configuration Compliance fields

Check Point baseline configuration compliance fields include the following:

Host IP: Type the IP address of the device.

User Name: Type the user name to access the device.

Password: Type the password to access the device.

Platform: Select the device's platform. This field only appears for Check Point
devices.

Extra Password: Type the password to use for running OS commands on the device.
This field only appears for Check Point devices.


Baseline Profile: Select the baseline compliance profile to use. The drop-down list
includes all baseline compliance profiles in the system. For more information on
baseline compliance profiles and instructions for adding new baseline compliance
profiles, see Customizing Baseline Configuration Compliance Profiles (see
Customize baseline configuration profiles). To disable Baseline Compliance Report
generation for this device, select None.

Test Connectivity: Click this button to test connectivity to the defined device.
A message informs you whether AFA connected to the device successfully.

Additional Check Point options

Check Point devices have the following additional options:

Real-time change monitoring: Select to enable real-time alerting upon configuration
changes. For more details, see Configure real-time monitoring.

Set user permissions: Select to set user permissions for this device.

Collect audit logs from CLM: Select to collect audit logs from a CLM.
Note: When this option is enabled, all modules must be configured to collect logs
from the same CLM.

Log collection frequency: Enter the interval of time in minutes, at which AFA should
collect logs for the Check Point device.

Configure one-armed mode manually


AFA automatically identifies Check Point CloudGuard devices in one-armed mode,
when the device has a single interface. If your device has multiple interfaces and one-
armed mode is not identified automatically, configure this for your device manually.


Do the following:

1. On the AFA machine, access your device configuration meta file as follows:

/home/afa/.fa/firewalls/<device_name>/fwa.meta

where <device_name> is the name of the device listed. If your device is listed
multiple times, enter the longer name.

2. On a new line, enter:

is_steering_device=yes

3. Run an analysis on the device to update the device data in AFA.

Enable data collection for Check Point devices


In order for AFA to collect data from a Check Point device, you must configure certain
settings on the device itself. AFA collects data from Check Point devices using either
SSH or OPSEC, and for Check Point versions R80 and above, AFA collects data via
REST (along with either SSH or OPSEC). You must enable the data collection
requirements for every method you use.

Note: In addition to the requirements listed below, ensure that the user that AFA is
using to access the device has the required permissions. The minimum permission
required is Read Only All. When the device is using ActiveChange, the minimum
permission is Read Write All. For more details, see Required device permissions.

For more details, see Add Check Point devices.

Enable data collection via SSH


This procedure describes how to enable AFA to process Check Point application
control traffic logs.

AFA can be configured to collect logs from a Check Point device via SSH, but special
configuration is required on the Check Point device. Application control traffic logs
include the app_rule_id field, and this field is masked by default for the SSH log
collection user that is specified when adding the device to AFA. As a result, AFA cannot
process application control logs that are collected via SSH, nor use them to generate
information for the Application Control Rules Cleanup area of the device report's Policy
Optimization page.

In order to enable AFA to process application control traffic logs, you must modify
permissions for the app_rule_id field on the Check Point device, as described in the
following procedure.

Note: For R80 and above, AFA collects data via REST (along with either SSH or
OPSEC). For more details, see Enable data collection via REST.

Do the following:

1. Run GuiDBedit.exe, and connect to the Check Point device's management
station.

The management station is typically located at
C:\Program Files (x86)\CheckPoint\SmartConsole\RXX\PROGRAM

where RXX is the version number.

2. In the left pane, navigate to Other > log_fields.

3. In the right pane, click on app_rule_id.

The bottom pane displays the fields that are displayed for app_rule_id.


4. In the bottom pane, double-click on the permissions field.

The Edit dialog box appears.


5. In the Value field, change the value from 2 to 0.

6. Click OK.

7. Save your changes and exit the program.

8. If the device sends its traffic logs to a log server other than the management station
(for example, a CLM or external log server), do the following:

a. Connect to the Check Point device's management station via
SmartDashboard.

b. Re-install the Check Point database on the log server, by selecting Policy
and then Install Database from the main menu.

c. Exit the program.

Enable data collection via OPSEC


This procedure describes how to specify a certificate for OPSEC access to a Check
Point device, which must be performed in the Check Point - Multi-Domain Security
Management (Provider-1) - Step 1/3 or Check Point - SmartCenter or CMA - Step 1/2
page after selecting OPSEC as the connection method.


Do the following:

1. Create a certificate for your device. For more details, see:

• Create a Check Point OPSEC Certificate for a MDSM (R80 and Higher)

• Create a Check Point OPSEC Certificate for a CMA/SMC (R80 and Higher)

• Create a Check Point OPSEC Certificate for Check Point Devices (R77 and
Lower)

2. In AFA, in the OPSEC Setup area, click Certificate.

The Retrieve a new OPSEC certificate dialog box appears.

3. Complete the fields as follows:

OPSEC Application Name: Type the OPSEC application name, as specified in the
OPSEC certificate. The default value is "AlgoSec".

One Time Password: Type the one-time password, as specified in the OPSEC
certificate.

Advanced: Click to display advanced fields. The CPMI Authorization Type, CPMI
Port, LEA Authorization Type, and LEA Port fields appear.

CPMI Authorization Type: Select the CPMI authorization type.

CPMI Port: Type the CPMI port number. The default value is 18190.

LEA Authorization Type: Select the LEA authorization type.

LEA Port: Type the LEA port number. The default value is 18184.

4. Click OK to retrieve the certificate from the Check Point SmartCenter, CMA or
MDSM server.

Once the certificate is installed, a confirmation window appears.

5. Click OK.

The OPSEC Setup area displays the certificate date and time of creation.

Create a Check Point OPSEC Certificate for a MDSM (R80 and Higher)

In order for AFA to collect data from a Check Point MDSM via OPSEC, a global
certificate needs to be created for authentication and security purposes. The certificate
is created using Check Point's SmartConsole for the PV-1.

Do the following:

1. Connect to the SmartConsole, selecting the MDS domain.

2. Right-click Global and select Connect to Domain.


3. Create a network object for the host that will run AFA.

Note: If a network object for the host is already defined, you can skip this step.

Do the following:

a. Click New, and then Host.

The New Host window appears.

b. Complete the Object Name and IPv4 Address fields with the name and
address of the host that will run AFA.

c. Click OK.

4. Create an OPSEC application object for this network object.


Note: If an OPSEC application object is already defined, you can skip this step.

Do the following:

a. In the Object Categories, under Servers, select OPSEC Applications >
Application.

The OPSEC Application Properties dialog box appears.

b. In the OPSEC Application Properties dialog, define the following:

Name: Enter the OPSEC application name.

Note: Record the name you entered here. You'll need to specify this name in
AFA when you retrieve the certificate.

Host: Select the host to run AFA.

Object Entities: Select the LEA and CPMI items.

The LEA Permissions and CPMI Permissions tabs appear.

c. In the CPMI Permissions tab, select Permissions Profile, and then do one of
the following:

• Select the super profile in the list, or any other profile with the required
minimum permissions.

• Create a new permission profile. To do this, click New. In the Permissions
Profile Properties dialog, enter a name for your new profile and select the
required permissions.

Minimum permissions required are Read Only All access. If you're using
ActiveChange, you must have Read/Write All access.

d. In the LEA Permissions tab, select According to Permissions Profile, and
then do one of the following:

• Select the super profile in the list, or any other profile with the required
minimum permissions.

• Create a new permission profile. To do this, click New. In the Permissions
Profile Properties dialog, enter a name for your new profile and select the
required permissions.

Minimum permissions required are Read Only All access.

e. Click OK. The General tab appears again, with additional options.

5. Create your certificate. Do the following:

a. Click Communication.

b. In the Communication dialog that appears, enter a one-time password, and
then enter it again to confirm.

Note: Record the password you entered here. You'll need to specify this
password in AFA when you retrieve the certificate.

c. Click Initialize.

The Trust state will change from Uninitialized to Initialized but trust not
established. After the certificate is retrieved by AFA, the trust state will
change to Trusted.

Tip: Create a new certificate if needed by clicking Reset and repeating this
step.

6. At the top of the screen, click Publish.

7. Connect to the MDS (PV-1) console, and select Global Assignments.

8. Right-click Global and select Reassign on Domains.


Continue with Enable data collection via OPSEC.

Create a Check Point OPSEC Certificate for a CMA/SMC (R80 and Higher)

In order for AFA to collect data from a Check Point CMA or SMC via OPSEC, a local
certificate needs to be created for authentication and security purposes. The certificate
is created using Check Point's SmartConsole for the CMA/SMC.

Do the following:

1. Connect to the SmartConsole.

2. Create a network object for the host that will run AFA.

Note: If a network object for the host is already defined, you can skip this step.

Do the following:


a. In the right pane, click the New button and select Host.

b. In the New Host dialog, enter the Name and IP address of the host that will
run AFA, and click OK.

3. Create an OPSEC application object for this network object.

Note: If an OPSEC application object is already defined, you can skip this step.

Do the following:

a. Click the icon at the top left of the screen and select:

New object > More object types > Server > OPSEC Application > New
Application.


b. In the OPSEC Application Properties dialog, define the following:

Name: Enter the OPSEC application name.

Note: Record the name you entered here. You'll need to specify this name in
AFA when you retrieve the certificate.

Host: Select the host to run AFA.

Object Entities: Select the LEA and CPMI items.

c. In the CPMI Permissions tab, select Permissions Profile, and then do one of
the following:

• Select the super profile in the list, or any other profile with the required
minimum permissions.

• Create a new permission profile. To do this, click New. In the Permissions
Profile Properties dialog, enter a name for your new profile and select the
required permissions.

Minimum permissions required are Read Only All access. If you're using
ActiveChange, you must have Read/Write All access.


d. In the LEA Permissions tab, select According to Permissions Profile, and
then do one of the following:

• Select the super profile in the list, or any other profile with the required
minimum permissions.

• Create a new permission profile. To do this, click New. In the Permissions
Profile Properties dialog, enter a name for your new profile and select the
required permissions.

Minimum permissions required are Read Only All access.

e. Click OK. The General tab appears again, with additional options.

4. Create your certificate. Do the following:

a. Click Communication.

b. In the Communication dialog that appears, enter a one-time password, and
then enter it again to confirm.

Note: Record the password you entered here. You'll need to specify this
password in AFA when you retrieve the certificate.

c. Click Initialize.

The Trust state will change from Uninitialized to Initialized but trust not
established. After the certificate is retrieved by AFA, the trust state will
change to Trusted.

Tip: Create a new certificate if needed by clicking Reset and repeating this
step.

5. Reinstall the Check Point database on all existing log servers, including CLMs or
external log servers.

Do the following:

a. At the top of the screen, click Publish.

b. At the top left, click the icon, and select Install database.

c. In the Install database dialog, verify that your CMA is selected, and click
Install.

Continue with Enable data collection via OPSEC above.

Create a Check Point OPSEC Certificate for Check Point Devices (R77 and Lower)

In order to collect the policy and routing table from a Check Point FireWall-1 module,
AFA can use the OPSEC API. For this to work, a certificate needs to be created for
authentication and security purposes.

The certificate is created on the SmartCenter server, using Check Point's
SmartDashboard utility, or on the MDSM server, using Check Point's Global
SmartDashboard utility.

Do the following:


1. Create a network object for the host.

Note: If a network object for the host running AFA is already defined, you can
skip this step.

Do the following:

a. In the main SmartDashboard menu panel, select Manage > Network Objects.

b. Click New > Node > Host.


c. In the Host Node dialog, enter the Name and IP address of the host that will
run AFA, and then click OK.

2. Create an OPSEC application object for this network object.

Note: If an OPSEC application object is already defined, you can skip this step.

Do the following:


a. In the SmartDashboard main menu, select Manage and then Servers and
OPSEC Applications.

b. In the Servers and OPSEC Applications dialog box, click New > OPSEC
Application.


c. In the OPSEC Application Properties dialog, define the following:

Name: Enter the OPSEC application name.

Note: Record the name you entered here. You'll need to specify this name in
AFA when you retrieve the certificate.

Host: Select the host to run AFA.

Object Entities: Select the LEA and CPMI items.

d. In the CPMI Permissions tab, select Permissions Profile, and then do one of
the following:

• Select the super profile in the list, or any other profile with the required
minimum permissions.

• Create a new permission profile. To do this, click New. In the Permissions
Profile Properties dialog, enter a name for your new profile and select the
required permissions.

Minimum permissions required are Read Only All access. If you're using
ActiveChange, you must have Read/Write All access.

e. For Check Point version R76 or above, in the LEA Permissions tab, select
According to Permissions Profile.

Then do one of the following:

• Select the super profile in the list, or any other profile with the required
minimum permissions.

• Create a new permission profile. To do this, click New. In the Permissions
Profile Properties dialog, enter a name for your new profile and select the
required permissions.

Minimum permissions required are Read Only All access.

f. Click OK. The General tab appears again, with additional options.

3. Create your certificate. Do the following:

a. Click Communication.

b. In the Communication dialog that appears, enter a one-time activation key,
and then enter it again to confirm.

Note: Record the key you entered here. You'll need to specify this key in
AFA when you retrieve the certificate.

c. Click Initialize.

The Trust state will change from Uninitialized to Initialized but trust not
established. After the certificate is retrieved by AFA, the trust state will
change to Trusted.

Tip: Create a new certificate if needed by clicking Reset and repeating this
step.

4. Reinstall the Check Point database on all existing log servers, including CLMs or
external log servers. Click Save, and then select Policy and then Install Database
from the main menu.

Continue with Enable data collection via OPSEC above.

Enable data collection via REST


This procedure describes how to enable REST calls to the Security Management
Server.


Note: For versions R80 and above, AFA collects data via REST, along with either
SSH or OPSEC. In addition to enabling REST, you must also enable SSH or
OPSEC as needed.

For details, see Enable data collection via SSH and Enable data collection via
OPSEC.

Do the following:

1. Open a SmartConsole.

2. In the left pane, navigate to Manage & Settings > Blades > Management API >
Advanced Settings.

The Management API Settings window appears.

3. To automatically start the API server at Security Management Server startup,
select the Automatic Start check box.

4. Select the IP addresses from which the API server accepts requests:

All IP addresses that can be used for GUI clients: The API server will accept
scripts and web service requests from the same devices that are allowed access
to the Security Management Server. Make sure the AFA server is in this list.

All IP addresses: The API server will accept scripts and web-service requests
from any device.

5. Click OK.

In the Management API restart message that appears, click OK.

6. At the top, click Publish.

7. In the Check Point Security Management Server CLI, run the api restart command,
and then exit.
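To confirm from the AFA host that the API server is up and accepts this client before the device is added, the following added example (not AlgoSec or Check Point code) walks the Management API session flow: login, one query, logout. The endpoint names and the X-chkp-sid header follow Check Point's published Management API; the URL, user name and canned replies are constructed.

```python
"""Walk the Check Point Management API session flow that AFA uses over REST.

Constructed example, not AlgoSec or Check Point code. It assumes the published
Management API: POST /web_api/login returns JSON with a "sid", and every
later call carries that sid in the X-chkp-sid header. The transport is
injectable so the flow can be exercised offline against canned replies.
"""
import json
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# A transport takes (url, body_bytes, headers) and returns (status, body_bytes).
Transport = Callable[[str, bytes, Dict[str, str]], Tuple[int, bytes]]


class MgmtApiError(RuntimeError):
    """Raised when the management server refuses or malforms a reply."""


def urllib_transport(url: str, body: bytes, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Real HTTPS POST. Certificate verification stays on: install the
    management server's CA on the AFA host rather than switching it off."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def login(base_url: str, user: str, password: str,
          transport: Transport = urllib_transport, domain: Optional[str] = None) -> str:
    """POST /web_api/login and return the session id.

    A 403 here is the symptom of step 4 above: the API server only accepts
    requests from the GUI-client IP list and the AFA host is not on it."""
    payload = {"user": user, "password": password}
    if domain:  # MDSM: log in to one domain (CMA) rather than the MDS itself
        payload["domain"] = domain
    status, body = transport(f"{base_url.rstrip('/')}/web_api/login",
                             json.dumps(payload).encode(),
                             {"Content-Type": "application/json"})
    if status != 200:
        raise MgmtApiError(f"login failed with HTTP {status}: {body[:200]!r}")
    data = json.loads(body)
    if "sid" not in data:
        raise MgmtApiError("login reply carries no session id")
    return data["sid"]


def call(base_url: str, sid: str, command: str, payload: Optional[dict] = None,
         transport: Transport = urllib_transport) -> dict:
    """POST /web_api/<command> with the session id in the X-chkp-sid header."""
    status, body = transport(f"{base_url.rstrip('/')}/web_api/{command}",
                             json.dumps(payload or {}).encode(),
                             {"Content-Type": "application/json", "X-chkp-sid": sid})
    if status != 200:
        raise MgmtApiError(f"{command} failed with HTTP {status}: {body[:200]!r}")
    return json.loads(body)


def check_api_access(base_url: str, user: str, password: str,
                     transport: Transport = urllib_transport) -> List[str]:
    """Log in, ask which API versions the server offers, log out.

    Returns the version list; raises MgmtApiError on any refusal, so a wrong
    GUI-client IP list or a stopped API server (see 'api restart' above) shows
    up before the device is added to AFA."""
    sid = login(base_url, user, password, transport)
    try:
        reply = call(base_url, sid, "show-api-versions", transport=transport)
        return reply.get("supported-versions", [])
    finally:
        call(base_url, sid, "logout", transport=transport)


def make_canned_transport(allowed_host: str) -> Transport:
    """Constructed stand-in for a management server, used to run this offline.
    It serves only URLs naming allowed_host and answers 403 to anyone else,
    mimicking the GUI-client IP refusal (reply texts are made up)."""
    def transport(url: str, body: bytes, headers: Dict[str, str]) -> Tuple[int, bytes]:
        if allowed_host not in url:
            return 403, b'{"message":"client address not permitted"}'
        if url.endswith("/web_api/login"):
            return 200, b'{"sid":"SID-constructed","api-server-version":"1.6"}'
        if headers.get("X-chkp-sid") != "SID-constructed":
            return 401, b'{"message":"missing or invalid session"}'
        if url.endswith("/web_api/show-api-versions"):
            return 200, b'{"supported-versions":["1","1.1","1.6"],"current-version":"1.6"}'
        if url.endswith("/web_api/logout"):
            return 200, b'{"message":"OK"}'
        return 404, b'{"message":"unknown command"}'
    return transport


if __name__ == "__main__":
    canned = make_canned_transport("mgmt.example")
    print(check_api_access("https://mgmt.example", "afa-ro", "placeholder", canned))
```

Against a real server, call check_api_access with the management server URL and the AFA user's credentials and omit the transport argument.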

Add Cisco devices


This topic describes how to add Cisco devices to AFA and perform related
configurations.

Add a CSM-managed Cisco device


This procedure describes how to add a Cisco device managed by a Cisco CSM. You
must add each Cisco device or security context that is managed by a Cisco CSM
separately, even if they are managed by the same CSM.

Note: To perform this procedure, you must have a Cisco API license for the
CSM device.


Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. In the vendor and device selection page, select Cisco > Point > Firewall via CSM
(CSM 4.3 or above).

3. Complete the fields as needed, and then click Finish.

Access Information

Firewall Host Name: Type the host name of the Cisco device to be analyzed, as it
appears in the CSM UI.

CSM Server: Type the host name or IP address of the Cisco CSM server.

CSM User Name: Type the user name to use for SSH access to the Cisco CSM.

CSM Password: Type the password to use for SSH access to the Cisco CSM.

Geographic Distribution

Select the remote agent that should perform data collection for the device.

To specify that the device is managed locally, select Central Manager.

This field is relevant when a Geographic Distribution architecture is configured.

Baseline Configuration Compliance

Select the baseline compliance profile to use, in order to enable generation of
Baseline Compliance Reports for this device.

The drop-down list includes all baseline compliance profiles in the system. For
more information on baseline compliance profiles and instructions for adding new
baseline compliance profiles, see Customize baseline configuration profiles.

Select None to disable Baseline Compliance Report generation for this device.


Route Collection

Specify how AFA should acquire the device's routing information:

• Automatic. AFA will automatically generate the device's routing information
upon analysis or monitoring.

• Static Routing Table (URT). AFA will take the device's routing information
from a static file you provide. For more information, see Specify routing data
manually.

Rules view

Specify how rules should be displayed in device reports:

• ASDM: Display rules in the Cisco Adaptive Security Device Manager
(ASDM) graphical interface.

• CLI: Display rules in command line format.

The default value is ASDM.

Note: Intelligent Policy Tuner and the "Unused objects within rules" list are
available only with ASDM.

Log Collection and Monitoring


Log collection method: Specify the log collection method that AFA should use
when collecting traffic logs for the Cisco device, by selecting one of the
following:

• Hit-counters: Only use hit-counter data. The Change History report page will
be based on "last modified" timestamps, and Intelligent Policy Tuner is
disabled.

• Standard: Use hit-counter data for rule usage, and Syslog data for the Change
History report page. Intelligent Policy Tuner is disabled.

• Extensive: Combine data from both hit-counters and Syslog. Intelligent Policy
Tuner is enabled.

The default value is Extensive.

Note: The Extensive method is only available when ASDM is selected in the
Rules view area.

Syslog-ng server: If you selected Standard or Extensive in the Log collection
method field, you must specify the syslog-ng server. For details, see Specify a
Syslog-ng server.

Additional firewall identifiers: Type any additional IP addresses or host names
that identify the device. When adding multiple entries, separate values by a ':'.
For example: "1.1.1.1:2.2.2.2:ServerName".

This is relevant when the device is represented by multiple or non-standard
device identifiers in the logs, for example, in cases of firewall clusters or
non-standard logging settings. If AFA receives logs with an identifier it does
not recognize, the logs will not be processed.

Note: This field is only relevant for the parent device. In order to specify
additional identifiers for sub-systems (Juniper VSYS/LSYS, Fortinet VDOM, Cisco
security context, etc.), see Add additional device identifiers for sub-systems.

Log collection frequency (minutes): Type the interval of time in minutes, at
which AFA should collect logs for the device.
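Because logs carrying an unknown identifier are silently dropped, it is worth checking a sample from the syslog-ng server against the identifiers configured for the device. The following added example (not AlgoSec code) does that audit and proposes the field value that would cover the missing sources; the log lines, host names and addresses are constructed, and the syslog framing assumed is the BSD form with a timestamp.

```python
"""Audit traffic-log device identifiers against AFA's configuration.

Constructed example, not AlgoSec code. It assumes BSD-style syslog lines
("<PRI>Mon dd hh:mm:ss HOST message", what an ASA emits with timestamps on)
and the ':'-separated Additional firewall identifiers format described above.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Set

SYSLOG_RE = re.compile(
    r"^<\d{1,3}>"                                # PRI
    r"(?:[A-Z][a-z]{2}\s+\d{1,2}\s[\d:]{8}\s)?"  # optional BSD timestamp
    r"(?P<host>\S+)\s"                           # device identifier
    r"(?P<msg>.*)$"
)

# Constructed sample: an ASA pair whose standby node fw-b took over mid-stream.
SAMPLE_LOGS = [
    "<166>Jun 12 10:00:01 fw-a %ASA-6-302013: Built outbound TCP connection 11 ...",
    "<166>Jun 12 10:00:02 10.0.0.2 %ASA-6-302014: Teardown TCP connection 11 ...",
    "<166>Jun 12 10:00:03 fw-b %ASA-6-302013: Built outbound TCP connection 12 ...",
    "<166>Jun 12 10:00:04 fw-b %ASA-6-302014: Teardown TCP connection 12 ...",
    "not a syslog line at all",
]


def parse_identifiers(field: str) -> Set[str]:
    """Split the ':'-separated field, e.g. "1.1.1.1:2.2.2.2:ServerName".
    A bare IPv6 literal cannot be expressed in this format, since ':' separates."""
    return {part.strip() for part in field.split(":") if part.strip()}


def log_identifier(line: str) -> Optional[str]:
    """Return the host/IP the syslog line names as its source, or None."""
    match = SYSLOG_RE.match(line)
    return match.group("host") if match else None


def unrecognized_identifiers(lines: Iterable[str], primary_host: str,
                             extra_field: str) -> Dict[str, int]:
    """Map each identifier that AFA would not recognize to its line count.

    primary_host is the Firewall Host Name entered for the device; any line
    whose identifier is neither that nor one of the extra identifiers is a
    line AFA would not process."""
    known = {primary_host} | parse_identifiers(extra_field)
    seen: Counter = Counter()
    for line in lines:
        ident = log_identifier(line)
        if ident is not None and ident not in known:
            seen[ident] += 1
    return dict(seen)


def suggested_field(extra_field: str, unrecognized: Dict[str, int]) -> str:
    """Build the Additional firewall identifiers value that covers the
    unrecognized sources, preserving the existing entries."""
    parts = [p for p in [extra_field.strip().strip(":")] if p]
    parts += sorted(i for i in unrecognized if i not in parse_identifiers(extra_field))
    return ":".join(parts)


if __name__ == "__main__":
    missing = unrecognized_identifiers(SAMPLE_LOGS, "fw-a", "10.0.0.2:10.0.0.3")
    print(missing)                                        # {'fw-b': 2}
    print(suggested_field("10.0.0.2:10.0.0.3", missing))  # 10.0.0.2:10.0.0.3:fw-b
```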


Options

Real-time change monitoring: Select this option to enable real-time alerting
upon configuration changes. For details, see Configure real-time monitoring.

Set user permissions: Select this option to set user permissions for this
device.

The new device is added to the device tree.

4. If you selected Set user permissions, the Edit users dialog box appears.

In the list of users displayed, select one or more users to provide access to reports
for this account.

To select multiple users, press the CTRL button while selecting.

Click OK to close the dialog.

A success message appears to confirm that the device is added.

Cisco IOS routers in AFA


The following sections describe how Cisco IOS routers are added to AFA:

• Network connectivity

• Device permissions

• Add a Cisco IOS router

Network connectivity
The following diagram shows an ASMS Central Manager or Remote Agent connecting
to a Cisco IOS router.


Device permissions
ASMS requires the following for the user used to access your Cisco IOS routers:

• Device analysis

• ActiveChange

Device analysis

ASMS requires the ability to run the following commands on your Cisco IOS routers:

• show version

• show interface

• show ipv4 vrf all interface

• show ip interface

• show ipv6 interface

• show ip access-list

• show ipv6 access-list

• show bgp summary

• show running-config

• show ip route

• show bgp vpnv4 unicast labels

• show ipv4 vrf all interface brief

• show ip route vrf

Note: Some commands may be relevant only on IOS-XE and IOS-XR devices.

Tip: You may want to create a read-only user with specific permissions to run show
running-config view full.


For details, see Defining a limited-privilege Cisco IOS Router user for AFA data
collection in AlgoPedia.

ActiveChange

When ActiveChange is enabled, ASMS requires a user that is able to enter privileged
mode, using enable credentials (security level 15).

Add a Cisco IOS router


This procedure describes how to add a Cisco IOS router to AFA.

Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. In the vendor and device selection page, select Cisco > IOS Router.

3. Complete the fields as needed.

Access Information

Enter details for accessing your device.

Host: Enter the device's host name or IP address.

User Name: Enter the username to use for device access via SSH.

Password: Enter the password to use for device access via SSH.

Note: For Cisco IOS devices enabled for CyberArk, the Password and Enable User
Password must be the same.

Enable User Name: Enter the enable user name to use.

Note: This field is required.

Enable User Password: Do one of the following:

• Enter the enable user password to use.

• To specify an empty enable password, enter AlgoSec_no_passwd.

• If you do not want AFA to enter the enable mode, enter noenable.

Note: For Cisco IOS devices enabled for CyberArk, the Password and Enable User
Password must be the same.

Note: This field is required.

Retrieve credentials from CyberArk vault: Select this check box to authenticate
the device with a CyberArk Vault instead of saving the device credentials on the
AFA server. When selected, also enter the following CyberArk details for the
device being authenticated via CyberArk:

• Platform (Policy ID)

• Safe

• Folder

• Object

Note: These options only appear when CyberArk is configured in AFA. For details,
see Integrate AFA and CyberArk.

Geographic Distribution

Select the remote agent that should perform data collection for the device.

To specify that the device is managed locally, select Central Manager.

This field is relevant when a Geographic Distribution architecture is configured.

Baseline Configuration Compliance


To enable generation of Baseline Compliance Reports for this device, select the
baseline compliance profile to use.

The drop-down list includes all baseline compliance profiles in the system. For
more details, see Customize baseline configuration profiles.

To disable Baseline Compliance Report generation for this device, select None.

Note: If this router is divided into VRF modules, Baseline Compliance Reports
will only be generated for the root/default VRF.

Advanced

Select the following options as needed:

Include risk analysis and policy optimization: Select this option to include risk
analysis and policy optimization analysis in the device's reports. When this is
not selected, AFA produces condensed router reports which run as if there is no
license for risks, optimization or regulatory compliance. Reports still include
policy changes and baseline compliance. This option is disabled by default.

Note: Selecting this option will increase the analysis time for this router
significantly and might result in performance degradation.

Automatically add/remove VRF instances upon detection (Applies for all Cisco
Routers): Select this option to enable automatic updating of VRF instances for
all Cisco routers defined in AFA. The updates will be reflected in the device
tree and graphic network map, and the updates will affect the device license
usage.

Remote Management Capabilities

Select a data transmission method:


• SSH (more secure)

• Telnet

Define the following as needed:

Custom Port: To specify a custom port, select this option and type the port.
This option is only relevant when SSH is selected.

Number of allowed encryption keys: Enter the permitted number of different RSA
keys received from this device's IP address. Different RSA keys may be sent from
the same IP address in cases of cluster fail-over, device operating system
upgrades, etc. For example, if a cluster fail-over occurs, the secondary node
will send a new RSA key from the same IP address to AFA. If this number is set
to 1, the connection to the node will fail, resulting in a failed analysis.

Route Collection

Specify how AFA should acquire the device's routing information:

• Automatic. AFA will automatically generate the device's routing information
upon analysis or monitoring.

• Static Routing Table (URT). AFA will take the device's routing information
from a static file you provide. For details, see Specify routing data manually.

ActiveChange

Select this option to enable FireFlow to generate CLI recommendations and push
them to the device.

Checking this box will enable ActiveChange for all the supported Cisco firewalls,
Cisco IOS routers, and Juniper SRX firewalls (not only for this device).

Options

Select the following as needed:


Real-time change monitoring: Select this option to enable real-time change
monitoring. For details, see Configure real-time monitoring.

Set user permissions: Select this option to set user permissions for this
device.

4. If you enabled ActiveChange, the ActiveChange License Agreement dialog box
appears.

Select I Agree, and click OK.

5. Click Finish. The new device is added to the device tree.

6. If you selected Set user permissions, the Edit users dialog box appears.

In the list of users displayed, select one or more users to provide access to reports
for this account.

To select multiple users, press the CTRL button while selecting.

Click OK to close the dialog.

A success message appears to confirm that the device is added. The new device
appears in the device tree, including any VRF devices as unique nodes.

Cisco Nexus routers in AFA


The following sections describe how ASMS connects to Cisco Nexus routers:

• Network connection

• Device permissions

• Add a Cisco Nexus router to AFA

Network connection
The following diagram shows the connection between an ASMS Central Manager or
Remote Agent and a Cisco Nexus router over SSH.


Device permissions
To analyze Cisco Nexus router devices, ASMS requires the ability to run the following
commands on the Nexus device:

• show version

• show interface

• show ip interface

• show ip access-list

• show running-config

• show vdc membership (For Nexus 7000 and above)

• show vrf interface | xml

• show vrf all interface

• show ip route

• show ip route vrf all

• show vrf all

• show bgp vpnv4 unicast labels

For Nexus versions 7000 and above, ASMS must also have permissions to view all
VDCs.

Add a Cisco Nexus router to AFA


This procedure describes how to add a Cisco Nexus router to AFA.


Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. In the vendor and device selection page, select Cisco > Nexus Router.

3. Complete the fields as needed.

Access Information

Enter the following details for accessing your device from AFA:

Host: Enter the host name or IP address of the device.

User Name: Enter the user name to use for SSH access to the device.

Password: Enter the password to use for SSH access to the device.

Retrieve credentials from CyberArk vault: Select this check box to authenticate
the device with a CyberArk Vault instead of saving the device credentials on the
AFA server. When selected, also define the following:

• Platform (Policy ID)

• Safe

• Folder

• Object

Note: These options only appear when CyberArk is configured in AFA. For details,
see Integrate AFA and CyberArk.

Geographic Distribution

Select the remote agent that should perform data collection for the device.

To specify that the device is managed locally, select Central Manager.

This field is relevant when a Geographic Distribution architecture is configured.


Baseline Configuration Compliance

To enable generation of Baseline Compliance Reports for this device, select the
baseline compliance profile to use.

The drop-down list includes all baseline compliance profiles in the system. For
more details, see Customize baseline configuration profiles.

Note: To disable Baseline Compliance Report generation for this device,
select None.

Additional Information

Select the following as needed:

Include risk analysis and policy optimization: Select this option to include risk
analysis and policy optimization analysis in the device's reports. When this is
not selected, AFA produces condensed router reports which run as if there is no
license for risks, optimization or regulatory compliance. Reports still include
policy changes and baseline compliance. This option is disabled by default.

Note: Selecting this option will increase the analysis time for this router
significantly and might result in performance degradation.

Automatically add/remove VRF instances upon detection (Applies for all Cisco
Routers): Select this option to enable automatic updating of VRF instances for
all Cisco routers defined in AFA. The updates will be reflected in the device
tree and graphic network map, and the updates will affect the device license
usage.

Route Collection

Specify how AFA should acquire the device's routing information:


• Automatic. AFA will automatically generate the device's routing information
upon analysis or monitoring.

• Static Routing Table (URT). AFA will take the device's routing information
from a static file you provide. For more details, see Specify routing data
manually.

Remote Management Capabilities

Select a data transmission method:

• Telnet

• SSH (more secure)

Then define:

Custom Port: To specify a custom port, select this option and type the port. This option is only relevant when SSH is selected.

Number of allowed encryption keys: Enter the permitted number of different RSA keys received from this device's IP address. Different RSA keys may be sent from the same IP address in cases of cluster fail-over, device operating system upgrades, etc. For example, if a cluster fail-over occurs, the secondary node will send a new RSA key from the same IP address to AFA. If this number is set to 1, the connection to the node will fail, resulting in a failed analysis.

Options

Select the following as needed:

Real-time change monitoring: Select this option to enable real-time alerting upon configuration changes. For details, see Configure real-time monitoring.

Set user permissions: Select this option to set user permissions for this device.

4. Click Finish. The new device is added to the device tree.

5. If you selected Set user permissions, the Edit users dialog box appears.

In the list of users displayed, select one or more users to provide access to reports
for this account.

To select multiple users, press the CTRL button while selecting.

Click OK to close the dialog.

A success message appears to confirm that the device is added.

Cisco ASA firewalls in AFA


The following sections describe how ASMS connects to Cisco ASA firewalls:

• Network connection

• Device permissions

• Add a Cisco ASA firewall

Note: All references in the ASMS Tech Docs to Cisco ASA devices also refer to legacy PIX and FWSM devices. To add a new PIX or FWSM device to AFA, select the ASA options.

Network connection
The following diagram shows an ASMS Central Manager or Remote Agent connecting
to a Cisco ASA device:


Device permissions
ASMS requires the following permissions to connect to your Cisco ASA devices:

• Device analysis

• ActiveChange

• Log collection

Device analysis

ASMS requires the ability to run the following commands on your ASA device:

• show version

• show mode

• change to system

• show context

• show access-list

• show ipv6 access-list

• show running-config

• show route

• show ipv6

• terminal

• show cts sgt-map

Tip: You may want to create a separate user for ASMS, enabling the user to have a
security level 5.

For details, see Defining a limited-privilege PIX/ASA/FWSM user for AFA data
collection in AlgoPedia. This procedure is not relevant if you have ActiveChange
enabled.

ActiveChange

When ActiveChange is enabled, ASMS requires a user with read-write permissions that is able to enter privileged mode, using enable credentials (security level 15).

Log collection

ASMS supports the ability to collect logs either by receiving Syslog messages from the
device, or by collecting Syslog messages from a remote Syslog-ng server.

In either case, make sure that your Cisco ASA device is configured to send CISCO
106100 SYSLOG events to ASMS.

For example:

%FWSM-6-106100: access-list acl_ID {permitted | denied | est-allowed} protocol interface_name/source_address(source_port) -> interface_name/dest_address(dest_

These messages are logged when packets match an ACL statement, if you have the log
option for the access-list command configured.
The message level depends on the level defined for the access-list command. By default, this level is 6.

Note: Intelligent Policy Tuner analysis is supported for Cisco ASA versions 7.1 and
higher.

To use this feature, the device must send correct log messages, in type 106100,
and the device's ACLs must contain the keyword log.
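The following Python script is an added illustration, not AlgoSec code: it parses constructed 106100 messages in the format quoted above and reports whether a device is sending the event type and level that Intelligent Policy Tuner needs. The sample lines, host names and ACL names are all constructed for this example.

```python
"""Triage Cisco ASA/FWSM/PIX access-list syslog before relying on it for IPT.

Added example, not AlgoSec code. Sample lines, host names and ACL names below
are constructed. It checks the two properties the guide calls out: events
must be type 106100 (produced only by ACL entries carrying the `log` keyword)
and are expected at the default level 6.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Cisco message header: %<platform>-<severity>-<message id>:
_HEADER = re.compile(r"%(?P<platform>ASA|FWSM|PIX)-(?P<level>\d)-(?P<msg_id>\d{6}):")

# Body of a 106100 event as quoted in the guide. The optional "(user, sg)" groups
# after each endpoint and the trailing hit-cnt field are tolerated, not required.
_ACL_EVENT = re.compile(
    _HEADER.pattern + r" access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src>[^(\s]+)\((?P<sport>\d+)\)(?:\([^)]*\))? -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[^(\s]+)\((?P<dport>\d+)\)(?:\([^)]*\))?"
    r"(?: hit-cnt (?P<hits>\d+))?"
)


@dataclass(frozen=True)
class AclEvent:
    platform: str
    level: int
    msg_id: str
    acl: str
    action: str
    proto: str
    src_if: str
    src: str
    sport: int
    dst_if: str
    dst: str
    dport: int
    hits: Optional[int]


def parse_acl_event(line: str) -> Optional[AclEvent]:
    """Return the parsed 106100 event, or None for any other line."""
    m = _ACL_EVENT.search(line)
    if m is None or m.group("msg_id") != "106100":
        return None
    g = m.groupdict()
    return AclEvent(
        platform=g["platform"], level=int(g["level"]), msg_id=g["msg_id"],
        acl=g["acl"], action=g["action"], proto=g["proto"],
        src_if=g["src_if"], src=g["src"], sport=int(g["sport"]),
        dst_if=g["dst_if"], dst=g["dst"], dport=int(g["dport"]),
        hits=int(g["hits"]) if g["hits"] else None,
    )


def triage(lines: List[str]) -> Dict[str, int]:
    """Count what the device actually sends, so a feed with no 106100 events
    (typically ACLs without the `log` keyword) is noticed before an analysis
    runs without rule-usage data. 106023 deny messages, for instance, carry a
    different body and are counted as "other_cisco"."""
    counts = {"106100": 0, "106100_non_default_level": 0, "other_cisco": 0, "unparsed": 0}
    for line in lines:
        event = parse_acl_event(line)
        if event is not None:
            counts["106100"] += 1
            if event.level != 6:
                counts["106100_non_default_level"] += 1
        elif _HEADER.search(line):
            counts["other_cisco"] += 1
        else:
            counts["unparsed"] += 1
    return counts


# Constructed sample lines, in the shape a syslog-ng relay might store them.
SAMPLE_LINES = [
    "<166>May 04 2020 10:15:01 asa-edge-1 : %ASA-6-106100: access-list ACL_IN permitted tcp "
    "inside/10.1.1.5(1024) -> outside/203.0.113.7(443) hit-cnt 1 first hit [0x8ed66b60, 0x0]",
    "<166>May 04 2020 10:15:02 asa-edge-1 : %ASA-6-106100: access-list ACL_IN denied udp "
    "inside/10.1.1.9(5353) -> outside/198.51.100.2(53) hit-cnt 12 300-second interval [0x1a2b3c4d, 0x0]",
    "<163>May 04 2020 10:15:03 asa-edge-1 : %ASA-3-106100: access-list ACL_DMZ permitted tcp "
    "dmz/192.0.2.10(40001)(LOCAL\\svc-web, 0:0) -> inside/10.1.2.20(8443)(, 0:0) hit-cnt 1 first hit [0x0, 0x0]",
    "<164>May 04 2020 10:15:04 asa-edge-1 : %ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 "
    "dst inside:10.1.1.5/22 by access-group \"ACL_OUT\" [0x0, 0x0]",
    "<166>May 04 2020 10:15:05 fwsm-core : %FWSM-6-106100: access-list acl_core est-allowed tcp "
    "core/10.20.0.4(3306) -> app/10.30.0.7(51234) hit-cnt 1 first hit [0x0, 0x0]",
    "<13>May 04 2020 10:15:06 syslog-ng[1234]: Log statistics; processed='center(received)=5'",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_acl_event(line))
    print(triage(SAMPLE_LINES))
```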

Add a Cisco ASA firewall


This procedure describes how to add a Cisco ASA firewall to AFA.

Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. In the vendor and device selection page, select Cisco > ASA.


3. Complete the fields as needed.

Access Information

Enter details to access your device from AFA:

Host: Enter the device's host name or IP address.

User Name: Enter the user name to use for SSH access to the device.

Note: AFA partially supports user awareness for Cisco ASA devices. The network user appears as a field for each rule in the Policy tab, but is not used in traffic simulation queries.

Password: Enter the password to use for SSH access to the device.

Note: For Cisco ASA devices enabled for CyberArk, the Password and Enable User Password must be the same.

Enable User Password: Enter the enable user password to use:
  • noenable. Skip running the enable command.
  • Algosec_no_passwd. The enable password is empty.
  • Leave the field empty. AFA will issue a login command instead of the enable command, using the same password provided for the SSH connection.

Note: For Cisco ASA devices enabled for CyberArk, the Password and Enable User Password must be the same.


Retrieve credentials from CyberArk vault: Select to authenticate the device with a CyberArk Vault instead of saving the device credentials on the AlgoSec server. When selected, also enter the following CyberArk details for the device being authenticated:
  • Platform (Policy ID)
  • Safe
  • Folder
  • Object

Note: These options only appear when CyberArk is configured in AFA. For details, see Integrate AFA and CyberArk.

Geographic Distribution

Select the remote agent that should perform data collection for the device.

To specify that the device is managed locally, select Central Manager.

Note: This field is only relevant when a Geographic Distribution architecture is configured.

Baseline Configuration Compliance

To enable generation of Baseline Compliance Reports for this device, select the
baseline compliance profile to use.

The drop-down list includes all baseline compliance profiles in the system.

To disable Baseline Compliance Report generation for this device, select None.

For more details, see Customize baseline configuration profiles.

Remote Management Capabilities

Select one of the following methods to collect data:


• SSH (recommended)

• Telnet

Then define:

Custom Port: To specify a custom port, select this option and type the port. This option is only relevant when SSH is selected.

Number of allowed encryption keys: Enter the permitted number of different RSA keys received from this device's IP address. Different RSA keys may be sent from the same IP address in cases of cluster fail-over, device operating system upgrades, etc. For example, if a cluster fail-over occurs, the secondary node will send a new RSA key from the same IP address to AFA. If this number is set to 1, the connection to the node will fail, resulting in a failed analysis.

Route Collection

Specify how AFA should acquire the device's routing information:

• Automatic. AFA will automatically generate the device's routing information upon analysis or monitoring.

• Static Routing Table (URT). AFA will take the device's routing information from a static file you provide. For more details, see Specify routing data manually.

Rules View

Specify how rules should be displayed in device reports:

• ASDM: Display rules in the Cisco Adaptive Security Device Manager (ASDM) graphical interface.

• CLI (Default): Display rules in command line format.


Note: Intelligent Policy Tuner and the Unused objects within rules list are available only with ASDM.

Log Collection and Monitoring

Define the following as needed:

Log collection method: Specify the log collection method that AFA should use when collecting traffic logs for the Cisco device, by selecting one of the following:
  • Hit-counters: Only use hit-counter data. The Change History report page will be based on last modified timestamps. Intelligent Policy Tuner is disabled.
  • Standard: Use hit-counter data for rule usage, and Syslog data for the Change History report page. Intelligent Policy Tuner is disabled.
  • Extensive (Default): Combine data from both hit-counters and Syslog. Intelligent Policy Tuner is enabled.

Note: This method is available only when ASDM is selected in the Rules view area. For details, see Rules View.

Syslog-ng server: If you selected Standard or Extensive in the Log collection method field, you must specify the syslog-ng server. For details, see Specify a Syslog-ng server.


Additional firewall identifiers: Enter any additional IP addresses or host names that identify the device. When adding multiple entries, separate values by a colon (:). For example: 1.1.1.1:2.2.2.2:ServerName. This is relevant when the device is represented by multiple or non-standard device identifiers in the logs, for example, in cases of firewall clusters or non-standard logging settings. If AFA receives logs with an identifier it does not recognize, the logs will not be processed.

Note: This field is only relevant for the parent device, and not for sub-systems. For more details, see Add additional device identifiers for sub-systems.

Log collection frequency (minutes): Enter the interval of time in minutes, at which AFA should collect logs for the device.

ActiveChange

Select this option to enable FireFlow to generate CLI recommendations and push
them to the device.

Checking this box will enable ActiveChange for all the supported Cisco firewalls,
Cisco IOS routers, and Juniper SRX firewalls (not only for this device).

Options

Select the following as needed:

Real-time change monitoring: Select this option to enable real-time alerting upon configuration changes. For details, see Configure real-time monitoring.

Set user permissions: Select this option to set user permissions for this device.


4. If you enabled ActiveChange, the ActiveChange License Agreement dialog box appears.

Select I Agree, and click OK.

5. Click Finish. The new device is added to the device tree.

6. If you selected Set user permissions, the Edit users dialog box appears.

In the list of users displayed, select one or more users to provide access to reports
for this account.

To select multiple users, press the CTRL button while selecting.

Click OK to close the dialog.

A success message appears to confirm that the device is added. Any configured
contexts on the ASA device are also imported.

Cisco Application Centric Infrastructure (ACI) devices in AFA


The following sections describe how ASMS connects to Cisco ACI devices:

• Network connectivity

• Device permissions

• Add a Cisco (ACI) to AFA

Network connectivity
The following image shows an ASMS Central Manager or Remote Agent connecting to
a Cisco ACI APIC and fabric.


Device permissions
ASMS requires the following permissions to access Cisco ACI devices:

• Device analysis

• ActiveChange

Device analysis

ASMS requires minimal, read-only access permissions to access Cisco ACI devices and collect data.

The user defined on the ACI APIC controller must have a minimum of readPriv
permissions on Security Domains All.

For example:


ActiveChange

When ActiveChange is enabled, ASMS requires writePriv permissions on Security Domains All.

For example:

Add a Cisco (ACI) to AFA


This procedure describes how to connect Cisco ACI devices to AFA. AFA always
connects to Cisco ACI devices via REST.


Note: To identify service graph data in queries and change requests, you must
specifically configure AFA to recognize that data. For details, see Configure support
for Cisco service graphs.

Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. In the vendor and device selection page, select Cisco > Application Centric
Infrastructure (ACI).

3. Populate the fields as follows:

Access Information

Enter details to access your device from AFA:

Host: Enter the device's host name or IP address.

Tip: Typically, your APIC cluster has three nodes. Specify the host name or IP address of only one of the APIC nodes. If the node you added goes down, you'll need to switch your AFA device configuration to another node. Edit the device configuration in AFA and enter the host name or IP address of that second node.

User Name: Enter the user name to use to access the device.

Password: Enter the password to use to access the device.

Geographic Distribution

Select a remote agent to perform data collection for the device, if relevant.

To configure the device to be managed locally, select Central Manager.


Route Collection

Determine how AFA acquires the device's routing information. Select one of the
following:

• Automatic. AFA automatically generates the device's routing upon analysis or monitoring.

• Static Routing Table (URT). AFA takes the device's routing information from a static file you provide. For details, see Specify routing data manually.

ActiveChange

Select this option to enable FireFlow to generate CLI recommendations and push
them to the device.

Checking this box will enable ActiveChange for all the supported Cisco firewalls,
Cisco IOS routers, and Juniper SRX firewalls (not only for this device).

Options

Select either of the following options:

• Real-time change monitoring. Enable real-time alerting upon configuration changes. For details, see Configure real-time monitoring.

• Set user permissions. Set user permissions for this device.

4. If you enabled ActiveChange, the ActiveChange License Agreement dialog box appears.

Select I Agree, and click OK.

5. Click Finish. The new device is added to the device tree.

  • ACI devices appear in the device tree in a two-tier hierarchy, including both APICs and tenants.

  • EPGs are shown with the following syntax: <application_profile>/<EPG_name>. For more details, see EPG identification and supported contract scopes.

  • Any VRFs on the map are shown with the following syntax: <Tenant_name>/<VRF_name>

  • vzAny objects are shown with the following syntax: <VRF_name>/vzAny.

AFA updates the contents of these objects upon change monitoring and analysis.

6. If you selected Set user permissions, the Edit users dialog box appears.

In the list of users displayed, select one or more users to provide access to reports
for this account.

To select multiple users, press the CTRL button while selecting.

Click OK to close the dialog.

A success message appears to confirm that the device is added. The ACI and each
ACI tenant is displayed in the device tree.

EPG identification and supported contract scopes

During analysis, AFA reads all configuration data from ACI and saves EPG values
according to the following logic:

• If an EPG is associated to specific VMs, their IP addresses are saved as the EPG value.

• Otherwise, AFA reads the subnets associated with the Bridge Domains (BD) and considers these subnets for the EPG(s) connected to that BD.

The AFA Policy tab displays the following contract scopes for ACI EPGs:

• ApplicationProfile. Supported when the contract is assigned to an EPG that belongs to a single Application Profile.

• Global. Not supported for imported or exported contracts.

• Tenant.

• VRF. If the source or destination belong to different VRFs, AFA shows expanded rules, one for each VRF.

Configure support for Cisco service graphs

If you want to be able to identify service graph data in queries and change requests, you
must specifically configure AFA to recognize that data.

Do the following:

1. Ensure that your device has the following vendor property definition: fip_additional_devices_set_support = yes.

This parameter is set to yes by default, and is defined in the /home/afa/.fa/config file.

2. Create a CSV file named devicesSetDefinition.csv. Save this file on the AFA
machine, in the /home/afa/.fa/ directory.

3. Populate the devicesSetDefinition.csv file with tenant, service graph, and device
mapping data, as shown in the following example:

Tenant Name    Service Graph Redirect Name    Devices
Jasmine_ACI    SG_HTTP_S                      CKP1, F51
Jasmine_ACI    SG_HTTP3                       PAN1
Flower_ACI     SG_eCommerce                   PAN1, PAN2
Begal_ACI      SG_2                           FP1, F52
Begal_ACI      SG_SQL                         FP1, F52

Note: In this file, device names must be exact matches to the names used to
identify the devices in ASMS.

4. Create another CSV file, in the same /home/afa/.fa/ directory, named devicesSetConnection.csv.


5. In the devicesSetConnection.csv file, define the network logic used to define the
service graph redirect. Use source and destination addresses, as shown in the
following example:

Source                     Destination    Tenant Name    Service Graph Redirect Name
10.1.0.0 -10.1.0.255.255   10.2.1.6       Jasmine_ACI    SG_HTTP_S
10.1.1.3                   10.2.1.6       Jasmine_ACI    SG_HTTP3
10.5.7.3-10.5.7.8          10.9.1.5       Flower_ACI     SG_eCommerce
192.1.1.3                  192.2.1.6      Begal_ACI      SG_2
0.0.0.0-255.255.255.255    10.3.1.1       Begal_ACI      SG_SQL

Service graph data is now recognized in AFA queries and FireFlow change requests.
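The following Python script is an added illustration, not AlgoSec's own code: it reads constructed copies of the two CSV files in the column layout shown in the steps above and resolves a query's source and destination to the service graph redirects and the devices in their path. It assumes both files are comma-separated with a header row, that multiple device names are separated by commas, and that a Source or Destination cell holds either one IPv4 address or an "a.b.c.d-e.f.g.h" range; none of these details is specified on this page.

```python
"""Resolve a query's source/destination to ACI service graph redirects.

Added example, not AlgoSec code. Assumptions (not stated in the guide): both
CSV files are comma-separated with a header row, the Devices cell lists names
separated by commas, and Source/Destination cells hold one IPv4 address or an
inclusive "low-high" range. The file contents below are constructed.
"""
import csv
import io
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed content in the column layout of devicesSetDefinition.csv.
DEVICES_SET_DEFINITION = """\
Tenant Name,Service Graph Redirect Name,Devices
Jasmine_ACI,SG_HTTP_S,"CKP1, F51"
Jasmine_ACI,SG_HTTP3,PAN1
Flower_ACI,SG_eCommerce,"PAN1, PAN2"
Begal_ACI,SG_SQL,"FP1, F52"
"""

# Constructed content in the column layout of devicesSetConnection.csv.
# SG_2 is deliberately left out of the definition file above to show how a
# graph with no device mapping is reported.
DEVICES_SET_CONNECTION = """\
Source,Destination,Tenant Name,Service Graph Redirect Name
10.1.0.0-10.1.255.255,10.2.1.6,Jasmine_ACI,SG_HTTP_S
10.1.1.3,10.2.1.6,Jasmine_ACI,SG_HTTP3
10.5.7.3 - 10.5.7.8,10.9.1.5,Flower_ACI,SG_eCommerce
192.1.1.3,192.2.1.6,Begal_ACI,SG_2
0.0.0.0-255.255.255.255,10.3.1.1,Begal_ACI,SG_SQL
"""

# Constructed set of device names as they would be defined in ASMS.
KNOWN_ASMS_DEVICES = {"CKP1", "F51", "PAN1", "PAN2", "FP1"}

IPRange = Tuple[int, int]
GraphKey = Tuple[str, str]  # (tenant name, service graph redirect name)


def parse_ip_cell(cell: str) -> IPRange:
    """Accept "10.1.1.3" or "10.1.0.0-10.1.255.255" (spaces tolerated) and
    return an inclusive (low, high) pair of integer addresses."""
    low, sep, high = cell.replace(" ", "").partition("-")
    lo = int(ipaddress.IPv4Address(low))
    hi = int(ipaddress.IPv4Address(high)) if sep else lo
    if hi < lo:
        raise ValueError(f"inverted range: {cell!r}")
    return lo, hi


def load_definitions(text: str) -> Dict[GraphKey, List[str]]:
    """(tenant, graph) -> device names, from devicesSetDefinition.csv."""
    out: Dict[GraphKey, List[str]] = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["Tenant Name"].strip(), row["Service Graph Redirect Name"].strip())
        out[key] = [d.strip() for d in row["Devices"].split(",") if d.strip()]
    return out


def load_connections(text: str) -> List[Tuple[IPRange, IPRange, GraphKey]]:
    """Rows of devicesSetConnection.csv as (source range, destination range, graph)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["Tenant Name"].strip(), row["Service Graph Redirect Name"].strip())
        rows.append((parse_ip_cell(row["Source"]), parse_ip_cell(row["Destination"]), key))
    return rows


def resolve(src: str, dst: str, connections, definitions) -> Dict[GraphKey, List[str]]:
    """Every graph whose Source/Destination row covers the query, with its devices.
    A graph named in the connection file but absent from the definition file is
    returned with an empty device list so the gap is visible, not silently dropped."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    matches: Dict[GraphKey, List[str]] = {}
    for (slo, shi), (dlo, dhi), key in connections:
        if slo <= s <= shi and dlo <= d <= dhi:
            matches[key] = list(definitions.get(key, []))
    return matches


def unknown_device_names(definitions: Dict[GraphKey, List[str]], known: Set[str]) -> Set[str]:
    """Names in the definition file that do not exactly match an ASMS device
    name; the guide requires exact matches, so these rows will not map."""
    return {d for devices in definitions.values() for d in devices if d not in known}


if __name__ == "__main__":
    defs = load_definitions(DEVICES_SET_DEFINITION)
    conns = load_connections(DEVICES_SET_CONNECTION)
    print(resolve("10.1.1.3", "10.2.1.6", conns, defs))
    print("unknown device names:", unknown_device_names(defs, KNOWN_ASMS_DEVICES))
```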

Tip: Alternatively, advanced administrators can configure a script that resolves service graph redirects based on any custom logic using FireFlow ticket fields as parameters.

We recommend contacting AlgoSec professional services to configure this sort of custom logic.

Configure firewalls in path (FIP) functionality for ACI tenants and VRFs

By default, AFA query results include ACI tenants with either of the following criteria:

• ACI tenants with a BD that intersects with the query source or destination

• ACI tenants where one or more of the tenant's VRFs is included in the query path

ASMS administrators can configure AFA to identify ACI tenants only when the tenant's
VRF is included in the query path. Do the following:

1. On your AFA machine, browse to and open the devicedriver-cisco-aci.properties file for editing. This file is located in the /data/algosec-ms/config directory on your AFA machine.


2. Update the devicedriver.cisco.aci.protectedCloudHostsEnabled parameter value to false.

Cisco Firepower devices in AFA


The following sections describe how ASMS connects to Cisco Firepower devices:

• Network connectivity

• Device permissions

• Add a Cisco Firepower

Note: AFA automatically identifies Cisco Firepower devices in service-chaining mode if the device has only a single interface.

If your device has multiple interfaces and service-chaining mode is not identified automatically, configure this for your device manually. For more details, see Configure one-armed mode manually.

Network connectivity
The following diagram shows an ASMS Central Manager or Remote Agent connecting
to a Cisco Firepower device:

Device permissions
ASMS requires the following device permissions to connect to Cisco Firepower devices:

Device analysis


The Cisco Firepower system includes both the Firepower Management Center (FMC)
and the Firepower Threat Defense (FTD) firewalls.

AFA manages the FMC directly, mainly supporting the FTD via the FMC API. In addition, AFA collects routing and baseline compliance data directly from the FTD via SSH.

Therefore, AFA must have both of the following access rights:

• API (HTTPS) access to the FMC

• SSH access to the FTD. AFA does not support direct access to the FDM API.

To connect to your device, ASMS requires a user that is:

• Dedicated for ASMS. Connecting to the device using any other user may cause that user to be logged out of the Firepower UI at each monitoring cycle, as well as for any changes made to the Firepower device via ASMS.

• In the Global domain

• An Administrator user with a read-only role.

For example:

Note: The Administrator level role is required due to FMC limitations for fetching
Audit logs.

ActiveChange

When ActiveChange is enabled, ASMS requires read-write permissions.


The user must continue to maintain Administrator permissions.

Add a Cisco Firepower


This procedure describes how to add a Cisco Firepower device to AFA.

Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. In the vendor and device selection page, select Cisco > Firepower.

3. Complete the following fields as needed.

Access Information

Enter details to access the device from AFA:

Host: Enter the hostname or IP address of the FMC.

User Name: Enter the username to use for SSH access to the FMC device.

Note: AFA does not support user or network application awareness for Cisco Firepower. The network application appears as a field for each rule in the Policy tab, but is not used in traffic simulation queries.

Password: Enter the password to use for SSH access to the FMC device.

Geographic Distribution

Select the remote agent that should perform data collection for the device.

To specify that the device is managed locally, select Central Manager.

This field is relevant when a Geographic Distribution architecture is configured.

ActiveChange

Select this option to allow FireFlow to automatically implement changes on the device.

4. Click Next to continue on to the FirePower - Step 2/2 page. This page lists the
FTDs that are managed by the Firepower FMC.

For example:

5. To exclude an FTD, clear its check box in the table.

6. Click to configure details for the selected FTDs.

In the Direct Access Configuration, define the Host, User Name, and Password,
and Baseline Profile for each FTD.

Tip: To disable Baseline Compliance Report generation for this device, select None.

For more details, see Customize baseline configuration profiles.

For example:

Click Test Connectivity to test the connections to the FTDs defined, and then click
OK.

Note: You must specify the credentials for each FTD in order for AFA to collect
routing data it needs to accurately analyze the device.

7. Select the following as needed:

Real-time change monitoring: Select this option to enable real-time alerting upon configuration changes. For details, see Configure real-time monitoring.

Set user permissions: Select this option to set user permissions for this device.

8. If you enabled ActiveChange, the ActiveChange License Agreement dialog box appears.

Select I Agree, and click OK.


9. Click Finish.

The new device is added to the device tree.

10. If you selected Set user permissions, the Edit users dialog box appears.

In the list of users displayed, select one or more users to provide access to reports
for this account.

To select multiple users, press the CTRL button while selecting.

Click OK to close the dialog.

A success message appears to confirm that the device is added.

Configure one-armed mode manually


AFA automatically identifies Cisco Firepower devices in one-armed mode, when the
device has a single interface. If your device has multiple interfaces and one-armed
mode is not identified automatically, configure this for your device manually.

Do the following:

1. On the AFA machine, access your device configuration meta file as follows:

/home/afa/.fa/firewalls/<device_name>/fwa.meta

where <device_name> is the name of the device listed. If your device is listed multiple times, enter the longer name.

2. On a new line, enter:

is_steering_device=yes

3. Run an analysis on the device to update the device data in AFA.

Add F5 BIG-IP load balancers


This topic describes how to add F5 load balancers to AFA, including LTM-only devices
and LTM and AFM devices.


If you have both LTM and AFM devices, and you do not need FireFlow support, use the
LTM and AFM option. If you have only an LTM device, or if you have both but need
FireFlow support, use the LTM-only option.

F5 BIG-IP LTM-only device support


This section describes how AFA connects to F5 BIG-IP LTM-only load balancers.

• Device permissions

• Add an F5 BIG-IP LTM-only device to AFA

Device permissions
The user connecting to the F5 device can have any role, but the User Partition must be
ALL.

Terminal access must be set to tmsh or Advanced shell.

Add an F5 BIG-IP LTM-only device to AFA


This procedure describes how to add an F5 BIG-IP LTM-only device to AFA.

Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. On the vendor and device selection page, select F5 > BIG-IP LTM Only.

3. Complete the fields as needed, and then click Finish.

Access Information

Type: F5 BIG-IP LTM Only. This field is read-only.

Host: Enter the host name or IP address of the device.

User Name: Enter the user name to use for SSH access to the device.

Password: Enter the password to use for SSH access to the device.


Geographic Distribution

Select the remote agent that should perform data collection for the device.

To specify that the device is managed locally, select Central Manager.

This field is relevant when a Geographic Distribution architecture is configured.

Baseline Configuration Compliance

To enable generation of Baseline Compliance Reports for this device, select the
baseline compliance profile to use.

The drop-down list includes all baseline compliance profiles in the system. For
more details, see Customize baseline configuration profiles.

To disable Baseline Compliance Report generation for this device, select None.

Route Collection

Specify how AFA should acquire the device's routing information:

• Automatic. AFA will automatically generate the device's routing information upon analysis or monitoring.

• Static Routing Table (URT). AFA will take the device's routing information from a static file you provide. For details, see Specify routing data manually.

Remote Management Capabilities

This area enables you to select and define a data transfer method. Only SSH is supported, using either the default or a custom port.

Define the following as needed:

Custom Port: To specify a custom port, select this option and type the port. This option is only relevant when SSH is selected.

Number of allowed encryption keys: Enter the permitted number of different RSA keys received from this device's IP address. Different RSA keys may be sent from the same IP address in cases of cluster fail-over, device operating system upgrades, etc. For example, if a cluster fail-over occurs, the secondary node will send a new RSA key from the same IP address to AFA. If this number is set to 1, the connection to the node will fail, resulting in a failed analysis. Default = unlimited.
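The following Python model is an added illustration, not AFA's implementation: it reproduces the behaviour described for the Number of allowed encryption keys field (the same field appears for Cisco routers and ASA devices earlier in this chapter) on a constructed cluster fail-over, so the effect of a limit of 1, a limit of 2, and the unlimited default can be compared. "Unlimited" is modelled as None, and the key fingerprints and cluster address are constructed.

```python
"""Model of the "Number of allowed encryption keys" host-key policy.

Added example, not AFA's implementation. It follows the behaviour the guide
describes: RSA host keys are counted per device IP address, a key seen before
is accepted, and a new key beyond the limit makes the connection fail. None
models the "unlimited" default, under which every key is accepted and a
substituted host key would never be noticed. All values below are constructed.
"""
from typing import Dict, List, Optional


class HostKeyPolicy:
    def __init__(self, max_keys: Optional[int]):
        if max_keys is not None and max_keys < 1:
            raise ValueError("max_keys must be >= 1 or None for unlimited")
        self.max_keys = max_keys
        self._seen: Dict[str, List[str]] = {}  # ip -> keys accepted so far

    def accept(self, ip: str, fingerprint: str) -> bool:
        """Return True if a connection presenting this host key may proceed."""
        keys = self._seen.setdefault(ip, [])
        if fingerprint in keys:
            return True               # a key this address has used before
        if self.max_keys is not None and len(keys) >= self.max_keys:
            return False              # one key too many: the analysis would fail
        keys.append(fingerprint)      # first sight of this key: trust on first use
        return True

    def keys_for(self, ip: str) -> List[str]:
        return list(self._seen.get(ip, []))


# Constructed fail-over scenario: the primary node's key is seen first, then the
# secondary node takes over the shared IP address and presents its own key.
CLUSTER_IP = "10.0.0.1"
PRIMARY_KEY = "SHA256:primary-node-key-constructed"
SECONDARY_KEY = "SHA256:secondary-node-key-constructed"


def simulate_failover(max_keys: Optional[int]) -> List[bool]:
    """Outcome of three collection attempts: before fail-over, right after it,
    and after fail-back to the primary node."""
    policy = HostKeyPolicy(max_keys)
    return [
        policy.accept(CLUSTER_IP, PRIMARY_KEY),
        policy.accept(CLUSTER_IP, SECONDARY_KEY),
        policy.accept(CLUSTER_IP, PRIMARY_KEY),
    ]


if __name__ == "__main__":
    for limit in (1, 2, None):
        print(f"limit={limit}: {simulate_failover(limit)}")
```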

Log Collection and Monitoring

Define the following as needed:

Log collection method: Specify the log collection method that AFA should use when collecting audit logs for the F5 load balancer, by selecting one of the following:
  • Extensive (Default): Not applicable. Intelligent Policy Tuner (IPT) is not available for F5 devices.
  • Standard: Use Syslog data for the Change History report page. IPT is disabled.
  • None. Disables the other Log Collection and Monitoring fields.

Note: This device type supports audit logs only.

Syslog-ng server: If you selected Standard or Extensive in the Log collection method field, you must specify the syslog-ng server. For details, see Specify a Syslog-ng server.


Additional firewall identifiers: Enter any additional IP addresses or host names that identify the device. When adding multiple entries, separate values by a colon (:). For example: 1.1.1.1:2.2.2.2:ServerName. This is relevant when the device is represented by multiple or non-standard device identifiers in the logs, for example, in cases of firewall clusters or non-standard logging settings. If AFA receives logs with an identifier it does not recognize, the logs will not be processed.

Note: This field is only relevant for the parent device, and not for sub-systems. For more details, see Add additional device identifiers for sub-systems.

Log collection frequency (minutes): Enter the interval of time in minutes, at which AFA should collect logs for the device. The default value is 60.

Options

Real-time change monitoring: Select this option to enable real-time alerting upon configuration changes. For more details, see Configure real-time monitoring.

Set user permissions: Select this option to set user permissions for the device.

The new device is added to the device tree.

4. If you selected Set user permissions, the Edit users dialog box appears.

In the list of users displayed, select one or more users to provide access to reports
for this account.

To select multiple users, press the CTRL button while selecting.

Click OK to close the dialog.

A success message appears to confirm that the device is added.


F5 BIG-IP LTM and AFM support


This section describes how AFA connects to F5 BIG-IP LTM and AFM devices.

• Network connection

• Device permissions

• Add an F5 BIG-IP LTM and AFM to AFA

Network connection
The following diagram shows an ASMS Central Manager or Remote Agent connecting to an F5 BIG-IP LTM and AFM device.

Device permissions
ASMS requires an Administrator role on all partitions to access your F5 BIG-IP LTM
and AFM device for basic analysis and change management. Additionally, Tmsh for
terminal access is required for Baseline Compliance functionality.

For more details, see F5 BIG-IP LTM+AFM - data collection authentication method in
AlgoPedia.

Add an F5 BIG-IP LTM and AFM to AFA


This procedure describes how to add an F5 BIG-IP LTM and AFM device to AFA, and
should be used when your device uses AFM and you do not need FireFlow support.

Note: If you need FireFlow support, add an F5 BIG-IP LTM Only device. For details, see Add an F5 BIG-IP LTM-only device to AFA.


Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. On the vendor and device selection page, select F5 > BIG-IP LTM and AFM.

3. Complete the fields as needed, and then click Finish.

Access Information

Type: F5 BIG-IP LTM and AFM. This field is read-only.

Host: Enter the host name or IP address of the device.

User Name: Enter the user name to use for access to the device.

Password: Enter the password to use for access to the device.

Retrieve credentials from CyberArk vault: Select this check box to authenticate the device with a CyberArk Vault instead of saving the device credentials on the AlgoSec server. When selected, also enter the following CyberArk details for the device being authenticated via CyberArk:
  • Platform (Policy ID)
  • Safe
  • Folder
  • Object

Note: These options only appear when CyberArk is configured in AFA. For details, see Integrate AFA and CyberArk.

Geographic Distribution

Select the remote agent that should perform data collection for the device.

To specify that the device is managed locally, select Central Manager.


This field is relevant when a Geographic Distribution architecture is configured.

Baseline Configuration Compliance

To enable generation of Baseline Compliance Reports for this device, select the
baseline compliance profile to use.

The drop-down list includes all baseline compliance profiles in the system. For
more details, see Customize baseline configuration profiles.

To disable Baseline Compliance Report generation for this device, select None.

Route Collection

Specify how AFA should acquire the device's routing information:

- Automatic. AFA will automatically generate the device's routing information upon analysis or monitoring.

- Static Routing Table (URT). AFA will take the device's routing information from a static file you provide. For details, see Specify routing data manually.

Log Collection and Monitoring

Define the following as needed:

Log collection method: Specify the log collection method that AFA should use when collecting audit logs for the F5 load balancer, by selecting one of the following:
- Extensive (Default): Not applicable. Intelligent Policy Tuner (IPT) is not available for F5 devices.
- Standard: Use Syslog data for the Change History report page. IPT is disabled.
- None: Disables the other Log Collection and Monitoring fields.

Note: This device type supports audit logs only.


Syslog-ng server: If you selected Standard or Extensive in the Log collection method field, you must specify the syslog-ng server. For details, see Specify a Syslog-ng server.

Additional firewall identifiers: Enter any additional IP addresses or host names that identify the device. When adding multiple entries, separate values with a colon (:). For example: 1.1.1.1:2.2.2.2:ServerName.
This is relevant when the device is represented by multiple or non-standard device identifiers in the logs, for example, in cases of firewall clusters or non-standard logging settings. If AFA receives logs with an identifier it does not recognize, the logs will not be processed.

Note: This field is only relevant for the parent device, and not for sub-systems. For more details, see Add additional device identifiers for sub-systems.

Log collection frequency (minutes): Enter the interval of time in minutes, at which AFA should collect logs for the device. The default value is 60.

Options

Real-time change monitoring: Select this option to enable real-time alerting upon configuration changes. For more details, see Configure real-time monitoring.

Set user permissions: Select this option to set user permissions for the device.

4. If you selected Set user permissions, the Edit users dialog box appears.

In the list of users displayed, select one or more users to provide access to reports
for this account.

To select multiple users, press the CTRL button while selecting.


Click OK to close the dialog.

A success message appears to confirm that the device is added.

Add Fortinet devices


This topic describes how Fortinet FortiManager and FortiGate devices are connected to
AFA.

Fortinet network connections


The following image shows an ASMS Central Manager or Remote Agent connected to
Fortinet FortiManager and FortiGate devices.

Note: If syslog messages are sent via FortiAnalyzer device, a separate connection is
required.

FortiManager device permissions


ASMS requires the following permissions when connecting to FortiManager devices:

Device analysis

AFA requires a user account with Restricted_User permissions to connect to the FortiManager device.

Read-only permissions are sufficient.


Note: FortiManager v5.2.3 and above with REST access must have permissions for
rpc-permit (set rpc-permit read).

ActiveChange

When ActiveChange is enabled, AFA requires a user account with Super_User permissions and read-write access.


Note: FortiManager v5.2.3 and above with REST access and ActiveChange must
have read-write permissions for rpc-permit (set rpc-permit read-write).

FortiGate device permissions


AFA requires read-only permissions to connect to FortiGate devices.

In the FortiGate web interface, in the Admin Profile configuration > Access Control,
select an option that is at least read-only.


- If device configuration consists of VDOMs, the user must be configured with set scope global. Users configured with set scope vdom are not supported for AFA.

- If the FortiGate device is defined directly in AFA as opposed to via a FortiManager device, AFA does not support a user defined only on the managing FortiManager.

Add a Fortinet FortiManager device to AFA


This procedure describes how to add a Fortinet FortiManager device to AFA.

Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. In the vendor and device selection page, select Fortinet > FortiManager.

3. Complete the fields as needed.

Access Information

Host: Enter the host name or IP address of the device.

User Name: Enter the user name to use for accessing the device. This user name must be a super-user.
If Administrative Domains (ADOMs) are used:
- To analyze only devices under a specific ADOM, specify a specific ADOM's administrator credentials.
- To analyze all devices under all ADOMs, provide the credentials of a global administrator.
- When analyzing devices as a global administrator, no other action is required. Otherwise, some manual configuration may be required. Contact AlgoSec support for more information.

Password: Enter the password to use for accessing the device.


Connect via: For FortiManager version 5.2.3 and above, select REST. For earlier versions, select SSH and SOAP.
You must enable the relevant web service on the device itself. For more details, see Enable the relevant API in the FortiNet FortiManager device.

Custom Port: To specify a custom port, select this option and type the port. This option is only relevant when REST is selected.

The following fields are relevant only when CyberArk is configured. For details, see Integrate AFA and CyberArk.

Retrieve credentials from CyberArk vault: Select this check box to authenticate the device with CyberArk Vault instead of saving the device credentials on the AlgoSec server.

Platform (Policy ID): Enter the Platform for this device which will be authenticated via CyberArk.

Safe: Enter the safe for this device which will be authenticated via CyberArk.

Folder: Enter the folder for this device which will be authenticated via CyberArk.

Object: Enter this device's CyberArk Object.

Geographic Distribution

Select the remote agent that should perform data collection for the device.

To specify that the device is managed locally, select Central Manager.

This field is relevant when a Geographic Distribution architecture is configured.

ActiveChange

Select Enable ActiveChange to enable FireFlow to implement changes on the device.


Log Collection and Monitoring

For AFA to process logs from the devices managed by the FortiManager device you are adding, you may need to specify additional device identifiers.

This is relevant when the sub-device is represented by multiple or non-standard device identifiers. For example, this may be relevant for firewall clusters or non-standard logging settings.

For more details, see Add additional device identifiers for sub-systems.

Define the following values:

Log collection method: Specify whether AFA should collect logs for the device, by selecting one of the following:
- None: Do not collect logs.
- Standard: Enable log collection.
- Extensive: Enable log collection and the Intelligent Policy Tuner.
The default value is Extensive.

Syslog-ng server: If you selected Standard or Extensive in the Log collection method field, you must specify the syslog-ng server. For details, see Specify a Syslog-ng server.

Tip: Alternately, see Configure your FortiManager to forward syslog messages to AFA.

Log collection frequency: Enter the interval of time in minutes, at which AFA should collect logs for the device.

4. If you enabled ActiveChange, the ActiveChange License Agreement dialog box appears.

Select I Agree and click OK.

5. Click Next to continue to the Fortinet FortiManager Step 2/2 page.


This page lists all the devices that are managed by the FortiManager, including
standalone devices and virtual systems.

6. Optional: Configure AFA to use logs created by a managed device or virtual system.

To specify that AFA should use the logs created by a managed device / virtual system, do the following:

a. In the Add Device column, select the check box next to the device's name.

b. In the Log Analysis column, select one of the following:

- None to disable logging.
- Standard to enable logging.
- Extensive to enable logging and the Intelligent Policy Tuner.

Note: Using the device's logs enables AFA to detect certain policy
optimization information, such as unused rules. This information is
displayed in the Policy Optimization section of the AFA report.

7. Optional: Enable generation of baseline compliance reports:

To enable generation of baseline compliance reports, do the following:

a. Click .

b. In the Direct Access Configuration dialog, enter the following details, and then click OK.

Host IP: Type the IP address of the device.

User Name: Type the user name to access the device.


Password: Type the password to access the device.

Baseline Profile: Select the baseline compliance profile to use. The drop-down list includes all baseline compliance profiles in the system. For more details, see Customize baseline configuration profiles.
To disable Baseline Compliance Report generation for this device, select None.

Test Connectivity: Click this button to test connectivity to the defined device. A message informs you whether AFA connected to the device successfully.

Note: Specifying this information for a device triggers a direct SSH connection
to the device.

8. Select the remaining options as needed:

Real-time change monitoring: Select this option to enable real-time alerting upon configuration changes. For details, see Configure real-time monitoring.

Set user permissions: Select this option to set user permissions for this device.

9. Click Finish.

The new device is added to the device tree, and appears with a three tier
hierarchy: FortiManager, FortiGate and VDOM.

10. If you selected Set user permissions, the Edit users dialog box appears.

In the list of users displayed, select one or more users to provide access to reports
for this account.

To select multiple users, press the CTRL button while selecting.

Click OK to close the dialog.


A success message appears to confirm that the device is added.

11. Enable the relevant API in the FortiNet FortiManager device.

Do the following:

a. Log in to the FortiManager Web interface, and navigate to the System Settings > Network settings.

b. Configure one of the following, depending on your FortiManager device version:

FortiManager versions 5.2.3 and higher: Connect via REST. Under System Settings > Network > Management Interface > Administrative Access, select:
- HTTPS
- Web Service

FortiManager versions earlier than 5.2.3: Connect via SOAP. Under System Settings > Network > Interface > Administrative Access, select Web Service.

Configure your FortiManager to forward syslog messages to AFA

ASMS can collect log data by receiving syslog messages from the FortiManager device
or a FortiAnalyzer, or by collecting syslog messages from a remote syslog-ng server.

This procedure describes how to configure the FortiManager device to send syslog
messages to ASMS. For more details, see Log Collection and Monitoring.

Do the following:

1. Log in to your FortiManager web interface, and navigate to the Log & Report >
Log Settings area.

2. Enable the Send Logs to Syslog option, and enter the IP Address/FQDN of your
AFA server.


Add a Fortinet FortiGate device to AFA


This procedure describes how to add a FortiGate device to AFA.

Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. In the vendor and device selection page, select Fortinet > FortiGate.

3. Complete the fields as needed, and then click Finish.

Access Information

Host Type the host name or IP address of the device.

User Name Type the user name to use for SSH access to the device.

Password Type the password to use for SSH access to the device.

Geographic Distribution

Select the remote agent that should perform data collection for the device.

To specify that the device is managed locally, select Central Manager.

This field is relevant when a Geographic Distribution architecture is configured.

Baseline Compliance Configuration

To enable generation of Baseline Compliance Reports for this device, select the
baseline compliance profile to use.

The drop-down list includes all baseline compliance profiles in the system. For
more details, see Customize baseline configuration profiles.

To disable Baseline Compliance Report generation for this device, select None.

Route Collection

Specify how AFA should acquire the device's routing information:


- Automatic. AFA will automatically generate the device's routing information upon analysis or monitoring.

- Static Routing Table (URT). AFA will take the device's routing information from a static file you provide. For more details, see Specify routing data manually.

Remote Management Capabilities

Select a data collection method:

- SSH (more secure)
- Telnet

Then define the following:

Custom Port: To specify a custom port, select this option and type the port. This option is only relevant when SSH is selected.

Number of allowed encryption keys: Enter the permitted number of different RSA keys received from this device's IP address.
Different RSA keys may be sent from the same IP address in cases of cluster fail-over, device operating system upgrades, etc. For example, if a cluster fail-over occurs, the secondary node will send a new RSA key from the same IP address to AFA. If this number is set to 1, the connection to the node will fail, resulting in a failed analysis.

Log Collection and Monitoring


Log collection method: Specify whether AFA should collect logs for the device, by selecting one of the following:
- None: Do not collect logs.
- Standard: Enable log collection.
- Extensive: Enable log collection and the Intelligent Policy Tuner.
The default value is Extensive.

Syslog-ng server: If you selected Standard or Extensive in the Log collection method field, you must specify the syslog-ng server. For details, see Specify a Syslog-ng server.

Additional firewall identifiers: Enter any additional IP addresses or host names that identify the device. When adding multiple entries, separate values with a colon (:). For example: 1.1.1.1:2.2.2.2:ServerName.
This is relevant when the device is represented by multiple or non-standard device identifiers in the logs, for example, in cases of firewall clusters or non-standard logging settings. If AFA receives logs with an identifier it does not recognize, the logs will not be processed.

Note: This field is only relevant for the parent device. For more details, see Add additional device identifiers for sub-systems.

Log collection frequency: Enter the interval of time in minutes, at which AFA should collect logs for the device.

Options

Real-time change monitoring: Select this option to enable real-time alerting upon configuration changes. For details, see Configure real-time monitoring.

Set user permissions: Select this option to set user permissions for the device.


The new device is added to the device tree with a two tier hierarchy: FortiGate and
VDOM.

4. If you selected Set user permissions, the Edit users dialog box appears.

In the list of users displayed, select one or more users to provide access to reports
for this account.

To select multiple users, press the CTRL button while selecting.

Click OK to close the dialog.

A success message appears to confirm that the device is added.
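The Number of allowed encryption keys setting above decides whether a cluster node that presents a different SSH host key from the same address is still accepted. The following Python script is an added illustration of that policy, not AFA code: a small store that learns up to the configured number of host-key fingerprints per IP and refuses any further key, run against a constructed fail-over sequence (the IP address and key strings are made-up samples).

```python
"""Model of a per-IP SSH host key allowance, as an added illustration of the
"Number of allowed encryption keys" setting. This is example code, not part of
AFA; key material and IP addresses below are constructed samples."""
import hashlib
from collections import defaultdict


class HostKeyStore:
    """Remembers host keys per IP and accepts at most `max_keys` distinct ones."""

    def __init__(self, max_keys=1):
        if max_keys < 1:
            raise ValueError("max_keys must be at least 1")
        self.max_keys = max_keys
        self._known = defaultdict(list)  # ip -> fingerprints, in first-seen order

    @staticmethod
    def fingerprint(pubkey):
        # SHA-256 over the raw public key, hex-encoded (OpenSSH shows the same
        # digest in base64).
        return hashlib.sha256(pubkey).hexdigest()

    def check(self, ip, pubkey):
        """Return (accepted, reason) for a key offered by `ip`.

        A key already seen from this IP is accepted. A new key is learned only
        while fewer than max_keys fingerprints are stored for the IP; beyond
        that the connection is refused, which is what turns a fail-over into a
        failed analysis when the setting is left at 1.
        """
        fp = self.fingerprint(pubkey)
        seen = self._known[ip]
        if fp in seen:
            return True, "known key"
        if len(seen) < self.max_keys:
            seen.append(fp)
            return True, "new key learned (%d of %d)" % (len(seen), self.max_keys)
        return False, "refused: %d key(s) already recorded for %s" % (len(seen), ip)


# Constructed sample: two cluster nodes behind one address, each with its own host key.
CLUSTER_VIP = "192.0.2.10"  # documentation address, constructed
PRIMARY_KEY = b"ssh-rsa AAAAB3-constructed-primary-node-key"
SECONDARY_KEY = b"ssh-rsa AAAAB3-constructed-secondary-node-key"


def simulate_failover(max_keys):
    """Connection sequence: primary twice, the secondary after fail-over, primary again.

    Returns one (accepted, reason) tuple per connection attempt.
    """
    store = HostKeyStore(max_keys)
    attempts = [PRIMARY_KEY, PRIMARY_KEY, SECONDARY_KEY, PRIMARY_KEY]
    return [store.check(CLUSTER_VIP, key) for key in attempts]


if __name__ == "__main__":
    for n in (1, 2):
        print("max_keys=%d:" % n)
        for accepted, reason in simulate_failover(n):
            print("  ", "OK  " if accepted else "FAIL", reason)
```

With the cap at 1 the secondary node's key is refused and the analysis would fail, as the field description says; with the cap at 2 both nodes are accepted. Set the value to the number of keys the device can legitimately present and treat any refusal beyond that as a change to investigate rather than a reason to raise the cap.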

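Both the F5 and the FortiGate procedures above warn that logs arriving with an identifier AFA does not recognize are not processed. The following Python example is added here and is not part of AFA: it parses the colon-separated Additional firewall identifiers value the way the field describes, extracts the host token from constructed BSD-style syslog lines, and reports which originating hosts are not covered, which is the list an administrator would add to the field. The sample log lines, host names and addresses are constructed.

```python
"""Added example (not AFA code): parse the colon-separated Additional firewall
identifiers field and check which syslog lines would match a device's known
identifiers. Log lines, host names and addresses below are constructed samples."""
import re

# BSD-style syslog line: <PRI>Mon dd hh:mm:ss HOST message
SYSLOG_RE = re.compile(
    r"^<\d{1,3}>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)


def parse_identifiers(field):
    """Split the field value on ':' as the guide specifies (e.g. 1.1.1.1:2.2.2.2:ServerName).

    Assumes identifiers themselves contain no colon, i.e. IPv4 addresses or host
    names. Empty entries and surrounding whitespace are dropped.
    """
    return [part.strip() for part in field.split(":") if part.strip()]


def log_host(line):
    """Return the HOST field of a syslog line, or None if the line does not parse."""
    m = SYSLOG_RE.match(line)
    return m.group("host") if m else None


def classify_logs(lines, primary_host, identifiers_field):
    """Sort log lines into recognized lines and unrecognized originating hosts.

    Host matching is case-insensitive (an assumption about AFA, not stated in
    the guide). Returns (recognized_lines, unknown_hosts); unknown_hosts is the
    sorted list of host tokens seen in logs but absent from the identifiers,
    i.e. the values to add to the field so those logs are processed.
    """
    known = {primary_host.lower()}
    known.update(i.lower() for i in parse_identifiers(identifiers_field))
    recognized, unknown = [], set()
    for line in lines:
        host = log_host(line)
        if host is None:
            continue  # not a syslog line we understand; skip rather than guess
        if host.lower() in known:
            recognized.append(line)
        else:
            unknown.add(host)
    return recognized, sorted(unknown)


# Constructed sample: a cluster whose members log under their own names.
SAMPLE_LOGS = [
    "<134>May  4 10:01:02 192.0.2.1 fw: policy change committed",
    "<134>May  4 10:01:05 fw-node-b fw: cluster failover complete",
    "<134>May  4 10:01:09 FW-NODE-A fw: admin login from 203.0.113.5",
    "<134>May  4 10:01:12 fw-node-c fw: interface up",
]

if __name__ == "__main__":
    ok, missing = classify_logs(SAMPLE_LOGS, "192.0.2.1", "192.0.2.2:fw-node-a")
    print("%d line(s) recognized" % len(ok))
    print("identifiers to add:", ":".join(missing))
```

Running it over the sample shows two lines recognized and fw-node-b and fw-node-c as hosts that would be silently dropped until they are added to the field. The parser assumes identifiers contain no colon, as in the IPv4 and host-name values the guide shows.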
Configure one-armed mode manually


AFA automatically identifies Fortinet devices in one-armed mode when the device has a
single interface, or a single non-management interface. If your device has multiple
non-management interfaces and one-armed mode is not identified automatically,
configure this for your device manually.

Do the following:

1. On the AFA machine, access your device configuration meta file as follows:

/home/afa/.fa/firewalls/<device_name>/fwa.meta

where <device_name> is the name of the device listed. If your device is listed
multiple times, enter the longer name.

2. On a new line, enter:

is_steering_device=yes

3. Run an analysis on the device to update the device data in AFA.
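The following Python script is an added example, not AFA code, of making the fwa.meta change in step 2 repeatably, for example from a provisioning script: it keeps a backup copy, writes is_steering_device=yes on its own line, and leaves the file unchanged if the key is already set. It assumes fwa.meta holds one key=value pair per line, which matches the entry shown above but is not otherwise stated in the guide; the script name and the backup file name are this example's own choices.

```python
"""Added example (not AFA code): set is_steering_device=yes in a device's fwa.meta
without duplicating the key. Assumes one key=value pair per line, which is how
the guide shows the entry; check against your own file before relying on it."""
from pathlib import Path


def set_meta_text(text, key, value):
    """Return `text` with `key=value` present exactly once, on its own line.

    The first existing line for the key is rewritten in place, later duplicates
    are dropped, and a missing key is appended at the end. Unrelated lines are
    preserved untouched.
    """
    out, found = [], False
    for line in text.splitlines():
        name, sep, _ = line.partition("=")
        if sep and name.strip() == key:
            if not found:
                out.append("%s=%s" % (key, value))
                found = True
            continue
        out.append(line)
    if not found:
        out.append("%s=%s" % (key, value))
    return "\n".join(out) + "\n"


def get_meta_value(text, key):
    """Return the value of `key` from key=value text, or None if absent."""
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            return value.strip()
    return None


def enable_one_armed_mode(device_name, base_dir="/home/afa/.fa/firewalls"):
    """Write is_steering_device=yes to the device's fwa.meta, keeping a .bak copy.

    Path layout follows the guide: <base_dir>/<device_name>/fwa.meta.
    Returns True if the value was added or changed, False if it was already yes.
    """
    meta = Path(base_dir) / device_name / "fwa.meta"
    if not meta.is_file():
        raise FileNotFoundError("no fwa.meta for device %r under %s" % (device_name, base_dir))
    original = meta.read_text()
    meta.with_name("fwa.meta.bak").write_text(original)  # backup before editing
    meta.write_text(set_meta_text(original, "is_steering_device", "yes"))
    return get_meta_value(original, "is_steering_device") != "yes"


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: set_one_armed.py <device_name>")
    print("added" if enable_one_armed_mode(sys.argv[1]) else "already set")
```

Run it on the AFA machine as python set_one_armed.py <device_name>, using the longer name when the device is listed more than once, then run an analysis as in step 3. set_meta_text and get_meta_value operate on text, so the edit can be checked before any file is touched.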

Add Juniper devices


This topic describes how to add Juniper devices to AFA.


Tip: If you have multiple Juniper Netscreen or SRX devices, we recommend adding
the Juniper NSM or Space that manages these devices.

This automatically enables AFA to analyze any devices managed by the NSM or
Space device.

Juniper NSM devices in AFA


The following sections describe how Juniper NSM devices are added to AFA:

- Device permissions
- Add a Juniper NSM device

Consider the following when adding NSM devices:

Juniper NSM 2007 managing Netscreen devices: If you have a Juniper NSM 2007 managing Netscreen devices, you must add each Netscreen device separately, and specify that the Netscreen device logs are collected from the NSM. For more details, see Juniper Netscreen devices in AFA.

NAT support for SRX devices: NAT is not supported for Juniper SRX devices defined in AFA under an NSM. If you need NAT support, add your Juniper SRX device separately. For details, see Juniper SRX devices in AFA.

Device permissions
AFA requires the following to collect data from NSM devices:

- Device analysis
- Log collection
- Dynamic routing data collection
- Global zone rule collection for SRX

Device analysis

To collect data from the NSM GUI server via SOAP, the user accessing the NSM must have the read-only System Administrator role.

You may want to create a user specifically for AFA data collection. To create this user,
do the following:

Create a read-only NSM user for data collection

1. Log in to the NSM and select Tools > Manage Administrators and Domains.

2. Click + to create a new administrator.

3. In the General tab, enter a name for the user.

4. In the Authorization tab, click Set Password and set a password for the user.

5. In the Permissions tab, click +.

6. In the New Select Role and Domains dialog, do the following:

- From the Role drop-down list, select Read-Only System Administrator.
- Select the checkboxes for any of the relevant domains.

7. Click OK to close any open dialog boxes.

Log collection

To collect log files from the NSM dev server, you must do one of the following:

- Access the NSM dev server as user root.
- Deploy the install_nsm_sudo script on the NSM dev server to change a minimal set of folder permissions. For more details, see Collecting Logs from Juniper NSM without Using the Root in AlgoPedia.

Dynamic routing data collection

To retrieve dynamic routing data from devices managed by the NSM, the user accessing
the NSM must have SNMP access.

For more details, see Collecting dynamic routes via SNMP for devices managed by
NSM in AlgoPedia.


Global zone rule collection for SRX

To collect global-zone rules for SRX devices managed by an NSM, the NSM user
defined in AFA must have a role with permissions to view the Junos Global Rulebase.
To enable this, do the following:

In the NSM application, navigate to Administration > Common > Task > Manage
administrator and domains > Roles, and select View Juno Global Rulebase.

Add a Juniper NSM device


This procedure describes how to add a Juniper NSM to AFA. AFA uses the NSM API
2008, available in NSM versions 2008 and higher, to connect to the NSM and collect
data.

Do the following:

1. Set your NSM device to listen to port 8443 on the IP address of its interface.

For details, see the Juniper Knowledge Base.

2. If you are using a Juniper NSM 2007 or 2008, enable AFA to translate rule
numbers to rule IDs.

These rule IDs are available by default in NSM 2009 traffic logs.

Enable rule number translation

Do the following:

a. In the AFA Administration area, navigate to the OPTIONS > Advanced Configuration tab.

b. Click Add to add a new parameter. Enter the following details:

Name: Use_Rulenum

Value: yes

c. Click OK and OK again to save your changes.


3. Access the Devices Setup page. For more details, see Access the
DEVICES SETUP page.

4. In the vendor and device selection page, select Juniper > NSM (NSM 2008 or
above).

5. Complete the following fields as needed.

Access Information

NSM GUI server: Enter the host name or IP address of the NSM GUI server.

NSM HA Cluster: Select this option to enable a High Availability cluster. If AFA fails to access the primary NSM GUI server, AFA will attempt to access the secondary server instead.
If selected, also populate the Secondary NSM GUI server field with the host name or IP address of the secondary server.

Note: NSM HA cluster support is only available if the NSM GUI server and Dev server are running on the same server.

User Name: Enter the user name to use for SSH access to the NSM GUI server.

Note: AlgoSec recommends using a "read-only" user account on the NSM GUI server. For details, see Device analysis.

Tip: Configure AFA to connect to the device using SSH and Public key authentication. Configure this on the Administration > Options > General tab. For details, see Use public key authentication in data collection.

Password: Enter the password to use for SSH access to the NSM GUI server.

Port: Enter the port number to use on the NSM GUI server.
Default: 8443
Default for NSMXpress appliances: 443


Geographic Distribution

Select the remote agent that should perform data collection for the device.

To specify that the device is managed locally, select Central Manager.

This field is relevant when a Geographic Distribution architecture is configured.

Log Collection and Monitoring

Do the following:

a. Ensure that Collect Logs (via SSH) is selected to determine that AFA
collects traffic logs for the device using SSH.

b. In the From field, select the log source:

NSM (Default): Under NSM Dev server, select the NSM location:
- Same as NSM GUI server (default). The NSM Devices server is located on the same machine as the NSM GUI server.
- Separate server: The NSM is located separately from the NSM GUI server. If selected, also enter the NSM's host name or IP address. In the SSH User Name and SSH Password fields, enter the credentials used to connect to the NSM. Click Test Connectivity to test the connection.

Tip: When using Juniper's STRM log server, AFA enables you to forward logs to a built-in or external syslog-ng server, which you can define as the relevant log server instead. For more details, see Configure Juniper STRM to forward logs to a Syslog-ng server.

Note: For NSMXpress appliances, the NSM GUI server and the NSM Devices server are installed on the same machine.


Syslog-ng: Select an existing syslog-ng server, edit its details, or add a new one. For details, see Specify a Syslog-ng server.
Select the NSM forwarding option to indicate that logs are collected on the NSM and then forwarded to the syslog-ng server.

c. Select Collect audit logs from the same server to determine that AFA collects audit logs in addition to traffic logs.

d. In the Log collection frequency (minutes) dropdown, select an interval at which AFA collects logs. Default = 60 minutes.

Note: You may need to specify additional device identifiers for AFA to process logs from devices managed by this NSM device. This is relevant when the managed device has multiple or non-standard device identifiers in the logs, such as for firewall clusters or non-standard logging settings. For details, see Add additional device identifiers for sub-systems.

6. Click Next to continue to the Juniper NSM Step 2/2 page.

This page lists the devices that are managed by the NSM, including standalone
devices and virtual systems.

Do the following:

Add Device column: Select the checkbox for any devices you want to define via the NSM.


Log Analysis column: Select one of the following to determine log functionality for a selected device:
- None to disable logging.
- Standard to enable logging.
- Extensive to enable logging and the Intelligent Policy Tuner.
This enables AFA to detect policy optimization data, such as unused rules, and display them in the Policy Optimization section of the AFA report.

Migrate from currently defined Netscreen column: Displayed if you have Netscreen devices managed by this NSM already defined in AFA.
Select devices to migrate for AFA to delete them in the background and add them back via the NSM.

Note: Juniper SRX devices already defined in AFA cannot be migrated. To define the device as managed by the NSM, first delete the SRX device from AFA, and then redefine via the NSM.

7. (Optional) Enable generation of baseline compliance reports.

Do the following:

a. Click .

b. Do one of the following:


Configure direct access for each device: In the Direct Access Configuration dialog, enter the following details:
- Host IP. Enter the device's IP address.
- Username. Enter the username used to access the device.
- Password. Enter the password to access the device.
- Baseline Profile. Select a baseline profile to use for the device. For details, see Customize baseline configuration profiles. To disable Baseline Compliance Report generation for this device, select None.
Click Test Connectivity to test connectivity to the defined device. This triggers a direct SSH connection to the device.

Configure access to managed devices via the NSM: If you do not want to enter credentials for each device and have AFA access them directly, select Access the managed devices through the NSM machine. Then, enter the SSH User Name and SSH Password.
AFA connects to the NSM via SSH, and opens another SSH connection from the NSM to each of the selected devices.

8. Complete the remaining fields as needed, and click Finish.

Advanced

Select Display virtual routers (Netscreen devices) to analyze each virtual router
under a Netscreen device separately.

Each virtual router will appear in the device tree immediately below the Netscreen
device, and parallel to virtual systems.

Note: This option is not available for Juniper SRX devices defined in AFA via the NSM. To use this functionality for SRX devices, define them directly in AFA.

For more details, see Juniper SRX devices in AFA.

Options

Select the following as needed:

Real-time change monitoring: Select this option to enable real-time alerting upon configuration changes. For details, see Configure real-time monitoring.

Set user permissions: Select this option to set user permissions for this device.

The new device is added to the device tree.

9. If you selected Set user permissions, the Edit users dialog box appears.

In the list of users displayed, select one or more users to provide access to reports
for this account.

To select multiple users, press the CTRL button while selecting.

Click OK to close the dialog.

A success message appears to confirm that the device is added.

Junos Space Security Director devices in AFA


The following sections describe how ASMS connects to Junos Space Security Director
devices:

- Network connectivity
- Device permissions
- Add a Junos Space Security Director device

Consider the following when adding Junos Space Security Director devices to AFA:

Data collection time required


Data collection may take longer on Junos Space than on other brands.

This may have various implications across the system for processes that involve data
collection from Junos Space devices.

Upgrades and additional routing instances

Juniper Space devices defined in AFA before version A30.00 have different behavior
and support options.

If you are upgrading, do one of the following:

Upgrading from A30.00 to A30.10 or higher: If you already have a Juniper Space device defined in AFA, edit your Space device in the AFA Administration area to view all updates for Space devices, such as viewing additional routing instances in the device tree and the map.
No changes are required. Simply edit the device configuration and click Finish to update the data.

Upgrading with Juniper Space devices added prior to ASMS A30.00: If your Juniper Space device was added prior to ASMS A30.00, you will need to delete this device from AFA and add it back again to implement all new features. For more details, see Delete a device.

SRX devices already defined in AFA

If you have SRX devices already defined in AFA and want to convert them to Juniper
Space, first remove the SRX devices and then add them back via Space.

For more details, see Delete a device and Juniper SRX devices in AFA.

Virtual Router, VRF, and Secure Wire support

When the Juniper Space device manages an SRX device or LSYS, which in turn
manages Virtual Routers, VRFs, or Secure Wires, AFA displays these routing instances
in the AFA device tree. This provides increased route analysis and automation design at
the levels of these routing instances.

For example:


Note: Items not added to the device tree include empty Virtual Routers or LSYSs,
unsupported routing instances, and LSYSs that contain only unsupported routing
instances.

AFA reports provide the following data, per tree level:

Virtual Router / VRF / Secure Wire level: At the level of the routing instance, AFA
displays topology information only, and no policy information. Policy information is
displayed at the LSYS level, one node up in the tree.

LSYS level: At the LSYS level, AFA displays policy information only, and no topology
information. Topology information is shown at the routing instance level, one node
down in the tree.

Management level: Higher up in the tree, at the Space management level, AFA
displays aggregated information for all child devices, including both policy and
topology information.

If you have added new routing instances to your Juniper Space device and want AFA
to generate data for them, edit your Space device in the AFA Administration area.

No configuration changes are required; simply edit the device and click Finish to
update the data.

For details, see Virtual Router, VRF, and Secure Wire support.

Inter-VR routing support for route-leaking

AFA supports RIB groups and next-table routes as next-hop routers (NHRs) for SRX
devices managed by Juniper Space Security Director.

When AFA detects either of these inter-VR routing configurations, it adds synthetic
back-plane interfaces to the Juniper Space device's URT file to simulate the
connections. The connections can then be displayed on the AFA network map and in
query results.
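The following Junos configuration is an added example, not taken from the guide or from AlgoSec, showing the two inter-VR mechanisms AFA recognizes on an SRX: a RIB group that copies the interface routes of one virtual router into another, and a static route whose next hop is another instance's routing table (next-table). The instance names, interfaces and prefixes are invented for the example.

```junos
routing-options {
    rib-groups {
        /* the first table is the exporting instance's own table; the rest receive copies */
        leak-trust-to-dmz {
            import-rib [ vr-trust.inet.0 vr-dmz.inet.0 ];
        }
    }
}
routing-instances {
    vr-trust {
        instance-type virtual-router;
        interface ge-0/0/1.0;               /* 10.10.0.1/24, zone trust (example values) */
        routing-options {
            /* mechanism 1: RIB group - vr-trust's connected routes are copied into vr-dmz.inet.0,
               which gives vr-dmz a return path to 10.10.0.0/24 */
            interface-routes {
                rib-group inet leak-trust-to-dmz;
            }
            /* mechanism 2: next-table - lookups for the DMZ prefix continue in vr-dmz's table */
            static {
                route 10.20.0.0/16 next-table vr-dmz.inet.0;
            }
        }
    }
    vr-dmz {
        instance-type virtual-router;
        interface ge-0/0/2.0;               /* 10.20.0.1/24, zone dmz (example values) */
        /* no next-table back to vr-trust: Junos rejects next-table routes that point at each
           other between the same two tables, so the return direction relies on the RIB group */
    }
}
```

To check what AFA will see, run show route table vr-dmz.inet.0 (the leaked 10.10.0.0/24 appears with its ge-0/0/1.0 next hop) and show route table vr-trust.inet.0 10.20.0.0/16 (shown with a next hop of "to table vr-dmz.inet.0"); both are contained in the show route extensive all output that AFA collects, and each becomes a back-plane link between the two VR nodes in the device tree. Security zones and policies for the two interfaces are omitted here.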

Network connectivity
The following diagram shows an ASMS Central Manager or Remote Agent connecting
to a Juniper SPACE device.

Device permissions
ASMS requires the following for the user used to access your Juniper SPACE devices:

• Device analysis
• ActiveChange
• Log collection

Device analysis

• Super administrator permissions on the Juniper SPACE device, or a dedicated user
  with the role described below
• Both GUI and API access enabled
• Full access to all Domains


You may want to create a user specifically for AFA data collection. To create this user,
do the following:

Create a read-only Juniper Space user for data collection

1. Log in to the Junos Space - Network Management Platform.

2. In the Junos Space - Network Management Platform, create a new API Access
profile.

When adding the new profile, add a single rule containing only an asterisk (*) as
the wildcard.

3. Switch to the Roles area and create a new role with the following permissions:

Log Collector Management: Read Log Collector info

Event Viewer: View Device Logs

Reports: Reports > View Report

Firewall Policies: The following, without sub-permissions:
  • View Policy
  • Export Policy
  • Policy Profiles
  • Schedulers
  • AccessProfile
  • AppFirewall Policy
  • SSL Proxy Profile
  • End User Profile
  • Active Directory
  • Condition
  • Environment Variable
  • Identity Management
  • Application Signatures

NAT Policies:
  • Export NAT Policy
  • View NAT Policy
  • View NAT Dirty Policy
  • NAT Pools (without sub-permissions)
  • Ports Sets (without sub-permissions)

VPNs: View VPN

Shared Objects: The following, without sub-permissions:
  • Services
  • Addresses
  • Zones Sets
  • Variables

Security Director Devices: View Security Director Devices

Devices:
  • Unmanaged Devices
  • Model Devices >
    ◦ View Modeled Instance
    ◦ View Modeled Device Status
    ◦ View Configlet
  • Connection Profiles > View Connection Profile
  • Device Management >
    ◦ Device Inventory >
      ▪ View Physical Inventory
      ▪ View Physical Interfaces
      ▪ View Logical Interfaces
      ▪ View License Inventory
      ▪ View Software Inventory
    ◦ Device Access > SSH to Device
    ◦ Device Configuration >
      ▪ View Active Configuration (without the sub-permissions)
      ▪ View Template Association
      ▪ View Configuration Change Log

Device Templates: Templates >
  • View Template Details
  • View Template Association

CLI Configlets:
  • Configlets > View CLI Configlet Details
  • Configuration View >
    ◦ View Configuration View Details
    ◦ Export Configuration View

Configuration Files: Config Files Management > Export Configuration File

Jobs: Job Management > View Recurrence

Audit Logs: Audit Log > Export Audit Logs

Administration:
  • Fabric (without sub-permissions)
  • Applications (without sub-permissions)

4. Create a new user. When assigning roles, do the following:

• Select GUI Access and API Access
• In the Exec RPC API Access Profile area, select the new API access profile
  that you created in step 2.
• Select the newly defined role that you created in step 3.
• In the Job Management View area, select to view all jobs.

5. When assigning domains, select all domains, or the Global domain.

For more details about how to perform these steps, see Junos Space - Network
Management Platform documentation.

ActiveChange

When ActiveChange is enabled, the user connecting to the Junos Space device
requires a minimum of read-write access via SSH.

Log collection

Configure your system to do one of the following:

• Have syslog messages sent to ASMS directly from the firewall
• Have ASMS collect syslog messages from a remote syslog-ng server

For details, see:

• Log Collection for Juniper Space
• Configure Juniper SRX devices to send traffic logs
• Configure Juniper STRM to forward logs to a Syslog-ng server


Add a Junos Space Security Director device


This procedure describes how to add a Junos Space Security Director device to AFA.
Once added, all SRX devices managed by the Space device are also added to AFA,
together with any Virtual Routers, VRFs, or Secure Wires managed by each SRX device
or LSYS.

For more details, see Virtual Router, VRF, and Secure Wire support.

Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. In the vendor and device selection page, click Juniper > Junos Space Security
Director.

3. Complete the fields as needed.

Access Information

Enter the following access details and credentials:

Host: Enter the device's host name or IP address.

User Name: Enter the user name to use to access the device.

Password: Enter the associated password.

Geographic Distribution

Select the remote agent that should perform data collection for the device.

To specify that the device is managed locally, select Central Manager.

Note: This field is relevant only when a Geographic Distribution architecture is
configured.

ActiveChange

Select Enable ActiveChange to configure FireFlow to generate CLI recommendations
and push them to the device.

Log Collection

Define log collection on the device as follows:

Log collection method: Specify whether AFA should collect logs for the device, by
selecting one of the following:
  • None: Do not collect logs.
  • Standard: Enable log collection.
  • Extensive: Enable log collection and the Intelligent Policy Tuner.
  The default value is Extensive.

Syslog-ng server: If you selected Standard or Extensive in the Log collection method
field, you must also specify the syslog-ng server. For details, see Specify a Syslog-ng
server.

  Note: When using Juniper's STRM log server, we recommend forwarding logs to the
  syslog-ng server defined in AFA. For more details, see Configure Juniper STRM to
  forward logs to a Syslog-ng server.

Log collection frequency: Select the interval of time, in minutes, at which AFA should
collect logs for the device.

Note: In order for AFA to process logs from the devices that are managed by this
management device, you may need to specify additional device identifiers. This is
relevant when the sub-device is represented by multiple or non-standard device
identifiers in the logs, for example, in cases of firewall clusters or non-standard
logging settings. For more details, see Add additional device identifiers for
sub-systems.

4. If you enabled ActiveChange, the ActiveChange License Agreement dialog box
appears.

Select I Agree and click OK.

5. Click Next to continue to the Junos Space Security Director - Step 2/2 page.

This page lists the devices that are managed by the Juniper Space, including
standalone devices and logical systems.

Do the following:

Add Device column: Select the checkbox for any devices you want to define via the
Space device.

Log Analysis column: Select one of the following to determine log functionality for a
selected device:
  • None to disable logging.
  • Standard to enable logging.
  • Extensive to enable logging and the Intelligent Policy Tuner. This enables AFA to
    detect policy optimization data, such as unused rules, and display it in the Policy
    Optimization section of the AFA report.

6. (Optional) Enable generation of baseline compliance reports.

Do the following:

a. Click the direct access configuration icon for the device.

b. In the Direct Access Configuration dialog, enter the following details:

• Host IP. Enter the device's IP address.
• Username. Enter the username used to access the device.
• Password. Enter the password to access the device.
• Baseline Profile. Select a baseline profile to use for the device. For details, see
  Customize baseline configuration profiles. To disable Baseline Compliance Report
  generation for this device, select None.

Click Test Connectivity to test connectivity to the defined device.

This triggers a direct SSH connection to the device.

7. Select the remaining options as needed:

Real-time change monitoring: Select this option to enable real-time alerting upon
configuration changes. For details, see Configure real-time monitoring.

Set user permissions: Select this option to set user permissions for this device.

8. Click Finish.

The new Space device is added to the device tree, showing each individual
device, LSYS, or routing instance configured.

Space devices and the devices they manage appear in the device tree in a
hierarchy of up to four tiers. For example: Juniper Space Security Director
(Management Device) > SRX > LSYS > Virtual Router, VRF, or Secure Wire

For more details, see Virtual Router, VRF, and Secure Wire support.

Note: SRX clusters in active/passive mode appear as a single node in the tree,
while SRX clusters in active/active mode appear as two nodes.

Empty routers or LSYSs, unsupported routing instances, and LSYSs that contain
only unsupported routing instances are not added to the device tree.

9. If you selected Set user permissions, the Edit users dialog box appears.

In the list of users displayed, select one or more users to provide access to reports
for this account.


To select multiple users, press the CTRL button while selecting.

Click OK to close the dialog.

A success message appears to confirm that the device is added.

Juniper Netscreen devices in AFA


The following sections describe how ASMS connects to Juniper Netscreen devices:

• Network connectivity
• Device requirements
• Add a Juniper Netscreen to AFA

Network connectivity
The following diagram shows an ASMS Central Manager or Remote Agent connecting
to a Juniper Netscreen device.

Device requirements
ASMS requires the following to connect to Juniper Netscreen devices:

• Device analysis
• ActiveChange
• Log collection

Device analysis

The user connecting to the Netscreen device must be a super-user with a minimum of
read-only access via SSH.

ActiveChange


When ActiveChange is enabled, the user connecting to the Netscreen device requires a
minimum of read-write access via SSH.

Log collection

ASMS can either receive syslog messages from the device or can collect syslog
messages from a remote syslog-ng server.

Tip: We recommend configuring a remote syslog-ng server for log collection
whenever possible.

If your system is configured for the Netscreen device to send syslog messages
directly to ASMS, configure the device's syslog message format for ASMS and ensure
that the TCP option is cleared, so that the device sends syslog over UDP.

Add a Juniper Netscreen to AFA


This procedure describes how to add a Juniper Netscreen to AFA.

Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. In the vendor and device selection page, select Juniper > Netscreen.

3. Complete the fields as needed:

Access Information

Enter the device's access information and credentials as follows:

Host: Enter the device's host name or IP address.

User Name: Enter the user name to use for SSH access to the device.

Password: Enter the password to use for SSH access to the device.

Retrieve credentials from CyberArk vault: Select to authenticate to the device with
credentials retrieved from a CyberArk Vault instead of saving the device credentials
on the AlgoSec server. When selected, also define the following:
  • Platform (Policy ID). The CyberArk platform for this device.
  • Safe. The CyberArk safe for this device.
  • Folder. The CyberArk folder for this device.
  • Object. This device's CyberArk Object.

  Note: These options only appear when CyberArk is configured in AFA. For details,
  see Integrate AFA and CyberArk.

Geographic Distribution

Select the remote agent that should perform data collection for the device.

To specify that the device is managed locally, select Central Manager.

Note: This field is only relevant when a Geographic Distribution architecture is
configured.

Baseline Configuration Compliance

To enable generation of Baseline Compliance Reports for this device, select the
baseline compliance profile to use.

The drop-down list includes all baseline compliance profiles in the system.

To disable Baseline Compliance Report generation for this device, select None.


For more details, see Customize baseline configuration profiles.

Advanced

Click the arrow next to the Advanced heading to display the fields in this area.

Select Display virtual routers to analyze each virtual router separately.

When selected, each virtual router will appear in the device tree immediately
below the Netscreen device and parallel to virtual systems.

Note: This is required in the rare cases where there are no inter-VR routes
to/from a specific VR. In other words, when there is an “isolated” VR.

Remote Management Capabilities

Select one of the following methods to collect data:

• SSH (recommended)
• Telnet (sends the credentials and the collected configuration in cleartext; use
  only where SSH is unavailable)

To specify a custom port, select the Custom Port option and enter the port. This is
only relevant when SSH is selected.

Tip: Alternatively, configure AFA to connect to the device using SSH with public-key
authentication. To do so, select the Use public key authentication in data collection
check box in the General sub-tab of the Options tab in the Administration area.

For details, see Define AFA preferences.

Firewall Log

Configure logging fields as follows:


Collect logs: Specify whether AFA should collect logs for the device, by selecting one
of the following:
  • None. Do not collect logs.
  • Standard. Enable log collection.
  • Extensive. Enable log collection and the Intelligent Policy Tuner.
  The default value is Extensive.

From: Specify from where AFA should collect logs, by selecting one of the following:
  • NSM (default). AFA collects logs from the NSM. If selected, also define the
    following:
    ◦ NSM Dev server. The NSM host name or IP address.
    ◦ User Name. The user name used to connect to the NSM.
    ◦ Password. The password used to connect to the NSM.
    Click Test Connectivity to test your connection to the NSM server.
  • Syslog-ng. AFA collects logs from a syslog-ng server. If selected, also specify
    the syslog-ng server. For details, see Specify a Syslog-ng server.

  Tip: If you are using Juniper's STRM log server, have the messages forwarded to a
  syslog-ng server. For details, see Configure Juniper STRM to forward logs to a
  Syslog-ng server.

Collect audit logs from the same server: Select to specify that AFA uses the same
server to collect both traffic and audit logs.

  Note: If you clear this option, specify a separate set of audit log server details,
  just as you did for the traffic log server.

Additional firewall identifiers: Enter any additional IP addresses or host names that
identify the device, separated by colons (:). For example:
1.1.1.1:2.2.2.2:ServerName

  This is relevant when the device is represented by multiple or non-standard device
  identifiers in the logs, for example, in the case of firewall clusters or non-standard
  logging settings. If AFA receives logs with an identifier it does not recognize, the
  logs are not processed.

  Note: This field is not supported for sub-systems, such as Juniper VSYS/LSYS. For
  more details, see Add additional device identifiers for sub-systems.

  Note: This field only appears if you selected Syslog-ng in the From field.

Log collection frequency: Enter the interval of time, in minutes, at which AFA should
collect logs for the device.

ActiveChange

Select Enable ActiveChange to configure FireFlow to generate recommendations
and push them to the device.

Note: The ActiveChange area only appears if you selected SSH above.

Options

Define the following options as needed:

Real-time change monitoring: Select this option to enable real-time alerting upon
configuration changes. For details, see Configure real-time monitoring.

Set user permissions: Select this option to set user permissions for this device.


4. Click Finish. The new device is added to the device tree.

5. If you selected Set user permissions, the Edit users dialog box appears.

In the list of users displayed, select one or more users to provide access to reports
for this account.

To select multiple users, press the CTRL button while selecting.

Click OK to close the dialog.

Juniper SRX devices in AFA


The following sections describe how ASMS connects to Juniper SRX devices:

• Network connection
• Device permissions
• Add a Juniper SRX device to AFA
• Configure Juniper SRX devices to send traffic logs

Network connection
The following diagram shows an ASMS Central Manager or Remote Agent connecting
to a Juniper SRX device.

Device permissions
ASMS requires the following permissions on your Juniper SRX devices:

Device analysis

AFA requires permission to run the following commands on your SRX device:


• show configuration
• show route extensive all
• show configuration groups junos-defaults applications

ActiveChange

When ActiveChange is enabled, ASMS requires a specific user on the SRX device.
This user must be a member of the super-user login class.

Note: If ActiveChange is not enabled, the user can be in a login class other than
super-user.


For details, see How to configure a Juniper SRX read-only user with permissions
required for AFA data collection in AlgoPedia.
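The following Junos configuration is an added example of how such users can be defined; it is not the AlgoPedia article, and the class and user names are invented. It creates a restricted login class for data collection that is limited to operational show commands and to viewing the configuration, plus a separate super-user account for ActiveChange, so that the collection credentials on their own cannot change the device.

```junos
system {
    login {
        class afa-readonly {
            /* view: operational 'show' commands, e.g. 'show route extensive all'
               view-configuration: 'show configuration' and its variants, such as
               'show configuration groups junos-defaults applications'
               (without 'secret' the user cannot read password hashes and keys in the configuration) */
            permissions [ view view-configuration ];
            /* deny-commands removes commands the permission bits would otherwise grant;
               allow-commands widens rather than narrows, so it is not used for restriction */
            deny-commands "^(clear|monitor|ping|traceroute|file|request|restart|start)";
            idle-timeout 15;
        }
        user afa-collector {
            class afa-readonly;
            authentication {
                /* <hash> is a placeholder; create it with:
                   set system login user afa-collector authentication plain-text-password */
                encrypted-password "<hash>";
            }
        }
        user afa-activechange {
            /* ActiveChange pushes configuration changes, so this account must be super-user */
            class super-user;
            authentication {
                encrypted-password "<hash>";
            }
        }
    }
}
```

Before pointing AFA at the collector account, log in as afa-collector and run the three commands listed above, then confirm that configure and start shell are refused. If a later ASMS release needs an additional command, this class is where collection will break, so re-test it after upgrades.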

Add a Juniper SRX device to AFA


This procedure describes how to add a Juniper SRX to AFA.

Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. In the vendor and device selection page, select Juniper > SRX.

3. Complete the fields as needed.

Access Information

Enter the device's access information and credentials as follows:

Host: Enter the host name or IP address of the device.

User Name: Enter the user name.

Password: Enter the associated password.

Geographic Distribution

Select the remote agent that should perform data collection for the device.

To specify that the device is managed locally, select Central Manager.

This field is relevant when a Geographic Distribution architecture is configured.

Baseline Configuration Compliance

To enable generation of Baseline Compliance Reports for this device, select the
baseline compliance profile to use.


The drop-down list includes all baseline compliance profiles in the system. For
more details, see Customize baseline configuration profiles.

Note: To disable Baseline Compliance Report generation for this device, select None.

Additional Information

Select Display virtual routers to analyze each virtual router separately, enabling
advanced routing analysis.

This causes individual virtual routers to appear in the AFA device tree as the last
tier (below their LSYS), and AFA provides a report for each router.

When this option is enabled, the analysis AFA provides for the LSYS aggregates
the information provided for its VRs and should be used for most AFA analysis
capabilities, such as policy optimization recommendations.

The VR analyses provide the ability to:

• Troubleshoot routing and topology issues, such as traffic simulation query results
• Manage risks by focusing on the rules that trigger risks
• Determine which risky rules to trust

Although the LSYS analysis aggregates the information for each VR under it, the
LSYS analysis does not fully contain the information provided in the VR tier
analyses.

Route Collection

Specify how AFA should acquire the device's routing information:

• Automatic. AFA will automatically generate the device's routing information
  upon analysis or monitoring.
• Static Routing Table (URT). AFA will take the device's routing information
  from a static file you provide. For details, see Specify routing data manually.

Remote Management Capabilities

Select a data collection method:

• Telnet (sends the credentials and the collected configuration in cleartext)
• SSH (more secure)

Then, define the following:

Custom Port: To specify a custom port, select this option and type the port. This
option is only relevant when SSH is selected.

Number of allowed encryption keys: Enter the permitted number of different SSH host
(RSA) keys that AFA accepts from this device's IP address. Different host keys may be
presented from the same IP address in cases of cluster fail-over, device operating
system upgrades, and so on. For example, if a cluster fail-over occurs, the secondary
node presents a new host key from the same IP address to AFA. If this number is set
to 1, the connection to the node fails, resulting in a failed analysis. Keep the number
as low as your topology requires: each additional key AFA accepts for an address is
one it cannot distinguish from a key presented by an impostor.

Tip: You can configure AFA to connect to the device using SSH with Public-
Key authentication. For details, see Define AFA preferences.

Log Collection and Monitoring

Define log collection and monitoring settings as follows:


Log collection method: Specify whether AFA should collect logs for the device, by
selecting one of the following:
  • None: Do not collect logs.
  • Standard: Enable log collection.
  • Extensive: Enable log collection and the Intelligent Policy Tuner.
  The default value is Extensive.

Syslog-ng server: If you selected Standard or Extensive in the Log collection method
field, you must specify the syslog-ng server. For details, see Specify a Syslog-ng
server.

  Note: When using STRM (Juniper's log server), you can forward the logs to a
  syslog-ng server (AFA's built-in syslog-ng or an external one) and then define that
  syslog-ng as the log server here. For more details, see Configure Juniper STRM to
  forward logs to a Syslog-ng server.

Additional firewall identifiers: Enter any additional IP addresses or host names that
identify the device. Separate multiple entries by colons (:). For example:
1.1.1.1:2.2.2.2:ServerName

  This is relevant when the device is represented by multiple or non-standard device
  identifiers in the logs, for example, in the case of firewall clusters or non-standard
  logging settings. If AFA receives logs with an identifier it does not recognize, the
  logs are not processed.

  Note: This field is only relevant for the parent device; you may also want to specify
  additional identifiers for sub-systems. For details, see Add additional device
  identifiers for sub-systems.

Log collection frequency: Select the interval of time, in minutes, at which AFA should
collect logs for the device.

ActiveChange

Select Enable ActiveChange for all supported Juniper SRX firewalls to enable
FireFlow to generate CLI recommendations and push them to the device.

Note: Checking this box enables ActiveChange for all Juniper SRX firewalls, not
only for this device.

Options

Define the following options as needed:

Real-time change monitoring: Select this option to enable real-time alerting upon
configuration changes. For details, see Configure real-time monitoring.

Set user permissions: Select this option to set user permissions for this device.

4. If you enabled ActiveChange, the ActiveChange License Agreement dialog box
appears.

Select I Agree and click OK.

5. Click Finish.

6. If you selected Set user permissions, the Edit users dialog box appears.

In the list of users displayed, select one or more users to provide access to reports
for this account.

To select multiple users, press the CTRL button while selecting.

Click OK to close the dialog.

The new device is added to the device tree, and a success message appears to confirm
that the device is added.

Configure Juniper SRX devices to send traffic logs


ASMS can collect log data by receiving traffic logs from the device itself, or by collecting
syslog messages from an external, remote syslog-ng server.

Configure this as needed. For details, see the Juniper Knowledge Base.
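As an added example (not from the guide or from the Juniper Knowledge Base), the following Junos configuration sends per-session traffic logs from an SRX directly to a syslog-ng collector in stream mode. The addresses, zone names and policy are invented; stream-mode records are emitted by the data plane from the address under source-address, which is the address AFA must recognize as one of the device's identifiers.

```junos
security {
    log {
        /* stream mode sends from the data plane; branch SRX defaults to event mode,
           which passes every record through the Routing Engine and system syslog */
        mode stream;
        format syslog;
        /* records carry this source address: it must be a known identifier of the device in AFA */
        source-address 192.0.2.10;
        stream afa-syslog {
            severity info;
            format syslog;
            host {
                192.0.2.50;          /* the syslog-ng server defined in AFA */
                port 514;            /* plain UDP syslog */
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy allow-web {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https ];
                }
                then {
                    permit;
                    /* one RT_FLOW_SESSION_CLOSE record per session; rule-usage features such as
                       the Intelligent Policy Tuner are driven by these records */
                    log {
                        session-close;
                    }
                }
            }
        }
    }
}
```

Every policy whose usage you want counted needs its own log session-close statement; a policy without it produces no records and will look unused. Logging session-init as well adds a second record per session that rule-usage counting does not need. If the records reach the collector but AFA does not process them, compare the source address in the messages with the device's identifiers in AFA before looking anywhere else.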

Juniper routers in AFA


The following sections describe how ASMS connects to Juniper JUNOS routers:

• Network connectivity
• Device requirements
• Add a Juniper router to AFA

Note: Juniper routing devices with large route tables may cause data collection to
take longer than usual.

For details about specific routers supported, see the AlgoSec Support Matrix.

Network connectivity
The following diagram shows an ASMS Central Manager or Remote Agent connecting
to a Juniper router.

Device requirements
ASMS connects to Juniper routing devices using SSH, and requires a user in the
super-user login class that can run the following commands:

• show version
• show route active-path all
• show configuration

Note: If you need to use a user that is not a super-user, contact AlgoSec support.


Add a Juniper router to AFA


This procedure describes how to add a Juniper router to AFA.

Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. In the vendor and device selection page, select Juniper > M/E Routers.

3. Complete the fields as needed.

Access Information

Enter the device's access information and credentials as follows:

Host: Enter the device's host name or IP address.

User Name: Enter the user name used to access the device.

Password: Enter the password used to access the device.

Geographic Distribution

Select the remote agent that should perform data collection for the device.

To specify that the device is managed locally, select Central Manager.

Note: This field is relevant when a Geographic Distribution architecture is
configured.

Baseline Configuration Compliance

To enable generation of Baseline Compliance Reports for this device, select the
baseline compliance profile to use.

To disable Baseline Compliance Report generation for this device, select None.


The drop-down list includes all baseline compliance profiles in the system. For
more details, see Customize baseline configuration profiles.

Route Collection

Specify how AFA should acquire the device's routing information:

• Automatic. AFA will automatically generate the device's routing information
  upon analysis or monitoring.
• Static Routing Table (URT). AFA will take the device's routing information
  from a static file you provide. For details, see Specify routing data manually.

Remote Management Capabilities

Select a method of data transmission:

• SSH (recommended). If selected, AFA also enables you to specify a custom port.
  Select Custom Port and enter the port number.
• Telnet (sends the credentials and the collected configuration in cleartext)

From the Number of allowed encryption keys dropdown, select the number of
different SSH host (RSA) keys that AFA accepts from this device's IP address.

Different host keys may be presented from the same IP address in cases of cluster
fail-over, device operating system upgrades, and so on.

For example, if a cluster fail-over occurs, the secondary node presents a new host
key from the same IP address to AFA. In this case, if the Number of allowed
encryption keys value was set to 1, the node connection and subsequent analysis
fail.

Options

Define the following options as needed:


Real-time change monitoring: Select this option to enable real-time alerting upon
configuration changes. For details, see Configure real-time monitoring.

Set user permissions: Select this option to set user permissions for this device.

4. Click Finish. The new device is added to the device tree.

5. If you selected Set user permissions, the Edit users dialog box appears.

In the list of users displayed, select one or more users to provide access to reports
for this account.

To select multiple users, press the CTRL button while selecting.

Click OK to close the dialog.

A success message appears to confirm that the device is added.

Configure Juniper STRM to forward logs to a Syslog-ng server


This procedure describes how to configure Juniper STRM to forward logs to a syslog-ng
server.

Do the following:

1. Log in to the STRM Log Manager interface, and click the Admin tab.

2. On the left, click Data Sources > Syslog Forwarding Destinations > Add.

3. Enter the syslog-ng server's IP address and port, and click Save.

All logs that are sent to the Juniper STRM device will be forwarded to the syslog-ng
server.

Add Palo Alto Networks devices


This topic describes how AFA connects to Palo Alto Panorama and firewall devices.


Palo Alto network connections


The following image shows how an ASMS Central Manager or Remote Agent connects
to Palo Alto Panorama and Gateway devices.

Note: Log data can also be forwarded from M100/M500 collectors.

Service chaining mode

AFA automatically identifies Palo Alto Panorama devices in service-chaining mode
when the device has a single interface, or a single non-management interface.

If your device has multiple non-management interfaces and service-chaining mode is
not identified automatically, configure this for your device manually. For details, see
Configure one-armed mode manually.

VR/Vwire and VSYS analysis

Once added, AFA identifies and analyzes individual VR/Vwires for Panorama devices,
in addition to analyzing each VSYS. The VSYS analysis aggregates the information
provided for its VR/Vwires, and should be used for most AFA analysis features, such as
policy optimization recommendations.

VR/Vwire analysis data provides the ability to troubleshoot routing and topology issues,
such as traffic simulation query results, manage risks, and determine which risky rules to
trust.

Although the VSYS analysis aggregates the information for each VR under it, the VSYS
analysis does not fully contain the data provided in the VR tier analysis.

Inter-VR routing / Inter-VSYS support

AFA supports all inter-VR and inter-VSYS cases, whether by a shared VR or an
explicit inter-VR route, by doing the following:

• Using shared VRs

• Using the VR as a next-hop router

• Including inter-VSYS connections using the external zones

Note: Shared Gateways are partially supported, only when the virtual router is
already included in the DEVICES tree.

When AFA detects any of these inter-VR routing configurations, it adds fake, or back-
plane, interfaces to the firewall's VR URT file to simulate these connections. These
connections can then be displayed on the AFA network map and in query results.

Panorama device permissions


ASMS requires the following device permissions to connect to Palo Alto Panorama
devices:

Device analysis

ASMS requires a Panorama REST API account configured with Configuration and
Operational Requests permissions.

ActiveChange

When ActiveChange is enabled, ASMS requires the additional Export permissions as
well.

Palo Alto Networks Firewall device permissions


To connect to Palo Alto firewall devices, ASMS requires one of the following types of
users:

• Superuser (read-only)

• Device Admin

• Device Admin (read-only)

If the Palo Alto firewall is a version earlier than 4.1.7, is managed by Panorama, but is
defined directly in AFA, ASMS requires one of the following types of users:

• SuperUser (read/write)

• Admin (read/write)

Add a Palo Alto Networks Panorama


This procedure describes how to add a Palo Alto Networks Panorama device to AFA.

Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. In the vendor and device selection page, select Palo Alto Networks > Panorama.

3. Complete the fields as needed.

Access Information

Host: Enter the host name or IP address of the device.

User name: Enter the administrative user name to use for SSH access to the device.
For more details, see Panorama device permissions.

Password: Enter the associated password.

High Availability: Select this option to configure a High Availability cluster. If selected,
you must also enter a value for the Secondary Panorama field.

Secondary Panorama: Type the host name or IP address for the secondary device.

Geographic Distribution

Select the remote agent that should perform data collection for the device.

To specify that the device is managed locally, select Central Manager.

This field is relevant when a Geographic Distribution architecture is configured.

ActiveChange

Select this option to enable ActiveChange for the device.

Log Collection and Monitoring

Syslog-ng server: Specify the syslog-ng server. For details, see Specify a Syslog-ng
server.

Log collection frequency: Type the interval of time in minutes, at which AFA should
collect logs for the device.

You must also configure the device to send syslog messages. For more details,
see Configure log collection on a Panorama device.

Note: To process logs from the devices managed by the Panorama, you may
need to specify additional device identifiers, especially when the sub-device is
represented by multiple or non-standard device identifiers in the logs. This may
be relevant, for example, with firewall clusters or non-standard logging
systems.

For more details, see Add additional device identifiers for sub-systems.

4. If you enabled ActiveChange, the ActiveChange License Agreement dialog box
appears.

Select I Agree and click OK.

5. Click Next to display the Panorama - Step 2/2 page.


This page lists the devices that are managed by the Panorama, including
standalone devices and virtual systems.

Tip: Clear any devices that you don't want to add to AFA.

6. Optional: To collect logs created by a managed device / virtual system:

a. In the Add Device column, select the check box next to the device's name.

b. In the Log Analysis column, select one of the following:

• None to disable logging.

• Standard to enable logging.

• Extensive to enable logging and the Intelligent Policy Tuner.

Note: Using the device's logs enables AFA to detect certain policy
optimization information, such as unused rules. This information is
displayed in the Policy Optimization section of the AFA report.

7. Optional: Enable AFA to generate baseline compliance reports:

a. Click .

b. In the Direct Access Configuration, enter the following details, and then click
OK.

Host IP: Type the IP address of the device.

User Name: Type the user name to access the device.

Password: Type the password to access the device.

Baseline Profile: Select the baseline compliance profile to use. The drop-down list
includes all baseline compliance profiles in the system. For more details, see
Customize baseline configuration profiles. To disable Baseline Compliance Report
generation for this device, select None.

Test Connectivity: Click this button to test connectivity to the defined device. A
message informs you whether AFA connected to the device successfully.

Note: Specifying this information for a device triggers a direct SSH connection
to the device.

8. Select the remaining options as needed:

Real-time change monitoring: Select this option to enable real-time alerting upon
configuration changes. For details, see Configure real-time monitoring.

Set user permissions: Select this option to set user permissions for this device.

9. Click Finish. The new device is added to the device tree.

In the device tree, Panoramas are represented with a four tier hierarchy:
Panorama, PA firewall, VSYS, and VR/Vwire.

Passive-Active clusters

Passive-Active clusters, including VSYSs and firewalls, display as follows:

• They display as a single node on the tree and on the map.

• Cluster display names in the device tree, report, and so on, represent both
names of the cluster members. For example: NODE1_NODE2

• Sub-nodes of the device, such as a VSYS, follow afterward. For example:
NODE1_NODE2_VSYS1

• Baseline compliance: Define the active node details in the device definition
wizard.

• For Active-Active clusters, AFA includes both nodes in the tree.

10. If you selected Set user permissions, the Edit users dialog box appears.

In the list of users displayed, select one or more users to provide access to reports
for this account.

To select multiple users, press the CTRL button while selecting.

Click OK to close the dialog.

A success message appears to confirm that the device is added.

Configure log collection on a Panorama device

ASMS can collect log data by receiving syslog messages from the Panorama device, or
by collecting syslog messages from a remote syslog-ng server.

This procedure describes how to configure the Panorama device to send syslog
messages to ASMS. For more details, see Log Collection and Monitoring.

On the Panorama device, do the following:

1. Configure a new Syslog Server Profile for the syslog server. For details, see Palo
Alto KnowledgeBase.

2. Configure the log settings by selecting all severities.

Configure one-armed mode manually


AFA automatically identifies Palo Alto Panorama devices in one-armed mode when the
device has a single interface, or a single non-management interface. If your device
has multiple non-management interfaces and one-armed mode is not identified
automatically, configure this for your device manually.

Do the following:

1. On the AFA machine, access your device configuration meta file as follows:

/home/afa/.fa/firewalls/<device_name>/fwa.meta

where <device_name> is the name of the device listed. If your device is listed
multiple times, enter the longer name.

2. On a new line, enter:

is_steering_device=yes

3. Run an analysis on the device to update the device data in AFA.
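The three steps above can be scripted so that re-running them never leaves two is_steering_device lines in the file. The following is an added example and not AlgoSec's own tooling; it assumes fwa.meta is a plain text file of key=value lines (the guide only shows the one line), and the function and script names are the example's own.

```python
"""
Set is_steering_device=yes in an AFA device meta file without duplicating it.

Added example; this is not AlgoSec's own tooling. It automates the manual
procedure above: open /home/afa/.fa/firewalls/<device_name>/fwa.meta and
add the line is_steering_device=yes. It assumes fwa.meta is a plain text
file of key=value lines (an assumption; the guide only shows the one line)
and replaces an existing value for the key instead of appending a second
copy, so the step can be re-run safely.
"""
import sys
from pathlib import Path
from typing import List

DEFAULT_BASE = Path("/home/afa/.fa/firewalls")  # path given in the procedure above


def set_meta_key(meta_path: Path, key: str, value: str) -> List[str]:
    """Ensure exactly one `key=value` line exists in meta_path; return the lines."""
    if not meta_path.exists():
        # Do not create directories for a mistyped device name; the guide says
        # to use the longer name when a device is listed more than once.
        raise FileNotFoundError(f"{meta_path}: no such device meta file; check the device name")
    lines = meta_path.read_text().splitlines()
    wanted = f"{key}={value}"
    out: List[str] = []
    found = False
    for line in lines:
        name, sep, _ = line.partition("=")
        if sep and name.strip() == key:
            if found:
                continue  # drop an accidental second copy of the key
            out.append(wanted)  # overwrite the existing value in place
            found = True
        else:
            out.append(line)  # unrelated lines are preserved verbatim
    if not found:
        out.append(wanted)  # "On a new line, enter: is_steering_device=yes"
    meta_path.write_text("\n".join(out) + "\n")
    return out


def enable_one_armed_mode(device_name: str, base: Path = DEFAULT_BASE) -> List[str]:
    """Mark <device_name> as a steering (one-armed / service-chaining) device."""
    return set_meta_key(base / device_name / "fwa.meta", "is_steering_device", "yes")


if __name__ == "__main__":
    # Usage on the AFA machine: python3 one_armed.py <device_name>
    # Afterwards, run an analysis on the device to update its data in AFA.
    for updated in enable_one_armed_mode(sys.argv[1]):
        print(updated)
```

After the file is updated, step 3 still applies: run an analysis on the device so AFA picks up the new setting.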

Add a Palo Alto Networks firewall


This procedure describes how to add a Palo Alto Networks firewall to AFA.


Note: Palo Alto Networks firewalls defined directly in AFA do not support the
advanced routing analysis provided for Palo Alto Networks devices defined at the
Panorama level. AFA does not identify individual VR/Vwires and therefore does not
benefit from the routing information they provide.

For more details, see Add a Palo Alto Networks Panorama.

Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. In the vendor device selection page, select Palo Alto Networks > Firewall.

3. Complete the fields as needed.

Access Information

Host: Type the host name or IP address of the device.

User Name: Type the administrative user name to use for SSH access to the device.
If the device is managed by Panorama and Panorama is used to push all or part of the
device's configuration, you must provide a user of the Superuser type.
If the device is either not managed by Panorama, or it is managed by Panorama but no
configuration is pushed from Panorama towards the device, then you can specify a user
name of any of the following types: Superuser, Superuser (Read Only), Device Admin,
or Device Admin (Read-Only).

Password: Type the password to use for SSH access to the device.

Geographic Distribution

Select the remote agent that should perform data collection for the device.

To specify that the device is managed locally, select Central Manager.


This field is relevant when a Geographic Distribution architecture is configured.

Baseline Configuration Compliance

To enable generation of Baseline Compliance Reports for this device, select the
baseline compliance profile to use.

The drop-down list includes all baseline compliance profiles in the system. For
more information on baseline compliance profiles and instructions for adding new
baseline compliance profiles, see Customize baseline configuration profiles.

To disable Baseline Compliance Report generation for this device, select None.

Route Collection

Specify how AFA should acquire the device's routing information:

• Automatic. AFA will automatically generate the device's routing information
upon analysis or monitoring.

• Static Routing Table (URT). AFA will take the device's routing information
from a static file you provide. For more information, see Specify routing data
manually.

Remote Management Capabilities

Select a method of data collection:

• SSH (more secure)

• Telnet

Then define the following:

Custom Port: To specify a custom port, select this option and type the port. This option
is only relevant when SSH is selected.

Number of allowed encryption keys: Enter the permitted number of different RSA keys
received from this device's IP address. Different RSA keys may be sent from the same
IP address in cases of cluster fail-over, device operating system upgrades, etc. For
example, if a cluster fail-over occurs, the secondary node will send a new RSA key from
the same IP address to AFA. If this number is set to 1, the connection to the node will
fail, resulting in a failed analysis.

Log Collection and Monitoring

Specify whether AFA should collect logs for the device, by selecting one of the
following:

• None: Do not collect logs.

• Standard: Enable log collection.

• Extensive: Enable log collection and the Intelligent Policy Tuner.

The default value is Extensive.

Additionally, define the following values:

Syslog-ng server: If you selected Standard or Extensive in the Log collection method
field, you must specify the syslog-ng server. For details, see Specify a Syslog-ng
server.

Additional identifiers: Enter any additional IP addresses or host names that identify the
firewall device. When adding multiple entries, separate values by a colon (:). For
example: 1.1.1.1:2.2.2.2:ServerName
This is relevant when the device is represented by multiple or non-standard device
identifiers in the logs, for example, in cases of firewall clusters or non-standard logging
settings. If AFA receives logs with an identifier it does not recognize, the logs will not be
processed.
Note: This field is not supported for sub-systems (Juniper VSYS/LSYS, Fortinet VDOM,
Cisco security context, etc.). To configure additional identifiers for sub-systems, see
Add additional device identifiers for sub-systems.

Log collection frequency: Type the interval of time in minutes, at which AFA should
collect logs for the device.

Options

Real-time change monitoring: Select this option to enable real-time alerting upon
configuration changes. For details, see Configure real-time monitoring.

Set user permissions: Select this option to set user permissions for the device.

4. Click Finish.

The new device is added to the device tree, with a two tier hierarchy: firewall and
VSYS.

5. If you selected Set user permissions, the Edit users dialog box appears.

In the list of users displayed, select one or more users to provide access to reports
for this account.

To select multiple users, press the CTRL button while selecting.


Click OK to close the dialog.

A success message appears to confirm that the device is added.

See also:

• AlgoSec & Palo Alto Networks
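The Additional identifiers field in the firewall procedure above states a simple rule: a device is known by its Host value plus any colon-separated extra identifiers, and a log whose source identifier matches no device is not processed. The following added example (not AFA's log collector) applies that rule to a few constructed syslog lines so you can see which messages a cluster definition with extra identifiers would keep and which would be dropped; the device table, the messages and the matching logic are all the example's own.

```python
"""
Match syslog messages to AFA device definitions by source identifier.

Added example; this is not AFA's log collector. It applies the rule given
for the Additional identifiers field above: a device is known by its Host
value plus any colon-separated additional identifiers (for example
1.1.1.1:2.2.2.2:ServerName), and a message whose source identifier matches
no device is not processed. The device table and the syslog lines are
constructed (RFC 3164 style header; the hostname field follows the
timestamp); the matching logic is the example's own.
"""
import re
from typing import Dict, List, Set, Tuple

# Device name -> (Host field, Additional identifiers field). Constructed sample.
DEVICES: Dict[str, Tuple[str, str]] = {
    "pa-cluster": ("1.1.1.1", "2.2.2.2:ServerName"),  # cluster: two IPs and a host name
    "pa-branch": ("fw-branch.example.net", ""),       # single device, no extras
}

# <PRI>Mmm dd hh:mm:ss HOSTNAME ...  (RFC 3164 header; HOSTNAME is the identifier)
SYSLOG_HEADER = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} (\S+) ")

# Constructed messages; the body after the host name is illustrative only.
SAMPLE_LOGS: List[str] = [
    "<14>May  4 10:00:01 1.1.1.1 TRAFFIC,end,rule=allow-web",
    "<14>May  4 10:00:02 ServerName TRAFFIC,end,rule=allow-web",   # other cluster member
    "<14>May  4 10:00:03 fw-branch.example.net TRAFFIC,end,rule=allow-dns",
    "<14>May  4 10:00:04 10.9.9.9 TRAFFIC,end,rule=allow-web",     # not defined anywhere
]


def parse_identifiers(host: str, extra: str) -> Set[str]:
    """Host plus the colon-separated additional identifiers, case-folded."""
    ids = {host.strip().lower()}
    ids.update(part.strip().lower() for part in extra.split(":") if part.strip())
    return ids


def build_index(devices: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """Map every identifier to its device; refuse ambiguous definitions."""
    index: Dict[str, str] = {}
    for name, (host, extra) in devices.items():
        for ident in parse_identifiers(host, extra):
            if index.get(ident, name) != name:
                raise ValueError(f"identifier {ident!r} is claimed by {index[ident]} and {name}")
            index[ident] = name
    return index


def route_logs(devices: Dict[str, Tuple[str, str]],
               lines: List[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Split lines into per-device accepted messages and unprocessed ones."""
    index = build_index(devices)
    accepted: Dict[str, List[str]] = {name: [] for name in devices}
    dropped: List[str] = []
    for line in lines:
        match = SYSLOG_HEADER.match(line)
        device = index.get(match.group(1).lower()) if match else None
        if device is None:
            dropped.append(line)  # unrecognized identifier: AFA would not process it
        else:
            accepted[device].append(line)
    return accepted, dropped


if __name__ == "__main__":
    by_device, unprocessed = route_logs(DEVICES, SAMPLE_LOGS)
    for name, msgs in by_device.items():
        print(f"{name}: {len(msgs)} message(s)")
    print(f"not processed: {len(unprocessed)}")
```

Two points the example makes visible: a message from 10.9.9.9 is silently lost because nothing claims that identifier, so a sudden drop in processed log volume after a cluster change is worth checking against this field; and because the list is split on every colon, an IPv6 literal cannot be expressed unambiguously in it, so use host names for such members.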

Add a Symantec Blue Coat


This procedure describes how to add a Symantec Blue Coat device to AFA.

Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. In the vendor and device selection page, select Symantec > Blue Coat.

3. Enter the following fields as needed:

Access Information

Supported Capabilities: Displays a list of supported device capabilities. This field is
read-only.

Host: Enter the host name or IP address of the device.

User Name: Enter the user name to use for SSH access to the device.

Password: Enter the password to use for SSH access to the device.

Retrieve credentials from CyberArk vault: Select this check box to authenticate the
device with a CyberArk Vault instead of saving the device credentials on the AlgoSec
server.
If selected, also enter the following details:
• Platform (Policy ID): The platform to use when authenticating via CyberArk.
• Safe: The safe to use when authenticating via CyberArk.
• Folder: The folder to use when authenticating via CyberArk.
• Object: The device's CyberArk Object.

Note: These options only appear when CyberArk is configured in AFA. For more details,
see Integrate AFA and CyberArk.

Geographic Distribution

Select the remote agent that should perform data collection for the device.

To specify that the device is managed locally, select Central Manager.

This field is relevant when a Geographic Distribution architecture is configured.

Baseline Configuration Compliance

To enable generation of Baseline Compliance Reports for this device, select the
baseline compliance profile to use.

The drop-down list includes all baseline compliance profiles in the system. For
more details, see Customize baseline configuration profiles.

To disable Baseline Compliance Report generation for this device, select None.

SNMP Polling

SNMP version: Select the SNMP version in the drop-down menu.

SNMP community: Enter the SNMP community string. This field is only relevant for
SNMP v2c.

Security Name (username): Enter the security name. This field is only relevant for
SNMP v3.

Authentication Protocol: Select an authentication protocol as needed. This field is only
relevant for SNMP v3.

Authentication Password: If you selected an authentication protocol, enter the
password. This field is only relevant for SNMP v3.

Privacy Protocol: Select a privacy protocol as needed. This field is only relevant for
SNMP v3.

Privacy Password: If you selected a privacy protocol, enter the password. This field is
only relevant for SNMP v3.

Additional Information

Enter an enable password to use when switching to enabled mode.

Route Collection

Specify how AFA should acquire the device's routing information:

• Automatic. AFA will automatically generate the device's routing information
upon analysis or monitoring.

• Static Routing Table (URT). AFA will take the device's routing information
from a static file you provide. For details, see Specify routing data manually.

Remote Management Capabilities

Select one of the following methods to collect data:

• SSH (recommended)

• Telnet

Then, enter the following as needed:

Custom Port: To specify a custom port, select this option and type the port. This option
is only relevant when SSH is selected.

Number of allowed encryption keys: Enter the permitted number of different RSA keys
received from this device's IP address. Different RSA keys may be sent from the same
IP address in cases of cluster fail-over, device operating system upgrades, and so on.
For example, if a cluster fail-over occurs, the secondary node will send a new RSA key
from the same IP address to AFA. If this number is set to 1, the connection to the node
will fail, resulting in a failed analysis.

Policy Configuration Method

Select one of the following policy configuration methods:

Visual Policy Manager – VPM: The device policy is configured via the Visual Policy
Manager (VPM) only.

Content Policy Language – CPL (Command-Line): The device policy is configured via
both the CPL command line (CPL) and the Visual Policy Manager (VPM).

Options

Real-time change monitoring: Select this option to enable real-time alerting upon
configuration changes. For details, see Configure real-time monitoring.

Set user permissions: Select this option to set user permissions for this device.


4. Click Finish. The new device is added to the device tree.

5. If you selected Set user permissions, the Edit users dialog box appears.

In the list of users displayed, select one or more users to provide access to reports
for this account.

To select multiple users, press the CTRL button while selecting.

Click OK to close the dialog.

Add VMware NSX-V devices


This topic describes ASMS's support for VMware NSX-V devices.

Network connectivity
The following diagram shows an ASMS Central Manager or Remote Agent connecting
to a VMware NSX-V device environment.

Device permissions
ASMS requires the following to collect data from VMware NSX-V devices:

• Device analysis

• ActiveChange

Device analysis

ASMS requires minimal, read-only access permissions to access VMware NSX-V
devices and perform data collection.

The user accessing the VMware NSX-V device must have one of the following roles:

• Auditor

• Security Admin

• NSX Admin

• Enterprise Admin

Note: If you are using an NSX Manager, we recommend using the built-in NSX
Manager user to connect from ASMS.

ActiveChange

When ActiveChange is enabled, the user connecting to the VMware NSX-V device
requires read-write permissions, with one of the following roles:

• Security Admin

• Enterprise Admin

Note: When adding an NSX-V device to AFA with vCenter permissions (both Admin
and Read Only), the following data will be missing:

• Device version

• Device host name

• NSX Manager IP

Add a VMware NSX-V to AFA


This procedure describes how to add a VMware NSX-V device to AFA.

Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. In the vendor device selection page, click VMware > NSX.

3. Complete the fields as needed.

Access Information

Host: Enter the host name or IP address of the NSX Manager. This is the name that
will be displayed in the devices tree.

User Name: Enter the user name to use for REST access to the device.

Password: Enter the password to use for REST access to the device.

Geographic Distribution

Select the remote agent that should perform data collection for the device.

To specify that the device is managed locally, select Central Manager.

This field is relevant when a Geographic Distribution architecture is configured.

Additional Information

Select the Learning mode option to specify that AFA traffic simulation should treat
traffic that is not specified in a rule as blocked.

In reality, the default behavior for NSX devices is to allow all traffic that is not
explicitly blocked. Learning mode enables you to better understand the specific
traffic that needs to be allowed on the device.

Route Collection

Specify how AFA should acquire the device's routing information:

• Automatic. AFA will automatically generate the device's routing information
upon analysis or monitoring.

• Static Routing Table (URT). AFA will take the device's routing information
from a static file you provide. For details, see Specify routing data manually.

ActiveChange

Select the Enable ActiveChange option to enable ActiveChange for the device.

Note: Enabling ActiveChange rollback for this device requires special configuration on
the device.

Options

Real-time change monitoring: Select this option to enable real-time change monitoring.
For details, see Configure real-time monitoring.

Set user permissions: Select this option to set user permissions for this device.

4. Click Finish. The new device is added to the device tree.

5. If you selected Set user permissions, the Edit users dialog box appears.

In the list of users displayed, select one or more users to provide access to reports
for this account.

To select multiple users, press the CTRL button while selecting.

Click OK to close the dialog.

A success message appears to confirm that the device is added.


Required device permissions


AFA requires certain permissions on devices in order to collect data and support other
functionalities. This topic describes AFA's requirements for the user account it uses to
connect to each device brand, as well as any other device requirements. Some
permissions are only required for specific AFA features.

Baseline configuration compliance


For baseline configuration compliance support, AFA connects via SSH to the device
and executes the commands in the specified baseline configuration profile.

The required permissions depend on the profile used, as AFA requires permission to
read/execute all commands listed in the profile.

Device requirements reference by brand


Check requirements for the following device brands:

• Arista device requirements

• AWS requirements

• Azure requirements

• Check Point device requirements

• Cisco device requirements

• F5 device requirements

• Fortinet device requirements

• Juniper device requirements

• Palo Alto device requirements

• Symantec BlueCoat SGOS device requirements

• TopSec device requirements

• VMware NSX device requirements

• WatchGuard device requirements

Note:

Support for the Forcepoint brands (Sidewinder, StoneGate) and Hillstone was
deprecated in ASMS version A30.00.

If you had defined these devices in an earlier version of ASMS, these devices are
still available to you, with all the existing capabilities, but you cannot add new ones
after upgrading.

We recommend backing up device data before or after upgrading and then removing
these devices from AFA. Make sure to download any report zip files for the device
before deleting.

For more details, see the relevant AlgoPedia KB article.

Check Point device requirements


See Check Point device permissions.

Cisco device requirements

Cisco ASA: For details, see Device permissions.

Cisco Firewalls via CSM: Requires enabling the CSM API service. To enable this, in the
CSM management application, click Tools > Security Manager Administration > API,
and check the Enable API Service setting.

Cisco IOS: For details, see Device permissions.

Cisco Nexus: For details, see Device permissions.

Cisco ACI: For details, see Device permissions.

Cisco ISE: For details, see Device permissions.

Cisco Firepower: For details, see Device permissions.

Arista device requirements


For details, see Device permissions.

Juniper device requirements

Juniper Netscreen: For details, see Device requirements.

Juniper SRX: For details, see Device permissions.

Juniper NSM: For details, see Device permissions.

Junos Space Security Director: For details, see Device permissions.

Juniper M/E Routers: For details, see Device requirements.

Fortinet device requirements


For more details, see Add Fortinet devices.

Palo Alto device requirements


For details, see Add Palo Alto Networks devices.

F5 device requirements

F5 BIG-IP LTM Only For details, see Device permissions.

F5 BIG-IP LTM and AFM For details, see Device permissions.

Symantec BlueCoat SGOS device requirements


The user must be able to enter “enable” mode.

For retrieving routing data from the device, SNMP access is required.

WatchGuard device requirements


Read Only permissions are sufficient.

Routing is based on SNMP.

• For default usernames and passwords, see here
(https://knowledge.algosec.com/skn/tu/e5269).

• For further SNMP details, see here (https://knowledge.algosec.com/skn/tu/e5178).

TopSec device requirements


For further SNMP details, see here (https://knowledge.algosec.com/skn/tu/e5178).

VMware NSX device requirements


For details, see Device permissions.

AWS requirements

For details, see Device access requirements for AWS.

Azure requirements

For details, see Device requirements for Azure.

Add other devices and routing elements


This topic describes how to add monitoring and routing devices and routing elements.

Note: For details about adding devices of specific vendor types to AFA, or importing
device data from CSV files, see Add devices to AFA and CSV import file format.

Add monitoring and routing devices


This procedure describes how to add the following types of monitoring and routing
devices to AFA:

• Avaya – Routing Switch

• Brocade VDX

• Cisco ACE

• HP H3C Routers

• Juniper Secure Access (SSL VPN)

• Juniper Routers (non-M/E)

• Linux Netfilter IPtables

• SECUI MF2

• SonicWall

• Topsec Firewall

• WatchGuard


Note: These devices support change monitoring, routing analysis, and baseline
configuration compliance only.

Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. In the vendor and device selection page, select your device type.

3. Complete the following fields as needed, and then click Finish.

The fields displayed may differ depending on your device brand and selections.

Access Information fields

Supported Capabilities: Displays a list of device capabilities. This field is read-only
and only appears for some devices.

Host: Type the host name or IP address of the device.

User Name: Type the user name to use for SSH access to the device.

Password: Type the password to use for SSH access to the device.

Geographic Distribution fields

Device managed by: Select the remote agent that should perform data collection for
the device. To specify that the device is managed locally, select Central Manager. This
field is relevant when a Geographic Distribution architecture is configured.

Baseline Configuration Compliance

Baseline Configuration Profile: To enable generation of Baseline Compliance Reports
for this device, select the baseline compliance profile to use. The drop-down list
includes all baseline compliance profiles in the system. To disable Baseline
Compliance Report generation for this device, select None. For more details, see
Customize baseline configuration profiles.

Route Collection

Specify how AFA should acquire the device's routing information:

• Automatic. AFA will automatically generate the device's routing information
upon analysis or monitoring.

• Static Routing Table (URT). AFA will take the device's routing information
from a static file you provide. For more information, see Specify routing data
manually.

SNMP Polling

Use the following fields to define SNMP polling values. These fields only appear
for selected device brands.

SNMP version: Select the SNMP version in the drop-down menu.

SNMP community: Type the SNMP community string. This field is only relevant for
SNMP v2c.

Security Name (username): Type the security name. This field is only relevant for
SNMP v3.

Authentication Protocol: If desired, select the authentication protocol in the drop-down
menu. This field is only relevant for SNMP v3.

Authentication Password: If you selected an authentication protocol, type the
password. This field is only relevant for SNMP v3.

Privacy Protocol: If desired, select a privacy protocol in the drop-down menu. This field
is only relevant for SNMP v3.

Privacy Password: If you selected a privacy protocol, type the password. This field is
only relevant for SNMP v3.

Remote Management Capabilities

Select SSH or Telnet to determine how data is transmitted to AFA.

Note: SSH is more secure than Telnet, however some device brands support
only one method.

Then define the following details:

Custom Port: To specify a custom port, select this option and type the port. This option
is only relevant when SSH is selected.

Number of allowed encryption keys: Enter the permitted number of different RSA keys
received from this device's IP address. Different RSA keys may be sent from the same
IP address in cases of cluster fail-over, device operating system upgrades, etc. For
example, if a cluster fail-over occurs, the secondary node will send a new RSA key
from the same IP address to AFA. If this number is set to 1, the connection to the node
will fail, resulting in a failed analysis.

Firewall Analyzer (A30.10) Page 206 of 542


Administration Guide | Manage devices

Options

Real-time change Select this option to enable real-time change


monitoring monitoring.
For more details, see Configure real-time
monitoring.

Set user permissions Select this option to set user permissions for this
device.

The new device is added to the device tree.

4. If you selected Set user permissions, the Edit users dialog box appears.

In the list of users displayed, select one or more users to provide access to reports
for this account.

To select multiple users, press the CTRL button while selecting.

Click OK to close the dialog.

A success message appears to confirm that the device is added.
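The Number of allowed encryption keys setting above trades strict host-key pinning against cluster fail-over. The following model, added here as an illustration and not AFA's own code, shows what each value does when the secondary node presents a different key from the same IP; the fingerprints and the address are constructed placeholders.

```python
"""Model of the 'Number of allowed encryption keys' setting: how many distinct
SSH host (RSA) keys are accepted from one device IP address. Added example, not
AFA code; the fingerprints and IP address below are constructed placeholders."""
from collections import defaultdict


class HostKeyPolicy:
    """Trust-on-first-use host-key store with a per-IP cap on distinct keys."""

    def __init__(self, allowed_keys):
        # allowed_keys is 1, 2 or "unlimited", matching the device setting
        self.limit = None if allowed_keys == "unlimited" else int(allowed_keys)
        self.seen = defaultdict(list)  # ip -> fingerprints accepted so far

    def check(self, ip, fingerprint):
        """Return 'known', 'learned' or 'rejected' for the key a device presents."""
        keys = self.seen[ip]
        if fingerprint in keys:
            return "known"
        if self.limit is None or len(keys) < self.limit:
            keys.append(fingerprint)  # a new key within the cap is learned
            return "learned"
        return "rejected"  # over the cap: the SSH connection, and so the analysis, fails


PRIMARY = "SHA256:PRIMARY-NODE-KEY-PLACEHOLDER"
SECONDARY = "SHA256:SECONDARY-NODE-KEY-PLACEHOLDER"
CLUSTER_IP = "10.0.0.1"  # constructed cluster address shared by both nodes


def simulate_failover(allowed_keys):
    """The primary node is analysed twice, a fail-over brings the secondary node
    (its own host key, same IP) into service, then the primary returns."""
    policy = HostKeyPolicy(allowed_keys)
    return [policy.check(CLUSTER_IP, PRIMARY), policy.check(CLUSTER_IP, PRIMARY),
            policy.check(CLUSTER_IP, SECONDARY), policy.check(CLUSTER_IP, PRIMARY)]


def unexpected_third_key(allowed_keys):
    """Both cluster nodes are already known when a never-seen key appears on the
    same IP. With a cap of 2 it is rejected and the failure is visible; with
    'unlimited' it is learned silently, so a substituted host key goes unnoticed."""
    policy = HostKeyPolicy(allowed_keys)
    policy.check(CLUSTER_IP, PRIMARY)
    policy.check(CLUSTER_IP, SECONDARY)
    return policy.check(CLUSTER_IP, "SHA256:UNKNOWN-KEY-PLACEHOLDER")


if __name__ == "__main__":
    for setting in (1, 2, "unlimited"):
        print(setting, simulate_failover(setting), unexpected_third_key(setting))
```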

Add routing elements


This procedure describes how to add routing elements to AFA.

Routing elements are generic devices that perform SNMP connections for retrieving
routing tables, without collecting configurations.

Note: AFA supports routing elements using SNMPv2c and SNMPv3. The supported
MIB is RFC-1213, and the OID fetched from the device is ipRouteEntry (object
identifier: 1.3.6.1.2.1.4.21.1).

We do not recommend adding devices as routing elements if they have a non-standard routing deployment in addition to the standard RFC1213, such as Cisco routers. For these devices, the SNMP response does not include crucial information, mainly concerning VRF instances.
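To make concrete what a routing element returns, the following added example (not AFA code) parses snmpwalk-style output of the RFC 1213 ipRouteEntry table (1.3.6.1.2.1.4.21.1) into a routing table and resolves destinations against it. The walk output is constructed; note that the table has no VRF column, which is why VRF-aware devices are poorly represented.

```python
"""Parse snmpwalk-style output of the RFC 1213 ipRouteTable (ipRouteEntry,
OID 1.3.6.1.2.1.4.21.1) into a routing table and resolve destinations against it.
Added example, not AFA code; the walk output below is constructed."""
import ipaddress
import re
from dataclasses import dataclass

IP_ROUTE_ENTRY = "1.3.6.1.2.1.4.21.1"
# ipRouteEntry columns used here (RFC 1213); metric2..5, age and info are skipped
COLUMNS = {1: "dest", 2: "if_index", 3: "metric1", 7: "next_hop",
           8: "type", 9: "proto", 11: "mask"}
ROUTE_TYPE = {1: "other", 2: "invalid", 3: "direct", 4: "indirect"}
ROUTE_PROTO = {1: "other", 2: "local", 3: "netmgmt", 4: "icmp", 8: "rip",
               13: "ospf", 14: "bgp"}
# matches e.g. ".1.3.6.1.2.1.4.21.1.7.10.20.0.0 = IpAddress: 192.168.1.10"
LINE_RE = re.compile(r"^\.?(?P<oid>[\d.]+)\s*=\s*\w+:\s*(?P<value>\S+)")


@dataclass
class Route:
    network: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    if_index: int
    route_type: str
    proto: str


def parse_walk(lines):
    """Group ipRouteEntry rows by their table index (the route destination)."""
    rows = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m.group("oid").startswith(IP_ROUTE_ENTRY + "."):
            continue  # not part of ipRouteTable
        rest = m.group("oid")[len(IP_ROUTE_ENTRY) + 1:].split(".")
        column, index = int(rest[0]), ".".join(rest[1:5])
        if column in COLUMNS:
            rows.setdefault(index, {})[COLUMNS[column]] = m.group("value")
    return rows


def build_routes(rows):
    """Turn grouped rows into Route objects, longest prefix first."""
    routes = []
    for row in rows.values():
        if not {"dest", "mask", "next_hop"}.issubset(row):
            continue  # incomplete row (walk cut short)
        rtype = ROUTE_TYPE.get(int(row.get("type", 1)), "other")
        if rtype == "invalid":
            continue  # invalid(2) marks a logically deleted row
        net = ipaddress.IPv4Network((row["dest"], row["mask"]), strict=False)
        routes.append(Route(net, ipaddress.IPv4Address(row["next_hop"]),
                            int(row.get("if_index", 0)), rtype,
                            ROUTE_PROTO.get(int(row.get("proto", 1)), "other")))
    routes.sort(key=lambda r: r.network.prefixlen, reverse=True)
    return routes


def lookup(routes, ip):
    """Longest-prefix match for a destination, or None if no route covers it."""
    addr = ipaddress.IPv4Address(ip)
    return next((r for r in routes if addr in r.network), None)


# Constructed walk of a router with a static default route, one OSPF route and
# one directly connected network. There is no VRF column in this table, so a
# device whose routing lives in VRFs cannot be represented by it.
SAMPLE_WALK = """\
.1.3.6.1.2.1.4.21.1.1.0.0.0.0 = IpAddress: 0.0.0.0
.1.3.6.1.2.1.4.21.1.1.10.20.0.0 = IpAddress: 10.20.0.0
.1.3.6.1.2.1.4.21.1.1.192.168.1.0 = IpAddress: 192.168.1.0
.1.3.6.1.2.1.4.21.1.2.0.0.0.0 = INTEGER: 1
.1.3.6.1.2.1.4.21.1.2.10.20.0.0 = INTEGER: 1
.1.3.6.1.2.1.4.21.1.2.192.168.1.0 = INTEGER: 1
.1.3.6.1.2.1.4.21.1.7.0.0.0.0 = IpAddress: 192.168.1.254
.1.3.6.1.2.1.4.21.1.7.10.20.0.0 = IpAddress: 192.168.1.10
.1.3.6.1.2.1.4.21.1.7.192.168.1.0 = IpAddress: 0.0.0.0
.1.3.6.1.2.1.4.21.1.8.0.0.0.0 = INTEGER: 4
.1.3.6.1.2.1.4.21.1.8.10.20.0.0 = INTEGER: 4
.1.3.6.1.2.1.4.21.1.8.192.168.1.0 = INTEGER: 3
.1.3.6.1.2.1.4.21.1.9.0.0.0.0 = INTEGER: 3
.1.3.6.1.2.1.4.21.1.9.10.20.0.0 = INTEGER: 13
.1.3.6.1.2.1.4.21.1.9.192.168.1.0 = INTEGER: 2
.1.3.6.1.2.1.4.21.1.11.0.0.0.0 = IpAddress: 0.0.0.0
.1.3.6.1.2.1.4.21.1.11.10.20.0.0 = IpAddress: 255.255.0.0
.1.3.6.1.2.1.4.21.1.11.192.168.1.0 = IpAddress: 255.255.255.0
""".splitlines()

ROUTES = build_routes(parse_walk(SAMPLE_WALK))

if __name__ == "__main__":
    for r in ROUTES:
        print(f"{r.network!s:18} via {r.next_hop!s:15} {r.route_type:8} {r.proto}")
    print("10.20.5.1 ->", lookup(ROUTES, "10.20.5.1").network)
```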

Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. In the vendor and device selection page, click Routing Element on the right.

3. Complete the following fields as needed and click Finish.

Access Information fields

Supported Capabilities: Displays a list of device capabilities. This field is read-only.

Host: Type the host name or IP address of the device.

Geographic Distribution fields

Device managed by: Select the remote agent that should perform data collection for the device. To specify that the device is managed locally, select Central Manager. This field is relevant when a Geographic Distribution architecture is configured.

SNMP Polling fields

Use the following fields to define SNMP polling values.

SNMP version: Select the SNMP version in the drop-down menu.

SNMP community: Type the SNMP community string. This field is only relevant for SNMP v2c.

Security Name (username): Type the security name. This field is only relevant for SNMP v3.

Authentication Protocol: If desired, select the authentication protocol in the drop-down menu. This field is only relevant for SNMP v3.

Authentication Password: If you selected an authentication protocol, type the password. This field is only relevant for SNMP v3.

Privacy Protocol: If desired, select a privacy protocol in the drop-down menu. This field is only relevant for SNMP v3.

Privacy Password: If you selected a privacy protocol, type the password. This field is only relevant for SNMP v3.

Route Collection

Specify how AFA should acquire the device's routing information:

- Automatic. AFA will automatically generate the device's routing information upon analysis or monitoring.

- Static Routing Table (URT). AFA will take the device's routing information from a static file you provide. For details, see Specify routing data manually.

Options

Update Network Map upon routing change: Select this option to enable automatically updating the graphic network map upon routing changes.

Set user permissions: Select this option to set user permissions for this device.

The new device is added to the device tree.

4. If you selected Set user permissions, the Edit users dialog box appears.


In the list of users displayed, select one or more users to provide access to reports
for this account.

To select multiple users, press the CTRL button while selecting.

Click OK to close the dialog.

A success message appears to confirm that the device is added.

Add/update multiple devices in bulk


Add multiple new devices or update multiple existing devices in bulk by importing a pre-
prepared CSV file. After importing, the new or updated devices appear in AFA like all
others.

AFA enables you to do this via the Administration area in AFA or via CLI.

For more details, see the How to Import and Manage Devices in Bulk from a .CSV File AlgoPedia article.

Prepare your CSV file


Prepare your CSV file to import by using the sample provided in the AFA UI, or creating
your own from scratch.

Note: The same CSV file cannot be used to both add new devices and update
existing devices at the same time.

For more details, see CSV import file format.

Access AFA's sample CSV file


Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. Click Bulk and select Add/Update devices (CSV).

3. Click Download sample files.


A zip file is downloaded with sample files for various device types.

Add a line to the file for each device you want to add or update, as well as values
that correspond to each header.

For details, see CSV import file format.

Prepare a CSV file from scratch


Do the following:

1. Open a text or csv file, and add a list of comma separated column headers. Each
column header supports a device property or option.

For details about supported column headers, see CSV import file format.

2. For each device you want to add or update, add a new line with values that
correspond to each header.

Note the following:

Adding or updating: Your CSV file can include either devices to add or update, but not both.

Devices that must be handled on their own: The following device types cannot be listed in a CSV file together with other device types:
- Cisco IOS
- Cisco ASA and all types of Cisco firewalls
- Juniper Netscreen
These devices must be added or updated using a CSV file of their own.

Missing headers: If you are adding new devices, any headers not included in the CSV are assigned with default values. If you are updating existing devices, any headers not included in the CSV are ignored, and no changes are made for those properties in AFA.

Syslog values for sub-systems: If you want to assign syslog identifiers for sub-systems, you must do this as part of an update CSV file. The parent device must already be defined in AFA.

3. Save the file and continue with Import your CSV file (UI).

Tip: Use a CSV file to assign additional device identifiers for primary/parent devices
or device subsystems, such as VSYS or VDOM.

In such cases, you only need to include the name and additional_fw_ips column
headers for each device.

For more details, see Add/update multiple devices in bulk and Bulk import support
scope.

Import your CSV file (UI)


This procedure describes how to import a CSV file of device data into AFA via the
Administration UI.

Note: For more details, see Prepare your CSV file and CSV import file format.

Do the following:

1. Ensure that the devices listed in your CSV file are online and accessible by AFA
via SSH.

2. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

3. Click Bulk and select Add/Update devices (CSV).

4. Select to either Add New Devices or Update Devices.

5. Select your Device Type, and then browse to and select your prepared CSV file.
For more details, see Prepare your CSV file.


6. Click Add or Update.

The configured devices are added to or updated in AFA, and a confirmation message is displayed.

Import your CSV file (CLI)


This procedure describes how to import a CSV file of device data into AFA via
CLI commands.

Note: For more details, see Prepare your CSV file and CSV import file format.

Do the following:

1. Ensure that the devices listed in your CSV file are online and accessible by AFA
via SSH.

2. Log in to the AFA server as user afa and browse to the directory where the CSV
file is saved.

3. Run the following command:

import_devices -f <CSVFile> -t <deviceType> [-u]

Where:

-f <CSVFile>: Defines the name of the CSV file. This file must be located in the current directory.

-t <deviceType>: Defines the type of devices to import or update. Supported values include:
- ASA. A Cisco ASA device.
- IOS. A Cisco IOS Router.
- NSC. A Juniper NetScreen device.
- GEN. Any of the other supported device brands. In this case, specify the brand in the CSV brand column. For more details, see CSV import file format.
For additional device types and configurations, see Bulk import support scope.

-u: Determines that the script updates existing devices. When absent, the script imports the data as new devices.

The script runs and the devices described in your CSV file are added or updated in
AFA.

Bulk import support scope


Each CSV file can include the following types of device data:

- Device data for multiple devices to be added or updated. You cannot use the same CSV file to add new devices and update existing devices at the same time.

- Device data for multiple device types, except for the following:
  - Cisco IOS
  - Cisco ASA
  - Juniper Netscreen
  These device types must be added in CSV files with no other device types listed.

Additionally, the following types of devices and device options must be added or configured manually in the AFA Administration area:

Device types: Add the following types of devices individually in the AFA Administration area:
- Management devices, including any device that manages other devices. For example, Juniper NSM, Check Point devices, cloud "device" accounts, and so on.
- Routing elements
- Cisco Firewall via a CSM
- Cisco Application Centric Infrastructure (ACI)
- H3c
- SECUI MF2

Device options: The following options must be configured manually in the AFA Administration area after importing:
- Enabling ActiveChange
- Enabling Learning mode for a VMware NSX device. Learning mode causes AFA to treat traffic that is not specified in a rule as blocked. Because the default behavior of an NSX Distributed Firewall is to allow all traffic that is not explicitly blocked, AFA provides this option to enable you to better understand the specific traffic that needs to be allowed on the device.
- Specifying the policy configuration method for a Symantec Blue Coat device to VPM. The default is CPL.
- Specifying a static URT file.

CSV import file format


This topic lists the headers and values supported for CSV files used to import or update
device data in AFA.

Note: Header values are case sensitive. Using header values with different cases
from those listed below will cause unexpected results in your file upload.

For more details, see Add/update multiple devices in bulk and the How to Import and Manage Devices in Bulk from a .CSV File AlgoPedia article.

Tip: You can also use a CSV file to assign additional device identifiers for
primary/parent devices or device sub-systems, such as VSYS or VDOM. In such
cases, you only need to include the name and additional_fw_ips values.

Basic device description headers


brand: The device brand. For more details, see Supported device brand values. Required for all devices except for the following:
- Cisco IOS
- Cisco ASA/PIX/FWSM
- Juniper Netscreen
Specify these brand types in the Bulk Add/Update Device dialog instead.

name: The device ID (tree name). Required for all device types. This is an internal name, usually the name displayed in the tree, without non-alphanumeric characters or spaces. If you're specifying a sub-system, this is the name of the sub-system.

display_name: The name as it appears in the device tree, including spaces and other special or numeric characters. Optional for all devices. Default: If this column is missing or empty, the device is added using the device's host name.

Supported device brand values


Enter the following values to indicate device brands:

Analysis and monitoring devices:
- asa. Cisco ASA
- bluecoat. Symantec Blue Coat
- f5bigip
- f5bigip_afm. F5 BIG-IP LTM and AFM
- f5bigip_full. F5 BIG-IP LTM Only
- fortigate. Fortinet Fortigate
- fwsm. Cisco FWSM
- ios. Cisco IOS
- junos. Juniper SRX
- junosmxrouter. Juniper M/E Routers
- nexus. Cisco Nexus
- nsc. Juniper Netscreen
- nsx. VMware NSX
- paloalto. Palo Alto Networks firewall

Monitoring-only devices:
- ace. Cisco ACE
- avaya. Avaya Routing Switch
- brocade. Brocade VDX
- junipersa. Juniper Secure Access (SSL VPN)
- junosrouter. Juniper Routers (non-M/E)
- netfilter. Linux netfilter iptables
- sonicwall. SonicWall
- topsec. Topsec Firewall
- watchguard. WatchGuard

Access information headers


host_name: The device host name or IP address. Required for all device types.

user_name: The username used to access the device. Required for all device types.

passwd: The password used to access the device. Required for all device types unless CyberArk authentication is used.
Note: For Cisco IOS or ASA devices enabled for CyberArk, the Password and Enable User Password must be the same.

enable_user_name: The enable user name. Relevant and required only for Cisco IOS devices.

epasswd: The enable password. Relevant and required only for the following devices, unless CyberArk authentication is used on these devices:
- Cisco IOS
- Cisco ASA
- Symantec Blue Coat
For more details, see CyberArk-related headers.
Note: For Cisco IOS or ASA devices enabled for CyberArk, the Password and Enable User Password must be the same.

Cisco-related headers
rules_view: Determines how rules are displayed in device reports, as one of the following:
- ASDM. (Default) Display rules in the Cisco Adaptive Security Device Manager (ASDM) graphical interface.
- CLI. Display rules in command line format.
Relevant for Cisco ASA devices only.

CyberArk-related headers
use_cyberark: Determines whether to use CyberArk authentication:
- yes
- no
Required for CyberArk devices.

cyberark_platform: Defines the CyberArk platform name. Required for CyberArk devices.

cyberark_safe: Defines the CyberArk safe. Required for CyberArk devices.

cyberark_folder: Defines the CyberArk folder. Required for CyberArk devices.

cyberark_object: Defines the CyberArk object. Required for CyberArk devices.

cyberark_enable_platform: Defines the CyberArk platform for the enable password. Optional, and relevant only for CyberArk devices.

cyberark_enable_safe: Defines the CyberArk safe for the enable password. Optional, and relevant only for CyberArk devices.

cyberark_enable_folder: Defines the CyberArk folder for the enable password. Optional, and relevant only for CyberArk devices.

cyberark_enable_object: Defines the CyberArk object for the enable password. Optional, and relevant only for CyberArk devices.

Advanced headers
separate_vrfs: Determines whether to split the device into VRFs:
- yes (Default)
- no
Relevant only for the following devices:
- Juniper Netscreen
- Juniper SRX
- Cisco IOS
- Cisco Nexus

full_analysis: Determines whether to include risk analysis and policy optimization details in the device reports:
- yes (Default)
- no
Relevant for Cisco IOS and Cisco Nexus devices only.

Remote management headers


con: Determines the connection type as one of the following:
- SSH
- SSH (3des). Cisco ASA only
- SSH (des). Cisco ASA only
- TELNET. For the following device types:
  - Juniper
  - Cisco
  - Blue Coat
  - Fortigate
  - Palo Alto
  - Linux Netfilter
Required for all devices except the following:
- VMware NSX
- Cisco ACI
These devices connect to AFA via REST.

number_of_allowed_encryption_keys: Determines the permitted number of different RSA keys that AFA can receive from the device's IP address, as follows:
- 1
- 2
- unlimited (Default)
Note: Relevant only when using SSH. This might be required in cases of cluster fail-over, device operating system upgrades, and so on.

ssh_port: Defines the port to use for an SSH connection. Relevant only when using SSH. Defaults:
- 4118 for WatchGuard devices
- 22 for all other devices

Log and monitoring headers


Note: Assigning syslog identifiers for sub-systems must be done as a part of
updating devices in bulk, not as a part of adding devices in bulk. The parent device
must already be defined in AFA.

collect_log: Determines whether AFA collects logs for the device:
- yes
- no (Default)
Relevant for the following device types:
- Cisco ASA/FWSM
- F5 BIG-IP
- FortiGate
- Juniper Netscreen
- Juniper SRX
- Palo Alto
Note: For Cisco ASA and FWSM devices, set to no to enable logging with only hit-counter data.

log_collection_mode: Determines the method for collecting logs for the device:
- standard. Enable log collection.
- extensive. (Default) Enable log collection and the Intelligent Policy Tuner.
Relevant when log collection is enabled.

collect_log_from: Determines whether AFA collects logs from the NSM or a syslog-ng server:
- nsm (Default)
- syslog
Relevant for Juniper Netscreen when log collection is enabled.
Note: If traffic logs and audit logs are not on the same server, specify the audit log server using additional headers listed below. In such cases, this value defines a value for the traffic log server.

log_host_name: Defines the host name or IP address of the server/device sending logs to AFA. Relevant when log collection is enabled.

log_user_name: Defines the user name used to connect to the server/device sending logs to AFA. Relevant when log collection is enabled.
Note: To collect logs from a remote syslog-ng server using a user other than root, you must configure the server separately.

log_passwd: Defines a password for connecting to the server/device sending logs to AFA. Relevant when log collection is enabled.

collect_log_from_adt: Determines whether AFA collects audit logs from the NSM or a syslog-ng server:
- nsm
- syslog
Relevant for Juniper Netscreen when log collection is enabled.
Note: By default, the audit log server is the same as the traffic log server.

log_host_name_adt: Defines the host name or IP address of the server/device sending audit logs to AFA. Relevant for Juniper Netscreen when:
- Log collection is enabled
- The audit log server is different from the traffic log server

log_user_name_adt: Defines the user name for connecting to the server/device sending audit logs to AFA. Relevant for Juniper Netscreen when:
- Log collection is enabled
- The audit log server is different from the traffic log server

log_passwd_adt: Defines the password for connecting to the server/device sending audit logs to AFA.

log_collection_frequency: Defines how often AFA collects logs for the device, in minutes. Relevant for Juniper Netscreen when:
- Log collection is enabled
- The audit log server is different from the traffic log server

additional_fw_ips: Defines any additional IP addresses or host names that identify the device, with colon-separated values. Relevant when log collection is enabled.

Additional headers
collector: Defines a server to manage the device's data:
- Central Manager (default)
- The name of any remote agent
Relevant only when AFA is configured for geographic distribution.

baseline_profile: Defines the baseline compliance profile to use when generating reports for the device. Optional for all devices.

root_psw: Defines a password to increase permissions on the device to root user permissions. Relevant only for Linux Netfilter IPTables.
Tip: Devices usually block the ability to access the device as user root. Enable root access to the device to improve AFA support.

monitoring: Determines whether to enable real-time alerts for configuration changes:
- yes. Default for real/live devices.
- no. Default for file devices.
Optional for all devices. For more details, see Configure real-time monitoring.

set_user_permissions: Determines whether you can set user permissions for the device:
- yes (Default)
- no
Optional for all devices.

firewall_users: Defines the users with access to the reports produced for the device. Separate multiple usernames with slashes (/). Relevant when setting user permissions is enabled for the device.


SNMP polling headers


snmp_version: Determines the SNMP version:
- snmpv2c
- snmpv3
Relevant only for the following devices:
- Symantec Blue Coat
- Juniper Secure Access (SSL VPN)
- Linux netfilter iptables
- SonicWall
- Topsec
- WatchGuard
- SECUI MF2
- Avaya Routing Switch
- Brocade VDX

snmp_community: Defines the SNMP community string. Required and relevant only when using SNMPv2c.

snmp_username: Defines the SNMP Security Name (username). Required and relevant only when using SNMPv2c.

snmp_auth_password: Defines the authentication password. Required and relevant only when:
- Using SNMPv2c
- The authentication protocol is specified

snmp_auth_protocol: Determines the authentication protocol:
- md5
- sha
- empty
Required and relevant only when using SNMPv2c.

snmp_priv_password: Defines the authentication password. Required and relevant only when:
- Using SNMPv2c
- The privacy protocol is specified

snmp_priv_protocol: Determines the privacy protocol:
- des
- aes
- empty
Required and relevant only when using SNMPv2c.
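A practitioner preparing a file by hand (see Prepare a CSV file from scratch and Bulk import support scope above) can catch most upload surprises before running import_devices. The following validator is an added example, not AlgoSec code: it checks the constraints this topic states (case-sensitive headers, add or update but never both, Cisco ASA/IOS and Juniper NetScreen in a file of their own, brand required for -t GEN, passwd required unless CyberArk, con required except for VMware NSX) and builds the CLI command. The sample CSV content is constructed.

```python
"""Pre-flight checks for an AFA bulk-import CSV, run before import_devices.
Added example, not AlgoSec code. It applies the rules the guide states: headers
are case sensitive; one file adds or updates, never both; Cisco ASA, Cisco IOS
and Juniper NetScreen go in files of their own (chosen with -t); brand is
required for -t GEN; passwd is required unless CyberArk is used; con is
required except for VMware NSX. The sample CSV content below is constructed."""
import csv
import io

BRANDS = {"asa", "bluecoat", "f5bigip", "f5bigip_afm", "f5bigip_full", "fortigate",
          "fwsm", "ios", "junos", "junosmxrouter", "nexus", "nsc", "nsx", "paloalto",
          "ace", "avaya", "brocade", "junipersa", "junosrouter", "netfilter",
          "sonicwall", "topsec", "watchguard"}
STANDALONE = {"ASA": "asa", "IOS": "ios", "NSC": "nsc"}  # -t value -> brand
YES_NO = {"yes", "no"}
ENUMS = {  # headers with a fixed set of values
    "con": {"SSH", "SSH (3des)", "SSH (des)", "TELNET"},
    "number_of_allowed_encryption_keys": {"1", "2", "unlimited"},
    "separate_vrfs": YES_NO, "full_analysis": YES_NO, "collect_log": YES_NO,
    "use_cyberark": YES_NO, "monitoring": YES_NO, "set_user_permissions": YES_NO,
    "log_collection_mode": {"standard", "extensive"}, "rules_view": {"ASDM", "CLI"},
    "collect_log_from": {"nsm", "syslog"}, "collect_log_from_adt": {"nsm", "syslog"},
    "snmp_version": {"snmpv2c", "snmpv3"}, "snmp_auth_protocol": {"md5", "sha", ""},
    "snmp_priv_protocol": {"des", "aes", ""}}
CYBERARK_REQUIRED = ("cyberark_platform", "cyberark_safe", "cyberark_folder",
                     "cyberark_object")
KNOWN_HEADERS = set(ENUMS) | set(CYBERARK_REQUIRED) | {
    "brand", "name", "display_name", "host_name", "user_name", "passwd",
    "enable_user_name", "epasswd", "ssh_port", "log_host_name", "log_user_name",
    "log_passwd", "log_host_name_adt", "log_user_name_adt", "log_passwd_adt",
    "log_collection_frequency", "additional_fw_ips", "collector", "baseline_profile",
    "root_psw", "firewall_users", "snmp_community", "snmp_username",
    "snmp_auth_password", "snmp_priv_password", "cyberark_enable_platform",
    "cyberark_enable_safe", "cyberark_enable_folder", "cyberark_enable_object"}


def validate(csv_text, device_type, update=False):
    """Return a list of problems found; an empty list means the file passes."""
    if device_type != "GEN" and device_type not in STANDALONE:
        return [f"unknown -t value {device_type!r}; use ASA, IOS, NSC or GEN"]
    reader = csv.DictReader(io.StringIO(csv_text))
    by_lower = {h.lower(): h for h in KNOWN_HEADERS}
    errors = []
    for header in reader.fieldnames or []:
        if header not in KNOWN_HEADERS:
            hint = by_lower.get(header.lower())
            errors.append(f"header {header!r}: " + (f"case sensitive, use {hint!r}"
                                                     if hint else "not supported"))
    for n, raw in enumerate(reader, start=2):  # line 1 is the header row
        row = {k: (v or "").strip() for k, v in raw.items() if k is not None}
        brand = row.get("brand", "")
        if not row.get("name"):
            errors.append(f"line {n}: 'name' is required")
        if brand and brand not in BRANDS:
            errors.append(f"line {n}: unknown brand {brand!r}")
        if device_type == "GEN" and brand in STANDALONE.values():
            errors.append(f"line {n}: {brand!r} needs its own CSV, imported with "
                          f"-t {brand.upper()}")
        if device_type != "GEN" and brand and brand != STANDALONE[device_type]:
            errors.append(f"line {n}: a -t {device_type} file cannot contain {brand!r}")
        for header, allowed in ENUMS.items():
            if header in row and row[header] not in allowed:
                errors.append(f"line {n}: {header}={row[header]!r} not in {sorted(allowed)}")
        if row.get("use_cyberark") == "yes":
            errors += [f"line {n}: {h!r} is required when use_cyberark=yes"
                       for h in CYBERARK_REQUIRED if not row.get(h)]
        ids = row.get("additional_fw_ips", "")
        if ids and not all(ids.split(":")):
            errors.append(f"line {n}: additional_fw_ips must be colon-separated values")
        if update:
            continue  # headers missing from an update file are ignored by AFA
        if device_type == "GEN" and not brand:
            errors.append(f"line {n}: 'brand' is required for -t GEN")
        errors += [f"line {n}: {h!r} is required when adding devices"
                   for h in ("host_name", "user_name") if not row.get(h)]
        if not row.get("passwd") and row.get("use_cyberark") != "yes":
            errors.append(f"line {n}: 'passwd' is required unless use_cyberark=yes")
        if brand != "nsx" and not row.get("con"):
            errors.append(f"line {n}: 'con' is required (only VMware NSX uses REST)")
    return errors


def import_command(csv_file, device_type, update=False):
    """The CLI call from the guide: import_devices -f <CSVFile> -t <deviceType> [-u]."""
    parts = ["import_devices", "-f", csv_file, "-t", device_type]
    return " ".join(parts + ["-u"] if update else parts)


# Constructed samples: an add file whose second row lacks a password, a file
# that wrongly mixes a Cisco ASA with another brand, and a sub-system update.
SAMPLE_ADD = """brand,name,display_name,host_name,user_name,passwd,con,number_of_allowed_encryption_keys,collect_log
paloalto,pa_dc1,PA DC1,10.0.0.5,afa_ro,Example!Pass,SSH,2,yes
fortigate,fg_edge,FG Edge,10.0.0.6,afa_ro,,SSH,1,no
"""
SAMPLE_MIXED = """brand,name,host_name,user_name,passwd,con
asa,asa_edge,10.0.0.9,afa_ro,Example!Pass,SSH (3des)
junos,srx_core,10.0.0.10,afa_ro,Example!Pass,SSH
"""
SAMPLE_UPDATE = """name,additional_fw_ips
pa_dc1_vsys2,10.0.1.5:10.0.1.6:pa-vsys2
"""
```

Run validate on the file and the -t value you intend to pass, and only call import_command once the list comes back empty.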

Maintain devices
This topic includes maintenance procedures administrators may need to perform
periodically for devices managed by AFA.

Edit a device's configuration


This procedure describes how to update the configuration for a specific device.

Tip: AFA also supports updating multiple devices in bulk using a CSV file. For more
details, see Add/update multiple devices in bulk.

Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. From the tree on the left, select the device whose configuration you want to edit,
and then click Edit.

3. Edit the field definitions as needed, and click Finish.

A confirmation message appears. Click OK to continue.


Rename a device
By default, the device's display name, used to identify the device throughout AFA, is the
device's host name. This procedure describes how to change this display name.

Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. From the tree on the left, select the device you want to rename, and then click
Rename.

3. In the Rename .... dialog, enter the new name and click OK.

A confirmation message appears. Click OK to continue.

Add additional device identifiers for sub-systems


If a device is represented by multiple or non-standard device identifiers in the log files
collected by AFA, such as firewall clusters or non-standard logging settings, you must
configure additional device identifiers to work with AFA.

For parent devices, the AFA configuration enables you to define additional device
identifiers when you add or edit the device. This procedure describes how to specify
identifiers for subsystems, such as VSYS, VDOM, and so on, as well as for devices
managed by a management system such as Juniper NSM or Palo Alto Panorama.

Tip: AFA also enables you to configure device identifiers for parent devices and sub-
systems in bulk via CSV. For more details, see Add/update multiple devices in bulk.

Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. From the tree on the left, select the device or sub-system you want to add identifiers for, and then click Edit on the right.

3. In the Edit.... dialog, in the Log Collection area, enter any additional IP addresses
or host names that identify the device.

Separate multiple values with a colon (:). For example:

1.1.1.1:2.2.2.2:ServerName

Note: The Log Collection area appears only when log collection is supported for the device and relevant to the sub-system.

4. Click OK. The additional identifiers are added to the sub-system's definition.

Delete a device
This procedure describes how to delete a device from AFA, such as if it is no longer in
use, or needs to be updated in a way that requires you to remove it and add it back
again.

Do the following:

1. Before deleting a device from AFA, we recommend that you download all AFA
reports for the device to back up the device's historical data.

2. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

3. From the tree on the left, select the device you want to delete, and then click
Delete.

4. In the verification message that appears, confirm that you do want to delete the
device, and then click OK.

A confirmation message appears. Click OK to continue.

Update a password for multiple devices


This procedure describes how to update and synchronize passwords across multiple
devices.


Note: This procedure is not supported for devices configured with CyberArk
authentication. For details, see Integrate AFA and CyberArk.

Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. On the right, click Bulk and select Update password from the dropdown menu.

3. In the Bulk Update Passwords dialog, select the devices you want to update the
password for.

If you have many devices listed, do any of the following to help you locate your
device:

Find a device quickly: Enter a name in the box at the top to select it automatically.

Navigate across pages: Click Previous or Next below the grid to navigate back and forth.

Sort the grid: Click a column header to sort the devices shown.

Filter the grid: Click in each column header to filter the grid by that column.

4. In the New password field, type the new password to use on all selected devices.

5. To get additional permissions for Cisco devices, select the Enable user password
(Cisco Only) check box and type in another password.

6. Click Update.

7. In the Confirm Password dialog, confirm the password(s) you just updated, and
then click Confirm.

The password is updated for all the specified devices.


Specify routing data manually


AFA compiles routing and topology data collected from each device into a unified routing table (URT) file, which stores the data in AFA's generic format. By default, this file is automatically regenerated every time the device is monitored or analyzed.

AFA administrators can change the device's routing and topology data by editing the
URT file and uploading it to AFA. Uploaded URT files are static representations of the
device's routing information. For these devices, AFA will not regenerate updated URT
files automatically.

Note: Since AFA doesn't automatically regenerate the URT files if you've uploaded
edits, you must manually update the file again for any configuration changes made
on the device.

Specify routing data manually for primary devices


This procedure describes how to upload an edited URT file for primary devices. If sub-
devices are defined in the URT file, the file is ignored.

This procedure does not affect URT files and data for sub-devices.

Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. From the tree on the left, select the device you want to edit, and then click Edit on
the right.

3. On the device configuration page, in the Route Collection area, select Static
Routing Table (URT).

Do one of the following:

- If you already have a URT defined that you want to edit, click Download current URT file.

- To create a new URT file, click Download Sample file.

4. Edit the file with the routing information you want to import. For more details, see How to manually specify routing information for Cisco Layer 2 devices in AlgoPedia.

5. In AFA, click Upload new file, and select your edited file.

AFA validates your file, and notifies you if any syntax or content error is found.

6. When complete, click Finish.

The new routing table will take effect after the next device analysis.

Specify routing data manually for sub-systems


This procedure describes how to specify routing data manually for a sub-device or sub-
system.

Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. From the tree on the left, select the sub-device or sub-system you want to edit, and
then click Edit on the right.

3. In the Edit .... dialog that appears, in the Route Collection area, select Static
Routing Table (URT).

Do one of the following:

- If you already have a URT defined that you want to edit, click Download current URT file.

- To create a new URT file, click Download Sample file.

4. Edit the file with the routing information you want to import. For more details, see How to manually specify routing information for Cisco Layer 2 devices in AlgoPedia.

5. In AFA, click Upload new file, and select your edited file.

AFA validates your file, and notifies you if any syntax or content error is found.

6. When complete, click Finish.

The new routing table will take effect after the next device analysis.

Specify routing data from the map


This procedure describes how to specify routing data manually directly from the map
instead of the Devices Setup page.

Do the following:

1. In AFA, view the graphic network map. Click DEVICES, select a device, and then
click MAP.

2. Locate and right-click the device you want to edit, and select Routing Information.

The Routing information dialog shows the current URT file. For example:

3. Under the file content, click Static Routing Table (URT), and then do one of the
following:

l If you already have a URT defined that you want to edit, click Download
current URT file.

l To create a new URT file, click Download Sample file.

4. Edit the file with the routing information you want to import. For more details, see
How to manually specify routing information for Cisco Layer 2 devices in
AlgoPedia.

5. In AFA, click Upload new file, and select your edited file.

AFA validates your file, and notifies you if any syntax or content error is found.

6. When complete, click Finish.

The new routing table will take effect after the next device analysis.

Integrate AFA and CyberArk


ASMS integrates with CyberArk Vault to enable ASMS access to devices without saving
device credentials in ASMS directly. Once configured, ASMS connects to CyberArk to
retrieve device credentials, for monitoring, scheduled analysis, or ActiveChange. The
actual credential retrieval is transparent to the user.

ASMS supports configuring CyberArk credentials for multiple devices in AFA, becoming
more valuable as the number of devices you have in AFA grows.

Note: When integrating with AFA, credentials for syslog collection still need to be
provided separately to AFA.

ASMS and CyberArk integration architecture


The following image shows an example of an ASMS-CyberArk integration, with ASMS
in a Geographic Distribution and High Availability architecture.


The CyberArk integration is supported for:

l Standalone ASMS installations

l Two ASMS machines, serving in High Availability or Disaster Recovery
configurations

l A Central Manager with one or more hosts in different geographic locations near
each target security device

l Any combination of the last two architectures

The CyberArk AIM agent must be installed on each of the ASMS machines, because each
ASMS machine needs to connect to the devices it manages and therefore requires
CyberArk credentials.

Supported devices for CyberArk integration


CyberArk integration is supported for the following device brands:

l Fortinet FortiManager

l Juniper Netscreen

l Cisco ASA

l Cisco Nexus


l Cisco IOS

l F5 BIG-IP LTM and AFM

l Symantec Blue Coat

Note: For details about supported versions of CyberArk, contact your AlgoSec
customer representative.

Configure CyberArk AIM for ASMS access


Before using CyberArk in ASMS, you must enable ASMS access in CyberArk. This
procedure describes how to define an application ID and application details for ASMS in
CyberArk's Password Vault Web Access (PVWA).

Do the following:

1. Log in to the PVWA as a user with authorization to manage applications. Add an
application, and name it AlgoSec.

2. Enable the Allow extended authentication restrictions option for the AlgoSec
application you created. This enables you to specify an unlimited number of
machines and Windows domain OS users for a single application.

3. Specify the application's Allowed Machines, and include any of your ASMS
machines. This ensures that ASMS can access credentials managed by CyberArk
from any machine in your system.

For more details, see the CyberArk documentation.

Configure CyberArk accounts and permissions


This procedure describes how to ensure that CyberArk accounts and permissions are
configured as needed for the ASMS integration, and is performed in the CyberArk Vault.


Do the following:

1. In the CyberArk Password Safe, provision any privileged accounts required by the
AlgoSec application. For each account, make sure to add the Add accounts
permission.

2. Add the Credential Provider and application users as members of the Password
Safes where the application passwords are stored.

3. Add the Provider users as a Safe Member, with the following permissions:

l List accounts

l Retrieve accounts

l View Safe Members

Tip: If you are installing multiple Provider users, we recommend creating a
group for these users and adding the group to the Safe with the required
permissions.

4. Add the application, using the APPID, as a Safe Member with the Retrieve
accounts permission only.

5. Additionally, provide the Provider user and the application with the Access Safe
without Confirmation permission, if your scenario complies with all of the
following:

l Your environment is configured for dual control

l You have a PIM-PSM environment version 7.2 or lower

l The Safe is configured to require confirmation from authorized users before
passwords can be retrieved

This is not required for Privileged Account Security solutions versions 8.0 and
higher.

For more details, see the CyberArk documentation.


Configure CyberArk integration


This procedure describes how to configure specific devices to be authenticated via a
CyberArk vault. When configured, the CyberArk configuration fields appear for those
devices in the DEVICES SETUP page.

Do the following:

1. Complete the integration configuration on the CyberArk side. For details, see:

l Configure CyberArk AIM for ASMS access

l Configure CyberArk accounts and permissions

2. In the AFA Administration area, navigate to the Options > Authentication tab.

3. Scroll down to the CyberArk area, and select the Allow to setup devices with
CyberArk credentials management checkbox.

4. (Optional) Define default values for all devices authenticated via CyberArk, as
follows:

Platform (Policy ID): Enter a default CyberArk Platform.

Safe: Enter a default CyberArk safe.

Folder: Enter a default CyberArk folder. Default: root

5. Click OK to save your changes.

From now on, CyberArk options will appear in the DEVICES SETUP page for all
relevant device brands.

6. (Optional) Configure CyberArk system notifications. The following parameters are
disabled by default:

l cyberark_connectivity_health_check - Tests the connectivity between
ASMS and the CyberArk vault.


l suite_cyberark_aim_service - Checks the status of the CyberArk AIM
service (aimprv) running on the ASMS host.

7. Configure the specific devices you want to authenticate via CyberArk, either one at
a time or in bulk.

For details, see:

l Device procedure reference

l Edit a device's configuration

l Add/update multiple devices in bulk

8. Configure the CyberArk Application Access Manager (AAM) agent on all ASMS
hosts and configure it to communicate with the CyberArk vault. If you're working in
a distributed environment, make sure to configure the AIM agent on all hosts in
your system, including the Central Manager, Remote Agents, secondary nodes of
all clusters, and so on.

For more details, see the CyberArk documentation.


Alternate data collection methods


This section describes offline device data collection methods that can be used as
alternates to on-boarding the device into AFA from the Administration area and
collecting data automatically.

Note: Since these are static files and not live devices, configuration changes such as
dynamic route updates only appear in AFA when you update the file again.

Additionally, AFA cannot track changes in real-time, or track who may have made
each change on the device. Updates are represented only in reports generated after
the update.

ActiveChange is not supported for file devices.

When to use these procedures


While we recommend that you generally collect data from live devices automatically,
this requires that the AFA machine be connected to the device's network.

This may not always be possible, and you may want to analyze devices in a different
location, or on a network that you are not able to connect to directly.

Additionally, you may have L3 devices where this data is already collected by an
existing toolset.

Note: We recommend that customers ensure that AFA has the most recent device
data possible, which helps to provide network map completeness and traffic
simulation accuracy.

Complete device data typically involves analyzing your core and distribution layer
routing infrastructure as well as firewalls.

Recommended device data collection per device type


Collect data from your devices semi-automatically or manually using scripts provided by
AlgoSec.


Each device type has a recommended method, described in the table below.

Note: These procedures are documented in our Alternate data collection method
documentation, on the AlgoSec portal. Use your portal credentials to access them.

Check Point: For details, see:

l Check Point FireWall-1 devices (semi-automatic). For Check Point FireWall-1
devices running on specific platforms, device data collected includes
components of the Check Point file structure and the filter module's routing
table. Relevant platforms include Windows, Sun, Nokia, SecurePlatform, Alteon,
and Linux.

l Check Point devices (manual). Semi-automatic and manual data collection is
supported only for Check Point device versions R77.X and below.

Cisco: For details, see Cisco routers and devices.

Juniper: For details, see Juniper devices.

Fortinet Fortigate: For details, see Fortinet Fortigate (manual).

Palo Alto Networks: For details, see Palo Alto Networks (manual).

McAfee Firewall Enterprise (Forcepoint Sidewinder): For details, see McAfee
Firewall Enterprise (Sidewinder) (manual).

Note: Support for the Forcepoint brands (Sidewinder, StoneGate) and Hillstone was
deprecated in ASMS version A30.00. If you had defined these devices in an earlier
version of ASMS, these devices are still available to you, with all the existing
capabilities, but you cannot add new ones after upgrading. We recommend backing up
device data before or after upgrading and then removing these devices from AFA.
Make sure to download any report zip files for the device before deleting. For more
details, see the relevant AlgoPedia KB article.

Symantec BlueCoat: For details, see Symantec Blue Coat (manual).

Access semi-automatic data collection scripts from the AlgoSec portal. For details, see
Semi-automatic data collection scripts.

Depending on your system configuration, device files can also be obtained as follows:

Use a recent AFA report: If you have a live device on another ASMS system, retrieve
the full device configuration file from the latest AFA report. For example, you may
want to do this when adding a device that already exists in a production system to a
testing system as well. For more details, see Access log and configuration files.

Tip: If your device is supported only as EA, make sure that the device support is
enabled as needed in both your production and testing environments. For details,
see Extend device support.

Create a JSON file manually: If you do not have another device to collect the data
from, create the file manually. For details, see Static support for generic devices.

Note: AFA does not currently support manual data collection from monitoring
devices.

Add a static file device to AFA (UI)


This procedure describes how to add a file device to AFA from the AFA Administration
area.

Note: Alternately, see Add a static file device to AFA (CLI).

Do the following:

1. In AFA, access the Devices Setup page. For details, see Access the
DEVICES SETUP page.


2. In the vendor and device selection page, click Device from File on the right.

3. In the Name field, enter a name for your file device.

4. Select the file you want to analyze by selecting one of the following:

Upload new: Upload a file from your computer. Browse to and select your file. File
size must not exceed 20 MB. For larger files, copy the file to the
/home/afa/algosec/fwfiles directory, and use the Existing on server option. For
more details, see Recommended device data collection per device type.

Existing on server: Select a file already saved on the AFA server, in the
/home/afa/algosec/fwfiles directory. Select the file you want to analyze from the
dropdown list.

5. Define how AFA should acquire the device's routing information. Select one of the
following:

Automatic: Automatically generate the device's routing information upon analysis or
monitoring.

Static Routing Table (URT): Take the device's routing information from a static file
you provide. For more details, see Specify routing data manually.

6. Select the Real-time change monitoring option to enable real-time alerting upon
configuration changes. For more details, see Configure real-time monitoring.

7. Select Set user permissions to set user permissions for this device.

8. Click Finish. The new device is added to the device tree.

9. If you selected Set user permissions, the Edit users dialog box appears.


In the list of users displayed, select one or more users to provide access to reports
for this account.

To select multiple users, press the CTRL button while selecting.

Click OK to close the dialog.

A success message appears to confirm that the device is added. The device is now
shown in the device tree in AFA, and will be included in the ALL_FIREWALLS analysis
reports.

Add a static file device to AFA (CLI)


This procedure describes how to add a file device to AFA using CLI commands.

Note: Alternately, see Add a static file device to AFA (UI).

Do the following:

1. Place any collected device data files in the following directory on the AFA
server: /home/afa/algosec/fwfiles/

For more details, see Recommended device data collection per device type.

2. Summarize the files in a single CSV file with the following columns:

name: The device's display name, used in the device tree and all other locations
around ASMS.

path_name: The location of the device file on the AFA machine, in the
/home/afa/algosec/fwfiles directory.

full_analysis: Determines whether to perform full analysis. To optimize performance
during device analysis, enter no.

For example:

name      path_name                                  full_analysis
MYROUTER  /home/afa/algosec/fwfiles/MyRouter.rd      no
MYNEXUS   /home/afa/algosec/fwfiles/MyNexus.nexus    no

Save the CSV file in the /home/afa/algosec/fwfiles/ directory on the AFA server.

3. Log in to the AFA server as user afa.

4. Run import_devices -t <CSV filename> -f FILE

where <CSV filename> is the name of the CSV file you saved in the previous
step.

For example: import_devices -t BulkL3Devices.csv -f FILE

When complete, all devices listed in the CSV file are shown in the device tree in AFA,
and will be included in the ALL_FIREWALLS analysis reports.

Semi-automatic data collection scripts


Access the data collection scripts used for any semi-automatic process from the
AlgoSec portal (portal user account required).

These scripts use the same commands for copying files and creating directories as are
listed in the manual data collection procedures.

Do the following:

1. In your browser, open the Semi-Automatic Data Collection Procedures AlgoSec
portal page.

2. Download the scripts for your device type. Open the files to inspect the scripts as
needed.

Firewall-1 scripts for Sun/Nokia/SecurePlatform/Alteon/Linux platforms

If you copy the Firewall-1 Unix data collection script (ckp_collect) from a Windows PC to
a Sun, Nokia, SecurePlatform, Alteon, or Linux platform, ensure that any carriage
returns (^M) added by the Windows system are removed on the target platform.

If you have a compressed ckp_collect.z file, expand the file as follows:


Copy the ckp_collect.z to a Check Point SmartCenter server running on Sun Solaris,
SecurePlatform, or Linux.

Run one of the following commands:

Sun platforms: uncompress ckp_collect.Z

SecurePlatform or Linux platforms: gunzip ckp_collect.Z

The ckp_collect and ckp_log_collect files are created, and the compressed
ckp_collect.z file is deleted.

These scripts are ready for you to run as needed.


Extend device support


This section explains how to enable support for devices that are not supported out of the
box, and how to manually customize routing information for any device.

ASMS provides the option to enable device support for new devices or to enable
additional support for devices supported out of the box.

To enable additional device support utilizing an early availability feature, see Early
availability features.

To enable support for Huawei devices, install the Huawei provided plug-in using the
information in this AlgoPedia article.

Static configuration file support


You provide a JSON file which represents the device's configuration. This option
provides full support in AFA, FireFlow, and AppViz. See Static support for generic
devices.

Note: When using this option, updating the device's policy requires updating and
replacing the file in AFA (either manually or with a script you provide). Real-time
change monitoring is not supported, but the Changes tab in reports will reflect
changes that are detected by an analysis (as the result of the file being updated).

Note: This device type has a few limitations, due to its static nature. Baseline
compliance analysis is not supported. Log collection is not supported, so none of the
features which require traffic or audit logs are supported, such as policy optimization
recommendations or information about who made a change to the device or when a
change was made. Although these devices are supported for FireFlow, they are not
supported for ActiveChange.

Live monitoring support


You provide an XML file that describes how to collect data from the device and icons to
represent the device brand. This option provides change monitoring, basic routing, and
baseline compliance only. See Generic device monitoring.


Static support for generic devices


You can enable Analysis and Monitoring support for generic devices with a JSON file
that represents the device's configuration at a single point in time.

Supported device types


The ability to enable AFA support for a generic device is only supported for devices
whose policies conform to one of the following models:

l Policy-Based. One set of rules per device across all of its interfaces. For example,
Check Point devices.

l Interface-based. One set of rules per interface. For example, Cisco devices.

l Zone-Based. Each policy rule is defined using a source zone and destination
zone. For example, Fortinet devices managed by FortiManager.

Note: Static support is available only for traditional security devices and is not
relevant for other sources, such as SDN and cloud.

Adding Support for a File Device


To add and analyze a generic device using a static configuration file, complete the
following workflow:

1. Create a JSON file which contains the necessary device configuration items. For
details, see Creating the JSON File.

2. Upload the JSON file to AlgoSec Firewall Analyzer as a file device. See Add other
devices and routing elements.

Note: Updating the device's policy requires manually updating and replacing the file
in AFA. If desired, you can write your own script to automatically update the file in the
/home/afa/algosec/fwfiles directory.


Creating the JSON File


The following procedure describes how to create the JSON file that represents the
device configuration.

To create the JSON file:

1. Review the example file located in
/usr/share/fa/data/plugins/config_parser_template.json

2. Create your own configuration file according to the template. See Tag list and Tag
Reference.

Note: If the device is a layer 2 device, you must specify this in the device (see
device) tag. For zone based devices, AFA automatically converts the device's
topology into layer 3 terminology using a heuristic based on the device's policy.
For all other device types, you must provide the device's topology in layer 3
terminology by manually editing the device's URT file. For more details, see
Specify routing data manually.

Note: Any rules with NAT must be defined separately from non-NAT rules in
the configuration.

3. Rename the file with the suffix ".algosec".

4. As user afa, run the JSON validator to verify the JSON file is valid:

su - afa
curl -si '127.0.0.1:8080/afa/configParser/validateFile?path=<full path to JSON file>'

Tag list

Tag Description
config_type The policy model.
device The definition of the device.
hosts The host name.
hosts_groups The host group name.
interfaces The interface name.
services The service name.
services_groups The service group name.
policies The rule name.
rules_groups The rules group name. (optional)
nat_rules The rule name.
global_nat_rules The global NAT rule name.
nat_objects The NAT object name.
nat_objects_groups The NAT object group name.
nat_pools The NAT pool name.
zones The zone name. (optional)
routes The route's ID.
schedules The schedule name. (optional)

See also:
l Tag Reference
l Sample generic device JSON file
l Static support troubleshooting

Tag Reference
Note: In order for the file to function as intended, any special characters used in a
string must be escaped with a \.


For comprehensive examples, see Generic Device JSON File Examples (see Sample
generic device JSON file).

config_type
One of the following values:

l POLICY_BASED: One set of rules per device across all of its interfaces. For
example, Check Point devices.

l INTERFACES_BASED: One set of rules per interface. For example, Cisco devices.

l HOST_BASED: Device policy refers to the host itself (source or destination is "Me").
For example, Amazon AWS devices.

l ZONE_BASED: Each policy rule is defined using a source zone and destination zone.
For example, Fortinet devices managed by FortiManager.

device
Parameter Description
name Device name.
major_version Device major version (first number before first dot).
version Device version.
minor_version Device minor version (last number of whole version).
policy Policy name (optional).
is_layer2 1 or 0. Indicates whether the device is a layer 2 device.

hosts
Parameter Description
name Host name.

comment Host comment, if there is one (optional).

ips List of host IPs.

type PREDEFINED/ANY/IP_ADDRESS/IP_RANGE/DOMAIN/SUBNET/IPS_LIST

is_negate true/false (optional)

hosts_groups
Parameter Description

name Host group name.

members List of group members (from hosts hash or from hosts_groups hash).

type GROUP

is_negate true/false (optional)

interfaces
Parameter Description

name The interface logical name.

enable enabled/disabled. (optional)

ips List of interface's IPs in format of: 'IP address/CIDR'.

Hwdevice The interface physical name.

zone Interface's zone. (optional)

description Description. (optional)

rules_groups List of rules groups that apply to this interface.

Note: The name of the rule group should be the same as the rule group id value in
the rules_groups tag.

Note: This parameter is only relevant for an INTERFACES_BASED configuration.


services
Parameter Description

name Service name.

service_definitions List of service definitions in the following format:

l protocol: The protocol name: tcp/udp/icmp/any/protocol number.

l src_port: The source port number/source port range (if there is no source port,
or the range is any, it will be *)/ICMP type. (optional)

l dst_port: The destination port number/destination port range. If the range is
any, it will be *.

type ANY/TCP/UDP/ICMP/TCP_UDP

services_groups
Parameter Description
name Service group name.

members List of group members (from services hash or from services_groups hash).

type GROUP

policies
Parameter Description
rule_name Rule's name as appears in the configuration.

rule_display_name Display name.

rule_id Rule's ID - unique identifier of the rule, can be the rule name if it is
unique.

line_number Line number of the rule in configuration file.

rule_num Rules number (to save order of rules).

src_zone List of source zones.(optional)

direction Inbound/outbound. (optional)

comments Rule's comment. (optional)

rule_grp Group to which the rule belongs. (optional)

log 0/1

enable Enabled/disabled.

src List of rule's sources.

service List of rule's services.

schedule Schedule name from schedules list. (optional)

action ALLOW/DENY

dst_zone List of destination zones.(optional)

dst List of rule's destinations.

src_nat List of source NAT hosts/addresses. (optional)

src_nat_type Source NAT type - one of the values: static/dynamic. (optional)

dst_nat List of destination NAT hosts/addresses. (optional)

dst_nat_type Destination NAT type - one of the values: static/dynamic. (optional)

bi-directional 0/1 (optional). Relevant for static NAT, for example, MIP in
NetScreen.

src_negate 0/1 (optional)

dst_negate 0/1 (optional)

policy Policy name. (optional)

rules_groups
(optional)

Parameter Description
name Rules group name.

enable Enabled/Disabled.

comments Rules group comment, if there is one (optional).

type Rules group type (optional)

nat_rules
Parameter Description
rule_name Rule's name as appears in the configuration (without
canonization).

rule_id Rule's ID - unique identifier of the rule, can be the rule name if it is
unique.

line_number Line number of the rule in the configuration file.

src_zone List of source zones.(optional)

rule_display_name Display name.

direction Inbound/outbound.(optional)

comments Rule's comment.(optional)

rule_num Rules number (to save order of rules).

log 0/1

enable Enabled/disabled.

src List of rule's sources.

dst List of rule's destinations.

src_nat List of source NAT hosts/addresses.

src_nat_type Source NAT type - one of the values: static/dynamic.

dst_nat List of destination NAT hosts/addresses.

dst_nat_type Destination NAT type - one of the values: static/dynamic.

bi-directional 0/1 (optional). Relevant for static NAT (e.g. MIP in NetScreen).

src_negate 0/1 (optional)

dst_negate 0/1 (optional)

service List of rule's services.

schedule Schedule name (from schedules list). (optional)

action ALLOW/DENY

dst_zone List of destination zones.(optional)

zones
(optional)

Parameter Description
name Zone name.

interfaces List of zone interfaces.

description Zone's description.

routes
Parameter Description
id Route's ID.

interface_name Logical name. (optional)

route_mask CIDR of the route.

gateway Gateway (IP address).

interface Physical name. (The Hwdevice value specified in the "Interfaces" section.)

route IP address of the route.

schedules
(optional)

name Schedule name.

start_date Start date in the format 'ddMMMyyyy, HHmm'.

end_date End date in the format 'ddMMMyyyy, HHmm'.

Sample generic device JSON file


For sample JSON files, see our online Tech Docs.

Static support troubleshooting


This topic provides troubleshooting information for static devices.

Troubleshooting directories and files


The following table lists directories and files that are relevant for troubleshooting static
devices, depending on the scenario.

Working folder
l Device definition: /home/afa/algosec/work/collect_gen-<PID>
For example: /home/afa/algosec/work/collect_gen-62123
l Analysis: /home/afa/algosec/firewalls/afa-<###>
For example: /home/afa/algosec/firewalls/afa-88

Configuration file
l Device definition: gen_data.txt
l Analysis: <device name>.<device brand suffix>
For example: 10_20_74_1.secui

Note: This file is compressed and contained in the raw_files.zip file at the end
of the analysis. This is not done yet when the partner parser is launched.

Log file
l Device definition: /home/afa/.fa-history
l Analysis: /home/afa/algosec/firewalls/afa-<###>/fwa.history


Problem: Analysis failed


Probable cause: The JSON configuration is invalid. The required data is missing and/or
the file structure is wrong.

Confirm the issue: Confirm the problem by searching the failed analysis's error log file
for the following errors:

l "Invalid JSON format in file: …"

l "Invalid format in file: …"

l "…..at /usr/share/fa/bin/config_parser_json2out line … Error: hash creation failed."

Solution: Identify the problem in the JSON file and fix it.

Do the following:

1. Open an SSH connection to AFA and run:

su - afa

2. Run:

curl -si '127.0.0.1:8080/afa/configParser/validate?path=<full path to JSON file>'

3. View the validation results and error messages in the file ValidationLogs.txt file.
This file will be in the same directory as the JSON file.

4. Fix the error identified in the error message.

Example
After the analysis failed, search the failed analysis's error logs for the following:

Info: running config_parser_json2out -i "gen-algosec_generic_device.algosec"
-o "config_parser.out" malformed JSON string, neither array, object, number,
string or atom, at character offset 163088 (before "a_ext_10.10.110.88"\n...")
at /usr/share/fa/bin/config_parser_json2out line 33.
Error: hash creation failed.


You validate the JSON file (as described in the solution above). The following error
message appears in the ValidationLogs.txt file:

ERROR: [Validator] [2015-10-25 13:23:54,884]
[ConfigParserValidatorService.java{1}::validate{1}:41] Invalid JSON format in file
=/home/afa/algosec_generic_device.algosec
Line: 6847
Field: policies -> src
Error message: Unexpected character ('a' (code 97)): expected a valid value
(number, String, array, object, 'true', 'false' or 'null')
 at [Source: java.io.FileInputStream@86daca; line: 6847, column: 14

With this information, you recognize that on line 6847 there is a missing quotation mark:

"src" : [
a_ext_10.10.110.88"
],
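The following pre-flight checker is an added example (not AlgoSec code) that applies the Tag Reference above to a generic device file before you run the configParser validation step: it reports JSON syntax errors with the line and column where parsing stopped, as in the ValidationLogs.txt example, and then cross-checks references between tags (policy src/dst against hosts and hosts_groups, services against services and services_groups, interface rules_groups and rule_grp against rules_groups, zones, schedules, and route interfaces against Hwdevice names). It assumes each tag is either a hash keyed by name or a list of objects with a name field; the sample device file is constructed for this example.

```python
import json

CONFIG_TYPES = {"POLICY_BASED", "INTERFACES_BASED", "HOST_BASED", "ZONE_BASED"}
TOP_LEVEL_REQUIRED = ("config_type", "device", "hosts", "services", "policies", "routes")
DEVICE_REQUIRED = ("name", "major_version", "version", "minor_version", "is_layer2")


def _items(section):
    # A tag may be a hash keyed by name or a list of objects; normalise to a list.
    if isinstance(section, dict):
        return list(section.values())
    return list(section or [])


def _names(section):
    # Names defined by a tag: the hash keys, or the name field of each object.
    if isinstance(section, dict):
        return set(section)
    return {obj.get("name") for obj in _items(section)}


def check_generic_device(text):
    """Return a list of problems; an empty list means the file passed every check."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        # Same hint the validator gives: the line and column where parsing stopped.
        return [f"Invalid JSON format: line {exc.lineno}, column {exc.colno}: {exc.msg}"]

    problems = [f"missing top-level tag: {t}" for t in TOP_LEVEL_REQUIRED if t not in cfg]
    if cfg.get("config_type") not in CONFIG_TYPES:
        problems.append(f"config_type must be one of {sorted(CONFIG_TYPES)}")
    device = cfg.get("device") or {}
    problems += [f"device: missing {f}" for f in DEVICE_REQUIRED if f not in device]
    if device.get("is_layer2") not in (0, 1, None):
        problems.append("device: is_layer2 must be 1 or 0")

    hosts = _names(cfg.get("hosts")) | _names(cfg.get("hosts_groups"))
    services = _names(cfg.get("services")) | _names(cfg.get("services_groups"))
    groups = _names(cfg.get("rules_groups"))
    zones = _names(cfg.get("zones"))
    schedules = _names(cfg.get("schedules"))
    hw_names = {i.get("Hwdevice") for i in _items(cfg.get("interfaces"))}

    # An interface may only attach rules groups whose name matches a rules_groups entry.
    for iface in _items(cfg.get("interfaces")):
        for grp in iface.get("rules_groups", []):
            if grp not in groups:
                problems.append(f"interface {iface.get('name')}: unknown rules_group {grp}")

    # Every object a policy or NAT rule names must resolve to a defined tag entry.
    for tag in ("policies", "nat_rules"):
        for rule in _items(cfg.get(tag)):
            rid = rule.get("rule_id", "?")
            for key in ("src", "dst"):
                problems += [f"{tag} {rid}: unknown {key} object {o}"
                             for o in rule.get(key, []) if o not in hosts]
            problems += [f"{tag} {rid}: unknown service {s}"
                         for s in rule.get("service", []) if s not in services]
            problems += [f"{tag} {rid}: unknown zone {z}" for key in ("src_zone", "dst_zone")
                         for z in rule.get(key, []) if z not in zones]
            if rule.get("action") not in ("ALLOW", "DENY"):
                problems.append(f"{tag} {rid}: action must be ALLOW or DENY")
            for key, defined in (("rule_grp", groups), ("schedule", schedules)):
                if rule.get(key) is not None and rule[key] not in defined:
                    problems.append(f"{tag} {rid}: unknown {key} {rule[key]}")

    # A route's interface is the physical (Hwdevice) name from the interfaces tag.
    for route in _items(cfg.get("routes")):
        if route.get("interface") not in hw_names:
            problems.append(f"route {route.get('id')}: unknown interface {route.get('interface')}")
    return problems


# Constructed sample: a small INTERFACES_BASED device that passes every check.
SAMPLE_OK = """{
  "config_type": "INTERFACES_BASED",
  "device": {"name": "edge-rtr-1", "major_version": 15, "version": "15.2", "minor_version": 2, "is_layer2": 0},
  "hosts": [{"name": "any", "type": "ANY", "ips": ["0.0.0.0/0"]},
            {"name": "a_ext_10.10.110.88", "type": "IP_ADDRESS", "ips": ["10.10.110.88"]}],
  "services": [{"name": "any", "type": "ANY", "service_definitions": [{"protocol": "any", "src_port": "*", "dst_port": "*"}]},
               {"name": "https", "type": "TCP", "service_definitions": [{"protocol": "tcp", "src_port": "*", "dst_port": "443"}]}],
  "interfaces": [{"name": "outside", "Hwdevice": "GigabitEthernet0/0", "ips": ["203.0.113.1/24"], "rules_groups": ["outside_in"]}],
  "rules_groups": [{"name": "outside_in", "enable": "enabled"}],
  "policies": [
    {"rule_name": "permit-https", "rule_id": "10", "rule_num": 1, "line_number": 12, "enable": "enabled", "log": 1,
     "rule_grp": "outside_in", "src": ["any"], "dst": ["a_ext_10.10.110.88"], "service": ["https"], "action": "ALLOW"},
    {"rule_name": "deny-all", "rule_id": "20", "rule_num": 2, "line_number": 13, "enable": "enabled", "log": 1,
     "rule_grp": "outside_in", "src": ["any"], "dst": ["any"], "service": ["any"], "action": "DENY"}],
  "routes": [{"id": "1", "route": "0.0.0.0", "route_mask": "0", "gateway": "203.0.113.254", "interface": "GigabitEthernet0/0"}]
}"""

# The same file with a quotation mark dropped, as in the troubleshooting example above.
SAMPLE_MISSING_QUOTE = SAMPLE_OK.replace('["a_ext_10.10.110.88"]', '[a_ext_10.10.110.88"]')
# A well-formed file whose policy refers to a service that was never defined.
SAMPLE_BAD_REF = SAMPLE_OK.replace('"service": ["https"]', '"service": ["ssh"]')
```

Run check_generic_device on the text of your .algosec file and fix every reported line before uploading; a clean result here does not replace the configParser validation, which also checks fields this example does not cover.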

Generic device monitoring


AFA provides the ability to enable live monitoring support for generic devices. The
support for these devices is identical to the support provided for monitoring devices
supported by AFA out-of-the-box, including real-time change monitoring, basic routing
simulation based on an SNMP connection, and baseline configuration compliance
analysis.

Note: Reports generated for these devices include device change information
and baseline configuration compliance results only.

Enable live monitoring support


To enable live monitoring support, complete the following workflow:

1. Specify the method for collecting data. For details, see Create data collection files
for a generic device.

2. Install the new brand. For details, see Install the new brand.

3. Add the device to AFA. For details, see Add the device to AFA.


Create data collection files for a generic device

Note: AFA can connect to the device via SSH or REST, depending on the APIs
supported by the device.

Do the following:

1. Open a terminal and log in using the username "afa" and the related password.

2. Copy the file /usr/share/fa/data/plugins/brand_configuration_template.xml,
and name the new file "brand_config.xml".

3. Edit the tags as needed. For details, see Monitoring support tag reference.

To enable SNMP support, make sure to specify the relevant tags. See Collect
routing information via SNMP.

4. Create the following graphics files of an icon that represents the device brand,
where <brand_id> is the ID you defined in the DEVICE tag of the brand_config.xml file:

File name            Description
<brand_id>.16.png    16x16 pixel png
<brand_id>.35.png    35x35 pixel png
<brand_id>.45.png    45x45 pixel png
<brand_id>.150.png   150x150 pixel png

Install the new brand


Do the following:

1. Open a terminal and log in using the username "afa" and the related password.

2. Create a new directory /usr/share/fa/data/plugins/brand_name, where brand_name
is the name of the new brand.

3. Place the brand_config.xml file and all the icon files into the new directory.


4. Run the following command:

/usr/share/fa/bin/fa_install_plugin <full path to brand_config.xml>

For example: /usr/share/fa/bin/fa_install_plugin /usr/share/fa/data/plugins/BrandX/brand_config.xml

5. If you are logged into the ASMS web interface, logout and then log back in.

Note: This is necessary because the configuration is loaded only upon login. If
changes are made to a brand_config.xml file while you are logged into the web
interface, they take effect only after you log out and log back in.

The new device will now appear as an option in the web interface when adding a
new device to AFA.

Add the device to AFA


Do the following:

1. Log into the AFA web interface.

2. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

3. Click New, and then click Devices.

The vendor device selection page appears.


4. In the vendor's list, choose the new device type.

5. Complete the fields with the device's information.

6. Click Finish.

The new device is added to the device tree.

7. If you selected Set user permissions, the Edit users dialog box appears.

8. Set which users will have access to the reports produced by the device, by doing
the following:

a. Select the users to have access.

To select multiple users, hold down the Ctrl key while clicking on the desired
users.


b. Click OK.

A success message appears.

9. Click OK.

Collect routing information via SNMP


You can use SNMP to retrieve the routing table for devices. The procedure below
describes the tags you must add to the brand_config.xml file to enable this option for a
device.

Note: SNMP versions 3 and 2c are supported.

Do the following:

1. Open the device’s brand_config.xml file.

2. Under the <DEVICE> tag, add the following tag:

<FORM_FIELD id="snmp" title="SNMP" type="fieldset"/>

3. Under the <FEATURES> tag, add the following tag:

<FEATURE name="topology" script="snmp2urt"/>

4. Save your changes.

For an example, see Configuration file example with routing.

Configuration file example


<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<DEVICE id="netfilter" name="iptables" title="Linux netfilter - iptables">
  <FORM_FIELD id="root_psw" title="root password" type="password" />
  <DATA_COLLECTION prompt="\]\s*[#$]\s*$" more_prompt="^\s*-+\s*[Mm]ore\s*-+\s*$">
    <COMMANDS_SEQUENCE>
      <CMD id="1" command="su -" save_output="no" condition="root_psw" prompt="sword:\s*$" />
      <CMD id="2" command="%root_psw%" save_output="no" condition="root_psw" prompt="\]\s*#\s*$" />
      <CMD id="3" command="route" save_output="yes" />
      <CMD id="4" command="iptables -L" save_output="yes" />
    </COMMANDS_SEQUENCE>
    <EXIT_COMMAND command="exit" />
  </DATA_COLLECTION>
  <DIFF context_lines="5" />
  <EXCLUDE regex="no exclusions defined" />
</DEVICE>

Configuration file example with routing


<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<DEVICE id="edev" name="Elad Dev" title="Elad security dev">
  <FORM_FIELD id="snmp" title="SNMP" type="fieldset"/>
  <CONNECTION_CMD id="ssh" command="ssh -l %user_name% %host_name% " title="SSH-cmd"/>
  <DATA_COLLECTION prompt="^ASisg1000-&gt;" more_prompt="^\s*---\s*more\s*---\s*$">
    <COMMANDS_SEQUENCE>
      <CMD id="1" command="get conf" save_output="yes" />
    </COMMANDS_SEQUENCE>
    <EXIT_COMMAND command="\x04"/>
  </DATA_COLLECTION>
  <DIFF context_lines="5"/>
  <FEATURES>
    <FEATURE name="topology" script="snmp2urt"/>
  </FEATURES>
</DEVICE>


Monitoring support tag reference


This reference describes the use of each tag in the configuration file. The tags are listed
in the same order as they appear in the configuration file.

Tag syntax
Tag syntax is presented as follows:

- All parameters are presented in italics.

- All optional elements of the tag appear in square brackets [ ].

For a comprehensive example, see Configuration file example, or refer to other
examples under /usr/share/fa/data/plugins/.

DEVICE
Syntax

DEVICE [id="id"] [name="name"] [title="title"]

Description
This is the main tag for the device, and it identifies the device.

Parameters

id      String. The ID of the device brand.

name    String. The name of the device brand. The name appears throughout the Web
        interface (for example, in the Overview and Changes tabs).

title   String. The full name of the device brand. The title represents the device in
        the list of device types in the Devices tab of the Administration pages.


Subtags

- FORM_FIELD

- CONNECTION_CMD

- DATA_COLLECTION

- DIFF

- EXCLUDE

- ROUTING

- FEATURES

Example
In the following example, the device name FortiGate will appear throughout the Web
interface, while the title Fortinet - FortiGate will appear in the list of device types only.

DEVICE id="fortigate" name="FortiGate" title="Fortinet - FortiGate"

FORM_FIELD
Syntax

FORM_FIELD id="id" title="title" [type="type"]

Description
By default, when adding or modifying a device in the Web interface, AFA provides fields
for host name, user name, and password. This tag specifies additional fields that should
appear for the new device.

This tag is optional.


Parameters

id      String. The ID of the field. It can include only the following characters:
        a-z, _, -
        The ID is used as a tag in the file firewall_data.xml.

title   String. The label representing the field in the Web interface.

type    String. The field's type. This can have the following values:
        - text. The user must input free text in this field.
        - password. The user must input a password in this field.
        The default value is text.

Subtags
None.

Example
In the following example, a field called "Virtual Domain" was added for the device. The
field type was not specified and is therefore "text".

FORM_FIELD id="vdom" title="Virtual Domain"

CONNECTION_CMD
Syntax

CONNECTION_CMD id="id" command="command" title="title"

Description
By default, when adding or modifying a device in the Web interface, the Remote
Management Capabilities area includes the following connection options: SSH and
Telnet. You can use this tag to add additional options.

This tag is optional.


Parameters

id        String. The ID of the connection option. It can include only the following
          characters: a-z, A-Z, 0-9, @, _, !, +, ., :, -, ), (
          The ID is used as a tag in the file firewall_data.xml.

command   String. The connection command. This may include the following parameters
          from the file firewall_data.xml:
          - %attribute%. An attribute, where attribute represents the name of any
            attribute defined in the FORM_FIELD tag.
          - %password%
          - %user_name%
          - %host_name%

title     String. The label representing the connection option in the Web interface.

title String. The label representing the connection option in the Web interface.

Subtags
None.

Example
In the following example, the connection option SSH is defined.

CONNECTION_CMD id="ssh" command="ssh %user_name%@%host_name%" title="SSH"

DATA_COLLECTION
Syntax

DATA_COLLECTION prompt="prompt" [more_prompt="more_prompt"]

Description
This tag specifies device prompts that AFA will encounter when connecting to the
device.


Parameters

prompt        String. The basic device prompt that appears when the AFA automatic data
              collection client connects to the device. This is a regular expression.

more_prompt   String. The device prompt that appears when there is additional data that
              is not currently displayed. This is a regular expression.
              This parameter is optional.

Subtags

- LOGIN_PROMPT

- POST_LOGIN_PROMPT

- COMMANDS_SEQUENCE

- EXIT_COMMAND

Example

DATA_COLLECTION prompt="#\s*$" more_prompt="^\s*-+\s*[Mm]ore\s*-+\s*$"

LOGIN_PROMPT
Syntax

LOGIN_PROMPT prompt="prompt" response="response" try_again="try_again"

Description
This tag specifies the device prompt that AFA will encounter after successfully
connecting to the device. Usually, this prompt relates to logging in to the device, for
example a request for a password.

This tag is optional.


Parameters

prompt      String. A regular expression that describes the device prompt that appears
            after the AFA automatic data collection client has connected to the device.
            This regular expression should match the device prompt (e.g.
            "user1@device1 #") as tightly as possible.

response    String. The command or string that the AFA automatic data collection
            client should send after receiving the prompt.

try_again   String. Indicates whether, after receiving the device prompt specified by
            the prompt parameter, the AFA automatic data collection client should
            attempt to log in again, or continue to wait for the basic login prompt.
            This can have the following values:
            - yes. Attempt to log in again.
            - no. Do not attempt to log in again. Instead, wait for the device prompt
              specified by the prompt parameter.

Subtags
None.

Example
In the following example, upon receiving the "yes/no?" prompt, the AFA automatic data
collection client will send the response "yes" and then attempt to log in again.

LOGIN_PROMPT prompt="(yes/no)?\s+$" response="yes" try_again="yes"

POST_LOGIN_PROMPT
Syntax

POST_LOGIN_PROMPT prompt="prompt" response="response"

Description
This tag specifies device prompts that AFA will encounter after successfully logging in
to the device.


This tag is optional.

Parameters

prompt String. The device prompt that appears after the AFA automatic data
collection client has logged in to the device. This is a regular expression.

response String. The command or string that the AFA automatic data collection
client should send after receiving the prompt.

Subtags
None.

Example

POST_LOGIN_PROMPT prompt="Terminal type\?.*$" response="xterm"

COMMANDS_SEQUENCE
Syntax
COMMANDS_SEQUENCE

Description
This tag specifies the sequence of commands that AFA should use during data
collection.

Parameters
None.

Subtags

l CMD

l CMD_VIRT


CMD
Syntax

CMD id="id" command="command" save_output="save_output" [condition="condition"] [prompt="prompt"]

Description
This tag specifies a command that AFA should use during data collection.

Parameters

id            Integer. The command's ID and order number. Commands are implemented in
              numerical order.

command       String. The connection command that the AFA automatic data collection
              client should send to the device.
              This may include the following parameters from the file firewall_data.xml:
              - %attribute%. An attribute, where attribute represents the attribute's
                name.
              - %password%
              - %user_name%
              - %host_name%

save_output   String. Indicates whether the result of the command should be added to
              the output device configuration file. This can have the following values:
              - yes. Add the result of the command to the output device
                configuration file.
              - no. Do not add the result of the command to the output device
                configuration file.


condition     String. The name of an attribute defined in the FORM_FIELD tag, which if
              assigned a value (i.e., the parameter is not empty), should cause the AFA
              automatic data collection client to send this command. This can have the
              following values:
              - The name of any attribute added in the FORM_FIELD tag
              - FW_VIRT. Run the command only if the device has a virtual
                system.

prompt        String. The device prompt that will appear after the AFA automatic data
              collection client has sent this command.
              This is a regular expression and may include the following parameters
              from the file firewall_data.xml:
              - %attribute%. An attribute, where attribute represents the attribute's
                name.
              - %password%
              - %user_name%
              - %host_name%

Note: By default, the AFA automatic data collection client will expect to
receive the last defined prompt (the one specified in the preceding
DEVICE, CMD or LOGIN tag).

Subtags
None.

Example
In the following example, the enable command will run only if the device configuration
file includes an enable attribute that is not empty. The result of the command will not be
saved.

CMD id="1" command="enable" save_output="no" condition="enable" prompt="sword:\s*$"


CMD_VIRT
Syntax

CMD_VIRT id="id" command="command" save_output="save_output" [condition="condition"] [prompt="prompt"]

Description
This tag specifies a command that AFA should use during data collection on a virtual
system.

This tag is optional.

Parameters

id            Integer. The command's ID and order number. Commands are implemented in
              numerical order.

command       String. The connection command that the AFA automatic data collection
              client should send to the device.
              This may include the following parameters from the file firewall_data.xml:
              - %attribute%. An attribute, where attribute represents the attribute's
                name.
              - %password%
              - %user_name%
              - %host_name%

save_output   String. Indicates whether the result of the command should be added to
              the output device configuration file. This can have the following values:
              - yes. Add the result of the command to the output device
                configuration file.
              - no. Do not add the result of the command to the output device
                configuration file.


condition     String. The name of an attribute defined in the FORM_FIELD tag, which if
              assigned a value (i.e., the parameter is not empty), should cause the AFA
              automatic data collection client to send this command. This can have the
              following values:
              - The name of any attribute added in the FORM_FIELD tag.
              - FW_VIRT. Run the command only if the device has a virtual
                system.

prompt        String. The device prompt that will appear after the AFA automatic data
              collection client has sent this command.
              This is a regular expression and may include the following parameters
              from the file firewall_data.xml:
              - %attribute%. An attribute, where attribute represents the attribute's
                name.
              - %password%
              - %user_name%
              - %host_name%

Note: By default, the AFA automatic data collection client will expect to
receive the last defined prompt (the one specified in the preceding
DEVICE, CMD or LOGIN tag).

Subtags
None.

Example
In the following example, the end command will run only if the device configuration file
includes a vdom attribute that is not empty. The result of the command will not be saved.

CMD_VIRT id="4" command="end" save_output="no" prompt="#\s*$" condition="vdom"


EXIT_COMMAND
Syntax

EXIT_COMMAND command="command"

Description
This tag specifies the command that AFA should use to end the connection to the
device.

Parameters

command String. The command that the AFA automatic data collection client
should send, in order to end the connection.

Subtags
None.

Example
In the following example, the command is "exit".

EXIT_COMMAND command="exit"

DIFF
Syntax

DIFF context_lines="contextLines"

Description
When real-time monitoring and alerting is enabled, specified users receive e-mails upon
changes to monitored devices, and the changes are displayed in the Web interface's
Changes tab. This tag specifies the number of lines before and after a change to display
in e-mails and in the Web interface's Changes tab. The lines surrounding a change
represent the change's context.


This tag is optional.

Parameters

contextLines Integer. The number of lines to show before and after a change.
The default value is 3.

Subtags
None.

Example
In the following example, the 5 lines before and after a change will be displayed.

DIFF context_lines="5"

EXCLUDE
Syntax

EXCLUDE regex="regex" [lines_before="lines_before"] [lines_after="lines_after"] [inline="inline"]

Description
When real-time monitoring is enabled, AFA periodically checks whether the device
configuration has changed. You can use this tag to exclude certain lines in the device
configuration from monitoring.

For example, the current date and other counters change frequently, yet do not
represent an actual change to the device configuration. To prevent changes to
such lines from repeatedly being interpreted as device configuration changes and
reported via e-mail and the Web interface's Changes tab, you can exclude these lines
from monitoring.

This tag is optional.


Parameters

regex          String. A regular expression, describing a string in the device configuration
               file that should be ignored by AFA when checking for changes to the device
               configuration.

lines_before   Integer. The number of lines preceding the string specified in regex,
               including the line in which the string appears, that should be excluded
               from monitoring.

lines_after    Integer. The number of lines following the string specified in regex,
               including the line in which the string appears, that should be excluded
               from monitoring.

inline         String. Indicates whether the whole line (or any whole lines before or
               after) or only the part of the line that matches the regular expression is
               excluded. This can have the following values:
               - yes. Exclude only the part of the line that matches the regular
                 expression.
               - no. Exclude the whole line (or any lines before or after).

Subtags
None.

Example
In the following example, when checking the device configuration for changes, AFA will
exclude 30 lines starting from the string "set private-key".

EXCLUDE regex="set private-key" lines_after="30"
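As an added example that is not part of the guide or of AFA, the following Python code applies EXCLUDE rules of the kind described above to two constructed snapshots of a device configuration and then diffs them with a DIFF-style number of context lines, so that a re-encoded private key and the device clock do not surface as changes (or in change e-mails) while a widened policy rule does. When a rule names neither lines_before nor lines_after, covering only the matching line is an assumption; the guide does not state the default.

```python
import difflib
import re

# Two constructed configuration snapshots of the same device. Between them the
# clock advanced, the stored private key was re-encoded, and one policy rule
# was widened; only the last of these is a change worth alerting on.
OLD_CONFIG = """\
set hostname fw1
set clock 2020-05-04 10:00:00
set private-key
-----BEGIN KEY-----
constructedkeymaterialAAAA
-----END KEY-----
set policy id 1 from trust to untrust any any http permit
set policy id 2 from trust to untrust any any ssh permit
"""
NEW_CONFIG = (OLD_CONFIG.replace("10:00:00", "10:05:00")
              .replace("AAAA", "BBBB")
              .replace("any any ssh permit", "any any any permit"))

# EXCLUDE tags expressed as dicts with the attribute names from the reference.
# lines_after counts the matching line itself, as the reference states; a rule
# naming neither lines_before nor lines_after is assumed to cover just that line.
EXCLUDES = [
    {"regex": r"^set private-key", "lines_after": "4"},   # key header + 3 lines
    {"regex": r"\d{2}:\d{2}:\d{2}", "inline": "yes"},     # only the time-of-day text
]
EXCLUDED_LINE = "[line excluded from monitoring]"
EXCLUDED_TEXT = "<excluded>"


def monitored_view(config_text, excludes):
    """Return the configuration as the change monitor should see it: whole
    excluded lines replaced by a constant marker, inline exclusions masked."""
    lines = config_text.splitlines()
    hidden = set()
    for rule in excludes:
        pattern = re.compile(rule["regex"])
        before = int(rule.get("lines_before", 1))
        after = int(rule.get("lines_after", 1))
        for i, line in enumerate(lines):
            if not pattern.search(line):
                continue
            if rule.get("inline", "no") == "yes":
                lines[i] = pattern.sub(EXCLUDED_TEXT, line)
            else:  # both counts include the matching line, hence the -1 / +0
                hidden.update(range(max(0, i - before + 1), min(len(lines), i + after)))
    return "\n".join(EXCLUDED_LINE if i in hidden else l for i, l in enumerate(lines))


def change_report(old_text, new_text, excludes, context_lines=3):
    """Unified diff of the two monitored views; context_lines plays the role of
    the DIFF tag's context_lines attribute (default 3, as in the reference)."""
    old = monitored_view(old_text, excludes).splitlines()
    new = monitored_view(new_text, excludes).splitlines()
    return list(difflib.unified_diff(old, new, "previous", "current",
                                     n=context_lines, lineterm=""))


def changed_lines(report):
    """Split a report into (removed, added) lines, skipping the two file headers."""
    body = report[2:]
    return ([l[1:] for l in body if l.startswith("-")],
            [l[1:] for l in body if l.startswith("+")])


if __name__ == "__main__":
    print("\n".join(change_report(OLD_CONFIG, NEW_CONFIG, EXCLUDES, context_lines=1)))
```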

ROUTING
Syntax

ROUTING script="script"

Description
This tag specifies a script that should be used to analyze the device's routing table.


This tag is optional.

Parameters

script String. The name of the script to use for creating a routing table.

Subtags
None.

Example
In the following example, the script forti2urt.pl is specified.

ROUTING script="forti2urt.pl"

FEATURES
Syntax

FEATURES

Description
This tag specifies features that are supported for the device.

Note: By default, only real-time monitoring is supported for the device. To add more
features, contact AlgoSec.

This tag is optional.

Parameters
None.

Subtags

l FEATURE


FEATURE
Syntax

FEATURE name="name" [script="script"]

Description
This tag specifies a feature that is supported for the device.

Parameters

name String. The name of the feature.

script String. The name of the script to use to run the feature.

Subtags
None.

Example
In the following example, the topology feature is supported for the device.

FEATURE name="topology" script="snmp2urt"
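The following Python code is an added example, not part of the guide or of AFA, that applies the tag reference above to a brand_config.xml before it is installed: it checks the constraints the reference states (FORM_FIELD id character set, CMD ids as increasing integers, condition names that exist, prompts that compile as regular expressions, known %attribute% placeholders) and then expands the COMMANDS_SEQUENCE using the condition and last-defined-prompt rules, masking password-type values so the resulting trace can be logged safely. The sample input is the netfilter file from the Configuration file example; the attribute values in SAMPLE_ATTRS are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Sample input: the Linux netfilter brand_config.xml from the guide's
# "Configuration file example", as a raw string so the regexes survive unchanged.
IPTABLES_BRAND_CONFIG = r'''<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<DEVICE id="netfilter" name="iptables" title="Linux netfilter - iptables">
<FORM_FIELD id="root_psw" title="root password" type="password" />
<DATA_COLLECTION prompt="\]\s*[#$]\s*$" more_prompt="^\s*-+\s*[Mm]ore\s*-+\s*$">
<COMMANDS_SEQUENCE>
<CMD id="1" command="su -" save_output="no" condition="root_psw" prompt="sword:\s*$" />
<CMD id="2" command="%root_psw%" save_output="no" condition="root_psw" prompt="\]\s*#\s*$" />
<CMD id="3" command="route" save_output="yes" />
<CMD id="4" command="iptables -L" save_output="yes" />
</COMMANDS_SEQUENCE>
<EXIT_COMMAND command="exit" />
</DATA_COLLECTION>
<DIFF context_lines="5" />
<EXCLUDE regex="no exclusions defined" />
</DEVICE>
'''
# Constructed attribute values for one device, as AFA keeps them in firewall_data.xml.
SAMPLE_ATTRS = {"host_name": "fw1.example.test", "user_name": "afa",
                "password": "login-pw", "root_psw": "s3cret"}

FIELD_ID_RE = re.compile(r"^[a-z_-]+$")            # FORM_FIELD id: a-z, _ and - only
PLACEHOLDER_RE = re.compile(r"%([A-Za-z0-9_]+)%")  # %attribute% references
BUILTIN_ATTRS = {"password", "user_name", "host_name"}

def _regex_ok(pattern):
    try:
        return re.compile(pattern) is not None
    except re.error:
        return False

def validate_brand_config(xml_text):
    """Check a brand_config.xml against the tag reference. Returns a list of
    problem strings; an empty list means nothing was found."""
    problems = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    problems += [f"DEVICE has no {a}" for a in ("id", "name", "title") if not root.get(a)]
    fields = {f.get("id", ""): f.get("type", "text") for f in root.findall("FORM_FIELD")}
    for fid in fields:
        if not FIELD_ID_RE.match(fid):
            problems.append(f"FORM_FIELD id {fid!r}: only a-z, _ and - are allowed")
    known = set(fields) | BUILTIN_ATTRS
    dc = root.find("DATA_COLLECTION")
    if dc is None:
        return problems + ["DATA_COLLECTION tag is missing"]
    for attr in ("prompt", "more_prompt"):
        if (attr == "prompt" and not dc.get(attr)) or not _regex_ok(dc.get(attr) or ""):
            problems.append(f"DATA_COLLECTION {attr} must be a valid regex")
    last_id = 0
    for cmd in dc.iter():                      # CMD and CMD_VIRT, in document order
        if cmd.tag not in ("CMD", "CMD_VIRT"):
            continue
        label = f"{cmd.tag} id={cmd.get('id')}"
        if not cmd.get("id", "").isdigit() or int(cmd.get("id")) <= last_id:
            problems.append(f"{label}: ids must be integers in increasing order")
        else:
            last_id = int(cmd.get("id"))
        if cmd.get("save_output") not in ("yes", "no"):
            problems.append(f"{label}: save_output must be yes or no")
        cond = cmd.get("condition")
        if cond and cond != "FW_VIRT" and cond not in fields:
            problems.append(f"{label}: condition {cond!r} is not a FORM_FIELD id")
        if cmd.get("prompt") and not _regex_ok(cmd.get("prompt")):
            problems.append(f"{label}: prompt is not a valid regex")
        for name in PLACEHOLDER_RE.findall(cmd.get("command", "") + (cmd.get("prompt") or "")):
            if name not in known:
                problems.append(f"{label}: %{name}% is not a FORM_FIELD or built-in attribute")
    return problems

def resolve_sequence(xml_text, attrs, redact=True):
    """Expand COMMANDS_SEQUENCE as the reference describes: %attr% values come from
    attrs, a CMD whose condition attribute is empty is skipped, and each command
    waits for the last defined prompt unless it sets its own. Returns a list of
    (command, expected_prompt, save_output); password-type values are masked when
    redact is True so the trace can be logged without exposing credentials."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    secret = {f.get("id") for f in root.findall("FORM_FIELD")
              if f.get("type") == "password"} | {"password"}

    def expand(text):
        return PLACEHOLDER_RE.sub(lambda m: "<redacted>" if redact and m.group(1) in secret
                                  else attrs.get(m.group(1), ""), text)

    dc = root.find("DATA_COLLECTION")
    prompt = expand(dc.get("prompt", ""))
    steps = []
    for cmd in dc.find("COMMANDS_SEQUENCE"):
        cond = cmd.get("condition")            # FW_VIRT is looked up in attrs like any other
        if cmd.tag not in ("CMD", "CMD_VIRT") or (cond and not attrs.get(cond)):
            continue
        if cmd.get("prompt"):                  # a skipped CMD never changes the prompt
            prompt = expand(cmd.get("prompt"))
        steps.append((expand(cmd.get("command", "")), prompt, cmd.get("save_output") == "yes"))
    return steps
```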

Early availability features


This topic describes how to enable ASMS's Early Availability features.

ASMS's Early Availability features enable you to access new functionality and support
earlier than general availability in hopes that customers provide feedback on the design
and implementation. Early Availability features have shorter QA cycles and therefore are
disabled by default.

Warning: We recommend that you do not keep Early Availability features in use in
production. Either enable only in testing systems, or disable them in production
systems when returning to general use.


- Cisco ISE devices in AFA

- Arista devices in ASMS

- Enable / Disable map support for Azure

- Enable / Disable ActiveChange for Azure

- Enable support for Check Point R80 layers

Cisco ISE devices in AFA


Support for Cisco ISE is available as an early availability (EA) feature. ASMS supports
Cisco ISE devices as follows:

- Support includes FireFlow, but without ActiveChange

- Support does not include any AppViz features that rely on FireFlow

- Support does not include using a Geographic Distribution Remote Agent to
  manage Cisco ISE devices.

The following sections describe ASMS's connection to CISCO ISE devices:

- Network connectivity

- Device permissions

- Enable / disable early availability support for Cisco ISE

- Add a Cisco ISE device to AFA

Network connectivity
The following diagram shows an ASMS Central Manager or Remote Agent connecting
to a Cisco ISE device.


Device permissions
ASMS connects to Cisco ISE devices via the Admin Node, using the ERS API.

To do so, ASMS requires an Administrator user with Read/Write permissions and the
ERS-Operator group assignment.

Additionally, ASMS requires:

- A REST connection over port 9060

- Cisco ISE TrustSec SXP feature enabled for the device

Enable / disable early availability support for Cisco ISE


Do the following:

1. In the AFA Administration area, navigate to the Options > Advanced
Configuration tab.

2. Click Add to add a new configuration parameter, and enter the following details:

Name    AlgoSec_EA_CISCOISE

Value   Enter one of the following:
        - Yes = enable Cisco ISE support
        - No (default) = disable Cisco ISE support

3. Click OK.

Add a Cisco ISE device to AFA


This procedure describes how to add a Cisco ISE device to AFA.

Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. In the vendor and device selection page, select Cisco > CISCO ISE.


3. Complete the fields as needed.

Access Information

Enter details for accessing your device.

Host Enter the device's host name or IP address.

User Name Enter the username to use for device access.

Password Enter the password to use for device access.

Geographic Distribution

Select the remote agent that should perform data collection for the device.

To specify that the device is managed locally, select Central Manager.

This field is relevant when a Geographic Distribution architecture is configured.

Options

Select the following as needed:

Real-time change monitoring   Select this option to enable real-time change
                              monitoring. For details, see Configure real-time
                              monitoring.

Set user permissions          Select this option to set user permissions for this
                              device.

4. Click Finish. The new device is added to the device tree.

5. If you selected Set user permissions, the Edit users dialog box appears.

In the list of users displayed, select one or more users to provide access to reports
for this account.

To select multiple users, press the CTRL button while selecting.

Click OK to close the dialog.

A success message appears to confirm that the device is added.


Arista devices in ASMS


This section describes the ASMS Early Availability support for Arista devices:

- Network connectivity

- Device permissions

- Enable / Disable support for Arista

- Add an Arista device to AFA

Network connectivity
The following image shows an ASMS Central Manager or Remote Agent connected to
an Arista device over HTTPS-REST.

Device permissions
To analyze Arista devices, ASMS connects to Arista EOS devices using the REST-
based eAPI, ensuring high performance and efficient data collection.

ASMS requires a user with Read permissions, and a REST connection over port 443.

The user must also have permission to run the following commands via API Explorer:

- show version

- show interfaces

- show ip interfaces

- show ip route vrf ( all | <vrf-name> )

- show ip access-lists

- show ip access-lists summary


If the REST eAPI is not yet enabled, run the following using the Arista CLI:

Arista(config)#management api http-commands
Arista(config-mgmt-api-http-cmds)#no shut

Enable / Disable support for Arista


This procedure describes how to enable or disable support for Arista devices in ASMS.

Do the following:

1. In AFA, click your username, and select Administration > Advanced
Configuration.

2. Click Add to add a new configuration parameter.

3. Define your parameter values as follows:

Name    ALGOSEC_EA_ARISTA

Value   One of the following:
        - yes = Enable Arista device support
        - no = Disable Arista device support

For more details, see Advanced Configuration. Continue with Add an Arista device to
AFA.

Add an Arista device to AFA


This procedure describes how to add an Arista EOS device to AFA.

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page

2. In the vendor device selection page, click Arista > Arista EOS.

3. Complete the following fields:


Host              Enter the host name of the Arista device. This is the name that will
                  be displayed in the devices tree.

User Name         Enter the username to use when accessing the device.

Password          Enter the password to use when accessing the device.

Enable Password   Enter the enable password to use when accessing the device.

Note: In the Geographic Distribution area, you must select Central Manager.

Arista devices cannot be managed by Remote Agents.

4. Click Next, and then select the managed devices you want to add to AFA.

5. Select the following as needed:

Real-time change monitoring   Select this option to enable real-time alerting upon
                              configuration changes. For details, see Configure
                              real-time monitoring.

Set user permissions          Select this option to set user permissions for this
                              device.

6. Click Finish. The new device is added to the device tree.

7. If you selected Set user permissions, the Edit users dialog box appears.

In the list of users displayed, select one or more users to provide access to reports
for this account.

To select multiple users, press the CTRL button while selecting.

Click OK to close the dialog.

A success message appears to confirm that the device is added.

Enable / Disable map support for Azure


By default, no icon appears in the graphic network map for Azure subscriptions, and
traffic simulation queries involving VMs from Azure subscriptions do not benefit from
internal routing information. Advanced graphic network map support for Azure devices is
available as an early availability feature. Early availability features may be limited in
their scope and have undergone a shortened testing cycle. They are disabled by
default.

When advanced graphic network map support for Azure devices is enabled, the internal
routing information is available to traffic simulation queries and the following network
elements appear in the graphic network map: VNet routers, VNet peerings, and internet
gateways. The subnets coming off the VNet routers include the containers.

Note: VPN gateways are not supported.

Note: AFA does not currently support the use of a Geographical Distribution Remote
Agent to manage this device.

To enable/disable early availability map support for Azure:

1. In the toolbar, click your username.

A drop-down menu appears.

2. Select Administration.

The Administration page appears, displaying the Options tab.

3. Click the Advanced Configuration tab.

The Advanced Configuration page appears.

4. Click Add.

The Add New Configuration Parameter dialog box appears.

5. In the Name field, type AlgoSec_EA_Azure_Topology.

6. In the Value field, type one of the following:


- Type yes to enable advanced map support.

- Type no to disable advanced map support. This is the default setting.

7. Click OK.

Enable /Disable ActiveChange for Azure


ActiveChange for Microsoft Azure is available as an early availability feature. Early
availability features may be limited in their scope and have undergone a shortened
testing cycle. They are disabled by default.

When ActiveChange for Azure is enabled, you can add and remove rules from the
policy directly from FireFlow. Note that you cannot create new objects; you are limited to
using existing objects. The work order will never recommend creating new objects
regardless of whether ActiveChange is enabled.

Note: The following procedure enables ActiveChange for Azure in the ASMS, but
does not automatically enable ActiveChange for specific Azure subscriptions. In
order to enable ActiveChange for a specific Azure subscription, you must select the
Enable ActiveChange checkbox when defining the Azure in AFA.

Note: AFA does not currently support the use of a Geographical Distribution Remote
Agent to manage this device.

To enable/disable early availability ActiveChange for Azure:

1. In the toolbar, click your username.

A drop-down menu appears.

2. Select Administration.

The Administration page appears, displaying the Options tab.

3. Click the Advanced Configuration tab.

The Advanced Configuration page appears.


4. Click Add.

The Add New Configuration Parameter dialog box appears.

5. In the Name field, type AlgoSec_EA_Azure_ActiveChange.

6. In the Value field, type one of the following:

• Type yes to enable ActiveChange for Azure.

• Type no to disable ActiveChange for Azure. This is the default setting.

7. Click OK.

Enable support for Check Point R80 layers

Enabling this feature expands AFA support to include inline layers and ordered layers
(global and domain-level). AFA supports these layers in the policy tab (including
searching and exporting) and in change monitoring (in the Changes tab directly in the UI
and in reports). Additionally, relevant AFA API responses will include layer information.

AFA represents layers with layer-specific columns and action values. In the policy tab,
each layer is grouped under its own heading.

Until this feature is enabled, AFA supports only the global policy layer and the domain-
level first ordered layer. Inline layers and rules in a second (or later) domain-level
ordered layer are ignored, and rules with an action that calls an inline layer are treated
as allow rules. All early availability features are disabled by default.

Note: Additional layer support is not extended to policy optimization, risk analysis, or
traffic simulation queries. For these functionalities, rules in a second (or more)
domain-level ordered layers are ignored, and rules with an action that calls an inline
layer are treated as allow rules.


When early availability support is enabled, FireFlow and AppViz are not supported
for Check Point R80 devices whose policies contain inline layer rules or rules in the
second and subsequent ordered layers.

Warning: After enabling, this feature cannot be disabled again. Additionally,
ActiveChange will not be supported on any layer after layers support is enabled.

If you are using ActiveChange for Check Point devices, we recommend that you do
not enable this feature in your production environment.

Enable early availability support for Check Point R80 Layers
Do the following:

1. In the toolbar, click your username and select Administration to access the AFA
Administration area.

2. Click the Advanced Configuration tab.

3. On the Advanced Configuration page, click Add.

4. In the Add New Configuration Parameter dialog, enter the following:

Name: AlgoSec_EA_CKP_R80_Layers

Value: This parameter is set to no by default. Define the value as yes to enable it.
Once enabled, this feature cannot be disabled again.

5. Click OK.

Tip: If you add a Check Point R80 device from a configuration file based on a recent
report to an AFA system with this flag enabled, make sure that the configuration file is
also generated from an AFA system with this flag enabled.

For more details, see Add other devices and routing elements.


Manage groups
This section describes how to configure device groups in AFA.

About groups in AFA

A group is a set of devices for which no information about the relationships between the
member devices is provided, or whose devices are not connected in a tiered network.
AFA allows you to quickly define a group and configure parameters for analyzing the
member devices. You can then do the following:

• Schedule an analysis of all the devices in a group at once.

• Produce an additional high-level report that aggregates the reports of all the
member devices, so that you have a bird's-eye view of your group-wide risk
exposure.

For information on defining sets of devices for which information about the relationships
between the member devices is provided, see Manage matrices.

In addition to user-defined groups, AFA includes a built-in group called ALL_FIREWALLS.
This group consists of all devices in the system, and you can generate reports for it. You
cannot edit or delete this group.

Note: In a Geographic Distribution architecture, groups may contain devices that are
managed by different remote agents.

Add groups
Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. Click New, then click Group.

The Create a New Group dialog box appears.


3. In the Name field, type the name of the new group.

4. Select the devices that you want to add to the group.

You can search for devices by typing the full or partial name of a device into the
box.

You can browse the list by clicking Previous or Next below the list. Additionally,
you can see more devices on the same page by expanding the size of the dialog
box by pulling the bottom corner. You can filter the devices by Device, Brand and
Group by clicking beside the column title.

The devices appear in the members box.

5. To remove members from the group, clear the device's check box.

The device is removed from the members box.

Note: A group must include at least two members.

6. Click Create.


A success message appears.

7. Click OK.

Edit groups
Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. Select the desired group and click Edit.

The Edit Groups dialog box appears.

3. To add a member to the group, select the desired device.

You can search for devices by typing the full or partial name of a device into the
box.

You can browse the list by clicking Previous or Next below the list. Additionally,
you can see more devices on the same page by expanding the size of the dialog
box by pulling the bottom corner. You can filter the devices by Device, Brand and
Group by clicking beside the column title.

The devices appear in the members box.

4. To remove members from the group, clear the device's check box.

The device is removed from the members box.

Note: A group must include at least two members.

5. Click Update.

A success message appears.

6. Click OK.

Rename groups
Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. Select the desired group from the tree and click Rename.

The Rename group dialog box appears.

3. In the Group name field, change the group name.

4. Click OK.

A success message appears.

5. Click OK.


Delete groups
Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. Select the desired group and click Delete.

A confirmation message appears.

3. Click OK.

A success message appears.

4. Click OK.

The group is deleted.


Manage matrices
This section describes how to configure matrices in AFA.

About AFA matrices
A matrix is a set of devices, in which information about each device member's position
in the network hierarchy is provided.

When you create a matrix, AFA uses a special algorithm to calculate the relationships
between the members. If desired, you can override the results and edit the topology
information.

Note: In a Geographic Distribution architecture, matrices may contain devices that
are managed by different remote agents.

When a report is generated for the matrix, AFA analyzes the devices' multi-tiered
network topology and enables you to do the following:

• View a network diagram of the device members' topology, including the
connections between them.

• View risks associated with traffic that is allowed across all devices in the matrix.

• Run a traffic simulation query on the generated matrix analysis report.

Add matrices
Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. Click New, then click Matrix.

The Create a New Matrix dialog box appears.

3. In the Name field, type the name of the new matrix.

4. Select the devices that you want to add to the matrix.

You can search for devices by typing the full or partial name of a device into the
box.


You can browse the list by clicking Previous or Next below the list. Additionally,
you can see more devices on the same page by expanding the size of the dialog
box by pulling the bottom corner. You can filter the devices by Device, Brand and
Group by clicking beside the column title.

The devices appear in the members box.

5. To remove members from the matrix, clear the device's check box.

The device is removed from the members box.

Note: A matrix must include 2-4 members.

6. Click Create.

A message box appears asking whether you want to customize the matrix settings.

7. Do one of the following:

• To customize the matrix's topology at a later time, click No.

• To customize the matrix's topology now, do the following:

a. Click Yes.

The Customize Matrix Topology page appears, enabling you to edit all
zones in the matrix's multi-tiered topology.


b. Customize the matrix topology.

c. Click OK.

Edit matrices
Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. Select the desired matrix and click Edit.

The Edit Matrix dialog box appears.

3. To add a member to the matrix, select the desired device.

You can search for devices by typing the full or partial name of a device into the
box.

You can browse the list by clicking Previous or Next below the list. Additionally,
you can see more devices on the same page by expanding the size of the dialog
box by pulling the bottom corner. You can filter the devices by Device, Brand and
Group by clicking beside the column title.

The devices appear in the members box.

4. To remove members from the matrix, clear the device's check box.

The device is removed from the members box.

Note: A matrix must include 2-4 members.

5. Click Update.

A success message appears.

6. Click OK.

A message box appears asking whether you want to customize the matrix settings.

7. Do one of the following:

• To customize the matrix's topology at a later time, click No.

• To customize the matrix's topology now, do the following:

a. Click Yes.

The Customize Matrix Topology page appears, enabling you to edit all
zones in the matrix's multi-tiered topology.

b. Customize the matrix topology.

c. Click OK.

Rename matrices
Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. Select the desired matrix and click Rename.


The Rename Matrix dialog box appears.

3. In the Matrix name field, modify the matrix name as desired.

4. Click OK.

A success message appears.

5. Click OK.

Delete matrices
Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. Select the desired matrix and click Delete.

A confirmation message appears.

3. Click OK.

A success message appears.

4. Click OK.

The matrix is deleted.


Manage DR sets
AFA provides the ability to define pairs (or groups) of Disaster Recovery (DR) sets.
Whenever one of the devices in the set is found in the path of a traffic simulation query,
the other devices will automatically be tested against the same traffic, ensuring they
allow it as well. This capability significantly eases troubleshooting and change
management for DR device sets that do not share the same policy.

This section describes how to configure disaster recovery (DR) sets in AFA.

Add DR sets
Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. Click New, then click DR Set.

The Create a New DR Set dialog box appears.

3. In the Name field, type the name of the new DR set.


4. Select the devices that you want to add to the DR set.

You can search for devices by typing the full or partial name of a device into the
box.

You can browse the list by clicking Previous or Next below the list. Additionally,
you can see more devices on the same page by expanding the size of the dialog
box by pulling the bottom corner. You can filter the devices by Device, Brand and
Group by clicking beside the column title.

The devices appear in the members box.

5. To remove members from the DR set, clear the device's check box.

The device is removed from the members box.

Note: A DR set must include at least two members.

6. Click Create.

A success message appears.

7. Click OK.

Edit DR sets
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. Select the desired DR set and click Edit.

The Edit DR set dialog box appears.


3. To add a member to the DR set, select the desired device.

You can search for devices by typing the full or partial name of a device into the
box.

You can browse the list by clicking Previous or Next below the list. Additionally,
you can see more devices on the same page by expanding the size of the dialog
box by pulling the bottom corner. You can filter the devices by Device, Brand and
Group by clicking beside the column title.

The devices appear in the members box.

4. To remove members from the DR set, clear the device's check box.

The device is removed from the members box.

Note: A DR set must include at least two members.

5. Click Update.

A success message appears.


6. Click OK.

Rename DR sets
Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. Select the desired DR set from the tree and click Rename.

The Rename DR Set dialog box appears.

3. In the DR Set name field, modify the DR set name as desired.

4. Click OK.

A success message appears.

5. Click OK.

Delete DR sets
Do the following:

1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.

2. Select the desired DR set from the tree and click Delete.

A confirmation message appears.

3. Click OK.


A success message appears.

4. Click OK.

The DR set is deleted.


Manage the map

This section describes advanced support options for improving the accuracy of the
graphic network map and the operations which depend on it.

For details, see:

• Complete the map

• Complete the map (CLI)

• Troubleshoot traffic simulation queries

• Edit IP ranges in clouds

• Remove devices

• Restore device interfaces

• Specify routing data manually

Complete the map

AFA creates the graphic network map using all the routing information it collects from
the devices defined in AFA. Whenever a device's routing table implies the existence of
a device that is not defined in AFA, the device is represented in the map as a generic
router. Because AFA has only limited information about these routers, they cause holes
in the network map which AFA can only represent as a cloud. Some of these routers
have a large impact on the paths within the network, and the fact that they are not
defined in AFA deprives the map (and AFA) of the significant routing information they
could provide.

Completed map contents

A complete map will include:

• A direct connection between every internal subnet in the network (without passing
through any clouds).

• A direct connection between every internal subnet and all permitted external IP
addresses that ends in the relevant cloud (without passing through any clouds).


AFA provides a completeness score for your map and enables you to complete your
map by providing a prioritized list of generic routers in the map that should be defined as
devices in AFA. The routers which would complete the most paths are given the highest
priority. AFA automatically performs a DNS lookup to help identify which of your devices
corresponds to which IP address. To further assist in identifying the device names, you
can optionally provide the network's SNMP credentials.

Tip: Alternately, complete the map via CLI instead. For more details, see Complete
the map (CLI).

Identify routers to define in AFA
Do the following:

1. View the graphic network map.

The Map appears in the workspace.

The map completeness score appears at the bottom of the workspace.

Note: The map completeness score and the routers that AFA recommends
defining are calculated by simulating routes between internal subnets and
between each internal subnet and external IP. By default, the maximum
number of paths that will be simulated is 400, and the external IP address
used in the calculation is 8.8.8.8. If a custom risk profile spreadsheet is being
used in AFA, the networks in the spreadsheet are used as the default internal
networks. If no such spreadsheet is being used, RFC 1918 is used to provide
the default internal networks.

2. Next to the map completeness score, click the Improve Score link.

The Improve Map Connectivity page appears.

The list on the left is a prioritized list of routers to define in AFA. The routers which
would complete the most paths are given the highest priority, and therefore appear
at the top of the list. The name of the router appears when the DNS lookup was
successful; otherwise, the IP address of the router appears.

Each router appears in the list with its IP address as a link. Clicking on the link will
focus the map on that router.

The device name to the left of the router's name is the device defined in AFA
which is closest to the router. When multiple devices are close to the router, a link
to a list of the devices appears.

3. To filter the list of routers, type a search in the search box.

The search results include results for router names, router IP addresses, or names
of the closest device defined in AFA.

4. To define a router in AFA, hover over the router in the list and click the icon that appears.

The administration area for defining new devices appears, enabling you to define
the device in AFA. For more details, see Add devices to AFA.

5. To merge routers in the map into a single router, do the following:

a. Select the routers in the list that you want to merge.

The Merge Selected button at the top of the list becomes enabled when two or
more routers are selected.

b. Click Merge Selected.

The routers are merged into one router in the map. The new router is represented
with the merged routers icon.

6. To re-run the map completeness calculation with custom values, do the following:

a. Click on the map completeness score icon.

The Calculate Map Completeness Score window appears.

b. Edit the internal or external networks in the fields.

The map completeness score and the routers that AFA recommends defining are
calculated by simulating routes between internal subnets and between each
internal subnet and external IP.

c. To restore the default network values, click the Restore Default Values link.

d. To customize the maximum number of paths that will be simulated and/or to
provide SNMP credentials for the sake of identifying router names, click
Advanced Options and complete the additional fields.

Note: When SNMP is provided, the only information being fetched via SNMP is
the name of the devices.

e. Click Run.

Complete the map (CLI)

AlgoSec provides a CLI tool to help complete the map.

Note: Using the AFA web interface is the preferred method to complete the map. See
Complete the map. When you choose to use the CLI tool, the results will not appear in
the UI.

Map completeness CLI tool scope

The CLI tool provides:

• A connectivity score for the map.

• A prioritized list of generic routers in the map that should be defined as devices
in AFA. The routers which would complete the most paths are given the highest
priority.

In order to identify which device corresponds to which IP address, the tool
automatically performs a DNS lookup. To further assist the tool in identifying the
device names, you can optionally provide the network's SNMP credentials.

• A list of mismatched routes in the map (the route was complete in one direction,
but not the other).


Identify routers to define in AFA
Do the following:

1. Set the map to prefer paths where the source is a subnet (and not a cloud) and
disable this preference for destinations. For details, see the
PrioritizeFIPDestination parameter.

Note: Make sure to revert these parameters to the settings required for your
environment after you finish running the CLI tool.

2. Prepare the following input files:

• A .txt file with all the internal subnets within the network. The subnets
should all be connected without going through the internet.

Each subnet in the file must be in CIDR format and on a new line ("line
break" is the delimiter).

Example:

10.0.0.0/8
192.168.0.0/16

• A .txt file with all the external IP addresses that should be reachable from
each internal subnet.

Each IP address must be on a new line ("line break" is the delimiter).

Example:

8.8.8.8
82.102.187.174

• (Optional) A .txt file with the network's SNMP credentials. Providing this
information helps the CLI tool determine the names of the devices in the
prioritized list (not just the IP addresses) when the DNS lookup does not
provide the name.


• For SNMP version 2, the file must include the following (with the
community string value inserted):

version: 2
community:

• For SNMP version 3, the file must include the following (with all the
values inserted):

version: 3
username:
authprotocol:
authpassword:
privprotocol:
privpassword:

Note: When SNMP is provided, the only information being fetched
via SNMP is the name of the devices.

3. Open a terminal and log in using the username "afa" and the related password.

4. Run the following command with any desired optional parameters:

map_completeness -i <internal_nets.txt> -e <external_IPs.txt>

For details, see Map completeness parameters.

5. The tool simulates the routes between each internal subnet and between each
internal subnet and external IP.

For example:

Running internal queries:
Simulating 950 paths of 8556 possible paths.
100% Processed
Running external queries:
Simulating 372 paths of 372 possible paths.
100% Processed
-------------------------------------

Where:

Summary                                    Description
Internal networks: 2                       Number of internal subnets in the input file.
External IPs: 2                            Number of external IPs in the input file.
Internal subnets in the map database: 93   Number of subnets in the current map that are
                                           included in the internal subnets in the input file.
3 Unique missing router addresses          Number of routers in the current map that are not
                                           defined in AFA.
294 Mismatches were found                  Number of paths that are complete in one direction,
                                           but not the other.
Map is 16.28% Complete                     The completeness score for the current map. This is
                                           the percentage of possible paths that are complete.

Note: Routes with NAT will be identified as mismatched even though they do
not indicate a hole in the map.

The two output files are created and given the names you specified in the command
parameters or the default names missing_routers.txt and routing_mismatches.txt.

The missing routers output file provides a list of devices to add to AFA. The file includes
the number of paths that are incomplete because of each missing device. The devices
are listed in descending priority, where devices that would complete more paths are
given higher priority. If the tool was not able to determine the name of a device using a
DNS lookup or SNMP, only the IP address appears.
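The following is an added example, not part of this guide or of the AlgoSec tool. It checks the internal-subnet and external-IP input files for the CIDR and one-per-line format required above, renders the SNMP credentials file, assembles the command line, and reproduces the path counts from the sample run; the path-count formula is an assumption inferred from that sample (93 mapped subnets give 93 × 92 = 8556 internal paths and 93 × 2 IPs × 2 directions = 372 external paths), not a documented AlgoSec algorithm.

```python
"""Sanity-check input files for the AFA map_completeness CLI tool.

Added example, not part of the AlgoSec guide or product. The formula in
possible_paths() is inferred from the guide's sample run and is an assumption.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample inputs, mirroring the examples in the guide.
SAMPLE_INTERNAL = "10.0.0.0/8\n192.168.0.0/16\n"
SAMPLE_EXTERNAL = "8.8.8.8\n82.102.187.174\n"


def parse_internal_subnets(text: str) -> List[ipaddress.IPv4Network]:
    """One CIDR per line, blank lines ignored; bare addresses and host bits rejected."""
    nets: List[ipaddress.IPv4Network] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if "/" not in line:
            raise ValueError(f"line {lineno}: {line!r} is not in CIDR format")
        try:
            # strict=True rejects e.g. 10.0.0.1/8, which is a host, not a subnet.
            nets.append(ipaddress.IPv4Network(line, strict=True))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return nets


def parse_external_ips(text: str) -> List[ipaddress.IPv4Address]:
    """One plain IPv4 address per line, blank lines ignored."""
    ips: List[ipaddress.IPv4Address] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            ips.append(ipaddress.IPv4Address(line))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return ips


def possible_paths(subnets_in_map: int, external_ips: int) -> Tuple[int, int]:
    """Internal and external paths the tool could simulate (inferred formula).

    Every ordered pair of mapped subnets is one internal path; every
    subnet/external-IP pair is counted in both directions.
    """
    internal = subnets_in_map * (subnets_in_map - 1)
    external = subnets_in_map * external_ips * 2
    return internal, external


def completeness_percent(complete: int, possible: int) -> float:
    """Completeness score as the guide defines it: complete paths / possible paths."""
    if possible <= 0:
        return 0.0
    return round(100.0 * complete / possible, 2)


def snmp_credentials(version: int, **fields: str) -> str:
    """Render the SNMP credentials file in the key: value layout the guide shows."""
    if version == 2:
        required = ("community",)
    elif version == 3:
        required = ("username", "authprotocol", "authpassword",
                    "privprotocol", "privpassword")
    else:
        raise ValueError("SNMP version must be 2 or 3")
    missing = [key for key in required if not fields.get(key)]
    if missing:
        raise ValueError(f"missing SNMP v{version} fields: {', '.join(missing)}")
    lines = [f"version: {version}"] + [f"{key}: {fields[key]}" for key in required]
    return "\n".join(lines) + "\n"


def build_command(internal_file: str, external_file: str,
                  snmp_file: Optional[str] = None,
                  max_queries: Optional[int] = None,
                  verbose: bool = False) -> List[str]:
    """Assemble the map_completeness argv from the parameters the guide lists."""
    cmd = ["map_completeness", "-i", internal_file, "-e", external_file]
    if snmp_file:
        cmd += ["-s", snmp_file]
    if max_queries is not None:
        cmd += ["-n", str(max_queries)]
    if verbose:
        cmd.append("-v")
    return cmd


if __name__ == "__main__":
    nets = parse_internal_subnets(SAMPLE_INTERNAL)
    ips = parse_external_ips(SAMPLE_EXTERNAL)
    print(f"{len(nets)} internal subnets, {len(ips)} external IPs")
    # 93 mapped subnets and 2 external IPs reproduce the guide's sample counts.
    print(possible_paths(93, len(ips)))  # (8556, 372)
    print(" ".join(build_command("internal_nets.txt", "external_IPs.txt")))
```

Store the rendered SNMP credentials file with owner-only permissions, since it carries the community string or SNMPv3 passwords.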

Map completeness parameters

Parameter                    Mandatory?  Description
-i <internal_nets.txt>       Yes         Passes the internal networks input file. The value
                                         is the relative path to the file.
-e <external_IPs.txt>        Yes         Passes the external IPs input file. The value is
                                         the relative path to the file.
-s <snmp_credentials.txt>    No          Passes the SNMP credentials input file. The value
                                         is the relative path to the file.
-r <missing_routers.txt>     No          Enables you to provide the name of the output file
                                         with the prioritized list of routers. By default,
                                         the file name will be missing_routers.txt.
-m <routing_mismatches.txt>  No          Enables you to provide the name of the output file
                                         with the routing mismatches. By default, the file
                                         name will be routing_mismatches.txt.
-n <max_queries>             No          Enables you to specify the maximum number of
                                         routes to simulate. The value is the maximum
                                         number of routes (where each route is simulated in
                                         both directions). The internal subnets are permitted
                                         this number of routes and the external IPs are
                                         permitted this number of routes (individually).
                                         The default value is 1000 routes. In other words,
                                         1000 for internal subnets and 1000 for external IPs,
                                         where each route is simulated in both directions.

                                         Note: This CLI tool does not simulate every
                                         possible route, but a sampling. This parameter
                                         specifies the size of the sample.
-v                           No          Enables verbose mode. The output files will contain
                                         additional information which may be useful for
                                         debugging. By default, verbose mode is disabled.
-p                           No          Specifies that the output files should be printed in
                                         human-readable format. The default is CSV format.
-h                           No          Prints help. Help will also print if the command is
                                         run with invalid syntax.


Troubleshoot traffic simulation queries
All traffic simulation queries in AFA are based on information provided by the graphic
network map. AFA enables you to use the map to view network issues and determine
how to improve traffic simulation query results.

If you ran a group device query and received unexpected results, you can troubleshoot
those results by providing the expected results. AFA will make a recommendation to
help you make the traffic traverse correctly.

Note: The traffic simulation query troubleshooting feature is for AFA administrators
only.

Note: This feature is not relevant for single device queries.

Do the following:

1. Run the group Traffic Simulation Query.

A new window opens displaying the traffic simulation results.


The path detected by the query appears on both the left side pane and the map.
The devices appear in the same order as the path detected in the query.

2. Click Expected a different path?.

The Troubleshooting Query Results wizard appears.

Note: If the query has more than one traffic line with unexpected results, you
can only troubleshoot one path at a time from one of those traffic lines.

3. If the query involves multiple traffic lines or a single traffic line with multiple
sources and/or multiple destinations, select the traffic line and click Next.

The Troubleshooting Query Results wizard appears.

4. Select the path you wish to troubleshoot and click Next.


5. Specify the expected path for the query. You can optionally add new devices,
change the order of the devices, and/or delete devices.

Note: You can only add devices to the path that are currently defined in AFA.

6. Click Find inconsistencies.

The new route is simulated.

If the query does not detect the expected path, the result appears displaying the
identified problems and suggested solutions.

7. Do one of the following:

For any of the following cases:                Do the following:
• Identified problem is an issue with a        a. Collect the relevant logs.
  device                                       b. Open a support case on the AlgoSec portal.
• Root cause could not be detected
• Too many paths were found

If there is a missing device                   a. Define the device in AFA.
                                               b. Run analysis on the device.
                                               c. Run the query again.

Note: If the identified problem is that the traffic is not routed in the network, no
troubleshooting can be performed.

Note: If there is no problem and the path is exactly as expected, no further
troubleshooting is needed.

Edit IP ranges in clouds
You can add or remove the automatically generated IP ranges in clouds. Once
implemented, any edits will remain for future map calculations. Additionally, you can
display a list of all current cloud edit entries and disable edits that are no longer
relevant.

Note: AFA supports adding or removing ranges from clouds, but not removing
clouds.

Do the following:

1. Open a terminal and log in using the username "afa" and the related password.

2. To add a range to a cloud, enter the following command:

fa_map -add CIDR -stub stub_router_IP [-comment comment]

where CIDR is the CIDR you want to include, stub_router_IP is the IP address of
the adjacent router, and comment is a comment for the cloud edit entry (in
quotation marks).

The comment parameter is optional.

Note: The input range must be in CIDR format.

The range is added to the cloud.

3. To remove a range from cloud(s), do one of the following:

Remove a range from all clouds except for specific clouds

Enter the following command:

fa_map -remove_from_all CIDR -except_stub stub_router_IP [-comment comment]

where CIDR is the CIDR you want to exclude, stub_router_IP is the IP address of
the adjacent router for which you want to keep the CIDR, and comment is a
comment for the cloud edit entry (in quotation marks).

You can use the -except_stub parameter multiple times to keep the CIDR in
multiple clouds, as in the following example:

fa_map -remove_from_all 10.0.10.0/24 -except_stub 192.168.1.20 -except_stub 10.155.102.250 -comment "10.0.10.0/24 is only behind 192.168.1.20 and 10.155.102.250"

Remove a range from a specific cloud

Enter the following command:

fa_map -remove CIDR -stub stub_router_IP [-comment comment]

where CIDR is the CIDR you want to exclude, stub_router_IP is the IP address of
the adjacent router, and comment is a comment for the cloud edit entry (in
quotation marks).

Note: The comment parameter is optional.

Note: The input range must be in CIDR format.

The range is removed from the cloud.

4. To display a list of all currently configured cloud edit entries, enter the following
command:

fa_map -list -stub stub_router_IP

where stub_router_IP is the IP address of the router for which you would like to
see all cloud edit entries.

Note: The stub parameter is optional. When a router is not specified, all entries
in the database are displayed.

The list of all cloud edit entries in the database is displayed.

5. To disable a cloud edit, enter the following command:

fa_map -del-entry CIDR -stub stub_router_IP -action exclude

where CIDR is the CIDR of the entry you want to delete and stub_router_IP is the
IP address of the router for the entry you want to delete.

Note: The input CIDR and router IP address must be exactly as they are in the
cloud edit entry. It is recommended to display the entries (see above) and verify
these inputs before running this command.


The following prompt appears:

Are you sure you want to delete entry [Y/n]

Press Enter.

The cloud is recalculated without the edit.
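The notes above state that fa_map accepts only CIDR input, and that a cloud edit entry can only be disabled later by repeating its CIDR and router IP exactly. The shell functions below are an added example, not AlgoSec code: is_strict_cidr checks that a range is a well-formed IPv4 network (four octets, prefix length 0 to 32, no host bits set), and add_range_to_cloud refuses to call fa_map -add until both the range and the stub router address pass. The FA_MAP variable is an assumption of this example (it is not an AFA setting) so the wrapper can be dry-run with echo on a machine without fa_map.

```shell
#!/bin/sh
# Added example, not AlgoSec code: check a range before handing it to fa_map,
# which accepts only CIDR input.  is_strict_cidr accepts a.b.c.d/n only when
# each octet is 0-255 with no leading zeros, n is 0-32, and every host bit is
# zero, so a slip such as 10.0.10.1/24 is rejected instead of becoming a
# cloud edit entry that later has to be found and deleted.
is_strict_cidr() {
    cidr=$1
    case "$cidr" in
        */*) ip=${cidr%/*}; prefix=${cidr#*/} ;;
        *)   return 1 ;;                             # no prefix length at all
    esac
    # prefix length: decimal digits only, no leading zero, at most 32
    case "$prefix" in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # exactly four dotted octets
    case "$ip" in *.*.*.*) ;; *) return 1 ;; esac
    rest=$ip
    o1=${rest%%.*}; rest=${rest#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}; o4=${rest#*.}
    case "$o4" in *.*) return 1 ;; esac              # more than three dots
    for o in "$o1" "$o2" "$o3" "$o4"; do
        case "$o" in ''|*[!0-9]*|0?*) return 1 ;; esac   # "0" ok, "01" not
        [ "$o" -le 255 ] || return 1
    done
    addr=$(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    fi
    # a network range has no host bits set
    [ $(( addr & ~mask & 0xFFFFFFFF )) -eq 0 ]
}

# Wrapper around "fa_map -add" that refuses malformed input.  fa_map exists
# only on the AFA server; FA_MAP (an assumption of this example, not an AFA
# setting) lets you point at a stand-in such as "echo" for a dry run.
add_range_to_cloud() {
    range=$1; stub=$2; comment=${3:-}
    if ! is_strict_cidr "$range"; then
        echo "refusing: '$range' is not a valid network in CIDR notation" >&2
        return 2
    fi
    if ! is_strict_cidr "$stub/32"; then
        echo "refusing: '$stub' is not a valid IPv4 stub router address" >&2
        return 2
    fi
    if [ -n "$comment" ]; then
        "${FA_MAP:-fa_map}" -add "$range" -stub "$stub" -comment "$comment"
    else
        "${FA_MAP:-fa_map}" -add "$range" -stub "$stub"
    fi
}
```

Run it as the afa user on the AFA server with, for example, add_range_to_cloud 10.0.10.0/24 192.168.1.20 "lab range"; with FA_MAP=echo exported first, the same call only prints the fa_map arguments it would have used.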

Remove devices
You can remove devices from the graphic network map. You can remove devices from
the current map calculation and/or from all future map calculations. If you only remove
the device from current map, the device will appear in the map again once a new report
is generated.

Note: A removed device will not appear in traffic simulation query results.

Do the following:

1. Open a terminal and log in using the username "afa" and the related password.

2. To remove devices from the current map, enter the following command:

fa_map -d DeviceID

where DeviceID is the name of the device you wish to remove from the current
graphic network map.

3. To cause devices to be omitted from all future map updates, do the following:

a. Open /home/afa/.fa/config.

b. On a new line, add the configuration item MAP_BLACK_LIST, and set the
configuration item's value to a semi-colon separated list of devices that you wish to
remove from the graphic network map.

For example, the following removes the devices rose_checkpoint and flower_asa
from the graphic network map, for all future maps.

MAP_BLACK_LIST=rose_checkpoint;flower_asa

c. Save the file.

Restore device interfaces


You can specify that certain device interfaces be ignored directly from the graphic
network map. The procedure below describes how to restore interfaces you ignored and
view a list of all ignored interfaces.

Do the following:

1. Open a terminal and log in using the username "afa" and the related password.

2. Enter the following command:

fa_map -restore_ignored_interface InterfaceName -n DeviceName

where InterfaceName is the name of the ignored interface you wish to restore, and
DeviceName is the name of the interface's device.

3. To view a list of all the ignored interfaces for a specific device, enter the following
command:

fa_map -list_ignored_interfaces -n DeviceName

where, DeviceName is the name of the interface's device.

4. To view a list of all the ignored interfaces for all devices, enter the following
command:

fa_map -list_ignored_interfaces


Specify routing data manually


Administrators can manually specify routing information for a device, instead of using
the automatically generated routing information that AFA compiles with each analysis.
For more information, see Specify routing data manually.

Do the following:

1. View the graphic network map.

The Map appears in the workspace.

2. Right-click the desired device, and select Routing Information.

The Routing Information dialog box appears, displaying the current URT file.

3. Select Static Routing Table (URT).

New fields appear.

4. Click the Download current URT file link or the Download Sample file link.

The file downloads to your computer.

5. Edit the file with the routing information you want to import.

For information about URT file syntax, see How to manually specify routing
information for Cisco Layer 2 devices in AlgoPedia.

6. Click Upload new file, and select the new URT file.

The file is validated and uploaded. If there is an error in syntax or content, an error
message appears.

7. Click OK.

The new routing table will take effect after the next device analysis.


Schedule analysis
This section describes how to schedule analyses for devices, groups, and matrices.

AFA can run multiple reports in parallel, and the maximum number of reports that can be
generated simultaneously depends on your AFA system configuration and power. In
order to change this value, contact AlgoSec support.

Note: If a manual report process is running on a specific device, the current
monitoring cycle for that device is skipped. AFA will attempt to run the next
monitoring cycle as scheduled. If a monitoring cycle is already running on a specific
device when a manual report is requested, AFA waits for the monitoring process to
complete before generating the report.

Note: It is recommended to only run 'All Firewalls' analyses at night, in order to avoid
a high strain on your system during normal operating hours.


Add and edit analysis jobs


To add or edit an analysis job:

1. In the toolbar, click your username.

A drop-down menu appears.

2. Select Administration.

The Administration page appears, displaying the Options tab.

3. Click the Scheduler tab.

The Scheduler tab appears.


4. Do one of the following:

l To schedule a new analysis job, in the Schedule Recurring Analysis area,
click New.

l To edit an existing analysis job, click on the Edit icon next to the desired job.

New fields appear.


5. In the Job name field, type a name for the job.

6. (Optional) To aggregate a group/matrix members' existing reports into a
group/matrix report (instead of generating new reports for each member and using
those reports to generate a group/matrix report), select the Base group reports on
existing device reports check box.

This field is relevant only when generating group reports and matrix reports.

7. To select a risk profile, select the Select risk profile check box, and select a risk
profile from the drop-down menu.

8. Select one of the following settings in the Run device analysis drop-down menu:


l Only if the policy/topology changed - if a policy is detected as unchanged
during a scheduled analysis, then AFA does not run a full report, but
instead creates an unchanged report that links to the last report for the policy.

l Always (slow) - AFA will always run a full analysis, regardless of whether
the policy has changed or not.

Note: Selecting this option will result in longer analysis time and requires more
disk space.

9. Specify the device, group, or matrix for which you want to schedule an automatic
analysis, by doing the following in the Select a device/group area:

a. Click Select device/group.

A tree of all the devices, groups, and matrices appears.

b. Choose the desired device, group, or matrix.

Note: When you select a "parent" tier device, all the devices beneath it are
automatically analyzed with each analysis.

c. Click OK.

10. In the Recurrence area, specify how often the analysis job should run.

You can select either a daily, weekly, monthly, quarterly, or yearly analysis, or
configure the analysis to occur when a policy is installed on the device(s).

Note: You can only select Upon policy install if real-time change monitoring is
enabled for this device.

The fields in the Recurrence Pattern area change according to your selection.

11. In the Recurrence Pattern area, configure the desired pattern of recurrence.

Note: If you want to see the scheduled job run during the current schedule
cycle, schedule your analysis at least five minutes later than the current time.

12. Click OK.

Delete scheduled jobs


Use this procedure to delete a scheduled analysis or dashboard email.

Do the following:

1. In the toolbar, click your username.

A drop-down menu appears.

2. Select Administration.

The Administration page appears, displaying the Options tab.

3. Click the Scheduler tab.

The Scheduler Setup tab appears with a list of scheduled analysis and
dashboard e-mail jobs.

4. Select the check box next to the desired job.

5. Click Delete.

A confirmation message appears.

6. Click Yes.

The job is deleted.


Configure real-time monitoring


AFA provides the option to monitor devices for changes in real-time (as opposed to
waiting for a full analysis).

This option must be activated for the ASMS environment and then enabled per device.
AFA will periodically check devices' policies for changes, and detected changes will be
displayed in the AFA Web interface.

Additionally, a syslog message will be logged in /var/log/messages.

Note: You can configure AFA to send e-mail notifications to selected users
whenever changes are detected. For more details, see Configure event-triggered
notifications.

Activate real-time monitoring


Note: In addition to activating real-time monitoring with this procedure, real-time
monitoring must be enabled on each device you want to monitor. When you add a
device to AFA, this is enabled by default. This option is controlled by the real-time
change monitoring check box in the Devices Setup page for each device.

Do the following:

1. In the toolbar, click your username.

A drop-down menu appears.

2. Select Administration.

The Administration page appears, displaying the Options tab.

3. Click the Monitoring tab.

The Monitoring page appears.


4. To activate real time monitoring for devices, do the following:

1. Select the Real-time device monitoring enabled option.

2. Set the Monitoring frequency to the interval of time in minutes at which AFA
should monitor devices.

5. To activate real-time monitoring for routing elements, do the following:

1. Select the Real-time Routing Elements monitoring enabled option.

2. Set the Routing Element monitoring frequency to the interval of time in
minutes at which AFA should monitor routing elements.

6. Click Apply.


AFA users and roles


This section describes the users, roles, permissions, and authentication supported in
AFA, and how AFA administrators can manage AFA users and roles.

AFA users and roles provide the basis for authentication across both AFA and FireFlow.

AFA authentication
ASMS supports authentication via an LDAP or RADIUS authentication server, Single
Sign On (SSO), or the local AFA database.

Configuring an authentication server or SSO provides additional functionality, such as
associating each AFA role with a specific LDAP group. In such cases, users are
automatically assigned roles according to their LDAP group membership.

Note: When an authentication server or SSO is configured, user credentials and
roles are managed on the external server. In such cases, any changes made directly
in AFA are overwritten the next time the user logs in.

For more details, see:

l Configure user authentication. Describes how to configure an authentication
server or SSO.

l Manage users and roles in AFA. Describes how to manage users and roles
directly in AFA.

AFA user types and permissions


AFA supports the following types of users:


Administrators: Can perform any task. For example, in addition to the tasks that
non-administrative users can perform, administrators can also:

l Manage other users
l Define and edit monitored devices
l Configure AFA general settings and preferences
l Schedule AFA analyses.

Non-administrator privileged users: Can run analyses, generate reports, view
policies and reports, view the network map and monitoring changes, and run
traffic simulation queries.

Each user is assigned one of the following access levels as part of their default
permission profile:

Standard Access: Enables users to view existing reports, run traffic simulation
queries, initiate new device analyses, and use the customization features such as
customizing the topology.

ReadOnly Access: Enables users to view existing reports and run traffic simulation
queries on these reports.

None: Prevents users from having any access at all to reports.

This access level is automatically applied to all devices that the user is
authorized to view; however, you can override the default access level on
a per-device basis. Permissions and access levels can additionally be
managed using AFA roles. All users assigned a role inherit the
permissions and access levels specified for the role.

For more details, see Manage users and roles in AFA.

Configure user authentication


This topic describes how to configure ASMS user authentication, including single sign-
on, authentication servers, and LDAP forests.

Best practice: Whenever possible, leverage LDAP/LDAPS for authentication. This
enables all ASMS users to log in easily, including change requestors, application
owners, auditors, and so on.

Configuring LDAP/LDAPS for ASMS also enables auto-provisioning, which means
that users are automatically created and assigned to their appropriate roles based on
their LDAP group membership, without any additional configuration.


Single Sign On (SSO) and ASMS


ASMS supports a SAML 2.0-based Single Sign On (SSO) solution, enabling you to
integrate user logins with your SSO Provider.

SSO solutions have the following elements:

A service provider (SP): In our case, AlgoSec is a service provider that provides ASMS.

An identity provider (IdP): In our case, your SSO Provider provides user identity
verification as the identity provider.

When SSO is enabled:

l ASMS directs users to authenticate against your SSO Provider as the IdP, and
then redirects the user back to ASMS.

l Users already logged in to the SSO Provider are directed directly to ASMS.

l The Logout button no longer appears in ASMS. Log out by logging out of your
SSO Provider only.

For more details, see:

l SSO Provider requirements

l Configure Single Sign On

Note: ASMS provides service provider metadata at the following URL:

https://<Algosec URL>/AFA/php/module.php/saml/sp/metadata.php/<SP Identifier>

SSO Provider requirements


As your IdP, your SSO Provider must be aware of the following ASMS services:

Assertion Consumer Service, or the Single Sign On URL: Informs the IdP where
ASMS redirects the user for Single Sign On (login) requests. Configured as:

https://<ASMS URL>/simplesaml/module.php/saml/sp/saml2-acs.php/<SP Identifier>

Single Logout Service: May not be required in all situations. Informs the IdP
where ASMS redirects the user for Single Sign Out (logout) requests. Configured as:

https://<ASMS URL>/simplesaml/module.php/saml/sp/saml2-logout.php/<SP Identifier>

The SSO Provider must inform ASMS about the user performing the authentication. The
following data is passed with the returned attributes, post-authentication:

Attribute, content, and example:

UID: Username. Example: laura

email: Email address. Example: [email protected]

displayName: Name displayed in the user interface. Example: Laura Sanchez

Tip: If your SSO Provider cannot be configured to provide the required data in this
format, configure a customized UID parser.


For details, see Configure a customized UID parser.

Configure Single Sign On


To configure Single Sign on in ASMS, do the following:

1. In the AFA Administration area, browse to the OPTIONS > Authentication tab.

2. Under User Authentication, select Single Sign On, and complete the following fields
as needed:

Service Provider identifier: The identifier of the AlgoSec SP. This identifier must
be unique, and it must be added to the list of known SPs in your identity provider's
configuration.

Identity Provider identifier: The identifier of your installed IdP.

IdP's Single Sign On service URL: The URL of the IdP's Login page.

IdP's Single Sign Out service URL: The URL of the IdP's Logout page.

3. Optional: To fetch user data, select the Fetch User Data checkbox and do one of the
following:

Fetch user data from an LDAP server

Do the following:

a. Select LDAP, and complete the fields as needed:

l LDAP Server Credentials fields

l Attribute Mapping fields

l Fields Mapping fields

l FireFlow specific fields


b. Click Test connectivity for the specific server to test connectivity. A message
informs you whether AFA connected to the server successfully.

c. To configure one or more secondary LDAP servers, select Use Secondary
Servers, and complete the additional fields as needed. For details, see LDAP
Server Credentials fields.

d. Continue with step 4.

LDAP Server Credentials fields

Server: Type the IP address of the LDAP server's host computer.

LDAP Version: Select the version of LDAP used on the LDAP server.

Port: Type the port number on the LDAP server's host computer.

Timeout: Use the arrow buttons to select the maximum amount of time in
seconds to wait for the LDAP server's reply.

Secure Connection: Select this option to secure connections with the LDAP server,
then choose the method to use for securing the connection: LDAPS or StartTLS.
The default method is LDAPS. The value of the Port field changes according to the
method selected.

Verify Server Certificate: Select this option to specify that AFA should check the
LDAP server's certificate against a locally stored certificate. AFA will only connect
to the LDAP server if the certificates are identical. The CA Certificate field appears.

CA Certificate: Select the locally stored certificate against which AFA should
compare the LDAP server's certificate. The certificate must be stored under
/home/afa/.fa/ca_certs in order to appear in the drop-down list.

Bind Type: Select the bind type to use:

l Simple. AFA sends the entered username and password to the
LDAP server. If the entered username exists in the LDAP
server, and the password matches the username, then the user
is logged in.
l Regular. AFA logs in to the LDAP server using a user DN and
password, and then checks the entered username and
password against the LDAP server. If the entered username
exists in the LDAP server, the password matches the
username, and any additional criteria are met, then the user is
logged in.
l Anonymous. AFA accesses the LDAP server anonymously,
and then checks the entered username and password against
the LDAP server. If the entered username exists in the LDAP
server, the password matches the username, and any
additional criteria are met, then the user is logged in.

If you chose Regular or Anonymous, additional fields appear.
The default value is Regular.

User DN: Type the user DN that AFA should use to log in to the LDAP server.
This field appears only for Regular bind type.

Password: Type the password that AFA should use to log in to the LDAP
server. This field appears only for Regular bind type.

Attribute Mapping fields

Name: Type the attribute that contains a user's name, in user objects in
the database. The default value is sAMAccountName.

Group Membership: Type the attribute that contains a user's groups, in user
objects in the database. The default value is member.

Fields Mapping fields

Associated Roles: Select this option to import user group information from the
LDAP server. Selecting this option enables assigning user roles via a specified
correspondence between LDAP groups and AFA, FireFlow, or AppViz roles.
To manage roles from within the AlgoSec Suite (not the LDAP), do not select
this option.

Full Name: Type the name of the LDAP server user field from which you want to
import data to the AlgoSec Firewall Analyzer and FireFlow Full Name field.

Email: Type the name of the LDAP server user field from which you want to
import data to the AlgoSec Firewall Analyzer and FireFlow Email field.

Notes: Type the name of the LDAP server user field from which you want to
import data to the AlgoSec Firewall Analyzer and FireFlow Notes field.

FireFlow specific fields

Organization: Type the name of the LDAP server user field from which you want
to import data to the FireFlow Organization field.

Address: Type the name of the LDAP server user field from which you want
to import data to the FireFlow Address field.

City: Type the name of the LDAP server user field from which you want
to import data to the FireFlow City field.

State: Type the name of the LDAP server user field from which you want
to import data to the FireFlow State field.

Zip Code: Type the name of the LDAP server user field from which you want
to import data to the FireFlow Zip Code field.

Country: Type the name of the LDAP server user field from which you want
to import data to the FireFlow Country field.

Home Phone: Type the name of the LDAP server user field from which you want
to import data to the FireFlow Home Phone field.

Work Phone: Type the name of the LDAP server user field from which you want
to import data to the FireFlow Work Phone field.

Mobile Phone: Type the name of the LDAP server user field from which you want
to import data to the FireFlow Mobile Phone field.

Pager: Type the name of the LDAP server user field from which you want
to import data to the FireFlow Pager field.

Fetch user data from the SSO Provider (the IdP)

Select IDP and complete the fields as needed. For details, see:

l Fields Mapping fields

l FireFlow specific fields

When complete, continue with step 4.

Fields Mapping fields

Full Name: Type the name of the LDAP server user field from which you want to
import data to the AlgoSec Firewall Analyzer and FireFlow Full Name field.

Email: Type the name of the LDAP server user field from which you want to
import data to the AlgoSec Firewall Analyzer and FireFlow Email field.

Notes: Type the name of the LDAP server user field from which you want to
import data to the AlgoSec Firewall Analyzer and FireFlow Notes field.

FireFlow specific fields

Organization: Type the name of the LDAP server user field from which you want
to import data to the FireFlow Organization field.

Address: Type the name of the LDAP server user field from which you want
to import data to the FireFlow Address field.

City: Type the name of the LDAP server user field from which you want
to import data to the FireFlow City field.

State: Type the name of the LDAP server user field from which you want
to import data to the FireFlow State field.

Zip Code: Type the name of the LDAP server user field from which you want
to import data to the FireFlow Zip Code field.

Country: Type the name of the LDAP server user field from which you want
to import data to the FireFlow Country field.

Home Phone: Type the name of the LDAP server user field from which you want
to import data to the FireFlow Home Phone field.

Work Phone: Type the name of the LDAP server user field from which you want
to import data to the FireFlow Work Phone field.

Mobile Phone: Type the name of the LDAP server user field from which you want
to import data to the FireFlow Mobile Phone field.

Pager: Type the name of the LDAP server user field from which you want
to import data to the FireFlow Pager field.

4. To set a default mail domain, select Default Mail Domain, and enter the URL.

When this option is configured, AFA automatically generates an email address for
users by attaching the specified email suffix to its username (when an email address
is not provided).

5. At the bottom of the page, click OK. Changes to user authentication settings
immediately take effect.

Optionally, do any of the following:

Encrypt communication between ASMS and your SSO Provider

If you must encrypt communication between ASMS and your IdP (the SSO Provider),
have the IdP create a certificate for ASMS to use. This is the default behavior for most
IdPs.

Do the following:


1. Open a terminal and log in as user afa.

2. Save the IdP's certificate in a Base-64 encoded PEM format to
/usr/share/fa/simplesaml/cert/.

Tip: The default filename is server.crt. We recommend that you use a different
filename, as this default file is overwritten during upgrades.

3. If you saved the file under a name other than server.crt, configure the name of the
IdP certificate file.

Do the following:

a. Navigate to the /home/afa/.fa/config configuration file, and open it for
editing.

b. Add the SSOSAML_IdP_Certificate parameter, and define its value as the
name of the IdP certificate file.

For example:

SSOSAML_IdP_Certificate=MyIdPCert.cr

Configure IdP-initiated, or unsolicited, SSO

By default, ASMS uses SP-initiated, or solicited, SSO, in which the SP signs the
Assertion Certificate passed between the two systems. This is the recommended
usage.

ASMS also supports IdP-initiated, or unsolicited, SSO, in which the IdP signs the
Assertion Certificate instead.

While in both scenarios users access ASMS using the ASMS URL, the method used
may affect parameter values in the system configuration.

Do the following:

1. In the AFA Administration area, navigate to the Options > Advanced
Configuration tab.

2. Add the following parameters and their values, one at a time:

SSOSAML_IdP_Unsolicited_SSO: Yes/No. Specifies whether to use the IdP method
first.

SSOSAML_IdP_Unsolicited_SSO_URL: The IdP's URL.

SSOSAML_IdP_Unsolicited_SSO_SP_ID_KEY: The parameter name for the SP unique
identifier.

For more details, see Advanced Configuration.

Configure a customized UID parser

Various IdPs have different response formats, and yours may not match the format
expected by ASMS.

If you cannot configure the response format to match what ASMS expects, define a
custom UID parser to translate the responses.

Do the following:

1. View the response format being sent to ASMS:

a. Switch to Debug mode.

b. Log in to ASMS again, and navigate to the public_html/algosec/.ht-fa-history
log file.

c. Search for the debug log and find the user attributes received, including the
object returned and its structure.

2. Create the custom UID parser as follows:

a. On the ASMS server, create the following new directory:

/usr/share/fa/php/site

b. Copy the original parser from /usr/share/fa/php/SampleUIDParser.php to
/usr/share/fa/php/site/<parser name>.php, giving it a meaningful name.

c. Open the /usr/share/fa/php/site/<parser name>.php file for editing, and
modify the file so that the parseUID function returns the value you expect.

By default the function returns "$userAttributes['UID'][0]".

d. Set the parser file's owner, group, and permissions to the following (owner
root, group apache, mode 640, so that only root can modify the file and only the
web server group can read it):

-rw-r----- root apache

3. Set PHP to include files from the /usr/share/fa/php/site/ directory. Do the
following:

a. Browse to and open the /etc/php.ini file for editing.

b. Change the PHP include path directive to include the new directory:

include_path = ".:/usr/share/fa/phplib:/usr/share/fa/php:/usr/share/fa/php/inc:/usr/share/fa/php/site"

c. Configure AFA to use the new UID parser. In the ~afa/.fa/config
configuration file, add the following attribute:

UID_PARSER_NAME=<parser name>

d. Restart Apache server. Run:

/etc/init.d/httpd restart

Force local authentication

ASMS enables users to log in directly to ASMS, without using SSO, even when SSO is
configured. For example, this may be helpful if your IdP is down, or if there are
configuration errors.

Note: Forcing local authentication uses direct ASMS logins, and requires that users
are defined locally in ASMS.

Do the following:

Navigate to ASMS, with the additional ForceLocalAuth=1 string added on to the end of
the URL.

For example: https://<Algosec Server>/algosec/suite/login.html?ForceLocalAuth=1

The local ASMS login page appears, and users can log in using ASMS credentials.

Troubleshoot SSO configuration

If an SSO error occurs, the browser displays an error page instead of ASMS.

Error messages often show as SimpleSAML_Error_Error errors, and contain a UUID
that can be used to locate the event in the .ht-fa-history log file. There, follow the
instructions indicated as ACTION REQUIRED.

Common errors include:

Time assertion failures, such as:

l [message:protected] => Received an assertion that is valid in the future.
Check clock synchronization on IdP and SP.

Check the clock configurations on the ASMS machine and the SSO Provider. Both
of these clocks must be synchronized, including timezone.

Lost sessions and STATE-related errors: Verify that the SSO Provider directs the
user to ASMS using the same hostname as accessed by the user.

[cause:SimpleSAML_Error_Exception:private] => SimpleSAML_Error_UnserializableException Object:
The message cannot be parsed. It may have been encrypted, and the SSO Provider
certificate not defined. Place the SSO Provider certificate in
/usr/share/fa/simplesaml/cert/, and define its name in the AFA configuration file.

[message:protected] => saml20-idp-remote/'Test': Could not find PEM encoded certificate in "/usr/share/fa/simplesaml/cert/server.crt".:
The certificate may have an incorrect format. Ensure that the certificate format is
PEM.

Users are able to connect from expired sessions: If a user is able to log in to ASMS
even after the ASMS session timeout period has passed, verify that the ASMS
timeout and the SSO Provider timeout are configured correctly. The ASMS session
timeout must be set to a time limit equal to or greater than the SSO Provider's
session timeout.
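Two of the errors above (the unserializable-message error and the "Could not find PEM encoded certificate" error) come back to the IdP certificate step described under "Encrypt communication between ASMS and your SSO Provider": the file must exist in /usr/share/fa/simplesaml/cert/, must be the file named by SSOSAML_IdP_Certificate in /home/afa/.fa/config (or server.crt when that parameter is absent), and must be Base-64 PEM rather than binary DER. The shell function below is an added example, not AlgoSec code, that checks those three conditions before you restart anything. Its two arguments (the config file and the cert directory) are parameters so it can be run against copies; point them at the real paths on the ASMS server.

```shell
#!/bin/sh
# Added example, not AlgoSec code: sanity-check the IdP certificate setup for
# SAML SSO.  Reads SSOSAML_IdP_Certificate from the AFA config (default
# server.crt when unset), confirms the named file exists in the simplesaml
# cert directory, and confirms it is a Base-64 PEM certificate rather than
# binary DER.  Real locations: /home/afa/.fa/config and
# /usr/share/fa/simplesaml/cert/ (both passed in as arguments here).
# Exit status: 0 ok, 1 file missing, 2 wrong format.
check_idp_cert() {
    config=$1; certdir=$2
    # last SSOSAML_IdP_Certificate= line wins; literal prefix match, no regex
    name=$(awk -v k=SSOSAML_IdP_Certificate \
        'index($0, k "=") == 1 { v = substr($0, length(k) + 2) } END { print v }' \
        "$config")
    [ -n "$name" ] || name=server.crt
    certfile=$certdir/$name
    if [ ! -f "$certfile" ]; then
        echo "MISSING: $certfile does not exist (config names '$name')"
        return 1
    fi
    if [ "$name" = server.crt ]; then
        echo "WARNING: default name server.crt is in use; it is overwritten during upgrades"
    fi
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$certfile" ||
       ! grep -q -e '-----END CERTIFICATE-----' "$certfile"; then
        echo "BAD FORMAT: $certfile has no PEM CERTIFICATE markers (binary DER?);" \
             "convert with: openssl x509 -inform DER -in <file> -out <file>.pem"
        return 2
    fi
    # the body between the markers must be Base-64 (CRLF line ends tolerated)
    if sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$certfile" |
       sed '1d;$d' | tr -d '\r' | grep -q '[^A-Za-z0-9+/=]'; then
        echo "BAD FORMAT: $certfile has non-Base-64 data between the PEM markers"
        return 2
    fi
    echo "OK: $certfile looks like a PEM certificate"
    return 0
}
```

On the ASMS server the call is check_idp_cert /home/afa/.fa/config /usr/share/fa/simplesaml/cert, run as the afa user; a WARNING line on the default name is informational, while a non-zero status points at the table entry to act on.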

Disable SSO configuration

If your SSO configuration behaves unexpectedly, you may want to disable it while you
troubleshoot the issues.

Do the following:

1. Log in to the ASMS server or Central Manager as user root.

2. Navigate to the /home/afa/.fa/config file, and open it for editing.

3. Set the Use_SSO value to no.

SSO is disabled. Log in to ASMS using a user defined in ASMS directly.
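Several procedures in this guide edit /home/afa/.fa/config by hand: MAP_BLACK_LIST (Remove devices), SSOSAML_IdP_Certificate (Encrypt communication between ASMS and your SSO Provider), UID_PARSER_NAME (Configure a customized UID parser) and Use_SSO (Disable SSO configuration). The shell functions below are an added example, not AlgoSec code, for making that KEY=VALUE edit safely: the setter takes a timestamped backup first and replaces any existing line for the key rather than appending a second copy, and the getter reads back the effective value. The file path is a parameter so the functions can be tried on a copy before touching the real file.

```shell
#!/bin/sh
# Added example, not AlgoSec code: idempotently set KEY=VALUE in a plain
# KEY=VALUE file such as /home/afa/.fa/config.  Guards against two hand-edit
# mistakes: a second MAP_BLACK_LIST= (or Use_SSO=) line left behind by an
# earlier edit, and a damaged file with no copy to fall back on.  Key
# comparison is a literal prefix match, not a regex.
set_config_value() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"   # keep a backup first
    tmp=$file.tmp.$$
    # keep every line that does not start with "KEY=", then append the new one
    awk -v k="$key" 'index($0, k "=") != 1' "$file" > "$tmp"
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# Print the effective value of KEY (the last KEY= line wins); empty if unset.
get_config_value() {
    awk -v k="$2" \
        'index($0, k "=") == 1 { v = substr($0, length(k) + 2) } END { print v }' \
        "$1"
}
```

For example, set_config_value /home/afa/.fa/config Use_SSO no as root, or set_config_value /home/afa/.fa/config MAP_BLACK_LIST 'rose_checkpoint;flower_asa' as afa; quoting the value keeps the shell from treating the semicolons as command separators.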

User authentication via authentication servers


The AlgoSec Security Management Suite (ASMS) supports authenticating users via an
authentication server in the following ways:


Local user database
    The AlgoSec Security Management Suite maintains a local user database that is composed of the usernames and passwords of users you have added. When a user attempts to log in, the AlgoSec Suite compares the entered username and password to the local user database. If the entered username exists in the database, and the password matches the username, then the user is logged in.

LDAP server
    If your company uses an LDAP (Lightweight Directory Access Protocol) server for authenticating network users (for example, Microsoft Active Directory), you can configure the AlgoSec Suite to authenticate users against the LDAP server. When a user attempts to log in (using the login credentials defined for them on the LDAP server), the AlgoSec Suite sends the entered username and password to the LDAP server. If the entered username exists in the LDAP server, and the password matches the username, then the user is logged in. The user will automatically be added to ASMS, allowing you to manage the user in the ASMS web interface.
    If desired, you can configure additional criteria for authentication. For example, you can specify that the LDAP server should only search certain parts of its database for the entered username and password, or that users must belong to a certain LDAP user group.
    The AlgoSec Suite additionally supports importing user data, such as permissions and roles, from an LDAP server. When this is configured, each user is automatically assigned roles based on their LDAP groups.

    Note: It is possible to use multiple LDAP servers to authenticate users.

    For more details, see Import user data from an LDAP server.


RADIUS server
    Some companies use a RADIUS (Remote Authentication Dial In User Service) server for authenticating network users. The AlgoSec Security Suite can be configured to use the corporate RADIUS server to authenticate users. When a user attempts to log in (using the login credentials defined on the RADIUS server), ASMS sends the entered username and password to the RADIUS server. If the entered username exists in the RADIUS database, and the password matches the username, then the user is logged in. The user will automatically be added to ASMS, allowing you to manage the user in the ASMS web interface.
    The AlgoSec Suite additionally supports importing data from an LDAP server for RADIUS authenticated users. See Import user data from an LDAP server.

    Note: Microsoft Active Directory can be configured as a RADIUS server. For information on configuring Active Directory, refer to Microsoft documentation.

By default, the AlgoSec Security Suite uses the local user database to authenticate
users. If you want to use a RADIUS server and/or an LDAP server in addition to local
authentication, you must configure the desired user authentication method using the
following procedure.

Note: When more than one user authentication method is enabled, you can choose
which method to use on a per-user basis.

If importing user data from an LDAP server is not configured, you must manually
define privileged users in AFA.

Configure user authentication via an authentication server


Do the following:

1. In the toolbar, click your username.

A drop-down menu appears.


2. Select Administration.

The Administration page appears, displaying the Options tab.

3. In the Options tab, click the Authentication sub-tab.

The Authentication page appears.

4. Choose Authentication Server.


Note: The Local check box is selected by default and cannot be cleared.

5. To enable user authentication using a corporate RADIUS server:

a. Select the RADIUS check box.

Radius Authentication fields appear.

b. Complete the fields as needed. If you selected the Use Secondary Servers
check box, additional fields appear.

For details, see RADIUS authentication fields.

6. To enable user authentication against an LDAP server:

a. Select the LDAP check box.

New fields appear.


b. Complete the fields using the information in LDAP Authentication Fields (see
LDAP authentication fields).

If you selected the Use Secondary Servers or Fetch user data from LDAP
check boxes, additional fields appear.

Continue completing the fields using the information in LDAP Authentication Fields (see LDAP authentication fields).

7. To test connectivity for a defined RADIUS or LDAP server, click Test connectivity for the specific server.

A message informs you whether AFA connected to the server successfully.

8. In the Default for new users area, choose the default authentication method for new
users.

Note: You can override the default authentication method to use on a per-user
basis.

9. To set a default mail domain, select Default Mail Domain, and type the URL.

When this option is configured, AFA automatically generates an email address for a user by attaching the specified email suffix to the username (when an email address is not provided).

10. Click OK.

Changes to user authentication settings immediately take effect.

RADIUS authentication fields

Server
    Type the IP address of the RADIUS server's host computer.

Secret key
    Type the secret key to use for authenticating to the RADIUS server.

Port
    Type the port number on the RADIUS server's host computer.

Timeout
    Use the arrow buttons to select the maximum amount of time in seconds to wait for the RADIUS server's reply.

Fetch user data from LDAP
    Select this option to fetch user data from an LDAP server.
    AFA will perform authentication (check passwords) against the defined RADIUS server, but will also access the specified LDAP server to obtain user information and optionally assign roles.
    Important: When this option is selected, you must additionally define the LDAP server and configure the import with the Fetch user data from LDAP check box.
    For more information, see Import user data from an LDAP server.

Use Secondary Servers
    Select this option to configure one or more secondary RADIUS servers. You must complete the fields in the Secondary Radius Servers area.

LDAP authentication fields

LDAP Server Credentials

Server
    Type the IP address of the LDAP server's host computer.

LDAP Version
    Select the version of LDAP used on the LDAP server.

Port
    Type the port number on the LDAP server's host computer.

Timeout
    Use the arrow buttons to select the maximum amount of time in seconds to wait for the LDAP server's reply.

Secure Connection
    Select this option to secure connections with the LDAP server, then choose the method to use for securing the connection: LDAPS or StartTLS.
    The default method is LDAPS.
    The value of the Port field changes according to the method selected.


Verify Server Certificate
    Select this option to specify that AFA should check the LDAP server's certificate against a locally stored certificate. AFA will only connect to the LDAP server if the certificates are identical.
    The CA Certificate field appears.

CA Certificate
    Select the locally stored certificate against which AFA should compare the LDAP server's certificate.
    The certificate must be stored under /home/afa/.fa/ca_certs in order to appear in the drop-down list.

Bind Type
    Select the bind type to use:
    • Simple. AFA sends the entered username and password to the LDAP server. If the entered username exists in the LDAP server, and the password matches the username, then the user is logged in.
    • Regular. AFA logs in to the LDAP server using a user DN and password, and then checks the entered username and password against the LDAP server. If the entered username exists in the LDAP server, the password matches the username, and any additional criteria are met, then the user is logged in.
    • Anonymous. AFA accesses the LDAP server anonymously, and then checks the entered username and password against the LDAP server. If the entered username exists in the LDAP server, the password matches the username, and any additional criteria are met, then the user is logged in.
    If you chose Regular or Anonymous, additional fields appear.
    The default value is Regular.

User DN
    Type the user DN that AFA should use to log in to the LDAP server.
    This field appears only for Regular bind type.

Password
    Type the password that AFA should use to log in to the LDAP server.
    This field appears only for Regular bind type.

Attribute Mapping


Name
    Type the attribute that contains a user's name, in user objects in the database.
    The default value is sAMAccountName.

Group Membership
    Type the attribute that contains a user's groups, in user objects in the database.
    The default value is member.

Permitted Users

Users Under Base DN
    Type the base DN.
    The base DN is the highest level in the LDAP tree where AFA should search. Any entries above this level will not be searched.

Members of Group DN
    Type the DN of the LDAP group that includes all users who may log in to AFA and FireFlow.
    This field is optional. When it is filled in, users who are not members of this LDAP group will not be allowed to log in to AFA or FireFlow, even if they are members of other LDAP groups mapped to AFA or FireFlow roles.

    Note: This LDAP group includes all FireFlow requestors. When this field is filled in, only users who are members of this group are allowed to submit requests to FireFlow.

Extra Filtering
    Type any additional criteria that users must meet in order to be authenticated.
    The default value is (objectClass=*).


Fetch user data from LDAP
    Select this option to import user data from the LDAP server upon each login. For example, when a user logs in, data such as the user's telephone number can be imported.
    You must complete the fields in the Fields Mapping area.

    Note: The default values for these fields are taken from Active Directory. If a different LDAP server is used, the names must be changed accordingly.
    Since data is imported only upon user login, the data stored for users who log in infrequently may be outdated.

Fields Mapping

Associated Roles
    Select this option to import user group information from the LDAP server. Selecting this option enables assigning user roles via a specified correspondence between LDAP groups and AFA, FireFlow, or AppViz roles.
    To manage roles from within the AlgoSec Suite (not the LDAP server), do not select this option.

Full Name
    Type the name of the LDAP server user field from which you want to import data to the AlgoSec Firewall Analyzer and FireFlow Full Name field.

Email
    Type the name of the LDAP server user field from which you want to import data to the AlgoSec Firewall Analyzer and FireFlow Email field.

Notes
    Type the name of the LDAP server user field from which you want to import data to the AlgoSec Firewall Analyzer and FireFlow Notes field.

FireFlow specific fields

Organization
    Type the name of the LDAP server user field from which you want to import data to the FireFlow Organization field.


Address
    Type the name of the LDAP server user field from which you want to import data to the FireFlow Address field.

City
    Type the name of the LDAP server user field from which you want to import data to the FireFlow City field.

State
    Type the name of the LDAP server user field from which you want to import data to the FireFlow State field.

Zip Code
    Type the name of the LDAP server user field from which you want to import data to the FireFlow Zip Code field.

Country
    Type the name of the LDAP server user field from which you want to import data to the FireFlow Country field.

Home Phone
    Type the name of the LDAP server user field from which you want to import data to the FireFlow Home Phone field.

Work Phone
    Type the name of the LDAP server user field from which you want to import data to the FireFlow Work Phone field.

Mobile Phone
    Type the name of the LDAP server user field from which you want to import data to the FireFlow Mobile Phone field.

Pager
    Type the name of the LDAP server user field from which you want to import data to the FireFlow Pager field.

Use Secondary Servers
    Select this option to configure one or more secondary LDAP servers. You must complete the fields in the Secondary LDAP Servers area. (See LDAP Server Credentials at the top of this table.)

Import user data from an LDAP server


Whether you are authenticating users with an LDAP or RADIUS authentication server,
you can configure ASMS to import user data from an LDAP server. Upon each login,
ASMS will fetch the user's full name and email address, as well as roles and inherited
permissions. All of this information will be updated for the users on the AlgoSec server.


Note: This procedure is only relevant when authenticating with an LDAP or RADIUS authentication server. If you want to fetch data from an LDAP server, but authenticate with SSO, see Configure user authentication.

Note: If the system is configured to import user information from an LDAP server,
changes to user settings must be made only on the LDAP server (changes made in
the AlgoSec Suite may be overridden the next time the user logs in).

Note: The data stored for users who log in infrequently may be outdated. Each
user's information is fetched and updated upon login; in addition to name and
email, this includes the list of roles the user is assigned, the list of permissions the
user inherits, and the list of users assigned the fetched roles.

Do the following:

1. Configure LDAP or RADIUS user authentication. For details, see User authentication
via authentication servers.

• When authenticating with an LDAP server, select the Fetch user data from LDAP check box and complete the fields in the Fields Mapping area.

• When authenticating with a RADIUS server, do the following:

a. Select the Fetch user data from LDAP check box in the RADIUS
Authentication fields area.

b. Additionally define the LDAP server, select the Fetch user data from LDAP check box, and complete the fields in the Fields Mapping area.

Note: Many fields in FireFlow appear as options for mapping data.

2. Click OK.

3. If you selected the Associated Roles option, indicate a correspondence between LDAP groups and AlgoSec Suite roles by doing the following:

4. Add/Edit the user role you want to link with an LDAP group. For details, see Manage
users and roles in AFA.

5. Type the LDAP group name that you want to link with the role in the Role LDAP DN
field.

When users log in that are members of this LDAP group, they will automatically be
granted the role.

Configure an LDAP forest


If you have multiple LDAP servers with different users defined on each one, you can
configure an LDAP forest consisting of these servers. AFA and FireFlow will
authenticate LDAP users against the correct LDAP server.

Complete this procedure for each LDAP server you want to include in the forest.

Do the following:

1. Choose a number to represent the LDAP server.

Number 1 represents the primary LDAP server, and numbers 2 and 3 represent
possible backup servers. If you do not want those servers to be included in the forest,
choose a number higher than 3.

2. In the toolbar, click your username.

A drop-down menu appears.

3. Select Administration.

The Administration page appears, displaying the Options tab.

4. In the Options tab, click the Advanced Configuration sub-tab.

The Advanced Configuration page appears.


5. Add the parameters specified in LDAP Parameters (see LDAP parameters), one at a
time, by doing the following:

a. Click Add.

The Add New Configuration Parameter dialog box appears.

b. In the Name field, type ParamNumber.

Where:

• Param is the parameter name.

• Number is the server number selected in the previous step.

For example, to specify the port number of LDAP server number 4, type LDAP_Port4.

c. In the Value field, type the parameter's value.

d. Click OK.


e. Repeat the above steps for each parameter.

f. Click OK.

LDAP parameters

LDAP_Port
    The port number on the LDAP server's host computer.
    This parameter is mandatory.

LDAP_Timeout
    The maximum amount of time in seconds to wait for the LDAP server's reply.
    This parameter is mandatory.

LDAP_Version
    The version of LDAP used on the LDAP server.
    This parameter is mandatory.

Ldap_Secured_Authentication_Method
    The method to use for securing connections with the LDAP server. This can have the following values:
    • ldaps
    • starttls
    This parameter is mandatory.

LDAP_Server
    The IP address of the LDAP server's host computer.
    This parameter is mandatory.

LDAP_UseSecured
    Indicates whether to secure connections with the LDAP server. This can have the following values:
    • yes
    • no
    This parameter is mandatory.


LDAP_VerifyCert
    Indicates whether AFA should check the LDAP server's certificate against a locally stored certificate. AFA will only connect to the LDAP server if the certificates are identical.
    This can have the following values:
    • yes
    • no
    This parameter is mandatory.

LDAP_Certificate
    The locally stored certificate against which AFA should compare the LDAP server's certificate.
    The certificate must be stored under /home/afa/.fa/ca_certs.
    This parameter is mandatory.

LDAP_Domain
    The LDAP server's domain name.
    This parameter is mandatory.

LDAP_Username
    The user DN that AFA should use to log in to the LDAP server.
    This parameter is optional.

LDAP_Password
    The password that AFA should use to log in to the LDAP server.
    This parameter is optional.


LDAP_Bind_Type
    The bind type to use. This can have the following values:
    • Simple. AFA sends the entered username and password to the LDAP server. If the entered username exists in the LDAP server, and the password matches the username, then the user is logged in.
    • Regular. AFA logs in to the LDAP server using a user DN and password, and then checks the entered username and password against the LDAP server. If the entered username exists in the LDAP server, the password matches the username, and any additional criteria are met, then the user is logged in.
    • Anonymous. AFA accesses the LDAP server anonymously, and then checks the entered username and password against the LDAP server. If the entered username exists in the LDAP server, the password matches the username, and any additional criteria are met, then the user is logged in.
    This parameter is optional.

LDAP_BaseDN
    The base DN.
    This parameter is optional.

LDAP_ExtraFiltering
    Any additional criteria that users must meet in order to be authenticated.
    The default value is (objectClass=*).
    This parameter is optional.

LDAP_NameAttr
    The attribute that contains a user's name, in user objects in the database.
    This parameter is optional.

LDAP_MemberAttr
    The attribute that contains a user's groups, in user objects in the database.
    This parameter is optional.


LDAP_GroupDN
    The DN of the user group to which users must belong in order to be authenticated.
    This parameter is optional.

LDAP_AttrEmail
    The name of the LDAP server user field from which you want to import data to the AFA and FireFlow Email field.
    This parameter is optional.

LDAP_AttrFullName
    The name of the LDAP server user field from which you want to import data to the AFA and FireFlow Full Name field.
    This parameter is optional.

LDAP_AttrNotes
    The name of the LDAP server user field from which you want to import data to the AFA and FireFlow Notes field.
    This parameter is optional.

LDAP_AttrOrganization
    The name of the LDAP server user field from which you want to import data to the FireFlow Organization field.
    This parameter is optional.

LDAP_AttrAddress1
    The name of the LDAP server user field from which you want to import data to the FireFlow Address field.
    This parameter is optional.

LDAP_AttrCity
    The name of the LDAP server user field from which you want to import data to the FireFlow City field.
    This parameter is optional.

LDAP_AttrState
    The name of the LDAP server user field from which you want to import data to the FireFlow State field.
    This parameter is optional.

LDAP_AttrZip
    The name of the LDAP server user field from which you want to import data to the FireFlow Zip Code field.
    This parameter is optional.


LDAP_AttrCountry
    The name of the LDAP server user field from which you want to import data to the FireFlow Country field.
    This parameter is optional.

LDAP_AttrHomePhone
    The name of the LDAP server user field from which you want to import data to the FireFlow Home Phone field.
    This parameter is optional.

LDAP_AttrWorkPhone
    The name of the LDAP server user field from which you want to import data to the FireFlow Work Phone field.
    This parameter is optional.

LDAP_AttrMobilePhone
    The name of the LDAP server user field from which you want to import data to the FireFlow Mobile Phone field.
    This parameter is optional.

LDAP_AttrPagerPhone
    The name of the LDAP server user field from which you want to import data to the FireFlow Pager field.
    This parameter is optional.

LDAP_AttrCustom
    The name of a custom FireFlow attribute.
    This parameter is optional.

LDAP forest example
In the following example, LDAP server 4 is added to the forest:

LDAP_Port4=349
LDAP_Timeout4=120
LDAP_Version4=3
Ldap_Secured_Authentication_Method4=LDAPS
LDAP_Server4=192.164.2.43
LDAP_UseSecured4=no
LDAP_VerifyCert4=no
LDAP_Certificate4=Algosec_CA.pem
LDAP_Domain4=ldomain4
LDAP_Username4=CN=Bob,OU=Algosec,DC=algosec,DC=local
LDAP_Password4=$FOQABRER$27:A3:BD:F2:90:C7:21:5A:3A:F4:F4:AB:R8:20:6F:25
LDAP_Bind_Type4=Regular
LDAP_BaseDN4=dc=algosec,dc=local
LDAP_ExtraFiltering4=(objectClass=*)
LDAP_NameAttr4=sAMAccountName
LDAP_MemberAttr4=memberOf
LDAP_GroupDN4=
LDAP_AttrEmail4=mail
LDAP_AttrFullName4=displayName
LDAP_AttrNotes4=description
LDAP_AttrOrganization4=company
LDAP_AttrAddress14=streetAddress
LDAP_AttrCity4=l
LDAP_AttrState4=st
LDAP_AttrZip4=postalCode
LDAP_AttrCountry4=co
LDAP_AttrHomePhone4=homePhone
LDAP_AttrWorkPhone4=telephoneNumber
LDAP_AttrMobilePhone4=mobile
LDAP_AttrPagerPhone4=pager
LDAP_AttrCustom4=group,primaryGroupID;allowDial,msNPAllowDialin;mark,department
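A validator for a forest parameter block like the one above, as an added example that is not AlgoSec code: it parses Param<Number>=Value lines, checks the mandatory parameters from the LDAP parameters table for each server number, and flags settings that weaken authentication (cleartext LDAP, an unverified server certificate). The sample block is constructed from the example above with a placeholder password; split_param, parse_forest, check_server and validate_forest are this example's own helpers.

```python
from collections import defaultdict

# Parameter names from the LDAP parameters table, split by whether the guide
# marks them mandatory or optional.
MANDATORY = ("LDAP_Port", "LDAP_Timeout", "LDAP_Version",
             "Ldap_Secured_Authentication_Method", "LDAP_Server",
             "LDAP_UseSecured", "LDAP_VerifyCert", "LDAP_Certificate", "LDAP_Domain")
OPTIONAL = ("LDAP_Username", "LDAP_Password", "LDAP_Bind_Type", "LDAP_BaseDN",
            "LDAP_ExtraFiltering", "LDAP_NameAttr", "LDAP_MemberAttr", "LDAP_GroupDN",
            "LDAP_AttrEmail", "LDAP_AttrFullName", "LDAP_AttrNotes",
            "LDAP_AttrOrganization", "LDAP_AttrAddress1", "LDAP_AttrCity",
            "LDAP_AttrState", "LDAP_AttrZip", "LDAP_AttrCountry", "LDAP_AttrHomePhone",
            "LDAP_AttrWorkPhone", "LDAP_AttrMobilePhone", "LDAP_AttrPagerPhone",
            "LDAP_AttrCustom")
# Longest names first, so LDAP_AttrAddress14 resolves to LDAP_AttrAddress1 on server 4.
KNOWN = sorted(MANDATORY + OPTIONAL, key=len, reverse=True)

# Constructed sample modelled on the guide's forest example for server 4.
# The password is a placeholder, not a real or encrypted value.
SAMPLE_FOREST = """\
LDAP_Port4=349
LDAP_Timeout4=120
LDAP_Version4=3
Ldap_Secured_Authentication_Method4=LDAPS
LDAP_Server4=192.164.2.43
LDAP_UseSecured4=no
LDAP_VerifyCert4=no
LDAP_Certificate4=Algosec_CA.pem
LDAP_Domain4=ldomain4
LDAP_Username4=CN=Bob,OU=Algosec,DC=algosec,DC=local
LDAP_Password4=PLACEHOLDER_PASSWORD
LDAP_Bind_Type4=Regular
LDAP_BaseDN4=dc=algosec,dc=local
LDAP_AttrAddress14=streetAddress
"""


def split_param(key):
    """Split 'LDAP_Port4' into ('LDAP_Port', 4); unknown names give (None, None)."""
    for name in KNOWN:
        suffix = key[len(name):]
        if key.startswith(name) and suffix.isdigit():
            return name, int(suffix)
    return None, None


def parse_forest(text):
    """Group Param<Number>=Value lines by server number: ({number: {name: value}}, errors)."""
    servers, errors = defaultdict(dict), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            errors.append(f"not a Param=Value line: {line!r}")
            continue
        key, value = line.split("=", 1)  # split once: a bind DN value itself contains '='
        name, number = split_param(key.strip())
        if name is None:
            errors.append(f"unknown parameter or missing server number: {key.strip()!r}")
            continue
        servers[number][name] = value.strip()
    return dict(servers), errors


def check_server(number, p):
    """Return (errors, warnings) for one server's parameter dictionary."""
    errors, warnings = [], []
    tag = f"server {number}"
    for name in MANDATORY:
        if name not in p:
            errors.append(f"{tag}: mandatory parameter {name}{number} is missing")
    if number <= 3:
        warnings.append(f"{tag}: numbers 1-3 are the primary and backup servers; "
                        "choose a number above 3 for a forest-only server")
    secured = p.get("LDAP_UseSecured", "").lower()
    if "LDAP_UseSecured" in p and secured not in ("yes", "no"):
        errors.append(f"{tag}: LDAP_UseSecured must be yes or no")
    method = p.get("Ldap_Secured_Authentication_Method", "").lower()
    if "Ldap_Secured_Authentication_Method" in p and method not in ("ldaps", "starttls"):
        errors.append(f"{tag}: Ldap_Secured_Authentication_Method must be ldaps or starttls")
    # Valid values that still weaken authentication are reported as warnings.
    if secured == "no":
        warnings.append(f"{tag}: LDAP_UseSecured=no, so user passwords and the bind "
                        "password cross the network in cleartext")
    elif p.get("LDAP_VerifyCert", "").lower() == "no":
        warnings.append(f"{tag}: LDAP_VerifyCert=no, so the LDAP server certificate is "
                        "never compared with the stored CA certificate")
    if p.get("LDAP_Bind_Type") == "Regular" and not (
            p.get("LDAP_Username") and p.get("LDAP_Password")):
        errors.append(f"{tag}: Regular bind needs LDAP_Username and LDAP_Password")
    return errors, warnings


def validate_forest(text):
    """Parse and check a whole forest block; returns {'errors': [...], 'warnings': [...]}."""
    servers, errors = parse_forest(text)
    warnings = []
    for number in sorted(servers):
        server_errors, server_warnings = check_server(number, servers[number])
        errors.extend(server_errors)
        warnings.extend(server_warnings)
    return {"errors": errors, "warnings": warnings}
```

Run validate_forest over the block before pasting its lines into Advanced Configuration one parameter at a time; a mistyped name (for example a missing leading letter) shows up as an unknown-parameter error instead of being silently ignored.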

Log in when an LDAP forest is configured


Do the following:

1. In the AFA or FireFlow Login page, type the following in the Username field:

LdapDomain\userName

Where:


• LdapDomain is the domain name of the LDAP server on which the user is defined.

• userName is the user's LDAP username.

For example, if Bob is defined on an LDAP server whose domain name is Ldomain4,
then he must type "Ldomain4\Bob" in the Username field.

2. In the Password field, type your LDAP password.

3. Click Login.

Note: The backup servers are not consulted if AFA/FireFlow does not locate the user in the specified LDAP domain.

Manage users and roles in AFA


This topic describes how to manage AFA users and roles in the AFA Administration
area.

Note: If you have an authentication server or SSO configured, user credentials must be managed on your external server. If your user roles are assigned based on LDAP group membership, roles must be managed on the LDAP server. In these cases, any changes made directly in AFA are overwritten the next time the user logs in. For more details, see Configure user authentication.

Tip: AFA users and roles provide the basis for authentication across both AFA and
FireFlow. If you are an AFA administrator, but not a FireFlow administrator, you can
also access FireFlow role and user management via the AFA Administration area.

Add or edit users


This procedure describes how to add and edit AFA users directly in the AFA database.

Tip: Alternately, manage users via an authentication server or SSO, or import users via a CSV file. For details, see Configure user authentication or Import users via CSV.

Do the following:

1. Click your username at the top-right to access the AFA Administration area.

2. Click the USERS/ROLES tab to display the user and role tables. For example:

3. To add a new user, click the New button below the user table. To edit an existing
user, click the edit button at the right side of the row you want to edit.

In the user form that appears, select and enter values as needed:

User details

Username
    Enter a username for the user.
    Usernames can contain any alpha-numeric character and the following special characters: "@", "_", ".", or "-". See ASMS username and password requirements.


Full name
    Enter the user's full name.

E-Mail
    Enter the user's e-mail address.

Notes
    Enter any notes about the user.

Authentication
    Select how to authenticate this user:
    • Local. Authenticate the user against the local ASMS user database.
    • RADIUS. Authenticate the user against a RADIUS server.
    • LDAP. Authenticate the user against an LDAP server.
    For more details, see Configure user authentication.

Landing Page
    Select Firewall Analyzer or FireFlow. Select Automatic to use the default landing page for the selected role.
    For more details, see Default landing pages per role.

Password

New password
    Enter a password for the user.
    Passwords can contain any alpha-numeric character or any special character, excluding back ticks (`). See ASMS username and password requirements.

Confirm password
    Re-enter the password you entered in the New password field.

General Permissions

Select any of the following options for this user:

Administrator
    Make the user an administrator.

FireFlow Administrator
    Make the user a FireFlow configuration administrator.

Allow FireFlow Advanced Configuration
    This enables the user to perform advanced configuration tasks in FireFlow.


Enable Analysis from file
    Allow the user to perform analyses from configuration files.

Enable Trusted Traffic -> global
    Allow the user to view trusted traffic.

Roles

Select the user roles to assign to the user. The user is automatically granted
permissions specified in the assigned roles.

Tip: If you assign additional permissions to this user, the user will have both the
permissions inherited from their roles, as well as additional permissions assigned
to the user.

Email Notifications

Define the scenarios in which this user receives notifications from AFA:

Changes in risks
    The user is notified for each change detected in risks.

Changes in policy
    The user is notified for each change detected in policies.

Every group report
    The user is notified for each group report generated.

Every report
    The user is notified for each report generated.

Every configuration change
    The user is notified for each configuration change detected.


Rules and VPN Users about to expire
    The user is notified when device rules and/or VPN users are about to expire.

    Tip: To configure the number of days before rule or VPN user expiration that AFA should send a notification, complete the Days before expiration alerts field in the General sub-tab of the Options tab in the Administration area. For details, see Define AFA preferences.

Error messages
    The user receives error messages from AFA, such as for low disk space and license expiration.
    This option is relevant for administrators only.

Changes in customization
    The user is notified for each customization change detected, such as for topology, trusted traffic, and risk profile customizations.
    This option is relevant for administrators only.

Hide change details
    User notification emails include only device names and a link to the AFA. Specific details about new reports and change alerts are omitted from emails to this user.

    Tip: Alternately, hide change details for all user notifications. For details, see the hide_change_details parameter.

Authorized Views and Actions

Select the items this user can view or perform as follows:

Report
    Select the report pages/information that the user can view. Select Full Report to indicate that the user can view all report information.
    Pages that are not selected will be inaccessible to the user.

    Note: A user can only be given access to Configuration and Logs information if they have access to the Explore Policy page.


Home Views
    Select the Home page elements that the user can view. Select All Home Views to indicate that the user can view all Home page elements.
    Pages that are not selected will be inaccessible to the user.

Reporting Tool
    Select this option to allow the user to access the AlgoSec Reporting Tool (ART).

    Note: Non-administration users that open the Reporting Tool will only see data relevant to the user's allowed firewalls.

Actions
    Select the actions that the user can perform in AFA. Select All Actions to indicate that the user can perform all actions.
    Controls used to perform actions that are not selected will be disabled.

Authorized Devices

Select the user's default access level to devices. Do the following:

a. Select a default permission profile to determine the permission level for the
selected devices.

b. Click Select devices... to select the devices you want to apply the selected permission level to.

The device tree appears.

c. Select the checkboxes next to each relevant device and click OK.

A table appears with your selected devices and permissions.

For example:


If needed, do either of the following:

• Select a different option from the Permission profile dropdown to change the profile for a specific device.

• Clear or re-select the Notification checkbox to change notification settings for a specific device.

7. Click OK to save your changes.

Default landing pages per role


ASMS is configured with specific landing pages per user or role. Change this default to
display a different page as needed.

• Landing pages configured for specific users override any configuration for a user's role.

• Users with multiple roles, with different landing pages for each role, will see the landing page with the highest priority.

Landing pages are prioritized for FireFlow first, and then AFA.

If no landing page is defined for the user, or any of the user's roles, landing pages are
defined as follows:

Permissions                       Landing page

Administrators                    AlgoSec Firewall Analyzer

AFA Users                         First FireFlow, if licensed and activated, and then AFA.

Requestors (unprivileged users)   AlgoSec Firewall Analyzer

Add and edit user roles


This procedure describes how to add and edit user roles.

Tip: If you have an LDAP server configured, associate AFA user roles with specific
LDAP user groups to have each user in the group automatically inherit the AFA role.

Do the following:

1. Click your username at the top-right to access the AFA Administration area.

2. Click the USERS/ROLES tab to display the user and role tables. For example:

3. To add a new role, click the New button under the role table. To edit an existing role,
click the edit button in the row for the role you want to edit.

In the role form that appears, select and enter values as needed:

Role details

Role name: Enter a name for the role.

Role description: Enter a description of the role.

Role LDAP DN: Enter the DN of the LDAP group that corresponds to this role. When users who are members of this LDAP group log in, they will automatically be granted this role. For example: cn=network_users,ou=organization,o=mycompany,c=us

    Note: This field is enabled only if you have AFA configured to fetch user data from an LDAP server. To enable this field, select the Fetch user data from LDAP option on the OPTIONS > Authentication tab in the AFA Administration area. For details, see Import user data from an LDAP server.

Landing Page: Select Firewall Analyzer or FireFlow. Select Automatic to use the default landing page for the selected role. For more details, see Default landing pages per role.

General Permissions

Administrator: Make all users with this role administrators.

FireFlow Administrator - Allow FireFlow Advanced Configuration: Make all users with this role FireFlow configuration administrators. This enables these users to perform advanced configuration tasks in FireFlow.

Enable Analysis from file: Allow all users with this role to perform analyses from configuration files.

Enable Trusted Traffic -> global: Allow all users with this role to view and edit trusted traffic settings.

Authorized Views and Actions

Report: Select the report pages that users with this role can view.
    • Select Full Report to indicate that users with this role can view all report pages.
    • Pages that are not selected will be inaccessible to users with this role.

Home Views: Select the Home page elements that users with this role can view.
    • Select All Home Views to indicate that users with this role can view all Home page elements.
    • Pages that are not selected will be inaccessible to users with this role.

Actions: Select the actions that users with this role can perform in AFA.
    • Select All Actions to indicate that users with this role can perform all actions.
    • Controls used to perform actions that are not selected will be disabled.

Authorized Devices

Select the default device access provided to all users with this role. Do the following:

a. Select a default permission profile to determine the permission level for the
selected devices.

b. Click Select devices... to select the devices you want to apply the selected
permission level to.

The device tree appears.

c. Select the checkboxes next to each relevant device and click OK.

A table appears with your selected devices and permissions.


For example:

If needed, do either of the following:

• Select a different option from the Permission profile dropdown to change the profile for a specific device.

• Clear or re-select the Notification checkbox to change notification settings for a specific device.

4. Click OK to save your changes.

Delete AFA users or roles


This procedure describes how to delete users from the local AFA database, or delete
user roles.

Tip: Alternately, manage users via an authentication server or SSO. For details, see
Configure user authentication.

Do the following:

1. Click your username at the top-right to access the AFA Administration area.

2. Click the USERS/ROLES tab to display the user and role tables. For example:


3. Select the check box next to the user or role you want to delete, and click Delete.

4. In the confirmation message that appears, click OK.

The selected user or role is deleted from AFA.

ASMS username and password requirements


ASMS user names can contain any alpha-numeric character and the following special
characters:

• @ (at symbol)

• _ (underscore)

• . (period)

• - (hyphen)

• / (forward slash)

ASMS passwords can contain any alpha-numeric character or any special character, except for back-ticks (`).


Use the following regular expressions to confirm that your usernames and passwords
meet ASMS requirements:

Value                                    Regular Expression

Username or username with LDAP domain    ^[a-zA-Z0-9@_.\/-]*$

Password                                 ^[a-zA-Z0-9\x20-\x5F\x7B-\x7E]*$

Note: In the username expression, the hyphen must be the last character of the character class (or be escaped). If it is written between . and / it forms the range .-/, which does not include the hyphen itself, and usernames containing a hyphen are rejected. The password expression permits every printable ASCII character except the back-tick (\x60).

Import users via CSV


You can import multiple local users into ASMS from a CSV file. This allows you to
onboard large numbers of users without manually configuring each of them.

Prepare a users CSV file


Do the following:

1. Open a new text file.

2. In the first line of the file, type a list of column headers.

For a list of supported headers, refer to the following table. The headers must be
separated by commas.

3. For each user you want to import, type a new line containing values that correspond
to the column headers.

Refer to the following table for information about each header's possible values. The
values must be separated by commas. If no value is specified, the default is used.

For example:

    username,password,fullname,email,note,policy_change,administrator,authentication_type,default_fw_profile,firewalls
    JohnS,JohnSPass,John Smith,[email protected],customersupport,yes,yes,,readonly,(ECZ_ASA1;yes;Standard)(ISG1000_root:trust-vr;yes;Standard)
    JaneB,,Jane Brown,[email protected],sales,no,no,ldap

4. Save the file.


Supported column headers

username
    Description: The username to assign the user. This header is mandatory.
    Possible values: Any.

fullname
    Description: The user's full name. This header is mandatory.
    Possible values: Any.

email
    Description: The user's email address. This header is mandatory.
    Possible values: An email address in standard email address format.

note
    Description: Notes about the user.
    Possible values: Any.

password
    Description: The password to assign the user.
    Possible values: Any.

policy_change
    Description: Indicates whether the AFA system should send notifications to the user when changes are made to policies.
    Possible values: yes / no (Default)

group_changes
    Description: Indicates whether the AFA system should send notifications to the user when a group report is generated.
    Possible values: yes / no (Default)

all_changes
    Description: Indicates whether the AFA system should send notifications to the user when a report is generated.
    Possible values: yes / no (Default)

configuration_changes
    Description: Indicates whether the AFA system should send notifications to the user when configuration changes are made.
    Possible values: yes / no (Default)

object_expirations
    Description: Indicates whether the AFA system should send notifications to the user when device rules and/or VPN users are about to expire.
    Possible values: yes / no (Default)

error
    Description: Indicates whether the AFA system should send error messages to the user. These include low disk space and license expiration warnings. This header is only relevant for administrators.
    Possible values: yes / no (Default)

customizations
    Description: Indicates whether the AFA system should send notifications to the user when customization changes are made. These include notifications about topology, trusted traffic, and risk profile customizations. This header is only relevant for administrators.
    Possible values: yes / no (Default)

authentication_type
    Description: The type of authentication to use for this user. For information on configuring AFA to work with a RADIUS server or an LDAP server, see Configure user authentication.
    Possible values:
    • local. Authenticate the user against the local AFA user database.
    • radius. Authenticate the user against a RADIUS server.
    • ldap. Authenticate the user against an LDAP server.

administrator
    Description: Indicates whether to make the user an administrator.
    Possible values: yes / no (Default)

run_file_analysis
    Description: Indicates whether to allow the user to perform analyses from configuration files.
    Possible values: yes / no (Default)

global_customisation
    Description: Indicates whether to make the user a FireFlow configuration administrator. This enables the user to perform advanced configuration tasks in FireFlow.
    Possible values: yes / no (Default)

fireflow_admin
    Description: Indicates whether the FireFlow user can perform advanced configuration tasks, such as using VisualFlow to edit workflows.
    Possible values: yes / no (Default)

default_fw_profile
    Description: The user's default access level to devices.
    Possible values: readonly / none / standard (Default)

firewalls
    Description: A list of devices for which the user should be granted permissions.
    Possible values: Each device in the list must be in the following format:
        (deviceName;notify;permissionProfile)
    where:
    • deviceName is the device's name
    • notify indicates whether the user should receive notifications about the device (yes/no)
    • permissionProfile is the user's access level to the device (readonly/none/standard)
    Write multiple devices one after another, with no separator between them. For example:
        (device)(device)(device)...
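As an added example (not part of the guide and not the import_users script itself), the following Python pre-checks a users CSV file against the requirements above before it is handed to import_users: supported and mandatory column headers, the username and password expressions from ASMS username and password requirements, the yes/no flags, authentication types, default device profiles, and the (deviceName;notify;permissionProfile) syntax of the firewalls column. The sample CSV is constructed: the device names come from the guide's example, the email addresses and the deliberately invalid third user are made up, and the email check is a minimal "standard format" test assumed here.

```python
import csv
import io
import re

# Regular expressions from the guide. The hyphen in the username class is placed last so
# that it is matched literally; written as ".-\/" it would form a range that omits "-".
USERNAME_RE = re.compile(r"^[a-zA-Z0-9@_.\/-]*$")
PASSWORD_RE = re.compile(r"^[a-zA-Z0-9\x20-\x5F\x7B-\x7E]*$")   # every printable ASCII except `
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")            # assumption: minimal format check

SUPPORTED_HEADERS = {
    "username", "fullname", "email", "note", "password", "policy_change", "group_changes",
    "all_changes", "configuration_changes", "object_expirations", "error", "customizations",
    "authentication_type", "administrator", "run_file_analysis", "global_customisation",
    "fireflow_admin", "default_fw_profile", "firewalls",
}
MANDATORY = {"username", "fullname", "email"}
YES_NO = {"policy_change", "group_changes", "all_changes", "configuration_changes",
          "object_expirations", "error", "customizations", "administrator",
          "run_file_analysis", "global_customisation", "fireflow_admin"}
AUTH_TYPES = {"local", "radius", "ldap"}
PROFILES = {"readonly", "none", "standard"}
# One device entry: (deviceName;notify;permissionProfile). Entries are written back to back.
DEVICE_RE = re.compile(r"\(([^;()]+);(yes|no);(readonly|none|standard)\)", re.IGNORECASE)


def parse_firewalls(value):
    """Split '(dev;yes;standard)(dev2;no;readonly)' into (device, notify, profile) tuples."""
    if DEVICE_RE.sub("", value) != "":          # anything left over is not a valid entry
        raise ValueError(f"malformed firewalls value: {value!r}")
    return [(d, n.lower(), p.lower()) for d, n, p in DEVICE_RE.findall(value)]


def validate_users_csv(text):
    """Return [(line_number, message), ...]; an empty list means the file passed every check."""
    errors = []
    reader = csv.DictReader(io.StringIO(text), restkey="_extra")
    headers = reader.fieldnames or []
    for h in headers:
        if h not in SUPPORTED_HEADERS:
            errors.append((1, f"unsupported column header {h!r}"))
    for missing in sorted(MANDATORY - set(headers)):
        errors.append((1, f"mandatory column {missing!r} is absent"))
    present = set(headers)
    for line_no, row in enumerate(reader, start=2):
        def get(col):                            # missing trailing values arrive as None
            return (row.get(col) or "").strip()
        if "_extra" in row:
            errors.append((line_no, "more values than column headers"))
        for col in sorted(MANDATORY & present):
            if not get(col):
                errors.append((line_no, f"{col} is mandatory"))
        if not USERNAME_RE.fullmatch(get("username")):
            errors.append((line_no, "username contains characters outside the allowed set"))
        if not PASSWORD_RE.fullmatch(get("password")):
            errors.append((line_no, "password contains a back-tick or a non-printable character"))
        if get("email") and not EMAIL_RE.fullmatch(get("email")):
            errors.append((line_no, "email is not in standard address format"))
        for col in sorted(YES_NO & present):
            if get(col).lower() not in {"", "yes", "no"}:
                errors.append((line_no, f"{col} must be yes or no"))
        if get("authentication_type").lower() not in AUTH_TYPES | {""}:
            errors.append((line_no, "authentication_type must be local, radius or ldap"))
        if get("default_fw_profile").lower() not in PROFILES | {""}:
            errors.append((line_no, "default_fw_profile must be readonly, none or standard"))
        try:
            parse_firewalls(get("firewalls"))
        except ValueError as exc:
            errors.append((line_no, str(exc)))
    return errors


# Constructed sample: two valid users modelled on the guide's example, plus one row that
# breaks several rules at once (back-ticks, bad email, unknown auth type, space between devices).
SAMPLE_USERS_CSV = "\n".join([
    "username,password,fullname,email,note,policy_change,administrator,"
    "authentication_type,default_fw_profile,firewalls",
    "JohnS,JohnSPass,John Smith,john.smith@example.com,customersupport,yes,yes,,readonly,"
    "(ECZ_ASA1;yes;Standard)(ISG1000_root:trust-vr;yes;Standard)",
    "JaneB,,Jane Brown,jane.brown@example.com,sales,no,no,ldap",
    "bad`user,pa`ss,Bad User,not-an-email,,maybe,yes,kerberos,admin,(fw1;yes;standard) (fw2;yes)",
])

if __name__ == "__main__":
    for line_no, message in validate_users_csv(SAMPLE_USERS_CSV):
        print(f"line {line_no}: {message}")
```

Run it against the file in the current directory before invoking import_users; every reported line number refers to the CSV file, with line 1 being the header row.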

Run the import users script


This procedure describes how to import users into AFA from a CSV file.

Do the following:

1. Open a terminal and log in using the username "afa" and the related password.

2. Enter the following command:

import_users -f CSVFile

For information on the command's flags, see the following table.

The import_users script runs and imports users from the file into both AFA and
FireFlow.

Import users script flags


Flag: -f CSVFile
Description: The name of the CSV file.

    Note: The file must be located in the current directory.


Customize risk and compliance management

AFA supports many risk and compliance customizations, allowing you to define your
organization's specific needs.

For details, see:

• Create custom risk profiles with built-in and custom risk items. For details, see:
    • Customize risk profiles
    • Customize risk items

• Define new zone types, in addition to the predefined Internal, External, and DMZ. For details, see Customize zone types.

• Add new host group definitions. For details, see Customize hostgroups.

• Add new service definitions. For details, see Customize services.

• Configure AFA to treat private IP addresses as non-threatening. For details, see Configure trusted private IP addresses.

• Customize the security rating and the way security rating information is displayed. For details, see Configure security ratings.

• Configure which regulatory compliance standards are relevant to your environment. For details, see Customize the regulatory compliance report.

• Customize the configuration requirements for baseline compliance. For details, see Customize baseline configuration profiles.

Customize risk profiles


AFA analyzes device configuration and reports security risks using risk profiles, which
define sets of security risk items and their security levels.

By default, AFA uses a Standard Risk Profile for all devices, which includes a set of
standard risk items. Each risk item represents an XQL query that AFA performs on
simulation results to detect risks.


Create custom risk profiles as needed, including different combinations of risk items,
changing severity levels of each risk item, or creating custom risk items. Custom risk
items enable you to define complex risks by composing your own XQL queries.

For more details, see:

• View a risk profile

• Add a new risk profile

• Delete a custom risk profile

• Set a default risk profile

Note: After making changes to risk profiles, you must run a new analysis before
seeing any changes in AFA reports.

Edit a Risk Profile (video): Watch to learn how to edit a risk profile to suit your network needs.

View a risk profile


This procedure describes how to view a specific risk profile in the AFA Administration
area, as well as the details shown.

Do the following:

1. Access the AFA Administration area. Click your username in the toolbar and
select Administration.

2. Click the Compliance > Risk Profiles tab, displaying the Standard risk profile with
risk items displayed in a grid below.


The risk item grid includes the following data:

Code: The risk item code.

Risk Level: The severity level applied to the risk item. The severity level is also indicated by the color bar on the left of the row, as follows:
    • Brown = Low
    • Yellow = Medium
    • Orange = Suspected High
    • Red = High
    • Grey = Ignored

    Note: Ignored risk items are listed in AFA reports towards the bottom of the Risk Assessment page, and not in the main page with other detected risks.

Title: The risk item's title, or name.

From / To: The source and destination zone of connections specified by the risk item.

Brand: The relevant device brand for the risk item.

3. To load a different risk profile, select it from the Select risk profile dropdown menu
above the grid. The page is updated with the selected risk profile.

Continue with any of the following:

• Add a new risk profile

• Delete a custom risk profile

• Set a default risk profile

• Customize risk items

Add a new risk profile


Add a new risk profile by creating one from scratch, modifying an existing profile and
saving it under a new name, or importing a spreadsheet that specifies safe traffic.

Create a new risk profile from scratch


Create a new risk profile from scratch when you want to start with completely empty risk
items.

Do the following:

1. Access the Risk Profiles tab in the AFA Administration area. For details, see View
a risk profile.

2. Click + Create new risk profile, and enter a name for your new profile.

3. Customize your risk items as needed. For details, see Customize risk items.

4. When you're done, click Save and then OK to confirm.

Your new risk profile is ready to use in your next AFA analysis.


Create a new risk profile from an existing one


Create a new profile by starting with an existing one when you want to use the existing
one as a basis for your new profile.

Do the following:

1. View the specific risk profile you want to start with in the Risk Profiles tab in the
AFA Administration area. For details, see View a risk profile.

2. Customize your risk items as needed for your new profile. In the Risk profile notes
field, enter a description for your new risk profile.

3. Click Save As, and enter a new name for your new profile.

4. Click OK, and then OK again to confirm.

Your new risk profile is ready to use in your next AFA analysis.

Tip: While the Standard risk profile is read-only, you can use it as the basis for a
custom profile. Then, you can define your custom profile as the default risk profile for
all future reports. For details, see Set a default risk profile.

Create a new risk profile from a spreadsheet


Create a custom risk profile by uploading a spreadsheet that defines safe and risky
traffic. When you upload this file, AFA creates a new risk profile. By default, any traffic
not included in the spreadsheet is defined as a risk.

Use the template provided in the AFA Administration area to create this spreadsheet.

Do the following:

1. Open the Risk Profiles tab in the AFA Administration area. For details, see View
a risk profile.

2. Click Import from spreadsheet. In the Import risk profile dialog, click Download
sample spreadsheet.


3. Save the file locally using a meaningful name, and populate it with details about
the traffic you want to allow or define as risky. For details, see Spreadsheet
requirements.

4. When your spreadsheet is ready, return to the Import risk profile dialog, and click
Choose File. Browse to and select the file you edited, and then click OK to upload
the file.

AFA generates your new risk profile, defining any traffic that is not specified in
your uploaded file as a risk.

AFA optimizes your risks, and combines similar items to create the fewest number
of new risk items possible.

5. Click Save as to save your new Risk Profile. Enter a meaningful name, and click
OK.

Your new risk profile is ready to use in your next AFA analysis.

Note: When you upload a spreadsheet, AFA optimizes risk creation by combining
traffic flows when possible. This may result in individual risks with wide definitions.

In such cases risk descriptions specify the traffic or server that triggered the risk to
help you understand why the risk was triggered.

Spreadsheet requirements
The spreadsheet uploaded to AFA to generate a custom risk profile must include the
following sheets:


• Traffic. Defines the traffic you want to mark as allowed or risky by the generated risk profile. Modify the number of rows or columns as needed to describe the traffic.

• Networks. Defines network objects used in the Traffic sheet.

• Services. Defines service objects used in the Traffic sheet.

Across all sheets in the spreadsheet:

• Object names are case-sensitive.

• Comments are supported in all sheets, only outside the data table, title rows or columns. Add # before the comment text.

For more details, see Populate the Traffic sheet and Populate the Networks and
Services sheets.

Note: To define conditional severities, include the Conditional Severities sheet as well.

Populate the Traffic sheet

You must populate every cell in the Traffic sheet data table, as follows:

Source / destinations: List source network objects in the left column, and destination network objects across the top row. Destinations do not need to be the same as the sources, but must be network objects defined in the Networks tab, or the predefined Other object. The Other object includes all IP addresses that are not included in network objects listed on the Networks tab, and generally includes the public internet.

Service objects: Each cell that intersects a source and destination must contain one or more service objects, as follows:
    • To define safe traffic, enter the name of a safe service object.
    • To define risky traffic, enter the name of a risky service object using the following syntax: not( service_object ) or !service_object
    • To define multiple service objects in a single cell, enter each object name on a new line in the cell (ALT+ENTER).
    Service object values must either be listed on the Services tab, or be one of the following predefined services:
    • Any. All services.
    • None. No services.

Tip: Optionally, specify risk severity levels for risk traffic associated with a specific
source or destination. For details, see Specify risk severity in your spreadsheet.

Populate the Networks and Services sheets

Populate the Networks and Services sheets as follows:

Object names: List object names in the left column.

Object content: List object content in the same row as the object's name. Assign multiple values to each object as needed, by specifying multiple values across the row, each value in its own cell.

Object names: Object names support lowercase and uppercase letters, digits, and underscores (_).

Network objects: Network objects support single IP addresses, subnets, or ranges.

Service objects: Service objects support:
    • Protocol/port format for TCP, UDP, and ICMP protocols
    • Other standard names such as SSH, FTP, and so on, including AlgoSec standard services


Specify risk severity in your spreadsheet

By default, all risks generated by uploading a spreadsheet are given a Medium severity.
To customize this, specify severity levels in the Traffic sheet for risks associated with
specific traffic, sources, or destinations.

Do the following:

In the Traffic sheet, add the following characters to your cells to indicate severity levels:

• H = High

• S = Suspected high

• M = Medium

• L = Low

• Any conditional ID specified in a Conditional Severities sheet.

Add your severity notations to cells in your Traffic sheet as follows:

Specify severity for all traffic from a specific source: Indicate the severity level with the network object in the left column.

Specify severity for all traffic to a specific destination: Indicate the severity level with the network object in the header row.

Specify severity for all traffic from a specific source and to a specific destination: Indicate the severity level with the service object in the intersecting cell. In such cases:
    • By default, the generated risk will be relevant to all traffic between the source and destination, via services other than those included in the service object.
    • If you specify severity for a risky service object, the generated risk will be relevant to all traffic between the source and destination via the specified service object.


Specify multiple severity levels for traffic from a specific source to a specific destination: Further segregate traffic by defining a permitted service object and one or more negated service objects in the same intersecting cell, each with a specified severity. In such cases:
    • Place each object on a new line in the cell (ALT+ENTER)
    • The first object in the cell can be safe or negated. All other objects must be negated.

Note: If a severity is specified for either the traffic, or for a specific source or
destination, AFA assigns the specified severity to that risk.

If different severities are assigned to the source and destination, AFA uses the higher
severity when generating the risk.

For more details, see Populate the Traffic sheet.

The following table shows an example of a Traffic sheet with severities indicated. Row labels are sources, column labels are destinations; a cell that holds two lines is shown here with the two lines joined by " + ":

From \ To    | Net1                               | Net2             | Net3             | PartnerNet       | PCIzone;S   | Other
Net1         | -                                  | !(forbiddenSvc)  | SecureSrvs ; C2  | Any              | SecureSrvs  | Any
Net2         | Any                                | -                | Any              | Any              | SecureSrvs  | Any
Net3         | OnlySrv/X                          | !(OnlySrv/X)     | -                | Any              | SecureSrvs  | Any
PartnerNet   | PartnerSrv                         | !PartnerSrv ; C1 | !PartnerSrv ; C1 | Any              | SecureSrvs  | Any
PCIzone;S    | SecureSrvs ; M + !forbiddenSvc ; H | SecureSrvs       | SecureSrvs ; C2  | SecureSrvs ; C3  | -           | None;H
Other        | -                                  | -                | http_Services    | -                | None;H      | Any

In this example, AFA will use the data in the highlighted cell (traffic from PCIzone to Net1) to generate risks with the
following severities:


High: Traffic from PCIzone to Net1, via forbiddenSvc

Medium: Traffic from PCIzone to Net1, via any services other than those defined in forbiddenSvc or SecureSrvs

Not risky: Traffic from PCIzone to Net1, via SecureSrvs

Note that although the risk specified for all traffic from PCIzone is Suspected high, no
traffic from PCIzone to Net1 is specified as Suspected high, as the severities associated
with each service object take precedence.
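As an added example, not from the guide and not AFA's own import code, the following Python models how the guide says a Traffic-sheet cell and its row and column labels combine into generated risks: the safe service on the first line, negated services (not(x) or !x) on further lines, the ";" severity suffix at cell, source and destination level, the Medium default, the higher of source and destination severities, and cell-level severities taking precedence. Two behaviours are assumptions marked in comments: a "-" cell (used on the diagonal of the guide's example) generates nothing, and a cell holding only negated services leaves the remaining traffic safe.

```python
import re
from dataclasses import dataclass

# Severity letters from the guide, low to high. Any other token after ';' (for example C1)
# is treated as a conditional-severity ID and passed through unchanged.
LEVELS = {"L": 1, "M": 2, "S": 3, "H": 4}
DEFAULT_SEVERITY = "M"       # spreadsheet-generated risks are Medium unless a severity is given
# A negated service object: not( name ) or !name, with or without parentheses.
NEGATED_RE = re.compile(r"^(?:not\s*\(\s*([\w/]+)\s*\)|!\s*\(?\s*([\w/]+)\s*\)?)$")


@dataclass(frozen=True)
class Risk:
    source: str
    destination: str
    via: str            # a service object name, or "other than ..." for the remaining traffic
    severity: str


def split_severity(token):
    """'PCIzone;S' -> ('PCIzone', 'S'); 'Net1' -> ('Net1', None)."""
    parts = [p.strip() for p in token.split(";")]
    return parts[0], (parts[1] if len(parts) > 1 and parts[1] else None)


def higher(a, b):
    """Higher of two severities; a missing one yields the other (guide: higher of source/destination)."""
    if a is None or b is None:
        return a if b is None else b
    if a in LEVELS and b in LEVELS:
        return a if LEVELS[a] >= LEVELS[b] else b
    return a    # assumption: conditional IDs are opaque, so the source-side value is kept


def parse_cell(cell):
    """Return (safe_service, safe_severity, [(negated_service, severity), ...]) for one cell.
    Lines inside the cell are the ALT+ENTER line breaks the guide describes."""
    safe, safe_sev, negated = None, None, []
    for index, line in enumerate(l.strip() for l in cell.splitlines() if l.strip()):
        name, sev = split_severity(line)
        match = NEGATED_RE.match(name)
        if match:
            negated.append((match.group(1) or match.group(2), sev))
        elif index == 0:
            safe, safe_sev = name, sev
        else:                      # guide: only the first object in a cell may be safe
            raise ValueError(f"only the first object in a cell may be a safe service: {cell!r}")
    return safe, safe_sev, negated


def risks_for_cell(source_label, destination_label, cell):
    """Risks generated for one Traffic-sheet cell, given its row and column labels."""
    source, source_sev = split_severity(source_label)
    destination, destination_sev = split_severity(destination_label)
    fallback = higher(source_sev, destination_sev) or DEFAULT_SEVERITY
    if cell.strip() == "-":
        return []                  # assumption: '-' means no risk is generated for this pair
    safe, safe_sev, negated = parse_cell(cell)
    risks = []
    for service, sev in negated:   # a severity on a risky object applies to traffic via that object
        risks.append(Risk(source, destination, service, sev or fallback))
    if safe == "None":             # no safe services: all traffic between the pair is risky
        risks.append(Risk(source, destination, "Any", safe_sev or fallback))
    elif safe is not None and safe != "Any":
        excluded = [safe] + [service for service, _ in negated]
        risks.append(Risk(source, destination, "other than " + ", ".join(excluded),
                          safe_sev or fallback))
    # a cell holding only negated objects leaves the remaining traffic safe (assumption)
    return risks


# The guide's example cell for traffic from PCIzone (row severity S) to Net1.
PCIZONE_TO_NET1 = "SecureSrvs ; M\n!forbiddenSvc ; H"

if __name__ == "__main__":
    for risk in risks_for_cell("PCIzone;S", "Net1", PCIZONE_TO_NET1):
        print(risk)
```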

Delete a custom risk profile


Delete any unused risk profiles to declutter your system.

Do the following:

1. View the specific risk profile you want to delete in the Risk Profiles tab in the AFA
Administration area. For details, see View a risk profile.

2. Below the Risk Profile table, click Delete this profile.

3. Click OK to confirm, and then OK again.

Set a default risk profile


By default, the risk profile used when running an analysis is always the Standard risk
profile. Set a custom risk profile as the default, as needed.

Do the following:

1. Access the AFA Administration area. Click your username in the toolbar and
select Administration.

2. Click the Compliance > Compliance Options tab.

3. In the Default risk profile dropdown, select the risk profile you want to set as
default, and click OK.


For example:

AFA uses the selected risk profile by default when running an analysis.

Customize risk items


In addition to creating a custom risk profile, you can customize individual risk items or
add new ones from scratch.

Edit, duplicate, or add a custom risk item


Edit risk items, duplicate them to create new items based on existing risk items, or add a
new custom risk item from scratch.

Do the following:

1. View the Risk Profile with the risk items you want to edit. For details, see View a
risk profile.

2. Do one of the following:

Edit an existing risk item: Select the risk in the grid, and click Edit. The risk item is opened for editing. Make your changes as needed, and then click OK.

Duplicate an existing risk item: Select the risk in the grid, and click Duplicate. A new risk item is opened for editing, with the same values as the risk item you had originally selected. Make your changes as needed, especially giving the new risk item a new name, and click OK.

Create a new risk item: Click New, and then select one of the following options:
    • Basic risk. Create a basic risk
    • Risk with destination threshold. Create a risk item with a specific destination threshold
    • Risk with source threshold. Create a risk with a specific source threshold
    • Risk with specific IP addresses. Create a risk with specific IP addresses, an IP address range, or a subnet
    • PCI risk. Create a risk that refers to PCI zones

3. Populate the fields as needed for your risk item type. For details, see:

• Risk Info fields

• Risk Query fields

• Customize risk items

4. When you're done, click OK to return to your risk profile.

Risk Info fields


All risk types include the following data in the Risk Info area:

• Title. Enter a name for your new risk.

• Level. Select a risk severity level.

• Template. Displays the type of risk item you're editing.

• Code. An automatically assigned code for this risk item. For example, user-defined
items have a code that starts with U.


Risk Query fields


Risk query fields will differ depending on the type of risk item you're editing.

From zone / To Zone: Relevant for basic risks and risks with source or destination thresholds. Select the zone types that represent where the traffic you want to analyze is coming from and going to.

With service: Relevant for all risk types. Select a service you want to consider as risky in this risk item. Supported services include pre-defined services, user-defined services, or device-defined services.

    Note: Selecting a device-defined service imports the service from the device, and creates a new user-defined service with the same details. In such cases, the new service's name is the same as the device-defined service, with an additional prefix of algosec_.

    Tip: Alternately, create a new service group that consists of one or more services. To do this, click Create New. For more details, see Customize services.

Source / Destination / PCI zone: Relevant for risks with specific IP addresses or PCI risks. Enter one or more IP addresses or address ranges. Separate multiple addresses and address ranges with commas.
    Alternately, click Add to use a wizard. There, select a method to use to define your source or destination, including:
    • An individual IP address
    • An IP address range
    • Host group defined on the device
    • AlgoSec Hostgroup, a host group defined by AlgoSec
    Enter subsequent values to continue through the wizard, following on-screen instructions as needed.

Trust VPN IP addresses: Relevant for basic risks and risks with source or destination thresholds. Select to determine that VPN traffic be excluded from this risk item, and not shown in the AFA report. Default = Enabled.

Threshold on Destination / Source IP address: Relevant for risks with source or destination thresholds only. Enter the threshold for the source or destination IP address, depending on the type of risk item you're editing.

Advanced: Relevant for all risk types. Define an XQL query for the risk item. Click Advanced and enter your query in the Advanced Query Editor.
    Warning: Setting an invalid query format may cause analysis errors when creating future reports.
    Follow the guidelines needed for the risk type you're editing. For details, see Advanced risk editing.

Tip: Click Auto Fill to load pre-defined values from a template into the Risk details
area below, based on the values you've selected. Any existing values are
overwritten.

For more details, see Customize risk items.

Risk Details fields


The Risk Details area includes the following data for all risk types:

Assessment / Remedy: Enter a description of the risk and risk remedy. These texts are displayed in the AFA report whenever this risk item is triggered.
    • Both Assessment and Remedy values can be written in any language.
    • Optionally, include keywords that link the risk item's assessment or remedy to other parts of the AFA report. Insert keywords by typing them directly or click Insert Field to select them from a list. For more details, see Assessment and remedy keywords.

Description: Enter a general description of the risk, using terms that are not tied to any particular device. This text appears in Group reports whenever a device in the group has triggered this risk item.

Suppressed by: Enter the codes of other risk items that should prevent the current risk item from appearing in AFA reports, or click Select to select them from a list.

    Note: Configuring suppression for your risks helps to avoid clutter and double-reporting in your AFA reports. However, overall security rating scores do also consider suppressed risks.
    Additionally, risks are not suppressed unless the suppression resolves all cases of that risk. For more details, see Suppression in AFA.

Suppression in AFA

In AFA reports, each specific risk may be suppressed by another risk.

For example, you may want to do this when you have a more general risk that also
includes the specific risk.

The following sample device, rule, and risk configuration illustrates this concept:

If no suppression is configured:

If you have a device with the following rules ...


Rule Source Destination Services

01 10.1.1.2 20.1.1.1 Any

02 10.2.1.2 20.2.1.1 Telnet

... and the risk profile for the device includes the following risks:

The RISKS report for your device might include the following risk and rule details:

If suppression is configured:

If you've configured the device's risk profile to include suppression as follows:


• D02 is suppressed by D01:

• D03 is suppressed by D02:

The RISKS report for the device shows the following:


In this report, risk D02 does not appear at all. This is because:

• Risk D01 suppresses risk D02.

• The number of rules triggering D02 = the number of rules triggering D01.

Also in this report, D03 is shown because suppression is not in effect. This is because:

• While risk D02 suppresses risk D03,

• The number of rules triggering risk D02 ≠ the number of rules triggering risk D03.
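The suppression rule above, worked through in code. This is an added example and not AlgoSec's code: the risk codes D01 to D03, the rules that trigger them, and the function names are constructed so that the result matches the walkthrough (D02 hidden, D03 still shown), since the screenshots of the risk definitions are not reproduced here.

```python
"""Risk suppression as described under "Suppression in AFA".

A risk item R configured as "suppressed by" S is hidden from the RISKS report
only when the suppression resolves every case of R, which the guide states as:
the number of rules triggering S equals the number of rules triggering R.
Suppressed risks still count toward the security rating.

Added example, not AlgoSec code. The risk codes D01..D03 and which rules
trigger them are constructed to reproduce the guide's outcome (D02 hidden,
D03 still shown).
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class RiskItem:
    code: str
    suppressed_by: list[str] = field(default_factory=list)  # "Suppressed by" field


# Constructed findings: rule numbers from the guide's sample device that
# trigger each risk code.
SAMPLE_RISKS = {
    "D01": RiskItem("D01"),
    "D02": RiskItem("D02", suppressed_by=["D01"]),
    "D03": RiskItem("D03", suppressed_by=["D02"]),
}
SAMPLE_FINDINGS = {
    "D01": {"01"},        # rule 01: 10.1.1.2 -> 20.1.1.1, Any
    "D02": {"01"},
    "D03": {"01", "02"},  # rule 02: 10.2.1.2 -> 20.2.1.1, Telnet
}


def suppressor_of(code, risks, findings):
    """Return the code that suppresses `code` in this report, or None."""
    mine = findings.get(code, set())
    if not mine:
        return None                     # nothing triggered, nothing to hide
    for sup in risks[code].suppressed_by:
        theirs = findings.get(sup, set())
        # The guide's condition: suppression takes effect only when it
        # resolves all cases, i.e. both risks fire on the same number of rules.
        # Assumption: the suppressor need not itself be visible in the report.
        if theirs and len(theirs) == len(mine):
            return sup
    return None


def risks_report(risks, findings):
    """Risk codes shown in the RISKS report, mapped to their triggering rules."""
    return {
        code: sorted(findings[code])
        for code in risks
        if findings.get(code) and suppressor_of(code, risks, findings) is None
    }


def rating_inputs(risks, findings):
    """Triggered risks that feed the security rating: suppressed ones included."""
    return sorted(code for code in risks if findings.get(code))


if __name__ == "__main__":
    print("RISKS report:", risks_report(SAMPLE_RISKS, SAMPLE_FINDINGS))
    print("counted in rating:", rating_inputs(SAMPLE_RISKS, SAMPLE_FINDINGS))
```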

Delete a risk item


Delete custom risk items that you don't need anymore.

Warning: Do not delete risks with a prefix of unnamed or AlgoSec. Deleting these
items may damage a risk profile.

Tip: While Standard risk items cannot be deleted, they can be disabled. For details,
see Disable a risk item.

Do the following:

1. View the risk profile with the risk item you want to delete. For details, see View a
risk profile.


2. In the grid, select the risk item you want to delete, and click Delete.

3. Click OK to confirm.

The risk item is deleted, and will no longer be included in future AFA reports.

Disable a risk item


Disable standard or custom risk items when you want to prevent them from being
included in all AFA reports, but you don't want to remove them from the system.

Warning: Do not disable any risks with a prefix of unnamed or AlgoSec. Disabling
these items may damage a risk profile.

Do the following:

1. View the risk profile with the risk item you want to disable. For details, see View a
risk profile.

2. In the grid, select the risk item you want to disable, and click Edit.

3. In the Level field, select Ignore, and then click OK.

The risk item is disabled, and will not be included in future AFA reports.

Customize zone types


Device and matrix topologies are defined in AFA using zone types. Each of the
network's zones is assigned a zone type, and the zone is represented in the zone type's
color in all AFA diagrams and reports.

If desired, you can define additional zone types. Configuring user-defined zone types
enables you to tailor risk profiles to your exact network topology. Each user-defined
zone type is based on one of AFA's built-in zone types.


Built-in zone types


Zone Type   Color    Description                                    Example

External    Red      Represents network zones that are directly     The "Outside" zone is
                     connected to the Internet.                     assigned to this zone type.

Internal    Blue     Represents network zones that are not          The "Inside" zone is
                     connected to the Internet.                     assigned to this zone type.

DMZ         Orange   Represents the DMZ (Demilitarized Zone).       The "DMZ" zone is
                                                                    assigned to this zone type.

Add and edit zone types


Do the following:

1. In the toolbar, click your username.

A drop-down menu appears.

2. Select Administration.

The Administration page appears, displaying the Options tab.

3. Click the Compliance tab.

The Compliance tab appears, displaying the Risk Profiles sub-tab.

4. Click .

The Edit and define zone types page appears.


5. Do one of the following:

• To add a new zone type, click New.

• To edit an existing zone type, select the desired zone type and click Edit.

The Add New Zone Type or Edit Zone Type dialog box appears.

Note: You cannot edit the built-in zone types (EXTERNAL, INTERNAL, or DMZ).

6. Complete the fields using the information in the following table.

7. Click OK.

Zone Type Fields


In this field...                      Do this...

Name                                  Type the zone type's name.
                                      This field is read-only when editing a zone.

Color                                 Select a color to represent the zone type.

Like                                  Select an existing zone type from which this zone type
                                      should inherit its settings. You can then override the
                                      inherited settings as desired.
                                      This field is read-only when editing a zone.

Automatically create standard risks   Select this option to automatically use the Standard Risk
for the new zone type                 Profile for the zone.
                                      This field appears only when adding a new zone.

Delete zone types


Note: You cannot delete a zone type if it appears in a defined device's topology.

Note: You cannot delete the built-in zone types (EXTERNAL, INTERNAL, or DMZ).

Do the following:

1. In the toolbar, click your username.

A drop-down menu appears.

2. Select Administration.

The Administration page appears, displaying the Options tab.

3. Click the Compliance tab.

The Compliance tab appears, displaying the Risk Profiles sub-tab.

4. Click .

The Edit and define zone types page appears.


5. Select the desired zone type and click Delete.

A confirmation message appears.

6. Click OK.

The zone type is deleted.

Customize hostgroups
You can define hostgroups to use when performing tasks such as running traffic
simulation queries and/or configuring the trusted traffic you want to view.

Add and edit host groups


Do the following:

1. In the toolbar, click your username.

A drop-down menu appears.

2. Select Administration.

The Administration page appears, displaying the Options tab.

3. Click the Compliance tab.

The Compliance tab appears, displaying the Risk Profiles sub-tab.

4. Click .

The Edit and define hostgroups page appears.


5. Do one of the following:

• To add a new host group, click New.

• To edit an existing host group, select the check box next to the desired host
  group and then click Edit.

The New Hostgroup dialog box appears.

6. In the Name field, type a name for the host group.

7. In the IP Addresses field, type the IP address or IP address range that the host group
represents.

8. Click OK.

The new host group appears in the list.

Delete hostgroups
Do the following:

1. In the toolbar, click your username.

A drop-down menu appears.

2. Select Administration.

The Administration page appears, displaying the Options tab.


3. Click the Compliance tab.

The Compliance tab appears, displaying the Risk Profiles sub-tab.

4. Click .

The Edit and define hostgroups page appears.

5. Select the check box next to the desired host group and then click Delete.

A confirmation message appears.

6. Click OK.

The host group is deleted.

Customize services
You can define service groups that contain one or more services to use when
performing tasks such as running traffic simulation queries and/or configuring the trusted
traffic you want to view.

Add and edit service groups


Note: To define a single custom service, add a service group that contains only the
desired service.

Do the following:

1. In the toolbar, click your username.

A drop-down menu appears.

2. Select Administration.

The Administration page appears, displaying the Options tab.

3. Click the Compliance tab.

The Compliance tab appears, displaying the Risk Profiles sub-tab.

4. Click .


The User-defined Services window appears.

5. Do one of the following:

• To add a new service, click Add.

• To edit an existing service, select the service and then click Edit.

The New Service Group / Edit Service Group dialog box appears.

6. In the Service group name field, type the service group's name.

7. To add a service to the group, do the following:

If this is not the first service to be added to the group, click New Member.

Complete the fields using the information in the following table.


In this field... Do this...

Protocol Select the service's protocol.

Destination port Type the destination port range.

Source port Type the source port range.

8. To remove a service from the group, select the service in the Service group
members list box, then click Remove.

9. Click Save.

A success message appears.

10. Click OK.

11. Click Close.

Delete service groups


Do the following:

1. In the toolbar, click your username.

A drop-down menu appears.

2. Select Administration.

The Administration page appears, displaying the Options tab.

3. Click the Compliance tab.

The Compliance tab appears, displaying the Risk Profiles sub-tab.

4. Click .

The User-defined Services window appears.

5. Select the desired service and click Delete.

A success message appears.

6. Click OK.


The service is deleted.

7. Click Close.

Configure trusted private IP addresses


By default, AFA treats private IP addresses such as 10.0.0.1 as non-threatening. Since these
IP addresses are not routed on the public Internet, they typically represent machines that
are owned by your corporation and are therefore not threatening. If desired, you can
change this behavior.

Do the following:

1. In the toolbar, click your username.

A drop-down menu appears.

2. Select Administration.

The Administration page appears, displaying the Options tab.

3. Click the Compliance tab.

The Compliance tab appears, displaying the Risk Profiles sub-tab.

4. Click the Compliance Options sub-tab.

5. Do one of the following:

• To treat private IP addresses as threatening, clear the Trust private IP
  addresses check box.

• To treat private IP addresses as non-threatening, select the Trust private IP
  addresses check box.

6. Click OK.

Note: This setting will only take effect in future reports that you generate.


Configure security ratings


AFA reports' Home and Risks pages display a security rating which indicates the
device's degree of compliance with security standards.

Note: It is possible for a device with more risks to have a higher security rating than a
device with fewer risks.

The Security Rating is calculated as the ratio of the number of risks detected vs. the
number of risks searched for, and the total number of risks searched for differs per
device.

If a device has multiple interfaces and some are configured as Internal, some as
External, and some as DMZ, more risks will be searched for than on a device with
only an Internal and External interface. Also, some risks are defined only for specific
device vendors.

Security rating calculation


AFA calculates the security rating with the following formula:

Security rating = 100 x (1 - (W1 X1 + W2 X2 + W3 X3 + W4 X4) / (W1 T1 + W2 T2 + W3 T3 + W4 T4))

where:

This variable...   Represents...

W1                 The weight of High risks. Default = 10.

W2                 The weight of Suspected High risks. Default = 4.

W3                 The weight of Medium risks. Default = 2.

W4                 The weight of Low risks. Default = 1.

X1                 The number of High risks detected in the current device policy.

X2                 The number of Suspected High risks detected in the current device policy.

X3                 The number of Medium risks detected in the current device policy.

X4                 The number of Low risks detected in the current device policy.

T1                 The maximum number of High risks possible for the device. This is
                   determined by the device's brand and topology.

T2                 The maximum number of Suspected High risks possible for the device.
                   This is determined by the device's brand and topology.

T3                 The maximum number of Medium risks possible for the device. This is
                   determined by the device's brand and topology.

T4                 The maximum number of Low risks possible for the device. This is
                   determined by the device's brand and topology.

Security rating calculation background


In ASMS's security rating calculation, risk is determined by the weakest link in the
defense. This means that several well-configured devices do not mitigate the risk posed
by a single, badly-configured device.

ASMS, therefore, cannot determine the security rating for a group of devices as a simple
average of the security ratings of the group's members. Instead, ASMS looks at all
possible risk items as a "whole", and deducts one "point" for every risk item flagged on
at least one group member.

This approach may lead to scenarios where the security rating of a group is even lower
than that of each group member.

For example, suppose the following:


• There are 100 possible risk items.

• There are 100 devices in the group.

• Each device is flagged for a single risk item.

In this case, the security rating of each device will be 99, because 99 of the 100 possible
risk items are not flagged.

The case may differ as follows:

If the same risk item is flagged on all 100 devices
    The group security rating will also be 99, since 99 of the 100 possible
    risk items are still not flagged.

If each device is flagged for a different risk item
    The group security rating will be 0, because 100 out of 100 possible
    risk items are flagged for at least one group member.
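The security rating formula and the "weakest link" group calculation described above, as one added example that is not AlgoSec's code. The device data is constructed; treating a group's possible risk items as the union of its members' possible items is an assumption, and the bar colors use the Low Breakpoint and High Breakpoint settings (defaults 50 and 85) from the security rating settings.

```python
"""Security rating arithmetic from "Security rating calculation" and the
group-rating background that follows it.

    rating = 100 x (1 - sum(Wi * Xi) / sum(Wi * Ti)),
    i in High, Suspected High, Medium, Low

Added example, not AlgoSec code; the device and group data are constructed.
The group rating follows the guide's "weakest link" description: each
possible risk item counts once for the group, and it is flagged for the
group if at least one member flags it. Using the union of the members'
possible items as the group's T values is an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass

LEVELS = ("high", "suspected_high", "medium", "low")
DEFAULT_WEIGHTS = {"high": 10, "suspected_high": 4, "medium": 2, "low": 1}  # W1..W4


@dataclass
class DeviceRisks:
    name: str
    possible: dict[str, frozenset[str]]  # T_i = len(possible[level]); brand/topology
    flagged: dict[str, frozenset[str]]   # X_i = len(flagged[level]); detected


def security_rating(possible, flagged, weights=DEFAULT_WEIGHTS) -> float:
    """Apply the guide's formula; the result is rounded to two decimals."""
    num = sum(weights[lvl] * len(flagged.get(lvl, ())) for lvl in LEVELS)
    den = sum(weights[lvl] * len(possible.get(lvl, ())) for lvl in LEVELS)
    if den == 0:
        return 100.0  # no risk items searched for (assumption: treat as clean)
    return round(100.0 * (1.0 - num / den), 2)


def device_rating(dev: DeviceRisks, weights=DEFAULT_WEIGHTS) -> float:
    return security_rating(dev.possible, dev.flagged, weights)


def _union(devices, attr, lvl):
    return frozenset().union(*(getattr(d, attr).get(lvl, frozenset()) for d in devices))


def group_rating(devices, weights=DEFAULT_WEIGHTS) -> float:
    """Weakest-link group rating: a risk item flagged on any member counts once."""
    possible = {lvl: _union(devices, "possible", lvl) for lvl in LEVELS}
    flagged = {lvl: _union(devices, "flagged", lvl) for lvl in LEVELS}
    return security_rating(possible, flagged, weights)


def bar_color(rating, low_breakpoint=50, high_breakpoint=85) -> str:
    """Color of the security rating bar from the Low/High Breakpoint settings.
    A rating exactly on a breakpoint takes the better color (assumption)."""
    if rating < low_breakpoint:
        return "red"
    if rating < high_breakpoint:
        return "yellow"
    return "green"


def guide_scenario(same_item: bool):
    """The guide's worked case: 100 possible items, 100 devices, one flag each.
    Returns (per-device ratings, group rating)."""
    items = frozenset(f"R{i:03d}" for i in range(100))
    devices = [
        DeviceRisks(f"fw{i:03d}", {"low": items},
                    {"low": frozenset({"R000" if same_item else f"R{i:03d}"})})
        for i in range(100)
    ]
    return [device_rating(d) for d in devices], group_rating(devices)


if __name__ == "__main__":
    for same in (True, False):
        per_device, group = guide_scenario(same)
        print(f"same_item={same}: each device={per_device[0]} group={group}")
```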

Customize security rating settings


You can customize the security rating by changing the weight assigned to each type of
risk. In addition, you can customize the security rating bar's appearance in reports, and
the number of days included in the Security Rating Trend graph in the Risks page of
reports.

Do the following:

1. In the toolbar, click your username.

A drop-down menu appears.

2. Select Administration.

The Administration page appears, displaying the Options tab.

3. Click the Compliance tab.

The Compliance tab appears, displaying the Risk Profiles sub-tab.

4. Click .

The Security Rating Settings dialog box appears.


5. Complete the fields using the information in the following table.

Days in Trend Graph
    Type the number of days to include in the Security Rating Trend graph
    in the Risks page of reports. The default value is 180 days.

Low Breakpoint
    Type a number representing the point on the security ratings bar where
    the bar should change from red to yellow, if the leftmost end of the bar
    is 0 and the rightmost end is 100. The default value is 50.

High Breakpoint
    Type a number representing the point on the security ratings bar where
    the bar should change from yellow to green, if the leftmost end of the bar
    is 0 and the rightmost end is 100. The default value is 85.

Formula Weights
    Enter the desired weight for each risk type.

6. Click OK.

Customize the regulatory compliance report


AFA provides regulatory compliance reports for a variety of regulatory compliance
standards. These reports can be accessed from the Regulatory Compliance report page
of each AFA report.

You can customize the Regulatory Compliance page in the following ways:


• Remove and add compliance reports

• Customize the compliance score value

• Customize compliance score severity thresholds

To add or remove reports in the CLI or to create a custom regulatory compliance report,
see Customize regulatory compliance report.

Remove and add compliance reports


Do the following:

1. In the toolbar, click your username.

A drop-down menu appears.

2. Select Administration.

The Administration page appears, displaying the Options tab.

3. Click the Compliance tab.

The Compliance page appears, displaying the Risk Profiles sub-tab.

4. Click the Compliance Options sub-tab.

5. Next to Regulatory compliance reports to be included in the device analysis, click
Select.

The Regulatory Compliance Reports dialog box appears.


For a description of each standard, see Supported regulatory compliance reports.

6. To enable a report, select its check box.

7. To disable a report, clear its check box.

8. Click Save.

Note: When upgrading AFA, any newly supported reports are automatically enabled.

Supported regulatory compliance reports


Standard              Description

US Centric

SOX                   Required for publicly traded companies on US markets.

NERC CIP v3, v4, v5   Required for power manufacturing and distribution, including oil, gas
                      and nuclear. The customer may choose to analyze against either v3, v4
                      or v5 of the NERC CIP standards, to evaluate readiness for future
                      standard deadlines.

HIPAA                 Required for protecting patient data in US healthcare companies.

NIST SP 800-53        Required by US DoD. This report uses the National Institute of
                      Standards and Technology (NIST) Security and Privacy Controls for
                      Federal Information Systems and Organizations, Revision 4 (April 2013).

NIST SP 800-41        Required by US DoD. This report uses the National Institute of
                      Standards and Technology (NIST) Guidelines on Firewalls and Firewall
                      Policy, Revision 1 (Sep 2009).

GLBA                  Consumer identity safety requirements for US companies.

Europe Centric

ISO/IEC 27001         ISO/IEC 27001 formally specifies an Information Security Management
                      System (ISMS), a suite of activities concerning the management of
                      information security risks.

Basel-II              This addresses the Basel Committee on Banking Supervision's
                      framework International Convergence of Capital Measurement and
                      Capital Standards (June 2006).

Global

PCI DSS 3.0           The Payment Card Industry Data Security Standard (PCI DSS) was
                      developed to encourage and enhance cardholder data security and
                      facilitate the broad adoption of consistent data security measures
                      globally. PCI DSS provides a baseline of technical and operational
                      requirements designed to protect cardholder data.
                      You can optionally indicate which servers are in your PCI zone.
                      Specifying these servers enables AFA and AppViz to provide you with
                      more specific security information for PCI applications. See Configure
                      the PCI zone.

Australia Centric

ASD-ISM               Firewall configuration guidelines from the Australian Government.

Japan Centric

J-SOX                 Japanese version of SOX.

Singapore Centric

MAS-TRM               Guidelines for information security for banks operating in Singapore,
                      published by the government banking regulator.

Customize the compliance score value


AFA reports' Regulatory Compliance page displays a compliance score which
indicates the device's degree of compliance with each compliance report. AFA
calculates the compliance score with the following formula:

Compliance score = (X1 + W x X2) / (X1 + X2 + X3)

Compliance Score Formula Variables

This variable...   Represents...

X1                 The total number of requirements in the compliance report for which the
                   device policy is compliant. Each of these requirements has a status of .

X2                 The total number of requirements in the compliance report for which
                   additional information or manual verification is necessary for the device
                   policy to meet the requirement. Each of these requirements has a status of .

X3                 The total number of requirements in the compliance report for which the
                   device policy is not compliant. Each of these requirements has a status of .

W                  The weight of the number of requirements for which additional
                   information or manual verification is necessary to meet the requirement.
                   The default value is 0.5.

You can customize the compliance score value by changing the value of the "W"
variable.


Do the following:

1. In the toolbar, click your username.

A drop-down menu appears.

2. Select Administration.

The Administration page appears, displaying the Options tab.

3. Click the Advanced Configuration tab.

The Advanced Configuration tab appears.

4. Click Add.

The Add New Configuration Parameter dialog box appears.

5. In the Name field, type Compliance_Score_Star_Weight.

6. In the Value field, type the value you wish to assign to the "W" variable.


7. Click OK.

8. Click OK.

Customize compliance score severity thresholds


AFA provides the ability to customize the compliance score severity thresholds.

By default, a bad score is 55% and below (red), a moderate score is between 55% and
70% (yellow), and a good score is 70% and above (green).

Do the following:

1. In the toolbar, click your username.

A drop-down menu appears.

2. Select Administration.

The Administration page appears, displaying the Options tab.

3. Click the Advanced Configuration tab.

The Advanced Configuration tab appears.

4. To adjust the threshold for a bad score, do the following:


a. Click Add.

The Add New Configuration Parameter dialog box appears.

b. In the Name field, type Compliance_Score_Max_Red.

c. In the Value field, type the maximum value for a bad score.

For example, if you want a score of 60% and below to be a bad score, type 60.

d. Click OK.

5. To adjust the threshold for a good score, do the following:

a. Click Add.

The Add New Configuration Parameter dialog box appears.

b. In the Name field, type Compliance_Score_Min_Green.

c. In the Value field, type the minimum value for a good score.

For example, if you want a score of 80% and above to be a good score, type
80.

d. Click OK.

6. Click OK.
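The compliance score formula and the severity thresholds from the two sections above, worked together in one added example that is not AlgoSec's code. The Advanced Configuration parameter names are the ones this guide lists; the requirement statuses, the status labels and the function names are constructed, and the score is expressed as a percentage so the thresholds apply directly.

```python
"""Compliance score and its severity thresholds, from "Customize the
compliance score value" and "Customize compliance score severity thresholds".

    score = (X1 + W x X2) / (X1 + X2 + X3)

X1 compliant requirements, X2 requirements needing more information or manual
verification, X3 non-compliant requirements, W = Compliance_Score_Star_Weight
(default 0.5). The score is shown as a percentage so that the thresholds
Compliance_Score_Max_Red (default 55) and Compliance_Score_Min_Green
(default 70) apply directly.

Added example, not AlgoSec code. The parameter names are the ones the guide
tells you to add under Advanced Configuration; the status labels and the
requirement statuses below are constructed. Boundary handling follows the
guide's wording ("55% and below" is bad, "70% and above" is good).
"""
from __future__ import annotations

from collections import Counter

STATUSES = ("compliant", "manual", "non_compliant")  # counted as X1, X2, X3

DEFAULT_CONFIG = {
    "Compliance_Score_Star_Weight": 0.5,
    "Compliance_Score_Max_Red": 55,
    "Compliance_Score_Min_Green": 70,
}


def compliance_score(statuses, config=None) -> float:
    """Percentage compliance score for one report's requirement statuses."""
    cfg = {**DEFAULT_CONFIG, **(config or {})}
    counts = Counter(statuses)
    unknown = set(counts) - set(STATUSES)
    if unknown:
        raise ValueError(f"unknown requirement status: {sorted(unknown)}")
    x1, x2, x3 = (counts[s] for s in STATUSES)
    total = x1 + x2 + x3
    if total == 0:
        raise ValueError("report has no requirements")
    w = float(cfg["Compliance_Score_Star_Weight"])
    return round(100.0 * (x1 + w * x2) / total, 1)


def severity(score_pct, config=None) -> str:
    """red / yellow / green according to the configured thresholds."""
    cfg = {**DEFAULT_CONFIG, **(config or {})}
    max_red = float(cfg["Compliance_Score_Max_Red"])
    min_green = float(cfg["Compliance_Score_Min_Green"])
    if max_red > min_green:
        raise ValueError("Compliance_Score_Max_Red must not exceed Compliance_Score_Min_Green")
    if score_pct <= max_red:
        return "red"
    if score_pct >= min_green:
        return "green"
    return "yellow"


def summarize(statuses, config=None) -> dict:
    """Score plus severity, the two values the Regulatory Compliance page shows."""
    score = compliance_score(statuses, config)
    return {"score_pct": score, "severity": severity(score, config)}


# Constructed statuses for a 20-requirement report: 12 pass, 6 need manual
# verification, 2 fail.
SAMPLE_STATUSES = ["compliant"] * 12 + ["manual"] * 6 + ["non_compliant"] * 2

if __name__ == "__main__":
    print(summarize(SAMPLE_STATUSES))
    print(summarize(SAMPLE_STATUSES, {"Compliance_Score_Star_Weight": 0}))
    print(summarize(SAMPLE_STATUSES, {"Compliance_Score_Max_Red": 60,
                                      "Compliance_Score_Min_Green": 80}))
```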

Configure the PCI zone


Specifying the servers in the PCI zone enables AFA to specify the vulnerability of PCI
applications in the PCI regulatory compliance report. Additionally, configuring these
servers enables AppViz to tag which network objects intersect the PCI Zone and the
applications that use these servers.

Note: This feature is only relevant when using AppViz.


AFA can only show the vulnerability of PCI applications in the PCI report when
AppViz is integrated with a vulnerability scanner. When using AppViz without a
vulnerability scanner, AppViz will still tag the network objects and applications that
intersect the PCI zone with the PCI label.

Do the following:

1. In the toolbar, click your username.

A drop-down menu appears.

2. Select Administration.

The Administration page appears, displaying the Options tab.

3. Click the Compliance tab.

The Compliance tab appears, displaying the Risk Profiles sub-tab.

4. Click the Compliance Options sub-tab.

5. In the Regulatory Compliance area, in the PCI zone field, type an IP address, range,
or CIDR.

6. To add another entry, click , and type the additional value in the field.

7. To remove a field, click .

8. In the Vulnerability level threshold field, select the threshold for acceptable
vulnerability in the drop-down menu.

Applications with the selected vulnerability level (or lower) will be considered
vulnerable in PCI reports. For example, selecting Medium will cause applications with
medium or low security scores to be considered vulnerable.

Note: Specifying the vulnerability level threshold is only relevant when AppViz is
integrated with a vulnerability scanner.


Customize baseline configuration profiles


A baseline configuration compliance profile contains a set of commands to be run on the
device upon analysis and the desired output for the commands, allowing you to
determine the device's compliance with a certain basic configuration. In order for a
device's report to include a baseline configuration compliance report page, a baseline
configuration compliance profile must be specified for the device when defining the
device in AFA. See Manage devices.

AFA includes a set of built-in baseline configuration compliance profiles suitable for all
device brands which appear as options in the Baseline Configuration Compliance
Profile drop-down list and in the /usr/share/fa/data/baseline_profiles/ directory.

If desired, you can create custom baseline compliance profiles.

AFA provides the following options:

• Access baseline profiles configuration

• Add a custom baseline configuration compliance profile

• Duplicate a baseline configuration compliance profile

• Delete a custom baseline configuration compliance profile

• Edit a baseline configuration compliance profile

• Example: Customize a baseline configuration compliance profile

Access baseline profiles configuration


Do the following:

1. In the toolbar, click your username.

A drop-down menu appears.

2. Select Administration.

The Administration page appears, displaying the Options tab.

3. Click the Compliance tab.


The Compliance tab appears, displaying the Risk Profiles sub-tab.

4. Click the Baseline Profiles sub-tab.

A list of baseline profiles appears.

Add a custom baseline configuration compliance profile


Do the following:

1. Access the Baseline Profile configuration area. For details, see Access baseline
profiles configuration.

2. Click New.

The baseline profile form appears.

3. Complete the fields using Example: Customize a baseline configuration
compliance profile.

4. Click Save.

The new custom baseline profile appears in the baseline profile table.

Note: A appears in the Customized field of all custom baseline profiles.

Duplicate a baseline configuration compliance profile


You can create a custom baseline configuration compliance profile by duplicating an
existing baseline profile and editing the duplicate.

Do the following:

1. Access the Baseline Profile configuration area. For details, see Access baseline
profiles configuration.

2. Select one of the baseline profiles.

3. Click Duplicate.

The baseline profile form appears with the values of the original profile.

4. Edit the fields, as desired, using Example: Customize a baseline configuration
compliance profile.

Note: To prevent the creation of two baseline profiles with the same display
name, change the Profile Name.

5. Click Save.

The new custom baseline profile appears in the baseline profile table.

Note: A appears in the Customized field of all custom baseline profiles.


Edit a baseline configuration compliance profile


You can create a custom baseline configuration compliance profile by editing an
existing baseline profile.

Note: The original baseline profile will not be over-written, but it will not be
available to use unless you delete the new custom baseline profile.

Do the following:

1. Access the Baseline Profile configuration area. For details, see Access baseline
profiles configuration.

2. Select a baseline profile.

3. Click Edit.

The baseline profile form appears.

4. Edit the fields using Example: Customize a baseline configuration compliance
profile.

5. Click Save.

The new custom baseline profile appears in the baseline profile table.

Note: A appears in the Customized field of all custom baseline profiles.

Delete a custom baseline configuration compliance profile

Note: You can only delete custom baseline profiles. Custom baseline profiles are
indicated with a in the Customized field.

Do the following:

1. Access the Baseline Profile configuration area. For details, see Access baseline
profiles configuration.

2. Select one of the custom baseline profiles.

3. Click Delete.

4. Click OK.

Example: Customize a baseline configuration compliance profile


The following is an example of adding an additional command and baseline
requirement to an existing Cisco baseline profile.

1. Access the Baseline Profile configuration area. For details, see Access baseline
profiles configuration.

2. Select a baseline profile.

In this example, we selected the Cisco ACE Sample profile. The profile is
highlighted in blue.


3. Click Edit.

The baseline profile form appears.


4. To add a command to the profile:

a. Click Commands (CommandDef).

The Commands area is highlighted in blue.


b. In the Add Subelement menu on the right side of the workspace, click
Command.

An additional Command window appears in the profile.

Note: You can click X at any time to remove a Top Element, Subelement,
or Attribute from the profile.

5. In the Add Attribute menu on the right side of the workspace, click attributes to add
to the command. Available options are id (Command ID), name (Command
Name), and cmd (Command Syntax). For details, see Command.

6. Fill in attribute fields.


Note: The Command ID must be unique.

7. To add a baseline requirement to the profile:

In the Add Top Element menu on the right side of the workspace, click
BaselineRequirement.

An additional Baseline Requirement window appears in the profile.

8. In the Add Subelement menu on the right side of the workspace, you can add the
following subelements in hierarchical order:

l Command

l Criterion

l Line (Item)

For more details, see Tag Reference.

9. Click Add Attribute to add attributes to the baseline requirement or any of the
subelements.

10. Fill in attribute fields.

Note: The Command ID must be unique.


11. Click Save.

Tag Reference
This reference describes the use of each tag in the baseline configuration compliance
profile. The tags are listed in the same order as they appear in the file.

Tag syntax is presented as follows:

l All parameters are presented in italics.

l All optional elements of the tag appear in square brackets [ ].

BaselineProfile

Syntax

<BaselineProfile brand_id="id" display_name="name">

Description

This is the main tag for the baseline compliance profile, and it identifies the profile.

Parameters

brand_id String. The brand ID of the device brand relevant to the baseline
configuration compliance report.
The brand_id for each device brand is configured in the brand's
brand_config.xml file in /usr/share/fa/data/plugins/brand_name. See the Id
parameter in the DEVICE tag.

display_name String. The name of the baseline configuration compliance profile.
The name will appear at the head of the Baseline Configuration
Compliance Report.

Subtags

l CommandsDef (see CommandsDef)

l BaselineRequirement (see BaselineRequirement)

Example

The following example describes a baseline profile for a Cisco ASA device with the
name "Cisco ASA".

<BaselineProfile brand_id="asa" display_name="Cisco ASA">

CommandsDef

Syntax

<CommandsDef>

Description

This tag specifies the sequence of commands that AFA should run on the device during
analysis.

Parameters

None.

Subtags

l Command (see Command)

BaselineRequirement

Syntax

<BaselineRequirement name="name" id="id" [description="description"]>

Description

This tag specifies a requirement that the device must meet in order to be considered "in
compliance". The requirement consists of a list of required outputs for the commands
that AFA will run on the device, specified in the CommandsDef (see CommandsDef)
tag.

Parameters

name String. The requirement's name.

id Integer. The requirement's ID and order number.
Requirements are displayed in numerical order in the Baseline Compliance
Report.

description String. Optional. A free-text description of the requirement, as used
in the sample profile at the end of this section.

Subtags

l Command (see Command)

Example

<BaselineRequirement name="First" id="1">

Command

Syntax

<Command id="id" [name="name"] cmd="cmd">

Description

This tag specifies a command that AFA should run on the device. Inside CommandsDef
the tag defines the command (id, name and cmd). Inside a BaselineRequirement the tag
carries only the id, which refers to the command with that id in CommandsDef, and
groups the Criterion tags that apply to that command's output.

Parameters

id Integer. The command's ID and order number.
Commands are implemented in numerical order.

name String. The command's name.

cmd String. The command that AFA should run on the device.


Subtags

l Criterion (see Criterion)

Example

<Command id="1" name="Check Access" cmd="show access-list" />

Criterion

Syntax

<Criterion type="type">

Description

This tag specifies a criterion that the command output must meet.

Parameters

type String. The criterion type. This can be any of the following:
l Required Line. The line specified in the Item sub-tag must be present in
the command output.
l Required Regexp. The regular expression specified in the Item sub-tag
must match somewhere in the command output.
l Forbidden Line. The line specified in the Item sub-tag must not be
present in the command output.
l Forbidden Regexp. The regular expression specified in the Item sub-tag
must not match anywhere in the command output.
l Custom Function. The custom function specified in the Item sub-tag must
return true when run on the command output.
l Manual Review. The regular expression or line specified in the Item sub-
tag will be searched for in the command output, and the result is left for
manual review.

Subtags

l Item (see Item)

Example

<Criterion type="Custom Function">


Item

Syntax

<Item [comments="comments"]>contents</Item>

Description

This tag specifies information about a criterion that the command output must meet.

Parameters

comments String. Comments about a criterion that the command output must meet.

Contents

This tag contains further details about a criterion that the command output must meet.

Subtags

None.

Example

<Item comments="first required line for command 2">extended permit ip 207.193.122.0 255.255.255.0</Item>

BaselineHeader

Syntax

<BaselineHeader title="title">text</BaselineHeader>

Description

This tag specifies information about the header text of the Baseline Compliance Report.

Parameters

title String. The title that should appear in the header section of the report page.

Contents

This tag contains the header text that should appear in the Baseline Compliance
Report.

Subtags

None.

Example

<BaselineHeader title="Introduction">Introduction to the report</BaselineHeader>

BaselineFooter

Syntax

<BaselineFooter title="title">text</BaselineFooter>

Description

This tag specifies information about the footer text of the Baseline Compliance Report.

Parameters

title String. The title that should appear in the footer section of the report page.

Contents

This tag contains the footer text that should appear in the Baseline Compliance Report.

Subtags

None.

Example

<BaselineFooter title="Summary">Summary of the report</BaselineFooter>

Sample Baseline Configuration Compliance Profile


<BaselineProfile display_name="Custom Profile" brand_id="asa">
  <CommandsDef>
    <Command id="1" name="Check Access" cmd="show access-list" />
  </CommandsDef>
  <BaselineRequirement name="First" description="This is first requirement." id="1">
    <Command id="1">
      <Criterion type="Required Line">
        <Item comments="">extended permit ip 207.193.122.0 255.255.255.0</Item>
        <Item comments="">extended permit tcp object-group</Item>
      </Criterion>
      <Criterion type="Required Regexp">
        <Item>.*\.company\.com</Item>
      </Criterion>
      <Criterion type="Forbidden Line">
        <Item>extended deny ip host 100.77.20.9 192.168.52.0</Item>
      </Criterion>
      <Criterion type="Custom Function">
        <Item>perl /home/shira/.fa/check_resolv.pl</Item>
      </Criterion>
    </Command>
  </BaselineRequirement>
  <BaselineHeader title="Introduction">Introduction to the report - freetext</BaselineHeader>
  <BaselineFooter title="Summary">Summary of the report - freetext</BaselineFooter>
</BaselineProfile>
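The following is an added example, not AlgoSec code and not part of the product: a small Python dry-run evaluator that applies the Criterion semantics described in the tag reference (Required Line, Required Regexp, Forbidden Line, Forbidden Regexp) to captured command output, and performs the two structural checks the guide calls out (unique Command IDs, and BaselineRequirement commands that reference an ID defined in CommandsDef). The profile, the device output and the /opt/checks/check_logging.pl path are constructed for the example. It assumes that a "Line" item matches when it occurs as a substring of an output line and that every Item of a Required criterion must be found; Custom Function and Manual Review criteria are reported as "review" because AFA evaluates those itself.

```python
"""Offline dry-run of a baseline configuration compliance profile.

Added example; not AlgoSec code. It applies the Criterion semantics from the
tag reference to captured command output so a custom profile can be checked
before it is uploaded to AFA. Custom Function and Manual Review criteria are
reported as "review", not executed.
Assumption: a "Line" item matches when it is a substring of an output line,
and every Item of a Required criterion must be found.
"""
import re
import xml.etree.ElementTree as ET

# Constructed profile with the same structure as the sample profile above.
SAMPLE_PROFILE = """<BaselineProfile display_name="Dry-run Profile" brand_id="asa">
  <CommandsDef>
    <Command id="1" name="Check Access" cmd="show access-list" />
    <Command id="2" name="Check Logging" cmd="show running-config logging" />
  </CommandsDef>
  <BaselineRequirement name="First" id="1">
    <Command id="1">
      <Criterion type="Required Line">
        <Item comments="">extended permit ip 207.193.122.0 255.255.255.0</Item>
      </Criterion>
      <Criterion type="Forbidden Regexp">
        <Item>extended permit ip any any</Item>
      </Criterion>
    </Command>
    <Command id="2">
      <Criterion type="Required Regexp">
        <Item>^logging host \\S+ 10\\.0\\.0\\.\\d+$</Item>
      </Criterion>
      <Criterion type="Custom Function">
        <Item>perl /opt/checks/check_logging.pl</Item>
      </Criterion>
    </Command>
  </BaselineRequirement>
</BaselineProfile>
"""

# Constructed device output, keyed by the cmd attribute of each Command.
SAMPLE_OUTPUT = {
    "show access-list": (
        "access-list outside_in line 1 extended permit ip 207.193.122.0 255.255.255.0 any\n"
        "access-list outside_in line 2 extended permit ip any any\n"
    ),
    "show running-config logging": "logging enable\nlogging host inside 10.0.0.5\n",
}


def check_criterion(ctype, items, output):
    """Return 'pass', 'fail' or 'review' for one Criterion over one command's output."""
    lines = output.splitlines()
    if ctype in ("Required Line", "Forbidden Line"):
        hits = [any(item in ln for ln in lines) for item in items]
    elif ctype in ("Required Regexp", "Forbidden Regexp"):
        hits = [re.search(item, output, re.M) is not None for item in items]
    else:
        return "review"  # Custom Function / Manual Review are handled by AFA itself
    if ctype.startswith("Required"):
        return "pass" if all(hits) else "fail"
    return "fail" if any(hits) else "pass"


def validate_profile(profile_xml):
    """Structural checks: unique Command ids in CommandsDef, and every
    BaselineRequirement/Command id must refer to a defined command."""
    root = ET.fromstring(profile_xml)
    problems, seen = [], set()
    for cmd in root.find("CommandsDef").findall("Command"):
        if cmd.get("id") in seen:
            problems.append("duplicate Command id %s in CommandsDef" % cmd.get("id"))
        seen.add(cmd.get("id"))
    for req in root.findall("BaselineRequirement"):
        for cmd in req.findall("Command"):
            if cmd.get("id") not in seen:
                problems.append("requirement %s references undefined Command id %s"
                                % (req.get("id"), cmd.get("id")))
    return problems


def evaluate_profile(profile_xml, outputs):
    """Map (requirement id, command id, criterion type) -> verdict."""
    problems = validate_profile(profile_xml)
    if problems:
        raise ValueError("; ".join(problems))
    root = ET.fromstring(profile_xml)
    cmd_syntax = {c.get("id"): c.get("cmd") for c in root.find("CommandsDef")}
    verdicts = {}
    for req in root.findall("BaselineRequirement"):
        for cmd in req.findall("Command"):
            output = outputs.get(cmd_syntax[cmd.get("id")], "")
            for crit in cmd.findall("Criterion"):
                items = [it.text or "" for it in crit.findall("Item")]
                key = (req.get("id"), cmd.get("id"), crit.get("type"))
                verdicts[key] = check_criterion(crit.get("type"), items, output)
    return verdicts


if __name__ == "__main__":
    for key, verdict in sorted(evaluate_profile(SAMPLE_PROFILE, SAMPLE_OUTPUT).items()):
        print("%-40s %s" % ("/".join(key), verdict))
```

Running the dry run on the constructed output flags the "permit ip any any" line through the Forbidden Regexp criterion while the two Required criteria pass, which is the kind of result to confirm by hand before trusting a new profile in a compliance report.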

Advanced risk editing


This section explains how to perform advanced editing of custom risk items. For
information on custom risk items, see Customize risk profiles.

Overview
You can customize Risk Profiles by defining custom risk items. Custom risk items allow
you to define more complex risks by composing the XQL query of your choice. For
example, you can define risks for the following types of allowed traffic:


l Group of several services from X to Y

l Insecure external access to device

l Over N machines can manage your device

l TCP on over M ports can enter your network

l "From A to B with service C" rules

All operators used in risk item XQL queries are standard XQL operators: $eq$, $ne$,
$lt$, $gt$, $and$, $or$, $match$ (checks against a regular expression, e.g. '/abc[de]/'),
$no_match$, brackets().

Risk item types


AFA supports the following types of risk items:

Type Description

Traffic Relates to risks regarding traffic allowed through the device.
This type of risk item can be used to detect risky traffic allowed by the
device.
In standard risk items, this type is represented by the letters
D,J,Z,K,I,S,O,M,E. In custom risk items, this type is represented by the
letter U.

Host Group Relates to risks regarding host group definitions.
This type of risk item can be used to detect certain host groups defined
on the device, according to specific criteria.
In standard risk items, this type is represented by the letter H. In custom
risk items, this type is represented by the letter U.

Properties Relates to risks regarding device property definitions.
This type of risk item can be used to detect the value of certain device
properties.
In standard risk items, this type is represented by the letter P. In custom
risk items, this type is represented by the letter U.

Rules Relates to risks regarding rule definitions.
This type of risk item can be used to detect specific rules in the policy, for
example rules with "Any" as their source and so on.
In standard risk items, this type is represented by the letter R. In custom
risk items, this type is represented by the letter U.

Traffic risk item guidelines


Sample traffic risk item (risk I08)

Queries/QIndex[@name="q_srv_Outside_Inside"]/QEntry[
@srv $eq$ "http" $and$
eval("256", "Number") $lt$ @n_dst_impact_ips
]/QRes[
@n_risky_dst_ips $ne$ 0 $and$
@n_risky_src_ips $ne$ 0 $and$
@is_vpn $ne$ "yes"
]

QIndex

This section specifies the traffic source and destination zones, by indicating them in the
name of the query results file.

Parameters

@name The query results file's name in the format:

q_srv_srcZone_dstZone

where srcZone is the source zone, and dstZone is the destination zone, as
defined in the AFA's device topology.
Available zones include Outside, Inside, DMZs, and any user-defined zone
type.
For example:
l In the preceding example, the file name is q_srv_Outside_Inside.
l For traffic going from Inside to DMZs, the relevant file name would be
q_srv_Inside_DMZs.
l For traffic between different Internal zones, the relevant file name would
be q_srv_Inside_Inside.
For access to the device itself, use the file name q_fw_access.

QEntry

This section describes the type of traffic between the source and destination zones
(specified in QIndex) that will trigger the risk. In the preceding example, a traffic query
issued to the device simulation engine will trigger this risk if the service is HTTP and the
number of affected destination IP addresses is over 256.

Parameters

@srv The service that was queried.

@action The action that occurred:
l PASS. Traffic was passed by the device.
l DROP. Traffic was blocked by the device.

@is_external_src Indicates whether the source zone of the traffic is external or not:
l yes. The source zone is external.
l no. The source zone is not external.

@n_src_impact_ips The total number of source IP addresses detected as relevant for
this query.

@n_dst_impact_ips The total number of destination IP addresses detected as relevant
for this query.

@n_TCP_dst_ports The total number of destination TCP ports detected as relevant for
this query.

@n_UDP_dst_ports The total number of destination UDP ports detected as relevant for
this query.

QRes

This section describes the type of traffic query results that will trigger the risk. In
the preceding example, the condition @is_vpn $ne$ "yes" means the traffic must not be
encrypted (VPN) traffic in order for this risk to be triggered: unencrypted HTTP
exposure is flagged, VPN-tunneled traffic is not.

Parameters

@is_vpn Indicates whether the traffic in the query result is encrypted (VPN) traffic:
l yes. The traffic is encrypted.
l no. The traffic is not encrypted.
Compare this attribute against "yes" or "no" to decide whether encrypted traffic
should trigger the risk.

@pass_rule The name of the rule that is relevant for this traffic in AFA.

Host group risk item guidelines


Sample host group risk item (risk H02)

Hosts
/Host[
@name $eq$ "Trusted_hosts" $and$
eval("20", "Number") $lt$ @n_Total
]

This query checks whether the pre-defined "Trusted_hosts" object (which represents
servers that can manage this firewall) contains more than 20 IP addresses.

Parameters

@name The host group's name.
Only alphanumeric characters, '_', '.', and '-' can be used. Other
characters are automatically replaced by '_'.

@n_Total The number of IP addresses contained in the host group.

@internal Indicates whether this host group contains internal IP addresses:
l yes. This host group contains internal IP addresses.
l no. This host group does not contain internal IP addresses.

@external Indicates whether this host group contains external IP addresses:
l yes. This host group contains external IP addresses.
l no. This host group does not contain external IP addresses.

@zone_spanning Indicates whether this host group spans multiple zones:
l yes. This host group spans multiple zones.
l no. This host group does not span multiple zones.

Property risk item guidelines


Property risk items are used to detect the value of certain firewall properties. These
properties are extracted by AFA during analysis. For a full list of properties, refer to the
properties.xml file in the relevant report directory.

Note: Properties will differ between firewall vendors. Parameters can be created for
Check Point firewalls from the asm.C file.

Sample property risk item (risk P05)

Props[http_enforce_buffer_overflow[@value $ne$ "true"]]

Rule risk item guidelines


Sample rule risk item (risk R01)

Rules/Rulebase[@interface="%INTERFACE"]/Rule[
@dst = "*" $and$
@srv = "*" $and$
@orig_rule $ne$ "" $and$
@orig_rule $ne$ "0" $and$
@vpn $ne$ "VPN_PERMIT" $and$
@vpn $ne$ "VPN" $and$
@action = "PASS"
]

This query detects all rules other than encrypted VPN rules (see @vpn below), where
both the destination and the service are "any" and the action is "PASS". Rules whose
@orig_rule is empty or "0" (implicit rules with no original rule number) are skipped.

Parameters

@src The source object of the rule.

@dst The destination object of the rule.

@srv The service object of the rule.

@src_xlt The translated source hostgroup object.

@dst_xlt The translated destination hostgroup object.

@ruleno The expanded rule ID.

@action The rule action:
l PASS. Pass the specified traffic.
l DROP. Drop the specified traffic.

@orig_rule The original rule number (in vendor format).

@vpn Indicates whether the rule is a VPN rule, as well as whether traffic is
encrypted:
l A number. The rule is a VPN rule, and the number indicates the
relevant VPN rule's number. Traffic is not encrypted.
l VPN or VPN_PERMIT. The rule is a VPN rule. Traffic is encrypted.
l Empty (""). The rule is not a VPN rule.

Note: AFA performs these queries on its internal "Expanded rules". To see these
rules in your device report, go to Explore Policy -> Expanded Rules.
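The following is an added example, not AlgoSec code: AFA evaluates XQL itself, and this Python re-implements the R01 predicate over a constructed Rules/Rulebase/Rule document that carries only the attributes listed above, so the effect of each clause can be seen on sample data. Real expanded rules carry more attributes and are not published in this form; the interface names and rule values are constructed. One thing the sample data makes visible: because the query excludes only @vpn values "VPN" and "VPN_PERMIT", an unencrypted VPN rule (numeric @vpn) with destination and service "any" is still flagged.

```python
"""Offline check of what the sample rule risk query (risk R01) matches.

Added example; not AlgoSec code. Re-implements the R01 predicate over a
constructed expanded-rules document with the attributes described above.
"""
import xml.etree.ElementTree as ET

# Constructed expanded rules. Attribute values follow the @vpn / @orig_rule
# conventions from the parameter table; everything else is made up.
SAMPLE_RULES = """<Rules>
  <Rulebase interface="outside">
    <Rule ruleno="1" orig_rule="1" src="*" dst="*" srv="*" action="PASS" vpn="" />
    <Rule ruleno="2" orig_rule="2" src="Branch_net" dst="*" srv="*" action="PASS" vpn="VPN_PERMIT" />
    <Rule ruleno="3" orig_rule="3" src="*" dst="*" srv="*" action="PASS" vpn="7" />
    <Rule ruleno="4" orig_rule="0" src="*" dst="*" srv="*" action="PASS" vpn="" />
    <Rule ruleno="5" orig_rule="5" src="*" dst="*" srv="http" action="PASS" vpn="" />
    <Rule ruleno="6" orig_rule="6" src="*" dst="*" srv="*" action="DROP" vpn="" />
  </Rulebase>
  <Rulebase interface="inside">
    <Rule ruleno="7" orig_rule="7" src="*" dst="*" srv="*" action="PASS" vpn="" />
  </Rulebase>
</Rules>
"""


def r01_matches(rule):
    """Python form of the R01 predicate: any destination, any service, PASS,
    a real original rule number, and not an encrypted VPN rule."""
    a = rule.attrib
    return (
        a.get("dst") == "*"
        and a.get("srv") == "*"
        and a.get("orig_rule", "") not in ("", "0")          # skip implicit rules
        and a.get("vpn", "") not in ("VPN", "VPN_PERMIT")    # skip encrypted VPN rules
        and a.get("action") == "PASS"
    )


def find_r01(rules_xml, interface):
    """Return the orig_rule numbers on `interface` that R01 would flag, in
    rulebase order (the same rules %RULE_TABLE would list)."""
    root = ET.fromstring(rules_xml)
    hits = []
    for rulebase in root.findall("Rulebase[@interface='%s']" % interface):
        for rule in rulebase.findall("Rule"):
            if r01_matches(rule):
                hits.append(rule.get("orig_rule"))
    return hits


if __name__ == "__main__":
    for iface in ("outside", "inside"):
        print(iface, find_r01(SAMPLE_RULES, iface))
```

On the constructed data the outside rulebase yields rules 1 and 3: rule 2 is dropped by the @vpn clause, rule 4 by the @orig_rule clause, rule 5 by @srv and rule 6 by @action. If the intent of a custom rule risk is to ignore every VPN rule, including unencrypted ones, the query needs an additional clause such as @vpn $eq$ "" rather than the two $ne$ comparisons alone.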

Assessment and remedy keywords


The following keywords can be added to risk item assessments and remedies, for richer
user-defined risk descriptions in the report. Keyword use is optional.

For more details, see Customize risk items.

Traffic Risk Item Keywords

Keyword Description

%AMOUNT The number of rules that contributed to the risk.

%CUSTOMIZATION_NOTE Standard text explaining how to eliminate this risk.

%FWNAME A link to the device's host group.

%HGRP{hostgroup} A link to the specified host group, hostgroup.
Can contain a zone name: Inside, Outside, DMZs, or a user-defined zone name.

%HREF{url} A link to an HTML file, url.

%N_DST_IMPACT_IPS The number of destination IP addresses in the query output
(without VPNs).

%N_DST_IMPACT_IPS_COUNT_VPN The number of destination IP addresses in the query
output (with VPNs).

%N_SRC_IMPACT_IPS The number of source IP addresses in the query output
(without VPNs).

%N_SRC_IMPACT_IPS_COUNT_VPN The number of source IP addresses in the query output
(with VPNs).

%N_TCP_DST_PORTS The number of reachable destination TCP ports in the query
output.

%N_UDP_DST_PORTS The number of reachable destination UDP ports in the query
output.

%PCIDS The Payment Card Industry Data Security Standard risk level.

%QREF{QueryInputFile:service} A "Details" button linking to the query results for the
specified traffic, where QueryInputFile is the query input file, and service is the
service, as defined in the AFA's device topology.
For example: %QREF{q_srv_Inside_Outside:http}

%QSRC_LIST{QueryInputFile} A list of source host groups that can access the device, as
specified in the query input file, QueryInputFile.

%SRV{service} A link to the specified service, service.
For example, %SRV{smtp} would be replaced by "smtp" and linked to the definition of
this service, as defined on this device.

%SRV_LIST A list of all the services in the query output.

%SRV_TABLE{QueryInputFile} A "Details" button linking to a table of the services in the
query results, where QueryInputFile is the query input file.

Host Group Risk Item Keywords

Keyword Description

%AMOUNT The number of rules that contributed to the risk.

%CUSTOMIZATION_NOTE Standard text explaining how to eliminate this risk.

%HGRP{hostgroup} A link to the specified host group, hostgroup.
Can contain a zone name: Inside, Outside, DMZs, or a user-defined zone name.

%HOST_TABLE A list of relevant host groups.

%HREF{url} A link to an HTML file, url.

%N_OUTSIDE_IPS The number of outside IP addresses in the query output.

%N_TOTAL The total number of IP addresses in the query output.

%PCIDS The Payment Card Industry Data Security Standard risk level.

%SRV{service} A link to the specified service, service.
For example, %SRV{smtp} would be replaced by "smtp" and linked to the definition of
this service, as defined on this device.

Property Risk Item Keywords

Keyword Description

%CUSTOMIZATION_NOTE Standard text explaining how to eliminate this risk.

%HGRP{hostgroup} A link to the specified host group, hostgroup.
Can contain a zone name: Inside, Outside, DMZs, or a user-defined zone name.

%HREF{url} A link to an HTML file, url.

%META{MetaDataParam} A link to a parameter, MetaDataParam, that was extracted
during AFA analysis.

%PCIDS The Payment Card Industry Data Security Standard risk level.

%PROPERTY{propertyName}{displayedName} A link to the specified device property,
propertyName. The link anchor text is specified in the parameter displayedName.

%SRV{service} A link to the specified service, service.
For example, %SRV{smtp} would be replaced by "smtp" and linked to the definition of
this service, as defined on this device.

Rule Risk Item Keywords

Keyword Description

%AMOUNT The number of rules that contributed to the risk.

%CUSTOMIZATION_NOTE Standard text explaining how to eliminate this risk.

%HGRP{hostgroup} A link to the specified host group, hostgroup.
Can contain a zone name: Inside, Outside, DMZs, or a user-defined zone name.

%HOST_TABLE A list of relevant host groups.

%HREF{url} A link to an HTML file, url.

%PCIDS The Payment Card Industry Data Security Standard risk level.

%RULE A link to the first rule in the query output.

%RULE_TABLE A list of all the rules in the query output.

%SRV{service} A link to the specified service, service.
For example, %SRV{smtp} would be replaced by "smtp" and linked to the definition of
this service, as defined on this device.

%SRV_LIST A list of all the services in the query output.

Configure notifications
This section describes how to configure the different types of automatic e-mail
messages supported by AFA.

For details, see:

l Schedule dashboard notifications

l Configure event-triggered notifications

l Configure device report page messages

Schedule dashboard notifications


You can schedule dashboard e-mail notifications, by adding a dashboard e-mail job to
the AFA Scheduler.

Add and edit dashboard e-mails


Do the following:

1. In the toolbar, click your username.

A drop-down menu appears.

2. Select Administration.

The Administration page appears, displaying the Options tab.

3. Click the Scheduler tab.

The Scheduler Setup page appears with a list of scheduled analysis and
dashboard e-mail jobs.


4. Do one of the following:

l To schedule a new dashboard e-mail job, in the Schedule Dashboard E-mail
area, click New.

l To edit an existing dashboard email job, click on the Edit icon next to the
desired job.

New fields appear.


5. In the Job name field, type a name for the job.

6. In the Select dashboard drop-down list, choose a dashboard.

7. In the Recipients field, type an e-mail address or a comma-separated list of multiple
e-mail addresses to which to send the notifications.

8. (Optional) In the Email Subject field, type a subject for the email notifications.

The default subject is the dashboard's name.

9. (Optional) In the Email Body field, type a message to include in the body of the
email notifications.

10. In the Recurrence area, specify how often the dashboard e-mail job should run.

You can select a daily, weekly, monthly, quarterly, or yearly recurrence, or
configure the e-mail to be sent when a policy is installed on the device(s).

The fields in the Recurrence Pattern area change according to your selection.

11. In the Recurrence Pattern area, configure the desired pattern of recurrence.

12. Click OK.

Deleting Scheduled Jobs


Use this procedure to delete a scheduled analysis or dashboard email.

Do the following:

1. In the toolbar, click your username.

A drop-down menu appears.

2. Select Administration.

The Administration page appears, displaying the Options tab.

3. Click the Scheduler tab.

The Scheduler Setup page appears with a list of scheduled analysis and
dashboard e-mail jobs.

4. Select the check box next to the desired job.

5. Click Delete.

A confirmation message appears.

6. Click Yes.

The job is deleted.

Configure event-triggered notifications


You can configure AFA to send e-mail notifications when certain events occur. All
notifications are configured per user or role, and device related notifications are
configured per device.


Supported notifications
Supported notifications include:

l When an analysis detects changes in the risks or policy of a device.

l When an analysis is completed.

l When real-time change monitoring detects configuration changes.

l When rules and VPN users are about to expire.

l When a system error or system customization occurs.

E-mail Notification Example 1: Analysis completed

E-mail Notification Example 2: Changes to policy and risks


Configure AFA to send event triggered e-mail notifications


1. Configure the mail server settings. For details, see Configuring Mail Server
Settings.

2. Enable the desired notifications for each user or role that should receive e-mail
notifications. For details, see Manage users and roles in AFA.

Configuring Mail Server Settings

1. In the toolbar, click your username.

A drop-down menu appears.

2. Select Administration.

The Administration page appears, displaying the Options tab.

3. In the Options tab, click the Mail sub-tab.

The Mail tab appears.


4. Complete the fields as needed:

Server name Type the SMTP server's name.

Use name and password Select this option if the SMTP server requires a username
and password.

Username Type the username for the SMTP server.

Password Type the password for the SMTP server.

Use SSL Select this option to use SSL when authenticating with the SMTP server.
If the server requires a username and password, enable this option so that the
credentials are not sent to the server in the clear.

Email Notification FROM address Type the "From" address of the notification. All
e-mail notifications will appear as coming from this e-mail account.

Test E-Mail message Click this button to send a test e-mail to all administrators.

Email greeting (Optional) Type an e-mail greeting to include in the body of the
e-mail.

Default Click this button to reset the e-mail greeting to its default setting.

5. Click OK.

Configure device report page messages


You can configure AFA to send specific report pages to a user automatically, each time
a report is generated for a certain device. AFA sends the specified user a single e-mail
with the specified report pages attached as individually zipped PDF documents. The e-
mail includes a list of the attached report pages, as well as a list of any report pages that
could not be attached due to inadequate permissions or size limitations.

Note: The specified user must have permission to view the device and the specified
report pages. E-mails will not be sent to users that do not have permission to view
the device. Report pages for which the user does not have permissions will not be
included in the e-mail. No e-mail notification options need to be enabled in the user's
settings in order for the user to receive these e-mail messages.

Note: By default, each e-mail can be sent with up to 10 MB of attachments, only.
Once the size limit has been reached, additional report pages will not be attached.
It is possible to change the size limit, by opening /home/afa/.fa/config and adding
the following line:

MaximumReportZipFileSize=sizeLimit

Where sizeLimit is the desired size limit in MB.

Note: It is possible to generate report page PDFs (including those that cannot be
sent to a user due to inadequate permissions or size limitations) for additional uses.
For example, you could export the PDFs to a central repository in order to display
them on an enterprise or MSSP portal. The desired usage should be implemented by
a script that receives the path of the report's directory as a parameter, and which runs
after generating report pages for all devices and users, but before removing all of the
created files.
To configure AFA to use such a script, open /home/afa/.fa/config and add the
following line:

PostPublishReportParts=command

Where command is the command to run. Because whatever is configured here runs
automatically on every report publish, keep the script owned by the AFA account and
not writable by other users.

To automatically send device report pages to users:

1. On the AFA server, under /home/afa/.fa, create a file called publish_def.xml.

2. Add the following lines to this file:

<ReportPartsPublish>
<DevicesDef>

<Device name="deviceName">
<User username="userName" parts="reportPages" />
</Device>
</DevicesDef>
</ReportPartsPublish>

Where:

l deviceName is the name of the device whose report pages should be sent. A
list of all device names is available in the file
/home/afa/.fa/firewall_data.xml.

l userName is the username of the user who should receive the report pages.
A list of all usernames is available in the file /home/afa/.fa/users_info.xml.

l reportPages is a list of report page IDs separated by semicolons (;). A list of
report pages and their IDs is available in the file
/usr/share/fa/data/publish_parts.xml, where each report page is
represented by a Part tag, and each page's ID number appears in the Part
tag's id attribute.

An example is available under /usr/share/fa/data.

Note: Parts 1-14 are supported for group reports and single device reports.
Parts 15 and up are only supported for single device reports.

3. Save the file.
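The following is an added example, not AlgoSec code: a Python validator for a publish_def.xml that parses the ReportPartsPublish structure described above and cross-checks each User entry against known device names, known usernames and the Part IDs declared in publish_parts.xml, applying the rule that parts 15 and up are only supported for single device reports. The contents of publish_parts.xml and publish_def.xml shown here are constructed; only the Part/id structure the guide describes is assumed. The real firewall_data.xml and users_info.xml formats are not described in this section, so the known device names, the subset of them that are device groups, and the usernames are passed in as plain Python sets.

```python
"""Validate a publish_def.xml before dropping it into /home/afa/.fa.

Added example; not AlgoSec code. Checks device names, usernames and part ids
against sets supplied by the caller and against the Part ids in
publish_parts.xml. Assumption: a "group report" is the report of a device
group, so entries for group devices may only use parts 1-14.
"""
import xml.etree.ElementTree as ET

# Constructed stand-in for /usr/share/fa/data/publish_parts.xml.
SAMPLE_PARTS = """<Parts>
  <Part id="1" name="Home" />
  <Part id="2" name="Risks" />
  <Part id="14" name="Changes" />
  <Part id="15" name="Policy" />
</Parts>
"""

# Constructed publish_def.xml with one clean entry and several faulty ones.
SAMPLE_PUBLISH_DEF = """<ReportPartsPublish>
  <DevicesDef>
    <Device name="fw-dc1">
      <User username="alice" parts="1;2;15" />
      <User username="mallory" parts="1" />
    </Device>
    <Device name="ALL_FIREWALLS">
      <User username="alice" parts="1;15" />
    </Device>
    <Device name="fw-missing">
      <User username="alice" parts="1;99;x" />
    </Device>
  </DevicesDef>
</ReportPartsPublish>
"""


def load_part_ids(parts_xml):
    """Set of Part ids (as ints) declared in publish_parts.xml."""
    return {int(p.get("id")) for p in ET.fromstring(parts_xml).iter("Part")}


def validate_publish_def(def_xml, devices, group_devices, users, part_ids):
    """Return a list of human-readable problems; an empty list means clean.

    devices: all known device names; group_devices: the subset that are device
    groups (their reports are group reports); users: known usernames.
    """
    problems = []
    root = ET.fromstring(def_xml)
    for dev in root.iter("Device"):
        dname = dev.get("name", "")
        if dname not in devices:
            problems.append("unknown device %r" % dname)
        for user in dev.findall("User"):
            uname = user.get("username", "")
            if uname not in users:
                problems.append("unknown user %r on device %r" % (uname, dname))
            # parts is a semicolon-separated list of Part ids; ignore empty tokens
            for token in filter(None, user.get("parts", "").split(";")):
                if not token.isdigit():
                    problems.append("non-numeric part id %r for %s/%s" % (token, dname, uname))
                    continue
                pid = int(token)
                if pid not in part_ids:
                    problems.append("undeclared part id %d for %s/%s" % (pid, dname, uname))
                elif pid >= 15 and dname in group_devices:
                    problems.append("part %d is single-device only but %r is a group" % (pid, dname))
    return problems


if __name__ == "__main__":
    known = {"fw-dc1", "ALL_FIREWALLS"}
    for problem in validate_publish_def(SAMPLE_PUBLISH_DEF, known, {"ALL_FIREWALLS"},
                                        {"alice"}, load_part_ids(SAMPLE_PARTS)):
        print(problem)
```

Run it against the real file with the device names taken from firewall_data.xml and the usernames from users_info.xml; an entry for a user who does not exist, or who lacks permission on the device, silently produces no e-mail, so catching the typo here is cheaper than waiting for the next report.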


Define AFA preferences


Use the following procedure to set preferences when domains are not enabled or when
setting preferences in a specific domain.

Do the following:

1. In the toolbar, click your username.

A drop-down menu appears.

2. Select Administration.

The Administration page appears, displaying the Options tab and the General
sub-tab.

3. Access the desired configuration options, by clicking the relevant sub-tab in the
Options Menu area.

4. Set the desired preferences by completing the relevant fields:

l To set general analysis options, complete the fields using the information in
General (see General).

l To set language options, click the Language sub-tab and complete the fields
using the information in Language (see Language).

l To set Web interface options, click the Display sub-tab and complete the
fields using the information in Display (see Display).

l To set log analysis options, click the Log analysis sub-tab and complete the
fields using the information in Log Analysis (see Log analysis).

l To configure a proxy server, click the Proxy sub-tab and complete the fields
using the information in Proxy (see Define a device proxy).

l To configure a mail server, click the Mail sub-tab and complete the fields
using the information in Mail (see Mail).


l To set criteria for storing/deleting AFA reports, click the Storage sub-tab and
complete the fields using the information in Storage (see Storage).

l To integrate AFA with a change management system, click the Workflow
sub-tab and complete the fields using the information in Workflow (see
Workflow).

l To configure how users are authenticated, click the Authentication sub-tab
and complete the fields using the information in Authentication (see
Authentication).

l To set backup and restore options (for all of ASMS), click the
Backup/Restore sub-tab and complete the fields using the information in
Backup/Restore (see Backup/Restore).

Note: If you are logged in to a specific domain in an ASMS environment with
domains enabled, only the following options are available: General, Display,
Authentication, Log Analysis, and Workflow.

5. To set advanced configuration parameters, click the Advanced Configuration sub-
tab and complete the fields using the information in Advanced Configuration (see
Advanced Configuration).

6. After changing a set of options, click OK.

Note: AFA preferences, as well as other information, are stored in the .fa directory
in the user's home directory.

General
Use the General tab to set the following options.


General Fields

In this field... Do this...

Comprehensive mode - analyze every service defined on the device (slow) Select this
option to specify that AFA should analyze all of the services defined on the device,
and not only the ones relevant for risks.
Selecting this option results in more comprehensive information in the reports' Policy
tab, particularly when comparing different reports.
Note: Checking this option will result in longer analysis time and will require more
disk space.

With IP address name lookups (slow) Select this option to add the DNS name next to
any IP address shown in a report, if a DNS name exists. This functionality requires
the AFA machine to be connected to the network and configured to use a name server.
If you want analysis to run faster, clear this option.

Include traffic changes analysis in Change History (slow) Select this option to specify
that the Changes report page should include the calculated changes in allowed traffic
(in addition to its regular content).
If you want analysis to run faster, clear this option.

Timed rules: only apply rules active at analysis time Select this option to specify
that time-dependent rules should only be applied if they are active when AFA analysis
is performed. This is relevant to policy optimization criteria.

Use public key authentication in data collection Select this option to use public key
authentication in SSH connections to a Check Point management, Juniper Netscreen
devices, or NSMs.
Note: When this option is enabled, the password defined for the device(s) in AFA
must be the local private key passphrase.

Simulation timeout (seconds) Type the maximum amount of time in seconds that a
traffic simulation query can run.

Firewall Analyzer (A30.10) Page 467 of 542


Administration Guide | Define AFA preferences

In this field... Do this...

Data collection Type the amount of time in seconds that the device analyzer
timeout should wait for the device's reaction before aborting
(seconds) communications.
If you encounter timeout problems, increase this value.

Days before Type the number of days before a device rule or VPN user expires
expiration alerts that AFA should consider the rule/user as about to expire. This is
relevant for policy optimization and for users who are configured to
receive such notifications.

Report rules Complete this field to indicate you want to find rules whose
whose comments match a regular expression, or rules whose comments
comment field... do not match a regular expression. Select the desired operator in
the drop-down menu and type a regular expression describing the
format for the rule comment.
For example, if you select does not match, and then type a regular
expression that defines the required format of a rule comment, you
can detect non-compliant rule comments.
Click on the Details button for more information and examples of
regular expressions.
If this field is left empty, rule comment detection will be disabled.

Run device Select Only if the policy/topology changed to specify that if a


analysis policy is detected as unchanged during a scheduled analysis, then
AFA should not run a full report, but instead create an unchanged
report that links to the last report for the policy.
Select Always to specify that AFA will always run a full analysis,
regardless of whether the policy has changed or not.

Note: Selecting the Always option will result in longer analysis


time and will require more disk space.

Language
In the Language tab, select the language for risk titles in reports. Currently only English
and Japanese are supported.


Display
In the Display tab, set the display options described below.

Display Fields

Session timeout (minutes): Enter the number of minutes of inactivity before a user is
logged out of the Web interface.

Enable Custom Logo: Select this option to upload a custom logo that will appear at
the top right corner of every page of the AFA, FireFlow and AppViz Web Interfaces,
as well as all future AFA reports.
The logo file must be in GIF, JPG, or PNG format, and it must be 115 pixels in width
and 50 pixels in height. It is important to use these exact dimensions, so that the
logo image is not distorted.
To remove a custom logo, clear this check box.

Log analysis
In the Log analysis tab, set the log analysis options described below.

Log analysis fields

Use log starting n days before the report date: Type the number of days before a
report date to specify how far back you want to use log data when generating AFA
reports. For example, if you set this field to 180, AFA will use all logs generated
between 180 days before the report date and the actual report date, when creating
the report.

Timeout for log analysis is n minutes: Type the maximum amount of time in minutes
for log analyses to run.

Define log collection for selected devices: Click Define to define log collection
for AppViz Discovery.

Define a device proxy
In the Proxy tab, set the proxy options described below.

Note: If you do not know the proxy settings in your organization, contact your local
network administrator.


Proxy fields

Use proxy server: Select this option to specify that a proxy server is used to access
the Internet. This is relevant for the following situations:
• You want to connect to cloud devices defined in AFA (such as AWS or Azure) via a
proxy server.
• You want to validate your AFA "Online" license via a proxy server. Defining the
proxy server enables AFA to access the license server.
Note: This only applies if you received an "Online" license from AlgoSec.
Note: Only one proxy server can be defined.

Proxy: Type the proxy server's IP address.

Port: Type the port number used by the proxy server.

Use proxy authentication: Select this option if the proxy server requires
authentication. If you select this option, you must complete the Username and
Password fields.

Username: Type the username to use for authenticating to the proxy server.

Password: Type the password to use for authenticating to the proxy server.

Mail
In the Mail tab, configure a mail server for sending automatic e-mail notifications. For
information about AFA e-mail notifications, see Configure event-triggered notifications.


Storage
Whenever AFA generates a report, the report is stored on the AFA server. Each AFA
report may consume a significant amount of storage (about 75 MB per report on
average, though this can vary greatly). For example, if you have four devices whose
policies are changed and analyzed daily, then AFA reports will consume about 4x75 =
300 MB per day, or 7x4x75 = 2.1 GB per week. Therefore, you would require an empty
150 GB disk in order to store 70 weeks' worth of reports.

To enable you to efficiently manage your available disk space, and to prevent an
overload of data on the AFA server, you can configure AFA to delete old reports, based
on deletion criteria you define. You can configure clean-up to run automatically or trigger
it manually, as needed.


Note: AFA checks the amount of local disk space remaining after running each
report. If the remaining space is less than 10 GB, or if more than 95% of the disk is
already used, AFA sends a warning e-mail to the users configured to receive error
messages via e-mail notifications (see Configure event-triggered notifications). In
addition, AFA also sends notifications via the issues center and Syslog messages.

Note: AFA provides an option to only run a scheduled analysis if policy changes
were detected since the previous analysis. This option ensures that full analyses will
only run when the report will differ from the most recent report, saving both the CPU
time needed to produce a report and the disk space needed to store it. To enable this
option, select the Run analysis only when policy is changed check box, in the
General sub-tab of the Options tab in the Administration area. For more details, see
Define AFA preferences.

Note: You can optionally save reports on your remote backup server by including
reports in your ASMS backups. See the Backup/Restore (see Backup/Restore) tab.

Configure report cleanup

Do the following:

1. In the toolbar, click your username.

A drop-down menu appears.

2. Select Administration.


The Administration page appears, displaying the Options tab.

3. Click Storage.

The Storage tab appears.

4. Complete the fields using the information in Storage Fields (see Storage Fields).

5. Click OK.


If the number of days to retain reports is greater than the number of days to retain
the monitoring information, a confirmation message appears.

Click OK.

The settings are changed.

6. To delete any reports that meet the deletion criteria immediately, rather than wait
until the next scheduled clean-up time, do the following:

a. Click Clean-up now.

A success message appears.

b. Click OK.

Storage Fields

Keep all reports from the last n days: Select this option to enable automatic
deletion of reports older than a specified number of days, then type the number of
days after which reports should be deleted.

Do not keep older reports (Default): Click this option to specify that AFA should
delete all reports that have reached the age specified in the Keep all reports from
the last n days field.

Leave one report per month for each device: Click this option to specify that each
month AFA automatically deletes all reports, except for the most recent successful
report for each device, for audit purposes.

Leave one report per quarter for each device: Click this option to specify that each
quarter AFA automatically deletes all reports, except for the most recent successful
report for each device, for audit purposes.

Keep reports of deleted devices: Select this option to specify that AFA retains a
device's reports when the device is removed from AFA.

Run the clean-up job daily at: Use the drop-down lists to specify the time at which
AFA should perform automatic deletion each day.

Clean-up now: Click this button to delete any reports that meet the deletion criteria
immediately, rather than wait until the next scheduled clean-up time.
Important: If you made changes to the deletion criteria that you want to apply to the
clean-up, click OK to save the changes before clicking this button.

Retain per-device monitoring information for n days: Type the number of days of
change monitoring reports you want to retain for each device.
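The retention choices above, as an added Python illustration (not AlgoSec code): a selection routine that applies "Keep all reports from the last n days" together with one of the three older-report modes and the "Keep reports of deleted devices" option to a list of report records. The Report and RetentionPolicy types, the function names and the sample reports are constructed here; since the guide does not say how the monthly and quarterly modes pick their audit copy, this takes the most recent successful report per device per calendar month or quarter among the reports older than n days.

```python
"""Report clean-up selection modelled on the AFA Storage tab (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Report:
    device: str
    generated: date
    successful: bool


@dataclass(frozen=True)
class RetentionPolicy:
    keep_days: int                       # "Keep all reports from the last n days"
    older_reports: str = "none"          # "none" (Default), "monthly" or "quarterly"
    keep_deleted_devices: bool = False   # "Keep reports of deleted devices"


def _period(day, mode):
    """Calendar month or quarter a report date falls in."""
    if mode == "monthly":
        return (day.year, day.month)
    return (day.year, (day.month - 1) // 3 + 1)


def reports_to_delete(reports, policy, today, active_devices):
    """Return the reports the clean-up job would remove, oldest first.

    Assumption (not stated by the guide): reports of a device that no longer
    exists are dropped regardless of age unless keep_deleted_devices is set,
    in which case they are treated like any other device's reports.
    """
    cutoff = today - timedelta(days=policy.keep_days)
    audit_copies = {}
    if policy.older_reports in ("monthly", "quarterly"):
        # Per device and period, the most recent successful report that is
        # already past the retention window survives for audit purposes.
        for r in reports:
            if r.generated < cutoff and r.successful:
                key = (r.device, _period(r.generated, policy.older_reports))
                if key not in audit_copies or r.generated > audit_copies[key].generated:
                    audit_copies[key] = r
    kept = set(audit_copies.values())

    doomed = []
    for r in reports:
        if r.device not in active_devices and not policy.keep_deleted_devices:
            doomed.append(r)
        elif r.generated < cutoff and r not in kept:
            doomed.append(r)
    return sorted(doomed, key=lambda r: r.generated)


# Constructed sample data: two devices, reports spread over four months.
TODAY = date(2020, 5, 4)
SAMPLE_REPORTS = [
    Report("fw1", date(2020, 1, 10), True),
    Report("fw1", date(2020, 1, 25), True),
    Report("fw1", date(2020, 1, 30), False),   # failed run, never an audit copy
    Report("fw1", date(2020, 3, 3), True),
    Report("fw1", date(2020, 4, 20), True),
    Report("fw2", date(2020, 2, 14), True),
    Report("fw2", date(2020, 5, 1), True),
]


def deletion_dates(policy, active_devices=frozenset({"fw1", "fw2"})):
    """ISO dates of the sample reports a clean-up run would delete."""
    return [r.generated.isoformat()
            for r in reports_to_delete(SAMPLE_REPORTS, policy, TODAY, active_devices)]


if __name__ == "__main__":
    for mode in ("none", "monthly", "quarterly"):
        print(mode, deletion_dates(RetentionPolicy(keep_days=30, older_reports=mode)))
```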

Workflow
In the Workflow tab, define the parameters for integration with an external corporate
Change Management System (CMS). AFA supports integration with AlgoSec FireFlow,
BMC Remedy, HP ServiceCenter (ServiceNow), or any other system supporting Web-
based access.

When implementing a requested change in the device, many organizations choose to
specify a CMS ticket ID in the relevant rule comment. AFA will automatically detect such
CMS ticket IDs in rule comments. Wherever a rule is displayed in the AFA report, its
comment will include a link to the CMS system, pointing at the relevant ticket. Clicking
the link opens a browser window with the relevant CMS ticket open, allowing further
examination of the change (who requested it, who authorized it and when, etc.).


Change request ID format

This option is relevant for all Workflow types. It allows you to define a format to
which the device rule comments must comply so that AlgoSec recognizes them as
containing a change request ID. Only properly formatted rule comments will be linked
to the CMS change request.

AFA will look for the following format in the rule comments:

<Before><Change_Request_id><After>

Where <Before> and <After> are fixed strings, and <Change_Request_id> is a Perl
regular expression (see note below).

For example:

Before: Change Request #

Change Request id: \d+

After: #

This comment will become a link: 'Change Request #1234#'. This comment will not
become a link: 'Change Request 1234#', because <Before> is not equal to 'Change
Request #'.

Note: The required Change_Request_id format must be specified as a Perl regular
expression. You can find tutorials on writing regular expressions on the Internet.
Here are some examples of the type of things you can accomplish:

Note: \d represents a digit, \s represents a space, \w an alphanumeric character.

Note: Examples:

\d\d\d\d-\d\d: comments must contain a change request number like 1234-56

\d\d-\d\d-\d\d\d\d: comments must contain a date like 01-01-2007

[A-Z]{2}\s*\d+: comments must contain two capital letters, then zero or more spaces,
then one or more digits (e.g. "AK  123")

AlgoSec FireFlow
If you use AlgoSec FireFlow, select AlgoSec Fireflow in the Workflow tab to fill in
FireFlow-specific parameters.

• Server: Name of the AlgoSec FireFlow server to be accessed (usually the AFA
server).

• URL Template: The structure of the URL that will be created for change request ID
links in AFA reports. The following keywords will be replaced by the relevant
values: __SERVER_NAME__ and __REQUEST_ID__.
Click the Show Full URL button to see the resulting URL string.

BMC Remedy
If you use a BMC Remedy Change Management System, select BMC Remedy in the
Workflow tab to fill in Remedy-specific parameters.


Fill in the different fields, in order to allow AFA to create the correct links. The format of a
typical URL to a Remedy change request is as follows:

<protocol>://<mid_tier_server>/arsys/servlet/ViewFormServlet?server=
<server_name>&form=<form_name>&qual=<query>

Where:

• <protocol>: may be either http or https

• <mid_tier_server>: (required) the server name or IP where the Mid Tier is
installed. May contain an optional port number, format: 192.168.2.60:8080

• <server_name>: (required) Name of the AR System server to be accessed.

• <form_name>: (required) Name of the AR System form to be accessed.

Example:

If the parameters are:

• Mid Tier Server: 192.168.2.60:8080 (Host: 192.168.2.60, Port: 8080)

• Server: remedy (this is its DNS name)

• Form: Sample

• URL Template: kept at the AlgoSec default.

Then the fully formatted URL for change request id 12345 would look like this (all on
one row):

http://192.168.2.60:8080/arsys/servlet/ViewFormServlet?server=remedy&form=
Sample&qual=%27Change%20ID%2A%2B%27%3D%2212345%22

The URL template that AFA uses can be viewed and edited in the URL Template field. It
contains the structure of the URL that will be created for change request ID links in AFA
reports. You may change this field to specify the URL format explicitly (overriding the
defaults). The following keywords will be replaced by the relevant values:
__SERVER_NAME__, __MID_TIER_SERVER__, __FORM_NAME__, __REQUEST_ID__.

Click Show Full URL to see the resulting URL string.
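The rule-comment handling described in the General tab ("Report rules whose comment field..."), the Change request ID format above, and the Remedy URL example, as one added Python illustration (not AlgoSec code). The function names are constructed here, and because the guide shows only the final Remedy URL, the default URL template is reconstructed from that URL and marked as an assumption.

```python
"""Rule-comment regex checks and CMS ticket links as the Workflow tab
describes them (added illustration, not AlgoSec code)."""
import re
from urllib.parse import quote


def report_rules_by_comment(comments, regex, operator="does not match"):
    """The General-tab filter: comments that fail (or, with operator
    "matches", hit) the regular expression. An empty regex disables it."""
    if not regex:
        return []
    pattern = re.compile(regex)
    want_match = operator == "matches"
    return [c for c in comments if bool(pattern.search(c)) == want_match]


def find_change_request_ids(comment, before, id_regex, after):
    """Ticket ids written as <Before><Change_Request_id><After>: before and
    after are literal strings, id_regex is the Perl-style expression."""
    pattern = re.compile(re.escape(before) + "(" + id_regex + ")" + re.escape(after))
    return [m.group(1) for m in pattern.finditer(comment)]


def expand_url_template(template, **values):
    """Replace __KEYWORD__ placeholders. __REQUEST_ID__ is filled last, so a
    placeholder inside a substituted __QUERY__ (the HP ServiceCenter form) is
    filled too, and the id is percent-encoded because it comes from a device
    rule comment rather than from the administrator."""
    url = template
    for key, value in values.items():
        if key != "REQUEST_ID":
            url = url.replace("__" + key + "__", value)
    if "REQUEST_ID" in values:
        url = url.replace("__REQUEST_ID__", quote(values["REQUEST_ID"], safe=""))
    return url


# Assumed reconstruction of the default Remedy template: the guide shows only
# the resulting URL, whose qual parameter is the encoded form of
# 'Change ID*+'="<request id>".
REMEDY_TEMPLATE = (
    "http://__MID_TIER_SERVER__/arsys/servlet/ViewFormServlet"
    "?server=__SERVER_NAME__&form=__FORM_NAME__&qual="
    + quote("'Change ID*+'=\"__REQUEST_ID__\"", safe="")
)


def remedy_links(comment, before, id_regex, after, **server_values):
    """All Remedy ticket links a single rule comment gives rise to."""
    return [expand_url_template(REMEDY_TEMPLATE, REQUEST_ID=cr_id, **server_values)
            for cr_id in find_change_request_ids(comment, before, id_regex, after)]


if __name__ == "__main__":
    # Constructed sample comments; the first follows the guide's own example.
    for c in ["Change Request #12345#", "Change Request 1234#"]:
        print(c, remedy_links(c, "Change Request #", r"\d+", "#",
                              MID_TIER_SERVER="192.168.2.60:8080",
                              SERVER_NAME="remedy", FORM_NAME="Sample"))
```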

HP ServiceCenter (formerly Peregrine)

If you use an HP ServiceCenter (formerly Peregrine) Change Management System,
select HP ServiceCenter (Peregrine) in the Workflow tab to fill in
ServiceCenter-specific parameters.


Fill in the different fields, in order to allow AFA to create the correct links. The format of a
typical URL to an HP ServiceCenter change request is as follows:

<protocol>://<server>/sc/index.do?ctx=docEngine&file=<file>&query=
<query>&action=&title=Ticket%20Information

Where:

• <protocol>: may be either http or https

• <server>: The HP ServiceCenter (Peregrine) server (name or IP address)

• <file>: The table name

• <query>: Format of the actual query string, e.g. number="__REQUEST_ID__" or
incident.id="__REQUEST_ID__"

The string "__REQUEST_ID__" must appear in the query, and will be replaced by the
actual request ID in the final link URL.

The URL template that AFA uses can be viewed and edited in the URL Template field. It
contains the structure of the URL that will be created for change request ID links in AFA
reports. You may change this field to specify the URL format explicitly (overriding the
defaults). The following keywords will be replaced by the relevant values:
__SERVER_NAME__, __FILE_NAME__, __QUERY__.

Click Show Full URL to see the resulting URL string.

Note: Some versions of HP ServiceCenter may require the URL to contain a hash
value in addition to the query itself. In order to integrate with AFA, this option should
be disabled.

Note: In order to configure the Web application to ignore this hash value in
ServiceCenter version 6.x and below, add the following lines to the Web
application's web.xml file:

<init-param>
  <param-name>sc.querysecurity</param-name>
  <param-value>false</param-value>
</init-param>

Note: In HP Service Manager version 9.2 and above, add the following lines to the
Web application's web.xml file on the Service Manager server:

<init-param>
  <param-name>querySecurity</param-name>
  <param-value>false</param-value>
</init-param>

Note: In addition, you must add the following line to the sm.ini file:

querysecurity:0

Other
If you use any other CMS system, which supports Web-access, choose Other.

• Server: Name of the HP ServiceCenter server to be accessed.

• URL Template: The structure of the URL that will be created for change request ID
links in AFA reports. The following keywords will be replaced by the relevant
values: __SERVER_NAME__, __REQUEST_ID__.
Click the Show Full URL button to see the resulting URL string.

Authentication
In the Authentication tab, configure the methods AFA uses for authenticating users and
authenticating devices.

For more details, see Configure user authentication and Integrate AFA and CyberArk.


Backup/Restore
This section describes how to back up and restore your AlgoSec Firewall Analyzer from
AFA using both automatic scheduling and manual processes.

Backup files include ASMS users, devices, and other configurations and optional
content, and can be saved locally or on a remote server. Only one backup or restore
process can run at a single time.


Backup and restore prerequisites

Note the following before starting your backup or restore procedure:

User roles: You must be an administrator to perform the backup or restore.

Version: You can only restore ASMS to the same major version from which the backup
was taken.
If you have upgrades to perform, upgrade your system only before the backup or after
the restore. Do not attempt to upgrade your system between backup and restore
processes.

System processes: Restoring your system requires some downtime. Disable any jobs
scheduled to run during the restore process, such as ASMS monitoring or analysis.
Reinstate the scheduling once the restore is complete.

System requirements: We recommend always restoring to an appliance with the same
number of cores as the appliance from which the backup was taken.

For more details, see:

• Backup and restore on distributed architectures

• Define backup options

• Back up your system

• Restore your system

Backup and restore on distributed architectures

Backup and restore handles data on a single appliance. Performing a restore overwrites
the settings and device definitions on each target node with the data from the source
node.

Additionally:

• In geographic distributions, the target appliance for the restore must have the
same number of Remote Agents, with the same names, as the appliance on which
the backup was performed.

• In load distributions, restoring to an environment with fewer Load Units than
existed on the backup environment will impact performance.

Note: We recommend running your backup and restore on the Central Manager or
Master Appliance only.

Define backup options

In the AFA Administration area, browse to the Options > Backup / Restore tab, and
define the Backup Scheduler options and Backup Server options.

Backup Scheduler options

Define the following options to schedule a regular system backup:

Schedule backup: Select to schedule a regular backup process.
Define the daily, weekly, or monthly backup schedule in the Scheduling Options area
that appears below.

Backup options: Select either of the following:
• Include traffic logs. Includes traffic logs in the backup.
• Include reports. Includes AFA reports in the backup. This option includes all
reports created since the last scheduled backup.

Additional options: Select Encrypt backup files to configure encryption for the
backup file. In the Password and Retype password fields that appear, enter and
confirm the password you want to use to secure the backup file.

Backup Server options

Define the following options to define your backup server:

Back up via: Select one of the following to determine how backup files are sent to
the backup server:
• FTP
• SFTP
• Local

Backup server name: Enter the name of the backup server.
This field is not relevant for local backups.

Username / Password: Enter the credentials used to access the backup server.
These fields are not relevant for local backups.
Note: Public key authentication is supported for SFTP. In such cases, enter the
private key's passphrase in the Password field.

Path: Enter the path where you want to store the backup files. The afa user must
have permissions to access the specified path.
If the directory does not exist, AFA will attempt to create the folder automatically,
as follows:
• Local paths. When testing the connection.
• Remote paths. Only when performing a backup, either manual or automatic.

Note: If an error appears stating that there are connection problems, the user may
not have the permissions required to create the directory.
In such cases, either manually change the permissions or have an admin user create
the directory.

Back up your system

This procedure describes how to perform an immediate ASMS backup, in addition to
any backup process you may have scheduled.

Do the following:

1. In the AFA Administration area, browse to the Options > Backup / Restore tab.

2. Click Back up now...

3. In the Backup configuration dialog that appears, select any of the following
options as needed:

Include traffic logs: Includes traffic logs in the backup.

Include reports: Includes AFA reports in the backup. By default, this includes all
reports created since the last scheduled backup.
Tip: To save disk space, select Only include last successful report per device.
Including all existing reports may require a significant amount of disk space.

Encrypt backup files: Select to configure encryption specifically for this backup
file. In the Password and Retype password fields that appear, enter and confirm the
password you want to use to secure the backup file.

4. In the Backup configuration dialog, click Back Up Now to start the backup.

Backup files are created in the path configured, including several directories containing
your backup files. Each directory contains a single backup, where the folder name is the
epoch timestamp of when the backup was generated.

Restore your system

This procedure describes how to restore your ASMS system from a saved backup file.
Restoring ASMS replaces all existing users, devices, and configurations with those
specified in the selected backup file.

Do the following:

1. If you are working with HA/DR clusters, break your cluster before starting your
restore.


2. In the AFA Administration area, browse to the Options > Backup / Restore tab.

3. Click Restore now...

4. In the Backup configuration dialog that appears, enter the following values:

File name: Enter the filename of the backup file you want to use.

Backup file requires password: Select if the backup file is encrypted. Enter the
required password in the Password field that appears.
Note: Entering an incorrect or old password restores only those reports that were
not encrypted, or those encrypted with the password entered. In such cases, the
restore process does not fail, but error messages in the log indicate the names of
the reports that failed to restore.

The restore process begins.

Note: ASMS is unresponsive for the duration of the restore process.

To view details during the process, see the log file at
/data/algosec-ms/logs/ms-backuprestore.log.

5. After the restore is complete, run a report on All Firewalls to ensure a valid
network map.

Advanced Configuration
This topic describes how to add and modify advanced AFA configuration parameters, as
well as a reference of parameters available.

Add a new AFA configuration parameter and value

This procedure describes how to add a new advanced configuration parameter to AFA.
Use this procedure to override various system defaults or implement hotfix updates.


Do the following:

1. In the toolbar, click your username and select Administration to access the
AFA Administration area.

2. Navigate to Options > Advanced Configuration.

3. Click Add, and enter the name and value of your configuration parameter.

4. Click OK to close the dialog, and then OK again to save your changes.

Advanced AFA configuration parameter reference

The following tables list commonly used AFA configuration parameters and their
possible values.

Use the alphabetical links below to jump between tables.

A-B | C | D | E-I | L | M | N-R | S-W

A-B

Active_Change_Backups_Number: CLI only. Define the number of backup files stored by
AFA for Cisco firewalls, Juniper SRX devices, or Panorama devices.
Default: 50

AddOnlyChildren: Determines whether the add_device_to_group and
create_device_group SOAP APIs add both the parent and children devices to the
group.
Possible values:
• 0: Both parents and children are added. (Default)
• 1: Only children are added.

ALGOSEC_EA_ARISTA: Determines whether AFA administrators can add Arista devices to
AFA.
Default: FALSE

AlgoSec_EA_Azure_ActiveChange: Determines whether AFA administrators can define
ActiveChange options for Azure devices.
Default: FALSE

AlgoSec_EA_Cisco_ACI_ActiveChange: Determines whether AFA administrators can define
ActiveChange options for Cisco ACI devices.
Default: FALSE

ALGOSEC_EA_CISCOISE: Determines whether AFA administrators can add Cisco ISE
devices to AFA.
Default: FALSE

analyze_only_changed_reports: Determines whether analysis is always run, even if the
configuration has not changed.
Possible values:
• yes: Analysis is run only if the configuration has changed
• no: Analysis is always run

Backup_Firewall_History: Determines whether backup files include change history.
Possible values:
• yes. Change history is included
• no. Change history is not included in backups

BUSINESSFLOW_ADDRESS: Determines the IP address of the BusinessFlow host, if not
local.

C

CHANGE_HISTORY_DAYS: Determines the number of days that legacy changes are kept in
report change histories.
Default: 90

Chart_Threshold_Val: Defines the chart threshold value for all condition type
charts, including the built-in compliance charts.
Possible value: Integer
Default: 23

Checkpoint_Adtlog_Exclude_Fields: Defines a pipe-separated list of Check Point audit
log fields that are ignored.
For example:
CKP_Adtlog_Exclude_Fields=CLCStatus|threshold_event_uint
Note: Regular expressions are supported.

CKP_optimizations_per_policy: Determines whether policy optimization items are
shown for all rules in the policy, and not only those installed on the analyzed
module.
Default: yes

CKP_REST_RULEBASE_BATCH_SIZE: Defines the maximum size of each batch of data
collection for Check Point devices.
For very large policies, set this parameter to a large value, such as 1000, to
shorten the data collection time.
Possible value: Integer
Default: null

CKP_turbo_log_collection: Determines whether a dummy environment is used to speed
up log collection on Check Point devices.
Default: no

CLUSTER_USE_VIP: Determines whether a VIP is shown instead of a MIP in Check Point
cluster topologies.
Default: yes

CollapseDevicesTreeOnLogin: Determines whether the device tree appears fully
collapsed or expanded by default.
Possible values:
• true (Default): Collapsed
• false: Expanded

Comments_Regex_Match: Determines whether comments match or do not match the
regular expression defined in Comments_Regex.
Possible values:
• 0: Does not match
• 1: Matches

comprehensive_mode: Determines whether comprehensive mode is enabled, where AFA
queries all services that appear in any rule in the policy.
Default: yes

CONSIDER_MULITPLE_NHG: Determines whether all multiple routes for each range are
saved and used for FIP.
Supported only for IOS.
Default: yes

covered_exclude_services: Defines a colon-separated list of values. Rules that
contain any of the listed values as services are not listed as covering rules.
Default: null (no exclusions)

Days_To_Consider_Rules_As_New
    Defines the number of days for which a rule is considered new and is therefore not
    considered unused.
    Additionally, if defined, rules with no rule creation time are considered to be older
    than the set value.
    For example, if this parameter is set to 30, rules that are less than 30 days old are
    never defined as unused.
    0 = Disable this feature and use the value defined in Log_Analysis_Days_Before instead.

Days_Without_Logs_Percentage_Threshold
    Determines the threshold at which warnings are sent for missing log days, in log
    data-based parts of the policy optimization.
    Possible values: Integers, 0-100
    0 disables the warning altogether
    Default: 50

DB_host
    Defines the database host.
    Default: localhost

DB_name
    Defines the database name.
    Default: afa

DB_user
    Defines the database username.
    Default: afa

default_dashboard
    Defines the default AFA dashboard shown.
    Possible values:
    • optimizations.xml (default)
    • compliance.xml
    • none: do not load a dashboard at login

Disable_IPT_Recommendations
    Determines whether to include Intelligent Policy Optimization recommendations on the
    Policy Optimization report page.
    Possible values:
    • yes: Disable IPT recommendations. Recommended if IPT recommendations are causing the
      report generation to take too long.
    • no: Enable IPT recommendations (Default)

    Note: To determine the amount of time consumed by the generation of rule replacement
    recommendations, view the AFA log. The start of this task is marked IPT recommendations
    generation – Starting, and the end of this task is marked IPT recommendations
    generation – Finished.

Disable_IPT_Time_Checking
    Defines the database username.
    Default: afa

Disable_Monitoring
    Determines whether global monitoring is disabled.
    Possible values:
    • yes: Monitoring is disabled for all firewalls.
    • no: Monitoring is enabled. (Default)

Disable_Routing_Element_Monitoring
    Determines whether to disable monitoring for routing element devices.
    Possible values:
    • yes: Monitoring on routing element devices is disabled.
    • no: Monitoring on routing element devices is enabled. (Default)

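The following is an added example, not AlgoSec's code, showing how Days_To_Consider_Rules_As_New and Log_Analysis_Days_Before (both described in this reference) interact when a rule is classified as unused. It covers the two edge cases the parameter description calls out: a rule with no creation time, and the value 0. It assumes (this is not stated by the guide) that a rule is an unused candidate when it has no hit inside the Log_Analysis_Days_Before window; the rules and the date are constructed.

```python
"""Added example; not AlgoSec's code. Shows how Days_To_Consider_Rules_As_New and
Log_Analysis_Days_Before interact when a rule is classified as unused.
Assumption (not from the guide): a rule is an unused candidate when it has no hit
inside the Log_Analysis_Days_Before window. All rules below are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Rule:
    name: str
    created: Optional[date]   # None: the device reports no creation time
    last_hit: Optional[date]  # None: no hit in the collected logs


def effective_new_rule_days(days_to_consider_rules_as_new, log_analysis_days_before):
    """0 disables the feature; the guide says Log_Analysis_Days_Before is used instead."""
    if days_to_consider_rules_as_new < 0:
        raise ValueError("Days_To_Consider_Rules_As_New must be 0 or a positive integer")
    if days_to_consider_rules_as_new == 0:
        return log_analysis_days_before
    return days_to_consider_rules_as_new


def is_unused(rule, today, days_to_consider_rules_as_new=30, log_analysis_days_before=60):
    new_days = effective_new_rule_days(days_to_consider_rules_as_new, log_analysis_days_before)
    # A rule younger than new_days is never reported as unused. A rule with no creation
    # time is treated as older than new_days (guide), so it gets no protection.
    if rule.created is not None and (today - rule.created).days < new_days:
        return False
    # Assumption: unused means no hit inside the log-analysis lookup window.
    window_start = today - timedelta(days=log_analysis_days_before)
    return rule.last_hit is None or rule.last_hit < window_start


def demo(days_to_consider_rules_as_new=30, log_analysis_days_before=60):
    """Constructed rules, classified as of the constructed date 2020-05-04."""
    today = date(2020, 5, 4)
    rules = [
        Rule("allow-web-new", date(2020, 4, 20), None),         # 14 days old, no hits yet
        Rule("allow-db-stale", date(2020, 3, 20), None),        # 45 days old, no hits
        Rule("allow-dns", date(2019, 1, 1), date(2020, 4, 1)),  # hit inside the window
        Rule("legacy-any", None, None),                         # no creation time, no hits
    ]
    return {r.name: is_unused(r, today, days_to_consider_rules_as_new, log_analysis_days_before)
            for r in rules}
```

With the defaults, the 45-day-old rule without hits is reported as unused; with Days_To_Consider_Rules_As_New set to 0 the 60-day lookup window takes over as the "new" threshold and the same rule is no longer reported, which is the difference an administrator should expect when disabling the feature.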
E-I

Enable_Ms_Traffic_Logs_Processing
    Determines whether traffic log collection is enabled using the ms_trafficlogmanager
    service.
    Possible values:
    • yes. Enabled (Default)
    • no. Disabled

Export_Policy_Tab_With_Objects_Content
    Determines whether the exported PDF report's Policy page shows the network object
    content as well as the network object names.
    Possible values:
    • yes. Network object content and names shown
    • no. Network object names shown only (Default)

EXPECT_TIMEOUT
    Defines the timeout, in seconds, for processing a single command in the Expect data
    collection.
    Default: 120

FailCLIOnMissingUIDs
    Determines whether the CLI is generated even in case of missing UIDs in Cisco PIX
    devices.
    Possible values:
    • yes: CLI generation fails in case of missing UIDs (Default)
    • no: CLI is generated even if there are missing UIDs

FIP_MAX_DEVICES_SEARCH_PATHS_FOR_DESTINATION_ANY
    Defines a maximum number of devices for which to run a query with a FIP destination of
    any.
    Default: 100

FireFlowXmlEncoding
    Determines whether FireFlow XML change files are encoded as UTF-8 or ISO-8859-1.
    Possible values:
    • UTF-8 (Default)
    • ISO-8859-1. Supports Latin characters

FWFiles_Directory
    Defines the path of the Analyze from file firewalls.
    Default: $HOME/algosec/fwfiles

hide_change_details
    Determines whether to omit change details from emails about new reports and change
    alerts, for all users.
    Possible values:
    • yes: Hides change details for all users. Emails about new reports and change alerts
      include only the device name and a link to AFA.
    • no: Change details are displayed for all users. Change this setting per user with the
      Hide change details checkbox. For details, see Manage users and roles in AFA.

IPT_Density_Action_Limit
    The maximum density of a sparse object. When this limit is exceeded, the object is
    considered semi-dense.
    Default: 50

IPT_Recommendation_Max_Ranges
    Defines the maximum number of CIDR blocks into which IPT will recommend splitting a host
    object, if the original object contains more IP addresses/ranges than defined in
    IPT_Recommendation_Max_Subnets_Per_Range.
    Default: 20

IPT_Recommendation_Max_Services
    The maximum number of services or applications from which IPT will recommend composing
    a new object.
    Default: 20

IPT_Recommendation_Max_Subnets_Per_Range
    Defines the maximum number of CIDR blocks into which IPT will recommend splitting a host
    object. IPT recommends creating a new object only when the number of used IP
    addresses/ranges is smaller than the defined number.
    Default: 4

Locate_in_rules_include_any
    Determines whether rule search results include rules that contain the searched IP only
    in Any source or destination.
    Possible values:
    • yes: Rule results include rules where the searched IP address is found in Any source
      or destination
    • no: Rule results do not include rules where the searched IP address is found in Any
      source or destination (Default)

LOCK_WAIT_FREQUENCY
    Defines how often the Check Point and IOS data collection lock file is sampled, in
    seconds.
    The value of this parameter, multiplied by the value of the MAX_LOCK_WAIT parameter,
    equals the total wait time for IOS devices.
    Default: 10

Log_Analysis_Days_Before
    Defines the analysis log lookup, in days.
    Default: 60

Log_Analysis_Months_Before
    Defines the time period for which the traffic database is retained, in months. Traffic
    logs older than the defined value are deleted.
    Default: 12

Log_Time_Interval_Minutes_Before_Error
    Defines the time period, in minutes, after which a device's log collection status is set
    to failure, in case log collection finds no new logs for a specific server for one of the
    following reasons:
    • No logs have arrived at the log server. This may be an issue in the customer
      environment.
    • No logs were found for the target devices. This may be an AFA misconfiguration or
      error.
    Default: 180

Log_Timeout_Minutes
    Defines the timeout for the entire log collection process, in minutes.
    Default: 900 (15 hours)

mailSuffix
    Defines an email address to use as a default if a new or edited user email address is
    left empty.
    Default: null

MAP_BLACK_LIST
    Determines whether to ignore defined devices in AFA when creating the map.
    Default: null

MAX_LOCK_WAIT
    Defines a time to wait for the Check Point, IOS, or NSM data collection lock file, in
    seconds.
    Default: 7200 (2 hours)

MAX_LOCK_WAIT_NSC
    Defines a time to wait for the NSC data collection file, in seconds.
    Default: 7200 (2 hours)

Max_Parallel_Analyses
    Determines the maximum number of analyses that are allowed to run in parallel.
    Default: The number of CPUs on the machine.

Max_Parallel_Logcollect
    Determines the maximum number of log collections running in parallel.
    Possible values:
    • Positive integers
    • 0: unlimited

Max_Rows_To_Sort
    Determines whether sorting and filtering in AFA report tables is enabled, and if so, for
    how many rows. Sorting and filtering large tables may take a long time.
    Possible values:
    • Integer, 1 or greater. Defines the maximum number of rows for which sorting and
      filtering can be performed.
    • 0: Sorting and filtering is disabled.
    Default: 10,000

MGMT_ROUTING_FREQUENCY
    Defines the frequency of routing information collection for management devices, such as
    Panorama, in minutes.
    Default: 60

Monitor_exclude_PIX
    Defines a single regular expression, including a simple string, to exclude from
    comparisons during monitoring.

    Tip: Even though this supports a single regular expression only, define multiple matches
    using an OR pipe (|). For example: (log\s+in|log\s+out)

Monitor_Force_Data_Coll_Ckp_Min
    Defines how often data collection runs on Check Point devices, in minutes, even if no
    new logs are found.
    Default: 720

Monitor_Force_Data_Coll_Cycles_Num
    Defines how often a full monitoring cycle is run on Check Point devices, in minutes, even
    if no new audit logs are found.
    Default: 720

monitor_frequency
    Defines how often the monitoring process runs, in hours.
    Default: 5
    If MONITOR_USE_FREQUENCY_AS_HOUR_OF_DAY is set to no, or does not exist, defines the
    hour of the day at which the monitoring process runs. In such cases, supported hours
    include the hours between 2:00-24:00, skipping 1:00.
    Possible values: Integer, multiple of 60.
    For example:
    • 60x2 = 120. 120 runs monitoring at 02:00 and 14:00.
    • 60x4 = 240. 240 runs monitoring at 04:00 and 16:00.
    • 60x12 = 720. 720 runs monitoring at 00:00 and 12:00.
    Sample procedure: Configure monitoring to run once a day
    1. Set the new MONITOR_USE_FREQUENCY_AS_HOUR_OF_DAY configuration parameter value to
       no, or delete this parameter.
    2. Set the monitor_frequency parameter value to 60x<x>, where <x> is the hour of the day
       at which you want monitoring to run.
       For example, 60x14 = 840. 840 runs monitoring at 14:00.

Monitor_Frequency
    Defines a general monitoring frequency for all devices, in minutes.
    Default: 5

MONITOR_USE_FREQUENCY_AS_HOUR_OF_DAY
    Determines whether monitoring processes are defined by setting frequency to the hour of
    the day.
    Possible values:
    • no: Monitoring processes run as scheduled.
    • yes: Monitoring processes run as defined in the monitor_frequency parameter.

MONITORING_HISTORY_DAYS
    Defines the number of days to retain monitoring changes.
    Default: 90

N-R

NSM_optimizations_per_policy
    Determines whether to show policy optimization items for all the rules in a policy, and
    not only for those that have the analyzed device in their target.
    Possible values:
    • Yes: Optimizations shown for all rules in policy
    • No: Optimizations shown only for rules that have the analyzed device in their target.
      (Default)

PrioritizeFIPDestination
    Determines whether routing queries and traffic simulation queries prioritize paths that
    begin and end with a subnet (and not a cloud) for destinations.
    Possible values:
    • yes. Enables the preference for subnets in destinations. (Default)
    • no. Disables the preference for subnets in destinations.

PrioritizeFIPSources
    Determines whether routing queries and traffic simulation queries prioritize paths that
    begin and end with a subnet (and not a cloud) for sources.
    Possible values:
    • yes. Enables the preference for subnets in sources. (Default)
    • no. Disables the preference for subnets in sources.

Query_Timeout
    Defines the timeout for a single query, in seconds.
    Default: 15

QueryByPolicy
    Determines whether traffic simulation group query results include all devices in device
    groups, or are grouped by policy with a single representative device for each policy.

    Note: This setting affects group traffic simulation query results and batch traffic
    simulation query results. It also affects initial plan query results in FireFlow.

    Possible values:
    • yes. Display group query results by policy.
    • no. Do not group query results by policy (Default)

RADIUS_FetchData
    Determines whether to fetch data and groups from LDAP for users authenticated by a
    Radius server.
    Default: no

REMOVE_DELETED_DEVICE_REPORTS
    Determines whether to remove reports for all deleted devices.
    Possible values:
    • Yes: Remove reports for deleted devices
    • No: Keep reports for deleted devices

Routing_Element_Monitor_Frequency
    Determines the frequency at which to run monitoring on routing elements, in minutes.
    Default: 5

Rule_Selection_Limit
    Defines the maximum number of rules allowed to be selected for a single FireFlow change
    request.

    Tip: Avoid using large numbers to prevent performance issues in FireFlow.

    Default: 50

S-W

Parameter name Description

SHOW_ONLY_NODES_IN_PATH
    Determines whether the network map shown in query results shows only the nodes in the
    network path, without surrounding devices and objects.
    Possible values:
    • yes: Shows only the nodes in the network path queried, including stub routers, clouds,
      subnets, and so on.
    • no: Shows the nodes in the network path queried, and also surrounding devices and
      objects. (Default)

syslog_dump_interval
    Defines the maximum amount of time between syslog collection and memory dump to files,
    in minutes.

TarFormat
    Determines support file download attributes.
    • zip: AFA creates zip files for download.
    • tar: AFA creates tar files for download.
    • tgz: AFA creates tgz files for download. (Default)
    • extended_tgz: AFA creates an extended tgz file for download. Use this option when you
      have devices with names that are longer than 100 characters.

trust_rfc1918
    Determines whether risk calculation is skipped for private networks. When it is skipped,
    most Z## risks will not be triggered.
    Possible values:
    • Yes: Skipped for private networks. (Default)
    • No: Private networks are included in risk calculation.

Use_Custom_Report
    Determines whether custom report pages are enabled. For more details, see Custom report
    pages.
    Possible values:
    • yes. Enable custom reports. (Default, when a custom report has been created and
      installed)
    • no. Disable custom reports, preventing any custom reports from appearing in AFA
      reports.

Use_Nexus_Wildcards
    Determines whether Traffic Simulation Query results on Cisco Nexus devices use wildcard
    IP ranges.
    Possible values:
    • yes: Wildcard IP ranges are included.
    • no: Wildcard IP ranges are not included. (Default)

WEBGUI_SESSION_LENGTH
    Defines the maximum length of a UI session that is not active, in minutes. Any session
    that goes on for longer than the defined setting is automatically ended.
    Default: 300


Customize AFA
This section describes the following types of AFA customizations:

• Custom report pages

• Custom documentation fields

• Custom dashboards and charts

• Customize regulatory compliance report

Custom report pages


AFA enables you to create custom pages in your reports.

Create a custom report page


You can create a custom report page that will be included as a separate tab in each new
device, group, or matrix report.

Note: Only one custom report page is supported.

Note: The custom report page cannot be exported to HTML or PDF.

To create a custom report page:

1. Create an XML file called custom_report.xml, containing all of the execution
   commands in the following format:

   <Custom_Report>
     <Report name="report_name">
       <device command="device_script_execution_command" output="device_output_file"></device>
       <group command="group_script_execution_command" output="group_output_file"></group>
       <matrix command="matrix_script_execution_command" output="matrix_output_file"></matrix>
     </Report>
   </Custom_Report>

For more details, see Custom report configuration file parameters.

The <device>, <group>, and <matrix> lines are optional. If you include the
<device> line but do not include the <group> or <matrix> lines, the custom report
page in the group or matrix report will display a concatenation of custom device
pages.

2. Create a folder called custom_report, containing all of the scripts that must be
executed.

3. Create a sub-folder called additional_files under the custom_report folder,


containing additional files that are required for generating the custom report, for
example data files, .css files, and so forth.

4. Add the file custom_report.xml and the folder custom_report (along with all its
contents, including the subfolder additional_files) to a single .zip file.

5. Enter the following command:

extract_custom_report -f zip_file [-d domain_number] [-u user_name]

For more details, see Extract custom report script flags.

The extract_custom_report script extracts the .zip file.

The next time a report is generated, it will include the custom page.

Note: If desired, you can disable the custom report page. For details, see the Use_
Custom_Report parameter.
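As an added example that is not part of the guide or of AlgoSec's tooling, the following Python builds the .zip package described in steps 1 to 4 (custom_report.xml at the top level, the scripts in custom_report/, extra files in custom_report/additional_files/) and checks a package before it is handed to extract_custom_report: it confirms that every script named in a command is actually shipped, that nothing sits outside the expected layout, and it reports the group/matrix fallback the guide describes when only <device> is defined. The report name, script names and file contents are constructed for the example.

```python
"""Added example; not AlgoSec's code. Builds and checks the .zip package that
extract_custom_report expects. Report name, script names and file contents are
constructed; the XML layout follows the template in step 1 of the procedure."""
import io
import xml.etree.ElementTree as ET
import zipfile

REPORT_TYPES = ("device", "group", "matrix")


def build_custom_report_xml(report_name, commands):
    """commands maps 'device'/'group'/'matrix' to (execution command, output file);
    any of the three may be omitted, as the guide allows."""
    root = ET.Element("Custom_Report")
    report = ET.SubElement(root, "Report", name=report_name)
    for kind in REPORT_TYPES:
        if kind in commands:
            command, output = commands[kind]
            ET.SubElement(report, kind, command=command, output=output)
    return ET.tostring(root, encoding="unicode")


def build_package(report_name, commands, scripts, additional_files=None):
    """Returns the bytes of a .zip laid out as step 4 of the procedure describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("custom_report.xml", build_custom_report_xml(report_name, commands))
        for name, body in scripts.items():
            zf.writestr(f"custom_report/{name}", body)
        for name, body in (additional_files or {}).items():
            zf.writestr(f"custom_report/additional_files/{name}", body)
    return buf.getvalue()


def check_package(zip_bytes):
    """Reads a package and reports what it will produce and what is wrong with it.

    Flags: missing custom_report.xml, a referenced script that is not shipped in
    custom_report/, and entries outside the expected layout."""
    result = {"report_name": None, "pages": {}, "problems": [], "group_matrix_fallback": None}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        if "custom_report.xml" not in names:
            result["problems"].append("custom_report.xml missing from the top level of the .zip")
            return result
        root = ET.fromstring(zf.read("custom_report.xml"))
    report = root.find("Report")
    if report is None:
        result["problems"].append("no <Report> element in custom_report.xml")
        return result
    result["report_name"] = report.get("name")
    for kind in REPORT_TYPES:
        el = report.find(kind)
        result["pages"][kind] = el.get("output") if el is not None else None
        if el is not None:
            # The command may carry input parameters ("sh device_script.sh arg"); at least
            # one of its tokens must name a script shipped in custom_report/.
            tokens = (el.get("command") or "").split()
            if not any(f"custom_report/{t}" in names for t in tokens):
                result["problems"].append(f"{kind}: no script named in '{el.get('command')}' "
                                          "is present in custom_report/")
    for n in names:
        if n != "custom_report.xml" and not n.startswith("custom_report/"):
            result["problems"].append(f"unexpected entry outside the layout: {n}")
    # Guide: with only <device> defined, the group and matrix reports show a
    # concatenation of the custom device pages.
    pages = result["pages"]
    if pages["device"] and not (pages["group"] or pages["matrix"]):
        result["group_matrix_fallback"] = "concatenation of custom device pages"
    return result


# Constructed sample package: a device page only, one script, one stylesheet.
SAMPLE_SCRIPT = "#!/bin/sh\necho '<html><body>constructed page</body></html>' > custom_device.html\n"


def demo_package():
    return build_package(
        "Constructed custom report",
        {"device": ("sh device_script.sh", "custom_device.html")},
        {"device_script.sh": SAMPLE_SCRIPT},
        {"style.css": "body { font-family: sans-serif; }"},
    )
```

Checking the package before running extract_custom_report matters because the scripts it contains are executed by the "afa" user (or the user given with -u) every time a report is generated, so a package should only ever contain the scripts you intend to ship, and nothing outside the documented folders.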

Custom report configuration file parameters

Parameter Description

report_name
    The name of the report page.

device_script_execution_command
    The script execution command for the custom device report page, including input
    parameters. For example: sh device_script.sh

device_output_file
    The name of the HTML output file for the custom device report page. For example:
    custom_device.html

group_script_execution_command
    The script execution command for the custom group report page, including input
    parameters. For example: sh group_script.sh

group_output_file
    The name of the HTML output file for the custom group report page. For example:
    custom_group.html

matrix_script_execution_command
    The script execution command for the custom matrix report page, including input
    parameters. For example: sh matrix_script.sh

matrix_output_file
    The name of the HTML output file for the custom matrix report page. For example:
    custom_matrix.html

Extract custom report script flags

Flag Description

-f zip_file
    The name of the .zip file.
    Note: The file must be located in the current directory.

-d domain_number
    The number of the domain in the .fa directory, where the .zip file should be extracted.
    This flag is optional.

-u user_name
    The user to use when installing the contents of the .zip file. This user will be granted
    permissions for the .zip file's contents.
    This flag is optional. If it is not included, the contents of the .zip file will be
    installed using the "afa" user.


Custom documentation fields


By default, AFA adds a field called Documentation to each device policy, which you can
use to add comments and other information to a rule. See Adding/Removing AFA Rule
Comments.

If desired, you can disable or enable the Documentation field or add more such fields.

Add documentation fields


Each documentation field appears as a column at the far-right side of the device policy.

Note: Documentation fields cannot be deleted, only disabled. For details, see
Enable/Disable documentation fields.

To add a documentation field:

1. Open a terminal and log in using the username "afa" and the related password.

2. Enter the following command:

update_document_fields ADD "field_name" "field_type" "field_default_value"

Where:

• field_name is the name of the field, for example "My Doc".

• field_type is the field's type. This can have the following values: Text, Number, Bool,
  or List.

• field_default_value is the field's default value, for example "Good rule!"

The field is added to all device policies in AFA.


Enable/Disable documentation fields


To enable a documentation field:

1. Open a terminal and log in using the username "afa" and the related password.

2. Enter the following command:

update_document_fields ENABLE "field_name"

Where field_name is the name of the field.

The field is enabled for all device policies in AFA.

Note: When re-enabling a documentation field, all data that was entered in this field
before it was disabled, will appear once again in the device policies.

To disable a documentation field:

1. Open a terminal and log in using the username "afa" and the related password.

2. Enter the following command:

update_document_fields DISABLE "field_name"

Where field_name is the name of the field.

The field is disabled for all device policies in AFA.

Custom dashboards and charts


You can create custom dashboards in AFA that include built-in charts, custom charts, or
both, by defining them directly in XML.

Configure custom charts


When creating a dashboard with custom charts, you must configure the custom charts
before you configure the dashboard itself.


• You specify the title of the chart.

• You specify the type of chart.

• You specify the variable for which the chart displays data.

• You specify the Y-axis values the chart displays.

• For bar charts, you also specify the following:
  • The number of devices displayed in the chart.
  • Whether the chart starts with displaying the devices with the most of the variable or
    the least of the variable.
  • The direction of the chart.

• For trend charts, you also specify how many days back the chart displays.

Add a custom chart


1. Open a terminal and log in using the username "afa" and the related password.

2. Create a new file in /home/afa/.fa/charts.

3. Name the file chart_name.xml, where chart_name is the name you choose for the
chart.

4. Add the chart tag to the file, using the information in Chart tag reference. For an
   example, see Chart Example.

5. Save the file.

Chart tag reference


This reference describes the use of the chart tag and its sub-tags.

Tag syntax is presented as follows:

• All parameters and content are presented in italics.

• All optional elements of the tag appear in square brackets [ ].

Note: All tags, parameters, and content are case sensitive, and must be in lower case.

chart

Syntax

chart

Description

This is the main tag for the chart. It specifies all the information included in the chart.

Parameters

None.

Subtags

• title (see title)

• variable_name (see variable_name)

• statistics_type (see statistics_type)

• type (see type)

• limit (see limit)

• order_dir (see order_dir)

• direction (see direction)

• ymin (see ymin)

• ymax (see ymax)

• days_back (see days_back)

title

Syntax

<title>title</title>

Description


This tag specifies the title of the chart.

Parameters

None.

Subtags

None.

Content

title String. The name that you choose for the title of the chart. You can include the
following variables in the title:
• __GROUP_NAME__. The name of the device group that is analyzed by the chart (as defined
  in the dashboard XML file).
• __THRESHOLD__. The value set as the "Chart_Threshold_Val" configuration item.
• __COUNT__. The number of devices the chart displays.

Example

In the following example, if the number of devices in the chart is 8, and the chart
analyzes the group "ALL_FIREWALLS", the title of the chart is "8 Devices with lowest
security rating in group ALL_FIREWALLS".
<title>__COUNT__ Devices with lowest security rating in group __GROUP_NAME__</title>

variable_name

Syntax

<variable_name [color="color"] [value_condition="value_condition"] [bar_name="bar_name"]
[function="function"] [legend="legend"] [sum="sum"]>variable_name</variable_name>

Description

This tag specifies the variable that the chart displays.

Parameters


color
    String. The color of the bar or series of the variable, expressed in #RGB.
    This parameter is for count type and trend_count_group type charts, and the default
    chart type only.
    This parameter is optional.

value_condition
    String. A condition, such that only devices with a variable value that passes the
    condition will be counted.
    This parameter is for count type and trend_count_group type charts only. For
    trend_count_group type charts, only equality is supported, and the value is stated
    without the operator.
    Note: For trend_count_group type charts, this variable is an integer.
    This parameter is optional.

bar_name
    String. The label of the bar.
    This parameter is for count type charts only.
    This parameter is optional.

function
    String. An aggregate function used to compile the chart data. All aggregate SQL
    functions are supported (for example: "avg", "min", and "max").
    This parameter is for trend_value type charts only.
    This parameter is optional. The default function is the average function, which
    compiles the average of the data over the group.

legend
    String. The label of the variable in the legend.
    This parameter is for trend_value type charts only.
    This parameter is optional.

sum
    String. The sum of the statistic type.
    This parameter is for sum_over_time and trend_sum_over_time type charts only.
    This parameter is optional.

Subtags

None.

Content


Variable content options   Available statistic type   Specifies this...

rules                      simple_count               The number of rules for each device.
covered_rules              simple_count               The number of covered rules for each device.
special_case_rules         simple_count               The number of special case rules for each device.
unused_rules               simple_count               The number of unused rules for each device.
security_rating            simple_count               The security rating for each device.
highest                    risk_level                 The highest risk level of each device.
PCI                        compliance_pass            Whether a device meets PCI compliance.
high                       risks_per_risk_level       The number of high risks for each device.
suspected_high             risks_per_risk_level       The number of suspected high risks for each device.
medium                     risks_per_risk_level       The number of medium risks for each device.
low                        risks_per_risk_level       The number of low risks for each device.

Example

In the following example, the color of the bars for this variable will be #cb3333, only
devices with a variable value of 3 will be counted, and the label of the bars for this
variable will be "high".
<variable_name color="#cb3333" value_condition="=3" bar_name="high">highest</variable_name>

statistics_type

Syntax


<statistics_type>statistics_type</statistics_type>

Description

This tag specifies the type of statistic that the chart displays.

Parameters

None.

Subtags

None.

Content

Content options   Specifies this...

simple_count
    The count of the variable for each device. This statistic type is available for the
    following variables: rules, covered_rules, special_case_rules, unused_rules, and
    security_rating. For example, if the statistic type is simple_count, and the variable is
    rules, the chart will display the number of rules for each device.
    Note: When the simple_count statistic type is used with the security_rating variable,
    the security rating for each device is displayed.

risk_level
    The risk level of each device. This statistic type is available for the highest
    variable. When this statistic type/variable combination is used, the chart will display
    the number of devices whose highest risk is high, suspected high, medium, and low.

compliance_score
    The compliance score of each device. This statistics type is available for the
    following variables: HIPAA, BASEL, NIST_800-41, NIST_800-53, ISO27001, NERC4, GLBA, TRM,
    DSD, SOX, PCI.

compliance_color
    The compliance color of each device. This statistics type is available for the
    following variables: HIPAA, BASEL, NIST_800-41, NIST_800-53, ISO27001, NERC4, GLBA, TRM,
    DSD, SOX, PCI.

baseline_score
    The baseline compliance score of each device (the score is the percentage of met
    requirements). This statistics type is available for the baseline variable.

risks_per_risk_level
    The number of risks for a specific risk level for each device. This statistic type is
    available for the following variables: high, suspected_high, medium, and low. For
    example, if the statistic type is risks_per_risk_level, and the variable is high, the
    chart will display the number of high risk rules for each device.

total_changes
    The number of changes on each device. This statistic type is available for the sum
    variable. When this statistic type/variable combination is used, the chart will display
    the total number of changes on each device.

Example

In the following example, the chart will display a simple count of the specified variable.
<statistics_type>simple_count</statistics_type>

type

Syntax

<type>[type]</type>

Description

This tag specifies the type of chart.

Parameters

None.

Subtags

None.

Content


Content options   Specifies this...

count
    A bar chart that specifies the count of devices for each variable.

condition
    A bar chart that displays the number of devices whose variable value is greater than the
    Chart_Threshold_Val configuration item, and the number of devices whose variable value
    is not, for all devices in the group.
    For details, see the Chart_Threshold_Val parameter.

trend_value
    A trend chart that displays a calculation (defined by the function parameter of
    variable_name) of the variable values over all devices in the group, over time.

trend_condition
    A trend chart that displays the number of devices whose variable value is greater than
    the Chart_Threshold_Val configuration item, and the number of devices whose variable
    value is not, for all devices in the group, over time.
    For details, see the Chart_Threshold_Val parameter.

trend_count_group
    A trend chart that displays the total count of the variable for all devices in the
    group, over time.

sum_over_time
    A bar chart that displays the accumulation of the statistic for each device in the
    group.

trend_sum_over_time
    A trend chart that displays the accumulation of the statistic, over time.

empty (default)
    A bar chart that displays the count of the variable for each device in the group. There
    can be multiple variables per device.

Example

In the following example, the chart will be a bar chart that displays the total count of the
variable for each device in the group. For example, if the chosen variable is unused_
rules, the chart will display a bar chart with the count of unused rules per device.
<type>count</type>

limit


Syntax

<limit>[limit]</limit>

Description

This tag specifies the number of devices the chart displays. This tag is only for bar
charts.

Parameters

None.

Subtags

None.

Content

Integer. The number of devices the chart will display. If left empty, the LIMIT tag defaults
to 25.

Example

In the following example, the chart will display 6 devices.
<limit>6</limit>

order_dir

Syntax

<order_dir>[order_dir]</order_dir>

Description

This tag specifies whether the chart starts with displaying the devices with the most of
the variable or the least of the variable. This tag is only for bar charts.

Parameters

None.

Subtags

None.


Content

Content options   Specifies this...

ASC
    The bar chart will start with displaying devices with the least of the variable. For
    example, if the LIMIT tag is set to 6, this will produce a chart with the bottom 6
    devices.

DESC
    The bar chart will start with displaying devices with the most of the variable. For
    example, if the LIMIT tag is set to 6, this will produce a chart with the top 6 devices.

empty
    The ORDER_DIR tag defaults to DESC.

Example

In the following example, the chart will start with displaying devices with the least of the
variable.
<order_dir>ASC</order_dir>

direction

Syntax

<direction>[direction]</direction>

Description

This tag specifies the direction the chart displays. This tag is only for bar charts.

Parameters

None.

Subtags

None.

Content


Content options    Specifies this...

horizontal         The bar chart will display horizontally.

vertical           The bar chart will display vertically.

empty              The DIRECTION tag defaults to vertical.

Example

In the following example, the chart will display vertically.


<direction>vertical</direction>

ymin

Syntax

<ymin> [ymin]</ymin>

Description

This tag specifies the minimum y-axis value displayed in the chart. This tag is optional.

Parameters

None.

Subtags

None.

Content

Integer. The minimum y-axis value displayed in the chart. If left empty, the value is
computed to fit the data.

Example

In the following example, the minimum y-axis value displayed in the chart is 0.
<ymin>0</ymin>

ymax

Syntax


<ymax> [ymax]</ymax>

Description

This tag specifies the maximum y-axis value displayed in the chart. This tag is optional.

Parameters

None.

Subtags

None.

Content

Integer. The maximum y-axis value displayed in the chart. If left empty, the value is
computed to fit the data.

Example

In the following example, the maximum y-axis value displayed in the chart is 100.
<ymax>100</ymax>

days_back

Syntax

<days_back> [days_back]</days_back>

Description

This tag specifies the number of days back displayed in the chart. This tag is optional,
and is only for trend charts.

Parameters

None.

Subtags

None.

Content


Integer. The number of days back displayed in the chart. If left empty, the value defaults
to 100 days.

Example

In the following example, the trend chart will display data for the last 200 days.
<days_back>200</days_back>

Chart Example

<!-- This is an AFA dashboard chart configuration file. Each dashboard chart is
configured by one such file. The user defined files should be in
'<AFA home dir>/.fa/dashboards/charts', or if domains are enabled, in
'<AFA home dir>/.fa/algosec_domains/<domain>/dashboards/charts'.
Note: The tags and properties in this file are case sensitive. A chart is configured by
the 'CHART' tag. -->
<CHART>

<!-- The 'title' tag determines the title that will be displayed at the top of the chart.
The title can contain several parameters which will be replaced by the appropriate
values:
__GROUP_NAME__ - The AFA devices group whose data will be compiled in this chart
(as defined in the dashboard XML)
__THRESHOLD__ - The threshold stated in the "Chart_Threshold_Val" configuration item
__COUNT__ - The number of devices compiled for the charts. -->
<title>Number of devices by leading risk severity in group __GROUP__</title>

<!-- The 'type' tag determines the chart type. The default type (if no value is specified)
will cause each variable (there may be several, representing different series) value to be
plotted for each group member. Available types are:
count - Count each variable over all group members
condition - Count values greater than the "Chart_Threshold_Val" configuration item
trend_value - For each time frame, calculate the property over the group members
defined by the function property of variable_name (the default is average)
trend_condition - For each time frame, count values greater than the
"Chart_Threshold_Val" configuration item
trend_count_group - For each time frame, count the variable over all group members -->
<type>count</type>

<!-- 'statistics_type' - The type of the statistics. Allowed values are: simple_count,
risk_level, compliance_pass, and risks_per_risk_level -->
<statistics_type>risk_level</statistics_type>

<!-- The 'variable_name' depends on 'statistics_type' value as follows:
simple_count - covered_rules, security_rating, special_case_rules, unused_rules
risk_level - highest
compliance_pass - PCI
risks_per_risk_level - high, suspected_high, medium, low
For the default type and the count type, there may be multiple variables, which will be
expressed as multiple series. The variable name has the following optional attributes:
'color' - The color of the bar/line (in count types) or series (in the default type),
expressed in #RGB
'value_condition' - The condition to apply on statistics value to count (for example:
">3", "=2"...). For count type charts only. For trend_count_group type chart the
condition is strictly equality and the value is stated without the operator (for example:
"3", "2"...). Only values passing the condition will be counted.
'bar_name' - The label for the bar. For count type only. If not present then the condition
will be taken.
'function' - An aggregate function to use when compiling the data on trend_value type
charts. The default is 'avg', which averages the data over all devices. All aggregate SQL
functions are supported (for example: 'min', 'max')
'legend' - The label of the variable in the legend. Relevant for trend_value chart type
only. -->
<variable_name bar_name="high" value_condition="=3" color="#cb3333">highest</variable_name>
<variable_name bar_name="suspected high" value_condition="=2" color="#ff8213">highest</variable_name>
<variable_name bar_name="medium" value_condition="=1" color="#fcf00a">highest</variable_name>
<variable_name bar_name="low" value_condition="=0" color="#e4c67e">highest</variable_name>

<!-- A chart may have several additional configurable properties, specified by the
following tags:
'order_dir' - The ordering of the results: asc (ascending) or desc (descending). The
default is descending. For default type bar charts only. In case of multiple variables
(multi-series chart), the sort is based on the first variable.
'limit' - How many results to show; combined with 'order_dir' this creates top-X or
bottom-X charts. Default is 20. Relevant for the default type only.
'direction' - The direction of the chart: horizontal or vertical. The default is vertical.
Relevant for bar charts only.
'ymin' - The minimum value of the Y axis. The default is auto computed to fit the data.
'ymax' - The maximum value of the Y axis. The default is auto computed to fit the data.
'days_back' - The number of days back to show in a trend chart. -->
</CHART>

Configure a custom dashboard


Configure a custom dashboard by specifying the charts that the dashboard includes, the
relevant device group, and the number of charts that appear in a row.

Do the following:

1. Open a terminal and log in as user afa.

2. Create a new file in /home/afa/.fa/dashboards.

3. Name the file <dashboard_name>.xml, where <dashboard_name> is the name you
choose for the dashboard.

4. Add the DASHBOARD tag to the file, with the additional CHARTS and CHART
sub-tags.

For more details, see Dashboard tag reference and Dashboard configuration
example.

Dashboard tag reference


The following table describes the DASHBOARD tag and its subtags.


Tag name     Description

DASHBOARD    Identifies the dashboard and specifies how charts are oriented. Includes
             the CHARTS sub-tag.
             Parameters include:
             • name. String. The dashboard name. This name appears at the top of the
               dashboard.
             • columns. The number of charts that appear in each row of the dashboard.
               The charts will be filled in order of appearance, from left to right and
               top to bottom.

CHARTS       Defines all the charts that appear in the dashboard. Includes several
             CHART sub-tags.

CHART        Defines the type of data in the chart, and which device group's data
             appears in the chart.
             Parameters include:
             • group. String. The name of the AFA device group that is analyzed in the
               chart.
             • definition_file. String. The name of the chart XML file. Specify a
               custom chart that you created and saved in the
               <AFA home dir>/.fa/dashboards/charts directory, or a built-in chart.
             For more details, see Custom dashboards and charts.

Dashboard configuration example


The following code shows an AFA dashboard configuration file, including a
DASHBOARD tag and CHARTS and CHART sub-tags.

<DASHBOARD columns="2" name="Summary">
  <CHARTS>
    <CHART definition_file="total_risks_per_type_per_fw.xml" group="ALL_FIREWALLS"/>
    <CHART definition_file="security_rating_trend.xml" group="ALL_FIREWALLS"/>
    <CHART definition_file="rules_per_fw.xml" group="ALL_FIREWALLS"/>
    <CHART definition_file="covered_rules_per_fw.xml" group="ALL_FIREWALLS"/>
  </CHARTS>
</DASHBOARD>
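As an added example for the chart tag reference and the dashboard file above (this is not AlgoSec's code), the following Python loads both kinds of file, applies the documented defaults for limit, order_dir, direction and days_back, rejects values outside the documented options, warns when a bar-only or trend-only tag appears on the wrong chart type, and lays a dashboard's charts out into rows. The sample XML, the set of available chart files and the "<" operator in value_condition are assumptions made for the example.

```python
# Added example, not AlgoSec's code: load an AFA chart definition and a dashboard
# file and apply the defaults and restrictions listed in the tag reference above
# (limit 25 per the reference; the chart comment says 20). Sample XML is constructed.
import xml.etree.ElementTree as ET

DEFAULTS = {"limit": 25, "order_dir": "DESC", "direction": "vertical", "days_back": 100}
ALLOWED = {"order_dir": {"ASC", "DESC"}, "direction": {"horizontal", "vertical"}}
TREND_TYPES = {"trend_value", "trend_condition", "trend_count_group"}

def parse_condition(cond, chart_type):
    """value_condition is '<op><int>' on count charts (">3", "=2"); on
    trend_count_group charts it is a bare integer compared for equality."""
    if cond is None:
        return None
    cond = cond.strip()
    if chart_type == "trend_count_group":
        return ("=", int(cond))
    if cond[:1] not in (">", "<", "="):  # "<" is assumed; the guide shows ">" and "="
        raise ValueError(f"value_condition {cond!r} has no operator")
    return (cond[0], int(cond[1:]))

def parse_chart(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != "CHART":  # tag names are case sensitive
        raise ValueError(f"expected <CHART>, got <{root.tag}>")
    def text(tag):
        return (root.findtext(tag) or "").strip()
    chart = {"title": text("title"), "type": text("type") or "default", "warnings": []}
    for tag in ("limit", "days_back", "ymin", "ymax"):  # integers; empty means default
        chart[tag] = int(text(tag)) if text(tag) else DEFAULTS.get(tag)  # None: auto-fit
    chart["order_dir"] = text("order_dir").upper() or DEFAULTS["order_dir"]
    chart["direction"] = text("direction") or DEFAULTS["direction"]
    for tag in ("order_dir", "direction"):
        if chart[tag] not in ALLOWED[tag]:
            raise ValueError(f"{tag} {chart[tag]!r} not in {sorted(ALLOWED[tag])}")
    is_trend = chart["type"] in TREND_TYPES
    if is_trend and root.find("limit") is not None:
        chart["warnings"].append("limit applies to bar charts only")
    if not is_trend and root.find("days_back") is not None:
        chart["warnings"].append("days_back applies to trend charts only")
    chart["variables"] = [{
        "name": (v.text or "").strip(), "color": v.get("color"),
        "condition": parse_condition(v.get("value_condition"), chart["type"]),
        # without bar_name the condition text becomes the bar label
        "bar_name": v.get("bar_name") or v.get("value_condition"),
        "function": v.get("function", "avg")} for v in root.findall("variable_name")]
    return chart

def parse_dashboard(xml_text, chart_files):
    """chart_files: names of chart XML files in dashboards/charts or built into AFA."""
    root = ET.fromstring(xml_text)
    if root.tag != "DASHBOARD":
        raise ValueError(f"expected <DASHBOARD>, got <{root.tag}>")
    columns = int(root.get("columns", "1"))
    entries = []
    for c in root.find("CHARTS").findall("CHART"):
        if c.get("definition_file") not in chart_files:
            raise ValueError(f"unknown chart file {c.get('definition_file')!r}")
        entries.append((c.get("definition_file"), c.get("group")))
    # charts fill each row left to right, then rows top to bottom
    rows = [entries[i:i + columns] for i in range(0, len(entries), columns)]
    return {"name": root.get("name"), "columns": columns, "rows": rows}

CHART_XML = """<CHART><title>Devices by leading risk severity in __GROUP__</title>
<type>count</type><statistics_type>risk_level</statistics_type><limit>6</limit>
<variable_name bar_name="high" value_condition="=3" color="#cb3333">highest</variable_name>
<variable_name value_condition="=2" color="#ff8213">highest</variable_name>
</CHART>"""
DASHBOARD_XML = """<DASHBOARD columns="2" name="Summary"><CHARTS>
<CHART definition_file="rules_per_fw.xml" group="ALL_FIREWALLS"/>
<CHART definition_file="covered_rules_per_fw.xml" group="ALL_FIREWALLS"/>
<CHART definition_file="security_rating_trend.xml" group="ALL_FIREWALLS"/>
</CHARTS></DASHBOARD>"""
```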

Customize regulatory compliance report


AFA provides the ability to customize the Regulatory Compliance page for each AFA
report in the CLI. The CLI supports the following actions:

• Adding or removing compliance reports.

• Creating custom reports by modifying existing reports.

For descriptions of all built-in regulatory compliance reports, see Supported regulatory
compliance reports.

Note: To remove or add compliance reports in the Web Interface, customize the
compliance score value, or customize the compliance score severity threshold, see
Customize the regulatory compliance report.

Note: To create a completely custom regulatory compliance report for your
organization, contact AlgoSec support.

Add, remove or customize compliance reports

Do the following:

1. Open a terminal and log in using the username "afa" and the related password.

2. Create a new directory /home/afa/.fa/compliance_reports/. This is the override
   directory.

3. Copy /usr/share/fa/data/compliance_reports/compliance_reports.xml to
   /home/afa/.fa/compliance_reports/.

4. To create a custom report by modifying an existing report (and add it to the
   regulatory compliance page), do the following:

   a. Create new templates for the report:

      i. Find the report template(s) you want to modify in the override directory.
         Report templates follow this naming convention:

         • For individual device reports: compliance_rep_templ_reportname.html

         • For group device reports: compliance_rep_templ_group_reportname.html

         • For matrix device reports: compliance_rep_templ_matrix_reportname.html

         where reportname is the name of the compliance report.

      ii. Copy the report templates you want to modify, and save the copy (in the
          override directory). Use the above naming convention, with a new name for
          your new report.

      iii. Modify your template copies as you desire.

      iv. Save the files.

   b. Open /home/afa/.fa/compliance_reports/compliance_reports.xml.

      Add a new report tag as a sub-tag to the compliance_reports tag. The following
      table describes the report tag attributes:

      Attribute              Description

      id                     Internal key necessary for report creation.

      title                  Title of the report. This title will appear as a link on the
                             Regulatory Compliance page of the device report. The link
                             leads to the compliance report.

      template_file          HTML template file for a single device. This template will
                             be used to create a single device compliance report.

      template_file_group    HTML template file for a device group. This template will
                             be used to create a device group compliance report.

      template_file_matrix   HTML template file for a device matrix. This template will
                             be used to create a device matrix compliance report.

      active                 Indicates whether the report is generated when a device is
                             analyzed. This attribute can take the following values:
                             yes. Include the report on the Regulatory Compliance page of
                             the device report.
                             no. Exclude the report.

      sub_title              The sub-title for the report. This appears below the title
                             of the report.

      Example

      <report title="Payment Card Industry Data Security Standard (PCI-DSS) version 2"
              active="yes" template_file_matrix="compliance_rep_templ_matrix_pci2.html"
              template_file_group="compliance_rep_templ_group_pci2.html"
              template_file="compliance_rep_templ_pci2.html" sub_title="test sub-title"
              id="pci2"/>

   c. Save the file.

5. To add a built-in report to the regulatory compliance page, do the following:

   a. Open /home/afa/.fa/compliance_reports/compliance_reports.xml.

   b. Set the active attribute of the report you wish to enable to yes.

   c. Save the file.

6. To remove a built-in report from the regulatory compliance page, do the following:

   a. Open /home/afa/.fa/compliance_reports/compliance_reports.xml.

   b. Set the active attribute of the report you wish to remove to no.

   c. Save the file.
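The registration steps above, as an added example that is not AlgoSec's code: a Python script that checks that the three template files for a new report exist under the naming convention, adds the report tag to the override copy of compliance_reports.xml with the documented attributes, and sets active on a built-in report. The override directory, the built-in report id "pci", the root tag name compliance_reports and all file contents are constructed for the example.

```python
# Added example, not AlgoSec's code: register a custom compliance report in the
# override copy of compliance_reports.xml after checking that its templates follow
# the naming convention above. The override directory, the built-in report "pci"
# and all file contents are constructed for the example.
import os
import tempfile
import xml.etree.ElementTree as ET

TEMPLATE_ATTRS = {  # report attribute -> template file name required by the convention
    "template_file": "compliance_rep_templ_{name}.html",
    "template_file_group": "compliance_rep_templ_group_{name}.html",
    "template_file_matrix": "compliance_rep_templ_matrix_{name}.html",
}

def template_files(reportname):
    """Template file name expected for each template attribute of reportname."""
    return {attr: pat.format(name=reportname) for attr, pat in TEMPLATE_ATTRS.items()}

def register_report(xml_path, override_dir, reportname, title, sub_title="", active=True):
    """Add a <report> sub-tag with id=reportname to the compliance_reports tag.
    Fails before touching the file if a template is missing or the id is taken."""
    files = template_files(reportname)
    missing = [f for f in files.values() if not os.path.isfile(os.path.join(override_dir, f))]
    if missing:
        raise FileNotFoundError(f"templates missing from {override_dir}: {missing}")
    tree = ET.parse(xml_path)
    root = tree.getroot()
    if root.tag != "compliance_reports":
        raise ValueError(f"expected <compliance_reports>, got <{root.tag}>")
    if root.find(f"report[@id='{reportname}']") is not None:
        raise ValueError(f"report id {reportname!r} already exists")
    attrs = {"id": reportname, "title": title, "sub_title": sub_title,
             "active": "yes" if active else "no", **files}
    ET.SubElement(root, "report", attrs)
    tree.write(xml_path)
    return attrs

def set_active(xml_path, report_id, active):
    """Include (yes) or exclude (no) a report on the Regulatory Compliance page."""
    tree = ET.parse(xml_path)
    report = tree.getroot().find(f"report[@id='{report_id}']")
    if report is None:
        raise KeyError(f"no report with id {report_id!r}")
    report.set("active", "yes" if active else "no")
    tree.write(xml_path)
    return report.get("active")

def build_sample_override(override_dir):
    """Constructed override directory: one built-in report in the xml plus the
    three templates for a custom report named pci2."""
    os.makedirs(override_dir, exist_ok=True)
    for name in template_files("pci2").values():
        with open(os.path.join(override_dir, name), "w") as fh:
            fh.write("<html><!-- constructed template --></html>\n")
    xml_path = os.path.join(override_dir, "compliance_reports.xml")
    with open(xml_path, "w") as fh:
        fh.write('<compliance_reports>\n<report id="pci" title="PCI-DSS" active="no" '
                 'template_file="compliance_rep_templ_pci.html"/>\n</compliance_reports>\n')
    return xml_path

def demo():
    """Run the procedure end to end in a temporary override directory."""
    override = tempfile.mkdtemp(prefix="afa_compliance_")
    xml_path = build_sample_override(override)
    added = register_report(xml_path, override, "pci2", "Payment Card Industry Data "
                            "Security Standard (PCI-DSS) version 2", sub_title="test sub-title")
    enabled = set_active(xml_path, "pci", True)  # switch a built-in report on
    try:                                          # templates for "sox" do not exist
        register_report(xml_path, override, "sox", "SOX")
        missing_detected = False
    except FileNotFoundError:
        missing_detected = True
    ids = [r.get("id") for r in ET.parse(xml_path).getroot().findall("report")]
    return {"added": added, "enabled": enabled, "ids": ids, "missing_detected": missing_detected}
```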


Troubleshooting
This topic describes common procedures used when troubleshooting AFA.

Tip: To view a training video that follows an Information Security Officer
troubleshooting common issues that may be preventing him from monitoring and
analyzing several types of security devices, see Performing Basic AFA
Troubleshooting.

Troubleshooting and maintenance permissions


Troubleshooting and day-to-day system maintenance may require permissions to
perform the following steps or access the following directories:

Stop/Start/Restart services

Users may need to stop/start/restart the following services:

• algosec-ms

• apache-tomcat

• crond

• httpd

• iptables

• syslog-ng

Files and folders

Users may need to copy, move, remove or create files and directories in various
locations (for example /tmp, using mv, rm, mkdir) and run chmod, chown, and chattr on
the following paths:

• /usr/share/fa/* (all sub-tree)

• /home/afa/algosec/syslog_processor/*

• /home/afa

• /home/afa/.fa

• /home/afa/.fa/firewalls/*

Run various commands

Users may be required to run the following commands:

• crontab -e -u afa

• vi /etc/ntp.conf

• vi /etc/hosts

• vi /etc/security/limits.conf

• kill -9 / pkill -9

• screen

• strace

In addition, they may be required to modify the iptables configuration on the AlgoSec
appliance/VM.

Sync AFA and FireFlow DB passwords

Some support cases may require performing a sync between the Firewall Analyzer and
FireFlow DB passwords.

To do this, run the following commands from the root user SSH CLI:

# The AFA user, its configuration file, and the FireFlow site configuration file
FA_USER='afa'
FA_CONF_FILE="/home/$FA_USER/.fa/config"
FIREFLOW_SITE_CONFIG='/usr/share/fireflow/local/etc/site/FireFlow_SiteConfig.pm'
# Read the encrypted database password that FireFlow uses
DB_ENC_PASS=`awk -F"'" '/FireFlowDatabasePasswordEncrypted/ {print $2;exit}' $FIREFLOW_SITE_CONFIG`
# Decrypt it as the afa user and set it as the password of the afa database role
export PGPASSWORD=`/usr/bin/sudo -H -u $FA_USER /usr/share/fa/bin/fa_password -decrypt $DB_ENC_PASS 2>/dev/null`
psql -U postgres -c "alter user $FA_USER with password '${PGPASSWORD}';"
# Store the same encrypted value in the AFA configuration file
sed -i 's/^DB_password=.*/DB_password='$DB_ENC_PASS'/' $FA_CONF_FILE

Entering and exiting debug mode


AlgoSec Support may request that you enter Debug mode.

Enter Debug mode    Click your username in the toolbar and then click Info.
                    In the Info dialog, click Enter Debug Mode.

Exit Debug mode     Click your username in the toolbar and then click Info.
                    In the Info dialog, click Exit Debug Mode.

Contact technical support


Contact AlgoSec support to open a new case or update an existing case.

Open a new case from the AlgoSec Portal > Support > Submit a Support Case.

You may be requested to send one of the following sets of files:

GUI-related issues    algosec-support-gui.zip
                      For details, see Download general log files.
                      If the algosec-support-gui.zip file is unavailable, send the
                      following files instead:
                      • .fa-history
                      • fa-install.log
                      • .ht-fa-history
                      For more details, see Access log and configuration files.

All other issues      algosec-support.zip
                      For details, see Download report log files.
                      If the algosec-support.zip file is unavailable, send the following
                      files instead:
                      • fa-install.log
                      • .fa-history
                      • log.html
                      • index.html
                      • .ht-fa-history
                      For more details, see Access log and configuration files.

For more details, see the AlgoSec Portal > Support > Support Home.

Access log and configuration files


Note: Accessing the device configuration and log files requires configuration and
logs privileges.

The following table lists log and configuration files useful when troubleshooting AFA.


File name: algosec-support.zip
Description: An archive file that includes the following report and general log files:
  • fa-history
  • fa-install.log
  • ht-fa-history
  • log.html
  • fwa_monitor.history
  Note: The fwa_monitor.history file may be missing if the file report has a status of
  FAILED, or if you encounter problems during the installation or licensing stages.
Location: $HOME/algosec/firewalls/<job-name>/, where <job-name> is the Job Name of
  the report. The Job Name consists of the user login name followed by a hyphen and an
  integer. Example: afa-3

File name: algosec-support-gui.zip
Description: An archive file that includes:
  • fa-history
  • fa-install.log
  • ht-fa-history
  • map.sqlite
  • dump_nat_data
Location: Download from AFA. For details, see Download general log files.

File name: log.html
Description: The report log file.
  Note: This file may be missing if the file report has a status of FAILED.
Location: $HOME/algosec/firewalls/<job-name>/. For details, see:
  • View report log files
  • Download report log files

File name: algosec-support-full-ENTITY_NAME.zip
Description: Full support data files which include:
  • report log files
  • full firewall configuration
Location: Download from the device report. For details, see Download full support files.

File name: algosec-support-full-ENTITY_NAME-withlogs.zip
Description: Full support data files which include:
  • report log files
  • full firewall configuration
  • traffic logs
Location: Download from the device report. For details, see Download full support files.

File name: messages
Description: All syslog messages.
Location: /var/log/

File name: fa-install.log
Description: The AFA installation log.
Location: /var/log/

File name: fa-history
Description: The AFA application's history file. This file is hidden by default. To view,
  run:
  ls -a $HOME/.fa-history
Location: $HOME/

File name: ht-fa-history
Description: The Web interface's log file. This file is hidden by default. To view, run:
  ls -a $HOME/public_html/algosec/.ht-fa-history
Location: $HOME/public_html/algosec/

File name: map.sqlite
Description: The database of the map.
Location: $HOME/.fa/map.sqlite

File name: dump_nat_data
Description: Dump of NAT related tables.

File name: index.html
Description: The report main index file. This serves as the log file if analysis failed.
Location: $HOME/algosec/firewalls/<job-name>/

Note: You'll need to access the log files directly if the ASMS web interface isn't
available, or if the algosec-support.zip archive is missing. This may happen if a
report has failed, or if you've encountered issues during installation or licensing.

For more details, see:


• View report log files

• Download report log files

• Download full support files

• Download general log files

View report log files


Report log files are accessed from a specific AFA report.

Do the following:

1. View the report.

2. In the report menu, click Policy.

3. In the Report Information area, click the Log File link.

The log file appears. All messages are prefixed with one of the following severity tags:

Severity level   Description

Info             Normal information messages and notification of events. No user action
                 is required.

Warning          AFA took corrective action to remedy a problem that was encountered.
                 Usually, no user action is required unless the report failed to generate,
                 in which case the log file should be sent to AlgoSec Technical Support.
                 For more details, see Contact technical support.

Error            A problem that prevented the report from being generated occurred.
                 Contact AlgoSec Technical Support. For more details, see Contact
                 technical support.

Fatal            A severe error condition required an immediate halt to the report
                 generation process. Contact AlgoSec Technical Support. For more details,
                 see Contact technical support.


Download report log files


Report log files are accessed from a specific AFA report.

Do the following:

1. View the report.

2. In the report menu, click Policy.

3. In the Report Information area, click AlgoSec Support File.

The zip file is downloaded to your computer.

Download full support files


Full support files are accessed from a specific AFA report.

Do the following:

1. View the report.

2. In the report menu, click Policy.

3. In the Report Information area, click one of the following:

• Full Support Data with traffic logs (Large)

• Full Support Data

The zip file is downloaded to your computer.

Download general log files


General log files are useful for troubleshooting interface-related issues.

Do the following:

1. In the toolbar, click your username, and select Info.

2. In the Info dialog, click Download Support Files.

3. Click Download Support Files.


The algosec-support-gui.zip file is downloaded to your computer. It contains the
following files:

• catalina.out

• configuration_access_log.<date>.txt

• dump_nat_data

• fa-history

• fa-install.log

• fa/map.sqlite

• fwa_monitor.history

• ha-logs.tgz

• ht-fa-history

• localhost_access_log.<date>.txt

• log.html

• ms-backuprestore.log

• ms-batch-application.log

• ms-configuration.log

• ms-devicemanager.log

• ms-mapDiagnostics.log

• ms-watchdog.log


Send us feedback
Let us know how we can improve your experience with the Administration Guide.
Email us at: [email protected]

Note: For more details not included in this guide, see the online ASMS Tech Docs.
