Firewall Analyzer Administrator Guide
Administration Guide
View our most recent updates in our online ASMS Tech Docs.
Document Release Date: 4 May, 2020 | Software Release Date: April 2020
Legal Notices
Copyright © 2003-2020 AlgoSec Systems Ltd. All rights reserved.
AlgoSec, FireFlow, AppViz and AppChange are registered trademarks of AlgoSec Systems Ltd. and/or its
affiliates in the U.S. and certain other countries.
Check Point, the Check Point logo, ClusterXL, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer,
INSPECT, INSPECT XL, OPSEC, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge,
SecurePlatform, SecuRemote, SecureXL Turbocard, SecureServer, SecureUpdate, SecureXL, SiteManager-
1, SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard, SmartDefense, SmartLSM, SmartMap,
SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker,
UserAuthority, VPN-1, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1
SecureServer, VPN-1 VSX, VPN-1 XL, are trademarks or registered trademarks of Check Point Software
Technologies Ltd. or its affiliates.
Cisco, the Cisco Logo, Cisco IOS, IOS, PIX, and ACI are trademarks or registered trademarks of Cisco
Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
Juniper Networks, the Juniper Networks logo, NetScreen, and ScreenOS are registered trademarks of
Juniper Networks, Inc. in the United States and other countries. JUNOS and JUNOSe are trademarks of
Juniper Networks, Inc.
All other product names mentioned herein are trademarks or registered trademarks of their respective
owners.
The software contains proprietary information of AlgoSec; it is provided under a license agreement
containing restrictions on use and disclosure and is also protected by copyright law.
Due to continued product development this information may change without notice. The information and
intellectual property contained herein is confidential between AlgoSec and the client and remains the
exclusive property of AlgoSec. If you find any problems in the documentation, please report them to us in
writing. AlgoSec does not warrant that this document is error-free.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by
any means, electronic, mechanical, photocopying, recording or otherwise without the prior written
permission of AlgoSec Systems Ltd.
Contents
AFA administration
  Access the AFA Administration area
  Quickstart – Configure AFA to analyze devices
Logins and other basics
  Supported browsers
  Log in to ASMS
  View ASMS product details
  Log out of ASMS
Manage devices
  AFA communication protocols
  Device procedure reference
  Device icons
  Add devices to AFA
    Add device prerequisites
    Access the DEVICES SETUP page
  Add cloud devices
    AWS (Amazon Web Service) accounts in AFA
    Microsoft Azure subscriptions in AFA
  Add Check Point devices
    Check Point network connections
    Check Point device permissions
    Add a Check Point Multi-Domain Security Management device
      Set user permissions
    Add a Check Point SmartCenter/Gateway
      Set user permissions
    Add a Check Point CMA
    Check Point fields and options
    Configure one-armed mode manually
    Enable data collection for Check Point devices
      Enable data collection via SSH
AFA administration
This topic lists the supported browsers for working with ASMS and gives high-level
instructions for using the AFA Administration area and setting up your AFA environment.
Note: For details about logging in or out of AFA, see Logins and other basics.
Access the AFA Administration area
Do the following:
1. In the toolbar, click your username, and then select Administration from the dropdown menu.
The Administration area tabs include the following:
USERS/ROLES: Manage AFA users and user roles. For details, see AFA users and roles.
Note: The DOMAINS tab enables you to segregate data by domain in a Provider Edition environment. For more details, contact AlgoSec customer support.
Quickstart – Configure AFA to analyze devices
Do the following:
1. Collect your device policy automatically. Add devices for which you want to
activate data collection. For more details, see Manage devices.
2. Configure AFA to run a nightly analysis. Once you have defined your devices for
automatic data collection, you can schedule periodic analyses overnight, or at any
other schedule of your choice.
3. Configure email notifications. AFA can send a variety of e-mail messages to you
and to your team members when reports are ready or when changes are made on
the monitored security devices. Additionally, you can schedule e-mails which
contain dashboards.
4. Manage user access. The AFA Web GUI allows you to view your reports on a
secure web server, and lets you provide access to the reports to authorized team
members.
Standard or Read-Only access can be granted to each user for each device
separately. The Web GUI also allows authorized users to start analyses, to
customize the resulting reports, and to run traffic simulation queries on them. AFA
administrators may also use the Web GUI for administrative configurations.
Logins and other basics
Supported browsers
View ASMS in one of the following web browsers, at a screen resolution of 1920x1080 or above:
• Mozilla Firefox
• Google Chrome
• Microsoft Edge
• Internet Explorer 11 and higher. Internet Explorer 8.0 is supported for FireFlow requestors only.
Log in to ASMS
Log in to ASMS from any desktop computer using the credentials provided by an AFA
administrator.
Do the following:
1. Browse to the ASMS web interface. If a warning message about the web server's certificate appears, check with your network administrator that the certificate is the one expected for this server before you click Accept or OK; an unexpected certificate can mean a misconfigured server or an intercepted connection.
2. In the Username and Password fields, enter your username and password, and click Login.
If you are an administrator for any of the ASMS products, the relevant administration menu is
available from your user dropdown at the top-right:
Note: CloudFlow is now accessible from inside ASMS. Click the dropdown at the
top-left and select CloudFlow.
• To adjust the size of the main menu, hover between the menu and the workspace and drag the border left or right.
• To collapse the menu entirely, click the collapse icon at the top of the menu. When collapsed, click it again to expand the menu.
View ASMS product details
Do the following:
1. In the toolbar, click your username and then select About or Info.
The About dialog appears, showing details about the product you have installed.
Note: If you are running the FIPS 140-2 compliant version of AFA, this is indicated in the window.
Log out of ASMS
Note: If Single Sign On is configured, you must browse to the Logout page hosted on your IdP to log out; logging out of ASMS alone does not end the IdP session.
For more details, see the AlgoSec Firewall Analyzer Administrator Guide.
Manage devices
AFA manages your network security by collecting data from the devices defined in AFA.
Depending on the device's support and the options you enable, add a device to AFA to
enable AFA to automatically obtain the device's policy, routing, configuration, and logs.
AFA collects data via analysis or monitoring processes, at configurable intervals.
Training video: Add / Remove Layer 2 Devices, showing how to manage Layer 2 devices in AFA.
AFA encrypts stored device credentials with 128-bit AES (Advanced Encryption Standard).
Once a device's credentials have been entered and stored in encrypted form, AFA can collect data from the device continuously without an administrator re-entering the password each time. The stored credentials are only as safe as the AFA server itself, so restrict OS and file-system access to that server accordingly.
Device icons
Once added to AFA, each device type is shown in the device tree and across the AFA
interface using an icon that represents the device's brand or function.
Icon Description
Cisco ASA, ACE, IOS Router, or Nexus Router device or security context
Cisco ACI VRFs and other elements in the Cisco ACI fabric
F5 BIG-IP
WatchGuard device
H3C device
Routing Element
Deprecated devices
Support for the Forcepoint brands (Sidewinder, StoneGate) and Hillstone was
deprecated in ASMS version A30.00.
If you had defined these devices in an earlier version of ASMS, these devices are still
available to you, with all the existing capabilities, but you cannot add new ones after
upgrading.
We recommend backing up device data before or after upgrading and then removing
these devices from AFA. Make sure to download any report zip files for the device
before deleting.
Additionally, all references to Cisco ASA devices also refer to legacy PIX and FWSM
devices. To add a new ASA device to your ASMS system, select ASA options.
Add device prerequisites
Manage ports: Make sure to open the necessary port between each device and the AlgoSec server, depending on the protocol used to connect to the device.
Device permissions: You may need to configure device user permissions to enable AFA to collect data from your device. For details, see Required device permissions.
Access the DEVICES SETUP page
Note: Before you start, ensure that your environment is configured to allow communication between AFA and your device. For details, see Add device prerequisites.
Do the following:
1. From the main menu on the left, click Devices, Groups, or Matrices, and then click the Configure button.
5. Populate the fields as needed to complete the configuration, clicking Next or Back
as needed.
Select the syslog-ng server from the list of those already defined in AFA.
Select localhost to use the built-in syslog-ng server. No credentials are required for this
server.
To add a new syslog-ng server, for example one that already existed before you installed AFA, do the following:
Tip: Save the device configuration to make this syslog-ng server available for other
devices as well.
1. Select the syslog-ng server that you want to edit, and click Edit.
A message informs you whether AFA connected to the syslog-ng server successfully.
See also:
• Defining Check Point Devices: Training video about collecting data from a few Check Point devices
• Defining Cisco, Fortinet, Juniper, McAfee & Palo Alto Devices: Training video about collecting data from several different device brands
AWS (Amazon Web Service) accounts in AFA
Analyzed data includes all of the security groups protecting EC2 instances and application load balancers (ALBs), across all AWS regions accessible with the configured access key. AFA separates these instances into groups called security sets. Each AWS security set is a group of instances or ALBs that share the same security group and network ACLs, and therefore the same network policy.
Network connection
The following diagram shows an ASMS Central Manager or Remote Agent connecting
to an AWS account via HTTPS-REST (TCP/443).
Tip: ASMS also supports connecting to AWS via a proxy server, which can be
configured when adding the device to AFA. For more details, see Define a device
proxy .
Device analysis
AFA requires only minimal read-only permissions to access AWS and collect data. When adding the account, supply the credentials of the IAM user AFA should use:
• Access Key ID
• Secret Access Key
We recommend creating a dedicated IAM user with access keys, restricted to the read-only permissions AFA needs, instead of relying on root user access keys: the key is stored on the AFA server, and a least-privilege user limits what an attacker can do with it if that server is compromised.
Tip: You can also use the credentials of another AWS account using the Assume-
Role functionality. For more details, see AWS account fields and options.
ActiveChange
When ActiveChange is enabled, the IAM user must have the read-only permissions plus the following EC2 actions:
• AuthorizeSecurityGroupIngress
• AuthorizeSecurityGroupEgress
• RevokeSecurityGroupIngress
• RevokeSecurityGroupEgress
Grant these write actions only if ActiveChange is actually in use; a collection-only user should keep read-only permissions.
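The least-privilege split above, as an added example that is not part of the AlgoSec guide: a Python script that builds the IAM policy document for the AFA user and checks an existing policy for actions beyond what AFA needs. The read-only action list is an assumption (an illustrative set of Describe calls covering what the guide says AFA analyzes; AlgoSec's exact list is not on this page); the four ActiveChange actions are the ones listed above.

```python
"""Least-privilege IAM policy for the AFA collector user (added example).

Assumptions, not from the AlgoSec guide: READ_ONLY_ACTIONS is an illustrative
set of Describe calls sufficient to enumerate security groups, network ACLs,
instances and ALBs across regions. ACTIVE_CHANGE_ACTIONS are the four actions
the guide lists for ActiveChange.
"""
from __future__ import annotations
import json

READ_ONLY_ACTIONS = [
    "ec2:DescribeRegions",
    "ec2:DescribeVpcs",
    "ec2:DescribeSubnets",
    "ec2:DescribeInstances",
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeNetworkAcls",
    "ec2:DescribeRouteTables",
    "elasticloadbalancing:DescribeLoadBalancers",
]

# Write actions the guide requires only when ActiveChange is enabled.
ACTIVE_CHANGE_ACTIONS = [
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:AuthorizeSecurityGroupEgress",
    "ec2:RevokeSecurityGroupIngress",
    "ec2:RevokeSecurityGroupEgress",
]


def build_afa_policy(active_change: bool = False) -> dict:
    """Build the IAM policy document for the dedicated AFA IAM user."""
    statements = [{
        "Sid": "AfaReadOnly",
        "Effect": "Allow",
        "Action": list(READ_ONLY_ACTIONS),
        "Resource": "*",
    }]
    if active_change:
        statements.append({
            "Sid": "AfaActiveChange",
            "Effect": "Allow",
            "Action": list(ACTIVE_CHANGE_ACTIONS),
            "Resource": "*",
        })
    return {"Version": "2012-10-17", "Statement": statements}


def granted_actions(policy: dict) -> set[str]:
    """Collect every action granted by Allow statements.

    IAM accepts a single statement as a dict and "Action" as either a string
    or a list, so both shapes are normalized here.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    actions: set[str] = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        actions.update([action] if isinstance(action, str) else action)
    return actions


def excess_actions(policy: dict, active_change: bool = False) -> list[str]:
    """Return granted actions that exceed what AFA needs in the chosen mode.

    Wildcards such as "ec2:*" or "*" are reported as excess: they grant far
    more than AFA's collection requires.
    """
    needed = set(READ_ONLY_ACTIONS)
    if active_change:
        needed |= set(ACTIVE_CHANGE_ACTIONS)
    return sorted(a for a in granted_actions(policy) if a not in needed)


if __name__ == "__main__":
    print(json.dumps(build_afa_policy(active_change=False), indent=2))
    # A policy pasted from a console quick-start that uses a wildcard (constructed):
    too_broad = {"Version": "2012-10-17",
                 "Statement": {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}}
    print("excess:", excess_actions(too_broad))
```

Attach the generated document to the dedicated IAM user (for example with aws iam put-user-policy), and run excess_actions against any policy you inherited to catch wildcards such as ec2:* that silently include the security-group write actions.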
Do the following:
1. Access the DEVICES SETUP page. For details, see Access the DEVICES SETUP page.
2. In the vendor and device selection page, select Amazon > Web Services (AWS) EC2.
Options: Select the following options for your AWS account as needed:
• Real-time change monitoring. Select this option to enable real-time alerting upon configuration changes. For more details, see Configure real-time monitoring.
• Set user permissions. Select this option to set user permissions for this device.
5. If you selected Set user permissions, the Edit users dialog box appears.
In the list of users displayed, select one or more users to provide access to reports
for this account.
In the device tree, AWS accounts are shown in three levels: the account, region/VPC, and security set.
Microsoft Azure subscriptions in AFA
AFA separates the VMs into groups called security sets. Each Azure security set is a group of VMs with the same network security group (NSG) and the same subnet NSGs, as well as the same network policies. VMs with no security groups are assigned to a security set called Unprotected VMs. To enable accurate traffic simulation, AFA automatically creates a rule that allows all traffic for these VMs; treat membership of that set as a finding, since nothing filters those VMs' traffic.
Network connection
The following diagram shows an ASMS Central Manager or Remote Agent connecting
to an Azure subscription via HTTPS-REST (TCP/443).
Tip: ASMS also supports connecting to Azure via a proxy server, which can be
configured when adding the device to AFA. For more details, see Define a device
proxy .
Device analysis
AFA requires only the minimal Reader role on the subscription to access Azure and collect data.
ActiveChange
For details, see How to configure a Microsoft Azure Active Directory application in AlgoPedia.
2. In AFA, access the Devices Setup page. For details, see Access the
DEVICES SETUP page.
Options: Select the following options for your Azure subscription as needed:
• Real-time change monitoring. Select this option to enable real-time alerting upon configuration changes. For more details, see Configure real-time monitoring.
• Set user permissions. Select this option to set user permissions for this device.
5. Click Finish.
6. If you selected Set user permissions, the Edit users dialog box appears.
In the list of users displayed, select one or more users to provide access to reports
for this account.
In the device tree, Azure has a three-tier hierarchy: subscription, region/VNet, and then
security set.
Add Check Point devices
Note: You must also perform procedures on your devices, depending on how you connect to the device from AFA. For details, see Enable data collection for Check Point devices.
Tip: Watch a training video on how AFA can collect data from a few Check Point
devices. See Defining Check Point Devices on the AlgoSec portal.
Note: If your CLM/MLM log servers reside on separate hosts, you'll need to connect
to these separately from ASMS.
Check Point device permissions
ASMS requires the following permissions for each type of connection to your Check Point devices:
LEA: On the LEA Permissions tab, under Permissions to Read Logs, select Show all log fields.
Note: Create a separate OPSEC object and permissions profile for ASMS use only. Using the Administrator profile results in failures due to Check Point configurations.
For more details, see Create a Check Point OPSEC Certificate for Check Point Devices (R77 and Lower).
SSH: ASMS must have SSH access to the relevant management and log devices, such as PV-1, CMA, SmartCenter, external log server, or CLM.
Public key authentication is also supported. In either case, the SSH user requires the following permissions:
Write: AFA writes a package containing the required configuration to the /tmp or /var/tmp directory, depending on the device platform (for example, SecurePlatform or Solaris). AFA also requires write permission in the $FWDIR/conf directory for temporary log files.
Execute: AFA runs several commands on the management device, including fwm logexport for logs and cpstat for routing.
For more details, see How to Configure the AlgoSec Firewall Analyzer SSH Client to Use Public Key Authentication in AlgoPedia and Enable data collection via SSH.
REST: When using a Check Point device version R80 or higher, AFA also collects data via REST, in addition to OPSEC or SSH.
• The minimum permission for the API user is Read Only All.
• When ActiveChange is enabled, the minimum permission is Read Write All.
Add a Check Point Multi-Domain Security Management device
AFA analyzes the Filter Module security policy via a secure connection to the MDSM server. MDSM was formerly known as Provider-1.
Do the following:
1. Access the DEVICES SETUP page. For details, see Access the
DEVICES SETUP page.
2. In the vendor and device selection page, select Check Point > Multi Domain
Security Management (Provider-1).
Configure the fields and options on the page as needed. For details, see Check
Point fields and options.
3. Click Next.
4. Depending on the connection type you selected, do one of the following:
OPSEC (recommended): Enter the IP address of the CMA that manages the devices you wish to analyze.
SSH: Select the CMA that manages the devices you wish to analyze by clicking the relevant row.
5. Click Next.
This page displays a table listing all the devices that are managed by the Check
Point MDSM, including standalone devices and virtual systems.
Tip: This enables AFA to detect certain policy optimization information, such as
unused rules.
Do the following:
a. In the Add Device column, select the check box next to the device's name.
c. In the Log Server column, click Settings. Then, do one of the following:
• Select the log server you want to use from the drop-down list.
• In the Check Point Log Server SSH Setup dialog, populate the fields as needed. For details, see Log Server fields.
f. Click OK.
Do the following:
d. Click OK.
8. Complete the remaining fields as needed. For details, see Additional Check Point
options.
9. Click Finish.
10. If you selected Set user permissions, the Edit users dialog box appears. In the list of users displayed, select one or more users to provide access to reports for this account. To select multiple users, hold down CTRL while selecting.
Add a Check Point SmartCenter/Gateway
AFA provides an analysis of the Filter Module's security policy via a secure connection to the SmartCenter server.
Tip: Watch a training video on how AFA can collect data from a few Check Point
devices. See Defining Check Point Devices .
Do the following:
1. Access the DEVICES SETUP page. For details, see Access the
DEVICES SETUP page.
2. In the vendor and device selection page, select Check Point > Security
Management (SmartCenter).
Configure the fields and options on the page as needed. For details, see Check
Point fields and options.
3. Click Next.
Tip: This enables AFA to detect certain policy optimization information, such as
unused rules.
Do the following:
a. In the Add Device column, select the check box next to the device's name.
c. In the Log Server column, click Settings. Then, do one of the following:
• Select the log server you want to use from the drop-down list.
• In the Check Point Log Server SSH Setup dialog, populate the fields as needed. For details, see Log Server fields.
f. Click OK.
5. Complete the Baseline Configuration Compliance fields as needed, and click OK. For details, see Baseline Configuration Compliance fields.
Note: Specifying this information for a device triggers a direct SSH connection
to the device.
6. Complete the remaining fields using the information in Check Point Options Fields
(see Additional Check Point options).
7. Click Finish.
8. If you selected Set user permissions, the Edit users dialog box appears. In the list of users displayed, select one or more users to provide access to reports for this account. To select multiple users, hold down CTRL while selecting.
Add a Check Point CMA
Tip:
• Add multiple CMAs at once by adding a Check Point MDSM. For details, see Add Check Point devices.
• Watch a training video on how AFA can collect data from a few Check Point devices. See Defining Check Point Devices.
Do the following:
1. Access the DEVICES SETUP page. For details, see Access the
DEVICES SETUP page.
2. In the vendor and device selection page, select Check Point > Single CMA.
Configure the fields and options on the page as needed. For details, see Check
Point fields and options.
3. Click Next.
The Check Point - Single CMA - Step 2/2 page appears, displaying a table that
lists all the devices that are managed by the Check Point CMA, including
standalone devices and virtual systems.
Tip: This enables AFA to detect certain policy optimization information, such as
unused rules.
Do the following:
a. In the Add Device column, select the check box next to the device's name.
c. In the Log Server column, click Settings. Then, do one of the following:
• Select the log server you want to use from the drop-down list.
• In the Check Point Log Server SSH Setup dialog, populate the fields as needed. For details, see Log Server fields.
f. Click OK.
5. Complete the Baseline Configuration Compliance fields as needed, and click OK. For details, see Baseline Configuration Compliance fields.
Note: Specifying this information for a device triggers a direct SSH connection
to the device.
6. Complete the remaining fields using the information in Check Point Options Fields
(see Additional Check Point options).
8. If you selected Set user permissions, the Edit users dialog box appears.
In the list of users displayed, select one or more users to provide access to reports
for this account.
Check Point fields and options
Access Information
R80 or higher: Select this option for devices running version R80 or higher. For R80 devices, you must configure the Management API Settings of the device to accept API calls from the IP address of the AlgoSec server. For more information, see Enabling REST Calls to the Security Management Server (see Enable data collection via REST).
Connect via: Specify how AFA should connect to the device, by selecting one of the following:
• SSH: Connect via SSH (Secure Shell protocol). This option is not available when adding a single Check Point CMA.
• OPSEC (NGX R60 or higher): Connect via OPSEC. Recommended.
To specify a custom port, select Custom Port and enter the port number.
User Name / Password: Type the user name and password to access the device. These fields only appear if you selected R80 or higher or you selected SSH in the Connect via area. For more details, see Required device permissions.
Expert Password: Type the expert password, which allows access to all the functions on the SmartCenter server required for this process. This field only appears if you selected SSH in the Connect via area.
User credentials above are for root user: Select this option to specify that the user name and password entered in the User Name and Password fields are the credentials for the Solaris root user. If you clear this option, you must complete the Root Password field. This field only appears if you selected SSH in the Connect via area.
Geographic Distribution
In the Device managed by field, select the remote agent that should perform data
collection for the device.
Log Collection
If you choose SSH, you must enable AFA to analyze application control traffic logs. For
more details, see Enable data collection via SSH. If you do not perform this step, then
information related to application control traffic will not appear in the device report's
Policy Optimization page.
This area only appears if you selected OPSEC in the Connect via area.
OPSEC Setup
This area enables you to specify which certificate to use for OPSEC access to the
device.
For more information, see Specifying a Certificate for OPSEC Access to the Check
Point Device (see Enable data collection via OPSEC).
This area only appears if you selected OPSEC in the Connect via area.
ActiveChange
This area only appears if you selected OPSEC in the Connect via area.
Log Server fields
Host (MLM): Type the host name or IP address of the log server.
Username: Type the user name to use for SSH access to the log server.
Password: Type the password to use for SSH access to the log server.
Secure Platform: Choose this option to specify that the log server is installed on a Check Point SecurePlatform operating system. You must complete the Expert Password field.
Expert Password: Type the expert password, which allows access to all the functions on the log server required for this process.
Solaris: Choose this option to specify that the log server is installed on a Solaris operating system.
User credentials above are for root user: Select this option to specify that the user name and password entered in the Username and Password fields are the credentials for the Solaris root user. If you clear this option, you must complete the Root Password field.
Root Password: If you use a user other than "root" for accessing the Solaris OS, type the root password for Solaris.
Test Connectivity: Click this button to test connectivity to the defined log server. A message informs you whether AFA connected to the log server successfully.
Extra Password: Type the password to use for running OS commands on the device. This field only appears for Check Point devices.
Log collection frequency: Enter the interval of time, in minutes, at which AFA should collect logs for the Check Point device.
Configure one-armed mode manually
Do the following:
1. On the AFA machine, open the device configuration meta file:
/home/afa/.fa/firewalls/<device_name>/fwa.meta
where <device_name> is the name of the device as listed. If your device is listed multiple times, use the longer name.
2. Add the following line, or set the key to this value if it already exists:
is_steering_device=yes
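An idempotent way to apply this setting, as an added example that is not AlgoSec's code: the key is set exactly once and every other line of the meta file is left untouched, so the script can be re-run safely. It assumes fwa.meta is a plain key=value file, one entry per line, as the step above implies; the sample file contents are constructed, and only the is_steering_device key comes from the guide.

```python
"""Idempotently set a key in an AFA device meta file (added example).

Assumption: fwa.meta is a plain key=value file, one entry per line. The
SAMPLE_META contents are constructed; only is_steering_device is from the guide.
"""
from __future__ import annotations
import re


def set_meta_flag(meta_text: str, key: str, value: str) -> str:
    """Return meta_text with exactly one `key=value` line, all other lines intact.

    The key is matched only at the start of a line, so a key that is a suffix
    of another key (e.g. "device" vs "is_steering_device") is never confused
    with it. Duplicate definitions of the same key are collapsed into one.
    """
    pattern = re.compile(rf"^\s*{re.escape(key)}\s*=")
    out: list[str] = []
    found = False
    for line in meta_text.splitlines():
        if pattern.match(line):
            if not found:
                out.append(f"{key}={value}")
                found = True
            continue  # drop repeated definitions of the same key
        out.append(line)
    if not found:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def get_meta_flag(meta_text: str, key: str) -> str | None:
    """Return the value of key, or None if the key is not set."""
    pattern = re.compile(rf"^\s*{re.escape(key)}\s*=\s*(.*?)\s*$")
    for line in meta_text.splitlines():
        m = pattern.match(line)
        if m:
            return m.group(1)
    return None


def enable_steering(meta_text: str) -> str:
    """Apply the one-armed-mode setting from the guide."""
    return set_meta_flag(meta_text, "is_steering_device", "yes")


# Constructed sample meta file; keys other than is_steering_device are
# illustrative and not taken from AFA.
SAMPLE_META = """brand=checkpoint
host=192.0.2.20
is_steering_device=no
"""


if __name__ == "__main__":
    import shutil
    import sys

    path = sys.argv[1]  # e.g. /home/afa/.fa/firewalls/<device_name>/fwa.meta
    shutil.copy(path, path + ".bak")  # keep a backup before editing
    with open(path) as f:
        text = f.read()
    with open(path, "w") as f:
        f.write(enable_steering(text))
    print(f"is_steering_device={get_meta_flag(enable_steering(text), 'is_steering_device')}")
```

Run it as the afa user with the meta file path as its only argument; the .bak copy lets you revert if the device report changes unexpectedly after the next analysis.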
Enable data collection via SSH
Note: In addition to the requirements listed below, ensure that the user AFA uses to access the device has the required permissions. The minimum permission required is Read Only All. When the device is using ActiveChange, the minimum permission is Read Write All. For more details, see Required device permissions.
AFA can be configured to collect logs from a Check Point device via SSH, but special
configuration is required on the Check Point device. Application control traffic logs
include the app_rule_id field, and this field is masked by default for the SSH log
collection user that is specified when adding the device to AFA. As a result, AFA cannot
process application control logs that are collected via SSH, nor use them to generate
information for the Application Control Rules Cleanup area of the device report's Policy
Optimization page.
In order to enable AFA to process application control traffic logs, you must modify
permissions for the app_rule_id field on the Check Point device, as described in the
following procedure.
Note: For R80 and above, AFA collects data via REST (along with either SSH or
OPSEC). For more details, see Enable data collection via REST.
Do the following:
The bottom pane displays the fields that are displayed for app_rule_id.
6. Click OK.
8. If the device sends its traffic logs to a log server other than the management station
(for example, a CLM or external log server), do the following:
b. Re-install the Check Point database on the log server, by selecting Policy
and then Install Database from the main menu.
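To verify that the permission change took effect, as an added example that is not part of the AlgoSec guide: export a few Application Control records with fwm logexport and check that app_rule_id is actually populated. The parser assumes logexport's default ';'-separated output with a header line of field names; which value a masked field shows is an assumption (empty, '-' and 'N/A' are treated as masked), and both sample exports are constructed rather than captured from a device.

```python
"""Check that app_rule_id is unmasked in a `fwm logexport` dump (added example).

Assumptions: fwm logexport writes one header line of field names and one
record per line, ';'-separated (its default delimiter). A masked field is
assumed to show as empty, '-' or 'N/A'. Both samples below are constructed.
"""
from __future__ import annotations

MASKED_VALUES = {"", "-", "N/A"}
APP_CONTROL_PRODUCT = "Application Control"


def parse_logexport(text: str, delimiter: str = ";") -> list[dict[str, str]]:
    """Turn a logexport dump into a list of {field: value} records."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split(delimiter)
    records = []
    for ln in lines[1:]:
        fields = ln.split(delimiter)
        # A short row means trailing fields were absent; read them as masked
        # rather than failing on the whole export.
        fields += [""] * (len(header) - len(fields))
        records.append(dict(zip(header, fields)))
    return records


def app_rule_id_visible(text: str) -> tuple[bool, str]:
    """Report whether Application Control records carry a usable app_rule_id.

    Returns (ok, reason). ok is False when the column is missing entirely,
    when there are no Application Control records to judge from, or when any
    such record still shows a masked value.
    """
    records = parse_logexport(text)
    if not records:
        return False, "export contains no records"
    if "app_rule_id" not in records[0]:
        return False, "app_rule_id column missing from export"
    ac = [r for r in records if r.get("product") == APP_CONTROL_PRODUCT]
    if not ac:
        return False, "no Application Control records to check"
    masked = [r.get("num", "?") for r in ac if r["app_rule_id"].strip() in MASKED_VALUES]
    if masked:
        return False, (f"app_rule_id masked in {len(masked)} of {len(ac)} "
                       f"Application Control records (num {', '.join(masked)})")
    return True, f"app_rule_id populated in all {len(ac)} Application Control records"


# Constructed samples: the same three records before and after the fix.
HEADER = "num;date;time;orig;type;action;product;app_rule_id;app_rule_name"
BEFORE_FIX = "\n".join([
    HEADER,
    "1;3Apr2020;10:01:02;192.0.2.10;log;accept;Application Control;;Allow-Web",
    "2;3Apr2020;10:01:03;192.0.2.10;log;accept;Application Control;-;Allow-Web",
    "3;3Apr2020;10:01:04;192.0.2.10;log;drop;Firewall;;",
])
AFTER_FIX = "\n".join([
    HEADER,
    "1;3Apr2020;10:01:02;192.0.2.10;log;accept;Application Control;"
    "{1A2B3C4D-0000-0000-0000-000000000001};Allow-Web",
    "2;3Apr2020;10:01:03;192.0.2.10;log;accept;Application Control;"
    "{1A2B3C4D-0000-0000-0000-000000000001};Allow-Web",
    "3;3Apr2020;10:01:04;192.0.2.10;log;drop;Firewall;;",
])


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else AFTER_FIX
    ok, reason = app_rule_id_visible(text)
    print(("OK: " if ok else "NOT OK: ") + reason)
```

Produce the export on the management station or log server as the same user AFA uses over SSH (for example fwm logexport -n -o /tmp/afa_check.txt), run the script on that file, and repeat on any CLM or external log server that receives the Application Control logs after you reinstall the database there.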
Enable data collection via OPSEC
Do the following:
1. Create the OPSEC certificate on the Check Point side, using the procedure for your version:
• Create a Check Point OPSEC Certificate for a MDSM (R80 and Higher)
• Create a Check Point OPSEC Certificate for a CMA/SMC (R80 and Higher)
• Create a Check Point OPSEC Certificate for Check Point Devices (R77 and Lower)
4. Click OK to retrieve the certificate from the Check Point SmartCenter, CMA or
MDSM server.
5. Click OK.
The OPSEC Setup area displays the certificate date and time of creation.
Create a Check Point OPSEC Certificate for a MDSM (R80 and Higher)
In order for AFA to collect data from a Check Point MDSM via OPSEC, a global certificate needs to be created for authentication and security purposes. The certificate is created using Check Point's SmartConsole for the PV-1.
Do the following:
3. Create a network object for the host that will run AFA
Note: If a network object for the host is already defined, you can skip this step.
Do the following:
b. Complete the Object Name and IPv4 Address fields with the name and
address of the host that will run AFA.
c. Click OK.
Note: If an OPSEC application object is already defined, you can skip this step.
Do the following:
c. In the CPI Permissions tab, select Permissions Profile, and then do one of
the following:
l Select the super profile in the list, or any other profile with the required
minimum permissions.
Minimum permissions required are Read Only All access. If you're using
ActiveChange, you must have Read/Write All access.
l Select the super profile in the list, or any other profile with the required
minimum permissions.
e. Click OK. The General tab appears again, with additional options.
a. Click Communication.
Note: Record the password you entered here. You'll need to enter it in AFA when you retrieve the certificate.
c. Click Initialize.
The Trust state changes from Uninitialized to "Initialized but trust not established". After AFA retrieves the certificate, the trust state changes to Trusted.
Tip: Create a new certificate if needed by clicking Reset and repeating this
step.
Create a Check Point OPSEC Certificate for a CMA/SMC (R80 and Higher)
In order for AFA to collect data from a Check Point CMA or SMC via OPSEC, a local certificate needs to be created for authentication and security purposes. The certificate is created using Check Point's SmartConsole for the CMA/SMC.
Do the following:
2. Create a network object for the host that will run AFA.
Note: If a network object for the host is already defined, you can skip this step.
Do the following:
a. In the right pane, click the New button and select Host.
b. In the New Host dialog, enter the Name and IP address of the host that will
run AFA, and click OK.
Note: If an OPSEC application object is already defined, you can skip this step.
Do the following:
a. Click the icon at the top left of the screen and select:
New object > More object types > Server > OPSEC Application > New
Application.
c. In the CPI Permissions tab, select Permissions Profile, and then do one of
the following:
l Select the super profile in the list, or any other profile with the required
minimum permissions.
Minimum permissions required are Read Only All access. If you're using
ActiveChange, you must have Read/Write All access.
l Select the super profile in the list, or any other profile with the required
minimum permissions.
e. Click OK. The General tab appears again, with additional options.
a. Click Communication.
Note: Record the password you entered here. You'll need to enter it in AFA when you retrieve the certificate.
c. Click Initialize.
The Trust state changes from Uninitialized to "Initialized but trust not established". After AFA retrieves the certificate, the trust state changes to Trusted.
Tip: Create a new certificate if needed by clicking Reset and repeating this
step.
5. Reinstall the Check Point database on all existing log servers, including CLMs or
external log servers.
Do the following:
b. At the top left, click the icon, and select Install database.
c. In the Install database dialog, verify that your CMA is selected, and click
Install.
Create a Check Point OPSEC Certificate for Check Point Devices (R77 and Lower)
To collect the policy and routing table from a Check Point FireWall-1 module, AFA can use the OPSEC API. For this, a certificate needs to be created for authentication and security purposes.
Do the following:
Note: If a network object for the host running AFA is already defined, you can
skip this step.
Do the following:
c. In the Host Node dialog, enter the Name and IP address of the host that will
run AFA, and then click OK.
Note: If an OPSEC application object is already defined, you can skip this step.
Do the following:
a. In the SmartDashboard main menu, select Manage and then Servers and
OPSEC Applications.
b. In the Servers and OPSEC Applications dialog box, click New > OPSEC
Application.
d. In the CPI Permissions tab, select Permissions Profile, and then do one of
the following:
l Select the super profile in the list, or any other profile with the required
minimum permissions.
Minimum permissions required are Read Only All access. If you're using
ActiveChange, you must have Read/Write All access.
e. For Check Point version R76 or above, in the LEA Permissions tab, select According to Permissions Profile, and then select the super profile in the list, or any other profile with the required minimum permissions.
f. Click OK. The General tab appears again, with additional options.
a. Click Communication.
Note: Record the key you entered here. You'll need to enter it in AFA when you retrieve the certificate.
c. Click Initialize.
The Trust state changes from Uninitialized to "Initialized but trust not established". After AFA retrieves the certificate, the trust state changes to Trusted.
Tip: Create a new certificate if needed by clicking Reset and repeating this
step.
4. Reinstall the Check Point database on all existing log servers, including CLMs or external log servers: click Save, and then select Policy and Install Database from the main menu.
Note: For versions R80 and above, AFA collects data via REST, along with either
SSH or OPSEC. In addition to enabling REST, you must also enable SSH or
OPSEC as needed.
For details, see Enable data collection via SSH and Enable data collection via
OPSEC.
Do the following:
1. Open a SmartConsole.
2. In the left pane, navigate to Manage & Settings > Blades > Management API >
Advanced Settings.
4. Select the IP addresses from which the API server accepts requests:
All IP addresses that can be used for GUI clients: The API server will accept scripts
and web service requests from the same devices that are allowed access to the
Security Management Server. Make sure the AFA server is in this list.
All IP addresses: The API server will accept scripts and web-service requests from
any device.
5. Click OK.
7. In the Check Point Management Server CLI, run the api restart command, and
then exit.
Note: To perform this procedure, you must have a Cisco API license for the
CSM device.
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
2. In the vendor and device selection page, select Cisco > Firewall via CSM
(CSM 4.3 or above).
Access Information
Firewall Host Name: Type the host name of the Cisco device to be analyzed, as it
appears in the CSM UI.
CSM Server: Type the host name or IP address of the Cisco CSM server.
CSM User Name: Type the user name to use for SSH access to the Cisco CSM.
CSM Password: Type the password to use for SSH access to the Cisco CSM.
Geographic Distribution
Select the remote agent that should perform data collection for the device.
The drop-down list includes all baseline compliance profiles in the system. For
more information on baseline compliance profiles and instructions for adding new
baseline compliance profiles, see Customize baseline configuration profiles.
Select None to disable Baseline Compliance Report generation for this device.
Route Collection
l Static Routing Table (URT). AFA will take the device's routing information
from a static file you provide. For more information, see Specify routing data
manually.
Rules view
Note: Intelligent Policy Tuner and the "Unused objects within rules" list are
available only with ADSM.
Log collection method: Specify the log collection method that AFA should use when
collecting traffic logs for the Cisco device, by selecting one of the following:
l Hit-counters: Only use hit-counter data. The Change History report page will be
based on "last modified" timestamps, and Intelligent Policy Tuner is disabled.
l Standard: Use hit-counter data for rule usage, and Syslog data for the Change
History report page. Intelligent Policy Tuner is disabled.
l Extensive: Combine data from both hit-counters and Syslog. Intelligent Policy
Tuner is enabled.
The default value is Extensive.
Additional firewall identifiers: Type any additional IP addresses or host names that
identify the device. When adding multiple entries, separate values by a ':'. For
example: "1.1.1.1:2.2.2.2:ServerName".
This is relevant when the device is represented by multiple or non-standard device
identifiers in the logs, for example, in cases of firewall clusters or non-standard
logging settings. If AFA receives logs with an identifier it does not recognize, the
logs will not be processed.
Note: This field is only relevant for the parent device. In order to specify additional
identifiers for sub-systems (Juniper VSYS/LSYS, Fortinet VDOM, Cisco security
context, etc.), see Add additional device identifiers for sub-systems.
Log collection frequency (minutes): Type the interval of time in minutes, at which
AFA should collect logs for the device.
Options
Set user permissions: Select this option to set user permissions for this device.
4. If you selected Set user permissions, the Edit users dialog box appears.
In the list of users displayed, select one or more users to provide access to reports
for this account.
l Network connectivity
l Device permissions
Network connectivity
The following diagram shows an ASMS Central Manager or Remote Agent connecting
to a Cisco IOS router.
Device permissions
ASMS requires the following of the user account used to access your Cisco IOS routers:
l Device analysis
l ActiveChange
Device analysis
ASMS requires the ability to run the following commands on your Cisco IOS routers:
l show version
l show interface
l show ip interface
l show ip access-list
l show running-config
l show ip route
Note: Some commands may be relevant only on IOS-XE and IOS-XR devices.
Tip: You may want to create a read-only user with specific permissions to run show
running-config view full.
For details, see Defining a limited-privilege Cisco IOS Router user for AFA data
collection in AlgoPedia.
ActiveChange
When ActiveChange is enabled, ASMS requires a user that is able to enter privileged
mode, using enable credentials (security level 15).
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
2. In the vendor and device selection page, select Cisco > IOS Router.
Access Information
User Name: Enter the username to use for device access via SSH.
Password: Enter the password to use for device access via SSH.
Geographic Distribution
Select the remote agent that should perform data collection for the device.
To enable generation of Baseline Compliance Reports for this device, select the
baseline compliance profile to use.
The drop-down list includes all baseline compliance profiles in the system. For
more details, see Customize baseline configuration profiles.
To disable Baseline Compliance Report generation for this device, select None.
Note: If this router is divided into VRF modules, Baseline Compliance Reports
will only be generated for the root/default VRF.
Advanced
Include risk analysis and policy optimization: Select this option to include risk
analysis and policy optimization analysis in the device's reports.
When this is not selected, AFA produces condensed router reports which run as if
there is no license for risks, optimization or regulatory compliance. Reports still
include policy changes and baseline compliance.
This option is disabled by default.
l Telnet
Custom Port: To specify a custom port, select this option and type the port. This
option is only relevant when SSH is selected.
Number of allowed encryption keys: Enter the permitted number of different RSA
keys received from this device's IP address.
Different RSA keys may be sent from the same IP address in cases of cluster fail-over,
device operating system upgrades, etc. For example, if a cluster fail-over occurs, the
secondary node will send a new RSA key from the same IP address to AFA. If this
number is set to 1, the connection to the node will fail, resulting in a failed
analysis.
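The "Number of allowed encryption keys" setting is a per-IP host-key allow list: AFA pins the SSH host keys it has seen for a device address and refuses any key beyond the configured count. The following is an added example, not AlgoSec code, that models that behaviour so the cluster fail-over case above can be seen directly. The class name, the fingerprints and the cluster address are constructed for the illustration.

```python
"""Added example (not AlgoSec code): a per-IP host-key allow list that models
the 'Number of allowed encryption keys' setting. Fingerprints are constructed."""
from typing import Dict, List, Optional


class HostKeyPolicy:
    """Accept at most `limit` distinct SSH host keys per device IP.
    limit=None means unlimited (the documented default for some device types)."""

    def __init__(self, limit: Optional[int]) -> None:
        self.limit = limit
        self.known: Dict[str, List[str]] = {}

    def check(self, ip: str, fingerprint: str) -> bool:
        keys = self.known.setdefault(ip, [])
        if fingerprint in keys:
            return True                      # key already trusted for this IP
        if self.limit is not None and len(keys) >= self.limit:
            return False                     # too many distinct keys: refuse
        keys.append(fingerprint)             # first sight of this key: pin it
        return True


# Constructed fingerprints for a two-node cluster sharing one management IP.
PRIMARY = "SHA256:constructed-primary-node-key"
SECONDARY = "SHA256:constructed-secondary-node-key"
UNEXPECTED = "SHA256:constructed-third-key"
CLUSTER_IP = "192.0.2.10"   # constructed, documentation range


def simulate_failover(limit: Optional[int]) -> List[bool]:
    """Connection outcomes for: primary up, fail-over to secondary, fail back."""
    policy = HostKeyPolicy(limit)
    return [policy.check(CLUSTER_IP, k) for k in (PRIMARY, SECONDARY, PRIMARY)]


def limit_still_blocks_extra_key(limit: int) -> bool:
    """With the limit sized to the cluster, an unknown third key is still refused."""
    policy = HostKeyPolicy(limit)
    policy.check(CLUSTER_IP, PRIMARY)
    policy.check(CLUSTER_IP, SECONDARY)
    return not policy.check(CLUSTER_IP, UNEXPECTED)


if __name__ == "__main__":
    for limit in (1, 2, None):
        print(f"limit={limit}: fail-over sequence -> {simulate_failover(limit)}")
    print("limit=2 still rejects an unexpected key:", limit_still_blocks_extra_key(2))
```

With the limit set to 1 the fail-over connection is refused, which is the failed analysis the text describes; setting it to the number of nodes that can legitimately present a key on that address (2 for a two-node cluster) keeps fail-over working while any further, unexpected key is still rejected. Setting it to unlimited removes that check entirely.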
Route Collection
l Static Routing Table (URT). AFA will take the device's routing information
from a static file you provide. For details, see Specify routing data manually.
ActiveChange
Select this option to enable FireFlow to generate CLI recommendations and push
them to the device.
Checking this box will enable ActiveChange for all the supported Cisco firewalls,
Cisco IOS routers, and Juniper SRX firewalls (not only for this device).
Options
Set user permissions: Select this option to set user permissions for this device.
6. If you selected Set user permissions, the Edit users dialog box appears.
In the list of users displayed, select one or more users to provide access to reports
for this account.
A success message appears to confirm that the device is added. The new device
appears in the device tree, including any VRF devices as unique nodes.
l Network connection
l Device permissions
Network connection
The following diagram shows the connection between an ASMS Central Manager or
Remote Agent and a Cisco Nexus router over SSH.
Device permissions
To analyze Cisco Nexus router devices, ASMS requires the ability to run the following
commands on the Nexus device:
l show version
l show interface
l show ip interface
l show ip access-list
l show running-config
l show ip route
For Nexus versions 7000 and above, ASMS must also have permissions to view all
VDCs.
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
2. In the vendor and device selection page, select Cisco > Nexus Router.
Access Information
Enter the following details for accessing your device from AFA:
User Name: Enter the user name to use for SSH access to the device.
Password: Enter the password to use for SSH access to the device.
Geographic Distribution
Select the remote agent that should perform data collection for the device.
To enable generation of Baseline Compliance Reports for this device, select the
baseline compliance profile to use.
The drop-down list includes all baseline compliance profiles in the system. For
more details, see Customize baseline configuration profiles.
Additional Information
Include risk analysis and policy optimization: Select this option to include risk
analysis and policy optimization analysis in the device's reports.
When this is not selected, AFA produces condensed router reports which run as if
there is no license for risks, optimization or regulatory compliance. Reports still
include policy changes and baseline compliance.
This option is disabled by default.
Route Collection
l Static Routing Table (URT). AFA will take the device's routing information
from a static file you provide. For more details, see Specify routing data
manually.
l Telnet
Then define:
Custom Port: To specify a custom port, select this option and type the port. This
option is only relevant when SSH is selected.
Options
Set user permissions: Select this option to set user permissions for this device.
5. If you selected Set user permissions, the Edit users dialog box appears.
In the list of users displayed, select one or more users to provide access to reports
for this account.
l Network connection
l Device permissions
Note: All references in the ASMS Tech Docs to Cisco ASA devices also refer to
legacy PIX and FWSM devices. To add a new PIX or FWSM device to AFA, select the
ASA options.
Network connection
The following diagram shows an ASMS Central Manager or Remote Agent connecting
to a Cisco ASA device:
Device permissions
ASMS requires the following permissions to connect to your Cisco ASA devices:
l Device analysis
l ActiveChange
l Log collection
Device analysis
ASMS requires the ability to run the following commands on your ASA device:
l show version
l show mode
l change to system
l show context
l show access-list
l show running-config
l show route
l show ipv6
l terminal
Tip: You may want to create a separate user for ASMS with security level 5.
For details, see Defining a limited-privilege PIX/ASA/FWSM user for AFA data
collection in AlgoPedia. This procedure is not relevant if you have ActiveChange
enabled.
ActiveChange
Log collection
ASMS supports the ability to collect logs either by receiving Syslog messages from the
device, or by collecting Syslog messages from a remote Syslog-ng server.
In either case, make sure that your Cisco ASA device is configured to send Cisco
106100 syslog events to ASMS.
For example:
These messages are logged when packets match an ACL statement, if you have the log
option for the access-list command configured.
The message level depends on the level defined for the access-list command. By
default, this level is 6.
Note: Intelligent Policy Tuner analysis is supported for Cisco ASA versions 7.1 and
higher.
To use this feature, the device must send correct log messages, in type 106100,
and the device's ACLs must contain the keyword log.
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
2. In the vendor and device selection page, select Cisco > ASA.
Access Information
User Name: Enter the user name to use for SSH access to the device.
Password: Enter the password to use for SSH access to the device.
Geographic Distribution
Select the remote agent that should perform data collection for the device.
To enable generation of Baseline Compliance Reports for this device, select the
baseline compliance profile to use.
The drop-down list includes all baseline compliance profiles in the system.
To disable Baseline Compliance Report generation for this device, select None.
l SSH (recommended)
l Telnet
Then define:
Custom Port: To specify a custom port, select this option and type the port. This
option is only relevant when SSH is selected.
Number of allowed encryption keys: Enter the permitted number of different RSA
keys received from this device's IP address.
Different RSA keys may be sent from the same IP address in cases of cluster fail-over,
device operating system upgrades, etc. For example, if a cluster fail-over occurs, the
secondary node will send a new RSA key from the same IP address to AFA. If this
number is set to 1, the connection to the node will fail, resulting in a failed
analysis.
Route Collection
l Static Routing Table (URT). AFA will take the device's routing information
from a static file you provide. For more details, see Specify routing data
manually.
Rules View
Note: Intelligent Policy Tuner and the Unused objects within rules list are
available only with ADSM.
Log collection method: Specify the log collection method that AFA should use when
collecting traffic logs for the Cisco device, by selecting one of the following:
l Hit-counters: Only use hit-counter data. The Change History report page will be
based on last modified timestamps. Intelligent Policy Tuner is disabled.
l Standard: Use hit-counter data for rule usage, and Syslog data for the Change
History report page. Intelligent Policy Tuner is disabled.
l Extensive (Default): Combine data from both hit-counters and Syslog. Intelligent
Policy Tuner is enabled.
Additional firewall identifiers: Enter any additional IP addresses or host names that
identify the device. When adding multiple entries, separate values by a colon (:).
For example: 1.1.1.1:2.2.2.2:ServerName.
This is relevant when the device is represented by multiple or non-standard device
identifiers in the logs, for example, in cases of firewall clusters or non-standard
logging settings. If AFA receives logs with an identifier it does not recognize, the
logs will not be processed.
Note: This field is only relevant for the parent device, and not for sub-systems. For
more details, see Add additional device identifiers for sub-systems.
Log collection frequency (minutes): Enter the interval of time in minutes, at which
AFA should collect logs for the device.
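Two of the settings above decide whether a syslog line from this ASA is ever used for rule usage: the source identifier must be one AFA recognises (primary address plus the colon-separated Additional firewall identifiers), and the message must be a 106100 ACL hit, which only appears when the access-list has the log keyword. The following is an added example, not AlgoSec code, that applies those two checks to a handful of constructed ASA syslog lines and totals the hit counts per ACL; it is useful for confirming, before adding the device, that a syslog capture contains what the collector needs. The 106100 body format follows the Cisco ASA documentation; the header layout, host names, addresses and identifier list are constructed.

```python
"""Added example (not AlgoSec code): triage ASA syslog lines the way AFA's log
collection expects, i.e. message ID 106100 from a recognised device identifier.
The log lines and identifiers below are constructed."""
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Set

# Constructed header layout: <PRI>Mon DD YYYY HH:MM:SS <device-id> : %ASA-<sev>-<id>: <body>
HEADER = re.compile(
    r"^(?:<\d+>)?[A-Z][a-z]{2} +\d{1,2} \d{4} \d\d:\d\d:\d\d (?P<src>\S+) : "
    r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)$"
)
# Body of a 106100 message (an ACL hit logged because the ACE has the "log" keyword).
ACL_HIT = re.compile(
    r"^access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<src_if>[^/]+)/(?P<src_ip>[^(]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>[^/]+)/(?P<dst_ip>[^(]+)\((?P<dst_port>\d+)\) hit-cnt (?P<hits>\d+)"
)


def parse_identifiers(primary: str, additional: str = "") -> Set[str]:
    """Identifier set: the primary host plus the colon-separated
    'Additional firewall identifiers' value, e.g. '1.1.1.1:2.2.2.2:ServerName'."""
    ids = {primary.strip()}
    ids.update(v.strip() for v in additional.split(":") if v.strip())
    return ids


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split header fields; for 106100 messages also split the ACL-hit body."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = m.groupdict()
    if rec["id"] == "106100":
        hit = ACL_HIT.match(rec["body"])
        if hit:
            rec.update(hit.groupdict())
    return rec


def summarize(lines: Iterable[str], identifiers: Set[str]) -> Dict[str, object]:
    """Drop lines from unknown sources, keep only 106100 ACL hits for rule
    usage, and total the hit counts per ACL name."""
    hits: Counter = Counter()
    out: Dict[str, object] = {"accepted": 0, "dropped_unknown_source": 0,
                              "ignored_other_type": 0, "unparsed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            out["unparsed"] += 1
            continue
        if rec["src"] not in identifiers:       # unrecognised identifier: not processed
            out["dropped_unknown_source"] += 1
            continue
        if rec["id"] != "106100" or "acl" not in rec:
            out["ignored_other_type"] += 1      # connection events etc.: no rule usage
            continue
        out["accepted"] += 1
        hits[rec["acl"]] += int(rec["hits"])
    out["hits_per_acl"] = dict(hits)
    return out


# Constructed sample: cluster node by host name, cluster node by address, a host
# not listed as an identifier, a non-106100 message, and a malformed line.
SAMPLE_LINES = [
    "<166>Jan 15 2020 10:22:33 fw-cluster-a : %ASA-6-106100: access-list inside_access_in "
    "permitted tcp inside/10.1.1.5(51234) -> outside/203.0.113.10(443) hit-cnt 1 first hit [0x8e2c1b4f, 0x0]",
    "<166>Jan 15 2020 10:22:34 10.0.0.2 : %ASA-6-106100: access-list inside_access_in "
    "denied udp inside/10.1.1.9(5353) -> outside/198.51.100.7(53) hit-cnt 3 300-second interval [0x1a2b3c4d, 0x0]",
    "<166>Jan 15 2020 10:22:35 fw-standby-x : %ASA-6-106100: access-list inside_access_in "
    "permitted tcp inside/10.1.1.7(40001) -> outside/203.0.113.10(443) hit-cnt 9 first hit [0x8e2c1b4f, 0x0]",
    "<166>Jan 15 2020 10:22:36 fw-cluster-a : %ASA-6-302013: Built outbound TCP connection 12345 "
    "for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.1.1.5/51234 (10.1.1.5/51234)",
    "not a syslog line at all",
]
DEVICE_IDS = parse_identifiers("10.0.0.1", "10.0.0.2:fw-cluster-a")

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES, DEVICE_IDS))
```

The third line is dropped because fw-standby-x is not in the identifier list, which is exactly the cluster case the Additional firewall identifiers field exists for; the 302013 connection event from a known node parses fine but contributes nothing to rule usage. A capture in which every line lands in ignored_other_type is the sign that the ACLs are missing the log keyword.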
ActiveChange
Select this option to enable FireFlow to generate CLI recommendations and push
them to the device.
Checking this box will enable ActiveChange for all the supported Cisco firewalls,
Cisco IOS routers, and Juniper SRX firewalls (not only for this device).
Options
Set user permissions: Select this option to set user permissions for this device.
6. If you selected Set user permissions, the Edit users dialog box appears.
In the list of users displayed, select one or more users to provide access to reports
for this account.
A success message appears to confirm that the device is added. Any configured
contexts on the ASA device are also imported.
l Network connectivity
l Device permissions
Network connectivity
The following image shows an ASMS Central Manager or Remote Agent connecting to
a Cisco ACI APIC and fabric.
Device permissions
ASMS requires the following permissions to access Cisco ACI devices:
l Device analysis
l ActiveChange
Device analysis
The user defined on the ACI APIC controller must have a minimum of readPriv
permissions on Security Domains All.
For example:
ActiveChange
For example:
Note: To identify service graph data in queries and change requests, you must
specifically configure AFA to recognize that data. For details, see Configure support
for Cisco service graphs.
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
2. In the vendor and device selection page, select Cisco > Application Centric
Infrastructure (ACI).
Access Information
Tip: Typically, your APIC cluster has three nodes. Specify the
host name or IP address of only one of the APIC nodes.
If the node you added goes down, you'll need to switch your
AFA device configuration to another node. Edit the device
configuration in AFA and enter the host name or IP address of
that second node.
Geographic Distribution
Select a remote agent to perform data collection for the device, if relevant.
Route Collection
Determine how AFA acquires the device's routing information. Select one of the
following:
l Static Routing Table (URT). AFA takes the device's routing information from
a static file you provide. For details, see Specify routing data manually.
ActiveChange
Select this option to enable FireFlow to generate CLI recommendations and push
them to the device.
Checking this box will enable ActiveChange for all the supported Cisco firewalls,
Cisco IOS routers, and Juniper SRX firewalls (not only for this device).
Options
l ACI devices appear in the device tree in a two-tier hierarchy, including both
APICs and tenants.
l Any VRFs on the map are shown with the following syntax: <Tenant_
name>/<VRF_name>
6. If you selected Set user permissions, the Edit users dialog box appears.
In the list of users displayed, select one or more users to provide access to reports
for this account.
A success message appears to confirm that the device is added. The ACI and each
ACI tenant are displayed in the device tree.
During analysis, AFA reads all configuration data from ACI and saves EPG values
according to the following logic:
l If an EPG is associated to specific VMs, their IP addresses are saved as the EPG
value.
l Otherwise, AFA reads the subnets associated with the Bridge Domains (BD) and
considers these subnets for the EPG(s) connected to that BD.
The AFA Policy tab displays the following contract scopes for ACI EPGs:
l Tenant.
l VRF. If the source or destination belong to different VRFs, AFA shows expanded
rules, one for each VRF.
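The EPG value logic above (VM addresses when the EPG is bound to specific VMs, otherwise the subnets of the EPG's Bridge Domain) is worth seeing on data, because the fallback case is where surprises happen: an EPG whose BD has no subnet resolves to nothing, and two EPGs on the same BD resolve to identical values. The following is an added example, not AlgoSec code; the tenants, EPGs, Bridge Domains and addresses are constructed.

```python
"""Added example (not AlgoSec code): resolve ACI EPG values as the text
describes, VM addresses first and Bridge Domain subnets as the fallback.
All tenant, EPG, BD and address data below is constructed."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed inventory: EPG -> (bridge domain, addresses of attached VMs)
EPGS: Dict[str, Tuple[str, List[str]]] = {
    "prod/app-web": ("prod/bd-web", ["10.10.1.12", "10.10.1.11", "10.10.1.11"]),
    "prod/app-db":  ("prod/bd-db", []),
    "prod/legacy":  ("prod/bd-db", []),
    "prod/orphan":  ("prod/bd-missing", []),
}
# Constructed Bridge Domain -> subnets
BDS: Dict[str, List[str]] = {
    "prod/bd-web": ["10.10.1.0/24"],
    "prod/bd-db":  ["10.10.3.0/24", "10.10.2.0/24"],
}


def resolve_epg_values(epgs: Dict[str, Tuple[str, List[str]]],
                       bds: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """EPG -> list of addresses or subnets AFA would store as the EPG value."""
    values: Dict[str, List[str]] = {}
    for epg, (bd, vm_ips) in epgs.items():
        if vm_ips:
            # EPG associated to specific VMs: their (deduplicated) addresses
            values[epg] = sorted({str(ip_address(ip)) for ip in vm_ips}, key=ip_address)
        else:
            # Otherwise every subnet configured on the EPG's Bridge Domain
            values[epg] = sorted({str(ip_network(s)) for s in bds.get(bd, [])}, key=ip_network)
    return values


def unresolved_epgs(values: Dict[str, List[str]]) -> List[str]:
    """EPGs that resolved to no value at all (BD unknown or without subnets);
    these can never match a query and are worth checking in the fabric config."""
    return sorted(epg for epg, v in values.items() if not v)


def shared_values(values: Dict[str, List[str]]) -> List[List[str]]:
    """Groups of EPGs that resolve to the same value, i.e. BD-fallback EPGs
    that share a BD and are indistinguishable by address."""
    by_value: Dict[Tuple[str, ...], List[str]] = {}
    for epg, v in values.items():
        if v:
            by_value.setdefault(tuple(v), []).append(epg)
    return [sorted(g) for g in by_value.values() if len(g) > 1]


if __name__ == "__main__":
    resolved = resolve_epg_values(EPGS, BDS)
    for epg, v in resolved.items():
        print(f"{epg}: {v}")
    print("unresolved:", unresolved_epgs(resolved))
    print("shared:", shared_values(resolved))
```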
If you want to be able to identify service graph data in queries and change requests, you
must specifically configure AFA to recognize that data.
Do the following:
1. Ensure that your device has the following vendor property definition: fip_
additional_devices_set_support = yes.
2. Create a CSV file named devicesSetDefinition.csv. Save this file on the AFA
machine, in the /home/afa/.fa/ directory.
3. Populate the devicesSetDefinition.csv file with tenant, service graph, and device
mapping data, as shown in the following example:
Note: In this file, device names must be exact matches to the names used to
identify the devices in ASMS.
5. In the devicesSetConnection.csv file, define the network logic used to define the
service graph redirect. Use source and destination addresses, as shown in the
following example:
Service graph data is now recognized in AFA queries and FireFlow change requests.
Tip: Alternately, advanced administrators can configure a script that resolves service
graph redirects based on any custom logic using FireFlow ticket fields as
parameters.
Configure firewalls in path (FIP) functionality for ACI tenants and VRFs
By default, AFA query results include ACI tenants with either of the following criteria:
l ACI tenants where one or more of the tenant’s VRFs is included in the query path
ASMS administrators can configure AFA to identify ACI tenants only when the tenant's
VRF is included in the query path. Do the following:
l Network connectivity
l Device permissions
If your device has multiple interfaces and service-chaining mode is not identified
automatically, configure this for your device manually. For more details, see
Configure one-armed mode manually.
Network connectivity
The following diagram shows an ASMS Central Manager or Remote Agent connecting
to a Cisco Firepower device:
Device permissions
ASMS requires the following device permissions to connect to Cisco Firepower devices:
Device analysis
The Cisco Firepower system includes both the Firepower Management Center (FMC)
and the Firepower Threat Defense (FTD) firewalls.
AFA manages the FMC directly, mainly supporting the FTD via the FMC API. In addition,
AFA collects routing and baseline compliance data directly from the FTD via SSH.
l SSH access to the FTD. AFA does not support direct access to the FDM API.
l Dedicated for ASMS. If any other user is used to connect to the device, that user
may be logged out of the Firepower UI at each monitoring cycle, as well as
whenever changes are made to the Firepower device via ASMS.
For example:
Note: The Administrator level role is required due to FMC limitations for fetching
Audit logs.
ActiveChange
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
2. In the vendor and device selection page, select Cisco > Firepower.
Access Information
User Name: Enter the username to use for SSH access to the FMC device.
Note: AFA does not support user or network application awareness for Cisco
Firepower. The network application appears as a field for each rule in the Policy
tab, but is not used in traffic simulation queries.
Password: Enter the password to use for SSH access to the FMC device.
Geographic Distribution
Select the remote agent that should perform data collection for the device.
ActiveChange
device.
4. Click Next to continue on to the FirePower - Step 2/2 page. This page lists the
FTDs that are managed by the Firepower FMC.
For example:
In the Direct Access Configuration, define the Host, User Name, Password, and
Baseline Profile for each FTD.
Tip: To disable Baseline Compliance Report generation for this device, select
None.
For example:
Click Test Connectivity to test the connections to the FTDs defined, and then click
OK.
Note: You must specify the credentials for each FTD in order for AFA to collect
routing data it needs to accurately analyze the device.
Set user permissions: Select this option to set user permissions for this device.
9. Click Finish.
10. If you selected Set user permissions, the Edit users dialog box appears.
In the list of users displayed, select one or more users to provide access to reports
for this account.
Do the following:
1. On the AFA machine, access your device configuration meta file as follows:
/home/afa/.fa/firewalls/<device_name>/fwa.meta
where <device_name> is the name of the device listed. If your device is listed
multiple times, enter the longer name.
is_steering_device=yes
If you have both LTM and AFM devices, and you do not need FireFlow support, use the
LTM and AFM option. If you have only an LTM device, or if you have both but need
FireFlow support, use the LTM-only option.
l Device permissions
Device permissions
The user connecting to the F5 device can have any role, but the User Partition must be
ALL.
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
2. On the vendor and device selection page, select F5 > BIG-IP LTM Only.
Access Information
User Name: Enter the user name to use for SSH access to the device.
Password: Enter the password to use for SSH access to the device.
Geographic Distribution
Select the remote agent that should perform data collection for the device.
To enable generation of Baseline Compliance Reports for this device, select the
baseline compliance profile to use.
The drop-down list includes all baseline compliance profiles in the system. For
more details, see Customize baseline configuration profiles.
To disable Baseline Compliance Report generation for this device, select None.
Route Collection
l Static Routing Table (URT). AFA will take the device's routing information
from a static file you provide. For details, see Specify routing data manually.
This area enables you to select and define a data transfer method. Only SSH is
supported, using either the default or a custom port.
Custom Port: To specify a custom port, select this option and type the port. This
option is only relevant when SSH is selected.
Number of allowed encryption keys: Enter the permitted number of different RSA
keys received from this device's IP address.
Different RSA keys may be sent from the same IP address in cases of cluster fail-over,
device operating system upgrades, etc. For example, if a cluster fail-over occurs, the
secondary node will send a new RSA key from the same IP address to AFA. If this
number is set to 1, the connection to the node will fail, resulting in a failed
analysis.
Default = unlimited
Log collection method: Specify the log collection method that AFA should use when
collecting audit logs for the F5 load balancer, by selecting one of the following:
l Extensive (Default): Not applicable. Intelligent Policy Tuner (IPT) is not available
for F5 devices.
l Standard: Use Syslog data for the Change History report page. IPT is disabled.
l None. Disables the other Log Collection and Monitoring fields.
Additional firewall identifiers: Enter any additional IP addresses or host names that
identify the device. When adding multiple entries, separate values by a colon (:).
For example: 1.1.1.1:2.2.2.2:ServerName.
This is relevant when the device is represented by multiple or non-standard device
identifiers in the logs, for example, in cases of firewall clusters or non-standard
logging settings. If AFA receives logs with an identifier it does not recognize, the
logs will not be processed.
Note: This field is only relevant for the parent device, and not for sub-systems. For
more details, see Add additional device identifiers for sub-systems.
Log collection frequency (minutes): Enter the interval of time in minutes, at which
AFA should collect logs for the device. The default value is 60.
Options
Set user permissions: Select this option to set user permissions for the device.
4. If you selected Set user permissions, the Edit users dialog box appears.
In the list of users displayed, select one or more users to provide access to reports
for this account.
l Network connection
l Device permissions
Network connection
The following diagram shows an ASMS Central Manager or Remote Agent connecting
to an F5 BIG-IP LTM and AFM device.
Device permissions
ASMS requires an Administrator role on all partitions to access your F5 BIG-IP LTM
and AFM device for basic analysis and change management. Additionally, Tmsh for
terminal access is required for Baseline Compliance functionality.
For more details, see F5 BIG-IP LTM+AFM - data collection authentication method in
AlgoPedia.
Note: If you need FireFlow support, add an F5 BIG-IP LTM Only device. For details,
see Add an F5 BIG-IP LTM-only device to AFA.
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
2. On the vendor and device selection page, select F5 > BIG-IP LTM and AFM.
Access Information
User Name: Enter the user name to use for access to the device.
Geographic Distribution
Select the remote agent that should perform data collection for the device.
To enable generation of Baseline Compliance Reports for this device, select the
baseline compliance profile to use.
The drop-down list includes all baseline compliance profiles in the system. For
more details, see Customize baseline configuration profiles.
To disable Baseline Compliance Report generation for this device, select None.
Route Collection
l Static Routing Table (URT). AFA will take the device's routing information
from a static file you provide. For details, see Specify routing data manually.
Log collection method: Specify the log collection method that AFA should use when
collecting audit logs for the F5 load balancer, by selecting one of the following:
l Extensive (Default): Not applicable. Intelligent Policy Tuner (IPT) is not available
for F5 devices.
l Standard: Use Syslog data for the Change History report page. IPT is disabled.
l None. Disables the other Log Collection and Monitoring fields.
Additional firewall identifiers: Enter any additional IP addresses or host names that
identify the device. When adding multiple entries, separate values by a colon (:).
For example: 1.1.1.1:2.2.2.2:ServerName.
This is relevant when the device is represented by multiple or non-standard device
identifiers in the logs, for example, in cases of firewall clusters or non-standard
logging settings. If AFA receives logs with an identifier it does not recognize, the
logs will not be processed.
Note: This field is only relevant for the parent device, and not for sub-systems. For
more details, see Add additional device identifiers for sub-systems.
Log collection frequency (minutes): Enter the interval of time in minutes, at which
AFA should collect logs for the device. The default value is 60.
Options
Set user permissions: Select this option to set user permissions for the device.
4. If you selected Set user permissions, the Edit users dialog box appears.
In the list of users displayed, select one or more users to provide access to reports
for this account.
Note: If syslog messages are sent via FortiAnalyzer device, a separate connection is
required.
Device analysis
Read-only permissions are sufficient, as shown in the example below:
Note: FortiManager v5.2.3 and above with REST access must have permissions for
rpc-permit (set rpc-permit read).
ActiveChange
For example:
Note: FortiManager v5.2.3 and above with REST access and ActiveChange must
have read-write permissions for rpc-permit (set rpc-permit read-write).
In the FortiGate web interface, in the Admin Profile configuration > Access Control,
select an option that is at least read-only.
l If device configuration consists of VDOMs, the user must be configured with set
scope global. Users configured with set scope vdom are not supported for AFA.
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
2. In the vendor and device selection page, select Fortinet > FortiManager.
Access Information
User Name: Enter the user name to use for accessing the device. This user name
must be a super-user.
If Administrative Domains (ADOMs) are used:
l To analyze only devices under a specific ADOM, specify a specific ADOM's
administrator credentials.
l To analyze all devices under all ADOMs, provide the credentials of a global
administrator.
l When analyzing devices as a global administrator, no other action is required.
Otherwise, some manual configuration may be required. Contact AlgoSec support
for more information.
Custom Port: To specify a custom port, select this option and type the port. This
option is only relevant when REST is selected.
The following fields are relevant only when CyberArk is configured. For details,
see Integrate AFA and CyberArk.
Platform (Policy ID): Enter the Platform for this device which will be authenticated
via CyberArk.
Safe: Enter the safe for this device which will be authenticated via CyberArk.
Folder: Enter the folder for this device which will be authenticated via CyberArk.
Geographic Distribution
Select the remote agent that should perform data collection for the device.
ActiveChange
For AFA to process logs from the devices managed by the FortiManager device
you are adding, you may need to specify additional device identifiers.
For more details, see Add additional device identifiers for sub-systems.
Log collection method: Specify whether AFA should collect logs for the device, by
selecting one of the following:
l None: Do not collect logs.
l Standard: Enable log collection.
l Extensive: Enable log collection and the Intelligent Policy Tuner.
The default value is Extensive.
Log collection frequency: Enter the interval of time in minutes, at which AFA should
collect logs for the device.
This page lists all the devices that are managed by the FortiManager, including standalone devices and virtual systems.
To specify that AFA should use the logs created by a managed device / virtual system, do the following:
a. In the Add Device column, select the check box next to the device's name.
Note: Using the device's logs enables AFA to detect certain policy optimization information, such as unused rules. This information is displayed in the Policy Optimization section of the AFA report.
a. Click .
b. In the Direct Access Configuration, enter the following details, and then click OK.
Note: Specifying this information for a device triggers a direct SSH connection to the device.
Set user permissions: Select this option to set user permissions for this device.
9. Click Finish.
The new device is added to the device tree, and appears with a three-tier hierarchy: FortiManager, FortiGate and VDOM.
10. If you selected Set user permissions, the Edit users dialog box appears. In the list of users displayed, select one or more users to provide access to reports for this account.
ASMS can collect log data by receiving syslog messages from the FortiManager device or a FortiAnalyzer, or by collecting syslog messages from a remote syslog-ng server.
This procedure describes how to configure the FortiManager device to send syslog messages to ASMS. For more details, see Log Collection and Monitoring.
Do the following:
1. Log in to your FortiManager web interface, and navigate to the Log & Report > Log Settings area.
2. Enable the Send Logs to Syslog option, and enter the IP Address/FQDN of your AFA server.
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page.
2. In the vendor and device selection page, select Fortinet > FortiGate.
Access Information
User Name: Type the user name to use for SSH access to the device.
Password: Type the password to use for SSH access to the device.
Geographic Distribution
Select the remote agent that should perform data collection for the device.
To enable generation of Baseline Compliance Reports for this device, select the baseline compliance profile to use.
The drop-down list includes all baseline compliance profiles in the system. For more details, see Customize baseline configuration profiles.
To disable Baseline Compliance Report generation for this device, select None.
Route Collection
- Static Routing Table (URT). AFA will take the device's routing information from a static file you provide. For more details, see Specify routing data manually.
- Telnet
Custom Port: To specify a custom port, select this option and type the port. This option is only relevant when SSH is selected.
Number of allowed encryption keys: Enter the permitted number of different RSA keys received from this device's IP address.
Different RSA keys may be sent from the same IP address in cases of cluster fail-over, device operating system upgrades, etc. For example, if a cluster fail-over occurs, the secondary node will send a new RSA key from the same IP address to AFA. If this number is set to 1, the connection to the node will fail, resulting in a failed analysis.
Log collection method: Specify whether AFA should collect logs for the device, by selecting one of the following:
- None: Do not collect logs.
- Standard: Enable log collection.
- Extensive: Enable log collection and the Intelligent Policy Tuner.
The default value is Extensive.
Additional firewall identifiers: Enter any additional IP addresses or host names that identify the device. When adding multiple entries, separate values with a colon (:). For example: 1.1.1.1:2.2.2.2:ServerName.
This is relevant when the device is represented by multiple or non-standard device identifiers in the logs, for example, in cases of firewall clusters or non-standard logging settings. If AFA receives logs with an identifier it does not recognize, the logs will not be processed.
Note: This field is only relevant for the parent device. For more details, see Add additional device identifiers for sub-systems.
Log collection frequency: Enter the interval of time, in minutes, at which AFA should collect logs for the device.
Options
Set user permissions: Select this option to set user permissions for the device.
The new device is added to the device tree with a two-tier hierarchy: FortiGate and VDOM.
4. If you selected Set user permissions, the Edit users dialog box appears. In the list of users displayed, select one or more users to provide access to reports for this account.
Do the following:
1. On the AFA machine, access your device configuration meta file as follows:
/home/afa/.fa/firewalls/<device_name>/fwa.meta
where <device_name> is the name of the device listed. If your device is listed multiple times, enter the longer name.
is_steering_device=yes
Tip: If you have multiple Juniper Netscreen or SRX devices, we recommend adding the Juniper NSM or Space that manages these devices. This automatically enables AFA to analyze any devices managed by the NSM or Space device.
- Device permissions
NAT support for SRX devices: NAT is not supported for Juniper SRX devices defined in AFA under an NSM. If you need NAT support, add your Juniper SRX device separately. For details, see Juniper SRX devices in AFA.
Device permissions
AFA requires the following to collect data from NSM devices:
- Device analysis
- Log collection
Device analysis
To collect data from the NSM GUI server via SOAP, the user accessing the NSM must
You may want to create a user specifically for AFA data collection. To create this user, do the following:
1. Log in to the NSM and select Tools > Manage Administrators and Domains.
4. In the Authorization tab, click Set Password and set a password for the user.
Log collection
To collect log files from the NSM dev server, you must do one of the following:
- Deploy the install_nsm_sudo script on the NSM dev server to change a minimal set of folder permissions. For more details, see Collecting Logs from Juniper NSM without Using the Root in AlgoPedia.
To retrieve dynamic routing data from devices managed by the NSM, the user accessing the NSM must have SNMP access. For more details, see Collecting dynamic routes via SNMP for devices managed by NSM in AlgoPedia.
To collect global-zone rules for SRX devices managed by an NSM, the NSM user defined in AFA must have a role with permissions to view the Junos Global Rulebase. To enable this, do the following:
In the NSM application, navigate to Administration > Common > Task > Manage administrator and domains > Roles, and select View Junos Global Rulebase.
Do the following:
1. Set your NSM device to listen to port 8443 on the IP address of its interface.
2. If you are using a Juniper NSM 2007 or 2008, enable AFA to translate rule numbers to rule IDs. Do the following:
Name: Use_Rulenum
Value: yes
3. Access the Devices Setup page. For more details, see Access the DEVICES SETUP page.
4. In the vendor and device selection page, select Juniper > NSM (NSM 2008 or above).
Access Information
NSM GUI server: Enter the host name or IP address of the NSM GUI server.
NSM HA Cluster: Select this option to enable a High Availability cluster. If AFA fails to access the primary NSM GUI server, AFA will attempt to access the secondary server instead. If selected, also populate the Secondary NSM GUI server field with the host name or IP address of the secondary server.
User Name: Enter the user name to use for SSH access to the NSM GUI server.
Note: AlgoSec recommends using a "read-only" user account on the NSM GUI server. For details, see Device analysis.
Password: Enter the password to use for SSH access to the NSM GUI server.
Port: Enter the port number to use on the NSM GUI server. Default: 8443. Default for NSMXpress appliances: 443.
Geographic Distribution
Select the remote agent that should perform data collection for the device.
Do the following:
a. Ensure that Collect Logs (via SSH) is selected, so that AFA collects traffic logs for the device using SSH.
c. Select Collect audit logs from the same server, so that AFA collects audit logs in addition to traffic logs.
Note: You may need to specify additional device identifiers for AFA to process logs from devices managed by this NSM device. This is relevant when the managed device has multiple or non-standard device identifiers in the logs, such as for firewall clusters or non-standard logging settings. For details, see Add additional device identifiers for sub-systems.
This page lists the devices that are managed by the NSM, including standalone devices and virtual systems.
Do the following:
Add Device column: Select the checkbox for any devices you want to define via the NSM.
Log Analysis column: Select one of the following to determine log functionality for a selected device:
- None to disable logging.
- Standard to enable logging.
- Extensive to enable logging and the Intelligent Policy Tuner.
This enables AFA to detect policy optimization data, such as unused rules, and display them in the Policy Optimization section of the AFA report.
Do the following:
a. Click .
Configure access to managed devices via the NSM: If you do not want to enter credentials for each device and have AFA access them directly, select Access the managed devices through the NSM machine. Then, enter the SSH User Name and SSH Password.
AFA connects to the NSM via SSH, and opens another SSH connection from the NSM to each of the selected devices.
Advanced
Select Display virtual routers (Netscreen devices) to analyze each virtual router under a Netscreen device separately. Each virtual router will appear in the device tree immediately below the Netscreen device, and parallel to virtual systems.
Note: This option is not available for Juniper SRX devices defined in AFA via the NSM. To use this functionality for SRX devices, define them directly in AFA.
Options
Set user permissions: Select this option to set user permissions for this device.
9. If you selected Set user permissions, the Edit users dialog box appears. In the list of users displayed, select one or more users to provide access to reports for this account.
- Network connectivity
- Device permissions
Consider the following when adding Junos Space Security Director devices to AFA:
Data collection may take longer on Junos Space than on other brands. This may have various implications across the system for processes that involve data collection from Junos Space devices.
Juniper Space devices defined in AFA before version A30.00 have different behavior and support options.
Upgrading from A30.00 to A30.10 or higher: If you already have a Juniper Space device defined in AFA, edit your Space device in the AFA Administration area to view all updates for Space devices, such as viewing additional routing instances in the device tree and the map. No changes are required. Simply edit the device configuration and click Finish to update the data.
Upgrading with Juniper Space devices added prior to ASMS A30.00: If your Juniper Space device was added prior to ASMS A30.00, you will need to delete this device from AFA and add it back again to implement all new features. For more details, see Delete a device.
If you have SRX devices already defined in AFA and want to convert them to Juniper Space, first remove the SRX devices and then add them back via Space. For more details, see Delete a device and Juniper SRX devices in AFA.
When the Juniper Space device manages an SRX device or LSYS, which in turn manages Virtual Routers, VRFs, or Secure Wires, AFA displays these routing instances in the AFA device tree. This provides increased route analysis and automation design at the levels of these routing instances.
For example:
Note: Items not added to the device tree include empty Virtual Routers or LSYSs, unsupported routing instances, and LSYSs that contain only unsupported routing instances.
Virtual Router / VRF / Secure Wire level: At the level of the routing instance, AFA displays topology information only, and no policy information. Policy information is displayed at the LSYS level, one node up in the tree.
LSYS level: At the LSYS level, AFA displays policy information only, and no topology information. Topology information is shown at the routing instance level, one node down in the tree.
If you've added new routing instances to your Juniper Space device and want to generate AFA data for these routing instances, edit your Space device in the AFA Administration area. No changes are required. Simply edit the device configuration and click Finish to update the data.
For details, see Virtual Router, VRF, and Secure Wire support.
AFA supports RIB groups and next-table commands as next-hop routers (NHRs) for
When AFA detects either of these inter-VR routing configurations, it adds fake, or backplane, interfaces to the Juniper Space's URT file to simulate these connections. These connections can then be displayed on the AFA network map and in query results.
Network connectivity
The following diagram shows an ASMS Central Manager or Remote Agent connecting to a Juniper SPACE device.
Device permissions
ASMS requires the following for the user used to access your Juniper SPACE devices:
- Device analysis
- ActiveChange
- Log collection
Device analysis
You may want to create a user specifically for AFA data collection. To create this user, do the following:
2. In the Junos Space - Network Management Platform, create a new API Access profile. When adding the new profile, add a new rule with only an asterisk (*) in the name. For example:
3. Switch to the Roles area and create a new role with the following permissions:
- In the Exec RPC API Access Profile area, select the new API access profile that you created in step 2.
For more details about how to perform these steps, see Junos Space - Network Management Platform documentation.
ActiveChange
When ActiveChange is enabled, the user connecting to the Junos Space device requires a minimum of read-write access via SSH.
Log collection
For more details, see Virtual Router, VRF, and Secure Wire support.
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page.
2. In the vendor and device selection page, click Juniper > Junos Space Security Director.
Access Information
User Name: Enter the user name to use to access the device.
Geographic Distribution
Select the remote agent that should perform data collection for the device.
ActiveChange
Log Collection
Log collection method: Specify whether AFA should collect logs for the device, by selecting one of the following:
- None: Do not collect logs.
- Standard: Enable log collection.
- Extensive: Enable log collection and the Intelligent Policy Tuner.
The default value is Extensive.
Log collection frequency: Select the interval of time, in minutes, at which AFA should collect logs for the device.
Note: In order for AFA to process logs from the devices that are managed by this management device, you may need to specify additional device identifiers.
appears.
5. Click Next to continue to the Junos Space Security Director - Step 2/2 page.
This page lists the devices that are managed by the Juniper Space, including standalone devices and logical systems.
Do the following:
Add Device column: Select the checkbox for any devices you want to define via the Space device.
Do the following:
a. Click .
- Baseline Profile. Select a baseline profile to use for the device. For details, see Customize baseline configuration profiles. To disable Baseline Compliance Report generation for this device, select None.
Set user permissions: Select this option to set user permissions for this device.
8. Click Finish.
The new Space device is added to the device tree, showing each individual device, LSYS, or routing instance configured.
Space devices and the devices they manage appear in the device tree with a potentially four-tier hierarchy. For example: Juniper Space Security Director (Management Device) > SRX > LSYS > Virtual Router, VRF, or Secure Wire. For more details, see Virtual Router, VRF, and Secure Wire support.
Note: SRX clusters in passive/active mode appear as a single node in the tree, while SRX clusters in active/active mode appear as two nodes.
9. If you selected Set user permissions, the Edit users dialog box appears. In the list of users displayed, select one or more users to provide access to reports for this account.
- Network connectivity
- Device requirements
Network connectivity
The following diagram shows an ASMS Central Manager or Remote Agent connecting to a Juniper Netscreen device.
Device requirements
ASMS requires the following to connect to Juniper Netscreen devices:
- Device analysis
- ActiveChange
- Log collection
Device analysis
The user connecting to the Netscreen device must be a super-user with a minimum of read-only access via SSH.
ActiveChange
When ActiveChange is enabled, the user connecting to the Netscreen device requires a minimum of read-write access via SSH.
Log collection
ASMS can either receive syslog messages from the device or can collect syslog messages from a remote syslog-ng server.
If your system is configured for the Netscreen device to send syslog messages to ASMS, the message format must be configured as follows.
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page.
2. In the vendor and device selection page, select Juniper > Netscreen.
Access Information
User Name: Enter the user name to use for SSH access to the device.
Password: Enter the password to use for SSH access to the device.
Geographic Distribution
Select the remote agent that should perform data collection for the device.
To enable generation of Baseline Compliance Reports for this device, select the baseline compliance profile to use.
The drop-down list includes all baseline compliance profiles in the system.
To disable Baseline Compliance Report generation for this device, select None.
Advanced
Click the arrow next to the Advanced heading to display the fields in this area.
When selected, each virtual router will appear in the device tree immediately below the Netscreen device and parallel to virtual systems.
Note: This is required in the rare cases where there are no inter-VR routes to/from a specific VR. In other words, when there is an “isolated” VR.
- SSH (recommended)
- Telnet
To specify a custom port, select the Custom Port option and enter the port. This is only relevant when SSH is selected.
Tip: Alternatively, configure AFA to connect to the device using SSH with Public-Key authentication. To do so, select the Use public key authentication in data collection check box in the General sub-tab of the Options tab in the Administration area.
Firewall Log
Collect logs: Specify whether AFA should collect logs for the device, by selecting one of the following:
- None. Do not collect logs.
- Standard. Enable log collection.
- Extensive. Enable log collection and the Intelligent Policy Tuner.
The default value is Extensive.
From: Specify from where AFA should collect logs, by selecting one of the following:
- NSM (default). AFA collects logs from the NSM. If selected, also define the following:
  - NSM Dev server. The NSM host name or IP address.
  - User Name. The user name used to connect to the NSM.
  - Password. The password used to connect to the NSM.
  Click Test Connectivity to test your connection to the NSM server.
- Syslog-ng. AFA collects logs from a syslog-ng server. If selected, also specify the syslog-ng server. For details, see Specify a Syslog-ng server.
Tip: If you are using Juniper's STRM log server, have the messages forwarded to a syslog-ng. For details, see Configure Juniper STRM to forward logs to a Syslog-ng server.
Collect audit logs from the same server: Select to specify that AFA uses the same server to collect both traffic and audit logs.
Note: If you clear this option, specify a separate set of audit log details, just as you did for the traffic log server.
Additional firewall identifiers: Enter any additional IP addresses or host names that identify the device, separated by colon (:). For example: 1.1.1.1:2.2.2.2:ServerName
Log collection frequency: Enter the interval of time, in minutes, at which AFA should collect logs for the device.
ActiveChange
Options
Set user permissions: Select this option to set user permissions for this device.
5. If you selected Set user permissions, the Edit users dialog box appears. In the list of users displayed, select one or more users to provide access to reports for this account.
- Network connection
- Device permissions
Network connection
The following diagram shows an ASMS Central Manager or Remote Agent connecting to a Juniper SRX device.
Device permissions
ASMS requires the following permissions for your Juniper SRX routers:
Device analysis
AFA requires permissions to run the following commands on your SRX device:
- show configuration
ActiveChange
Note: If ActiveChange is not enabled, the user can be in a login-class other than super-user.
For details, see How to configure a Juniper SRX read-only user with permissions required for AFA data collection in AlgoPedia.
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page.
2. In the vendor and device selection page, select Juniper > SRX.
Access Information
Geographic Distribution
Select the remote agent that should perform data collection for the device.
To enable generation of Baseline Compliance Reports for this device, select the baseline compliance profile to use.
The drop-down list includes all baseline compliance profiles in the system. For more details, see Customize baseline configuration profiles.
Additional Information
Select Display virtual routers to analyze each virtual router separately, enabling advanced routing analysis.
This causes individual virtual routers to appear in the AFA device tree as the last tier (below their LSYS), and AFA provides a report for each router.
When this option is enabled, the analysis AFA provides for the LSYS aggregates the information provided for its VRs and should be used for most AFA analysis capabilities, such as policy optimization recommendations.
Although the LSYS analysis aggregates the information for each VR under it, the LSYS analysis does not fully contain the information provided in the VR tier analyses.
Route Collection
- Static Routing Table (URT). AFA will take the device's routing information from a static file you provide. For details, see Specify routing data manually.
- Telnet
Custom Port: To specify a custom port, select this option and type the port. This option is only relevant when SSH is selected.
Number of allowed encryption keys: Enter the permitted number of different RSA keys received from this device's IP address.
Different RSA keys may be sent from the same IP address in cases of cluster fail-over, device operating system upgrades, etc. For example, if a cluster fail-over occurs, the secondary node will send a new RSA key from the same IP address to AFA. If this number is set to 1, the connection to the node will fail, resulting in a failed analysis.
Tip: You can configure AFA to connect to the device using SSH with Public-Key authentication. For details, see Define AFA preferences.
Log collection method: Specify whether AFA should collect logs for the device, by selecting one of the following:
- None: Do not collect logs.
- Standard: Enable log collection.
- Extensive: Enable log collection and the Intelligent Policy Tuner.
The default value is Extensive.
Note: When using STRM (Juniper's log server), you can forward the logs to a syslog-ng (AFA's built-in syslog-ng or an external one). Then, you can define this syslog-ng as the relevant log server. For more details, see Configure Juniper STRM to forward logs to a Syslog-ng server.
Additional firewall identifiers: Enter any additional IP addresses or host names that identify the device. Separate multiple entries by colons (:). For example: 1.1.1.1:2.2.2.2:ServerName
Note: This field is only relevant for the parent device, and you may want to specify additional identifiers for sub-systems. For details, see Add additional device identifiers for sub-systems.
Log collection frequency: Select the interval of time, in minutes, at which AFA should collect logs for the device.
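The Additional firewall identifiers field appears in the FortiGate, Netscreen and SRX tables above, and the FortiGate description states the consequence of leaving it incomplete: a log whose source identifier is not on the list is not processed. The following added example (not AlgoSec code, and not how AFA's collector is implemented) models that behaviour so you can check a planned identifier value against captured log lines before relying on it. It assumes plain BSD-style syslog headers and uses constructed sample lines; the IP 10.0.0.1 and the value 1.1.1.1:2.2.2.2:ServerName are constructed inputs.

```python
"""Match syslog lines to a device by its identifier list.

Added example (not AlgoSec code): models the "Additional firewall
identifiers" field, where identifiers are separated by colons, e.g.
"1.1.1.1:2.2.2.2:ServerName", and a log whose source identifier is not
on the list is not processed. Sample log lines are constructed.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed sample: the value typed into the field, exactly as the guide
# describes it (colon-separated IPs and host names).
FIELD_VALUE = "1.1.1.1:2.2.2.2:ServerName"


def parse_identifiers(field_value: str) -> Set[str]:
    """Split the colon-separated field into a set of normalized identifiers.

    Host names are compared case-insensitively; empty entries (e.g. a
    trailing colon) are ignored.
    """
    return {part.strip().lower() for part in field_value.split(":") if part.strip()}


# Minimal BSD-syslog pattern: "<PRI>MMM dd HH:MM:SS <host> <rest>".
# The host field is what a cluster member or a device with a non-standard
# logging setup may fill in differently from its primary management IP.
_SYSLOG_RE = re.compile(r"^<\d{1,3}>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(\S+)\s+(.*)$")


def log_source(line: str) -> Optional[str]:
    """Return the host/identifier field of a syslog line, or None if malformed."""
    m = _SYSLOG_RE.match(line)
    return m.group(1).lower() if m else None


def route_logs(lines: List[str], primary_ip: str, extra_ids: str) -> Dict[str, List[str]]:
    """Assign each log line to 'accepted' or 'dropped'.

    The device is known by its primary IP plus every identifier in the
    additional-identifiers field; anything else is dropped, mirroring the
    guide's statement that logs with an unrecognized identifier are not
    processed.
    """
    known = parse_identifiers(extra_ids) | {primary_ip.lower()}
    result: Dict[str, List[str]] = {"accepted": [], "dropped": []}
    for line in lines:
        src = log_source(line)
        result["accepted" if src in known else "dropped"].append(line)
    return result


# Constructed sample log lines: one from the primary IP, two from identifiers
# that only appear in the field (a cluster peer and a host name), one from
# an unknown node and one malformed line.
SAMPLE_LINES = [
    "<134>May  4 10:00:01 10.0.0.1 date=2020-05-04 type=traffic action=accept",
    "<134>May  4 10:00:02 2.2.2.2 date=2020-05-04 type=traffic action=deny",
    "<134>May  4 10:00:03 servername date=2020-05-04 type=traffic action=accept",
    "<134>May  4 10:00:04 3.3.3.3 date=2020-05-04 type=traffic action=accept",
    "garbage without a syslog header",
]


def demo() -> Dict[str, List[str]]:
    """Run the constructed lines through the policy (3 accepted, 2 dropped)."""
    return route_logs(SAMPLE_LINES, "10.0.0.1", FIELD_VALUE)


if __name__ == "__main__":
    for bucket, lines in demo().items():
        print(f"{bucket}: {len(lines)}")
        for line in lines:
            print("   ", line)
```

The dropped bucket is the one to watch after a cluster fail-over or a logging change: if it fills with lines from an address you expected to be covered, the identifier list, not the log pipeline, is what needs updating.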
ActiveChange
Select Enable ActiveChange for all supported Juniper SRX firewalls to enable
Note: Checking this box will enable ActiveChange for all Juniper SRX firewalls (not only for this device).
Options
Set user permissions: Select this option to set user permissions for this device.
5. Click Finish.
6. If you selected Set user permissions, the Edit users dialog box appears. In the list of users displayed, select one or more users to provide access to reports for this account.
The new device is added to the device tree, and a success message appears to confirm that the device is added.
Configure this as needed. For details, see the Juniper Knowledge Base.
- Network connectivity
- Device requirements
Note: Juniper routing devices with large route tables may cause data collection to take longer than usual.
For details about specific routers supported, see the AlgoSec Support Matrix.
Network connectivity
The following diagram shows an ASMS Central Manager or Remote Agent connecting to a Juniper router.
Device requirements
ASMS connects to Juniper routing devices using SSH, and requires a super-user with the following permissions:
- show version
- show configuration
Note: If you need to use a user that is not a super-user, contact AlgoSec support.
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page.
2. In the vendor and device selection page, select Juniper > M/E Routers.
Access Information
User Name: Enter the user name used to access the device.
Geographic Distribution
Select the remote agent that should perform data collection for the device.
To enable generation of Baseline Compliance Reports for this device, select the baseline compliance profile to use.
To disable Baseline Compliance Report generation for this device, select None.
The drop-down list includes all baseline compliance profiles in the system. For more details, see Customize baseline configuration profiles.
Route Collection
- Static Routing Table (URT). AFA will take the device's routing information from a static file you provide. For details, see Specify routing data manually.
- SSH (recommended). If selected, AFA also enables you to specify a custom port. Select Custom Port and enter the port number.
- Telnet
From the Number of allowed encryption keys dropdown, select the number of permitted different RSA keys received from this device's IP address.
Different RSA keys may be sent from the same IP address in cases of cluster fail-over, device operating system upgrades, etc.
For example, if a cluster fail-over occurs, the secondary node will send a new RSA key from the same IP address to AFA. In this case, if the Number of allowed encryption keys value was set to 1, the node connection and subsequent analysis will fail.
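The Number of allowed encryption keys setting is described identically for FortiGate, SRX and Juniper routers: AFA tolerates up to that many distinct RSA host keys from one device IP, and a cluster peer presenting a new key at the same address is refused once the limit is reached. The added example below (not AlgoSec code, and an assumption about how the limit behaves rather than AFA's actual implementation) replays a fail-over against a small host-key store so the effect of the limit is visible. The IP address and fingerprints are constructed placeholders.

```python
"""Host-key acceptance policy for devices behind one IP address.

Added example (not AlgoSec code): models the "Number of allowed encryption
keys" setting. A store keeps the distinct RSA host keys seen from each
device IP; a new, different key is accepted only while the number of
distinct keys for that IP stays within the configured limit. With the
limit at 1, the first key from a cluster peer after fail-over is rejected
and the collection fails, which is the failure mode the guide describes.
Fingerprints and the IP below are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class HostKeyStore:
    """Tracks distinct host keys per device IP, with a per-device cap."""
    allowed_keys: int = 1
    seen: Dict[str, List[str]] = field(default_factory=dict)

    def check(self, ip: str, fingerprint: str) -> bool:
        """Return True if a connection presenting this key may proceed.

        A key already on record is always accepted. A new key is recorded
        and accepted only if doing so keeps the count at or below the cap;
        otherwise the connection is refused (and the analysis fails).
        """
        keys = self.seen.setdefault(ip, [])
        if fingerprint in keys:
            return True
        if len(keys) >= self.allowed_keys:
            return False
        keys.append(fingerprint)
        return True


def simulate_failover(allowed_keys: int) -> List[bool]:
    """Replay: primary node twice, the secondary after fail-over, then fail-back.

    Returns the accept/reject decision for each of the four connection attempts.
    """
    store = HostKeyStore(allowed_keys=allowed_keys)
    ip = "10.0.0.1"                          # constructed cluster address
    primary = "SHA256:PRIMARY-NODE-KEY"      # constructed placeholder
    secondary = "SHA256:SECONDARY-NODE-KEY"  # constructed placeholder
    return [
        store.check(ip, primary),
        store.check(ip, primary),
        store.check(ip, secondary),  # fail-over: new key, same IP
        store.check(ip, primary),    # fail-back: key already on record
    ]


if __name__ == "__main__":
    print("limit 1:", simulate_failover(1))  # third attempt refused
    print("limit 2:", simulate_failover(2))  # all accepted
```

Set the value to the number of legitimate key holders behind the address (1 for a standalone device, the member count for a cluster) and no higher: every extra slot is one more unknown host key that AFA would accept at that address without complaint, so a generous value trades host-key pinning for convenience.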
Options
Set user permissions: Select this option to set user permissions for this device.
5. If you selected Set user permissions, the Edit users dialog box appears. In the list of users displayed, select one or more users to provide access to reports for this account.
Do the following:
1. Log in to the STRM Log Manager interface, and click the Admin tab.
2. On the left, click Data Sources > Syslog Forwarding Destinations > Add.
3. Enter the syslog-ng server's IP address and port, and click Save.
All logs that are sent to the Juniper STRM device will be forwarded to the syslog-ng server.
Once added, AFA identifies and analyzes individual VR/Vwires for Panorama devices, in addition to analyzing each VSYS. The VSYS analysis aggregates the information provided for its VR/Vwires, and should be used for most AFA analysis features, such as policy optimization recommendations.
VR/Vwire analysis data provides the ability to troubleshoot routing and topology issues, such as traffic simulation query results, manage risks, and determine which risky rules to trust.
Although the VSYS analysis aggregates the information for each VR under it, the VSYS analysis does not fully contain the data provided in the VR tier analysis.
AFA supports all inter-VR and inter-VSYS cases, whether they are by shared-VR or an explicit inter-VR, by doing the following:
Note: Shared Gateways are partially supported, only when the virtual router is already included in the DEVICES tree.
When AFA detects either of these inter-VR routing configurations, it adds fake, or backplane, interfaces to the firewall's VR URT file to simulate these connections. These connections can then be displayed on the AFA network map and in query results.
Device analysis
For example:
ActiveChange
For example:
- Superuser (read-only)
- Device Admin
If the Palo Alto firewall is a version earlier than 4.1.7, is managed by Panorama, but is defined directly in AFA, ASMS requires one of the following types of users:
- SuperUser (read/write)
- Admin (read/write)
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page.
2. In the vendor and device selection page, select Palo Alto Networks > Panorama.
Access Information
User name: Enter the administrative user name to use for SSH access to the device. For more details, see Panorama device permissions.
Secondary Panorama: Type the host name or IP address for the secondary device.
Geographic Distribution
Select the remote agent that should perform data collection for the device.
ActiveChange
Syslog-ng server: Specify the syslog-ng server. For details, see Specify a Syslog-ng server.
Log collection frequency: Type the interval of time, in minutes, at which AFA should collect logs for the device.
You must also configure the device to send syslog messages. For more details, see Configure log collection on a Panorama device.
Note: To process logs from the devices managed by the Panorama, you may need to specify additional device identifiers, especially when the sub-device is represented by multiple or non-standard device identifiers in the logs. This may be relevant, for example, with firewall clusters or non-standard logging systems. For more details, see Add additional device identifiers for sub-systems.
This page lists the devices that are managed by the Panorama, including standalone devices and virtual systems.
Tip: Clear any devices that you don't want to add to AFA.
a. In the Add Device column, select the check box next to the device's name.
Note: Using the device's logs enables AFA to detect certain policy optimization information, such as unused rules. This information is displayed in the Policy Optimization section of the AFA report.
a. Click .
b. In the Direct Access Configuration, enter the following details, and then click OK.
Note: Specifying this information for a device triggers a direct SSH connection to the device.
Set user permissions: Select this option to set user permissions for this device.
In the device tree, Panoramas are represented with a four-tier hierarchy: Panorama, PA firewall, VSYS, and VR/Vwire.
Passive-Active clusters
- Cluster display names in the device tree, report, and so on, represent both names of the cluster members. For example: NODE1_NODE2
- Baseline compliance: Define the active node details in the device definition wizard.
10. If you selected Set user permissions, the Edit users dialog box appears. In the list of users displayed, select one or more users to provide access to reports for this account.
ASMS can collect log data by receiving syslog messages from the Panorama device, or
by collecting syslog messages from a remote syslog-ng server.
This procedure describes how to configure the Panorama device to send syslog
messages to ASMS. For more details, see Log Collection and Monitoring.
1. Configure a new Syslog Server Profile for the syslog server. For details, see Palo
Alto KnowledgeBase.
Do the following:
1. On the AFA machine, access your device configuration meta file as follows:
/home/afa/.fa/firewalls/<device_name>/fwa.meta
where <device_name> is the name of the device listed. If your device is listed
multiple times, enter the longer name.
is_steering_device=yes
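The edit above is a one-line change to a key=value file, but a hand edit is easy to get wrong (a duplicated key, a truncated file if the editor is interrupted). The following Python helper is an added example, not AFA's own tooling; it assumes fwa.meta holds one key=value pair per line (only the is_steering_device=yes line is shown in the guide) and the /home/afa/.fa/firewalls/<device_name>/fwa.meta path layout given above. The demo runs against a constructed copy of the file, never a live installation.

```python
import os
import tempfile

# Hypothetical helper, not part of AFA: set KEY=VALUE in a fwa.meta-style file
# (assumed here to hold one key=value pair per line), replacing an existing KEY
# line or appending one, and leaving every other line untouched.
def set_meta_value(path, key, value):
    """Set key=value in the file at path and return the new file contents."""
    lines = []
    if os.path.exists(path):
        with open(path, "r", encoding="utf-8") as fh:
            lines = fh.read().splitlines()
    out, replaced = [], False
    for line in lines:
        stripped = line.strip()
        # Leave comments and blank lines alone; compare only the part before '='.
        if stripped and not stripped.startswith("#") and "=" in stripped:
            if stripped.split("=", 1)[0].strip() == key:
                if not replaced:
                    out.append(f"{key}={value}")
                    replaced = True
                continue  # drop any duplicate definition of the same key
        out.append(line)
    if not replaced:
        out.append(f"{key}={value}")
    text = "\n".join(out) + "\n"
    # Write to a temporary file and rename, so an interrupted write cannot leave
    # a truncated meta file behind.
    fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".fwa.meta.")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.replace(tmp_path, path)
    return text


def mark_steering_device(device_name, base_dir="/home/afa/.fa/firewalls"):
    """Set is_steering_device=yes in the device's fwa.meta (path layout from the guide)."""
    meta = os.path.join(base_dir, device_name, "fwa.meta")
    return set_meta_value(meta, "is_steering_device", "yes")


def demo():
    """Run the edit against a constructed copy of a meta file, not a live install."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "fw1"))
        with open(os.path.join(tmp, "fw1", "fwa.meta"), "w", encoding="utf-8") as fh:
            fh.write("brand=paloalto\nis_steering_device=no\n")  # constructed content
        first = mark_steering_device("fw1", base_dir=tmp)   # flips no -> yes
        second = mark_steering_device("fw1", base_dir=tmp)  # second run changes nothing
        return first, second


if __name__ == "__main__":
    print(demo()[0], end="")
```

Because the helper rewrites the file atomically and is idempotent, it is safe to run from a change-control script; run it as the afa user so the file's ownership is preserved.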
Note: Palo Alto Networks firewalls defined directly in AFA do not support the
advanced routing analysis provided for Palo Alto Networks devices defined at the
Panorama level. AFA does not identify individual VR/Vwires and therefore does not
benefit from the routing information they provide.
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
2. In the vendor device selection page, select Palo Alto Networks > Firewall.
Access Information
User Name: Type the administrative user name to use for SSH access to the device.
If the device is managed by Panorama and Panorama is used to push all or part of
the device's configuration, you must provide a user of the Superuser type.
If the device is either not managed by Panorama, or it is managed by Panorama but
no configuration is pushed from Panorama towards the device, then you can specify
a user name of any of the following types: Superuser, Superuser (Read Only),
Device Admin, or Device Admin (Read-Only).
Password: Type the password to use for SSH access to the device.
Geographic Distribution
Select the remote agent that should perform data collection for the device.
To enable generation of Baseline Compliance Reports for this device, select the
baseline compliance profile to use.
The drop-down list includes all baseline compliance profiles in the system. For
more information on baseline compliance profiles and instructions for adding new
baseline compliance profiles, see Customizing Baseline Configuration
Compliance Profiles (see Customize baseline configuration profiles).
To disable Baseline Compliance Report generation for this device, select None.
Route Collection
• Static Routing Table (URT). AFA will take the device's routing information
from a static file you provide. For more information, see Manually Specifying
Routing Information (see Specify routing data manually).
• Telnet
Custom Port: To specify a custom port, select this option and type the port. This
option is only relevant when SSH is selected.
Number of allowed encryption keys: Enter the permitted number of different RSA keys
received from this device's IP address.
Different RSA keys may be sent from the same IP address in cases of cluster
fail-over, device operating system upgrades, etc. For example, if a cluster
fail-over occurs, the secondary node will send a new RSA key from the same IP
address to AFA. If this number is set to 1, the connection to the node will fail,
resulting in a failed analysis.
Specify whether AFA should collect logs for the device, by selecting one of the
following:
Additional firewall identifiers: Enter any additional IP addresses or host names
that identify the device. When adding multiple entries, separate values by a colon
(:). For example: 1.1.1.1:2.2.2.2:ServerName
This is relevant when the device is represented by multiple or non-standard device
identifiers in the logs, for example, in cases of firewall clusters or non-standard
logging settings. If AFA receives logs with an identifier it does not recognize, the
logs will not be processed.
Note: This field is not supported for sub-systems (Juniper VSYS/LSYS, Fortinet VDOM,
Cisco security context, etc.). To configure additional identifiers for sub-systems,
see Adding Additional Device Identifiers for Sub-Systems (see Add additional device
identifiers for sub-systems).
Log collection frequency: Type the interval of time in minutes, at which AFA should
collect logs for the device.
Options
Set user permissions: Select this option to set user permissions for the device.
4. Click Finish.
The new device is added to the device tree, with a two tier hierarchy: firewall and
VSYS.
5. If you selected Set user permissions, the Edit users dialog box appears.
In the list of users displayed, select one or more users to provide access to reports
for this account.
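The Additional firewall identifiers field matters because a log line is attributed to a device only by the identifier in its syslog header, and a line whose identifier is unknown is dropped. The following Python example is added here and is not AFA's code: it builds an identifier index from a constructed device registry (the colon-separated format is the one the guide gives), attributes constructed RFC 3164-style syslog lines to devices, and lists the lines that would be discarded, which is the check to run when a cluster's secondary node starts logging under its own name after a fail-over.

```python
import re

# Constructed device registry (example data, not from an AFA installation):
# display name -> primary host/IP plus the "Additional firewall identifiers"
# value, colon-separated as in the guide's example 1.1.1.1:2.2.2.2:ServerName
DEVICES = {
    "fw-cluster": {"host": "10.0.0.1", "additional_fw_ips": "10.0.0.2:10.0.0.3:FW-NODE2"},
    "branch-fw":  {"host": "branch-fw.example.net", "additional_fw_ips": ""},
}

# Constructed syslog lines; the message bodies are abbreviated on purpose.
SAMPLE_LOGS = [
    "<134>May  4 10:00:01 10.0.0.1 1,2020/05/04 10:00:01,TRAFFIC,end,...",
    "<134>May  4 10:00:02 fw-node2 1,2020/05/04 10:00:02,TRAFFIC,end,...",  # secondary after fail-over
    "<134>May  4 10:00:03 10.0.0.9 1,2020/05/04 10:00:03,TRAFFIC,end,...",  # nobody registered this
    "<134>May  4 10:00:04 branch-fw.example.net 1,2020/05/04 10:00:04,TRAFFIC,end,...",
]


def identifier_set(host, additional_fw_ips):
    """All identifiers for one device, normalised to lower case for matching."""
    ids = {host}
    ids.update(v for v in additional_fw_ips.split(":") if v)
    return {v.strip().lower() for v in ids}


def build_index(devices):
    """Map identifier -> device name; refuse an identifier claimed by two devices."""
    index = {}
    for name, cfg in devices.items():
        for ident in identifier_set(cfg["host"], cfg["additional_fw_ips"]):
            if ident in index and index[ident] != name:
                raise ValueError(f"identifier {ident!r} claimed by both {index[ident]} and {name}")
            index[ident] = name
    return index


# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME ...  (HOSTNAME is the identifier)
SYSLOG_RE = re.compile(r"^<\d{1,3}>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+(\S+)\s")


def attribute(lines, index):
    """Return ({device: [lines]}, [unrecognised lines]); the latter would be dropped."""
    by_device, unknown = {}, []
    for line in lines:
        m = SYSLOG_RE.match(line)
        ident = m.group(1).lower() if m else None
        device = index.get(ident) if ident else None
        if device is None:
            unknown.append(line)
        else:
            by_device.setdefault(device, []).append(line)
    return by_device, unknown


if __name__ == "__main__":
    matched, dropped = attribute(SAMPLE_LOGS, build_index(DEVICES))
    for dev, lines in matched.items():
        print(f"{dev}: {len(lines)} line(s)")
    print("would be dropped:", *dropped, sep="\n  ")
```

The dropped list is the actionable output: each distinct identifier in it is a value to add to the relevant device's Additional firewall identifiers field (or, for sub-systems, via the CSV procedure referenced above).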
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
2. In the vendor and device selection page, select Symantec > Blue Coat.
Access Information
User Name: Enter the user name to use for SSH access to the device.
Password: Enter the password to use for SSH access to the device.
Geographic Distribution
Select the remote agent that should perform data collection for the device.
To enable generation of Baseline Compliance Reports for this device, select the
baseline compliance profile to use.
The drop-down list includes all baseline compliance profiles in the system. For
more details, see Customize baseline configuration profiles.
To disable Baseline Compliance Report generation for this device, select None.
SNMP Polling
Additional Information
Route Collection
• Static Routing Table (URT). AFA will take the device's routing information
from a static file you provide. For details, see Specify routing data manually.
• SSH (recommended)
• Telnet
Custom Port: To specify a custom port, select this option and type the port. This
option is only relevant when SSH is selected.
Number of allowed encryption keys: Enter the permitted number of different RSA keys
received from this device's IP address.
Different RSA keys may be sent from the same IP address in cases of cluster
fail-over, device operating system upgrades, and so on. For example, if a cluster
fail-over occurs, the secondary node will send a new RSA key from the same IP
address to AFA. If this number is set to 1, the connection to the node will fail,
resulting in a failed analysis.
Visual Policy Manager (VPM): The device policy is configured via the Visual Policy
Manager (VPM) only.
Options
Set user permissions: Select this option to set user permissions for this device.
5. If you selected Set user permissions, the Edit users dialog box appears.
In the list of users displayed, select one or more users to provide access to reports
for this account.
Network connectivity
The following diagram shows an ASMS Central Manager or Remote Agent connecting
to a VMware NSX-V device environment.
Device permissions
ASMS requires the following to collect data from VMware NSX-V devices:
• Device analysis
• ActiveChange
Device analysis
The user accessing the VMware NSX-V device must have one of the following roles:
• Auditor
• Security Admin
• NSX Admin
• Enterprise Admin
Note: If you are using an NSX Manager, we recommend using the built-in NSX
Manager user to connect from ASMS.
ActiveChange
When ActiveChange is enabled, the user connecting to the VMware NSX-V device
requires read-write permissions, which one of the following roles provides:
• Security Admin
• Enterprise Admin
Note: When adding an NSX-V device to AFA with vCenter permissions (both Admin and
Read Only), the following data will be missing:
• Device version
• NSX Manager IP
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
Access Information
Host: Enter the host name or IP address of the NSX Manager. This is the name that
will be displayed in the devices tree.
User Name: Enter the user name to use for REST access to the device.
Password: Enter the password to use for REST access to the device.
Geographic Distribution
Select the remote agent that should perform data collection for the device.
Additional Information
Select the Learning mode option to specify that AFA traffic simulation should treat
traffic that is not specified in a rule as blocked.
In reality, the default behavior for NSX devices is to allow all traffic that is not
explicitly blocked. Learning mode enables you to better understand the specific
traffic that needs to be allowed on the device.
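The difference between the device's real default (allow anything not explicitly blocked) and Learning mode (report anything without an explicit rule as blocked) is easiest to see in a small simulation. The following Python example is added here and is not AFA's traffic-simulation code; the rule set and flows are constructed, and the rule schema is a simplification, not the NSX one. It evaluates flows top-down, first match wins, and lists the flows that pass only because of the default-allow, which is exactly what Learning mode is meant to surface.

```python
import ipaddress

# Constructed rule set (example data; the real NSX rule schema is not reproduced).
# Rules are evaluated top-down; the first match decides.
RULES = [
    {"name": "web-in",    "src": "0.0.0.0/0",    "dst": "10.10.1.0/24", "port": 443,  "action": "allow"},
    {"name": "db-in",     "src": "10.10.1.0/24", "dst": "10.10.2.0/24", "port": 5432, "action": "allow"},
    {"name": "block-ssh", "src": "0.0.0.0/0",    "dst": "10.10.0.0/16", "port": 22,   "action": "block"},
]

SAMPLE_FLOWS = [  # constructed traffic
    {"src": "198.51.100.7", "dst": "10.10.1.20", "port": 443},   # matches web-in
    {"src": "198.51.100.7", "dst": "10.10.1.20", "port": 22},    # matches block-ssh
    {"src": "10.10.3.5",    "dst": "10.10.2.9",  "port": 3306},  # no rule at all
]


def matches(rule, flow):
    return (ipaddress.ip_address(flow["src"]) in ipaddress.ip_network(rule["src"])
            and ipaddress.ip_address(flow["dst"]) in ipaddress.ip_network(rule["dst"])
            and flow["port"] == rule["port"])


def simulate(flow, rules, learning_mode):
    """Return (action, rule name) for one flow; '<default>' marks the implicit rule."""
    for rule in rules:
        if matches(rule, flow):
            return rule["action"], rule["name"]
    # No explicit rule matched. The device's actual default is allow; in Learning
    # mode the simulation reports the flow as blocked instead.
    return ("block" if learning_mode else "allow"), "<default>"


def implicitly_allowed(flows, rules):
    """Flows that pass only via the default-allow, i.e. candidates for explicit rules."""
    return [f for f in flows
            if simulate(f, rules, learning_mode=False)[0] == "allow"
            and simulate(f, rules, learning_mode=True)[0] == "block"]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, "->", simulate(f, RULES, learning_mode=True))
    print("need an explicit rule:", implicitly_allowed(SAMPLE_FLOWS, RULES))
```

The flows returned by implicitly_allowed are the ones to review before a policy is tightened: each is traffic the device currently passes without anyone having decided it should.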
Route Collection
• Static Routing Table (URT). AFA will take the device's routing information
from a static file you provide. For details, see Specify routing data manually.
ActiveChange
Select the Enable ActiveChange option to enable ActiveChange for the device.
Options
Set user permissions: Select this option to set user permissions for this device.
5. If you selected Set user permissions, the Edit users dialog box appears.
In the list of users displayed, select one or more users to provide access to reports
for this account.
This topic describes items required for each device type in order for AFA to collect data
and support other features. Some items are only required for specific AFA features.
The required permissions depend on the profile used, as AFA requires permission to
read/execute all commands listed in the profile.
• AWS requirements
• Azure requirements
• F5 device requirements
Note:
Support for the Forcepoint brands (Sidewinder, StoneGate) and Hillstone was
deprecated in ASMS version A30.00.
If you had defined these devices in an earlier version of ASMS, these devices are
still available to you, with all the existing capabilities, but you cannot add new ones
after upgrading.
We recommend backing up device data before or after upgrading and then removing
these devices from AFA. Make sure to download any report zip files for the device
before deleting.
F5 device requirements
For retrieving routing data from the device, SNMP access is required.
AWS requirements
For details, see Device access requirements for AWS.
Azure requirements
For details, see Device requirements for Azure.
Note: For details about adding devices of specific vendor types to AFA, or importing
device data from CSV files, see Add devices to AFA and CSV import file format.
Note: These devices support change monitoring, routing analysis, and baseline
configuration compliance only.
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
2. In the vendor and device selection page, select your device type.
The fields displayed may differ depending on your device brand and selections.
User Name: Type the user name to use for SSH access to the device.
Device managed by: Select the remote agent that should perform data collection for
the device.
To specify that the device is managed locally, select Central Manager.
This field is relevant when a Geographic Distribution architecture is configured.
Route Collection
• Static Routing Table (URT). AFA will take the device's routing information
from a static file you provide. For more information, see Manually Specifying
Routing Information (see Specify routing data manually).
SNMP Polling
Use the following fields to define SNMP polling values. These fields only appear
for selected device brands.
Note: SSH is more secure than Telnet; however, some device brands support only one
method.
Options
Set user permissions: Select this option to set user permissions for this device.
4. If you selected Set user permissions, the Edit users dialog box appears.
In the list of users displayed, select one or more users to provide access to reports
for this account.
Routing elements are generic devices that perform SNMP connections for retrieving
routing tables, without collecting configurations.
Note: AFA supports routing elements using SNMPv2c and SNMPv3. The supported
MIB is RFC-1213, and the OID fetched from the device is ipRouteEntry (object
identifier: 1.3.6.1.2.1.4.21.1).
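What AFA retrieves from a routing element is the RFC 1213 ipRouteEntry table named above, one varbind per column per route. The following Python example is added here and is not AFA's collector: it parses constructed snmpwalk-style output for that table (numeric OIDs, as printed with net-snmp's -On option) into a route list using the RFC 1213 column numbers (1 ipRouteDest, 2 ipRouteIfIndex, 7 ipRouteNextHop, 8 ipRouteType, 11 ipRouteMask), drops rows whose type is invalid(2), and resolves an address by longest prefix match. Running it over a real walk before adding the element is a quick way to confirm the community or SNMPv3 user actually returns routes and that the masks are sane.

```python
import ipaddress
import re

IP_ROUTE_ENTRY = "1.3.6.1.2.1.4.21.1"  # RFC 1213 ipRouteEntry, as quoted in the guide
COLUMNS = {1: "ipRouteDest", 2: "ipRouteIfIndex", 7: "ipRouteNextHop",
           8: "ipRouteType", 11: "ipRouteMask"}  # RFC 1213 column numbers
ROUTE_TYPE = {1: "other", 2: "invalid", 3: "direct", 4: "indirect"}

# One varbind per line: .<ipRouteEntry>.<column>.<index ip> = <TYPE>: <value>
WALK_LINE = re.compile(
    r"^\.?" + re.escape(IP_ROUTE_ENTRY) + r"\.(\d+)\.(\d+\.\d+\.\d+\.\d+)\s*=\s*\w+:\s*(\S+)$")

# Constructed walk output: a default route, a connected /16, and an invalid row.
SAMPLE_WALK = """
.1.3.6.1.2.1.4.21.1.1.0.0.0.0 = IpAddress: 0.0.0.0
.1.3.6.1.2.1.4.21.1.1.10.1.0.0 = IpAddress: 10.1.0.0
.1.3.6.1.2.1.4.21.1.1.192.168.5.0 = IpAddress: 192.168.5.0
.1.3.6.1.2.1.4.21.1.2.0.0.0.0 = INTEGER: 1
.1.3.6.1.2.1.4.21.1.2.10.1.0.0 = INTEGER: 2
.1.3.6.1.2.1.4.21.1.2.192.168.5.0 = INTEGER: 3
.1.3.6.1.2.1.4.21.1.7.0.0.0.0 = IpAddress: 203.0.113.1
.1.3.6.1.2.1.4.21.1.7.10.1.0.0 = IpAddress: 10.1.0.1
.1.3.6.1.2.1.4.21.1.7.192.168.5.0 = IpAddress: 0.0.0.0
.1.3.6.1.2.1.4.21.1.8.0.0.0.0 = INTEGER: 4
.1.3.6.1.2.1.4.21.1.8.10.1.0.0 = INTEGER: 3
.1.3.6.1.2.1.4.21.1.8.192.168.5.0 = INTEGER: 2
.1.3.6.1.2.1.4.21.1.11.0.0.0.0 = IpAddress: 0.0.0.0
.1.3.6.1.2.1.4.21.1.11.10.1.0.0 = IpAddress: 255.255.0.0
.1.3.6.1.2.1.4.21.1.11.192.168.5.0 = IpAddress: 255.255.255.0
""".strip().splitlines()


def parse_walk(lines):
    """Group varbinds by row index, then build routes sorted longest prefix first."""
    rows = {}
    for line in lines:
        m = WALK_LINE.match(line.strip())
        if not m:
            continue  # other OIDs, blank lines, MIB-resolved names: ignored
        col, index_ip, value = int(m.group(1)), m.group(2), m.group(3)
        if col in COLUMNS:
            rows.setdefault(index_ip, {})[COLUMNS[col]] = value
    routes = []
    for index_ip, row in rows.items():
        rtype = ROUTE_TYPE.get(int(row.get("ipRouteType", 1)), "other")
        if rtype == "invalid" or "ipRouteMask" not in row:
            continue  # RFC 1213: invalid(2) rows are not usable routes
        dest = row.get("ipRouteDest", index_ip)
        network = ipaddress.ip_network(f"{dest}/{row['ipRouteMask']}", strict=False)
        routes.append({"network": network, "next_hop": row.get("ipRouteNextHop", "0.0.0.0"),
                       "ifindex": int(row.get("ipRouteIfIndex", 0)), "type": rtype})
    routes.sort(key=lambda r: r["network"].prefixlen, reverse=True)
    return routes


def lookup(routes, address):
    """Longest-prefix match; routes must be sorted as parse_walk returns them."""
    addr = ipaddress.ip_address(address)
    for r in routes:
        if addr in r["network"]:
            return r
    return None


if __name__ == "__main__":
    table = parse_walk(SAMPLE_WALK)
    for r in table:
        print(f"{str(r['network']):18} via {r['next_hop']:14} if{r['ifindex']} {r['type']}")
    print("8.8.8.8 ->", lookup(table, "8.8.8.8")["next_hop"])
```

ipRouteEntry is deprecated in favour of ipCidrRouteTable on newer devices, so an empty result from this parser on a real walk means the element should be checked for which table it actually populates before assuming the credentials are wrong.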
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
2. In the vendor and device selection page, click Routing Element on the right.
Device managed by: Select the remote agent that should perform data collection for
the device.
To specify that the device is managed locally, select Central Manager.
This field is relevant when a Geographic Distribution architecture is configured.
Route Collection
• Static Routing Table (URT). AFA will take the device's routing information
from a static file you provide. For details, see Specify routing data manually.
Options
Update Network Map upon routing change: Select this option to enable automatically
updating the graphic network map upon routing changes.
Set user permissions: Select this option to set user permissions for this device.
4. If you selected Set user permissions, the Edit users dialog box appears.
In the list of users displayed, select one or more users to provide access to reports
for this account.
AFA enables you to do this via the Administration area in AFA or via CLI.
For more details, see the How to Import and Manage Devices in Bulk from a .CSV File
AlgoPedia article.
Note: The same CSV file cannot be used to both add new devices and update
existing devices at the same time.
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
A zip file is downloaded with sample files for various device types.
Add a line to the file for each device you want to add or update, as well as values
that correspond to each header.
1. Open a text or csv file, and add a list of comma separated column headers. Each
column header supports a device property or option.
For details about supported column headers, see CSV import file format.
2. For each device you want to add or update, add a new line with values that
correspond to each header.
Adding or updating: Your CSV file can include either devices to add or update, but
not both.
• Juniper Netscreen
These devices must be added or updated using a CSV file of their own.
Missing headers: If you are adding new devices, any headers not included in the CSV
are assigned with default values.
If you are updating existing devices, any headers not included in the CSV are
ignored, and no changes are made for those properties in AFA.
Syslog values for sub-systems: If you want to assign syslog identifiers for
sub-systems, you must do this as part of an update CSV file. The parent device must
already be defined in AFA.
3. Save the file and continue with Import your CSV file (UI).
Tip: Use a CSV file to assign additional device identifiers for primary/parent devices
or device subsystems, such as VSYS or VDOM.
In such cases, you only need to include the name and additional_fw_ips column
headers for each device.
For more details, see Add/update multiple devices in bulk and Bulk import support
scope.
Note: For more details, see Prepare your CSV file and CSV import file format.
Do the following:
1. Ensure that the devices listed in your CSV file are online and accessible by AFA
via SSH.
2. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
5. Select your Device Type, and then browse to and select your prepared CSV file.
For more details, see Prepare your CSV file.
For example:
Note: For more details, see Prepare your CSV file and CSV import file format.
Do the following:
1. Ensure that the devices listed in your CSV file are online and accessible by AFA
via SSH.
2. Log in to the AFA server as user afa and browse to the directory where the CSV
file is saved.
Where:
-f <CSVFile>: Defines the name of the CSV file. This file must be located in the
current directory.
The script runs and the devices described in your CSV file are added or updated in
AFA.
You cannot use the same CSV file to add new devices and update existing
devices at the same time.
• Device data for multiple device types, except for the following:
  • Cisco IOS
  • Cisco ASA
  • Juniper Netscreen
These device types must be added in CSV files with no other device types listed.
Additionally, the following types of devices and device options must be added or
configured manually in the AFA Administration area:
Note: Header values are case sensitive. Using header values with different cases
from those listed below will cause unexpected results in your file upload.
For more details, see Add/update multiple devices in bulk and the How to Import and
Manage Devices in Bulk from a .CSV File AlgoPedia article.
Tip: You can also use a CSV file to assign additional device identifiers for
primary/parent devices or device sub-systems, such as VSYS or VDOM. In such
cases, you only need to include the name and additional_fw_ips values.
brand: The device brand. For more details, see Supported device brand values.
Required for all devices except for the following:
• Cisco IOS
• Cisco ASA/PIX/FWSM
• Juniper Netscreen
Specify these brand types in the Bulk Add/Update Device dialog instead.
display_name: The name as it appears in the device tree, including spaces and other
special or numeric characters.
Optional for all devices.
Default: If this column is missing or empty, the device is added using the device's
host name.
Note: For Cisco IOS or ASA devices enabled for CyberArk, the
Password and Enable User Password must be the same.
Cisco-related headers
Header name    Description
rules_view: Determines how rules are displayed in device reports, as one of the
following:
• ASDM. (Default) Display rules in the Cisco Adaptive Security Device Manager (ASDM)
graphical interface.
• CLI. Display rules in command line format.
Relevant for Cisco ASA devices only.
CyberArk-related headers
Header name Description
Advanced headers
Header name    Description
• no
Relevant only for the following devices:
• Juniper Netscreen
• Juniper SRX
• Cisco IOS
• Cisco Nexus
number_of_allowed_encryption_keys: Determines the permitted number of different RSA
keys that AFA can receive from the device's IP address, as follows:
• 1
• 2
• unlimited (Default)
log_collection_mode: Determines the method for collecting logs for the device:
• standard. Enable log collection.
• extensive. (Default) Enable log collection and the Intelligent Policy Tuner.
Relevant when log collection is enabled.
collect_log_from: Determines whether AFA collects logs from the NSM or a syslog-ng
server:
• nsm (Default)
• syslog
Relevant for Juniper Netscreen when log collection is enabled.
Note: If traffic logs and audit logs are not on the same server, specify the audit
log server using additional headers listed below. In such cases, this value defines
a value for the traffic log server.
log_host_name: Defines the host name or IP address of the server/device sending logs
to AFA.
Relevant when log collection is enabled.
log_user_name: Defines the user name used to connect to the server/device sending
logs to AFA.
Relevant when log collection is enabled.
collect_log_from_adt: Determines whether AFA collects audit logs from the NSM or a
syslog-ng server:
• nsm
• syslog
Relevant for Juniper Netscreen when log collection is enabled.
Note: By default, the audit log server is the same as the traffic log server.
log_host_name_adt: Defines the host name or IP address of the server/device sending
audit logs to AFA.
Relevant for Juniper Netscreen when:
• Log collection is enabled
• The audit log server is different from the traffic log server
log_user_name_adt: Defines the user name for connecting to the server/device sending
audit logs to AFA.
Relevant for Juniper Netscreen when:
• Log collection is enabled
• The audit log server is different from the traffic log server
log_passwd_adt: Defines the password for connecting to the server/device sending
audit logs to AFA.
log_collection_frequency: Defines how often AFA collects logs for the device, in
minutes.
Relevant for Juniper Netscreen when:
• Log collection is enabled
• The audit log server is different from the traffic log server
additional_fw_ips: Defines any additional IP addresses or host names that identify
the device, with colon-separated values.
Relevant when log collection is enabled.
Additional headers
Header name    Description
Tip: Devices usually block the ability to access the device as user
root. Enable root access to the device to improve AFA support.
set_user_permissions: Determines whether you can set user permissions for the device:
• yes (Default)
• no
Optional for all devices.
firewall_users: Defines the users with access to the reports produced for the device.
Separate multiple usernames with slashes (/).
Relevant when setting user permissions is enabled for the device.
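Header names are case sensitive, several headers take a fixed set of values, and a file must not mix new and existing devices, so it pays to validate a CSV before uploading it rather than after a partial import. The following Python validator is an added example, not AFA's import script. It knows only the headers and value sets listed in this section (the full format has more, so an unlisted header is reported as a warning, not an error), splits additional_fw_ips on colons and firewall_users on slashes as the table specifies, applies the documented default for set_user_permissions, and flags add/update mixing when given the names already defined in AFA. The brand strings in the sample are placeholders; the real values are in the Supported device brand values list, which is not reproduced here.

```python
import csv
import io

# Header names and value sets taken from this section of the guide. The real import
# format has more headers than this section lists, so an unknown name is a warning,
# not an error (an assumption made for this example).
KNOWN_HEADERS = {
    "name", "brand", "display_name", "rules_view", "number_of_allowed_encryption_keys",
    "log_collection_mode", "collect_log_from", "log_host_name", "log_user_name",
    "collect_log_from_adt", "log_host_name_adt", "log_user_name_adt", "log_passwd_adt",
    "log_collection_frequency", "additional_fw_ips", "set_user_permissions", "firewall_users",
}
ENUMS = {
    "rules_view": {"ASDM", "CLI"},
    "number_of_allowed_encryption_keys": {"1", "2", "unlimited"},
    "log_collection_mode": {"standard", "extensive"},
    "collect_log_from": {"nsm", "syslog"},
    "collect_log_from_adt": {"nsm", "syslog"},
    "set_user_permissions": {"yes", "no"},
}

# Constructed sample files. PLACEHOLDER_BRAND stands in for a real brand value.
SAMPLE_CSV = """name,brand,display_name,number_of_allowed_encryption_keys,additional_fw_ips,firewall_users,set_user_permissions
fw-edge-1,PLACEHOLDER_BRAND,Edge FW 1,2,10.0.0.2:fw-edge-1b,alice/bob,yes
fw-core-1,PLACEHOLDER_BRAND,,unlimited,,,
"""
BAD_CSV = """name,brand,log_collection_frequency,Set_User_Permissions
fw-x,PLACEHOLDER_BRAND,abc,yes
"""


def validate_csv(text, existing_names=frozenset()):
    """Return {'rows', 'errors', 'warnings'} for one CSV import file."""
    reader = csv.DictReader(io.StringIO(text))
    headers = reader.fieldnames or []
    errors, warnings = [], []
    by_lower = {h.lower(): h for h in KNOWN_HEADERS}
    for h in headers:
        if h in KNOWN_HEADERS:
            continue
        if h.lower() in by_lower:  # right header, wrong case: the guide warns about this
            errors.append(f"header {h!r}: wrong case, expected {by_lower[h.lower()]!r}")
        else:
            warnings.append(f"header {h!r} is not listed in this section; check the full format")
    if "name" not in headers:
        errors.append("missing required 'name' header")
    adds = updates = 0
    rows = []
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header row
        name = (row.get("name") or "").strip()
        if not name:
            errors.append(f"line {lineno}: empty name")
            continue
        if name in existing_names:
            updates += 1
        else:
            adds += 1
        for field, allowed in ENUMS.items():
            v = row.get(field)
            if v not in (None, "") and v not in allowed:
                errors.append(f"line {lineno}: {field}={v!r} not in {sorted(allowed)}")
        freq = row.get("log_collection_frequency")
        if freq not in (None, "") and not (freq.isdigit() and int(freq) > 0):
            errors.append(f"line {lineno}: log_collection_frequency must be a positive number of minutes")
        rows.append({
            "name": name,
            "additional_fw_ips": [v for v in (row.get("additional_fw_ips") or "").split(":") if v],
            "firewall_users": [v for v in (row.get("firewall_users") or "").split("/") if v],
            "set_user_permissions": row.get("set_user_permissions") or "yes",  # documented default
        })
    if adds and updates:
        errors.append(f"file mixes {adds} new and {updates} existing devices; split it into two files")
    return {"rows": rows, "errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CSV), ("bad", BAD_CSV)):
        result = validate_csv(text)
        print(label, "errors:", *result["errors"], sep="\n  ")
```

Pass the names already shown in the device tree as existing_names; without that set, the validator cannot tell an add file from an update file and only checks syntax and values.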
Maintain devices
This topic includes maintenance procedures administrators may need to perform
periodically for devices managed by AFA.
Tip: AFA also supports updating multiple devices in bulk using a CSV file. For more
details, see Add/update multiple devices in bulk.
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
2. From the tree on the left, select the device whose configuration you want to edit,
and then click Edit.
Rename a device
By default, the device's display name, used to identify the device throughout AFA, is the
device's host name. This procedure describes how to change this display name.
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
2. From the tree on the left, select the device you want to rename, and then click
Rename.
3. In the Rename .... dialog, enter the new name and click OK.
For parent devices, the AFA configuration enables you to define additional device
identifiers when you add or edit the device. This procedure describes how to specify
identifiers for subsystems, such as VSYS, VDOM, and so on, as well as for devices
managed by a management system such as Juniper NSM or Palo Alto Panorama.
Tip: AFA also enables you to configure device identifiers for parent devices and sub-
systems in bulk via CSV. For more details, see Add/update multiple devices in bulk.
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
2. From the tree on the left, select the device or sub-system you want to add
identifiers to.
3. In the Edit.... dialog, in the Log Collection area, enter any additional IP addresses
or host names that identify the device.
Note: The Log Collection area appears only when log collection is supported for
the device and relevant to the sub-system.
4. Click OK. The additional identifiers are added to the sub-system's definition.
Delete a device
This procedure describes how to delete a device from AFA, such as if it is no longer in
use, or needs to be updated in a way that requires you to remove it and add it back
again.
Do the following:
1. Before deleting a device from AFA, we recommend that you download all AFA
reports for the device to back up the device's historical data.
2. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
3. From the tree on the left, select the device you want to delete, and then click
Delete.
4. In the verification message that appears, confirm that you do want to delete the
device, and then click OK.
Note: This procedure is not supported for devices configured with CyberArk
authentication. For details, see Integrate AFA and CyberArk.
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
2. On the right, click Bulk and select Update password from the dropdown menu.
3. In the Bulk Update Passwords dialog, select the devices you want to update the
password for.
If you have many devices listed, do any of the following to help you locate your
device:
Navigate across pages: Click Previous or Next below the grid to navigate back and
forth.
Sort the grid: Click a column header to sort the devices shown.
Filter the grid: Click in each column header to filter the grid by that column.
4. In the New password field, type the new password to use on all selected devices.
5. To get additional permissions for Cisco devices, select the Enable user password
(Cisco Only) check box and type in another password.
6. Click Update.
7. In the Confirm Password dialog, confirm the password(s) you just updated, and
then click Confirm.
AFA administrators can change the device's routing and topology data by editing the
URT file and uploading it to AFA. Uploaded URT files are static representations of the
device's routing information. For these devices, AFA will not regenerate updated URT
files automatically.
Note: Since AFA doesn't automatically regenerate the URT files if you've uploaded
edits, you must manually update the file again for any configuration changes made
on the device.
This procedure does not affect URT files and data for sub-devices.
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
2. From the tree on the left, select the device you want to edit, and then click Edit on
the right.
3. On the device configuration page, in the Route Collection area, select Static
Routing Table (URT).
• If you already have a URT defined that you want to edit, click Download current
URT file.
4. Edit the file with the routing information you want to import. For more details, see
How to manually specify routing information for Cisco Layer 2 devices in AlgoPedia.
5. In AFA, click Upload new file, and select your edited file.
AFA validates your file, and notifies you if any syntax or content error is found.
The new routing table will take effect after the next device analysis.
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
2. From the tree on the left, select the sub-device or sub-system you want to edit, and
then click Edit on the right.
3. In the Edit .... dialog that appears, in the Route Collection area, select Static
Routing Table (URT).
• If you already have a URT defined that you want to edit, click Download current
URT file.
4. Edit the file with the routing information you want to import. For more details, see
How to manually specify routing information for Cisco Layer 2 devices in AlgoPedia.
5. In AFA, click Upload new file, and select your edited file.
AFA validates your file, and notifies you if any syntax or content error is found.
The new routing table will take effect after the next device analysis.
Do the following:
1. In AFA, view the graphic network map. Click DEVICES, select a device, and then
click MAP.
2. Locate and right-click the device you want to edit, and select Routing Information.
The Routing information dialog shows the current URT file. For example:
3. Under the file content, click Static Routing Table (URT), and then do one of the
following:
• If you already have a URT defined that you want to edit, click Download current
URT file.
4. Edit the file with the routing information you want to import. For more details, see
How to manually specify routing information for Cisco Layer 2 devices in AlgoPedia.
5. In AFA, click Upload new file, and select your edited file.
AFA validates your file, and notifies you if any syntax or content error is found.
The new routing table will take effect after the next device analysis.
ASMS supports configuring CyberArk credentials for multiple devices in AFA, becoming
more valuable as the number of devices you have in AFA grows.
Note: When integrating with AFA, credentials for syslog collection still need to be
provided separately to AFA.
• A Central Manager with one or more hosts in different geographic locations near
each target security device
The CyberArk AIM agent must be installed on each of the ASMS machines, as each
ASMS machine will need to connect to the devices it manages, and requires CyberArk
credentials to do so.
• Fortinet FortiManager
• Juniper Netscreen
• Cisco ASA
• Cisco Nexus
• Cisco IOS
Note: For details about supported versions of CyberArk, contact your AlgoSec
customer representative.
Do the following:
2. Enable the Allow extended authentication restrictions option for the AlgoSec
application you created. This enables you to specify an unlimited number of
machines and Windows domain OS users for a single application.
3. Specify the application's Allowed Machines, and include any of your ASMS
machines. This ensures that ASMS can access credentials managed by CyberArk
from any machine in your system.
Do the following:
1. In the CyberArk Password Safe, provision any privileged accounts required by the
AlgoSec application. For each account, make sure to add the Add accounts
permission.
2. Add the Credential Provider and application users as members of the Password
Safes where the application passwords are stored.
3. Add the Provider users as a Safe Member, with the following permissions:
• List accounts
• Retrieve accounts
4. Add the application, using the APPID, as a Safe Member with the Retrieve
accounts permission only.
5. Additionally, provide the Provider user and the application with the Access Safe
without Confirmation permission, if your scenario complies with all of the
following:
This is not required for Privileged Account Security solutions versions 8.0 and
higher.
Do the following:
1. Complete the integration configuration on the CyberArk side. For details, see:
3. Scroll down to the CyberArk area, and select the Allow to setup devices with
CyberArk credentials management checkbox.
4. (Optional) Define default values for all devices authenticated via CyberArk, as
follows:
From now on, CyberArk options will appear in the DEVICES SETUP page for all
relevant device brands.
7. Configure the specific devices you want to authenticate via CyberArk, either one at
a time or in bulk.
8. Configure the CyberArk Application Access Manager (AAM) agent on all ASMS
hosts and configure it to communicate with the CyberArk vault. If you're working in
a distributed environment, make sure to configure the AIM agent on all hosts in
your system, including the Central Manager, Remote Agents, secondary nodes of
all clusters, and so on.
Note: Since these are static files and not live devices, configuration changes such as
dynamic route updates only appear in AFA when you update the file again.
Additionally, AFA cannot track changes in real-time, or track who may have made
each change on the device. Updates are represented only in reports generated after
the update.
This may not always be possible, and you may want to analyze devices in a different
location, or on a network that you are not able to connect to directly.
Additionally, you may have L3 devices where this data is already collected by an
existing toolset.
Note: We recommend that customers ensure that AFA has the most recent device
data possible, which helps to provide network map completeness and traffic
simulation accuracy.
Complete device data typically involves analyzing your core and distribution layer
routing infrastructure as well as firewalls.
Each device type has a recommended method, described in the table below.
Note: These procedures are documented in our Alternate data collection method
documentation, on the AlgoSec portal. Use your portal credentials to access them.
Access semi-automatic data collection scripts from the AlgoSec portal. For details, see
Semi-automatic data collection scripts.
Depending on your system configuration, device files can also be obtained as follows:
Use a recent AFA report: If you have a live device on another ASMS system, retrieve
the full device configuration file from the latest AFA report.
For example, you may want to do this when adding a device that already exists in a
production system to a testing system as well.
For more details, see Access log and configuration files.
Tip: If your device is supported only as EA, make sure that the device support is
enabled as needed in both your production and testing environments. For details,
see Extend device support.
Create a JSON file manually: If you do not have another device to collect the data
from, create the file manually.
For details, see Static support for generic devices.
Note: AFA does not currently support manual data collection from monitoring
devices.
Do the following:
1. In AFA, access the Devices Setup page. For details, see Access the
DEVICES SETUP page.
2. In the vendor and device selection page, click Device from File on the right.
4. Select the file you want to analyze by selecting one of the following:
Upload new: Upload a file from your computer. Browse to and select your file. File size
must not exceed 20 MB. For larger files, copy the file to the /home/afa/algosec/fwfiles
directory, and use the Existing on server option. For more details, see Recommended
device data collection per device type.
5. Define how AFA should acquire the device's routing information. Select one of the
following:
Static Routing Table (URT): Take the device's routing information from a static file you
provide. For more details, see Specify routing data manually.
7. Select Set user permissions to set user permissions for this device.
9. If you selected Set user permissions, the Edit users dialog box appears.
In the list of users displayed, select one or more users to provide access to reports
for this account.
A success message appears to confirm that the device is added. The device is now
shown in the device tree in AFA, and will be included in the ALL_FIREWALLS analysis
reports.
Do the following:
1. Place any collected device data files in the following directory on the AFA server:
/home/afa/algosec/fwfiles/
For more details, see Recommended device data collection per device type.
name: The device's display name, used in the device tree and all other locations around
ASMS.
path_name: The location of the device file on the AFA machine, in the
/home/afa/algosec/fwfiles directory.
For example:
MYROUTER /home/afa/algosec/fwfiles/MyRouter.rd no
MYNEXUS /home/afa/algosec/fwfiles/MyNexus.nexus no
Save the CSV file in the /home/afa/algosec/fwfiles/ directory on the AFA server.
where <CSV filename> is the name of the CSV file you saved in the previous
step.
When complete, all devices listed in the CSV file are shown in the device tree in AFA,
and will be included in the ALL_FIREWALLS analysis reports.
These scripts use the same commands for copying files and creating directories as are
listed in the manual data collection procedures.
Do the following:
2. Download the scripts for your device type. Open the files to inspect the scripts as
needed.
If you copy the Firewall-1 Unix data collection script (ckp_collect) from a Windows PC to
a Sun, Nokia, SecurePlatform, Alteon, or Linux platform, ensure that any carriage
returns (^M) added by the Windows system are removed on the target platform.
Copy the ckp_collect.z to a Check Point SmartCenter server running on Sun Solaris,
SecurePlatform, or Linux.
The ckp_collect and ckp_log_collect files are created, and the compressed ckp_
collect.z file is deleted.
ASMS provides the option to enable device support for new devices or to enable
additional support for devices supported out of the box.
To enable additional device support utilizing an early availability feature, see Early
availability features.
To enable support for Huawei devices, install the Huawei-provided plug-in using the
information in this AlgoPedia article.
Note: When using this option, updating the device's policy requires updating and
replacing the file in AFA (either manually or with a script you provide). Real-time
change monitoring is not supported, but the Changes tab in reports will reflect
changes that are detected by an analysis (as the result of the file being updated).
Note: This device type has a few limitations, due to its static nature. Baseline
compliance analysis is not supported. Log collection is not supported, so none of the
features which require traffic or audit logs are supported, such as policy optimization
recommendations or information about who made a change to the device or when a
change was made. Although these devices are supported for FireFlow, they are not
supported for ActiveChange.
- Policy-Based. One set of rules per device across all of its interfaces. For example,
Check Point devices.
- Interface-based. One set of rules per interface. For example, Cisco devices.
- Zone-Based. Each policy rule is defined using a source zone and destination
zone. For example, Fortinet devices managed by FortiManager.
Note: Static support is available only for traditional security devices and is not
relevant for other sources, such as SDN and cloud.
1. Create a JSON file which contains the necessary device configuration items. For
details, see Creating the JSON File.
2. Upload the JSON file to AlgoSec Firewall Analyzer as a file device. See Add other
devices and routing elements.
Note: Updating the device's policy requires manually updating and replacing the file
in AFA. If desired, you can write your own script to automatically update the file in the
/home/afa/algosec/fwfiles directory.
2. Create your own configuration file according to the template. See Tag list and Tag
Reference.
Note: If the device is a layer 2 device, you must specify this in the device (see
device) tag. For zone based devices, AFA automatically converts the device's
topology into layer 3 terminology using a heuristic based on the device's policy.
For all other device types, you must provide the device's topology in layer 3
terminology by manually editing the device's URT file. For more details, see
Specify routing data manually.
Note: Any rules with NAT must be defined separately from non-NAT rules in
the configuration.
4. As user afa, run the JSON validator to verify the JSON file is valid:
su - afa
curl --si '127.0.0.1:8080/afa/configParser/validateFile?path=<full path to JSON fil
Tag list
Tag Description
config_type The policy model.
device The definition of the device.
hosts The host name.
hosts_groups The host group name.
interfaces The interface name.
services The service name.
services_groups The service group name.
policies The rule name.
rules_groups The rules group name. (optional)
nat_rules The rule name.
global_nat_rules The global NAT rule name
nat_objects The NAT object name.
nat_objects_groups The NAT object group name.
nat_pools The NAT pool name.
zones The zone name. (optional)
routes The route's ID.
schedules The schedule name. (optional)
See also:
- Tag Reference
- Sample generic device JSON file
- Static support troubleshooting
Tag Reference
Note: In order for the file to function as intended, any special characters used in a
string must be escaped with a \.
For comprehensive examples, see Generic Device JSON File Examples (see Sample
generic device JSON file).
config_type
One of the following values:
- POLICY_BASED: One set of rules per device across all of its interfaces. For
example, Check Point devices.
- INTERFACES_BASED: One set of rules per interface. For example, Cisco devices.
- HOST_BASED: Device policy refers to the host itself (source or destination is "Me").
For example, Amazon AWS devices.
- ZONE_BASED: Each policy rule is defined using a source zone and destination zone.
For example, Fortinet devices managed by FortiManager.
device
Parameter Description
name Device name.
major_version Device major version (first number before first dot).
version Device version.
minor_version Device minor version (last number of whole version).
policy Policy name (optional).
is_layer2 1 or 0. Indicates whether the device is a layer 2 device.
hosts
Parameter Description
name Host name.
type PREDEFINED/ANY/IP_ADDRESS/IP_RANGE/DOMAIN/SUBNET/IPS_LIST
hosts_groups
Parameter Description
type GROUP
interfaces
Parameter Description
services
Parameter Description
Type ANY/TCP/UDP/ICMP/TCP_UDP
services_groups
Parameter Description
name Service group name.
type GROUP
policies
Parameter Description
rule_name Rule's name as it appears in the configuration.
comments Rule's comment. (optional)
log 0/1
enable Enabled/disabled.
action ALLOW/DENY
bi-directional 0/1 (optional). Relevant for static NAT, for example MIP in NetScreen.
rules_groups
(optional)
Parameter Description
name Rules group name.
enable Enabled/Disabled.
comments Rules group comment, if there is one (optional).
nat_rules
Parameter Description
rule_name Rule's name as it appears in the configuration (without
canonization).
direction Inbound/outbound (optional).
log 0/1
enable Enabled/disabled.
dst_negate 0/1 (optional)
action ALLOW/DENY
zones
(optional)
Parameter Description
name Zone name.
routes
Parameter Description
id Route's ID.
schedules
(optional)
Parameter Description
name Schedule name.
Confirm the issue: Confirm the problem by searching the failed analysis's error log file
for the following errors:
Solution: Identify the problem in the JSON file and fix it.
Do the following:
su - afa
2. Run:
3. View the validation results and error messages in the file ValidationLogs.txt file.
This file will be in the same directory as the JSON file.
Example
After the analysis failed, search the failed analysis's error logs for the following:
You validate the JSON file (as described in the solution above). The following error
message appears in the ValidationLogs.txt file:
With this information, you recognize that on line 6847 there is a missing quotation mark:
"src" : [
a_ext_10.10.110.88"
],
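A structural pre-check for a generic-device JSON file, added here as an example (it is not AlgoSec's validator and does not replace the validator call above): it applies the tag names and value sets from the Tag Reference and, on a syntax error, reports the line and column the way the ValidationLogs.txt message above located line 6847. The shape of each tag as a list of objects with a name parameter, and config_type and device being the only mandatory tags, are assumptions of this example; both sample files are constructed.

```python
"""Structural pre-check for an AFA generic-device JSON file (added example)."""
import json

# Tag names and enumerated values as listed in the Tag list / Tag Reference.
KNOWN_TAGS = {
    "config_type", "device", "hosts", "hosts_groups", "interfaces", "services",
    "services_groups", "policies", "rules_groups", "nat_rules", "global_nat_rules",
    "nat_objects", "nat_objects_groups", "nat_pools", "zones", "routes", "schedules",
}
CONFIG_TYPES = {"POLICY_BASED", "INTERFACES_BASED", "HOST_BASED", "ZONE_BASED"}
HOST_TYPES = {"PREDEFINED", "ANY", "IP_ADDRESS", "IP_RANGE", "DOMAIN", "SUBNET", "IPS_LIST"}
SERVICE_TYPES = {"ANY", "TCP", "UDP", "ICMP", "TCP_UDP"}
ACTIONS = {"ALLOW", "DENY"}

# Constructed sample: a minimal, well-formed file.
GOOD_SAMPLE = """\
{
  "config_type": "POLICY_BASED",
  "device": {"name": "MyRouter", "version": "6.2.1", "major_version": 6,
             "minor_version": 1, "is_layer2": 0},
  "hosts": [{"name": "a_ext_10.10.110.88", "type": "IP_ADDRESS"}],
  "services": [{"name": "ssh", "type": "TCP"}],
  "policies": [{"rule_name": "1", "src": ["a_ext_10.10.110.88"],
                "action": "ALLOW", "log": 1, "enable": 1}]
}
"""

# Constructed sample reproducing the troubleshooting case: a missing opening
# quotation mark in the src list (here on line 6 instead of line 6847).
BAD_SAMPLE = """\
{
  "config_type": "POLICY_BASED",
  "device": {"name": "MyRouter", "is_layer2": 0},
  "policies": [{"rule_name": "1",
    "src" : [
      a_ext_10.10.110.88"
    ],
    "action": "ALLOW"}]
}
"""


def parse_with_location(text):
    """Return (document, None), or (None, 'line L, column C: reason') on a syntax error."""
    try:
        return json.loads(text), None
    except json.JSONDecodeError as exc:
        return None, f"line {exc.lineno}, column {exc.colno}: {exc.msg}"


def _check_enum(problems, where, value, allowed, field):
    if value not in allowed:
        problems.append(f"{where}: {field} is {value!r}, expected one of {sorted(allowed)}")


def validate(doc):
    """Check tag names and enumerated values; return a list of problem strings."""
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    problems = []
    for tag in sorted(set(doc) - KNOWN_TAGS):
        problems.append(f"unknown top-level tag {tag!r}")
    for tag in ("config_type", "device"):        # mandatory tags: this example's assumption
        if tag not in doc:
            problems.append(f"missing tag {tag!r}")
    if "config_type" in doc:
        _check_enum(problems, "config_type", doc["config_type"], CONFIG_TYPES, "value")
    device = doc.get("device", {})
    if "name" not in device:
        problems.append("device: name is required")
    if device.get("is_layer2", 0) not in (0, 1):
        problems.append("device: is_layer2 must be 0 or 1")
    for host in doc.get("hosts", []):
        _check_enum(problems, f"hosts/{host.get('name')}", host.get("type"), HOST_TYPES, "type")
    for svc in doc.get("services", []):
        _check_enum(problems, f"services/{svc.get('name')}", svc.get("type"), SERVICE_TYPES, "type")
    for tag in ("policies", "nat_rules"):       # NAT rules live in their own tag
        for rule in doc.get(tag, []):
            where = f"{tag}/{rule.get('rule_name', '?')}"
            if "rule_name" not in rule:
                problems.append(f"{where}: rule_name is required")
            _check_enum(problems, where, rule.get("action"), ACTIONS, "action")
            if rule.get("log", 0) not in (0, 1):
                problems.append(f"{where}: log must be 0 or 1")
    return problems


def check_file(text):
    """Syntax first, then structure: an empty list means the file looks sound."""
    doc, err = parse_with_location(text)
    if err:
        return [f"JSON syntax error at {err}"]
    return validate(doc)


if __name__ == "__main__":
    for name, text in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(name, check_file(text) or "OK")
```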
Note: Reports generated for these devices include device change information
and baseline configuration compliance results only.
1. Specify the method for collecting data. For details, see Create data collection files
for a generic device.
2. Install the new brand. For details, see Install the new brand.
3. Add the device to AFA. For details, see Add the device to AFA.
Note: AFA can connect to the device via SSH or REST, depending on the APIs
supported by the device.
Do the following:
1. Open a terminal and log in using the username "afa" and the related password.
3. Edit the tags as needed. For details, see Monitoring support tag reference.
To enable SNMP support, make sure to specify the relevant tags. See Collect
routing information via SNMP.
4. Create the following graphics files of an icon that represents the device brand,
where <brand_id> is the Id you defined in the DEVICE tag of the brand_
config.xml file:
1. Open a terminal and log in using the username "afa" and the related password.
3. Place the brand_config.xml file and all the icon files into the new directory.
5. If you are logged into the ASMS web interface, logout and then log back in.
The new device will now appear as an option in the web interface when adding a
new device to AFA.
2. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
6. Click Finish.
7. If you selected Set user permissions, the Edit users dialog box appears.
8. Set which users will have access to the reports produced by the device, by doing
the following:
To select multiple users, hold down the Ctrl key while clicking on the desired
users.
b. Click OK.
9. Click OK.
Do the following:
Tag syntax
Tag syntax is presented as follows:
DEVICE
Syntax
Description
This is the main tag for the device, and it identifies the device.
Parameters
Subtags
- FORM_FIELD
- CONNECTION_CMD
- DATA_COLLECTION
- DIFF
- EXCLUDE
- ROUTING
- FEATURES
Example
In the following example, the device name FortiGate will appear throughout the Web
interface, while the title Fortinet - FortiGate will appear in the list of device types only.
FORM_FIELD
Syntax
Description
By default, when adding or modifying a device in the Web interface, AFA provides fields
for host name, user name, and password. This tag specifies additional fields that should
appear for the new device.
Parameters
title String. The label representing the field in the Web interface.
type String. The field's type. This can have the following values:
- text. The user must input free text in this field.
- password. The user must input a password in this field.
The default value is text.
Subtags
None.
Example
In the following example, a field called "Virtual Domain" was added for the device. The
field type was not specified and is therefore "text".
CONNECTION_CMD
Syntax
Description
By default, when adding or modifying a device in the Web interface, the Remote
Management Capabilities area includes the following connection options: SSH and
Telnet. You can use this tag to add additional options.
Parameters
%user_name%
%host_name%
title String. The label representing the connection option in the Web interface.
Subtags
None.
Example
In the following example, the connection option SSH is defined.
DATA_COLLECTION
Syntax
Description
This tag specifies device prompts that AFA will encounter when connecting to the
device.
Parameters
prompt String. The basic device prompt that appears when the AFA automatic data
collection client connects to the device. This is a regular expression.
more_prompt String. The device prompt that appears when there is additional data that is
not currently displayed. This is a regular expression.
This parameter is optional.
Subtags
- LOGIN_PROMPT
- POST_LOGIN_PROMPT
- COMMANDS_SEQUENCE
- EXIT_COMMAND
Example
LOGIN_PROMPT
Syntax
Description
This tag specifies the device prompt that AFA will encounter after successfully
connecting to the device. Usually, this prompt relates to logging in to the device, for
example a request for a password.
Parameters
prompt String. A regular expression that describes the device prompt that appears
after the AFA automatic data collection client has connected to the device.
This regular expression should match the device prompt (e.g.
"user1@device1 #") as tightly as possible.
response String. The command or string that the AFA automatic data collection
client should send after receiving the prompt.
try_again String. Indicates whether, after receiving the device prompt specified by
the prompt parameter, the AFA automatic data collection client should attempt to
log in again or continue to wait for the basic login prompt. This can have the
following values:
- yes. Attempt to log in again.
- no. Do not attempt to log in again. Instead, wait for the device prompt
specified by the prompt parameter.
Subtags
None.
Example
In the following example, upon receiving the "yes/no?" prompt, the AFA automatic data
collection client will send the response "yes" and then attempt to log in again.
POST_LOGIN_PROMPT
Syntax
Description
This tag specifies device prompts that AFA will encounter after successfully logging in
to the device.
Parameters
prompt String. The device prompt that appears after the AFA automatic data
collection client has logged in to the device. This is a regular expression.
response String. The command or string that the AFA automatic data collection
client should send after receiving the prompt.
Subtags
None.
Example
COMMANDS_SEQUENCE
Syntax
COMMANDS_SEQUENCE
Description
This tag specifies the sequence of commands that AFA should use during data
collection.
Parameters
None.
Subtags
- CMD
- CMD_VIRT
CMD
Syntax
Description
This tag specifies a command that AFA should use during data collection.
Parameters
command String. The connection command that the AFA automatic data collection
client should send to the device.
This may include the following parameters from the file firewall_
data.xml:
%user_name%
%host_name%
save_output String. Indicates whether the result of the command should be added to
the output device configuration file. This can have the following values:
- yes. Add the result of the command to the output device
configuration file.
- no. Do not add the result of the command to the output device
configuration file.
condition String. The name of an attribute defined in the FORM_FIELD tag, which if
assigned a value (i.e., the parameter is not empty), should cause the AFA
automatic data collection client to send this command. This can have the
following values:
- The name of any attribute added in the FORM_FIELD tag.
- FW_VIRT. Run the command only if the device has a virtual
system.
prompt String. The device prompt that will appear after the AFA automatic data
collection client has sent this command.
This is a regular expression and may include the following parameters
from the file firewall_data.xml:
- %attribute%. An attribute, where attribute represents the attribute's
name.
%password%
%user_name%
%host_name%
Note: By default, the AFA automatic data collection client will expect to
receive the last defined prompt (the one specified in the preceding
DEVICE, CMD or LOGIN tag).
Subtags
None.
Example
In the following example, the enable command will run only if the device configuration
file includes an enable attribute that is not empty. The result of the command will not be
saved.
CMD_VIRT
Syntax
Description
This tag specifies a command that AFA should use during data collection on a virtual
system.
Parameters
command String. The connection command that the AFA automatic data collection
client should send to the device.
This may include the following parameters from the file firewall_
data.xml:
%user_name%
%host_name%
save_output String. Indicates whether the result of the command should be added to
the output device configuration file. This can have the following values:
- yes. Add the result of the command to the output device
configuration file.
- no. Do not add the result of the command to the output device
configuration file.
condition String. The name of an attribute defined in the FORM_FIELD tag, which if
assigned a value (i.e., the parameter is not empty), should cause the AFA
automatic data collection client to send this command. This can have the
following values:
- The name of any attribute added in the FORM_FIELD tag.
- FW_VIRT. Run the command only if the device has a virtual
system.
prompt String. The device prompt that will appear after the AFA automatic data
collection client has sent this command.
This is a regular expression and may include the following parameters
from the file firewall_data.xml:
- %attribute%. An attribute, where attribute represents the attribute's
name.
%password%
%user_name%
%host_name%
Note: By default, the AFA automatic data collection client will expect to
receive the last defined prompt (the one specified in the preceding
DEVICE, CMD or LOGIN tag).
Subtags
None.
Example
In the following example, the end command will run only if the device configuration file
includes a vdom attribute that is not empty. The result of the command will not be saved.
EXIT_COMMAND
Syntax
EXIT_COMMAND command="command"
Description
This tag specifies the command that AFA should use to end the connection to the
device.
Parameters
command String. The command that the AFA automatic data collection client
should send, in order to end the connection.
Subtags
None.
Example
In the following example, the command is "exit".
EXIT_COMMAND command="exit"
DIFF
Syntax
DIFF context_lines="contextLines"
Description
When real-time monitoring and alerting is enabled, specified users receive e-mails upon
changes to monitored devices, and the changes are displayed in the Web interface's
Changes tab. This tag specifies the number of lines before and after a change to display
in e-mails and in the Web interface's Changes tab. The lines surrounding a change
represent the change's context.
Parameters
contextLines Integer. The number of lines to show before and after a change.
The default value is 3.
Subtags
None.
Example
In the following example, the 5 lines before and after a change will be displayed.
DIFF context_lines="5"
EXCLUDE
Syntax
Description
When real-time monitoring is enabled, AFA periodically checks whether the device
configuration has changed. You can use this tag to exclude certain lines in the device
configuration from monitoring.
For example, the current date and other counters change frequently, yet do not
represent an actual change to the device configuration. To prevent changes to
such lines from repeatedly being interpreted as device configuration changes and
reported via e-mail and the Web interface's Changes tab, you can exclude these lines
from monitoring.
Parameters
line_before Integer. The number of lines preceding the string specified in regex,
including the line in which the string appears, that should be excluded from
monitoring.
lines_after Integer. The number of lines following the string specified in regex,
including the line in which the string appears, that should be excluded from monitoring.
inline String. Indicates whether the whole line (or any whole lines before or after) or
only the part of the line that matches the regular expression is excluded. This
can have the following values:
- yes. Exclude only the part of the line that matches the regular
expression.
- no. Exclude the whole line (or any lines before or after).
Subtags
None.
Example
In the following example, when checking the device configuration for changes, AFA will
exclude 30 lines starting from the string "set private-key".
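A model of how the EXCLUDE and DIFF parameters shape what change monitoring reports, added here as an example (not AFA's monitoring code): it removes excluded regions from two configuration snapshots and then diffs them with the DIFF context_lines value, so re-encrypted key material and a moving uptime counter never surface as a change while a real policy edit does. The FortiGate-style snapshots and the exclude list are constructed; lines_after is 3 here instead of the 30 used above, and a default of 1 for line_before and lines_after is an assumption of this example.

```python
"""Model of the EXCLUDE and DIFF tag semantics for real-time monitoring (added example)."""
import difflib
import re

# Constructed FortiGate-style snapshot; the key blobs are placeholders.
OLD_SNAPSHOT = """\
config system global
    set hostname "fw-edge-1"
end
config system certificate local
    edit "Fortinet_Factory"
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
<constructed-key-blob-1>
-----END ENCRYPTED PRIVATE KEY-----"
    next
end
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set action accept
    next
end
# Uptime: 12 days, 4:01:33
""".splitlines()

# Same device one poll later: key re-encrypted, uptime moved on, and one real change.
NEW_SNAPSHOT = [
    line.replace("<constructed-key-blob-1>", "<constructed-key-blob-2>")
        .replace("12 days, 4:01:33", "13 days, 4:02:10")
    for line in OLD_SNAPSHOT
]
NEW_SNAPSHOT.insert(NEW_SNAPSHOT.index("        set action accept") + 1,
                    "        set logtraffic all")

# Mirrors the EXCLUDE parameters: 3 lines from "set private-key" (the guide's
# own example uses 30) and only the counter part of the uptime line.
EXCLUDES = [
    {"regex": r"set private-key", "line_before": 1, "lines_after": 3, "inline": "no"},
    {"regex": r"\d+ days, \d+:\d+:\d+", "inline": "yes"},
]


def apply_excludes(lines, excludes):
    """Drop or mask the regions an EXCLUDE list covers.

    line_before and lines_after both count the matching line itself, as the
    Tag Reference states; a default of 1 for each is this example's assumption.
    inline="yes" masks only the matched text, inline="no" removes whole lines.
    """
    kept = list(lines)
    for ex in excludes:
        pattern = re.compile(ex["regex"])
        before = int(ex.get("line_before", 1))
        after = int(ex.get("lines_after", 1))
        inline = ex.get("inline", "no") == "yes"
        for i, line in enumerate(lines):
            match = pattern.search(line)
            if match is None:
                continue
            if inline:
                if kept[i] is not None:
                    kept[i] = kept[i].replace(match.group(0), "<excluded>", 1)
            else:
                start = max(0, i - before + 1)
                stop = min(len(lines), i + after)
                for j in range(start, stop):
                    kept[j] = None
    return [line for line in kept if line is not None]


def monitored_diff(old, new, excludes, context_lines=3):
    """Unified diff of two snapshots after exclusion; context_lines mirrors DIFF."""
    return list(difflib.unified_diff(apply_excludes(old, excludes),
                                     apply_excludes(new, excludes),
                                     "previous", "current",
                                     n=context_lines, lineterm=""))


def changed_lines(diff):
    """Only the added/removed lines of a unified diff, without the file headers."""
    return [line for line in diff
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]


if __name__ == "__main__":
    print("\n".join(monitored_diff(OLD_SNAPSHOT, NEW_SNAPSHOT, EXCLUDES, 5)))
```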
ROUTING
Syntax
ROUTING script="script"
Description
This tag specifies a script that should be used to analyze the device's routing table.
Parameters
script String. The name of the script to use for creating a routing table.
Subtags
None.
Example
In the following example, the script forti2urt.pl is specified.
ROUTING script="forti2urt.pl"
FEATURES
Syntax
FEATURES
Description
This tag specifies features that are supported for the device.
Note: By default, only real-time monitoring is supported for the device. To add more
features, contact AlgoSec.
Parameters
None.
Subtags
- FEATURE
FEATURE
Syntax
Description
This tag specifies a feature that is supported for the device.
Parameters
script String. The name of the script to use to run the feature.
Subtags
None.
Example
In the following example, the topology feature is supported for the device.
ASMS's Early Availability features enable you to access new functionality and support
earlier than general availability in hopes that customers provide feedback on the design
and implementation. Early Availability features have shorter QA cycles and therefore are
disabled by default.
Warning: We recommend that you do not keep Early Availability features in use in
production. Either enable only in testing systems, or disable them in production
systems when returning to general use.
- Support does not include any AppViz features that rely on FireFlow
- Network connectivity
- Device permissions
Network connectivity
The following diagram shows an ASMS Central Manager or Remote Agent connecting
to a Cisco ISE device.
Device permissions
ASMS connects to Cisco ISE devices via the Admin Node, using the ERS API.
To do so, ASMS requires an Administrator user with Read/Write permissions and the
ERS-Operator group assignment.
2. Click Add to add a new configuration parameter, and enter the following details:
Name AlgoSec_EA_CISCOISE
3. Click OK.
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
2. In the vendor and device selection page, select Cisco > CISCO ISE.
Access Information
Geographic Distribution
Select the remote agent that should perform data collection for the device.
Options
Set user permissions: Select this option to set user permissions for this device.
5. If you selected Set user permissions, the Edit users dialog box appears.
In the list of users displayed, select one or more users to provide access to reports
for this account.
- Network connectivity
- Device permissions
Network connectivity
The following image shows an ASMS Central Manager or Remote Agent connected to
an Arista device over HTTPS-REST.
Device permissions
To analyze Arista devices, ASMS connects to Arista EOS devices using the REST-
based eAPI, ensuring high performance and efficient data collection.
ASMS requires a user with Read permissions, and a REST connection over port 443.
The user must also have permissions to run the following commands via API Explorer:
- show version
- show interfaces
- show ip interfaces
If the REST eAPI is not yet enabled, run the following using the Arista CLI:
Do the following:
Name ALGOSEC_EA_ARISTA
For more details, see Advanced Configuration. Continue with Add an Arista device to
AFA.
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
User Name Enter the username to use when accessing the device.
Note: In the Geographic Distribution area, you must select Central Manager.
4. Click Next, and then select the managed devices you want to add to AFA.
Set user permissions: Select this option to set user permissions for this device.
7. If you selected Set user permissions, the Edit users dialog box appears.
In the list of users displayed, select one or more users to provide access to reports
for this account.
internal routing information. Advanced graphic network map support for Azure devices is
available as an early availability feature. Early availability features may be limited in
their scope and have undergone a shortened testing cycle. They are disabled by
default.
When advanced graphic network map support for Azure devices is enabled, the internal
routing information is available to traffic simulation queries and the following network
elements appear in the graphic network map: VNet routers, VNet peerings, and internet
gateways. The subnets coming off the VNet routers include the containers.
Note: AFA does not currently support the use of a Geographical Distribution Remote
Agent to manage this device.
2. Select Administration.
4. Click Add.
7. Click OK.
When ActiveChange for Azure is enabled, you can add and remove rules from the
policy directly from FireFlow. Note that you cannot create new objects; you are limited to
using existing objects. The work order will never recommend creating new objects
regardless of whether ActiveChange is enabled.
Note: The following procedure enables ActiveChange for Azure in the ASMS, but
does not automatically enable ActiveChange for specific Azure subscriptions. In
order to enable ActiveChange for a specific Azure subscription, you must select the
Enable ActiveChange checkbox when defining the Azure in AFA.
Note: AFA does not currently support the use of a Geographical Distribution Remote
Agent to manage this device.
2. Select Administration.
4. Click Add.
7. Click OK.
AFA represents layers with layer specific columns and action values. In the policy tab,
each layer is grouped by headings.
Before enabling this feature, AFA supports only the global policy layer and the domain-
level first ordered layer. Inline layers and rules in a second (or more) domain-level
ordered layer are ignored, and rules with an action that calls an inline layer are treated
as allow rules. All early availability features are disabled by default.
Note: Additional layer support is not extended to policy optimization, risk analysis, or
traffic simulation queries. For these functionalities, rules in a second (or later)
domain-level ordered layer are ignored, and rules with an action that calls an inline
layer are treated as allow rules.
When early availability support is enabled, FireFlow and AppViz are not supported
for Check Point R80 devices with policies with inline layer rules or rules implied from
the 2nd and beyond ordered layers.
If you are using ActiveChange for Check Point devices, we recommend that you do
not enable this feature on your production environment.
1. In the toolbar, click your username and select Administration to access the AFA
Administration area.
Name AlgoSec_EA_CKP_R80_Layers
5. Click OK.
Tip: If you add a Check Point R80 device from a configuration file based on a recent
report to an AFA system with this flag enabled, make sure that the configuration file is
also generated from an AFA system with this flag enabled.
For more details, see Add other devices and routing elements.
Manage groups
This section describes how to configure device groups in AFA.
- Produce an additional high-level report that aggregates the reports of all the
member devices, so that you have a bird's-eye view of your group-wide risk
exposure.
For information on defining sets of devices, in which information about the relationships
between the member devices is provided, see Managing Matrices (see Manage
matrices).
Note: In a Geographic Distribution architecture, groups may contain devices that are
managed by different remote agents.
Add groups
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
You can search for devices by typing the full or partial name of a device into the
box.
You can browse the list by clicking Previous or Next below the list. Additionally,
you can see more devices on the same page by expanding the size of the dialog
box by pulling the bottom corner. You can filter the devices by Device, Brand and
Group by clicking beside the column title.
5. To remove members from the group, clear the device's check box.
6. Click Create.
7. Click OK.
Edit groups
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
You can search for devices by typing the full or partial name of a device into the
box.
You can browse the list by clicking Previous or Next below the list. Additionally,
you can see more devices on the same page by expanding the size of the dialog
box by pulling the bottom corner. You can filter the devices by Device, Brand and
Group by clicking beside the column title.
4. To remove members from the group, clear the device's check box.
5. Click Update.
6. Click OK.
Rename groups
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
2. Select the desired group from the tree and click Rename.
4. Click OK.
5. Click OK.
Delete groups
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
3. Click OK.
4. Click OK.
Manage matrices
This section describes how to configure matrices in AFA.
When you create a matrix, AFA uses a special algorithm to calculate the relationships
between the members. If desired, you can override the results and edit the topology
information.
When a report is generated for the matrix, AFA analyzes the devices' multi-tiered
network topology and enables you to do the following:
- View risks associated with traffic that is allowed across all devices in the matrix.
Add matrices
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
You can search for devices by typing the full or partial name of a device into the
box.
You can browse the list by clicking Previous or Next below the list. Additionally,
you can see more devices on the same page by expanding the size of the dialog
box by pulling the bottom corner. You can filter the devices by Device, Brand and
Group by clicking beside the column title.
5. To remove members from the matrix, clear the device's check box.
6. Click Create.
A message box appears asking whether you want to customize the matrix settings.
a. Click Yes.
The Customize Matrix Topology page appears, enabling you to edit all
zones in the matrix's multi-tiered topology.
c. Click OK.
Edit matrices
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
You can search for devices by typing the full or partial name of a device into the
box.
You can browse the list by clicking Previous or Next below the list. Additionally,
you can see more devices on the same page by expanding the size of the dialog
box by pulling the bottom corner. You can filter the devices by Device, Brand and
Group by clicking beside the column title.
4. To remove members from the matrix, clear the device's check box.
5. Click Update.
6. Click OK.
A message box appears asking whether you want to customize the matrix settings.
a. Click Yes.
The Customize Matrix Topology page appears, enabling you to edit all
zones in the matrix's multi-tiered topology.
c. Click OK.
Rename matrices
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
4. Click OK.
5. Click OK.
Delete matrices
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
3. Click OK.
4. Click OK.
Manage DR sets
AFA provides the ability to define pairs (or groups) of Disaster Recovery (DR) sets.
Whenever one of the devices in the set is found in the path of a traffic simulation query,
the other devices will automatically be tested against the same traffic, ensuring they
allow it as well. This capability significantly eases troubleshooting and change
management for DR device sets that do not share the same policy.
This section describes how to configure disaster recovery (DR) sets in AFA.
Add DR sets
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
You can search for devices by typing the full or partial name of a device into the
box.
You can browse the list by clicking Previous or Next below the list. Additionally,
you can see more devices on the same page by expanding the size of the dialog
box by pulling the bottom corner. You can filter the devices by Device, Brand and
Group by clicking beside the column title.
5. To remove members from the DR set, clear the device's check box.
6. Click Create.
7. Click OK.
Edit DR sets
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
You can search for devices by typing the full or partial name of a device into the
box.
You can browse the list by clicking Previous or Next below the list. Additionally,
you can see more devices on the same page by expanding the size of the dialog
box by pulling the bottom corner. You can filter the devices by Device, Brand and
Group by clicking beside the column title.
4. To remove members from the DR set, clear the device's check box.
5. Click Update.
6. Click OK.
Rename DR sets
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
2. Select the desired DR set from the tree and click Rename.
4. Click OK.
5. Click OK.
Delete DR sets
Do the following:
1. Access the Devices Setup page. For details, see Access the DEVICES SETUP
page.
2. Select the desired DR set from the tree and click Delete.
3. Click OK.
4. Click OK.
• Remove devices
• A direct connection between every internal subnet in the network (without passing
through any clouds).
• A direct connection between every internal subnet and all permitted external IP
addresses that ends in the relevant cloud (without passing through any clouds).
AFA provides a completeness score for your map and enables you to complete your
map by providing a prioritized list of generic routers in the map that should be defined as
devices in AFA. The routers which would complete the most paths are given the highest
priority. AFA automatically performs a DNS lookup to help identify which of your devices
correspond to which IP address. To further assist in identifying the device names, you
can optionally provide the network's SNMP credentials.
Tip: Alternately, complete the map via CLI instead. For more details, see Complete
the map (CLI).
Note: The map completeness score and the routers that AFA recommends
2. Next to the map completeness score, click the Improve Score link.
The list on the left is a prioritized list of routers to define in AFA. The routers which
would complete the most paths are given the highest priority, and therefore appear
at the top of the list. The name of the router appears when the DNS lookup was
successful; otherwise, the IP address of the router appears.
Each router appears in the list with its IP address as a link. Clicking on the link will
focus the map on that router.
The device name to the left of the router's name is the device defined in AFA
which is closest to the router. When multiple devices are close to the router, a link
to a list of the devices appears.
The search results include results for router names, router IP addresses, or names
of the closest device defined in AFA.
4. To define a router in AFA, hover over the router in the list and click .
The administration area for defining new devices appears, enabling you to define
the device in AFA. For more details, see Add devices to AFA.
The Merge Selected button at the top of the list becomes enabled when two or
more routers are selected.
7. Click .
The routers are merged into one router in the map. The new router is represented
with the merged routers icon.
8. To re-run the map completeness calculation with custom values, do the following:
The map completeness score and the routers that AFA recommends defining are
calculated by simulating routes between internal subnets and between each
internal subnet and external IP.
11. To restore the default network values, click the Restore Default Values link.
12. To customize the maximum number of paths that will be simulated and/or to
provide SNMP credentials for the sake of identifying router names, do the
following:
Note: When SNMP is provided, the only information being fetched via SNMP is
the name of the devices.
Note: Using the AFA web interface is the preferred method to complete the map. See
Complete the map. When you choose to use the CLI tool, the results will not appear in
the UI.
• A prioritized list of generic routers in the map that should be defined as devices
in AFA. The routers which would complete the most paths are given the highest
priority.
• A list of mismatched routes in the map (the route was complete in one direction,
but not the other).
1. Set the map to prefer paths where the source is a subnet (and not a cloud) and
disable this preference for destinations. For details, see the
PrioritizeFIPDestination parameter.
Note: Make sure to revert these parameters to the settings required for your
environment after you finish running the CLI tool.
• A .txt file with all the internal subnets within the network. The subnets
should all be connected without going through the internet.
Each subnet in the file must be in CIDR format and on a new line ("line
break" is the delimiter).
Example:
10.0.0.0/8
192.168.0.0/16
• A .txt file with all the external IP addresses that should be reachable from
each internal subnet.
Example:
8.8.8.8
82.102.187.174
• (Optional) A .txt file with the network's SNMP credentials. Providing this
information helps the CLI tool determine the names of the devices in the
prioritized list (not just the IP addresses) when the DNS lookup does not
provide the name.
• For SNMP version 2, the file must include the following (with the
community string value inserted):
version: 2
community:
• For SNMP version 3, the file must include the following (with all the
values inserted):
3. Open a terminal and log in using the username "afa" and the related password.
5. The tool simulates the routes between each internal subnet and between each
internal subnet and external IP.
For example:
Where:
Summary                                    Description
Internal networks: 2                       Number of internal subnets in the input file.
External IPs: 2                            Number of external IPs in the input file.
Internal subnets in the map database: 93   Number of subnets in the current map that are included in the internal subnets in the input file.
3 Unique missing router addresses          Number of routers in the current map that are not defined in AFA.
294 Mismatches were found                  Number of paths that are complete in one direction, but not the other.
Map is 16.28% Complete                     The completeness score for the current map. This is the percentage of possible paths that are complete.
Note: Routes with NAT will be identified as mis-matched even though they do
not predict a hole in the map.
The two output files are created and given the names you specified in the command
parameters or the default names missing_routers.txt and routing_mismatches.txt.
The missing routers output file provides a list of devices to add to AFA. The file includes
the number of paths that are incomplete because of each missing device. The devices
are listed in descending priority, where devices that would complete more paths are
given higher priority. If the tool was not able to determine the name of a device using a
DNS lookup or SNMP, only the IP address appears.
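The figures in the summary above (completeness score, mismatches, prioritized missing routers) follow directly from the simulated paths. The following added example (not AlgoSec code) models that derivation over the two input files; the route simulation is a constructed stand-in for AFA's own, and treating every directed source/destination pair as one "possible path" is an assumption of this model.

```python
"""Added example (not AlgoSec code): an illustrative model of how the map
completeness figures can be derived from the two input files. The route
simulation is a constructed stand-in for AFA's own; counting every directed
(source, destination) pair as one possible path is an assumption here."""
import ipaddress
from collections import Counter
from itertools import permutations, product

# Constructed contents of the two input files, one CIDR / IP per line.
INTERNAL_NETS_TXT = "10.0.0.0/8\n192.168.0.0/16\n"
EXTERNAL_IPS_TXT = "8.8.8.8\n82.102.187.174\n"

# Constructed simulation results: for a directed (source, destination) pair,
# either "complete" or the address of the first generic router on the path
# that is not defined in AFA. Pairs not listed simulate as complete.
SIMULATED_PATHS = {
    ("10.0.0.0/8", "192.168.0.0/16"): "complete",
    ("192.168.0.0/16", "10.0.0.0/8"): "172.16.1.1",   # reverse direction fails
    ("10.0.0.0/8", "8.8.8.8"): "172.16.1.1",
    ("8.8.8.8", "10.0.0.0/8"): "172.16.1.1",
    ("192.168.0.0/16", "82.102.187.174"): "172.16.2.2",
}


def parse_address_file(text, allow_hosts=False):
    """Parse a newline-delimited input file. Every non-blank line must be a
    CIDR network (host bits must be zero); with allow_hosts a bare IP
    address is accepted too (the external IPs file). Raises ValueError
    with the offending line number, so a bad file is caught before a run."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            if "/" in line:
                entries.append(str(ipaddress.ip_network(line)))
            elif allow_hosts:
                entries.append(str(ipaddress.ip_address(line)))
            else:
                raise ValueError("not in CIDR format")
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r}: {exc}") from None
    return entries


def candidate_paths(internal, external):
    """Directed paths the tool simulates: between every pair of internal
    subnets, and between each internal subnet and each external IP."""
    paths = list(permutations(internal, 2))
    for net, ip in product(internal, external):
        paths += [(net, ip), (ip, net)]
    return paths


def simulate(src, dst):
    """Stand-in for the route simulation (uses the constructed data above)."""
    return SIMULATED_PATHS.get((src, dst), "complete")


def score_map(internal_txt, external_txt, simulate_fn=simulate):
    """Compute the summary figures: completeness score, number of mismatched
    routes (complete in one direction only) and the missing routers ordered
    by how many incomplete paths each one accounts for (highest first)."""
    internal = parse_address_file(internal_txt)
    external = parse_address_file(external_txt, allow_hosts=True)
    paths = candidate_paths(internal, external)
    results = {p: simulate_fn(*p) for p in paths}
    complete = [p for p, r in results.items() if r == "complete"]
    # A mismatch is a path that is complete one way but not the other. As the
    # note above says, NAT can produce one without a real hole in the map.
    mismatches = [(s, d) for s, d in complete if results[(d, s)] != "complete"]
    missing = Counter(r for r in results.values() if r != "complete")
    return {
        "internal_networks": len(internal),
        "external_ips": len(external),
        "unique_missing_routers": len(missing),
        "mismatches": len(mismatches),
        "percent_complete": round(100 * len(complete) / len(paths), 2),
        "missing_routers": missing.most_common(),
    }
```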
-i <internal_nets.txt>    Yes    Passes the internal networks input file. The value is the relative path to the file.
-e <external_IPs.txt>     Yes    Passes the external IPs input file. The value is the relative path to the file.
If you ran a group device query and received unexpected results, you can troubleshoot
those results by providing the expected results. AFA will make a recommendation to
help you make the traffic traverse correctly.
Note: The traffic simulation query troubleshooting feature is for AFA administrators
only.
Do the following:
The path detected by the query appears on both the left side pane and the map.
The devices appear in the same order as the path detected in the query.
Note: If the query has more than one traffic line with unexpected results, you
can only troubleshoot one path at a time from one of those traffic lines.
3. If the query involves multiple traffic lines or a single traffic line with multiple
sources and/or multiple destinations, select the traffic line and click Next.
5. Specify the expected path for the query. You can optionally add new devices,
change the order of the devices, and/or delete devices.
Note: You can only add devices to the path that are currently defined in AFA.
If the query does not detect the expected path, the result appears displaying the
identified problems and suggested solutions.
Note: If the identified problem is that the traffic is not routed in the network, no
troubleshooting can be performed.
Note: AFA supports adding or removing ranges from clouds, but not removing
clouds.
Do the following:
1. Open a terminal and log in using the username "afa" and the related password.
where, CIDR is the CIDR you want to include, stub_router_IP is the IP address of
the adjacent router, and comment is a comment for the cloud edit entry (in
quotations).
where, CIDR is the CIDR you want to exclude, stub_router_IP is the IP address of
the adjacent router for which you want to keep the CIDR, and comment is a
comment for the cloud edit entry (in quotations).
You can use the except_stub parameter multiple times to include the CIDR in
multiple clouds, as in the following example:
where, CIDR is the CIDR you want to exclude, stub_router_IP is the IP address of
the adjacent router, and comment is a comment for the cloud edit entry (in
quotations).
4. To display a list of all currently configured cloud edit entries, enter the following
command:
where, stub_router_IP is the IP address of the router for which you would like to
see all cloud edit entries.
Note: The stub parameter is optional. When a router is not specified, all entries
in the database are displayed.
where, CIDR is the CIDR of the entry you want to delete and stub_router_IP is the
IP address of the router for the entry you want to delete.
Note: The input CIDR and router IP address must be exactly as they are in the
cloud edit entry. It is recommended to display the entries (see above) and verify
these inputs before running this command.
Press Enter.
Remove devices
You can remove devices from the graphic network map. You can remove devices from
the current map calculation and/or from all future map calculations. If you only remove
the device from current map, the device will appear in the map again once a new report
is generated.
Note: A removed device will not appear in traffic simulation query results.
Do the following:
1. Open a terminal and log in using the username "afa" and the related password.
fa_map -d DeviceID
where, DeviceID is the name of the device you wish to remove from the current
graphic network map.
4. To cause devices to be omitted from all future map updates, do the following:
5. Open /home/afa/.fa/config.
6. On a new line, add the configuration item MAP_BLACK_LIST, and set the
configuration item's value to a semi-colon separated list of devices that you wish to
remove from the graphic network map.
For example, the following removes the devices rose_checkpoint and flower_asa
from the graphic network map, for all future maps.
MAP_BLACK_LIST=rose_checkpoint;flower_asa
Do the following:
1. Open a terminal and log in using the username "afa" and the related password.
where, InterfaceName is the name of the interface you wish to ignore, and
DeviceName is the name of the interface's device.
3. To view a list of all the ignored interfaces for a specific device, enter the following
command:
4. To view a list of all the ignored interfaces for all devices, enter the following
command:
fa_map -list_ignored_interfaces
Do the following:
The Routing Information dialog box appears, displaying the current URT file.
4. Click the Download current URT file link or the Download Sample file link.
5. Edit the file with the routing information you want to import.
For information about URT file syntax, see How to manually specify routing
information for Cisco Layer 2 devices in AlgoPedia.
6. Click Upload new file, and select the new URT file.
The file is validated and uploaded. If there is an error in syntax or content, an error
message appears.
7. Click OK.
The new routing table will take effect after the next device analysis.
Schedule analysis
This section describes how to schedule analyses for devices, groups and matrices.
AFA can run multiple reports in parallel, and the maximum number of reports that can be
generated simultaneously depends on your AFA system configuration and power. In
order to change this value, contact AlgoSec support.
Note: It is recommended to only run 'All Firewalls' analyses at night, in order to avoid
a high strain on your system during normal operating hours.
2. Select Administration.
• To edit an existing analysis job, click on the Edit icon next to the desired job.
This field is relevant only when generating group reports and matrix reports.
7. To select a risk profile, select the Select risk profile check box, and select a risk
profile from the drop-down menu.
8. Select one of the following settings in the Run device analysis drop-down menu:
• Always (slow) - AFA will always run a full analysis, regardless of whether
the policy has changed or not.
Note: Selecting this option will result in longer analysis time and requires more
disk space.
9. Specify the device, group, or matrix for which you want to schedule an automatic
analysis, by doing the following in the Select a device/group area:
Note: When you select a "parent" tier device, all the devices beneath it are
automatically analyzed with each analysis.
13. In the Recurrence area, specify how often the analysis job should run.
You can select either a daily, weekly, monthly, quarterly, or yearly analysis, or
configure the analysis to occur when a policy is installed on the device(s).
Note: You can only select Upon policy install, if real-time change monitoring is
enabled for this device.
The fields in the Recurrence Pattern area change according to your selection.
14. In the Recurrence Pattern area, configure the desired pattern of recurrence.
Note: If you want to see the scheduled job run during the current schedule
cycle, schedule your analysis at least five minutes later than the current time.
Do the following:
2. Select Administration.
The Scheduler Setup tab appears with a list of scheduled analysis and
dashboard e-mail jobs.
5. Click Delete.
6. Click Yes.
This option must be activated for the ASMS environment and then enabled per device.
AFA will periodically check devices' policies for changes, and detected changes will be
displayed in the AFA Web interface.
Note: You can configure AFA to send e-mail notifications to selected users
whenever changes are detected. For more details, see Configure event-triggered
notifications.
Do the following:
2. Select Administration.
2. Set the Monitoring frequency to the interval of time in minutes at which AFA
should monitor devices.
6. Click Apply.
AFA users and roles provide the basis for authentication across both AFA and FireFlow.
AFA authentication
ASMS supports authentication via an LDAP or RADIUS authentication server, Single
Sign On (SSO), or the local AFA database.
• Manage users and roles in AFA. Describes how to manage users and roles
directly in AFA.
Non-administrator    Can run analyses, generate reports, view policies and reports, view
privileged users     network map and monitoring changes, and run traffic simulation
                     queries.
Each user is assigned one of the following access levels as part of their default
permission profile:
Standard Access    Enables users to view existing reports, run traffic simulation queries,
                   initiate new device analyses, and use the customization features such as
                   customizing the topology.
ReadOnly Access    Enables users to view existing reports and run traffic simulation queries
                   on these reports.
enables all ASMS users to log in easily, including change requestors, application
owners, auditors, and so on.
A service provider (SP)       In our case, AlgoSec is a service provider that provides ASMS.
An identity provider (IdP)    In our case, your SSO Provider provides user identity verification
                              as the identity provider.
• ASMS directs users to authenticate against your SSO Provider as the IdP, and
then redirects the user back to ASMS.
• Users already logged in to the SSO Provider are directed directly to ASMS.
• The Logout button no longer appears in ASMS. Log out by logging out of your
SSO Provider only.
https://<Algosec URL>/AFA/php/module.php/saml/sp/metadata.php/<SP Identifier>
Assertion Consumer Service, or the Single Sign On URL
    Informs the IdP where ASMS redirects the user for Single Sign On (login) requests.
    Configured as:
    https://<ASMS URL>/simplesaml/module.php/saml/sp/saml2-acs.php/<SP Identifier>
Single Logout Service
    May not be required in all situations. Informs the IdP where ASMS redirects the
    user for Single Sign Out (logout) requests.
    Configured as:
    https://<ASMS URL>/simplesaml/module.php/saml/sp/saml2-logout.php/<SP Identifier>
The SSO Provider must inform ASMS about the user performing the authentication. The
following data is passed with the returned attributes, post-authentication:
Tip: If your SSO Provider cannot be configured to provide the required data in this
format, configure a customized UID parser.
2. Under User Authentication, select Single Sign On, and complete the following fields
as needed:
3. Optional: To fetch user data, select the Fetch User Data checkbox and do one of the
following:
Do the following:
b. Click Test connectivity for the specific server to test connectivity. A message
informs you whether AFA connected to the server successfully.
In this field...             Do this...
Port                         Type the port number on the LDAP server's host computer.
Timeout                      Use the arrow buttons to select the maximum amount of time in
                             seconds to wait for the LDAP server's reply.
Secure Connection            Select this option to secure connections with the LDAP server, then
                             choose the method to use for securing the connection: LDAPS or
                             StartTLS.
                             The default method is LDAPS.
                             The value of the Port field changes according to the method
                             selected.
Verify Server Certificate    Select this option to specify that AFA should check the LDAP
                             server's certificate against a locally stored certificate. AFA will only
                             connect to the LDAP server if the certificates are identical.
                             The CA Certificate field appears.
User DN                      Type the user DN that AFA should use to log in to the LDAP server.
                             This field appears only for Regular bind type.
Password                     Type the password that AFA should use to log in to the LDAP
                             server.
                             This field appears only for Regular bind type.
Name                         Type the attribute that contains a user's name, in user objects in
                             the database.
                             The default value is sAMAccountName.
Group Membership             Type the attribute that contains a user's groups, in user objects
                             in the database.
                             The default value is member.
Associated Roles             Select this option to import user group information from the LDAP
                             server. Selecting this option enables assigning user roles via a
                             specified correspondence between LDAP groups and AFA,
                             FireFlow, or AppViz roles.
                             To manage roles from within the AlgoSec Suite (not the LDAP), do
                             not select this option.
Full Name                    Type the name of the LDAP server user field from which you want to
                             import data to the AlgoSec Firewall Analyzer and FireFlow Full
                             Name field.
Email                        Type the name of the LDAP server user field from which you want to
                             import data to the AlgoSec Firewall Analyzer and FireFlow Email
                             field.
Notes                        Type the name of the LDAP server user field from which you want to
                             import data to the AlgoSec Firewall Analyzer and FireFlow Notes
                             field.
Organization                 Type the name of the LDAP server user field from which you want
                             to import data to the FireFlow Organization field.
Address                      Type the name of the LDAP server user field from which you want
                             to import data to the FireFlow Address field.
City                         Type the name of the LDAP server user field from which you want
                             to import data to the FireFlow City field.
State                        Type the name of the LDAP server user field from which you want
                             to import data to the FireFlow State field.
Zip Code                     Type the name of the LDAP server user field from which you want
                             to import data to the FireFlow Zip Code field.
Country                      Type the name of the LDAP server user field from which you want
                             to import data to the FireFlow Country field.
Home Phone                   Type the name of the LDAP server user field from which you want
                             to import data to the FireFlow Home Phone field.
Work Phone                   Type the name of the LDAP server user field from which you want
                             to import data to the FireFlow Work Phone field.
Mobile Phone                 Type the name of the LDAP server user field from which you want
                             to import data to the FireFlow Mobile Phone field.
Pager                        Type the name of the LDAP server user field from which you want
                             to import data to the FireFlow Pager field.
Select IDP and complete the fields as needed. For details, see:
In this field...    Do this...
Full Name           Type the name of the LDAP server user field from which you want to
                    import data to the AlgoSec Firewall Analyzer and FireFlow Full Name
                    field.
Email               Type the name of the LDAP server user field from which you want to
                    import data to the AlgoSec Firewall Analyzer and FireFlow Email field.
Notes               Type the name of the LDAP server user field from which you want to
                    import data to the AlgoSec Firewall Analyzer and FireFlow Notes field.
Organization        Type the name of the LDAP server user field from which you want
                    to import data to the FireFlow Organization field.
Address             Type the name of the LDAP server user field from which you want
                    to import data to the FireFlow Address field.
City                Type the name of the LDAP server user field from which you want
                    to import data to the FireFlow City field.
State               Type the name of the LDAP server user field from which you want
                    to import data to the FireFlow State field.
Zip Code            Type the name of the LDAP server user field from which you want
                    to import data to the FireFlow Zip Code field.
Country             Type the name of the LDAP server user field from which you want
                    to import data to the FireFlow Country field.
Home Phone          Type the name of the LDAP server user field from which you want
                    to import data to the FireFlow Home Phone field.
Work Phone          Type the name of the LDAP server user field from which you want
                    to import data to the FireFlow Work Phone field.
Mobile Phone        Type the name of the LDAP server user field from which you want
                    to import data to the FireFlow Mobile Phone field.
Pager               Type the name of the LDAP server user field from which you want
                    to import data to the FireFlow Pager field.
4. To set a default mail domain, select Default Mail Domain, and enter the URL.
When this option is configured, AFA automatically generates an email address for
users by attaching the specified email suffix to its username (when an email address
is not provided).
5. At the bottom of the page, click OK. Changes to user authentication settings
immediately take effect.
If you must encrypt communication between ASMS and your IdP (the SSO Provider),
have the IdP create a certificate for ASMS to use. This is the default behavior for most
IdPs.
Do the following:
Tip: The default filename is server.crt. We recommend that you use a different
filename, as this default file is overwritten during upgrades.
3. If you saved the file under a name other than server.crt, configure the name of the
IdP certificate file.
Do the following:
For example:
SSOSAML_IdP_Certificate=MyIdPCert.cr
By default, ASMS uses SP-initiated, or solicited SSO, in which the SP signs the
Assertion Certificate passed between the two systems. This is the recommended
usage.
ASMS also supports IdP-initiated, or unsolicited SSO, in which the IdP signs the
Assertion Certificate instead.
While both scenarios have users access ASMS using the ASMS URL, the method used
may affect parameter values in the system configuration.
Do the following:
Various IdPs have different response formats, and yours may not match the format
expected by ASMS.
If you cannot configure the response format to match ASMS's expectation, define a
custom UID parser to translate the responses.
Do the following:
c. Search for the debug log and find the user attributes received, including the
object returned and its structure.
b. Change the PHP include path directive to include the new directory:
include_path = ".:/usr/share/fa/phplib:/usr/share/fa/php:/usr/share/fa/php/inc:/usr/share/fa/php/site"
UID_PARSER_NAME=<parser name>
/etc/init.d/httpd restart
ASMS enables users to log in directly to ASMS, without using SSO, even when SSO is
configured. For example, this may be helpful if your IdP is down, or if there are
configuration errors.
Note: Forcing local authentication uses direct ASMS logins, and requires that users
Do the following:
Navigate to ASMS, with the additional ForceLocalAuth=1 string added on to the end of
the URL.
The local ASMS login page appears, and users can log in using ASMS credentials.
Troubleshoot SSO configuration
If an SSO error occurs, the browser displays an error page instead of ASMS.
Time assertion failures, such as:
• [message:protected] => Received an assertion that is valid in the future. Check clock synchronization on IdP and SP.
    Check the clock configurations on the ASMS machine and the SSO Provider. Both of
    these clocks must be synchronized, including timezone.
Lost sessions and STATE-related errors
    Verify that the SSO Provider directs the user to ASMS using the same hostname as
    accessed by the user.
Users are able to connect from expired sessions
    If a user is able to log in to ASMS, even if the ASMS session timeout period has
    passed, verify whether the ASMS timeout and the SSO Provider timeout are
    configured correctly.
    The ASMS session timeout must be set to a time limit equal or greater than the
    SSO Provider's session timeout.
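The first and third issues above are both clock and timeout arithmetic, which can be checked offline before touching the IdP. The following is an added example, not ASMS or SimpleSAMLphp code: it evaluates a constructed SAML assertion's validity window against the SP's clock, reproducing the "valid in the future" failure, and checks the session timeout rule; the skew tolerance SKEW is an assumed value, not a documented ASMS setting.

```python
"""Added example (not ASMS or SimpleSAMLphp code): reproduce the time
assertion failure described above from a constructed SAML assertion, so a
suspected clock problem can be confirmed offline. SKEW is an assumed
tolerance for IdP/SP clock drift, not a documented ASMS setting."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SKEW = timedelta(seconds=60)   # assumed tolerance, see note above

# Constructed assertion: only the Conditions element is relevant here.
ASSERTION_XML = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2020-05-04T10:00:00Z"
                   NotOnOrAfter="2020-05-04T10:05:00Z"/>
</saml:Assertion>
"""


def _saml_time(value):
    """SAML timestamps are UTC with a 'Z' suffix; compare as aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion_clock(assertion_xml, sp_now, skew=SKEW):
    """Judge the assertion's validity window against the SP's clock sp_now
    (an aware datetime or a SAML timestamp string). Returns 'ok',
    'valid in the future' (the SP clock is behind the IdP, the error quoted
    above) or 'expired' (the SP clock is ahead, or the assertion is stale)."""
    if isinstance(sp_now, str):
        sp_now = _saml_time(sp_now)
    root = ET.fromstring(assertion_xml)
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    not_before = _saml_time(cond.get("NotBefore"))
    not_on_or_after = _saml_time(cond.get("NotOnOrAfter"))
    if not_before > sp_now + skew:
        return "valid in the future"
    if not_on_or_after + skew <= sp_now:
        return "expired"
    return "ok"


def session_timeouts_consistent(asms_timeout_minutes, idp_timeout_minutes):
    """Rule from the last row above: the ASMS session timeout must be equal
    to or greater than the SSO Provider's session timeout."""
    return asms_timeout_minutes >= idp_timeout_minutes
```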
Disable SSO configuration
If your SSO configuration behaves unexpectedly, you may want to disable it while you
troubleshoot the issues.
Do the following:
Local user database    The AlgoSec Security Management Suite maintains a local user database
                       that is composed of the usernames and passwords of users you have
                       added. When a user attempts to log in, the AlgoSec Suite compares the
                       entered username and password to the local user database. If the entered
                       username exists in the database, and the password matches the
                       username, then the user is logged in.
By default, the AlgoSec Security Suite uses the local user database to authenticate
users. If you want to use a RADIUS server and/or an LDAP server in addition to local
authentication, you must configure the desired user authentication method using the
following procedure.
Note: When more than one user authentication method is enabled, you can choose
which method to use on a per-user basis.
If importing user data from an LDAP server is not configured, you must manually
define privileged users in AFA.
2. Select Administration.
Note: The Local check box is selected by default and cannot be cleared.
b. Complete the fields as needed. If you selected the Use Secondary Servers
check box, additional fields appear.
b. Complete the fields using the information in LDAP Authentication Fields (see
LDAP authentication fields).
If you selected the Use Secondary Servers or Fetch user data from LDAP
check boxes, additional fields appear.
7. To test connectivity for a defined RADIUS or LDAP server, click Test connectivity for
8. In the Default for new users area, choose the default authentication method for new
users.
Note: You can override the default authentication method to use on a per-user
basis.
9. To set a default mail domain, select Default Mail Domain, and type the URL.
When this option is configured, AFA automatically generates an email address for
users by attaching the specified email suffix to its username (when an email address
is not provided).
In this field...             Do this...
Secret key                   Type the secret key to use for authenticating to the RADIUS server.
Port                         Type the port number on the RADIUS server's host computer.
Timeout                      Use the arrow buttons to select the maximum amount of time in seconds
                             to wait for the RADIUS server's reply.
Fetch user data from LDAP    Select this option to fetch user data from an LDAP server.
                             AFA will perform authentication (check passwords) against the defined
                             RADIUS server, but will also access the specified LDAP server to obtain
                             user information and optionally assign roles.
                             Important: When this option is selected, you must additionally define the
                             LDAP server and configure the import with the Fetch user data from
                             LDAP check box.
                             For more information, see Importing User Data from an LDAP Server
                             (see Import user data from an LDAP server).
Use Secondary Servers        Select this option to configure one or more secondary RADIUS servers.
                             You must complete the fields in the Secondary Radius Servers area.
In this field...             Do this...
LDAP Server Credentials
Port                         Type the port number on the LDAP server's host computer.
Timeout                      Use the arrow buttons to select the maximum amount of time in
                             seconds to wait for the LDAP server's reply.
Secure Connection            Select this option to secure connections with the LDAP server, then
                             choose the method to use for securing the connection: LDAPS or
                             StartTLS.
                             The default method is LDAPS.
                             The value of the Port field changes according to the method selected.
Verify Server Certificate    Select this option to specify that AFA should check the LDAP server's
                             certificate against a locally stored certificate. AFA will only connect to
                             the LDAP server if the certificates are identical.
                             The CA Certificate field appears.
CA Certificate               Select the locally stored certificate against which AFA should compare
                             the LDAP server's certificate.
                             The certificate must be stored under /home/afa/.fa/ca_certs in order
                             to appear in the drop-down list.
User DN                      Type the user DN that AFA should use to log in to the LDAP server.
                             This field appears only for Regular bind type.
Password                     Type the password that AFA should use to log in to the LDAP server.
                             This field appears only for Regular bind type.
Attribute Mapping
Name                         Type the attribute that contains a user's name, in user objects in the
                             database.
                             The default value is sAMAccountName.
Group Membership             Type the attribute that contains a user's groups, in user objects in the
                             database.
                             The default value is member.
Permitted Users
Members of Group DN          Type the DN of the LDAP group that includes all users who may log in
                             to AFA and FireFlow.
                             This field is optional. When it is filled in, users who are not members of
                             this LDAP group will not be allowed to log in to AFA or FireFlow, even
                             if they are members of other LDAP groups mapped to AFA or FireFlow
                             roles.
                             Note: This LDAP group includes all FireFlow requestors. When this
                             field is filled in, only users who are members of this group are
                             allowed to submit requests to FireFlow.
Extra Filtering              Type any additional criteria that users must meet in order to be
                             authenticated.
                             The default value is (objectClass=*).
Fetch user data from LDAP    Select this option to import user data from the LDAP server upon each
                             login. For example, when a user logs in, data such as the user's
                             telephone number can be imported.
                             You must complete the fields in the Fields Mapping area.
                             Note: The default values for these fields are taken from Active
                             Directory. If a different LDAP server is used, the names must be
                             changed accordingly.
                             Since data is imported only upon user login, the data stored for
                             users who log in infrequently may be outdated.
Fields Mapping
Associated Roles             Select this option to import user group information from the LDAP
                             server. Selecting this option enables assigning user roles via a
                             specified correspondence between LDAP groups and AFA, FireFlow,
                             or AppViz roles.
                             To manage roles from within the AlgoSec Suite (not the LDAP), do not
                             select this option.
Full Name                    Type the name of the LDAP server user field from which you want to
                             import data to the AlgoSec Firewall Analyzer and FireFlow Full Name
                             field.
Email                        Type the name of the LDAP server user field from which you want to
                             import data to the AlgoSec Firewall Analyzer and FireFlow Email field.
Notes                        Type the name of the LDAP server user field from which you want to
                             import data to the AlgoSec Firewall Analyzer and FireFlow Notes field.
FireFlow specific fields
Organization                 Type the name of the LDAP server user field from which you want to
                             import data to the FireFlow Organization field.
Address                      Type the name of the LDAP server user field from which you want to
                             import data to the FireFlow Address field.
City                         Type the name of the LDAP server user field from which you want to
                             import data to the FireFlow City field.
State                        Type the name of the LDAP server user field from which you want to
                             import data to the FireFlow State field.
Zip Code                     Type the name of the LDAP server user field from which you want to
                             import data to the FireFlow Zip Code field.
Country                      Type the name of the LDAP server user field from which you want to
                             import data to the FireFlow Country field.
Home Phone                   Type the name of the LDAP server user field from which you want to
                             import data to the FireFlow Home Phone field.
Work Phone                   Type the name of the LDAP server user field from which you want to
                             import data to the FireFlow Work Phone field.
Mobile Type the name of the LDAP server user field from which you want to
Phone import data to the FireFlow Mobile Phone field.
Pager Type the name of the LDAP server user field from which you want to
import data to the FireFlow Pager field.
Use Select this option to configure one or more secondary LDAP servers.
Secondary You must complete the fields in the Secondary LDAP Servers area.
Servers (See LDAP Server Credentials at top of this table.)
Note: If the system is configured to import user information from an LDAP server,
changes to user settings must be made only on the LDAP server (changes made in
the AlgoSec Suite may be overridden the next time the user logs in).
Note: The data stored for users who log in infrequently may be outdated. Each
user's information is fetched and updated upon login; in addition to name and
email, this includes the list of roles the user is assigned, the list of permissions the
user inherits, and the list of users assigned the fetched roles.
Do the following:
1. Configure LDAP or RADIUS user authentication. For details, see User authentication
via authentication servers.
   • When authenticating with an LDAP server, select the Fetch user data from LDAP check box and complete the fields in the Fields Mapping area.
   a. Select the Fetch user data from LDAP check box in the RADIUS Authentication fields area.
   b. Additionally define the LDAP, select the Fetch user data from LDAP check box and complete the fields in the Fields Mapping area.
2. Click OK.
4. Add/Edit the user role you want to link with an LDAP group. For details, see Manage
users and roles in AFA.
5. Type the LDAP group name that you want to link with the role in the Role LDAP DN
field.
When users log in that are members of this LDAP group, they will automatically be
granted the role.
Complete this procedure for each LDAP server you want to include in the forest.
Do the following:
Number 1 represents the primary LDAP server, and numbers 2 and 3 represent
possible backup servers. If you do not want those servers to be included in the forest,
choose a number higher than 3.
3. Select Administration.
5. Add the parameters specified in LDAP Parameters (see LDAP parameters), one at a
time, by doing the following:
a. Click Add.
Where:
For example, to specify the port number of LDAP server number 4, type LDAP_Port4.
d. Click OK.
f. Click OK.
LDAP parameters
Set this parameter... / To this...

LDAP_Timeout:
  The maximum amount of time in seconds to wait for the LDAP server's reply.
  This parameter is mandatory.
Ldap_Secured_Authentication_Method:
  The method to use for securing connections with the LDAP server. This can have the following values:
  • ldaps
  • starttls
  This parameter is mandatory.
LDAP_VerifyCert:
  Indicates whether AFA should check the LDAP server's certificate against a locally stored certificate. AFA will only connect to the LDAP server if the certificates are identical.
  This can have the following values:
  • yes
  • no
  This parameter is mandatory.
LDAP_Certificate:
  The locally stored certificate against which AFA should compare the LDAP server's certificate.
  The certificate must be stored under /home/afa/.fa/ca_certs.
  This parameter is mandatory.
LDAP_Username:
  The user DN that AFA should use to log in to the LDAP server.
  This parameter is optional.
LDAP_Password:
  The password that AFA should use to log in to the LDAP server.
  This parameter is optional.
LDAP_Bind_Type:
  The bind type to use. This can have the following values:
  • Simple. AFA sends the entered username and password to the LDAP server. If the entered username exists in the LDAP server, and the password matches the username, then the user is logged in.
  • Regular. AFA logs in to the LDAP server using a user DN and password, and then checks the entered username and password against the LDAP server. If the entered username exists in the LDAP server, the password matches the username, and any additional criteria are met, then the user is logged in.
  • Anonymous. AFA accesses the LDAP server anonymously, and then checks the entered username and password against the LDAP server. If the entered username exists in the LDAP server, the password matches the username, and any additional criteria are met, then the user is logged in.
  This parameter is optional.
LDAP_NameAttr:
  The attribute that contains a user's name, in user objects in the database.
  This parameter is optional.
LDAP_MemberAttr:
  The attribute that contains a user's groups, in user objects in the database.
  This parameter is optional.
LDAP_GroupDN:
  The DN of the user group to which users must belong in order to be authenticated.
  This parameter is optional.
LDAP_AttrEmail:
  The name of the LDAP server user field from which you want to import data to the AFA and FireFlow Email field.
  This parameter is optional.
LDAP_AttrFullName:
  The name of the LDAP server user field from which you want to import data to the AFA and FireFlow Full Name field.
  This parameter is optional.
LDAP_AttrNotes:
  The name of the LDAP server user field from which you want to import data to the AFA and FireFlow Notes field.
  This parameter is optional.
LDAP_AttrOrganization:
  The name of the LDAP server user field from which you want to import data to the FireFlow Organization field.
  This parameter is optional.
LDAP_AttrAddress1:
  The name of the LDAP server user field from which you want to import data to the FireFlow Address field.
  This parameter is optional.
LDAP_AttrCity:
  The name of the LDAP server user field from which you want to import data to the FireFlow City field.
  This parameter is optional.
LDAP_AttrState:
  The name of the LDAP server user field from which you want to import data to the FireFlow State field.
  This parameter is optional.
LDAP_AttrZip:
  The name of the LDAP server user field from which you want to import data to the FireFlow Zip Code field.
  This parameter is optional.
LDAP_AttrCountry:
  The name of the LDAP server user field from which you want to import data to the FireFlow Country field.
  This parameter is optional.
LDAP_AttrHomePhone:
  The name of the LDAP server user field from which you want to import data to the FireFlow Home Phone field.
  This parameter is optional.
LDAP_AttrWorkPhone:
  The name of the LDAP server user field from which you want to import data to the FireFlow Work Phone field.
  This parameter is optional.
LDAP_AttrMobilePhone:
  The name of the LDAP server user field from which you want to import data to the FireFlow Mobile Phone field.
  This parameter is optional.
LDAP_AttrPagerPhone:
  The name of the LDAP server user field from which you want to import data to the FireFlow Pager field.
  This parameter is optional.
LDAP forest example
In the following example, LDAP server 4 is added to the forest:
LDAP_Port4=349
LDAP_Timeout4=120
LDAP_Version4=3
Ldap_Secured_Authentication_Method4=LDAPS
LDAP_Server4=192.164.2.43
LDAP_UseSecured4=no
LDAP_VerifyCert4=no
LDAP_Certificate4=Algosec_CA.pem
LDAP_Domain4=ldomain4
LDAP_Username4=CN=Bob,OU=Algosec,DC=algosec,DC=local
LDAP_Password4=$FOQABRER$27:A3:BD:F2:90:C7:21:5A:3A:F4:F4:AB:R8:20:6F:25
LDAP_Bind_Type4=Regular
LDAP_BaseDN4=dc=algosec,dc=local
LDAP_ExtraFiltering4=(objectClass=*)
LDAP_NameAttr4=sAMAccountName
LDAP_MemberAttr4=memberOf
LDAP_GroupDN4=
LDAP_AttrEmail4=mail
LDAP_AttrFullName4=displayName
LDAP_AttrNotes4=description
LDAP_AttrOrganization4=company
LDAP_AttrAddress14=streetAddress
LDAP_AttrCity4=l
LDAP_AttrState4=st
LDAP_AttrZip4=postalCode
LDAP_AttrCountry4=co
LDAP_AttrHomePhone4=homePhone
LDAP_AttrWorkPhone4=telephoneNumber
LDAP_AttrMobilePhone4=mobile
LDAP_AttrPagerPhone4=pager
LDAP_AttrCustom4=group,primaryGroupID;allowDial,msNPAllowDialin;mark,department
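The parameter block above is typed into the administration form one parameter at a time, so a small consistency check before adding a server saves a round of failed logins. The following is an added example, not AlgoSec code: it reads a block of LDAP_*N lines for one server number, strips the suffix, and checks the values against the LDAP parameters table (mandatory parameters, the ldaps/starttls and yes/no value sets, the bind types, and the User DN and Password that the form shows only for Regular bind). The sample block is a trimmed copy of the page's server 4 example with a placeholder password; treating LDAP_Certificate as a bare file name and requiring User DN and Password for Regular bind are assumptions drawn from the tables, not rules stated on the page.

```python
import re

# Value sets taken from the LDAP parameters table; matching is case-insensitive
# because the forest example above writes "LDAPS" in upper case.
SECURED_METHODS = {"ldaps", "starttls"}
YES_NO = {"yes", "no"}
BIND_TYPES = {"simple", "regular", "anonymous"}
MANDATORY = ("LDAP_Timeout", "Ldap_Secured_Authentication_Method",
             "LDAP_VerifyCert", "LDAP_Certificate")

# Constructed sample: a trimmed copy of the page's "LDAP server 4" example
# with a placeholder in place of the stored password value.
FOREST_SERVER_4 = """
LDAP_Port4=349
LDAP_Timeout4=120
Ldap_Secured_Authentication_Method4=LDAPS
LDAP_Server4=192.164.2.43
LDAP_VerifyCert4=no
LDAP_Certificate4=Algosec_CA.pem
LDAP_Username4=CN=Bob,OU=Algosec,DC=algosec,DC=local
LDAP_Password4=placeholder-not-a-real-secret
LDAP_Bind_Type4=Regular
LDAP_BaseDN4=dc=algosec,dc=local
LDAP_NameAttr4=sAMAccountName
LDAP_AttrAddress14=streetAddress
"""


def parse_server_params(text, number):
    """Return {parameter: value} for LDAP server `number`.

    The suffix is stripped using the known server number, so that
    LDAP_AttrAddress14 is read as LDAP_AttrAddress1 of server 4 rather
    than LDAP_AttrAddress of server 14.
    """
    suffix = str(number)
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")   # first "=" only: DNs contain "="
        key = key.strip()
        if not key.endswith(suffix):
            raise ValueError(f"{key}: expected the server suffix {suffix}")
        params[key[:-len(suffix)]] = value.strip()
    return params


def check_server_params(params):
    """Return the list of problems found; empty when the block is consistent
    with the parameter table. Warnings about weak settings are included."""
    problems = []
    for name in MANDATORY:
        if not params.get(name):
            problems.append(f"{name} is mandatory but missing or empty")
    timeout = params.get("LDAP_Timeout", "")
    if timeout and not timeout.isdigit():
        problems.append("LDAP_Timeout must be a whole number of seconds")
    method = params.get("Ldap_Secured_Authentication_Method", "").lower()
    if method and method not in SECURED_METHODS:
        problems.append("Ldap_Secured_Authentication_Method must be ldaps or starttls")
    verify = params.get("LDAP_VerifyCert", "").lower()
    if verify and verify not in YES_NO:
        problems.append("LDAP_VerifyCert must be yes or no")
    elif verify == "no":
        # With verification off, the server certificate is never compared
        # with the CA file named in LDAP_Certificate.
        problems.append("warning: LDAP_VerifyCert=no, so the LDAP server's "
                        "certificate is not checked against LDAP_Certificate")
    cert = params.get("LDAP_Certificate", "")
    if "/" in cert:
        # Assumption: the table says the file lives under
        # /home/afa/.fa/ca_certs, so a bare file name is expected here.
        problems.append("LDAP_Certificate should be a bare file name stored "
                        "under /home/afa/.fa/ca_certs")
    bind = params.get("LDAP_Bind_Type", "").lower()
    if bind and bind not in BIND_TYPES:
        problems.append("LDAP_Bind_Type must be Simple, Regular or Anonymous")
    if bind == "regular":
        # The GUI table shows User DN and Password only for Regular bind, so
        # they are treated as required for that bind type (an inference).
        for name in ("LDAP_Username", "LDAP_Password"):
            if not params.get(name):
                problems.append(f"{name} is required for Regular bind")
    return problems


if __name__ == "__main__":
    for problem in check_server_params(parse_server_params(FOREST_SERVER_4, 4)):
        print(problem)
```

Run against the sample, the only finding is the LDAP_VerifyCert=no warning; the page's own example also disables certificate verification while using LDAPS, which is the setting a reviewer would want flagged before a production forest is built.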
1. In the AFA or FireFlow Login page, type the following in the Username field:
LdapDomain\userName
Where:
• LdapDomain is the domain name of the LDAP server on which they are defined.
For example, if Bob is defined on an LDAP server whose domain name is Ldomain4,
then he must type "Ldomain4\Bob" in the Username field.
3. Click Login.
Note: The backup servers will not be consulted, in the event that AFA/FireFlow did
not locate the user in the specified LDAP domain.
Tip: AFA users and roles provide the basis for authentication across both AFA and
FireFlow. If you are an AFA administrator, but not a FireFlow administrator, you can
also access FireFlow role and user management via the AFA Administration area.
Tip: Alternately, manage users via an authentication server or SSO, or import users
via a CSV file. For details, see Configure user authentication or Import users via
CSV.
Do the following:
1. Click your username at the top-right to access the AFA Administration area.
2. Click the USERS/ROLES tab to display the user and role tables. For example:
3. To add a new user, click the New button below the user table. To edit an existing
user, click the edit button at the right side of the row you want to edit.
In the user form that appears, select and enter values as needed:
User details

Landing Page:
  Select Firewall Analyzer or FireFlow. Select Automatic to use the default landing page for the selected role.
  For more details, see Default landing pages per role.
Password:
Confirm password:
  Re-enter the password you entered in the New password field.

General Permissions

Enable Analysis from file:
  Allow the user to perform analyses from configuration files.
Enable Trusted Traffic -> global:
  Allow the user to view trusted traffic.
Roles
Select the user roles to assign to the user. The user is automatically granted
permissions specified in the assigned roles.
Tip: If you assign additional permissions to this user, the user will have both the
permissions inherited from their roles, as well as additional permissions assigned
to the user.
Email Notifications

Define the scenarios in which this user receives notifications from AFA:

Every group report:
  The user is notified for each group report generated.
Rules and VPN Users about to expire:
  The user is notified when device rules and/or VPN users are about to expire.
  Tip: To configure the number of days before rule or VPN user expiration that AFA should send a notification, complete the Days before expiration alerts field in the General sub-tab of the Options tab in the Administration area. For details, see Define AFA preferences.
Error messages:
  The user receives error messages from AFA, such as for low disk space and license expiration.
  This option is relevant for administrators only.
Changes in customization:
  The user is notified for each customization change detected, such as for topology, trusted traffic, and risk profile customizations.
  This option is relevant for administrators only.
Hide change details:
  User notification emails include only device names and a link to the AFA.
  Specific details about new reports and change alerts are omitted from emails to this user.

Report:
  Select the report pages/information that the user can view. Select Full Report to indicate that the user can view all report information.
  Pages that are not selected will be inaccessible to the user.
Home Views:
  Select the Home page elements that the user can view. Select All Home Views to indicate that the user can view all Home page elements.
  Pages that are not selected will be inaccessible to the user.
Reporting Tool:
  Select this option to allow the user to access the AlgoSec Reporting Tool (ART).
Actions:
  Select the actions that the user can perform in AFA. Select All Actions to indicate that the user can perform all actions.
  Controls used to perform actions that are not selected will be disabled.
Authorized Devices
a. Select a default permission profile to determine the permission level for the
selected devices.
b. Click Select devices.... to select the devices you want to apply the selected
permission level on.
c. Select the checkboxes next to each relevant device and click OK.
For example:
• Select a different option from the Permission profile dropdown to change the profile for a specific device.
• Landing pages configured for specific users override any configuration for a user's role.
• Users with multiple roles, with different landing pages for each role, will see the landing page with the highest priority.
  Landing pages are prioritized for FireFlow first, and then AFA.
If no landing page is defined for the user, or any of the user's roles, landing pages are
defined as follows:
Tip: If you have an LDAP server configured, associate AFA user roles with specific
LDAP user groups to have each user in the group automatically inherit the AFA role.
Do the following:
1. Click your username at the top-right to access the AFA Administration area.
2. Click the USERS/ROLES tab to display the user and role tables. For example:
3. To add a new role, click the New button under the role table. To edit an existing role,
click the edit button in the row for the role you want to edit.
In the user form that appears, select and enter values as needed:
Role details

Role LDAP DN:
  Enter the DN of the LDAP group that corresponds to this role. When users who are members of this LDAP group log in, they will automatically be granted this role.
  For example: cn=network_users,ou=organization,o=mycompany,c=us

General Permissions

FireFlow Administrator - Allow FireFlow Advanced Configuration:
  Make all users with this role FireFlow configuration administrators. This enables these users to perform advanced configuration tasks in FireFlow.
Enable Analysis from file:
  Allow all users with this role to perform analyses from configuration files.
Enable Trusted Traffic -> global:
  Allow all users with this role to view and edit trusted traffic settings.

Report:
  Select the report pages that users with this role can view.
  • Select Full Report to indicate that users with this role can view all report pages.
  • Pages that are not selected will be inaccessible to users with this role.
Home Views:
  Select the Home page elements that users with this role can view.
  • Select All Home Views to indicate that users with this role can view all Home page elements.
  • Pages that are not selected will be inaccessible to users with this role.
Actions:
  Select the actions that users with this role can perform in AFA.
  • Select All Actions to indicate that users with this role can perform all actions.
  • Controls used to perform actions that are not selected will be disabled.
Authorized Devices
Select the default device access provided to all users with this role. Do the following:
a. Select a default permission profile to determine the permission level for the
selected devices.
b. Click Select devices.... to select the devices you want to apply the selected
permission level on.
c. Select the checkboxes next to each relevant device and click OK.
For example:
• Select a different option from the Permission profile dropdown to change the profile for a specific device.
Tip: Alternately, manage users via an authentication server or SSO. For details, see
Configure user authentication.
Do the following:
1. Click your username at the top-right to access the AFA Administration area.
2. Click the USERS/ROLES tab to display the user and role tables. For example:
3. Select the check box next to the user or role you want to delete, and click Delete.
• @ (at symbol)
• _ (underscore)
• . (period)
• - (hyphen)
• / (forward slash)
ASMS passwords can contain any alphanumeric character or any special character, except for back-ticks (`).
Use the following regular expressions to confirm that your usernames and passwords meet ASMS requirements:
Password: ^[a-zA-Z0-9\x20-\x5F\x7B-\x7E]*$
For a list of supported headers, refer to the following table. The headers must be
separated by commas.
3. For each user you want to import, type a new line containing values that correspond
to the column headers.
Refer to the following table for information about each header's possible values. The
values must be separated by commas. If no value is specified, the default is used.
For example:
username,password,fullname,email,note,policy_change,administrator,authentication_type,default_fw_profile,firewalls
JohnS,JohnSPass,John Smith,[email protected],customersupport,yes,yes,,readonly,(ECZ_ASA1;yes;Standard)(ISG1000_root:trust-vr;yes;Standard)
JaneB,,Jane Brown,[email protected],sales,no,no,ldap
firewalls:
  A list of devices for which the user should be granted permissions.
  Each device in the list must be in the following format:
  (deviceName;notify;permissionProfile)
  where:
  • deviceName is the device's name
  • notify indicates whether the user should receive notifications about the device (yes/no)
  • permissionProfile is the user's access level to the device (readonly/none/standard)
  Multiple devices should not be separated by anything. For example:
  (device)(device)(device)...
Do the following:
1. Open a terminal and log in using the username "afa" and the related password.
import_users -f CSVFile
The import_users script runs and imports users from the file into both AFA and
FireFlow.
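Because import_users creates accounts in both AFA and FireFlow, a file that fails the username or password rules above, or carries a malformed firewalls column, is worth catching before the script runs. The following is an added example, not the import_users script or any AlgoSec code: it parses an import CSV, applies the page's password expression, checks usernames against the character list given above (the username pattern is an assumption built from that list, since the page's own username expression is not reproduced here), and splits the concatenated (deviceName;notify;permissionProfile) entries. The sample file is constructed from the page's two example users with placeholder e-mail addresses.

```python
import csv
import io
import re

# Password rule from the page; the username pattern is an assumption built from
# the characters the page lists (letters, digits, @ _ . - /).
PASSWORD_RE = re.compile(r"^[a-zA-Z0-9\x20-\x5F\x7B-\x7E]*$")
USERNAME_RE = re.compile(r"^[a-zA-Z0-9@_.\-/]+$")

# Supported column headers, in the order the page's example uses them.
HEADERS = ["username", "password", "fullname", "email", "note", "policy_change",
           "administrator", "authentication_type", "default_fw_profile", "firewalls"]

# One entry of the firewalls column: (deviceName;notify;permissionProfile).
# Entries are concatenated with nothing between them.
DEVICE_RE = re.compile(r"\(([^;()]+);(yes|no);([A-Za-z]+)\)")
PROFILES = {"readonly", "none", "standard"}

# Constructed sample: the page's two users with placeholder e-mail addresses.
SAMPLE_CSV = """\
username,password,fullname,email,note,policy_change,administrator,authentication_type,default_fw_profile,firewalls
JohnS,JohnSPass,John Smith,john.smith@example.com,customersupport,yes,yes,,readonly,(ECZ_ASA1;yes;Standard)(ISG1000_root:trust-vr;yes;Standard)
JaneB,,Jane Brown,jane.brown@example.com,sales,no,no,ldap
"""


def parse_firewalls(field):
    """Split '(dev;yes;Standard)(dev2;no;readonly)' into a list of dicts."""
    devices = []
    pos = 0
    while pos < len(field):
        match = DEVICE_RE.match(field, pos)
        if not match:
            raise ValueError(f"malformed device entry at {field[pos:]!r}")
        name, notify, profile = match.groups()
        if profile.lower() not in PROFILES:
            raise ValueError(f"{name}: unknown permission profile {profile!r}")
        devices.append({"device": name, "notify": notify == "yes",
                        "profile": profile.lower()})
        pos = match.end()
    return devices


def validate_import_csv(text):
    """Parse an import_users CSV; return (rows, problems)."""
    reader = csv.DictReader(io.StringIO(text))
    problems, rows = [], []
    unknown = [h for h in (reader.fieldnames or []) if h not in HEADERS]
    if unknown:
        problems.append(f"unsupported headers: {unknown}")
    for lineno, row in enumerate(reader, start=2):
        user = row.get("username") or ""
        if not USERNAME_RE.fullmatch(user):
            problems.append(f"line {lineno}: username {user!r} uses a "
                            "character outside the allowed set")
        password = row.get("password") or ""   # empty is allowed (e.g. ldap users)
        if not PASSWORD_RE.fullmatch(password):
            problems.append(f"line {lineno}: password for {user!r} contains a "
                            "disallowed character such as a back-tick")
        try:
            devices = parse_firewalls(row.get("firewalls") or "")
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
            devices = []
        rows.append({"username": user,
                     "auth": row.get("authentication_type") or "",
                     "firewalls": devices})
    return rows, problems


if __name__ == "__main__":
    parsed, found = validate_import_csv(SAMPLE_CSV)
    for row in parsed:
        print(row["username"], row["auth"] or "local", row["firewalls"])
    for problem in found:
        print("problem:", problem)
```

Rows shorter than the header (JaneB has no default_fw_profile or firewalls column) are accepted, matching the page's note that a missing value takes the default; only a present but malformed value is reported.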
Flag Description
• Create custom risk profiles with built-in and custom risk items. For details, see:
• Define new zone types, in addition to the predefined Internal, External, and DMZ. For details, see Customize zone types.
• Add new host group definitions. For details, see Customize hostgroups.
• Customize the security rating and the way security rating information is displayed. For details, see Configure security ratings.
By default, AFA uses a Standard Risk Profile for all devices, which includes a set of
standard risk items. Each risk item represents an XQL query that AFA performs on
simulation results to detect risks.
Create custom risk profiles as needed, including different combinations of risk items,
changing severity levels of each risk item, or creating custom risk items. Custom risk
items enable you to define complex risks by composing your own XQL queries.
Note: After making changes to risk profiles, you must run a new analysis before
seeing any changes in AFA reports.
Do the following:
1. Access the AFA Administration area. Click your username in the toolbar and
select Administration.
2. Click the Compliance > Risk Profiles tab, displaying the Standard risk profile with
risk items displayed in a grid below.
From / To:
  The source and destination zone of connections specified by the risk item.
3. To load a different risk profile, select it from the Select risk profile dropdown menu
above the grid. The page is updated with the selected risk profile.
Do the following:
1. Access the Risk Profiles tab in the AFA Administration area. For details, see View
a risk profile.
2. Click + Create new risk profile, and enter a name for your new profile.
3. Customize your risk items as needed. For details, see Customize risk items.
Your new risk profile is ready to use in your next AFA analysis.
Do the following:
1. View the specific risk profile you want to start with in the Risk Profiles tab in the
AFA Administration area. For details, see View a risk profile.
2. Customize your risk items as needed for your new profile. In the Risk profile notes
field, enter a description for your new risk profile.
3. Click Save As, and enter a new name for your new profile.
Your new risk profile is ready to use in your next AFA analysis.
Tip: While the Standard risk profile is read-only, you can use it as the basis for a
custom profile. Then, you can define your custom profile as the default risk profile for
all future reports. For details, see Set a default risk profile.
Use the template provided in the AFA Administration area to create this spreadsheet.
Do the following:
1. Open the Risk Profiles tab in the AFA Administration area. For details, see View
a risk profile.
2. Click Import from spreadsheet. In the Import risk profile dialog, Download
sample spreadsheet.
3. Save the file locally using a meaningful name, and populate it with details about
the traffic you want to allow or define as risky. For details, see Spreadsheet
requirements.
4. When your spreadsheet is ready, return to the Import risk profile dialog, and click
Choose File. Browse to and select the file you edited, and then click OK to upload
the file.
AFA generates your new risk profile, defining any traffic that is not specified in
your uploaded file as a risk.
AFA optimizes your risks, and combines similar items to create the fewest number
of new risk items possible.
5. Click Save as to save your new Risk Profile. Enter a meaningful name, and click
OK.
Your new risk profile is ready to use in your next AFA analysis.
Note: When you upload a spreadsheet, AFA optimizes risk creation by combining
traffic flows when possible. This may result in individual risks with wide definitions.
In such cases risk descriptions specify the traffic or server that triggered the risk to
help you understand why the risk was triggered.
Spreadsheet requirements
The spreadsheet uploaded to AFA to generate a custom risk profile must include the
following sheets:
• Traffic. Defines the traffic you want to mark as allowed or risky by the generated risk profile.
• Comments are supported in all sheets, only outside the data table, title rows or columns. Add # before the comment text.
For more details, see Populate the Traffic sheet and Populate the Networks and
Services sheets.
You must populate every cell in the Traffic sheet data table, as follows:
Source / destinations:
  List source network objects in the left column, and destination network objects across the top row.
  Destinations do not need to be the same as the sources, but must be network objects defined in the Networks tab, or the predefined Other object.
  The Other object includes all IP addresses that are not included in network objects listed on the Networks tab, and generally includes the public internet.
Service objects:
  Each cell that intersects a source and destination must contain one or more service objects, as follows:
  • To define safe traffic, enter the name of a safe service object.
  • To define risky traffic, enter the name of a risky service object using the following syntax: not( service_object ) or !service_object
  • To define multiple service objects in a single cell, enter each object name on a new line in the cell (ALT+ENTER).
  Service object values must either be listed on the Services tab, or be one of the following predefined services:
  • Any. All services.
  • None. No services.
Tip: Optionally, specify risk severity levels for risk traffic associated with a specific source or destination. For details, see Specify risk severity in your spreadsheet.
Object content:
  List object content in the same row as the object's name.
  Assign multiple values to each object as needed, by specifying multiple values across the row, each value in its own cell.
Object names:
  Object names support lowercase and uppercase letters, digits, and underscores (_).
By default, all risks generated by uploading a spreadsheet are given a Medium severity.
To customize this, specify severity levels in the Traffic sheet for risks associated with
specific traffic, sources, or destinations.
Do the following:
In the Traffic sheet, add the following characters to your cells to indicate severity levels:
• H = High
• S = Suspected high
• M = Medium
• L = Low

Specify severity for all traffic from a specific source:
  Indicate the severity level with the network object in the left column.
Specify severity for all traffic to a specific destination:
  Indicate the severity level with the network object in the header row.
Specify severity for all traffic from a specific source and to a specific destination:
  Indicate the severity level with the service object in the intersecting cell. In such cases:
  • By default, the generated risk will be relevant to all traffic between the servers, via services other than those included in the service object.
  • If you specify severity for a risky service object, the generated risk will be relevant to all traffic between the servers via the specified service object.
Note: If a severity is specified for either the traffic, or for a specific source or
destination, AFA assigns the specified severity to that risk.
If different severities are assigned to the source and destination, AFA uses the higher
severity when generating the risk.
The following table shows an example of a Traffic sheet with severities indicated (header row only):

To
From | Net1 | Net2 | Net3 | PartnerNet | PCIzone;S | Other

In this example, AFA will use the data in the highlighted cell to generate risks with the following severities:

Medium: Traffic from PCIzone to Net1, via any services other than those defined in forbiddenSvc or SecureSrvs

Note that although the risk specified for all traffic from PCIzone is Suspected high, no traffic from PCIzone to Net1 is specified as Suspected high, as the severities associated with each service object take precedence.
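The precedence rules above (a severity on the service object wins, otherwise the higher of the source and destination severities, otherwise Medium) are easy to get wrong when a sheet mixes safe and risky service objects in the same cell. The following is an added example, not AlgoSec's import logic: it reads a small constructed Traffic sheet, splits the name;severity suffix used in the headers and cells, recognises the not( svc ) and !svc forms, and lists the risk each cell implies together with its resolved severity. The sample's first row reproduces the page's PCIzone to Net1 case; the ranking of Suspected high below High and above Medium is an assumption.

```python
import re

# Severity codes as listed above. The ranking is an assumption used where the
# page says "the higher severity" wins when source and destination disagree.
SEVERITY_NAMES = {"H": "High", "S": "Suspected high", "M": "Medium", "L": "Low"}
SEVERITY_RANK = {"H": 3, "S": 2, "M": 1, "L": 0}

# Risky-service syntax from the Service objects row: not( svc ) or !svc
RISKY_RE = re.compile(r"^(?:not\(\s*(\w+)\s*\)|!\s*(\w+))$")

# Constructed sample sheet: row 0 is the header row (destinations), later rows
# start with the source object. A cell with several service objects holds them
# on separate lines, which is what ALT+ENTER produces in the spreadsheet.
SAMPLE_SHEET = [
    ["",             "Net1",                       "PCIzone;S"],
    ["PCIzone;S",    "forbiddenSvc;M\nSecureSrvs", "Any"],
    ["Net2",         "!telnet;H",                  "not( ssh )"],
    ["PartnerNet;L", "None",                       "!ftp"],
]


def split_severity(token):
    """'PCIzone;S' -> ('PCIzone', 'S'); 'Net1' -> ('Net1', None)."""
    name, _, sev = token.strip().partition(";")
    sev = sev.strip().upper() or None
    if sev and sev not in SEVERITY_NAMES:
        raise ValueError(f"unknown severity code {sev!r} in {token!r}")
    return name.strip(), sev


def parse_cell(cell):
    """Return (safe, risky): lists of (service_name, severity_or_None)."""
    safe, risky = [], []
    for line in cell.splitlines():
        if not line.strip():
            continue
        token, sev = split_severity(line)
        match = RISKY_RE.match(token)
        if match:
            risky.append((match.group(1) or match.group(2), sev))
        else:
            safe.append((token, sev))
    return safe, risky


def resolve_severity(cell_sev, src_sev, dst_sev):
    """Cell severity wins; otherwise the higher of source and destination;
    otherwise the Medium default."""
    if cell_sev:
        return cell_sev
    given = [s for s in (src_sev, dst_sev) if s]
    if given:
        return max(given, key=SEVERITY_RANK.__getitem__)
    return "M"


def generate_risks(sheet):
    """Turn a Traffic sheet into the list of risks it implies."""
    destinations = [split_severity(h) for h in sheet[0][1:]]
    risks = []
    for row in sheet[1:]:
        src, src_sev = split_severity(row[0])
        for (dst, dst_sev), cell in zip(destinations, row[1:]):
            safe, risky = parse_cell(cell)
            for svc, sev in risky:
                # A risky service object: the risk covers traffic via that service.
                risks.append({"from": src, "to": dst, "via": svc,
                              "severity": SEVERITY_NAMES[resolve_severity(sev, src_sev, dst_sev)]})
            safe_names = [name for name, _ in safe]
            if safe_names and "Any" not in safe_names:
                # Safe services produce one "everything else" risk; a severity
                # written on a safe service applies to that risk. "None" allows
                # no service, so every service is covered.
                sev = next((s for _, s in safe if s), None)
                allowed = [name for name in safe_names if name != "None"]
                via = ("services other than " + ", ".join(allowed)) if allowed else "any service"
                risks.append({"from": src, "to": dst, "via": via,
                              "severity": SEVERITY_NAMES[resolve_severity(sev, src_sev, dst_sev)]})
    return risks


if __name__ == "__main__":
    for risk in generate_risks(SAMPLE_SHEET):
        print(f"{risk['severity']:<15} {risk['from']} -> {risk['to']} via {risk['via']}")
```

The PCIzone row shows the precedence the page describes: the source carries S, but the cell's forbiddenSvc;M entry yields a Medium risk for all other services, while the Any cell yields no risk at all.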
Do the following:
1. View the specific risk profile you want to delete in the Risk Profiles tab in the AFA
Administration area. For details, see View a risk profile.
Do the following:
1. Access the AFA Administration area. Click your username in the toolbar and
select Administration.
3. In the Default risk profile dropdown, select the risk profile you want to set as
default, and click OK.
For example:
AFA uses the selected risk profile by default when running an analysis.
Do the following:
1. View the Risk Profile with the risk items you want to edit. For details, see View a
risk profile.
Edit an existing risk item:
  Select the risk in the grid, and click Edit. The risk item is opened for editing. Make your changes as needed, and then click OK.
Create a new risk item:
  Click New, and then select one of the following options:
  • Basic risk. Create a basic risk.
  • Risk with destination threshold. Create a risk item with a specific destination threshold.
  • Risk with source threshold. Create a risk with a specific source threshold.
  • Risk with specific IP addresses. Create a risk with specific IP addresses, an IP address range, or a subnet.
  • PCI risk. Create a risk that refers to PCI zones.
3. Populate the fields as needed for your risk item type. For details, see:
• Code. An automatically assigned code for this risk item. For example, user-defined items have a code that starts with U.
Name / Description

From zone / To Zone:
  Relevant for basic risks and risks with source or destination thresholds.
  Select the zone types that represent where the traffic you want to analyze is coming from and going to.
Trust VPN IP addresses:
  Relevant for basic risks and risks with source or destination thresholds.
  Select to determine that VPN traffic be excluded from this risk item, and not shown in the AFA report.
  Default = Enabled
Tip: Click Auto Fill to load pre-defined values from a template into the Risk details area below, based on the values you've selected. Any existing values are overwritten.
Description:
  Enter a general description of the risk, using terms that are not tied to any particular device.
  This text appears in Group reports whenever a device in the group has triggered this risk item.
Suppressed by:
  Enter the codes of other risk items that should prevent the current risk item from appearing in AFA reports, or click Select to select them from a list.
Suppression in AFA
For example, you may want to do this when you have a more general risk that also
includes the specific risk.
The following sample device, rule, and risk configuration illustrates this concept:
If no suppression is configured:
... and the risk profile for the device includes the following risks:
The RISKS report for your device might include the following risk and rule details:
If suppression is configured:
In this report, Risk D02 does not appear at all. This is because:
• The number of rules triggering D02 = The number of rules triggering D01.
Also in this report, D03 is shown because suppression is not in effect. This is because:
• The number of rules triggering risk D02 ≠ The number of rules triggering risk D03.
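The two report outcomes above reduce to one rule: a risk item is hidden when a risk listed in its Suppressed by field is triggered by the same number of rules, and shown otherwise. The following is an added example, not AFA's report code, that applies that rule to a constructed set of risk codes and triggering rules mirroring the D01/D02/D03 case; it compares rule counts, as the page states, rather than the rule sets themselves.

```python
# Constructed sample mirroring the D01/D02/D03 discussion above: D02 is
# suppressed by D01 and D03 is suppressed by D02.
SAMPLE_TRIGGERS = {
    "D01": {"rule_10", "rule_12"},
    "D02": {"rule_10", "rule_12"},
    "D03": {"rule_17"},
}
SAMPLE_SUPPRESSED_BY = {"D02": ["D01"], "D03": ["D02"]}


def visible_risks(triggering_rules, suppressed_by):
    """Apply the Suppressed by setting to one device's risk results.

    triggering_rules: {risk_code: set of rule names that trigger it}
    suppressed_by:    {risk_code: [codes of risks that may suppress it]}

    A risk is hidden when one of its suppressors is triggered by the same
    number of rules (D02 hidden because its count equals D01's; D03 shown
    because its count differs from D02's). Returns {code: sorted rules}
    for the risks that stay in the report.
    """
    shown = {}
    for code, rules in triggering_rules.items():
        if not rules:
            continue  # a risk no rule triggers is not reported anyway
        active = [s for s in suppressed_by.get(code, [])
                  if len(triggering_rules.get(s, ())) == len(rules)]
        if not active:
            shown[code] = sorted(rules)
    return shown


if __name__ == "__main__":
    for code, rules in visible_risks(SAMPLE_TRIGGERS, SAMPLE_SUPPRESSED_BY).items():
        print(code, "triggered by", ", ".join(rules))
```

Because the comparison is on counts, a more general risk that happens to match the same number of rules as a narrower one will hide it even when the rule sets differ; keeping the suppressing risk strictly more general, as the page recommends, avoids that surprise.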
Warning: Do not delete risks with a prefix of unnamed or AlgoSec. Deleting these
items may damage a risk profile.
Tip: While Standard risk items cannot be deleted, they can be disabled. For details,
see Disable a risk item.
Do the following:
1. View the risk profile with the risk item you want to delete. For details, see View a
risk profile.
2. In the grid, select the risk item you want to delete, and click Delete.
3. Click OK to confirm.
The risk item is deleted, and will no longer be included in future AFA reports.
Warning: Do not disable any risks with a prefix of unnamed or AlgoSec. Disabling
these items may damage a risk profile.
Do the following:
1. View the risk profile with the risk item you want to disable. For details, see View a
risk profile.
2. In the grid, select the risk item you want to disable, and click Edit.
The risk item is disabled, and will not be included in future AFA reports.
If desired, you can define additional zone types. Configuring user-defined zone types
enables you to tailor risk profiles to your exact network topology. Each user-defined
zone type is based on one of AFA's built-in zone types.
External:
  Color: Red
  Represents network zones that are directly connected to the Internet.
  The "Outside" zone is assigned to this zone type.
Internal:
  Color: Blue
  Represents network zones that are not connected to the Internet.
  The "Inside" zone is assigned to this zone type.
2. Select Administration.
4. Click .
• To edit an existing zone type, select the desired zone type and click Edit.
The Add New Zone Type or Edit Zone Type dialog box appears.
Note: You cannot edit the built-in zone types (EXTERNAL, INTERNAL, or DMZ).
7. Click OK.
Like:
  Select an existing zone type from which this zone type should inherit its settings. You can then override the inherited settings as desired.
  This field is read-only when editing a zone.
Automatically create standard risks for the new zone type:
  Select this option to automatically use the Standard Risk Profile for the zone.
  This field appears only when adding a new zone.
Note: You cannot delete the built-in zone types (EXTERNAL, INTERNAL, or DMZ).
Do the following:
2. Select Administration.
4. Click .
6. Click OK.
Customize hostgroups
You can define hostgroups to use when performing tasks such as running traffic
simulation queries and/or configuring the trusted traffic you want to view.
2. Select Administration.
4. Click .
- To edit an existing host group, select the check box next to the desired host group and then click Edit.
7. In the IP Addresses field, type the IP address or IP address range that the host group
represents.
8. Click OK.
Delete hostgroups
Do the following:
2. Select Administration.
4. Click .
5. Select the check box next to the desired host group and then click Delete.
6. Click OK.
Customize services
You can define service groups that contain one or more services to use when
performing tasks such as running traffic simulation queries and/or configuring the trusted
traffic you want to view.
Do the following:
2. Select Administration.
4. Click .
- To edit an existing service, select the service and then click Edit.
The New Service Group / Edit Service Group dialog box appears.
6. In the Service group name field, type the service group's name.
If this is not the first service to be added to the group, click New Member.
8. To remove a service from the group, select the service in the Service group
members list box, then click Remove.
9. Click Save.
2. Select Administration.
4. Click .
6. Click OK.
7. Click Close.
Do the following:
2. Select Administration.
7. Click OK.
Note: This setting will only take effect in future reports that you generate.
Note: It is possible for a device with more risks to have a higher security rating than a
device with fewer risks.
The Security Rating is calculated as the ratio of the number of risks detected vs. the
number of risks searched for, and the total number of risks searched for differs per
device.
If a device has multiple interfaces and some are configured as Internal, some as
External, and some as DMZ, more risks will be searched for than on a device with
only an Internal and External interface. Also, some risks are defined only for specific
device vendors.
where:
T1: The maximum number of High risks possible for the device. This is determined by the device's brand and topology.
T2: The maximum number of Suspected High risks possible for the device. This is determined by the device's brand and topology.
T3: The maximum number of Medium risks possible for the device. This is determined by the device's brand and topology.
T4: The maximum number of Low risks possible for the device. This is determined by the device's brand and topology.
ASMS, therefore, cannot determine the security rating for a group of devices as a simple
average of the security ratings of the group's members. Instead, ASMS looks at all
possible risk items as a "whole", and deducts one "point" for every risk item flagged on
at least one group member.
This approach may lead to scenarios where the security rating of a group is even lower
than that of each group member.
In this case, the security rating of each device will be 99, because 99 of the 100 possible risk items are not flagged.
If the same risk item is flagged on all 100 devices: the group security rating will also be 99, since 99 of the 100 possible risk items are still not flagged.
If each device is flagged for a different risk item: the group security rating will be 0, because 100 out of 100 possible risk items are flagged for at least one group member.
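As an added illustration (not AlgoSec's code) of the group rating rule just described, the following Python computes device and group ratings for the two scenarios above, under the simplifying assumption that every device is searched for the same 100 risk items and that a rating is the percentage of those items not flagged (the per-severity maximums T1..T4 are not modelled):

```python
# Added example, not AlgoSec's code: device vs. group security rating under the
# "one point per risk item flagged on at least one member" rule described above.
# Simplifying assumptions (constructed): every device is searched for the same
# 100 risk items, and a rating is the percentage of those items NOT flagged;
# the per-severity maximums T1..T4 listed above are not modelled.

POSSIBLE_RISK_ITEMS = [f"R{i:03d}" for i in range(100)]   # constructed risk item IDs

def device_rating(flagged, possible=POSSIBLE_RISK_ITEMS):
    """Rating of one device: points for every possible risk item that is not flagged."""
    hits = set(flagged) & set(possible)
    return round(100 * (len(possible) - len(hits)) / len(possible))

def group_rating(flagged_by_device, possible=POSSIBLE_RISK_ITEMS):
    """Rating of a group: a point is lost for each item flagged on ANY member."""
    union = set().union(*flagged_by_device.values()) & set(possible)
    return round(100 * (len(possible) - len(union)) / len(possible))

def average_member_rating(flagged_by_device, possible=POSSIBLE_RISK_ITEMS):
    """The simple average that ASMS does NOT use, kept here for comparison."""
    ratings = [device_rating(f, possible) for f in flagged_by_device.values()]
    return round(sum(ratings) / len(ratings)) if ratings else 100

# Scenario from the table above: the same risk item flagged on all 100 devices.
SAME_ITEM_EVERYWHERE = {f"fw{i:03d}": {"R000"} for i in range(100)}
# Scenario from the table above: each device flagged for a different risk item.
DIFFERENT_ITEM_EACH = {f"fw{i:03d}": {f"R{i:03d}"} for i in range(100)}

if __name__ == "__main__":
    for name, group in (("same item", SAME_ITEM_EVERYWHERE), ("different items", DIFFERENT_ITEM_EACH)):
        print(f"{name}: member average {average_member_rating(group)}, group {group_rating(group)}")
```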
Do the following:
2. Select Administration.
4. Click .
Days in Trend Graph: Type the number of days to include in the Security Rating Trend graph in the Risks page of reports. The default value is 180 days.
Low Breakpoint: Type a number representing the point on the security ratings bar where the bar should change from red to yellow, if the leftmost end of the bar is 0 and the rightmost end is 100. The default value is 50.
High Breakpoint: Type a number representing the point on the security ratings bar where the bar should change from yellow to green, if the leftmost end of the bar is 0 and the rightmost end is 100. The default value is 85.
6. Click OK.
You can customize the Regulatory Compliance page in the following ways:
To add or remove reports in the CLI or to create a custom regulatory compliance report, see Customize regulatory compliance report.
2. Select Administration.
8. Click Save.
Note: When upgrading AFA, any newly supported reports are automatically enabled.
Standard / Description (US Centric, Europe Centric, Global)
PCI DSS 3.0: The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.
You can optionally indicate which servers are in your PCI zone. Specifying these servers enables AFA and AppViz to provide you with more specific security information for PCI applications. See Configure the PCI zone.
Standard / Description (Australia Centric, Japan Centric, Singapore Centric)
This variable... Represents...
X1: The total number of requirements in the compliance report for which the device policy is compliant. Each of these requirements has a status of .
X3: The total number of requirements in the compliance report for which the device policy is not compliant. Each of these requirements has a status of .
You can customize the compliance score value by changing the value of the "W"
variable.
Do the following:
2. Select Administration.
4. Click Add.
6. In the Value field, type the value you wish to assign to the "W" variable.
7. Click OK.
8. Click OK.
By default, a bad score is 55% and below (red), a moderate score is between 55% and
70% (yellow), and a good score is 70% and above (green).
Do the following:
2. Select Administration.
a. Click Add.
c. In the Value field, type the maximum value for a bad score.
For example, if you want a score of 60% and below to be a bad score, type 60.
d. Click OK.
a. Click Add.
c. In the Value field, type the minimum value for a good score.
For example, if you want a score of 80% and above to be a good score, type
80.
d. Click OK.
6. Click OK.
AFA can only show the vulnerability of PCI applications in the PCI report when
AppViz is integrated with a vulnerability scanner. When using AppViz without a
vulnerability scanner, AppViz will still tag the network objects and applications that
intersect the PCI zone with the PCI label.
Do the following:
2. Select Administration.
6. In the Regulatory Compliance area, in the PCI zone field, type an IP address, range,
or CIDR.
7. To add another entry, click , and type the additional value in the field.
9. In the Vulnerability level threshold field, select the threshold for acceptable
vulnerability in the drop-down menu.
Applications with the selected vulnerability level (or lower) will be considered
vulnerable in PCI reports. For example, selecting Medium will cause applications with
medium or low security scores to be considered vulnerable.
Note: Specifying the vulnerability level threshold is only relevant when AppViz is
integrated with a vulnerability scanner.
AFA includes a set of built-in baseline configuration compliance profiles suitable for all
device brands which appear as options in the Baseline Configuration Compliance
Profile drop-down list and in the /usr/share/fa/data/baseline_profiles/ directory.
2. Select Administration.
1. Access the Baseline Profile configuration area. For details, see Access baseline
profiles configuration.
2. Click New.
4. Click Save.
The new custom baseline profile appears in the baseline profile table.
Do the following:
1. Access the Baseline Profile configuration area. For details, see Access baseline
profiles configuration.
3. Click Duplicate.
The baseline profile form appears with the values of the original profile.
Note: To prevent the creation of two baseline profiles with the same display
name, change the Profile Name.
5. Click Save.
The new custom baseline profile appears in the baseline profile table.
Note: The original baseline profile will not be over-written, but it will not be
available to use unless you delete the new custom baseline profile.
Do the following:
1. Access the Baseline Profile configuration area. For details, see Access baseline
profiles configuration.
3. Click Edit.
5. Click Save.
The new custom baseline profile appears in the baseline profile table.
Note: You can only delete custom baseline profiles. Custom baseline profiles are
indicated with a in the Customized field.
Do the following:
1. Access the Baseline Profile configuration area. For details, see Access baseline
profiles configuration.
3. Click Delete.
4. Click OK.
1. Access the Baseline Profile configuration area. For details, see Access baseline
profiles configuration.
In this example, we selected the Cisco ACE Sample profile. The profile is
highlighted in blue.
3. Click Edit.
b. In the Add Subelement menu on the right side of the workspace, click
Command.
5. In the Add Attribute menu on the right side of the workspace, click attributes to add
to the command. Available options are id (Command ID), name (Command
Name), and cmd (Command Syntax). For details, see Command.
In the Add Top Element menu on the right side of the workspace, click
BaselineRequirement.
8. In the Add Subelement menu on the right side of the workspace, you can add the
following subelements in hierarchical order:
- Command
- Criterion
- Line (Item)
9. Click Add Attribute to add attributes to the baseline requirement or any of the
subelements.
Tag Reference
This reference describes the use of each tag in the baseline configuration compliance
profile. The tags are listed in the same order as they appear in the file.
BaselineProfile
Syntax
Description
This is the main tag for the baseline compliance profile, and it identifies the profile.
Parameters
brand_id: String. The brand ID of the device brand relevant to the baseline configuration compliance report. The brand_id for each device brand is configured in the brand's brand_config.xml file in /usr/share/fa/data/plugins/brand_name. See the Id parameter in the DEVICE tag.
display_name: String. The name of the baseline configuration compliance profile. The name will appear at the head of the Baseline Configuration Compliance Report.
Subtags
Example
The following example describes a baseline profile for a Cisco ASA device with the
name "Cisco ASA".
CommandsDef
Syntax
CommandsDef
Description
This tag specifies the sequence of commands that AFA should run on the device during
analysis.
Parameters
None.
Subtags
BaselineRequirement
Syntax
Description
This tag specifies a requirement that the device must meet in order to be considered "in
compliance". The requirement consists of a list of required outputs for the commands
that AFA will run on the device, specified in the CommandsDef (see CommandsDef)
tag.
Parameters
Subtags
Command
Syntax
Description
This tag specifies a command that AFA should run on the device.
Parameters
Subtags
Criterion
Syntax
Criterion type="type"
Description
This tag specifies a criterion that the command output must meet.
Parameters
type String. The criterion type. This can be any of the following:
- Required Line. The line specified in the Item sub-tag must be present in the command output.
Subtags
Item
Syntax
Item [comments="comments"]
Description
This tag specifies information about a criterion that the command output must meet.
Parameters
comments String. Comments about a criterion that the command output must meet.
Contents
This tag contains further details about a criterion that the command output must meet.
Subtags
None.
Example
BaselineHeader
Syntax
BaselineHeader title="title"
Description
This tag specifies information about the header text of the Baseline Compliance Report.
Parameters
title String. The title that should appear in the header section of the report page.
Contents
This tag contains the header text that should appear in the Baseline Compliance
Report.
Subtags
None.
BaselineFooter
Syntax
BaselineFooter title="title"
Description
This tag specifies information about the footer text of the Baseline Compliance Report.
Parameters
title String. The title that should appear in the footer section of the report page.
Contents
This tag contains the footer text that should appear in the Baseline Compliance Report.
Subtags
None.
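The following added example (not AlgoSec's code or an official profile) parses a small, constructed baseline profile built from the tags in this reference and checks captured command output against its Required Line criteria. The attributes brand_id, display_name, id, name, cmd, type, comments and title come from the tag reference; the name attribute on BaselineRequirement, and on the Command inside a requirement tying it to a CommandsDef entry, is an assumption, since those parameters are not documented here.

```python
import xml.etree.ElementTree as ET

# Added example, not AlgoSec's code: a minimal checker that reads a baseline
# configuration compliance profile written with the tags above and evaluates
# its "Required Line" criteria against captured command output.  Assumptions:
# the profile and output below are constructed; a name attribute on
# BaselineRequirement, and on the Command inside it, ties the requirement to a
# CommandsDef entry (the tag reference leaves those parameters undocumented).

SAMPLE_PROFILE = """<BaselineProfile brand_id="cisco_asa" display_name="Cisco ASA (constructed)">
  <CommandsDef>
    <Command id="1" name="show_run_ssh" cmd="show running-config ssh"/>
    <Command id="2" name="show_run_logging" cmd="show running-config logging"/>
  </CommandsDef>
  <BaselineHeader title="Constructed header">Illustrative profile only.</BaselineHeader>
  <BaselineRequirement name="SSH version 2 only">
    <Command name="show_run_ssh">
      <Criterion type="Required Line">
        <Item comments="SSH v1 must not be accepted">ssh version 2</Item>
      </Criterion>
    </Command>
  </BaselineRequirement>
  <BaselineRequirement name="Logging enabled">
    <Command name="show_run_logging">
      <Criterion type="Required Line">
        <Item comments="Logging must be switched on">logging enable</Item>
        <Item comments="Timestamps on log messages">logging timestamp</Item>
      </Criterion>
    </Command>
  </BaselineRequirement>
  <BaselineFooter title="Constructed footer">End of profile.</BaselineFooter>
</BaselineProfile>"""

# Constructed command output, keyed by CommandsDef command name.
SAMPLE_OUTPUT = {
    "show_run_ssh": "ssh 10.0.0.0 255.0.0.0 inside\nssh version 2\nssh timeout 5\n",
    "show_run_logging": "logging enable\nlogging buffered informational\n",
}

def commands_to_run(profile_xml):
    """The ordered (id, name, cmd) sequence from CommandsDef."""
    root = ET.fromstring(profile_xml)
    return [(c.get("id"), c.get("name"), c.get("cmd")) for c in root.findall("CommandsDef/Command")]

def evaluate_profile(profile_xml, output_by_command):
    """Return {requirement name: (passed, [missing lines])} for the profile.

    Only the "Required Line" criterion type from the tag reference is handled:
    every Item's text must appear as a whole line of the command output.
    """
    root = ET.fromstring(profile_xml)
    defined = {c.get("name"): c.get("cmd") for c in root.findall("CommandsDef/Command")}
    results = {}
    for req in root.findall("BaselineRequirement"):
        missing = []
        for cmd in req.findall("Command"):
            name = cmd.get("name")
            if name not in defined:
                raise ValueError(f"requirement references undefined command {name!r}")
            lines = {ln.strip() for ln in output_by_command.get(name, "").splitlines()}
            for crit in cmd.findall("Criterion"):
                if crit.get("type") != "Required Line":
                    raise ValueError(f"unsupported criterion type {crit.get('type')!r}")
                for item in crit.findall("Item"):
                    wanted = (item.text or "").strip()
                    if wanted not in lines:
                        missing.append(f"{defined[name]}: {wanted} ({item.get('comments')})")
        results[req.get("name")] = (not missing, missing)
    return results
```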
Overview
You can customize Risk Profiles by defining custom risk items. Custom risk items allow
you to define more complex risks by composing the XQL query of your choice. For
example, you can define risks for the following types of allowed traffic:
All operators used in risk item XQL queries are standard XQL operators: $eq$, $ne$, $lt$, $gt$, $and$, $or$, $match$ (checks against a regular expression, e.g. '/abc[de]/'), $no_match$, and brackets ( ).
Type Description
Queries/QIndex[@name="q_srv_Outside_Inside"]/QEntry[
@srv $eq$ "http" $and$
eval("256", "Number") $lt$ @n_dst_impact_ips
]/QRes[
@n_risky_dst_ips $ne$ 0 $and$
@n_risky_src_ips $ne$ 0 $and$
@is_vpn $ne$ "yes"
]
QIndex
This section specifies the traffic source and destination zones, by indicating them in the
name of the query results file.
Parameters
where srcZone is the source zone, and dstZone is the destination zone, as defined in the AFA's device topology.
Available zones include Outside, Inside, DMZs, and any user-defined zone type.
For example:
- In the preceding example, the file name is q_srv_Outside_Inside.
- For traffic going from Inside to DMZs, the relevant file name would be q_srv_Inside_DMZs.
- For traffic between different Internal zones, the relevant file name would be q_srv_Inside_Inside.
For access to the device itself, use the file name q_fw_access.
QEntry
This section describes the type of traffic between the source and destination zones
(specified in QIndex) that will trigger the risk. In the preceding example, a traffic query
issued to the device simulation engine will trigger this risk if the service is HTTP and the
number of affected destination IP addresses is over 256.
Parameters
QRes
This section describes the type of traffic query results that will trigger the risk. In the
preceding example, the traffic must be encrypted in order for this risk to be triggered.
Parameters
@is_vpn: Indicates whether encrypted traffic should trigger the risk or not:
- yes. Encrypted traffic should trigger the risk.
- no. Encrypted traffic should not trigger the risk.
@pass_rule: The name of the rule that is relevant for this traffic in AFA.
Hosts
/Host[
@name $eq$ "Trusted_hosts" $and$
eval("20", "Number") $lt$ @n_Total
]
This query checks whether the pre-defined "Trusted_hosts" object (which represents
servers that can manage this firewall) contains a certain number of IP addresses.
Parameters
Note: Properties will differ between firewall vendors. Parameters can be created for
Check Point firewalls from the asm.C file.
Props[http_enforce_buffer_overflow[@value $ne$ "true"]]
Rules/Rulebase[@interface="%INTERFACE"]/Rule
[
@dst = "*" $and$
@srv = "*" $and$
@orig_rule $ne$ "" $and$
@orig_rule $ne$ "0" $and$
@vpn $ne$ "VPN_PERMIT" $and$
@vpn $ne$ "VPN" $and$
@action = "PASS"
]
This query detects all rules other than VPN rules, where both the destination and the
service are "any", and the action is "PASS".
Parameters
@src: The source object of the rule.
@dst: The destination object of the rule.
@srv: The service object of the rule.
@src_xlt: The translated source hostgroup object.
Note: AFA performs these queries on its internal "Expanded rules". To see these
rules in your device report, go to Explore Policy -> Expanded Rules.
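As an added example (not AlgoSec's code), the following Python evaluates the bracketed predicate of a risk item query, using the operators listed in the overview above, against a dict of attribute values such as an expanded rule; the "Rules" predicate from this section is included as a constant, and the record dicts are constructed.

```python
import re

# Added example, not AlgoSec's code: evaluates the bracketed predicate of a
# custom risk item XQL query against one record, covering the operators listed
# in the overview: $eq$ (or =), $ne$, $lt$, $gt$, $and$, $or$, $match$,
# $no_match$, brackets and eval("<value>", "Number").  Assumptions: a record is
# a plain dict (constructed), $lt$/$gt$ coerce both sides to numbers, and the
# path part of a query (Queries/QIndex[...]/QEntry) is not parsed.

TOKEN_RE = re.compile(r"""
    \s+                                                   # whitespace, skipped
  | (?P<attr>@[A-Za-z_][A-Za-z0-9_]*)                     # @attribute reference
  | (?P<op>\$[a-z_]+\$|=)                                 # $eq$, $and$, ... or =
  | eval\(\s*"(?P<ev>[^"]*)"\s*,\s*"(?P<et>[^"]*)"\s*\)   # eval("256", "Number")
  | "(?P<dq>[^"]*)" | '(?P<sq>[^']*)'                     # string or regex literal
  | (?P<paren>[()])
  | (?P<err>.)                                            # anything else is an error
""", re.VERBOSE)

def tokenize(text):  # -> [(kind, value), ...] ending with an "end" sentinel
    tokens = []
    for m in TOKEN_RE.finditer(text):
        kind, val = m.lastgroup, m.group(m.lastgroup or 0)
        if kind is None:                        # whitespace
            continue
        if kind == "err":
            raise ValueError(f"bad XQL near {text[m.start():m.start() + 20]!r}")
        if kind == "attr":
            tokens.append(("attr", val[1:]))
        elif kind == "et":                      # eval("value", "type"): typed literal
            v = m.group("ev")
            tokens.append(("lit", (int(v) if v.lstrip("-").isdigit() else float(v)) if val == "Number" else v))
        elif kind in ("dq", "sq"):
            tokens.append(("lit", val))
        else:                                   # op or paren; "=" is an alias of $eq$
            tokens.append((kind, "$eq$" if val == "=" else val))
    return tokens + [("end", None)]

def compare(op, left, right):  # apply one XQL comparison operator
    if op in ("$lt$", "$gt$"):
        lnum, rnum = float(left), float(right)
        return lnum < rnum if op == "$lt$" else lnum > rnum
    if op in ("$match$", "$no_match$"):         # regex literal written as '/abc[de]/'
        return (re.search(str(right).strip("/"), str(left)) is not None) == (op == "$match$")
    if op in ("$eq$", "$ne$"):
        return (str(left) == str(right)) == (op == "$eq$")
    raise ValueError(f"unsupported operator {op!r}")

class Predicate:
    def __init__(self, tokens, record):
        self.toks, self.pos, self.rec = tokens, 0, record
    def take(self):
        tok = self.toks[self.pos]
        self.pos += 1
        return tok
    def expr(self):                             # expr := term ($or$ term)*
        val = self.term()
        while self.toks[self.pos] == ("op", "$or$"):
            self.take()
            val = self.term() or val            # right side is always parsed
        return val
    def term(self):                             # term := factor ($and$ factor)*
        val = self.factor()
        while self.toks[self.pos] == ("op", "$and$"):
            self.take()
            val = self.factor() and val
        return val
    def factor(self):                           # factor := ( expr ) | operand op operand
        if self.toks[self.pos] == ("paren", "("):
            self.take()
            val = self.expr()
            if self.take() != ("paren", ")"):
                raise ValueError("missing closing bracket")
            return val
        left = self.operand()
        kind, op = self.take()
        if kind != "op":
            raise ValueError(f"expected comparison operator, got {op!r}")
        return compare(op, left, self.operand())
    def operand(self):
        kind, val = self.take()
        if kind == "attr":
            return self.rec.get(val, "")        # a missing attribute reads as empty
        if kind == "lit":
            return val
        raise ValueError(f"unexpected token {val!r}")

def xql_matches(predicate, record):  # True when the record satisfies the predicate
    parser = Predicate(tokenize(predicate), record)
    result = parser.expr()
    if parser.toks[parser.pos] != ("end", None):
        raise ValueError("unexpected trailing tokens")
    return bool(result)

# The "Rules" predicate from the text: non-VPN rules with any destination/service and action PASS.
ANY_ANY_PASS = ('@dst = "*" $and$ @srv = "*" $and$ @orig_rule $ne$ "" $and$ '
                '@orig_rule $ne$ "0" $and$ @vpn $ne$ "VPN_PERMIT" $and$ '
                '@vpn $ne$ "VPN" $and$ @action = "PASS"')
```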
Keyword Description
%QSRC_LIST{QueryInputFile}: A list of source host groups that can access the device, as specified in the query input file, QueryInputFile.
Configure notifications
This section describes how to configure the different types of automatic e-mail
messages supported by AFA.
2. Select Administration.
The Scheduler Setup page appears with a list of scheduled analysis and
dashboard e-mail jobs.
- To edit an existing dashboard email job, click on the Edit icon next to the desired job.
7. In the Recipients field, type an email address or a comma-separated list of multiple email addresses to which to send the notifications.
8. (Optional) In the Email Subject field, type a subject for the email notifications.
9. (Optional) In the Email Body field, type a message to include in the body of the
email notifications.
10. In the Recurrence area, specify how often the analysis job should run.
You can select either a daily, weekly, monthly, quarterly, or yearly analysis, or
configure the analysis to occur when a policy is installed on the device(s).
The fields in the Recurrence Pattern area change according to your selection.
11. In the Recurrence Pattern area, configure the desired pattern of recurrence.
Do the following:
2. Select Administration.
The Scheduler Setup tab appears with a list of scheduled analysis and dashboard e-mail jobs.
5. Click Delete.
6. Click Yes.
Supported notifications
Supported notifications include:
2. Enable the desired notifications for each user or role that should receive e-mail
notifications. For details, see Manage users and roles in AFA.
2. Select Administration.
Use name and password: Select this option if the SMTP server requires a username and password.
Use SSL: Select this option to use SSL when authenticating with the SMTP server.
Test E-Mail message: Click this button to send a test e-mail to all administrators.
Email greeting (Optional): Type an e-mail greeting to include in the body of the e-mail.
Default: Click this button to reset the e-mail greeting to its default setting.
5. Click OK.
Note: The specified user must have permission to view the device and the specified
report pages. E-mails will not be sent to users that do not have permission to view
the device. Report pages for which the user does not have permissions will not be
included in the e-mail. No e-mail notification options need to be enabled in the user's
settings in order for the user to receive these e-mail messages.
Note: It is possible to generate report page PDFs (including those that cannot be
sent to a user due to inadequate permissions or size limitations) for additional uses.
For example, you could export the PDFs to a central repository in order to display
them on an enterprise or MSSP portal. The desired usage should be implemented by
a script that receives the path of the report's directory as a parameter, and which runs
after generating report pages for all devices and users, but before removing all of the
created files.
To configure AFA to use such a script, open /home/afa/.fa/config and add the
following line:
PostPublishReportParts=command
<ReportPartsPublish>
<DevicesDef>
<Device name="deviceName">
<User username="userName" parts="reportPages" />
</Device>
</DevicesDef>
</ReportPartsPublish>
Where:
- deviceName is the name of the device whose report pages should be sent. A list of all device names is available in the file /home/afa/.fa/firewall_data.xml.
- userName is the username of the user who should receive the report pages. A list of all usernames is available in the file /home/afa/.fa/users_info.xml.
Note: Parts 1-14 are supported for group reports and single device reports.
Parts 15 and up are only supported for single device reports.
Do the following:
2. Select Administration.
The Administration page appears, displaying the Options tab and the General
sub-tab.
3. Access the desired configuration options, by clicking the relevant sub-tab in the
Options Menu area.
- To set general analysis options, complete the fields using the information in General (see General).
- To set language options, click the Language sub-tab and complete the fields using the information in Language (see Language).
- To set Web interface options, click the Display sub-tab and complete the fields using the information in Display (see Display).
- To set log analysis options, click the Log analysis sub-tab and complete the fields using the information in Log Analysis (see Log analysis).
- To configure a proxy server, click the Proxy sub-tab and complete the fields using the information in Proxy (see Define a device proxy).
- To configure a mail server, click the Mail sub-tab and complete the fields using the information in Mail (see Mail).
- To set criteria for storing/deleting AFA reports, click the Storage sub-tab and complete the fields using the information in Storage (see Storage).
- To set backup and restore options (for all of ASMS), click the Backup/Restore sub-tab and complete the fields using the information in Backup/Restore (see Backup/Restore).
Note: AFA preferences, as well as other information, are stored in the .fa directory
in the user's home directory.
General
Use the General tab to set the following options.
General Fields
In this field... Do this...
Comprehensive mode - analyze every service defined on the device (slow): Select this option to specify that AFA should analyze all of the services defined on the device, and not only the ones relevant for risks. Selecting this option results in more comprehensive information in the reports' Policy tab, particularly when comparing different reports.
With IP address name lookups (slow): Select this option to add the DNS name next to any IP address shown in a report, if a DNS name exists. This functionality requires the AFA machine to be connected to the network and configured to use a name server. If you want analysis to run faster, clear this option.
Include traffic changes analysis in Change History (slow): Select this option to specify that the Changes report page should include the calculated changes in allowed traffic (in addition to its regular content). If you want analysis to run faster, clear this option.
Timed rules: only apply rules active at analysis time: Select this option to specify that time-dependent rules should only be applied if they are active when AFA analysis is performed. This is relevant to policy optimization criteria.
Use public key authentication in data collection: Select this option to use public key authentication in SSH connections to a Check Point management, Juniper Netscreen devices, or NSMs. Note: When this option is enabled, the password defined for the device(s) in AFA must be the local private key passphrase.
Data collection timeout (seconds): Type the amount of time in seconds that the device analyzer should wait for the device's reaction before aborting communications. If you encounter timeout problems, increase this value.
Days before expiration alerts: Type the number of days before a device rule or VPN user expires that AFA should consider the rule/user as about to expire. This is relevant for policy optimization and for users who are configured to receive such notifications.
Report rules whose comment field...: Complete this field to indicate you want to find rules whose comments match a regular expression, or rules whose comments do not match a regular expression. Select the desired operator in the drop-down menu and type a regular expression describing the format for the rule comment. For example, if you select does not match, and then type a regular expression that defines the required format of a rule comment, you can detect non-compliant rule comments. Click on the Details button for more information and examples of regular expressions. If this field is left empty, rule comment detection will be disabled.
Language
In the Language tab, select the language for risk titles in reports. Currently only English
and Japanese are supported.
Display
In the Display tab, set the display options described below.
Display Fields
In this field... Do this...
Session timeout (minutes): Enter the number of minutes of inactivity before a user is logged out of the Web interface.
Enable Custom Logo: Select this option to upload a custom logo that will appear at the top right corner of every page of the AFA, FireFlow and AppViz Web Interfaces, as well as all future AFA reports. The logo file must be in GIF, JPG, or PNG format, and it must be 115 pixels in width and 50 pixels in height. It is important to use these exact dimensions, so that the logo image is not distorted. To remove a custom logo, clear this check box.
Log analysis
In the Log analysis tab, set the log analysis options described below.
Use log starting n days before the report date: Type the number of days before a report date to specify how far back you want to use log data when generating AFA reports. For example, if you set this field to 180, AFA will use all logs generated between 180 days before the report date and the actual report date, when creating the report.
Timeout for log analysis is n minutes: Type the maximum amount of time in minutes for log analyses to run.
Define log collection for selected devices: Click Define to define log collection for AppViz Discovery.
Note: If you do not know the proxy settings in your organization, contact your local
network administrator.
Proxy fields
In this field... Do this...
Use proxy server: Select this option to specify that a proxy server is used to access the Internet. This is relevant for the following situations:
- You want to connect to cloud devices defined in AFA (such as AWS or Azure) via a proxy server.
- You want to validate your AFA "Online" license via a proxy server. Defining the proxy server enables AFA to access the license server.
Use proxy authentication: Select this option if the proxy server requires authentication. If you select this option, you must complete the Username and Password fields.
Username: Type the username to use for authenticating to the proxy server.
Password: Type the password to use for authenticating to the proxy server.
Mail
In the Mail tab, configure a mail server for sending automatic e-mail notifications. For
information about AFA e-mail notifications, see Configure event-triggered notifications.
Storage
Whenever AFA generates a report, the report is stored on the AFA server. Each AFA
report may consume significant amounts of storage (about 75 MB* per report on
average, though this can greatly vary). For example, if you have four devices whose
policies are changed and analyzed daily, then AFA reports will consume about 4x75 =
300 MB per day, 7x4x75 = 2.1 GB per week. Therefore, you would require an empty 150 GB disk in order to store 70 weeks' worth of reports.
To enable you to efficiently manage your available disk space, and to prevent an
overload of data on the AFA server, you can configure AFA to delete old reports, based
on deletion criteria you define. You can configure clean-up to run automatically or trigger
it manually, as needed.
Note: AFA checks the amount of local disk space remaining after running each
report. If the remaining space is less than 10 GB, or if more than 95% of the disk is
already used, AFA sends a warning e-mail to the users configured to receive error
messages via e-mail notifications. See Configuring Event-Triggered Notifications
(see Configure event-triggered notifications). In addition, AFA also sends
notifications via the issues center and Syslog messages.
Note: AFA provides an option to only run a scheduled analysis if policy changes
were detected since the previous analysis. This option ensures that full analyses will
only run when the report will differ from the most recent report, saving both the CPU
time needed to produce a report and the disk space needed to store it. To enable this
option, select the Run analysis only when policy is changed check box, in the
General sub-tab of the Options tab in the Administration area. For more details, see
Define AFA preferences.
Note: You can optionally save reports on your remote backup server by including
reports in your ASMS backups. See the Backup/Restore (see Backup/Restore) tab.
2. Select Administration.
3. Click Storage.
4. Complete the fields using the information in Storage Fields (see Storage Fields).
5. Click OK.
If the number of days to retain reports is greater than the number of days to retain
the monitoring information, a confirmation message appears.
Click OK.
6. To delete any reports that meet the deletion criteria immediately, rather than wait
until the next scheduled clean-up time, do the following:
8. Click OK.
Storage Fields
Keep all reports from the last n days: Select this option to enable automatic deletion of reports older than a specified number of days, then type the number of days after which reports should be deleted.
Do not keep older reports (Default): Click this option to specify that AFA should delete all reports that have reached the age specified in the Keep all reports from the last n days field.
Leave one report per month for each device: Click this option to specify that each month AFA automatically deletes all reports, except for the most recent successful report for each device, for audit purposes.
Leave one report per quarter for each device: Click this option to specify that each quarter AFA automatically deletes all reports, except for the most recent successful report for each device, for audit purposes.
Keep reports of deleted devices: Select this option to specify that AFA retains a device's reports when the device is removed from AFA.
Run the clean-up job daily at: Use the drop-down lists to specify the time at which AFA should perform automatic deletion each day.
Clean-up now: Click this button to delete any reports that meet the deletion criteria immediately, rather than wait until the next scheduled clean-up time. Important: If you made changes to the deletion criteria that you want to apply to the clean-up, click OK to save the changes before clicking this button.
Retain per-device monitoring information for n days: Type the number of days of change monitoring reports you want to retain for each device.
Workflow
In the Workflow tab, define the parameters for integration with an external corporate
Change Management System (CMS). AFA supports integration with AlgoSec FireFlow,
BMC Remedy, HP ServiceCenter (ServiceNow), or any other system supporting Web-
based access.
AFA will look for the following format in the rule comments:
<Before><Change_Request_id><After>
Where <Before> and <After> are fixed strings, and <Change_Request_id> is a Perl regular expression (see note below).
For example:
Field: Input
Before: Change Request #
After: #
This comment will become a link: 'Change Request #1234#'. This comment will not become a link: 'Change Request 1234#', because <Before> is not equal to 'Change Request #'.
Note: Examples:
[A-Z]{2}\s*\d+ - comments must contain two capital letters, then zero or more spaces, then one or more digits (e.g. "AK 123")
AlgoSec FireFlow
If you use AlgoSec FireFlow, select AlgoSec Fireflow in the Workflow tab to fill in
FireFlow-specific parameters.
- Server: Name of the AlgoSec FireFlow server to be accessed (usually the AFA server).
- URL Template: The structure of the URL that will be created for change request ID links in AFA reports. The following keywords will be replaced by the relevant values: __SERVER_NAME__ and __REQUEST_ID__.
Click the Show Full URL button to see the resulting URL string.
BMC Remedy
If you use a BMC Remedy Change Management System, select BMC Remedy in the
Workflow tab to fill in Remedy-specific parameters.
Fill in the different fields, in order to allow AFA to create the correct links. The format of a
typical URL to a Remedy change request is as follows:
<protocol>://<mid_tier_server>/arsys/servlet/ViewFormServlet?server=
<server_name>&form=<form_name>&qual=<query>
Where:
Example:
- Form: Sample
Then the fully formatted URL for change request id 12345 would look like this (all on
one row):
http://192.168.2.60:8080/arsys/servlet/ViewFormServlet?server=remedy&form=
Sample&qual=%27Change%20ID%2A%2B%27%3D%2212345%22
The URL template that AFA uses can be viewed and edited in the URL Template field. It
contains the structure of the URL that will be created for change request ID links in AFA
reports. You may change this field to specify the URL format explicitly (over-ride the
defaults). The following keywords will be replaced by the relevant values: __SERVER_
NAME__, __MID_TIER_SERVER__, __FORM_NAME__, __REQUEST_ID__.
HP ServiceCenter / HP Service Manager
If you use HP ServiceCenter (or its successor, HP Service Manager), select it in the Workflow tab and fill in the fields so that AFA can create the correct links. A typical URL to an HP ServiceCenter change request has the following format (all on one line):
protocol://<server>/sc/index.do?ctx=docEngine&file=<file>&query=<query>&action=&title=Ticket%20Information
Where <server> is the ServiceCenter Web server, <file> is the ServiceCenter file name, and <query> selects the change request. The string "__REQUEST_ID__" must appear in the query, and will be replaced by the actual request ID in the final link URL.
The URL template that AFA uses can be viewed and edited in the URL Template field. It contains the structure of the URL that will be created for change request ID links in AFA reports. You may change this field to specify the URL format explicitly (overriding the defaults). The following keywords will be replaced by the relevant values: __SERVER_NAME__, __FILE_NAME__, __QUERY__.
Note: Some versions of HP ServiceCenter require the URL to contain a hash value in addition to the query itself (query security). To integrate with AFA, this option must be disabled. The hash exists to detect tampering with the query parameters in a link; once it is disabled, the Web tier accepts any query it is given, so rely on ServiceCenter's own authentication and record-level access control rather than on the URL format.
Note: To configure the Web application to ignore this hash value in ServiceCenter version 6.x and below, add the following to the Web application's web.xml file:
    <init-param>
        <param-name>sc.querysecurity</param-name>
        <param-value>false</param-value>
    </init-param>
Note: In HP Service Manager version 9.2 and above, add the following to the Web application's web.xml file on the Service Manager server:
    <init-param>
        <param-name>querySecurity</param-name>
        <param-value>false</param-value>
    </init-param>
Note: In addition, you must add the following line to the sm.ini file:
    querysecurity:0
Other
If you use any other CMS system, which supports Web-access, choose Other.
l URL Template: The structure of the URL that will be created for change request ID
links in AFA reports. The following keywords will be replaced by the relevant
values: __SERVER_NAME__, __REQUEST_ID__.
Click the Show Full URL button to see the resulting URL string.
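As an added example (not AFA's code), the following Python reproduces what the Workflow settings above describe: it matches <Before><Change_Request_id><After> in rule comments, fills the __SERVER_NAME__ / __MID_TIER_SERVER__ / __FORM_NAME__ / __REQUEST_ID__ keywords of a URL template, and regenerates the Remedy URL shown in the BMC Remedy section. The FireFlow URL path, the function names, the sample comments, and the 'Change ID*+' qualification (decoded from the Remedy URL on this page) are assumptions made for the example. Values taken from rule comments are percent-encoded, because anyone who can edit a device policy controls them.

```python
import re
from urllib.parse import quote

# Added example, not AFA code: turn change-request references in rule comments
# into links, following the Workflow tab semantics described in the guide.
# Template keywords (__SERVER_NAME__ etc.) come from the guide; the FireFlow URL
# path and the Remedy qualification field are assumptions for this example.


def comment_pattern(before, request_id_regex, after):
    """Compile <Before><Change_Request_id><After>.

    Before and After are fixed strings, so they are escaped. Change_Request_id
    is a regular expression and is used as written (Python's re dialect stands
    in for the Perl regex that AFA evaluates).
    """
    return re.compile(re.escape(before) + "(" + request_id_regex + ")" + re.escape(after))


def find_request_ids(comment, pattern):
    """Every change-request id referenced in one rule comment, in order."""
    return [m.group(1) for m in pattern.finditer(comment)]


def render_url(template, trusted, untrusted):
    """Replace __KEYWORD__ placeholders in a URL template.

    'trusted' holds values the AFA administrator typed into the Workflow tab
    (server and form names) and is inserted verbatim. 'untrusted' holds values
    derived from rule comments, which anyone who can edit a device policy
    controls; those are percent-encoded so a crafted comment cannot add query
    parameters or redirect the link.
    """
    url = template
    for keyword, value in trusted.items():
        url = url.replace("__%s__" % keyword, value)
    for keyword, value in untrusted.items():
        url = url.replace("__%s__" % keyword, quote(value, safe=""))
    return url


# Assumed FireFlow ticket URL; use the template shown by "Show Full URL" in your AFA.
FIREFLOW_TEMPLATE = "https://__SERVER_NAME__/FireFlow/Ticket/Display.html?id=__REQUEST_ID__"


def fireflow_link(server_name, request_id):
    return render_url(FIREFLOW_TEMPLATE, {"SERVER_NAME": server_name}, {"REQUEST_ID": request_id})


REMEDY_TEMPLATE = ("http://__MID_TIER_SERVER__/arsys/servlet/ViewFormServlet"
                   "?server=__SERVER_NAME__&form=__FORM_NAME__&qual=__QUAL__")


def remedy_link(mid_tier_server, server_name, form_name, request_id):
    """Build the Remedy ViewFormServlet URL from the guide's BMC Remedy section.

    Assumption: the qualification selects the change by its "Change ID*+"
    field, which is what the guide's worked URL decodes to; substitute the
    field name your form uses.
    """
    qual = "'Change ID*+'=\"%s\"" % request_id
    return render_url(
        REMEDY_TEMPLATE,
        {"MID_TIER_SERVER": mid_tier_server, "SERVER_NAME": server_name, "FORM_NAME": form_name},
        {"QUAL": qual},
    )


def links_for_comment(comment, before, request_id_regex, after, make_link):
    """(request_id, url) for each change request referenced in a rule comment."""
    pattern = comment_pattern(before, request_id_regex, after)
    return [(rid, make_link(rid)) for rid in find_request_ids(comment, pattern)]


if __name__ == "__main__":
    # Constructed rule comments, with Before='Change Request #' and After='#' as in the guide.
    for comment in ("Change Request #1234#", "Change Request 1234#"):
        links = links_for_comment(comment, "Change Request #", r"\d+", "#",
                                  lambda rid: fireflow_link("afa.example.com", rid))
        print(repr(comment), "->", links)
    print(remedy_link("192.168.2.60:8080", "remedy", "Sample", "12345"))
```

The split between trusted and untrusted template values is the point worth keeping when you customize a URL Template: only the administrator-entered server and form names are inserted verbatim, and the request ID is always encoded, so a comment such as "Change Request #1234&id=9#" yields a link whose id parameter is literally 1234&id=9 rather than two parameters.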
Authentication
In the Authentication tab, configure the methods AFA uses for authenticating users and
authenticating devices.
For more details, see Configure user authentication and Integrate AFA and CyberArk.
Backup/Restore
This section describes how to back up and restore your AlgoSec Firewall Analyzer from
AFA using both automatic scheduling and manual processes.
Backup files include ASMS users, devices, and other configurations and optional
content, and can be saved locally or on a remote server. Only one backup or restore
process can run at a single time.
Version: You can only restore ASMS to the same major version from which the backup was taken. If you have upgrades to perform, upgrade your system only before the backup or after the restore. Do not attempt to upgrade your system between the backup and restore processes.
System processes: Restoring your system requires some downtime. Disable any jobs scheduled to run during the restore process, such as ASMS monitoring or analysis. Reinstate the scheduling once the restore is complete.
Additionally:
l In geographic distributions, the target appliance for the restore must have the
same number of Remote Agents, with the same names, as the appliance on which
the backup was performed.
Note: We recommend running your backup and restore on the Central Manager or
Master Appliance only.
Additional options: Select Encrypt backup files to configure encryption for the backup file. In the Password and Retype password fields that appear, enter and confirm the password you want to use to secure the backup file. Because backups contain ASMS users, devices and their configuration, encrypt them and store them on a path that only the afa user and your backup operators can read.
Back up via: Select one of the following to determine how backup files are sent to the backup server:
l FTP
l SFTP
l Local
FTP sends credentials and file contents in clear text; prefer SFTP for remote backup targets.
Path: Enter the path where you want to store the backup files. The afa user must have permissions to access the specified path.
If the directory does not exist, AFA will attempt to create the folder automatically, as follows:
l Local paths: when testing the connection.
l Remote paths: only when performing a backup, either manual or automatic.
Do the following:
1. In the AFA Administration area, browse to the Options > Backup / Restore tab.
3. In the Backup configuration dialog that appears, select any of the following options as needed:
Include reports: Includes AFA reports in the backup. By default, this includes all reports created since the last scheduled backup. Including all existing reports may require a significant amount of disk space.
Tip: To save disk space, select Only include last successful report per device.
4. In the Backup configuration dialog, click Back Up Now to start the backup.
Backup files are created in the path configured, including several directories containing
your backup files. Each directory contains a single backup, where the folder name is the
epoch timestamp of when the backup was generated.
Do the following:
1. If you are working with HA/DR clusters, break your cluster before starting your
restore.
2. In the AFA Administration area, browse to the Options > Backup / Restore tab.
4. In the Backup configuration dialog that appears, enter the following values:
File name: Enter the filename of the backup file you want to use.
Backup file requires password: Select this if the backup file is encrypted, and enter the required password in the Password field that appears.
Note: Entering an incorrect or old password restores only those reports that were not encrypted, or those encrypted with the password entered. In such cases the restore process does not fail, but error messages in the log indicate the names of the reports that failed to restore, so check the log after every restore rather than relying on the completion status alone.
To view details during the process, see the log file at /data/algosec-ms/logs/ms-backuprestore.log.
5. After the restore is complete, run a report on All Firewalls to ensure a valid
network map.
Advanced Configuration
This topic describes how to add and modify advanced AFA configuration parameters, as
well as a reference of parameters available.
Do the following:
1. In the toolbar, click your username and select Administration to access the
AFAAdministration area.
3. Click Add, and enter the name and value of your configuration parameter.
4. Click OK to close the dialog, and then OK again to save your changes.
A-B
Parameter Description
Active_Change_Backups_Number: CLI only. Defines the number of backup files stored by AFA for Cisco firewalls, Juniper SRX devices, or Panorama devices. Default: 50
Days_Without_Logs_Percentage_Threshold: Determines the threshold at which warnings are sent for missing log days, in the log data-based parts of the policy optimization. Possible values: integers, 0-100; 0 disables the warning altogether. Default: 50
E-I
Locate_in_rules_include_any: Determines whether rule search results include rules that contain the searched IP only in an Any source or destination.
Possible values:
l yes: Rule results include rules where the searched IP address is found in an Any source or destination.
l no: Rule results do not include rules where the searched IP address is found only in an Any source or destination. (Default)
LOCK_WAIT_FREQUENCY: Defines how often the Check Point and IOS data collection lock file is sampled, in seconds. The value of this parameter multiplied by the value of the MAX_LOCK_WAIT parameter equals the total wait time for IOS devices. Default: 10
Log_Analysis_Months_Before: Defines the time period for which the traffic database is retained, in months. Traffic logs older than the defined value are deleted. Default: 12
Log_Time_Interval_Minutes_Before_Error: Defines the time period, in minutes, after which a device's log collection status is set to failure when log collection finds no new logs for a specific server, for one of the following reasons:
l No logs have arrived at the log server. This may be an issue in the customer environment.
l No logs were found for the target devices. This may be an AFA misconfiguration or error.
Default: 180
Log_Timeout_Minutes: Defines the timeout for the entire log collection process, in minutes. Default: 900 (15 hours)
MAX_LOCK_WAIT: Defines the time to wait for the Check Point, IOS, or NSM data collection lock file, in seconds. Default: 7200 (2 hours)
MAX_LOCK_WAIT_NSC: Defines the time to wait for the NSC data collection file, in seconds. Default: 7200 (2 hours)
N-R
Possible values:
l yes. Display group query results by policy.
l no. Do not group query results by policy (Default)
Default: 50
S-W
Parameter name Description
SHOW_ONLY_NODES_IN_PATH: Determines whether the network map shown in query results shows only the nodes in the network path, without surrounding devices and objects.
Possible values:
l yes: Shows only the nodes in the network path queried, including stub routers, clouds, subnets, and so on.
l no: Shows the nodes in the network path queried, and also surrounding devices and objects. (Default)
trust_rfc1918: Determines whether risk calculation is skipped for private (RFC 1918) networks. When it is skipped, most Z## risks will not be triggered.
Possible values:
l Yes: Risk calculation is skipped for private networks. (Default)
l No: Private networks are included in risk calculation.
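As an added example (not AFA's implementation), the following Python shows what the Locate_in_rules_include_any and trust_rfc1918 parameters above change, using a small constructed rule model where each source and destination is either the string "Any" or a list of CIDR networks. The sample rules, the function names and the reading of "skipped for private networks" as "both source and destination are RFC 1918 networks" are assumptions made for the example.

```python
import ipaddress

# Added example for the Locate_in_rules_include_any and trust_rfc1918 parameters.
# The rule model, the sample rules and the matching code are constructed for this
# example; only the parameter semantics come from the guide.

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample rules: src/dst are either the string "Any" or a list of CIDRs.
SAMPLE_RULES = [
    {"name": "web-in", "src": "Any", "dst": ["203.0.113.10/32"]},
    {"name": "lan-to-db", "src": ["10.1.0.0/16"], "dst": ["10.2.5.0/24"]},
    {"name": "mgmt-out", "src": ["192.168.1.0/24"], "dst": "Any"},
]


def field_contains(field, ip, include_any):
    """True if a source/destination field covers ip.

    An "Any" field matches every address on the wire, but the rule search only
    reports it when Locate_in_rules_include_any=yes, so that a search for one
    host is not flooded with catch-all rules (which still apply to that host).
    """
    if field == "Any":
        return include_any
    return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in field)


def locate_in_rules(rules, ip_str, include_any=False):
    """Names of rules whose source or destination contains ip_str."""
    ip = ipaddress.ip_address(ip_str)
    return [r["name"] for r in rules
            if field_contains(r["src"], ip, include_any)
            or field_contains(r["dst"], ip, include_any)]


def is_rfc1918(field):
    """True when field is a list of IPv4 networks that all lie inside RFC 1918 space."""
    if field == "Any":
        return False
    nets = [ipaddress.ip_network(c, strict=False) for c in field]
    return all(n.version == 4 and any(n.subnet_of(p) for p in RFC1918) for n in nets)


def risk_is_calculated(rule, trust_rfc1918=True):
    """Whether risk calculation runs for a rule.

    Assumption made here: with trust_rfc1918=yes a rule is "private" when both
    its source and destination are RFC 1918 networks; such rules are skipped,
    so a permissive rule between internal segments raises no Z## risk.
    """
    if trust_rfc1918 and is_rfc1918(rule["src"]) and is_rfc1918(rule["dst"]):
        return False
    return True


if __name__ == "__main__":
    print(locate_in_rules(SAMPLE_RULES, "10.2.5.7"))                    # ['lan-to-db']
    print(locate_in_rules(SAMPLE_RULES, "10.2.5.7", include_any=True))  # ['web-in', 'lan-to-db', 'mgmt-out']
    for r in SAMPLE_RULES:
        print(r["name"], "risk calculated:", risk_is_calculated(r),
              "/ with trust_rfc1918=no:", risk_is_calculated(r, False))
```

The practical point of both parameters is visible in the output: with the defaults, a search for 10.2.5.7 omits the two "Any" rules that nevertheless permit traffic for that host, and the internal-only rule lan-to-db is never risk-assessed; set Locate_in_rules_include_any to yes when auditing what actually reaches a host, and set trust_rfc1918 to No when internal segments must be assessed against each other.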
Customize AFA
This section describes the following types of AFA customizations:
<Custom_Report>
    <Report name="report_name">
        <device command="device_script_execution_command" output="device_output_file"></device>
        <group command="group_script_execution_command" output="group_output_file"></group>
        <matrix command="matrix_script_execution_command" output="matrix_output_file"></matrix>
    </Report>
</Custom_Report>
The <device>, <group>, and <matrix> lines are optional. If you include the <device> line but not the <group> or <matrix> lines, the custom report page in the group or matrix report displays a concatenation of the custom device pages.
2. Create a folder called custom_report, containing all of the scripts that must be
executed.
4. Add the file custom_report.xml and the folder custom_report (along with all its
contents, including the subfolder additional_files) to a single .zip file.
The next time a report is generated, it will include the custom page.
Note: If desired, you can disable the custom report page. For details, see the Use_
Custom_Report parameter.
Parameter Description
device_script_execution_command: The script execution command for the custom device report page, including input parameters. For example: sh device_script.sh
device_output_file: The name of the HTML output file for the custom device report page. For example: custom_device.html
group_script_execution_command: The script execution command for the custom group report page, including input parameters. For example: sh group_script.sh
group_output_file: The name of the HTML output file for the custom group report page. For example: custom_group.html
matrix_script_execution_command: The script execution command for the custom matrix report page, including input parameters. For example: sh matrix_script.sh
matrix_output_file: The name of the HTML output file for the custom matrix report page. For example: custom_matrix.html
-d domain_number: The number of the domain in the .fa directory where the .zip file should be extracted. This flag is optional.
-u user_name: The user to use when installing the contents of the .zip file. This user will be granted permissions for the .zip file's contents. This flag is optional. If it is not included, the contents of the .zip file are installed using the "afa" user.
If desired, you can disable or enable the Documentation field or add more such fields.
Note: Documentation fields cannot be deleted, only disabled. For details, see
Enable/Disable documentation fields.
1. Open a terminal and log in using the username "afa" and the related password.
Where:
l field_type is the field's type. This can have the following values: Text,
Number, Bool, or List.
1. Open a terminal and log in using the username "afa" and the related password.
Note: When re-enabling a documentation field, all data that was entered in this field
before it was disabled, will appear once again in the device policies.
1. Open a terminal and log in using the username "afa" and the related password.
l You specify the variable for which the chart displays data.
l Whether the chart starts with displaying the devices with the most of the
variable or the least of the variable.
l For trend charts, you also specify how many days back the chart displays.
3. Name the file chart_name.xml, where chart_name is the name you choose for the
chart.
4. Add the CHART tag to the file, using the information in Chart Tag Reference (see
Chart tag reference). For an example, see Chart Example (see Chart Example).
Note: All tags, parameters, and content are case sensitive, and must be in lower
case.
chart
Syntax
chart
Description
This is the main tag for the chart. It specifies all the information included in the chart.
Parameters
None.
Subtags
title
Syntax
<title> title</title>
Description
Parameters
None.
Subtags
None.
Content
title String. The name that you choose for the title of the chart. You can include the
following variable in the title:
l __GROUP_NAME__. The name of the device group that is analyzed by
the chart (as defined in the dashboard XML file).
l __THRESHOLD__. The value set as the "Chart_Threshold_Val"
configuration item.
l __COUNT__. The number of devices the chart displays.
Example
In the following example, if the number of devices in the chart is 8, and the chart
analyzes the group "ALL_FIREWALLS", the title of the chart is "8 Devices with lowest
security rating in group ALL_FIREWALLS".
<title>__COUNT__ Devices with lowest security rating in group __GROUP_NAME__
</title>
variable_name
Syntax
Description
Parameters
color String. The color of the bar or series of the variable, expressed in #RGB.
This parameter is for count type and trend_count_group type charts, and
the default chart type only.
This parameter is optional.
value_ String. A condition, such that, only devices with a variable value that
condition passes the condition will be counted.
This parameter is for count type and trend_count_group type charts only.
For trend_count_group type charts, only equality is supported, and the
value is stated without the operator.
Subtags
None.
Content
Example
In the following example, the color of the bars for this variable will be #cb3333, only
devices with a variable value of 3 will be counted, and the label of the bars for this
variable will be "high".
<variable_name color="#cb3333" value_condition="=3" bar_
name="high">highest</variable_name>
statistics_type
Syntax
<statistics_type> statistics_type</statistics_type>
Description
This tag specifies the type of statistic that the chart displays.
Parameters
None.
Subtags
None.
Content
Options Specifies this...
simple_count: The count of the variable for each device. This statistic type is available for the following variables: rules, covered_rules, special_case_rules, unused_rules, and security_rating. For example, if the statistic type is simple_count and the variable is rules, the chart displays the number of rules for each device.
risk_level: The risk level of each device. This statistic type is available for the highest variable. When this statistic type/variable combination is used, the chart displays the number of devices whose highest risk is high, suspected high, medium, and low.
compliance_score: The compliance score of each device. This statistic type is available for the following variables: HIPAA, BASEL, NIST_800-41, NIST_800-53, ISO27001, NERC4, GLBA, TRM, DSD, SOX, PCI.
compliance_color: The compliance color of each device. This statistic type is available for the following variables: HIPAA, BASEL, NIST_800-41, NIST_800-53, ISO27001, NERC4, GLBA, TRM, DSD, SOX, PCI.
baseline_score: The baseline compliance score of each device (the score is the percentage of met requirements). This statistic type is available for the baseline variable.
risks_per_risk_level: The number of risks of a specific risk level for each device. This statistic type is available for the following variables: high, suspected_high, medium, and low. For example, if the statistic type is risks_per_risk_level and the variable is high, the chart displays the number of high risk rules for each device.
total_changes: The number of changes on each device. This statistic type is available for the sum variable. When this statistic type/variable combination is used, the chart displays the total number of changes on each device.
Example
In the following example, the chart will display a simple count of the specified variable.
<statistics_type>simple_count</statistics_type>
type
Syntax
<type> [type]</type>
Description
Parameters
None.
Subtags
None.
Content
Options Specifies this...
count: A bar chart that specifies the count of devices for each variable.
condition: A bar chart that displays the number of devices whose variable value is greater than the Chart_Threshold_Val configuration item, and the number of devices whose variable value is not, for all devices in the group. For details, see the Chart_Threshold_Val parameter.
trend_value: A trend chart that displays a calculation (defined by the function parameter of variable_name) of the variable values over all devices in the group, over time.
trend_condition: A trend chart that displays the number of devices whose variable value is greater than the Chart_Threshold_Val configuration item, and the number of devices whose variable value is not, for all devices in the group, over time. For details, see the Chart_Threshold_Val parameter.
trend_count_group: A trend chart that displays the total count of the variable for all devices in the group, over time.
sum_over_time: A bar chart that displays the accumulation of the statistic for each device in the group.
trend_sum_over_time: A trend chart that displays the accumulation of the statistic, over time.
empty (default): A bar chart that displays the count of the variable for each device in the group. There can be multiple variables per device.
Example
In the following example, the chart will be a bar chart that displays the total count of the
variable for each device in the group. For example, if the chosen variable is unused_
rules, the chart will display a bar chart with the count of unused rules per device.
<type>count</type>
limit
Syntax
<limit> [limit]</limit>
Description
This tag specifies the number of devices the chart displays. This tag is only for bar
charts.
Parameters
None.
Subtags
None.
Content
Integer. The number of devices the chart will display. If left empty, the LIMIT tag defaults
to 25.
Example
In the following example, the chart displays 6 devices (combined with order_dir, this gives a top-6 or bottom-6 chart).
<limit>6</limit>
order_dir
Syntax
<order_dir> [order_dir]</order_dir>
Description
This tag specifies whether the chart starts with displaying the devices with the most of
the variable or the least of the variable. This tag is only for bar charts.
Parameters
None.
Subtags
None.
Content
Options Specifies this...
ASC: The bar chart starts with the devices with the least of the variable. For example, if the LIMIT tag is set to 6, this produces a chart with the bottom 6 devices.
DESC: The bar chart starts with the devices with the most of the variable. For example, if the LIMIT tag is set to 6, this produces a chart with the top 6 devices.
Example
In the following example, the chart will start with displaying devices with the least of the
variable.
<order_dir>ASC</order_dir>
direction
Syntax
<direction> [direction]</direction>
Description
This tag specifies the direction the chart displays. This tag is only for bar charts.
Parameters
None.
Subtags
None.
Content
Options Specifies this...
horizontal: The bars are drawn horizontally.
vertical: The bars are drawn vertically. (Default)
Example
In the following example, the chart is drawn horizontally.
<direction>horizontal</direction>
ymin
Syntax
<ymin> [ymin]</ymin>
Description
This tag specifies the minimum y-axis value displayed in the chart. This tag is optional.
Parameters
None.
Subtags
None.
Content
Integer. The minimum y-axis value displayed in the chart. If left empty, the value is
computed to fit the data.
Example
In the following example, the minimum y-axis value displayed in the chart is 0.
<ymin>0</ymin>
ymax
Syntax
<ymax> [ymax]</ymax>
Description
This tag specifies the maximum y-axis value displayed in the chart. This tag is optional.
Parameters
None.
Subtags
None.
Content
Integer. The maximum y-axis value displayed in the chart. If left empty, the value is
computed to fit the data.
Example
In the following example, the maximum y-axis value displayed in the chart is 100.
<ymax>100</ymax>
days_back
Syntax
<days_back> [days_back]</days_back>
Description
This tag specifies the number of days back displayed in the chart. This tag is optional,
and is only for trend charts.
Parameters
None.
Subtags
None.
Content
Integer. The number of days back displayed in the chart. If left empty, the value defaults
to 100 days.
Example
In the following example, the trend chart will display data for the last 200 days.
<days_back>200</days_back>
Chart Example
<!-- This is an AFA dashboard chart configuration file. Each dashboard chart is configured by one such file. User-defined files belong in '<AFA home dir>/.fa/dashboards/charts', or, if domains are enabled, in '<AFA home dir>/.fa/algosec_domains/<domain>/dashboards/charts'.
Note: The tags and properties in this file are case sensitive. A chart is configured by the 'CHART' tag. -->
<CHART>
    <!-- The 'title' tag determines the title displayed at the top of the chart. It may contain parameters that are replaced by the appropriate values:
         __GROUP_NAME__ - The AFA device group whose data is compiled in this chart (as defined in the dashboard XML)
         __THRESHOLD__  - The threshold stated in the "Chart_Threshold_Val" configuration item
         __COUNT__      - The number of devices compiled for the chart -->
    <title>Number of devices by leading risk severity in group __GROUP_NAME__</title>
    <!-- The 'type' tag determines the chart type. The default type (if no value is specified) plots each variable's value (there may be several variables, representing different series) for each group member. Available types are:
         count             - Count each variable over all group members
         condition         - Count values greater than the "Chart_Threshold_Val" configuration item
         trend_value       - For each time frame, calculate the property over the group members defined by the function property of variable_name (the default is average)
         trend_condition   - For each time frame, count values greater than the "Chart_Threshold_Val" configuration item
         trend_count_group - For each time frame, count the variable over all group members -->
    <type>count</type>
    <!-- 'statistics_type' - The type of statistic. Allowed values are those listed under the statistics_type tag: simple_count, risk_level, compliance_score, compliance_color, baseline_score, risks_per_risk_level, total_changes -->
    <statistics_type>risk_level</statistics_type>
    <!-- 'variable_name' - The variable the statistic is computed for. The risk_level statistic applies to the 'highest' variable. -->
    <variable_name>highest</variable_name>
    <!-- A chart may have several additional configurable properties, specified by the following tags:
         'order_dir' - The ordering of the results: asc (ascending) or desc (descending). The default is descending. For default type bar charts only. In case of multiple variables (multi-series chart), the sort is based on the first variable.
         'limit'     - How many results to show; combined with 'order_dir' this creates top-X/bottom-X charts. Relevant for the default type only. See the limit tag for the default.
         'direction' - The direction of the chart: horizontal or vertical. The default is vertical. Relevant for bar charts only.
         'ymin'      - The minimum value of the Y axis. The default is auto computed to fit the data.
         'ymax'      - The maximum value of the Y axis. The default is auto computed to fit the data.
         'days_back' - The number of days back to show in a trend chart. -->
</CHART>
Do the following:
4. Add the DASHBOARD tag to the file, with the additional CHARTS and CHART
sub-tags.
For more details, see Dashboard tag reference and Dashboard configuration
example.
DASHBOARD Identifies the dashboard and specifies how charts are oriented.
Includes the CHARTS sub-tag.
Parameters include:
l name. String. The dashboard name. This name appears at the
top of the dashboard.
l columns. The number of charts that appear in each row of the
dashboard.
The charts will be filled in order of appearance, from left to right
and top to bottom.
CHART Defines the type of data in the chart, and which device group's data
appears in the chart.
Parameters include:
l group. String. The name of the AFA device group that is
analyzed in the chart.
l definition_file. String. The name of the chart XML file.
Specify a custom chart that you created and saved in the <AFA
home dir>/.fa/dashboards/charts directory, or a built-in chart.
For more details, see Custom dashboards and charts.
Dashboard configuration example (dashboard_name, chart_name.xml and the number of columns are placeholders to replace with your own values; ALL_FIREWALLS is the group used in the chart title example above):
<DASHBOARD name="dashboard_name" columns="2">
    <CHARTS>
        <CHART group="ALL_FIREWALLS" definition_file="chart_name.xml"></CHART>
    </CHARTS>
</DASHBOARD>
For descriptions of all built-in regulatory compliance reports, see Supported regulatory
compliance reports.
Note: To remove or add compliance reports in the Web Interface, customize the
compliance score value, or customize the compliance score severity threshold, see
Customize the regulatory compliance report.
Do the following:
1. Open a terminal and log in using the username "afa" and the related password.
3. Copy /usr/share/fa/data/compliance_reports/compliance_reports.xml to
/home/afa/.fa/compliance_reports/.
a. Find the report template(s) you want to modify in the override directory.
b. Copy the report templates you want to modify, and save the copy (in the
override directory). Use the above naming convention, with a new name for
your new report.
6. Open /home/afa/.fa/compliance_reports/compliance_reports.xml.
Add a new report tag as a sub-tag to the compliance_reports tag. The following table
describes the report tag attributes:
Attribute Description
id Internal key necessary for report creation.
Attribute Description
title Title of the report. This title will appear as a link on the Regulatory
Compliance page of the device report. The link leads to the compliance
report.
template_ HTML template file for a single device. This template will be used to
file create a single device compliance report.
template_ HTML template file for a device group. This template will be used to
file_ create a device group compliance report.
group
template_ HTML template file for a device matrix. This template will be used to
matrix create a device matrix compliance report.
active Indicates whether the report is generated when a device is analyzed.
This attribute can take the following values:
yes. Include the report on the Regulatory Compliance page of the device
report.
no. Exclude the report.
sub_title The sub-title for the report. This appears below the title of the report.
Example
<report title="Payment Card Industry Data Security Standard (PCI-DSS) version 2"
active="yes" template_file_matrix="compliance_rep_templ_matrix_pci2.html"
template_file_group="compliance_rep_templ_group_pci2.html" template_
3. Open /home/afa/.fa/compliance_reports/compliance_reports.xml.
4. Set the active attribute of the report you wish to enable to yes.
6. To remove a built-in report from the regulatory compliance page, do the following:
a. Open /home/afa/.fa/compliance_reports/compliance_reports.xml.
b. Set the active attribute of the report you wish to remove to no.
Troubleshooting
This topic describes common procedures used when troubleshooting AFA.
Stop/Start/Restart services
l algosec-ms
l apache-tomcat
l crond
l httpd
l iptables
l syslog-ng
l algosec-ms
Support may ask you to copy, move or remove files and create directories (for example under /tmp, using cp, mv, rm and mkdir) and to run chmod, chown, and chattr on the following paths:
l /home/afa/algosec/syslog_processor/*
l /home/afa
l /home/afa/.fa
l /home/afa/.fa/firewalls/*
l crontab -e -u afa
l vi /etc/ntp.conf
l vi /etc/hosts
l vi /etc/security/limits.conf
l kill -9 / pkill -9
l screen
l strace
In addition, they may be required to modify the iptables configuration on the AlgoSec
appliance/VM.
Some support cases may require performing a sync between the Firewall Analyzer and
FireFlow DB passwords.
To do this, run the following commands from the root user SSH CLI:
    FA_USER='afa'
    FA_CONF_FILE="/home/$FA_USER/.fa/config"
    FIREFLOW_SITE_CONFIG='/usr/share/fireflow/local/etc/site/FireFlow_SiteConfig.pm'
    # Read the encrypted FireFlow DB password from the FireFlow site config
    DB_ENC_PASS=`awk -F"'" '/FireFlowDatabasePasswordEncrypted/ {print $2;exit}' $FIREFLOW_SITE_CONFIG`
    # Decrypt it as the afa user; psql reads the clear-text value from PGPASSWORD
    export PGPASSWORD=`/usr/bin/sudo -H -u $FA_USER /usr/share/fa/bin/fa_password -decrypt $DB_ENC_PASS 2>/dev/null`
    # Set the afa database role's password to the FireFlow value
    psql -U postgres -c "alter user $FA_USER with password '${PGPASSWORD}';"
    # Store the same encrypted value in the AFA config (the sed expression assumes
    # the encrypted value contains no '/' or '&' characters)
    sed -i 's/^DB_password=.*/DB_password='$DB_ENC_PASS'/' $FA_CONF_FILE
    # Do not leave the clear-text password in the shell environment
    unset PGPASSWORD
Enter Debug mode: Click your username in the toolbar and then click Info. In the Info dialog, click Enter Debug Mode.
Exit Debug mode: Click your username in the toolbar and then click Info. In the Info dialog, click Exit Debug Mode.
Open a new case from the AlgoSec Portal > Support > Submit a Support Case.
GUI-related issues: Send algosec-support-gui.zip. For details, see Download general log files.
If the algosec-support-gui.zip file is unavailable, send the following files instead:
l .fa-history
l fa-install.log
l .ht-fa-history
For more details, see Access log and configuration files.
For more details, see the AlgoSec Portal > Support > Support Home.
The following table lists log and configuration files useful when troubleshooting AFA.
algosec-support-full-ENTITY_NAME.zip: Full support data files, which include report log files and the full firewall configuration. Download from the device report. For details, see Download full support files.
algosec-support-full-ENTITY_NAME-withlogs.zip: Full support data files, which include report log files, the full firewall configuration, and traffic logs. Download from the device report. For details, see Download full support files.
Note: You'll need to access the log files directly if the ASMS web interface isn't
available, or if the algosec-support.zip archive is missing. This may happen if a
report has failed, or if you've encountered issues during installation or licensing.
Do the following:
The log file appears. All messages are prefixed with one of the following severity tags:
Severity
Level Description
Warning AFA took corrective action to remedy a problem that was encountered.
Usually, no user action is required unless the report failed to generate, in
which case the log file should be sent to AlgoSec Technical Support.
For more details, see Contact technical support.
Error A problem that prevented the report from being generated occurred.
Contact AlgoSec Technical Support. For more details, see Contact
technical support.
Do the following:
l catalina.out
l configuration_access_log.<date>.txt
l dump_nat_data
l fa-history
l fa-install.log
l fa/map.sqlite
l fwa_monitor.history
l ha-logs.tgz
l ht-fa-history
l localhost_access_log.<date>.txt
l log.html
l ms-backuprestore.log
l ms-batch-application.log
l ms-configuration.log
l ms-devicemanager.log
l ms-mapDiagnostics.log
l ms-watchdog.log
Send us feedback
Let us know how we can improve your experience with the Administration Guide.
Email us at: [email protected]
Note: For more details not included in this guide, see the online ASMS Tech Docs.