Optimize Policy: CPdefense
Rules Cleanup

Rule Reordering: rule reordering analysis was not performed. It requires rule usage statistics, which are not activated for this policy.

Rules Cleanup summary
  Unused rules                   N/A
  Covered rules                  1
  Redundant special case rules   2
  Consolidate rules              0
  Disabled rules                 6
  Time-inactive rules            0
  Rules without logging          6
  Rules with empty comments      3
  Rules with a time clause       0
  Rules about to expire          0
  Unused NAT rules               N/A
  Redundant NAT rules            0
  Rules                          18

Objects Cleanup
  Unattached objects             25
  Empty objects                  0
  Duplicate objects              3
  Unused objects                 N/A
  Unused objects within rules    N/A
  Hostgroup definitions          91
  Duplicate services             0

Intelligent Policy Tuner: not available (requires rule usage statistics, which are not activated).

VPN Cleanup (VPN Analysis Report)
  Expired users                  0
  Users about to expire          0
  Unattached user groups         0
  Unattached users               0

[Chart: Rules Cleanup bar chart with categories Unused, Covered, Disabled, Time-inactive, Not logged, No comments; vertical axis 0 to 8]

Rule Reordering: not available (requires rule usage statistics, which are not activated).
Rule Usage Statistics: not activated.
Covered rules
This page shows rules that are covered (hidden) by other rules. Such rules are effectively disabled and can probably be deleted.
Rule 11 is covered by rule 10.
RULE | NAME   | SOURCE             | DESTINATION        | SERVICE | ACTION | COMMENT | DOCUMENTATION
10   | TEST10 | HostA_192.168.10.5 | Office_192.168.3.0 | Any     | accept | HOST A  |
11   | TEST11 | HostB_192.168.10.5 | Office_192.168.3.0 | Any     | accept | HOST B  |
Redundant special case rules
This page shows rules that are a special case of other rules. In each pair of rules below, the top rule is a special case of the bottom rule. This means the top rule in every pair is redundant: removing it will not change the firewall's effective security policy.
Rule 8 is a special case of rule 9.
RULE | NAME  | SOURCE                 | DESTINATION        | SERVICE | ACTION | COMMENT      | DOCUMENTATION
8    | TEST8 | Production-Workstation | Office_192.168.3.0 | NFS     | accept | Produktion 1 |
9    | TEST9 | prod_192.168.22.0      | Office_192.168.3.0 | NFS     | accept | Produktion 2 |
Rule 10 is a special case of rule 11.
RULE | NAME   | SOURCE             | DESTINATION        | SERVICE | ACTION | COMMENT | DOCUMENTATION
10   | TEST10 | HostA_192.168.10.5 | Office_192.168.3.0 | Any     | accept | HOST A  |
11   | TEST11 | HostB_192.168.10.5 | Office_192.168.3.0 | Any     | accept | HOST B  |
Disabled Rules
RULE          | NAME   | SOURCE             | DESTINATION        | SERVICE     | ACTION | COMMENT | DOCUMENTATION
12 (disabled) | TEST12 | Any                | Any                | Any         | drop   |         |
13 (disabled) | TEST13 | HostA_192.168.10.5 | Office_192.168.3.0 | Any         | accept | HOST A  |
14 (disabled) | TEST14 | HostA_192.168.10.5 | Office_192.168.3.0 | Any         | accept | HOST A  |
15 (disabled) | TEST15 | HostA_192.168.10.5 | Office_192.168.3.0 | Any         | accept | HOST A  |
16 (disabled) | TEST16 | Any                | NESSUS-SCANNER     | Any         | drop   |         |
17 (disabled) | TEST17 | HostA_192.168.10.5 | Proxies-Trustwave  | http, https | accept |         |
Rules without logging
Log action is not defined for the following rules
RULE          | NAME   | SOURCE                 | DESTINATION        | SERVICE     | ACTION | COMMENT      | TRACK | DOCUMENTATION
8             | TEST8  | Production-Workstation | Office_192.168.3.0 | NFS         | accept | Produktion 1 | None  |
9             | TEST9  | prod_192.168.22.0      | Office_192.168.3.0 | NFS         | accept | Produktion 2 | None  |
10            | TEST10 | HostA_192.168.10.5     | Office_192.168.3.0 | Any         | accept | HOST A       | None  |
11            | TEST11 | HostB_192.168.10.5     | Office_192.168.3.0 | Any         | accept | HOST B       | None  |
12 (disabled) | TEST12 | Any                    | Any                | Any         | drop   |              | None  |
17 (disabled) | TEST17 | HostA_192.168.10.5     | Proxies-Trustwave  | http, https | accept |              | None  |
Rules with an empty comment field
RULE          | NAME   | SOURCE             | DESTINATION       | SERVICE     | ACTION | COMMENT | DOCUMENTATION
12 (disabled) | TEST12 | Any                | Any               | Any         | drop   |         |
16 (disabled) | TEST16 | Any                | NESSUS-SCANNER    | Any         | drop   |         |
17 (disabled) | TEST17 | HostA_192.168.10.5 | Proxies-Trustwave | http, https | accept |         |
Unattached objects
An object is identified as Unattached if it does not appear in any rule, in any policy that is managed by the current SmartCenter or CMA, and is also not a member of any object group that appears in any such rule.
NAME
AuxiliaryNet
CPDShield
DMZNet
EMailEnc-Cluster
Endian-Industrial-MGMT
FW-Admins
HoneyBOX-Mgmt
HoneyBOXen
InternalNet
IPS-SourceFiree-1
IPS-SourceFiree-2
LocalMachine
LocalMachine_All_Interfaces
LUMENSION-SCANNER
MailServer
SecuriyCenterTenable
Unattached objects referred by groups
The following list contains Unattached objects that are contained in groups. These objects and their containing groups are Unattached. They do not appear in any rule in any policy managed by the SmartCenter or CMA, and are not members of a group that appears in any such rule.
NAME
EMailEnc-Zertificon100
EMailEnc-Zertificon200
Exchange100
Exchange200
FW-ADMIN-1
FW-ADMIN-2
HoneyBox-1
HoneyBox-2
HoneyBox-3
Duplicate objects
Two or more objects are identified as duplicate if they have different names but refer to exactly the same collection of IP addresses and subnets.
NAME
Trusted_hosts = Any
CPdefense = Gateways
HostA_192.168.10.5 = HostB_192.168.10.5
Patent(s) pending & Copyright © 2003-2012 AlgoSec. All rights reserved. Usage strictly subject to License Agreement.