Access Rules Report

• Action: (RULE_ACTION) Permit, Allow or Deny.
• Application: (RULE_APPLICATION) Filtered application name associated with the rule (only for next-gen firewall).
• Bindings (ACL): (RULE_ACL) Name of the access list under which the rule is defined. This is a normalized zone representation of [src zone]:[dst zone] or interfaces if zones are not used [src binding]:[dst binding]
• Change Status: used in comparison mode to reflect added, unchanged and removed rules.
• Comment (Author, Date Status): User entered comments (or justification) and associated status (verified, to review, to revise).
• Description: (RULE_DESCRIPTION) Remarks from configs associated with rules. Typically found in Cisco and SonicWall devices.
• Destination: (RULE_DESTINATION) Object group destination for the rule.
• Device: (RULE_DEVICE) Device host name as defined in a configuration file.
• Dst Binding: (RULE_DST_BINDING) Outbound interface to which the rule is bound.
• Dst Criticality: (RULE_DST_CRIT) Criticality of the object group destination (or the parent zone containing the object group destination) as defined by the user on the topology map.
• Enabled: (RULE_ENABLED) Rule is enabled (True / False). The enabled column gets its value from the firewall config. The parser then decides if the rule is supported (True) or not (False). Disabled rules (value from firewall config) are displayed in the table as False and may have a green or gray text color.
• First Hit: Timestamp of when rule was first accessed (Palo Alto NGFW Only).
• Hit Count: (RULE_ACL_HITS) Number of times the ACL was accessed (Palo Alto NGFW Only).
• Hit Updated: Timestamp of last hits import. (Palo Alto NGFW Only).
• First Hit: Timestamp of when rule was last accessed (Palo Alto NGFW Only).
• Line #: Line number(s) in the configuration text file where the rule can be found.
• Object ID: Value for linking rules to comments. This column must be displayed when exporting the rule table for enrichment and reimport.
• Risk: (RULE_RISK) Highest risk text for associated Risk Criticality.
• Risk Criticality: (RULE_RISK_CRIT) Highest criticality assigned by the triggered risk rule.
• Rule: (RULE_NAME) Name of the rule found in the configuration. If the rule doesn’t have a name (e.g., Cisco devices), the value is populated by NP-View as RULE_X where X is the rule index.
• Rule Tag: Palo Alto Only – rule tags from firewall.
• Rule UUID: Palo Alto Only – rule UUID from firewall.
• Service: (RULE_SERVICE) Object group service(s) associated with the rule. Alternatively, the field may be represented in a protocol/port-x to port-y format. For example, TCP/any to 53 (meaning TCP protocol, any to port 53), IP/any to 50 (meaning protocol 50). For ICMP we store the ICMP types in those fields. For example: “any to 11” or “any to 3” represent Type 3 — Destination Unreachable, Type 11 — Time Exceeded.
• Source: (RULE_SOURCE) Object group source for the rule.
• Src Binding: (RULE_SRC_BINDING) Inbound interface to which the rule is bound.
• Src Criticality: (RULE_SRC_CRIT) Criticality of the object group source (or the parent zone containing the object group source) as defined by the user on the topology map.
• Type: (RULE_TYPE) Type of rule (regular or VPN).
• User: (RULE_USER) Filtered user name associated with the rule.

Note that this feature was removed from v5.0 and up due to performance issues. It may return in the future.

The source and destination criticalities are calculated based on the higher of the criticalities assigned to the device, network, and zone (aka. binding) that the device is in.

• if device A is in network N1 and bound to zone Z1 and A is Low, N1 is Medium, and Z1 is High, then the criticality of A will be High (highest criticality based on zone)
• if A is Medium, N1 is Low, and Z1 is Low, then the criticality of A will be Medium (highest criticality based on device)
• if A is Low, N1 is High, and Z1 is Medium, then the criticality of A will be High (highest criticality based on network)

NP-View provides a simple and easy way for users to add comments and other metadata to rows in Access Rules, and to track the historical lineage of these comments in a workspace. Comments can be added, or viewed, for integrity purposes they cannot be edited or deleted.

Adding a Comment: Comments can be added to a row by double-clicking on the cell in the column “Comment”.  Comment text and status can be added and then saved with the save button. Once the comment is saved, the author and time stamp are automatically inserted.

*applying comment

*applying comment – closeup

Comment History: Additional comments can be added to a row to begin creating a lineage or history of comments. This history will be automatically available when more than one comment exists on a row and can be expanded by clicking the blue clock icon on the leftmost column of the table. If there is no history the icon will be disabled.

When viewing history, changes between lines are highlighted in blue.

Example: If Comment 1 is: “rule comment 1” – ‘verified’ and Comment 2 is “rule comment 1a” – ‘to revise’ the status cell would be highlighted because there was a change – the comment text would not be highlighted if the text remained the same.

*Viewing comment history

Access rules are uniquely tagged (Object ID) within NP-View for linkage to comments and risks. The tag (hash) is calculated based on a hex converted combination of the following data fields. Available data varies based on manufacturer so, some fields may not apply to specific manufacturers. Most of the fields are defined above. For the fields unique to the hash, they are documented below.

If any of the data in these fields changes, the tag will change and previously linked comments and risks will no longer be associated with this rule.

Universal Variables:

• ‘Binding (ACL)’ (Source binding : Destination binding)
• ‘Destination’ (group contents excluding group names*)
• ‘Service’ (group contents excluding group names)
• ‘Source’ (group contents excluding group names)
• ‘Application’ (group contents excluding group names*)

Vendor-specific Variables:

• ‘Action’
• ‘direction’ – is used to set some rules to isolate guests from LAN so that rules in the VLAN section of the firewall be set. Each specific network is going to have a set of rules. Depending on the rules created, each traffic will be labeled in, or out, or both.
• ‘Enabled’
• ‘scope’ – is for the traffic zones used in their networks. Rules can be created based on the parameters of interzone, intrazone, and universal.
• ‘Type’

*If the group name changes but the contents stay the same, the object_id will not change.

Access Rules and Object Groups have a Compare function to show historical differences in data that has been added or removed. The function can be engaged by clicking the “Compare” button located at the top of the page. This function is used to display changes over a period of days.

The user can select a time frame (7, 30, 90 or 356 days or a custom date range). The user can select one or more devices to include in the report and then show the history over the range. Once the parameters are selected, the “Show Comparison” button should be selected.

The comparison function will display all changes (Rule Adds, Rule Removal and Unchanged Rules) for the selected days. The data will be displayed using the column format of the selected table. The user can filter on added, removed or unchanged rules by clicking the jelly bean. Added rules will be highlighted in green, removed rules will be highlighted in red and unchanged rules will be highlighted in light blue.

Clicking the “Compare” button will revert to the normal table but will not clear the selections.

Clicking the “Reset” button will clear the selections and reset the table.