Policy Manager

Overview

The policy manager is used to build requirements that, based on logic, trigger messages or formatting in a designated table. All users have access to the Default Policies and Requirements. Default Policies and Requirements cannot be edited or deleted, but they can be enabled or disabled by clicking the toggle button and run by clicking the “Run” button. Policies and Requirements are global in nature: changes made in one workspace apply to all workspaces. For example, if a Policy, Requirement, or Device is deactivated in one workspace, that update will apply to all workspaces.

Only Enterprise users are able to create their own Custom Policies and Requirements. That content can be found at the bottom of this article.

Key Concepts

Using the policy manager requires the understanding of a few concepts:

Requirement: A requirement contains the logic that triggers a message or formatting action for one use case.

Policy: A policy is a collection of related requirements. It has no logic of its own; it is a means of categorization.

Risks and Warnings Policies: Trigger alert messages based on logic – device specific.

Table Highlighting Policies: Format the color of cells and text based on logic – device agnostic.

Default Risks & Warnings Policies

Risks & Warnings messages, which can be found in our table reports, are generated using the Policies and Requirements located in the Policy Manager. NP Policies and Requirements are automatically assigned to all devices when they are imported, and they run whenever network device configuration changes are identified.

The following default policies are provided for all Compliance modules:

  • NP Parser Policy – triggers from device configuration files
  • NP Path Policy – triggers from the results of the path analysis
  • NP Rule Policy – triggers from access rules

Policy / Requirement / Risk Severity

NP Parser Policy
  • Unnecessary EIGRP Network – Low
  • Broadcast traffic permission – Low
  • Traffic to multicast group – Low
  • Empty Field – Low
  • Unused ACL's – Low
  • Unused group – Low
  • Mixed any and not any – Low
  • Unassigned interface – Low
  • Missing interfaces – Low
  • Rule following schedule – Low

NP Path Policy
  • Any protocol path – Medium

NP Rule Policy
  • Any protocol path – High
  • Any to any IP – Medium
  • Any source IP – High
  • Any destination IP – Medium
  • Any protocol – Medium
  • Any destination port – Medium

Default CiS Benchmark Risk Policies

CiS Benchmarks are provided as part of the Best Practices Module. CiS Benchmarks provide a powerful set of secondary policies to help identify risks within your network.  CiS Benchmarks are disabled by default and must manually be enabled and assigned to devices. As noted, changes to Risk related Policies, Requirements or Devices apply to all workspaces. CiS Benchmark Policies and Requirements can be deactivated but not edited or deleted.

  • CiS Benchmark for Check Point
  • CiS Benchmark for Cisco
  • CiS Benchmark for Palo Alto

 

CIS Benchmark for Check Point – Requirement / Risk Severity

  • Ensure 'Login Banner' is set – Low
  • Ensure CLI session timeout is set to less than or equal to 10 minutes – Low
  • Ensure Check for Password Reuse is selected and History Length is set to 12 or more – Low
  • Ensure DHCP is disabled – Low
  • Ensure DNS server is configured – Low
  • Ensure Deny access after failed login attempts is selected – Low
  • Ensure Deny access to unused accounts is selected – Low
  • Ensure Disk Space Alert is set – Low
  • Ensure force users to change password at first login after password was changed from Users page is selected – Low
  • Ensure Host Name is set – Low
  • Ensure IPv6 is disabled if not used – Low
  • Ensure Maximum number of failed attempts allowed is set to 5 or fewer – Low
  • Ensure Minimum Password Length is set to 14 or higher – Low
  • Ensure NTP is enabled and IP address is set for Primary and Secondary NTP server – Low
  • Ensure Password Complexity is set to 3 – Low
  • Ensure Password Expiration is set to 90 days or less – Low
  • Ensure Telnet is disabled – Low
  • Ensure Warn users before password expiration is set to 7 days or less – Low
  • Ensure Web session timeout is set to less than or equal to 10 minutes – Low
  • Ensure Radius or TACACS+ server is configured – Low
  • Logging should be enabled for all Firewall Rules – Low

CIS Benchmark for Cisco – Requirement / Risk Severity

  • Ensure 'Domain Name' is set – Low
  • Ensure 'Failover' is enabled – Low
  • Ensure 'HTTP session timeout' is less than or equal to '5' minutes – Low
  • Ensure 'Host Name' is set – Low
  • Ensure 'LOGIN banner' is set – Low
  • Ensure 'MOTD banner' is set – Low
  • Ensure 'NTP authentication key' is configured correctly – Low
  • Ensure 'Password Policy' is enabled – Low
  • Ensure 'Password Recovery' is disabled – Low
  • Ensure 'SNMP community string' is not the default string – Low
  • Ensure 'SSH session timeout' is less than or equal to '5' minutes – Low
  • Ensure 'TACACS+RADIUS' is configured correctly – Low
  • Ensure 'console session timeout' is less than or equal to '5' minutes – Low
  • Ensure 'local username and password' is set – Low
  • Ensure 'logging with timestamps' is enabled – Low
  • Ensure 'logging' is enabled – Low
  • Ensure ActiveX filtering is enabled – Low
  • Ensure DHCP services are disabled for untrusted interfaces – Low
  • Ensure DOS protection is enabled for untrusted interfaces – Low
  • Ensure Master Key Passphrase is set – Low
  • Ensure email logging is configured for critical to emergency – Low
  • Ensure explicit deny in access lists is configured correctly – Low
  • Ensure 'trusted NTP server' exists – Low
  • Ensure Enable Password is set – Low
  • Ensure Java applet filtering is enabled – Low
  • Ensure Logon Password is set – Low
  • Ensure known default accounts do not exist – Low

CIS Benchmark for Palo Alto – Requirement / Risk Severity

  • Ensure 'Idle timeout' is less than or equal to 10 minutes for device management – Low
  • Ensure 'Login Banner' is set – Low
  • Ensure 'Minimum Length' is greater than or equal to 12 – Low
  • Ensure 'Minimum Lowercase Letters' is greater than or equal to 1 – Low
  • Ensure 'Minimum Numeric Letters' is greater than or equal to 1 – Low
  • Ensure 'Minimum Password Complexity' is enabled – Low
  • Ensure 'Minimum Special Characters' is greater than or equal to 1 – Low
  • Ensure 'Minimum Uppercase Letters' is greater than or equal to 1 – Low
  • Ensure 'New Password Differs By Characters' is greater than or equal to 3 – Low
  • Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled – Low
  • Ensure 'Permitted IP Addresses' is set to those necessary for device management – Low
  • Ensure 'Prevent Password Reuse Limit' is set to 24 or more passwords – Low
  • Ensure 'Required Password Change Period' is less than or equal to 90 days – Low
  • Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist – Low
  • Ensure HTTP and Telnet options are disabled for all management profiles – Low
  • Ensure HTTP and Telnet options are disabled for the management interface – Low
  • Ensure System Logging to a Remote Host – Low
  • Ensure alerts are enabled for malicious files detected by WildFire – Low
  • Ensure redundant NTP servers are configured appropriately – Low
  • Ensure that a Zone Protection Profile with an enabled SYN Flood Action of SYN Cookies is attached to all untrusted zones – Low
  • Ensure that a Zone Protection Profile with tuned Flood Protection settings enabled for all flood types is attached to all untrusted zones – Low
  • Ensure that the Certificate used for Decryption is Trusted – Low
  • Ensure valid certificate is set for browser-based administrator interface – Low
  • Syslog logging should be configured – Low

Risks Walkthrough

To better understand how to use the policy manager, let’s walk through an example using Risks & Warnings Policies and Requirements.

In the above image we can see the policy manager window open, with the Risks & Warnings Policies tab selected. Below the tab there is a dropdown that contains all the default and custom policies available (custom Policies are Enterprise only). The default NP Rule Policy has been selected.

Policy Details

When a Policy is selected, we see its details on the right side of the window. Risks & Warnings Policies are device-specific, and it is on this page that we can change which devices the policy applies to. If we change whether the Policy is enabled, or the devices included, the Policy will need to be rerun by clicking the “Run” button. Rerunning an enabled Policy also reruns all the enabled Requirements within that Policy.

Requirement Details

On the left-hand side, below our chosen Policy, we can see the Requirements included in this Policy and an icon indicating whether each one is enabled.

In the above image we can see the information for a default Requirement, “Any destination IP”. Looking at the details for this requirement we can see its name, its description, and the logic used to trigger the Risk alert message. This requirement is an example of compound logic: the risk will only trigger if all four conditions are met. Each condition has four elements.

Requirement Conditions

Apply To: The Table_Column that the logic will run on.

Apply When: Whether the String must be found or not found in that Table_Column.

String: The information the requirement is looking for in the specified Table_Column.

Operator: Used to build compound logic with and/or.

Default Requirements cannot be edited, but if we disable a Requirement we need to run it again for that change to take effect.

Risks & Warnings Output

Finally, when the conditions of a Risks & Warnings Policy and its Requirements are met, the result will look like the image below. If a Requirement was triggered, its text has been populated into the Risk column.

Now that we know where the text comes from, let’s find out where the coloring comes from.

Table Highlighting Walkthrough

Table Highlighting Policies and Requirements work in almost the same way as Risks & Warnings, with a few key differences. The main difference is that a Table Highlighting Requirement formats cells and text instead of producing an alert message.

When comments are added to any table and assigned a criticality, the Comment Count columns will display the number of comments for each table row, and the cell color will reflect the highest criticality comment: High = Red, Medium = Orange, Low = Blue.

Default Table Highlighting requirements (Rule Name | Text Match | Action):

  • Rule Action - Allow or Permit or Accept | Action = Allow or Permit or Accept | 'Action' cell = None, Text = Green
  • Rule Action - Deny | Action = Deny | 'Action' cell = None, Text = Red
  • Rule Destination - Any | Destination = [\s\S]*any[\s\S]* | 'Destination' cell = None, Text = Red
  • Rule Destination - High | Dst Criticality = High | 'Destination' cell = Red, Text = White
  • Rule Destination - Medium | Dst Criticality = Medium | 'Destination' cell = Yellow, Text = Black
  • Rule Destination - Low | Dst Criticality = Low | 'Destination' cell = Blue, Text = White
  • Rule Destination - Untrusted | Dst Criticality = Untrusted | 'Destination' cell = Gray, Text = Black
  • Rule Destination Binding - Any | Dst Binding = [\s\S]*any[\s\S]* | 'Dst Binding' cell = None, Text = Red
  • Rule Destination Binding - High | Dst Criticality = High | 'Dst Binding' cell = Red, Text = White
  • Rule Destination Binding - Medium | Dst Criticality = Medium | 'Dst Binding' cell = Orange, Text = Black
  • Rule Destination Binding - Low | Dst Criticality = Low | 'Dst Binding' cell = Blue, Text = White
  • Rule Destination Binding - Untrusted | Dst Criticality = Untrusted | 'Dst Binding' cell = Gray, Text = Black
  • Rule Destination Criticality - High | Dst Criticality = High | 'Dst Criticality' cell = Red, Text = White
  • Rule Destination Criticality - Medium | Dst Criticality = Medium | 'Dst Criticality' cell = Yellow, Text = Black
  • Rule Destination Criticality - Low | Dst Criticality = Low | 'Dst Criticality' cell = Blue, Text = White
  • Rule Enabled - True | Enabled = True | 'Enabled' cell = None, Text = Green
  • Rule Enabled - False | Enabled = False | 'Enabled' cell = None, Text = Gray
  • Rule Enabled - Ignored | Enabled = Ignored | 'Enabled' cell = None, Text = Yellow
  • Rule Risk - High | Risk Criticality = High | 'Risk' cell = White, Text = Red
  • Rule Risk - Medium | Risk Criticality = Medium | 'Risk' cell = White, Text = Yellow
  • Rule Risk - Low | Risk Criticality = Low | 'Risk' cell = White, Text = Blue
  • Rule Risk - None | Risk Criticality = High, Medium, Low | 'Risk' cell = None, Text = Gray
  • Rule Risk Criticality - High | Risk Criticality = High | 'Risk Criticality' cell = Red, Text = White
  • Rule Risk Criticality - Medium | Risk Criticality = Medium | 'Risk Criticality' cell = Yellow, Text = Black
  • Rule Risk Criticality - Low | Risk Criticality = Low | 'Risk Criticality' cell = Blue, Text = White
  • Rule Risk Criticality - N/A | Risk Criticality = High, Medium, Low | 'Risk Criticality' cell = None, Text = Gray
  • Rule Service - Any | Service = Any | 'Source' cell = None, Text = Red
  • Rule Source - Any | Source = Any | 'Source' cell = None, Text = Red
  • Rule Source - High | Src Criticality = High | 'Source' cell = Red, Text = White
  • Rule Source - Medium | Src Criticality = Medium | 'Source' cell = Yellow, Text = Black
  • Rule Source - Low | Src Criticality = Low | 'Source' cell = Blue, Text = White
  • Rule Source - Untrusted | Src Criticality = Untrusted | 'Source' cell = Gray, Text = Black
  • Rule Source Binding - Any | Src Binding = Any | 'Src Binding' cell = None, Text = Red
  • Rule Source Binding - High | Src Criticality = High | 'Src Binding' cell = Red, Text = White
  • Rule Source Binding - Medium | Src Criticality = Medium | 'Src Binding' cell = Yellow, Text = Black
  • Rule Source Binding - Low | Src Criticality = Low | 'Src Binding' cell = Blue, Text = White
  • Rule Source Binding - Untrusted | Src Criticality = Untrusted | 'Src Binding' cell = Gray, Text = Black
  • Rule Source Criticality - High | Src Criticality = High | 'Src Criticality' cell = Red, Text = White
  • Rule Source Criticality - Medium | Src Criticality = Medium | 'Src Criticality' cell = Yellow, Text = Black
  • Rule Source Criticality - Low | Src Criticality = Low | 'Src Criticality' cell = Blue, Text = White
  • Rule Source Criticality - Untrusted | Src Criticality = Untrusted | 'Src Criticality' cell = Gray, Text = Black


Policy Details

On the default Policy page for Table Highlighting we can see that these Policies do not require device selection.

Requirement Details

Selecting a default Requirement for this Policy shows us the requirement details.

For a Table Highlighting requirement there are a few more options that are used to target the logic and the action. This is because Table Highlighting requirements allow you to look for information in one table/column and apply the action in a different table/column. First, we choose the target Table and Column that will receive the Highlighting Action. Then we choose the table and column where we want the logic to run.

Requirement Conditions

Compliance Type: Table Highlighting requirements can be set to run only on certain compliance frameworks.

Table: The target table that the highlighting will be applied to if the logic matches.

Column: The target column, within the previously chosen target table, that the highlighting will be applied to if the logic matches.

When String: The string the requirement is searching for.

Is: Found or not found.

In Column: The Table_Column where the requirement is searching for the designated string.

Operator: And/or for building compound logic.

Highlighting Action: If the conditions for the logic are met, this is how the cell and the text will be colored.

Highlighting Output

Reset

Sometimes you may need to reset the risks or the formatting. For this, Administrators and Workspace Admins have access to a reset button on both the Risks & Warnings Policies Overview page and the Table Highlighting Policies Overview page.

Risks & Warnings

This action will reset all Risks and Warnings information for this workspace. Afterwards, all enabled policies for this workspace will be rerun. Because Policies are rerun after a reset, at least one policy must be enabled at the time of reset. Only Risks and Warnings data will be affected.

Table Highlighting

To remove all existing table highlights from a table, select the table you wish to reset and click “Reset Table.” Note: to add formatting back in, each requirement will need to be run again individually.

Enterprise Only Features

Custom Policies and Requirements

Customers with an enterprise-level license can create custom policies and requirements, in addition to the provided defaults, to generate risk and warning messages or personalized table highlighting. Building custom policies and requirements requires that you know the basics of the policy manager. If you haven’t already, go back to the top of this article and read the policy manager overview before proceeding to custom policies and requirements.

Two examples will be provided here:

1. Create a custom Policy and a custom Requirement for Risks & Warnings
2. Create a custom Policy and a custom Requirement for Table Highlighting

Risks & Warnings

Custom Policy

With the policy manager open to the Risks & Warnings tab, click the “Add Policy” button beneath the existing policies dropdown. Once this is done, you will see the “New Policy” form, where you can select a name, write a description, choose the vendor, and mark whether or not the Policy is enabled. Save the policy.

Custom Requirement

Now that we’ve added a Custom Risks & Warnings Policy, let’s put a Custom Requirement in this Policy. First, click the “Add Requirement” button. This will display the “New Requirement” form. Once the required fields have been filled in, you can save and run this new Custom Requirement.

Note: Empty cells can be found using the regex for an empty string. In the logic input field, use ^$.

For this example we created a requirement that triggers a risk message if the string ‘EMS’ is found in the Destination column of the Access Rules table.

After saving and running this requirement we can see that our Custom Requirement was properly triggered, and an alert was registered in the Access Rules table.

But what if we want to assign a color when ‘EMS’ is found in the Destination column of Access Rules? We will need a Custom Table Highlight Requirement to accomplish this.

Table Highlighting

Custom Policy

With the policy manager open to the Table Highlighting tab, click the “Add Policy” button beneath the existing policies dropdown. Once this is done, you will see the “New Policy” form, where you can select a name, write a description, and mark whether or not the Policy is enabled. Save the policy.

Custom Requirement

Now that we’ve added a Custom Table Highlighting Policy, let’s put a Custom Requirement in this Policy. First, click the “Add Requirement” button. This will display the “New Requirement” form. Once the required fields have been filled in, you can save and run this new Custom Requirement.

When making a custom requirement for table highlighting, it is important to know that you must first select the compliance framework, then the table, and then the column that you want the highlighting to be applied to. After this is done, you create the requirement logic by defining which table and column is searched for the criteria; this may be a different table and column from the one to which the formatting will be applied.

Note: Empty cells can be found using the regex for an empty string. In the logic input field, use ^$.

Let’s create a requirement that will highlight the cell for the risk we created in the previous example, in purple with white text. This means that we need to create a requirement for NERC CIP workspaces that formats the ‘Risk’ column in the ‘Access Rules’ table when the string ‘EMS’ is found in the ‘Destination’ column of the Access Rules table. The above image shows how we would lay that out. Once complete, save and run the new custom table highlighting requirement.

After this is complete, we can open the ‘Access Rules’ table and see that our new requirement has taken effect.
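To make the condition model concrete (the Apply To / Apply When / String / Operator fields described under Requirement Conditions above, and the custom EMS risk with its purple/white highlight from this walkthrough), here is an added Python example written for this article; it is not the product's own engine. It assumes that each String is a regular expression (as the ^$ and [\s\S]*any[\s\S]* entries suggest), that and/or operators combine conditions left to right without precedence, and that the Access Rules rows, the column names, the risk message and the colour names are constructed sample values.

```python
import copy
import re

# Constructed sample "Access Rules" table (not data from the product).
ACCESS_RULES = [
    {"Name": "r1", "Source": "10.1.0.0/16", "Destination": "EMS", "Service": "https", "Action": "Allow", "Risk": ""},
    {"Name": "r2", "Source": "any", "Destination": "10.2.0.5", "Service": "Any", "Action": "Deny", "Risk": ""},
    {"Name": "r3", "Source": "10.3.0.1", "Destination": "", "Service": "ssh", "Action": "Allow", "Risk": ""},
    {"Name": "r4", "Source": "10.4.0.0/24", "Destination": "10.9.9.9", "Service": "Any", "Action": "Permit", "Risk": ""},
]

def condition_met(row, apply_to, apply_when, string):
    """One condition: regex `string` is found / not found in the Apply To column."""
    found = re.search(string, row.get(apply_to, "")) is not None
    return found if apply_when == "found" else not found

def requirement_met(row, conditions):
    """Compound logic: each condition is (apply_to, apply_when, string, operator), the
    operator ("and"/"or", None on the last) joining it to the next one. Assumption:
    conditions are combined left to right, with no precedence between and/or."""
    result, pending_op = None, None
    for apply_to, apply_when, string, operator in conditions:
        value = condition_met(row, apply_to, apply_when, string)
        if result is None:
            result = value
        elif pending_op == "and":
            result = result and value
        else:
            result = result or value
        pending_op = operator
    return bool(result)

def run_risk_requirement(table, conditions, message):
    """Risks & Warnings: write `message` into the Risk column of matching rows."""
    hits = []
    for row in table:
        if requirement_met(row, conditions):
            row["Risk"] = f"{row['Risk']}; {message}" if row["Risk"] else message
            hits.append(row["Name"])
    return hits

def run_highlight_requirement(table, conditions, target_column, cell, text):
    """Table Highlighting: logic runs on the condition columns, colour goes to `target_column`."""
    return {(row["Name"], target_column): {"cell": cell, "text": text}
            for row in table if requirement_met(row, conditions)}

# Requirements from the article: the EMS risk, the ^$ empty-cell note, the any-match regex, and a "not found" case.
EMS_IN_DESTINATION = [("Destination", "found", "EMS", None)]
EMPTY_DESTINATION = [("Destination", "found", "^$", None)]
ANY_SOURCE_OR_ANY_SERVICE = [("Source", "found", r"[\s\S]*any[\s\S]*", "or"),
                             ("Service", "found", "Any", None)]
NOT_AN_ALLOW_RULE = [("Action", "not found", "Allow|Permit|Accept", None)]

def demo():
    """Run the custom EMS risk, then the purple/white highlight of the Risk column it fills."""
    rules = copy.deepcopy(ACCESS_RULES)
    hits = run_risk_requirement(rules, EMS_IN_DESTINATION, "EMS destination")
    styles = run_highlight_requirement(rules, EMS_IN_DESTINATION, "Risk", "Purple", "White")
    return hits, styles, rules
```

Calling demo() returns the triggered row names, the colour assignments keyed by (row, column), and the rows with the Risk column populated; the other requirement constants can be passed to run_risk_requirement the same way.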
