Policy Manager
Overview
The policy manager is used to build requirements that trigger messages or formatting in a designated table, based on logic. All users have access to Default Policies and Requirements. Default policies and requirements cannot be edited or deleted. Default Policies and Requirements can be “Enabled or Disabled” by clicking the toggle button and “Run” by clicking the “Run” button. Policies and Requirements are global in nature and changes made when in one workspace will apply to all workspaces. For example, if a Policy, Requirement, or Device is deactivated in one workspace, that update will apply to all workspaces
Key Concepts
Using the policy manager requires the understanding of a few concepts:
Requirement A requirement contains logic to trigger a message or formatting action for one use case.
Policy A policy is a collection of related requirements and does not have any logic associated with it, it is a means for categorization.
Risks and Warnings Policies Trigger alert messages based on logic – device specific
Table Highlighting Policies Formats the color of cells and text based on logic – device agnostic
Default Risks & Warnings Policies
Risk and Warnings messages, which can be found in our table reports, are generated using Policies and Requirements located in the Policy Manager. NP Policies and Requirements are automatically assigned to all devices when they are imported, and run when network device configuration changes are identified.
The following default policies are provided for all Compliance modules:
- NP-Parser Policy – triggers from device configuration files
- NP Rule Policy – triggers from access rules
Default Policies and Requirements
| Policy | Requirement | Risk Severity |
| NP Parser Policy | Unnecessary EIGRP Network | Low |
| Broadcast traffic permission | Low | |
| Traffic to multicast group | Low | |
| Empty Field | Low | |
| Unused ACL’s | Low | |
| Unused group | Low | |
| Mixed any and not any | Low | |
| Unassigned interface | Low | |
| Missing interfaces | Low | |
| Rule following schedule | Low | |
| NP Rule Policy | Any protocol path | High |
| Any to any IP | Medium | |
| Any source IP | High | |
| Any destination IP | Medium | |
| Any protocol | Medium | |
| Any destination port | Medium |
Default CiS Benchmark Risk Policies
CiS Benchmarks are provided as part of the Best Practices Module. CiS Benchmarks provide a powerful set of secondary policies to help identify risks within your network. CiS Benchmarks are disabled by default and must manually be enabled and assigned to devices. As noted, changes to Risk related Policies, Requirements or Devices apply to all workspaces. CiS Benchmark Policies and Requirements can be deactivated but not edited or deleted.
- CiS Benchmark for Check Point
- CiS Benchmark for Cisco
- CiS Benchmark for Juniper
- CiS Benchmark for Palo Alto
CiS Benchmark for Check Point Firewall
The below requirements were derived from the CiS Check Point Firewall Benchmark v1.1.0 – 06-29-2020.
| Requirement | Risk Severity |
| Ensure ‘Login Banner’ is set | Low |
| Ensure CLI session timeout is set to less than or equal to 10 minutes | Low |
| Ensure Check for Password Reuse is selected and History Length is set to 12 or more | Low |
| Ensure DHCP is disabled | Low |
| Ensure DNS server is configured | Low |
| Ensure Deny access after failed login attempts is selected | Low |
| Ensure Deny access to unused accounts is selected | Low |
| Ensure Disk Space Alert is set | Low |
| Ensure force users to change password at first login after password was changed from Users page is selected | Low |
| Ensure Host Name is set | Low |
| Ensure IPv6 is disabled if not used | Low |
| Ensure Maximum number of failed attempts allowed is set to 5 or fewer | Low |
| Ensure Minimum Password Length is set to 14 or higher | Low |
| Ensure NTP is enabled and IP address is set for Primary and Secondary NTP server | Low |
| Ensure Password Complexity is set to 3 | Low |
| Ensure Password Expiration is set to 90 days or less | Low |
| Ensure Telnet is disabled | Low |
| Ensure Warn users before password expiration is set to 7 days or less | Low |
| Ensure Web session timeout is set to less than or equal to 10 minutes | Low |
| Ensure Radius or TACACS+ server is configured | Low |
| Logging should be enabled for all Firewall Rules | Low |
CiS Benchmark for Cisco ASA 8.x, 9.x Firewall
The below requirements were derived from the CiS Cisco Firewall Benchmark v4.1.0 – 01-16-2018. Supporting ASA 8.x and 9.x.
| Requirement | Risk Severity |
| Ensure ‘Domain Name’ is set | Low |
| Ensure ‘Failover’ is enabled | Low |
| Ensure ‘HTTP session timeout’ is less than or equal to ‘5’ minutes | Low |
| Ensure ‘Host Name’ is set | Low |
| Ensure ‘LOGIN banner’ is set | Low |
| Ensure ‘MOTD banner’ is set | Low |
| Ensure ‘NTP authentication key’ is configured correctly | Low |
| Ensure ‘Password Policy’ is enabled | Low |
| Ensure ‘Password Recovery’ is disabled | Low |
| Ensure ‘SNMP community string’ is not the default string | Low |
| Ensure ‘SSH session timeout’ is less than or equal to ‘5’ minutes | Low |
| Ensure ‘TACACS+RADIUS’ is configured correctly | Low |
| Ensure ‘console session timeout’ is less than or equal to ‘5’ minutes | Low |
| Ensure ‘local username and password’ is set | Low |
| Ensure ‘logging with timestamps’ is enabled | Low |
| Ensure ‘logging’ is enabled | Low |
| Ensure ActiveX filtering is enabled | Low |
| Ensure DHCP services are disabled for untrusted interfaces | Low |
| Ensure DOS protection is enabled for untrusted interfaces | Low |
| Ensure Master Key Passphrase is set | Low |
| Ensure email logging is configured for critical to emergency | Low |
| Ensure explicit deny in access lists is configured correctly | Low |
| Ensure ‘trusted NTP server’ exists | Low |
| Ensure Enable Password is set | Low |
| Ensure Java applet filtering is enabled | Low |
| Ensure Logon Password is set | Low |
| Ensure known default accounts do not exist | Low |
CiS Benchmark for Juniper JunOS 15.1 Firewall
The below requirements were derived from the CiS Cisco Juniper Benchmark v2.1.0 – 11-23-2020. Supporting JunOS v15.1.
| Requirement | Risk Severity |
| Forbid Dial in Access | Low |
| Ensure VRRP authentication-key is set | Low |
| Ensure proxy-arp is disabled | Low |
| Ensure EBGP peers are set to use GTSM | Low |
| Ensure authentication check is not suppressed | Low |
| Ensure loose authentication check is not configured | Low |
| Ensure RIP authentication is set to MD5 | Low |
| Ensure BFD Authentication is Set | Low |
| Ensure BFD Authentication is Not Set to Loose-Check | Low |
| Ensure SNMPv1/2 are set to Read Only | Low |
| Ensure “Default Restrict” is set in all client lists | Low |
| Ensure AES128 is set for all SNMPv3 users | Low |
| Ensure SHA1 is set for SNMPv3 authentication | Low |
| Ensure Accounting of Logins | Low |
| Ensure Accounting of Configuration Changes | Low |
| Ensure Archive on Commit | Low |
| Ensure NO Plain Text Archive Sites are configured | Low |
| Ensure external AAA is used | Low |
| Ensure TCP SYN/FIN is Set to Drop | Low |
| Ensure TCP RST is Set to Disabled | Low |
| Ensure Minimum Session Time of at least 20 seconds | Low |
| Ensure Lockout-period is set to at least 30 minutes | Low |
| Ensure login message is set | Low |
| Ensure local passwords require multiple character sets | Low |
| Ensure at least 4 set changes in local passwords | Low |
| Ensure local passwords are at least 10 characters | Low |
| Ensure External NTP Servers are set | Low |
| Ensure Strong Ciphers are set for SSH | Low |
| Ensure Web-Management is not Set to HTTP | Low |
| Ensure Web-Management is Set to use HTTPS | Low |
| Ensure Web-Management is Set to use PKI Certificate for HTTPS | Low |
| Ensure Session Limited is Set for Web-Management | Low |
| Ensure Telnet is Not Set | Low |
| Ensure Reverse Telnet is Not Set | Low |
| Ensure Finger Service is Not Set | Low |
| Ensure Log-out-on-disconnect is Set for Console | Low |
| Ensure Autoinstallation is Set to Disabled | Low |
| Ensure Hostname is Not Set to Device Make or Model | Low |
| Ensure Password is Set for PIC-Console-Authentication | Low |
CiS Benchmark for Palo Alto 9
The below requirements were derived from the CiS Palo Alto Firewall 9 Benchmark v1.0.0 – 03-23-2020.
| Requirement | Risk Severity |
| Ensure ‘Idle timeout’ is less than or equal to 10 minutes for device management’ is set | Low |
| Ensure ‘Login Banner’ is set | Low |
| Ensure ‘Minimum Length’ is greater than or equal to 12 | Low |
| Ensure ‘Minimum Lowercase Letters’ is greater than or equal to 1 | Low |
| Ensure ‘Minimum Numeric Letters’ is greater than or equal to 1 | Low |
| Ensure ‘Minimum Password Complexity’ is enabled | Low |
| Ensure ‘Minimum Special Characters’ is greater than or equal to 1 | Low |
| Ensure ‘Minimum Uppercase Letters’ is greater than or equal to 1 | Low |
| Ensure ‘New Password Differs By Characters’ is greater than or equal to 3 | Low |
| Ensure ‘Permitted IP Addresses’ is set for all management profiles where SSH, HTTPS, or SNMP is enabled | Low |
| Ensure ‘Permitted IP Addresses’ is set to those necessary for device management | Low |
| Ensure ‘Prevent Password Reuse Limit’ is set to 24 or more passwords | Low |
| Ensure ‘Required Password Change Period’ is less than or equal to 90 days | Low |
| Ensure ‘Service setting of ANY’ in a security policy allowing traffic does not exist | Low |
| Ensure HTTP and Telnet options are disabled for all management profiles | Low |
| Ensure HTTP and Telnet options are disabled for the management interface | Low |
| Ensure System Logging to a Remote Host | Low |
| Ensure alerts are enabled for malicious files detected by WildFire | Low |
| Ensure redundant NTP servers are configured appropriately | Low |
| Ensure that a Zone Protection Profile with an enabled SYN Flood Action of SYN Cookies is attached to all untrusted zones | Low |
| Ensure that a Zone Protection Profile with tuned Flood Protection settings enabled for all flood types is attached to all untrusted zones | Low |
| Ensure that the Certificate used for Decryption is Trusted | Low |
| Ensure valid certificate is set for browser-based administrator interface | Low |
| Syslog logging should be configured | Low |
Risks Walkthrough
To better understand how to use the policy manager, let’s walk through an example using Risks & Warnings Policies and Requirements.
In the above image we can see the policy manager window open. The Risks & Warnings Policies tab has been selected. Below there is a dropdown that contains all the default policies available. The Default NP Rule Policy has been selected.
Policy Details
When a Policy is selected we see its details on the right side of the window. Risks & Warnings Policies are device-specific and it is on this page where we can change what devices the policy applies to. If we change whether or not the Policy is enabled, or the devices included, the Policy will need to be rerun by clicking the “Run” button. Rerunning an enabled Policy also reruns all the enabled Requirements within that Policy.
Requirement Details
On the left hand side, below our chosen Policy, we can see the Requirements that are included in this Policy and an icon indicating whether or not they are enabled.
In the above image we can see then information for a default Requirement, “Any destination IP”. looking at the details for this requirement we can see its name, its details, and the logic being used to trigger the Risk alert message. This requirement is an example of compound logic being used. This risk will only trigger if all four conditions are met. Conditions have four elements.
Requirement Conditions
Apply To This is the Table_Column that the logic will run on
Apply When If the string is found or not found
String What information the requirement is looking for in the specified table_column
Operator Used to build compound logic using and/or
We cannot edit them, but if we disable a requirement we need to run the requirement again for that to take effect.
Risks & Warnings Output
Finally, when are risks in warnings policy and and or requirement are met the result will look like the below image. The text has been populated into the Risk column if a requirement was triggered.
Now that we know where the text comes from – let’s find out where the coloring comes from.
Table Highlighting Walkthrough
Table Highlighting Policies and Requirements work in almost the same way as Risks & Warnings, with a few key differences. The main being that it formats cells and texts instead of producing an alert message.
Global Default Policies and Requirements
When comments are added to any table and assigned a criticality, the Comment Count columns will display the number of comments for each table row and the cell color will reflect the highest criticality comment. High = Red, Medium = Orange, Low = Blue.
Access rules Default Policies and Requirements
| Rule Name | Text Match | Action |
|---|---|---|
| Rule Action – Allow or Permit or Accept | Action = Allow or Permit or Accept | ‘Action’ cell = None, Text = Green |
| Rule Action – Deny | Action = Deny | ‘Action’ cell = None, Text = Red |
| Rule Destination – Any | Destination = [\s\S]*any[\s\S]* | ‘Destination’ cell = None, Text = Red |
| Rule Destination – High | Dst Criticality = High | ‘Destination’ cell = Red, Text = White |
| Rule Destination – Medium | Dst Criticality = Medium | ‘Destination’ cell = Yellow, Text = Black |
| Rule Destination – Low | Dst Criticality = Low | ‘Destination’ cell = Blue, Text = White |
| Rule Destination – Untrusted | Dst Criticality = Untrusted | ‘Destination’ cell = Gray, Text = Black |
| Rule Destination Binding – Any | Dst Binding = [\s\S]*any[\s\S]* | ‘Dst Binding’ cell = None, Text = Red |
| Rule Destination Binding – High | Dst Criticality = High | ‘Dst Binding’ cell = Red, Text = White |
| Rule Destination Binding – Medium | Dst Criticality = Medium | ‘Dst Binding’ cell = Orange, Text = Black |
| Rule Destination Binding- Low | Dst Criticality = Low | ‘Dst Binding’ cell = Blue, Text = White |
| Rule Destination Binding – Untrusted | Dst Criticality = Untrusted | ‘Dst Binding’ cell = Gray, Text = Black |
| Rule Destination Criticality – High | Dst Criticality = High | ‘Dst Criticality’ cell = Red, Text = White |
| Rule Destination Criticality – Medium | Dst Criticality = Medium | ‘Dst Criticality’ cell = Yellow, Text = Black |
| Rule Destination Criticality- Low | Dst Criticality = Low | ‘Dst Criticality’ cell = Blue, Text = White |
| Rule Enabled – True | Enabled = True | ‘Enabled’ cell = None, Text = Green |
| Rule Enabled – False | Enabled = False | ‘Enabled’ cell = None, Text = Gray |
| Rule Enabled – Ignored | Enabled = Ignored | ‘Enabled’ cell = None, Text = Yellow |
| Rule Risk – High | Risk Criticality = High | ‘Risk’ cell = White, Text = Red |
| Rule Risk – Medium | Risk Criticality = Medium | ‘Risk’ cell = White, Text = Yellow |
| Rule Risk – Low | Risk Criticality = Low | ‘Risk’ cell = White, Text = Blue |
| Rule Risk – None | Risk Criticality = High, Medium, Low | ‘Risk’ cell = None, Text = Gray |
| Rule Risk Criticality – High | Risk Criticality = High | ‘Risk Criticality’ cell = Red, Text = White |
| Rule Risk Criticality – Medium | Risk Criticality = Medium | ‘Risk Criticality’ cell = Yellow, Text = Black |
| Rule Risk Criticality – Low | Risk Criticality = Low | ‘Risk Criticality’ cell = Blue, Text = White |
| Rule Risk Criticality – N/A | Risk Criticality = High, Medium, Low | ‘Risk Criticality’ cell = None, Text = Gray |
| Rule Service – Any | Service = Any | ‘Source’ cell = None, Text = Red |
| Rule Source – Any | Source = Any | ‘Source’ cell = None, Text = Red |
| Rule Source – High | Src Criticality = High | ‘Source’ cell = Red, Text = White |
| Rule Source – Medium | Src Criticality = Medium | ‘Source’ cell = Yellow, Text = Black |
| Rule Source – Low | Src Criticality = Low | ‘Source’ cell = Blue, Text = White |
| Rule Source – Untrusted | Src Criticality = Untrusted | ‘Source’ cell = Gray, Text = Black |
| Rule Source Binding – Any | Src Binding = Any | ‘Src Binding’ cell = None, Text = Red |
| Rule Source Binding- High | Src Criticality = High | ‘Src Binding’ cell = Red, Text = White |
| Rule Source Binding – Medium | Src Criticality = Medium | ‘Src Binding’ cell = Yellow, Text = Black |
| Rule Source Binding – Low | Src Criticality = Low | ‘Src Binding’ cell = Blue, Text = White |
| Rule Source Binding – Untrusted | Src Criticality = Untrusted | ‘Src Binding’ cell = Gray, Text = Black |
| Rule Source Criticality – High | Src Criticality = High | ‘Src Criticality’ cell = Red, Text = White |
| Rule Source Criticality – Medium | Src Criticality = Medium | ‘Src Criticality’ cell = Yellow, Text = Black |
| Rule Source Criticality – Low | Src Criticality = Low | ‘Src Criticality’ cell = Blue, Text = White |
| Rule Source Criticality – Untrusted | Src Criticality = Untrusted | ‘Src Criticality’ cell = Gray, Text = Black |
Policy Details
On the default Policy page for Table Highlighting we can see that these Policies do not require device selection.
Requirement Details
Selecting a default Requirement for this Policy shows us the requirement details.
For a Table Highlight requirement there are a few more options that are used to target the logic for the action. This is because Table Highlighting requirements allow you to look for information in one table/ column and apply the action in a different table/column. First, we choose the target Table and Column that will receive the Highlighting Action. Then we choose the table and column where we want the logic to run.
Requirement Conditions
Compliance Type Table Highlighting requirements can be set to run only on certain compliance frameworks
Table The target table that the highlighting will be applied to if the logic is found.
Column The target column within the previously chosen target table, that the highlighting will be applied to if the logic is found
When String The string the requirement is searching for
Is found or not found
In Column Table_Column where the requirement is searching for the designated string
Operator And/ or for building compound logic
Highlighting Action If the conditions for the logic are met this is how the cell will be colored and how the text will be colored.
Highlighting Output
Reset
Sometimes there may be a reason to need to reset the risks or the formatting. For this, Administrator or Workspace Admins have access, on both the Risks & Warnings Policies Overview page and the Table Highlighting Policies Overview page, to a reset button.
Risks & Warnings
This action will reset all Risks and Warnings information for this workspace. After, all enabled policies for this workspace will be rerun. Because Policies will be rerun after reset, at least one policy must be enabled at time of reset. Only Risks and Warnings data will be affected.
Table Highlighting
To remove all existing table highlights from a table, select the table you wish to reset and click “Reset Table.” Note: to add formatting back in, each requirement will need to be run again individually.
