
Policy Manager

Overview

The Policy Manager is used to build Requirements that, based on logic, trigger messages or formatting in a designated table. All users have access to the Default Policies and Requirements. Default Policies and Requirements cannot be edited or deleted; they can be enabled or disabled by clicking the toggle button and run by clicking the “Run” button. Policies and Requirements are global in nature: changes made in one workspace apply to all workspaces. For example, if a Policy, Requirement, or Device is deactivated in one workspace, that update applies to all workspaces.

Key Concepts

Using the policy manager requires the understanding of a few concepts:

Requirement: A requirement contains logic to trigger a message or formatting action for one use case.

Policy: A policy is a collection of related requirements. It has no logic of its own; it is a means of categorization.

Risks and Warnings Policies: Trigger alert messages based on logic – device specific.

Table Highlighting Policies: Format the color of cells and text based on logic – device agnostic.

Default Risks & Warnings Policies

Risk and Warnings messages, which can be found in our table reports, are generated using the Policies and Requirements located in the Policy Manager. NP Policies and Requirements are automatically assigned to all devices when they are imported, and run when network device configuration changes are identified.

The following default policies are provided for all Compliance modules:

  • NP-Parser Policy – triggers from device configuration files
  • NP Rule Policy – triggers from access rules

Policy           | Requirement                  | Risk Severity
NP Parser Policy | Unnecessary EIGRP Network    | Low
NP Parser Policy | Broadcast traffic permission | Low
NP Parser Policy | Traffic to multicast group   | Low
NP Parser Policy | Empty Field                  | Low
NP Parser Policy | Unused ACL’s                 | Low
NP Parser Policy | Unused group                 | Low
NP Parser Policy | Mixed any and not any        | Low
NP Parser Policy | Unassigned interface         | Low
NP Parser Policy | Missing interfaces           | Low
NP Parser Policy | Rule following schedule      | Low
NP Rule Policy   | Any protocol path            | High
NP Rule Policy   | Any to any IP                | Medium
NP Rule Policy   | Any source IP                | High
NP Rule Policy   | Any destination IP           | Medium
NP Rule Policy   | Any protocol                 | Medium
NP Rule Policy   | Any destination port         | Medium

Default CIS Benchmark Risk Policies

CIS Benchmarks are provided as part of the Best Practices Module. CIS Benchmarks provide a powerful set of secondary policies to help identify risks within your network. CIS Benchmarks are disabled by default and must be manually enabled and assigned to devices. As noted, changes to Risk-related Policies, Requirements or Devices apply to all workspaces. CIS Benchmark Policies and Requirements can be deactivated but not edited or deleted.

  • CIS Benchmark for Check Point
  • CIS Benchmark for Cisco
  • CIS Benchmark for Juniper
  • CIS Benchmark for Palo Alto

The below requirements were derived from the CIS Check Point Firewall Benchmark v1.1.0 – 06-29-2020.

Requirement | Risk Severity
Ensure ‘Login Banner’ is set | Low
Ensure CLI session timeout is set to less than or equal to 10 minutes | Low
Ensure Check for Password Reuse is selected and History Length is set to 12 or more | Low
Ensure DHCP is disabled | Low
Ensure DNS server is configured | Low
Ensure Deny access after failed login attempts is selected | Low
Ensure Deny access to unused accounts is selected | Low
Ensure Disk Space Alert is set | Low
Ensure force users to change password at first login after password was changed from Users page is selected | Low
Ensure Host Name is set | Low
Ensure IPv6 is disabled if not used | Low
Ensure Maximum number of failed attempts allowed is set to 5 or fewer | Low
Ensure Minimum Password Length is set to 14 or higher | Low
Ensure NTP is enabled and IP address is set for Primary and Secondary NTP server | Low
Ensure Password Complexity is set to 3 | Low
Ensure Password Expiration is set to 90 days or less | Low
Ensure Telnet is disabled | Low
Ensure Warn users before password expiration is set to 7 days or less | Low
Ensure Web session timeout is set to less than or equal to 10 minutes | Low
Ensure Radius or TACACS+ server is configured | Low
Logging should be enabled for all Firewall Rules | Low

The below requirements were derived from the CIS Cisco Firewall Benchmark v4.1.0 – 01-16-2018, supporting ASA 8.x and 9.x.

Requirement | Risk Severity
Ensure ‘Domain Name’ is set | Low
Ensure ‘Failover’ is enabled | Low
Ensure ‘HTTP session timeout’ is less than or equal to ‘5’ minutes | Low
Ensure ‘Host Name’ is set | Low
Ensure ‘LOGIN banner’ is set | Low
Ensure ‘MOTD banner’ is set | Low
Ensure ‘NTP authentication key’ is configured correctly | Low
Ensure ‘Password Policy’ is enabled | Low
Ensure ‘Password Recovery’ is disabled | Low
Ensure ‘SNMP community string’ is not the default string | Low
Ensure ‘SSH session timeout’ is less than or equal to ‘5’ minutes | Low
Ensure ‘TACACS+RADIUS’ is configured correctly | Low
Ensure ‘console session timeout’ is less than or equal to ‘5’ minutes | Low
Ensure ‘local username and password’ is set | Low
Ensure ‘logging with timestamps’ is enabled | Low
Ensure ‘logging’ is enabled | Low
Ensure ActiveX filtering is enabled | Low
Ensure DHCP services are disabled for untrusted interfaces | Low
Ensure DOS protection is enabled for untrusted interfaces | Low
Ensure Master Key Passphrase is set | Low
Ensure email logging is configured for critical to emergency | Low
Ensure explicit deny in access lists is configured correctly | Low
Ensure ‘trusted NTP server’ exists | Low
Ensure Enable Password is set | Low
Ensure Java applet filtering is enabled | Low
Ensure Logon Password is set | Low
Ensure known default accounts do not exist | Low

The below requirements were derived from the CIS Cisco Juniper Benchmark v2.1.0 – 11-23-2020, supporting JunOS v15.1.

Requirement | Risk Severity
Forbid Dial in Access | Low
Ensure VRRP authentication-key is set | Low
Ensure proxy-arp is disabled | Low
Ensure EBGP peers are set to use GTSM | Low
Ensure authentication check is not suppressed | Low
Ensure loose authentication check is not configured | Low
Ensure RIP authentication is set to MD5 | Low
Ensure BFD Authentication is Set | Low
Ensure BFD Authentication is Not Set to Loose-Check | Low
Ensure SNMPv1/2 are set to Read Only | Low
Ensure “Default Restrict” is set in all client lists | Low
Ensure AES128 is set for all SNMPv3 users | Low
Ensure SHA1 is set for SNMPv3 authentication | Low
Ensure Accounting of Logins | Low
Ensure Accounting of Configuration Changes | Low
Ensure Archive on Commit | Low
Ensure NO Plain Text Archive Sites are configured | Low
Ensure external AAA is used | Low
Ensure TCP SYN/FIN is Set to Drop | Low
Ensure TCP RST is Set to Disabled | Low
Ensure Minimum Session Time of at least 20 seconds | Low
Ensure Lockout-period is set to at least 30 minutes | Low
Ensure login message is set | Low
Ensure local passwords require multiple character sets | Low
Ensure at least 4 set changes in local passwords | Low
Ensure local passwords are at least 10 characters | Low
Ensure External NTP Servers are set | Low
Ensure Strong Ciphers are set for SSH | Low
Ensure Web-Management is not Set to HTTP | Low
Ensure Web-Management is Set to use HTTPS | Low
Ensure Web-Management is Set to use PKI Certificate for HTTPS | Low
Ensure Session Limited is Set for Web-Management | Low
Ensure Telnet is Not Set | Low
Ensure Reverse Telnet is Not Set | Low
Ensure Finger Service is Not Set | Low
Ensure Log-out-on-disconnect is Set for Console | Low
Ensure Autoinstallation is Set to Disabled | Low
Ensure Hostname is Not Set to Device Make or Model | Low
Ensure Password is Set for PIC-Console-Authentication | Low

The below requirements were derived from the CIS Palo Alto Firewall 9 Benchmark v1.0.0 – 03-23-2020.

Requirement | Risk Severity
Ensure ‘Idle timeout is less than or equal to 10 minutes for device management’ is set | Low
Ensure ‘Login Banner’ is set | Low
Ensure ‘Minimum Length’ is greater than or equal to 12 | Low
Ensure ‘Minimum Lowercase Letters’ is greater than or equal to 1 | Low
Ensure ‘Minimum Numeric Letters’ is greater than or equal to 1 | Low
Ensure ‘Minimum Password Complexity’ is enabled | Low
Ensure ‘Minimum Special Characters’ is greater than or equal to 1 | Low
Ensure ‘Minimum Uppercase Letters’ is greater than or equal to 1 | Low
Ensure ‘New Password Differs By Characters’ is greater than or equal to 3 | Low
Ensure ‘Permitted IP Addresses’ is set for all management profiles where SSH, HTTPS, or SNMP is enabled | Low
Ensure ‘Permitted IP Addresses’ is set to those necessary for device management | Low
Ensure ‘Prevent Password Reuse Limit’ is set to 24 or more passwords | Low
Ensure ‘Required Password Change Period’ is less than or equal to 90 days | Low
Ensure ‘Service setting of ANY’ in a security policy allowing traffic does not exist | Low
Ensure HTTP and Telnet options are disabled for all management profiles | Low
Ensure HTTP and Telnet options are disabled for the management interface | Low
Ensure System Logging to a Remote Host | Low
Ensure alerts are enabled for malicious files detected by WildFire | Low
Ensure redundant NTP servers are configured appropriately | Low
Ensure that a Zone Protection Profile with an enabled SYN Flood Action of SYN Cookies is attached to all untrusted zones | Low
Ensure that a Zone Protection Profile with tuned Flood Protection settings enabled for all flood types is attached to all untrusted zones | Low
Ensure that the Certificate used for Decryption is Trusted | Low
Ensure valid certificate is set for browser-based administrator interface | Low
Syslog logging should be configured | Low

Risks Walkthrough

To better understand how to use the policy manager, let’s walk through an example using Risks & Warnings Policies and Requirements.

In the above image we can see the policy manager window open. The Risks & Warnings Policies tab has been selected. Below there is a dropdown that contains all the default policies available. The Default NP Rule Policy has been selected. 

Policy Details

When a Policy is selected we see its details on the right side of the window. Risks & Warnings Policies are device-specific, and it is on this page that we can change which devices the policy applies to. If we change whether the Policy is enabled, or the devices included, the Policy will need to be rerun by clicking the “Run” button. Rerunning an enabled Policy also reruns all the enabled Requirements within that Policy.

Requirement Details

On the left-hand side, below our chosen Policy, we can see the Requirements that are included in this Policy and an icon indicating whether or not each is enabled.

In the above image we can see the information for a default Requirement, “Any destination IP”. Looking at the details for this requirement we can see its name, its details, and the logic being used to trigger the Risk alert message. This requirement is an example of compound logic: the risk will only trigger if all four conditions are met. Each condition has four elements.

Requirement Conditions

Apply To: The Table_Column that the logic will run on.

Apply When: Whether the string is found or not found.

String: The information the requirement is looking for in the specified Table_Column.

Operator: Used to build compound logic using and/or.

Default requirements cannot be edited, but if we disable a requirement we need to run the requirement again for that change to take effect.
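The four condition elements and the enable/run behaviour described above can be modelled directly. The following is an added Python example, not code from this page or from the product: it evaluates compound Risks & Warnings requirements over a constructed rules table and produces the Risk column text. The column names, device names and the condition sets for “Any to any IP”, “Any destination IP” and “Any protocol path” are assumptions for illustration (the real requirement logic is only visible inside the Policy Manager), as are the case-insensitive substring match and the left-to-right combination of and/or.

```python
from dataclasses import dataclass

# Constructed sample data: one row per firewall rule in a "Rules" table.
# Column names and device names are assumptions for this example.
RULES_TABLE = [
    {"Device": "fw-edge-1", "Rule ID": "10", "Source": "10.0.0.0/8", "Destination": "any",
     "Service": "tcp/443", "Action": "Allow", "Enabled": "True"},
    {"Device": "fw-edge-1", "Rule ID": "20", "Source": "any", "Destination": "any",
     "Service": "any", "Action": "Allow", "Enabled": "True"},
    {"Device": "fw-edge-1", "Rule ID": "30", "Source": "any", "Destination": "any",
     "Service": "any", "Action": "Deny", "Enabled": "True"},
    {"Device": "fw-lab-9", "Rule ID": "10", "Source": "any", "Destination": "any",
     "Service": "any", "Action": "Allow", "Enabled": "True"},
]


@dataclass
class Condition:
    """One condition of a requirement: the four elements (Apply To / Apply When / String / Operator)."""
    apply_to: str       # Apply To: the Table_Column the logic runs on (column name only here)
    apply_when: str     # Apply When: "found" or "not found"
    string: str         # String: what is looked for in that column
    operator: str = ""  # Operator: "and"/"or" joining this condition to the next; "" on the last

    def matches(self, row):
        # Assumption: a case-insensitive substring search, so "any" also matches "company".
        present = self.string.lower() in str(row.get(self.apply_to, "")).lower()
        return present if self.apply_when == "found" else not present


@dataclass
class Requirement:
    name: str
    severity: str
    conditions: list
    enabled: bool = True

    def triggers(self, row):
        # Compound logic: conditions are combined left to right using the operator
        # carried by the preceding condition (no and/or precedence: an assumption).
        result = self.conditions[0].matches(row)
        for prev, cond in zip(self.conditions, self.conditions[1:]):
            if prev.operator == "or":
                result = result or cond.matches(row)
            else:
                result = result and cond.matches(row)
        return result


@dataclass
class Policy:
    name: str
    requirements: list
    devices: set        # Risks & Warnings policies are device-specific
    enabled: bool = True


def run_policy(policy, table):
    """Return the Risk column text per (device, rule id) for every triggered requirement."""
    risks = {}
    if not policy.enabled:
        return risks
    for row in table:
        if row["Device"] not in policy.devices:
            continue  # the policy is not assigned to this device
        for req in policy.requirements:
            if req.enabled and req.triggers(row):
                key = (row["Device"], row["Rule ID"])
                risks.setdefault(key, []).append(f"{req.severity}: {req.name}")
    return risks


# Hypothetical condition sets for three of the default NP Rule Policy requirements.
NP_RULE_POLICY = Policy(
    name="NP Rule Policy",
    devices={"fw-edge-1"},
    requirements=[
        Requirement("Any to any IP", "Medium", [
            Condition("Source", "found", "any", "and"),
            Condition("Destination", "found", "any", "and"),
            Condition("Action", "found", "Allow", "and"),
            Condition("Enabled", "found", "True"),
        ]),
        Requirement("Any destination IP", "Medium", [
            Condition("Destination", "found", "any", "and"),
            Condition("Source", "not found", "any", "and"),
            Condition("Action", "found", "Allow", "and"),
            Condition("Enabled", "found", "True"),
        ]),
        Requirement("Any protocol path", "High", [
            Condition("Service", "found", "any", "and"),
            Condition("Action", "found", "Allow", "or"),
            Condition("Action", "found", "Permit", "and"),
            Condition("Enabled", "found", "True"),
        ]),
    ],
)

if __name__ == "__main__":
    for key, messages in run_policy(NP_RULE_POLICY, RULES_TABLE).items():
        print(key, "; ".join(messages))
```

Rule 10 on fw-edge-1 produces only “Medium: Any destination IP” (its source is a specific prefix), rule 20 produces both “Any to any IP” and “Any protocol path”, rule 30 produces nothing because its action is Deny, and fw-lab-9 is skipped because the policy is not assigned to it. When checking a requirement of your own, watch the substring behaviour: a String of “any” also matches a network object named “company-lan”, which is one reason to review the triggered rows rather than trusting the count.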

Risks & Warnings Output

Finally, when the conditions of a Risks & Warnings Policy and its Requirements are met, the result will look like the below image. The text has been populated into the Risk column for each row where a requirement was triggered.

Now that we know where the text comes from – let’s find out where the coloring comes from.

Table Highlighting Walkthrough

Table Highlighting Policies and Requirements work in almost the same way as Risks & Warnings, with a few key differences, the main one being that they format cells and text instead of producing an alert message.

When comments are added to any table and assigned a criticality, the Comment Count columns will display the number of comments for each table row and the cell color will reflect the highest criticality comment. High = Red, Medium = Orange, Low = Blue.

Rule Name | Text Match | Action
Rule Action – Allow or Permit or Accept | Action = Allow or Permit or Accept | ‘Action’ cell = None, Text = Green
Rule Action – Deny | Action = Deny | ‘Action’ cell = None, Text = Red
Rule Destination – Any | Destination = [\s\S]*any[\s\S]* | ‘Destination’ cell = None, Text = Red
Rule Destination – High | Dst Criticality = High | ‘Destination’ cell = Red, Text = White
Rule Destination – Medium | Dst Criticality = Medium | ‘Destination’ cell = Yellow, Text = Black
Rule Destination – Low | Dst Criticality = Low | ‘Destination’ cell = Blue, Text = White
Rule Destination – Untrusted | Dst Criticality = Untrusted | ‘Destination’ cell = Gray, Text = Black
Rule Destination Binding – Any | Dst Binding = [\s\S]*any[\s\S]* | ‘Dst Binding’ cell = None, Text = Red
Rule Destination Binding – High | Dst Criticality = High | ‘Dst Binding’ cell = Red, Text = White
Rule Destination Binding – Medium | Dst Criticality = Medium | ‘Dst Binding’ cell = Orange, Text = Black
Rule Destination Binding – Low | Dst Criticality = Low | ‘Dst Binding’ cell = Blue, Text = White
Rule Destination Binding – Untrusted | Dst Criticality = Untrusted | ‘Dst Binding’ cell = Gray, Text = Black
Rule Destination Criticality – High | Dst Criticality = High | ‘Dst Criticality’ cell = Red, Text = White
Rule Destination Criticality – Medium | Dst Criticality = Medium | ‘Dst Criticality’ cell = Yellow, Text = Black
Rule Destination Criticality – Low | Dst Criticality = Low | ‘Dst Criticality’ cell = Blue, Text = White
Rule Enabled – True | Enabled = True | ‘Enabled’ cell = None, Text = Green
Rule Enabled – False | Enabled = False | ‘Enabled’ cell = None, Text = Gray
Rule Enabled – Ignored | Enabled = Ignored | ‘Enabled’ cell = None, Text = Yellow
Rule Risk – High | Risk Criticality = High | ‘Risk’ cell = White, Text = Red
Rule Risk – Medium | Risk Criticality = Medium | ‘Risk’ cell = White, Text = Yellow
Rule Risk – Low | Risk Criticality = Low | ‘Risk’ cell = White, Text = Blue
Rule Risk – None | Risk Criticality = High, Medium, Low | ‘Risk’ cell = None, Text = Gray
Rule Risk Criticality – High | Risk Criticality = High | ‘Risk Criticality’ cell = Red, Text = White
Rule Risk Criticality – Medium | Risk Criticality = Medium | ‘Risk Criticality’ cell = Yellow, Text = Black
Rule Risk Criticality – Low | Risk Criticality = Low | ‘Risk Criticality’ cell = Blue, Text = White
Rule Risk Criticality – N/A | Risk Criticality = High, Medium, Low | ‘Risk Criticality’ cell = None, Text = Gray
Rule Service – Any | Service = Any | ‘Source’ cell = None, Text = Red
Rule Source – Any | Source = Any | ‘Source’ cell = None, Text = Red
Rule Source – High | Src Criticality = High | ‘Source’ cell = Red, Text = White
Rule Source – Medium | Src Criticality = Medium | ‘Source’ cell = Yellow, Text = Black
Rule Source – Low | Src Criticality = Low | ‘Source’ cell = Blue, Text = White
Rule Source – Untrusted | Src Criticality = Untrusted | ‘Source’ cell = Gray, Text = Black
Rule Source Binding – Any | Src Binding = Any | ‘Src Binding’ cell = None, Text = Red
Rule Source Binding – High | Src Criticality = High | ‘Src Binding’ cell = Red, Text = White
Rule Source Binding – Medium | Src Criticality = Medium | ‘Src Binding’ cell = Yellow, Text = Black
Rule Source Binding – Low | Src Criticality = Low | ‘Src Binding’ cell = Blue, Text = White
Rule Source Binding – Untrusted | Src Criticality = Untrusted | ‘Src Binding’ cell = Gray, Text = Black
Rule Source Criticality – High | Src Criticality = High | ‘Src Criticality’ cell = Red, Text = White
Rule Source Criticality – Medium | Src Criticality = Medium | ‘Src Criticality’ cell = Yellow, Text = Black
Rule Source Criticality – Low | Src Criticality = Low | ‘Src Criticality’ cell = Blue, Text = White
Rule Source Criticality – Untrusted | Src Criticality = Untrusted | ‘Src Criticality’ cell = Gray, Text = Black

Policy Details

On the default Policy page for Table Highlighting we can see that these Policies do not require device selection.

Requirement Details

Selecting a default Requirement for this Policy shows us the requirement details.

For a Table Highlighting requirement there are a few more options that are used to target the logic for the action. This is because Table Highlighting requirements allow you to look for information in one table/column and apply the action in a different table/column. First, we choose the target Table and Column that will receive the Highlighting Action. Then we choose the table and column where we want the logic to run.

Requirement Conditions

Compliance Type: Table Highlighting requirements can be set to run only on certain compliance frameworks.

Table: The target table that the highlighting will be applied to if the logic is found.

Column: The target column, within the previously chosen target table, that the highlighting will be applied to if the logic is found.

When String: The string the requirement is searching for.

Is: Found or not found.

In Column: The Table_Column where the requirement is searching for the designated string.

Operator: And/or, for building compound logic.

Highlighting Action: If the conditions for the logic are met, this is how the cell and the text will be colored.
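The following is an added Python example, not code from this page or from the product, showing how the options above fit together: the logic runs in one table/column (“In Column”), the Highlighting Action lands in a possibly different target Table/Column, the Compliance Type filters which requirements run, and the When String is treated as a regular expression, which is how the default rules such as `[\s\S]*any[\s\S]*` are written. It also reproduces the Comment Count colouring from the walkthrough. The table and column names, the “Firewall” compliance type, the “Rule ID” join key, the two hypothetical requirements marked as such, and the rule that a later requirement overwrites an earlier one targeting the same cell are all assumptions; three of the requirements are taken from the default table above.

```python
import re
from dataclasses import dataclass

# Constructed sample tables (column names are assumptions). The logic can run in one
# table/column while the highlight lands in another; rows are joined on "Rule ID".
RULES = [
    {"Rule ID": "10", "Destination": "any", "Enabled": "True", "Dst Criticality": "High"},
    {"Rule ID": "20", "Destination": "10.1.2.0/24", "Enabled": "False", "Dst Criticality": "Low"},
]
RULE_SUMMARY = [
    {"Rule ID": "10", "Destination": "any", "Owner": "netops"},
    {"Rule ID": "20", "Destination": "10.1.2.0/24", "Owner": "secops"},
]
TABLES = {"Rules": RULES, "Rule Summary": RULE_SUMMARY}


@dataclass(frozen=True)
class Highlight:
    cell: str  # cell colour; "None" leaves the cell unfilled
    text: str  # text colour


@dataclass
class HighlightRequirement:
    name: str
    compliance_type: str   # Compliance Type the requirement runs on; "*" = every framework (assumption)
    table: str             # Table: target table receiving the highlight
    column: str            # Column: target column
    when_string: str       # When String: a regular expression, as in the default rules
    is_found: bool         # Is: True = found, False = not found
    in_table: str          # In Column: the Table_Column where the logic runs
    in_column: str
    action: Highlight      # Highlighting Action


def condition_met(req, row):
    """Apply the When String / Is pair to one row of the table the logic runs in."""
    hit = re.search(req.when_string, str(row.get(req.in_column, ""))) is not None
    return hit if req.is_found else not hit


def run_highlighting(reqs, tables, compliance_type, key="Rule ID"):
    """Return {(table, key value, column): Highlight}. Later requirements that target
    the same cell overwrite earlier ones (an assumption about precedence)."""
    out = {}
    for req in reqs:
        if req.compliance_type not in ("*", compliance_type):
            continue  # requirement is restricted to another compliance framework
        for src_row in tables[req.in_table]:
            if not condition_met(req, src_row):
                continue
            for tgt_row in tables[req.table]:
                if tgt_row[key] == src_row[key]:
                    out[(req.table, tgt_row[key], req.column)] = req.action
    return out


CRITICALITY_COLOURS = {"High": "Red", "Medium": "Orange", "Low": "Blue"}


def comment_cell_colour(comments):
    """Comment Count cell colour: the highest criticality among the row's comments."""
    for level in ("High", "Medium", "Low"):
        if any(c["criticality"] == level for c in comments):
            return CRITICALITY_COLOURS[level]
    return "None"


# Three default requirements from the table above plus two hypothetical ones.
HIGHLIGHT_REQUIREMENTS = [
    HighlightRequirement("Rule Destination – Any", "Firewall", "Rules", "Destination",
                         r"[\s\S]*any[\s\S]*", True, "Rules", "Destination", Highlight("None", "Red")),
    HighlightRequirement("Rule Destination – High", "Firewall", "Rules", "Destination",
                         r"^High$", True, "Rules", "Dst Criticality", Highlight("Red", "White")),
    HighlightRequirement("Rule Destination – Low", "Firewall", "Rules", "Destination",
                         r"^Low$", True, "Rules", "Dst Criticality", Highlight("Blue", "White")),
    # Hypothetical: grey out the Enabled text whenever "True" is NOT found.
    HighlightRequirement("Rule Enabled – Not True", "Firewall", "Rules", "Enabled",
                         r"^True$", False, "Rules", "Enabled", Highlight("None", "Gray")),
    # Hypothetical cross-table rule: the logic runs in Rules, the highlight lands in Rule Summary.
    HighlightRequirement("Summary Destination – Any", "*", "Rule Summary", "Destination",
                         r"[\s\S]*any[\s\S]*", True, "Rules", "Destination", Highlight("None", "Red")),
]

if __name__ == "__main__":
    for cell, hl in run_highlighting(HIGHLIGHT_REQUIREMENTS, TABLES, "Firewall").items():
        print(cell, "cell =", hl.cell, "text =", hl.text)
```

For rule 10 both “Rule Destination – Any” and “Rule Destination – High” target the same Destination cell; the later requirement wins here, so the cell ends up Red/White rather than None/Red. That ordering dependence is worth remembering when two enabled requirements colour the same column, and it is also why, after a table reset, each requirement has to be rerun individually to restore its formatting.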

Highlighting Output

Reset

Sometimes the risks or the formatting need to be reset. For this, Administrators and Workspace Admins have access to a reset button on both the Risks & Warnings Policies Overview page and the Table Highlighting Policies Overview page.

Risks & Warnings

This action will reset all Risks and Warnings information for this workspace. After, all enabled policies for this workspace will be rerun. Because Policies will be rerun after reset, at least one policy must be enabled at time of reset. Only Risks and Warnings data will be affected.

Table Highlighting

To remove all existing table highlights from a table, select the table you wish to reset and click “Reset Table.” Note: to add formatting back in, each requirement will need to be run again individually.
