Guia Configuración Algosec en R80 Checkpoint - v6-11

AlgoSec Firewall Analyzer
Administrator Guide
Release 6.11
Printed on 25 March, 2017

Copyright © 2003-2017 AlgoSec Ltd. All rights reserved
AlgoSec, FireFlow, and BusinessFlow are registered trademarks of AlgoSec Ltd. and/or its affiliates in the
U.S. and certain other countries.
Check Point, the Check Point logo, ClusterXL, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer,
INSPECT, INSPECT XL, OPSEC, Provider-1, Safe@Home, Safe@Office, SecureClient,
SecureKnowledge, SecurePlatform, SecuRemote, SecureXL Turbocard, SecureServer, SecureUpdate,
SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard,
SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView
Reporter, SmartView Status, SmartViewTracker, UserAuthority, VPN-1, VPN-1 Edge, VPN-1 Pro, VPN-1
SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, VPN-1 XL, are trademarks or
registered trademarks of Check Point Software Technologies Ltd. or its affiliates.
Cisco, the Cisco Logo, Cisco IOS, IOS, PIX, are trademarks or registered trademarks of Cisco Systems, Inc.
and/or its affiliates in the U.S. and certain other countries.
Juniper Networks, the Juniper Networks logo, NetScreen, and ScreenOS are registered trademarks of
Juniper Networks, Inc. in the United States and other countries. JUNOS and JUNOSe are trademarks of
Juniper Networks, Inc.
All other product names mentioned herein are trademarks or registered trademarks of their respective
owners.
Specifications subject to change without notice.
Limited Liability Statement
In no event will AlgoSec Ltd be liable for any loss of data; lost opportunity for profits; cost of cover; or
special, incidental, consequential or indirect damages arising from the use of this software.
Proprietary & Confidential Information
This document contains proprietary information. Neither this document nor said proprietary information
shall be published, reproduced, copied, disclosed, or used for any purpose other than the review and
consideration of this material without written approval from AlgoSec Ltd., 65 Challenger Rd., Suite 320,
Ridgefield Park, NJ 07660, USA.
The software contains proprietary information of AlgoSec Ltd; it is provided under a license agreement
containing restrictions on use and disclosure and is also protected by copyright law. Reverse engineering of
the software is prohibited.
Due to continued product development this information may change without notice. The information and
intellectual property contained herein is confidential between AlgoSec Ltd. and the client and remains the
exclusive property of AlgoSec Ltd. If you find any problems in the documentation, please report them to us
in writing. AlgoSec Ltd. does not warrant that this document is error-free.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by
any means, electronic, mechanical, photocopying, recording or otherwise without the prior written
permission of AlgoSec Ltd.
AlgoSec Ltd.
65 Challenger Rd., Suite 320
Ridgefield Park, NJ 07660
USA
Contents
Introduction ................................................................................................................................................... 8
About AlgoSec Firewall Analyzer ................................................................................................................................................ 8
AlgoSec Firewall Analyzer Components ..................................................................................................................................... 9
AFA Operations and Optimization ..................................................................................................................................... 10
AFA Risk and Compliance Module .................................................................................................................................... 11
AFA Provider Edition ......................................................................................................................................................... 11
AFA ActiveChange ............................................................................................................................................................ 12
Supported Products .................................................................................................................................................................. 12
IPv6 Support ...................................................................................................................................................................... 14
System Requirements............................................................................................................................................................... 15
Quick Start – Configuring AFA .................................................................................................................................................. 15
Installation ................................................................................................................................................... 16
Prerequisites ............................................................................................................................................................................. 16
Hardware Requirements.................................................................................................................................................... 16
Software Requirements ..................................................................................................................................................... 17
Capacity Planning for Your AFA Server ............................................................................................................................ 18
Installation Instructions ............................................................................................................................................................. 19
Installing the AlgoSec Firewall Analyzer Pre-Installer ....................................................................................................... 19
Installing the AlgoSec Firewall Analyzer Software ............................................................................................................ 19
Defining the First Administrator User................................................................................................................................. 20
Obtaining a License ........................................................................................................................................................... 22
Installing a License ............................................................................................................................................................ 23
Installing an "Online" or "inactivated" License ................................................................................................................... 25
Viewing License Information.............................................................................................................................................. 25
Updating a License ............................................................................................................................................................ 26
Upgrading AFA .................................................................................................................................................................. 27
Selecting a Deployment Type .................................................................................................................... 31

Working with Domains .............................................................................................................................................................. 31
Using Domains .................................................................................................................................................................. 32
Enabling Domains ............................................................................................................................................................. 33
Logging in to the Management Interface ........................................................................................................................... 34
Adding and Editing Management Users ............................................................................................................................ 35
Adding and Editing Management Roles ............................................................................................................................ 38
Adding and Editing Domains ............................................................................................................................................. 42
Deleting Management Users and Roles ............................................................................................................................ 44
Deleting Domains .............................................................................................................................................................. 45
Distributed Architecture Overview ............................................................................................................................................. 45
Setting Up a Load Distribution Architecture ....................................................................................................................... 46
Setting Up a Geographic Distribution Architecture ............................................................................................................ 46
Enabling Distributed Processing........................................................................................................................................ 47
Adding and Editing Distribution Slaves.............................................................................................................................. 48
Adding and Editing Remote Agents................................................................................................................................... 50
Deleting Distribution Slaves or Remote Agents................................................................................................................. 51
Disabling Distributed Processing ....................................................................................................................................... 51
AlgoSec Firewall Analyzer Release 6.11
Managing Devices in AFA .......................................................................................................................... 53

Overview ................................................................................................................................................................................... 53
AFA Device Types ............................................................................................................................................................. 54
Data Collection Methods ........................................................................................................................................................... 54
Collecting Data Semi-Automatically .......................................................................................................................................... 55
Preparations for Data Collection........................................................................................................................................ 55
Device Icons ............................................................................................................................................................................. 56
Accessing Devices Setup ......................................................................................................................................................... 57
Adding Devices ......................................................................................................................................................................... 59
Adding a Check Point Provider-1 ...................................................................................................................................... 61
Adding a Check Point SmartCenter/Gateway ................................................................................................................... 71
Adding a Check Point CMA ............................................................................................................................................... 76
Enabling Data Collection for Check Point Devices ............................................................................................................ 80
Check Point FireWall-1 Semi-Automatic Data Collection .................................................................................................. 97
Check Point Provider-1 Manual Data Collection ............................................................................................................. 104
Check Point SmartCenter Manual Data Collection on Solaris/Nokia/Secure Platform/Linux .......................................... 105
Check Point SmartCenter Manual Data Collection on Microsoft Windows ..................................................................... 106
Alternative Methods for Obtaining the Routing Table for Manual Data Collection .......................................................... 107
Adding a CSM-Managed Cisco Device ........................................................................................................................... 108
Adding a Cisco IOS Router or Layer-3 Switch ................................................................................................................ 113
Adding a Cisco Nexus Router ......................................................................................................................................... 116
Adding a Cisco PIX/ASA/FWSM Firewall ........................................................................................................................ 120
Adding a Cisco Application Centric Infrastructure (ACI) .................................................................................................. 125
Defining a Limited-Privilege Cisco User for Data Collection ............................................................................................ 127
Cisco PIX/ASA/FWSM Manual Data Collection .............................................................................................................. 128
Cisco Routers Semi-Automatic Data Collection .............................................................................................................. 129
Cisco Nexus Router Manual Data Collection .................................................................................................................. 130
Adding an F5 BIG-IP ....................................................................................................................................................... 132
Adding a Forcepoint (McAfee) Security Management Center ......................................................................................... 135
Configuring the Forcepoint (McAfee) Security Management Center ............................................................................... 138
Adding a Forcepoint (McAfee) Sidewinder ...................................................................................................................... 144
Forcepoint (McAfee) Sidewinder Manual Data Collection ............................................................................................... 148
Adding a Fortinet FortiGate ............................................................................................................................................. 151
Fortinet FortiGate Manual Data Collection ...................................................................................................................... 154
Adding a Fortinet FortiManager ....................................................................................................................................... 156
Adding a Hillstone Networks Device................................................................................................................................ 161
Adding a Juniper Space .................................................................................................................................................. 163
Adding a Juniper NSM..................................................................................................................................................... 168
Configuring a Read-Only NSM User for Data Collection ................................................................................................. 174
Configuring Juniper STRM to Forward Logs to a Syslog-ng Server................................................................................ 177
Adding a Juniper SRX ..................................................................................................................................................... 178
Juniper SRX Manual Data Collection .............................................................................................................................. 182
Adding a Juniper Netscreen ............................................................................................................................................ 183
Juniper Netscreen Semi-Automatic Data Collection........................................................................................................ 188
Juniper Netscreen Manual Data Collection ..................................................................................................................... 189
Adding a Juniper M/E Router .......................................................................................................................................... 190
Juniper M/E Router Manual Data Collection ................................................................................................................... 192
Adding a Palo Alto Networks Panorama ......................................................................................................................... 193
Adding a Palo Alto Networks Firewall.............................................................................................................................. 197
Palo Alto Networks Firewall Manual Data Collection....................................................................................................... 200
Adding a VMWare NSX Distributed Firewall ................................................................................................................... 202
Adding an Amazon Web Services (AWS) ....................................................................................................................... 203
Adding a Blue Coat Device.............................................................................................................................................. 205
Contents
Blue Coat SGOS Manual Data Collection ....................................................................................................................... 208

Adding Monitoring Devices .............................................................................................................................................. 209
Adding a Microsoft Azure ................................................................................................................................................ 212
Adding a Routing Element ............................................................................................................................................... 214
Setting Up Analysis from a File ....................................................................................................................................... 216
Adding Support for Generic Devices to AFA ................................................................................................................... 217
Adding Additional Device Identifiers Manually ........................................................................................................................ 222
Renaming Devices .................................................................................................................................................................. 223
Editing Data Collection Definitions .......................................................................................................................................... 223
Setting User Permissions........................................................................................................................................................ 223
Deleting Devices ..................................................................................................................................................................... 224
Updating the Passwords for Multiple Devices ......................................................................................................................... 224
Device User Permission Requirements .................................................................................................................................. 227
Managing Device Groups and Matrices .................................................................................................. 234

Groups Overview .................................................................................................................................................................... 234
Adding Groups................................................................................................................................................................. 234
Editing Groups ................................................................................................................................................................. 235
Renaming Groups ........................................................................................................................................................... 236
Deleting Groups............................................................................................................................................................... 237
Matrices Overview .................................................................................................................................................................. 237
Adding Matrices ............................................................................................................................................................... 238
Editing Matrices ............................................................................................................................................................... 239
Renaming Matrices.......................................................................................................................................................... 240
Deleting Matrices ............................................................................................................................................................. 241
Disaster Recovery (DR) Sets Overview .................................................................................................................................. 241
Adding Disaster Recovery Sets ....................................................................................................................................... 241
Editing DR Sets ............................................................................................................................................................... 242
Renaming DR Sets .......................................................................................................................................................... 243
Deleting DR Sets ............................................................................................................................................................. 244
Managing The Graphic Network Map ...................................................................................................... 245

Editing IP Ranges in Clouds ................................................................................................................................................... 245
Removing Devices .................................................................................................................................................................. 246
Removing Device Interfaces ................................................................................................................................................... 247
Working with ActiveChange ..................................................................................................................... 248

Overview ................................................................................................................................................................................. 248
Using ActiveChange ............................................................................................................................................................... 248
Enabling ActiveChange........................................................................................................................................................... 249
Scheduling Analyses and Monitoring ..................................................................................................... 250

Scheduling AFA Analyses....................................................................................................................................................... 250
Adding and Editing Analysis Jobs ................................................................................................................................... 250
Deleting Analysis Jobs .................................................................................................................................................... 253
Scheduling Dashboard E-mails............................................................................................................................................... 254
Adding and Editing Dashboard E-mails ........................................................................................................................... 254
Deleting Scheduled Dashboard E-mails .......................................................................................................................... 256
Activating Real-Time Monitoring ............................................................................................................................................. 256
Users and Roles ........................................................................................................................................ 258

Users Overview....................................................................................................................................................................... 258
Configuring User Authentication ............................................................................................................................................. 259
Configuring Single Sign On (SSO) .................................................................................................................................. 259
Configuring User Authentication via an Authentication Server ........................................................................................ 263
Configuring an LDAP Forest............................................................................................................................................ 271
Adding and Editing Users ....................................................................................................................................................... 277
Deleting Users ........................................................................................................................................................................ 283
Roles Overview ....................................................................................................................................................................... 283
Adding and Editing Roles........................................................................................................................................................ 283
Deleting Roles......................................................................................................................................................................... 288
Changing Your User Settings ................................................................................................................................................. 289
Configuring Mail Server Settings............................................................................................................. 290

Setting Up E-mail Notification ................................................................................................................................................. 291
Risk and Compliance ................................................................................................................................ 293

Customizing Risk Profiles ....................................................................................................................................................... 293
Viewing Risk Profiles ....................................................................................................................................................... 293
Adding Risk Profiles ........................................................................................................................................................ 295
Customizing Risk Items ................................................................................................................................................... 300
Setting Risk and Compliance Options ............................................................................................................................. 308
Compliance ............................................................................................................................................................................. 309
Customizing the Compliance Score Value ...................................................................................................................... 311
Customizing the Compliance Score Severity Thresholds................................................................................................ 312
Customizing Zone Types ........................................................................................................................................................ 314
Adding and Editing Zone Types ...................................................................................................................................... 314
Deleting Zone Types ....................................................................................................................................................... 316
Customizing Host Groups ....................................................................................................................................................... 316
Adding and Editing Host Groups ..................................................................................................................................... 316
Deleting Host Groups ...................................................................................................................................................... 317
Customizing Services ............................................................................................................................................................. 318
Adding and Editing Service Groups................................................................................................................................. 318
Deleting Service Groups.................................................................................................................................................. 319
Customizing Security Rating Settings ..................................................................................................................................... 320
Compliance Options................................................................................................................................................................ 323
Administration Options Settings ............................................................................................................. 324

General/Admin Options........................................................................................................................................................... 325
Language ................................................................................................................................................................................ 326
Display .................................................................................................................................................................................... 326
Adding a Custom Logo .................................................................................................................................................... 327
Log Analysis............................................................................................................................................................................ 329
Proxy ....................................................................................................................................................................................... 330
Mail ......................................................................................................................................................................................... 331
Storage ................................................................................................................................................................................... 332
Managing AFA Storage ................................................................................................................................................... 332
Configuring Report Cleanup ............................................................................................................................................ 333
Workflow ................................................................................................................................................................................. 335
Contents
Authentication ......................................................................................................................................................................... 340

Backup and Restore ............................................................................................................................................................... 341
Backing Up the AlgoSec Suite......................................................................................................................................... 342
Restoring the AlgoSec Suite............................................................................................................................................ 344
Advanced Configuration.......................................................................................................................................................... 346
Enabling/Disabling Custom Report Pages ...................................................................................................................... 347
Setting the Chart Threshold Value Configuration Item .................................................................................................... 348
Setting the Default Dashboard ........................................................................................................................................ 349
Securing the AFA Server .......................................................................................................................... 350

Network Connectivity to the AFA Server................................................................................................................................. 351
Network Connectivity from the AFA Server ............................................................................................................................ 351
Hardening the Linux Operating System .................................................................................................................................. 352
Appendix A: Using the AlgoSec Extension Framework ........................................................................ 353

Overview of the AlgoSec Extension Framework ..................................................................................................................... 353
Adding Support for New Device Types ................................................................................................................................... 353
Tag Reference ................................................................................................................................................................. 354
Configuration File Example ............................................................................................................................................. 370
Collecting Data from AEF Devices.......................................................................................................................................... 370
Appendix B: Importing Users and Devices from a CSV File ................................................................. 374
Importing Users from a CSV File ............................................................................................................................................ 374
Preparing the Users CSV File ......................................................................................................................................... 374
Running the Import Users Script ..................................................................................................................................... 377
Importing and Updating Devices from a CSV File .................................................................................................................. 377
Preparing the Devices CSV File ...................................................................................................................................... 377
Running the Import Devices Script .................................................................................................................................. 380
Appendix C: Creating a JSON File for Generic Device Support ........................................................... 382
NAT Support ........................................................................................................................................................................... 382
Layer 2 Device Support .......................................................................................................................................................... 384
Handling Special Characters .................................................................................................................................................. 384
Tag List ................................................................................................................................................................................... 384
Tag References ...................................................................................................................................................................... 385
config_type ...................................................................................................................................................................... 385
device .............................................................................................................................................................................. 386
hosts ................................................................................................................................................................................ 386
hosts_groups ................................................................................................................................................................... 386
interfaces ......................................................................................................................................................................... 386
services ........................................................................................................................................................................... 387
services_groups .............................................................................................................................................................. 387
policies............................................................................................................................................................................. 387
rules_groups .................................................................................................................................................................... 388
nat_rules .......................................................................................................................................................................... 389
zones ............................................................................................................................................................................... 389
routes............................................................................................................................................................................... 390
schedules ........................................................................................................................................................................ 390
Generic Device JSON File Examples ..................................................................................................................................... 390
JSON File Example for a Policy-Based Device ............................................................................................................... 391
JSON File Example for an Interface-Based Device......................................................................................................... 399

JSON File Example for a Zone-Based Device ................................................................................................................ 406
Troubleshooting ...................................................................................................................................................................... 495
Troubleshooting Files and Folders .................................................................................................................................. 495
Problem: User-defined Generic Device Analysis Failed .................................................................................................. 495
Problem: JSON File Contains a Problematic Line ........................................................................................................... 496
Appendix D: Overriding AFA System Defaults ....................................................................................... 498

Enabling/Disabling Group Traffic Simulation Query Results by Policy ................................................................................... 498
Enabling/Disabling IPT Rule Replacement Recommendations .............................................................................................. 500
Configuring IPT Rule Replacement Recommendations ......................................................................................................... 500
Disabling Sorting and Filtering for Tables ............................................................................................................................... 502
Globally Hiding/Displaying Change Details ............................................................................................................................. 502
Appendix E: Using Baseline Configuration Compliance Profiles ......................................................... 504

Overview ................................................................................................................................................................................. 504
Viewing Baseline Configuration Compliance Profiles ............................................................................................................. 504
Creating Custom Baseline Configuration Compliance Profiles ............................................................................................... 505
Adding New Custom Baseline Configuration Compliance Profiles .................................................................................. 505
Duplicating Baseline Configuration Compliance Profiles................................................................................................. 507
Editing Baseline Configuration Compliance Profiles ....................................................................................................... 509
Deleting Custom Baseline Configuration Compliance Profiles ........................................................................................ 510
Editing Baseline Configuration Compliance Profiles in XML Format ............................................................................... 510
Baseline Configuration Compliance Profile Structure ...................................................................................................... 512
Tag Reference ................................................................................................................................................................. 512
Sample Baseline Configuration Compliance Profile ........................................................................................................ 518
Example: Customizing a Baseline Configuration Compliance Profile ............................................................................. 518
Appendix F: Customizations .................................................................................................................... 523

Customizing the Landing Page ............................................................................................................................................... 523
Creating a Custom Report Page ............................................................................................................................................. 527
Custom Report Configuration File Parameters................................................................................................................ 528
Extract Custom Report Script Flags ................................................................................................................................ 528
Customizing Device Policy Documentation Fields .................................................................................................................. 528
Adding Documentation Fields.......................................................................................................................................... 529
Enabling/Disabling Documentation Fields ....................................................................................................................... 529
Creating Custom Dashboards ................................................................................................................................................. 529
Configuring a Custom Chart ............................................................................................................................................ 530
Configuring a Custom Dashboard ................................................................................................................................... 541
Built-In Charts .................................................................................................................................................................. 544
Customizing the Regulatory Compliance Page ...................................................................................................................... 545
Removing and Adding Compliance Reports.................................................................................................................... 546
Appendix G: Advanced Risk Item Editing ............................................................................................... 548

Advanced Risk Item Editing Overview .................................................................................................................................... 548
Risk Item Types ...................................................................................................................................................................... 548
Traffic Risk Item Guidelines .................................................................................................................................................... 549
Host Group Risk Item Guidelines ............................................................................................................................................ 551
Property Risk Item Guidelines ................................................................................................................................................ 551
Rule Risk Item Guidelines....................................................................................................................................................... 552
Contents
Assessment and Remedy Keywords ...................................................................................................................................... 553
Appendix H: Basic Sanity Check ............................................................................................................. 556

Basic Functionality .................................................................................................................................................................. 556
Testing Basic Functionality ..................................................................................................................................................... 556
ASMS Processes Check ................................................................................................................................................. 557
AlgoSec Firewall Analyzer (AFA) .................................................................................................................................... 557
AlgoSec FireFlow ............................................................................................................................................................ 558
AlgoSec BusinessFlow .................................................................................................................................................... 558
Appendix I: Integrating AFA with Splunk ................................................................................................ 560

Overview ................................................................................................................................................................................. 560
Licensing ................................................................................................................................................................................. 561
Supported Versions ................................................................................................................................................................ 561
Installing the AlgoSec App ...................................................................................................................................................... 561
Retrieving Business Application and Internet Exposure Information ...................................................................................... 562
Isolating a Server .................................................................................................................................................................... 562
Customizing the AlgoSec App ................................................................................................................................................ 562
Customizing the Fields Supporting AlgoSec Workflow Actions ....................................................................................... 562
Configuring the 'Find Affected Business Applications' Workflow Action .......................................................................... 563
Customizing the Parameters used to Calculate Internet Exposure ................................................................................. 563
Customizing the Isolate Server Change Request............................................................................................................ 563
Customizing the Conditions for Business Application Criticality ...................................................................................... 564
Using AlgoSec Capabilities in Other Splunk Apps .................................................................................................................. 564
Using AlgoSec Capabilities in Your Custom Splunk Apps .............................................................................................. 564
Index........................................................................................................................................................... 566
CHAPTER 1
Introduction
In This Chapter
About AlgoSec Firewall Analyzer ...........................................................................................................8
AlgoSec Firewall Analyzer Components .................................................................................................9
Supported Products ................................................................................................................................12
System Requirements .............................................................................................................................15
Quick Start – Configuring AFA .............................................................................................................15
This section introduces the AlgoSec® Firewall Analyzer®.
About AlgoSec Firewall Analyzer

The AlgoSec® Firewall Analyzer (AFA) is a component of the AlgoSec Security Management System. It is
a comprehensive device analysis solution that builds an end to end model of your network’s security posture
and Layer 3 connectivity. This model and its graphical map allow you to automatically detect security holes
in your device policies. This unique solution helps you proactively cover six important areas:
 Advanced Management and Troubleshooting
AFA provides operations and security teams with the ability to run interactive traffic simulation queries,
to diagnose whether the device is blocking operational traffic.
In situations where a new exploit uses ports that could be blocked by the devices, AFA lets you run a
traffic simulation query on all your devices to identify whether you are exposed, and which policies
should be tightened up.
AFA reports are very intuitive and user-friendly, allowing you to quickly locate and resolve critical
problems with three mouse clicks. Although AFA reports are easy to understand, they comprise a
profound analysis of five layers of information, with more than 1500 linked files. The files making up
the average AFA report, total about 75 MB* in size.
The following are traffic types analyzed by AFA:
 Every external IP address
 Every internal IP address (private or public, including NAT)
 Every protocol
 All source and destination port numbers and applications
 Both incoming and outgoing traffic
 Each report is the result of AFA analysis of more than 1030 possible intrusions
 Risk Management
8
Chapter 1 Introduction
Analyzing complex device policies manually is time consuming and requires an understanding of all the
possible options and combinations. As a result, many risks are not detected and impose a threat to the
organization's security. The AFA Risk Management module automatically analyzes every type of
packet that a device may encounter and performs a comprehensive analysis - not just a spot check.
Therefore, customers have the ability to view all the risks and the specific rules that cause them, across
all their devices.
 Change Management
Today's constant demand for application and infrastructure changes poses a significant risk of
compromising security in the process, and exposes organizations to new risks they might not even know
about. That's why an ad hoc approach to change management is not recommended. AFA provides a
comprehensive solution that helps report all the changes made to your device policies, and analyzes their
impact, so that you can review and verify that they are performed correctly. In addition, a complete
change history is logged. With AFA, the change process becomes more efficient, safer and easier to
control.
 Policy Optimization
Devices work more efficiently and are easier to manage when the policies are uncluttered and free of
unused rules and objects. AFA enables customers to optimize policies easily and safely, by providing
information on the following:
 Unused Rules: rules that are not used according to actual traffic logs
 Covered Rules: rules that are covered by previous rules (and will never be used)
 Disabled rules
 Time-inactive rules
 Rules without logging and without comments
 Unattached, Unused and unrouted objects
AFA also includes the Intelligent Policy Tuner, which identifies rules that are too wide and permissive,
and rules which contain sparsely used and unused objects, thereby enabling you to fine tune your policy.
 Regulatory Compliance
AFA helps you comply with standards and regulatory requirements such as: Sarbanes-Oxley, Basel II
Capital Accord, HIPAA, BS 7799 / ISO 17799, NIST 800-41, FISMA, IAVA, Payment Card Industry
Data Security Standard (PCI DSS), Cyber Security Standards (CIP).
 Periodic Audits
With AFA you can incorporate auditing into your work process. Simply define the schedule for analysis.
AFA will automatically perform the analysis according to your defined triggers and e-mail the results to
the relevant people upon completion.
AlgoSec Firewall Analyzer Components

The AlgoSec’s Firewall Analyzer (AFA) Product Suite includes the following product options:
 AFA Operations and Optimization, which is the baseline of the AFA Product Suite.
 AFA Risk and Compliance Module, which is an optional module that can be purchased in addition to AFA
Operations and Optimization, and which adds risk management and compliance verification abilities.
 AFA Provider Edition, which is an optional license that enables definition of multiple virtual domains on
a single AFA physical system.
9
 AFA ActiveChange, which is an optional license that allows automatically implementing AFA
recommendations on the device, directly from the AFA system.
AFA Operations and Optimization

AFA Operations and Optimization is the baseline of the AFA Product Suite. It supports the daily operational
activities and change management requirements of device administrators, as well as maintaining detailed
change history reports for all device configurations. Furthermore, the product enables significant device
performance improvement, by providing a rich set of reports and recommendations for improving the
efficiency of the device configuration, including an Intelligent Rule Re-Ordering algorithm.
Here are some of the main benefits:
 Device analysis and reports for change tracking: Visual display of the device policy, including topology,
traffic, rules and objects. It includes analysis of the routing table and provides a connectivity diagram.
Also, it shows changes from previous reports on the same device.
 Group reports for change tracking: Create a report on a group of devices with either pre-defined or
ad-hoc device definitions.
 Matrix (multi-tiered) analysis: Analyzes several devices together, taking into account their relative
hierarchy in the network.
 Customized report scheduling: Schedule an analysis per device or group of devices, based on
pre-defined intervals (daily, weekly, monthly, etc.) and issue a report.
 Offline Web interface: Offers an offline policy store that delivers unprecedented visibility and insight, to
ensure that current configurations match mandated policies.
 Report comparisons: Compare any two reports – either the same device or different devices or different
device vendors. Track the changes in a device policy between reports of any two dates. Show the
changes in traffic, rules, services, host groups, topology and objects.
 E-mail notifications: Send e-mails to pre-assigned users following a device analysis with the summary of
the analysis and the changes from previous reports.
 Traffic Simulation Queries: Run a traffic simulation query on a specific device or a group of devices to
determine which rules control traffic between specific sources and destinations. This enables help desk
teams to easily troubleshoot and prevent disruptions. It also provides for seamless server IP migration
and security checking.
 Routing Queries: Routing queries allow you to check the end to end routing between two IP addresses on
the map. They are different from the traffic analysis query because they do not take into account any
security rules or NAT rules that may block or alter the routing path.
 Real time change alerting: Continuously poll device policy changes and send e-mail alerts when a
change is detected.
 Basic compliance: By exploring the policy and change history an auditor receives the required
information to produce a report that complies with corporate and regulatory standards such as the
Sarbanes-Oxley Act, Basel II Capital Accord, HIPAA, BS 7799/ISO 17799, FISMA, Payment Card
Security Standard (PCI DSS) and Cyber Security Standards (CIP).
 Rule cleanup and audit: Identify unused, covered, timed out and disabled rules which are candidates for
removal. List rules that may not conform to company security policies, including rules without
comments, rules without logs and rules with comments that do not include a ticket number.
 Usage analysis: Show unused rules, the most used and the least used rules.
 Intelligent Policy Tuner: Refine your device policy, by identifying rules that are too wide and
permissive, and rules which contain rarely used and unused objects.
10
 Intelligent rule re-ordering: Recommendation of new positions for the rules to increase the device
performance. The recommended order retains the policy logic. Typically, by repositioning only a few of
the most used rules a significant improvement in performance is seen.
 Object cleanup and audit: List unused, unattached and empty objects which are candidates for removal.
 VPN cleanup and audit: Show VPN parameters, including unused users, unattached users, expired users,
unused groups, unattached groups and expired groups.
 VPN analysis: Also present the VPN parameters in the change history page and in e-mail notifications.
AFA Risk and Compliance Module

The optional AFA Risk and Compliance Module adds risk management and compliance verification
abilities to AFA Operations and Optimization. Built on AlgoSec's comprehensive knowledge base of
industry best practices for device configurations, it allows users to quickly assess the security posture of
their device configurations and ensure that all devices meet their specific security controls. It also includes
automatically completed compliance reports.
 Deep risk analysis: Identifies every packet the device may encounter. Automatically maps topology and
identifies the most serious threats based on industry best practices, prioritizes subsequent risks and
offers guidance on what and how to remediate.
 Automatic assessment and compliance reports: Generates automatically populated per device
compliance reports to assure continued adherence to external regulatory standards including SOX,
PCI-DSS, ISO 27001, Basel-II, and J-SOX, supplying the end-user or auditor with turnkey reports.
 Continuous security audit: Provides a complete audit trail and replaces error prone manual tasks, to
ensure configuration is aligned with security policy.
 Customize risk assessment: Add risk profiles, based on internal corporate standards and easily
customize out-of-the-box risk profiles, with the AlgoSec wizard-driven Risk Profile Editor.
 eMail notifications: Send e-mails to pre-assigned users, following a device risk analysis with the
summary of the analysis and the changes to the security posture relative to previous reports.
 VPN analysis: Add risks associated with VPN rules and VPN objects to the Change History page and to
e-mail notifications.
AFA Provider Edition

The optional Provider Edition license enables managed security service providers (MSSPs) to create
multiple customer environments on a single AFA system.
 Multiple domains: MSSPs can manage multiple AFA instances, called domains, on a single AFA server.
 Full separation between domains: Each domain has its own devices, groups, matrices, and end-user
accounts. Customers can view only the content of their own domain.
 Central management. MSSPs can centrally manage all domains and configure global settings.
11
AFA ActiveChange
The optional ActiveChange license adds the ability to implement AFA recommendations directly from the
AFA system, for Check Point devices accessed via OPSEC.
 Ability to disable unused, covered, and redundant special case rules: Rules belonging to any of these
three categories can be automatically disabled.
 Policy backup: The policy is backed up before changes are made, enabling one to easily revert to the
pre-change policy.
 Full audit trail: Comments are added to every disabled rule to indicate which user made the change and
when. These comments are visible in the Check Point Smart Dashboard.
Supported Products
The AlgoSec Firewall Analyzer supports the following products:
Supported Products
Product Versions Support Provided

Check Point® FireWall-1®  Supported versions: 3.0, 4.0, Full
and Provider-1® 4.1, NG, NGX, and Software
Blades Architecture (R7x),
including Application Control
blade (R75)
 Supported platforms: Solaris,
SecurePlatformTM, Nokia IPSO,
VSX1 , GAiA, Crossbeam,
Nortel, Linux, UTM-1,
Windows NT/2000/XP,
Windows Server 2003/2008
 English language locale (US or
UK)
Check Point - Security All Full
Management (SmartCenter)
Check Point - Single CMA All Full
Cisco - Firewall via CSM 4.3 and above Full
2
Cisco PIX, ASA and FWSM PIX/ASA v4.4 and above, FWSM Full
v1.0 and above
Cisco IOS Router All Full
Cisco Nexus Router All Full
Cisco Layer-3 Switches All Full
Juniper NSM 2008 and above Full
Juniper NetScreen 5.0 and above Full
12

Juniper M/E Routers All Full
Juniper Space 11.4R1.5 and above Full
Juniper SRX2 All Full
Fortinet FortiManager 3.0 and above Full
Fortinet FortiGate 3.0 and above Full
Forcepoint (McAfee) 7.0 and above Full
SideWinder Note: Layer-2 mode may require
special configuration.
Forcepoint (McAfee) Security 5.6 and above Full
Management Center (formerly
known as StoneGate)
Palo Alto Networks Firewall3 All Full
Note: Layer-2 and Virtual Wire
modes may require special
configuration.
Palo Alto Networks-Panorama 7 Full
Hillstone Networks All Full
F5 BIG-IP LTM® 11 and above Full
VMware NSX All Full
Amazon Web Services (AWS) All Full

Security
Cisco Application Centric All Full
Infrastructure (ACI)
Cisco ACE All Policy change monitoring and routing
analysis4
DELL SonicWALL All Policy change monitoring and routing
analysis4
Juniper Secure Access (SSL All Policy change monitoring and routing
VPN) analysis4
Juniper Routers (non-M/E) All Policy change monitoring and routing
analysis4
Blue Coat Proxy Server and All Policy change monitoring, routing analysis
Web Filter and FireFlow change workflow4
F5 BIG-IP AFM™ All Policy change monitoring4 and routing
analysis
Linux netfilter iptables All Policy change monitoring and routing
analysis4
Microsoft Azure All Policy change monitoring4
13

SECUI MF2 All Policy change monitoring and routing
analysis
Topsec Firewall All Policy change monitoring and routing
analysis4
WatchGuard All Policy change monitoring and routing
analysis4
Avaya - Routing Switch All Policy change monitoring and routing
analysis4
HP H3C Routers All Policy change monitoring and routing
analysis4
Brocade VDX All Policy change monitoring and routing
analysis4
Additional devices, added via All Policy change monitoring and routing
the AlgoSec Extension analysis4
Framework (AEF)6
1
Check Point VSX support includes virtual systems and virtual routers.
2
Some of these devices support IPv6 addresses. See IPv6 Support IPv6 Support (page 14) for more information.
3
Palo Alto Networks Virtual Wire or Layer-2 (transparent) mode devices may require special configuration (contact
AlgoSec support for details). Policy-Based Forwarding (PBF) is not supported.
4
Policy change monitoring includes: E-mail alerts sent to users upon policy changes and viewing changes for a
specified period of time via the AFA Web interface. Routing analysis includes: Routing table collection via SNMP and
topology analysis within the network map and query path analysis.
5
The AlgoSec Extension Framework (AEF) enables you to add your choice of devices. For information on using the
AEF, see Appendix A: Using the AlgoSec Extension Framework (page 353).
IPv6 Support
AFA supports IPv6 addresses for policy rules and network objects for the following devices:
IPv6 Supported Products
Product Versions
Cisco PIX and ASA 7.2 and above
Cisco FWSM 3.1 and above
Cisco IOS 12.0 and above
Juniper SRX 9.6 and above
Note: AFA only supports IPv6 addresses for Juniper SRX when it is defined directly in AFA, not when it is
defined under Juniper Space or NSM.
Note: AFA IPv6 support includes presenting IPv6 objects and rule definitions and detecting and presenting
IPv6 rule and object changes. You must connect to the device's management interface using an IPv4
address.
14
System Requirements
AlgoSec Firewall Analyzer is best viewed with Google Chrome, Internet Explorer 9.0 and up or Firefox 2.0
and up at screen resolution 1280x800 and above.
Quick Start – Configuring AFA

Here are a few typical Administration actions you will want to perform in AFA.
 Configure e-mail notifications
AFA can send a variety of e-mail messages to you and to your team members when reports are ready, or
when changes are made on the monitored security devices. Configure AFA to send you e-mail
notifications when reports are ready and upon policy changes. For complete instructions, see Setting Up
E-mail Notification (page 291).
 Collect your device policy automatically
Add devices for which you want to activate data collection. For complete instructions see Managing
Devices in AFA (page 53).
 Configure AFA to run periodic analyses overnight
Once you have defined your devices for automatic data collection, you can schedule periodic analyses
overnight (or at any other schedule of your choice). For complete instructions see Scheduling AFA
Analyses (page 250).
15
CHAPTER 2
Installation
In This Chapter
Prerequisites ...........................................................................................................................................16
Installation Instructions ..........................................................................................................................19
This section describes AlgoSec Firewall Analyzer (AFA) installation.
Prerequisites
Hardware Requirements
You can run the AlgoSec Security Management Suite (ASMS) with one of the following:
 A pre-installed AlgoSec Hardware Appliance.
If you obtained ASMS preinstalled on an AlgoSec Hardware Appliance, you must designate an IP
address for the appliance. If desired, DHCP can be used. For more information, see the AlgoSec
Hardware Appliance Guide.
 A pre-installed VMware virtual appliance (VM)
 The ASMS AMI for cloud deployment on an Amazon server)
 A physical native linux server on which you install ASMS
Note: The AlgoSec Hardware Appliance, VMware virtual appliance and AMI include the complete ASMS
Suite: AFA, FireFlow and BusinessFlow. Functionality is enabled via licensing and not via installation.
When installing ASMS yourself, you have the option to perform a standalone installation, but FireFlow and
BusinessFlow cannot be installed without AFA.
The environment must meet or exceed the following specifications:
Memory: 2 GB RAM per core
Disk space: 20 GB free disk space plus 75 MB* per report
CPU: 2 GHz or higher
A server with the following specification is recommended:

Memory: 4 GB RAM or more per core
Disk space: 100 GB free
CPU: Quad core or higher
Note: The hardware requirements specified above only apply to a minimal environment. For assistance in
determining the needs of your environment, please contact AlgoSec support. For more information, please
see Capacity Planning for Your AFA Server (page 18).
16
Chapter 2 Installation
Software Requirements
ASMS supports the following operating environments and software:
For physical server: The following distributions/versions are supported for 64-bit operating systems:
 Red Hat Enterprise Linux 6.6
 CentOS Linux 6.6
You must choose "Basic Server" when asked for installation type, to avoid library dependency
issues.
Note: 32 bit operating systems are no longer supported.
For VMware:  VMware ESX
 VMware ESXi 5.x
Note: For more information about the AlgoSec VMware appliance, please see AlgoSec support
(https://portal.algosec.com/en/support/support_home).
17
Capacity Planning for Your AFA Server

Ascertaining the optimal performance and storage requirements for AlgoSec appliances depends on several
factors, including log size and report size, in addition to retention time.
In order to achieve accurate sizing of the AlgoSec appliance, please fill out and return the following
document: AlgoSec Appliances Sizing (2.0).docx.
For more precise provisioning of disk space, use the following examples:
 Example 1 - Daily analysis of 4 devices, stored one year back
If you have 4 devices whose policies are changed daily and you select daily analysis, then AFA reports will
consume about 4 x 75 MB* = 300 MB per day, 7 x 4 x 75 = 2.1 GB per week.
For one year (assuming all four devices' policies are changed every day) you need 2.1 GB x 52 = 109 GB.
If the analysis time is 10 to 30 minutes per device (20 minutes on average) then the daily analysis will
typically run for 1 hour and 20 minutes.
Note: There are some devices (for example, Checkpoint) whose report sizes are larger than 75 MB. This can
affect the storage capacity required.
 Example 2 - Analyze upon install of 50 devices, stored three months back

Suppose you have 50 devices, whose policies are changed twice a week (on average). Set AFA to "analyze
upon install", and configure the system to delete reports older than three months and keep a single report per
each of the previous periods. Then, AFA will generate about 2x13 reports in a three-month period, plus
three representative older reports (one report for each previous quarter) , giving you about 30 reports per
device per year. Therefore the disk space you need is:
50 x 75 MB* (per report) x 30 report = 112 GB
Note: There are some devices (for example, Checkpoint) whose report sizes are larger than 75 MB. This can
affect the storage capacity required.
If the analysis time is 10 to 30 minutes per device (20 minutes on average), the analysis time for all devices
assuming the described change rates will be:
20 min. x 50 devices x 2/7 = about 5 hours.
Note: ASMS v6.8 improves (reduces) the analysis time. Since the analysis time here is given, the calculation
is, of course, valid.
In order to be on the safe side, and avoid analysis batches that overlap in time, you should make sure AFA is
given enough time to run the analysis. In the case of a 5-hour-long analysis, schedule the next analysis to run
at least 7 hours after the onset of the first analysis.
 Example 3 - Larger installations with hundreds of devices
If you are implementing AFA on a system with hundreds of devices, please ask your AlgoSec sales
representative or AlgoSec technical support to assist you in your capacity planning.
Note: 75 MB is a typical report size in an enterprise environment. Yet, in cases of extremely large devices,
report size could reach hundreds of megabytes. For proper capacity planning, it is recommended to analyze
your largest device.
18
Installation Instructions
The AFA installation process includes the following steps:
Note: Step 1 and 2 are only required when installing AFA on a physical native linux server.
1 Installing the AFA pre-installer.
2 Installing the AFA software.
3 Defining the first administrator user.
4 Obtaining the license.
5 Installing the license.
Installing the AlgoSec Firewall Analyzer Pre-Installer

 To install the AFA pre-installer:
1 Download the AlgoSec Firewall Analyzer pre-installation package, by doing the following:
a) Open a Web browser and navigate to http://portal.algosec.com/.
b) Log in using your AlgoSec-supplied password.
If you do not have a password, register at http://www.algosec.com/ and a password will be emailed to
you.
c) In the top menu, click the Downloads tab.
d) In the Software area, click AlgoSec Firewall Analyzer.
e) Download the relevant AlgoSec Firewall Analyzer pre-installation package, and save the file using
its default name: afa-preinstall-x64-version-build.run
where version is the version number and build is the build number.
Note: These are the AFA Pre-Installer's version and build numbers, not AFA's.
2 Log in as root or change user to root.
3 Make the downloaded run file executable by typing
chmod u+x afa-preinstall-x64-version-build.run
4 Run the file by typing
./afa-preinstall-x64-version-build.run
The pre-installer installs. You now should continue by installing the AFA installation package.
Installing the AlgoSec Firewall Analyzer Software

 To install AFA
1 Download the AFA installation package, by doing the following:
a) Open a Web browser and navigate to http://portal.algosec.com/.
b) Log in using your AlgoSec-supplied password.
If you do not have a password, register at http://www.algosec.com/ and a password will be emailed to
you.
19
c) In the top menu, click the Downloads tab.

d) In the Software area, click AlgoSec Firewall Analyzer.
Note: There is an option for a version of AFA that uses encryption packages that are FIPS 140-2
compliant.
e) Download the relevant AlgoSec Firewall Analyzer installation package, and save the file using its
default name:
fa-version-build.x86_64.run
where version is the version number and build is the build number.
2 Log in as root or change user to root.
3 Make the downloaded run file executable by typing
chmod u+x fa-version-build.x86_64.run
4 Run the file by typing
./fa-version-build.x86_64.run
If a compatible version of Java is not found, you will see the following prompt:
Proceed to install Java runtime environment (JRE) [y]:
In this case, press Enter.
5 If you are updating AFA from version 6.3 or below, you are further prompted regarding migrating traffic
log files to the database. See Migrating Traffic Log Files to the Database (page 28).
Note: The installation procedure produces a log file located at /var/log/fa-install.log
Note: If you have a problem during installation or use of AFA, follow the instructions at
http://algosec.com/Support/ContactSupport/
Note: The AFA installation includes a built-in syslog-ng server. If you installed AFA on a machine that was
previously configured with a local syslog-ng server, you must configure the syslog-ng server as described in
the AlgoSec Firewall Analyzer User Guide, Configuring a Syslog-ng Server.
Defining the First Administrator User

Notes:
1. The AFA machine needs to have a fixed DNS name or IP address for your colleagues to access it. This
usually implies that it should be configured not to "obtain an IP address automatically" and not to use
DHCP.
2. Contact your local network administrator to find out the DNS name or IP address of the AFA machine.
 To define the first administrator user

1 In your browser's Address field, type https://<algosec_server>/algosec/ where
<algosec_server> is the AlgoSec server IP address or DNS name.
If a warning message about the Web server's certificate appears, click Accept or OK (depending on your
browser and its security settings).
Note: Once you know the DNS name of the AlgoSec machine, you should create a "self-signed
certificate", and configure Apache to use it. This will stop the certificate-related warnings from showing
up when you or your colleagues access the Web server. Creating, installing and configuring certificates
is an Apache administration topic and is not explained in this manual.
The Security Management Suite page appears.
20
2 In the User Name and Password fields, type the user name and password provided by AlgoSec.
3 Click Login.
The First Administrator configuration page appears.
4 Complete the fields using the information in the table below.

5 Click OK.
A success message appears.
6 Click OK.
21
The Welcome window appears.
Note: To access online training go to: https://portal.algosec.com/en/training/online_courses

7 Click Close.
The Home page appears with the Information dialog box open.
8 Click OK.
Admin User Fields
In this field... Do this...

Username Type a username for the admin user.
Full Name Type the admin user's full name.
E-Mail Address Type the admin user's e-mail address.
Password Type a password for the admin user. The password must have a minimum of 4
characters (letters or numbers).
Repeat Password Re-type the password you entered in the New password field.
Obtaining a License
 To obtain a license
1 Log in to http://portal.algosec.com using your username and password.
2 Under Evaluation, click the License Key Request link.
3 Follow the on-screen instructions.
After you submit your license request, you will receive your license by e-mail.
22
Notes:
1. You must have Internet connectivity in order to activate the license key. If you are an enterprise customer
who purchased a license and do not have Internet connectivity from the AFA machine, you may request that
a pre-activated license be sent to you. Please mention in the comment field of your request form: "Please
provide an offline license". Offline licenses may take several days to issue.
2. To find the MAC address, use the Linux command:
/sbin/ifconfig eth0
and copy the hexadecimal values printed after the HWaddr field.
If you are using an AlgoSec appliance (VMware or hardware), you can also find the MAC address by
browsing to https://<algosec_server>/algosec/ where <algosec_server> is the AlgoSec
server URL, and clicking AlgoSec Appliance Status.
3. If your computer has multiple interfaces, make sure you submit the MAC address of the eth0 interface.
Installing a License
Using AFA requires a license from AlgoSec.
 To install a license
1 Do one of the following:
 Install a license when logging in to AFA for the first time.
 After defining the first administrator, the Welcome to Firewall Analyzer window appears. Click
Install License.
 Install a license via the License Information window.
23
1. In the toolbar, click your username.

A drop-down menu appears.
2. Select License.
The License Information window appears, displaying license information.
3. Click Install License.

The End-User License Agreement appears.
2 Click Accept.
The License Installation window appears.
3 Click Select a File and browse to the license file.

4 Click Install.
5 Log out of the Web interface, and then log in again.
6 If you are running AFA on an HA/DR cluster, apply the license to the secondary appliance by doing the
following:
a) On the secondary appliance, open a terminal and log in using the username "root" and the related
password.
b) Run the following command:
/usr/share/algosec_appliance/scripts/algosec_conf
c) Enter "12".
The following prompt appears on the screen:
Please enter the path to the license file (e.g., /tmp/license.lic).
To abort, press "a".
d) Enter the location of the license file.
24
The license is installed.
Installing an "Online" or "inactivated" License

If you receive an "Online" or an "inactivated" license from AlgoSec, the AFA software needs to access the
AlgoSec license server to activate your license. This means the computer running AFA needs an internet
connection. Additionally, activating a license requires the following:
 If your normal browser setting requires using a proxy server, you must configure AFA to use the proxy
by doing the following:
1. In AFA, in the toolbar, click your username.
2. Select Administration.
The Administration page appears, displaying the Options tab.
3. Click the Proxy sub-tab.
The Proxy sub-tab appears.
4. Configure your proxy settings.
5. Click OK.
 Verify your connection allows HTTPS traffic (TCP/443) from your AlgoSec server to
www.algosec.com and that your outbound web proxies do not manipulate or sanitize the traffic.
Note: No information about the configuration of the audited device is passed to AlgoSec or to any third
party.
Viewing License Information

You can view static information for your license, such as type, version, and expiration, as well as dynamic
information, such as firewall and router usage of licenses.
 To view license information
1 In the toolbar, click your username.
2 Select License.
25
The License Information window appears.
You can track license usage by device by viewing the Usage Details CSV file.
 To view license usage details
1 Click Usage Details at the bottom of the License Information window.
2 Follow your browser prompts to open or save the License Usage.csv file.
Updating a License
You need to update your license in the following cases:
 Expired license. Your AFA license is valid for a certain period of time. In order to ensure continuous use
of your AFA software, it is recommended to update your license before it expires.
Note: In the AFA Web interface, when there are less than 45 days remaining on your license, the License
link in the toolbar appears in red.
 Exceeded license usage. Your license is valid for a certain number of devices or reports, depending on
your license type. If you discover that you require additional devices or reports, you must update AFA
with a new license with the required number of devices or reports.
 AFA upgrade. If you would like to upgrade your AFA by adding additional modules or components, you
must update AFA with a new license.
To update your license, follow the procedures described in Installing a License (page 23).
26
Upgrading AFA
When AFA is installed on a standalone appliance, and a distributed system is not used, the upgrade process
is identical to the installation process. See Installing the AFA Software (page 19).
When AFA is installed on appliances in a High Availability (HA) cluster, and a distributed system is not
used, see Upgrading AlgoSec Firewall Analyzer on a Cluster (page 27).
When AFA is installed either on a standalone appliance or in a HA cluster, and a distributed system is used,
see Upgrading AlgoSec Firewall Analyzer in a Distributed System (page 28).
Note: If you currently have FireFlow and/or BusinessFlow installed and initiated, you must upgrade the
entire suite along with AFA. This is not true for hotfixes.
Note: Upgrading AFA to a new version retains all your existing license information and configuration
settings. All reports are retained as well, unless otherwise specified.
Upgrading AFA on a Cluster

 To upgrade AlgoSec Firewall Analyzer, when it is installed on a HA cluster
1 If this is the first time you upgrade the cluster, you may have to manually replace certain scripts.
See Replacing Scripts before Upgrading Software in a Cluster for the First Time (page 27).
2 Copy new builds (.run files) to the primary appliance’s /root/AlgoSec_Upgrade directory.
3 Connect to the administration interface via SSH.
The administration interface main menu opens automatically.
4 Enter "8".
The newest build that is located in the /root/AlgoSec_Upgrade directory and which has not yet been
installed is automatically installed on the appliance.
5 If you are updating AFA from version 6.3 or below, you are prompted regarding migrating traffic log
files to the database. See Migrating Traffic Log Files to the Database (page 28).
Replacing Scripts before Upgrading Software in a Cluster for the First Time
When upgrading the cluster for the first time, it may be necessary to manually replace certain scripts before
upgrading the AlgoSec software.
The following procedure must be performed on each of the appliances in the cluster.
 To replace scripts before upgrading the software
1 Connect to the administration interface via SSH.
The administration interface main menu opens automatically.
2 Exit the main menu, by pressing Ctrl-C.
3 Check the appliance’s build version, by running the following command:
rpm -q algosec-appliance
The appliance’s build version appears. If the version is lower than 6.1-11, it is necessary to manually
replace the scripts. If the version is 6.1-11 or above, you may skip the rest of this procedure.
4 Back up current scripts, by running the following commands:
cp /usr/share/algosec_appliance/scripts/algosec_conf{,.orig}
27
cp /usr/share/algosec_appliance/ha/ha_conf.sh{,.orig}
5 Place the archive file fix11809.tgz in the directory /tmp/.
This file will be provided by AlgoSec support.
6 Extract the archive file, by running the following command:
tar xzf /tmp/fix11809.tgz -C /
Upgrading AFA in a Distributed System

 To upgrade AFA when a distributed system is used
 In a load distributed environment - upgrade each slave and master, as described in Installing the AFA
Software (page 19).
 In a Geographical distributed environment – upgrade each remote agent and the central manager, as
described in Installing the AFA Software (page 19).
 If you are upgrading to a major version (for example 6.5 to 6.6) - there will be a short disconnection
downtime until master and slaves will be upgraded to the same major version. This is due to the version
compatibility test done upon connection between master and slaves."
Migrating Traffic Log Files to the Database

If you are upgrading AlgoSec Firewall Analyzer from version 6.3 or below, you must migrate your traffic
log files to the database. Immediately after completing the general upgrading procedure, you are prompted
to do this migration. The procedure below instructs you how to respond to these prompts.
 To migrate traffic log files to the database
1 When the upgrade procedure starts, the following prompt appears on the screen:
Upgrade involves migrating traffic logs to database which may take about <time
estimation>. continue? [Y,n]:
where, <time estimation> is an estimation of how long the migration will take.
 If you have time to do the upgrade now, press Enter to continue the upgrade.
 Otherwise, type "n" and press Enter to abort the upgrade.
If you continue with the upgrade, the following prompt appears on the screen:
After this migration, the database will keep the last <default time> days of
traffic logs (assuming they were accumulated previously in AFA). Please
acknowledge this retention time or change it. [<default time>]
where, <default time> is 365 days or the time frame specified for AFA reports to cover (see Log
Analysis (page 329)), whichever is longer.
 If keeping logs for the default time is sufficient for your needs, press Enter.
 Otherwise, type a new value in days and press Enter.
The log retention time is set, and the following prompt appears on the screen:
The installer is going to migrate the file-based traffic log data to the database.
It is HIGHLY recommended to back up the log files prior to the upgrade.
Back up the logs now? [Y/n]
 To back up the log files, press Enter.
28
 Otherwise, type "n" and press Enter.

Note: If you do not respond to this prompt within 60 seconds, the upgrade procedure will continue
automatically, performing the backup.
Backing up the log files may take a few minutes.
5 If you opted to back up your log files, one of the following may occur:
 If you do not have enough disk space for the backup, the following prompt appears on the screen:
Disk space is not sufficient. Minimum required space is <space> MB. Retry?
[Y/n]
where, <space> is the amount of disk space in MB required to back up your log file.
Do one of the following:
 Clean up your disk, and then, retry the back up by pressing Enter.
 Abort the back up by typing "n" and pressing Enter.
 If there is a general error, the following prompt appears on the screen:
Unknown error while trying to backup log files. Retry? [Y/n]
 Retry the back up by pressing Enter.
 Abort the back up by typing "n" and pressing Enter.
After the log file backup is completed successfully, a success message and the location of the backup file
appear on the screen.
6 If you do not have enough disk space for the log migration, one of the following will occur:
 If you did back up your log files, the following prompt appears on the screen:
Disk space is not sufficient. Minimum required space is <space> MB.
Suggestion: move logs backup (<backup file location>) to a different machine.
Retry? [Y/n]
where, <space> is the amount of disk space i
n MB required to migrate your log files to the database, and <backup file location> is the
location of the logs backup file.
 Move your logs file backup to a different machine, and then, retry the log migration by pressing
Enter.
 Clean up your disk, and then, retry the log migration by pressing Enter.
 Abort the upgrade by typing "n" and pressing Enter.
 If you did not back up your log files, the following prompt appears on the screen:
Disk space is not sufficient. Minimum required space is <space> MB. Retry?
[Y/n]
where, <space> is the amount of disk space in MB required to migrate your log files to the
database.
 Clean up your disk, and then, retry the log migration by pressing Enter.
 Abort the upgrade by typing "n" and pressing Enter.
7 If there is sufficient disk space for the log migration, a more accurate log migration time estimation
appears on the screen.
29
The logs are migrated, and a traffic log migration success message appears on the screen.
30
CHAPTER 3
Selecting a Deployment Type

In This Chapter
Working with Domains ..........................................................................................................................31
Distributed Architecture Overview ........................................................................................................45
This section describes how to configure Domains and Distributed Architecture.
Based on your business needs, before you begin working with AFA you may wish to select an advanced
deployment type: Configuring Domains (Provider Edition) and/or Configuring Distributed Architecture
(Load dist. and Geo dist.)
Domains: AFA Provider Edition enables a managed security service provider (MSSP) to create multiple
virtual AFA instances, called domains, on a single server. Each domain acts as a full and independent
AlgoSec Firewall Analyzer, containing the data of a specific customer. See Enabling Domains (page 33).
Distributed architecture: AFA is a scalable solution that allows analyzing a very large number of devices. If
your environment contains more devices than a single AlgoSec appliance can analyze, you can deploy a
distributed architecture that includes multiple appliances. See Enabling Distributed Processing (page 47).
AFA supports two types of distributed architectures:
 Load Distribution
In a Load Distribution architecture, there is a single master AlgoSec appliance and one or more slave
AlgoSec appliances, all in the same geographical location.
 Geographic Distribution
In a Geographic Distribution architecture, you can manage devices across multiple geographical
locations.
Working with Domains

Customers can log into their own domain interface and manage their own devices, groups, matrices, and
user accounts, but cannot view other customers' data. In contrast, the MSSP retains the ability to view and
manage all domains via the management interface, and to view and manage the domains' contents via the
individual domain interfaces.
Note: BusinessFlow does not support domains.
When domains are enabled, AFA users are divided into the following types:
 Management users. Can perform the following tasks according to their user type (administrative or
non-administrative) and access level (see Users and Roles (page 258)):
 Log into the management interface
 Add, edit, and delete domains
 View all domains' reports
31
 Set global preferences, affecting all domains, including: Proxy, Mail, Storage, Backup, and
Workflow
 Set preferences for the management interface only, including: Authentication and Web GUI
 Add, edit, and delete management users
 Log in to the domain interface and manage the contents of any domain for which the user has
permissions
These users are typically part of the MSSP organization.
 Domain users. Can log in to the domain interface of their own domain and perform tasks according to
their user type (administrative or non-administrative) and access level within the domain (see Users and
Roles (page 258)). These users are part of the customer organization.
The procedures in this section are intended for management users only.
Using Domains

 To use domains
1 Install a Provider Edition license.
See Installing a License (page 23).
2 Enable domains.
See Enabling Domains (page 33).
3 Log in to the management interface.
See Logging in to the Management Interface (page 34).
4 (Optional) Add additional management users, as desired.
See Adding and Editing Management Users (page 35).
5 (Optional) Set global preferences, as desired.
See Adminstration Options Settings (page 324).
Note: Changes to the Web GUI and Authentication settings will affect the management interface only.
Changes to the Proxy, Mail, Storage, Backup, and Workflow options will affect all domains.
6 Add a domain for each customer.
See Adding and Editing Domains (page 42).
7 For each domain, do the following:
a) Log in to the domain interface.
See Logging into AFA in the AlgoSec Firewall Analyzer User Guide.
b) Define a local administrator user for the domain.
See Adding and Editing Users (page 277).
c) Provide the customer with the following:
 The URL of the customer's AlgoSec Firewall Analyzer domain interface.
 The username and password of the domain user you defined.
 The name of their domain.
8 Ask each customer's local administrator to log in to their domain and add devices, groups, matrices, and
user accounts as described in the other sections of this guide.
32
Chapter 3 Selecting a Deployment Type
Enabling Domains
Upon enabling domains, all existing users will become management users, and all existing devices, groups,
and matrices will be moved to an automatically generated domain called "domain1".
Important: This action is not reversible. Before enabling domains, it is advisable to contact AlgoSec support
to discuss whether domains are the optimal solution for your organization.
 To enable domains
2 Select Administration.
3 Click the Domains tab.

The Domains page appears.
4 Click Enable domains.
33
A confirmation message appears.

5 Click OK.
Domains are enabled.
The domain domain1 is created, and all existing devices, groups and matrices in AFA are added to it.
All existing users become management users.
You are logged out of AFA.
6 If FireFlow is installed, restart FireFlow.
See the AlgoSec FireFlow Configuration Guide, Restarting FireFlow.
Logging in to the Management Interface

For information on logging in as a domain user, see Logging into AFA in the AlgoSec Firewall Analyzer
User Guide.
 To log in to the management interface
1 In your browser's Address field, type https://<algosec_server>/algosec/ where
<algosec_server> is the AlgoSec server IP address or DNS name.
If a warning message about the Web server's certificate appears, click Accept or OK (depending on your
browser and its security settings).
Note: In order to stop the certificate-related warnings from appearing when you access the server, you
must install a security certificate. For the best performance, AlgoSec recommends installing a certificate
signed by a CA (as opposed to a "self-signed certificate"). For more information, please refer to
http://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-httpd-secure-server.html
http://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-httpd-secure-server.html. Please
note that AlgoSec recommends using a 2048 bit certificate and not 1024 as recommended in the above
link.
The Security Management Suite Login page appears.
2 In the Username and Password fields, type the username and password that were assigned to you by your
AFA administrator.
34
3 In the Domain field, either make sure that the field is left blank, or type "management" (case-insensitive).
4 Click Login.
The Home page appears with a list of all the currently defined domains. The toolbar displays
"admin@Management", where admin is your username.
Adding and Editing Management Users

Note: Management users can use their username and password to log in to both the management interface
and to all specific domain interfaces for which they have permissions.
 To add or edit a management user

1 While logged into the management interface, in the toolbar, click your username.
3 Click the Users/Roles tab.
The Users/Roles tab appears.

 To add a new user, below the list of users, click New.
 To edit an existing user, click on the Edit icon next to the desired user.
35
New fields appear.
5 Complete the fields using the information in the Management User Fields table below.
If you cleared the Access to all domains check box, a table of domains appears.
6 Select the check boxes next to the domains for which the user should be granted access.
Management User Fields

User details
Username Type a username for the user.
Full name Type the user's full name.
E-Mail Type the user's e-mail address.
Notes Type any notes about the user.
Authentication Select the type of authentication to use for this user:
 Local. Authenticate the user against the local AFA user database.
 Radius. Authenticate the user against a RADIUS server.
36

 LDAP. Select this option to enable user authentication against an LDAP server.
For information on configuring AFA to work with a RADIUS server or an LDAP
server, see Configuring User Authentication (page 259).
Landing Page Select one of the three products, or Automatic. For more information, see Customizing
the Landing Page (page 523).
Password
New password Type a password for the user.
Confirm password Re-type the password you entered in the New password field.
General Permissions
Administrator Select this option to make the user an administrator.
FireFlow Administrator - Select this option to make the user a FireFlow advanced configuration user.
Allow FireFlow Advanced
Configuration
Enable Analysis from file Select this option to allow the user to perform analyses from configuration files.
Enable Trusted Traffic -> Select this option to allow the user to view trusted traffic.
global
Domain Permissions
Access to all domains Select this option to enable the management user to access all domains.
If this option is cleared, you must select the check boxes next to the individual domains
to which the user should be granted access.
E-mail Notifications
Changes in risks Select this option to specify that the AFA system should send notifications to the user
when there are changes in risks.
Changes in policy Select this option to specify that the AFA system should send notifications to the user
when changes are made to policies.
Every group report Select this option to specify that the AFA system should send notifications to the user
when a group report is generated.
Every report Select this option to specify that the AFA system should send notifications to the user
when a report is generated.
Every configuration change Select this option to specify that the AFA system should send notifications to the user
when configuration changes are made.
Rules and VPN Users about Select this option to specify that the AFA system should send notifications to the user
to expire when device rules and/or VPN users are about to expire.
For information on configuring the number of days before rule or VPN user expiration
that AFA should send a notification, see General/Admin Options (page 325).
Error messages Select this option to specify that the AFA system should send error messages to the
user. These include low disk space and license expiration warnings.
Changes in customization Select this option to specify that the AFA system should send notifications to the user
when customization changes are made. These include notifications about topology,
trusted traffic and risk profile customizations.
37

Hide change details Select this option to omit change details from emails about new reports and from
change alerts, and include only the device name and a link to the AFA Web interface.
Note: It is possible to hide change details globally, for all users. The global setting
overrides individual users' Hide change details setting. See Globally
Hiding/Displaying Change Details (page 502).
Authorized Views and
Actions
Report Select the report pages/information that the user can view. Select Full Report to indicate
that the user can view all report information.
Pages that are not selected will be inaccessible to the user.
Note: A user can only be given access to Configuration and Logs information if they
have access to the Explore Policy page.
Home Views Select the Home page elements that the user can view. Select All Home Views To
indicate that the user can view all Home page elements.
Reporting Tool Select this option to allow the user to access the Reporting Tool.
Note: Non-administration users that open the Reporting Tool will only see data relevant
to the user's allowed firewalls and domains.
Actions Select the actions that the user can perform in AFA. Select All Actions to indicate that
the user can perform all actions.
Controls used to perform actions that are not selected will be disabled.
Adding and Editing Management Roles

In order to enable quick and easy configuration of management users' permissions, you can define
management roles. Each role represents a set of permissions and access levels, and when a user is assigned a
role, the user is automatically granted the permissions specified by the role.
Roles enable you to manage multiple users more efficiently, since any changes to a role's permissions are
automatically applied to all users with that role.
 To add or edit a management user role
1 While logged into the management interface, in the toolbar, click your username.
38

 To add a new role, in the second table, below the list of user roles, click New.
 To edit an existing role, click on the Edit icon next to the desired role.
39
New fields appear.
5 Complete the fields using the information in the Management User Role Fields table below.
40
If you cleared the Access to all domains check box, a table of domains appears.
6 Select the check boxes next to the domains for which the user should be granted access.
Management User Role Fields

Role details
Role name Type a name for the role.
Role description Type a description of the role.
Role LDAP DN Type the DN of the LDAP group that corresponds to this role.
When users who are members of this LDAP group log in, they will automatically be
granted this role.
For example:
"cn=network_users,ou=organization,o=mycompany,c=us"
General Permissions
FireFlow Administrator - Select this option to make the user a FireFlow advanced configuration user.
Allow FireFlow Advanced
Configuration
global
Domain Permissions
Access to all domains Select this option to enable the management user to access all domains.
If this option is cleared, you must select the check boxes next to the individual domains
to which the user should be granted access.
Actions
41

Adding and Editing Domains

 To add or edit a domain
The Domains tab appears, displaying a list of domains.
When the AFA Provider Edition license enables analyses per device, more fields appear than when the
license enables analyses per report.
4 If the AFA Provider Edition license enables analyses per report, do the following:
a) Do one of the following:
 To add a new domain, click New.
 To edit an existing domain, select the desired domain in the list, then click Edit.
42
The Add New Domain/Edit Domain dialog box appears.
b) In the Name field, type a name for the domain.

This field is disabled when editing a domain.
c) In the Description field, type a description of the domain.
d) Click OK.
The domain is created/edited.
5 If the AFA Provider Edition license enables analyses per device, do the following:
a) Do one of the following:
 To add a new domain, click New.
 To edit an existing domain, select the desired domain in the list, then click Edit.
The Add New Domain/Edit Domain dialog box appears.
b) Complete the fields using the table below.

Name Type a name for the domain.
This field is disabled when editing a domain.
Description Type a description of the domain.
43

Number of Type the maximum number of firewall analyses you want to allocate to this
firewalls domain.
This value must be greater than the currently used number of firewalls for the
domain (if this is a new domain, this field has no minimum value), and must be
less than the number of firewall analyses still available on the AFA Provider
Edition license.
Note: If your license is from version 6.5 or below, even if you are running a
newer version, this field is called Number of devices, and it includes both
firewalls and routers.
Number of routers Type the maximum number of router analyses you want to allocate to this
domain.
Note: Only Cisco IOS and Cisco Nexus are identified as routers. All other
devices must be included in the firewall quota.
This value must greater than the currently used number of routers for the domain
(if this is a new domain, this field has no minimum value), and must be less than
the number of router analyses still available on the AFA Provider Edition license.
Note: If your license is from version 6.5 or below, even if you are running a
newer version, this field is combined with the field above.
Expiration Date Select an expiration date for this domain's license.
This date must be before the AFA Provider Edition license expires.
Modules Select the modules you want to enable for the domain.
Modules that are not available on the AFA Provider license are disabled.
Note: Global modules (FireFlow and BusinessFlow) cannot be
activated/inactivated per domain. These modules appear checked or unchecked,
but cannot be modified.
c) Click OK.
The domain is created/edited.
Deleting Management Users and Roles
 To delete a management user or role

4 Select the check box next to the desired user or role.
5 Click Delete.
6 Click OK.
The user or role is deleted.
44
Deleting Domains
Important: This will delete all the devices, users, and reports defined in the domain. This action cannot be
undone!
Note: You cannot delete the domain1 domain.
 To delete a domain
The Domains tab appears, displaying a list of domains.
4 Select the desired domain in the list.
5 Click Delete.
6 Click OK.
The domain is deleted.
Distributed Architecture Overview

Two types of distributed architectures are supported by AFA: Load Distribution and Geographic
Distribution.
 Load Distribution Architecture
Each device analysis (whether started manually or scheduled) and query is assigned to and processed by
a specific slave appliance. The slave appliances run the required device analysis and query jobs in
parallel and send the results to the master appliance.
Notes:
- The maximum number of concurrently running analyses and queries is equal to the total number of
CPU cores on all of the slaves together. You can view the status of each analysis, and which slave it is
running on, in the Status page of the master's AFA Web interface.
- When distributed processing is enabled, the master appliance will automatically be added a slave, with
half its cores used to run analyses and queries. For example, if the master appliance is an AlgoSec 1080
Hardware Appliance (which has eight cores), four cores will be used for running analyses and queries.
- You can define an unlimited number of slave appliances.
- All reports are stored on the master appliance only. Slaves do not store data, (other than temporary files
created during the analysis itself, which are periodically deleted).
- You can access the AFA Web interface through the master appliance only.
 Geographic Distribution Architecture
45
At each geographical location, a remote agent AlgoSec appliance manages and collects data from the
local devices. The remote agents send all device data to a single central manager, AlgoSec appliance.
The central manager manages the remote agents and can itself act as a remote agent for devices.
In addition, AFA supports HA clusters of remote agents. Upon failover, the master will still connect to
the currently active node.
Notes:
- Two devices that are managed by different remote agents cannot have the same name.
- All reports are stored on the central manager appliance only. Remote agents do not store data, (other
than temporary files created during the analysis itself, which are periodically deleted).
- You can access the AFA Web interface through the central manager appliance only.
Setting Up a Load Distribution Architecture

Note: Load distribution also applies to Virtual Machines but no special configuration is required.
Note: If you are upgrading to a major version (for example from 6.5 to 6.6), there will be a short
disconnection downtime until master and slaves are upgraded to the same major version. This is due to the
version compatibility test performed upon connection between master and slaves.
 To set up a Load Distribution system

1 Install AFA on each of the AlgoSec appliances (master and slaves).
You must install the same AFA build on all of the appliances.
You must use the same Linux user to install AFA on all of the appliances. The default user is "afa".
Note: If you want to use an appliance that was installed with AFA previously, the appliance must be
clean, that is, it should have no reports on it. If reports were generated on the appliance, you must reset it
to default settings before adding it as a slave, and then update the AFA build. For information on
resetting an appliance to default settings, refer to the AlgoSec Hardware Appliance User Guide.
See Installation (page 16).
2 From the AlgoSec appliance chosen to be the master, log in to AFA.
3 Enable distributed processing.
See Enabling Distributed Processing (page 47).
4 Add a distribution slave for each slave appliance.
See Adding and Editing Distribution Slaves (page 48).
5 Run Distributed Architecture Configuration on the master appliance's interface.
This is done via the AlgoSec Hardware Appliance administration interface. For instructions, refer to the
AlgoSec Hardware Appliance User Guide, Configuring a Load Distribution Architecture.
Setting Up a Geographic Distribution Architecture

 To set up a Geographic Distribution system
1 Install AFA on each of the AlgoSec appliances (central manager and remote agents).
46
You must install the same AFA build on all of the appliances.
You must use the same Linux user to install AFA on all of the appliances. The default user is "afa".
Note: If you want to use an appliance that was installed with AFA previously, the appliance must be
clean, that is, it should have no reports on it. If reports were generated on the appliance, you must reset it
to default settings before adding it as a remote agent, and then update the AFA build. For information on
resetting an appliance to default settings, refer to the AlgoSec Hardware Appliance User Guide.
See Installation (page 16).
2 From the AlgoSec appliance chosen to be the central manager, log in to AFA.
3 Enable distributed processing.
4 Add a remote agent, or HA cluster of remote agents for each remote agent appliance.
See Adding and Editing Remote Agents (page 50).
Enabling Distributed Processing

 To enable distributed processing
3 Click the Architecture tab.
47
The Distributed Architecture Management tab appears.
4 Click Enable Distributed Architecture.

5 Click OK.
The master appliance is automatically added as a slave.
Adding and Editing Distribution Slaves

 To add or edit a distribution slave
The Distributed Architecture Management page appears.
4 In the Load Distribution area, do one of the following:

 To add a new slave, click New.
 To edit an existing slave, click on the desired slave's row, then click Edit.
48
The Add New Slave/Edit Slave dialog box appears.
5 Complete the fields using the information in the following table.

6 Click OK.
If you added a new slave machine, AFA attempts to connect to it. The Connect column indicates
whether the connection attempt succeeded (green), failed (red), or is in progress (gray).
Note: After adding the first slave, the number of CPU cores used by the master appliance for running
analyses will be reduced by half.
Add New Slave Fields

Name Type a name for the slave.
When editing a slave, this field is read-only.
IP Address Type the slave appliance's IP address.
When editing a slave, this field is read-only.
Linux User Type the username of the Linux user you used when installing AFA on the slave.
This field only appears when adding a new slave. It is read-only.
Linux Password Type the password of the Linux user you used when installing AFA on the slave.
This field only appears when adding a new slave.
Notes Type notes about the slave.
Enabled Select this option to enable the slave.
49
Adding and Editing Remote Agents

When adding an HA cluster of remote agents to AFA, first do the following:
 Verify both machines have been reset to factory defaults
 Build an HA cluster from two AFA machines.
 To add or edit a remote agent or HA cluster of remote agents
The Distributed Architecture Management tab appears.
4 In the Geographic Distribution area, do one of the following:
 To add a new remote agent, click New.
 To edit an existing remote agent, click on the desired remote agent's row, then click Edit.
The Add New Remote Agent / Edit Remote Agent dialog box appears.

6 Click OK.
If you added a new remote agent machine, AFA attempts to connect to it. The Connect column indicates
whether the connection attempt succeeded (green), failed (red), or is in progress (gray).
Add New Slave Fields

Name Type a name for the remote agent.
Note: Each remote agent must have a unique name.
When editing a remote agent, this field is read-only.
IP Address Type the remote agent appliance's IP address.
When adding an HA cluster of remote agents, type the clusters virtual IP.
50
Note: Each remote agent must have a unique IP address.

When editing a remote agent, this field is read-only.
Linux User Type the username of the Linux user you used when installing AFA on the remote
agent.
This field only appears when adding a new remote agent. It is read-only.
Linux Password Type the password of the Linux user you used when installing AFA on the remote
agent.
This field only appears when adding a new remote agent.
Notes Type notes about the remote agent.
Enabled Select this option to enable the remote agent.
Deleting Distribution Slaves or Remote Agents

Important: You cannot delete a remote agent that has devices assigned to it. You must first edit the devices
so that they are no longer managed by the remote agent. See Editing Data Collection Definitions (page
223).
 To delete a distribution slave or remote agent

4 Click on the desired slave/remote agent's row.
5 Click Delete.
6 Click OK.
The slave/remote agent is deleted.
If you deleted a remote agent, it reverts to acting as a standalone AFA environment; that is, you can
access the AFA user interface through it and define and analyze devices on it.
Disabling Distributed Processing

Note: Before disabling distributed processing, you must first edit all managed devices, so that they are no
longer managed by a remote agent. See Editing Data Collection Definitions (page 223).
Warning: When distributed processing is disabled, all running and queued analyses are canceled, and all
remote agents and slaves are deleted.
 To disable distributed processing

51
4 Click Disable Distributed Architecture.
5 Click OK.
All AlgoSec appliances that were acting as remote agents revert to acting as standalone AFA
enviornments; that is, you can access the AFA user interface through them and define and analyze
devices on them.
52
CHAPTER 4
Managing Devices in AFA

In This Chapter
Overview ................................................................................................................................................53
Data Collection Methods ........................................................................................................................54
Collecting Data Semi-Automatically .....................................................................................................55
Device Icons ...........................................................................................................................................56
Accessing Devices Setup........................................................................................................................57
Adding Devices ......................................................................................................................................59
Adding Additional Device Identifiers Manually ..................................................................................222
Renaming Devices................................................................................................................................223
Editing Data Collection Definitions .....................................................................................................223
Setting User Permissions ......................................................................................................................223
Deleting Devices ..................................................................................................................................224
Updating the Passwords for Multiple Devices .....................................................................................224
Device User Permission Requirements ................................................................................................227
This section describes how to manage devices in AFA. It describes in detail how to define or edit all the
different devices supported by AFA.
Overview
AFA connects to monitored devices periodically in order to obtain the policy, routing, configuration, and
logs needed for analysis. System administrators need to enter their passwords only once. AFA uses
encrypted SSH, SOAP, REST or OPSEC communication to access the devices (according to the firewall
vendor's available API), and utilizes the advanced, high security 128 bit AES encryption method (Advanced
Encryption Standard) to encrypt any stored passwords. Once the device access credentials are entered and
encrypted, system administrators can collect device data repeatedly without compromising security and
without having to enter passwords every time.
Note: Automatic device data collection requires the AFA machine to be connected to the device's network.
This is the recommended and standard method. If If you need to analyze a device that is in a different
location, or on a network that you are not able to connect to, you must use a script to collect data
semi-automatically or to use a manual data collection method. These 3 methods are specified in this chapter.
Note: The level of support provided for a given device depends on the device's type. See Supported
Products (page 12).
53
AFA Device Types

There are four device types found in AFA:
 Fully supported devices: These are devices for which comprehensive reports are generated, including
risk analysis, policy optimization recommendations, regulatory compliance checks and baseline
configuration compliance checks, and more. The routing of these devices is fully analyzed, placed in the
network map and considered in traffic simulation queries. The policies of these devices is analyzed and
simulated to provide accurate and full results, as to whether traffic is allowed or not. Some of these
devices also support ActiveChange capabilities, allowing AlgoSec FireFlow to push changes directly to
these devices.
 Monitoring and Routing (AEF) devices: These are devices for which AFA provides change monitoring,
routing simulation and baseline configuration compliance. The routing of these devices is collected via
SNMP or SSH and they are placed in the the map in the same way as Routing Elements. In addition,
their configurations will be monitored for changes and reports can be generated for them, to include
baseline configuration compliance analysis. Some AEF devices are added to the map with some
additional advanced routing support.
In version 6.8 this is HP H3C and Cisco ACE devices, for which support was added to their VRF
(Cisco)/VPN (HP) configurations.
 Routing Elements: These are devices whose sole purpose is to appear in the network map and connect
previously-disconnected segments in it. Any device that provides routes via SNMP can be added as a
Routing Element. Routing Elements are shown in Traffic Simulation and Routing Query results, but will
not have change monitoring, and reports will not be generated for them.
Note: AlgoSec recommends to not add any device which has a non-standard routing deployment (i.e., in
addition to the standard RFC1213), such as Cisco Routers as routing elements, since their SNMP
response does not include crucial information, mainly concerning VRF instances.
 Monitoring-Only devices: These are devices for which AlgoSec provides only change monitoring
(including change e-mail notifications). These devices will not appear in the network map and will not
be returned in Query Results. Also, these devices will not have reports generated for them.
Data Collection Methods

The standard and easiest method of data collection is by automatically collecting device data via the AFA
GUI, as described in Managing Devices in AFA (page 53). However, this method requires the AFA
machine to be connected to the device's network. In some cases you may need to analyze a device that is in
a different location, or on a network that you are not able to connect to. In these situations, you (or your
colleagues) can collect the device data from the device's command line into a file or archive, bring the
collected data to your AFA machine, and produce the report from the collected data.
The preferred method for data collection from remote or inaccessible devices depends on the type of device
and platform:
 For Check Point devices on all platforms, the preferred data collection method is to use the scripts
provided by AlgoSec to collect data semi-automatically, as described in this section. A less desirable
alternative is to follow the manual file collection procedures (see Collecting Data Manually (page
105)).
54
Chapter 4 Managing Devices in AFA
 For Cisco IOS Router, there are no manual procedures; you are required to use the scripts provided by
AlgoSec to collect data semi-automatically, as described in this section.
For Check Point FireWall-1 devices running on Windows or on the
Sun/Nokia/SecurePlatform/Alteon/Linux platforms, the device data you collect and forward to AFA for
analysis includes components of the Check Point file structure, and the filter module's routing table.
Once you have collected the device data, you will have an archive file with one of the following extensions:
 zip (Check Point FireWall-1 on Windows)
 tar (Check Point FireWall-1 on Sun/Nokia/SecurePlatform/Alteon/Linux)
 pix (Cisco PIX)
 rd (Cisco IOS Router)
 nsc (Juniper Netscreen)
Note: For information about prerequisites to data collection, see
https://portal.algosec.com/en/evaluation/guides_n_requirements/afa_data_collection
(http://www.portal.algosec.com/en/evaluation/guides_n_requirements/afa_data_collection).
Collecting Data Semi-Automatically
Preparations for Data Collection

Accessing Scripts
AlgoSec provides batch files and scripts to automate the device data collection process. You can obtain
these scripts by completing the procedure below.
Note: All of the scripts are non-destructive and safe to use. They use simple file copy and directory creation
commands. You can inspect the scripts, by opening the files that contain them.
Important: If you copy the FireWall-1 Unix data collection script (ckp_collect) from a Windows PC to
the Sun/Nokia/SecurePlatform/Alteon/Linux platform, you must make sure that any carriage returns (^M)
added by the Windows system are removed after the script is put on the target platform.
 To access scripts
1 Open a Web browser and navigate to the following URL:
https://portal.algosec.com/en/evaluation/guides_n_requirements/afa_semi_automatic_data_collection.
2 Log in using your AlgoSec Portal credentials.
All the scripts for each supported platform are listed.
3 Follow the instructions on the Web page to download and run the scripts.
55
Extracting Scripts
If you receive the AlgoSec scripts for FireWall-1 on Sun/Nokia/SecurePlatform/Alteon/Linux platforms as
a compressed file called ckp_collect.Z, you need to uncompress the file as follows:
 To extract the script
1 Copy the file ckp_collect.Z to the Check Point SmartCenter server (running Sun Solaris,
SecurePlatform or Linux).
 For Sun platforms enter the following command:
uncompress ckp_collect.Z
 For Linux/SecurePlatform enter the following command:
gunzip ckp_collect.Z
The uncompressed files ckp_collect and ckp_log_collect are created. The compressed file
ckp_collect.Z is deleted.
This produces the AlgoSec scripts in a format that is suitable for running.
Device Icons
Each device type is represented by an icon which signifies the device's brand or the device's function in
AFA.
Device Icons
Icon Description
Cisco PIX/ASA/FWSM, ACE/ACI, IOS Router, or Nexus Router device or security
context
Check Point Provider-1, Security Management (SmartCenter), or CMA device
Juniper NetScreen, NSM, SRX, Space, M/E Router, Juniper (non-M/E) router, or
Juniper Secure Access (SSL VPN) device
Fortinet FortiGate or FortiManager device
Blue Coat device
Linux netfilter - iptables device
Microsoft Azure device

Palo Alto Networks Firewall or Panorama device
F5 BIG-IP LTM® device
Forcepoint (McAfee) Security Management Center (formerly known as StoneGate)

or Sidewinder device
Topsec Firewall device
WatchGuard device
56
Icon Description
DELL SonicWALL device
Hillstone Networks device
VMware NSX device
Amazon Web Services (AWS)
Avaya - Routing Switch
Brocade VDX device

H3C device
SECUI MF2 device
Routing Element
Device configuration file
User-defined icons A device that was added using the AlgoSec Extension Framework (AEF). For
information on using the AEF, see Appendix A: Using the AlgoSec Extension
Framework (page 353).
Accessing Devices Setup

You can access the Devices Setup are directly from the main menu, or from the Administration area.
 To access the Devices Setup area from the main menu
1 In the main menu, select Devices, Groups, or Matrices.
The main menu expands, displaying the selected entity.
2 Click .
57
The Devices Setup tab in the Administration area appears.
 To access the Devices Setup area from the Administration area

58
3 Click the Devices Setup tab.
The Devices Setup tab in the Administration area appears.
Adding Devices
This section explains how to define or edit devices in AFA in order to collect data from them. It includes
alternative methods of collecting data as well.
Here is a list of the devices which are described in detail in this section. They can be added to AFA
automatically and in certain cases there are descriptions of how to add them semi-automatically and
manually.
AFA Supported Device List
Device Description Location

Check Point
Check Point Provider-1 Adding a Check Point Provider-1 (page 61), Check Point FireWall-1
Semi-Automatic Data Collection (page 97), Check Point Provider-1 Manual Data
Collection (page 104)
Check Point Adding a Check Point SmartCenter/Gateway (page 71), Check Point SmartCenter
SmartCenter/Gateway Manual Data Collection on Solaris/Nokia/Secure Platform/Linux (page 105),
Check Point SmartCenter Manual Data Collection on Microsoft Windows (page
106)
Check Point CMA Adding a Check Point CMA (page 76)
Cisco
CSM-Managed Cisco Device Adding a CSM-Managed Cisco Device (page 108)
Cisco PIX/ASA/FWSM Adding a Cisco PIX/ASA/FWSM Firewall (page 120), Cisco PIX/ASA/FWSM
Manual Data Collection (page 128)
Cisco IOS Router or Layer-3 Adding a Cisco IOS Router or Layer-3 Switch (page 113), Cisco Routers
Switch Semi-Automatic Data Collection (page 129)
Cisco Nexus Router Adding a Cisco Nexus Router (page 116), Cisco Nexus Router Manual Data
Fortinet
Fortinet FortiManager Adding a Fortinet FortiManager (page 156)
Fortinet FortiGate Adding a Fortinet FortiGate (page 151), Fortinet FortiGate Manual Data
Juniper
Juniper NSM Adding a Juniper NSM (page 168), Configuring a Read-Only NSM User for Data
Juniper Space Adding a Juniper Space (page 163)
59
Device Description Location

Juniper Netscreen Adding a Juniper Netscreen (page 183), Juniper Netscreen Semi-Automatic Data
Collection (page 188), Juniper Netscreen Manual Data Collection (page 189)
Juniper SRX Adding a Juniper SRX (page 178), Juniper SRX Manual Data Collection (page
182)
Juniper M/E Adding a Juniper M/E Router (page 190), Juniper M/E Router Manual Data
Forcepoint (McAfee)
Forcepoint (McAfee) Adding a Forcepoint (McAfee) Sidewinder (page 144), Forcepoint (McAfee)
Sidewinder Sidewinder Manual Data Collection (page 148)
Forcepoint (McAfee) Security Adding a Forcepoint (McAfee) Security Management Center (page 135),
Management Center Configuring the Forcepoint (McAfee) Security Management Center (page 138)
Palo Alto Networks
Palo Alto Networks-Panorama Adding a Palo Alto Networks-Panorama (page 193)
Palo Alto Networks Firewall Adding a Palo Alto Networks Firewall (page 197), Palo Alto Networks Manual
Data Collection (page 200)
Blue Coat
Blue Coat Adding a Blue Coat Device (page 205), Blue Coat SGOS Manual Data Collection
(page 208)
Hillstone Networks
Hillstone Networks Device Adding a Hillstone Networks Device (page 203)
F5 BIG-IP
F5 BIG-IP LTM® Device Adding an F5 BIG-IP Device (page 132)
Amazon Web Services (AWS) Adding an Amazon Web Services (AWS) (page 203)
VMWare
VMWare NSX Distributed Adding a VMWare NSX Distributed Firewall (page 202)
Firewall
Monitoring Devices Adding Monitoring Devices (page 209)
Microsoft Azure
Microsoft Azure AEF Adding a Microsoft Azure AEF (page 212)
Routing Element Adding a Routing Element (page 214)
Analysis from a File Setting Up Analysis from a File (page 216)
Generic Devices Adding Support for Generic Devices to AFA (page 217)
Note: It is possible to import devices from a CSV file. See Appendix B: Importing Users and Devices from
a CSV File (page 374).
Note: You may need to configure device user permissions to enable AFA to collect data from a device. See
Setting User Permissions (page 223).
60
Adding a Check Point Provider-1

Check Point Provider-1 integrates multiple 'firewalled' networks within a single administrative framework
by consolidating multiple SmartCenter Servers, referred to as Customer Management Add-ons (CMAs), on
a single host. AFA provides an analysis of the Filter Module security policy via a secure connection to the
Provider-1 server.
 To collect data from a Check Point Provider-1 device
1 Access the Devices Setup page.
See Accessing Devices Setup (page 57).
2 Click New, and then click Devices.
61
The Select a device type page appears.
3 Choose Check Point - Provider-1.

A message appears informing you that if your logs are stored on external log servers, and you would like
log collection to be done through OPSEC (rather than SSH), you should use the Single CMA wizard to
add the modules, as described in Adding a Check Point CMA (page 76).
4 Click Next.
62
The Check Point - Provider-1 - Step 1/3 page appears.
5 Complete the fields using the information in Check Point Properties Fields (page 67).
 If you choose OPSEC (NGX R60 or above) in the Connect via area, new fields appear.
Continue completing the fields using the information in Check Point Properties Fields (page 67).
63
 If you selected the Enable ActiveChange check box, the ActiveChange License Agreement appears.
Select the I Agree check box and click OK.

6 Click Next.
The Check Point - Provider-1 - Step 2/3 page appears. Different fields appear, depending If you chose to
connect to the device via SSH or OPSEC.

 If you chose to connect to the device via SSH, choose the CMA that manages the devices you wish
to analyze by clicking the relevant row.
 If you chose to connect to the device via OPSEC, type the IP address of the CMA that manages the
devices you wish to analyze.
8 Click Next.
64
The Check Point - Provider-1 - Step 3/3 page appears.
This page lets you choose whether AFA will use the Check Point logs to check for unused rules. This
information is displayed in the Policy Optimization section of the AFA report on optimizing your device
policy. (see Policy Optimization Page - Devices section in the AlgoSec Firewall Analyzer User Guide.
9 To specify that AFA should use the logs created by a device, do the following:
a) In the Add Device column, select the check box next to the device's name.
b) In the Log Analysis column, do one of the following:
 Select None to disable logging.
 Select Standard to enable logging.
 Select Extensive to enable logging and the Intelligent Policy Tuner.
For information on using the Intelligent Policy Tuner, see Refining Rules via the Intelligent Policy
Tuner in the AlgoSec Firewall Analyzer User Guide.
c) Click Settings in the Log Server column.
The Log Server dialog box appears.
d) Select the desired log server from the drop-down list.
65
e) If you selected Other, the Other Log Server dialog box appears.
Type the log server's name in the field, and click OK.
f) To edit SSH definitions:
1. Click Edit SSH definitions.
The Check Point Log Server SSH Setup dialog box appears.
2. Specify whether this log server is part of a Multi-domain log module (MLM/CLM) or a Stand-alone
log server.
3. Complete the fields using the information in Log Server Fields (page 69).
4. Click OK.
g) To test OPSEC connectivity to the defined log server, click Test OPSEC connectivity.
A message informs you whether AFA connected to the log server successfully.
h) Click OK.
10 To enable generation of Baseline Compliance Reports and/or to allow dynamic routing collection for
devices managed by the Check Point Provider-1, do the following:
a) In the Direct access to managed devices area, click Configure.
66
The Direct Access Configuration dialog box appears.
b) Complete the fields using the information in Baseline Configuration Compliance Fields (page 70).
c) Click OK.
11 Complete the remaining fields using the information in Check Point Options Fields (page 70).
12 Click Finish.
The new Check Point Provider-1 device is added to the device tree.
13 If you selected Set user permissions, then the Edit users dialog box appears.
a) Set which users will have access to the reports produced by the device, by doing the following:
1. Select the users to have access.
To select multiple users, hold down the Ctrl key while clicking on the desired users.
2. Click OK.
b) Click OK.
Check Point Properties Fields

Access Information
Host Type the host name or IP address of the device.
R80 or higher Select this option for versions R80 or higher.
67

Connect via Specify how AFA should connect to the device, by choosing one of the following:
 SSH: Connect via SSH (Secure Shell protocol). You must complete the fields in
the SSH Setup and Routing Table Collection areas. This option is not relevant
when adding a Check Point CMA.
 OPSEC (NGX R60 or higher): Connect via OPSEC.
When configuring a SmartCenter on Microsoft Windows, only OPSEC is supported.
Note: For Windows environments, you must choose OPSEC.
Tip: You can configure AFA to use SSH with Public-Key authentication when it
connects to the device. To do so, follow the procedure Administration Options
Settings (page 324), and configure the Use public key authentication in data collection
field as described in General/Admin Options (page 325).
User Name and Password To ensure Management API Settings of the R80 device are configured to accept API
calls from the IP address of the AlgoSec appliance, type user name and password of
Management API Settings.
These fields only appear if you selected R80 or higher.
High Availability Select this option to configure High Availability for CMAs.
Important: AFA connects to the HA cluster using the active IP address, not the virtual
IP address. You must configure access rules for each device in the cluster to allow this
traffic.
This field only appears if you selected OPSEC in the Connect via area. It is not relevant
for Check Point Provider-1.
Secondary Security Type the secondary CMA.
Management (SmartCenter) This field only appears if you selected OPSEC in the Connect via area. It is not relevant
for Check Point Provider-1.
Geographic Distribution
Device managed by Select the remote agent that should perform data collection for the device.
To specify that the device is managed locally, select Central Manager.
This field is relevant when a Geographic Distribution architecture is configured. See
Enabling Distributed Processing (page 47).
SSH Setup This area only appears if you selected SSH in the Connect via area.
User Name Type the user name to use for SSH access to the device.
Password Type the password to use for SSH access to the device.
SecurePlatform Choose this option to specify that the device is installed on a Check Point
SecurePlatform operating system.
You must complete the Expert Password field.
Expert Password Type the expert password, which allows access to all the functions on the SmartCenter
server required for this process.
Solaris / RedHat Linux Choose this option to specify that the device is installed on a Solaris or RedHat Linux
operating system.
68

User credentials above are for Select this option to specify that the user name and password entered in the User Name
root user and Password fields are the credentials for the Solaris root user.
If you clear this option, you must complete the Root Password field.
Root Password Type the root password for Solaris.
Microsoft Windows Choose this option to specify that the device is installed on a Solaris operating system.
This field is only relevant for Check Point SmartCenter.
Log Collection Choose the log collection method to use.
If you choose SSH, you must enable AFA to analyze application control traffic logs,
as described in Enabling AFA to Process Check Point Application Control Traffic
Logs (page 80). If you do not perform this step, then information related to application
control traffic will not appear in the device report's Policy Optimization page.
This area only appears if you selected OPSEC in the Connect via area.
OPSEC Setup This area enables you to specify which certificate to use for OPSEC access to the
Provider-1 / SmartCenter server. See Specifying a Certificate for OPSEC Access to
the Check Point Device (page 82) for instructions.
This area only appears if you selected OPSEC in the Connect via area.
ActiveChange This area only appears if you selected OPSEC in the Connect via area.
Enable ActiveChange Select this option to enable ActiveChange for the device.
Note: This option is unavailable for version R80 or higher.
For information about using ActiveChange, see Working with ActiveChange in the
AlgoSec Firewall Analyzer User Guide.
C
Log Server Fields
Host (MLM) Type the host name or IP address of the log server.
Username Type the user name to use for SSH access to the log server.
Password Type the password to use for SSH access to the log server.
Secure Platform Choose this option to specify that the log server is installed on a Check Point
SecurePlatform operating system.
You must complete the Expert Password field.
Expert Password Type the expert password, which allows access to all the functions on the log server
required for this process.
Solaris Choose this option to specify that the log server is installed on a Solaris operating
system.
User credentials above are for Select this option to specify that the user name and password entered in the
root user Username and Password fields are the credentials for the Solaris root user.
If you clear this option, you must complete the Root Password field.
Root Password If you use a username other than "root" for accessing the Solaris OS, type the root
69
password for Solaris.

If you do use "root" as the username, leave this field empty.
Test Connectivity Click this button to test connectivity to the defined log server.
Baseline Configuration Compliance Fields

Baseline Profile Select the baseline compliance profile to use.
The drop-down list includes all baseline compliance profiles in the system. For more
information on baseline compliance profiles and instructions for adding new baseline
compliance profiles, see Appendix E: Using Baseline Configuration Compliance
Profiles (page 504).
To disable Baseline Compliance Report generation for this device, select None.
The remaining columns are enabled, and must be completed.
Host IP Type the IP address of the device.
Platform Select the device's platform.

This field only appears for Check Point management devices.
Extra Password Type the password to use for running OS commands on the device.
Test Connectivity Click this button to test SSH connectivity to the defined device.
A message informs you whether AFA connected to the device successfully.
Check Point Options Fields

Real-time alerting upon Select this option to enable real-time alerting upon configuration changes. For more
configuration change information, see Activating Real-Time Monitoring (page 256).
Set user permissions Select this option to set user permissions for this device.
Collect audit logs from Select this option to collect audit logs from a CLM.
CLM Note: When this option is enabled, all modules must be configured to collect logs from
the same CLM.
Log collection frequency Type the interval of time in minutes, at which AFA should collect logs for the Check
Point device.
The default value is 10 minutes.
70
Adding a Check Point SmartCenter/Gateway

Check Point products are based on a distributed architecture, where a typical Check Point deployment is
composed of a Filter Module or device and the SmartCenter Server. There are different ways to deploy these
components:
A standalone deployment is the simplest deployment where the SmartCenter Server and the Filter Module
are installed on the same machine. A distributed deployment is a more complex deployment where the Filter
Module and the SmartCenter Server are deployed on different machines. AFA provides an analysis of the
Filter Module's security policy via a secure connection to the SmartCenter server.
 To collect data from a Check Point SmartCenter/Gateway
3 Select Check Point - Security Management (SmartCenter).
4 Click Next.
The Check Point - SmartCenter/Gateway - Step 1/2 page appears.
71
 If you choose OPSEC (NGX R60 or higher) in the Connect via area, new fields appear.
Continue completing the fields using the information in Check Point Properties Fields (page 67).
 If you selected the Enable ActiveChange check box, the ActiveChange License Agreement dialog box
appears.
72
 If you select Microsoft Windows in the SSH Setup area, a pop-up message informs you that you
must choose OPSEC in the Connect via area, if you want to automate data collection from a
Microsoft Windows Security Management device.
Click OK.
6 Click Next.
The Check Point - SmartCenter/Gateway - Step 2/2 page appears.
information is displayed in the Policy Optimization section of the AFA report (see Policy Optimization
Page-Devices in the AlgoSec Firewall Analyzer User Guide).
73

If you selected Other, the Other Log Server dialog box appears.
e) To edit SSH definitions:
74
2. Specify whether this log server is part of a Multi-domain log module (MLM/CLM) or a Stand-alone
log server.
4. Click OK.
f) To test OPSEC connectivity to the defined log server, click Test OPSEC connectivity.
g) Click OK.
8 To enable generation of Baseline Compliance Reports and/or to allow dynamic routing collection for
devices managed by the Check Point SmartCenter, do the following:
c) Click OK.
10 Click Finish.
The new Check Point SmartCenter/Gateway device is added to the device tree.
2. Click OK.
b) Click OK.
75
Adding a Check Point CMA

You can add single Customer Management Add-ons (CMAs) using the following procedure.
Note: You can add multiple CMAs at once, by adding a Check Point Provider-1. See Adding a Check Point
Provider-1 (page 61).
 To collect data from a Check Point CMA

3 Choose Check Point - Single CMA.
4 Click Next.
The Check Point - Single CMA - Step 1/2 page appears.
76
If you selected the Enable ActiveChange check box, the ActiveChange License Agreement dialog box
appears.

6 Click Next.
The Check Point - Single CMA - Step 2/2 page appears.
information is displayed in the Policy Optimization section of the AFA report (see Policy Optimization
Page-Devices in the AlgoSec Firewall Analyzer User Guide).
77

If you selected Other, the Other Log Server dialog box appears.
e) To edit SSH definitions:
78

2. Specify whether this log server is part of a Multi domain log module (MLM) or a Stand-Alone Log
server.
4. Click OK.
f) To test OPSEC connectivity to the defined log server, click Test OPSEC connectivity.
g) Click OK.
8 To enable generation of Baseline Compliance Reports and/or allow dynamic routing collection for
devices managed by the Check Point CMA, do the following:
a) In the Baseline Configuration Compliance area, click Configure.
The Baseline Configuration dialog box appears.
c) Click OK.
79
10 Click Finish.
The new Check Point CMA device is added to the device tree.
2. Click OK.
b) Click OK.
Enabling Data Collection for Check Point Devices

In order for AFA to collect data from a Check Point device, you must configure certain settings on the
device itself, depending on the method used to collect data from the device. AFA collects data from Check
Point devices using either SSH or OPSEC, and for Check Point versions R80 and higher, AFA additionally
uses REST.
 To enable data collection via SSH, see Enabling AFA to Process Check Point Application Control
Traffic Logs (page 80).
 To enable data collection via OPSEC, see Specifying a Certificate for OPSEC Access to the Check
Point Device (page 82).
 To enable data collection via REST, see Enabling REST Calls to the Security Management Server
(page 96).
Enabling AFA to Process Check Point Application Control Traffic Logs

AFA can be configured to collect logs from a Check Point device via SSH, but special configuration is
required. Application control traffic logs include the app_rule_id field, and this field is masked by default
for the SSH log collection user that is specified when adding the device to AFA. As a result, AFA cannot
process application control logs that are collected via SSH, nor use them to generate information for the
Application Control Rules Cleanup area of the device report's Policy Optimization page.
In order to enable AFA to process application control traffic logs, you must modify permissions for the
app_rule_id field on the Check Point device, as described in the following procedure.
Note: This procedure is required only when AFA is configured to collect logs via SSH.
Note: For Check Point versions R80 and higher, AFA collects data via both SSH/OPSEC and REST. To
enable REST calls, see Enabling REST Calls to the Security Management Server (page 96).
 To enable AFA to process Check Point application control traffic logs

1 Run GuiDBedit.exe, and connect to the Check Point device's management station.
80
The management station is typically located at C:\Program Files

(x86)\CheckPoint\SmartConsole\RXX\PROGRAM
where RXX is the version number.
2 In the left pane, navigate to Other > log_fields.
3 In the right pane, click on app_rule_id.
The bottom pane displays the fields that are displayed for app_rule_id.
4 In the bottom pane, double-click on the permissions field.
81
The Edit dialog box appears.
5 In the Value field, change the value from 2 to 0.

6 Click OK.
7 Save your changes and exit the program.
8 If the device sends its traffic logs to a log server other than the management station (for example, a CLM
or external log server), do the following:
a) Connect to the Check Point device's management station via SmartDashboard.
b) Re-install the Check Point database on the log server, by selecting Policy and then Install Database
from the main menu.
c) Exit the program.
Specifying a Certificate for OPSEC Access to the Check Point Device

If you chose to connect to a Check Point device using OPSEC, you must specify a certificate to use for
authentication purposes.
Note: For instructions on creating the certificate, see Creating a Check Point OPSEC Certificate for Check
Point Devices (Versions R77 and Lower) (page 84) or Creating a Check Point OPSEC Certificate for
Check Point Devices (Versions R80 and Higher) (page 90).
The following procedure is performed in the Check Point - Provider-1 - Step 1/3 or Check Point - SmartCenter
or CMA - Step 1/2 page after selecting OPSEC as the connection method.
 To specify an OPSEC certificate
1 In the OPSEC Setup area, click Certificate.
82
The Retrieve a new OPSEC certificate dialog box appears.
2 Complete the fields using the information in the table below.

3 Click OK to retrieve the certificate from the Check Point SmartCenter, CMA or Provider-1 server.
Once the certificate is installed, a confirmation window appears.
4 Click OK.
The OPSEC Setup area displays the certificate date and time of creation.
Certificate Retrieval Fields

OPSEC Application Name Type the OPSEC application name, as specified in the OPSEC certificate.
The default value is "AlgoSec".
One Time Password Type the one-time password, as specified in the OPSEC certificate.
Advanced Click to display advanced fields.
The CPMI Authorization Type, CPMI Port, LEA Authorization Type, and LEA Port fields
appear.
CPMI Authorization Type Select the CPMI authorization type.
CPMI Port Type the CPMI port number.
The default value is 18190.
LEA Authorization Type Select the LEA authorization type.
LEA Port Type the LEA port number.
83
Creating a Check Point OPSEC Certificate for Check Point Devices (Versions R77 and Lower)
In order to collect the policy and routing table from a Check Point FireWall-1 module, AFA can use the
OPSEC (Open Platform for Security) API. In order for this to happen a certificate needs to be created for
authentication and security purposes. The certificate is created on the SmartCenter server, using Check
Point's SmartDashboard utility, or on the Provider-1 server, using Check Point's Global SmartDashboard
utility.
 To create a Check Point OPSEC certificate
1 Create a network object for the host, by doing the following:
Note: If a network object for the host running AFA is already defined, you can skip this step.
a) In the main SmartDashboard menu panel select Manage and then Network Objects.
84
b) Click New, select Node and then Host.
c) In the Host Node dialog box, enter the Name and IP Address of the host that will run AFA.
d) Click OK.
2 Create an OPSEC application object for this network object, by doing the following:
Note: If an OPSEC application object is already defined, you can skip this step.
85
a) In the SmartDashboard main menu, select Manage and then Servers and OPSEC Applications.
b) In the Servers and OPSEC Applications dialog box, click New and select OPSEC Application.
c) In the OPSEC Application Properties dialog box, enter the OPSEC application name, select the Host
object that will run AFA, and select the CPMI and LEA check boxes.
The LEA Permissions and CPMI Permissions tabs appear.
86
Important: Take note of the OPSEC application name you specified. You will need to specify this name
in AFA, when retrieving a certificate.
d) In the CPMI Permissions tab, choose Permissions Profile (do not use Administrator's credentials).
87
e) For CheckPoint version R76 or above, in the LEA Permissions tab, select Show all log fields.
f) Do one of the following:

 Select the desired permissions profile in the list.
 Create a new permission profile, by doing the following:
88
1. Click New.
2. In the Permissions Profile Properties dialog box's General tab, enter any Name for the
permission set.
3. In the Permissions tab, select permissions.

Important: The minimal permissions required are Read Only All access for the Objects Databases and
Check Point Users Database. However, in order to enable using ActiveChange with the Check Point
device, the permissions required are Read/Write All access for the Objects Databases and Check
Point Users Database. For information on ActiveChange, see Working with ActiveChange in the
89
4. Click OK.
The OPSEC Application Properties dialog box reappears.
g) Click the General tab.
It now contains additional buttons.
3 Create the certificate, by doing the following:
a) Click Communication.
The Communication dialog box appears.
b) In the Activation Key and Confirm Activation Key fields, type a one-time password (any string is
acceptable).
Important: Take note of the key. You will need to type the same one-time password in AFA, in order
to retrieve the certificate.
c) Click Initialize.
The Trust state will change from "Uninitialized" to "Initialized but trust not established." After the
certificate is retrieved by AFA, the trust state will change to "Trusted".
A new certificate can be created by pressing Reset and repeating the previous step.
4 Reinstall the Check Point database on all existing log servers (CLMs or external log servers), by
clicking Save, and then selecting Policy and Install Database from the main menu.
Creating a Check Point OPSEC Certificate for Check Point Devices (Versions R80 and Higher)
In order to collect the policy and routing table from a Check Point FireWall-1 module, AFA can use the
OPSEC (Open Platform for Security) API. In order for this to happen, a certificate needs to be created for
authentication and security purposes. The certificate is created on the SmartCenter server, using Check
Point's SmartDashboard utility, or on the Provider-1 server, using Check Point's Global SmartDashboard
utility.
 To create a Check Point OPSEC certificate
1 Create a network object for the host that will run AFA, by doing the following:
Note: If a network object for the host is already defined, you can skip this step.
a) In the right pane click the New button.
90
b) Select Host.
c) In the New Host dialog box, enter the Name and IP Address of the host that will run AFA.
d) Click OK.
2 Create an OPSEC application object for this network object, by doing the following:
Note: If an OPSEC application object is already defined, you can skip this step.
a) Click the icon at the top left of the screen.
91
b) Select New object > More object types > Server > OPSEC Application > New Application.
c) The OPSEC Application Properties dialog box appears.
d) Do the following:
1. Enter the OPSEC application name.
2. Select the host that will run AFA.
3. Select the LEA and CPMI check boxes.
The LEA Permissions and CPMI Permissions tabs appear.
Important: Take note of the OPSEC application name you specified. You will need to specify this
name in AFA, when retrieving a certificate.
92
e) In the CPMI Permissions tab, select a Permissions Profile (do not use Administrator's credentials).
f) In the LEA Permissions tab, select Show all log fields.
g) Create a new permission profile, by doing the following:

Note: If a profile already exists, you can select it in the Permissions Profile list and skip this step.
93
1. Click New.
2. In the Permissions Profile Properties dialog box's General tab, enter any name for the permission
set.
3. In the Permissions tab, select permissions.

Important: The minimal permissions required are Read Only All access for the Objects Databases and
Check Point Users Database. However, in order to enable using ActiveChange with the Check Point
device, the permissions required are Read/Write All access for the Objects Databases and Check Point
Users Database. For information on ActiveChange, see Working with ActiveChange in the AlgoSec
Firewall Analyzer User Guide.
94
4. Click OK.
The OPSEC Application Properties dialog box reappears.
h) Click the General tab.
It now contains additional buttons.
3 Create the certificate by doing the following:
a) Click Communication.
The Communication dialog box appears.
b) In the Activation Key and Confirm Activation Key fields, type a one-time password (any string is
acceptable).
Important: Take note of the key. You will need to type the same one-time password in AFA, in order
to retrieve the certificate.
c) Click Initialize.
The Trust state will change from "Uninitialized" to "Initialized but trust not established." After the
certificate is retrieved by AFA, the trust state will change to "Trusted".
A new certificate can be created by pressing Reset and repeating the previous step.
4 Reinstall the Check Point database on all existing log servers (CLMs or external log servers), by doing
the following:
a) Click the Publish button at the top of the screen.
b) Click the icon at the top left of the screen.
95
c) Select Install database.
Enabling REST Calls to the Security Management Server

 To enable REST calls to the Security Management Server
1 Open a SmartConsole.
2 In the left pane, navigate to Manage & Settings > Blades > Management API > Advanced Settings.
The Management API Settings window appears.
96
3 To automatically start the API server at Security Management Server startup, select the Automatic Start
check box.
4 Select which IP addresses from which the API server accepts requests:
 All IP addresses that can be used for GUI clients. API server will accept scripts and web service
requests from the same devices that are allowed access to the Security Management Server. Make
sure the AFA server is in this list.
 All IP addresses. The API server will accept scripts and web-service requests from any device.
5 Click OK.
The Management API restart message appears.
6 Click OK and do the following:

a) In the top toolbar, click Publish.
b) In the Management Check Point Server CLI, run the api restart command.
7 Exit the program.
Check Point FireWall-1 Semi-Automatic Data Collection

You can collect FireWall-1 device data using the AlgoSec data collection script ckp_collect, and then
use the collected data to generate device reports. Such reports contain all of the information described in
Device Report Pages (see the AlgoSec Firewall Analyzer User Guide), except for optimization information
that is based on log analysis, such as Unused/Most used/Least used rules, Rule reordering optimization,
Unused objects, and Unused objects within rules.
On Sun/Nokia/SecurePlatform/Alteon/Linux platforms, you can generate reports that contain log-based
optimization information as well, by using the ckp_log_collect script to collect device logs.
Sun/Nokia/SecurePlatform/Alteon/Linux Platforms
Check Point FireWall-1 with a Separate SmartCenter Server and Filter Module
The following procedure applies when you have a FireWall-1 SmartCenter server that is separate from the
filter modules.
 To collect Check Point FireWall-1 data
1 Log in to the SmartCenter server as root (or as a user who has read access to the Check Point
configuration files).
2 To collect device logs, do the following:
a) Copy the ckp_log_collect script (which you uncompressed in Extracting Scripts (page 56) to
the log server where the device logs are located.
This can be the SmartCenter server or a CMA.
b) Enter one of the following commands:
ckp_log_collect: Runs the script and prompts you for all fields.
97
ckp_log_collect <profile>: Runs the script and collects logs using the information in the specified
profile. See Using Saved Profiles (page 102).
ckp_log_collect -l: Runs the script, prompts you to select a profile from a list of available profiles,
and then collects logs using the information in the selected profile. See Using Saved Profiles (page
102).
ckp_log_collect -a: Runs the script and calls for automatic data collection from ckp_data_push.
Note: You can view help information for the script, by entering the command ckp_log_collect -h.
The script creates a log archive file containing log extracts.
Note: Log collection can take a while. Please make sure that your timeout variable is large enough.
To set it from the cpshell, enter the command: idle 999
To set it from expert mode, enter the command: export TMOUT=59940
c) If the log server is a CMA, copy the file to the SmartCenter server, to the same location where you
placed the ckp_collect script.
3 Change directory to the location in which you placed the ckp_collect script (which you
uncompressed in Extracting Scripts (page 56), and make it executable by typing:
chmod a+x ckp_collect
4 Enter the following command:
./ckp_collect
Work directory is /tmp/ckp_collect
Enter 'y' if the firewall module you wish to analyze is remote.
Enter 'n' if the local machine is also the firewall module.
Do you wish to analyze a remote firewall?[y]
5 Enter y.
A list of the devices managed from the machine is displayed.
6 At the prompt, select the device number you wish to analyze.
Note: The default is always listed in brackets before the cursor.
A summary of your choices appears.
ckp_collect displays the chosen device to be analyzed.
7 Enter y to continue.
ckp_collect obtains a routing table of the remote filter module using Check Point's 'cpstat' command,
which uses the OPSEC AMON protocol.
8 At the prompt, enter the IP address or DNS name of the remote filter module.
ckp_collect collects the routing table.
You are asked whether you want to save the created profile of your answers for later use. Saving the
profile will let you to store the answers you provided to the script just described. See Using Saved
Profiles (page 102). To save the profile for later use:
a) Enter y.
b) Enter the name of the new profile. (The name of the device is displayed by default.)
The data archive ~/fa-files/ckp-<hostname>-<date>.tar is created. If you collected logs, the
log archive file is added to the data archive file.
9 Copy ~/fa-files/ckp-<hostname>-<date>.tar to the AFA machine.
98
You can now generate reports for the device. See Manually Generating AFA Reports in the AlgoSec
The process describe above should usually run smoothly, however, difficulties may occur due to various
factors such as your device configuration. Below are some possible solutions and workarounds.
 In case the cpstat connection attempt to the remote computer fails, you will be prompted whether you
wish to correct the IP address. If you choose not to correct the IP address, ckp_collect will attempt to
collect the routing table via SSH.
 If the SSH is unable to connect to the remote machine, you will be alerted of the fact and given
instructions on how to manually collect the routing table:
a) A list of commands, based on the OS installed on the remote machine, will be displayed in order to
create a routing table. Select the appropriate command, and follow the instructions.
b) Finish by copying the resulting file to the directory /tmp/ckp_collect on the SmartCenter server
and run ckp_collect again.
 In case you entered the wrong operating system of the remote computer, you will be instructed to login
to the remote device and check the OS with the 'uname' command. You will then be asked to repeat
the data collection process.
Note: The first time connect via SSH to the remote device you may see messages regarding the
authenticity of the remote device host.
Note: You may safely ignore messages about inappropriate "ioctl".
Check Point Provider-1

 To collect the device data
1 Log in to the Provider-1 server.
a) Copy the ckp_log_collect script which you uncompressed in Extracting Scripts (page 56) to the
log server where the device logs are located.
This can be the Provider-1 or a CMA.
 ckp_log_collect -p. Runs the script and prompts you for all fields.
 ckp_log_collect <profile>. Runs the script and collects logs using the information in the
specified profile. See Using Saved Profiles (page 102).
 ckp_log_collect -l. Runs the script, prompts you to select a profile from a list of available
profiles, and then collects logs using the information in the selected profile. See Using Saved
 ckp_log_collect -a. Runs the script and calls for automatic data collection from
ckp_data_push.
 ckp_log_collect -t. Runs the script and prints a line to the screen every 100,000 logs, specifying
the amount of time it took to extract these logs and the average rate of extraction.
99
Note that this rate only reflects the log extraction speed on the log server, and does not take into
account the time it takes to copy the extracted records to the AFA machine.
For example, the script output may appear as follows:
All files from chosen: (1) = 2011-05-01_142143.log
(fwm logexport -i 2011-05-01_142143.log -n -p -z | awk -f fa_cmd.awk >
/dev/tty) >& /dev/null
Processed record: 100000 In 4 seconds Rate: 25000 records/sec
...
c) If the log server is a CMA, copy the file to the Provider-1, to the same location where you placed the
ckp_collect script.
./ckp_collect -p
A list of CMAs (Customer Management Add-ons) appears with their associated IP addresses.
4 Choose the desired CMA by entering its number.
5 Enter y.
A list of the devices managed from the machine is displayed.
6 At the prompt, select the device number you wish to analyze.
7 ckp_collect will display the chosen device to be analyzed. Enter y to continue.
8 ckp_collect will now obtain a routing table of the remote filter module using Check Point's 'cpstat'
command, which uses the OPSEC AMON protocol. At the prompt, enter the IP address or DNS name of
the remote filter module.
9 ckp_collect will collect the routing table.
10 Next, you will be asked to save the created profile of your answers for later use. Saving the profile will
let you to store the answers you provided to the script just described. See Using Saved Profiles (page
102).
a) To save the profile for later, enter y.
Note: The stored profile includes the Provider-1 information.
b) Enter the name of the new profile (e.g., the name of the device is displayed by default).
100
The data archive file ~/fa-files/ckp-<hostname>-<date>.tar is created. If you collected logs,

the log archive file is added to the data archive file.
11 Copy ~/fa-files/ckp-<hostname>-<date>.tar to the AFA machine.
The process described above should usually run smoothly, however, difficulties may occur due to various
factors such as your device configuration. Below are some possible solutions and workarounds.
 In case the cpstat connection attempt to the remote computer fails, you will be prompted whether you
wish to correct the IP address. If you choose not to correct the IP address, ckp_collect attempts to
collect the routing table via SSH.
 If the SSH is unable to connect to the remote machine, you will be alerted of the fact and given
instructions on how to manually collect the routing table:
a) A list of commands, based on the OS installed on the remote machine, will be displayed in order to
create a routing table. Select the appropriate command, and follow the instructions.
b) Finish by copying the resulting file to the directory /tmp/ckp_collect on the Provider-1 server
and run ckp_collect again.
 In case you entered the wrong operating system of the remote computer, you will be instructed to login
to the remote device and check the OS with the 'uname' command. You will then be asked to repeat
the data collection process.
Note: The first time connecting via SSH to the remote device, you may see messages regarding the
authenticity of the remote device host.
Note: You may safely ignore messages about inappropriate "ioctl".
Check Point FireWall-1 with an Integrated Management and Filter Module

1 Log in to the device.
a) Copy the ckp_log_collect script (which you uncompressed in Extracting Scripts (page 56) to
the log server where the device logs are located.
This can be the management server or a CMA.
ckp_log_collect -p. Runs the script and prompts you for all fields.
ckp_log_collect <profile>. Runs the script and collects logs using the information in the specified
ckp_log_collect -l. Runs the script, prompts you to select a profile from a list of available profiles,
102).
ckp_log_collect -a. Runs the script and calls for automatic data collection from ckp_data_push.
101
c) If the log server is a CMA, copy the file to the management server, to the same location where you
placed the ckp_collect script.
ckp_collect
4 Enter n.
A list of policy names appears.
5 Choose the desired policy by entering its number.
6 Confirm your choices if they are correct by selecting y.
7 Next, you will be asked to save the created profile of your answers for later use. Saving the profile will
let you to store the answers you provided to the script just described. See Using Saved Profiles (page
102).
a) To save the profile for later, enter y.
b) Enter the name of the new profile (e.g., the name of the device is displayed by default).
The data archive file ~/fa-files/ckp-hostname-time.tar is created. If you collected logs, the
log archive file is added to the data archive file.
8 Copy ~/fa-files/ckp-hostname-time.tar to the AFA machine.
Using Saved Profiles

Collecting data entails answering questions to a number of questions. Saving a profile of the answers to
these questions allows you to reuse these answers without going through the whole process again.
 Using a saved profile
 To recollect the data using a saved profile, type
./ckp_collect <profile name>
(where profile name is the name of the saved profile). You will be prompted for your SSH password.
The script will use all the stored answers to collect the data (see the details in the previous section about
Check Point FireWall-1) and an archive will be created.
Notes:
1. The saved profiles do not store your SSH password for security reasons.
2. The stored profiles are located in $home/.fa/datacollection.
3. Using this procedure will collect the default policy installed on the device.
102
 Listing saved profiles and choosing a saved profile

1 Type:
./ckp_collect -l
A list of your saved profiles appears and you will be prompted to select a listed profile.
2 Choose a profile by entering its corresponding number.
3 Enter your SSH password.
The process is complete.
Notes: To view online help, type:
./ckp_collect -h
Windows Platform
Note: These procedures apply only if you have a Check Point FireWall-1 whose SmartCenter server runs on
Windows. If your Windows computer is used only to run the graphical management client (SmartConsole),
the Windows computer is probably not your SmartCenter server. In particular, if you use Check Point
SecurePlatform, follow the procedures for the Sun/Nokia/SecurePlatform/Alteon/Linux platforms
described in Sun/Nokia/SecurePlatform/Alteon/Linux Platforms (page 97).
Check Point FireWall-1 with Separate SmartCenter Server and Filter Module
1 Copy the batch file ckp_collect.bat to the Windows SmartCenter server.
2 Log in to the Windows SmartCenter server.
3 Open a Command Prompt window.
ckp_collect /remote <filter-module-IP-address>
ckp_collect will now obtain a routing table of the remote filter module using Check Point's 'cpstat'
command, which uses the OPSEC AMON protocol.
An archive file called c:\Algosec\ckp_collect\ckp_collect.tar.gz is created.
5 Copy ckp_collect.tar.gz to the AFA machine.
 To collect the device's routing table
There may be situations in which the 'cpstat' command is not present or fails to retrieve the filter module's
routing table. In these cases, you can extract the routing table manually, and add it to the collected archive,
as follows.
1 Copy the batch file ckp_collect.bat to the Windows SmartCenter server.
ckp_collect /manual
5 You will see instructions on how to extract the routing table from each possible module platform.
6 Log in to the filter module.
103
7 Execute the command that is appropriate for the device's operating system, exactly as shown in step 5.
8 Copy the routing table file that is created (e.g., netstat-rn, netstat-rn.lnx, or nokia-iclid) to
the directory c:\Algosec\ckp_collect on the SmartCenter server.
Note:
1. Keep the file name exactly as it was created.
2. Use the command that is appropriate for the filter module's operating system.
9 On the SmartCenter server, run the following command again.
ckp_collect /manual
An archive file called c:\Algosec\ckp_collect\ckp_collect.tar.gz is created.
Check Point FireWall-1 with Integrated SmartCenter Server and Filter Module
ckp_collect /local
Stand by while the script runs. All data files are placed in the directory c:\Algosec\ckp_collect on
the SmartCenter server.
Check Point Provider-1 Manual Data Collection

1 Log in to the Provider-1 computer as admin or root (or a user that has access to the Check Point files).
2 At the Unix prompt, create a temporary work directory, by entering the following commands:
mkdir /tmp/algosec
cd /tmp/algosec
3 Copy one file from the Check Point's global Provider-1 directory to the work directory, and store it with
a different name, as follows:
cp $FWDIR/conf/objects_5_0.C pv1_objects_5_0.C
4 If you know the IP address of the CMA that contains the device for analysis, skip this step. If you do not
know the IP address, the command
mdsstat
will generate a list of all the CMAs available.
5 Use the command
mdsenv <IP_address>
with the IP address of the CMA you need to access.
104
6 Verify that the environment variable $FWDIR now points to the root of your CMA's Check Point
directory tree, by typing
echo $FWDIR
A correct output should show a directory name.
7 Copy files from the Check Point directory to the work directory, as follows:
cp $FWDIR/conf/objects_5_0.C .
cp $FWDIR/conf/rulebases_5_0.fws .
cp $FWDIR/conf/gui-clients .
cp $FWDIR/conf/mv_tag.C .
cp $FWDIR/conf/asm.C .
cp $FWDIR/state/links.C .
Tip: Some of these files may be missing in your Provider-1 system, and AFA will be able to produce a
report without them. The truly essential files are only objects_5_0.C, rulebases_5_0.fws,
links.C, and the routing table file net-rt.cpstat (see below).
8 Run the following two commands
fwm dbexport -f users.C
fwm dbexport -g -f groups.C
9 Get the routing table using the "cpstat" command, as follows:
cpstat os -f routing -h a.b.c.d > net-rt.cpstat
where "a.b.c.d" is the IP address of the filter module.
10 Create an archive that contains all the files in the /tmp/algosec directory, as follows:
cd /tmp/algosec
tar cvf filename.tar *
Check Point SmartCenter Manual Data Collection on

Solaris/Nokia/Secure Platform/Linux
On a Unix-based platform (Solaris/Nokia/Secure Platform/Linux), we assume that the environment variable
$FWDIR points to the root of the Check Point directory tree.
1 At the Unix prompt, create a temporary work directory, by entering the following commands:
mkdir /tmp/algosec
cd /tmp/algosec
cp $FWDIR/conf/objects_5_0.C .
cp $FWDIR/conf/rulebases_5_0.fws .
cp $FWDIR/conf/gui-clients .
cp $FWDIR/conf/mv_tag.C .
cp $FWDIR/conf/asm.C .
cp $FWDIR/state/links.C .
105
Tip: Some of these files may be missing in your SmartCenter system, and AFA will be able to produce
a report without them. The truly essential files are only objects_5_0.C, rulebases_5_0.fws,
3 Run the following three commands
fwm ver | sed 's/fwm ver//' | sed 's/This is//' | sed 's/^ *//' | sed 's/\n//' | sed 's/\r//' > ckp_version
cpstat os -f routing -h a.b.c.d > net-rt.cpstat
5 Create an archive that contains all the files in the /tmp/algosec directory, as follows:
cd /tmp/algosec
tar cvf filename.tar *
Check Point SmartCenter Manual Data Collection on Microsoft

Windows
1 Open a Command Prompt window. Verify that the environment variable %FWDIR% points to the root
of the Check Point directory tree, by typing
echo %FWDIR%
A correct output should show a directory name.
2 Create a temporary work directory, by entering the following commands:
>mkdir C:\algosec
>cd C:\algosec
>copy %FWDIR%\conf\objects_5_0.C C:\algosec
>copy %FWDIR%\conf\rulebases_5_0.fws C:\algosec
>copy %FWDIR%\conf\gui-clients C:\algosec
>copy %FWDIR%\conf\mv_tag.C C:\algosec
>copy %FWDIR%\conf\asm.C C:\algosec
>copy %FWDIR%\state\links.C C:\algosec
Tip: Some of these files may be missing in your SmartCenter system, and AFA will be able to produce
a report without them. The truly essential files are only objects_5_0.C, rulebases_5_0.fws,
4 Run the following two commands
>cpstat os -f routing -h a.b.c.d > C:\algosec\net-rt.cpstat
6 Create a WinZip archive that contains all the files in the C:\algosec directory. It is recommended that
you give the archive file a mnemonic name, such as mydevice.zip.
106
Alternative Methods for Obtaining the Routing Table for Manual Data
Collection
In all the procedures described above , we used the "cpstat" command to collect the filter module's routing
table. There may be circumstances in which the cpstat command is unavailable, or unable to connect to the
module for some reason. For such situations, AlgoSec also lets you collect the module's routing table
directly from the module's command prompt. The exact command differs according to the module's
operating system.
 SecurePlatform:
1 Log in to the filter module (use the default "admin" login).
2 Switch to Expert mode by typing
expert
3 Get the filter module's routing table, by issuing the command
netstat -rn > /tmp/netstat-rn.lnx
Make sure you give the file exactly the name shown.
4 Copy the file /tmp/netstat-rn.lnx from the SecurePlatform and place it in the management
machine in the directory
C:\algosec\ (or /tmp/algosec on Unix SmartCenter servers )
Make sure you keep the exact file name.
5 Create a Zip archive that contains all the files in the C:\algosec directory. It is recommended that you
give the archive file a mnemonic name, such as mydevice.zip.
 Nokia:
1 Log in to the filter module (you do not need to be root on the filter module).
2 Get the filter module's routing table, as follows:
(echo show route | iclid ) > nokia-iclid
Make sure you type the command, including the file name, exactly as shown.
3 Copy the nokia-iclid file to the SmartCenter server and place it in the directory
 Sun Solaris:
1 Log in to the filter module (you do not need to be root on the filter module).
2 Get the filter module's routing table, as follows:
netstat -v -rn > netstat-rn
Make sure you type the command, including the file name, exactly as shown.
3 Copy the netstat-rn file to the SmartCenter server and place it in the directory
give the archive file a mnemonic name, such as mydevice.zip
107
 Alteon:
1 Log in to the filter module (use the default "admin" login).
2 Get the filter module's routing table, by issuing the command
netstat -rn > /tmp/netstat-rn.lnx
Make sure you give the file exactly the name shown.
3 Copy the file /tmp/netstat-rn.lnx from the Alteon and place it in the management machine in the
directory
 Microsoft Windows:
1 Open an Open a Command Prompt window.
Get the filter module's routing table, as follows:
>route print > route-print
2 Copy the route-print file to the SmartCenter server and place it in the directory
C:\algosec\ (or /tmp/algosec on Unix SmartCenter servers).
Adding a CSM-Managed Cisco Device

You can add Cisco devices that are managed by a Cisco CSM. You need to add each Cisco device or
security context managed by the CSM separately (even if they are managed by the same CSM).
Note: You need a Cisco API License for the CSM device.
 To collect data from a CSM-managed Cisco device

3 Choose Cisco - Firewall via CSM (CSM 4.3 or above).
4 Click Next.
108
New fields appear.
5 Complete the fields using the relevant information in Cisco CSM Properties Fields (page 111).
6 If you selected Standard or Extensive in the Log collection method field, you must specify a syslog-ng
server, by doing one of the following:
 To select a syslog-ng server from a list of syslog-ng servers that are already defined in AFA, select
the desired syslog-ng server from the Syslog-ng server drop-down list.
The localhost option represents the built-in syslog-ng server that was automatically installed with
AFA. No credentials are required for using this server. This option is recommended in situations
where it is not practical to allocate a dedicated syslog-ng server, for example if you have a small
number of devices, are using AFA for evaluation purposes, and so on.
 To add a new syslog-ng server to AFA, do the following:
109
1. Click New.
The Syslog Server Settings dialog box appears.
2. Complete the fields using the information in Syslog-ng Server Fields (page 112).
3. Click OK.
The new syslog-ng server is selected in the Syslog-ng server drop-down list.
You can edit the new syslog-ng server, by clicking New again, or by selecting it in the Syslog-ng
server drop-down list and clicking Edit.
Note: The new syslog-ng server will only be added to the system once the new device has been
saved. The syslog-ng server will then be available for selection for any device. Once the new device
has been saved, you must configure the syslog-ng server as described in Configuring a Syslog-ng
Server (page 112).

To edit an existing syslog-ng server, do the following:
1. Select the desired syslog-ng server from the Syslog-ng server drop-down list, then click Edit.
3. Click OK.
7 Click Finish.
The new device is added to the device tree.
2. Click OK.
b) Click OK.
110
Cisco CSM Properties Fields

Access Information
Firewall Host Name Type the host name of the Cisco device to be analyzed, as it appears in the CSM UI.
CSM Server Type the host name or IP address of the Cisco CSM server.
CSM User Name Type the user name to use for SSH access to the Cisco CSM.
CSM Password Type the password to use for SSH access to the Cisco CSM.
Baseline Configuration
Compliance
Baseline Configuration Select the baseline compliance profile to use, in order to enable generation of
Compliance Profile Baseline Compliance Reports for this device.
information on baseline compliance profiles and instructions for adding new
baseline compliance profiles, see Appendix E: Using Baseline Configuration
Compliance Profiles (page 504).
Select None, to disable Baseline Compliance Report generation for this device.
Rules view Specify how rules should be displayed in device reports:
 ASDM: Display rules in the Cisco Adaptive Security Device Manager (ASDM)
graphical interface.
 CLI: Display rules in command line format.
The default value is ADSM.
Note: Intelligent Policy Tuner and the "Unused objects within rules" list are available
only with ADSM.
Log Collection and Monitoring
Log collection method Specify the log collection method that AFA should use when collecting traffic logs
for the Cisco device, by selecting one of the following:
 Hit-counters: Only use hit-counter data. The Change History report page will be
based on "last modified" timestamps, and Intelligent Policy Tuner is disabled.
 Standard: Use hit-counter data for rule usage, and Syslog data for the Change
History report page. Intelligent Policy Tuner is disabled.
 Extensive: Combine data from both hit-counters and Syslog. Intelligent Policy
Tuner is enabled.
The default value is Extensive.
Note: If you choose the Standard or Extensive methods, you must specify a syslog-ng
server to use, as described in the procedure for adding a device.
Note: The Extensive method is only available when the ADSM is selected in the Rules
view area.
111

Additional firewall identifiers Type any additional IP addresses or host names that identify the device. When
adding multiple entries, separate values by a ':'. For example:
"1.1.1.1:2.2.2.2:ServerName".
This is relevant when the device is represented by multiple or non-standard device
identifiers in the logs, for example, in cases of firewall clusters or non-standard
logging settings. If AFA receives logs with an identifier it does not recognize, the
logs will not be processed.
Note: This field is not supported for sub-systems (Juniper VSYS/LSYS, Fortinet
VDOM, Cisco security context, etc.). To configure additional identifiers for
sub-systems, see Adding Additional Device Identifiers Manually (page 222).
Log collection frequency Type the interval of time in minutes, at which AFA should collect logs for the device.
(minutes) The default value is 10 minutes.
Options
Syslog-ng Server Fields

Syslog-ng host Type the syslog-ng server's host name or IP address.
User Name / SSH User Name Type the user name for connecting to the syslog-ng server.
Note: If the specified user does not have root permissions, then logs will not be
collected for the device until you have manually reloaded the syslog-ng server
configuration, as described in Configuring a Syslog-ng Server (page 112).
Password / SSH Password Type the password for connecting to the syslog-ng server.
Test Connectivity Click this button to test connectivity to the defined syslog-ng server.
A message informs you whether AFA connected to the syslog-ng server
successfully.
Configuring a Syslog-ng Server

If you chose to collect logs from a syslog-ng server other than the built-in localhost server, and you specified
"root" as the user for connecting to the syslog-ng server (in the SSH User Name or User Name field), AFA
will automatically perform the initial setup of the syslog-ng server. However, if you specified a user other
than "root", you must perform the following procedure to configure the syslog-ng server for use with AFA.
Note: These steps must be performed after you have finished adding the device to AFA.
 To configure an syslog-ng server for use with AFA

1 Log in to the syslog-ng server as "root".
2 Under /etc/syslog-ng/, open syslog-ng.conf.
3 Add the following line to the file:
include "/home/<user>/algosec/syslog_processor/algosec_syslog-ng.conf";
112
Where <user> is the user name for connecting to the syslog-ng server.
Note: This file may not exist yet.
Note: You configured this user name in the SSH User Name or User Name field, when adding the device.
4 Save your changes.
5 Restart the syslog-ng server configuration, by running the following command:
/./etc/init.d/syslog-ng restart
Adding a Cisco IOS Router or Layer-3 Switch

 To collect data from a Cisco IOS Router or Layer-3 switch
3 Choose Cisco - IOS Router.
4 Click Next.
113
New fields appear.
5 Complete the fields using the relevant information in Cisco IOS Router Properties Field (page 115).
6 Click Finish.
The new Cisco IOS Router or Layer-3 switch is added to the device tree.
114

2. Click OK.
b) Click OK.
Cisco IOS Router Properties Fields

Access Information
Enable User Name Do one of the following:
 Type the enable user name to use.
 If you do not want AFA to enter the enable mode, type "noenable".
Make sure to fill in this field.
Enable User Password Do one of the following:
 Type the enable password to use.
Compliance
Baseline Configuration To enable generation of Baseline Compliance Reports for this device, select the
Compliance Profile baseline compliance profile to use.
In case this router is divided to VRF modules, Baseline Configuration Compliance
reports will only be generated to the root/default VRF.
Additional Information
Include risk analysis and Select this option if you want to run full analyses on the router.
policy optimization When this is not selected, AFA produces condensed router reports which run as if
there is no license for risks, optimization or regular compliance.
This option is disabled by default.
Advanced
115

Show VRFs as separate Select this option to analyze each virtual router separately.
devices This option is enabled by default.
If this option is selected, the virtual routers will be listed in the Data collection setup
window under the relevant device in the following syntax: <system_name>:<virtual
router_name>.
Note: This option is only available when creating a new device. When editing a
device already defined in AFA, this option cannot be enabled.
Include risk analysis and Select this box to include risk analysis and policy optimization analysis for this
policy optimization device.
Devices with this analysis not included will still benefit from these features:
 Addition to the network map
 Change monitoring
 Traffic simulation query
 Device topology analysis
 Presenting the device policy
 Baseline configuration compliance reports (if enabled)
 Integration into AlgoSec FireFlow (if enabled)
Note: Checking this box for this router will increase the analysis time significantly
and might result in a performance degradation.
Remote Management Choose the method of data transmission: SSH or Telnet. If you select Custom Port,
Capabilities type in the port number.
Note: Telnet is the least secure method.
Number of allowed encryption Enter the permitted number of different RSA keys received from this device IP
keys address.
Different RSA keys may be sent from the same IP address in cases of cluster
fail-over, device operating system upgrades, etc.
Options
Real-time change monitoring Select this option to enable real-time change monitoring. For more information, see
Activating Real-Time Monitoring (page 256).
Adding a Cisco Nexus Router

 To collect data from a Cisco Nexus Router
3 Choose Cisco - Nexus Router.
4 Click Next.
116
New fields appear.
5 Complete the fields using the relevant information in Cisco Nexus Router Properties Fields (page 118).
6 Click Finish.
The new Cisco Nexus Router is added to the device tree.
117

2. Click OK.
b) Click OK.
Cisco Nexus Router Properties Fields

Access Information
Compliance
Baseline Configuration Profile To enable generation of Baseline Compliance Reports for this device, select the
baseline compliance profile to use.
Remote Management Choose the method of data transmission and encryption (number of allowed
Capabilities encryption keys).
Advanced
118

Include risk analysis and Selecting this box will include risk analysis and policy optimization analysis for this
policy analysis device.
Devices with this analysis not included will still benefit from these features:
 Addition to the network map
 Change monitoring
 Traffic simulation query
 Device topology analysis
 Presenting the device policy
 Baseline configuration compliance reports (if enabled)
 Integration into AlgoSec FireFlow (if enabled)
Note: Checking this box for this router will increase the analysis time significantly
and might result in a performance degradation.
Remote Management Choose the method of data transmission SSH or Telnet. If you select Custom Port,
Capabilities type in the port number.
keys address.
Different RSA keys may be sent from the same IP address in cases of cluster
Advanced
Show VRFs as separate Select this option to analyze each virtual router separately.
devices This option is enabled by default.
router_name>.
Note: This option is only available when creating a new device. When editing a
device already defined in AFA, this option cannot be enabled.
Include risk analysis and Select this option if you want to run full analyses on the router.
policy optimization When this is not selected, AFA produces condensed router reports which run as if
there is no license for risks, optimization or regular compliance.
This option is disabled by default.
Options
Real-time change monitoring Select this option to enable real-time alerting upon configuration changes. For more
information, see Activating Real-Time Monitoring (page 256).
119
Adding a Cisco PIX/ASA/FWSM Firewall

Note: Cisco FWSM can work in Layer-2 (transparent) mode, and in this mode it supports defining several
bridge-groups on a single FWSM. AFA considers each bridge-group to be a separate device.
In order to analyze such bridge-groups, define the FWSM as usual. AFA will automatically detect the list of
all defined bridge-groups and add each bridge-group to the device tree. You can then analyze each
bridge-group as a regular device (manually, via the scheduler, and so forth).
Important: It is necessary to create a PIX/ASA/FWSM user for the purpose of AFA data collection. This user
should have read-only permissions and be allowed to run only those commands required for data collection.
See Defining a Limited-Privilege Cisco User for Data Collection (page 127). However, in order to
automatically implement changes on the device with ActiveChange, read-write permissions are required.
Intelligent Policy Tuner analysis for Cisco log collection is available for data supplied by devices that have
PIX/ASA version 7.1 and above or FWSM version 3.1 and above. For the device to send the correct log
messages (type 106100), the device's ACLs must contain the keyword "log".
 To collect data from a Cisco PIX/ASA/FWSM firewall

3 Choose Cisco - PIX/ASA/FWSM.
4 Click Next.
120
New fields appear.
5 Complete the fields using the relevant information in Cisco PIX/ASA/FWSM Properties Fields (page
123).
121
If you selected the Allow ActiveChange check box, the ActiveChange License Agreement dialog box
appears.

1. Click New.
3. Click OK.
Server (page 112).
122
To edit an existing syslog-ng server, do the following:

3. Click OK.
7 Click Finish.
2. Click OK.
b) Click OK.
Cisco PIX/ASA/FWSM Properties Fields

Access Information
The default SSH user name on Cisco PIX is called "pix" (lower case) - use this
default unless you have other user names defined on the device.
Note: In order to be able to automatically implement changes on the device with
ActiveChange, read-write permissions are required.
Enable User Password Type the enable password to use.
Make sure to fill in this field.
Note: If this field is left empty, then upon connecting to the device, AFA will issue
the login command (instead of the enable command) and supply the password
specified in the Password field. If this field's value is "noenable", AFA will not issue
the enable command at all. For both these options, the relevant Cisco user must have
enough privileges to run all of the show commands used by AFA during data
collection.
123

Using a Distributed System in the AlgoSec Firewall Analyzer User Guide.
Compliance
Baseline Configuration To enable generation of Baseline Compliance Reports for this device, select the
Compliance Profile baseline compliance profile to use.
Remote Management Choose the method of data transmission (the default is SSH) and encryption (number
Capabilities of allowed encryption keys).
Rules view Specify how rules should be displayed in device reports:

 ASDM: Display rules in the Cisco Adaptive Security Device Manager (ASDM)
graphical interface.
 CLI: Display rules in command line format.
The default value is CLI.
Note: Intelligent Policy Tuner and the "Unused objects within rules" list are available
only with ADSM.
Log Collection and Monitoring
Log collection method Specify the log collection method that AFA should use when collecting traffic logs
for the Cisco device, by selecting one of the following:
 Hit-counters: Only use hit-counter data. The Change History report page will be
based on "last modified" timestamps, and Intelligent Policy Tuner is disabled.
 Standard: Use hit-counter data for rule usage, and Syslog data for the Change
History report page. Intelligent Policy Tuner is disabled.
 Extensive: Combine data from both hit-counters and Syslog. Intelligent Policy
Tuner is enabled.
Note: The Extensive method is only available when the ADSM is selected in the Rules
view area.
124

"1.1.1.1:2.2.2.2:ServerName".
Note: This field is not supported for sub-systems (VSYS, VDOM etc.). To configure
additional identifiers for sub-systems, see Adding Additional Device Identifiers
Manually (page 222).
ActiveChange
Generate commands and push Select this option to enable ActiveChange for the device.
policy changes via FireFlow When using FireFlow to manage a traffic change request for the Cisco device,
(for all Cisco devices) ActiveChange will generate a list of CLI commands required to implement the
desired traffic change. The commands will be displayed in the change request's work
order, and the FireFlow user can either copy and paste them to the command line or
implement the change automatically from FireFlow, in order to implement the
desired change.
Options
Adding a Cisco Application Centric Infrastructure (ACI)

 To collect data from a Cisco Application Centric Infrastructure (ACI)
3 Choose Cisco Application Centric Infrastructure (ACI).
4 Click Next.
125
New fields appear.
5 Complete the fields using the relevant information in Cisco ACI Properties Fields (page 126).
6 Click Finish.
2. Click OK.
b) Click OK.
Cisco ACI Properties Fields

Access Information
126

User Name Type the user name to access the device.
Password Type the password to access the device.
Using a Distributed System in the AlgoSec Firewall Analyzer User Guide.
Options
Defining a Limited-Privilege Cisco User for Data Collection

Note: It is necessary to create a PIX/ASA/FWSM user for the purpose of AFA data collection.
 To create a limited-privilege Cisco user for data collection

1 Log in to the Cisco device with a privileged user.
2 Enter "enable" mode.
3 Run the following commands:
configure terminal
username username password password privilege 5
privilege show level 5 command version
privilege show level 5 command mode
privilege show level 5 command access-list
privilege show level 5 command running-config
privilege show level 5 command route
privilege configure level 5 command pager
For ASA/FWSM devices with security context, also run:
privilege show level 5 command context
A new user is created. This user only has privileges to run the required show commands (all of which are
read-only).
127
Note: Changing the privilege levels of these commands may affect other defined users with limited privilege
levels.
Note: When defining the Cisco device in AFA, it is necessary to specify this user and the related password,
and to enter "noenable" in the Enable Password field. This will cause AFA to skip running the enable
command altogether. Alternatively, if you leave the Enable Password field empty, AFA will issue a login
command instead of the enable command, (re-entering the same password used for the SSH connection).
Note: When a blank password is used for the enable command, it is necessary to enter "Algosec_no_passwd"
in the Enable Password field. This will cause AFA to skip running the enable command when connecting to
the device.
Cisco PIX/ASA/FWSM Manual Data Collection

1 Log into the PIX/ASA/FWSM firewall using SSH (or Telnet), and log the session to a file.
2 Go to "enable" mode by typing enable and the enable password.
show version
show running-config
(when dynamic routing is used:
show route)
show access-list
exit
4 Edit the file with the session recording. Use a text editor such as 'notepad' or 'WordPad', but not
Microsoft Word.
5 Replace the line:
pixfirewall# show access-list
with:
=== show access list ===
Important: Start in the 1st column; use the exact syntax, with one space between each two words.
Remember to replace the "-" with a space!
6 Replace the line:
pixfirewall# show route
with:
=== show route ===
Important: Start in the 1st column; use the exact syntax, with one space between each two words.
7 Save the file with .pix file type.
8 Upload the file to AFA using Analyze from File. See Generating AFA Reports from File in the AlgoSec
128
Cisco Routers Semi-Automatic Data Collection

Note: AlgoSec does not provide a manual procedure for collecting data from a Cisco router because it is
rather tedious and error prone. Data collection from remote or inaccessible Cisco IOS or Nexus devices
must be done using the device data collection script (routerdump.pl) provided by AlgoSec.
The AlgoSec Perl script named routerdump.pl is used to obtain the required device data from your Cisco
Router (IOS or Nexus). Before you can use routerdump.pl, however, Perl must be running on the
computer to which the router configuration will be extracted. Perl is available on most Unix systems. For
PCs running Windows NT/2000/XP, a Windows version of Perl is available through http://www.perl.com
(http://www.perl.com).
The following procedure describes how to run routerdump.pl on a single device or in bulk mode.
 To run routerdump.pl
1 Open a command line window.
2 Enter one of the following commands:
Note: All optional elements appear in square brackets [].
 To run routerdump.pl on a single device:
routerdump.pl [-v] -u user -p password [-U enable-user] [-P enable-password] [-s connection-type]
[-o ssh-port] -t device-brand -O output_path router-IP
Where:
 -v specifies verbose mode.
 -u specifies the user name, where user is the user name.
 -p specifies the password, where password is the password.
 -U specifies the enable username, where enable-user is the enable username.
 -P specifies the enable password, where enable-password is the enable password.
 -s specifies the connection type where connection-type is the connection type. The default is
SSH.
 -o specifies the port number, where ssh-port is the port number. The default is 22.
 -t specifies the device brand, where device-brand is the device brand (nexus or ios).
 -O specifies the output file path, where output_path is the output file path.
 router-IP is the router's IP Address.
For example, the following command will run routerdump.pl on a single nexus device with user
name "admin", password "cisco". The file will be deposited at "~/test_me_now", and the devices IP
is "10.20.1.148".
routerdump.pl -u admin -p cisco -t nexus -O ~/test_me_now 10.20.1.148
 To run routerdump.pl in bulk mode:
routerdump.pl -b [-v] input_file
Where:
 -b specifies bulk mode
 -v specifies verbose mode
 input_file is a CSV file that describes the devices (see below)
129
The CSV input format is as follows:

router,brand,username,password,enable_username,enable_password,connection_type,ssh_port,ver
bose_mode (first line is saved for headlines)
CSV Examples:
10.20.1.148,nexus,admin,cisco,,,SSH,22,V
10.20.15.1,ios,admin,algosec,admin,algosec1,telnet,,
For example, the following command will run routerdump.pl in bulk mode:
routerdump.pl -b routrdumpTest.txt
3 In some cases, you may be prompted with a User prompt. Type your router user name.
4 At the Password prompt, type the router's Telnet password.
5 At the Enable Password prompt, type the enable password.
The routerdump.pl script extracts the appropriate router information and creates a file named
routername-, followed by the creation date. For example, for the router named gw2600, a router
information file created on November 1, 2004, would be named: gw2600-20041101.rd
This is the device data file you would copy to the AFA machine (see Manually Generating AFA Reports in the
AlgoSec Firewall Analyzer User Guide). The ".rd" file that is created is a flat ASCII file.
If you must collect the data from the router manually, then you will need to construct the ".rd" file using a
text editor (such as vi, emacs, or gedit). Use the following guidelines:
1 Log in to the router, and go to "enable" mode.
2 Issue the following six commands:
show version
show ip route
show interface
show ip interface
show ip access-list
show running-config
"cut" the output they produce and paste the cut lines into your ASCII editor.
3 You need to insert the separator lines between command output blocks, in the format
===== command from the list above =====
(5 '=' signs starting on a new line, then the command (like show interface), and then 5 '='. After the
separator line, place the output produced by the router when you issue the command.
4 Make sure you grab the whole output of each command: You'll need a large history buffer in your
terminal emulator so you can scroll up.
5 Set the terminal emulator display to be wide enough so lines don't get truncated or wrapped.
6 Make sure NOT to copy any pager prompts like "More..."
Cisco Nexus Router Manual Data Collection

1 Log into the Cisco Nexus router using SSH (or Telnet), and log the session to a file.
show version
show interface
show ip interface
130
show vrf interface

show ip access-list
show running-config
show ip route
3 Edit the file with the session recording. Use a text editor such as 'Notepad' or 'WordPad', but not
Microsoft Word.
4 Replace the line:
nexusfirewall# show version
with:
=== show version ===
Important: Start in the 1st column; use the exact syntax, with one space between each two words. This is
necessary for all of the following replacements as well.
5 Replace the line:
nexusfirewall# show interface
with:
=== show interface ===
6 Replace the line:
nexusfirewall# show ip interface
with:
=== show ip interface ===
7 Replace the line:
nexusfirewall# show vrf interface
with:
=== show vrf interface ===
8 Replace the line:
nexusfirewall# show ip access-list
with:
=== show ip access list ===
Important: Remember to replace the "-" with a space!
9 Replace the line:
nexusfirewall# show running-config
with:
=== show running config ===
Important: Remember to replace the "-" with a space!
10 Replace the line:
nexusfirewall# show ip route
with:
=== show ip route ===
11 Save the file with .nexus file type.
131
Adding an F5 BIG-IP
F5 BIG-IP AFM™ devices can be added to AFA as monitoring only devices or, for versions 11 and above,
with full support. This procedure describes how to add a fully supported device. For adding a monitoring
only device, see Adding Monitoring Devices (page 209).
 To add an F5 BIG-IP LTM®
3 Choose F5 BIG-IP LTM (Version 11 or above).
4 Click Next.
New fields appear.
5 Complete the fields using the relevant information in F5 BIG-IP LTM Properties Fields (page 133).
132
6 Click Finish.
2. Click OK.
b) Click OK.
F5 BIG-IP LTM® Properties Fields

Access Information
Type F5 BIG-IP LTM® (version 11 or above).
This field is read-only.
See Device User Permission Requirements (page 227).
Using a Distributed System.
Compliance
133
Remote Management Choose the method of data collection. SSH is the only option.
Capabilities
Log Collection and Monitoring If desired, you can configure the device to collect audit logs from a syslog-ng server.
If you define a new syslog-ng server, then after you have finished adding the device,
you must configure the syslog-ng server as described in Configuring an Syslog-ng
Server (page 112).
Log collection method Specify whether AFA should collect logs for the device, by selecting one of the
following:
 None: Do not collect logs.
 Standard: Enable audit log collection.
 Extensive: Enable audit log collection. Note that since AFA currently does not
support collection traffic logs from an F5 BigIP device, there is no log analysis
(unused rules, Intelligent Policy Tuner results, etc.).
Syslog-ng server If desired, you can configure AFA to collect logs from the device through a
syslog-ng server. For information on how to do this, see Adding a Juniper SRX
(page 178).
you must configure the syslog-ng server as described in Configuring a Syslog-ng
Server (page 112).
"1.1.1.1:2.2.2.2:ServerName".
Options
Set user permissions Select this option to set user permissions for the device.
134
Adding a Forcepoint (McAfee) Security Management Center

Note: The Forcepoint (McAfee) Security Management Center was formerly known as Stonesoft StoneGate.
 To collect data from a Forcepoint (McAfee) Security Management Center device

3 Choose Forcepoint (McAfee) Security Management Center.
4 Click Next.
The Forcepoint (McAffe) Security Management Center - Step 1/2 page appears.
5 Complete the fields using the information in Forcepoint (McAfee) Security Management Center
Properties Fields (page 137).
6 Click Next.
135
The Forcepoint (McAffe) Security Management Center - Step 2/2 page appears.
The table displays a list of all the devices that are managed by the Security Management Center,
including standalone devices and virtual systems.
7 Do the following for each device in the table:
a) Select the check box, to specify that the device should be included in the Security Management
Center's definition and analyzed by AFA.
b) In the Log Collection Method column, do one of the following:
For information about using the Intelligent Policy Tuner, see Refining Rules via the Intelligent
Policy Tuner in the AlgoSec Firewall Analyzer User Guide.
8 To enable generation of Baseline Compliance Reports for devices managed by the Security
Management Center, do the following:
136
Note: Specifying this information for a device triggers a direct SSH connection to the device.
c) Click OK.
9 Continue completing the remaining fields using the information in Forcepoint (McAfee) Security
Management Center Properties Fields (page 137).
The Forcepoint Security Management Center is added to the device tree, along with all the devices it
manages.
2. Click OK.
b) Click OK.
Forcepoint (McAfee) Security Management Center Properties Fields

Access Information
Authentication key You must add the authentication key of one of the defined API Clients, defined in the
SMC.
137

Port Enter the port number. The default value is 8082.
High Availability Select this option to configure High Availability.
You must complete the Secondary field.
Secondary StoneGate Type the IP address of the secondary device.
Log Collection and Note: Log collection must additionally be enabled on the Forcepoint (Mcafee) Security
Monitoring Management Center. See Configuring the Forcepoint (page 138).
syslog-ng server Select the syslog-ng server from the drop-down list. Edit, New. If desired, you can
configure the device to collect logs from a syslog-ng server.
If you define a new syslog-ng server, then after you have finished adding the device, you
must configure the syslog-ng server as described in Configuring a Syslog-ng Server
(page 112).
Additional firewall Type any additional IP addresses or host names that identify the device. When adding
identifiers multiple entries, separate values by a ':'. For example: "1.1.1.1:2.2.2.2:ServerName".
identifiers in the logs, for example, in cases of firewall clusters or non-standard logging
settings. If AFA receives logs with an identifier it does not recognize, the logs will not be
processed.
Note: This field is not supported for sub-systems (Juniper VSYS/LSYS, Fortinet VDOM,
Cisco security context, etc.). To configure additional identifiers for sub-systems, see
Adding Additional Device Identifiers Manually (page 222).
Options
Real-time change Select this option to enable real-time change monitoring. For more information, see
monitoring Activating Real-Time Monitoring (page 256).
Configuring the Forcepoint (McAfee) Security Management Center

In order for AFA to collect data from a Forcepoint (McAfee) Security Management Center, you must enable
its API in the SMC client. Additionally, if you want to collect logs, you must enable this in the SMC client as
well.
 To configure the Forcepoint (Mcafee) Security Management Center (SMC)
1 Login to the SMC using credentials with administrator privileges.
138
The Domain Overview - Security Management Center window appears.
2 In the test domain, double click Firewalls.

The System Status window opens.
3 In the left menu, open the Firewalls node, and click on a device.
139
A network diagram appears in the workspace.
4 Right click Management Server.

5 Choose Properties.
140
The Management Server - Properties window appears.
6 Click the SMC API tab.

The SMC API tab appears.
7 Configure the settings as follows:

 The Enable check box must be checked.
141
 The Host Name field must be empty or equivalent to what is defined in AFA.
 The Port Number field (default 8082) must be equivalent to what is defined in AFA.
 The Listen Only on Address and Server Credentials fields must be empty.
8 Click OK.
9 In the header, click the Configuration menu. In the drop-down menu, hover over Configuration, and
select Administration.
The Administration window appears.
10 Create a new client and assign it to any role. (minimal privileges are sufficient)
Note: You must create a new client even if one already exists because it is not possible to view an
existing client's authentication key. This can potentially cause a problem if other systems communicate
with the SMC via its API. Any other systems will have to be updated with the new key.
Upon creation, you can see the Authentication Key which can be used to connect with this client. Use
this Authentication Key when configuring the device in the AFA definition wizard.
11 To enable log collection, do the following:
142
a) Go back to the Domain Overview - Security Management Center window.

b) Under Shared Domain, double click Servers.
The System Status window opens.
c) Right click Servers. In the drop-down menu, hover over New, and select Log Server.
The Properties window appears.
d) Click the Log Forwarding tab.
143
The Log Forwarding tab appears.
e) Click Add.
f) Set the Target Host column to the host that you added as the Syslog Server.
g) Set the Format column to CSV.
h) Click OK.
Adding a Forcepoint (McAfee) Sidewinder

 To add a Forcepoint (McAfee) Sidewinder
3 Choose Forcepoint (McAfee) Sidewinder.
4 Click Next.
144
New fields appear.
5 Complete the fields using the relevant information in Forcepoint (McAfee) Sidewinder Properties
Fields (page 147).
145
1. Click New.
3. Click OK.
Server (page 112).

3. Click OK.
7 Click Finish.
2. Click OK.
b) Click OK.
146
Forcepoint (McAfee) Sidewinder Properties Fields

Access Information
Compliance
Remote Management Choose the method of data collection.
Capabilities Note: Telnet is the least secure method.
Log Collection and Monitoring If desired, you can configure the device to collect logs from a syslog-ng server.
Server (page 112).
following:
 None. Do not collect logs.
 Standard. Enable log collection.
 Extensive. Enable log collection and the Intelligent Policy Tuner.
147

"1.1.1.1:2.2.2.2:ServerName".
Log collection frequency Type the interval of time in minutes, in which AFA should collect logs for the
device.
Options
Forcepoint (McAfee) Sidewinder Manual Data Collection

1 Log into the Sidewinder firewall using SSH (or Telnet), and log the session to a file using the following
command:
ssh @ | tee –ia
srole
echo "VERSION_NUMBER:" ùname -r`
cf policy export type=rule
cf policy export type=net_object
cf service query (for version 7)
cf application query (for version 8)
cf appdb list verbose=on (for version 8)
cf interface query
cf burb query (for version 7)
cf burbgroup query (for version 7)
netstat -rn
cf usergroup query
cf hostname query
cf timeperiod query
cf zone query (for version 8)
cf zonegroup query (for version 8)
cf ipsec query
148
cf policy query
exit
exit
Microsoft Word.
4 At the head of the page add the line:
# Connecting to:
5 Replace the line:
:Admn {1} % echo "VERSION_NUMBER:" ùname -r`
with:
=== echo "VERSION_NUMBER:" ùname -r` ===
6 Replace the line:
:Admn {2} % cf policy export type=rule
with:
=== cf policy export type=rule ===
7 Replace the line:
:Admn {3} % cf policy export type=net_object
with:
=== cf policy export type=net_object ===
8 For Sidewinder version 7:
Replace the line:
:Admn {4} % cf service query
with:
=== cf service query ===
Replace the line:
:Admn {5} % cf application query
with:
=== cf application query ===
Replace the line:
:Admn {6} % cf appdb list verbose=on
with:
=== cf appdb list verbose=on ===
:Admn {5} % cf interface query
with:
=== cf interface query ===
Replace the line:
149
:Admn {6} % cf burb query

with:
=== cf burb query ===
Replace the line:
:Admn {7} % cf burbgroup query
with:
=== cf burbgroup query ===
:Admn {8} % netstat -rn
with:
=== netstat -rn ===
:Admn {9} % cf usergroup query
with:
=== cf usergroup query ===
:Admn {10} % cf hostname query
with:
=== cf hostname query ===
:Admn {11} % cf timeperiod query
with:
=== cf timeperiod query ===
Replace the line:
:Admn {11} % cf zone query
with:
=== cf zone query ===
Replace the line:
:Admn {12} % cf zonegroup query
with:
=== cf zonegroup query ===
:Admn {12} % cf ipsec query
with:
=== cf ipsec query ===
:Admn {13} % cf policy query
with:
=== cf policy query ===
150
22 Save the file with .sidewinder extension.

Adding a Fortinet FortiGate

 To add a Fortinet FortiGate
3 Choose Fortinet FortiGate.
4 Click Next.
New fields appear.
151
5 Complete the fields using the relevant information in Fortinet FortiGate Properties Fields (page 153).
1. Click New.
3. Click OK.
Server (page 112).

3. Click OK.
7 Click Finish.
152
2. Click OK.
b) Click OK.
Fortinet FortiGate Properties Fields

Access Information
Compliance
If you define a new syslog-ng server then after you have finished adding the device,
Server (page 112).
following:
 Standard: Enable log collection.
 Extensive: Enable log collection and the Intelligent Policy Tuner.
153

"1.1.1.1:2.2.2.2:ServerName".
Options
Fortinet FortiGate Manual Data Collection

Note: If the device has several VDOMs, the following procedure must be implemented for each VDOM
separately, hence a separate file for each VDOM.
1 Log into the FortiGate firewall using SSH (or Telnet), and log the session to a file.
config global
get system status
show full-configuration | grep ''
end
3 If there are one or more VDOMs configured on the device, run the following additional command:
config vdom
4 Run the following additional commands for each VDOM.
edit
get system status
show full-configuration | grep ''
5 If dynamic routing is used, run one of the following commands (depending on if the user is read-only or
not):
diagnose ip route list | grep ''
get router info kernel | grep '
end
6 Run the following command:
exit
154
Microsoft Word.
8 Replace the line:
FortiGateFirewall (global) # show full-configuration
with:
=== show full-configuration ===
9 Replace the line (if applicable):
FortiGateFirewall (vdom_name) # get system status
with:
=== get system status ===
FortiGateFirewall (vdom_name) # show full-configuration
with:
=== show full-configuration ===
FortiGateFirewall (vdom_name) # diagnose ip route list
with:
=== diagnose ip route list ===
12 Save the file with .fortigate file type.
155
Adding a Fortinet FortiManager

Important: AFA connects to FortiManager versions 5.2.3 and above through FortiManager's REST API.
AFA connects to previous versions through FortiManager's standard SOAP API. Therefore, in order to
enable AFA to connect to FortiManager, it is necessary to enable FortiManager's Web services as follows:
To connect via REST:
1. In the FortiManager Web interface, click System Settings > Network > Management Interface.
2. Under Administrative Access, select HTTPS and Web Service.
To connect via SOAP:
1. In the FortiManager Web interface, click System Settings > Network > Interface, and then click the
relevant interface.
2. Under Administrative Access, select Web Service.
Note: Routing collection via the Fortimanager only supports static routes. If dynamic routing is used, please
define the Fortigate devices directly, and not via the Fortimanager.
Note: In order for AFA to process logs in cases of special device configurations (such as clusters), you must
add all additional device identifiers, as described in Adding Additional Device Identifiers Manually (page
222). If AFA receives logs with an identifier it does not recognize, the logs will not be processed.
Note: If Administrative Domains (ADOMs) are used:
To analyze only devices under a specific ADOM, specify a specific ADOM's administrator credentials.
To analyze all devices under all ADOMs, provide the credentials of a global administrator.
When analyzing devices as a global administrator, no other action is required. Otherwise, some manual
configuration may be required. Contact AlgoSec support for more information.
 To add a Fortinet FortiManager

3 Choose Fortinet FortiManager.
4 Click Next.
156
The Fortinet Fortimanaer Step 1/2 page appears.
5 Complete the fields using the relevant information in Fortinet FortiManager Properties Step 1 Fields
(page 159).
1. Click New.
157
3. Click OK.
Server (page 112).

3. Click OK.
7 Click Next.
The Fortinet FortiManager Step 2/2 page appears.
The table displays a list of all the devices that are managed by the FortiManager, including standalone
devices and virtual systems.
a) To specify that the device should be included in the FortiManager's definition and analyzed by AFA,
in the Add Device column, select the check box.
158
Select Standard to enable logging.


Select Extensive to enable logging and the Intelligent Policy Tuner.

9 To enable generation of Baseline Compliance Reports for devices managed by the Fortinet
FortiManager, do the following:
c) Click OK.
10 Complete the remaining fields using the information in Fortinet FortiManager Properties Step 2
Fields (page 160).
11 Click Finish.
The new Fortinet FortiManager is added to the device tree, along with all the devices it manages.
2. Click OK.
b) Click OK.
Fortinet FortiManager Properties Step 1 Fields

Access Information
159

User Name Type the user name to use for accessing the device via its SOAP API.
This user name must be a super-user for the API to work.
Password Type the password to use for accessing the device via its SOAP API.
Connect via For FortiManager version 5.2.3 and above, select REST.
For earlier versions, select SSH and SOAP.
ActiveChange Select this option to enable ActiveChange for the device.
This option is relevant for Fortimanager version 5.2.3 and above.
For information about using ActiveChange, see Working with ActiveChange in the
If you define a new syslog-ng server then after you have finished adding the device,
Server (page 112).
following:
Fortinet FortiManager Properties Step 2 Fields
160
Adding a Hillstone Networks Device

 To add a Hillstone Networks device
3 Choose Hillstone Networks.
4 Click Next.
5 New fields appear.
6 Complete the fields using the relevant information in the table below.
7 Click Finish.
161
2. Click OK.
b) Click OK.
Hillstone Networks Properties Fields

Access Information
Type Displays the device type.
Compliance
Remote Management Choose the method of data transmission and encryption. The default is SSH.
Options
162

Adding a Juniper Space

Instead of adding multiple Juniper SRX devices, you can simply add the Juniper Space that manages the
desired devices. AFA will be able to analyze any of the devices managed by the Space.
Note: Automatic migration of a Juniper SRX already defined in AFA to a Juniper Space is not supported. If
you have SRX devices already defined in AFA, please remove them from AFA before adding them via
Space.
Note: Applications monitoring for NAT policy changes and IPv6 rules and objects for SRX are not
supported, when the SRX is defined in AFA via Space.
Note: To add SRX clusters under a Space, you must do one of the following:
Add primary and secondary devices as two separate devices. AFA will display the clusters as two separate
devices, and both devices will appear in the graphic network map with identical traffic log counts.
Configure a VIP interface and add the cluster to Space with this interface as a single device. AFA will
display the device as a single device.
 To collect data from a Juniper Space

Click New, and then click Devices.
2 Choose Juniper - Junos Space.
3 Click Next.
163
The Juniper Space Step 1/2 page appears.
4 Complete the fields using the information in Juniper Space Properties Step 1 Fields (page 166).
Note: When using STRM (Juniper's log server), the logs can be forwarded to a syslog-ng (AFA's built-in
syslog-ng or an external one). Then, define this syslog-ng as the log server. For information on how to
configure STRM to forward the logs, see Configuring Juniper STRM to Forward Logs to a Syslog-ng
Server (page 177).
1. Click New.
164
3. Click OK.
Server (page 112).
 To edit an existing syslog-ng server, do the following:
3. Click OK.
6 Click Next.
The Juniper Space Step 2/2 page appears.
The table displays a list of all the devices that are managed by the Juniper Space, including standalone
devices and virtual systems.
a) To specify that the device should be included in the Juniper Space's definition and analyzed by AFA,
in the Add column, select the check box.
165
Select Standard to enable logging.


Select Extensive to enable logging and the Intelligent Policy Tuner.

8 To enable generation of Baseline Compliance Reports for devices managed by the Juniper Space, do the
following:
c) Click OK.
9 Complete the remaining fields using the information in Juniper Space Properties Step 2 Fields (page
167).
The new Juniper Space is added to the device tree, along with all the devices it manages.
2. Click OK.
b) Click OK.
Juniper Space Properties Step 1 Fields

Access Information
166

User Name Type the user name to use to access the device.
Important: For user requirements, see Device User Permission Requirements (page 227).
Password Type the associated password.
Using a Distributed System.
Log Collection
following:
Syslog-ng server If desired, you can configure the device to collect logs from a syslog-ng server. For
information on how to do this, see Adding a Juniper Space (page 163).
(page 112).
Log collection frequency Select the interval of time in minutes, at which AFA should collect logs for the device.
Juniper Space Properties Step 2 Fields

Options
167
Adding a Juniper NSM

If you are managing multiple Juniper devices, both SRX and Netscreens, using Juniper NSM or Space, you
may prefer to define them via the NSM or Space wizard in AFA, rather than using direct device connections.
As a rule, if you have a management system that manages the devices well, including the ability to push a
policy, it is preferable to use that system.
Instead of adding multiple Juniper Netscreen or SRX devices, you can simply add the Juniper NSM that
manages the desired devices. AFA will be able to analyze any of the devices managed by the NSM.
If individual Netscreen devices are already defined in AFA, then when you add the NSM that manages
them, AFA will enable you to migrate the devices into the NSM. When a device is migrated, it is added as a
member of the NSM, and deleted as a separate device from AFA. The migrated devices' reports are
preserved and associated with the NSM.
Note:The capability to migrate a previously defined device to the NSM is not supported for SRX devices.
Note: AFA uses the NSM API 2008, available in NSM 2008 and above, to connect to the NSM and collect
data. Therefore, if you have a Juniper NSM 2007, you must add each Netscreen device separately (i.e., AFA
will collect data directly from the Netscreen devices via SSH, and not from the NSM) and specify that the
Netscreen devices' logs should be collected from the NSM. For instructions, see Adding a Juniper
Netscreen (page 183).
Important: For the NSM API to be active, the NSM must be set to listen to port 8443 on the IP address of its
interface.
See Juniper Knowledge Base for additional information on activating NSM API:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB17530&actp=search&viewlocale=en_US
(http://kb.juniper.net/infocenter/index?page=content&id=kb17530&actp=search&viewlocale=en_us)
Note: During log collection, AFA relies on rule IDs, available in NSM 2009 traffic logs. Therefore, if you
have a Juniper NSM 2007 or 2008, you must enable AFA to translate rule numbers to the rule IDs, by adding
the following line to the AFA configuration file: Use_Rulenum=yes
Note: NAT (Network Address Translation) is not supported for Juniper SRX devices.
Important: It is necessary to configure a read-only user in the NSM, for the purpose of data collection. See
Configuring a Read-Only NSM User for Data Collection (page 174).
Important: In order to accurately analyze Juniper devices that are managed by an NSM and utilize dynamic
routing, you must configure AFA to collect dynamic routes from NSM managed devices. See Configuring
AFA to Collect Dynamic Routes from NSM Managed Devices.
 To collect data from a Juniper NSM

3 Choose Juniper - NSM (NSM 2008 or above).
4 Click Next.
168
The Juniper NSM Step 1/2 page appears.
5 Complete the fields using the information in Juniper NSM Properties Step 1 Fields (page 173).
6 If you selected Syslog-ng in the From field, you must specify a syslog-ng server, by doing one of the
following:
Server (page 177).
169
1. Click New.
3. Click OK.
Server (page 112).

3. Click OK.
7 Click Next.
170
The Juniper NSM Step 2/2 page appears.
The table displays a list of all the devices that are managed by the NSM, including standalone devices
and virtual systems.
If one of the Netscreen devices is already defined in AFA, the Migrate from currently defined Netscreen
column appears.
Note: If a Juniper SRX is already defined in AFA, there will not be an option to migrate it to the NSM. In
order to define the device in AFA as managed by the NSM, you must first delete the SRX from AFA,
and then define it in AFA under the NSM.
a) In the Add column select the check box, to specify that the device should be included in the NSM's
definition and analyzed by AFA.
For information about using the Intelligent Policy Tuner, see Refining Rules via the Intelligent
Policy Tuner in the AlgoSec Firewall Analyzer User Guide.
c) If this device is a Netscreen device that is already defined directly in AFA and you want to migrate it
into the NSM, select the device to migrate in the Migrate from currently defined Netscreen column.
The selected device will be deleted from AFA as a separate device, and added to the NSM along
with any existing reports.
9 To enable generation of Baseline Compliance Reports and dynamic routing collection for devices
managed by the Juniper NSM, do the following:
171
b) To enable baseline compliance reports, do the following:

1. Complete the fields using the information in Baseline Configuration Compliance Fields (page
70).
Note: Specifying this information for a device triggers a direct SSH connection to the device.
c) To access the managed device through the NSM machine (as opposed to specifying credentials for
each device and having AFA access each device directly), do the following:
Note: In this case, AFA will connect to the NSM via SSH, and will open another SSH connection
from the NSM towards the managed devices.
1. Check Access the managed devices through the NSM machine.
2. Type the SSH User Name and the SSH Password.
d) Click OK.
10 Complete the remaining fields using the information in Juniper NSM Properties Step 2 Fields (page
174).
The Juniper NSM is added to the device tree, along with all the devices it manages.
2. Click OK.
b) Click OK.
172
Juniper NSM Properties Step 1 Fields

Access Information
NSM GUI server Type the host name or IP address of the NSM GUI server.
NSM HA Cluster Select this option to enable support for an NSM High Availability (HA). If accessing the
primary NSM GUI server fails, AFA will access the secondary NSM GUI server.
You must complete the Secondary Host field.
Secondary NSM GUI Type the host name or IP address of the secondary NSM GUI server.
server Note: NSM HA cluster support is only available if the NSM GUI server and Dev server
are running on the same server.
User Name Type the user name to use for SSH access to the NSM GUI server.
Note: AlgoSec recommends using a "read-only" user account on the NSM GUI server.
Password Type the password to use for SSH access to the NSM GUI server.
Port Type the port number to use on the NSM GUI server.
The default port on NSMXpress appliances is 443.
Log Collection and
Monitoring
Collect Logs (via SSH) Select this option to specify that AFA should collect traffic logs for the device using SSH.
From Specify from where AFA should collect logs, by selecting one of the following:
 NSM: AFA should collect logs from the NSM.
 Syslog-ng: AFA should collect logs from a syslog-ng server.
The default value is NSM.
Note: If you choose Syslog-ng, you must specify a syslog-ng server to use as described in
the procedure for adding a device, and you must complete the NSM forwarding field. If
you choose NSM, you must complete the NSM Dev server, SSH User Name, and SSH
Password fields described in the continuation of this table.
NSM Dev server Specify the NSM's location, by choosing one of the following:
 Same as NSM GUI server: The NSM Devices server is located on the same machine as
the NSM GUI server.
 Separate server: The NSM is located separately from the NSM GUI server. If you
chose this option, you must type the NSM's host name or IP address in the field
provided.
The default value is Same as NSM GUI server.
Note: In the NSMXpress appliance's setup, the NSM GUI server and the NSM Devices
server are installed on the same machine.
This area only appears if you selected NSM in the From field.
173

SSH User Name Type the user name for connecting to the NSM.
SSH Password Type the password for connecting to the NSM.
NSM forwarding Select this option to indicate that logs are collected on the NSM and then forwarded to the
syslog-ng server.
This field only appears if you selected Syslog-ng in the From field.
Collect audit logs from the Select this option to specify that AFA should collect audit logs in addition to traffic logs.
same server
Log collection frequency Type the interval of time in minutes, at which AFA should collect logs.
Test Connectivity Click this button to test connectivity to the defined NSM server.
A message informs you whether AFA connected to the NSM server successfully.
Juniper NSM Properties Step 2 Fields

Advanced Click the arrow next to the Advanced heading, to display the fields in this area.
Display virtual routers Select this option to analyze each virtual router separately. This is only supported for
(Netscreen devices) Netscreen devices.
router_name>.
Options
Configuring a Read-Only NSM User for Data Collection

It is necessary to configure a read-only user in the NSM, for the purpose of AFA data collection.
 To configure a read-only user in the NSM for data collection
1 Log in to the NSM.
174
2 Click Tools > Manage Administrators and Domains.
The Manage Administrators and Domains dialog box appears.

3 Click + to create a new administrator.
The New - Administrator dialog box appear.
175
4 In the General tab, enter a name for the user.
5 In the Authorization tab, click Set Password and set a password for the user.
6 In the Permissions tab, click +.
176
The New Select Role and Domains dialog box appears.
7 In the Role drop-down list, choose Read-Only System Administrator.

8 Select the check boxes next to the relevant domains.
9 Click OK in each of the open dialog boxes.
Configuring Juniper STRM to Forward Logs to a Syslog-ng Server
 To configure Juniper STRM to forward logs to a syslog-ng server

1 Log in to the STRM Log Manager interface.
177
2 Click the Admin tab.

3 In the lefthand menu, click Data Sources.
4 Click Syslog Forwarding Destinations.
5 Click Add.
6 In the fields provided, type the syslog-ng server’s IP address and port.
7 Click Save.
All logs that are sent to the Juniper STRM device will be forwarded to the syslog-ng server.
Adding a Juniper SRX

 To collect data from a Juniper SRX
3 Choose Juniper - SRX.
4 Click Next.
178
New fields appear.
5 Complete the fields using the relevant information in Juniper SRX Properties Fields (page 181).
Server (page 177).
179
1. Click New.
3. Click OK.
Server (page 112).

3. Click OK.
7 Click Finish.
The new Juniper SRX device is added to the device tree.
2. Click OK.
180
9 Click OK.
Juniper SRX Properties Fields

Access Information
User Name Type the user name "root".
Note: In order to be able to automatically implement changes on the device with
ActiveChange, read-write permissions are required.
Password Type the associated password.
Compliance
Baseline Configuration To enable generation of Baseline Compliance Reports for this device, select the baseline
Profile compliance profile to use.
Display virtual routers Select this to display virtual routers in the map as separate devices (each router will be a
separate node in the Devices tree) and that correct traffic simulation results are generated
for traffic passing through these virtual routers.
Remote Management Choose the method of data transmission.
Capabilities Note: Telnet is a less secure method.
Tip: You can configure AFA to use ssh with Public-Key authentication when it connects to
the SRX. To do so, see Administration Options Settings (page 324), and configure the
Use public key authentication in data collection field as described in Globally
Hiding/Displaying Change Details (page 502).
Number of allowed Enter the permitted number of different RSA keys received from this device IP address.
encryption keys Different RSA keys may be sent from the same IP address in cases of cluster fail-over,
device operating system upgrades, etc.
Log Collection and
Monitoring
181

following:
Syslog-ng server If desired, you can configure the device to collect logs from a syslog-ng server. For
information on how to do this, see Adding a Juniper SRX (page 178).
(page 112).
processed.
Adding Adding Additional Device Identifiers Manually (page 222).
Log collection frequency Select the interval of time in minutes, in which AFA should collect logs for the device.
Options
Juniper SRX Manual Data Collection

1 Log into the SRX firewall using SSH (or Telnet), and log the session to a file.
cli
show configuration
(when dynamic routing is used:
show route extensive all)
show configuration groups junos-defaults applications
exit
Microsoft Word.
182
4 Replace the line:

root@srx_firewall> show configuration
with:
=== show configuration ===
5 Replace the line (only needed if dynamic routing is used):
root@srx_firewall> show route extensive all
with:
=== show route extensive all ===
6 Replace the line:
root@srx_firewall> show configuration groups junos-defaults applications
with:
=== show configuration groups junos-defaults applications ===
7 Save the file with .srx file type.
Adding a Juniper Netscreen

 To collect data from a Juniper Netscreen
2 Click New and select Devices.
3 Choose Juniper - Netscreen.
4 Click Next.
183
New fields appear.
5 Complete the fields using the relevant information in Juniper Netscreen Properties Fields (page 186).
Server (page 177).
184
1. Click New.
3. Click OK.
Server (page 112).
 To edit an existing syslog-ng server, do the following:
3. Click OK.
7 Click Finish.
The new Juniper Netscreen device is added to the device tree.
2. Click OK.
185
b) Click OK.
Juniper Netscreen Properties Fields

Access Information
Note: AlgoSec requires using a "super-user" user account on the device.
Compliance
Compliance Profile compliance profile to use.
Advanced Click the arrow next to the Advanced heading, to display the fields in this area.
Display virtual routers Select this option to analyze each virtual router separately. Each virtual router will appear
separately in the device tree.
window under the relevant device with the following syntax: <system_name>:<virtual
router_name>.
Note: This is required in the rare cases where there are no inter-vrouter routes to/from a
specific vrouter, thus there is an “isolated” vrouter.
the Netscreen. To do so, see Adminstration Options Settings (page 324), and configure
the Use public key authentication in data collection field as described in General/Admin
Options (page 325).
Firewall Log If you manage your Netscreen devices from the Netscreen Security Manager (NSM) then
AFA can collect the logs from the NSM. This will activate the unused rule analysis and
the Rule Reordering analysis in the Policy Optimization page (see Policy
Optimization-Devices in the AlgoSec Firewall Analyzer User Guide). To configure the
collection of logs from the NSM, complete the fields in this area.
Collect logs Specify whether AFA should collect logs for the device, by selecting one of the
following:
186

From Specify from where AFA should collect logs, by selecting one of the following:
 NSM. AFA should collect logs from the NSM.
 Syslog-ng. AFA should collect logs from a syslog-ng server.
The default value is NSM.
Note: If you choose Syslog-ng, you must specify a syslog-ng server to use, as described in
the procedure for adding a device. If you choose NSM, you must complete the NSM Dev
server, SSH User Name, and SSH Password fields described in the continuation of this
table.
NSM Dev server Type the NSM host name or IP address.
This field only appears if you selected NSM in the From field.
User Name Type the user name for connecting to the NSM.
Password Type the password for connecting to the NSM.
Test Connectivity Click this button to test connectivity to the defined NSM server.
A message informs you whether AFA connected to the NSM server successfully.
Collect audit logs from the Select this option to specify that AFA should collect audit logs in addition to traffic logs.
same server
processed.
This field only appears if you selected Syslog-ng in the From field.
Options
187
Juniper Netscreen Semi-Automatic Data Collection

You can use the Juniper Netscreen Web interface to collect a Netscreen configuration file manually, and
then use the configuration file to generate device reports. Such reports contain all of the information
described in Device Report Pages (see the AlgoSec Firewall Analyzer User Guide), except for optimization
information that is based on log analysis, such as Unused/Most used/Least used rules, Rule reordering
optimization, Unused objects, and Unused objects within rules. In order to generate reports that contain
log-based optimization information as well, you must use the nsm_log_collect script to collect device
logs.
1 Use your browser to connect to the Netscreen device, and using the navigation bar on the left select
Configuration à Update à Config File
2 Click Save To File.
3 When prompted, save the file with an extension of ".nsc", such as "myNetscreen.nsc".
a) Copy the nsm_log_collect script to the relevant NSM server.
nsm_log_collect. Runs the script and prompts you for all fields.
nsm_log_collect <profile>. Runs the script and collects logs using the information in the specified
nsm_log_collect -l. Runs the script, prompts you to select a profile from a list of available profiles,
102).
Note: You can view help information for the script, by entering the command nsm_log_collect -h.
188
c) Add both the log archive file and the Netscreen device's configuration file to a new archive file (zip
or tar).
 If you only collected the Netscreen configuration file, copy the *.nsc file to the AFA machine.
 If you collected device logs, copy the archive file you created (containing both the log archive file
and the configuration file) to the AFA machine.
You can now generate reports for the device. See Manually Generating AlgoSec Firewall Analyzer Reports
in the AlgoSec Firewall Analyzer User Guide.
Juniper Netscreen Manual Data Collection

1 Login to the Netscreen device using SSH and log the session to a file.
get system | include Software
get system | include System
get config
get service pre-defined
(when analyzing vsys:
vsys vsys_name)
get route
exit
3 Edit the file with the session recording. Use a text editor such as ‘vi’, 'Notepad' or 'WordPad', but not
Microsoft Word.
4 Replace the following line:
Firewall_name-> get system | include Software
with:
===== NETSCREEN VERSION =====
Firewall_name-> get system | include System
with:
===== SYSTEM MODE =====
Firewall_name-> get config
with:
===== get config =====
Firewall_name-> get service pre-defined
with:
===== get service pre-defined =====
Firewall_name-> get route
with:
===== get route =====
189
9 Replace the following line (only when analyzing vsys):

Firewall_name-> enter vsys vsys_name
with:
===== enter vsys vsys_name =====
10 Save the file with .nsc file type.
Adding a Juniper M/E Router

Support for virtual-routing and VRF routers includes policy analysis for VR reports, and change monitoring,
policy analysis, and baseline configuration for LSYS and Juniper device group reports.
Note: Packet filtering is not supported.
 To collect data from a Juniper M/E Router

2 Click New and select Devices.
3 Select Juniper M/E Routers.
4 Click Next.
190
New fields appear.
5 Complete the fields using the relevant information in Juniper M/E Router Property Fields (page 192).
6 Click Finish.
The new Juniper M/E Router device is added to the device tree.
2. Click OK.
b) Click OK.
191
Juniper M/E Router Property Fields

Juniper M/E Router Properties Fields

Access Information
Note: AlgoSec requires using a "super-user" user account on the device.
Compliance
Compliance Profile compliance profile to use.
the Netscreen. To do so, see Adminstration Options Settings (page 324), and configure
the Use public key authentication in data collection field as described in General/Admin
Options (page 325).
Number of allowed Select the permitted number of different RSA keys received from this device IP address.
encryption keys Different RSA keys might be sent from the same IP address in cases of cluster fail-over,
device operating system upgrades, etc.
Options
Juniper M/E Router Manual Data Collection

1 Log into the Juniper Router using SSH, and log the session to a file: ssh user@host | tee -ia file_name
cli
192
set cli logical-system <logical-system name>

show configuration | display inheritance | no-more
show route active-path all | no-more
clear cli logical-system
show version | no-more
exit
exit
3 Edit the file with the session recording. Use a text editor such as 'vi', 'Notepad' or 'WordPad', but not
Microsoft Word.
4 Replace the line:
[prompt]> show configuration | display inheritance | no-more
with:
=== show configuration | display inheritance | no-more ===
5 Replace the line:
[prompt]> show version | no-more
with:
=== show version | no-more ===
6 Replace the line:
root@srx_firewall> show configuration groups junos-defaults applications
with:
=== show configuration groups junos-defaults applications ===
7 Save the file with .junosmxrouter file type.
Adding a Palo Alto Networks Panorama
 To collect data from a Palo Alto Networks Panorama

3 Choose Palo Alto Networks - Panorama.
4 Click Next.
193
New fields appear.
194
After configuring the above fields click Next.

These additional fields are displayed.
Palo Alto Networks Panorama Properties Fields

Access Information
User name Type the administrative user name to use for SSH access to the device.
If the device is managed by Panorama and Panorama is used to push all or part of the
device's configuration, you must specify a user name of the Superuser type.
In contrast, if the device is either not managed by Panorama, or it is managed by
Panorama but no configuration is pushed from Panorama towards the device, then you
can specify a user name of any of the following types: Superuser, Superuser (Read Only),
Device Admin, or Device Admin (Read-Only).
High Availability Select this option to configure High Availability.
You must complete the Secondary field.
Secondary Panorama Type the secondary device.
195

ActiveChange
Enable ActiveChange Select this to enable ActiveChange.
Log Collection and If desired, you can configure the device to collect logs from a syslog-ng server.
Monitoring If you define a new syslog-ng server, then after you have finished adding the device, you
(page 112).
syslog-ng server Select the syslog-ng server from the drop-down list. Edit, New.
processed.
Host Name Select the host name(s).

Log Collection Method Specify whether AFA should collect logs for the device, by selecting one of the
following:
Direct access to managed Here you configure direct access to the managed devices in order to generate baseline
devices configuration compliance reports. Click Configure to add access credentials to the
managed devices and select the Baseline Profile to enable Baseline Configuration
Compliance analysis.
Options
196
Adding a Palo Alto Networks Firewall
 To collect data from a Palo Alto Networks Firewall

3 Choose Palo Alto Networks.
4 Click Next.
New fields appear.
5 Complete the fields using the relevant information in Palo Alto Networks Properties Fields (page 199).
197
1. Click New.
3. Click OK.
Server (page 112).

3. Click OK.
7 Click Finish.
198

2. Click OK.
b) Click OK.
Palo Alto Networks Properties Fields

Access Information
User Name Type the administrative user name to use for SSH access to the device.
If the device is managed by Panorama and Panorama is used to push all or part of the
device's configuration, you must provide a user of the Superuser type.
If the device is either not managed by Panorama, or it is managed by Panorama but
no configuration is pushed from Panorama towards the device, then you can specify
a user name of any of the following types: Superuser, Superuser (Read Only), Device
Admin, or Device Admin (Read-Only).
Compliance
Server (page 112).
199

following:
None. Do not collect logs.
Standard. Enable log collection.
Extensive. Enable log collection and the Intelligent Policy Tuner.
"1.1.1.1:2.2.2.2:ServerName".
Options
Palo Alto Networks Firewall Manual Data Collection
1 Log into the Palo Alto firewall using SSH (or Telnet), and log the session to a file.
set cli pager off
show config running
configure
show predefined
exit
show config pushed (Please see the note that follows regarding this command.)
show system info
show routing fib
exit
200
Note: The show config pushed command is required only when using Panorama to manage the device.
Issuing this command requires super-user privileges on the Palo Alto Networks device. If Panorama is
not used, this command should be omitted.
If the Palo Alto device is version 5 or above, replace this command with:
show config pushed-shared-policy
If the analysis you want to perform is on a Palo Alto vsys configuration enter one of the following
commands:
show config pushed vsys, if the version is under 5.0 or
show config pushed-shared-policy vsys, if the version is 5.0 or above.
where vsys is the internal name (e.g., "vsys1" rather than "Georgia_vsys").
Microsoft Word.
4 Replace the line:
admin@PA-2020# show config running
with:
=== show config running ===
5 Replace the line:
admin@PA-2020# show predefined
with:
=== show predefined ===
6 Replace the line:
admin@PA-2020# show config pushed (Or the alternatives as specified above)
with:
=== show config pushed ===
7 Replace the line:
admin@PA-2020> show system info
with:
=== show system info ===
8 Replace the line:
admin@PA-2020> show routing fib
with:
=== show routing fib ===
9 Save the file with .paloalto file type.
201
Adding a VMWare NSX Distributed Firewall
 To collect data from a VMWare NSX Distributed Firewall

3 Choose VMWare NSX.
4 Click Next.
New fields appear.
VMWare NSX Distributed Firewall Properties Fields

Access Information
Host Type the host name or route name of the device. This is the name that will be displayed in
the devices tree.
User Name Type the user name to use for REST access to the device.
See Device User Permission Requirements (page 227).
Password Type the password to use for REST access to the device.
202

Learning mode Select this check box to specify that AFA traffic simulation should act as if the default
behavior is to block all traffic that is not explicitly permitted by the device's policy.
In reality, the default behavior for NSX devices is to allow all the traffic that is not
explicitly blocked. Simulating non-explicitly-permitted traffic as blocked will allow
users to better understand the policy they need to put in place before adding a wide
blocking rule to their policy.
Options
Adding an Amazon Web Services (AWS)

AFA supports AWS by separating instances into groups called "containers". A container is a group of
instances with the exact same security group(s) and network ACLs applied to them. Therefore, every
instance in a container has identical security policies. In the device tree, AWS has a three tier hierarchy: user
account, region/VPC, and then container.
 To collect data from an AWS device
2 Click New, and then click Device.
3 Choose Amazon Web Services (AWS).
4 Click Next.
203
New fields appear.
5 Complete the fields using the relevant information in AWS Properties Fields (page 205).
6 Click Finish.
AFA imports all EC2 instances from all AWS regions related to the specified AWS access key ID
(account). The AWS appears in the device tree.
Note: AFA supports AWS by separating instances into groups called "containers". A container is a
group of instances with the exact same security group(s) and network ACLs applied to them. Therefore,
every instance in a container has identical security policies. In the device tree, AWS has a three tier
hierarchy: user account, region/VPC, and then container.
7 If you selected Set user permissions, the Edit users dialog box appears.
204

2. Click OK.
b) Click OK.
AWS Properties Fields

Access Information
Type Amazon Web Services (AWS).
Host Type the host name or route name of the device. This is the name that will be
displayed in the devices tree.
Central Manager is the only choice.
AWS Access Key ID Type the key supplied by Amazon.
Note: You must use credentials with full visibility.
AWS Secret Access Key Type the key supplied by Amazon.
Proxy
Set Proxy Server Click this button to configure a proxy server for connecting to all cloud devices
(AWS and Azure) defined in AFA. See Proxy (page 330).
Options
Adding a Blue Coat Device

 To collect data from a Blue Coat device
3 Choose Blue Coat.
4 Click Next.
205
New fields appear.
5 Complete the fields using the relevant information in Blue Coat Properties Fields (page 207).
6 Click Finish.
206
2. Click OK.
b) Click OK.
Blue Coat Properties Fields

Access Information
Supported Capabilities Displays a list of supported device capabilities.
This field is relevant when a Geographic Distribution architecture is configured.
Compliance
The drop-down list includes all baseline compliance profiles in the system. For
more information on baseline compliance profiles and instructions for adding new
Enable password Type the password for switching to enabled mode.
207

Note: For Juniper Secure Access devices, the only available option is SSH-DMI.
For F5 BIG-IP LTM®, the only available option is SSH.
Policy Configuration Method Choose the method of policy configuration. The following options are available:
 Visual Policy Manager – VPM. The device policy is configured via the Visual
Policy Manager (VPM) only.
 Content Policy Language – CPL (Command-Line). The device policy is
configured via both the command line (CPL) and the Visual Policy Manager
(VPM).
Options
Blue Coat SGOS Manual Data Collection

1 Log into the BlueCoat SGOS device using SSH, enter enable mode and log the session to a file.
show appliance-name
show version
show interface all
show configuration noprompts
configure
content-filter
categories
exit
exit
Microsoft Word.
4 Replace the line:
admin@SGOS> show appliance-name
with:
=== show appliance-name ===
5 Replace the line:
admin@SGOS> show version
with:
=== show version ===
208
6 Replace the line:

admin@SGOS> show interface all
with:
=== show interface all ===
7 Replace the line:
admin@SGOS> show configuration noprompts
with:
=== show configuration noprompts ===
8 Save the file with .bluecoat file type.
Adding Monitoring Devices

This procedure can be used to add the following supported monitoring devices:
 Cisco ACE
 DELL SonicWALL
 F5 BIG-IP AFM™
 HP H3C Routers
 Juniper Secure Access (SSL VPN)
 Juniper (non-M/E) Routers
 Linux netfilter iptables devices
 Microsoft Azure
 SECUI MF2
 Topsec Firewall
 WatchGuard
 Avaya – Routing Switch
 Brocade VDX
 Blue Coat Proxy Server and Web Filter
 To collect data from a monitoring device
3 Select the desired device type from the devices listed in the Monitoring area.
4 Click Next.
209
New fields appear.
5 For Microsoft Azure, complete the fields using relevant information in Microsoft Azure Properties
Fields (page 212). For all other devices, complete the fields using relevant information in Device
Properties Fields (page 211).
6 Click Finish.
210

2. Click OK.
b) Click OK.
Note: To add a Microsoft Azure device, see Adding a Microsoft Azure (page 212).
Device Properties Fields

Access Information
Supported Capabilities Displays a list of device capabilities.
This field is read-only and only appears for some devices.
Compliance
SNMP Polling
SNMP Version Select the SNMP version from the drop-down list.
SNMP community Type the SNMP community string.
This field only appears for Juniper Secure Access, Topsec Firewall, WatchGuard,
and Linux netfilter - iptables devices.
Remote Management Choose the method of data collection: SSH or Telnet or select Custom Port and enter
Capabilities the port number.
keys address. Different RSA keys may be sent from the same IP address in cases of cluster
211
Options
Microsoft Azure AEF Device Properties Fields

Access Information
This field is read-only and only appears for some devices.
Name Type the host name or IP address of the device.
Subscription ID Type the subscription ID of the Azure account.
Tenant ID Type the ID of the Active Directory Application.
See more information on the Microsoft Azure website
https://azure.microsoft.com/en-us/documentation/articles/resource-group-create-
service-principal-portal/.
Client ID Type the application Client ID.
Key Type the application key.
Proxy
Set Proxy Server Click this button to configure a proxy server for connecting to all cloud devices
(AWS and Azure) defined in AFA. See Proxy (page 330).
Options
Adding a Microsoft Azure
 To collect data from a Microsoft Azure AEF monitoring device

1 Create an Active Directory Application
a) Open a terminal and log in using the username "afa" and the related password.
b) Access a Microsoft Azure account.
212
c) Select Active Directory from the left pane.
d) Select the Active Directory you want to use for creating the new application.
Note: If you have more than one Active Directory, you usually want to create the application in the
directory where your subscription resides. You can only grant access to resource in your
subscription for applications in the same directory as your subscription.
e) If you need to find the directory for your subscription, select Settings and look for the directory
name.
f) To view the applications in your directory, click the Applications tab.
g) If you haven’t created an application in that directory before you should see something similar to
following image.
h) Do one of the following:

 Click Add An Application.
 Click Add in the bottom pane.
i) Select the type of application you would like to create.
j) Type a name for the application in the Name field.
k) In the Type field, select Web Application and/or Web API.
l) Fill in the properties for your application:
 For Sign-On URL, provide the URI to a website that described your application.
The existence of the website is not validated.
 For App ID URI, provide the URI that identifies your application.
2 Create service principal. See Creating service principal with a portal
(https://azure.microsoft.com/en-us/documentation/articles/resource-group-create-service-principal-
portal/#assign-application-to-role).
213
Note: AFA collects monitoring data via REST using the Azure Resource Manager REST APIs. The
monitoring data collected pertains only to the application added for the given resources.
Adding a Routing Element

A Routing Element is a generic device which performs SNMPv1, SNMPv2 and SNMPv3 connections for
retrieving routing tables, without collecting configurations.
Notes: The supported MIB is RFC-1213, and the OID we look for from the device is ipRouteEntry (object
identifier: 1.3.6.1.2.1.4.21.1).
Advanced routing data (such as VRF indication) is usually not available via the standard SNMP MIB (RFC
1213) and therefore is not supported for Routing Elements.
If you wish to define a Cisco router (IOS, Nexus, etc.) to AFA, you should use one of the other available
manners of definition (full access via SSH/telnet or the semi-automatic data collection).
 To collect data from a routing element

3 Choose Routing Element.
4 Click Next.
New fields appear.
5 Complete the fields using the relevant information in Routing Element Properties Fields (page 215).
214
6 Click Finish.
The device is added to AFA.
2. Click OK.
b) Click OK.
Routing Element Properties Fields

Access Information
SNMP community Type the SNMP community string.
Options
Update Network Map upon Select this option to enable automatically updating the graphoc network map upon
routing change routing changes.
215
Setting Up Analysis from a File
Note: Keep in mind that offline file-based analysis is done on a configuration specific for the given moment
of collection and does not allow you real time change monitoring. It will not allow for monitoring of the
identity of the person making the changes. As specified before, the recommended and standard method is an
online definition of the device.
Analysis from file is meant to support a number of deployment scenarios. In some cases, the files are
collected from production for lab use , in other cases, the firewall team may not have direct access to some
devices (especially non-firewalls). In other cases the organization may already have a tool maintaining the
backup of all files such as BMC BNA, HP or EMC Ionix. In all these cases, AlgoSec can work with offline
files collected manually or collected by those 3rd party systems. One other thing that will not be achievable
is pushing a policy back to those devices, upon change request. Therefore, whenever possible, it is
preferable to connect directly to the devices or to their vendor-provided management system so that full
functionality can be supported. If desired, you can set up AFA to analyze a device directly from a file. The
device will thereafter remain listed in the Devices tab.
 To set up analysis from a file
3 Choose Analyze from a File.
4 Click Next.
New fields appear.
5 Complete the fields using the relevant information in Analysis from File Fields (page 217).
6 Click Finish.
216
2. Click OK.
b) Click OK.
Analysis from File Fields

Access Information
Name Type the name for the analysis job.
File Specify which file to analyze, by choosing one of the following:
 Upload new. Choose this option to upload a file from your computer, then use the
Browse button to browse to the desired file.
Note: When uploading a new file, the file's size must not exceed 20 MB. For a
larger file, copy it to /home/afa/algosec/fwfiles, and then use the
Existing on server option.
 Existing on server. Choose this option to select a file that has already been
uploaded to AFA under /home/afa/algosec/fwfiles, then select the
desired file from the drop-down list.
Options
Adding Support for Generic Devices to AFA

It is possible to add devices to the AlgoSec Security Management Suite that are not currently supported by
AlgSec. Unsupported devices can be analyzed using a static configuration file, a JSON file which represents
the device.
To add and analyze an unsupported device using a static configuration file, follow the procedure in Enabling
Support for a Generic Device Using a Static Configuration File:
 Create a JSON file which contains the necessary device configuration items. See Creating the JSON
File (page 382).
217
 Upload the device information to AlgoSec Firewall Analyzer using the JSON file.
Note: In order to update the device in AlgoSec Firewall Analyzer, you need to create and upload a new file.
Supported Device Types

Currently AlgoSec Firewall Analyzer supports generic devices of the following types:
 Policy-Based. One set of rules per device across all of its interfaces. For example, Check Point devices.
 Host-Based. Device policy refers to the host itself (source or destination is "Me"). For example, Amazon
AWS devices.
 Interface-based. One set of rules per interface. For example, Cisco devices
 Zone-Based. Each policy rule is attached to <source zone/interface, destination zone/interface>. For
example, Fortinet devices managed by FortiManager.
Note: VPN configuration is not supported.
218
Enabling Support for a Generic Device

The following procedure describes how to analyze a generic device from a static configuration file. The new
device will then be available for all of the standard AlgoSec functions.
 To enable the analysis and support for the new device:

1 Manually collect the relevant data from the target device.
2 Manually create a JSON file based on the data collected from the device.
The JSON file structure and content must conform to the AlgoSec-defined JSON file described in
Creating the JSON File (page 382).
3 Log in to AFA as an Administrator.
See Accessing Devices Setup (page 57) in the AlgoSec Firewall Analyzer Administrator Guide.
219
A list of devices appears.
6 In the Select a device type section, select Analyze from a File.

7 Click Next.
220
New fields appear.
8 In the Access Information section, under File, select Upload new.

9 Click Browse.
10 In the Open dialog box, select the JSON file for the new device, and click Open.
11 Go to the main Firewall Analyzer screen.
12 In the Devices list, select the new device, and click Analyze.
221
The Analyze dialog box opens.
13 Click Start Analysis.

When the analysis is complete, the device information is available to the system.
Adding Additional Device Identifiers Manually

In order for AFA to process device logs, it must receive the logs with a device identifier that it recognizes. If
the device is represented by multiple or non-standard device identifiers in the logs, e.g., firewall clusters or
non-standard logging settings, you must configure any additional device identifiers.
You can configure additional device identifiers for the following devices: Cisco CSM, Cisco
PIX/ASA/FWSM, Fortinet FortiGate, Juniper Netscreen, Juniper SRX, Forecpoint (McAfee) Sidewinder,
Forcepoint (McAfee) Security Management Center, Palo Alto Networks-Panorama, Palo Alto Networks,
and F5 BIG-IP LTM®.
Configure additional device identifiers when defining individual devices in AFA. See Adding Devices (page
59). Configure the Additional firewall identifiers properties field as instructed.
Note: This functionality is available for devices sending logs to Syslog only.
Note: This functionality is not available for sub-systems (VSYS, VDOM, etc.). Manually set this parameter
in fwa.meta of the relevant sub-system (.fa/firewalls/<VSYS name>/fwa.meta).
222
Renaming Devices
 To rename a device
2 Select the desired device.
3 Click Rename.
The Rename firewall dialog box appears.
4 In the Firewall name field, modify the device name as desired.

5 Click OK.
6 Click OK.
Editing Data Collection Definitions

Note: It is possible to update devices from a CSV file. See Importing and Updating Devices from a CSV
File (page 377).
 To edit data collection definitions for a device

3 Click Edit.
The device's details and data collection definitions appear.
4 Edit the details and definitions as desired.
5 Click Finish.
6 Click OK.
Setting User Permissions

 To set user permissions for a device
223

3 Click Permissions.
4 The Edit users dialog box appears.
5 Select the users who should have access to the reports produced for this device.
6 Click OK.
7 Click OK.
Deleting Devices
 To delete a device
3 Click Delete.
4 Click OK.
5 Click OK.
Updating the Passwords for Multiple Devices

You have the option of simultaneously updating the password of multiple devices.
 To bulk update passwords
2 Click the Bulk Password Update link.
224
3 The Bulk Update Passwords dialog box appears.
4 Select the devices whose password you want to update.

You can search for devices by typing the name of each device into the text box. You can browse the list
by clicking Previous or Next below the list. Additionally, you can see more devices on the same page by
expanding the size of the dialog box by pulling the bottom corner. You can filter the devices by Device,
Brand and Group by clicking beside the column title.
To update the password of every device, select the check box at the left of the header. Note that this
includes all the devices on all the pages.
For more information about bulk updating password, click .

The devices appear in the text box.
5 In the New password field, type the new password.
6 To get additional permissions for Cisco devices, select the Enable user password (Cisco Only) check box
and type in another password.
7 Click to update.
The Confirm Password dialog box appears.
8 Confirm the password by typing it again in the Confirm new password field.
9 If relevant, confirm the enable user password for Cisco devices by typing the password in the Confirm
enable user password field.
10 Click .
225
The password is updated for all the specified devices.
226
Device User Permission Requirements

The following device brands require the specified user permissions for AFA support. Some permissions are
only required for specific AFA features.
Note: AFA supports baseline configuration compliance functionality for several of the device brands
specified above. When using this functionality, AFA connects via SSH to the modules directly. The required
permissions depend on the profile used (AFA will need permission to read/execute all commands listed in
the baseline configuration profile).
Device Brand Required User Permissions Comments
227
Check Point You can define either data collection or log For retrieving routing data from
collection via SSH or OPSEC. For versions R80 Edge devices, SNMP or SSH access
and higher, you must also define data collection is required.
via REST. See below.
Further details, see here
 OPSEC. You must define OPSEC (https://portal.algosec.com/en/supp
application with read-only permissions for ort/kb_local?arID= 195).
the CPMI and LEA protocols.
The OPSEC requirements are specified in
Enabling Data Collection for Check Point
Devices (page 80).
If using ActiveChange, CPMI write
permissions are required as well.
 SSH. User must have SSH access to the
relevant management and log devices (PV-1,
CMA, SmartCenter, external log server,
CLM etc.).
For SecurePlatform (SPLAT), user must be
allowed to switch to "expert" mode.
For Solaris/RHEL/IPSO, user must be "root"
user.
You can also use public key authentication
(https://portal.algosec.com/en/support/kb_l
ocal?arID=144).
 Read permissions. AFA requires read
permissions on the domain folders
($FWDIR/conf, $FWDIR/log etc.).
 Write permissions. AFA writes a
package containing the required
configuration in /tmp or /var/tmp, based
on the device platform (SP, Solaris etc.).
AFA also requires write permissions in
the $FWDIR/conf folder for temporary
files related to log collection.
 Execution. AFA runs several commands
on the management device, specifically
'fwm logexport', for logs and 'cpstat'- for
routing.
 In R80, data collection is done both by
SSH/OPSEC and REST.
The customer should provide user with
permissions to connect via SSH/OPSEC as
above(as previously to R80).
In addition the AFA server should have
permissions to execute REST calls to the
Security Management Server.
See Enabling REST Calls to the Security
Management Server (page 96).
228
Cisco User requires permission to go into privileged There is a mitigation to this

PIX/ASA/FWSM mode, using "enable" (security level 15). requirement, allowing the user to be
in security level 5. See here
In order to be able to automatically implement
(https://portal.algosec.com/en/supp
changes on the device with ActiveChange,
ort/kb_local?arID=35).
read-write permissions are required.
If ActiveChange is being used, this
mitigation is not applicable.
Cisco Firewalls Requires enabling the CSM API service. To achieve this, on the CSM
via CSM management application, click Tools
> Security Manager Administration >
API.
Check the Enable API Service
setting.
Cisco IOS User requires the ability to go into privileged There is a mitigation to this
mode (using "enable"). requirement, allowing the user to
have read only permissions and use
the special ‘show running-config
view full’ command. See here
Cisco Nexus User requires permission to run the following User requires permission to view all
commands: VDCs for Nexus 7000 and above.
 show version
 show interface
 show ip interface
 show vrf interface
 show vdc membership (relevant only for
nexus 7000 and above)
 show ip access-list
 show running-config
 show ip route
Juniper Netscreen User requires read only permissions.
229
Juniper SRX User must have the super-user login class. SRX allows 4 types of user login
classes: super-user, operator,
In order to be able to automatically implement
read-only and unauthorized. Only
changes on the device with ActiveChange,
"super-user" works properly in
read-write permissions are required.
AFA. All of the other login classes
will result in "ACCESS-DENIED"
results for the data collection
commands AFA runs.
There is a mitigation to this
requirement, allowing the user to be
in a login-class that is not
super-user. If ActiveChange is
being used, this mitigation is not
applicable. See here
Juniper NSM For data collection (via SOAP, from the NSM For retrieving dynamic routing data
GUI server), the user requires the read only from the devices the NSM manages,
System Administrator admin role. SNMP access is required. See here
For log collection, if log collection is done from
the NSM (from its DEV server), the user must be
the "root" user or a different user. If using a For more details on the
different user, you must deploy the install_nsm_sudo script, see here
install_nsm_sudo script on the NSM DEV server (https://portal.algosec.com/en/supp
which is designated to change only a minimal set ort/kb_local?arID=37).
of folder permissions.
Juniper Space The configured user must have one of the

following user roles:
 Super Administrator
 Device Manager
 A custom created read-only role
For details on how to create this role, see
here
(https://portal.algosec.com/en/support/kb_l
ocal?arID=278).
Additionally, the user must have the "API
Access" option enabled.
230
Juniper M/E User must have the super-user login class. Juniper allows 4 types of user
Routers login-class: super-user, operator,
read-only and unauthorized.
Only "super-user" works properly in
AFA. All of the other login classes
will result in "ACCESS-DENIED"
results for the data collection
commands AFA runs.
There is a mitigation to this
requirement, allowing the user to be
in login-class which is not
super-user. See here
(https://sites.google.com/a/algosec.
com/kbg/home/external-vendors/ju
niper/juniper-router/how-to-config
ure-a-juniper-router-read-only-use
r-with-permissions-required-for-af
a-data-collection).
Fortinet Fortigate Read only permissions are sufficient.

Specifically, in the FortiGate administration
"Admin Profile" configuration, the "Access
Control" must be at least "read-only".
If device configuration consists of VDOMs, the
user must be configured with "set scope global"
(AFA doesn't support users configured with 'set
scope vdom').
Note: When a Fortigate device is defined directly
in AFA, AFA does not support using a user
which is defined only on the FortiManager that
manages the Fortigate device.
Fortinet Read only permissions are sufficient.

FortiManager
Palo Alto User must be one of the following: AFA supports (directly) analyzing
Networks PaloAlto devices managed by
 Superuser with read only permissions
Panorama.
 Device Admin
 Device Admin with read only permissions Limitation: User permissions for
managed PA devices must be
SuperUser-read/write or
Admin-read/write, due to a PaloAlto
bug (standalone PA devices can still
use read-only permissions). This
bug was solved in version 4.1.7.
231
Forcepoint User must be an all domains user. Read Only

(McAfee) permissions are sufficient.
Security
Management
Center
Forcepoint Read only permissions are sufficient.

(McAfee)
SideWinder
F5 BIG-IP User must have one of the following roles: For further details, see here
AFM™ (https://support.f5.com/kb/en-us/pr
 Administrator
(monitoring-only oducts/big-ip_ltm/manuals/product
support)  Resource Administrator /tmos_management_guide_10_1/t
 Guest mos_users.html#1023762).
User shell must be configured as "Advanced For retrieving routing data from the
Shell" device, SNMP access is required.
See here
F5 BIG-IP User Role: can be all types. For further details, see here
LTM® (full User Partition: must be "All". (http://support.f5.com/kb/en-us/pro
support) Terminal Access: must be "tmsh" or "Advanced ducts/big-ip_ltm/manuals/product/t
shell". mos_management_guide_10_1/tm
os_users.html#1023762).
BlueCoat SGOS The user must be able to enter “enable” mode. For retrieving routing data from the
device, SNMP access is required.
For further details, see here
(https://sites.google.com/a/algosec.
com/kbg/home/algosec-products/af
a/older-versions/aef/aef-routing-ta
ble-retrieval-via-snmp) and here
(https://docs.google.com/a/algosec.
com/viewer?a=v&pid=sites&srcid=
YWxnb3NlYy5jb218a2JnfGd4OjZi
M2EzZTZkNTExNjFjZg).
232
WatchGuard Read Only permissions are sufficient. AEF support + routing based on
SNMP.
For default usernames and
passwords see here
For further SNMP details, see here
TopSec For further SNMP details, see here

Panorama In Admin Role Profile choose in the XML API

tab:
Configuration
Operational Requests
Export
VMware NSX The IP should be the NSX Manager IP. When adding a NSX device to AFA
The user must be either a NSX Manager user or a with vCenter permissions (both
vCenter user. Read Only permissions are admin and read only), some data will
sufficient. be missing device version, device
host name and NSX Manager.
AWS security AmazonEC2ReadOnly Use credentials with full visibility.

groups
233
CHAPTER 5
Managing Device Groups and Matrices

In This Chapter
Groups Overview .................................................................................................................................234
Matrices Overview ...............................................................................................................................237
Disaster Recovery (DR) Sets Overview ...............................................................................................241
This section describes how to configure Device Groups, Matrices and Disaster Recover (DR) groups.
Groups Overview
A group is a set of devices, in which no information about the relationships between the member devices is
provided, or when the devices are not connected in a tiered network. AFA allows you to quickly define a
group and configure parameters for analyzing the member devices. You can then do the following:
 Schedule an analysis of all the devices in a group at once.
 Produce an additional high-level report that aggregates the reports of all the member devices, so that you
have a bird's-eye view of your group-wide risk exposure.
For information on defining sets of devices, in which information about the relationships between the
member devices is provided, see Matrices Overview (page 237).
In addition to user-defined groups, AFA includes a built-in group called ALL_FIREWALLS. This group
consists of all devices in the system, and you can generate reports for it. You cannot edit or delete this group.
Note: In a distributed system, groups may contain devices that are managed by different remote agents. See
Adding Groups
 To add a group
2 Click New, then click Group.
234
Chapter 5 Managing Device Groups and Matrices
The Create a New Group dialog box appears.
3 In the Name field, type the name of the new group.

4 Select the devices that you want to add to the group.
You can search for devices by typing the name of each device into the search box.
You can browse the list by clicking Previous or Next below the list. Additionally, you can see more
devices on the same page by expanding the size of the dialog box by pulling the bottom corner. You can
filter the devices by Device, Brand and Group by clicking beside the column title.
For more information about creating a new group, click in the dialog box.
The devices appear in the Members box.
5 To remove members from the group, clear the device's check box.
The device is removed from the Members box.
Note: A group must include at least two members.
6 Click Create.
7 Click OK.
Editing Groups
 To edit a group
2 Select the desired group and click Edit.
235
The Edit Groups dialog box appears.
3 Add or remove members from the group, by doing the following:

 Add a member to the group by selecting the device's check box.
 Remove a member from the group, by clearing the device's check box.
4 Click Update.
5 Click OK.
Renaming Groups
 To rename a group
2 Select the desired group from the tree and click Rename.
The Rename group dialog box appears.
3 In the Group name field, change the group name.

4 Click OK.
236
5 Click OK.
Deleting Groups
 To delete a group
2 Select the desired group and click Delete.
3 Click OK.
4 Click OK.
The group is deleted.
Matrices Overview
A matrix is a set of devices, in which information about each device member's position in the network
hierarchy is provided.
When you create a matrix, AFA uses a special algorithm to calculate the relationships between the members.
If desired, you can override the results and edit the topology information.
237
Note: In a distributed system, matrices may contain devices that are managed by different remote agents. See
When a report is generated for the matrix, AFA analyzes the devices' multi-tiered network topology and
enables you to do the following:
 View a network diagram of the device members' topology, including the connections between them.
 View risks associated with traffic that is allowed across all devices in the matrix.
 Run a traffic simulation query on the generated matrix analysis report.
Adding Matrices
 To add a matrix
2 Click New, then click Matrix.
The Create a New Matrix dialog box appears.
3 In the Name field, type the name of the new matrix.

4 Select the devices that you want to add to the matrix.
You can search for devices by typing the name of each device into the search box.
You can browse the list by clicking Previous or Next below the list. Additionally, you can see more
devices on the same page by expanding the size of the dialog box by pulling the bottom corner. You can
filter the devices by Device, Brand and Group by clicking beside the column title.
For more information about creating a new matrix, click in the dialog box.
The devices appear in the Members box.
5 To remove members from the matrix, clear the device's check box.
238
The device is removed from the Members box.

Note: A matrix must include at least two members.
6 Click Create.
A message box appears asking whether you want to customize the matrix settings.
 To customize the matrix's topology at a later time, click No.
 To customize the matrix's topology now, do the following:
1. Click Yes.
The Customize Matrix Topology page appears, enabling you to edit all zones in the matrix's
multi-tiered topology.
2. Customize the matrix topology, as described in Customizing the Matrix Topology in the AlgoSec
3. Click OK.
Editing Matrices
 To edit a matrix
2 Select the desired matrix and click Edit.
239
The Edit Matrix dialog box appears.
3 Add or remove members from the matrix, by doing the following:

 Add a member to the matrix by selecting the device's check box.
 Remove a member from the matrix, by clearing the device's check box.
4 Click Update.
5 Click OK.
A message box appears asking whether you want to customize the matrix settings.
 To customize the matrix's topology at a later time, click No.
 To customize the matrix's topology now, do the following:
1. Click Yes.
The Customize Matrix Topology page appears, enabling you to edit all zones in the matrix's
multi-tiered topology.
2. Customize the matrix topology, as described in Customizing the Matrix Topology in the AlgoSec
3. Click OK.
Renaming Matrices
 To rename a matrix
240
2 Select the desired matrix and click Rename.

The Rename Matrix dialog box appears.
3 In the Matrix name field, modify the matrix name as desired.

4 Click OK.
5 Click OK.
Deleting Matrices
 To delete a matrix
2 Select the desired matrix and click Delete.
3 Click OK.
4 Click OK.
The matrix is deleted.
Disaster Recovery (DR) Sets Overview

From version 6.9, AFA supports defining pairs (or groups) of devices that are Disaster Recovery (DR) pairs,
so that whenever one of them is found in the path of a traffic simulation query, the others will automatically
be tested against the same traffic, ensuring they allow it as well. This capability significantly eases
troubleshooting and change management of DR (backup) device pairs that do not share the same policy.
Adding Disaster Recovery Sets


 To add DR groups
2 Click New then DR Set.
241
The Create a New DR Set dialog box appears.
The devices are displayed according to Device, Brand and Group. If there are many devices, you can
browse the list by clicking Previous or Next below the list. Alternatively, you can expand the size of the
dialog box by pulling the bottom corner, to see more devices on the same page.
You can filter the devices according to Device, Brand and Group by clicking beside the column
title.
Also, you can sort the columns (up/down).
You can search for a particular device by typing part of its name in the search box.
3 Type in the Name field the name of the new DR set (group).
4 Select the devices that you want to add to the DR set (group) by doing one of the following:
 Click the check boxes to the left of the desired devices.
 Type the name of each device directly in the search box.
For more information about creating a new DR set, click in the dialog box.
5 Click Create to create the new DR set (group).
Editing DR Sets
 To edit a DR group
2 Select the desired DR set and click Edit.
242
The Edit DR set dialog box appears.
See the description for Adding Disaster Recovery Sets (page 241) for more information about using this
dialog box.
Renaming DR Sets
 To rename a DR set
2 Select the desired DR set from the tree and click Rename.
The Rename Dr Set dialog box appears.
3 In the DR Set name field, modify the DR set name as desired.

4 Click OK.
5 Click OK.
243
Deleting DR Sets
 To delete a DR Set
2 Select the desired DR set from the tree and click Delete.
3 Click OK.
4 Click OK.
The DR set is deleted.
244
CHAPTER 6
Managing The Graphic Network Map

In This Chapter
Editing IP Ranges in Clouds ................................................................................................................245
Removing Devices ...............................................................................................................................246
Removing Device Interfaces ................................................................................................................247
This section describes advanced configuration changes supported in the graphic network map. This includes
the following:
 Editing IP Ranges in Clouds (page 245)
 Removing Devices (page 246)
 Removing Device Interfaces (page 247)
For all other graphic network map options, see the AlgoSec Firewall Analyzer User Guide, Modifying the
Graphic Network Map.
Editing IP Ranges in Clouds

You can add or remove the automatically generated IP ranges in clouds. Once implemented, any edits will
remain for future map calculations. Additionally, you can display a list of all current cloud edit entries and
disable edits that are no longer relevant.
Note: AFA supports adding or removing ranges from clouds, but not removing clouds.
 To edit IP Ranges in clouds

1 Open a terminal and log in using the username "afa" and the related password.
2 To add a range to a cloud, enter the following command:
fa_map -add CIDR -stub stub_router_IP -comment comment
where, CIDR is the CIDR you want to include, stub_router_IP is the IP address of the adjacent router,
and comment is a comment for the cloud edit entry (in quotations).
The comment parameter is optional.
Note: The input range must be in CIDR format.
The range is added to the cloud.
3 To remove a range from cloud(s),do one of the following:
 To remove a range from all clouds except for specific clouds, enter the following command:
fa_map -remove_from_all CIDR -except_stub stub_router_IP -comment comment
where, CIDR is the CIDR you want to exclude, stub_router_IP is the IP address of the adjacent
router for which you want to keep the CIDR, and comment is a comment for the cloud edit entry (in
quotations).
245
You can use the except_stub parameter multiple times to include the CIDR in multiple clouds, as in
the following example:
fa_map -remove_from_all 10.0.10.0/24 -except_stub 192.168.1.20 -except_stub
10.155.102.250 -comment "10.0.10.0/24 is only behind 192.168.1.20 and
10.155.102.250"
 To remove a range from a specific cloud, enter the following command:
fa_map -remove CIDR -stub stub_router_IP -comment comment
where, CIDR is the CIDR you want to exclude, stub_router_IP is the IP address of the adjacent
router, and comment is a comment for the cloud edit entry (in quotations).
Note: The comment parameter is optional.
Note: The input range must be in CIDR format.
The range is removed from the cloud.
4 To display a list of all currently configured cloud edit entries, enter the following command:
fa_map -list -stub stub_router_IP
where, stub_router_IP is the IP address of the router for which you would like to see all cloud edit
entries.
Note: The stub parameter is optional. When a router is not specified, all entries in the database are
displayed.
The list of all cloud edit entries in the database is displayed.
5 To disable a cloud edit, do the following:
a) Enter the following command:
fa_map -del-entry CIDR -stub stub_router_IP -action exclude
where, CIDR is the CIDR of the entry you want to delete and stub_router_IP is the IP address of the
router for the entry you want to delete.
Note: The input CIDR and router IP address must be exactly as they are in the cloud edit entry. It is
recommended to display the entries (see above) and verify these inputs before running this
command.
The following prompt appears:
Are you sure you want to delete entry [Y/n]
b) Press Enter.
The cloud is recalculated without the edit.
Removing Devices
You can remove devices from the graphic network map. You can remove devices from the current map
calculation and/or from all future map calculations. If you only remove the device from current map, the
device will appear in the map again once a new report is generated.
Note: A removed device will not appear in traffic simulation query results.
 To remove devices from the graphic network map

246
Chapter 6 Managing The Graphic Network Map
2 To remove devices from the current map, do the following:

fa_map -d DeviceID
where, DeviceID is the name of the device you wish to remove from the current graphic network
map.
3 To cause devices to be omitted from all future map updates, do the following:
a) Open /home/afa/.fa/config.
b) On a new line, add the configuration item MAP_BLACK_LIST, and set the configuration item's value
to a semi-colon separated list of devices that you wish to remove from the graphic network map.
For example, the following removes the devices rose_checkpoint and flower_asa from the
graphic network map, for all future maps.
MAP_BLACK_LIST=rose_checkpoint;flower_asa
c) Save the file.
Removing Device Interfaces

You can specify that certain device interfaces be ignored in the graphic network map. Removed interfaces
will be ignored when performing a traffic simulation query. You can also restore ignored interfaces to the
map, and view a list of all ignored interfaces.
 To remove device interfaces
1 View the graphic network map.
See Viewing the Graphic Network Map, in the AlgoSec Firewall Analyzer User Guide.
2 Right-click on the edge that represents the interface you want to remove.
3 Click Remove Interface.
The interface is removed.
 To restore device interfaces
fa_map -restore_ignore_interface InterfaceName -n DeviceName
where, InterfaceName is the name of the interface you wish to ignore, and DeviceName is the name of
the interface's device.
3 To view a list of all the ignored interfaces for a specific device, do the following:
fa_map -list_ignored_interfaces -n DeviceName
where, DeviceName is the name of the interface's device.
4 To view a list of all the ignored interfaces for all devices, do the following:
fa_map -list_ignored_interfaces
247
CHAPTER 7
Working with ActiveChange

In This Chapter
Overview ..............................................................................................................................................248
Using ActiveChange.............................................................................................................................248
Enabling ActiveChange........................................................................................................................249
This section explains how to use ActiveChange.
Overview
ActiveChange enables you to implement AFA recommendations quickly and easily for the following
devices:
 Check Point devices using OPSEC
 Juniper SRX devices
 Cisco PIX/ASA/FWSM devices
 Cisco IOS devices
ActiveChange enables you to implement AFA recommendations directly from AFA reports. Supported
changes include disabling redundant, unused, and covered rules in a device's policy.
Before implementing a device policy change, AFA creates a backup of the original, unchanged device
policy, enabling you to revert to the original policy at any time. Upon making the requested change, AFA
adds a comment to the affected rule, indicating that the rule was changed via AFA and specifying the user
who made the change. The modified policy is saved under the original policy's name, but not installed.
Note: When using FireFlow, ActiveChange is supported for some device brands as part of the change
request workflow. For more information, see the AlgoSec FireFlow User Guide, Implementing Changes.
Using ActiveChange
 To use ActiveChange with Check Point devices
1 Install an ActiveChange license.
See Installing a License in the AlgoSec Firewall Analyzer Administrator Guide.
2 For each device with which you want to use ActiveChange, enable ActiveChange.
See Enabling ActiveChange (page 249).
3 Generate a report for any Check Point device on which ActiveChange is enabled.
See Generating AFA Reports for Individual Devices.
4 Disable device rules as needed.
248
Chapter 7 Working with ActiveChange
See Disabling Device Rules.

Note: If FireFlow is used, then ActiveChange will enable automatic implementation of changes from within
FireFlow.
 To use ActiveChange with Juniper SRX, Cisco PIX/ASA/FWSM and Cisco IOS devices
1 Install an ActiveChange license.
See Installing a License in the AlgoSec Firewall Analyzer Administrator Guide.
2 Enable ActiveChange.
See Enabling ActiveChange (page 249).
Important: ActiveChange is a global setting, even though it is defined from within a specific device. If
you enable ActiveChange on a single Cisco device, it will enable ActiveChange for all Cisco devices
defined on the system.
3 In FireFlow, generate a work order for any traffic change request that affects a Cisco device on which
ActiveChange is enabled.
For information on generating work orders, refer to the AlgoSec FireFlow User Guide.
4 Either, copy the list of CLI commands, and paste them to the command line to implement them.
Or
Use the “Implement on Device” functionality to push the CLI commands directly to the subject device.
Note: Cisco ActiveChange is only supported from within FireFlow.
Enabling ActiveChange
Note: ActiveChange can only be enabled on Check Point devices connected to AFA via OPSEC or on
Juniper SRX, Cisco PIX, ASA, and FWSM or Cisco IOS devices.
Note: You must have OPSEC write permissions for a Check Point device, in order to enable ActiveChange
for it.
 To enable ActiveChange for a device

 Add a new device.
See Adding Devices (page 59).
 Edit an existing device's collection definition.
See Editing Data Collection Definitions (page 223).
2 Select the Allow ActiveChange check box.
249
CHAPTER 8
Scheduling Analyses and Monitoring

In This Chapter
Scheduling AFA Analyses ...................................................................................................................250
Scheduling Dashboard E-mails ............................................................................................................254
Activating Real-Time Monitoring ........................................................................................................256
This section describes how to schedule analyses and monitoring.
Scheduling AFA Analyses

You can schedule automatic AFA analyses by adding an analysis job to the AFA Scheduler.
Note: AFA can generate multiple reports in parallel, whether manually triggered or scheduled. The
maximum number of reports that can be generated simultaneously is automatically defined as the number of
CPUs (or cores) in your computer. In order to change this value, please contact AlgoSec support.
Note: It is recommended to only run 'All Firewalls' analyses at night, in order to avoid a high strain on your
system during normal operating hours.
Adding and Editing Analysis Jobs

 To add or edit an analysis job
3 Click the Scheduler tab.
250
Chapter 8 Scheduling Analyses and Monitoring
The Scheduler tab appears.

 To schedule a new analysis job, in the Schedule Recurring Analysis area, click New.
 To edit an existing analysis job, click on the Edit icon next to the desired job.
251
New fields appear.
5 In the Job name field, type a name for the job.

6 (Optional) To aggregate a group/matrix members' existing reports into a group/matrix report, (instead of
generating new reports for each member and using those reports to generate a group/matrix report),
select the Base group reports on existing device reports check box.
This field is relevant only when generating group reports and matrix reports.
7 To select a risk profile, select the Select risk profile check box, and select a risk profile from the
drop-down menu.
8 Select one of the following settings in the Run device analysis drop-down menu:
 Only if the policy/topology changed - if a policy is detected as unchanged during a scheduled
analysis, then AFA should not run a full report, but instead create an unchanged report that links to
the last report for the policy.
 Always (slow) - AFA will always run a full analysis, regardless of whether the policy has changed or
not.
Note: Selecting this option will result in longer analysis time and requires more disk space.
252
9 Specify the device, group, or matrix for which you want to schedule an automatic analysis, by doing the
following in the Select a device/group area:
a) Click Select device/group.
A tree of all the devices, groups, and matrices appears.
b) Choose the desired device, group, or matrix.

c) Click OK.
10 In the Recurrence area, specify how often the analysis job should run.
You can select either a daily, weekly, monthly, quarterly, or yearly analysis, or configure the analysis to
occur when a policy is installed on the device(s).
Note: You can only select Upon policy install, if real-time change monitoring is enabled for this device.
The fields in the Recurrence Pattern area change according to your selection.
11 In the Recurrence Pattern area, configure the desired pattern of recurrence.
Note: If you want to see the scheduled job run during the current schedule cycle, schedule your analysis
at least five minutes later than the current time.
12 Click OK.
Deleting Analysis Jobs

 To delete an analysis job
253

The Scheduler tab appears.
4 Select the check box next to the desired job.
5 Click Delete.
6 Click Yes.
The job is deleted.
Scheduling Dashboard E-mails

You can schedule a dashboard e-mail, by adding a dashboard e-mail job to the AFA Scheduler.
Adding and Editing Dashboard E-mails

 To add or edit a dashboard e-mail job
The Scheduler Setup page is appears with a list of scheduled analysis and dashboard e-mail jobs.

 To schedule a new dashboard email, in the Schedule Dashboard E-mail area, click New.
 To edit an existing dashboard e-mail job, click on the Edit icon next to the desired job.
254
New fields appear.
5 In the Job name field, type a name for the job.

6 Select a dashboard from the Select Dashboard drop-down list.
7 In the Recipients field, type one or more addresses of e-mail recipients, separated by commas.
8 In the Email Subject field, type a subject (default is dashboard name).
9 (Optional) Type a message in the Email Body field.
10 In the Recurrence area, specify how often the analysis job should run.
You can select either a daily, weekly, monthly, quarterly, or yearly analysis, or configure the analysis to
occur when a policy is installed on the device(s).
The fields in the Recurrence Pattern area change according to your selection.
11 In the Recurrence Pattern area, configure the desired pattern of recurrence.
a) For Daily, from Set time select the time (hr and min).
b) For Weekly, select the day of the week and from Set time select the time (hr and min).
c) For Monthly, either select the day of the month from the calendar or the day and week of the month
(e.g., 1st, 2nd , etc.). Select the time (hr and min) from Set time.
255
d) For Quarterly, select 4 months of the year and from Set time select the time (hr and min).
e) For Yearly, set the month, the week (e.g., 1st), and day and from Set time select the time (hr and min).
Note: If you want to see the scheduled job run during the current schedule cycle, schedule your analysis
at least five minutes later than the current time.
12 Click OK.
Deleting Scheduled Dashboard E-mails

 To delete a dashboard e-mail job
The Scheduler Setup tab is appears with a list of scheduled analysis and dashboard e-mail jobs.
4 Select the check box next to the desired job.
5 Click Delete.
6 Click Yes.
The job is deleted.
Activating Real-Time Monitoring

When real-time monitoring is activated, AFA will periodically check devices' policies for changes and
display any detected changes in the Web interface. In addition, you can configure AFA to send e-mail
notifications to selected users, and/or to automatically run a full analysis, each time a change is detected.
 To activate real-time monitoring
3 Click the Monitoring tab.
256
The Monitoring page appears.
4 To activate real time monitoring for devices, do the following:

a) Select the Real-time device monitoring enabled option.
b) Set the Monitoring frequency to the interval of time in minutes at which AFA should monitor
devices.
5 To activate real-time monitoring for routing elements, do the following:
a) Select the Real-time Routing Elements monitoring enabled option.
b) Set the Routing Element monitoring frequency to the interval of time in minutes at which AFA should
monitor routing elements.
6 Click Apply.
257
CHAPTER 9
Users and Roles

In This Chapter
Users Overview ....................................................................................................................................258
Configuring User Authentication .........................................................................................................259
Adding and Editing Users ....................................................................................................................277
Deleting Users ......................................................................................................................................283
Roles Overview ....................................................................................................................................283
Adding and Editing Roles ....................................................................................................................283
Deleting Roles ......................................................................................................................................288
Changing Your User Settings ...............................................................................................................289
This section describes users and roles in AFA.
Users Overview
There are two types of AlgoSec Firewall Analyzer users:
 Non-administrative users - Can run analyses, generate reports, view policies and reports, view network
map and monitoring changes, and run traffic simulation queries.
 Administrators - Can perform any task. In addition to the tasks that non-administrative users can
perform, administrators can also manage other users, define and edit monitored devices, configure AFA
general settings and preferences, and schedule AFA analyses.
Note: When domains are enabled, these same user types become sub-types: Users are divided into
management users and domain users, each of which can be an administrator or non-administrative. For
information on domains, management users, and domain users, see Enabling Domains (page 33).
Each user is assigned one of the following access levels as part of their default permission profile:
 Standard Access - Enables users to view existing reports, run traffic simulation queries, initiate new
device analyses, and use the customization features such as customizing the topology.
 ReadOnly Access - Enables users to view existing reports and run traffic simulation queries on these
reports.
 None - Prevents users from having any access at all to the report.
This access level is automatically applied to all devices that the user is authorized to view; however, you can
override the default access level on a per-device basis.
258
Chapter 9 Users and Roles
Configuring User Authentication

supports authenticating users in the following ways:
 Single Sign On
See Configuring Single Sign On (page 259).
 Via an authentication server, such as a RADIUS server, an LDAP server, or the AlgoSec Firewall
Analyzer local database.
See Configuring User Authentication via an Authentication Server (page 263).
 An LDAP forest
See Configuring an LDAP Forest (page 271).
Configuring Single Sign On (SSO)

You can enable users to log in to AFA and FireFlow via a single Login page, and to log out of AFA and
FireFlow via a single Logout page, by configuring Single Sign On (SSO). AlgoSec uses the Security
Assertion Markup Language (SAML) standard for SSO, in which there are two main entities:
 Service Provider (SP). The website providing the SSO service. AlgoSec products can act as SPs, and may
be configured to work with any IdP.
 Identity Provider (IdP). The website where a user is authenticated. The IdP hosts the Login and Logout
pages, where users can log into and out of all AlgoSec products simultaneously.
Note: You must have installed an IdP server prior to configuring SSO. You must also develop a Login and
Logout page on the IdP.
When SSO is configured, the authentication process is as follows:
1 A user browses to an AlgoSec product, which serves as an SP.
2 The user is redirected to the Login page hosted on the IdP.
3 The user authenticates to the IdP.
4 The user is logged in to all AlgoSec products.
The process of logging out is as follows:
1 The user browses to the Logout page hosted on the IdP.
2 The user logs out in whichever way is required by the page.
3 The user is logged out of all AlgoSec products.
259
Note: When SSO is configured, the Logout link will not appear in AlgoSec products.
Note: When logging out via another SP that is supported by the same IdP, the user will be logged out of
AlgoSec products, as well.
If desired, you can configure FireFlow to fetch user data from either the SSO response itself, or from a
separate call to an LDAP server. Refer to the AlgoSec FireFlow Configuration Guide, Configuring Fetching
User Data when Authenticating with Single Sign On.
If necessary, you can force AlgoSec products to perform local authentication when SSO is configured. See
Forcing Local Authentication (page 262).
 To configure Single Sign On
1 In the AFA toolbar, click your username.
The Administration page is displayed with the Options tab selected.
3 In the Options tab, click the Authentication sub-tab.
The Authentication page appears.
4 Choose Single Sign On.
New fields appear.
5 Complete the fields using the information in Single Sign On Fields (page 262).
6 Click OK.
7 To set an encrypted communication between the SP and the IdP, do the following:
a) Open a terminal and log in using the username "afa" and the related password.
b) Save the IdP's certificate in a Base-64 encoded PEM format to
/usr/share/fa/simplesaml/cert/.
You can save the file with any name you like, but the default is server.crt. The default certificate
file is overwritten during upgrades so you are encouraged to use a different filename.
c) If you saved the file under a name other than server.crt, do the following:
260
1. Open /home/afa/.fa/config.
2. Add the configuration item SSOSAML_IdP_Certificate, and set it to the name of the IdP
certificate file.
For example, the following sets the certificate name to MyIdPCert.crt:
SSOSAML_IdP_Certificate=MyIdPCert.crt
3. Save the file.
8 To use an IdP unsolicited SSO method (also known as IdP first SSO), do the following:
a) In the Options tab, click the Advanced Configuration sub-tab.
The Advanced Configuration tab appears.
b) Add the parameters specified in IdP Unsolicited SSO Method Fields (page 262), one at a time, by
doing the following:
1. Click Add.
The Add New Configuration Parameter dialog box appears.
261
2. In the Name field, type the parameter.

3. In the Value field, type the parameter's value.
4. Click OK.
5. Repeat the above steps for each parameter.
c) Click OK.
Note: For an SSO session to expire from AFA, the session timeout in AFA must be set greater to or equal to
the IdP's session timeout. Otherwise, when a user attempts to connect with an expired session, they will be
redirected to the IdP, the IdP will indicate that its session is still valid, and AFA will re-create a session for
the user.
Single Sign On Fields
Field Description
Service Provider identifier The identifier of the AlgoSec SP.

This identifier must be unique, and it must be added to the list of known SPs in your
identity provider's configuration.
Identity Provider identifier The identifier of your installed IdP.
IdP's Single Sign On The URL of the IdP's Login page.
service URL
IdP's Single Sign Out The URL of the IdP's Logout page.
service URL
IdP Unsolicited SSO Method Fields
Set this parameter... To this...

SSOSAML_IdP_Unsolicited_SSO Yes/No. Specifies whether to use the IdP method first.
SSOSAML_IdP_Unsolicited_SSO_URL The IdP's URL.

SSOSAML_IdP_Unsolicited_SSO_SP_ID_KEY The parameter name for the SP unique identifier.
Forcing Local Authentication

If SSO is configured, but the IdP is down or there are configuration errors, you can force AlgoSec products
to perform local authentication. Users will be able to log in via the Algosec Login page, and the Logout link
will appear in the AFA and FireFlow interfaces.
 To force local authentication
 Navigate to https://<Algosec Server>/AFA/php/Login.php?ForceLocalAuth=1
where, <Algosec Server> is the hostname or IP Address of your AlgoSec server.
The local Login page appears.
262
Configuring User Authentication via an Authentication Server

The AlgoSec Security Management Suite supports authenticating users via an authentication server in the
following ways:
 Local user database
The AlgoSec Security Management Suite maintains a local user database that is composed of the
usernames and passwords of users you have added. When a user attempts to log in, the AlgoSec Suite
compares the entered username and password to the local user database. If the entered username exists
in the database, and the password matches the username, then the user is logged in.
 LDAP server
If your company uses an LDAP (Lightweight Directory Access Protocol) server for authenticating
network users (for example, Microsoft Active Directory), you can configure the AlgoSec Suite to
authenticate users against the LDAP server. When a user attempts to log in (using the login credentials
defined for them on the LDAP server), the AlgoSec Suite sends the entered username and password to
the LDAP server. If the entered username exists in the LDAP server, and the password matches the
username, then the user is logged in.
If desired, you can configure additional criteria for authentication. For example, you can specify that the
LDAP server should only search certain parts of its database for the entered username and password, or
that users must belong to a certain LDAP user group.
The AlgoSec Suite additionally supports importing user data from an LDAP Server. When this is
configured, each user is automatically assigned roles based on their LDAP groups. See Importing User
Data from an LDAP Server (page 270).
Note: It is possible to use multiple LDAP servers to authenticate users. See Configuring an LDAP
Forest (page 271).
 RADIUS server
Some companies use a RADIUS (Remote Authentication Dial In User Service) server for authenticating
network users. The AlgoSec Security Suite can be configured to use the corporate RADIUS server to
authenticate users. When a user attempts to log in (using the login credentials defined on the RADIUS
server), the AlgoSec Security Suite sends the entered username and password to the RADIUS server. If
the entered username exists in the RADIUS database, and the password matches the username, then the
user is logged in.
AlgoSec supports importing data from an LDAP server, even when authenticating with a RADIUS
server.
Note: Microsoft Active Directory can be configured as a RADIUS server. For information on
configuring Active Directory, refer to Microsoft documentation.
263
By default, the AlgoSec Security Suite uses the local user database to authenticate users. If you want to use
a RADIUS server and/or an LDAP server in addition to local authentication, you must configure the desired
user authentication method using the following procedure.
Note: When more than one user authentication method is enabled, you can choose which method to use on a
per-user basis.
Note: If importing user data from an LDAP server is not configured, you must manually define privileged
users in AFA.
Note: When domains are enabled and you have configured importing user data from the LDAP server, the
first time a management user who also has permissions to certain domains logs in, he must log into the
management interface. If he first logs in to a domain, he will not be able to access the management interface.
 To configure user authentication via an authentication server

3 In the Options tab, click the Authentication sub-tab.
The Authentication page appears.
4 Choose Authentication Server.

Note: The Local check box is selected by default and cannot be cleared.
5 To enable user authentication using a corporate RADIUS server:
a) Select the RADIUS check box.
264
Radius Authentication fields appear.
b) Complete the fields using the information in RADIUS Authentication Fields (page 267).
If you selected the Use Secondary Servers check box, additional fields appear.
Continue completing the fields using the information in RADIUS Authentication Fields (page
267).
6 To enable user authentication against an LDAP server:
a) Select the LDAP check box.
265
New fields appear.
266
b) Complete the fields using the information in LDAP Authentication Fields (page 267).
If you selected the Use Secondary Servers or Fetch user data from LDAP check boxes, additional
fields appear.
Continue completing the fields using the information in LDAP Authentication Fields (page 267).
7 To test connectivity for a defined RADIUS or LDAP server, click Test connectivity for the specific
server.
A message informs you whether AFA connected to the server successfully.
8 In the Default for new users area, choose the default authentication method for new users.
Note: You can override the default authentication method to use on a per-user basis.
9 If you select Default Mail Domain, you can define your own mail address when Authentication Server is
selected. When it is selected, AFA automatically generates an email address to a edited/created user by
attaching the configurable email suffix to its username (in the case when the user did not insert an email
already).
10 Click OK.
Changes to user authentication settings immediately take effect.
RADIUS Authentication Fields
Server Type the IP address of the RADIUS server's host computer.

Secret key Type the secret key to use for authenticating to the RADIUS server.
Port Type the port number on the RADIUS server's host computer.
Timeout Use the arrow buttons to select the maximum amount of time in seconds to wait for the
RADIUS server's reply.
Fetch user data from Select this option to fetch user data from an LDAP server.
LDAP AFA will perform authentication (check passwords) against the defined RADIUS
server, but will also access the specified LDAP server to obtain user information and
optionally assign roles.
This check box is only enabled if LDAP Authentication is configured and it's Fetch user
data from LDAP check box is checked.
For more information, see Importing User Data from an LDAP Server (page 270).
Use Secondary Servers Select this option to configure one or more secondary RADIUS servers.
You must complete the fields in the Secondary Radius Servers area.
LDAP Authentication Fields
LDAP Server Credentials

Server Type the IP address of the LDAP server's host computer.
LDAP Version Select the version of LDAP used on the LDAP server.
Port Type the port number on the LDAP server's host computer.
267
Timeout Use the arrow buttons to select the maximum amount of time in seconds to wait for the
LDAP server's reply.
Secure Connection Select this option to secure connections with the LDAP server, then choose the method
to use for securing the connection: LDAPS or StartTLS.
The default method is LDAPS.
The value of the Port field changes according to the method selected.
Verify Server Certificate Select this option to specify that AFA should check the LDAP server's certificate against
a locally stored certificate. AFA will only connect to the LDAP server if the certificates
are identical.
The CA Certificate field appears.
CA Certificate Select the locally stored certificate against which AFA should compare the LDAP
server's certificate.
The certificate must be stored under /home/afa/.fa/ca_certs in order to appear
in the drop-down list.
Bind Type Select the bind type to use:
 Simple. AFA sends the entered username and password to the LDAP server. If the
entered username exists in the LDAP server, and the password matches the
 Regular. AFA logs in to the LDAP server using a user DN and password, and then
checks the entered username and password against the LDAP server. If the entered
username exists in the LDAP server, the password matches the username, and any
additional criteria are met, then the user is logged in.
 Anonymous. AFA accesses the LDAP server anonymously, and then checks the
entered username and password against the LDAP server. If the entered username
exists in the LDAP server, the password matches the username, and any additional
criteria are met, then the user is logged in.
If you chose Regular or Anonymous, additional fields appear.
The default value is Regular.
User DN Type the user DN that AFA should use to log in to the LDAP server.
This field appears only for Regular bind type.
Password Type the password that AFA should use to log in to the LDAP server.
This field appears only for Regular bind type.
Attribute Mapping
Name Type the attribute that contains a user's name, in user objects in the database.
The default value is sAMAccountName.
Group Membership Type the attribute that contains a user's groups, in user objects in the database.
The default value is member.
Permitted Users
268
Users Under Base DN Type the base DN.

The baseDN is the highest level in the LDAP tree, where AFA should search. Any
entries above this level will not be searched.
Members of Group DN Type the DN of the LDAP group that includes all users who may log in to AFA and
FireFlow.
This field is optional. When it is filled in, users who are not members of this LDAP
group will not be allowed to log in to AFA or FireFlow, even if they are members of
other LDAP groups mapped to AFA or FireFlow roles.
Note: This LDAP group includes all FireFlow requestors. When this field is filled in,
only users who are members of this group are allowed to submit requests to FireFlow.
Extra Filtering Type any additional criteria that users must meet in order to be authenticated.
The default value is (objectClass=*).
Fetch user data from Select this option to import user data from the LDAP server upon each login. For
LDAP example, when a user logs in, data such as the user's telephone number can be imported.
You must complete the fields in the Mapping to LDAP Fields area.
Note: The default values for these fields are taken from Active Directory. If a different
LDAP server is used, the names must be changed accordingly.
Note: Since data is imported only upon user login, the data stored for users who log in
infrequently may be outdated.
Fields Mapping
Associated Roles Select this option to import user group information from the LDAP server. Selecting this
option enables assigning user roles via a specified correspondence between LDAP
groups and AFA/FireFlow roles.
To manage roles from within the AlgoSec Suite (not the LDAP), do not select this
option.
Full Name Type the name of the LDAP server user field from which you want to import data to the
AlgoSec Firewall Analyzer and FireFlow Full Name field.
Email Type the name of the LDAP server user field from which you want to import data to the
AlgoSec Firewall Analyzer and FireFlow Email field.
Notes Type the name of the LDAP server user field from which you want to import data to the
AlgoSec Firewall Analyzer and FireFlow Notes field.
FireFlow specific fields
Organization Type the name of the LDAP server user field from which you want to import data to the
FireFlow Organization field.
Address Type the name of the LDAP server user field from which you want to import data to the
FireFlow Address field.
City Type the name of the LDAP server user field from which you want to import data to the
FireFlow City field.
State Type the name of the LDAP server user field from which you want to import data to the
FireFlow State field.
269
Zip Code Type the name of the LDAP server user field from which you want to import data to the
FireFlow Zip Code field.
Country Type the name of the LDAP server user field from which you want to import data to the
FireFlow Country field.
Home Phone Type the name of the LDAP server user field from which you want to import data to the
FireFlow Home Phone field.
Work Phone Type the name of the LDAP server user field from which you want to import data to the
FireFlow Work Phone field.
Mobile Phone Type the name of the LDAP server user field from which you want to import data to the
FireFlow Mobile Phone field.
Pager Type the name of the LDAP server user field from which you want to import data to the
FireFlow Pager field.
Use Secondary Servers Select this option to configure one or more secondary LDAP servers.
You must complete the fields in the Secondary LDAP Servers area. (See LDAP Server
Credentials at top of this table.)
Importing User Data from an LDAP Server
If the AlgoSec Security Management Suite authenticates users against an LDAP or RADIUS server, you can
configure to import user data from the LDAP server upon each login. Configuring this feature enables
creation of AlgoSec Security Management Suite users when LDAP users logs in for the first time, so you do
not have to define new users manually. can import a user's full name, email address, and role.
Note: If the system is configured to import user information from an LDAP server, changes to user settings
must be made only on the LDAP server (changes made in the AlgoSec Suite may be overridden the next
time the user logs in).
Note: Since data is imported only upon user login, the data stored for users who log in infrequently may be
outdated.
 To import user data from an LDAP database

1 Configure LDAP or RADIUS user authentication to fetch user data from an LDAP authentication server
by doing the following:
a) Go the configuration area for user authentication in AFA, and configure the relevant authentication
server. See Configuring User Authentication via an Authentication Server (page 263).
b) Select the Fetch user data from LDAP check box and complete the fields in the Fields Mapping area.
Note: Many fields in FireFlow appear as options. If you want to import an LDAP field that does not
exist in FireFlow, refer to the AlgoSec FireFlow Configuration Guide, Importing User Data from an
LDAP Server.
c) Click OK.
2 If you selected the Associated Roles option, indicate a correspondence between LDAP groups and
AlgoSec Suite roles doing the following:
270
a) Add/Edit the user role you want to link with an LDAP group. See Adding and Editing Users (page
277).
b) Type the LDAP group name that you want to link with the role in the Role LDAP DN field.
When users log in that are members of this LDAP group, they will automatically be granted the role.
Configuring an LDAP Forest

If you have multiple LDAP servers with different users defined on each one, you can configure an LDAP
forest consisting of these servers. AFA and FireFlow will authenticate LDAP users against the correct
LDAP server.
Adding LDAP Servers to a Forest

Complete this procedure for each LDAP server you want to include in the forest.
 To add an LDAP server to a forest
1 Choose a number to represent the LDAP server.
Number 1 represents the primary LDAP server, and numbers 2 and 3 represent possible backup servers.
If you do not want those servers to be included in the forest, choose a number higher than 3.
4 In the Options tab, click the Advanced Configuration sub-tab.
271
The Advanced Configuration page appears.
5 Add the parameters specified in LDAP Parameters (page 273), one at a time, by doing the following:
a) Click Add.
b) In the Name field, type ParamNumber

Where:
 Param is the parameter name.
 Number is the server number selected in the previous step.
For example, to specify the port number of LDAP server number 4, type LDAP_Port4.
c) In the Value field, type the parameters value.
d) Click OK.
e) Repeat the above steps for each parameter.
6 Click OK.
272
LDAP Parameters

LDAP_Port The port number on the LDAP server's host computer.
This parameter is mandatory.
LDAP_Timeout The maximum amount of time in seconds to wait for the LDAP server's reply.
LDAP_Version The version of LDAP used on the LDAP server.
Ldap_Secured_Authenticati The method to use for securing connections with the LDAP server. This can have the
on_Method following values:
 ldaps
 starstls
LDAP_Server The IP address of the LDAP server's host computer.
LDAP_UseSecured Indicates whether to secure connections with the LDAP server. This can have the
following values:
 yes
 no
LDAP_VerifyCert Indicates whether AFA should check the LDAP server's certificate against a locally
stored certificate. AFA will only connect to the LDAP server if the certificates are
identical.
This can have the following values:
 yes
 no
LDAP_Certificate The locally stored certificate against which AFA should compare the LDAP server's
certificate.
The certificate must be stored under /home/afa/.fa/ca_certs.
LDAP_Domain The LDAP server's domain name.
LDAP_Username The user DN that AFA should use to log in to the LDAP server.
This parameter is optional.
LDAP_Password The password that AFA should use to log in to the LDAP server.
273

LDAP_Bind_Type The bind type to use. This can have the following values:
 Simple. AFA sends the entered username and password to the LDAP server. If
the entered username exists in the LDAP server, and the password matches the
 Regular. AFA logs in to the LDAP server using a user DN and password, and
then checks the entered username and password against the LDAP server. If the
entered username exists in the LDAP server, the password matches the username,
and any additional criteria are met, then the user is logged in.
 Anonymous. AFA accesses LDAP server anonymously, and then checks the
entered username and password against the LDAP server. If the entered username
exists in the LDAP server, the password matches the username, and any additional
criteria are met, then the user is logged in.
LDAP_BaseDN The base DN.
LDAP_ExtraFiltering Any additional criteria that users must meet in order to be authenticated.
The default value is (objectClass=*).
LDAP_NameAttr The attribute that contains a user's name, in user objects in the database.
LDAP_MemberAttr The attribute that contains a user's groups, in user objects in the database.
LDAP_GroupDN The DN of the user group to which users must belong in order to be authenticated.
LDAP_AttrEmail The name of the LDAP server user field from which you want to import data to AFA
and FireFlow Email field.
LDAP_AttrFullName The name of the LDAP server user field from which you want to import data to AFA
and FireFlow Full Name field.
LDAP_AttrNotes The name of the LDAP server user field from which you want to import data to AFA
and FireFlow Notes field.
LDAP_AttrOrganization The name of the LDAP server user field from which you want to import data to the
FireFlow Organization field.
LDAP_AttrAddress1 The name of the LDAP server user field from which you want to import data to the
FireFlow Address field.
LDAP_AttrCity The name of the LDAP server user field from which you want to import data to the
FireFlow City field.
274

LDAP_AttrState The name of the LDAP server user field from which you want to import data to the
FireFlow State field.
LDAP_AttrZip The name of the LDAP server user field from which you want to import data to the
FireFlow Zip Code field.
LDAP_AttrCountry The name of the LDAP server user field from which you want to import data to the
FireFlow Country field.
LDAP_AttrHomePhone The name of the LDAP server user field from which you want to import data to the
FireFlow Home Phone field.
LDAP_AttrWorkPhone The name of the LDAP server user field from which you want to import data to the
FireFlow Work Phone field.
LDAP_AttrMobilePhone The name of the LDAP server user field from which you want to import data to the
FireFlow Mobile Phone field.
LDAP_AttrPagerPhone The name of the LDAP server user field from which you want to import data to the
FireFlow Pager field.
LDAP_AttrCustom The name of a custom FireFlow attribute.
For information on adding custom attributes, refer to the AlgoSec FireFlow
Configuration Guide, Importing User Data from an LDAP Server.
275
Comprehensive Example
In the following example, LDAP server 4 is added to the forest:
LDAP_Port4=349
LDAP_Timeout4=120
LDAP_Version4=3
Ldap_Secured_Authentication_Method4=LDAPS
LDAP_Server4=192.164.2.43
LDAP_UseSecured4=no
LDAP_VerifyCert4=no
LDAP_Certificate4=Algosec_CA.pem
LDAP_Domain4=ldomain4
LDAP_Username4=CN=Bob,OU=Algosec,DC=algosec,DC=local
LDAP_Password4=$FOQABRER$27:A3:BD:F2:90:C7:21:5A:3A:F4:F4:AB:R8:20:6F:25
LDAP_Bind_Type4=Regular
LDAP_BaseDN4=dc=algosec,dc=local
LDAP_ExtraFiltering4=(objectClass=*)
DAP_NameAttr4=sAMAccountName
LDAP_MemberAttr4=memberOf
LDAP_GroupDN4=
LDAP_AttrEmail4=mail
LDAP_AttrFullName4=displayName
LDAP_AttrNotes4=description
LDAP_AttrOrganization4=company
LDAP_AttrAddress14=streetAddress
LDAP_AttrCity4=l
LDAP_AttrState4=st
LDAP_AttrZip4=postalCode
LDAP_AttrCountry4=co
LDAP_AttrHomePhone4=homePhone
LDAP_AttrWorkPhone4=telephoneNumber
LDAP_AttrMobilePhone4=mobile
LDAP_AttrPagerPhone4=pager
LDAP_AttrCustom4=group,primaryGroupID;allowDial,msNPAllowDialin;mark,departmen
t
276
Logging In when an LDAP Forest Is Configured

 To log in to AFA or FireFlow when an LDAP forest is configured
1 In the AFA or FireFlow Login page, type the following in the Username field:
LdapDomain\userName
Where:
 LdapDomain is the domain name of the LDAP server on which they are defined.
 userName is the user's LDAP username.
For example, if Bob is defined on an LDAP server whose domain name is Ldomain4, then he must type
"Ldomain4\Bob" in the Username field.
2 In the Password field, type your LDAP password.
3 Click Login.
Note: The backup servers will not be consulted, in the event that AFA/FireFlow did not locate the user in
the specified LDAP domain.
Adding and Editing Users

Note: If domains are enabled, and you are logged into a domain, this procedure allows you to add and edit
domain users. For information on adding and editing management users, see Adding and Editing
Management Users (page 35).
Note: It is possible to import users from a CSV file. See Appendix B: Importing Users and Devices from a
CSV File (page 374).
 To add or edit a user

277
3 In the Options tab, click the Users/Roles sub-tab.

The User and Role Management page appears.

 To add a new user, under the list of users, click New.
 To edit an existing user, click on the Edit icon in the desired user's row.
278
New fields appear.
5 Complete the fields using the information in User Management Fields (page 280).
6 Specify the devices and groups that the user should be able to view, by doing the following in the
Authorized Devices area:
a) Click Select devices.
279
A tree of all the devices and groups appear.
b) Choose the desired devices and groups.

c) Click OK.
The selected devices and groups are listed in the Authorized Devices area. Each device or group is
assigned the access level specified in the default permission profile.
d) To change the access level for a device or group, in the device or group's Permission profile
drop-down list, select the desired access level.
e) To specify that AFA should send e-mail notifications regarding a device or group, select the device
or group's Notification check box.
7 Click OK.
User and Role Management Fields

User details
Username Type a username for the user.
280

Note: You cannot assign a domain user a username that is identical to a management
user's username.
Full name Type the user's full name.
E-Mail Type the user's e-mail address.
Notes Type any notes about the user.
Authentication Select the type of authentication to use for this user:
 Local. Authenticate the user against the local AFA user database.
 RADIUS. Authenticate the user against a RADIUS server.
 LDAP. Select this option to enable user authentication against an LDAP server.
For information on configuring AFA to work with a RADIUS Server or an LDAP
server, see Configuring User Authentication (page 259).
Password
New password Type a password for the user.
Note: Passwords containing back ticks (`) are not supported.
Confirm password Re-type the password you entered in the New password field.
General Permissions
FireFlow Administrator - Select this option to make the user a FireFlow configuration administrator. This
Allow FireFlow Advanced enables the user to perform advanced configuration tasks in FireFlow.
Configuration
global
Roles
Select the user roles to assign the user. The user will automatically be granted the
permissions specified in the assigned roles.
Note: You can assign additional permissions to this user, as desired. The user will then
have both the permissions inherited from their roles, as well as the permissions
assigned specifically to this user.
E-mail Notifications
Changes in risks Select this option to specify that the AFA system should send notifications to the user
when there are changes in risks.
Changes in policy Select this option to specify that the AFA system should send notifications to the user
when changes are made to policies.
Every group report Select this option to specify that the AFA system should send notifications to the user
when a group report is generated.
Every report Select this option to specify that the AFA system should send notifications to the user
when a report is generated.
281

Every configuration change Select this option to specify that the AFA system should send notifications to the user
when configuration changes are made.
Rules and VPN Users about Select this option to specify that the AFA system should send notifications to the user
to expire when device rules and/or VPN users are about to expire.
For information on configuring the number of days before rule or VPN user expiration
that AFA should send a notification, see General/Admin Options (page 325).
Error messages Select this option to specify that the AFA system should send error messages to the
user. These include low disk space and license expiration warnings.
This field is only relevant for administrators.
Changes in customization Select this option to specify that the AFA system should send notifications to the user
when customization changes are made. These include notifications about topology,
trusted traffic, and risk profile customizations.
This field is only relevant for administrators.
Hide change details Select this option to omit change details from emails about new reports and from
change alerts, and include only the device name and a link to the AFA Web interface.
Note: It is possible to hide change details globally, for all users. The global setting
overrides individual users' Hide change details setting. Globally Hiding/Displaying
Change Details (page 502).
Actions
Authorized Devices
Default permission profile Select the user's default access level to devices.
282
Deleting Users
Note: If domains are enabled, and you are logged into a domain, this procedure allows you to delete domain
users. For information on deleting management users, seeDeleting Management Users (page 44).
 To delete a user
3 In the Options tab, click the Users/Roles sub-tab.
4 Select the check box next to the desired user.
5 Under the list of users, click Delete.
6 Click OK.
The user is deleted.
Roles Overview
In order to enable quick and easy configuration of users' permissions, you can define roles. Each role
represents a set of permissions and access levels, and when a user is assigned a role, the user is automatically
granted the permissions specified in the role.
Roles enable you to manage multiple users more efficiently, since any changes to a role's permissions are
automatically applied to all users with that role.
Furthermore, when importing user data from an LDAP server is enabled, each AFA role can be associated
with an LDAP group. Users who log in to AFA or FireFlow will automatically be assigned the AFA roles
that correspond to the LDAP groups to which they belong. For information on enabling the import of user
data from an LDAP server, see Importing User Data from an LDAP Server (page 270).
Adding and Editing Roles

 To add or edit a user role
The User and Role Management tab appears.
283

 To add a new role, under the list of roles, click New.
 To edit an existing role, click on the Edit icon in the desired role's row.
284
New fields appear.
285
286
5 Complete the fields using the information in Role Fields (page 288).
6 Specify the devices and groups that a user with this role should be able to view, by doing the following
in the Authorized Devices area:
a) Click Select devices.
A tree of all the devices and groups appears.
b) Choose the desired devices and groups.

c) Click OK.
The selected devices and groups appear in the Authorized Devices area. Each device or group is
assigned the access level specified in the default permission profile.
d) To change the access level for a device or group, in the device or group's Permission profile
drop-down list, select the desired access level.
e) To specify that AFA should send e-mail notifications regarding a device or group, select the device
or group's Notification check box.
7 Click OK.
287
Role Fields

Role details
Role name Type a name for the role.
Role description Type a description of the role.
Role LDAP DN Type the DN of the LDAP group that corresponds to this role.
When users who are members of this LDAP group log in, they will automatically be
granted this role.
For example: "cn=network_users,ou=organization,o=mycompany,c=us"
General Permissions
FireFlow Administrator - Select this option to make the user a FireFlow configuration administrator. This
Allow FireFlow Advanced enables the user to perform advanced configuration tasks in FireFlow.
Configuration
Enable Trusted Traffic -> Select this option to allow the user to view and edit trusted traffic settings.
global
Authorized Views and actions
Report Select the report pages that the user can view. Select Full Report to indicate that the user
can view all report pages.
Home Views Select the Home page elements that the user can view. Select All Home Views to indicate
that the user can view all Home page elements.
Authorized Devices
Default permission profile Select the user's default access level to devices.
Deleting Roles
 To delete a role
288

4 Select the check box next to the desired role.
5 Under the list of roles, click Delete.
6 Click OK.
The role is deleted.
Changing Your User Settings

Administrators can change their own user settings (as well as other users' settings), using the procedures in
Users and Roles (page 258).
Non-administrative users can change their own password and e-mail notification settings, using the
following procedure.
 To change your user settings
4 To change your password, do the following in the Password area:
a) In the New password field, type your new password.
b) In the Confirm password field, again type your new password.
c) Click OK.
Note: If AFA is configured to authenticate you using a RADIUS or LDAP authentication server, you
cannot change your password via AFA. Contact your system administrator to change your password.
5 To change your e-mail notification settings, do the following in the E-mail Notifications area:
a) Complete the fields using the relevant information in User and Role Management Fields (page
280).
b) Click OK.
289
CHAPTER 10
Configuring Mail Server Settings

In This Chapter
Setting Up E-mail Notification.............................................................................................................291
In this section there is a description of how to to configure mail server settings.Connection to the email sever
is used for sending notifications. A single server is used for all needs.
 To configure mail server settings
3 In the Options tab, click the Mail sub-tab.
The Mail tab appears.
4 Complete the fields using the information in Mail Fields (page 292).
290
Chapter 10 Configuring Mail Server Settings
5 Click OK.
Setting Up E-mail Notification

In order to configure AFA to send automatic e-mail notifications, follow this procedure:
1 Install the internal Apache Web server.
2 Configure mail server settings.
See Configuring Mail Server Settings (page 290).
3 For each user who should receive e-mail notifications, add or edit the user, making sure to configure the
user's e-mail notifications settings.
See Adding and Editing Users (page 277).
When configuring the Authorized Firewalls tab, note that the user will receive notifications for each
selected device.
Here are two examples of e-mail notifications - the first indicating that AFA analysis of a device has been
completed and another, notifying about changes to a device's risks and policy:
 E-mail Notification Example 1:
291
 E-mail Notification Example 2:
Mail Fields

Server name Type the SMTP server's name.
Use name and password Select this option if your SMTP server requires a username and password.
Username Type the username for your SMTP server.
Password Type the password for your SMTP server.
Use SSL Select this option to use SSL (Secure Socket Layer) when authenticating to the SMTP
server.
Email Notification FROM Type the "From" address of the notification. All e-mail notifications will appear as
address coming from this e-mail account.
Test E-Mail message Click this button to send a test e-mail to all administrators.
Email greeting Type an e-mail greeting you would like to include in the body of the e-mail.
Default Click this button to reset the e-mail greeting to its default setting.
292
CHAPTER 11
Risk and Compliance

In This Chapter
Customizing Risk Profiles ....................................................................................................................293
Compliance...........................................................................................................................................309
Customizing Zone Types......................................................................................................................314
Customizing Host Groups ....................................................................................................................316
Customizing Services ...........................................................................................................................318
Customizing Security Rating Settings ..................................................................................................320
Compliance Options .............................................................................................................................323
Customizing Risk Profiles

The AlgoSec Firewall Analyzer analyzes device configurations and reports security risks by using Risk
Profiles, each of which defines a set of security risk items and their severity levels.
By default, AFA uses the Standard Risk Profile for all devices. This built-in Risk Profile includes a set of
standard risk items, each of which represents an XQL query that AFA performs on the results of the device
simulation engine in order to detect risks. If desired, you can create custom Risk Profiles that include
different combinations of risk items, and you can change the severity level of each risk item. You can then
analyze each device with a different Risk Profile.
Note: AFA allows you to refresh an existing report using different Risk Profiles, without repeating the
complete AFA analysis cycle.
You can further customize Risk Profiles by defining custom risk items. Custom risk items allow you to
define more complex risks by composing the XQL query of your choice. For information on advanced
editing of custom risk items and composing XQL queries, see Appendix B: Importing Users and Devices
from a CSV File (page 374).
Viewing Risk Profiles

 To view a Risk Profile
3 Click the Compliance tab.
293
The Compliance tab appears, displaying the Risk Profiles sub-tab.
The Standard risk profile is loaded, and its risk items appear in the table. For information on the
columns, see Risk Profile Fields.
4 To load a different risk profile, in the Select risk profile drop-down list, select the desired risk profile.
The risk profile loads, and its risk items appear in the table.
Risk Profile Fields
Field Description
Code The risk item's code.
Risk Level The risk item's severity level:
 Low (brown)
 Medium (yellow)
 Suspected High (orange)
 High (red)
 Ignore (gray)
Note: When AFA detects a risk item that was marked Ignore, it will not list the risk in the
main page of the AFA report along with other detected risks. AFA lists ignored risks at
the very bottom of the Risk Assessment summary page where detected risks are
explained. This ensures that dangerous risks are not ignored erroneously.
Title The risk item's title.
From The source zone of connections specified by this risk item.
To The destination zone of connections specified by this risk item.
294
Chapter 11 Risk and Compliance
Field Description
Brand The device brand to which the risk item applies.
Adding Risk Profiles

You can add Risk Profiles in the following ways:
 By creating a new Risk Profile from scratch.
 By modifying an existing Risk Profile (such as the Standard Risk Profile) and saving it under a new
name.
 By importing a spreadsheet that specifies all safe traffic.
Creating New Risk Profiles from Scratch

 To create a new Risk Profile from scratch
1 View the currently loaded Risk Profile.
See Viewing Risk Profiles (page 293).
2 Click + Create new risk profile.
The New profile dialog box appears.
3 In the File name field, type a name for the new Risk Profile.
4 Click OK.
A new empty Risk Profile is created.
5 Customize the risk items as desired.
See Customizing Risk Items (page 300).
6 In the Risk profile notes field, type a description of the Risk Profile.
7 Click Save.
8 Click OK.
Creating New Risk Profiles from Existing Risk Profiles

 To create a new Risk Profile from an existing Risk Profile
1 View an existing Risk Profile on which you want to base the new Risk Profile.
4 Click Save as.
295
The Save as dialog box appears.
5 In the File name field, type a name for the Risk Profile.
The Risk Profile will be saved under the specified name with the file extension *.xml.
6 Click OK.
7 Click OK.
Creating New Risk Profiles from Spreadsheets that Specify Safe Traffic
AFA provides the ability to generate an Allowed Traffic Risk Profile using an excel spreadsheet that
specifies all the traffic you allow. AFA then creates a strict Risk Profile where all traffic not specified in the
spreadsheet is categorized as risks.
Note: When creating a new Risk Profile with a spreadsheet, the new risks will replace all non-standard risks.
Any risk that exists in AFA before the spreadsheet import, that is not part of the standard risk profile, will be
deleted.
 To create a new Risk Profile from a spreadsheet that specifies safe traffic
1 Create an excel spreadsheet that specifies safe traffic.
See Creating the Spreadsheet (page 296).
2 Upload the excel spreadsheet to AFA.
See Uploading the Spreadsheet (page 298).
Creating the Spreadsheet
 To create the spreadsheet:
2 Click Import from spreadsheet.
The Import risk profile dialog box appears.
3 Click Download sample spreadsheet.

The sample spreadsheet downloads to your computer.
4 Open the sample spreadsheet.
296
5 Save the spreadsheet with a new name in a relevant location.

6 Change the values in the spreadsheet to the values that describe the traffic that you allow, using the
following guidelines:
 Your spreadsheet must include the three sheets included in the sample spreadsheet: Traffic,
Networks, and Services.
 The Traffic sheet must describe all permitted traffic in the following manner:
1. The source network objects must be listed down the left column.
2. The destination network objects must be listed across the top row.
3. The service objects must be in the cell which intersects the source and the destination.
The Network and Service object names can use the following characters:
 lowercase letters
 uppercase letters
 digits
 underscore (_)
You can optionally use the following syntax to describe traffic:
 To specify all IP addresses that are not included in one of the specified network objects, type
"Other".
 To specify that all traffic is allowed from the source to the destination, type "Any".
 To specify that no traffic is allowed from the source to the destination, type "-" or "None".
 To specify that all services are allowed except for some service object serviceA, type "not
(serviceA)".
Notes: You must use group/object names. You may not enter IP addresses or services directly into
the Traffic sheet.
You can optionally add columns/rows or remove columns/rows from the sample table.
Object names are case sensitive.
Do not leave any cells empty.
 The Networks sheet must define the network objects used in the Traffic sheet in the following
manner:
1. The network object names must be listed down the left column.
2. The object definition(s) must be listed to in the same row as the network object names, in the
column(s) directly to the right.
The network objects can be defined using subnet notation (192.168.1.0/24) or range notation
(10.0.0.5-10.0.0.10).
You may list multiple subnets and ranges in a row (each subnet/range in its own cell) to assign
multiple values to a network object.
Notes: You can optionally add rows or remove rows from the sample table.
Object names are case sensitive.
 The Services sheet must define the service objects used in the Traffic sheet in the following manner:
297
1. The service object names must be listed down the left column.
2. The object definition(s) must be listed in the same row as the service object names, in the
column(s) directly to the right.
The service objects can be defined using protocol/port syntax or well known names such as SSH,
FTP, etc. (AlgoSec standard services).
You may list multiple services in a row (each service in its own cell) to assign multiple values to a
service object.
Note: Only TCP, UDP, and ICMP protocols are supported.
Uploading the Spreadsheet

 To upload the spreadsheet:
2 Click Import from spreadsheet.
The Import risk profile dialog box appears.
3 Click Browse.
4 Select the spreadsheet you created.
5 Click OK.
The spreadsheet is uploaded and AFA generates a new risk profile where all traffic that is not specified
in the excel spreadsheet is represented as a risk.
AFA optimizes the risks created for the traffic. Similar risks will be combined to create the fewest risks.
6 Click Save as.
The Save as dialog box appears.
7 In the File name field, type the name for the Risk Profile.
8 Click OK.
The Risk Profile is saved.
All the generated risks in this Risk Profile have a medium severity. You can modify the severity of risks
(this can be set in the original Excel) as you can modify any other risks. See Completing Adding or
Editing a Risk Item (page 305).
298
Retrieving the Spreadsheet

You can retrieve the original spreadsheet that was used to generate a Risk Profile.
Note: If changes were manually made to the Risk Profile in AFA, the spreadsheet will not reflect the current
risk profile.
 To retrieve the spreadsheet:

2 Click Download spreadsheet.
The spreadsheet downloads to your computer.
Editing Risk Profiles

Note: You cannot edit the Standard Risk Profile. However, you can use it as the basis for a new Risk Profile,
as described in Adding Risk Profiles (page 295). You can then select the new Risk Profile to be the default
Risk Profile for all future reports, by following the procedure Customizing Risk Profiles (page 293), and
configuring the Default risk profile field as described in General/Admin Options (page 325).
 To edit a Risk Profile

1 View the Risk Profile you want to edit.
4 Click Save.
5 Click OK.
Deleting Risk Profiles

Note: You cannot delete the Standard Risk Profile.
 To delete a Risk Profile

1 View the Risk Profile you want to delete.
2 Below the Risk Profile table, click .
3 Click OK.
4 Click OK.
299
Customizing Risk Items

This procedure can be used to do any of the following:
 Add custom risk items
 Edit custom risk items or standard risk items
 Duplicate risk items
 To add or edit a risk item
 To add a custom risk item that specifies a basic risk, click New > Basic risk, then continue at Basic
Risk, Risk with Destination Threshold, and Risk with Source Threshold (page 300).
 To add a custom risk item that specifies a service with a destination threshold, click New > Risk with
destination threshold, then continue at Basic Risk, Risk with Destination Threshold, and Risk with
Source Threshold (page 300).
 To add a custom risk item that specifies a service with a source threshold, click New > Risk with
source threshold, then continue at Basic Risk, Risk with Destination Threshold, and Risk with
Source Threshold (page 300).
 To add a custom risk item that specifies IP addresses, an IP address range, or a subnet, click New >
Risk with specific IP addresses, then continue at Risk with Specific IP Addresses and PCI Risks
(page 303).
 To add a custom risk item that refers to PCI zones, click New > PCI risk, then continue at Risk with
Specific IP Addresses and PCI Risks (page 303).
 To edit an existing risk item (whether a built-in risk item or a custom one), select the desired risk
item, then click Edit, then continue according to the relevant risk item type (Basic Risk, Risk with
Destination Threshold, and Risk with Source Threshold (page 300) or Risk with Specific IP
Addresses and PCI Risks (page 303).
 To duplicate an existing risk item
1 Select the desired risk item.
2 Click Duplicate.
3 Continue according to the relevant risk item type (Basic Risk, Risk with Destination Threshold, and
Risk with Source Threshold (page 300) or Risk with Specific IP Addresses and PCI Risks (page 303).
Basic Risk, Risk with Destination Threshold, and Risk with Source Threshold
When you select Basic Risk, or Risk with Destination Threshold or Risk with Source Threshold, different
fields are displayed. The following page displays a basic risk.
300
1 In the Risk Info area, do the following:

a) In the Title field, type a name for the risk.
b) In the Level field, choose the risk severity level.
The Template field displays the risk item's type, and the Code field displays the risk item's automatically
assigned code.
Note: If you created a new risk item, it is given a code starting with the letter "U" (for User-defined).
2 In the Risk query area, configure the relevant fields using the information in Risk Query Fields (page
302).
3 Continue at Completing Adding or Editing a Risk Item (page 305).
301
Risk Query Fields

From zone Choose the zone type representing from where the traffic you want to analyze is
coming.
This field is not relevant for PCI risk items and risk items based on IP addresses.
to zone Choose the zone type representing to where the traffic you want to analyze is going.
With service Select or create new services that are considered to be risky in this risk item.
When selecting a service, you can select AlgoSec pre-defined services, user-defined
services, or device-defined services. When a device-defined service is selected, AFA
imports the service from the device and creates a new user-defined service with the
same contents as the device-defined service. The new service's name is the
device-defined service's name with the prefix "algosec_".
If desired, you can define a new service group consisting of one or more services. For
information, see Customizing Services (page 318).
Trust VPN IP addresses Select this option to specify that VPN traffic should be excluded from this risk item
and not shown in the AFA report.
This option is enabled by default.
Threshold on Destination IP Type the threshold for the destination IP address.
address This field is only relevant for risk items based on thresholds.
Threshold on Source IP Type the threshold for the source IP address.
address This field is only relevant for risk items based on thresholds.
Auto Fill Click this button to load pre-defined values from a template to the Risk details area's
Assessment and Remedy fields.
Any existing values in these fields will be overwritten.
302
Risk with Specific IP Addresses and PCI Risks

When you select, Risk with IP Addresses or PCI Risk, different fields are displayed. The following page
displays a PCI risk.
1 In the Risk Info area, do the following:

a) In the Title field, type a name for the risk.
b) In the Level field, choose the risk severity level.
The Template field displays the risk item's type, and the Code field displays the risk item's automatically
assigned code.
Note: If you created a new risk item, it is given a code starting with the letter "U" (for User-defined).
303
2 In the Source field, do one of the following:

 Type the desired IP address.
Multiple IP addresses and IP address ranges must be separated by commas.
 To use a wizard to fill in the field:
1. Click Add beside the Source field.
The Select source dialog box appears.
2. Specify the desired source.

You can specify an individual IP address, a range of IP addresses, or a host group that is defined
on the device. If you want to specify a host group, you can search the defined names
alphabetically, or by using the search filter.
3. If you specified an individual IP address or a range of IP addresses, or if you specified a host
group and would like to import the host group's IP address definition, click Add IP addresses.
4. If you specified a host group and would like to import the host group's hostname, click Add host
group name.
If the host group is modified to include different IP addresses, the risk item will be updated
accordingly.
3 In the Destination or PCI zone field, do one of the following:
 Type the desired IP address.
Multiple IP addresses and IP address ranges must be separated by commas.
 To use a wizard to fill in the field:
304
1. Click Add next to the Destination or PCI zone field.

The Select destination dialog box is displayed.
2. Specify the desired destination or PCI zone.

You can specify an individual IP address, a range of IP addresses, or a host group that is defined
on the device. If you want to specify a host group, you can search the defined names
alphabetically, or by using the search filter.
3. If you specified an individual IP address or a range of IP addresses, or if you specified a host
group and would like to import the host group's IP address definition, click Add IP addresses.
4. If you specified a host group and would like to import the host group's hostname, click Add host
group name.
If the host group is modified to include different IP addresses, the risk item will be updated
accordingly.
4 In the with service field, select or create new services that are considered to be risky in this risk item.
When selecting a service, you can select AlgoSec pre-defined services, user-defined services, or
device-defined services. When a device-defined service is selected, AFA imports the service from the
device, and creates a new user-defined service with the same contents as the device-defined service. The
new service's name is the device-defined service's name with the prefix "algosec_".
If desired, you can define a new service. For information, see Customizing Services (page 318).
5 Continue at Completing Adding or Editing a Risk Item (page 305).
Completing Adding or Editing a Risk Item

1 Define the XQL query for this risk item, by doing the following:
a) Click Advanced.
305
The Advanced Query Editor opens.
b) Define the query as desired, while following the guidelines for the relevant risk item type.
c) For information, see Appendix C: Advanced Risk Item Editing (page 548).
d) Click OK.
Warning: Setting an invalid query format may cause analysis errors during future reports creation.
2 In the Risk details area, do the following:
a) In the Assessment field, type a description of the risk.
This description will be displayed in the AFA report when the risk item is triggered. Note that you
can write the text in any language.
The description can include keywords that link the risk item's assessment to other parts of the AFA
report. You can insert the keywords by typing them directly in the Assessment field, or by selecting
them from a list, as described in the next step. For a list of available keywords, see Assessment and
Remedy Keywords (page 553).
b) To select keywords from a list and insert them in the Assessment field, do the following:
1. Click Insert field in the Assessment field.
The Select a keyword dialog box opens.
306
2. Select a keyword relevant to the risk you are creating.

3. Click OK.
c) In the Remedy field, type a description of the remedy for the risk.
This description will be displayed in the AFA report when the risk item is triggered. Note that you
can write the text in any language.
The description can include keywords that link the risk item's remedy to other parts of the AFA
report. You can insert the keywords by typing them directly in the Remedy field, or by selecting
them from a list, as described in the next step. For a list of available keywords, see Assessment and
Remedy Keywords (page 553).
d) To select keywords from a list and insert them in the Remedy field, do the following:
1. Click Insert Field in the Remedy field.
The Select a keyword dialog box opens.
2. Select a keyword relevant to the risk you are creating.
3. Click OK.
e) In the Description field, type a general description of the risk, using language that is not tied to a
particular device.
This text appears in the Group report, if a device in the group has triggered the risk item.
f) In the Suppressed by field, specify codes of risk items that should cause this risk item not to appear
in AFA reports.
For example, the specific service "TCP on port 1234" is a specific case of the "ALL_TCP" service.
When the "ALL_TCP" service is allowed, you may want to suppress triggering of the "TCP on port
1234" service, since the "ALL_TCP" risk will already have been triggered. Suppressing new risks
helps avoid clutter and double-reporting. In this case, you would specify the following risk item
codes in this field:
 I02 (inbound ALL_TCP) for TCP services
 I03 (inbound ALL_UDP) for UDP service
g) To select risk item codes from a list and insert them in the Suppressed by field, do the following:
1. Click Select.
The Select a risk code dialog box opens.
307
2. Select a risk item code that should cause this risk item not to appear in AFA reports.
3. Click Add.
3 Click OK.
Deleting Risk Items

Note: You cannot delete risk items in a risk profile which is based on the Standard risk profile. However, you
can disable them. See Disabling Risk Items (page 308). Alternately, you can create a new, empty risk
profile, which is not based on the Standard risk profile. Then, you can create whatever risks you want.
Note: We recommend you do not delete any risks with the prefixes unnamed, or AlgoSec. Doing so may
damage a Risk Profile.
 To delete a custom risk item

2 In the Risk Profile table, select the desired custom risk item.
3 Click Delete.
4 Click OK.
The risk item is deleted.
Disabling Risk Items

You can disable any risk item. A disabled risk item will be ignored by AFA.
Note: We recommend you do not disable any risks with the prefixes unnamed, or AlgoSec. Doing so may
damage a Risk Profile.
 To disable a risk item

2 Select the desired risk item, then click Edit.
New fields appear.
3 In the Level field, choose Ignore.
4 Click OK.
Setting Risk and Compliance Options

 To set the Default Risk Profile
3 The Administration page appears, displaying the Options tab.
4 In the Risk and Compliance Options section, select the Default risk profile used to generate reports from
the drop-down list.
308
5 Click OK.
 To set the Trust Private IP Address Option
3 The Administration page appears, displaying the Options tab.
4 In the Risk and Compliance Options section, select Trust private IP addresses. By selecting this option
you specify that traffic from non-routable private IP addresses will not trigger risks.
By default AFA treats private IP addresses like 10.0.0.1 as non-threatening. Since these IP addresses are
not routed on the public Internet, they are typically used by machines that are owned by your corporation
- so traffic coming from such IP addresses will not be considered a risk by AFA. To learn about private
IP addresses and standards (RFC1918) go here: http://www.faqs.org/rfcs/rfc1918.html . However, there
are situations in which you need to change this default behavior, and instruct AFA to treat private IP
addresses just like it treats any other IP addresses - i.e., as posing a threat to your networks.
5 Click OK.
Private IP addresses will not be labeled as risks on the AFA report.
Note: This setting will only take effect in future reports that you generate.
Compliance
These are the regulatory standards for which AFA provides regulatory compliance reports.
Regulatory Standards Supported by AFA
Standard Description
US Centric
SOX Required for publicly traded companies on US markets.
NERC CIP v3, v4, v5 Required for Power manufacturing and distribution, including Oil, Gas and Nuclear. The
customer may choose to analyze against either v3, v4 or v5 of the NERC CIP standards, to
evaluate readiness for future standard deadlines.
HIPAA Required for protecting patient data in US healthcare companies.
NIST SP 800-53 Required by US DoD. This report uses the National Institute of Standards and Technology
(NIST) Security and Privacy Controls for Federal Information Systems and Organizations,
Revision 4 (April 2013).
NIST SP 800-41 Required by US DoD. This report uses the National Institute of Standards and Technology
(NIST) Guidelines on Firewalls and Firewall Policy, Revision 1 (Sep 2009).
GLBA Consumer identity safety requirements for US companies.
Europe Centric
ISO/IEC 27001 ISO/IEC 27001 formally specifies an Information Security Management System (ISMS), a
suite of activities concerning the management of information security risks.
Basel-II This addresses the Basel Committee on Banking Supervision's framework International
Convergence of Capital Measurement and Capital Standards (June 2006).
309
Standard Description
Global
PCI DSS 3.0 The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage
and enhance cardholder data security and facilitate the broad adoption of consistent data
security measures globally. PCI DSS provides a baseline of technical and operational
requirements designed to protect cardholder data.
Australia Centric
ASD-ISM Firewall configuration guidelines from Australian Government.
Japan Centric
J-SOX Japanese version of SOX.
Singapore Centric
MAS-TRM Guidelines for information security for Singapore operating banks published by the
government banking regulator.
 To choose which Regulatory Compliance reports to include in the device analysis

4 The Compliance page appears, displaying the Risk Profiles sub-tab.
5 Click the Compliance Options sub-tab.
6 In the Risk and Compliance Options area, click Select.
The Regulatory Compliance Reports dialog box appears.
7 Select the relevant reports to be included in device reports.
310
8 Click Save.
Note: When upgrading AFA, any newly supported reports will be enabled automatically.
Customizing the Compliance Score Value

AFA reports' Regulatory Compliance page displays a compliance score which indicates the device's degree
of compliance with each compliance report.
AFA calculates the compliance score with the following formula:
Compliance score = (X1 + WX2)/(X1 + X2 + X3)
The following table explains the variables:
Compliance Score Variables
This variable... Represents...

X1 The total number of requirements in the compliance report for which the device policy is
compliant. Each of these requirements have a status.
X2 The total number of requirements in the compliance report for which additional
information or manual verification is necessary for the device policy to meet the
requirement. Each of these requirements have a status.
X3 The total number of requirements in the compliance report for which the device policy is
not compliant. Each of these requirements has an status.
W The weight of the number of requirements for which additional information or manual
verification is necessary to meet the requirement.
The default value is 0.5.
You can customize the compliance score value by changing the value of the "W" variable.
 To customize the compliance score value
3 Click the Advanced Configuration tab.
311
4 Click Add.
5 In the Name field, type Compliance_Score_Star_Weight.

6 In the Value field, type the value you wish to assign to the "W" variable.
7 Click OK.
8 Click OK.
Customizing the Compliance Score Severity Thresholds

AFA provides the ability to customize the compliance score severity thresholds. By default, a bad score is
55% and below (red), a moderate score is between 55% and 70% (yellow), and a good score is 70% and
above (green).
 To customize the compliance score severity thresholds
312
4 Click Add.
5 In the Name field, type Compliance_Score_Max_Red.

6 In the Value field, type the maximum value for a bad score.
For example, if you want a score of 60% and below to be a bad score, type 60.
7 Click OK.
8 Again, click Add.
9 In the Name field, type Compliance_Score_Min_Green.
10 In the Value field, type the maximum value for a good score.
For example, if you want a score of 80% and above to be a good score, type 80.
11 Click OK.
313
12 Click OK.
Customizing Zone Types

AFA includes the following default zone types:
Default Zone Types
Zone Type Color Description Example

External Red Represents network zones that are directly The "Outside" zone is assigned
connected to the Internet. to this zone type.
Internal Blue Represents network zones that are not The "Inside" zone is assigned to
connected to the Internet. this zone type.
DMZ Orange Represents the DMZ (Demilitarized Zone). The "DMZ" zone is assigned to
this zone type.
When customizing the network topology, you assign each of the network's zones to a zone type. The zone is
then represented in the zone type's color in all AFA diagrams and reports.
If desired, you can define additional zone types. Configuring user-defined zone types enables you to tailor
risk profiles to your exact network topology.
Adding and Editing Zone Types

 To add or edit a zone type
4 Click .
314
The Edit and define zone types page appears.

 To add a new zone type, click New.
 To edit an existing zone type, select the desired zone type and click Edit.
The Add New Zone Type or Edit Zone Type dialog box appears.

7 Click OK.
Zone Type Fields

Name Type the zone type's name.
This field is read-only when editing a zone.
Color Select a color to represent the zone type.
Like Select an existing zone type from which this zone type should inherit its settings. You
can then override the inherited settings as desired.
This field is read-only when editing a zone.
Automatically create Select this option to automatically use the Standard Risk Profile for the zone.
standard risks for the new This field appears only when adding a new zone.
zone type
315
Deleting Zone Types

Note: You cannot delete a zone type, if it appears in a defined device's topology.
 To delete a zone type

4 Click .
The Edit and define zone types page appears.
5 Select the desired zone type and click Delete.
6 Click OK.
The zone type is deleted.
Customizing Host Groups

You can define host groups that can be used when performing such tasks as running traffic simulation
queries on the device and or configuring the trusted traffic you want to view.
Adding and Editing Host Groups

 To add or edit a host group
4 Click .
316
The Edit ans define hostgroups page appears.

 To add a new host group, click New.
 To edit an existing host group, select the check box next to the desired host group and then click Edit.
The New Hostgroup dialog box appears.
6 In the Name field, type a name for the host group.

7 In the IP Addresses field, type the IP address or IP address range that the host group represents.
8 Click OK.
The new host group appears in the list.
Deleting Host Groups

 To delete a host group
4 Click .
The Edit and define hostgroups page appears.
5 Select the check box next to the desired host group and then click Delete.
317

6 Click OK.
The host group is deleted.
Customizing Services
You can define custom service groups consisting of one or more services. Once defined, these service
groups will be available for selection when performing such tasks as running traffic simulation queries on
the device and or configuring the trusted traffic you want to view.
Adding and Editing Service Groups

Note: To define a single custom service, add a service group that contains only the desired service.
 To add or edit a service group

4 Click .
The User-defined Services window appears.

 To add a new service, click Add.
 To edit an existing service, select the service and then click Edit.
318
The New Service Group / Edit Service Group dialog box appears.
6 In the Service group name field, type the service group's name.
7 To add a service to the group, do the following:
a) If this is not the first service to be added to the group, click New Member.
b) Complete the fields using the information in the following table.
8 To remove a service from the group, select the service in the Service group members list box, then click
Remove.
9 Click Save.
10 Click OK.
11 Click X to close.
Service Fields

Protocol Select the service's protocol.
Destination port Type the destination port range.
Source port Type the source port range.
Deleting Service Groups

 To delete a service group
4 Click .
319
The User-defined Services window appears.

5 Select the desired service and click Delete.
6 Click OK.
The service is deleted.
7 Click Close.
Customizing Security Rating Settings

Note: The Security Rating is calculated as the ratio of number of risks detected vs. the number of risks
searched for. Because the total number of risks searched for on each device is not static, it is possible for a
device with more risks to have a higher security rating than a device with fewer risks. If a device has
multiple interfaces and some are configured as Internal, some as External, and some as DMZ, more risks
will be searched for than on a device with only an Internal and External interface. Also, some risks are
defined only for specific device vendors.
AFA reports' Home and Risks pages display a security rating, which indicates the device's degree of
compliance with security standards.
AFA calculates the security rating with the following formula:
Security rating = 100 x (1 - (W1X1 + W2X2 + W3X3 + W4X4) / (W1T1 + W2T2 + W3T3 + W4T4))
320
The following table explains the variables:

Security Rating Variables
This variable... Represents...
W1 The weight of High risks.

W2 The weight of Suspected High risks.

W3 The weight of Medium risks.

W4 The weight of Low risks.

X1 The number of High risks detected in the current device policy.
X2 The number of Suspected High risks detected in the current device policy.
X3 The number of Medium risks detected in the current device policy.
X4 The number of Low risks detected in the current device policy.
T1 The maximum number of High risks possible for the device, as determined by
the device's brand and topology.
T2 The maximum number of Suspected High risks possible for the device, as
determined by the device's brand and topology.
T3 The maximum number of Medium risks possible for the device, as determined
by the device's brand and topology.
T4 The maximum number of Low risks possible for the device, as determined by
the device's brand and topology.
Note: Group report security ratings are not a simple average of individual report scores. They are calculated
from the union of all possible risks (across all reports) in the denominator, and the union of all detected risks
in the numerator, where each risk can appear at most once. Since there are risk items that are specific to one
vendor and not to others, and the user can configure different risk profiles on different devices, the group
score could be either higher or lower than the simple average of the individual devices. In addition, some
risks have a suppressed by field. If suppressed they will not be counted as part of the possible risks.
You can customize the security rating settings by changing the weight assigned to each type of risk. In
addition, you can customize the security rating bar's appearance in reports, as well as the number of days
included in the Security Rating Trend graph in the Risks page of reports.
321
 To customize security rating settings

4 Click .
The Security Rating Settings dialog box appears.

6 Click OK.
Security Rating Settings Fields

Days in Trend Graph Type the number of days to include in the Security Rating Trend graph in the Risks page
of reports.
The default value is 180 days.
Low Breakpoint Type a number representing the point on the security ratings bar where red and yellow
should meet, if the leftmost end of the bar is 0 and the rightmost end is 100.
High Breakpoint Type a number representing the point on the security ratings bar where yellow and green
should meet, if the leftmost end of the bar is 0 and the rightmost end is 100.
Formula Weights Enter the desired weight for each risk type.
322
Compliance Options
Use the Compliance Options sub-tab to set the following options.
Compliance Fields

Default risk profile Select the default Risk Profile used to generate reports.
Trust private IP addresses Select this option to specify that traffic from non-routable private IP addresses should
not trigger risks.
Regulatory compliance Select the regulatory compliance reports to be included in device reports, by clicking
reports to be included in the Select, selecting the relevant reports, and clicking Save.
device analysis Note: When upgrading AFA, any newly supported reports will automatically be enabled.
323
CHAPTER 12
Administration Options Settings

In This Chapter
General/Admin Options .......................................................................................................................325
Language ..............................................................................................................................................326
Display .................................................................................................................................................326
Log Analysis ........................................................................................................................................329
Proxy ....................................................................................................................................................330
Mail ......................................................................................................................................................331
Storage..................................................................................................................................................332
Workflow .............................................................................................................................................335
Authentication ......................................................................................................................................340
Backup and Restore ..............................................................................................................................341
Advanced Configuration ......................................................................................................................346
This section describes all the Administration Options Settings.
 To set additional Options Menu settings
3 Access the desired configuration options, by clicking the relevant sub-tab in the Options Menu area.
4 After changing a set of options, click OK.
Note: AFA preferences, as well as other information, are stored in the .fa directory in the user's home
directory.
When domains are enabled, and you are logged in to a specific domain interface, only the following options
are available for configuration: General, Web GUI, Authentication, Log Analysis, and Workflow.
When domains are enabled, and you are logged in to the management interface, only the following options
are available for configuration: Language, Web GUI, Proxy, Mail, Storage, Authentication, and Backup.
Changes to the Web GUI and Authentication settings will affect the management interface only. Changes to
the Proxy, Mail, Storage, Backup, and Workflow options will affect all domains.
When domains are not enabled, all of the options are available for configuration. For information on
domains, see Enabling Domains (page 33).
324
Chapter 12 Administration Options Settings
General/Admin Options
Use the General tab to set the following options.
General Fields

Comprehensive mode - Select this option to specify that AFA should analyze all of the services defined on the
analyze every service device, and not only the ones relevant for risks.
defined on the device (slow) Selecting this option results in more comprehensive information in the reports' Policy
tab, and specifically when comparing different reports.
Note: Checking this option will result in longer analysis time and will require more disk
space.
With IP address name Select this option to add the DNS name next to any IP address shown in the report, if a
lookups (slow) DNS name exists. This functionality requires the AFA machine to be connected to the
network and configured to use a name server.
If you want analysis to run faster, clear this option.
Include traffic changes Select this option to specify that the Changes report page should include the calculated
analysis in Change History changes in allowed traffic, (in addition to its regular content).
(slow) If you want analysis to run faster, clear this option.
Timed rules: only apply Select this option to specify that time-dependant rules should only be applied if they are
rules active at analysis time active when AFA analysis is performed. This is relevant to policy optimization criteria.
Use public key Select this option to use public key authentication in SSH connections to the Check
authentication in data Point management station and to Juniper Netscreen devices or NSMs.
collection Note: When configuring a device, the Data collection setup wizard's Password field
must contain the local private key passphrase.
Simulation timeout Type the maximum amount of time in seconds that a query can run.
(seconds)
Data collection timeout Type the amount of time in seconds that the device analyzer should wait for the
(seconds) device's reaction before aborting communications.
If you encounter timeout problems, increase this value.
Days before expiration alerts Type the number of days before a device rule or VPN user expires, so that AFA can
send a notification to users who are configured to receive such notifications.
Report rules whose Select whether you want to find rules whose comments match a regular expression, or
comment field rules whose comments do not match a regular expression.Then type a regular
expression describing a format for a rule comment.
For example, if you select does not match, and then type a regular expression that
defines the required format of a rule comment, you can detect non-compliant rule
comments. For more information concerning non-compliant rule comments detection,
see the AlgoSec Firewall Analyzer User Guide, .
Click on the Details button for more information and examples of regular expressions.
If this field is left empty, rule comment detection will be disabled.
325

Run device analysis Select Only if the policy/topology changed to specify that if a policy is detected as
unchanged during a scheduled analysis, then AFA should not run a full report, but
instead create an unchanged report that links to the last report for the policy.
Select Always to specify that AFA will always run a full analysis, regardless of whether
the policy has changed or not.
Note: Selecting the Always option will result in longer analysis time and will require
more disk space.
Language
Language options are available in the Language tab.
Use the Language tab to choose the language in which reports' risk titles are displayed. Currently only
English and Japanese are supported.
Display
Web interface options are available in the Display tab.
326
Use the Display page to set the following options.
Display Fields

Session timeout (minutes) Type the number of minutes of inactivity, before a user is logged out of the Web
interface.
Enable Custom Logo Select this option to add a custom logo to the top right corner of every page of the AFA,
FireFlow and BusinessFlow Web Interfaces, as well as AFA reports. For more
information, see Adding a Custom Logo.
Adding a Custom Logo

You can add a custom logo to the top right corner of every page of the AlgoSec Firewall Analyzer, FireFlow
and BusinessFlow Web Interfaces.
Note: Additionally, the logo will appear on all new AFA reports. Existing reports will not change.
 To add a custom logo

1 Create a logo file.
The file must be in GIF, JPG, or PNG format, and it must be 115 pixels in width and 50 pixels in height.
It is important to use these exact dimensions, so that the logo image is not distorted.
327
4 Click the Display tab.

The Display page appears.
5 Select the Enable Custom Logo check box.

6 Click Browse and navigate to the custom logo file.
7 Click Open.
8 Click OK.
The custom logo is uploaded.
Click OK.
 To remove a custom logo

3 Click the Display tab.
The Display page appears.
4 Clear the Enable Custom Logo check box.
5 Click OK.
The custom logo is removed.
328
Log Analysis
Log analysis options are available in the Log Analysis tab.
Use the Log Analysis tab to set the following options.
Log Analysis Fields

Use log starting N days Type the number of days before a report date to specify how far back you want to use log
before the report date data when generating AFA reports.
For example, if you set this field to 180, AFA will use all logs generated between 180
days before the report date and the actual report date, when creating the report.
Timeout for log analysis is Type the maximum amount of time in minutes for log analyses to run.
N minutes
Define log collection for Click Define to define log collection for BusinessFlow Discovery. See the AlgoSec
selected devices BusinessFlow User Guide for more information.
329
Proxy
Proxy options are available in the Proxy tab.
Use the Proxy tab to set the following options. Contact your local network administrator if you do not know
the proxy settings in your organization.
Proxy Fields

Use proxy server Select this option to specify that a proxy server is used to access the Internet. This is
relevant for the following situations:
 You want to connect to cloud devices defined in AFA (such as AWS or Azure) via
a proxy server.
 You want to validate your AFA "Online" license via a proxy server. Defining the
proxy server enables AFA to access the license server.
Note: This only applies if you received an "Online" license from AlgoSec.
Note: Only one proxy server can be defined.
Proxy Type the proxy server's IP address.
Port Type the port number used by the proxy server.
Use proxy authentication Select this option if the proxy server requires authentication.
If you select this option, you must complete the Username and Password fields.
Username Type the username to use for authenticating to the proxy server.
Password Type the password to use for authenticating to the proxy server.
330
Mail
Mail server options are available in the Mail tab.
Use the Mail tab to configure a mail server for sending automatic e-mail notifications. Refer to Configuring
Mail Server Settings (page 290).
331
Storage
AFA storage options are available in the Storage tab.
Use this tab to specify whether AFA should delete old reports. See Configuring Remote Report Storage, if
you want to configure AFA to store reports on a remote backup server.
Managing AFA Storage

Each AFA report may consume significant amounts of storage (about 75 MB* per report on average, though
this can greatly vary). For example, if you have four devices whose policies are changed and analyzed daily,
then AFA reports will consume about 4x75 = 300 MB per day, 7x4x75 = 2.1 GB per week. Therefore, you
would require an empty 150 GB disk in order to store 70 weeks worth of reports. For additional provisioning
examples, see Capacity Planning for Your AFA Server (page 18).
To enable you to efficiently manage your available disk space, and to prevent an overload of data on the
AFA server, AFA offers the following report storage and cleanup options:
 Report storage on the AFA server. By default, each time a report is generated it is automatically stored on
the AFA server.
 Report storage on a remote server. You can configure AFA to send all reports to a remote server. This
option can be scheduled to run automatically.
 Cleanup of old reports. You can configure AFA to delete old reports that are stored on the AFA server.
This option can be scheduled to run automatically or triggered manually as needed.
332
Note: AFA checks the amount of local disk space remaining after running each report. If the remaining space
is less than 10 GB, or if more than 95% of the disk is already used, AFA sends a warning e-mail to the users
configured to receive Administrative or Error messages (see Setting up E-mail Notification (page 291)). In
addition, AFA also sends warning Syslog messages (See Configuring Notification via Syslog Messages in the
AlgoSec Firewall Analyzer User Guide).
Note: Storage requirements are affected by the Run analysis only when policy is changed checkbox, in the
AFA general settings (see General/Admin Options (page 325)). When this option is selected, AFA will not
create a report unless the policy has changed, thereby saving both storage and CPU time.
Keeping this option selected ensures that AFA runs a full scheduled analysis only when the device policy
differs from the one analyzed in the most recent report. This saves both the CPU time needed to produce a
report and the disk space needed to store the report.
Configuring Report Cleanup

 To configure report cleanup
3 Click Storage.
333
The Storage tab appears.
4 Complete the fields using the information in Storage Fields (page 334).
5 Click OK.
6 To delete any reports that meet the deletion criteria immediately, rather than wait until the next
scheduled clean-up time, do the following:
a) Click Clean-up now.
b) Click OK.
Storage Fields

Delete reports older than Select this option to enable automatic deletion of reports older than a specified number
of days, then type the number of days after which reports should be deleted.
Leave one report per month Click this option to specify that each month AFA automatically deletes all reports,
for each firewall except for the most recent successful report for each device, for audit purposes.
Leave one report per quarter Click this option to specify that each quarter AFA automatically deletes all reports,
for each firewall except for the most recent successful report for each device, for audit purposes.
Delete all old reports Click this option to specify that AFA should delete all reports that have reached the age
specified in the Delete reports older than field.
Run the clean-up job daily at Use the drop-down lists to specify the time at which AFA should perform automatic
deletion each day.
Note: When remote storage is configured, this field also controls the schedule for
sending reports to the remote server. When AFA backup is configured, this field also
controls the schedule for automatic backup.
Retain change history for Type the number of days that AFA should retain change history.
(The change history will appear in the Change History report and in the AFA Monitoring
334

tab.)
Workflow
Define the parameters for integration with an external corporate Change Management System (CMS) using
the Workflow tab. AFA can connect to AlgoSec FireFlow, BMC Remedy, HP ServiceCenter (ServiceNow),
or any other system supporting Web-based access.
When implementing a requested change in the device, many organizations choose to specify a CMS ticket
ID in the relevant rule comment. AFA will automatically detect such CMS ticket IDs in rule comments.
Wherever a rule is displayed in the AFA report, its comment will include a link to the CMS system, pointing
at the relevant ticket. By a simple click on the link, a browser window with the relevant CMS ticket will
open, to allow further examination of the change (who requested it, who authorized it and when, etc.).
 Change Request ID Format
This option is relevent for all Workfllow types. This option allows you to define a format to which the
device rule comments must comply so AlgoSec recognizes them as containing a change request id. Only
properly formatted rule comments will be linked to the CMS change request.
AFA will look for the following format in the rule comments:
<Before><Chang_Request_id><After>
Where <Before> and <After> are fixed strings, and <Change _Request_id> is a Perl regular expression
(see note below).
Example
Field Input
Before Change Request #
Change Request id \d+
After #
This comment will become a link: 'Change Request #1234#'. This comment will not become a link:
'Change Request 1234#' , because <Before> is not equal to 'Change Request #'.
Note: The required Change_Request_id format must be specified as a Perl regular expression. You can
find tutorials on writing regular expressions on the Internet.
Here are some examples of the type of things you can accomplish:
\d represents a digit, \s represents a space, \w - an alphanumeric character.
Examples:
\d\d\d\d-\d\d - comments must contain a chnage request number like 1234-56
\d\d-\d\d-\d\d\d\d - comments must contain a date like 01-01-2007
[A-Z]{2}\s*\d+ - comments must contain two capital letters, then zero or more spaces, then one or
more digits (e.g. "AK 123")
335
 AlgoSec FireFlow
If you use AlgoSec FireFlow, select AlgoSec Fireflow in the Workflow tab to fill in FireFlow-specific
parameters.
 Server: Name of the AlgoSec FireFlow server to be accessed (usually the AFA server).
 URL Template: The structure of the URL that will be created for change request ID links in AFA
reports. The following keywords will be replaced by the relevant values: __SERVER_NAME__ and
_REQUEST_ID__.
Click the Show Full URL button to see the resulting URL string.
336
 BMC Remedy
If you use a BMC Remedy Change Management System, select BMC Remedy in the Workflow tab to fill
in Remedy-specific parameters.
Fill in the different fields, in order to allow AFA to create the correct links. The format of a typical URL
to a Remedy change request is as follows:
<protocol>://<mid_tier_server>/arsys/servlet/ViewFormServlet?server=<server
_name>&form=<form_name>&qual=<query>
Where:
 <protocol>: may be either http or https
 <mid_tier_server>: (required) - the server name or IP where the Mid Tier is installed. May
contain an optional port number, format: 192.168.2.60:8080
 <server_name>: (required) - Name of the AR System server to be accessed.
 <form>: (required) - Name of the AR System form to be accessed.
Example:
If the parameters are:
 Mid Tier Server: 192.168.2.60:8080 (Host: 192.168.2.60, Port: 8080),
Server: remedy (this is its DNS name)
Form: Sample
URL Template: kept at the AlgoSec default.
Then the fully formatted URL for change request id 12345 would look like this (all on one row):
http://192.168.2.60:8080/arsys/servlet/ViewFormServlet?server=remedy&form=Sample&qual=%27C
hange%20ID%2A%2B%27%3D%2212345%22
337
The URL template that AFA uses can be viewed and edited in the URL Template field. It contains the
structure of the URL that will be created for change request ID links in AFA reports. You may change
this field to specify the URL format explicitly (over-ride the defaults). The following keywords will be
replaced by the relevant values: __SERVER_NAME__, __MID_TIER_SERVER__,
__FORM_NAME__, __REQUEST_ID__.
Click Show Full URL to see the resulting URL string.
 HP ServiceCenter (formerly Peregrine)
If you use a HP ServiceCenter (formerly Peregrine) Change Management System, select HP
ServiceCenter (Peregrine) in the Workflow tab to fill in ServiceCenter-specific parameters.
Fill in the different fields, in order to allow AFA to create the correct links. The format of a typical URL
to an HP ServiceCenter change request is as follows:
protocol://<server>/sc/index.do?ctx=docEngine&file=<file>&query=<query>&act
ion=&title=Ticket%20Information
Where:
 <protocol>: may be either http or https
 <server>: The HP ServiceCenter (Peregrine) server (name or IP address)
 <file>: The table name
 <query>: Format of the actual query string, e.g. number="__REQUEST_ID__" or
incident.id="__REQUEST_ID__"
The string "__REQUEST_ID__" must appear in the query, and will be replaced by the actual request ID
in the final link URL.
The URL template that AFA uses can be viewed and edited in the URL Template field. It contains the
structure of the URL that will be created for change request ID links in AFA reports. You may change
this field to specify the URL format explicitly (over-ride the defaults). The following keywords will be
replaced by the relevant values: __SERVER_NAME__, __FILE_NAME__, __QUERY__.
Click Show Full URL to see the resulting URL string.
338
Note: Some versions of HP ServiceCenter may require the URL to contain a hash value in addition to the
query itself. In order to integrate with AFA, this option should be disabled.
In order to configure the Web application to ignore this hash value in ServiceCenter version 6.x and
below, add the following lines to the Web application's web.xml file:
<init-param>
<param-name>sc.querysecurity</param-name>
<param-value>false</param-value>
</init-param>
In HP Service Manager version 9.2 and above, add the following lines to the Web application's
web.xml file om the Service Manager server:
<init-param>
<param-name>querySecurity</param-name>
<param-value>false</param-value>
</init-param>
In addition, you must add the following line to the sm.ini file:
querysecurity:0
 Other
If you use any other CMS system, which supports Web-access, choose Other.
 Server: Name of the HP ServiceCenter server to be accessed.

 URL Template: The structure of the URL that will be created for change request ID links in AFA
reports. The following keywords will be replaced by the relevant values: __SERVER_NAME__,
__REQUEST_ID__.
Click the Show Full URL button to see the resulting URL string.
339
Authentication
User authentication options are available in the Authentication tab.
Use the Authentication tab to configure the methods AFA uses for authenticating users. Refer to
Configuring User Authentication (page 259) for more details.
340
Backup and Restore

Backup and Restore options are available in the Administration > Options > Backup/Restore sub-tab.
Use the Backup/Restore tab to back up the AlgoSec Security Management Suite configuration, including
device change history, logs, and reports, to an archive (*.tar) file on your computer or a remote backup
server. You can then use the backup file to restore the AlgoSec Security Management Suite's configuration
as needed.
Backup can be scheduled to run automatically or triggered manually as needed.
Refer to Restoring the AFA Configuration (page 344) for more details.
Note: When you choose to save backup files to a local machine and to use the existing path, "afa" user
should have permissions to access this path.
Note: Backing up the AFA Configuration backs up the entire AlgoSec Security Management Suite.
341
Backing Up the AlgoSec Suite

Note: You can only restore the AlgoSec Suite to the same version from which the backup was taken. Make
sure you perform any necessary upgrades before backing up the server.
 To back up the AlgoSec Suite

The Administration page is appears, displaying the Options tab.
3 Click the Backup/Restore sub-tab.
The Backup/Restore page appears.
4 Specify the backup server in the Backup Server area, using the information in Backup Server Fields
(page 343).
Note: When remote report storage is configured, the same server is used for storing reports.
5 To schedule automatic backups, do the following:
Note: When report cleanup is configured, the same schedule is used for report cleanup.
Note: When remote report storage is configured, the same schedule is used for sending reports to the
remote server.
342
a) In the Backup Scheduler area, select Schedule Backup.

b) Complete the fields using the information in Backup Configuration Fields (page 344).
c) Click OK.
The backup schedule is saved.
6 To perform a backup immediately, do the following:
a) Click Backup now.
The Backup configuration dialog box appears.
b) Complete the fields using the information in Backup Configuration Fields (page 344).
c) Click Back Up Now.
The AlgoSec Suite is backed up.
 To backup via the CLI
2 Run the following:
backup_restore
3 Follow instructions.
Backup Server Fields

Back up via Select FTP, SFTP or Local to specify how to send backups.
Backup Server name Type the name of the server to which to send the backups.
This is not relevant for local backups.
Username Type the username to use to access the backup server.
Password Type the password to use with the username.
Note: When using SFTP, public key authentication is supported. In this case, enter the
private key's passphrase in this field.
Path Type the path to the directory within which to store the backups.
343
Backup Configuration Fields

Include device change Select this option to include the device change history in the backup.
history For information on configuring the number of days for AFA to keep a change in its
history, see Configuring Report Cleanup (page 333).
Include traffic logs Select this option to include the traffic and audit logs in the backup.
Include reports Select this option to include reports in the backup.

When selecting this option for scheduled backups, all existing reports that were created
since the last successful scheduled backup are always included.
For immediate backups, all existing reports are included, or you can specify to include
only the most recent successful report for each device. Including all existing reports
may require a significant amount of disk space.
Only include last successful Select this option to include only the last successful report for each device.
report per device This option is only available when performing an immediate backup.
Encrypt backup files Select this option to configure encryption for the backup file.
Selecting this option causes the Password and Retype password fields to appear.
Password/Retype password Type and retype the password for accessing the backup file.
Important: Write down your password and keep it in a safe location. Your password is
not stored in AFA or on the backup server, and therefore it cannot be retrieved if you
lose it.
Scheduling Options Specify the period (eveyrday, week, or month) and time for the backup.
This is only relevant for scheduled backups.
Restoring the AlgoSec Suite

Important: Restoring the AlgoSec Suite will replace all existing users, devices, and configurations with those
specified in the backup file.
Note: You can only restore the AlgoSec Suite using a backup of the same version currently running in the
environment. For example, a backup of a v6.9 environment can only be restored to a server running v6.9. If
necessary, make sure to restore your environment before upgrading.
 To restore the AlgoSec Suite

The Administration page appears displaying the Options tab.
3 Click the Backup/Restore sub-tab.
The Backup/Restore page appears.
4 Click Restore now.
344
The Restore configuration dialog box opens.
5 Complete the fields using the information in Restore Fields (page 345).
6 Click Restore Now.
7 Click YES.
The AlgoSec Suite is restored from the selected backup file.
8 Click OK.
Restore Fields

File name Select the desired backup file.
Backup file requires Select this option to specify that the selected backup file is encrypted.
password The Password field appears.
Password Type the password for accessing the backup file.
R
345
Advanced Configuration
The Advanced Configuration tab provides the ability to set advanced configuration parameters.
1 Click Add.
2 In the Name field, type the name of the configuration parameter you want to set.
3 In the Value field, type the value to which you want to set the parameter.
4 Click OK.
346
Enabling/Disabling Custom Report Pages

Creating and installing a custom report page (as described in Creating a Custom Report Page in the AlgoSec
Firewall Analyzer User Guide) automatically enables custom report pages. If desired, you can disable
custom report pages, using the following procedure. The custom report page will no longer appear in AFA
reports.
 To enable/disable custom report pages
3 Click the Advanced Configuration sub-tab.
4 Click Add.
5 In the Name field, type Use_Custom_Report.
347
6 In the Value field, do one of the following:

 Type no to disable custom report pages.
 Type yes to enable custom report pages.
7 Click OK.
8 Click OK.
Setting the Chart Threshold Value Configuration Item

For more information about custom charts, see Configuring a Custom Chart in the AlgoSec Firewall Analyzer
User Guide.
Note: Changing this configuration item will affect all charts of the type condition. This includes the
built-in compliance charts. By default, this parameter is set to 23.
 To set the Chart_Threshold_Val configuration item

4 Click Add.
348
5 In the Name field, type Chart_Threshold_Val.

6 In the Value field, type the threshold you want for your chart(s).
7 Click OK.
8 Click OK.
Setting the Default Dashboard

When you log in to AFA, the default dashboard is displayed in the workspace. By default, the default
dashboard is the Optimizations dashboard. To change the default dashboard, complete the following
procedure.
 To set the default dashboard
349
Securing the AFA Server

4 Click Add.
5 In the Name field, type default_dashboard.

6 In the Value field, do one of the following:
 Type the name of the XML file describing the dashboard that you wish to be the default.
For example, type compliance.xml to set the compliance dashboard as the default dashboard.
 Type none to specify no dashboard should load at login.
7 Click OK.
8 Click OK.
350
Chapter 12 Securing the AFA Server
The AFA server stores sensitive information about your device policies. Therefore, you may wish to secure,
or "harden", the Linux machine on which the AFA software is running. The AlgoSec Hardware Appliance is
already hardened, and is a recommended option for environments requiring high security.
You may wish to place the AFA server in a special zone behind one of your devices, and write very
restricted policy rules to control the access to the AFA server. You may also wish to activate the default
device ("iptables"/"netfilter") that is pre-installed on most Linux computers, and configure it to allow only
the necessary access.
The following sections describe the traffic AFA requires (to and from the AFA server), as well as
information for tightening the Linux Operating system itself.
Network Connectivity to the AFA Server

Inbound connectivity, from other computers to the AFA server, should be very limited. The only
requirement is that your team's computers should be able to browse the AFA reports via the internal Apache
Web server. The internal Apache server is configured to serve pages using SSL (HTTPS), and it listens on
port TCP/443. The TCP/80 port can be closed.
If you want remote access to the AFA machine, the recommended method is via SSH: You should activate
sshd and configure it, and make sure port TCP/22 is accessible.
Network Connectivity from the AFA Server

Part of hardening a Linux server involves filtering network traffic to and from the server. When doing so,
you only need to ensure that the communication ports that AFA uses are still open. The AFA software sends
the following types of traffic:
 AFA issues outbound HTTPS requests (TCP/443), sent only to
http://algosec.com/Support/ContactSupport/ (https://portal.algosec.com/en/support/support_home),
in order to activate its license. Make sure not to block this traffic, and not to let your outbound Web
proxies manipulate or sanitize it.
 AFA may need to issue DNS queries to the local DNS server (UDP/53).
 AFA needs to send e-mail if configured to do so, so it needs to communicate with your local mail server
via SMTP (TCP/25).
 Email retrieval using "fetchmail" over POP3, if used (TCP/110)
 SSH to devices, if used (TCP/22)
 OPSEC ports to Check Point SmartCenter/PV-1, if used (18190/TCP, 18184/TCP)
 OPSEC certificate retrieval ports for Check Point SmartCenter/PV-1, if used (18210/TCP, 18211/TCP)
 NSM API ports to NSM, if used (TCP/443 or TCP/8443, TCP/22)
 LDAP authentication, if used (TCP/389 or TCP/636)
 RADIUS authentication, if used (UDP/1812)
 AlgoSec automatic backup over FTP (TCP/21) or SFTP (TCP/22)
 Syslog messages (if AFA is configured to forward logs to a Syslog server).
351
These are all outgoing requests that require no open (listening) ports. In particular you do not need sendmail
running.
Hardening the Linux Operating System

Beyond filtering traffic to and from the AFA server, you may wish to tighten the security of the Linux
operating system itself, in terms of user permissions, removing unnecessary software components, etc.
There are many good ways to do this and your system administrators may have their own procedures.
One option is to use Bastille. This is a free tool that walks you through a question-and-answer interview, and
then configures many system parameters to the desired security settings:
1 Download, install, and run Bastille from http://www.bastille-linux.org/.
2 During Bastille's Q&A session, it is usually a good idea to accept the default answers for most questions.
3 Among other things, Bastille will install an IPtables filter with a "deny all incoming" policy, except for
the services you explicitly request. Remember to tell Bastille to allow the inbound services that AFA
requires, as listed in "Network connectivity to the AFA server" above.
4 Once the Q&A session is finished, Bastille will change many system parameters and tighten the security
to the desired level.
352
CHAPTER 13
Appendix A: Using the AlgoSec

Extension Framework
In This Chapter
Overview of the AlgoSec Extension Framework .................................................................................353
Adding Support for New Device Types ...............................................................................................353
Collecting Data from AEF Devices......................................................................................................370
This section explains how to use the AlgoSec Extension Framework (AEF) to add support for additional
devices.
Overview of the AlgoSec Extension Framework

AFA supports a variety of network devices, at support levels ranging from policy change monitoring only
to full support. For a full list of devices and their support levels, see Supported Products (page 12).
If desired, you can easily add support for additional network devices using AEF. AEF is a flexible
framework that requires you only to edit a simple configuration file and create icons for the new device. By
default, the support level for devices added via AEF is policy change monitoring, routing and Baseline
Compliance.
Note: You can increase the number of AFA features available for added devices. For information, contact
AlgoSec.
Adding Support for New Device Types

 To add support for a new device type
2 Create a brand_config.xml file and place it in a new directory with the brand name
For example: /usr/share/fa/data/plugins/brand_x
3 Edit the tags using the information in Tag Reference (page 354).
For a comprehensive example, see Configuration File Example (page 370), or refer to other examples
under /usr/share/fa/data/plugins/.
4 Create the following graphics files, and place them in the same directory as the configuration file:
 <brand_id>.16.png - A png icon representing the device brand (16x16 pixels)
353

/usr/share/fa/bin/fa_install_plugin <full path to brand_config.xml>
For example: /usr/share/fa/bin/fa_install_plugin
/usr/share/fa/data/plugins/brandx/brand_config.xml
Note: AEF configuration is loaded only during login. If changes are made to brand_config.xml, they will
take affect only after logging out and logging back in.
Tag Reference
This reference describes the use of each tag in the configuration file. The tags are listed in the same order as
they appear in the configuration file.
Tag syntax is presented as follows:
 All parameters are presented in italics.
 All optional elements of the tag appear in square brackets [ ].
DEVICE
Syntax
DEVICE -[id="id"] [name="name"] [title="title"]
Description
This is the main tag for the device, and it identifies the device.
Parameters
Id String. The ID of the device brand.
Name String. The name of the device brand.
The name will appear throughout the Web interface (for example, in the Home
and Monitoring pages).
Title String. The title of the device brand.
This can be longer than the device brand name.
The title represents the device in the Web interface, in the Administration page
Devices tab, in the list of device types
Subtags
 FORM_FIELD (page 355)
 CONNECTION_CMD (page 356)
 DATA_COLLECTION (page 356)
 DIFF (page 367)
 EXCLUDE (page 367)
 ROUTING (page 368)
 FEATURES (page 369)
354
Chapter 13 Appendix A: Using the AlgoSec Extension Framework
Example
In the following example, the device name FortiGate will appear throughout the Web interface, while the
title Fortinet - FortiGate will appear in the list of device types only.
DEVICE id="fortigate" name="FortiGate" title="Fortinet - FortiGate"
FORM_FIELD
Syntax
FORM_FIELD id="id" title="title" [type="type"]
Description
By default, when adding or modifying a device, the Web interface includes fields for host name, user name,
and password in the Additional Information area. This tag specifies additional fields that should appear for
the new device.
Note: The additional fields can be used when defining the connection and collection commands that AFA
should use for the device.
This tag is optional.
Parameters
id String. The ID of the field.
It can include only the following characters: a-z , _ , -
The ID is used as a tag in the file firewall_data.xml.
title String. The label representing the field in the Web interface.
type String. The field's type. This can have the following values:
 text. The user must input free text in this field.
 password. The user must input a password in this field.
The default value is text.
Subtags
None.
Example
In the following example, a field called "Virtual Domain" was added for the device. The field type was not
specified and is therefore "text".
FORM_FIELD id="vdom" title="Virtual Domain"
355
CONNECTION_CMD
Syntax
CONNECTION_CMD id="id" command="command" title="title"
Description
By default, when adding or modifying a device, the Web interface's Remote Management Capabilities area
includes SSH and Telnet connection options. You can use this tag to add additional options.
Parameters
id String. The ID of the connection option.
It can include only the following characters: a-z, A-Z, 0-9, @, _, !, +, ., :, -, ), (
The ID is used as a tag in the file firewall_data.xml.
command String. The connection command.
This may include the following parameters from the file
firewall_data.xml:
 %attribute%. An attribute, where attribute represents the name of any
attribute defined in the FORM_FIELD tag.
 %password%
 %user_name%
 %host_name%
title String. The label representing the connection option in the Web interface.
Subtags
None.
Example
In the following example, the connection option SSH is defined.
CONNECTION_CMD id="ssh" command="ssh %user_name%@%host_name%" title="SSH"
DATA_COLLECTION
Syntax
DATA_COLLECTION prompt="prompt" [more_prompt="more_prompt"]
Description
This tag specifies device prompts that AFA will encounter when connecting to the device.
Parameters
prompt String. The basic device prompt that appears when the AFA automatic data
collection client connects to the device. This is a regular expression.
more_prompt String. The device prompt that appears when there is additional data that is not
currently displayed. This is a regular expression.
356
Subtags
 LOGIN_PROMPT (page 362)
 POST_LOGIN_PROMPT (page 363)
 COMMANDS_SEQUENCE (page 363)
 EXIT_COMMAND (page 366)
Example
DATA_COLLECTION prompt="#\s*$" more_prompt="^\s*-+\s*[Mm]ore\s*-+\s*$"
LOGIN_PROMPT
Syntax
LOGIN_PROMPT prompt="prompt" response="response" try_again="try_again"
Description
This tag specifies the device prompt that AFA will encounter after successfully connecting to the device.
Usually, this prompt relates to logging in to the device, for example a request for a password.
Parameters
prompt String. A regular expression that describes the device prompt that appears after
the AFA automatic data collection client has connected to the device.
This regular expression should match the device prompt (e.g. "user1@device1
#") as tightly as possible.
response String. The command or string that the AFA automatic data collection client
should send after receiving the prompt.
try_again String. Indicates whether after receiving the device prompt specified by the
prompt parameter, the AFA automatic data collection client should attempt to
log in again, or continue to wait for the basic login prompt. This can have the
following values:
 yes. Attempt to log in again.
 no. Do not attempt to log in again. Instead, wait for the device prompt
specified by the prompt parameter.
Subtags
None.
Example
In the following example, upon receiving the "yes/no?" prompt, the AFA automatic data collection client
will send the response "yes" and then attempt to log in again.
LOGIN_PROMPT prompt="(yes/no)?\s+$" response="yes" try_again="yes"
357
POST_LOGIN_PROMPT
Syntax
POST_LOGIN_PROMPT prompt="prompt" response="response"
Description
This tag specifies device prompts that AFA will encounter after successfully logging in to the device.
Parameters
prompt String. The device prompt that appears after the AFA automatic data collection
client has logged in to the device. This is a regular expression.
Subtags
None.
Example
POST_LOGIN_PROMPT prompt="Terminal type\?.*$" response="xterm"
COMMANDS_SEQUENCE
Syntax
COMMANDS_SEQUENCE
Description
This tag specifies the sequence of commands that AFA should use during data collection.
Parameters
None.
Subtags
 CMD (page 364)
 CMD_VIRT (page 365)
Example
COMMANDS_SEQUENCE
358
CMD
Syntax
CMD id="id" command="command" save_output="save_output" [condition="condition"] [prompt="prompt"]
Description
This tag specifies a command that AFA should use during data collection.
Parameters
id Integer. The command's ID and order number.
Commands are implemented in numerical order.
command String. The connection command that the AFA automatic data collection client
should send to the device.
firewall_data.xml:
 %attribute%. An attribute, where attribute represents the attribute's name.
 %password%
 %user_name%
 %host_name%
save_output String. Indicated whether the result of the command should be added to output
device configuration file. This can have the following values:
 yes. Add the result of the command to the output device configuration file.
 no. Do not add the result of the command to the output device configuration
file.
condition String. The name of an attribute defined in the FORM_FIELD tag, which if
assigned a value (i.e., the parameter is not empty), should cause the AFA
automatic data collection client to send this command. This can have the
following values:
 The name of any attribute added in the FORM_FIELD tag
 FW_VIRT. Run the command only if the device has a virtual system.
prompt String. The device prompt that will appear after the AFA automatic data
collection client has sent this command.
This is a regular expression and may include the following parameters from the
file firewall_data.xml:
 %password%
 %user_name%
 %host_name%
Note: By default, the AFA automatic data collection client will expect to receive
the last defined prompt, (which was specified in the preceding DEVICE, CMD
or LOGIN tag).
359
Subtags
None.
Example
In the following example, the enable command will run only if the device configuration file includes an
enable attribute that is not empty. The result of the command will not be saved.
CMD id="1" command="enable" save_output="no" condition="enable"
prompt="sword:\s*$"
CMD_VIRT
Syntax
CMD_VIRT id="id" command="command" save_output="save_output" [condition="condition"]
[prompt="prompt"]
Description
This tag specifies a command that AFA should use during data collection on a virtual system.
Parameters
firewall_data.xml:
 %password%
 %user_name%
 %host_name%
file.
following values:
 The name of any attribute added in the FORM_FIELD tag.
360
 %password%
 %user_name%
 %host_name%
or LOGIN tag).
Subtags
None.
Example
In the following example, the end command will run only if the device configuration file includes a vdom
attribute that is not empty. The result of the command will not be saved.
CMD_VIRT id="4" command="end" save_output="no" prompt="#\s*$" condition="vdom"
EXIT_COMMAND
Syntax
EXIT_COMMAND command="command"
Description
This tag specifies the command that AFA should use to end the connection to the device.
Parameters
command String. The command that the AFA automatic data collection client should send,
in order to end the connection.
Subtags
None.
Example
In the following example, the command is "exit".
EXIT_COMMAND command="exit"
361
LOGIN_PROMPT
Syntax
LOGIN_PROMPT prompt="prompt" response="response" try_again="try_again"
Description
This tag specifies the device prompt that AFA will encounter after successfully connecting to the device.
Usually, this prompt relates to logging in to the device, for example a request for a password.
Parameters
prompt String. A regular expression that describes the device prompt that appears after
the AFA automatic data collection client has connected to the device.
This regular expression should match the device prompt (e.g. "user1@device1
#") as tightly as possible.
try_again String. Indicates whether after receiving the device prompt specified by the
prompt parameter, the AFA automatic data collection client should attempt to
log in again, or continue to wait for the basic login prompt. This can have the
following values:
 yes. Attempt to log in again.
 no. Do not attempt to log in again. Instead, wait for the device prompt
specified by the prompt parameter.
Subtags
None.
Example
In the following example, upon receiving the "yes/no?" prompt, the AFA automatic data collection client
will send the response "yes" and then attempt to log in again.
LOGIN_PROMPT prompt="(yes/no)?\s+$" response="yes" try_again="yes"
362
POST_LOGIN_PROMPT
Syntax
POST_LOGIN_PROMPT prompt="prompt" response="response"
Description
This tag specifies device prompts that AFA will encounter after successfully logging in to the device.
Parameters
prompt String. The device prompt that appears after the AFA automatic data collection
client has logged in to the device. This is a regular expression.
Subtags
None.
Example
POST_LOGIN_PROMPT prompt="Terminal type\?.*$" response="xterm"
COMMANDS_SEQUENCE
Syntax
COMMANDS_SEQUENCE
Description
This tag specifies the sequence of commands that AFA should use during data collection.
Parameters
None.
Subtags
 CMD (page 364)
 CMD_VIRT (page 365)
Example
COMMANDS_SEQUENCE
363
CMD
Syntax
CMD id="id" command="command" save_output="save_output" [condition="condition"] [prompt="prompt"]
Description
This tag specifies a command that AFA should use during data collection.
Parameters
firewall_data.xml:
 %password%
 %user_name%
 %host_name%
file.
following values:
 The name of any attribute added in the FORM_FIELD tag
 %password%
 %user_name%
 %host_name%
or LOGIN tag).
364
Subtags
None.
Example
In the following example, the enable command will run only if the device configuration file includes an
enable attribute that is not empty. The result of the command will not be saved.
CMD id="1" command="enable" save_output="no" condition="enable"
prompt="sword:\s*$"
CMD_VIRT
Syntax
CMD_VIRT id="id" command="command" save_output="save_output" [condition="condition"]
[prompt="prompt"]
Description
This tag specifies a command that AFA should use during data collection on a virtual system.
Parameters
firewall_data.xml:
 %password%
 %user_name%
 %host_name%
file.
following values:
 The name of any attribute added in the FORM_FIELD tag.
365
 %password%
 %user_name%
 %host_name%
or LOGIN tag).
Subtags
None.
Example
In the following example, the end command will run only if the device configuration file includes a vdom
attribute that is not empty. The result of the command will not be saved.
CMD_VIRT id="4" command="end" save_output="no" prompt="#\s*$" condition="vdom"
DATA_COLLECTION
Syntax
EXIT_COMMAND command="command"
Description
This tag specifies the command that AFA should use to end the connection to the device.
Parameters
command String. The command that the AFA automatic data collection client should send,
in order to end the connection.
Subtags
None.
Example
In the following example, the command is "exit".
EXIT_COMMAND command="exit"
366
DIFF
Syntax
DIFF context_lines="contextLines"
Description
When real-time monitoring and alerting is enabled, specified users receive e-mails upon changes to
monitored devices, and the changes are displayed in the Web interface's Monitoring page. This tag specifies
the number of lines before and after a change to display in e-mails and in the Web interface's Monitoring
page. The lines surrounding a change represent the change's context.
Parameters
contextLines Integer. The number of lines to show before and after a change.
Subtags
None.
Example
In the following example, the 5 lines before and after a change will be displayed.
DIFF context_lines="5"
EXCLUDE
Syntax
EXCLUDE regex="regex" [lines_before="lines_before"] [lines_after="lines_after"] [inline="inline"]
Description
When real-time monitoring is enabled, AFA periodically checks whether the device configuration has
changed. You can use this tag to exclude certain lines in the device configuration from monitoring.
For example, the current date and other counters frequently change, yet do not represent an actual change to
the device configuration. In order to prevent changes to such lines from repeatedly being interpreted as a
device configuration changes and reported via e-mail and the Web interface's Monitoring page, you can
exclude these lines from monitoring.
Parameters
regex String. A regular expression, describing a string in the device configuration file
that should be ignored by AFA when checking for changes to the device
configuration.
line_before Integer. The number of lines preceding the string specified in regex, including
the line in which the string appears, that should be excluded from monitoring.
lines_after Integer. The number of lines following the string specified in regex, including
the line in which the string appears, that should be excluded from monitoring.
367
inline String. Indicates whether the whole line (or any whole lines before or after) or
only the part of the line that matches the regular expression is excluded. This can
have the following values:
 yes. Exclude only the part of the line that matches the regular expression.
 no. Exclude the whole line (or any lines before or after).
Subtags
None.
Example
In the following example, when checking the device configuration for changes, AFA will exclude 30 lines
starting from the string "set private-key".
EXCLUDE regex="set private-key" lines_after="30"
ROUTING
Syntax
ROUTING script="script"
Description
This tag specifies a script that should be used to analyze the device's routing table.
Parameters
script String. The name of the script to use for creating a routing table.
Subtags
None.
Example
In the following example, the script forti2urt.pl is specified for use with the device.
ROUTING script="forti2urt.pl"
368
FEATURES
Syntax
FEATURES
Description
This tag specifies features that are supported for the device.
Note: By default, only real-time monitoring is supported for the device. To add more features, contact
AlgoSec.
Parameters
None.
Subtags
 FEATURE (page 369)
Example
FEATURES
FEATURE
Syntax
FEATURE name="name" script="script" ADD BRACKETS IF OPTIONAL!
Description
This tag specifies a feature that is supported for the device.
Parameters
name String. The name of the feature.
script String. The name of the script to use to run the feature.
Subtags
None.
Example
In the following example, the topology feature is supported for the device.
FEATURE name="topology" script="snmp2urt"
369
Configuration File Example

<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<DEVICE id="netfilter" name="iptables" title="Linux netfilter - iptables">
<FORM_FIELD id="root_psw" title="root password" type="password" />
<DATA_COLLECTION prompt="\]\s*[#$]\s*$"
more_prompt="^\s*-+\s*[Mm]ore\s*-+\s*$">
<COMMANDS_SEQUENCE>
<CMD id="1" command="su -" save_output="no"
condition="root_psw" prompt="sword:\s*$" />
<CMD id="2" command="%root_psw%" save_output="no"
condition="root_psw" prompt="\]\s*#\s*$" />
<CMD id="3" command="route" save_output="yes" />
<CMD id="4" command="iptables -L" save_output="yes" />
</COMMANDS_SEQUENCE>
<EXIT_COMMAND command="exit" />
</DATA_COLLECTION>
<DIFF context_lines="5" />
<EXCLUDE regex="no exclusions defined" />
</DEVICE>
Collecting Data from AEF Devices

You can use SNMP to retrieve the routing table of devices added via AEF.
Note: SNMP versions 3 and 2c are supported.
 To collect data from an AEF device

1 Open the AEF device’s brand_config.xml file.
2 Under the main <DEVICE> tag, add the following tag:
<FORM_FIELD id="snmp" title="SNMP" type="fieldset"/>
3 Under the <FEATURES> tag, add the following tag:
<FEATURE name="topology" script="snmp2urt"/>
4 Save your changes.
370
For example, the following brand_config.xml file defines an AEF device with routing collection via
SNMP for a Juniper Netscreen device:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>


<DEVICE id="edev" name="Elad Dev" title="Elad security dev">

<FORM_FIELD id="snmp" title="SNMP" type="fieldset"/>


<CONNECTION_CMD id="ssh" command="ssh -l %user_name% %host_name% "
title="SSH-cmd"/>

<DATA_COLLECTION prompt="ÂSisg1000->"
more_prompt="^\s*---\s*more\s*---\s*$">
371


<COMMANDS_SEQUENCE>

<CMD id="1" command="get conf" save_output="yes" />
</COMMANDS_SEQUENCE>


<EXIT_COMMAND command="\x04"/>
</DATA_COLLECTION>

<DIFF context_lines="5"/>

372


<FEATURES>
<FEATURE name="topology" script="snmp2urt"/>
</FEATURES>
</DEVICE>
373
CHAPTER 14
Appendix B: Importing Users and Devices

from a CSV File
In This Chapter
Importing Users from a CSV File ........................................................................................................374
Importing and Updating Devices from a CSV File ..............................................................................377
This section explains how to import users and devices from CSV files.
Importing Users from a CSV File

You can import multiple local users from a CSV file, into both AFA and FireFlow. This allows you to
onboard large numbers of users, without manually configuring each of them.
In order to do so, you must first prepare the CSV file (see Preparing the Devices CSV File (page 377)), then
run the import script (see Running the Import Users Script (page 377)).
Preparing the Users CSV File

 To prepare the users CSV file
1 Open a new text file.
2 In the first line of the file, type a list of column headers.
For a list of supported headers, refer to the following table. The headers must be separated by commas.
3 For each user you want to import, type a new line containing values that correspond to the column
headers.
Refer to the following table for information about each header's possible values. The values must be
separated by commas. If no value is specified, the default is used.
For example:
username,password,fullname,email,note,policy_change,administrator,authentic
ation_type,default_fw_profile,firewalls
JohnS,JohnSPass,John
Smith,JohnSmith@mycompany.com,customersupport,yes,yes,,readonly,(ECZ_ASA1;y
es;Standard)(ISG1000_root:trust-vr;yes;Standard)
JaneB,,Jane Brown,JaneBrown@mycompany.com,sales,no,no,ldap
4 Save the file.
374
Chapter 14 Appendix B: Importing Users and Devices from a CSV File
Supported Column Headers
Header Name Description Possible Values

username The username to assign the user. Any
This header is mandatory.
fullname The user's full name. Any
email The user's email address. An email address in standard email address
This header is mandatory. format.
note Notes about the user. Any. Can contain spaces.

password The password to assign the user. Any
policy_change Indicates whether the AFA system  yes
should send notifications to the user  no
when changes are made to policies. The default value is no.
group_changes Indicates whether the AFA system  yes
when a group report is generated. The default value is no.
all_changes Indicates whether the AFA system  yes
when a report is generated. The default value is no.
configuration_changes Indicates whether the AFA system  yes
when configuration changes are made. The default value is no.
object_expirations Indicates whether the AFA system  yes
when device rules and/or VPN users are The default value is no.
about to expire.
error Indicates whether the AFA system  yes
should send error messages to the user.  no
These include low disk space and The default value is no.
license expiration warnings.
This header is only relevant for
administrators.
customizations Indicates whether the AFA system  yes
when customization changes are made. The default value is no.
These include notifications about
topology, trusted traffic, and risk profile
customizations.
This header is only relevant for
administrators.
375

authentication_type The type of authentication to use for this  local. Authenticate the user against the
user. local AFA user database.
For information on configuring AFA to  radius. Authenticate the user against a
work with a RADIUS Server or an RADIUS server.
LDAP server, see Configuring User  ldap. Authenticate the user against an
Authentication (page 259). LDAP server.
administrator Indicates whether to make the user an  yes
administrator.  no
The default value is no.
run_file_analysis Indicates whether to allow the user to  yes
perform analyses from configuration  no
files. The default value is no.
global_customisation Indicates whether to make the user a  yes
FireFlow configuration administrator.  no
This enables the user to perform The default value is no.
advanced configuration tasks in
FireFlow.
fireflow_admin Indicates whether the FireFlow user can  yes
perform advanced configuration tasks,  no
such as using VisualFlow to edit The default value is no.
workflows.
default_fw_profile The user's default access level to  readonly
devices.  none
 standard.
The default value is standard.
firewalls A list of devices for which the user Each device in the list must be in the following
should be granted permissions. format:
(deviceName;notify;permissionPr
ofile)
where:
 deviceName is the device's name
 notify indicates whether the user
should receive notifications about the
device (yes/no)
 permissionProfile is the user's
access level to the device
(readonly/none/standard)
Multiple devices should not be separated by
anything:
(device)(device)(device)...
376
Running the Import Users Script

 To import users from a CSV file
import_users -f CSVFile [-d domain]
For information on the command's flags, see the following table.
The import_users script runs and imports users from the file into both AFA and FireFlow.
Import Users Script Flags
Flag Description
-f CSVFile The name of the CSV file.
Note: The file must be located in the current directory.
-d domain Imports the users to the specified domain.
This flag is only relevant if AFA is domains are enabled. See Enabling Domains (page
33).
Importing and Updating Devices from a CSV File

You can import new devices or update existing devices from a CSV file, into both AFA and FireFlow.
In order to do so, you must first prepare the CSV file (see Preparing the Devices CSV File (page 377)), then
run the import script (see Running the Import Devices Script (page 380)).
Note: Importing and updating devices is available for the following devices: Cisco, Juniper Netscreen,
Juniper SRX, Fortinet Fortigate, Palo Alto Networks, and Forcepoint (McAfee) SideWinder.
Note: You cannot import and update devices simultaneously. The script runs in either import or update
mode.
Preparing the Devices CSV File

 To prepare the devices CSV file
1 Open a new text file.
2 In the first line of the file, type a list of column headers.
For a list of supported headers, refer to the following table. The headers must be separated by commas.
3 For each device you want to import or update, type a new line containing values that correspond to the
column headers.
Refer to the following table for information about each header's possible values. The values must be
separated by commas. If no value is specified, the default is used.
For example:
host_name,user_name,passwd,con,rules_view,log_collection_frequency,collect_
log,collector,collect_log_from_adt,collect_log_from,monitoring
377
192.168.2.53,netscreen,netscreen,SSH,ASDM,20,no,Central Manager,nsm,nsm,yes
4 Save the file.
Supported Column Headers

baseline_profile The baseline compliance profile to use Any
when generating reports for the device.
brand The device brand for devices with the For this brand... Set this to...
GEN (generic) device type. See
Juniper SRX junos
Running the Import Devices Script
(page 380) for more information. Fortinet Fortigate fortigate
Palo Alto Networks paloalto
Forcepoint (McAfee) sidewinder
Sidewinder
Blue Coat bluecoat
F5 BIG-IP LTM® f5bigip
Juniper Secure Access (SSL junipersa
VPN)
Linux netfilter iptables netfilter
Forcepoint (McAfee) stonegate
Security Management Center
Cisco ACE ace
Cisco Nexus Router nexus
WatchGuard watchguard
Topsec Firewall topsec
collect_log Indicates whether AFA should collect  yes
logs for the device.  no
collect_log_from Indicates from where AFA should  nsm. AFA should collect logs from the
collect logs. NSM.
 syslog. AFA should collect logs from a
syslog-ng server.
The default value is nsm.
collect_log_from_audit Indicates from where AFA should
collect audit logs.
collector Sets the collector when using Geo. dist.  Any
con The connection type.  SSH

This header is mandatory.  SSH(3des)
 SSH (des)
 Telnet
Note: These values are case-sensitive, and you
cannot add spaces.
378

display_name The name of the device under AFA. Any
enable_user_name The user name for switching to enable Any
mode.
This header is relevant for Blue Coat
devices only.
epasswd The Cisco enable password. Any
firewall_users A list of users who should have access Multiple user names must be separated by
to the reports produced for this device. slashes ( / ).
full_analysis This sets whether to create risks and No, default-yes
optimization pages in the report.
host_name The host name or IP address of the Any
device.
log_collection_mode Indicates the mode AFA should use to  standard. Enable log collection.
collect logs for the device.  extensive. Enable log collection and
the Intelligent Policy Tuner.
log_collection_frequency The interval of time in minutes, at which Any
AFA should collect logs for the device.
log_host_name The log servers's host name or IP. Any IP/host name
log_host_name_adt The audit log server's host name or IP Any
address.
log_passwd The password for connecting to the log Any
server.
log_passwd_adt The password for connecting to the Any
audit log server.
log_user_name The user name for connecting to the log Any
server.
log_user_name_adt The user name for connecting to the Any
audit log server.
monitoring Indicates whether to enable real-time yes
alerting upon configuration changes. no
For more information, see Activating
Real-Time Monitoring (page 256).
passwd The password to use for access to the Any
device.
root_psw This sets permissions to root. It is Any

usually not allowed to login as root in
telnet, so this adds better support.
379

rules_view Indicates how rules should be displayed  ASDM. Display rules in the Cisco Adaptive
in device reports. Security Device Manager (ASDM)
This header is relevant for Cisco devices graphical interface.
only.  CLI. Display rules in command line
format.
The default value is ASDM.
separate_vrfs This sets whether to split the router into No, default-yes
VRFs.
Relevant for Cisco IOS & NEXUS only.
set_user_permissions yes , no
snmp_auth_password Any
snmp_auth_protocol for snmp v3 only - authentication md5/sha

protocol
authNoPriv or authPriv modes only
snmp_priv_password Any
snmp_priv_protocol privProtocol des/aes
snmp_version The SNMP version. snmpv2c, snmpv3
user_name The user name to use for access to the Any
device.
Running the Import Devices Script

 To import devices from a CSV file
import_devices -f CSVFile -t deviceType [-u ][-d domainName]
For information on the command's flags, see the following table.
The import_devices script runs and imports or updates devices from the file into both AFA and
FireFlow.
Import Devices Script Flags
Flag Description
-f CSVFile The name of the CSV file.
-t deviceType The type of devices to import or update. This can be one of the following:
 PIX. A Cisco PIX, ASA, or FWSM device.
380
 IOS. A Cisco IOS Router.

 NSC. A Juniper NetScreen device.
 GEN. One of the following device types, specified in the brand column header in
the CSV file:
 A Juniper SRX device.
 A Fortinet Fortigate device.
 A Palo Alto Networks device.
 A Forcepoint (McAfee) Sidewinder device.
 A Forcepoint (McAfee) Security Management Center
 A Blue Coat device.
 A F5 BIG-IP LTM® device.
 A Juniper Secure Access (SSL VPN) device.
 A Linux netfilter iptables device.
 A Cisco ACE device.
 A Cisco Nexus Router.
 A WatchGuard device.
 A Topsec Firewall device.
For more information on the brand column header, see Preparing the Devices
CSV File (page 377).
-u When this flag is used, the script will update existing devices from the file.
When not used, the script will import new devices from the file.
-d domainName The name of the domain for which to import or update the devices.
This is only relevant when domains are enabled.
381
CHAPTER 15
Appendix C: Creating a JSON File for

Generic Device Support
In This Chapter
NAT Support ........................................................................................................................................382
Layer 2 Device Support........................................................................................................................384
Handling Special Characters ................................................................................................................384
Tag List ................................................................................................................................................384
Tag References .....................................................................................................................................385
Generic Device JSON File Examples ..................................................................................................390
Troubleshooting ...................................................................................................................................495
The following procedure describes how to create the JSON file that represents the device.
 To create a JSON file
1 Review the example file located in:
/usr/share/fa/data/plugins/config_parser_template.json
2 Create your own configuration file according to the template. See Tag List (page 384) and Tag
Reference (page 385).
3 Rename the file to XXX.algosec.
4 As user ‘afa’, run the JSON validator to make sure the JSON file is valid:
su - afa
curl –si
‘127.0.0.1:8080/afa/configParser/validate?path=/home/afa/algosec_generic_de
vice.algosec’
NAT Support
Currently AlgoSec supports the following NAT models. Only one model can be used for every device brand
you add.
 NAT rules: A separate set of rules that is not part of the security rule base.
 NAT as part of the rule base: Source or Destination NAT parameters added to the Source and Destination
fields of the security rule base.
NAT Rules
 You must add rules to the NAT rules section of the JSON file.
 If it does not appear, you must add gateway_NAT_rules to the VENDOR_PROPERTIES section of the
brand_config.xml.
Example

382
Chapter 15 Appendix C: Creating a JSON File for Generic Device Support
<VENDOR_PROPERTIES
<PROPERTY name="gateway_NAT_rules" value="yes"/>
</VENDOR_PROPERTIES>
NAT as part of the Rule Base
In this model, use one of the following options to define NAT:
 Object NAT: The source/destination of a security rule will contain the NAT object from list of
nat_objects, objects that contain both the real and mapped addresses.
 Mapping to interface: In order to map the source address to source interface addresses, the user must
define for the rule: "map_source_to_interface" : “true/false.”
 Source or destination NAT defined directly in the rules in the rule base.
 Global NAT: NAT objects that contain real and mapped addresses. This NAT will be applied to security
rules with matching source address. (See “global_nat_rules” hash in template).
 Add your NAT translation for each rule in the policies section of the JSON file.
Make sure to remove the gateway_NAT_rules property from the VENDOR_PROPERTIES section of
brand_config.xml.
 In some cases, you must add several properties in brand_config.xml:
 If this brand is using NAT pools, do the following:
1. Add use_nat_pools to the VENDOR_PROPERTIES section of the brand_config.xml.
2. Set its value to “yes”.
NAT addresses (“src_nat” and ”dst_nat” fields of policy, and “mapped_ips” field of
“global_nat_rules”) will be referenced to “nat_pools” hash, instead of to “hosts”/”host_groups”
hash.
 To give global NAT higher priority over NAT defined in the rule (src_nat/dst_nat in policies), do the
following:
1. Add prefer_global_nat_over_rule_nat to the VENDOR_PROPERTIES section of the
brand_config.xml
2. Set its value to “yes”.
If there is a global NAT rule that matches the source address of a rule, source NAT defined for
this rule will be ignored.
Example

<VENDOR_PROPERTIES
<PROPERTY name="use_nat_pools" value="yes"/>
<PROPERTY name="prefer_global_nat_over_rule_nat" value="yes"/>
</VENDOR_PROPERTIES>
383
Layer 2 Device Support

When adding a layer 2 device to AFA, you must signify to AFA that the device is a later 2 device, and
represent the device's topology in layer 3 terminology in a .URT file. You can optionally create the topology
automatically, using an AFA heuristic based on the policy of the device (which is in layer-3 terminology). If
you choose to use the heuristic feature, configure it with the procedure below.
Note: This feature is currently supported only for zone based devices.
 To enable heuristics for layer 2 devices

1 In the device's config_parser.json file, indicate that a device is L2 by defining the is_layer2 field as
"1" in the device hash.
2 In the brand_config.xml file, add the following feature: <FEATURE
name="create_urt_heuristics"/>.
Handling Special Characters

 Special characters should be escaped in the config_parser.json file.
Examples:
1. "comment" : "\"Address mask reply\" messages with any code."
2. "ips" : [
3. "13.76.218.117\/32",
4. "13.76.219.191\/32" ]
 AFA environment variables may be used in brand_config.
Example:
<FEATURE name="parser" script="java $FIRMATO_DIR/bin/PartnerParser.jar"
invocation="json_producer"/>
(Where FIRMATO_DIR=/usr/share/fa/)
Tag List
Following is a list of the tags you can use in the config_parser.json file.
Tag List
Tag Description
config_type The policy model.
device The definition of the device.
384
Tag Description
hosts The host name.
hosts_groups The host group name.
interfaces The interface name.
services The service name.
services_groups The service group name.
policies The rule name.
rules_groups The rules group name. (optional)
nat_rules The rule name.
global_nat_rules The global NAT rule name
nat_objects The NAT object name.
nat_objects_groups The NAT object group name.
nat_pools The NAT pool name.
zones The zone name.
routes The route's ID.
schedules The schedule name.
Tag References
config_type
One of the following values:
 POLICY_BASED: One set of rules per device across all of its interfaces. For example, Check Point
devices.
 INTERFACES_BASED: One set of rules per interface. For example, Cisco devices.
 HOST_BASED: Device policy refers to the host itself (source or destination is "Me"). For example,
Amazon AWS devices.
 ZONE_BASED: Each policy rule is attached to <source zone/interface, dest zone/interface>. For example,
Fortimanager devices.
385
device
The definition of the device.
Parameter Description
name Device name.
major_version Device major version (first number before first dot).
version Device version.
minor_version Device minor version (last number of whole version).
policy Policy name (optional).
hosts
The host name.
name Host name.
comment Host comment, if there is one (optional).
ips List of host IPs.
type PREDEFINED/ANY/IP_ADDRESS/IP_RANGE/DOMAIN/SUBNET/IPS_LIS
T
is_negate true/false (optional)
hosts_groups
The host group name.
name Host group name.
members List of group members (from hosts hash or from
hosts_groups hash).
type GROUP
is_negate true/false (optional)
interfaces
The interface name.
name The interface logical name.
enable enabled/disabled. (optional)
386
ips List of interface's IPs in format of: 'IP

address/CIDR'.
Hwdevice The interface physical name.
zone Interface's zone. (optional)
description Description. (optional)
rules_groups List of rules groups that apply to this interface.
Note: The name of the rule group should be the same as the rule group id
value in rule_group tag.
Note: This parameter is only relevant for INTERFACE_BASED
configuration.
services
The service name.
name Sevice name.
service_definitions List of service definitions in the following format:
 protocol: The protocol name:
tcp/udp/icmp/any/protocol number.
 src_port: The source port number/source port range (if there is no
source port, or range is any, it will be *)/ICMP type. (optional)
 dst_port: The destination port number/destination
port range. If range is any, it will be *.
Type ANY/TCP/UDP/ICMP/TCP_UDP
services_groups
The service group name.
name Service group name.
members List of group members (from services hash or from
services_groups hash).
type GROUP
policies
The rule name.
rule_name Rule's name as appears in the configuration.
rule_display_name Display name.
387
rule_id Rule's ID - unique identifier of the rule, can be the
rule name if it is unique.
line_number Line number of the rule in configuration file.
rule_num Rules number (to save order of rules).
src_zone List of source zones.(optional)
direction Inbound/outbound. (optional)
comments Rule's comment. (optional)
rule_grp Group to which the rule belongs. (optional)
log 0/1
enable Enabled/disabled.
src List of rule's sources.
service List of rule's services.
schedule Schedule name from schedules list. (optional)
action ALLOW/DENY
dst_zone List of destination zones. (optional)
dst List of rule's destinations.
src_nat List of source NAT hosts/addresses. (optional)
src_nat_type Source NAT type - one of the values: static/dynamic.
(optional)
dst_nat List of destination NAT hosts/addresses. (optional)
dst_nat_type Destination NAT type - one of the values:
static/dynamic. (optional)
bi-directional 0/1 (optional). Relevant for static NAT for example, MIP
in NetScreen.
src_negate 0/1 (optional)
dst_negate 0/1 (optional)
policy Policy name. (optional)
rules_groups
The rules group name. (optional).
name Rules group name.
enable Enabled/Disabled.
comments Rules group comment, if there is one (optional).
type Rules group type (optional)
388
nat_rules
The rule name.
rule_name Rule's name as appears in the configuration (without
canonization).
rule_id Rule's ID - unique identifier of the rule, can be the
rule name if it is unique.
line_number Line number of the rule in the configuration file.
src_zone List of source zones. (optional)
rule_display_name Display name.
direction Inbound/outbound. (optional)
comments Rule's comment. (optional)
rule_num Rules number (to save order of rules).
log 0/1
enable Enabled/disabled.
src List of rule's sources.
dst List of rule's destinations.
src_nat List of source NAT hosts/addresses.
src_nat_type Source NAT type - one of the values: static/dynamic.
dst_nat List of destination NAT hosts/addresses.
dst_nat_type Destination NAT type - one of the values: static/dynamic.
bi-directional 0/1. (optional) Relevant for static NAT (e.g. MIP in
NetScreen)
src_negate 0/1 (optional)
dst_negate 0/1 (optional)
service List of rule's services.
schedule Schedule name (from schedules list). (optional)
action ALLOW/DENY
dst_zone List of destination zones. (optional)
zones
The zone name. (optional)
name Zone name.
interfaces List of zone interfaces.
389
description Zone's description.
routes
Key: The route's ID.
id Route's ID.
interface_name Logical name. (optional)
route_mask CIDR of the route.
gateway Gateway (IP address).
interface Physical name. (The Hwdevice value specified in the
"Interfaces" section.)
route IP address of the route.
schedules
The schedule name. (optional)
name Schedule name.
start_date Start date in format of: ‘ddMMMyyyy, HHmm’.
end_date End date in format of: ‘ddMMMyyyy, HHmm’.
Generic Device JSON File Examples

The following are three examples of JSON files for a generic device.
390
JSON File Example for a Policy-Based Device
391
{
"config_type" : "POLICY_BASED",
"device" : {
"name" : "Francesca",
"hostname" : "",
"policy" : "new_policy, Firewall Template 1"
},
"services" : {
"Address Mask Reply (Any Code)" : {
"name" : "Address Mask Reply (Any Code)",
"service_definitions" : [
{
"protocol" : "icmp",
"src_port" : "18",
"dst_port" : "0"
}
],
"type" : "ICMP",
"comment" : "\"Address mask reply\" messages with any code."
},
"Comodo-OCSP" : {
"name" : "Comodo-OCSP",
"service_definitions" : [
{
"protocol" : "tcp",
"src_port" : "80",
"dst_port" : "0"
}
],
"type" : "APPLICATION",
"comment" : "Comodo Online Certificate Status service usage detected"
},
},
"services_groups" : {
"Ping" : {
"name" : "Ping",
"members" : [
"Echo Request (Any Code)"
]
},
"H.323" : {
"name" : "H.323",
"members" : [
"H.323 (Call Signaling)",
"T.120"
]
},
},
"hosts" : {
"ALL-SYSTEMS.MCAST.NET" : {
"name" : "ALL-SYSTEMS.MCAST.NET",
"type" : "IP_ADDRESS",
"ips" : [
"224.0.0.1/32"
]
},
392
"DHCP Broadcast Destination" : {

"name" : "DHCP Broadcast Destination",
"ips" : [
"255.255.255.255/32"
]
},
"Microsoft Lync Online Servers 19" : {
"name" : "Microsoft Lync Online Servers 19",
"type" : "IP_RANGE",
"ips" : [
"66.119.158.0-66.119.158.127"
]
},
},
"hosts_groups" : {
"Microsoft Ex-Fed servers" : {
"name" : "Microsoft Ex-Fed servers",
"members" : [ ],
"type" : "GROUP"
},
"Microsoft Exchange Online Protection servers" : {
"name" : "Microsoft Exchange Online Protection servers",
"members" : [
"Microsoft Exchange Online Protection Servers 1",
393

"Microsoft Exchange Online Protection Servers 9"
],
"type" : "GROUP"
},
},
"hosts_v6" : {
"All Routers (Interface-Local)" : {
"name" : "All Routers (Interface-Local)",
"ips" : [
"FF01::1"
]
},
"All Routers (Link-Local)" : {
"name" : "All Routers (Link-Local)",
"ips" : [
"FF02::2"
]
},
},
"policies" : {
"160" : {
"rule_id" : "160",
"rule_name" : "160.0",
"rule_display_name" : "160.0",
"rule_num" : "1",
"line_number" : "0",
"policy" : "Firewall Template 1",
"type" : "Template",
"enable" : "enabled",
"src" : [
"ANY"
],
"dst" : [
"ANY"
"DNS (UDP)"
],
"action" : "continue",
"additional_properties" : {
"scope" : "before"
}
},
"161" : {
"rule_id" : "161",
"rule_name" : "161.0",
"rule_num" : "2",
394
"src" : [
"NOT Loopback network"
],
"dst" : [
"Loopback network"
],
"service" : [
"ANY"
],
"action" : "discard",
"log" : "1",
"logging" : "Stored",
"scope" : "before"
}
},
},
"nat_rules" : {
"167" : {
"rule_id" : "167",
"rule_name" : "167.0",
"rule_num" : "1",
"action" : "allow",
"src" : [
"ANY"
],
"dst" : [
"DHCP Broadcast Destination",
"Localhost"
],
"service" : [
"ANY"
],
"src_nat_type" : "STATIC",
"dst_nat_type" : "STATIC"
}
},
"policies_v6" : {
"169" : {
"rule_id" : "169",
"rule_name" : "169.0",
"rule_num" : "1",
"src" : [
"ANY"
],
395
"dst" : [
"ANY"
],
"service" : [
"DNS (UDP)"
],
"action" : "continue",
"scope" : "after"
}
},
"170" : {
"rule_id" : "170",
"rule_name" : "170.0",
"rule_num" : "2",
"src" : [
"ANY"
],
"dst" : [
"ANY"
],
"service" : [
"IPv6 Neighbor Advertisement",
"IPv6 Neighbor Solicitation",
"IPv6 Redirect",
"IPv6 Router Advertisement",
"IPv6 Router Solicitation"
],
"action" : "allow",
"scope" : "after"
}
},
},
"interfaces" : {
"NDI-0-192.168.7.24" : {
"name" : "NDI-0-192.168.7.24",
"zone" : "DMZ",
"hwdevice" : "0",
"ips" : [
"192.168.7.24/24"
]
},
"NDI-1-9.9.9.8" : {
"name" : "NDI-1-9.9.9.8",
"zone" : "Internal",
"hwdevice" : "1",
"ips" : [
"9.9.9.8/24"
]
},
396
"NDI-2-5.5.5.4" : {
"name" : "NDI-2-5.5.5.4",
"hwdevice" : "2",
"ips" : [
"5.5.5.4/24"
]
}
},
"device_interfaces" : {
"NDI-0-192.168.7.24" : {
"name" : "NDI-0-192.168.7.24",
"ips" : [
"192.168.7.24"
]
},
"NDI-1-9.9.9.8" : {
"name" : "NDI-1-9.9.9.8",
"ips" : [
"9.9.9.8"
]
},
"NDI-2-5.5.5.4" : {
"name" : "NDI-2-5.5.5.4",
"ips" : [
"5.5.5.4"
]
}
},
"zones" : {
"DMZ" : {
"name" : "DMZ",
"interfaces" : [
"NDI-0-192.168.7.24"
],
"description" : "Interfaces connected to DMZ networks"
},
"External" : {
"name" : "External",
"interfaces" : [ ],
"description" : "Interfaces connected to the Internet or other
external networks"
},
"Guest" : {
"name" : "Guest",
"interfaces" : [ ],
"description" : "Interfaces connected to guest networks"
},
"Internal" : {
"name" : "Internal",
"interfaces" : [
"NDI-1-9.9.9.8",
"NDI-2-5.5.5.4"
],
"description" : "Interfaces connected to internal networks"
},
397
"Node-internal" : {
"name" : "Node-internal",
"interfaces" : [ ],
"description" : "Firewall nodes themselves"
}
},
"routes" : {
"1" : {
"id" : "1",
"route" : "0.0.0.0",
"route_mask" : "0.0.0.0",
"gateway" : "192.168.7.254",
"interface" : "0"
}
}
}
398
JSON File Example for an Interface-Based Device

{
"config_type" : "INTERFACES_BASED",
"device" : {
"name" : "i-91d8adbe",
"version" : "",
"policy" : "GROUP_1, TestGroup, acl-a22588c7",
"major_version" : "",
"protected_cloud_host_ips" : [ "172.31.50.24" ],
"public_ip" : "",
"private_ip" : "172.31.50.24"
},
"policies" : {
"745e667b82c09f32e08b7ede79cd0827" : {
"service" : [ "tcp/8080" ],
"direction" : "inbound",
"action" : "deny",
"log" : 0,
"rule_id" : "745e667b82c09f32e08b7ede79cd0827",
"rule_name" : "745e667b82c09f32e08b7ede79cd0827",
"rule_display_name" : "200",
"line_number" : 0,
"rule_num" : 2,
"rule_grp" : "acl-a22588c7",
"src" : [ "8.8.0.0/16" ],
"dst" : [ "Host" ],
"src_negate" : 0,
"dst_negate" : 0,
"object_nat_source" : false,
"object_nat_destination" : false,
"src_nat" : [ ],
"dst_nat" : [ ],
"nat" : "enabled",
"global_nat" : "enabled",
399
"map_source_to_interface" : false,
"bi-directional" : 0,
"additional_properties" : { }
},
"ce2ead998e1591cb9cc8bd70a21f7f6e" : {
"service" : [ "icmp/*" ],
"direction" : "outbound",
"action" : "allow",
"log" : 0,
"rule_id" : "ce2ead998e1591cb9cc8bd70a21f7f6e",
"rule_name" : "ce2ead998e1591cb9cc8bd70a21f7f6e",
"line_number" : 0,
"rule_num" : 13,
"rule_grp" : "GROUP_1",
"src" : [ "Host" ],
"dst" : [ "80.1.1.88/32" ],
"src_negate" : 0,
"dst_negate" : 0,
"src_nat" : [ ],
"dst_nat" : [ ],
"nat" : "enabled",
},
"6dec3120ea84e60b382675f690705f96" : {
"service" : [ "tcp/8080" ],
"direction" : "outbound",
"action" : "allow",
"log" : 0,
"rule_id" : "6dec3120ea84e60b382675f690705f96",
"rule_name" : "6dec3120ea84e60b382675f690705f96",
400
"line_number" : 0,
"rule_num" : 5,
"rule_grp" : "acl-a22588c7",
"src" : [ "Host" ],
"dst" : [ "10.20.0.0/16" ],
"src_negate" : 0,
"dst_negate" : 0,
"src_nat" : [ ],
"dst_nat" : [ ],
"nat" : "enabled",
},
"7a066e3eb1bc600dac42a35bd8b5d736" : {
"service" : [ "tcp/143" ],
"direction" : "inbound",
"action" : "allow",
"log" : 0,
"rule_id" : "7a066e3eb1bc600dac42a35bd8b5d736",
"rule_name" : "7a066e3eb1bc600dac42a35bd8b5d736",
"line_number" : 0,
"rule_num" : 18,
"rule_grp" : "TestGroup",
"src" : [ "0.0.0.0/0" ],
"dst" : [ "Host" ],
"src_negate" : 0,
"dst_negate" : 0,
"src_nat" : [ ],
"dst_nat" : [ ],
401
"nat" : "enabled",
}
},
"hosts" : {
"959234629017/sg-4cb53a2a" : {
"name" : "959234629017/sg-4cb53a2a",
"comment" : "Allow SSH/HTTP(S)",
"ips" : [ "172.31.52.241" ],
"negate" : false,
"type" : "INTERNAL",
"is_negate" : false
},
"959234629017/sg-d9b4edbc" : {
"name" : "959234629017/sg-d9b4edbc",
"comment" : "Yarin",
"ips" : [ "172.31.50.24", "172.31.7.212", "172.31.33.73", "172.31.33.70" ],
"negate" : false,
"is_negate" : false
},
"959234629017/sg-d5c47cad" : {
"name" : "959234629017/sg-d5c47cad",
"comment" : "1234",
"ips" : [ "172.31.52.241" ],
"negate" : false,
"is_negate" : false
},
"959234629017/sg-fec47c86" : {
"name" : "959234629017/sg-fec47c86",
"comment" : "1234",
"ips" : [ "10.2.0.166" ],
"negate" : false,
402
"is_negate" : false
},
"Host" : {
"name" : "Host",
"comment" : "i-91d8adbe",
"ips" : [ "172.31.50.24", "172.31.50.24" ],
"negate" : false,
"is_negate" : false
},
"959234629017/sg-a60f57c0" : {
"name" : "959234629017/sg-a60f57c0",
"comment" : "launch-wizard-2",
"ips" : [ "10.2.0.166" ],
"negate" : false,
"is_negate" : false
},
"959234629017/sg-0c683b69" : {
"name" : "959234629017/sg-0c683b69",
"comment" : "launch-wizard-1",
"ips" : [ "172.31.33.73", "172.31.33.70" ],
"negate" : false,
"is_negate" : false
},
"959234629017/sg-3ee52c5a" : {
"name" : "959234629017/sg-3ee52c5a",
"comment" : "Test1",
"ips" : [ "172.31.50.24", "172.31.7.212", "172.31.33.73", "172.31.33.70" ],
"negate" : false,
"is_negate" : false
},
"959234629017/sg-21683b44" : {
"name" : "959234629017/sg-21683b44",
403
"comment" : "default",
"ips" : [ "172.31.52.241" ],
"negate" : false,
"is_negate" : false
}
},
"interfaces" : {
"internal" : {
"name" : "internal",
"ips" : [ "layer2" ],
"rules_groups" : [ "TestGroup", "GROUP_1" ]
},
"external" : {
"name" : "external",
"ips" : [ "layer2" ],
"rules_groups" : [ "acl-a22588c7" ]
}
},
"routes" : {
"0" : {
"id" : 0,
"route" : "0.0.0.0",
"gateway" : "0.0.0.0",
"interface_name" : "external",
"route_mask" : "0.0.0.0"
},
"1" : {
"id" : 1,
"route" : "172.31.50.24",
"gateway" : "-",
"interface_name" : "internal",
"route_mask" : "255.255.255.255"
}
},
404
"rules_groups" : {
"TestGroup" : {
"id" : "sg-3ee52c5a",
"name" : "TestGroup",
"comments" : "TestGroup",
"type" : "SECURITY_GROUP",
"rule_display_name" : "TestGroup",
"owner_id" : "959234629017",
"vpc_id" : "vpc-4dbb1128"
},
"GROUP_1" : {
"id" : "sg-d9b4edbc",
"name" : "Yarin",
"comments" : "GROUP_1 test",
"type" : "SECURITY_GROUP",
"rule_display_name" : "GROUP_1",
"owner_id" : "959234629017",
},
"acl-a22588c7" : {
"id" : "acl-a22588c7",
"name" : "TEST_NACL",
"type" : "NACL",
"rule_display_name" : "TEST_NACL",
}
},
}
405
JSON File Example for a Zone-Based Device

{
"device" : {
"name" : "Lieberman",
"hostname" : "Lieberman",
"mode" : "layer3",
"version" : "5.2.5,build701",
"serial" : "FG100D3G13808144",
"domain" : "PT_domain",
"major_version" : "5.0",
"protected_cloud_host_ips" : [ ],
"is_layer2" : 0
},
"policies" : {
"1073741825" : {
"service" : [ "gALL" ],
"action" : "deny",
"log" : 0,
"comments" : "TreeSource",
"rule_id" : "1073741825",
"rule_name" : "1073741825",
"line_number" : 1,
"rule_num" : 1,
"rule_grp" : "before",
"src" : [ "gnone" ],
"dst" : [ "gappstore" ],
"src_negate" : 0,
"dst_negate" : 0,
"src_zone" : [ "any" ],
"dst_zone" : [ "any" ],
"src_nat" : [ ],
406
"dst_nat" : [ ],
"nat" : "enabled",
"security-profiles" : { },
"target" : [ ],
},
"1074741826" : {
"service" : [ "gALL" ],
"action" : "accept",
"enable" : "disabled",
"log" : 0,
"comments" : "",
"rule_id" : "1074741826",
"rule_name" : "1074741826",
"line_number" : 5,
"rule_num" : 5,
"rule_grp" : "after",
"src" : [ "gnone" ],
"dst" : [ "gadobe" ],
"src_negate" : 0,
"dst_negate" : 0,
"src_nat" : [ ],
"dst_nat" : [ ],
"nat" : "enabled",
"target" : [ ],
407
},
"1073741827" : {
"service" : [ "service_5" ],
"action" : "deny",
"log" : 0,
"comments" : "",
"rule_id" : "1073741827",
"rule_name" : "1073741827",
"line_number" : 2,
"rule_num" : 2,
"src" : [ "AddressGlobal1" ],
"dst" : [ "address_5" ],
"src_negate" : 0,
"dst_negate" : 0,
"src_nat" : [ ],
"dst_nat" : [ ],
"nat" : "enabled",
"target" : [ ],
},
"1073741828" : {
"service" : ["service_5" ],
"action" : "deny",
"enable" : "disabled",
"log" : 0,
408
"comments" : "",
"rule_id" : "1073741828",
"rule_name" : "1073741828",
"line_number" : 3,
"rule_num" : 3,
"src" : [ "address_5" ],
"src_negate" : 0,
"dst_negate" : 0,
"src_nat" : [ ],
"dst_nat" : [ ],
"nat" : "enabled",
"target" : [ ],
},
"1074741825" : {
"service" : [ "gGOPHER" ],
"action" : "deny",
"log" : 0,
"comments" : "",
"rule_id" : "1074741825",
"rule_name" : "1074741825",
"line_number" : 4,
"rule_num" : 4,
"rule_grp" : "after",
409
"src" : [ "33_Global" ],
"src_negate" : 0,
"dst_negate" : 0,
"src_nat" : [ ],
"dst_nat" : [ ],
"nat" : "enabled",
"target" : [ ],
}
},
"hosts" : {
"ip-10.150.191.25" : {
"name" : "ip-10.150.191.25",
"comment" : "",
"ips" : [ "10.150.191.25/32" ],
"negate" : false,
"type" : "SUBNET",
"is_negate" : false,
"object_container" : "device_group"
},
"google-play" : {
"name" : "google-play",
"comment" : "",
"ips" : [ "82.102.155.49" ],
"negate" : false,
"type" : "DOMAIN",
410
},
"10.30.193.1" : {
"name" : "10.30.193.1",
"comment" : "",
"ips" : [ "10.30.193.1/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.30.192.28" : {
"name" : "ip-10.30.192.28",
"comment" : "",
"ips" : [ "10.30.192.28/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.120.191.44" : {
"name" : "ip-10.120.191.44",
"comment" : "",
"ips" : [ "10.120.191.44/32" ],
"negate" : false,
"type" : "SUBNET",
},
"none" : {
"name" : "none",
"comment" : "",
"ips" : [ "0.0.0.0/0" ],
"negate" : false,
"type" : "SUBNET",
},
411
"Addr" : {
"name" : "Addr",
"comment" : "",
"ips" : [ "1.2.3.4/32" ],
"negate" : false,
"type" : "SUBNET",
},
"Address_2" : {
"name" : "Address_2",
"comment" : "",
"ips" : [ "1.1.1.1-20.20.255.1" ],
"negate" : false,
},
"Address_1" : {
"comment" : "",
"ips" : [ "192.168.0.0/16" ],
"negate" : false,
"type" : "SUBNET",
},
"Address_3" : {
"comment" : "",
"ips" : [ "100.0.0.1-200.0.0.2" ],
"negate" : false,
},
"ip-10.10.125.75" : {
412
"name" : "ip-10.10.125.75",
"comment" : "",
"ips" : [ "10.10.125.75/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.30.191.57" : {
"name" : "ip-10.30.191.57",
"comment" : "",
"ips" : [ "10.30.191.57/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.30.192.25" : {
"name" : "ip-10.30.192.25",
"comment" : "",
"ips" : [ "10.30.192.25/32" ],
"negate" : false,
"type" : "SUBNET",
},
"10.110.193.1" : {
"name" : "10.110.193.1",
"comment" : "",
"ips" : [ "10.110.193.1/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.10.193.25" : {
"name" : "ip-10.10.193.25",
413
"comment" : "",
"ips" : [ "10.10.193.25/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.20.191.25" : {
"name" : "ip-10.20.191.25",
"comment" : "",
"ips" : [ "10.20.191.25/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.10.192.55" : {
"name" : "ip-10.10.192.55",
"comment" : "",
"ips" : [ "10.10.192.55/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.10.191.85" : {
"name" : "ip-10.10.191.85",
"comment" : "",
"ips" : [ "10.10.191.85/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.20.192.75" : {
"name" : "ip-10.20.192.75",
"comment" : "",
414
"ips" : [ "10.20.192.75/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.30.191.46" : {
"name" : "ip-10.30.191.46",
"comment" : "",
"ips" : [ "10.30.191.46/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.10.192.87" : {
"name" : "ip-10.10.192.87",
"comment" : "",
"ips" : [ "10.10.192.87/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.120.191.175" : {
"name" : "ip-10.120.191.175",
"comment" : "",
"ips" : [ "10.120.191.175/32" ],
"negate" : false,
"type" : "SUBNET",
},
"update.microsoft.com" : {
"name" : "update.microsoft.com",
"comment" : "",
"ips" : [ "134.170.58.221" ],
415
"negate" : false,
"type" : "DOMAIN",
},
"ip-10.110.191.85" : {
"name" : "ip-10.110.191.85",
"comment" : "",
"ips" : [ "10.110.191.85/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.40.192.28" : {
"name" : "ip-10.40.192.28",
"comment" : "",
"ips" : [ "10.40.192.28/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.110.193.27" : {
"name" : "ip-10.110.193.27",
"comment" : "",
"ips" : [ "10.110.193.27/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.110.191.158" : {
"name" : "ip-10.110.191.158",
"comment" : "",
"ips" : [ "10.110.191.158/32" ],
"negate" : false,
416
"type" : "SUBNET",
},
"ip-10.30.192.47" : {
"name" : "ip-10.30.192.47",
"comment" : "",
"ips" : [ "10.30.192.47/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.141.191.25" : {
"name" : "ip-10.141.191.25",
"comment" : "",
"ips" : [ "10.141.191.25/32" ],
"negate" : false,
"type" : "SUBNET",
},
"gauth.gfx.ms" : {
"name" : "gauth.gfx.ms",
"comment" : "",
"ips" : [ "23.37.40.70" ],
"negate" : false,
"type" : "DOMAIN",
"object_container" : "shared"
},
"33" : {
"name" : "33",
"comment" : "",
"ips" : [ "33.33.33.0/24" ],
"negate" : false,
"type" : "SUBNET",
417
},
"ip-10.110.191.71" : {
"name" : "ip-10.110.191.71",
"comment" : "",
"ips" : [ "10.110.191.71/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.110.191.75" : {
"name" : "ip-10.110.191.75",
"comment" : "",
"ips" : [ "10.110.191.75/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.20.192.57" : {
"name" : "ip-10.20.192.57",
"comment" : "",
"ips" : [ "10.20.192.57/32" ],
"negate" : false,
"type" : "SUBNET",
},
"a_10.132.22.10" : {
"name" : "a_10.132.22.10",
"comment" : "",
"ips" : [ "10.132.22.10/32" ],
"negate" : false,
"type" : "SUBNET",
418
},
"44" : {
"name" : "44",
"comment" : "",
"ips" : [ "44.44.44.0/24" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.10.191.55" : {
"name" : "ip-10.10.191.55",
"comment" : "",
"ips" : [ "10.10.191.55/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.30.191.14" : {
"name" : "ip-10.30.191.14",
"comment" : "",
"ips" : [ "10.30.191.14/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.30.191.15" : {
"name" : "ip-10.30.191.15",
"comment" : "",
"ips" : [ "10.30.191.15/32" ],
"negate" : false,
"type" : "SUBNET",
419
},
"ip-10.10.192.25" : {
"name" : "ip-10.10.192.25",
"comment" : "",
"ips" : [ "10.10.192.25/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.10.192.55-1" : {
"name" : "ip-10.10.192.55-1",
"comment" : "",
"ips" : [ "10.10.192.55/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.120.191.88" : {
"name" : "ip-10.120.191.88",
"comment" : "",
"ips" : [ "10.120.191.88/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.140.191.48" : {
"name" : "ip-10.140.191.48",
"comment" : "",
"ips" : [ "10.140.191.48/32" ],
"negate" : false,
"type" : "SUBNET",
},
420
"ip-10.110.191.175" : {
"name" : "ip-10.110.191.175",
"comment" : "",
"ips" : [ "10.110.191.175/32" ],
"negate" : false,
"type" : "SUBNET",
},
"all" : {
"name" : "all",
"comment" : "",
"ips" : [ "0.0.0.0/0" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.30.193.28" : {
"name" : "ip-10.30.193.28",
"comment" : "",
"ips" : [ "10.30.193.28/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.10.191.47" : {
"name" : "ip-10.10.191.47",
"comment" : "",
"ips" : [ "10.10.191.47/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.10.191.45" : {
421
"name" : "ip-10.10.191.45",
"comment" : "",
"ips" : [ "10.10.191.45/32" ],
"negate" : false,
"type" : "SUBNET",
},
"@345" : {
"name" : "@345",
"comment" : "",
"ips" : [ "1.1.1.1/32" ],
"negate" : false,
"type" : "SUBNET",
},
"h_10.10.192.44" : {
"name" : "h_10.10.192.44",
"comment" : "",
"ips" : [ "10.10.192.44/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.110.191.56" : {
"name" : "ip-10.110.191.56",
"comment" : "",
"ips" : [ "10.110.191.56/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.120.191.72" : {
"name" : "ip-10.120.191.72",
422
"comment" : "",
"ips" : [ "10.120.191.72/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.110.191.58" : {
"name" : "ip-10.110.191.58",
"comment" : "",
"ips" : [ "10.110.191.58/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.30.191.178" : {
"name" : "ip-10.30.191.178",
"comment" : "",
"ips" : [ "10.30.191.178/32" ],
"negate" : false,
"type" : "SUBNET",
},
"33_Global" : {
"name" : "33_Global",
"comment" : "",
"ips" : [ "33.33.33.0/24" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.30.191.88" : {
"name" : "ip-10.30.191.88",
"comment" : "",
423
"ips" : [ "10.30.191.88/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.30.193.25" : {
"name" : "ip-10.30.193.25",
"comment" : "",
"ips" : [ "10.30.193.25/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.30.191.85" : {
"name" : "ip-10.30.191.85",
"comment" : "",
"ips" : [ "10.30.191.85/32" ],
"negate" : false,
"type" : "SUBNET",
},
"gnone" : {
"name" : "gnone",
"comment" : "",
"ips" : [ "0.0.0.0/0" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.110.191.5" : {
"name" : "ip-10.110.191.5",
"comment" : "",
"ips" : [ "10.110.191.5/32" ],
424
"negate" : false,
"type" : "SUBNET",
},
"AddressGlobal1" : {
"name" : "AddressGlobal1",
"comment" : "",
"ips" : [ "10.10.192.75/32" ],
"negate" : false,
"type" : "SUBNET",
},
"h_10.30.192.50" : {
"name" : "h_10.30.192.50",
"comment" : "",
"ips" : [ "10.30.192.50/32" ],
"negate" : false,
"type" : "SUBNET",
},
"address_4" : {
"name" : "address_4",
"comment" : "",
"ips" : [ "192.168.3.96/32" ],
"negate" : false,
"type" : "SUBNET",
},
"net-10.120.191.56-30" : {
"name" : "net-10.120.191.56-30",
"comment" : "",
"ips" : [ "10.120.191.56/30" ],
"negate" : false,
425
"type" : "SUBNET",
},
"ip-10.110.191.44" : {
"name" : "ip-10.110.191.44",
"comment" : "",
"ips" : [ "10.110.191.44/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.10.191.72" : {
"name" : "ip-10.10.191.72",
"comment" : "",
"ips" : [ "10.10.191.72/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.110.191.46" : {
"name" : "ip-10.110.191.46",
"comment" : "",
"ips" : [ "10.110.191.46/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.120.192.75" : {
"name" : "ip-10.120.192.75",
"comment" : "",
"ips" : [ "10.120.192.75/32" ],
"negate" : false,
"type" : "SUBNET",
426
},
"ip-10.110.191.48" : {
"name" : "ip-10.110.191.48",
"comment" : "",
"ips" : [ "10.110.191.48/32" ],
"negate" : false,
"type" : "SUBNET",
},
"a_172.20.120.100" : {
"name" : "a_172.20.120.100",
"comment" : "",
"ips" : [ "172.20.120.100/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.120.191.28" : {
"name" : "ip-10.120.191.28",
"comment" : "",
"ips" : [ "10.120.191.28/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.120.191.27" : {
"name" : "ip-10.120.191.27",
"comment" : "",
"ips" : [ "10.120.191.27/32" ],
"negate" : false,
"type" : "SUBNET",
427
},
"ip-10.30.191.25" : {
"name" : "ip-10.30.191.25",
"comment" : "",
"ips" : [ "10.30.191.25/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.30.191.26" : {
"name" : "ip-10.30.191.26",
"comment" : "",
"ips" : [ "10.30.191.26/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.30.191.28" : {
"name" : "ip-10.30.191.28",
"comment" : "",
"ips" : [ "10.30.191.28/32" ],
"negate" : false,
"type" : "SUBNET",
},
"h_10.10.191.56" : {
"name" : "h_10.10.191.56",
"comment" : "",
"ips" : [ "10.10.191.56/32" ],
"negate" : false,
"type" : "SUBNET",
428
},
"address_5" : {
"name" : "address_5",
"comment" : "address_5",
"ips" : [ "0.0.0.0/0" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.120.191.13" : {
"name" : "ip-10.120.191.13",
"comment" : "",
"ips" : [ "10.120.191.13/32" ],
"negate" : false,
"type" : "SUBNET",
},
"ip-10.30.191.158" : {
"name" : "ip-10.30.191.158",
"comment" : "",
"ips" : [ "10.30.191.158/32" ],
"negate" : false,
"type" : "SUBNET",
},
"Address-SUBNET" : {
"name" : "Address-SUBNET",
"comment" : "Simple comment",
"ips" : [ "192.168.0.0/16" ],
"negate" : false,
"type" : "SUBNET",
}
429
},
"services" : {
"gFTP_GET" : {
"name" : "gFTP_GET",
"service_definitions" : [ {
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "21"
} ],
},
"POP3" : {
"name" : "POP3",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "110"
} ],
},
"SMTPS" : {
"name" : "SMTPS",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "465"
} ],
},
"gOSPF" : {
"name" : "gOSPF",
"protocol" : "89",
"src_port" : "*",
"dst_port" : "*"
} ],
430
},
"gSSH" : {
"name" : "gSSH",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "22"
} ],
},
"VDOLIVE" : {
"name" : "VDOLIVE",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "7000-7010"
} ],
},
"NNTP" : {
"name" : "NNTP",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "119"
} ],
},
"gDCE-RPC" : {
"name" : "gDCE-RPC",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "135"
}, {
"protocol" : "udp",
"src_port" : "*",
431
"dst_port" : "135"
} ],
},
"gPOP3S" : {
"name" : "gPOP3S",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "995"
} ],
},
"RSH" : {
"name" : "RSH",
"protocol" : "tcp",
"src_port" : "512-1023",
"dst_port" : "514"
} ],
},
"AH" : {
"name" : "AH",
"protocol" : "51",
"src_port" : "*",
"dst_port" : "*"
} ],
},
"gUUCP" : {
"name" : "gUUCP",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "540"
432
} ],
},
"QUAKE" : {
"name" : "QUAKE",
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "26000"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "27000"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "27910"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "27960"
} ],
},
"GOPHER" : {
"name" : "GOPHER",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "70"
} ],
},
"service_1" : {
"name" : "service_1",
"protocol" : "120",
433
"src_port" : "*",
"dst_port" : "*"
} ],
},
"service_2" : {
"protocol" : "tcp",
"src_port" : "2-400",
"dst_port" : "1-500"
} ],
},
"gINFO_REQUEST" : {
"name" : "gINFO_REQUEST",
"src_port" : "15",
"dst_port" : "*"
} ],
},
"gAOL" : {
"name" : "gAOL",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "5190-5194"
} ],
},
"RTSP" : {
"name" : "RTSP",
"protocol" : "tcp",
"src_port" : "*",
434
"dst_port" : "554"
}, {
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "7070"
}, {
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "8554"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "554"
} ],
},
"IRC" : {
"name" : "IRC",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "6660-6669"
} ],
},
"PC-Anywhere" : {
"name" : "PC-Anywhere",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "5631"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "5632"
} ],
435
},
"INFO_ADDRESS" : {
"name" : "INFO_ADDRESS",
"src_port" : "17",
"dst_port" : "*"
} ],
},
"WINS" : {
"name" : "WINS",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "1512"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "1512"
} ],
},
"DCE-RPC" : {
"name" : "DCE-RPC",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "135"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "135"
} ],
},
"L2TP" : {
436
"name" : "L2TP",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "1701"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "1701"
} ],
},
"gTALK" : {
"name" : "gTALK",
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "517-518"
} ],
},
"gSAMBA" : {
"name" : "gSAMBA",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "139"
} ],
},
"tcp-441" : {
"name" : "tcp-441",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "441-441"
} ],
437
},
"IMAPS" : {
"name" : "IMAPS",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "993"
} ],
},
"TFTP" : {
"name" : "TFTP",
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "69"
} ],
},
"H323" : {
"name" : "H323",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "1720"
}, {
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "1503"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "1719"
} ],
},
438
"udp-16992" : {
"name" : "udp-16992",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "16992"
} ],
},
"gRSH" : {
"name" : "gRSH",
"protocol" : "tcp",
"src_port" : "512-1023",
"dst_port" : "514"
} ],
},
"gMYSQL" : {
"name" : "gMYSQL",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "3306"
} ],
},
"gFTP_PUT" : {
"name" : "gFTP_PUT",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "21"
} ],
},
"PPTP" : {
439
"name" : "PPTP",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "1723"
} ],
},
"RADIUS-OLD" : {
"name" : "RADIUS-OLD",
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "1645"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "1646"
} ],
},
"gIRC" : {
"name" : "gIRC",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "6660-6669"
} ],
},
"RDP" : {
"name" : "RDP",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "3389"
} ],
440
},
"FTP_GET" : {
"name" : "FTP_GET",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "21"
} ],
},
"udp-16992-16995" : {
"name" : "udp-16992-16995",
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "16992-16995"
} ],
},
"SMTP" : {
"name" : "SMTP",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "25"
} ],
},
"IMAP" : {
"name" : "IMAP",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "143"
} ],
441
},
"LDAP_UDP" : {
"name" : "LDAP_UDP",
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "389"
} ],
},
"RLOGIN" : {
"name" : "RLOGIN",
"protocol" : "tcp",
"src_port" : "512-1023",
"dst_port" : "513"
} ],
},
"gSCCP" : {
"name" : "gSCCP",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "2000"
} ],
},
"gMS-SQL" : {
"name" : "gMS-SQL",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "1433"
}, {
"protocol" : "tcp",
"src_port" : "*",
442
"dst_port" : "1434"
} ],
},
"tcp-16995" : {
"name" : "tcp-16995",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "16995"
} ],
},
"gTIMESTAMP" : {
"name" : "gTIMESTAMP",
"src_port" : "13",
"dst_port" : "*"
} ],
},
"ALL_TCP" : {
"name" : "ALL_TCP",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "1-65535"
} ],
},
"tcp-16996" : {
"name" : "tcp-16996",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "16996"
443
} ],
},
"tcp-16993" : {
"name" : "tcp-16993",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "16993"
} ],
},
"tcp-16994" : {
"name" : "tcp-16994",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "16994"
} ],
},
"tcp-16992" : {
"name" : "tcp-16992",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "16992"
} ],
},
"gL2TP" : {
"name" : "gL2TP",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "1701"
}, {
444
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "1701"
} ],
},
"gTFTP" : {
"name" : "gTFTP",
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "69"
} ],
},
"VNC" : {
"name" : "VNC",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "5900"
} ],
},
"TALK" : {
"name" : "TALK",
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "517-518"
} ],
},
"SAMBA" : {
"name" : "SAMBA",
"protocol" : "tcp",
445
"src_port" : "*",
"dst_port" : "139"
} ],
},
"SCCP" : {
"name" : "SCCP",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "2000"
} ],
},
"gH323" : {
"name" : "gH323",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "1720"
}, {
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "1503"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "1719"
} ],
},
"gHTTP" : {
"name" : "gHTTP",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "80"
446
} ],
},
"gSIP-MSNmessenger" : {
"name" : "gSIP-MSNmessenger",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "1863"
} ],
},
"gwebproxy" : {
"name" : "gwebproxy",
"service_definitions" : [ ],
},
"gRDP" : {
"name" : "gRDP",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "3389"
} ],
},
"BGP" : {
"name" : "BGP",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "179"
} ],
},
"HTTP" : {
"name" : "HTTP",
447
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "80"
}, {
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "81"
} ],
},
"FTP_PUT" : {
"name" : "FTP_PUT",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "21"
} ],
},
"tcp-759" : {
"name" : "tcp-759",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "759"
} ],
},
"gFINGER" : {
"name" : "gFINGER",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "79"
} ],
448
},
"tcp-757" : {
"name" : "tcp-757",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "757"
} ],
},
"gPING6" : {
"name" : "gPING6",
},
"MMS" : {
"name" : "MMS",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "1755"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "1024-5000"
} ],
},
"gPPTP" : {
"name" : "gPPTP",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "1723"
} ],
},
449
"gALL_ICMP6" : {
"name" : "gALL_ICMP6",
},
"X-WINDOWS" : {
"name" : "X-WINDOWS",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "6000-6063"
} ],
},
"gALL_ICMP" : {
"name" : "gALL_ICMP",
"src_port" : "0",
"dst_port" : "*"
} ],
},
"GRE" : {
"name" : "GRE",
"protocol" : "47",
"src_port" : "*",
"dst_port" : "*"
} ],
},
"SIP" : {
"name" : "SIP",
"protocol" : "tcp",
"src_port" : "*",
450
"dst_port" : "5060"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "5060"
} ],
},
"gMMS" : {
"name" : "gMMS",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "1755"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "1024-5000"
} ],
},
"gSIP" : {
"name" : "gSIP",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "5060"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "5060"
} ],
},
"gBGP" : {
"name" : "gBGP",
451
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "179"
} ],
},
"tcp-527" : {
"name" : "tcp-527",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "527"
} ],
},
"gAH" : {
"name" : "gAH",
"protocol" : "51",
"src_port" : "*",
"dst_port" : "*"
} ],
},
"gSMTPS" : {
"name" : "gSMTPS",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "465"
} ],
},
"gQUAKE" : {
"name" : "gQUAKE",
"protocol" : "udp",
452
"src_port" : "*",
"dst_port" : "26000"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "27000"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "27910"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "27960"
} ],
},
"gRTSP" : {
"name" : "gRTSP",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "554"
}, {
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "7070"
}, {
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "8554"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "554"
} ],
453
},
"HTTPS" : {
"name" : "HTTPS",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "443"
} ],
},
"gInternet-Locator-Service" : {
"name" : "gInternet-Locator-Service",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "389"
} ],
},
"gPOP3" : {
"name" : "gPOP3",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "110"
} ],
},
"gGRE" : {
"name" : "gGRE",
"protocol" : "47",
"src_port" : "*",
"dst_port" : "*"
} ],
},
454
"MYSQL" : {
"name" : "MYSQL",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "3306"
} ],
},
"TELNET" : {
"name" : "TELNET",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "23"
} ],
},
"tcp-775" : {
"name" : "tcp-775",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "775"
} ],
},
"CVSPSERVER" : {
"name" : "CVSPSERVER",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "2401"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "2401"
455
} ],
},
"INFO_REQUEST" : {
"name" : "INFO_REQUEST",
"src_port" : "15",
"dst_port" : "*"
} ],
},
"tcp-1433" : {
"name" : "tcp-1433",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "1433"
} ],
},
"gSMTP" : {
"name" : "gSMTP",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "25"
} ],
},
"gVDOLIVE" : {
"name" : "gVDOLIVE",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "7000-7010"
} ],
456
},
"gNNTP" : {
"name" : "gNNTP",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "119"
} ],
},
"gVNC" : {
"name" : "gVNC",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "5900"
} ],
},
"FINGER" : {
"name" : "FINGER",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "79"
} ],
},
"gIMAP" : {
"name" : "gIMAP",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "143"
} ],
457
},
"RIP" : {
"name" : "RIP",
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "520"
} ],
},
"gGOPHER" : {
"name" : "gGOPHER",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "70"
} ],
},
"gKERBEROS" : {
"name" : "gKERBEROS",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "88"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "88"
} ],
},
"POP3S" : {
"name" : "POP3S",
"protocol" : "tcp",
"src_port" : "*",
458
"dst_port" : "995"
} ],
},
"TRACEROUTE" : {
"name" : "TRACEROUTE",
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "33434-33535"
} ],
},
"OSPF" : {
"name" : "OSPF",
"protocol" : "89",
"src_port" : "*",
"dst_port" : "*"
} ],
},
"GTP" : {
"name" : "GTP",
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "2123"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "2152"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "3386"
} ],
459
},
"gRIP" : {
"name" : "gRIP",
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "520"
} ],
},
"DNS" : {
"name" : "DNS",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "53"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "53"
} ],
},
"MS-SQL" : {
"name" : "MS-SQL",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "1433"
}, {
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "1434"
} ],
},
460
"RAUDIO" : {
"name" : "RAUDIO",
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "7070"
} ],
},
"gDHCP" : {
"name" : "gDHCP",
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "67-68"
} ],
},
"gGTP" : {
"name" : "gGTP",
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "2123"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "2152"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "3386"
} ],
},
"gTRACEROUTE" : {
"name" : "gTRACEROUTE",
461
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "33434-33535"
} ],
},
"SNMP" : {
"name" : "SNMP",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "161-162"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "161-162"
} ],
},
"NONE" : {
"name" : "NONE",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "0"
} ],
},
"testService" : {
"name" : "testService",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "5500-5555"
} ],
462
},
"gINFO_ADDRESS" : {
"name" : "gINFO_ADDRESS",
"src_port" : "17",
"dst_port" : "*"
} ],
},
"gTELNET" : {
"name" : "gTELNET",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "23"
} ],
},
"gHTTPS" : {
"name" : "gHTTPS",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "443"
} ],
},
"SMB" : {
"name" : "SMB",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "445"
} ],
},
463
"UUCP" : {
"name" : "UUCP",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "540"
} ],
},
"gWINS" : {
"name" : "gWINS",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "1512"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "1512"
} ],
},
"gSYSLOG" : {
"name" : "gSYSLOG",
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "514"
} ],
},
"RADIUS" : {
"name" : "RADIUS",
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "1812"
464
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "1813"
} ],
},
"NetMeeting" : {
"name" : "NetMeeting",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "1720"
} ],
},
"gCVSPSERVER" : {
"name" : "gCVSPSERVER",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "2401"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "2401"
} ],
},
"tcp-24601" : {
"name" : "tcp-24601",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "24601"
} ],
465
},
"AFS3" : {
"name" : "AFS3",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "7000-7009"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "7000-7009"
} ],
},
"gLDAP" : {
"name" : "gLDAP",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "389"
} ],
},
"FTP" : {
"name" : "FTP",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "21"
} ],
},
"REXEC" : {
"name" : "REXEC",
"protocol" : "tcp",
"src_port" : "*",
466
"dst_port" : "512"
} ],
},
"NTP" : {
"name" : "NTP",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "123"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "123"
} ],
},
"ONC-RPC" : {
"name" : "ONC-RPC",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "111"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "111"
} ],
},
"SIP-MSNmessenger" : {
"name" : "SIP-MSNmessenger",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "1863"
} ],
467
},
"gSMB" : {
"name" : "gSMB",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "445"
} ],
},
"my_service" : {
"name" : "my_service",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "0"
} ],
},
"gFTP" : {
"name" : "gFTP",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "21"
} ],
},
"WINFRAME" : {
"name" : "WINFRAME",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "1494"
}, {
"protocol" : "tcp",
468
"src_port" : "*",
"dst_port" : "2598"
} ],
},
"PING" : {
"name" : "PING",
"src_port" : "8",
"dst_port" : "*"
} ],
},
"WAIS" : {
"name" : "WAIS",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "210"
} ],
},
"tcp-175" : {
"name" : "tcp-175",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "175"
} ],
},
"IKE" : {
"name" : "IKE",
"protocol" : "udp",
"src_port" : "*",
469
"dst_port" : "500"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "4500"
} ],
},
"ALL_UDP" : {
"name" : "ALL_UDP",
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "1-65535"
} ],
},
"ESP" : {
"name" : "ESP",
"protocol" : "50",
"src_port" : "*",
"dst_port" : "*"
} ],
},
"gDNS" : {
"name" : "gDNS",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "53"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "53"
} ],
470
},
"gNetMeeting" : {
"name" : "gNetMeeting",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "1720"
} ],
},
"gSOCKS" : {
"name" : "gSOCKS",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "1080"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "1080"
} ],
},
"gSQUID" : {
"name" : "gSQUID",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "3128"
} ],
},
"gLDAP_UDP" : {
"name" : "gLDAP_UDP",
"protocol" : "udp",
471
"src_port" : "*",
"dst_port" : "389"
} ],
},
"ALL" : {
"name" : "ALL",
"protocol" : "6",
"src_port" : "*",
"dst_port" : "*"
} ],
},
"webproxy" : {
"name" : "webproxy",
},
"gRAUDIO" : {
"name" : "gRAUDIO",
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "7070"
} ],
},
"LDAP" : {
"name" : "LDAP",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "389"
} ],
},
472
"gALL_UDP" : {
"name" : "gALL_UDP",
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "1-65535"
} ],
},
"gX-WINDOWS" : {
"name" : "gX-WINDOWS",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "6000-6063"
} ],
},
"ALL_ICMP6" : {
"name" : "ALL_ICMP6",
},
"gWAIS" : {
"name" : "gWAIS",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "210"
} ],
},
"gPING" : {
"name" : "gPING",
"src_port" : "8",
473
"dst_port" : "*"
} ],
},
"TCP-Serv" : {
"name" : "TCP-Serv",
"protocol" : "tcp",
"src_port" : "2-400",
"dst_port" : "1-500"
} ],
},
"tcp-225" : {
"name" : "tcp-225",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "225"
} ],
},
"PING6" : {
"name" : "PING6",
},
"tcp-55" : {
"name" : "tcp-55",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "55-55"
} ],
},
"gALL" : {
474
"name" : "gALL",
"protocol" : "0",
"src_port" : "*",
"dst_port" : "*"
} ],
},
"TIMESTAMP" : {
"name" : "TIMESTAMP",
"src_port" : "13",
"dst_port" : "*"
} ],
},
"NFS" : {
"name" : "NFS",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "111"
}, {
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "2049"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "111"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "2049"
} ],
475
},
"Internet-Locator-Service" : {
"name" : "Internet-Locator-Service",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "389"
} ],
},
"gMGCP" : {
"name" : "gMGCP",
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "2427"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "2727"
} ],
},
"MGCP" : {
"name" : "MGCP",
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "2427"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "2727"
} ],
},
"gService" : {
476
"name" : "gService",
"protocol" : "tcp",
"src_port" : "999",
"dst_port" : "0"
} ],
},
"SQUID" : {
"name" : "SQUID",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "3128"
} ],
},
"gALL_TCP" : {
"name" : "gALL_TCP",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "1-65535"
} ],
},
"tcp-232" : {
"name" : "tcp-232",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "232-232"
} ],
},
"ALL_ICMP" : {
"name" : "ALL_ICMP",
477
"src_port" : "0",
"dst_port" : "*"
} ],
},
"gWINFRAME" : {
"name" : "gWINFRAME",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "1494"
}, {
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "2598"
} ],
},
"tcp-*" : {
"name" : "tcp-*",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "0-65535"
} ],
},
"service_5" : {
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "75"
} ],
478
},
"gIMAPS" : {
"name" : "gIMAPS",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "993"
} ],
},
"gIKE" : {
"name" : "gIKE",
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "500"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "4500"
} ],
},
"gNTP" : {
"name" : "gNTP",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "123"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "123"
} ],
},
"gESP" : {
479
"name" : "gESP",
"protocol" : "50",
"src_port" : "*",
"dst_port" : "*"
} ],
},
"SOCKS" : {
"name" : "SOCKS",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "1080"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "1080"
} ],
},
"DHCP6" : {
"name" : "DHCP6",
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "546"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "547"
} ],
},
"gREXEC" : {
"name" : "gREXEC",
480
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "512"
} ],
},
"gRLOGIN" : {
"name" : "gRLOGIN",
"protocol" : "tcp",
"src_port" : "512-1023",
"dst_port" : "513"
} ],
},
"gNONE" : {
"name" : "gNONE",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "0"
} ],
},
"tcp-1701" : {
"name" : "tcp-1701",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "1701"
} ],
},
"AOL" : {
"name" : "AOL",
"protocol" : "tcp",
481
"src_port" : "*",
"dst_port" : "5190-5194"
} ],
},
"tcp-72" : {
"name" : "tcp-72",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "72-72"
} ],
},
"gRADIUS-OLD" : {
"name" : "gRADIUS-OLD",
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "1645"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "1646"
} ],
},
"SSH" : {
"name" : "SSH",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "22"
} ],
},
"KERBEROS" : {
482
"name" : "KERBEROS",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "88"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "88"
} ],
},
"gPC-Anywhere" : {
"name" : "gPC-Anywhere",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "5631"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "5632"
} ],
},
"DHCP" : {
"name" : "DHCP",
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "67-68"
} ],
},
"gONC-RPC" : {
"name" : "gONC-RPC",
483
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "111"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "111"
} ],
},
"udp/16994" : {
"name" : "udp/16994",
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "16994"
} ],
},
"gSNMP" : {
"name" : "gSNMP",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "161-162"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "161-162"
} ],
},
"SYSLOG" : {
"name" : "SYSLOG",
"protocol" : "udp",
"src_port" : "*",
484
"dst_port" : "514"
} ],
},
"gRADIUS" : {
"name" : "gRADIUS",
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "1812"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "1813"
} ],
},
"gNFS" : {
"name" : "gNFS",
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "111"
}, {
"protocol" : "tcp",
"src_port" : "*",
"dst_port" : "2049"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "111"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "2049"
} ],
485
},
"gDHCP6" : {
"name" : "gDHCP6",
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "546"
}, {
"protocol" : "udp",
"src_port" : "*",
"dst_port" : "547"
} ],
}
},
"zones" : {
"Internal" : {
"name" : "Internal",
"interfaces" : [ "port3" ],
"description" : ""
},
"root-Internal" : {
"name" : "root-Internal",
"interfaces" : [ "port4" ],
"description" : ""
}
},
"interfaces" : {
"VLAN-103" : {
"name" : "VLAN-103",
"ips" : [ "10.30.22.2/24" ],
"rules_groups" : [ ]
},
"VLAN-104" : {
486
"ips" : [ "10.40.22.2/24" ],
},
"VLAN-102" : {
"ips" : [ "10.20.22.2/24" ],
},
"port7" : {
"name" : "port7",
"ips" : [ "10.120.192.1/24" ],
},
"port5" : {
"name" : "port5",
"ips" : [ "10.30.192.1/24" ],
},
"port6" : {
"name" : "port6",
"ips" : [ "10.110.192.1/24" ],
},
"port3" : {
"name" : "port3",
"ips" : [ "10.10.192.1/24" ],
},
"port4" : {
"name" : "port4",
"zone" : "root-Internal",
487
"ips" : [ "10.20.192.1/24" ],
},
"port41" : {
"name" : "port41",
"ips" : [ "10.40.192.1/24" ],
},
"port42" : {
"name" : "port42",
"ips" : [ "10.50.192.1/24" ],
}
},
"routes" : { },
"schedules" : { },
"global_nat_rules" : {
"1" : {
"id" : "1",
"nattype" : "DYNAMIC",
"origin_ips" : [ "ip-10.10.192.87" ],
"mapped_ips" : [ "NAT_Pool" ],
"nat_type" : "DYNAMIC",
"rule_number" : 1,
"enable" : "enabled"
}
},
"nat_objects" : {
"10.30.191.0_vip" : {
"id" : "10.30.191.0_vip",
"comment" : "",
"nattype" : "STATIC",
"origin_ips" : [ "10.30.191.0" ],
"mapped_ips" : [ "10.110.191.1-10.110.191.1" ],
488
"nat_type" : "STATIC"
},
"VipObj1" : {
"id" : "VipObj1",
"comment" : "",
"origin_ips" : [ "10.30.191.158" ],
"mapped_ips" : [ "10.110.191.1-10.110.191.1" ],
},
"Vip_under_all_lan" : {
"id" : "Vip_under_all_lan",
"comment" : "",
"origin_ips" : [ "192.168.100.100" ],
"mapped_ips" : [ "192.168.101.18" ],
},
"new_vip" : {
"id" : "new_vip",
"comment" : "",
"origin_ips" : [ "10.110.191.5-10.110.191.6" ],
"mapped_ips" : [ "10.10.191.5" ],
}
},
"nat_pools" : {
"NAT_Pool" : {
"name" : "NAT_Pool",
"ips" : [ "10.10.192.44" ],
"negate" : false,
"type" : "NAT_POOL",
"is_negate" : false
},
"overload" : {
"name" : "overload",
489
"ips" : [ "10.10.191.1-10.10.191.20" ],
"negate" : false,
"is_negate" : false
},
"ippool-new" : {
"name" : "ippool-new",
"ips" : [ "0.0.0.0" ],
"negate" : false,
"is_negate" : false
}
},
"hosts_groups" : {
"Address_Group_1" : {
"name" : "Address_Group_1",
"members" : [ "Address_1", "Address_2" ],
"negate" : false,
"object_container" : "device_group",
"is_negate" : false
},
"Address_Group_Test" : {
"name" : "Address_Group_Test",
"members" : [ "33", "44", "55" ],
"negate" : false,
"is_negate" : false
}
},
"services_groups" : {
"gWindows AD" : {
"name" : "gWindows AD",
"members" : [ "gDCE-RPC", "gDNS", "gKERBEROS", "gLDAP", "gLDAP_UDP",
"gSAMBA", "gSMB" ],
},
"Windows AD" : {
490
"name" : "Windows AD",

"members" : [ "DCE-RPC", "DNS", "KERBEROS", "LDAP", "LDAP_UDP", "SAMBA",
"SMB" ],
},
"SaHTTP" : {
"name" : "SaHTTP",
"members" : [ "tcp-16992", "tcp-16994" ],
},
"Foo" : {
"name" : "Foo",
"members" : [ "SaHTTP", "tcp-16996" ],
},
"Service_Group_Test" : {
"name" : "Service_Group_Test",
"members" : [ "AH", "ESP", "DNS" ],
},
"Web Access" : {
"name" : "Web Access",
"members" : [ "DNS", "HTTP", "HTTPS" ],
},
"Email Access" : {
"name" : "Email Access",
"members" : [ "DNS", "IMAP", "IMAPS", "POP3", "POP3S", "SMTP", "SMTPS" ],
},
"Exchange Server" : {
"name" : "Exchange Server",
"members" : [ "DCE-RPC", "DNS", "HTTPS" ],
},
"gWeb Access" : {
"name" : "gWeb Access",
491
"members" : [ "gDNS", "gHTTP", "gHTTPS" ],

},
"gExchange Server" : {
"name" : "gExchange Server",
"members" : [ "gDCE-RPC", "gDNS", "gHTTPS" ],
},
"gEmail Access" : {
"name" : "gEmail Access",
"members" : [ "gDNS", "gIMAP", "gIMAPS", "gPOP3", "gPOP3S", "gSMTP",
"gSMTPS" ],
}
},
"nat_objects_groups" : {
"VipGroupObj1" : {
"name" : "VipGroupObj1",
"members" : [ "VipObj1" ],
}
},
"device_interfaces" : {
"VLAN-103" : {
"ips" : [ "10.30.22.2/24" ],
},
"VLAN-104" : {
"ips" : [ "10.40.22.2/24" ],
},
"VLAN-102" : {
492
"ips" : [ "10.20.22.2/24" ],
},
"port7" : {
"name" : "port7",
"ips" : [ "10.120.192.1/24" ],
},
"port5" : {
"name" : "port5",
"ips" : [ "10.30.192.1/24" ],
},
"port6" : {
"name" : "port6",
"ips" : [ "10.110.192.1/24" ],
},
"port3" : {
"name" : "port3",
"ips" : [ "10.10.192.1/24" ],
},
"port4" : {
"name" : "port4",
"zone" : "root-Internal",
"ips" : [ "10.20.192.1/24" ],
},
493
"port41" : {
"name" : "port41",
"ips" : [ "10.40.192.1/24" ],
},
"port42" : {
"name" : "port42",
"ips" : [ "10.50.192.1/24" ],
}
},
"from_to_zone" : {
"any" : {
"any" : [ "1073741825", "1074741826", "1073741827", "1073741828",
"1074741825" ]
}
},
"rules_groups" : {
"middle" : {
"id" : "middle",
"name" : "Main",
"rule_display_name" : "Main"
},
"before" : {
"id" : "before",
"name" : "Header",
"rule_display_name" : "Header"
},
"after" : {
"id" : "after",
"name" : "Footer",
"rule_display_name" : "Footer"
494
}
},
"config_type" : "ZONE_BASED"
}
Troubleshooting
This section provides troubleshooting information.
Troubleshooting Files and Folders

While developing the parser you may encounter some issues. The following table specifies relevant paths
and file names that contain relevant data, based on the context.
Device Definition Analysis Monitor

Working folder /home/afa/algosec/work/ /home/afa/algosec/firewalls/afa-< /home/afa/algosec/monitor/<
collect_gen-<PID> ###> device name>
e.g.: e.g.: e.g.:
/home/afa/algosec/work/ /home/afa/algosec/firewalls/afa-8
/home/afa/algosec/monitor/1
collect_gen-62123 8
0_20_74_1
Configuration file gen_data.txt <device name>.<device brand /home/afa/algosec/monitor/<
suffix> device
e.g. name>/last_config/<device
10_20_74_1.secui name>.<device brand suffix>
Note- At the end of analysis this e.g.
file is compressed and contained
/home/afa/algosec/monitor/1
in raw_files.zip. To clarify, when
0_20_74_1/
the partner parser is launched the
configuration file is not last_config/10_20_74_1.secu
compressed yet. i
Log file /home/afa/.fa-history /home/afa/algosec/firewalls/afa-< /home/afa/algosec/monitor/<

###>/fwa.history device name>/fwa.history
Problem: User-defined Generic Device Analysis Failed

The probable cause for the analysis failure is that the input JSON configuration is invalid: the required data
is missing and/or the file structure is wrong.
Identifying the Problem

In the analysis log file, search for one of the following errors:
 "Invalid JSON format in file: …"
 "Invalid format in file: …"
495
 "…..at /usr/share/fa/bin/config_parser_json2out line … Error: hash creation

failed."
Solution
 To verify that the JSON file is in the correct format:
1 Open the SSH connection to AFA.
2 Run "su - afa"
curl –si ‘127.0.0.1:8080/afa/configParser/validate?path=<full path to JSON
file>’
4 View the validation results and error messages in the file ValidationLogs.txt, which will be in the
same directory as the JSON file.
Problem: JSON File Contains a Problematic Line

A line in the JSON file is causing a problem.
Identifying the Problem

The JSON file contains a problematic line. In this example, the line is missing Quotation marks:
"src" : [
a_ext_10.10.110.88"
],
The following error appears in failed analysis error logs:
Info: running config_parser_json2out -i "gen-algosec_generic_device.algosec" -o
"config_parser.out" malformed JSON string, neither array, object, number,
string or atom, at character offset 163088 (before "a_ext_10.10.110.88"\n...")
at /usr/share/fa/bin/config_parser_json2out line 33.
Error: hash creation failed.
Solution
1 Login to the AlgoSec box using SSH.
2 Run "su - afa".
3 Run the following command on one line
curl –si
‘127.0.0.1:8080/afa/configParser/validate?path=/home/afa/algosec_generic
_device.algosec
In /home/afa/ValidationLogs.txt, an error message identifying the problem and location in the
JSON file will appear:
ERROR: [Validator] [2015-10-25 13:23:54,884]
[ConfigParserValidatorService.java{1}::validate{1}:41] Invalid JSON format
in file =/home/afa/algosec_generic_device.algosec
Line: 6847
Field: policies -> src
Error message: Unexpected character ('a' (code 97)): expected a valid
value (number, String, array, object, 'true', 'false' or 'null')
at [Source: java.io.FileInputStream@86daca; line: 6847, column: 14]
496
4 Edit the JSON file, fixing the error identified in the error message.
497
CHAPTER 16
Appendix D: Overriding AFA System

Defaults
In This Chapter
Enabling/Disabling Group Traffic Simulation Query Results by Policy .............................................498
Enabling/Disabling IPT Rule Replacement Recommendations ...........................................................500
Configuring IPT Rule Replacement Recommendations ......................................................................500
Disabling Sorting and Filtering for Tables ...........................................................................................502
Globally Hiding/Displaying Change Details ........................................................................................502
This section explains how to override the AFA system defaults.
Enabling/Disabling Group Traffic Simulation Query

Results by Policy
By default, group traffic simulation query results include all devices in the group. You can choose to display
group query results grouped by policy, with only one representative device per policy.
Note: This setting affects group traffic simulation query results and batch traffic simulation query results. It
also affects initial plan query results in FireFlow.
 To enable/disable group traffic simulation query results by policy

498
Chapter 16 Appendix D: Overriding AFA System Defaults
The Advanced Configuration page is displayed.
4 Click Add.
5 In the Name field, type QueryByPolicy.

6 In the Value field, type one of the following:
 Type no to disable group query results by policy.
 Type yes to enable group query results by policy.
7 Click OK.
8 Click OK.
499
Enabling/Disabling IPT Rule Replacement

Recommendations
The Policy Optimization page's Intelligent Policy Tuner (IPT) provides recommendations for replacing
permissive rules with new, tighter rules. However, generating these recommendations may take a while,
thus extending the report generation time. If desired, you can disable this feature using the following
procedure.
Note: To determine the amount of time consumed by the generation of rule replacement recommendations,
view the AFA log. The start of this task is marked "IPT recommendations generation – Starting", and the
end of this task is marked "IPT recommendations generation – Finished".
 To enable/disable IPT rule replacement recommendations

4 Click Add.
5 In the Name field, type Disable_IPT_Recommendations.
 Type yes to disable IPT rule replacement recommendations.
 Type no to enable IPT rule replacement recommendations.
7 Click OK.
8 Click OK.
Configuring IPT Rule Replacement Recommendations

The Policy Optimization page's Intelligent Policy Tuner (IPT) provides recommendations for replacing
permissive rules with new, tighter rules, as well as recommendations for new objects to be used in the rules.
For each sparse object, IPT generates recommendations as follows:
1 IPT searches the device configuration for an existing object that contains the exact same IP addresses,
services, and applications as the original object. If such an object is found, IPT suggests it as a
replacement.
2 If no such object is found, IPT suggests a new object as follows:
500
Host objects: If the number of used IP addresses/ranges is smaller than a certain number

(IPT_Recommendation_Max_Subnets_Per_Range), then IPT recommends creating a new
object that contains these IP addresses/ranges. If the number is larger, IPT searches for a set of CIDR
blocks that covers all of the used IP addresses/ranges contained in the original object, and is
composed of no more than a certain number of CIDR blocks
(IPT_Recommendation_Max_Ranges). If such a set is found, IPT suggests a new object that
contains the set.
 Service/application objects: If the number of services/application is less than a certain number
(IPT_Recommendation_Max_Services), IPT suggests a new object that contains these
services/applications. If the number is larger, IPT does not suggest a new object.
3 IPT's recommendations are saved in an XML file and then displayed in the Policy Optimization page.
If desired, you can change the values used in IPT's calculations, by using the following procedure.
Note: For information on disabling IPT rule replacement recommendations altogether, see
Enabling/Disabling IPT Rule Replacement Recommendations (page 500).
 To configure IPT rule replacement recommendations

4 Add the desired items specified in the following table, one at a time, by doing the following:
a) Click Add.
b) In the Name field, type the configuration item.
c) In the Value field, type the item's value.
d) Click OK.
e) Repeat steps a-d for the next item.
5 Click OK.
IPT Rule Replacement Configuration Items
Item Description
IPT_Recommendation_Max The maximum number of CIDR blocks into which IPT will recommend splitting a host
_Subnets_Per_Range object.
IPT_Recommendation_Max The maximum number of CIDR blocks into which IPT will recommend splitting a host
_Ranges object, if the original object contains more than the number of IP addresses/ranges
specified in IPT_Recommendation_Max_Subnets_Per_Range.
501
Item Description
IPT_Recommendation_Max The maximum number of services or applications from which IPT will recommend
_Services composing a new object.
IPT_Density_Action_Limit The maximum density of a sparse object. When this limit is exceeded, the object is
considered semi-dense.
Disabling Sorting and Filtering for Tables

AFA allows sorting and filtering of tables in reports; however, performing these actions for tables with a
large number of rows many take time. If desired, you can disable sorting and filtering for large tables.
 To disable sorting and filtering for ables
4 Click Add.
5 In the Name field, type Max_Rows_To_Sort.
 Type the maximum number of rows for which sorting and filtering should be performed.
 Type 0 to disable sorting and filtering entirely.
The default value is 10,000.
7 Click OK.
8 Click OK.
Globally Hiding/Displaying Change Details

AFA allows you to omit change details from emails about new reports and from change alerts, and includes only the
device name and a link to the AFA Web interface. You can configure this setting for individual users by selecting the
Hide change details check box for each user (see Adding and Editing Users (page 277)), or you can configure this
setting globally for all users by using the following procedure.
 To globally hide/display change details
502

4 Click Add.
5 In the Name field, type hide_change_details.
 Type yes to hide change details for all users. This global setting overrides individual users' Hide
change details setting.
 Type no to display change details for all users. It is possible to override this setting on a per-user
basis.
7 Click OK.
8 Click OK.
503
CHAPTER 17
Appendix E: Using Baseline

Configuration Compliance Profiles
In This Chapter
Overview ..............................................................................................................................................504
Viewing Baseline Configuration Compliance Profiles ........................................................................504
Creating Custom Baseline Configuration Compliance Profiles ...........................................................505
This section explains how to use baseline configuration compliance profiles.
Overview
In order to generate a Baseline Configuration Compliance Report for a device, the device must be
configured with a baseline configuration compliance profile. A baseline configuration compliance profile
contains a set of commands to be run on the device upon analysis, along with the commands' desired output,
and is used to determine the device's compliance with a certain basic configuration.
AFA includes a set of sample baseline configuration compliance profiles for all supported device brands
under the /usr/share/fa/data/baseline_profiles/ directory. The relevant profile must be
selected for each device in the Devices Setup page's Baseline Configuration Compliance Profile drop-down
list.
If desired, you can create custom baseline compliance profiles. See Creating Custom Baseline
Configuration Compliance Profiles (page 505).
Viewing Baseline Configuration Compliance Profiles

 To view a list of baseline configuration compliance profiles
1 Select Administration from the AlgoSec Administrator drop-down list.
3 Click the Baseline Profiles sub-tab.
504
Chapter 17 Appendix E: Using Baseline Configuration Compliance Profiles
A list of baseline profiles appears.
Creating Custom Baseline Configuration Compliance

Profiles
 To create a custom baseline profile
 Create a new baseline profile.
See Adding a New Custom Baseline Configuration Compliance Profile (page 505).
 Create a duplicate of a baseline profile.
See Duplicating Baseline Configuration Compliance Profiles (page 507).
 Edit a baseline profile.
See Editing Baseline Configuration Compliance Profiles (page 509).
 Add, duplicate, or edit a baseline profile in XML format.
See Editing Baseline Configuration Compliance Profiles in XML Format (page 510).
Adding New Custom Baseline Configuration Compliance Profiles

 To add a new custom baseline configuration compliance profile
1 View the list of baseline profiles.
See Viewing Baseline Configuration Compliance Profiles (page 504).
505
2 Click the New button.

A baseline profile form appears.
506
3 Fill in the relevant details. See Example: Customizing a Baseline Configuration Compliance Profile
(page 518).
4 Click Save.
The new custom baseline profile appears in the baseline profile list.
Note: A appears in the Customized field of the new baseline profile.
Duplicating Baseline Configuration Compliance Profiles

You can create a custom baseline configuration compliance profile by duplicating an existing baseline
profile and editing the duplicate.
 To duplicate a baseline configuration compliance profile
2 Select one of the baseline profiles.
3 Click the Duplicate button.
507
A completed baseline profile form appears.
4 Edit the form. See Example: Customizing a Baseline Configuration Compliance Profile (page 518).
Note: To prevent the creation of two baseline profiles with the same display name, change the Profile
Name.
5 Click Save.
508
Editing Baseline Configuration Compliance Profiles

You can create a custom baseline configuration compliance profile by editing an existing baseline profile.
Note: The original baseline profile will remain intact, but it will not be available for use unless you delete the
new custom baseline profile.
 To edit a baseline configuration compliance profile

2 Select a baseline profile.
3 Click the Edit button.
A completed baseline profile form appears.
4 Edit the form. See Example: Customizing a Baseline Configuration Compliance Profile (page 518).
Note: To prevent the creation of two baseline profiles with the same display name, change the Profile
Name.
5 Click Save.
509
Deleting Custom Baseline Configuration Compliance Profiles

 To delete a custom baseline configuration compliance profile
2 Select one of the custom baseline profiles.
3 Click the Delete button.
4 Click OK.
Note: You can only delete custom baseline profiles. Custom baseline profiles are indicated by a in the
Customized field.
Editing Baseline Configuration Compliance Profiles in XML Format

You can define and edit baseline configuration compliance profiles in XML format. For users proficient in
XML, editing in XML provides the user with greater flexibility and ease in manipulating baseline profiles.
 To define or edit a baseline configuration compliance profile in XML format
1 Create, duplicate, or edit a custom baseline configuration compliance profile. See Creating Custom
Baseline Configuration Compliance Profiles (page 505).
2 In the Edit and define baseline profiles area, click the XML tab on the top-right.
510
The XML editor appears.
3 Define or edit the profile.

4 In the top-right part of the workspace, click Save.
Note: If a parsing error exists in the XML code, an error message appears.
511
Baseline Configuration Compliance Profile Structure

A baseline configuration compliance profile is divided into two main sections: Command Definitions and
Baseline Requirements.
Command Definitions are a set of commands to be run on the device during analysis. Once the commands
are running on the device, the items listed in Baseline Requirements are searched for within the command
output. This determines the device's compliance with a particular basic configuration.
The structure of a baseline configuration compliance profile is the following:
<BaselineProfile display_name="">
<CommandsDef>
<Command id="" name="" cmd="" />
<Command id="" name="" cmd=""/>
</CommandsDef>
<BaselineRequirement name="" id="">
<Command id="">
<Criterion type="">
<Item comments=""></Item>
</Criterion>
</Command>
</BaselineRequirement>
<BaselineHeader title=""></BaselineHeader>
<BaselineFooter title=""></BaselineFooter>
</BaselineProfile>
Tag Reference
This reference describes the use of each tag in the baseline configuration compliance profile. The tags are
listed in the same order as they appear in the file.
512
BaselineProfile
Description
This is the main tag for the baseline compliance profile, and it identifies the profile.
Parameters
brand_id String. The ID of the device brand relevant to the baseline configuration
compliance report.
Device Brand ID
Blue Coat bluecoat
Cisco ASA/PIX/FWSM pix
Cisco IOS ios
Cisco Nexus nexus
F5 BigIP f5bigip, f5bigip_full
Fortinet FortiGate fortigate
Check Point cma
Juniper NetScreen nsc
Juniper SRX junos
Forcepoint (McAfee) SideWinder sidewinder
Palo Alto Networks paloalto
display_name String. The name of the baseline configuration compliance profile.
The name will appear at the head of the Baseline Configuration Compliance
Report.
Subtags
 CommandsDef (page 513)
 BaselineRequirement (page 514)
BaselineProfile name="CiscoPIX"
CommandsDef
Syntax
CommandsDef
Description
This tag specifies the sequence of commands that AFA should run on the device during analysis.
Parameters
None.
Subtags
 Command (page 514)
513
Example
CommandsDef
Command
Syntax
Command id="id" [name="name"] cmd="cmd"
Description
This tag specifies a command that AFA should run on the device.
Parameters
name String. The command's name.
cmd String. The command that AFA should run on the device.
Subtags
 Criterion (page 515)
Example
Command id="1" name="Check Access" cmd="show access-list"
BaselineRequirement
Syntax
BaselineRequirement name="name" id="id"
Description
This tag specifies a requirement that the device must meet in order to be considered "in compliance". The
requirement consists of a list of required outputs for the commands that AFA will run on the device
(specified in CommandsDef (page 513).
Parameters
name String. The requirement's name.
id Integer. The requirement's ID and order number.
Commands are displayed in numerical order in the Baseline Compliance Report.
Subtags
 Command (page 514)
Example
BaselineRequirement name="First" id="1"
514
Criterion
Syntax
Criterion type="type"
Description
This tag specifies a criterion that the command output must meet.
Parameters
type String. The criterion type. This can be any of the following:
 Required Line. The line specified in the Item sub-tag must be present
in the command output.
 Required Regexp. The regular expression specified in the Item
sub-tag must be present in the command output.
 Forbidden Line. The line specified in the Item sub-tag must not be
present in the command output.
 Forbidden Regexp. The regular expression specified in the Item
sub-tag must not be present in the command output.
 Custom Function. The custom function specified in the Item sub-tag
must return true when run on the command output.
 Manual Review. The regular expression or line specified in the Item
sub-tag will be searched for in the command output.
Subtags
 Item (page 515)
Example
Criterion type="Custom Function"
Item
Syntax
Item [comments="comments"]
Description
This tag specifies information about a criterion that the command output must meet.
Parameters
comments String. Comments about a criterion that the command output must meet.
515
Contents
This tag contains further details about a criterion that the command output must meet.
Subtags
None.
Example
<Item comments="first required line for command 2">extended permit ip
207.193.122.0 255.255.255.0</Item>
BaselineHeader
Syntax
BaselineHeader title="title"
Description
This tag specifies information about the header text of the Baseline Compliance Report.
Parameters
title String. The title that should appear in the header section of the report page.
Contents
This tag contains the header text that should appear in the Baseline Compliance Report.
Subtags
None.
Example
<BaselineHeader title="Introduction">Introduction to the report</BaselineHeader>
BaselineFooter
Syntax
BaselineFooter title="title"
Description
This tag specifies information about the footer text of the Baseline Compliance Report.
Parameters
title String. The title that should appear in the footer section of the report page.
516
Contents
This tag contains the footer text that should appear in the Baseline Compliance Report.
Subtags
None.
Example
<BaselineFooter title="Summary">Summary of the report</BaselineFooter>
517
Sample Baseline Configuration Compliance Profile

<BaselineProfile display_name="Custom Profile" brand_id="pix">
<CommandsDef>
<Command id="1" name="Check Access" cmd="show access-list" />
</CommandsDef>
<BaselineRequirement name="First" description="This is first requirement."
id="1">
<Command id="1">
<Criterion type="Required Line">
<Item comments="">extended permit ip 207.193.122.0
255.255.255.0</Item>
<Item comments="">extended permit tcp object-group</Item>
</Criterion>
<Criterion type="Required Regexp">
<Item>.*\.company\.com</Item>
</Criterion>
<Criterion type="Forbidden Line">
<Item>extended deny ip host 100.77.20.9
192.168.52.0</Item>
</Criterion>
<Criterion type="Custom Function">
<Item>perl /home/shira/.fa/check_resolv.pl</Item>
</Criterion>
</Command>
</BaselineRequirement>
<BaselineHeader title="Introduction">Introduction to the report -
freetext</BaselineHeader>
<BaselineFooter title="Summary">Summary of the report -
freetext</BaselineFooter>
</BaselineProfile>
Example: Customizing a Baseline Configuration Compliance Profile

The following is an example of adding an additional command and baseline requirement to an existing
Cisco baseline profile.
518
2 Select a baseline profile.

In this example, we selected a Cisco ACE Sample profile. The profile is highlighted in blue.
3 Click Edit.
The baseline profile editor opens.
519
4 To add a command to the profile:

a) Click Commands (CommandDef).
The Commands area is highlighted in blue.
520
b) In the Add Subelement menu on the right side of the workspace, click Command.
An additional Command window appears in the profile.

Note: You can click X at anytime to remove a Top Element, Subelement, or Attribute from the
profile.
c) In the Add Attribute menu on the right side of the workspace, click attributes to add to the command.
Available options are id (Command ID), name (Command Name), and cmd (Command Syntax). See
Tag Reference - Command (page 514) for further details.
d) Fill in attribute fields.
Note: The Command ID must be unique.
5 To add a baseline requirement to the profile:

a) In the Add Top Element menu on the right side of the workspace, click BaselineRequirement.
A additional Baseline Requirement window appears in the profile.
b) In the Add Subelement menu on the right side of the workspace, you can add the following
subelements in hierarchical order:
 Command
 Criterion
 Line (Item)
See Tag Reference (page 512) for further details.
521
c) Click Add Attribute to add attributes to the baseline requirement or any of the subelements.
d) Fill in attribute fields.
Note: The Command ID must be unique.
6 Click Save.
522
CHAPTER 18
Appendix F: Customizations
In This Chapter
Customizing the Landing Page.............................................................................................................523
Creating a Custom Report Page ...........................................................................................................527
Customizing Device Policy Documentation Fields ..............................................................................528
Creating Custom Dashboards ...............................................................................................................529
Customizing the Regulatory Compliance Page ....................................................................................545
This section explains how to perform various customizations.
Customizing the Landing Page

After logging into the AlgoSec Security Management Suite, either AlgoSec Firewall Analyzer, FireFlow, or
BusinessFlow will appear. See below for the default landing page for each user. For administrators,
privileged users, and roles, you can override the default behavior by defining a landing page per user/role.
For unprivileged users (requestors), you can override the default behavior by defining a landing page for all
unprivileged users.
The landing page appears, according to the following precedence:
 If a landing page is defined for the user, that landing page will appear.
 If no landing page is defined for the user, but a landing page is defined for one of the user's roles, that
landing page will appear.
 If no landing page is defined for the user, and the user has multiple roles with different landing pages
defined, the landing page with the highest precedence will appear. The landing page precedence, from
highest to lowest, is as follows:
 BusinessFlow
 FireFlow
 AlgoSec Firewall Analyzer
 If no landing page is defined for the user or any of the user's roles, the following occurs:
 For administrators, AlgoSec Firewall Analyzer appears.
 For privileged (AFA) users, the following occurs:
 If FireFlow is licensed and activated, FireFlow appears.
 If FireFlow is not licensed/activated, but BusinessFlow is and has at least five applications,
BusinessFlow appears.
 Otherwise, AlgoSec Firewall Analyzer appears.
 For unprivileged users (requestors), the following occurs:
 If BusinessFlow is licensed, activated, and has at least five applications, BusinessFlow appears.
 Otherwise, FireFlow appears.
523
Note: Only administrators and privileged (AFA) users can define landing pages. Administrators can define
landing pages for themselves and others. Privileged users can only define landing pages for themselves. See
Customizing the Landing Page in the AlgoSec Firewall Analyzer User Guide.
 To define a landing page as an administrator for an administrator, privileged user, or role:

1 In the toolbar, click your user name.
The Administration page appears, with the Options tab selected.
4 Click in the row of the desired user or role.
524
Chapter 18 Appendix F: Customizations
New fields appear.
5 In the User details area, in the Landing page drop-down menu, select the desired landing page.
6 Click OK.
 To define a landing page for all unprivileged users (requestors)
1 In the toolbar, click your user name.
The Administration page appears, with the Options tab selected.
525
The Advanced Configuration sub-tab appears.
4 Click Add.
5 In the Name field, type FireFlow_Requestors_Landing_Page.

 To set the landing page for all unprivileged users to FireFlow, type aff.
 To set the landing page for all unprivileged users to BusinessFlow, type abf.
7 Click OK.
526
Creating a Custom Report Page

You can create a custom report page that will be included as a separate tab in each new device, group, or
matrix report.
Note: Only one custom report page is supported.
Note: The custom report page cannot be exported to HTML or PDF.
 To create a custom report page

1 Create an XML file called custom_report.xml, containing all of the execution commands in the
following format:
<Custom_Report>
<Report name="report_name">
<device command="device_script_execution_command"
output="device_output_file"></device>
<group command="group_script_execution_command" output="group_output_file"></group>
<matrix command="matrix_script_execution_command"
output="group_output_file"></matrix>
</Report>
</Custom_Report>
For information on the file's parameters, see Custom Report Configuration File Parameters (page
528).
The <device>, <group>, and <matrix> lines are optional. If you include the <device> line but do
not include the <group> or <matrix> lines, the custom report page in the group or matrix report will
display a concatenation of custom device pages.
2 Create a folder called custom_report, containing all of the scripts that must be executed.
3 Create a sub-folder called additional_files under the custom_report folder, containing
additional files that are required for generating the custom report, for example data files, .css files, and
so forth.
4 Add the file custom_report.xml and the folder custom_report (along with all its contents,
including the subfolder additional_files) to a single .zip file.
extract_custom_report -f zip_ file [-d domain_number] [-u user_name]
For information on the command's flags, see Extract Custom Report Script Flags (page 528).
The extract_custom_report script extracts the .zip file.
The next time a report is generated, it will include the custom page.
Note: If desired, you can disable the custom report page. See Enabling/Disabling Custom Report Pages
(page 347).
527
Custom Report Configuration File Parameters

Custom Report Configuration File Parameters
report_name The name of the report page.
device_script_execution_co The script execution command for the custom device report page, including input
mmand parameters. For example: sh device_script.sh
device_output_file The name of the HTML output file for the custom device report page. For example:
custom_device.html
group_script_execution_co The script execution command for the custom group report page, including input
mmand parameters. For example: sh group_script.sh
group_output_file The name of the HTML output file for the custom device report page. For example:
custom_group.html
matrix_script_execution_co The script execution command for the custom matrix report page, including input
mmand parameters. For example: sh matrix_script.sh
matrix_output_file The name of the HTML output file for the custom device report page. For example:
custom_matrix.html
Extract Custom Report Script Flags

Extract Custom Report Script Flags
Flag Description
-f zip_ file The name of the .zip file.
-d domain_number The number of the domain in the .fa directory, where the .zip file should be
extracted.
This flag is optional.
-u user_name The user to use when installing the contents of the .zip file. This user will be granted
permissions for the .zip file's contents.
This flag is optional. If it is not included, the contents of the .zip file will be installed
using the "afa" user.
Customizing Device Policy Documentation Fields

By default, AFA adds a field called Documentation to each device policy, which you can use to add
comments and other information to a rule. See Adding Comments to Device Policies.
If desired, you can disable or enable the Documentation field or add more such fields.
528
Adding Documentation Fields

Each documentation field appears as a column at the far-right side of the device policy.
Note: Documentation fields cannot be deleted, only disabled. See Enabling/Disabling Documentation
Fields (page 529).
 To add a documentation field

update_document_fields ADD "field_name" field_type "field_default_value"
Where:
 field_name is the name of the field, for example "My Doc".
 field_type is the field's type. This can have the following values: Text, Number, Bool, or List.
 field_default_value is the field's default value, for example "Good rule!"
The field is added to all device polices in AFA.
Enabling/Disabling Documentation Fields

 To enable a documentation field
update_document_fields ENABLE "field_name"
Where field_name is the name of the field.
The field is enabled for all device polices in AFA.
Note: When re-enabling a documentation field, all data that was entered in this field before it was
disabled, will appear once again in the device policies.
 To disable a documentation field

update_document_fields DISABLE "field_name"
Where field_name is the name of the field.
The field is disabled for all device polices in AFA.
Creating Custom Dashboards

You can create custom dashboards in AFA that include built-in charts, custom charts, or both. When
creating a dashboard with custom charts, you must configure the custom charts before you configure the
dashboard itself.
529
Configuring a Custom Chart

When configuring a custom chart, you configure the following characteristics of the chart:
 You specify the title of the chart.
 You specify the type of chart.
 You specify the variable for which the chart displays data.
 You specify the Y-axis values the chart displays.
 For bar charts, you also specify the following:
 The number of devices displayed in the chart.
 Whether the chart starts with displaying the devices with the most of the variable or the least of the
variable.
 The direction of the chart.
 For trend charts, you also specify how many days back the chart displays.
 To add a custom chart
2 Create a new file in /home/afa/.fa/charts or, if domains are enabled, in
/home/afa/.fa/domains/<domain>/charts, where <domain> is the domain of this dashboard.
Note: When domains are enabled, dashboards are not available at the management level. Dashboards are
only available for each domain.
3 Name the file chart_name.xml, where chart_name is the name you choose for the chart.
4 Add the CHART tag to the file, using the information in Chart Tag Reference (page 530). For an
example, see Chart Example (page 540).
5 Save the file.
Chart Tag Reference

This reference describes the use of the chart tag and its sub-tags.
 All parameters and content are presented in italics.
530
Note: All tags, parameters, and content are case sensitive, and must be in lower case.
chart
Syntax
chart
Description
This is the main tag for the chart. It specifies all the information included in the chart.
Parameters
None.
Subtags
 title (page 531)
 variable_name (page 532)
 statistics_type (page 534)
 type (page 535)
 limit (page 536)
 order_dir (page 536)
 direction (page 537)
 ymin (page 538)
 ymax (page 539)
 days_back (page 540)
title
Syntax
<title>title</title>
Description
This tag specifies the title of the chart.
Parameters
None.
Subtags
None.
Content
title String. The name that you choose for the title of the chart. You can include the
following variable in the title:
 __GROUP_NAME__. The name of the device group that is analyzed by the chart
(as defined in the dashboard XML file).
 __THRESHOLD__. The value set as the "Chart_Threshold_Val" configuration
item.
 __COUNT__. The number of devices the chart displays.
531
Example
In the following example, if the number of devices in the chart is 8, and the chart analyzes the group
"ALL_FIREWALLS", the title of the chart is "8 Devices with lowest security rating in group
ALL_FIREWALLS".
<title>__COUNT__ Devices with lowest security rating in group
__GROUP_NAME__</title>
variable_name
Syntax
<variable_name [color="color"] [value_condition="value_condition"]
[bar_name="bar_name"]>variable_name</variable_name>
Description
This tag specifies the variable that the chart displays.
Parameters
color String. The color of the bar or series of the variable, expressed in #RGB.
This parameter is for count type and trend_count_group type charts,
and the default chart type only.
value_condition String. A condition, such that, only devices with a variable value that passes the
condition will be counted.
This parameter is for count type and trend_count_group type charts
only. For trend_count_group type charts, only equality is supported, and
the value is stated without the operator.
Note: For trend_count_group type charts, this variable is an integer.
bar_name String. The label of the bar.
This parameter is for count type charts only.
function String. An aggregate function used to compile the chart data. All aggregate SQL
functions are supported (for example: "avg", "min",and "max").
This parameter is for trend_value type charts only.
This parameter is optional. The default function is the average function, which
compiles the average of the data over the group.
legend String. The label of the variable in the legend.
This parameter is for trend_value type charts only.
sum String. The sum of the statistic type.
This parameter is for sum_over_time and trend_sum_over_time type
charts only.
532
Subtags
None.
Content
Variable Content Options Available Statistic Type. Specifies this...

rules simple_count The number of rules for each device.
covered_rules simple_count The number of covered rules for each device.
special_case_rules simple_count The number of special case rules for each
device.
unused_rules simple_count The number of unused rules for each device.
security_rating simple_count The security rating for each device.
highest risk_level The highest risk level of each device.
PCI compliance_pass Whether a device meets PCI compliance.
high risks_per_risk_level The number of high risks for each device.
suspected_high risks_per_risk_level The number of suspected high risks for each
device.
medium risks_per_risk_level The number of medium risks for each device.
low risks_per_risk_level The number of medium risks for each device.
Example
In the following example, the color of the bars for this variable will be #cb3333, only devices with a variable
value of 3 will be counted, and the label of the bars for this variable will be "high".
<variable_name color="#cb3333" value_condition="=3"
bar_name="high">highest</variable_name>
533
statistics_type
Syntax
<statistics_type>statistics_type</statistics_type>
Description
This tag specifies the type of statistic that the chart displays.
Parameters
None.
Subtags
None.
Content
Content Options Specifies this...

simple_count The count of the variable for each device. This statistic type is available for the
following variables: rules, covered_rules, special_case_rules,
unused_rules, and security_rating. For example, if the statistic type is
simple_count, and the variable is rules, the chart will display the number of
rules for each device.
Note: When the simple_count statistic type is used with the
security_rating variable, the security rating for each device is displayed.
risk_level The risk level of each device. This statistic type is available for the highest
variable. When this statistic type/variable combination is used, the chart will display
the number of devices whose highest risk is high, suspected high, medium, and low.
compliance_score The compliance score of each device. This statistics type is available for the
following variables: HIPAA, BASEL, NIST_800-41, NIST_800-53,
ISO27001, NERC4, GLBA, TRM, DSD, SOX, PCI.
compliance_color The compliance color of each device. This statistics type is available for the
following variables: HIPAA, BASEL, NIST_800-41, NIST_800-53,
ISO27001, NERC4, GLBA, TRM, DSD, SOX, PCI.
baseline_score The baseline compliance score of each device (the score is the percentage of met
requirements).This statistics type is available for the baseline variable.
risks_per_risk_level The number of risks for a specific risk level for each device. This statistic type is
available for the following variables: high, suspected_high, medium, and
low. For example, if the statistic type is risks_per_risk_level, and the
variable is high, the chart will display the number of high risk rules for each device.
total_changes The number of changes on each device. This statistic type is available for the sum
variable. When this statistic type/variable combination is used, the chart will display
the total number of changes on each device.
Example
In the following example, the chart will display a simple count of the specified variable.
<statistics_type>simple_count</statistics_type>
534
type
Syntax
<type>[type]</type>
Description
This tag specifies the type of chart.
Parameters
None.
Subtags
None.
Content

count A bar chart that specifies the count of devices for each variable.
condition A bar chart that displays the number of devices whose variable value is greater than
the Chart_Threshold_Val configuration item, and the number of devices whose
variable value is not, for all devices in the group.
For information regarding setting this threshold, see Setting the Chart Threshold
Value Configuration Item (page 348).
trend_value A trend chart that displays a calculation (defined by the function parameter of
variable_name) of the variable values over all devices in the group, over time.
trend_condition A trend chart that displays the number of devices whose variable value is greater than
the Chart_Threshold_Val configuration item, and the number of devices whose
variable value is not, for all devices in the group, over time.
For information regarding setting this threshold, see Setting the Chart Threshold
Value Configuration Item (page 348).
trend_count_group A trend chart that displays the total count of the variable for all devices in the group,
over time.
sum_over_time A bar chart that displays the accumulation of the statistic for each device in the group.
trend_sum_over_time A trend chart that displays the accumulation of the statistic, over time.
empty (default) A bar chart that displays the count of the variable for each device in the group. There
can be multiple variables per device.
Example
In the following example, the chart will be a bar chart that displays the total count of the variable for each
device in the group. For example, if the chosen variable is unused_rules, the chart will display a bar chart
with the count of unused rules per device.
<type>count</type>
535
limit
Syntax
<limit>[limit]</limit>
Description
This tag specifies the number of devices the chart displays. This tag is only for bar charts.
Parameters
None.
Subtags
None.
Content
Integer. The number of devices the chart will display. If left empty, the LIMIT tag defaults to 25.
Example
In the following example, the chart will display 6 devices.
<limit>6</limit>
order_dir
order_dir
Syntax
<order_dir>[order_dir]</order_dir>
Description
This tag specifies whether the chart starts with displaying the devices with the most of the variable or the
least of the variable. This tag is only for bar charts.
Parameters
None.
Subtags
None.
Content

ASC The bar chart will start with displaying devices with the least of the variable. For
example, if the LIMIT tag is set to 6, this will produce a chart with the bottom 6
devices.
DESC The bar chart will start with displaying devices with the most of the variable. For
example, if the LIMIT tag is set to 6, this will produce a chart with the top 6 devices.
empty The ORDER_DIR tag defaults to DESC.
536
Example
In the following example, the chart will start with displaying devices with the least of the variable.
<order_dir>ASC</order_dir>
direction
Syntax
<direction>[direction]</direction>
Description
This tag specifies the direction the chart displays. This tag is only for bar charts.
Parameters
None.
Subtags
None.
Content

horizontal The bar chart will display horizontally.
vertical The bar chart will display vertically.
empty The DIRECTION tag defaults to vertical.
Example
In the following example, the chart will display vertically.
<direction>vertical</direction>
537
order_dir
Syntax
<ymin>[ymin]</ymin>
Description
This tag specifies the minimum y-axis value displayed in the chart. This tag is optional.
Parameters
None.
Subtags
None.
Content
Integer. The minimum y-axis value displayed in the chart. If left empty, the value is computed to fit the data.
Example
In the following example, the minimum y-axis value displayed in the chart is 0.
<ymin>0</ymin>
538
ymax
Syntax
<ymax>[ymax]</ymax>
Description
This tag specifies the maximum y-axis value displayed in the chart. This tag is optional.
Parameters
None.
Subtags
None.
Content
Integer. The maximum y-axis value displayed in the chart. If left empty, the value is computed to fit the data.
Example
In the following example, the maximum y-axis value displayed in the chart is 100.
<ymax>100</ymax>
days_back
Syntax
<days_back>[days_back]</days_back>
Description
This tag specifies the number of days back displayed in the chart. This tag is optional, and is only for trend
charts.
Parameters
None.
Subtags
None.
Content
Integer. The number of days back displayed in the chart. If left empty, the value defaults to 100 days.
Example
In the following example, the trend chart will display data for the last 200 days.
<days_back>200</days_back>
539
days_back
Syntax
<days_back>[days_back]</days_back>
Description
This tag specifies the number of days back displayed in the chart. This tag is optional, and is only for trend
charts.
Parameters
None.
Subtags
None.
Content
Integer. The number of days back displayed in the chart. If left empty, the value defaults to 100 days.
Example
In the following example, the trend chart will display data for the last 200 days.
<days_back>200</days_back>
Chart Example

<CHART>

<title>Number of devices by leading risk severity in group __GROUP__</title>

<type>count</type>

<statistics_type>risk_level</statistics_type>
540

<variable_name bar_name="high" value_condition="=3"
color="#cb3333">highest</variable_name>
<variable_name bar_name="suspected high" value_condition="=2"
color="#ff8213">highest</variable_name>
<variable_name bar_name="medium" value_condition="=1"
color="#fcf00a">highest</variable_name>
<variable_name bar_name="low" value_condition="=0"
color="#e4c67e">highest</variable_name>

</CHART>
Configuring a Custom Dashboard

When configuring a custom dashboard, you configure the structure of the dashboard in the following ways:
 You specify the charts the dashboard includes. These can be custom charts that you defined, or built-in
charts.
 You specify the device group for which the chart displays data.
 You specify how many charts appear in each row.
 To add a custom dashboard
2 Create a new file in /home/afa/.fa/dashboards or, if domains are enabled, in
/home/afa/.fa/domains/<domain>/dashboards, where <domain> is the domain for this
dashboard.
541
Note: When domains are enabled, dashboards are not available at the management level. Dashboards are
only available for each domain.
3 Name the file dashboard_name.xml, where dashboard_name is the name you choose for the
dashboard.
4 Add the DASHBOARD tag to the file, using the information in Dashboard Tag Reference (page 542).
For an example, see Dashboard Example (page 544).
5 Save the file.
Dashboard Tag Reference

This reference describes the use of the dashboard tag and its subtags.
Note: All tags, parameters, and content are case sensitive, and must be in lower case.
dashboard
Syntax
dashboard name="name" columns="columns"
Description
This is the main tag for the dashboard. It identifies the dashboard, and specifies how the charts are oriented.
Parameters
name String. The name that you chose for the dashboard.
The name will appear at the top of the dashboard.
columns Integer. The number of charts that will appear in each row.
Subtags
 charts (page 543)
Example
In the following example, the dashboard name "Device Changes" will appear at the top of the dashboard,
and the dashboard will have two charts in each row.
<dashboard name="Device Changes" columns="2"/>
542
charts
Syntax
charts
Description
This tag specifies all the charts that appear in the dashboard.
Parameters
None.
Subtags
 chart (page 543)
chart
chart
Syntax
chart group="group" definition_file="definition_file"
Description
This tag specifies the type of data in the chart, and which device group's data appears in the chart.
Parameters
group String. The name of the device group that is analyzed in the chart.
definition_file String. The name of the chart XML file.
You can specify a custom chart that you created or a built-in chart. For a list of
available built-in charts, see Built-In Charts (page 544).
Subtags
None.
Example
The following example defines a bar chart that shows the number of unused rules for each device in the
group "London".
<chart group="London" definition_file="unused_rules_per_fw.xml"/>
543
Dashboard Example

<DASHBOARD columns="2" name="Summary">

<CHARTS>

<CHART definition_file="total_risks_per_type_per_fw.xml"
group="ALL_FIREWALLS"/>
<CHART definition_file="security_rating_trend.xml"
group="ALL_FIREWALLS"/>
<CHART definition_file="rules_per_fw.xml" group="ALL_FIREWALLS"/>
<CHART definition_file="covered_rules_per_fw.xml" group="ALL_FIREWALLS"/>
</CHARTS>
</DASHBOARD>
Built-In Charts
AFA provides the following built-in charts, used in the built-in dashboards:
Chart Description File Name

A bar chart showing the number of devices whose highest risk is high, highest_risk_level.xml
suspected high, medium, and low.
A bar chart showing the number of high, suspected high, medium, and total_risks_per_type_per_fw.xml
low risks per device, for the top 25 devices. There are four bars per
device.
A bar chart showing the number of unused rules per device, for the top unused_rules_per_fw.xml
25 devices.
A bar chart showing the security rating per device, for the top 25 security_rating_per_fw.xml
devices.
A bar chart showing the number of covered rules per device, for the top covered_rules_per_fw.xml
25 devices.
544
A bar chart showing the number of redundant special case rules per special_case_rules_per_fw.xml
device, for the top 25 devices.
A bar chart showing the total number of rules per device, for the top 25 rules_per_fw.xml
devices.
A bar chart showing the total number of changes on each device for the changes_per_fw.xml
top 20 devices, over the last 30 days.
A trend chart showing the number of devices whose highest risk is highest_risk_trend.xml
high, suspected high, medium, and low, over time.
A trend chart showing the average security rating over all devices, over security_rating_trend.xml
time.
A trend chart showing the total number of changes to all devices, over changes_trend.xml
the last 30 days
A bar chart showing the 20 lowest baseline compliance scores per baseline_score_per_fw.xml
firewall.
A trend chart showing the number of firewalls meeting over 50% of baseline_compliance_score_trend.
baseline requirements. xml
A trend chart showing the average and minimum baseline compliance baseline_ave_min_trend.xml
scores of the ALL_FIREWALLS group.
A bar chart showing the 20 lowest GLBA compliance scores per glba_score_per_fw.xml
firewall.*
A trend chart showing the number of firewalls that have green, yellow glba_compliance_color_trend.xml
or red GLBA compliance colors.*
A trend chart showing the average and minimum GLBA compliance glba_ave_min_trend.xml
scores of the ALL_FIREWALLS group.*
* GLBA is just an example. A different chart exists for each regulatory compliance report (HIPAA, BASEL,
NIST_800-41, NIST_800-53, ISO27001, NERC4, GLBA, TRM, DSD, SOX, PCI).
Customizing the Regulatory Compliance Page

AFA provides the ability to customize the Regulatory Compliance page for each AFA report in the following
ways:
 Removing and adding compliance reports
 Customizing the compliance score value
 Customizing the compliance score severity threshold
545
Removing and Adding Compliance Reports

AFA provides the ability to customize the Regulatory Compliance page by adding or removing compliance
reports. You can disable reports that appear by default, enable reports that do not appear by default, or create
custom reports by modifying reports.
Note: To create a completely custom compliance report for your organization, contact AlgoSec support.
 To remove and/or add compliance reports

2 Create a new directory /home/afa/.fa/compliance_reports/. This is the override directory.
3 Copy /usr/share/fa/data/compliance_reports/compliance_reports.xml to
/home/afa/.fa/compliance_reports/.
4 To create a custom report by modifying an existing report, do the following:
a) Create new templates for the report, by doing the following:
1. Find the report template(s) you want to modify in the override directory.
Report templates follow the following naming convention:
 For individual device reports: compliance_rep_templ_reportname.html
 For group device reports: compliance_rep_templ_group_reportname.html
 For matrix device reports: compliance_rep_templ_matrix_reportname.html
where reportname is the name of the compliance report.
2. Copy the report templates you want to modify, and save the copy (in the override directory). Use
the above naming convention, with a new name for your new report.
3. Modify your template copies as you desire.
4. Save the files.
b) Open /home/afa/.fa/compliance_reports/compliance_reports.xml.
Add a new report tag as a sub-tag to the compliance_reports tag. The following table describes
the report tag attributes:
Attribute Description
id Internal key necessary for report creation.
title Title of the report. This title will appear as a link on the Regulatory
Compliance page of the device report. The link leads to the
compliance report.
template_file HTML template file for a single device. This template will be used
to create a single device compliance report.
template_file_gro HTML template file for a device group. This template will be used
up to create a device group compliance report.
template_matrix HTML template file for a device matrix. This template will be used
to create a device matrix compliance report.
546
Attribute Description
active Indicates whether the report is generated when a device is
analyzed. This attribute can take the following values:
yes. Include the report on the Regulatory Compliance page of the
device report.
no. Exclude the report.
sub_title The sub-title for the report. This appears below the title of the
report.
Example
<report title="Payment Card Industry Data Security Standard (PCI-DSS) version 2"
active="yes" template_file_matrix="compliance_rep_templ_matrix_pci2.html"
template_file_group="compliance_rep_templ_group_pci2.html"
template_file="compliance_rep_templ_pci2.html" sub_title="test sub-title" id="pci2"/>
c) Save the file
5 To enable a report already built in to AFA, do the following:
a) Open /home/afa/.fa/compliance_reports/compliance_reports.xml.
b) Set the active attribute of the report you wish to enable to yes.
c) Save the file.
6 To disable a report, do the following:
a) Open /home/afa/.fa/compliance_reports/compliance_reports.xml.
b) Set the active attribute of the report you wish to remove to no.
c) Save the file.
547
CHAPTER 19
Appendix G: Advanced Risk Item Editing

In This Chapter
Advanced Risk Item Editing Overview................................................................................................548
Risk Item Types ...................................................................................................................................548
Traffic Risk Item Guidelines ................................................................................................................549
Host Group Risk Item Guidelines ........................................................................................................551
Property Risk Item Guidelines .............................................................................................................551
Rule Risk Item Guidelines ...................................................................................................................552
Assessment and Remedy Keywords.....................................................................................................553
This section explains how to perform advanced editing of custom risk items.
For information on custom risk items, see Customizing Risk Profiles (page 293).
Advanced Risk Item Editing Overview

You can customize Risk Profiles by defining custom risk items. Custom risk items allow you to define more
complex risks by composing the XQL query of your choice. For example, you can define risks for the
following types of allowed traffic:
 Group of several services from X to Y
 Insecure external access to device
 Over N machines can manage your device
 TCP on over M ports can enter your network
 "From A to B with service C" rules
All operators used in risk item XQL queries are standard XQL operators: $eq$, $ne$, $lt$, $gt$, $and$,
$or$, $match$ (checks against a regular expression, e.g. '/abc[de]/'), $no_match$, brackets().
Risk Item Types

AFA supports the following types of risk items:
Risk Item Types
Type Description
Traffic Relates to risks regarding traffic allowed through the device.
This type of risk item can be used to detect risky traffic allowed by the device.
In standard risk items, this type is represented by the letters D,J,Z,K,I,S,O,M,E. In
custom risk items, this type is represented by the letter U.
548
Chapter 19 Appendix G: Advanced Risk Item Editing
Host Group Relates to risks regarding host group definitions.

This type of risk item can be used to detect certain host groups defined on the device,
according to specific criteria.
In standard risk items, this type is represented by the letter H. In custom risk items,
this type is represented by the letter U.
Properties Relates to risks regarding device property definitions.
This type of risk item can be used to detect the value of certain device properties.
In standard risk items, this type is represented by the letter P. In custom risk items, this
type is represented by the letter U.
Rules Relates to risks regarding rule definitions.
This type of risk item can be used to detect specific rules in the policy, for example
rules with "Any" as their source and so on.
In standard risk items, this type is represented by the letter R. In custom risk items,
this type is represented by the letter U.
Traffic Risk Item Guidelines

Example (Rule I08)
Queries/QIndex[@name="q_srv_Outside_Inside"]
/QEntry[
@srv $eq$ "http" $and$
eval("256", "Number") $lt$ @n_dst_impact_ips
]
/QRes[
@n_risky_dst_ips $ne$ 0 $and$
@n_risky_src_ips $ne$ 0 $and$
@is_vpn $ne$ "yes"
]
QIndex
This section specifies the traffic source and destination zones, by indicating them in the name of the query
results file.
Parameters
@name The query results file's name in the format:
q_srv_srcZone_dstZone
where srcZone is the source zone, and dstZone is the destination zone, as defined in the
AFA's device topology.
Available zones include Outside, Inside, DMZs, and any user-defined zone type
For example:
 In the preceding example, the file name is q_srv_Outside_Inside.
 For traffic going from Inside to DMZs, the relevant file name would be
549
q_srv_Inside_DMZs.
 For traffic between different Internal zones, the relevant file name would be
q_srv_Inside_Inside.
For access to device itself, use the file name q_fw_access.
QEntry
This section describes the type of traffic between the source and destination zones (specified in QIndex) that
will trigger the risk. In the preceding example, a traffic query issued to the device simulation engine will
trigger this risk if the service is HTTP and the number of affected destination IP addresses is over 256.
Parameters
@srv The service that was queried.
@action The action that occurred:
 PASS. Traffic was passed by the device.
 DROP. Traffic was blocked by the device.
@is_external_src Indicates whether the source zone of the traffic is external or not:
 yes. The source zone is external.
 no. The source zone is not external.
@n_src_impact_ips The total number of source IP addresses detected as relevant for this query.
@n_dst_impact_ips The total number of destination IP addresses detected as relevant for this query.
@n_TCP_dst_ports The total number of destination TCP ports detected as relevant for this query.
@n_UDP_dst_ports The total number of destination UDP ports detected as relevant for this query.
QRes
This section describes the type of traffic query results that will trigger the risk. In the preceding example, the
traffic must be encrypted in order for this risk to be triggered.
Parameters
@is_vpn Indicates whether encrypted traffic should trigger the risk or not:
 yes. Encrypted traffic should trigger the risk.
 no. Encrypted traffic should not trigger the risk.
@pass_rule The name of the rule that is relevant for this traffic in AFA.
550
Host Group Risk Item Guidelines

Example (Risk H02)
Hosts
/Host[
@name $eq$ "Trusted_hosts" $and$
eval("20", "Number") $lt$ @n_Total
]
This query checks whether the pre-defined "Trusted_hosts" object (which represents servers that can
manage this firewall) contains a certain number of IP addresses.
Parameters
@name The host group's name.
Only alphanumeric characters, '_', '.', and '-' can be used. Other characters are
automatically replaced by '_'.
@n_Total The number of IP addresses contained in the host group.
@internal Indicates whether this host group contains internal IP addresses:
 yes. This host group contains internal IP addresses.
 no. This host group does not contain internal IP addresses.
@external Indicates whether this host group contains external IP addresses:
 yes. This host group contains external IP addresses.
 no. This host group does not contain external IP addresses.
@zone_spanning Indicates whether this host group spans multiple zones:
 yes. This host group spans multiple zones.
 no. This host group does not span multiple zones.
Property Risk Item Guidelines

Property risk items are used to detect the value of certain firewall properties. These properties are extracted
by AFA during analysis. For a full list of properties, refer to the properties.xml file in the relevant report
directory.
Note: Properties will differ between firewall vendors. Parameters can be created for Check Point
firewalls from the asm.C file.
Example (risk P05)
Props[http_enforce_buffer_overflow[@value $ne$ "true"]]
551
Rule Risk Item Guidelines

Example (risk R01)
Rules/Rulebase[@interface="%INTERFACE"]/Rule
[
@dst = "*" $and$
@srv = "*" $and$
@orig_rule $ne$ "" $and$
@orig_rule $ne$ "0" $and$
@vpn $ne$ "VPN_PERMIT" $and$
@vpn $ne$ "VPN" $and$
@action = "PASS"
]
This query detects all rules other than VPN rules, where both the destination and the service are "any", and
the action is "PASS".
Parameters
@src The source object of the rule.
@dst The destination object of the rule.
@srv The service object of the rule.
@src_xlt The translated source hostgroup object.
@dst_xlt The translated destination hostgroup object.
@ruleno The expanded rule ID.
@action The rule action:
 PASS. Pass the specified traffic.
 DROP. Drop the specified traffic.
@orig_rule The original rule number (in vendor format).
@vpn Indicates whether the rule is a VPN rule, as well as whether traffic is encrypted:
 A number. The rule is a VPN rule, and the number indicates the relevant VPN rule's
number. Traffic is not encrypted.
 VPN or VPN_PERMIT. The rule is a VPN rule. Traffic is encrypted.
 Empty (""). The rule is not a VPN rule.
Note: AFA performs these queries on its internal "Expanded rules". To see these rules in your device
report, go to Explore Policy -> Expanded Rules.
552
Assessment and Remedy Keywords

The following keywords can be added to risk item assessments and remedies, for richer user-defined risk
descriptions in the report. Keyword use is optional.
For information on adding keywords, see Completing Adding or Editing a Risk Item (page 305).
Traffic Risk Item Keywords
Keyword Description
%AMOUNT The number of rules that contributed to the risk.
%CUSTOMIZATION_NOTE Standard text explaining how to eliminate this risk.
%FWNAME A link to the device's host group.
%HGRP{hostgroup} A link to the specified host group, hostgroup.

Can contain a zone name: Inside, Outside, DMZs, or a user-defined
zone name.
%HREF{url} A link to an HTML file, url.
%N_DST_IMPACT_IPS The number of destination IP addresses in the query output (without VPNs).
%N_DST_IMPACT_IPS_COUNT_VP The number of destination IP addresses in the query output (with VPNs).
N
%N_SRC_IMPACT_IPS The number of source IP addresses in the query output (without VPNs).
%N_SRC_IMPACT_IPS_COUNT_VP The number of source IP addresses in the query output (with VPNs).
N
%N_TCP_DST_PORTS The number of reachable destination TCP ports in the query output.
%N_UDP_DST_PORTS The number of reachable destination UDP ports in the query output.
%PCIDS The Payment Card Industry Data Security Standard risk level.
%QREF{QueryInputFile:service} A "Details" button linking to the query results for the specified traffic,
where:
QueryInputFile is the query input file, and
service is the service, as defined in the AFA's device topology.
For example: %QREF{q_srv_Inside_Outside:http}
%QSRC_LIST{QueryInputFile} A list of source host groups that can access the device, as specified in the
query input file, QueryInputFile.
%SRV{service} A link to the specified service, service.
For example, %SRV{smtp} would be replaced by "smtp" and linked to the
definition of this service, as defined on this device.
%SRV_LIST A list of all the services in the query output.
%SRV_TABLE{QueryInputFile} A "Details" button linking to a table of the services in the query results,
where QueryInputFile is the query input file.
553
Host Group Risk Item Keywords
Keyword Description

zone name.
%HOST_TABLE A list of relevant host groups.
%N_OUTSIDE_IPS The number of outside IP addresses in the query output.
%N_TOTAL The total number of IP addresses in the query output.

Property Risk Item Keywords
Keyword Description

zone name.
%META{MetaDataParam} A link to a parameter, MetaDataParam, that was extracted during AFA

analysis.
%PROPERTY{propertyName}{displa A link to the specified device property, propertyName. The link anchor text
yedName} is specified in the parameter displayedName.
Rule Risk Item Keywords
Keyword Description
554
Keyword Description
zone name.
%HOST_TABLE A list of relevant host groups.
%RULE A link to the first rule in the query output.
%RULE_TABLE A list of all the rules in the query output.

%SRV_LIST A list of all the services in the query output.
555
CHAPTER 20
Appendix H: Basic Sanity Check

In This Chapter
Basic Functionality ...............................................................................................................................556
Testing Basic Functionality ..................................................................................................................556
This appendix details the basic steps AlgoSec recommends to ensure basic functionality of the AlgoSec
Security Management Suite (ASMS) after initial installation, upgrading it to a new version, restoring it to a
previous state or applying other major changes to it.
Basic Functionality
Basic functionality will be defined as follows:
 AlgoSec Hardware \ VM Appliance
 All necessary processes are running.
 AlgoSec Firewall Analyzer (AFA)
 Device definition and analysis completed successfully.
 Device changes are identified properly.
 E-mail alerts are received.
 AlgoSec FireFlow
 Requestor and privileged users submit change requests successfully.
 A single change request moves through the different stages of the customized workflow.
 After change is applied on the device, validation and AutoMatching work properly.
 AlgoSec BusinessFlow
 New applications are added successfully.
 Flows are added to the application and connectivity is updated.
 Decommissioning an application works properly.
If one of the tests detailed in Testing Basic Functionality (page 556) fails, please contact AlgoSec support
for further instructions.
Testing Basic Functionality

Run the tests listed in this section to verify basic functionality.
556
Chapter 20 Appendix H: Basic Sanity Check
ASMS Processes Check

As a first step, make sure the processes on the ASMS appliance\VM are running.
To do that, run the following commands on the ASMS appliance\VM1:
 Httpd - /etc/init.d/httpd status
 Crond - /etc/init.d/crond status
 postgresql - /etc/init.d/postgresql status
 tomcat - /etc/init.d/apache-tomcat status
 UI - service seikan status
 Kibana - service kibana4 status
 Elasticsearch - service elasticsearch status
 Logstash - service logstash status
If AlgoSec is configured to utilize either High Availability or Disaster Recovery, run this command as well:
 HA/DR - service DT status
If all commands result with an "is running..." output, proceed to the following steps.
AlgoSec Firewall Analyzer (AFA)

After verifying all processes are running correctly, test your AFA to verify basic functionality.
To do that, follow these steps:
1 Preparations
a) Define an e-mail server.
b) Define a user with permissions to all devices.
c) For this user, define e-mail notifications to every report and real time alerts for every configuration
and policy changes.
2 Device definition and analysis
a) Define a new device and assign a user with permissions to it.
Note: if you can't define a new device, simply choose a defined device.
b) Run a manual analysis on the defined device.
c) Walk through the different sections of the created report to see they all contain valid results.
d) In the Policy Optimization section, make sure to browse to Rule Usage Statistics --> All Rule Usage.
Check the first text line to see that the report is based on logs collected today.
3 Change Monitoring
a) Add a rule to the device's policy.
b) Wait for the next monitoring cycle (by default – 20 minutes).
c) Check the monitoring tab of the device and see the change was detected.
4 E-mail Alerts
a) Check that the defined user (1b) received an e-mail alert about the analysis completion (2b).
b) Check that the defined user (1b) received an e-mail alert about the change detection (3a).
557
AlgoSec FireFlow
1 User Login
 Log into FireFlow with a requestor and with a privileged user and submit a change request with
each. Make sure the request was submitted successfully.
2 Workflow Functionality
a) Choose one of the tickets and move it through the various stages of your organization's customized
workflow.
b) Make sure the following stages contain valid results:
1. Initial Plan, showing the relevant devices for the change request.
2. Risk Check, showing a list of risks.
3. Work Order, showing a valid suggestion to implement the requested change.
3 Change Request Validation and AutoMatching
a) After reaching the last Work Order stage, implement the change on the device and wait for the next
monitoring cycle (by default – 20 minutes).
b) Go to the Validation stage of the workflow and make sure correct validation results are shown.
c) Run an analysis on the device and wait for 2 hours. Then, go to AutoMatching and see that the ticket
and change are is listed in the correct section.
AlgoSec BusinessFlow
To verify basic functionality of BusinessFlow, follow these steps:
1 New Applications
a) Create a new application and add flows to it.
One of the flows should be currently blocked in the organization firewalls.
Make sure the application is added successfully.
b) Apply the draft and check the connectivity of the application.
Make sure connectivity of each flow and of the application itself are updated correctly.
c) In the "Change Requests" tab, make sure a change request was opened for the new flows.
2 Application Decommission
a) Decommission the application you created.
b) Make sure the application is in status "Decommissioned".
c) Make sure proper change requests were opened to drop the traffic of the application.
Note: If the application contains flows that are in use by other applications, change requests for their
traffic will not be opened.
558
Chapter 20 Appendix H: Basic Sanity Check
559
CHAPTER 21
Appendix I: Integrating AFA with Splunk

In This Chapter
Overview ..............................................................................................................................................560
Licensing ..............................................................................................................................................561
Supported Versions ..............................................................................................................................561
Installing the AlgoSec App ..................................................................................................................561
Retrieving Business Application and Internet Exposure Information ..................................................562
Isolating a Server ..................................................................................................................................562
Customizing the AlgoSec App .............................................................................................................562
Using AlgoSec Capabilities in Other Splunk Apps ..............................................................................564
This section explains how to configure AlgoSec's Splunk add-on.
Overview
Splunk is a leading SIEM solution used to detect and analyze potential security breaches. AlgoSec manages
security policies and augments them with business context.The AlgoSec Splunk App is an add-on to the
Splunk product which allows users that have both Splunk and AlgoSec deployed to utilize AlgoSec
capabilities directly from Splunk. This provides the ability to better analyze security incidents, understand
their impact, and quickly accomplish remediation. The application enhances and automates the security
incident response process in the following ways:
 Highlights the potential impact on business applications and business processes.
 Adds information regarding the infected server's exposure to the internet or access to sensitive internal
networks. This provides the security analyst with key information about the severity and urgency of the
incident.
 Optionally automates actions to contain the incident, such as isolating the infected server from the
network.
560
Chapter 21 Appendix I: Integrating AFA with Splunk
Licensing
The AlgoSec Splunk plug-in for Security Incident Response is distributed under the following license:
Copyright (c) 2016 <AlgoSec Systems Ltd.>
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
documentation files (the "Software"), to deal in the Software without restriction, including without
limitation the rights to use, copy, modify, merge, publish, distribute and/or sublicense, and to permit persons
to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions
of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
Supported Versions
The AlgoSec Splunk App v1.0.1was tested with Splunk v6.4.2 and AlgoSec Security Management Suite
v6.9and v6.10.
Installing the AlgoSec App

 To Install the AlgoSec App
1 Download the App from Splunkbase or from the AlgoSec portal, or install it directly from Splunk
(Browse more Apps then search for "AlgoSec").
2 Configure the AlgoSec App, by doing the following:
a) Under Manage Applications look for the AlgoSec App line and click set up.
b) Provide the AlgoSec server IP Address, username and password.
The AlgoSec Incident Response App is now ready for use.
561
Retrieving Business Application and Internet Exposure

Information
The AlgoSec App provides the ability to retrieve business application information and internet exposure
information for a specific server. The information includes:
 Business Application context from AlgoSec BusinessFlow: names of affected applications, indication as
to whether the application is critical, and more details about the applications, including a link to a
BusinessFlow window with the relevant applications.
 Network Connectivity (exposure to the Internet): AlgoSec Traffic Simulation Query results to indicate
whether the server is open to the Internet.
 To find business application and internet exposure information
1 Go to the Security Incident Response page in the AlgoSec App. This is the home page by default.
2 Complete the Server IP address field.
3 Click Submit.
The boxes below fill with information about the IP address.
Isolating a Server
You can open a FireFlow change request to isolate a risky server. To customize the change request, see
Customizing the Isolate Server Change Request (page 563).
 To isolate a server
1 Go to the Security Incident Response page in the AlgoSec App. This is the home page by default.
2 Complete the IP of Server to Isolate, Change Request Title, and Details fields.
3 Click Submit.
A change request is created in AlgoSec FireFlow, requesting to block all traffic to and from this server.
A link to the change request appears in the page to allow you to track implementation progress.
Customizing the AlgoSec App

The AlgoSec App supports the following customizations.
Customizing the Fields Supporting AlgoSec Workflow Actions

 To customize the fields supporting AlgoSec workflow actions
1 Go to Settings -> Fields and choose Workflow actions.
2 Click one of the AlgoSec actions (ABFAppLookup, algosec_incident_analysis, algosec_isolate_server)
and add the needed field names under Apply only to the following fields.
3 Click Save.
562
4 Repeat for the other actions, as desired.
Configuring the 'Find Affected Business Applications' Workflow Action

In order to use the Find Affected Business Applications action, you must configure the App with the IP
address of your AlgoSec server.
 To configure the 'Find Affected Business Applications' workflow action
1 Go to Settings -> Fields and choose Workflow actions.
2 Choose ABFAppLookup.
3 Update the URL field with your AlgoSec Server IP address.
Customizing the Parameters used to Calculate Internet Exposure

The Security Incident Analysis page includes a box which details Exposure to the Internet. This information
is based on traffic simulation query results performed by AlgoSec Firewall Analyzer.By default, the query
runs with the chosen IP address as the source, '8.8.8.8' (representing the Internet) as the destination, and 'any'
as the service.
If desired, you can customize these parameters. For example, you may want to check connectivity from the
internet to the chosen server, you may wayt to choose a different IP address to represent the Internet, or you
may want to check the connectivity for other areas of the network (critical internal networks, etc.).
 To customize the parameters used to calculate internet exposure
1 Open the AlgoSec App, choose Edit, and then click Edit Source (XML).
2 Scroll down to the last panel and edit the following line to represent the traffic simulation query you
prefer.
<query>| afaquery src="$ip$" dst="8.8.8.8"</query>
3 To add additional queries, do the following:
a) Duplicate the panel by copying all the lines from the <panel> start tag to its end </panel>.
b) Modify the panels to represent the traffic simulation queries you prefer.
4 Click Save.
Customizing the Isolate Server Change Request

By default, the Isolate Server function creates a change request with two traffic lines: one line blocks traffic
from the chosen server to 'any' with 'any' service, and the other blocks traffic from 'any' to the chosen server
with 'any' service. If desired, you can customize these parameters by editing the 'isolate server' script.
 To customize the 'Isolate Server' change request
1 Go to the following path in your Splunk server file system:
\etc\apps\TA-AlgoSec_Incident_Handling\bin
2 Find AFFIsolateServer.py.
3 Edit the script and change the parameters per your needs.
563
Customizing the Conditions for Business Application Criticality

By default, a business application is marked as critical when one of the affected applications has the 'critical'
label. If desired, you can specify different conditions, by editing the relevant script. Similarly, you can also
extract additional information from BusinessFlow (e.g. technical contacts/owners of the affected
applications).
 To customize the conditions for business application criticality
1 Go to the following path in your Splunk server file system:
\etc\apps\TA-AlgoSec_Incident_Handling\bin
2 Find ABFSearch.py.
3 Edit the script as desired.
Using AlgoSec Capabilities in Other Splunk Apps

AlgoSec capabilities can be activated from within other Splunk Apps (built-in or custom) by using the
Workflow Actions. By default, these actions will appear in the Action menus of IP addresses in the following
field names:
 source_ip
 dest_ip
 ip
 src_ip
 dst_ip
 source
 destination
 server_ip
The IP address from the chosen field will be automatically populated in the AlgoSec App pages.To
customize the available fields, see Customizing the Fields Supporting AlgoSec Workflow Actions (page
562).
In addition, the workflow actions also include the pre-defined Find Affected Business Applications (AlgoSec)
action. Clicking on it will open an AlgoSec BusinessFlow window with a list of all the business applications
affected by the chosen IP address. To customize this action, see Configuring the 'Find Affected Business
Applications' Workflow Action (page 563).
Using AlgoSec Capabilities in Your Custom Splunk Apps

You can pick and choose AlgoSec functionality, customize it, and incorporate it in your own custom Splunk
Apps.
 To use AlgoSec capabilities in your custom apps
1 Copy the relevant configuration parameters to your Splunk App (AlgoSec server IP,
username/password, etc.).
2 Copy the scripts and panels to your own Splunk Apps.
You can also use the scripts in the AlgoSec App as a reference.
564
565
Index
Adding Additional Device Identifiers Manually •
A 112, 125, 134, 138, 148, 154, 156, 163, 168,
About AlgoSec Firewall Analyzer • 8 182, 187, 196, 200, 222
Accessing Devices Setup • 57, 61, 71, 76, 108, Adding an Amazon Web Services (AWS) • 60,
113, 116, 120, 125, 132, 135, 144, 151, 156, 203
161, 163, 168, 178, 183, 190, 193, 197, 202, Adding an F5 BIG-IP • 60, 132
203, 205, 209, 214, 216, 219, 223, 224, 234, Adding and Editing Analysis Jobs • 250
235, 236, 237, 238, 239, 240, 241, 242, 243, Adding and Editing Dashboard E-mails • 254
244 Adding and Editing Distribution Slaves • 46, 48
Accessing Scripts • 55 Adding and Editing Domains • 32, 42
Activating Real-Time Monitoring • 70, 112, 116, Adding and Editing Host Groups • 316
119, 125, 127, 134, 138, 148, 154, 160, 162, Adding and Editing Management Roles • 38
167, 174, 182, 187, 192, 196, 200, 203, 205, Adding and Editing Management Users • 32, 35,
208, 212, 217, 256, 379 277
Adding a Blue Coat Device • 60, 205 Adding and Editing Remote Agents • 46, 47, 50
Adding a Check Point CMA • 59, 62, 76 Adding and Editing Roles • 283
Adding a Check Point Provider-1 • 59, 61, 76 Adding and Editing Service Groups • 318
Adding a Check Point SmartCenter/Gateway • Adding and Editing Users • 32, 271, 277, 291,
59, 71 502
Adding a Cisco Application Centric Adding and Editing Zone Types • 314
Infrastructure (ACI) • 125 Adding Blue Coat • 205
Adding a Cisco IOS Router or Layer-3 Switch • Adding Check Point CMA • 76
59, 113 Adding Check Point SmartCenter/Gateway • 71
Adding a Cisco Nexus Router • 59, 116 Adding Cisco IOS Router or Layer-3 Switch •
Adding a Cisco PIX/ASA/FWSM Firewall • 59, 113
120 Adding Cisco Nexus Router • 116
Adding a CSM-Managed Cisco Device • 59, 108 Adding Cisco PIX/ASA/FWSM • 120
Adding a Custom Logo • 327 Adding CSM-Managed Cisco Device • 108
Adding a Forcepoint (McAfee) Security Adding Custom Baseline Configuration
Management Center • 60, 135 Compliance Profiles • 505
Adding a Forcepoint (McAfee) Sidewinder • 60, Adding Devices • 59, 222, 249
144
Adding a Fortinet FortiGate • 59, 151
Adding a Fortinet FortiManager • 59, 156
Adding a Hillstone Networks Device • 161
Adding a Juniper M/E Router • 60, 190
Adding a Juniper Netscreen • 60, 168, 183
Adding a Juniper NSM • 59, 168
Adding a Juniper Space • 59, 163, 167
Adding a Juniper SRX • 60, 134, 178, 182
Adding a Microsoft Azure • 60, 211, 212
Adding a Palo Alto Networks Firewall • 60, 197
Adding a Palo Alto Networks Panorama • 60, 193
Adding a Routing Element • 60, 214
Adding a VMWare NSX Distributed Firewall •
60, 202
Chapter 21 Index
Blue Coat • 205 Adding Support for Device Types • 353

Check Point CMA • 76 Collecting Data from AEF Devices • 370
Check Point Provider-1 • 61 Configuration File Example • 370
Check Point SmartCenter/Gateway • 71 Overview • 353
Cisco Nexus Router • 116 Tag Reference • 354
Cisco PIX/ASA/FWSM • 120 AEF Overview • 353
CSM-Managed Cisco Device • 108 AFA
Fortinet FortiGate • 151 Installation Steps • 19
Fortinet FortiManager • 156 Server Capacity Planning • 18
Juniper Netscreen • 183 AFA ActiveChange • 12
Juniper NSM • 168 AFA Device Types • 54
Juniper Space • 163 AFA Operations and Optimization • 10
Juniper SRX • 178 AFA Provider Edition • 11
McAfee Firewall Enterprise (Sidewinder) • AFA Risk and Compliance Module • 11
144 AFA Server Capacity Planning • 18
Monitoring Devices • 205, 209 AlgoSec BusinessFlow • 558
Palo Alto Networks • 197 AlgoSec FireFlow • 558
Routing Element • 214 AlgoSec Firewall Analyzer (AFA) • 557
Adding Disaster Recovery Sets • 241, 243 AlgoSec Firewall Analyzer Components • 9
Adding Documentation Fields • 529 Alternative Methods for Obtaining the Routing
Adding Fortinet FortiGate • 151 Table for Manual Data Collection • 107
Adding Fortinet FortiManager • 156 Appendix A
Adding Groups • 234 Using the AlgoSec Extension Framework •
Adding Juniper Netscreen • 183 14, 57, 353
Adding Juniper NSM • 168 Appendix B
Adding Juniper Space • 163 Importing Users and Devices from a CSV File
Adding Juniper SRX • 178 • 60, 277, 293, 374
Adding LDAP Servers to a Forest • 271 Appendix C
Adding Matrices • 238 Creating a JSON File for Generic Device
Adding McAfee Firewall Enterprise (Sidewinder) Support • 217, 219, 382
• 144 Appendix D
Adding Monitoring Devices • 60, 132, 209 Overriding AFA System Defaults • 498
Adding New Custom Baseline Configuration Appendix E
Compliance Profiles • 505 Using Baseline Configuration Compliance
Adding Palo Alto Networks • 197 Profiles • 70, 111, 115, 118, 124, 133, 147,
Adding Risk Profiles • 295, 299 153, 162, 181, 186, 192, 199, 207, 211, 504
Adding Routing Element • 214 Appendix F
Adding Support for Generic Devices to AFA • 60, Customizations • 523
217 Appendix G
Adding Support for New Device Types • 353 Advanced Risk Item Editing • 306, 548
Administration Options Settings • 32, 68, 181, Appendix H
186, 192, 324 Basic Sanity Check • 556
Advanced Configuration • 346 Appendix I
Advanced Risk Item Editing Integrating AFA with Splunk • 560
Overview • 548 ASMS Processes Check • 557
Advanced Risk Item Editing Overview • 548 Assessment and Remedy Keywords • 306, 307,
AEF 553
Authentication • 340
Check Point Provider-1 Manual Data Collection •

B 59, 104, 105
Backing Up the AlgoSec Suite • 342 Check Point SmartCenter Manual Data Colection
Backup and Restore • 341 on MS Windows • 105
Baseline Configuration Compliance Profile Check Point SmartCenter Manual Data
Structure • 505, 512 Collection on Microsoft Windows • 59, 106
BaselineFooter • 516 Check Point SmartCenter Manual Data
BaselineHeader • 516 Collection on Solaris/Nokia/Secure
BaselineProfile • 513 Platform/Linux • 54, 59, 105
BaselineRequirement • 513, 514 Cisco
Basic Functionality • 556 Adding Cisco IOS Router or Layer-3 Switch •
Basic Risk, Risk with Destination Threshold, and 113
Risk with Source Threshold • 300 Adding Cisco Nexus Router • 116
Blue Coat Adding Cisco PIX/ASA/FWSM • 120
Adding Blue Coat • 205 Adding CSM Managed Device • 108
SGOS Manual Data Collection • 208 Cisco Routers Semi-Automatic Data
Blue Coat SGOS Manual Data Collection • 60, Collection • 129
208 Nexus Router Manual Data Collection • 130
Built-In Charts • 543, 544 PIX/ASA/FWSM Manual Data Collection •
128
C Cisco Nexus Router Manual Data Collection •
Capacity Planning for Your AFA Server • 16, 18, 130
332 Cisco PIX/ASA/FWSM Manual Data Collection
Changing Your User Settings • 289 • 59, 128
chart • 543 Cisco Routers Semi-Automatic Data Collection •
Chart Example • 530, 540 59, 129
Chart Tag Reference • 530 CMD • 358, 363, 364
charts • 542, 543 CMD_VIRT • 358, 363, 365
Check Point Collecting Data from AEF Devices • 370
Adding CheckPoint SmartCenter/Gateway • Collecting Data Semi-Automatically • 55
71 Command • 513, 514, 521
Adding CMA • 76 COMMANDS_SEQUENCE • 357, 363
Adding Provider-1 • 61 CommandsDef • 513, 514
Creating OPSEC Certificate for Completing Adding or Editing a Risk Item • 298,
SmartCenter/CMA • 84 301, 305, 553
Smart Center Manual Data Collection • 105 Compliance • 309
SmartCenter Manual Data Collection • 105 Compliance Options • 323
Specifying Certificate for OPSEC Access • 82 Comprehensive Example • 276
Check Point FireWall-1 Semi-Automatic Data config_type • 385
Collection • 59, 97 Configuration File Example • 353, 370
Check Point FireWall-1 with a Separate Configuring a Custom Chart • 530
SmartCenter Server and Filter Module • 97 Configuring a Custom Dashboard • 541
Check Point FireWall-1 with an Integrated Configuring a Read-Only NSM User for Data
Management and Filter Module • 101 Collection • 59, 168, 174
Check Point FireWall-1 with Integrated Configuring a Syslog-ng Server • 110, 112, 122,
SmartCenter Server and Filter Module • 104 134, 138, 146, 147, 152, 153, 158, 160, 165,
Check Point FireWall-1 with Separate 167, 170, 180, 182, 185, 196, 198, 199
SmartCenter Server and Filter Module • 103 Configuring an LDAP Forest • 259, 263, 271
Check Point Provider-1 • 99 Configuring IPT Rule Replacement
Recommendations • 500
Chapter 21 Index
Configuring Juniper STRM to Forward Logs to a Customizing the Compliance Score Value • 311
Syslog-ng Server • 164, 169, 177, 179, 184 Customizing the Conditions for Business
Configuring Juniper STRM to Forward Logs to Application Criticality • 564
Syslog-ng Server • 177 Customizing the Fields Supporting AlgoSec
Configuring Mail Server Settings • 290, 291, 331 Workflow Actions • 562, 564
Configuring Read-Only NSM User for Data Customizing the Isolate Server Change Request •
Collection • 174 562, 563
Configuring Report Cleanup • 333, 344 Customizing the Landing Page • 37, 41, 281, 288,
Configuring Single Sign On (SSO) • 259 523
Configuring Syslog-ng Server • 112 Customizing the Parameters used to Calculate
Configuring the 'Find Affected Business Internet Exposure • 563
Applications' Workflow Action • 563, 564 Customizing the Regulatory Compliance Page •
Configuring the Forcepoint (McAfee) Security 545
Management Center • 60, 138 Customizing Zone Types • 314
Configuring User Authentication • 35, 36, 259,
281, 340, 374, 376
D
Configuring User Authentication via an Dashboard Example • 542, 544
Authentication Server • 259, 263, 270 Dashboard Tag Reference • 542
CONNECTION_CMD • 354, 356 data collection
Creating a Check Point OPSEC Certificate for Setup wizard • 55
Check Point Devices (Versions R77 and Data Collection Methods • 54
Lower) • 82, 84 data collecton scripts • 55
Creating a Check Point OPSEC Certificate for DATA_COLLECTION • 354, 356, 357, 366
Check Point Devices (Versions R80 and days_back • 531, 540
Higher) • 82, 90 Defining a Limited-Privilege Cisco User for Data
Creating a Custom Report Page • 527 Collection • 120, 127
Creating Check Point OPSEC Certificate for Defining Limited-Privilege Cisco User for Data
SmartCenter/CMA • 84 Collection • 127
Creating Custom Baseline Configuration Defining the First Administrator User • 20
Compliance Profiles • 504, 505, 510 Deleting Analysis Jobs • 253
Creating Custom Dashboards • 529 Deleting Custom Baseline Configuration
Creating New Risk Profiles from Existing Risk Compliance Profiles • 510
Profiles • 295 Deleting Devices • 224
Creating New Risk Profiles from Scratch • 295 Deleting Distribution Slaves or Remote Agents •
Creating New Risk Profiles from Spreadsheets 51
that Specify Safe Traffic • 296 Deleting Domains • 45
Creating the Spreadsheet • 296 Deleting DR Sets • 244
Criterion • 514, 515 Deleting Groups • 237
Custom Report Configuration File Parameters • Deleting Host Groups • 317
527, 528 Deleting Management Users • 44
Customizing Device Policy Documentation Deleting Management Users and Roles • 44, 283
Fields • 528 Deleting Matrices • 241
Customizing Host Groups • 316 Deleting Risk Items • 308
Customizing Risk Items • 295, 299, 300 Deleting Risk Profiles • 299
Customizing Risk Profiles • 293, 299, 548 Deleting Roles • 288
Customizing Security Rating Settings • 320 Deleting Scheduled Dashboard E-mails • 256
Customizing Services • 302, 305, 318 Deleting Service Groups • 319
Customizing the AlgoSec App • 562 Deleting Users • 283
Customizing the Compliance Score Severity Deleting Zone Types • 316
Thresholds • 312 device • 386
DEVICE • 354 Enabling/Disabling Custom Report Pages • 347,

Device Icons • 56 527
Device User Permission Requirements • 133, Enabling/Disabling Documentation Fields • 529
167, 202, 227 Enabling/Disabling Group Traffic Simulation
Devices Query Results by Policy • 498
Adding Devices • 59 Enabling/Disabling IPT Rule Replacement
Deleting Devices • 224 Recommendations • 500, 501
Device Icons • 56 Example
Devices Overview • 53 Customizing a Baseline Configuration
Renaming Devices • 223 Compliance Profile • 507, 508, 509, 518
Setting User Permissions • 223 EXCLUDE • 354, 367
Devices Overview • 53 Extract Custom Report Script Flags • 527, 528
DIFF • 354, 367 Extracting Scripts • 56, 97, 98, 99, 101
direction • 531, 537
Disabling Distributed Processing • 51
F
Disabling Risk Items • 308 FEATURE • 369
Disabling Sorting and Filtering for Tables • 502 FEATURES • 354, 369
Disaster Recovery (DR) Sets Overview • 241 Forcepoint (McAfee) Sidewinder Manual Data
Display • 326 Collection • 60, 148
Distributed Architecture Overview • 45 Forcing Local Authentication • 260, 262
downloading scripts for data collection • 55 FORM_FIELD • 354, 355
Duplicating Baseline Configuration Compliance Fortinet
Profiles • 505, 507 Adding Fortinet FortiGate • 151
Adding Fortinet FortiManager • 156
E
Fortinet Fortigate Manual Data Collection •
Editing Baseline Configuration Compliance 154
Profiles • 505, 509 Fortinet Fortigate Manual Data Collection • 154
Editing Baseline Configuration Compliance Fortinet FortiGate Manual Data Collection • 59,
Profiles in XML Format • 505, 510 154
Editing Data Collection Definitions • 51, 223,
249 G
Editing DR Sets • 242 General • 35
Editing Groups • 235 General/Admin Options • 37, 68, 186, 192, 282,
Editing IP Ranges in Clouds • 245 299, 325, 333
Editing Matrices • 239 Generic Device JSON File Examples • 390
Editing Risk Profiles • 299 Globally Hiding/Displaying Change Details • 35,
Enabling ActiveChange • 248, 249 38, 181, 282, 502
Enabling AFA to Process Check Point Group setup • 55
Application Control Traffic Logs • 69, 80 Groups Overview • 234
Enabling Data Collection for Check Point
Devices • 80, 228 H
Enabling Distributed Processing • 31, 46, 47, 68, Handling Special Characters • 384
111, 115, 118, 138, 147, 153, 160, 162, 173, Hardening the Linux Operating System • 352
181, 186, 192, 196, 199, 203, 205, 207, 211, Hardware Requirements • 16
212, 215, 234, 238 Host Group Risk Item Guidelines • 551
Enabling Domains • 31, 32, 33, 258, 324, 377 hosts • 386
Enabling REST Calls to the Security hosts_groups • 386
Management Server • 80, 96, 228
Enabling Support for a Generic Device • 219 I
Import Users and Devices from CSV File
Chapter 21 Index
Import and Update Devices • 377 Adding Juniper Netscreen • 183

Import Users • 374 Adding Juniper NSM • 168
Prepare Devices CSV File • 377 Adding Juniper Space • 163
Prepare Users CSV File • 374 Adding Juniper SRX • 178
Run Import Devices Script • 380 Configuring Juniper STRM to forward logs to
Run Import Users Script • 377 Syslog-ng Server • 177
Import Users from a CSV File • 374 Juniper Netscreen Manual Data Collection •
Importing and Updating Devices from a CSV File 189
• 223, 377 Juniper Netscreen Semi-Automatic Data
Importing User Data from an LDAP Server • 263, Collection • 188
267, 270, 283 Juniper SRX Manual Data Collection • 182
Importing Users from a CSV File • 374 Juniper M/E Router Manual Data Collection • 60,
Installation • 16, 46, 47 192
Installation Instructions • 19 Juniper M/E Router Property Fields • 191, 192
Installing a License • 23, 26, 32 Juniper Netscreen Manual Data Collection • 60,
Installing AFA Software • 19 189
Installing an • 25 Juniper Netscreen Semi-Automatic Data
Installing License • 23 Collection • 60, 188
Installing Online or inactivated License • 25 Juniper SRX Manual Data Collection • 60, 182
Installing the AlgoSec App • 561
Installing the AlgoSec Firewall Analyzer
L
Pre-Installer • 19 Language • 326
Installing the AlgoSec Firewall Analyzer Layer 2 Device Support • 384
Software • 19, 27, 28 Licensing • 561
interfaces • 386 limit • 531, 536
Introduction • 8 Log Analysis • 28, 329
IPv6 Support • 14 Logging in to the Management Interface • 32, 34
Isolating a Server • 562 Logging In when an LDAP Forest Is Configured •
Item • 515 277
LOGIN_PROMPT • 357, 362
J
JSON File Example for a Policy-Based Device •
M
391 Mail • 331
JSON File Example for a Zone-Based Device • Managing AFA Storage • 332
406 Managing AlgoSec Firewall Analyzer Users • 31
JSON File Example for an Interface-Based Managing Device Groups and Matrices • 234
Device • 399 Managing Devices in AFA • 15, 53, 54
Juniper Managing The Graphic Network Map • 245
Manual Data Collection
Alternative Methods for Obtaining Routing Preparations for Data Collection • 55

Table • 107 Preparing the Devices CSV File • 374, 377, 380
Blue Coat SGOS • 208 Preparing the Users CSV File • 374
Check Point Provider-1 • 105 Prerequisites • 16
Check Point SmartCenter on MS windows • Problem
105 JSON File Contains a Problematic Line • 496
Cisco Nexus Router • 130 User-defined Generic Device Analysis Failed
Cisco PIX/ASA/FWSM • 128 • 495
Fortinet Fortigate • 154 Property Risk Item Guidelines • 551
Juniper Netscreen • 188, 189 Proxy • 205, 212, 330
Juniper SRX • 182
McAfee Firewall Enterprise (Sidewinder) •
Q
148 Quick Start – Configuring AFA • 15
Palo Alto Networks • 200
Matrices Overview • 234, 237 R
McAfee Removing and Adding Compliance Reports • 546
Adding McAfee Firewall Enterprise Removing Device Interfaces • 245, 247
(Sidewinder) • 144 Removing Devices • 245, 246
McAfee Firewall Enterprise Renaming Devices • 223
(Sidewinder)Manual Data Collection • 148 Renaming DR Sets • 243
McAfee Firewall Enterprise (Sidewinder) Renaming Groups • 236
Manual Data Collection • 148 Renaming Matrices • 240
Migrating Traffic Log Files to Database • 28 Replacing Scripts before Upgrading Software in a
Migrating Traffic Log Files to the Database • 20, Cluster for the First Time • 27
27, 28 Replacing Scripts before Upgrading Software in
Cluster for First Time • 27
N
Restoring the AlgoSec Suite • 341, 344
NAT Support • 382 Retrieving Business Application and Internet
nat_rules • 389 Exposure Information • 562
Network Connectivity from the AFA Server • 351 Retrieving the Spreadsheet • 299
Network Connectivity to the AFA Server • 351 Risk and Compliance • 293
Risk Item Types • 548
O Risk Items
Obtaining a License • 22 Assessment and Remedy Keywords • 553
Obtaining License • 22 Host Group Risk Item Guidelines • 551
order_dir • 531, 536, 538 Property Risk Item Guidelines • 551
Overview • 35, 53, 248, 504, 560 Traffic Risk Item Guidelines • 549
Overview of the AlgoSec Extension Framework • Types of Risk Items • 548
353 Risk with Specific IP Addresses and PCI Risks •
300, 303
P Roles Overview • 283
Palo Alto Networks routes • 390
Adding Palo Alto Networks • 197 ROUTING • 354, 368
Manual Data Collection • 200 Rule Risk Item Guidelines • 552
Palo Alto Networks Firewall Manual Data rules_groups • 388
Collection • 60, 200 Running the Import Devices Script • 377, 378,
Palo Alto Networks Manual Data Collection • 380
200 Running the Import Users Script • 374, 377
policies • 387
POST_LOGIN_PROMPT • 357, 363
Chapter 21 Index
S U
Sample Baseline Configuration Compliance Updating a License • 26
Profile • 518 Updating License • 26
schedules • 390 Updating the Passwords for Multiple Devices •
Scheduling AFA Analyses • 15, 250 224
Scheduling Analyses and Monitoring • 250 Upgrading AFA • 27
Scheduling Dashboard E-mails • 254 Upgrading AFA Cluster • 27
scripts for data collection • 55 Upgrading AFA in a Distributed System • 27, 28
Securing the AFA Server • 350 Upgrading AFA on a Cluster • 27
Selecting a Deployment Type • 31 Upgrading AlgoSec Firewall Analyzer in
Semi-Automatic Data Collection Distributed System • 28
Cisco Routers • 129 Uploading the Spreadsheet • 296, 298
Juniper Netscreen • 188 Users and Roles • 31, 32, 258, 289
services • 387 Users Overview • 258
services_groups • 387 Using ActiveChange • 248
Setting Preferences • 32 Using AlgoSec Capabilities in Other Splunk
Setting Risk and Compliance Options • 308 Apps • 564
Setting the Chart Threshold Value Configuration Using AlgoSec Capabilities in Your Custom
Item • 348, 535 Splunk Apps • 564
Setting the Default Dashboard • 349 Using Domains • 32
Setting Up a Geographic Distribution Using Real-Time Monitoring • 377
Architecture • 46 Using Saved Profiles • 97, 98, 99, 100, 101, 102,
Setting Up a Load Distribution Architecture • 46 188
Setting Up Analysis from a File • 60, 216
Setting Up E-mail Notification • 15, 291, 333 V
Setting User Permissions • 60, 223 variable_name • 531, 532
Software Requirements • 17 Viewing Baseline Configuration Compliance
Specifying a Certificate for OPSEC Access to the Profiles • 504, 505, 507, 509, 510, 518
Check Point Device • 69, 80, 82 Viewing License Information • 25
statistics_type • 531, 534 Viewing Risk Profiles • 293, 295, 296, 298, 299,
Storage • 332 300, 308
Sun/Nokia/SecurePlatform/Alteon/Linux
Platforms • 97, 103 W
Supported Device Types • 218 Windows Platform • 103
Supported Products • 12, 53, 353 Workflow • 335
Supported Versions • 561 Working with ActiveChange • 248
System Requirements • 15 Working with Domains • 31, 377
T Y
Tag List • 382, 384 ymax • 531, 539
Tag Reference • 353, 354, 512, 521
Tag References • 382, 385 Z
Testing Basic Functionality • 556 zones • 389
title • 531
Traffic Risk Item Guidelines • 549
Troubleshooting • 495
Troubleshooting Files and Folders • 495
type • 531, 535

Guia Configuración Algosec en R80 Checkpoint - v6-11

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Guia Configuración Algosec en R80 Checkpoint - v6-11

Uploaded by

Copyright:

Available Formats

AlgoSec Firewall Analyzer

Printed on 25 March, 2017

Selecting a Deployment Type .................................................................................................................... 31

Managing Devices in AFA .......................................................................................................................... 53

Blue Coat SGOS Manual Data Collection ....................................................................................................................... 208

Managing Device Groups and Matrices .................................................................................................. 234

Managing The Graphic Network Map ...................................................................................................... 245

Working with ActiveChange ..................................................................................................................... 248

Scheduling Analyses and Monitoring ..................................................................................................... 250

Users and Roles ........................................................................................................................................ 258

Configuring Mail Server Settings............................................................................................................. 290

Risk and Compliance ................................................................................................................................ 293

Administration Options Settings ............................................................................................................. 324

Authentication ......................................................................................................................................................................... 340

Securing the AFA Server .......................................................................................................................... 350

Appendix A: Using the AlgoSec Extension Framework ........................................................................ 353

JSON File Example for an Interface-Based Device......................................................................................................... 399

Appendix D: Overriding AFA System Defaults ....................................................................................... 498

Appendix E: Using Baseline Configuration Compliance Profiles ......................................................... 504

Appendix F: Customizations .................................................................................................................... 523

Appendix G: Advanced Risk Item Editing ............................................................................................... 548

Assessment and Remedy Keywords ...................................................................................................................................... 553

Appendix H: Basic Sanity Check ............................................................................................................. 556

Appendix I: Integrating AFA with Splunk ................................................................................................ 560

About AlgoSec Firewall Analyzer

AlgoSec Firewall Analyzer Components

AFA Operations and Optimization

AFA Risk and Compliance Module

AFA Provider Edition

Product Versions Support Provided

Product Versions Support Provided

Amazon Web Services (AWS) All Full

Product Versions Support Provided

IPv6 Supported Products

Quick Start – Configuring AFA

A server with the following specification is recommended:

Capacity Planning for Your AFA Server

 Example 2 - Analyze upon install of 50 devices, stored three months back

Installing the AlgoSec Firewall Analyzer Pre-Installer

Installing the AlgoSec Firewall Analyzer Software

c) In the top menu, click the Downloads tab.

Defining the First Administrator User

 To define the first administrator user

4 Complete the fields using the information in the table below.

The Welcome window appears.

Note: To access online training go to: https://portal.algosec.com/en/training/online_courses

Admin User Fields

In this field... Do this...

 Install a license via the License Information window.

1. In the toolbar, click your username.

3. Click Install License.

3 Click Select a File and browse to the license file.

The license is installed.

Installing an "Online" or "inactivated" License

Viewing License Information

The License Information window appears.

Upgrading AFA on a Cluster

Upgrading AFA in a Distributed System

Migrating Traffic Log Files to the Database

 Otherwise, type "n" and press Enter.

Selecting a Deployment Type

Working with Domains

3 Click the Domains tab.