Rule Base Overview
In Security Director, you can configure one type or both types (zone-based or global) of rule bases for each policy. All zone-based rules are grouped under Zone and all devices rules are grouped under Global.
If devices are assigned to a policy that does not have one of the rule bases under its management, Security Director still interprets that rule base as being in its scope. For example, if you configure firewall policies out of band on a device in an unmanaged rule base, Security Director deletes those policies. If you do not select the previously configured rule base in the Security Director modify workflow for the policy, Security Director automatically deletes all rules in the policy in the next publish and update.
Example: Removing a Previously Managed Rule Base
You can remove a managed device from Security Director. To remove a previously managed rule base when no other policies are published on the device except the existing policy, follow these guidelines:
Do not select the Manage Global Policy option to modify a device policy in Security Director.
Security Director deletes the global rule base in the design data of the Security Director application.
Publish a policy and update the device. The update deletes all global rules from the device.
On successful update, the all-devices policy for the device is removed from Security Director management.
Security Director will continue to delete any all-devices policy configured on the device through the CLI at subsequent publish updates.
Policy Analysis
Over a period of time, firewall rule bases can become inefficient as rules become disorganized, causing some rules to become ineffective. This primarily occurs because of a lack of timely notification given to end users when new rules, or changed rules, are added, which can adversely affect the other rules in the rule base.
This problem can be addressed by analyzing the policy and reporting the anomalies in the rules of a policy to the end user. Policy analysis reports on shadowing and redundant anomalies in a rule; these reports are available in PDF format. Also, policy analysis finds the anomaly between the address and the service of the rules.
Policy analysis helps you to analyze the firewall rule base for policies managed by Security Director, and it identifies the firewall rules that contain the following issues:
Shadowing—Occurs when a rule higher in the order of the rule base matches with all the packets of a rule lower in the order of the rule base. The shadowed rule is never activated. The possible solution is to reorder the rules, or disable or delete one of the rules. The anomaly calculation is not made for disabled rules.
Redundant—Occurs when there are two or more rules that perform the same action on the same packets along with the same settings or configurations. The solution is to disable or delete the redundant rules.
The policy analysis report is generated in PDF format and can be sent through e-mail to multiple recipients. The reports contain a summary and a pie chart showing all anomalies. You can schedule the report generation.
The following list shows the policy analysis behavior for different types of firewall policies:
All devices policy—Analyzes all the rules present in the firewall policy landing page, within the all-devices policy.
Group policy—Analyzes all the rules present in the firewall policy landing page, within the group policy including the all-devices policy rules.
Device policy—Analyzes all the rules present in the firewall policy landing page, within the device policy including the all-devices policy rules. If you want to analyze all the rules present on a device, you must generate the report by clicking the device policy.
Device exception policy—Analyzes all the rules present in the firewall policy landing page, within the device exception policy including all-device.
Policy analysis is not performed in the following scenarios:
Disabled rules are not considered for the policy analysis calculation.
Apart from the Address (source and destination) and Service columns, no other columns in the firewall landing page are considered for the policy analysis calculation.
Variable address, wild card address, and exclude address are not considered for the policy analysis calculation.