Strata Cloud Manager
Policy Analyzer
Learn about the Policy Analyzer feature.
Updates to your Security policy are often time-sensitive and require you to act
quickly. However, you want to ensure that any update you make to your Security policy
meets your requirements and does not introduce errors or misconfigurations (such as
changes that result in duplicate or conflicting rules).
The Policy Analyzer feature in
Strata Cloud Manager enables you to optimize time and resources when
implementing a change request. Policy Analyzer not only analyzes and provides
suggestions for possible consolidation or removal of specific rules to meet your intent
but also checks for anomalies, such as Shadows, Redundancies, Generalizations,
Correlations, and Consolidations in your rulebase.
Use Policy Analyzer to add or optimize your Security policy:
- Before adding a new Security policy—Check to see if new rules need to be added. Policy Analyzer recommends how best to change your existing Security policy to meet your requirements without adding another rule, if possible.
- Streamline and optimize your existing Security policy rules—See where you can update your rules to minimize bloat and eliminate conflicts and also to ensure that traffic enforcement aligns with the intent of your Security policy.
Analyze your Security policy rules both before and after you
commit your changes.
- Pre-Change Policy Analysis—Enables you to evaluate the impact of a new rule and analyze the intent of the new rules against the rules that already exist to recommend how to best meet the intent.
- Post-Change Policy Analysis—Enables you to clean the existing rulebase by identifying Shadows, Redundancies, and other anomalies that have accumulated over time.
Policy Analyzer supports both NGFW and Prisma Access deployments, managed by Panorama
or Strata Cloud Manager.
Policy Analyzer for Panorama managed deployments requires the following:
- CloudConnector Plugin 1.1.0 or later on your Panorama appliance. Enable this plugin using the following command:
  > request plugins cloudconnector enable basic
  We recommend that you install the latest version of the CloudConnector plugin.
- Panorama needs to be updated to PAN-OS version 10.2.3 or a later version.
Types of Anomalies That Policy Analyzer Detects
Policy Analyzer detects the following types of anomalies across your
Security policy:
- Shadows—Rules that are not hit because a rule higher in the rulebase covers the same traffic. Security policy rules are evaluated in the rulebase from the top down, so shadows are created when a rule higher in the rulebase matches the same traffic that a rule lower in order matches and the rules are configured with a different action. If you remove the rule lower in order, the Security policy does not change.
- Redundancies—Two or more rules that match the same traffic and are configured with the same action.
- Generalizations—When a rule lower in the rulebase matches the traffic of a rule higher in the rulebase, but not the other way around, and the rules take a different action. If the order of the two policy rules is reversed, the Security policy is impacted.
- Correlations—Rules that correlate with another rule when one rule matches some packets of the other rule but results in a different action. If the order of the two rules is reversed, the Security policy is impacted.
- Consolidations—Rules that you can consolidate into a single rule because the action is the same and only one attribute is different. You can merge the rules into a single rule by modifying the attributes of one of the rules and deleting the others.
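The five definitions above can be checked pairwise on a toy rulebase. The following is an added example, not Palo Alto Networks code and not how Policy Analyzer is implemented. It assumes each rule has only three set-valued match attributes (`src`, `dst`, `app`), treats "same traffic" for a redundancy as the lower rule's traffic being contained in the higher rule's, and uses hypothetical rule, zone and application names.

```python
from collections import namedtuple
from itertools import combinations

FIELDS = ("src", "dst", "app")
Rule = namedtuple("Rule", "name src dst app action")  # match fields hold frozensets

def covers(a, b):
    """True when every packet that b matches is also matched by a."""
    return all(getattr(b, f) <= getattr(a, f) for f in FIELDS)

def overlaps(a, b):
    """True when at least one packet matches both rules."""
    return all(getattr(a, f) & getattr(b, f) for f in FIELDS)

def classify(hi, lo):
    """Name the anomaly for a pair in which hi sits above lo, or None."""
    if hi.action == lo.action:
        if covers(hi, lo):                 # lo never adds anything
            return "redundancy"
        differing = sum(getattr(hi, f) != getattr(lo, f) for f in FIELDS)
        return "consolidation" if differing == 1 else None
    if covers(hi, lo):                     # lo is never hit
        return "shadow"
    if covers(lo, hi):                     # lo is broader; order matters
        return "generalization"
    return "correlation" if overlaps(hi, lo) else None

def analyze(rulebase):
    """Classify every pair; combinations() yields (higher, lower) in rulebase order."""
    found = [(classify(hi, lo), hi.name, lo.name) for hi, lo in combinations(rulebase, 2)]
    return [f for f in found if f[0]]

def R(name, src, dst, app, action):  # helper for the constructed sample below
    return Rule(name, frozenset(src.split()), frozenset(dst.split()), frozenset(app.split()), action)

# Constructed sample rulebase in top-down order (all names are illustrative).
RULEBASE = [
    R("allow-web", "users", "dmz", "web-browsing ssl", "allow"),
    R("deny-ssl", "users", "dmz", "ssl", "deny"),
    R("allow-dns", "guests", "internet", "dns", "allow"),
    R("allow-dns-copy", "guests", "internet", "dns", "allow"),
    R("deny-telnet", "servers", "db", "telnet", "deny"),
    R("allow-admin", "servers", "db", "telnet ssh mysql", "allow"),
    R("allow-ssh", "lab iot", "mgmt", "ssh", "allow"),
    R("deny-iot", "iot", "mgmt", "ssh snmp", "deny"),
    R("allow-smb-a", "branch-a", "hq", "smb", "allow"),
    R("allow-smb-b", "branch-b", "hq", "smb", "allow"),
]
```

Calling `analyze(RULEBASE)` returns one finding per anomaly type. Swapping `deny-telnet` and `allow-admin` turns the generalization into a shadow, which is why reordering those rules changes enforcement.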