Policy Analyzer
Provides an overview of Policy Analyzer.
Where Can I Use This? | What Do I Need? |
Updates to your Security policy rules are often time-sensitive and require you to
act quickly. However, you want to ensure that any update you make to your Security
policy rulebase meets your requirements and does not introduce errors or
misconfigurations (such as changes that result in duplicate or conflicting rules).
Policy Analyzer in
Strata Cloud Manager enables you to optimize time and resources when
implementing a change request. Policy Analyzer not only analyzes and provides
suggestions for possible consolidation or removal of specific rules to meet your intent
but also checks for anomalies, such as Shadows, Redundancies, Generalizations,
Correlations, and Consolidations in your rulebase.
Use Policy Analyzer to add or optimize your Security policy rulebase.
Before adding a new rule—Check to see if new rules need to be added. Policy Analyzer
recommends how best to change your existing Security policy rules to meet your
requirements without adding another rule, if possible.
Streamline and optimize your existing rulebase—See where you can update your rules to
minimize bloat and eliminate conflicts and also to ensure that traffic
enforcement aligns with the intent of your Security policy rulebase.
Analyze your Security policy rules both before and after you
commit your changes.
Pre-Change Policy Analysis—Enables you to evaluate the impact of a new rule and analyze
the intent of the new rules against the rules that already exist to recommend
how to best meet the intent.
Post-Change Policy Analysis—Enables you to clean the existing rulebase by identifying
Shadows, Redundancies, and other anomalies that have accumulated over time.
Policy Analyzer requires the
CloudConnector Plugin 1.1.0 or
later on your Panorama appliance. You need to enable this plugin using the
command:
> request plugins cloudconnector enable basic
Policy Analyzer requires Panorama to be updated to PAN-OS version 10.2.3 or a later version.
Types of Anomalies That Policy Analyzer Detects
Policy Analyzer detects the following types of anomalies across your
Security policy rulebase:
Shadows—Rules that are not hit because a rule higher in the rulebase covers
the same traffic.
Security policy rules are evaluated in the rulebase from the top down so
shadows are created when a rule higher in the rulebase matches the same
traffic that a rule lower in order matches and the rules are configured with
a different action. If you remove the rule lower in order, the Security
policy does not change.
Redundancies—Two or more rules that match the same traffic and are configured
with the same action.
Generalizations—When a rule lower in the rulebase matches the traffic of a
rule higher in the rulebase, but not the other way around, and the rules
take a different action. If the order of the two policy rules is reversed,
the Security policy is impacted.
Correlations—Rules that correlate with another rule when one rule matches
some packets of the other rule but results in a different action. If the
order of the two rules is reversed, the Security policy is impacted.
Consolidations—Rules that you can consolidate into a single rule because the
action is the same and only one attribute is different. You can merge the
rules into a single rule by modifying the attributes of one of the rules and
deleting the others.