The Policy Manager executes predefined Policies and Requirements that either trigger risk messages or format designated table reports, based on string-matching (regex) logic. Default Policies and individual Requirements can be enabled or disabled with the toggle button. Policies and Requirements are global: a change made in one workspace applies to all workspaces. For example, if a Policy, Requirement, or Device is deactivated in one workspace, that update applies to every workspace. Risk Policies run when new data is imported into NP-View; Table Highlight Policies run when a modal report is opened.
Key Concepts
Using the Policy Manager requires understanding a few concepts:
Requirement: contains the regex logic that triggers a message or formatting action for one use case.
Policy: a collection of related Requirements. A Policy has no logic of its own; it is a means of categorization and can be enabled or disabled.
Risks and Warnings Requirements: trigger alert messages based on regex logic. Individual Policies can be enabled or disabled and assigned to one or more devices.
Table Highlighting Requirements: format the color of cells and text based on regex logic. Highlighting is report-specific.
Default Risks & Warnings Policies
Risk and Warnings messages, which appear in the Risks & Warnings and Access Rules table reports, are generated by the Policies and Requirements in the Policy Manager. Default Policies and Requirements are automatically assigned to all devices when they are first imported, and run whenever network device configuration changes are identified.
The following default Risk alert Policies are provided for all Compliance modules:
Default Parser Risk Policy – triggers from logs generated while parsing device configuration files
Default Access Rule Risk Policy – triggers from access rules
Default Policies and Requirements

| Policy | Requirement | Risk Severity |
|---|---|---|
| Default Parser Risk Policy | Unnecessary EIGRP Network | Low |
| | Broadcast traffic permission | Low |
| | Traffic to multicast group | Low |
| | Empty Field | Low |
| | Unused ACL’s | Low |
| | Unused group | Low |
| | Mixed any and not any | Low |
| | Unassigned interface | Low |
| | Missing interfaces | Low |
| | Rule following schedule | Low |
| Default Access Rule Risk Policy | Any in all fields | High |
| | Any in source | Medium |
| | Any source binding | Medium |
| | Any source IP | Medium |
| | Any destination | Medium |
| | Any destination binding | Medium |
| | Any in destination IP | Medium |
| | Any TCP Service | Medium |
| | Any UDP Service | Medium |
| | Any Service Open | Medium |
Default CIS Benchmark Risk Policies
CIS Benchmarks are provided as part of the Best Practices Module. They provide a powerful set of secondary Policies to help identify risks within your network. CIS Benchmark Policies are disabled by default and must be manually enabled and assigned to devices. As noted, changes to risk-related Policies, Requirements or Devices apply to all workspaces. CIS Benchmark Policies and Requirements can be deactivated but not edited or deleted.
CIS Benchmark for Check Point
CIS Benchmark for Cisco
CIS Benchmark for Juniper
CIS Benchmark for Palo Alto
CIS Benchmark for Check Point Firewall
The requirements below were derived from the CIS Check Point Firewall Benchmark v1.1.0 – 06-29-2020.

| Requirement | Risk Severity |
|---|---|
| Ensure ‘Login Banner’ is set | Low |
| Ensure CLI session timeout is set to less than or equal to 10 minutes | Low |
| Ensure Check for Password Reuse is selected and History Length is set to 12 or more | Low |
| Ensure DHCP is disabled | Low |
| Ensure DNS server is configured | Low |
| Ensure Deny access after failed login attempts is selected | Low |
| Ensure Deny access to unused accounts is selected | Low |
| Ensure Disk Space Alert is set | Low |
| Ensure force users to change password at first login after password was changed from Users page is selected | Low |
| Ensure Host Name is set | Low |
| Ensure IPv6 is disabled if not used | Low |
| Ensure Maximum number of failed attempts allowed is set to 5 or fewer | Low |
| Ensure Minimum Password Length is set to 14 or higher | Low |
| Ensure NTP is enabled and IP address is set for Primary and Secondary NTP server | Low |
| Ensure Password Complexity is set to 3 | Low |
| Ensure Password Expiration is set to 90 days or less | Low |
| Ensure Telnet is disabled | Low |
| Ensure Warn users before password expiration is set to 7 days or less | Low |
| Ensure Web session timeout is set to less than or equal to 10 minutes | Low |
| Ensure Radius or TACACS+ server is configured | Low |
| Logging should be enabled for all Firewall Rules | Low |
CIS Benchmark for Cisco ASA 8.x, 9.x Firewall
The requirements below were derived from the CIS Cisco Firewall Benchmark v4.1.0 – 01-16-2018, supporting ASA 8.x and 9.x.

| Requirement | Risk Severity |
|---|---|
| Ensure ‘Domain Name’ is set | Low |
| Ensure ‘Failover’ is enabled | Low |
| Ensure ‘HTTP session timeout’ is less than or equal to ‘5’ minutes | Low |
| Ensure ‘Host Name’ is set | Low |
| Ensure ‘LOGIN banner’ is set | Low |
| Ensure ‘MOTD banner’ is set | Low |
| Ensure ‘NTP authentication key’ is configured correctly | Low |
| Ensure ‘Password Policy’ is enabled | Low |
| Ensure ‘Password Recovery’ is disabled | Low |
| Ensure ‘SNMP community string’ is not the default string | Low |
| Ensure ‘SSH session timeout’ is less than or equal to ‘5’ minutes | Low |
| Ensure ‘TACACS+/RADIUS’ is configured correctly | Low |
| Ensure ‘console session timeout’ is less than or equal to ‘5’ minutes | Low |
| Ensure ‘local username and password’ is set | Low |
| Ensure ‘logging with timestamps’ is enabled | Low |
| Ensure ‘logging’ is enabled | Low |
| Ensure ActiveX filtering is enabled | Low |
| Ensure DHCP services are disabled for untrusted interfaces | Low |
| Ensure DOS protection is enabled for untrusted interfaces | Low |
| Ensure Master Key Passphrase is set | Low |
| Ensure email logging is configured for critical to emergency | Low |
| Ensure explicit deny in access lists is configured correctly | Low |
| Ensure ‘trusted NTP server’ exists | Low |
| Ensure Enable Password is set | Low |
| Ensure Java applet filtering is enabled | Low |
| Ensure Logon Password is set | Low |
| Ensure known default accounts do not exist | Low |
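As an added illustration (my own code, not NP-View's requirement logic), the following Python checks a constructed ASA-style configuration excerpt against a subset of the requirements listed above, matching regexes against configuration lines the way a parser-level Requirement matches strings in a device configuration file. The configuration text and the regexes approximating ASA CLI syntax are my assumptions; the same approach applies to the Check Point, Juniper and Palo Alto tables.

```python
import re

# Constructed ASA-style configuration excerpt; not from the page or any real device.
ASA_CONFIG = """\
hostname asa-edge-01
domain-name corp.example
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
banner motd Authorized use only
ssh timeout 30
console timeout 0
http server enable
snmp-server community public
logging enable
no service password-recovery
"""

DEFAULT_COMMUNITIES = {"public", "private"}

def first_value(config, line_regex):
    """First capture group of the first config line matching line_regex, else None."""
    m = re.search(line_regex, config, re.MULTILINE)
    return m.group(1) if m else None

def present(config, line_regex):
    """True when some config line matches line_regex."""
    return re.search(line_regex, config, re.MULTILINE) is not None

def minutes_between(config, line_regex, lo, hi):
    """True when the captured integer lies in [lo, hi]; a missing line fails.
    On the ASA a timeout of 0 means 'never', so lo=1 rejects it."""
    v = first_value(config, line_regex)
    return v is not None and lo <= int(v) <= hi

# Requirement name (from the table above) -> predicate that is True when satisfied.
# The regexes approximate ASA CLI syntax and are my assumption, not NP-View's logic.
CHECKS = {
    "Ensure 'Host Name' is set":
        lambda c: present(c, r"^hostname\s+\S+"),
    "Ensure 'Domain Name' is set":
        lambda c: present(c, r"^domain-name\s+\S+"),
    "Ensure 'LOGIN banner' is set":
        lambda c: present(c, r"^banner login\s+\S"),
    "Ensure 'MOTD banner' is set":
        lambda c: present(c, r"^banner motd\s+\S"),
    "Ensure 'SSH session timeout' is less than or equal to '5' minutes":
        lambda c: minutes_between(c, r"^ssh timeout\s+(\d+)", 1, 5),
    "Ensure 'console session timeout' is less than or equal to '5' minutes":
        lambda c: minutes_between(c, r"^console timeout\s+(\d+)", 1, 5),
    "Ensure 'HTTP session timeout' is less than or equal to '5' minutes":
        lambda c: minutes_between(c, r"^http server session-timeout\s+(\d+)", 1, 5),
    "Ensure 'SNMP community string' is not the default string":
        lambda c: (first_value(c, r"^snmp-server community\s+(\S+)") or "").lower()
                  not in DEFAULT_COMMUNITIES,
    "Ensure 'logging' is enabled":
        lambda c: present(c, r"^logging enable\s*$"),
    "Ensure 'logging with timestamps' is enabled":
        lambda c: present(c, r"^logging timestamp\b"),
    "Ensure Enable Password is set":
        lambda c: present(c, r"^enable password\s+\S+"),
    "Ensure Logon Password is set":
        lambda c: present(c, r"^passwd\s+\S+"),
    "Ensure 'Password Recovery' is disabled":
        lambda c: present(c, r"^no service password-recovery\s*$"),
}

def run_checks(config):
    """Map each requirement name to True (satisfied) or False (risk raised)."""
    return {name: bool(check(config)) for name, check in CHECKS.items()}

def risks(config, severity="Low"):
    """Alert tuples for failed checks; the table above rates all of these Low."""
    return [(name, severity) for name, ok in run_checks(config).items() if not ok]

if __name__ == "__main__":
    for name, sev in risks(ASA_CONFIG):
        print(f"[{sev}] {name}")
```

Note that the timeout checks fail on a missing line and on a value of 0, since an absent or zero timeout is the weak setting the requirement exists to catch; a regex that only tested "value is 5 or less" would silently pass a device with no timeout configured at all.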
CIS Benchmark for Juniper JunOS 15.1 Firewall
The requirements below were derived from the CIS Juniper Benchmark v2.1.0 – 11-23-2020, supporting JunOS 15.1.

| Requirement | Risk Severity |
|---|---|
| Forbid Dial in Access | Low |
| Ensure VRRP authentication-key is set | Low |
| Ensure proxy-arp is disabled | Low |
| Ensure EBGP peers are set to use GTSM | Low |
| Ensure authentication check is not suppressed | Low |
| Ensure loose authentication check is not configured | Low |
| Ensure RIP authentication is set to MD5 | Low |
| Ensure BFD Authentication is Set | Low |
| Ensure BFD Authentication is Not Set to Loose-Check | Low |
| Ensure SNMPv1/2 are set to Read Only | Low |
| Ensure “Default Restrict” is set in all client lists | Low |
| Ensure AES128 is set for all SNMPv3 users | Low |
| Ensure SHA1 is set for SNMPv3 authentication | Low |
| Ensure Accounting of Logins | Low |
| Ensure Accounting of Configuration Changes | Low |
| Ensure Archive on Commit | Low |
| Ensure NO Plain Text Archive Sites are configured | Low |
| Ensure external AAA is used | Low |
| Ensure TCP SYN/FIN is Set to Drop | Low |
| Ensure TCP RST is Set to Disabled | Low |
| Ensure Minimum Session Time of at least 20 seconds | Low |
| Ensure Lockout-period is set to at least 30 minutes | Low |
| Ensure login message is set | Low |
| Ensure local passwords require multiple character sets | Low |
| Ensure at least 4 set changes in local passwords | Low |
| Ensure local passwords are at least 10 characters | Low |
| Ensure External NTP Servers are set | Low |
| Ensure Strong Ciphers are set for SSH | Low |
| Ensure Web-Management is not Set to HTTP | Low |
| Ensure Web-Management is Set to use HTTPS | Low |
| Ensure Web-Management is Set to use PKI Certificate for HTTPS | Low |
| Ensure Session Limited is Set for Web-Management | Low |
| Ensure Telnet is Not Set | Low |
| Ensure Reverse Telnet is Not Set | Low |
| Ensure Finger Service is Not Set | Low |
| Ensure Log-out-on-disconnect is Set for Console | Low |
| Ensure Autoinstallation is Set to Disabled | Low |
| Ensure Hostname is Not Set to Device Make or Model | Low |
| Ensure Password is Set for PIC-Console-Authentication | Low |
CIS Benchmark for Palo Alto 9
The requirements below were derived from the CIS Palo Alto Firewall 9 Benchmark v1.0.0 – 03-23-2020.

| Requirement | Risk Severity |
|---|---|
| Ensure ‘Idle timeout’ is less than or equal to 10 minutes for device management | Low |
| Ensure ‘Login Banner’ is set | Low |
| Ensure ‘Minimum Length’ is greater than or equal to 12 | Low |
| Ensure ‘Minimum Lowercase Letters’ is greater than or equal to 1 | Low |
| Ensure ‘Minimum Numeric Letters’ is greater than or equal to 1 | Low |
| Ensure ‘Minimum Password Complexity’ is enabled | Low |
| Ensure ‘Minimum Special Characters’ is greater than or equal to 1 | Low |
| Ensure ‘Minimum Uppercase Letters’ is greater than or equal to 1 | Low |
| Ensure ‘New Password Differs By Characters’ is greater than or equal to 3 | Low |
| Ensure ‘Permitted IP Addresses’ is set for all management profiles where SSH, HTTPS, or SNMP is enabled | Low |
| Ensure ‘Permitted IP Addresses’ is set to those necessary for device management | Low |
| Ensure ‘Prevent Password Reuse Limit’ is set to 24 or more passwords | Low |
| Ensure ‘Required Password Change Period’ is less than or equal to 90 days | Low |
| Ensure ‘Service setting of ANY’ in a security policy allowing traffic does not exist | Low |
| Ensure HTTP and Telnet options are disabled for all management profiles | Low |
| Ensure HTTP and Telnet options are disabled for the management interface | Low |
| Ensure System Logging to a Remote Host | Low |
| Ensure alerts are enabled for malicious files detected by WildFire | Low |
| Ensure redundant NTP servers are configured appropriately | Low |
| Ensure that a Zone Protection Profile with an enabled SYN Flood Action of SYN Cookies is attached to all untrusted zones | Low |
| Ensure that a Zone Protection Profile with tuned Flood Protection settings enabled for all flood types is attached to all untrusted zones | Low |
| Ensure that the Certificate used for Decryption is Trusted | Low |
| Ensure valid certificate is set for browser-based administrator interface | Low |
| Syslog logging should be configured | Low |
Risks Walkthrough
To better understand how to use the Policy Manager, let's walk through an example using Risks & Warnings Policies and Requirements.
With the Policy Manager window open, select the Risks & Warnings Policies tab. Below it, a dropdown lists all the available default Policies; for this walkthrough the Default Access Rule Risk Policy is selected.
Policy Details
When a Policy is selected, its details appear on the right side of the window. Risks & Warnings Policies are device-specific, and this page is where you change which devices the Policy applies to. If you change whether the Policy is enabled, or which devices are included, the Policy runs on the next data import or when all risk policies are reset and rerun. Resetting and rerunning clears all existing risks and runs every enabled Requirement within the Policy.
Requirement Details
On the left-hand side, below the chosen Policy, are the Requirements included in this Policy, each with an icon indicating whether it is enabled.
Selecting the default Requirement “Any Service Open” shows its name, its description, and the logic used to trigger the Risk alert message. This Requirement is an example of compound logic: the risk triggers only if all three of its conditions are met. Each condition has four elements.
Requirement Conditions
Apply To: the Table_Column the logic test is applied to
Apply When: whether the string must be found or not found
String: the regex the Requirement looks for in the specified Table_Column
Operator: and/or, used to build compound logic
Risks & Warnings Output
When a risk Requirement is met, a risk alert is generated and posted to the Risks & Warnings table.
The Access Rules table report also displays the highest-criticality risk for each access rule.
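To make the four condition elements concrete, here is an added Python example (mine, not NP-View code) that evaluates regex-based, and/or-chained Requirements against a few constructed access-rule rows and then keeps the highest-criticality risk per rule, as the Access Rules table does. The sample rows, the left-to-right folding of the operator chain, and the condition logic given to the four named default Requirements are all my assumptions; the page lists those Requirements' names and severities but not their actual logic.

```python
import re
from dataclasses import dataclass

# Constructed sample rows (not data from the page). Keys mirror the Access Rules
# table columns named on this page: Source, Destination, Service, Action, Enabled.
ACCESS_RULES = [
    {"id": "r1", "Source": "any", "Destination": "any", "Service": "any",
     "Action": "permit", "Enabled": "true"},
    {"id": "r2", "Source": "10.1.0.0/24", "Destination": "0.0.0.0/0", "Service": "tcp/443",
     "Action": "permit", "Enabled": "true"},
    {"id": "r3", "Source": "any", "Destination": "10.2.0.5", "Service": "icmp",
     "Action": "deny", "Enabled": "true"},
    {"id": "r4", "Source": "10.3.0.0/24", "Destination": "10.2.0.9", "Service": "tcp/22",
     "Action": "permit", "Enabled": "false"},
]

@dataclass
class Condition:
    apply_to: str              # Apply To: Table_Column the regex is tested against
    string: str                # String: regex the Requirement looks for
    apply_when: str = "found"  # Apply When: "found" or "not found"
    operator: str = "and"      # Operator joining this condition to the next: "and" / "or"

@dataclass
class Requirement:
    name: str
    severity: str              # High / Medium / Low
    conditions: list
    message: str

def condition_holds(cond: Condition, row: dict) -> bool:
    hit = re.search(cond.string, row.get(cond.apply_to, ""), re.IGNORECASE) is not None
    return hit if cond.apply_when == "found" else not hit

def requirement_holds(req: Requirement, row: dict) -> bool:
    # Assumption: the and/or chain is folded left to right with no precedence,
    # so "a OR b AND c" means "(a OR b) AND c".
    result = condition_holds(req.conditions[0], row)
    for prev, cond in zip(req.conditions, req.conditions[1:]):
        current = condition_holds(cond, row)
        result = (result and current) if prev.operator == "and" else (result or current)
    return result

# Hypothetical reconstructions of four default Requirements; only their names and
# severities come from the table on this page.
NOT_DENIED = Condition("Action", r"^(deny|drop)$", "not found")
REQUIREMENTS = [
    Requirement("Any in source", "Medium",
                [Condition("Source", r"^any$"), NOT_DENIED], "Source is any"),
    Requirement("Any destination", "Medium",
                [Condition("Destination", r"^any$", operator="or"),
                 Condition("Destination", r"^0\.0\.0\.0/0$"), NOT_DENIED],
                "Destination is any"),
    Requirement("Any Service Open", "Medium",   # three conditions, as in the walkthrough
                [Condition("Enabled", r"^true$"), NOT_DENIED, Condition("Service", r"^any$")],
                "Enabled rule permits every service"),
    Requirement("Any in all fields", "High",
                [Condition("Source", r"^any$"), Condition("Destination", r"^any$"),
                 Condition("Service", r"^any$"), NOT_DENIED],
                "Rule permits anything from anywhere to anywhere"),
]

SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1}

def evaluate(rows, requirements):
    """One alert dict per (row, requirement) pair whose conditions hold."""
    return [{"rule": row["id"], "requirement": req.name,
             "severity": req.severity, "message": req.message}
            for row in rows for req in requirements if requirement_holds(req, row)]

def highest_risk_per_rule(alerts):
    """Mirror the Access Rules table, which shows only the highest criticality per rule."""
    best = {}
    for a in alerts:
        if SEVERITY_RANK[a["severity"]] > SEVERITY_RANK.get(best.get(a["rule"]), 0):
            best[a["rule"]] = a["severity"]
    return best

if __name__ == "__main__":
    found = evaluate(ACCESS_RULES, REQUIREMENTS)
    for a in found:
        print(f'{a["rule"]}: [{a["severity"]}] {a["requirement"]}: {a["message"]}')
    print(highest_risk_per_rule(found))
```

Rule r3 permits nothing (its Action is deny), so the "not found" condition on Action keeps every requirement quiet for it; that negative condition is what distinguishes a permissive "any" from a harmless "deny any".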
Now that we know where the text comes from – let’s find out where the coloring comes from.
Table Highlighting Walkthrough
Table Highlighting Policies and Requirements work in almost the same way as Risks & Warnings, with a few key differences. The main one is that a Table Highlighting Requirement formats cells and text instead of producing an alert message.
Access rules Default Policies and Requirements

| Rule Name | Text Match | Action |
|---|---|---|
| Action – Allow or Permit or Accept or Trust | Action = Allow or Permit or Accept or Trust | ‘Action’ cell = None, Text = Green |
| Action – Deny or Drop | Action = Deny or Drop | ‘Action’ cell = None, Text = Red |
| Binding (ACL) – Any | ACL = Any and Action = not (deny, drop, false, ignored) | ‘Action’ cell = None, Text = Red |
| Destination – Any | Destination = any and Action = not (deny, drop, false, ignored) | ‘Destination’ cell = None, Text = Red |
| Destination Binding – Any | Dst Binding = any and Action = not (deny, drop, false, ignored) | ‘Dst Binding’ cell = None, Text = Red |
| Enabled – True | Enabled = True | ‘Enabled’ cell = None, Text = Green |
| Enabled – False | Enabled = False | ‘Enabled’ cell = None, Text = Red |
| Enabled – Not Analyzed | Enabled = Ignored | ‘Enabled’ cell = None, Text = Gray |
| Risk – High | Risk Criticality = High | ‘Risk’ cell = White, Text = Red |
| Risk – Medium | Risk Criticality = Medium | ‘Risk’ cell = White, Text = Yellow |
| Risk – Low | Risk Criticality = Low | ‘Risk’ cell = White, Text = Blue |
| Risk – None | Risk Criticality = not (High, Medium, Low) | ‘Risk’ cell = None, Text = Gray |
| Risk Criticality – High | Risk Criticality = High | ‘Risk Criticality’ cell = Red, Text = White |
| Risk Criticality – Medium | Risk Criticality = Medium | ‘Risk Criticality’ cell = Yellow, Text = Black |
| Risk Criticality – Low | Risk Criticality = Low | ‘Risk Criticality’ cell = Blue, Text = White |
| Risk Criticality – N/A | Risk Criticality = not (High, Medium, Low) | ‘Risk Criticality’ cell = None, Text = Gray |
| Service – Any | Enabled = true, Action = not (deny, drop), Service = ‘any to any’ and not (Ping, ICMP) | ‘Source’ cell = None, Text = Red |
| Source – Any | Source = Any, Action not (deny, drop), Enabled = not (true, ignored) | ‘Source’ cell = None, Text = Red |
| Source Binding – Any | Src Binding = Any, Action not (deny, drop), Enabled = not (true, ignored) | ‘Src Binding’ cell = None, Text = Red |
Connectivity Paths (Interactive Service Ports)

| Rule Name | Text Match | Action |
|---|---|---|
| Apple Remote Desktop (ARD) | Port = 3283 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow |
| Database Clients (Microsoft SQL) | Port = 1433 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow |
| Database Clients (MySQL) | Port = 3306 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow |
| Database Clients (Oracle SQL) | Port = 1521 : 1525 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow |
| Database Clients (PostgreSQL) | Port = 5432 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow |
| File Explorer (NFS) | Port = 2049 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow |
| File Explorer (SMB) | Port = 445 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow |
| File Transfer Protocol (FTP) | Port = 20 : 21 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow |
| MIB Browser (SNMP) | Port = 161 : 162 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow |
| Microsoft Endpoint Mapper (EPMAP) | Port = 135 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow |
| Remote Desktop (RDP) | Port = 3389 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow |
| Secure Shell (SSH) | Port = 22 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow |
| Team Viewer Client | Port = 5938 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow |
| Terminal Emulator (Telnet) | Port = 23 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow |
| Trivial File Transfer Protocol (TFTP) | Port = 69 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow |
| UNIX r-commands (rlogin, rcp, rsh) | Port = 512 : 514 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow |
| Virtual Network Computing (VNC) | Port = 5900 : 5901 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow |
| Web Browser (HTTP, HTTPS) | Port = 80, 443, 8000, 8080 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow |
| Windows Remote Management Service (WinRM-HTTP) | Port = 5985 : 5986 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow |
| X-Server | Port = 6000 : 6063 | ‘Port’ cell = None, Text = Yellow; ‘Protocol’ cell = None, Text = Yellow |
| Any | Port = Any | ‘Port’ cell = None, Text = Red; ‘Protocol’ cell = None, Text = Red |
Policy Details
On the default Policy page for Table Highlighting we can see that these Policies do not require device selection.
Requirement Details
Selecting a default Requirement for this Policy shows us the requirement details.
For a Table Highlight requirement there are a few more options that are used to target the logic for the action. First, we choose the target Table and Column that will receive the Highlighting Action. Then we choose the table and column where we want the logic to run.
Requirement Conditions
Compliance Type: Table Highlighting Requirements can be set to run only on certain compliance frameworks
Table: the target table the highlighting is applied to when the logic matches
Column: the target column within the chosen target table that the highlighting is applied to when the logic matches
When String: the string the Requirement searches for
Is: found or not found
In Column: the Table_Column in which the Requirement searches for the designated string
Operator: and/or, for building compound logic
Highlighting Action: the cell color and text color applied when the conditions are met
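As an added example (my own code, not NP-View's), the following Python applies a handful of the Connectivity Paths highlighting rules listed above to constructed rows, using the Requirement fields just described: the In Column that is searched, the Text Match string, found or not found, and a Highlighting Action giving a cell color and text color for each target Column. Treating ‘:’ in the Text Match as an inclusive port range and ‘,’ as a list is my assumption about the notation in that table; the sample rows are constructed.

```python
import re
from dataclasses import dataclass

# Constructed Connectivity Paths rows (not data from the page).
PATHS = [
    {"Source": "10.1.1.10", "Destination": "10.2.0.5", "Protocol": "tcp", "Port": "3389"},
    {"Source": "10.1.1.10", "Destination": "10.2.0.6", "Protocol": "tcp", "Port": "1523"},
    {"Source": "10.1.1.10", "Destination": "10.2.0.7", "Protocol": "tcp", "Port": "8080"},
    {"Source": "10.1.1.10", "Destination": "10.2.0.8", "Protocol": "udp", "Port": "53"},
    {"Source": "any", "Destination": "10.2.0.9", "Protocol": "any", "Port": "any"},
]

def parse_port_spec(spec):
    """Turn a Text Match port expression into a predicate over a Port cell.
    Forms taken from the table above: '3389', '1521 : 1525', '80, 443, 8000, 8080',
    'Any'. Reading ':' as an inclusive range and ',' as a list is my assumption."""
    spec = spec.strip()
    if spec.lower() == "any":
        return lambda cell: cell.strip().lower() == "any"
    allowed = set()
    for part in spec.split(","):
        m = re.fullmatch(r"\s*(\d+)\s*(?::\s*(\d+))?\s*", part)
        if not m:
            raise ValueError(f"bad port spec: {spec!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        allowed.update(range(lo, hi + 1))
    return lambda cell: cell.strip().isdigit() and int(cell) in allowed

@dataclass
class HighlightRequirement:
    name: str
    in_column: str             # In Column: the column that is searched
    spec: str                  # When String: the Text Match
    targets: tuple             # Highlighting Action: (Column, cell color, text color) per target
    apply_when: str = "found"  # Is: "found" or "not found"

YELLOW_PORT_PROTO = (("Port", None, "Yellow"), ("Protocol", None, "Yellow"))

# A subset of the Connectivity Paths (Interactive Service Ports) rules above.
HIGHLIGHTS = [
    HighlightRequirement("Remote Desktop (RDP)", "Port", "3389", YELLOW_PORT_PROTO),
    HighlightRequirement("Database Clients (Oracle SQL)", "Port", "1521 : 1525", YELLOW_PORT_PROTO),
    HighlightRequirement("Web Browser (HTTP, HTTPS)", "Port", "80, 443, 8000, 8080", YELLOW_PORT_PROTO),
    HighlightRequirement("Any", "Port", "Any", (("Port", None, "Red"), ("Protocol", None, "Red"))),
]

def highlight(rows, requirements):
    """Return {row_index: {Column: (cell_color, text_color)}} for every highlighted cell.
    Requirements are applied in order, so a later rule overwrites an earlier one on the same cell."""
    styles = {}
    for req in requirements:
        pred = parse_port_spec(req.spec)
        for i, row in enumerate(rows):
            hit = pred(row.get(req.in_column, ""))
            matched = hit if req.apply_when == "found" else not hit
            if matched:
                for column, cell_color, text_color in req.targets:
                    styles.setdefault(i, {})[column] = (cell_color, text_color)
    return styles

if __name__ == "__main__":
    for i, cells in sorted(highlight(PATHS, HIGHLIGHTS).items()):
        print(PATHS[i]["Port"], cells)
```

The row on UDP/53 receives no styling because none of the listed interactive-service rules cover it, while the row whose Port is “any” is colored red by the catch-all rule; rows are matched independently of Protocol here because the rules above only test the Port column.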
Highlighting Output
When a modal report containing a highlight Policy is opened, the rules are applied automatically and the table is highlighted accordingly.
Risk Alert Reset
Sometimes the risk alerts need to be reset. For this, Administrators and Workspace Admins have access to a reset function on the Risks & Warnings Policies Overview page. This action clears all Risks and Warnings information for the workspace; afterwards, all enabled risk Policies and Requirements for the workspace are rerun.
Because Policies are rerun after a reset, at least one Policy must be enabled at the time of reset. Only Risks and Warnings data is affected.