
Policy Optimizer 9.8

Copyright Notice
Copyright 2014 - 2022 FireMon, LLC. All rights reserved. This product and related documentation are
protected by copyright and distributed under licensing restricting their use, copying, distribution,
and decompilation. No part of this product or related documentation may be reproduced in any
form or by any means without the written authorization of FireMon, LLC. All right, title, and interest
in the product shall remain with FireMon and its licensors.

This product and related documentation are provided under a license agreement containing
restrictions on use and disclosure and are protected by intellectual property laws.

This product and documentation may provide access to or information on content, products, and
services from third parties. FireMon, LLC is not responsible for and expressly disclaims all warranties
of any kind with respect to third-party content, products, and services. FireMon, LLC will not be
responsible for any loss, costs, or damages incurred due to your access to or use of third-party
content, products, or services.

The information in this document is subject to change without notice and is not warranted to be
error-free. If you find any errors, please report them to us in writing.

FireMon is a registered trademark of FireMon, LLC. All other products or company names
mentioned herein are trademarks or registered trademarks of their respective owners.

Chapter 1: Policy Optimizer

- About Policy Optimizer
  - Example of Using Policy Optimizer
- About Workflows and Workflow Packs
  - Policy Planner Integration
  - Customized Workflows
- How Rules Route To Policy Optimizer
  - Automatically Route Rules
  - Manually Route Rules
    - Route a Single Rule
    - Route Multiple Rules
- About Licensing
- Administrative Tasks
  - Attachments
  - Notifications
  - Workflow
  - Permissions



Policy Optimizer 9.8

About Policy Optimizer


Policy Optimizer is a workflow process that is an add-on module of the Security Intelligence Platform
(SIP). Instead of a process that adds rules, like Policy Planner, the goal of Policy Optimizer is to clean
up rules that are no longer used or are too risky. Or, as part of a compliance process, Policy
Optimizer can be used to create compliance controls within Security Manager to ensure that all
rules are reviewed periodically to confirm that they are still required. The basic process is that
expired and overly risky rules are routed into a workflow where a custom web-based module
interface presents the rule to the business owner, at which point the owner chooses one of the
available outcomes: Certify or Decertify.

Policy Optimizer is available as a web client that you can access from within SIP. A Policy Optimizer
license is required.

Please contact your sales representative to add the Policy Optimizer module to your current SIP
deployment.

Example of Using Policy Optimizer


Consider this common scenario: a request comes in to open a specific port on a host for a new
vendor. The business opens a change control ticket, and states that the connection should be closed
when the vendor's contract expires in six months. The security engineer implements the change to
the firewall and adds a comment to the rule on the device, attempting to insert all the details about
the business justification and expiration into the limited text field. The port is opened and both the
business and vendor are happy.

However, six months later, who is responsible for ensuring that the rule is removed? Business users
don't think about security rules until they prevent access. Removing access is not at the top of their
minds. For network engineers, the business justifications coded into the comment fields are difficult
to translate, and the full justifications stored in other locations (ticketing systems and shared
spreadsheets are common) make it hard to match the existing state of a policy to each rule's
original intent and requester.

And even when such information is finally matched up, the responsibility for clean up
predominantly falls to a member of the security or infrastructure team, who may not know whether
the rule is still working or required. In the example above, the team would not know immediately
whether the vendor's contract had been extended past the initial six-month period.


About Workflows and Workflow Packs


Note: Workflows are administered in the Administration module. See the Workflows chapter in
the Administration User's Guide for more information.

Policy Optimizer is a workflow-based module, and requires that you upload a workflow pack we
created before you can work tickets.

One workflow can have numerous instances, each with a different user group and permission
assignment.

The Workflow page in the Administration module will display:

Workflows List

Value | Description
Row Number | The number of rows in the list.
Workflow ID | Provided so that users have the ID to compare against log files; it can also be used in configuration settings, such as for ServiceNow.
Name | The name or type of workflow.
Version | The current version of the workflow being used. If a workflow has a new version to update, a download icon will display next to the workflow version. Only new tickets will use the updated version; existing tickets will continue to process in the version they started in.
Workflow Pack Name | The name of the workflow pack.
Open Tickets | The number of tickets in the queue related to that workflow.
Created By | The user who uploaded the workflow.
Status | Enabled or Disabled for use.
(icon) | Action menu with options for tasks to complete at the workflow level.

Note: You can contact FireMon's Pro Services to help you develop and create a unique workflow
pack.

Policy Planner Integration

Prerequisite: A valid Policy Planner license is required to connect Policy Optimizer.


Integrating Policy Planner with Policy Optimizer means that when a Policy Optimizer ticket with a
Review Decision to decertify is selected, the module will automatically create a Policy Planner ticket
to complete the decertification process.

Setting up Policy Planner integration is completed during the workflow creation process.

1. In the Administration module, go to Workflow > Workflows.

2. Open the Policy Optimizer workflow that you will use for integration.

3. In the Policy Planner Integration Settings section, in the Planner Workflow ID field, select
the Policy Planner workflow ID that Policy Optimizer is being integrated with.

4. You can leave the default settings for Default Priority, Summary and Due Date Calculation
or set your own.

5. Click Save.

Customized Workflows
FireMon's Pro Services team can help you create a customized workflow specific to your business
needs.


How Rules Route To Policy Optimizer


Rules can be routed into Policy Optimizer's workflow from one or more user-configured instances of
the Rule Search query. However, instead of the resulting matches being printed to a PDF or HTML
report file, the rules are associated with a work item that is routed to the appropriate review
workflow.

Examples of Rule Search queries would be:

- Find all rules for a specific device.

- Find all rules with an expiration date in the last 10 days.

- Find all rules that fail the <named> audit checks.

- Find all rules that have been unused for the past 90 days.

Once a rule is inserted into the workflow, the system performs several evaluations to determine
where to appropriately route it for review. The system checks to see whether an Owner is defined
in the Rule Documentation. If no Owner is identified for the rule, it is assigned to either a default
reviewer or left unassigned. Notifications are sent nightly in a batch email message to the
Assignees.

Rules are routed to Policy Optimizer from Security Manager.

Automatic routing is event-driven (an event is a failure of a control). Here are a few examples:

- Expired rules

- Control failures

- Due for a periodic review

- Failed an on-demand query using a Rule Search control

Rules can also be routed manually, either a single rule or a group of rules at a time.
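To make the routing evaluation described above concrete, here is an added Python example; it is not FireMon's code and not an API of the product. It runs two of the example Rule Search queries from this section over a constructed set of rules, creates one review ticket per match, assigns each ticket to the Owner from the rule's documentation, falls back to a default reviewer, leaves the ticket unassigned when there is none, and groups pending tickets per assignee the way a nightly batch notification would. The Rule and ReviewTicket shapes, the rule_search, route_rules and nightly_digest functions, and the default reviewer name are assumptions made for illustration.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Rule:
    """Assumed minimal shape of a Security Manager rule plus its documentation."""
    rule_id: str
    device: str
    expiration: Optional[date] = None  # user-defined expiration date, if any
    last_hit: Optional[date] = None    # last time traffic matched the rule
    owner: Optional[str] = None        # Owner field from Rule Documentation


@dataclass
class ReviewTicket:
    review_id: int
    rule_id: str
    reason: str
    assignee: Optional[str]  # None: left unassigned, as the text allows


def rule_search(rules: list[Rule], today: date, unused_days: int = 90,
                expired_within_days: int = 10) -> list[tuple[Rule, str]]:
    """Two of the example queries from the text: rules whose expiration date
    fell in the last `expired_within_days` days, and rules with no hit in the
    past `unused_days` days (a rule that never hit counts as unused)."""
    matches: list[tuple[Rule, str]] = []
    for rule in rules:
        if rule.expiration is not None:
            age = (today - rule.expiration).days
            if 0 <= age <= expired_within_days:
                matches.append((rule, f"expired {age} days ago"))
        idle = None if rule.last_hit is None else (today - rule.last_hit).days
        if idle is None or idle >= unused_days:
            matches.append((rule, f"unused for {unused_days}+ days"))
    return matches


def route_rules(matches: list[tuple[Rule, str]],
                default_reviewer: Optional[str] = None,
                start_id: int = 1) -> list[ReviewTicket]:
    """One review ticket per match. Assignment follows the described check:
    the documented Owner if present, else the default reviewer (an assumed
    setting), else the ticket stays unassigned."""
    tickets = []
    for review_id, (rule, reason) in enumerate(matches, start=start_id):
        assignee = rule.owner or default_reviewer
        tickets.append(ReviewTicket(review_id, rule.rule_id, reason, assignee))
    return tickets


def nightly_digest(tickets: list[ReviewTicket]) -> dict[str, list[int]]:
    """Group pending review IDs per assignee: one batch email per person."""
    digest: dict[str, list[int]] = defaultdict(list)
    for ticket in tickets:
        if ticket.assignee is not None:
            digest[ticket.assignee].append(ticket.review_id)
    return dict(digest)


# Constructed sample data; not taken from any real policy.
TODAY = date(2024, 6, 1)
SAMPLE_RULES = [
    Rule("fw1/rule-12", "fw1", expiration=date(2024, 5, 28),
         last_hit=date(2024, 5, 30), owner="alice"),        # expired 4 days ago
    Rule("fw1/rule-40", "fw1", last_hit=date(2024, 1, 15)),  # idle, no owner
    Rule("fw2/rule-3", "fw2", expiration=date(2023, 12, 1),
         last_hit=None, owner="bob"),                         # never used
]


def demo(default_reviewer: Optional[str] = "secops-queue"):
    """Run the search, route the matches and build the nightly digest."""
    tickets = route_rules(rule_search(SAMPLE_RULES, TODAY), default_reviewer)
    return tickets, nightly_digest(tickets)


if __name__ == "__main__":
    tickets, digest = demo()
    for t in tickets:
        print(f"#{t.review_id} {t.rule_id}: {t.reason} -> {t.assignee}")
    print(digest)
```

With the sample data, rule-12 is routed to its documented owner, rule-40 (no owner) goes to the default reviewer, and rule-3 goes to its owner; calling demo(default_reviewer=None) instead leaves rule-40's ticket unassigned, so it appears in no nightly digest, which is exactly the case a reviewer of the Default Reviewer setting should watch for.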


Automatically Route Rules


To automatically route rules from Security Manager to Policy Optimizer, you first create a control
and then create an assessment for that control in the Administration module, because only
assessments route control failures to Policy Optimizer.

Note: The following control types support Policy Optimizer: Allowed Services, Device Access
Analysis, Network Access Analysis, Rule Search, Rule Usage, and Service Risk Analysis.

To automatically route rules, complete the following steps.

1. Open the Administration module.

2. On the toolbar, click Compliance > Controls.

3. Select an existing control or create a new control.

Note: Please refer to the Administration User's Guide for steps on creating a new control.

4. Expand the <Control Type> Control Properties section.

5. Select the Send Failed Rules to Policy Optimizer check box.

Selecting the check box will allow the system to automatically create review tickets for all
rules that fail the selected control.

6. Click OK.

7. Click Assessments, and then click Create.

Note: Please refer to the Administration User's Guide for steps on creating a new assessment.

8. Select the control you routed to Policy Optimizer above from the Available Controls box.

9. Continue building the assessment.

10. Click Save.

After failing, the rule appears in the list of tickets in Policy Optimizer.

Manually Route Rules


From within Security Manager, you can manually route a single rule or multiple rules to Policy
Optimizer for review when they should be analyzed further to clean up policy inconsistencies.

Route a Single Rule

To manually route a rule, complete the following steps.

- From the Security Rules list, find the rule to route, click the Menu icon, and then click
Route Rule to Policy Optimizer.

A new review ticket is automatically created in Policy Optimizer and listed in the All Reviews list.

Route Multiple Rules

To bulk route rules, complete the following steps.

1. On the Security Rules page, click Add Filter. Or use the existing filters of Cleanup Needed,
Improvement Needed, Failed or Changed.

2. After you've filtered the list, click Actions > Bulk Route Rules to PO.

3. In the Route Rule to Policy Optimizer dialog box, confirm the number of rules being sent
and then click Send.

Each rule sent automatically creates a new review ticket in Policy Optimizer, which is listed in the All
Reviews list.

About Licensing
License download and device assignment is completed in the Administration module. Refer to the
Access: License chapter in the Administration User's Guide for more information and licensing
procedures.

Administrative Tasks


All administrative tasks for Policy Optimizer are completed in the Administration module.

Note: See the Workflow and Settings chapter of the Administration User's Guide for more
information.

All fields contain recommended default settings to ensure the best performance of the module.
However, all fields can be modified to accommodate your business needs.

Attachments
- Allowable Upload File Types is used to determine which file types are acceptable for
attachments.

- Max Attachment Upload Size is used to set the limit on attachment file size in bytes.

- Delete Attachments is used to delete Policy Optimizer attachments after they have been
uploaded. To use this feature, a user must have the review assigned to them and have Write
permissions for that stage.

Notifications
- Default Sender is the address that shows in the From field in system-generated email
notifications.

- Block Emails is used to prevent emails from sending.

Workflow
- Ticket URL is the IP address of your Policy Optimizer module.

- Default Reviewer is used to set a user as the default ticket reviewer when one is not
assigned to the ticket.

- Control Failure SIQL Query is used to set the query for control failures.

- Control Failure Workflow ID is the workflow ID associated to the control failure workflow.

- Update Control Failure Workflow ID on Upgrade is used to automatically update the
control failure workflow ID.

- Show is used to select how Review tickets are displayed in Policy Optimizer. Options are:
  - All reviews—displays all reviews in the workflow to all users
  - Editable—only displays reviews that are assigned to the logged in user or can be
    claimed and assigned by the logged in user
  - Assigned—only displays reviews that are assigned to the logged in user

Permissions

Prerequisite: A Policy Optimizer license is required.

By default, no permissions are set for Policy Optimizer. As with other administrative tasks, setting
permissions for Policy Optimizer is completed in the Administration module.

Workflow permissions are role-based and enable users to perform actions; in the case of Policy
Optimizer, that action is reviewing tickets.

Note: A workflow packet is a common way of referring to a review in Policy Optimizer.

- View Packet—indicates that users are able to view packets for a specific workflow. This
makes no distinction between which packets can or cannot be viewed; it only dictates at the
workflow level whether you can view packets for that workflow.

- View Secure—this is a placeholder permission that is not currently used for anything. It is
intended for fields which contain sensitive data.

- Create Packet—indicates that users are able to create packets for a specific workflow.

- Review—indicates that users are able to review and perform actions in Policy Optimizer.

To set permissions, complete the following steps.

1. Open the Administration module.

2. On the toolbar, click Access > User Groups.

3. Click the name of the user group to set permissions for.

4. Expand the User Group Permissions section:

- Click the System tab, and click the Read permission check box for Plugins (to grant
permission to manage workflows and workflow packs).

- Click the Administration tab, select permissions for Workflows (to grant permission
to manage workflows and workflow packs) and Administer Workflows (to grant
permission to manage ticket access so that users can only see tickets that have been
assigned to them).

- Click the Modules tab, and click the Read permission check box for Policy Optimizer.

- Click the Device Group tab, and then select the device groups for the workflow
permissions to be assigned to.

- Click the Workflows tab, and select the permissions for the different Policy Optimizer
workflow areas.

5. Click Save.

Chapter 2: Dashboard

- About the Dashboard
  - How do I return to the Dashboard?
  - What version of Policy Optimizer am I running?
- Access Other Workflows
- Filter Review Tickets
  - Use Quick Filters
- Open a Review
- Export Review List
  - Review List Report

About the Dashboard
The Policy Optimizer dashboard is the interface for displaying all open tickets in the database.
Tickets are created from within Security Manager and display in Policy Optimizer. Once routed to
the Review queue, assignees will be notified that a rule is pending their review by an email message
notification.

The following defines the values in the All Reviews table. The order of tickets listed is sorted by
Created Date, but you can sort the list by any column.

All Reviews List

Value | Description
Review ID | The system generated number assigned to the review ticket. Numerical order based on Create Date.
Created Date | The date the review ticket was created.
Task | Where in the workflow the review ticket is.
Rule | The rule from the policy that is being reviewed.
Policy | The policy the rule is from.
Device | The device the rule is on.
Assigned | Who the review is assigned to.

How do I return to the Dashboard?


After opening a ticket, you can return to the Dashboard by clicking Reviews on the toolbar.

What version of Policy Optimizer am I running?


To view the version of Policy Optimizer currently running, click Help, and then click About .

Access Other Workflows

On the toolbar, click the Workflow Home arrow, and then select from the available workflows.

(Figure: the workflow icon.)

Filter Review Tickets

Note: The filter bar is set to Basic by default, which allows you to build queries using filter bricks.
Clicking Advanced allows you to manually enter SIQL queries in the filter bar. For more
information on SIQL and SIQL queries, see the SIQL chapter.

To filter All Review tickets, complete the following steps.

1. On the All Reviews page, click Add Filter.

The Add Filter dialog box opens, showing the criteria you can query based on the results
table you are on.

2. Select a filter object.

3. Select a filter operator.

4. If applicable, enter the filter data.

5. To add additional filter data, click .

6. Click Apply.

Use Quick Filters

1. On the bar above the All Reviews table, select one of the following options.

a. To view reviews that are already assigned to you, click Assigned to Me.

b. To view reviews that are unassigned, click Unassigned.

c. To view reviews that have been created in the last five days, click Created (Last 5
Days).

2. A new page will open with the reviews list filtered to only show reviews that meet the filter
criteria.

Open a Review
To open a review ticket, from the All Reviews list, click a Review ID hyperlink.

Export Review List

To export the list of review tickets as a .csv or .pdf file, click Export > CSV or Export > PDF on the
All Reviews page.

Review List Report


This report provides a list of rules reviewed for a defined time period or since the last review, with
the option to include the certify or decertify reason.

To run this report, complete the following steps.

1. On the Reviews page, click Export > PDF.

2. The Configure PDF dialog box will open.

a. Select to include or exclude Rule Information and Rule Decision. A blue toggle key
indicates inclusion.

b. Click Download.

Chapter 3: Manage Reviews

- Rule Review Page
- Assign a Review
  - Assign a Review to User
  - Assign a Review to Me
  - Unassign a Review
- Cancel a Review
- Certify a Rule
- Decertify a Rule
- Review Tabs
  - Analysis Tab
    - Rule Properties
    - Rule Usage
    - Control Failures
    - Severity Levels
  - Details Tab
    - View Rule Doc Details
    - Edit Rule Documentation
  - Comments Tab
    - Add a Comment
  - Attachments Tab
    - Add an Attachment
    - Delete an Attachment
  - Task History
    - View Rule Activity
  - Review History Tab
    - View Review History

Rule Review Page


Each review created has its own unique page.

The rule review page displays all information related to a ticket, displaying only information
pertaining to the ticket selected. From this page, you can manage all aspects of the rule review
process.

Note: Clicking any linked text on the Review page will open a new tab linked to its page in
Security Manager.

Rule Header

Number | Value | Description
1 | Review ID | The system generated review ticket number.
2 | Rule | An overview of the review: Rule - Policy - Device.
3 | Actions | Actions to take on the review.
4 | Status Box | Overview of review assignment details.

Rule Information

Value | Description
Rule | The number the rule has in the firewall policy.
Policy | The policy for the rule.
Device | The device the rule is set for.
Rule Summary | Comments: any comments that have been left for the specified object. Often used to describe the object type and use. Click to view. ID: the unique SIP-generated identifier (not set by a user) for an object. Click to view. Rule Documentation: the meta-data that explains the rule. Click to view.
Source / User Object | The IP address or addresses from which incoming firewall traffic is allowed.
Destination | The IP address or addresses to which outgoing firewall traffic is allowed.
Application Object / Service | Service: The protocol and port for the rule. Application: The layer 7 firewall application for the rule, such as Gmail™ or Dropbox™.
Action / Security Profile | Action: The action the firewall is set to perform when the rule is used, which can be ACCEPT or DROP. Security Profile: The individual profile that has been applied to the rule.
Hit Count | The number of times the rule has been used in the last 30 days (default).
Last Used | The timestamp the rule was last used.
Cleanup Properties | Orange rule property labels. The possible rule property icons are Unused, Logging Disabled, Disabled, Shadowed, Expired, No Comment, Unused Objects, and Redundant.
Policy Tags | Tags that are applied at the device level. They are normalized during a retrieval. They cannot be edited within Security Manager.
Compliance | Failed Controls: The number of failed controls by severity assigned to the control at creation. Cumulative Severity: The combined total of the severity for each control failing this rule. Rule Risk Score: The ratio of vulnerabilities not exposed by this rule to the total number of potential vulnerabilities, adjusted by Asset Value and effect multipliers.
Revision | The number of the latest revision.
Change Date/Time | The timestamp of the revision.
User | The user who saved the latest revision.
Tags | User: These tags are applied to the rule by a user.

Rule Decision

Value | Description
Rule Decision | The rule review-related information: Certify (approve) or Decertify (change).
Rule Actions | Decertify: remove or modify rule.
Remarks | Any comments left as to the decision made.
Next Review Date | Used, when a rule is certified, to set the next review of the rule.

Rule Review Tabs

Value | Description
Analysis | Information about the rule which could support rule removal.
Details | Rule Documentation.
Comments | Any comments for the rule.
Attachments | Any files related to the rule.
Task History | Any actions performed on a rule are tracked. Consider this feature to be an audit trail for the rule. No action is needed by the user; this is an automatic process.
Review History | Any reviews performed on a rule are tracked. Consider this feature to be an audit trail for the rule. No action is needed by the user; this is an automatic process.

Assign a Review

Assign a Review to User

You can assign specific users to review rules. To assign a rule, do the following:

1. From the All Reviews list, click a Review ID to open its page.

2. Click Assign > Assign to User.

3. In the Assign Review dialog box, select to whom you want to assign the rule, and then click
Assign.

Assign a Review to Me

You can assign a review to yourself. To assign a rule to yourself, do the following:

1. From the All Reviews list, click a Review ID to open its page.

2. Click Assign > Assign to Me.

Unassign a Review

- On the Review ID page, click Assign > Unassign.

Cancel a Review

Note: You can only cancel a review assigned to you.

- On the Review ID page, click Cancel.

Certify a Rule

By certifying a rule, you are agreeing that it must be retained to meet business needs. You will be
required to enter a comment supporting your decision.

To certify a rule, do the following:

1. From the All Reviews list, click a Review ID to open its page.

2. Click Assign, if the ticket is not already assigned to you.

3. In the Rule Decision box, select Certify.

4. In the Remarks box, enter your reason for certifying the rule.

5. Select a Next Review Date by clicking the calendar icon.

6. Click Save.

7. If no further actions are required, click Complete.

Decertify a Rule

Decertifying a rule means that it either needs to be removed or modified to meet business needs.
You will be required to enter a comment supporting your decision.

To decertify a rule, complete the following steps.

1. From the All Reviews list, click a Review ID to open its page.

2. Click Assign, if the ticket is not already assigned to you.

3. In the Rule Decision box, select Decertify.

4. You can select to:

a. Remove Rule, then select a reason for the action from Remove Rule Options.

- Access is no longer needed

- Access is too risky

- Other, and then type a reason for removing the rule in Description

Note: If Remove is selected, the application will automatically create a Policy
Planner ticket for the change.

b. Modify Rule, then select a reason for the action from Modify Rule Options.

- Move to rule position, and then type a new Position Number

- Remove object(s), and then type which Objects to Remove

- Other, and then type a reason for modifying the rule in Description

c. Disable Rule, then select a reason for the action from Disable Rule Options.

- Access is no longer needed

- Could not find owner

- Other

5. In the Remarks box, type your reason for decertifying the rule.

6. Click Save.

7. If no further actions are required, click Complete.

After a rule has been decertified, you will need to run a query to pull all decertified rules so that the
rules can be permanently removed.


Review Tabs

Analysis Tab
The Analysis tab displays information about the rule which could be used to help determine
whether to certify or decertify the rule.

To view analysis information, do the following:

1. From the All Reviews list, click a Review ID to open its page.

2. Click the Analysis tab.

You can view:

- Rule Properties—displays possible reasons to decertify the rule. Flagged properties will
appear with an orange bar.

- Rule Usage—displays a graphic detailing total hits and daily average hits.

- Control Failures—displays the failed controls by severity assigned to the control at creation.

- Change History—lists any information about changes made to the device.


Rule Properties

A flagged property will appear with an orange bar, indicating a Best Practice to follow when
deciding whether to decertify a rule. The table below lists each property and its definition:

Rule Property Labels

Label | Description
Unused | The rule has been inactive for the last 90 days.
Logging Disabled | Logging has been disabled.
Disabled | The rule has been disabled.
Shadowed | A rule higher in the policy matches all the traffic in this rule, but the action is different.
Expired | A user-defined expiration date has passed.
No Comment | No comments have been added to the rule.
Unused Objects | An object (source, destination or service) has been inactive for the last 90 days.
Redundant | Another rule in the policy matches all the traffic in this rule.
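The following added Python example (not FireMon's implementation) computes these cleanup labels for a constructed three-rule policy. The six attribute-based labels follow the table directly; for Shadowed and Redundant it assumes a set-based coverage model, where one rule matches all the traffic of another when every source and destination network of the inner rule lies inside a network of the outer rule and its services are a subset, and it treats Redundant as coverage by another rule with the same action. The PolicyRule shape, that coverage model and the 90-day window parameter are assumptions.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class PolicyRule:
    """Assumed shape of one firewall rule; the policy is a list in match order."""
    name: str
    sources: frozenset[str]        # CIDR strings
    destinations: frozenset[str]   # CIDR strings
    services: frozenset[str]       # e.g. "tcp/443"
    action: str                    # "ACCEPT" or "DROP"
    enabled: bool = True
    logging: bool = True
    comment: str = ""
    expiration: Optional[date] = None
    last_hit: Optional[date] = None
    # Last hit seen per object used by the rule; None means never (assumed shape).
    object_last_hit: dict[str, Optional[date]] = field(default_factory=dict)


def _nets_covered(inner: frozenset[str], outer: frozenset[str]) -> bool:
    """Every inner network lies inside at least one outer network."""
    outer_nets = [ipaddress.ip_network(o, strict=False) for o in outer]
    return all(any(ipaddress.ip_network(i, strict=False).subnet_of(o)
                   for o in outer_nets) for i in inner)


def covers(outer: PolicyRule, inner: PolicyRule) -> bool:
    """Assumed model of 'matches all the traffic in this rule'."""
    return (_nets_covered(inner.sources, outer.sources)
            and _nets_covered(inner.destinations, outer.destinations)
            and inner.services <= outer.services)


def cleanup_labels(policy: list[PolicyRule], index: int, today: date,
                   unused_days: int = 90) -> set[str]:
    """Return the orange cleanup labels that apply to policy[index]."""
    rule = policy[index]
    labels: set[str] = set()

    def idle(last: Optional[date]) -> bool:
        return last is None or (today - last).days >= unused_days

    if idle(rule.last_hit):
        labels.add("Unused")
    if not rule.logging:
        labels.add("Logging Disabled")
    if not rule.enabled:
        labels.add("Disabled")
    if rule.expiration is not None and rule.expiration < today:
        labels.add("Expired")
    if not rule.comment.strip():
        labels.add("No Comment")
    if any(idle(last) for last in rule.object_last_hit.values()):
        labels.add("Unused Objects")
    for j, other in enumerate(policy):
        if j == index or not covers(other, rule):
            continue
        if j < index and other.action != rule.action:
            labels.add("Shadowed")   # an earlier rule takes the traffic first
        if other.action == rule.action:
            labels.add("Redundant")  # the same outcome is produced elsewhere
    return labels


def analyze_policy(policy: list[PolicyRule], today: date) -> dict[str, list[str]]:
    """Labels per rule name, sorted for stable output."""
    return {r.name: sorted(cleanup_labels(policy, i, today))
            for i, r in enumerate(policy)}


# Constructed sample policy (documentation-range addresses, not real hosts).
TODAY = date(2024, 6, 1)
SAMPLE_POLICY = [
    PolicyRule("allow-web", frozenset({"10.0.0.0/8"}), frozenset({"192.0.2.10/32"}),
               frozenset({"tcp/443"}), "ACCEPT", comment="Web frontends",
               last_hit=date(2024, 5, 31)),
    PolicyRule("deny-legacy", frozenset({"10.1.2.3/32"}), frozenset({"192.0.2.10/32"}),
               frozenset({"tcp/443"}), "DROP", last_hit=None),
    PolicyRule("allow-web-vendor", frozenset({"10.0.0.0/8"}), frozenset({"192.0.2.0/24"}),
               frozenset({"tcp/443", "tcp/80"}), "ACCEPT", logging=False,
               comment="Vendor access, contract ended January",
               expiration=date(2024, 1, 31), last_hit=date(2024, 5, 30),
               object_last_hit={"tcp/80": None, "tcp/443": date(2024, 5, 30)}),
]

if __name__ == "__main__":
    for name, labels in analyze_policy(SAMPLE_POLICY, TODAY).items():
        print(f"{name}: {', '.join(labels) or '(clean)'}")
```

In the sample, deny-legacy is Shadowed because allow-web sits above it, matches all of its traffic and accepts instead of drops, so the DROP never fires; allow-web is Redundant because the broader allow-web-vendor rule produces the same ACCEPT for everything it matches; and allow-web-vendor is flagged Expired, Logging Disabled and Unused Objects even though it still carries traffic, which is the kind of rule a reviewer would decertify with a Modify rather than a Remove.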

Rule Usage
Rule usage is displayed as a graphic detailing total hits and daily average hits for the rule.


Control Failures

Failed controls by severity assigned to the control at creation.

Value | Description
Severity | The severity level of the control.
Code | The code for the control. Clicking the link opens the Security Manager overview page for the control.
Control Name | The name of the control. Clicking the link opens the Security Manager overview page for the control.
Assessment | The name of the assessment. Clicking the link opens the Assessments Results page in Security Manager.

Severity Levels

There are four severity levels—Critical, High, Medium, Low—for assessments that collectively
culminate in a total severity score, where the higher the number, the higher the severity.

The Analysis tab displays the severity level for the rule in the Control Failures section.

Cumulative Severity Levels

Indicator Level | Range
Low | Between 0 and 2 (inclusive) (0-2)
Medium | Greater than 2 and less than or equal to 5 (3-5)
High | Greater than 5 and less than or equal to 7 (6-7)
Critical | Greater than 7 (8-9)
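An added Python example (not FireMon's code) of the Control Failures and Cumulative Severity Levels tables above: it assumes each failed control carries an integer severity assigned at creation, counts the failures by severity, sums them into the cumulative score, and maps the score onto the four ranges with the upper bounds 2, 5 and 7 treated as inclusive, as the table states. The FailedControl shape and the sample control codes and names are assumptions.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class FailedControl:
    """One row of the Control Failures table; severity is the integer value
    assigned to the control at creation (assumed scale)."""
    severity: int
    code: str
    name: str
    assessment: str


# Inclusive upper bounds of the first three ranges from the Cumulative Severity
# Levels table; any score above the last bound is Critical.
LEVEL_UPPER_BOUNDS = (("Low", 2), ("Medium", 5), ("High", 7))


def severity_level(score: int) -> str:
    """Map a cumulative severity score onto the indicator level."""
    if score < 0:
        raise ValueError("severity score cannot be negative")
    for level, upper in LEVEL_UPPER_BOUNDS:
        if score <= upper:
            return level
    return "Critical"


def cumulative_severity(failures: list[FailedControl]) -> int:
    """Combined total of the severity of each control failing the rule."""
    return sum(f.severity for f in failures)


def summarize_failures(failures: list[FailedControl]) -> dict:
    """What the Analysis tab reports: failures counted by severity, the
    cumulative score, and the level that score falls in."""
    score = cumulative_severity(failures)
    return {
        "failed_controls_by_severity": dict(Counter(f.severity for f in failures)),
        "cumulative_severity": score,
        "level": severity_level(score),
    }


# Constructed sample rows; the control codes and names are placeholders.
SAMPLE_FAILURES = [
    FailedControl(1, "CTRL-EXAMPLE-01", "Rule has no comment", "Quarterly cleanup"),
    FailedControl(2, "CTRL-EXAMPLE-02", "Rule unused for 90 days", "Quarterly cleanup"),
    FailedControl(3, "CTRL-EXAMPLE-03", "Risky service allowed", "Service risk"),
]

if __name__ == "__main__":
    print(summarize_failures(SAMPLE_FAILURES))
```

The three sample failures total 6, which lands in High; a rule with no failing controls scores 0 and is Low, and a score of exactly 2, 5 or 7 stays in the lower level, matching the inclusive upper bounds in the table.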


Details Tab

The Details tab displays Rule Documentation information. Rule documentation is the meta-data
that explains a rule. You manually enter this meta-data as values for specified attributes by clicking
Edit and filling in the fields on the Edit Review dialog box. The data is uniquely associated with the
rule for its lifetime, so when the policy or rule is modified, the meta-data is not subject to modified
rule numbers or other transient data.

View Rule Doc Details


To view rule documentation, complete the following steps.

1. From the All Reviews list, click a Review ID to open its page.

2. Click the Details tab.

3. View the data for that rule.

Edit Rule Documentation

Not e: Changes made to Rule Documentation update immediately (in real-time) in Security
Manager.

By completing this task, you will populate Rule Documentation fields. Rule Documentation is the
meta-data that explains a rule. You manually enter this meta-data as values for specified attributes.

To edit a rule, complete the following steps.

1. From the All Reviews list, click a Review ID to open its page.

2. In the Details tab, click Edit.

3. In the Editing Rule Documentation dialog box, update information in any of the fields.

4. Click Save.

Comments Tab

The Comments tab will display all comments that have been added to a rule during a review.
Comments are listed from newest to oldest.

Along with the comment, the section will display:

l Name and/or user ID of who added the comment.

l Date and time the comment was posted.

If no comments have been added, the following message will be seen: No comments have been
posted for this review.

Note: Comments cannot be deleted.

Note: Numbers on the tab indicate how many Comments are associated with the rule.

Add a Comment
To add a comment to a rule, do the following:

1. From the All Reviews list, click a Review ID to open its page.

2. Click the Comments tab.

3. In the New Comment dialog box, type your remarks and then click Add Comment.

Attachments Tab

The Attachments tab will display all attachments that have been added to a rule during a review.
Attachments are listed from newest to oldest.

The section will display:

l File

l Size

l Description

If no attachments have been added, the following message will be seen: No attachments have been
added to this review.

Note: Numbers on the tab indicate how many Attachments are associated with the rule.

Add an Attachment

Note: Allowable file types are image/*, .pdf, .txt, .rtf, .xls, .xlsx, .doc, .docx, .ppt, .pptx, .zip, and
.csv.

Note: The maximum upload size per file is 2.38 MB.

To attach a file that pertains to a specific rule, complete the following steps.

1. From the All Reviews list, click a Review ID to open its page.

2. Click the Attachments tab and then click Attach File.

3. Navigate to the file you want to attach using standard Windows functionality, and then click
Open.

A comment about the attachment will automatically be added to the Comments tab.

4. Click Save.

Delete an Attachment
To delete a file that has been attached to a rule, do the following:

1. From the All Reviews list, click a Review ID to open its page.

2. Click the Attachments tab.


3. Locate the file to delete, then click the delete icon at the end of the row.

4. On the Delete Attachment dialog box, click Yes to confirm the deletion.

Not e: Although the file is no longer attached, the Comments tab will still display the comment
about the attachment.


Task History

Any actions performed on a rule are tracked. Consider this feature to be an audit trail for the rule.
No action is needed by the user; this is an automatic process.

View Rule Activity

To view the activity on a rule, complete the following steps.

1. From the All Reviews list, click a Review ID to open its page.

2. Click the Task History tab.

3. View the activity history, if any.

The Task History tab will display all activity that has occurred during a review. Activities are listed
from newest to oldest.

The section will display:

Value | Description
Activity | The stage the review is in.
Completed By | The user working the review.
Start Date | Timestamp of when the review began.
End Date | Timestamp of when the review finished.
Completed | Options: [icon] or [icon]
Duration | The difference of the End Date minus the Start Date.


Review History Tab

Any reviews performed on a rule are tracked. Consider this feature to be an audit trail for the rule.
No action is needed by the user; this is an automatic process.

View Review History

To view the review history of a rule, complete the following steps.

1. From the All Reviews list, click a Review ID to open its page.

2. Click the Review History tab.

3. View the rule's review history.

The Review History tab will display all activity that has occurred during a review. Activities are
listed from newest to oldest.

The section will display:

Value | Description
Date/Time | The timestamp of each step in the review process.
Event | Actions taken on the review.
User | The user who initiated the review.
Details | Details of the event.

Chapter 4: Tools
Filter Library 35

Open the Filter Library 35

Create a Filter 35

Save a Filter 36

Apply a Saved Filter 36

Favorite a Filter 36

Remove a Favorite Filter 37

Edit a Filter 37

Delete a Saved Filter 37

Tag Library 38

Open the Tag Library 38

Tag Dashboard 38

Create a Tag 40

Share a Tag 41

Edit a Tag 41

Delete a Tag 41

About SIQL 42

Perform an SIQL Query 42

Review Stanza 42

Query Examples 46


Filter Library
You can use the filter bricks in the filter bar above the All Reviews table to build simple or complex
filters that return only the results satisfying certain criteria. These filters can then be saved to the
Filter Library for easy access later.

Open the Filter Library

• On the toolbar, click Tools > Filter Library.

Filter Library Table

Value | Description
Name | The unique name for the filter.
Description | An optional field to describe what the filter is used for.
Shared With | Displays who the filter is being shared with, or "private" if the filter is not being shared.
Category | The type of results list the filter originated from.
Owner | Either system (for a pre-defined filter) or the user who created the filter.
Date Created | The timestamp of when the filter was created.
Favorite | Displays a solid star if the filter has been marked to show in Favorites.
Menu icon | Action menu with options for tasks to complete at the filter library level.

Create a Filter

Note: The filter bar is set to Basic by default, which allows you to build queries using filter bricks.
Clicking Advanced allows you to manually enter SIQL queries in the filter bar.

To create a results-based filter, complete the following steps.

1. On the All Reviews page, click Add Filter.

The Add Filter dialog box opens, showing the criteria you can query based on the results
table you are on.

2. Select a filter object.

3. Select a filter operator.


4. If applicable, enter the filter data.

5. To add additional filter data, click the add icon.

6. Click Apply.

Save a Filter

Note: Saved filters will be listed in the Filter Library.

To save a created filter, complete the following steps.

1. After you have finished creating the filter and it successfully returns the results you were
searching for, click Save As.

2. In the Save Filter dialog box, complete the following steps.

a. In the Name box, type a name for the filter.

b. Optional. In the Description box, type a description for the filter.

c. To add the filter to the Favorite Filters table, click Show In Favorites.

d. To share a filter with a specific user group, click Shared with and select a user group
from the list. You may select more than one user group.

3. Click Save.

Apply a Saved Filter

To apply a saved filter from the Filter Library, complete the following steps.

1. On any results table page, click the filter icon.

2. The most frequently used filters are listed under Favorite Filters.

3. To choose a different saved filter, click Filter Library.

4. Click a filter. A new table opens with the selected filter applied.

Favorite a Filter
To add a filter to your favorites list, click the star next to the filter in the Filter Library.

All favorite filters will be listed in the Favorite Filters dialog box when you click the filter icon.


Remove a Favorite Filter

To remove a filter from your favorites list, click the star next to the filter in the Filter Library.

Note: Favorite = solid star, Not Favorite = hollow star

Edit a Filter

Note: Only filters that you created can be modified.

To edit a filter, complete the following steps.

1. On any table list, click the filter icon > Filter Library.

2. On the Filter Library table, click the Menu icon > Edit.

3. Make the edits, and click Save.

Delete a Saved Filter

Note: Only filters you have created can be deleted.

To delete a saved filter, complete the following steps.

1. On any table list page, click the filter icon > Filter Library.

2. On the Filter Library table, click the Menu icon > Delete.

3. Confirm the deletion, and then click Delete.


Tag Library
The ability to apply a tag to a rule allows you to more easily see relationships and grouping, and
identify rules to take action on to improve security.

Benefits of tagging a rule:

• You can choose a color for the tag, reinforcing the visual grouping.

• Tags help find groups of rules and objects that don't have common data sets.

• You can filter a list of rules by tags.

Open the Tag Library

• On the toolbar, click Tools > Tag Library.

The Tag Library comprises all the tags that have been created and shared, and these tags are used across
all SIP modules.

Tag Library Table

Value | Description
Name | The unique name for the tag. Click the Name to open the dashboard for the tag.
Description | An optional field to describe what the tag is used for.
Shared With | Displays who the tag is being shared with; if the tag is not being shared, the field will be blank.
Owner | The user who created the tag.
Date Created | The timestamp of when the tag was created.
References | The number of times this tag is used.
Menu icon | Action menu with options for tasks to complete at the tag library level.

Tag Dashboard
The Tag Dashboard resides in the Security Manager module. When you click a tag's link in another
module, it will open in Security Manager.

Note: Data presented is determined by a user's granted permissions to the modules that use the
selected tag. 'No Data Available' could be a result of not having permission granted to view or a
license for the associated module.


Widgets on the Tag Dashboard

• Tag Summary is the same information listed in the Tag Library table list.

• Tag References is a pie chart used to visualize the reference distribution of the tag.

• Rule References displays the number of security rules for a device, listed in order of
references. Click a device to open the Security Rules listed for that device, filtered by tag.

• Associated Tickets by Created Date is based on the workflow that is associated to the tag.
Select a Workflow from the drop-down list to populate the widget data. It also includes a link
to the ticket and the stage that the ticket is currently in. Clicking the linked Ticket Number will
open the ticket in the associated module. If a license for the module does not exist, a product
brief will display.

• Rules by Cumulative Severity lists the rules referencing the tag that have a cumulative severity
score greater than zero, ordered by descending severity level.

Value | Description
Rule No. | The rule number the tag is used on. Click to open the Security Rules page in Security Manager for the rule.
Rule Name | The name of the rule the tag is used on. Click to open the Security Rules page in Security Manager for the rule.
Policy | The policy name to which the rule is associated.
Device | The device using the tag. Click to open the device's Overview Dashboard in Security Manager.
Failed Controls | The number of failed controls for each severity level.
Cumulative Severity | The overall severity of the rule referencing the tag.

• Riskiest Rules lists the riskiest rules associated to a tag.

Value | Description
Rule Risk Score | The rule's risk score.
Rule No. | The rule number the tag is used on. Click to open the Security Rules page in Security Manager for the rule.
Rule Name | The name of the rule the tag is used on. Click to open the Security Rules page in Security Manager for the rule.
Device Name | The device using the tag. Click to open the device's Overview Dashboard in Security Manager.
Policy | The policy name to which the rule is associated.
Source / User Object | The IP address or addresses from which incoming firewall traffic is allowed. Expand to view all. Click to open the object page in Security Manager for the rule.
Destination | The IP address or addresses to which outgoing firewall traffic is allowed. Click to open the object page in Security Manager for the rule.
Application Object / Service | The protocol and port for the rule. Click to open the object page in Security Manager for the rule.
Action | The action the firewall is set to perform when the rule is used, which can be ACCEPT or DROP.

Create a Tag
To create a tag, complete the following steps.

1. On the toolbar, click Tools > Tag Library.

2. On the Tag Library page, click Create.

3. In the Create Tag dialog box:

a. Type a unique Name for the tag. The system will not allow duplicate names. Names are
not case sensitive.

b. Select a tag Color.

c. Type a brief Description of the tag's use.

d. To share the tag with a specific user group, click Shared with and select a user group
from the list. You may select more than one user group.

e. Click Create.


Share a Tag

Note: To share an existing tag you must have created the tag or be a member of a Shared With
group.

1. On the Tag Library page, for the tag to share, click the menu icon and then click Edit.

2. In the Edit Tag dialog box:

a. Enable Shared with, if not already in use.

b. Select a user group from the list to share the tag with.

c. Click Save.

Remove a Share

To remove access to a tag for a specific user group, open the Edit Tag dialog box and click the X next to
the user group name.

Edit a Tag

Note: To edit a tag you must have created the tag or be a member of a Shared With group.

1. On the Tag Library page, for the tag to edit, click the menu icon and then click Edit.

2. In the Edit Tag dialog box:

a. Edit any of the fields.

b. Click Save.

Delete a Tag

Note: To delete a tag you must have created the tag or be a member of a Shared With group.

Caution: If a tag is referenced by objects, deleting the tag will also delete it from the referenced
objects.

1. On the Tag Library page, for the tag to delete, click the menu icon and then click Delete.

2. Confirm the deletion, and then click Delete.


About SIQL
Security Intelligence Query Language (SIQL) is a domain-specific query language designed to query
Policy Optimizer tickets. "Domain-specific" means SIQL knows about devices, policies, and rules, as
well as their properties (like a device's name and vendor, a rule's source, source IP address, service
protocol, service port, zones, comments, etc.).

You can use SIQL to answer questions like:

• Which reviews have been completed in the last five days?

• What are all the reviews for the ASA5525 device?

• What are all the reviews to be completed in the next month?

Perform an SIQL Query

To perform an SIQL query search, complete the following steps.

1. On the All Reviews page, in the filter bar, click Advanced.

There is a basic query already entered by default, such as review { workflow = 3 }.

2. Change the default query to the parameters you want. For example, to return all reviews
with an assignee ID of "1", enter review{assignee.id=1}.

3. Click Run.

The All Reviews table now lists all the reviews that match the query parameters.

Review Stanza
The stanza and attributes identify what kind of data you want and where to find it in the database.
Think of stanzas as tables within the database.

Stanzas are the first part of every filter, and must be placed before the curly brackets. They are not
case sensitive.


The review stanza supports the following attributes. You can use the review stanza to query Policy
Optimizer reviews.

Attribute Name | Attribute Type | Description
businessKey | String | This key can be used as a substitute for the process instance ID.
created | Date | The date the review was created.
creator.username | String | The username of the user who created the review.
creator.id | Integer | The ID of the user who created the review.
creator.firstname | String | The first name of the user who created the review.
creator.lastname | String | The last name of the user who created the review.
completed | Date | The date the review was closed.
completer.username | String | The username of the user who completed the review.
completer.id | Integer | The ID of the user who completed the review.
completer.firstname | String | The first name of the user who completed the review.
completer.lastname | String | The last name of the user who completed the review.
id | Long | The review ID.
editable | Boolean | If TRUE, returns reviews that are currently in a task the user has WRITE permissions for, where the task is not completed and is either assigned to the user or unassigned. If FALSE, returns reviews that are in a task the user does not have WRITE permissions for.
lastUpdated | Date | The date the review was last modified.
p.* | Varies | A rule property or custom property. Each property has a defined key that takes the place of the wildcard character. String, boolean, date, integer, and string array types are supported. The documented properties are listed below this table.
processInstanceId | String | The ID of the workflow process instance.
status | String | The status of the review.
task | Integer | The current workflow stage of the review.
task.completed | Date | The date the task was completed. If the task has not been completed, this value is null.
task.name | String | The display name of the task.
task.started | Date | The date a task was started.
user | String | A user in Policy Optimizer.
version | Integer | The workflow version for the review.
workflow | Integer | The workflow for the review.
workflow.name | String | The display name for the workflow.

Properties available through p.* (with the example usage given in the guide, where one is shown):

p.summary
p.businessOwner
p.businessUnit
p.deviceId
p.deviceName
p.policyGuid
p.policyName
p.ruleGuid
p.ruleNumber (for example, p.ruleNumber = 2)
p.dueDate
p.nextReviewDate (for example, p.nextReviewDate ~ DATE('+365 days'))
p.reviewedBy
p.ruleDecision (for example, p.ruleDecision = 'decertify' or p.ruleDecision = 'certify')
p.ruleActions
p.removeRuleOptions
p.modifyRuleOptions
p.certifyRemarks (for example, p.certifyRemarks = 'these are the review remarks' or p.certifyRemarks ~ 'review')
p.moveToPosition (for example, p.moveToPosition = 2)
p.removeObjects
p.removeOther
p.decertifyRuleReason
p.ruleDocComment

Query Examples

Question | Query
Which reviews have been completed in the second quarter? | review{completed ~ date(2016-04-01, 2016-06-01)}
Which reviews have been completed in the last five days? | review{task.completed ~ DATE('-5 days')}
Which review dates fall within the next year? | review{p.nextReviewDate ~ DATE('+365 days')}
Which rules have been certified or decertified? | review{p.ruleDecision = 'decertify'} OR review{p.ruleDecision = 'certify'}
Which review comments contain the word "invalid"? | review{p.certifyRemarks = 'invalid'}
Show me the reviews of rules where the reviewer said the rule should be moved. | review{p.moveToPosition is not null}
Which reviews will be completed for the ASA5525 device? | review{p.deviceName ~ 'ASA5525'}
Which reviews will be completed in the next month? | review{p.nextReviewDate ~ DATE('+31 days')}
Which reviews are assigned to me? | review {assignee.username = 'your user name' and task.completed is null}
Which reviews are unassigned? | review {completed is null and assignee.username is null and editable = true}
Which reviews were created in the past five days? | review {created ~ DATE('-5 days')}
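The query forms in this table, built in code rather than typed into the Advanced filter bar: the following Python is an added example, not FireMon code. Its grammar (review{attribute operator value}, 'and' inside the braces, whole stanzas joined with OR, DATE('+N days') and date(start, end)) is inferred from the examples on this page and is an assumption; the attribute whitelist is taken from the Review Stanza table, and because the page documents no escape sequence for quotes, values containing quotes or braces are rejected instead of escaped.

```python
"""Compose SIQL review-stanza filters from untrusted input. Added example for this guide,
not FireMon code: the syntax (review{attr op value}, 'and' inside braces, stanzas joined
with OR) is inferred from the queries on this page and is an assumption, as is the whitelist."""
import re

# Review-stanza attributes documented on this page; p.<key> properties use PROPERTY_RE.
REVIEW_ATTRS = {
    "businessKey", "created", "creator.username", "creator.id", "creator.firstname",
    "creator.lastname", "completed", "completer.username", "completer.id",
    "completer.firstname", "completer.lastname", "id", "editable", "lastUpdated",
    "processInstanceId", "status", "task", "task.completed", "task.name", "task.started",
    "user", "version", "workflow", "workflow.name", "assignee.id", "assignee.username",
}
PROPERTY_RE = re.compile(r"^p\.[A-Za-z][A-Za-z0-9]*$")
ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
OPERATORS = {"=", "~", "is null", "is not null"}

class Raw(str):
    """A pre-formatted SIQL fragment, such as DATE('-5 days'), emitted verbatim."""

def date_offset(days):
    """DATE('+N days') or DATE('-N days') relative to now, as used on this page."""
    sign = "+" if days >= 0 else "-"
    return Raw(f"DATE('{sign}{abs(days)} days')")

def date_range(start, end):
    """date(YYYY-MM-DD, YYYY-MM-DD), as in the second-quarter example; ISO strings only."""
    if not (ISO_DATE.match(start) and ISO_DATE.match(end)):
        raise ValueError("dates must be YYYY-MM-DD")
    return Raw(f"date({start}, {end})")

def literal(value):
    """Render a SIQL literal. The page documents no escape sequence for quotes, so quote and
    brace characters are rejected rather than escaped and cannot close the literal or stanza."""
    if isinstance(value, Raw):
        return str(value)
    if isinstance(value, bool):  # bool is a subclass of int, so check it first
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, str):
        if re.search(r"['{}]", value):
            raise ValueError("quotes and braces are not allowed in string values")
        return f"'{value}'"
    raise TypeError(f"unsupported value type: {type(value).__name__}")

def condition(attr, op, value=None):
    """One 'attribute operator value' clause; the attribute must be whitelisted."""
    if attr not in REVIEW_ATTRS and not PROPERTY_RE.match(attr):
        raise ValueError(f"unknown review attribute: {attr!r}")
    if op not in OPERATORS:
        raise ValueError(f"unsupported operator: {op!r}")
    return f"{attr} {op}" if op.startswith("is") else f"{attr} {op} {literal(value)}"

def review(*conditions):
    """Wrap clauses in the review stanza, joined with 'and' inside the braces."""
    return "review{" + " and ".join(conditions) + "}"

def any_of(*stanzas):
    """Join complete stanzas with OR, as in the certify/decertify example."""
    return " OR ".join(stanzas)
```

For example, review(condition("assignee.username", "=", "jdoe"), condition("task.completed", "is null")) yields the "assigned to me" query from the table, while a value such as x'} OR review{editable = true is refused before it reaches the filter bar.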
