Copyright Notice
Copyright 2014 - 2022 FireMon, LLC. All rights reserved. This product and related documentation are
protected by copyright and distributed under licensing restricting their use, copying, distribution,
and decompilation. No part of this product or related documentation may be reproduced in any
form or by any means without the written authorization of FireMon, LLC. All right, title, and interest
in the product shall remain with FireMon and its licensors.
This product and related documentation are provided under a license agreement containing
restrictions on use and disclosure and are protected by intellectual property laws.
This product and documentation may provide access to or information on content, products, and
services from third parties. FireMon, LLC is not responsible for and expressly disclaims all warranties
of any kind with respect to third-party content, products, and services. FireMon, LLC will not be
responsible for any loss, costs, or damages incurred due to your access to or use of third-party
content, products, or services.
The information in this document is subject to change without notice and is not warranted to be
error-free. If you find any errors, please report them to us in writing.
FireMon is a registered trademark of FireMon, LLC. All other products or company names
mentioned herein are trademarks or registered trademarks of their respective owners.
1 | Copyright Notice
Chapter 1: Policy Optimizer
About Policy Optimizer 3
Customized Workflows 5
About Licensing 9
Attachments 10
Notifications 10
Workflow 10
Permissions 11
Policy Optimizer is available as a web client that you can access from within SIP. A Policy Optimizer
license is required.
Please contact your sales representative to add the Policy Optimizer module to your current SIP
deployment.
However, six months later, who is responsible for ensuring that the rule is removed? Business users
don't think about security rules until they prevent access. Removing access is not at the top of their
minds. For network engineers, the business justifications coded into the comment fields are difficult
to translate, and the full justifications stored in other locations (ticketing systems and shared
spreadsheets are common) make it hard to match the existing state of a policy to each rule's
original intent and requester.
And even when such information is finally matched up, the responsibility for cleanup
predominantly falls to a member of the security or infrastructure team, who may not know whether
the rule is still working or required. In the example above, the team would not know immediately
whether the vendor's contract had been extended past the initial six-month period.
Policy Optimizer is a workflow-based module, and requires that you upload a workflow pack we
created before you can work tickets.
One workflow can have numerous instances, each with a different user group and permission
assignment.
Workflows List
Value: Description
Workflow ID: Provided so that users have the ID to compare against log files; it can also be used in configuration settings, such as for ServiceNow.
Open Tickets: The number of tickets in the queue related to that workflow.
Menu icon: Action menu with options for tasks to complete at the workflow level.
Note: You can contact FireMon's Pro Services to help you develop and create a unique workflow pack.
Integrating Policy Planner with Policy Optimizer means that when a Policy Optimizer ticket with a
Review Decision to decertify is selected, the module will automatically create a Policy Planner ticket
to complete the decertification process.
Setting up Policy Planner integration is completed during the workflow creation process.
2. Open the Policy Optimizer workflow that you will use for integration.
3. In the Policy Planner Integration Settings section, in the Planner Workflow ID field, select the Policy Planner workflow ID that Policy Optimizer is being integrated with.
4. You can leave the default settings for Default Priority, Summary, and Due Date Calculation, or set your own.
5. Click Save.
Customized Workflows
FireMon's Pro Services team can help you create a customized workflow specific to your business
needs.
• Find all rules that have been unused for the past 90 days.
Once a rule is inserted into the workflow, the system performs several evaluations to determine
where to appropriately route it for review. The system checks to see whether an Owner is defined
in the Rule Documentation. If no Owner is identified for the rule, it is assigned to either a default
reviewer or left unassigned. Notifications are sent nightly in a batch email message to the
Assignees.
Automatic routing is event-driven (an event is a failure of a control). Here are a few examples:
• Expired rules
• Control failures
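The routing and notification behaviour described above, modelled as an added example (not FireMon's code). It assumes a rule record with an Owner field, a Default Reviewer setting that may be empty, and the two routing events listed; the rule identifiers and addresses are constructed sample data. What the model makes visible is that with Default Reviewer unset, a rule whose documentation names no Owner is left unassigned, so the nightly batch email reaches nobody:

```python
"""Added example (not FireMon's code): a model of the routing behaviour described
above. A rule entering the workflow is assigned to the Owner named in its Rule
Documentation; without one it goes to the configured Default Reviewer, or is
left unassigned; the nightly job then builds one batch message per assignee.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: str
    owner: Optional[str]   # "Owner" field of Rule Documentation; empty or None if not set
    reason: str            # event that routed the rule: "expired" or "control failure"


@dataclass(frozen=True)
class ReviewTicket:
    rule_id: str
    reason: str
    assignee: Optional[str]


def route_rule(rule: Rule, default_reviewer: Optional[str]) -> ReviewTicket:
    """Owner if documented, else the Default Reviewer setting, else unassigned."""
    owner = (rule.owner or "").strip()
    if owner:
        return ReviewTicket(rule.rule_id, rule.reason, owner)
    return ReviewTicket(rule.rule_id, rule.reason, default_reviewer or None)


def nightly_batch(tickets: List[ReviewTicket]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Group open tickets by assignee (one message each) and return the unassigned
    ones separately, because no notification is generated for those."""
    batches: Dict[str, List[str]] = defaultdict(list)
    unassigned: List[str] = []
    for t in tickets:
        if t.assignee is None:
            unassigned.append(t.rule_id)
        else:
            batches[t.assignee].append(t.rule_id)
    return dict(batches), unassigned


def render_message(assignee: str, rule_ids: List[str]) -> str:
    """Plain-text body of one batch notification."""
    lines = [f"To: {assignee}", "Subject: Rules pending your review", ""]
    lines += [f"- {rid}" for rid in rule_ids]
    return "\n".join(lines)


# Constructed sample input (hypothetical rule IDs and addresses).
SAMPLE_RULES = [
    Rule("fw1/rule-12", "alice@example.com", "expired"),
    Rule("fw1/rule-40", "", "control failure"),        # Owner field left blank
    Rule("fw2/rule-07", "bob@example.com", "control failure"),
    Rule("fw2/rule-09", None, "expired"),              # no Rule Documentation at all
]


def run(default_reviewer: Optional[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Route the sample rules and build the nightly batches."""
    return nightly_batch([route_rule(r, default_reviewer) for r in SAMPLE_RULES])


if __name__ == "__main__":
    batches, unassigned = run("secops-queue@example.com")
    for who, ids in batches.items():
        print(render_message(who, ids), end="\n\n")
    print("unassigned (no notification will be sent):", unassigned)
```

Running `run(None)` instead shows the failure mode: the two rules without an Owner end up in the unassigned list and appear in no batch, which is why a Default Reviewer (or a periodic query for unassigned reviews) is worth configuring.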
Note: The following control types support Policy Optimizer: Allowed Services, Device Access Analysis, Network Access Analysis, Rule Search, Rule Usage, and Service Risk Analysis.
Note: Please refer to the Administration User's Guide for steps on creating a new control.
5. Select the Send Failed Rules to Policy Optimizer check box.
Selecting the check box will allow the system to automatically create review tickets for all
rules that fail the selected control.
6. Click OK.
Note: Please refer to the Administration User's Guide for steps on creating a new assessment.
8. Select the control you routed to Policy Optimizer above from the Available Controls box.
After the rule fails the control, it appears in the list of tickets in Policy Optimizer.
• From the Security Rules list, find the rule to route, click the Menu icon, and then click Route Rule to Policy Optimizer.
A new review ticket is automatically created in Policy Optimizer and listed in the All Reviews list.
1. On the Security Rules page, click Add Filter, or use the existing filters Cleanup Needed, Improvement Needed, Failed, or Changed.
2. After you've filtered the list, click Actions > Bulk Route Rules to PO.
3. In the Route Rule to Policy Optimizer dialog box, confirm the number of rules being sent, and then click Send.
Each rule sent automatically creates a new review ticket in Policy Optimizer, which is listed in the All Reviews list.
About Licensing
License download and device assignment is completed in the Administration module. Refer to the
Access: License chapter in the Administration User's Guide for more information and licensing
procedures.
Note: See the Workflow and Settings chapter of the Administration User's Guide for more information.
All fields contain recommended default settings to ensure the best performance of the module.
However, all fields can be modified to accommodate your business needs.
Attachments
• Allowable Upload File Types is used to determine which file types are acceptable for attachments.
• Max Attachment Upload Size is used to set the limit on attachment file size in bytes.
• Delete Attachments is used to delete Policy Optimizer attachments after they have been uploaded. To use this feature, a user must have the review assigned to them and have Write permissions for that stage.
Notifications
• Default Sender is the address that shows in the From field in system-generated email notifications.
Workflow
• Ticket URL is the IP address of your Policy Optimizer module.
• Default Reviewer is used to set a user as the default ticket reviewer when one is not assigned to the ticket.
• Control Failure SIQL Query is used to set the query for control failures.
• Control Failure Workflow ID is the workflow ID associated with the control failure workflow.
• Update Control Failure Workflow ID on Upgrade is used to automatically update the control failure workflow ID.
• Show is used to select how Review tickets are displayed in Policy Optimizer. Options are:
  ◦ All reviews—displays all reviews in the workflow to all users
  ◦ Editable—only displays reviews that are assigned to the logged-in user or can be
Permissions
By default, no permissions are set for Policy Optimizer. As with other administrative tasks, setting
permissions for Policy Optimizer is completed in the Administration module.
Workflow permissions are role-based and enable users to perform actions; in the case of Policy Optimizer, the action is reviewing tickets.
• View Packet—indicates that users are able to view packets for a specific workflow. This makes no distinction between which packets can or cannot be viewed; it only dictates, at the workflow level, whether you can view packets for that workflow.
• View Secure—a placeholder permission that is not currently used for anything. It is intended for fields which contain sensitive data.
• Create Packet—indicates that users are able to create packets for a specific workflow.
• Review—indicates that users are able to review and perform actions in Policy Optimizer.
• Click the System tab, and select the Read permission check box for Plugins (to grant permission to manage workflows and workflow packs).
• Click the Administration tab, and select permissions for Workflows (to grant permission to manage workflows and workflow packs) and Administer Workflows (to grant permission to manage ticket access so that users can only see tickets that have been assigned to them).
• Click the Modules tab, and select the Read permission check box for Policy Optimizer.
• Click the Device Group tab, and then select the device groups for the workflow permissions to be assigned to.
• Click the Workflows tab, and select the permissions for the different Policy Optimizer workflow areas.
5. Click Save.
Open a Review 16
About the Dashboard
The Policy Optimizer dashboard is the interface for displaying all open tickets in the database.
Tickets are created from within Security Manager and display in Policy Optimizer. Once routed to
the Review queue, assignees will be notified that a rule is pending their review by an email message
notification.
The following defines the values in the All Reviews table. The order of tickets listed is sorted by
Created Date, but you can sort the list by any column.
14 | Chapter 2: Dashboard
Policy Optimizer 9.8
The Add Filter dialog box opens, showing the criteria you can query based on the results table you are on.
6. Click Apply.
c. To view reviews that have been created in the last five days, click Created (Last 5 Days).
2. A new page will open with the reviews list filtered to only show reviews that meet the filter criteria.
Open a Review
To open a review ticket, from the All Reviews list, click a Review ID hyperlink.
a. Select to include or exclude Rule Information and Rule Decision. A blue toggle key indicates inclusion.
b. Click Download.
Chapter 3: Manage Reviews
Rule Review Page 19
Assign a Review 22
Assign a Review to Me 22
Unassign a Review 22
Cancel a Review 23
Review Tabs 25
Analysis Tab 25
Rule Properties 26
Rule Usage 26
Control Failures 27
Severity Levels 27
Comments Tab 29
Add a Comment 29
Attachments Tab 30
Add an attachment 30
Delete an Attachment 30
The rule review page displays all information related to a ticket, displaying only information
pertaining to the ticket selected. From this page, you can manage all aspects of the rule review
process.
Note: Clicking any linked text on the Review page will open a new tab linked to its page in Security Manager.
Rule Header
Number | Value | Description
Rule Information
Value: Description
Rule Summary:
  Comments: any comments that have been left for the specified object, often used to describe the object type and use. Click to view.
  ID: the unique SIP-generated identifier (not set by a user) for an object. Click to view.
  Rule Documentation: the meta-data that explains the rule. Click to view.
Source / User Object: The IP address or addresses from which incoming firewall traffic is allowed.
Action / Security Profile:
  Action: The action the firewall is set to perform when the rule is used, which can be ACCEPT or DROP.
  Security Profile: The individual profile that has been applied to the rule.
Hit Count: The number of times the rule has been used in the last 30 days (default).
Cleanup Properties: Orange rule property labels. The possible rule property icons are Unused, Logging Disabled, Disabled, Shadowed, Expired, No Comment, Unused Objects, and Redundant.
Policy Tags: Tags that are applied at the device level. They are normalized during a retrieval. They cannot be edited within Security Manager.
Compliance:
  Failed Controls: The number of failed controls by severity assigned to the control at creation.
  Cumulative Severity: The combined total of the severity for each control failing this rule.
  Rule Risk Score: The ratio of vulnerabilities not exposed by this rule to the total number of potential vulnerabilities, adjusted by Asset Value and effect multipliers.
Rule Decision
Value: Description
Rule Decision: The rule review-related information: Certify (approve) or Decertify (change).
Next Review Date: Used when a rule is certified to set the next review of the rule.
Analysis: Information about the rule which could support rule removal.
Task History: Any actions performed on a rule are tracked. Consider this feature an audit trail for the rule. No action is needed by the user; this is an automatic process.
Review History: Any reviews performed on a rule are tracked. Consider this feature an audit trail for the rule. No action is needed by the user; this is an automatic process.
Assign a Review
Assign a Review to User
You can assign specific users to review rules. To assign a rule, do the following:
1. From the All Reviews list, click a Review ID to open its page.
3. In the Assign Review dialog box, select to whom you want to assign the rule, and then click
Assign.
Assign a Review to Me
You can assign specific users to review rules. To assign a rule, do the following:
1. From the All Reviews list, click a Review ID to open its page.
Unassign a Review
• On the Review ID page, click Assign > Unassign.
Cancel a Review
Note: You can only cancel a review assigned to you.
1. From the All Reviews list, click a Review ID to open its page.
4. In the Remarks box, enter your reason for certifying the rule.
5. Click Save.
1. From the All Reviews list, click a Review ID to open its page.
a. Remove Rule, then select a reason for the action from Remove Rule Options.
  • Access is too risky
  • Other, and then type a reason for removing the rule in Description
b. Modify Rule, then select a reason for the action from Modify Rule Options.
  • Move to rule position, and then type a new Position Number
  • Other, and then type a reason for modifying the rule in Description
c. Disable Rule, then select a reason for the action from Disable Rule Options.
  • Other
5. In the Remarks box, type your reason for decertifying the rule.
6. Click Save.
After a rule has been decertified, you will need to run a query to pull all decertified rules so that the rules can be permanently removed.
Review Tabs
Analysis Tab
The Analysis tab displays information about the rule which could be used to help determine
whether to certify or decertify the rule.
1. From the All Reviews list, click a Review ID to open its page.
• Rule Properties—displays possible reasons to decertify the rule. Flagged properties will appear with an orange bar.
• Rule Usage—displays a graphic detailing total hits and daily average hits.
• Control Failures—displays the failed controls by severity assigned to the control at creation.
• Change History—lists any information about changes made to the device.
Rule Properties
A flagged property appears with an orange bar, indicating a Best Practice to follow when deciding whether to decertify the rule. The table below lists each property and its definition:
Unused: The rule has been inactive for the last 90 days.
Shadowed: A rule higher in the policy matches all the traffic in this rule, but the action is different.
Unused Objects: An object (source, destination, or service) has been inactive for the last 90 days.
Redundant: Another rule in the policy matches all the traffic in this rule.
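To make the Unused, Shadowed and Redundant definitions concrete, here is an added example (my implementation, not FireMon's) that applies them to a constructed five-rule policy, treating each rule as a source network, destination network, port range and action. The 90-day window follows the table; reading Redundant as "covered by another rule with the same action" is an assumption, as is the simplification that ignores rules sitting between the two. The names `Rule`, `covers` and `analyze` are this example's own:

```python
"""Added example (not FireMon's code): flagging Unused, Shadowed and Redundant
rule properties over a constructed rule base, using the definitions in the
table above. Rule numbers give policy order; lower numbers are evaluated first.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple
import ipaddress


@dataclass(frozen=True)
class Rule:
    number: int               # position in the policy
    src: str                  # source network in CIDR notation
    dst: str                  # destination network in CIDR notation
    ports: Tuple[int, int]    # inclusive destination port range
    action: str               # "ACCEPT" or "DROP"
    last_hit: Optional[date]  # date of the most recent hit, None if never hit


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
            and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])


def analyze(policy: List[Rule], today: date, unused_days: int = 90) -> Dict[int, Set[str]]:
    """Return the set of flagged properties for each rule number."""
    ordered = sorted(policy, key=lambda r: r.number)
    cutoff = today - timedelta(days=unused_days)
    flags: Dict[int, Set[str]] = {r.number: set() for r in ordered}
    for i, rule in enumerate(ordered):
        # Unused: no hit within the look-back window (90 days by default, as in the table).
        if rule.last_hit is None or rule.last_hit < cutoff:
            flags[rule.number].add("Unused")
        # Shadowed: a rule higher in the policy matches all of this rule's traffic
        # but applies a different action, so this rule can never fire.
        if any(covers(earlier, rule) and earlier.action != rule.action
               for earlier in ordered[:i]):
            flags[rule.number].add("Shadowed")
        # Redundant: another rule matches all of this rule's traffic with the same
        # action (assumption: same action; rules between the two are ignored here).
        if any(covers(other, rule) and other.action == rule.action
               for other in ordered if other is not rule):
            flags[rule.number].add("Redundant")
    return flags


# Constructed sample policy; hit dates are relative to a fixed review date.
TODAY = date(2024, 1, 31)
SAMPLE_POLICY = [
    Rule(1, "10.0.0.0/8", "192.168.1.0/24", (443, 443), "ACCEPT", TODAY - timedelta(days=5)),
    Rule(2, "10.1.0.0/16", "192.168.1.10/32", (443, 443), "ACCEPT", None),
    Rule(3, "0.0.0.0/0", "192.168.2.0/24", (1, 65535), "DROP", TODAY - timedelta(days=1)),
    Rule(4, "10.2.0.0/16", "192.168.2.5/32", (22, 22), "ACCEPT", TODAY - timedelta(days=200)),
    Rule(5, "172.16.0.0/12", "192.168.3.0/24", (80, 80), "ACCEPT", TODAY - timedelta(days=10)),
]


def sample_report() -> Dict[int, Set[str]]:
    """Flags for the constructed policy as of TODAY."""
    return analyze(SAMPLE_POLICY, TODAY)


if __name__ == "__main__":
    for number, props in sorted(sample_report().items()):
        print(f"rule {number}: {', '.join(sorted(props)) or 'no flags'}")
```

On the sample policy rule 2 comes out Unused and Redundant (rule 1 already accepts everything it would), and rule 4 comes out Unused and Shadowed (the broader DROP in rule 3 sits above it), which is exactly the combination a reviewer would want to see before certifying or decertifying.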
Rule Usage
Rule usage is displayed as a graphic detailing total hits and daily average hits for the rule.
Control Failures
Failed controls by severity assigned to the control at creation.
Code: The code for the control. Clicking the link opens the Security Manager overview page for the control.
Control Name: The name of the control. Clicking the link opens the Security Manager overview page for the control.
Assessment: The name of the assessment. Clicking the link opens the Assessments Results page in Security Manager.
Severity Levels
There are four severity levels—Critical, High, Medium, Low—for assessments that collectively
culminate into a total severity score where the higher the number, the higher the severity.
The Analysis tab displays the severity level for the rule in the Control Failures section.
1. From the All Reviews list, click a Review ID to open its page.
Note: Changes made to Rule Documentation update immediately (in real time) in Security Manager.
By completing this task, you will populate Rule Documentation fields. Rule Documentation is the
meta-data that explains a rule. You manually enter this meta-data as values for specified attributes.
1. From the All Reviews list, click a Review ID to open its page.
3. In the Editing Rule Documentation dialog box, update information in any of the fields.
4. Click Save.
Comments Tab
The Comments tab will display all comments that have been added to a rule during a review.
Comments are listed from newest to oldest.
If no comments have been added, the following message will be seen: No comments have been
posted for this review.
Note: Numbers on the tab indicate how many Comments are associated with the rule.
Add a Comment
To add a comment to a rule, do the following:
1. From the All Reviews list, click a Review ID to open its page.
3. In the New Comment dialog box, type your remarks and then click Add Comment.
Attachments Tab
The Attachments tab will display all attachments that have been added to a rule during a review. Attachments are listed from newest to oldest.
• File
• Size
• Description
If no attachments have been added, the following message will be seen: No attachments have been added to this review.
Note: Numbers on the tab indicate how many Attachments are associated with the rule.
Add an attachment
Note: Allowable file types are image/*, .pdf, .txt, .rtf, .xls, .xlsx, .doc, .docx, .ppt, .pptx, .zip, and .csv.
To attach a file that pertains to a specific rule, complete the following steps.
1. From the All Reviews list, click a Review ID to open its page.
3. Navigate to the file you want to attach using standard Windows functionality, and then click
Open.
A comment about the attachment will automatically be added to the Comments tab.
4. Click Save.
Delete an Attachment
To delete a file that has been attached to a rule, do the following:
1. From the All Reviews list, click a Review ID to open its page.
3. Locate the file to delete, then click the delete icon at the end of the row.
4. On the Delete Attachment dialog box, click Yes to confirm the deletion.
Note: Although the file is no longer attached, the Comments tab will still display the comment about the attachment.
1. From the All Reviews list, click a Review ID to open its page.
The Task History tab will display all activity that has occurred during a review. Activities are listed from newest to oldest.
Completed: Options: (icon) or (icon)
Duration: The difference of the End Date minus the Start Date.
1. From the All Reviews list, click a Review ID to open its page.
The Review History tab will display all activity that has occurred during a review. Activities are listed from newest to oldest.
Create a Filter 35
Save a Filter 36
Favorite a Filter 36
Edit a Filter 37
Tag Library 38
Tag Dashboard 38
Create a Tag 40
Share a Tag 41
Edit a Tag 41
Delete a Tag 41
About SIQL 42
Review Stanza 42
Query Examples 46
Filter Library
You can use the filter bricks in the filter bar above the All Reviews table to build simple or complex filters to return only the results that satisfy certain criteria. These filters can then be saved to the Filter Library for easy access later.
Shared With: Displays who the filter is being shared with; if the filter is not being shared, "private" is displayed.
Category: Where (the type of result list) the filter originated from.
Owner: Either a pre-defined filter (system) or the user who created the filter.
Favorite: Displays a solid star if the filter has been marked to show in Favorites.
Menu icon: Action menu with options for tasks to complete at the filter library level.
Create a Filter
Note: The filter bar is set to Basic by default, which allows you to build queries using filter bricks. Clicking Advanced allows you to manually enter SIQL queries in the filter bar.
The Add Filter dialog box opens, showing the criteria you can query based on the results table you are on.
6. Click Apply.
Save a Filter
1. After you have finished creating the filter and it successfully returns the results you were
searching for, click Save As.
b. Optional. In the Description box, type a description for the filter.
c. To add the filter to the Favorite Filters table, click Show In Favorites.
d. To share a filter with a specific user group, click Shared with and select a user group from the list. You may select more than one user group.
3. Click Save.
2. The most frequently used filters are listed under Favorite Filters.
4. Click on a filter. A new table opens with the selected filter applied.
Favorite a Filter
To add a filter to your favorites list, click the star next to the filter in the Filter Library.
All favorite filters will be listed in the Favorite Filters dialog box when you click the Favorite Filters icon.
Edit a Filter
2. On the Filter Library table, click the Menu icon > Delete.
Tag Library
The ability to apply a tag to a rule allows you to more easily see relationships and grouping, and
identify rules to take action on to improve security.
• You can choose a color for the tag, reinforcing the visual grouping.
• Tags help find groups of rules and objects that don't have common data sets.
The Tag Library is comprised of all the tags that have been created and shared, and are used across all SIP modules.
Name: The unique name for the tag. Click the Name to open the dashboard for the tag.
Shared With: Displays who the tag is being shared with; if the tag is not being shared, the field will be blank.
Menu icon: Action menu with options for tasks to complete at the tag library level.
Tag Dashboard
The Tag Dashboard resides in the Security Manager module. When you click a tag's link in another
module, it will open in Security Manager.
Note: Data presented is determined by a user's granted permissions to the modules that use the selected tag. 'No Data Available' could be a result of not having permission granted to view or a license for the associated module.
• Tag References is a pie chart used to visualize the reference distribution of the tag.
• Rule References displays the number of security rules for a device, listed in order of references. Click a device to open the Security Rules listed for that device, filtered by tag.
• Associated Tickets by Created Date is based on the workflow that is associated to the tag. Select a Workflow from the drop-down list to populate the widget data. It also includes a link to the ticket and the stage that the ticket is currently in. Clicking the linked Ticket Number will open the ticket in the associated module. If a license for the module does not exist, a product brief will display.
• Rules by Cumulative Severity lists the cumulative severity scores greater than zero for the rules referencing the tag, in descending order of severity level.
Rule No.: The rule number the tag is used on. Click to open the Security Rules page in Security Manager for the rule.
Rule Name: The name of the rule the tag is used on. Click to open the Security Rules page in Security Manager for the rule.
Device: The device using the tag. Click to open the device's Overview Dashboard in Security Manager.
Failed Controls: The number of failed controls for each severity level.
Cumulative Severity: The overall severity of the rule referencing the tag.
Rule No.: The rule number the tag is used on. Click to open the Security Rules page in Security Manager for the rule.
Rule Name: The name of the rule the tag is used on. Click to open the Security Rules page in Security Manager for the rule.
Device Name: The device using the tag. Click to open the device's Overview Dashboard in Security Manager.
Application Object / Service: The protocol and port for the rule. Click to open the object page in Security Manager for the rule.
Create a Tag
To create a tag, complete the following steps.
a. Type a unique Name for the tag. The system will not allow duplicate names. Names are not case sensitive.
d. To share a tag with a specific user group, click Shared with and select a user group from the list. You may select more than one user group.
e. Click Create.
Share a Tag
Note: To share an existing tag, you must have created the tag or be a member of a Shared With group.
1. On the Tag Library page, for the tag to share, click the menu icon and then click Edit.
b. Select a user group from the list to share the tag with.
c. Click Save.
Remove a Share
To remove access to a tag for a specific user group, open the Edit dialog box and click the X next to
the user group name.
Edit a Tag
Note: To edit a tag, you must have created the tag or be a member of a Shared With group.
1. On the Tag Library page, for the tag to edit, click the menu icon and then click Edit.
b. Click Save.
Delete a Tag
Note: To delete a tag, you must have created the tag or be a member of a Shared With group.
Caution: If a tag is referenced by objects, deleting the tag will also delete it from the referenced objects.
1. On the Tag Library page, for the tag to delete, click the menu icon and then click Delete.
About SIQL
Security Intelligence Query Language (SIQL) is a domain-specific query language designed to query
Policy Optimizer tickets. "Domain-specific" means SIQL knows about devices, policies, and rules, as
well as their properties (like a device's name and vendor, a rule's source, source IP address, service
protocol, service port, zones, comments, etc.).
2. Change the default query to the parameters you want. For example, to return all reviews
with an assignee ID of "1", enter review{assignee.id=1}.
3. Click Run.
The All Reviews table now lists all the reviews that match the query parameters.
Review Stanza
The stanza and attributes identify what kind of data you want and where to find it in the database.
Think of stanzas as tables within the database.
Stanzas are the first part of every filter, and must be placed before the curly brackets. They are not
case sensitive.
Review Stanza
The review stanza supports the following attributes. You can use the review stanza to query Policy
Optimizer reviews.
Attribute Name | Attribute Type | Description
creator.firstname | String | The first name of the user who created the review.
creator.lastname | String | The last name of the user who created the review.
completer.firstname | String | The first name of the user who completed the review.
completer.lastname | String | The last name of the user who completed the review.
p.* | Varies | A rule property or custom property. Each property has a defined key that takes the place of the wildcard character. The key value can be a string, boolean, date, integer, or string array. Documented keys, with example conditions where the guide shows them: p.summary, p.businessOwner, p.businessUnit, p.deviceId, p.deviceName, p.policyGuid, p.policyName, p.ruleGuid, p.ruleNumber (= 2), p.dueDate, p.nextReviewDate (~ DATE('+365 days')), p.reviewedBy, p.ruleDecision (= 'decertify' or = 'certify'), p.ruleActions, p.removeRuleOptions, p.modifyRuleOptions, p.certifyRemarks (= 'these are the review remarks' or ~ 'review'), p.moveToPosition (= 2), p.removeObjects, p.removeOther, p.decertifyRuleReason, p.ruleDocComment.
task.completed | Date | The date the task was completed. If the task has not been completed, this value is null.
Query Examples
Which review dates fall within the next year?
review{p.nextReviewDate ~ DATE('+365 days')}
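As an added example covering the About SIQL and Review Stanza sections (not FireMon's own parser), the following validates single-condition review queries of the shape shown on this page, review{attribute operator value}, against the documented attribute names, treating the stanza name as case-insensitive as the text states. Which value forms it accepts (quoted strings, DATE('...'), integers) and its refusal of strings containing a quote, since the page documents no escape rule, are this example's choices; the class and function names are my own. A check like this is useful when saved filters or the Control Failure SIQL Query setting are generated by another system rather than typed in the filter bar:

```python
"""Added example (not FireMon's parser): a parser and validator for the
single-condition review-stanza queries shown in this chapter, of the form
    stanza{attribute operator value}
Attribute names come from the table above and the chapter's examples; the
value forms recognised ('text', DATE('...'), integers) and the refusal of
quotes inside strings are this example's own choices.
"""
import re
from typing import Any, Dict

# Attributes documented for the review stanza (assignee.id appears in the
# chapter's example query rather than in the table).
REVIEW_ATTRIBUTES = {
    "assignee.id", "creator.firstname", "creator.lastname",
    "completer.firstname", "completer.lastname", "task.completed",
}
# Keys documented for the p.* rule/custom property family.
P_KEYS = {
    "summary", "businessOwner", "businessUnit", "deviceId", "deviceName",
    "policyGuid", "policyName", "ruleGuid", "ruleNumber", "dueDate",
    "nextReviewDate", "reviewedBy", "ruleDecision", "ruleActions",
    "removeRuleOptions", "modifyRuleOptions", "certifyRemarks",
    "moveToPosition", "removeObjects", "removeOther",
    "decertifyRuleReason", "ruleDocComment",
}

QUERY_RE = re.compile(
    r"^\s*(?P<stanza>[A-Za-z]+)\s*\{\s*"          # stanza, then the curly bracket
    r"(?P<attr>[A-Za-z_][\w.]*)\s*"               # dotted attribute name
    r"(?P<op>=|~)\s*"                             # the two operators shown on the page
    r"(?P<value>'[^']*'|DATE\('[^']*'\)|-?\d+)"   # quoted string, DATE('...') or integer
    r"\s*\}\s*$"
)


class SiqlError(ValueError):
    """Raised for anything that is not a well-formed, documented review query."""


def parse_review_query(text: str) -> Dict[str, Any]:
    """Split one query into stanza, attribute, operator and typed value."""
    m = QUERY_RE.match(text)
    if not m:
        raise SiqlError(f"not a single-condition stanza query: {text!r}")
    stanza = m["stanza"].lower()          # stanzas are not case sensitive
    if stanza != "review":
        raise SiqlError(f"unsupported stanza {m['stanza']!r}; only 'review' is documented here")
    attr = m["attr"]
    if attr.startswith("p."):
        if attr[2:] not in P_KEYS:
            raise SiqlError(f"unknown rule/custom property {attr!r}")
        kind = "property"
    elif attr in REVIEW_ATTRIBUTES:
        kind = "review"
    else:
        raise SiqlError(f"unknown attribute {attr!r}")
    raw = m["value"]
    if raw.startswith("'"):
        value = ("string", raw[1:-1])
    elif raw.startswith("DATE("):
        value = ("date", raw[6:-2])       # the expression inside DATE('...')
    else:
        value = ("integer", int(raw))
    return {"stanza": stanza, "attribute": attr, "kind": kind,
            "operator": m["op"], "value": value}


def is_valid(text: str) -> bool:
    """True if the query parses and uses only documented names."""
    try:
        parse_review_query(text)
        return True
    except SiqlError:
        return False


def build_review_query(attr: str, op: str, value: Any) -> str:
    """Format one condition and round-trip it through the parser, so an unknown
    attribute or operator is rejected before the query is stored or sent.
    Strings containing a quote are refused: the page documents no escape rule,
    so the safe choice is not to guess one."""
    if isinstance(value, bool):
        raise SiqlError("boolean literal syntax is not documented on this page")
    if isinstance(value, int):
        raw = str(value)
    elif isinstance(value, str) and value.startswith("DATE("):
        raw = value
    elif isinstance(value, str):
        if "'" in value:
            raise SiqlError("quote inside string value; escaping is not documented")
        raw = f"'{value}'"
    else:
        raise SiqlError(f"unsupported value type {type(value).__name__}")
    text = f"review{{{attr} {op} {raw}}}"
    parse_review_query(text)
    return text


if __name__ == "__main__":
    for q in ("review{assignee.id=1}",
              "review{p.nextReviewDate ~ DATE('+365 days')}",
              "review{p.ruleDecision = 'decertify'}"):
        print(q, "->", parse_review_query(q))
```

The builder deliberately fails closed: a value it cannot express safely raises rather than being interpolated into the query text, which is the behaviour to want anywhere review remarks or other user-supplied text end up inside a stored filter.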