How to Optimize Security Policies?
When a large number of security policies are configured on a firewall, optimizing them manually is difficult. This document describes how to optimize security policies on the web UI of Huawei firewalls.
Understanding Limitations and Precautions
Before optimizing security policies, read the following content carefully.
- Back up a configuration file before optimizing security policies. If a service anomaly occurs during policy optimization, use the backup configuration file to restore the service.
- For hot standby networking in active/standby mode, perform policy matching analysis on the active device. If a security policy is deleted or modified on the active device, the change is automatically synchronized to the standby device.
- For hot standby networking in load balancing mode, policy matching analysis is unavailable. Because traffic may be forwarded by either device, the policy-matching logs on each device are incomplete and cannot be used to determine the actual usage of security policies.
- Virtual systems do not support policy redundancy analysis or policy matching analysis.
- Policy redundancy analysis is inapplicable to user-defined services. If a security policy references a user-defined service, the security policy does not participate in policy redundancy analysis.
- Policy redundancy analysis is inapplicable to domain name groups. If a security policy references a domain name group, policy redundancy analysis decides whether the security policy is redundant based only on the name of the domain name group, not on the domain names it contains.
- The device does not perform redundancy analysis on security policies that have no action configured or that are disabled. A security policy with no action configured is redundant and can be deleted directly. A disabled security policy does not participate in policy matching and can be deleted once it has stayed disabled for the observation period (see Policy Matching Analysis) without any service impact.
- If a large number of security policies are configured on a device and their matching conditions are complex (for example, the security policies reference a large number of regions, or a referenced address set contains a large number of addresses), policy redundancy analysis takes a long time.
- The policy optimization function provided by firewalls is basic. For more thorough analysis, dedicated security policy management software such as FireMon Security Manager or AlgoSec Firewall Analyzer is available.
Policy Redundancy Analysis
- On the web UI of a firewall, choose .
- Click Start. When many security policies are configured, policy redundancy analysis takes a long time and consumes a large amount of device resources. In the Confirm dialog box, click OK to start the analysis.
Policy redundancy analysis can detect only shadow and redundancy anomalies induced by the inclusion relation (every packet that matches the later policy also matches an earlier one; with conflicting actions this is a shadow anomaly, with the same action a redundancy anomaly). It cannot detect redundancy or correlation anomalies induced by the intersection relation, where the matching conditions of two policies only partially overlap. For details, see Appendix: What Are Security Policy Anomalies?
For example, in the following figure, Policy 1 and Policy 2 have a shadow anomaly, Policy 3 and Policy 4 have a redundancy anomaly induced by the inclusion relation, and Policy 5 and Policy 6 have a correlation anomaly induced by the intersection relation.
After policy redundancy analysis is complete, the firewall identifies only the Policy 1/Policy 2 pair and the Policy 3/Policy 4 pair. In the following figure, the redundancy identifier indicates full redundancy, meaning that Policy 2 and Policy 4 are the redundant policies of Policy 1 and Policy 3, respectively.
- Review each reported pair against service requirements. Delete the redundant security policy, or adjust the policy order if the later, more specific policy is the one that is actually intended to match.
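As an added illustration, not code from Huawei or from this page, the following Python script models the six policies from the figure above and tests every pair for the inclusion and intersection relations. It reports the shadow and redundancy anomalies that the firewall's analysis reports, and additionally flags correlation anomalies (intersection without inclusion, with differing actions), which the built-in analysis does not detect. The policy names, zones, addresses and services are constructed for the example; matching conditions are simplified to zones, address lists and "proto/port" services.

```python
from dataclasses import dataclass
from ipaddress import ip_network

ANY = None  # an 'any' matching condition is represented as None


@dataclass
class Policy:
    name: str
    src_zone: object   # zone name, or ANY
    dst_zone: object
    src: object        # list of ip_network, or ANY
    dst: object
    service: object    # set of "proto/port" strings, or ANY
    action: str        # "permit" or "deny"


def policy(name, src_zone, dst_zone, src, dst, service, action):
    """Build a Policy from plain strings; ANY (None) in a field means 'any'."""
    def nets(spec):
        return ANY if spec is ANY else [ip_network(s) for s in spec]
    svc = ANY if service is ANY else set(service)
    return Policy(name, src_zone, dst_zone, nets(src), nets(dst), svc, action)


# Per-field inclusion (a covers b) and intersection (a and b share a value).

def zone_includes(a, b):
    return a is ANY or a == b

def zone_overlaps(a, b):
    return a is ANY or b is ANY or a == b

def nets_include(a, b):
    # True if every network in b lies inside some single network in a.  A block
    # of b covered only by the union of several networks in a is not recognised,
    # which is good enough for address sets built from whole subnets.
    if a is ANY:
        return True
    if b is ANY:
        return False
    return all(any(n.subnet_of(m) for m in a) for n in b)

def nets_overlap(a, b):
    if a is ANY or b is ANY:
        return True
    return any(n.overlaps(m) for n in a for m in b)

def svc_includes(a, b):
    if a is ANY:
        return True
    if b is ANY:
        return False
    return b <= a

def svc_overlaps(a, b):
    return a is ANY or b is ANY or bool(a & b)


def includes(a, b):
    """Every packet that matches policy b also matches policy a."""
    return (zone_includes(a.src_zone, b.src_zone)
            and zone_includes(a.dst_zone, b.dst_zone)
            and nets_include(a.src, b.src)
            and nets_include(a.dst, b.dst)
            and svc_includes(a.service, b.service))

def overlaps(a, b):
    """Some packet matches both policies."""
    return (zone_overlaps(a.src_zone, b.src_zone)
            and zone_overlaps(a.dst_zone, b.dst_zone)
            and nets_overlap(a.src, b.src)
            and nets_overlap(a.dst, b.dst)
            and svc_overlaps(a.service, b.service))


def analyze(policies):
    """Return (kind, earlier, later) findings in policy order.

    shadow      - earlier policy includes the later one, actions differ:
                  the later policy never matches and its intent is lost.
    redundancy  - earlier policy includes the later one, same action:
                  the later policy is fully redundant and can be deleted.
    correlation - the two only intersect, neither includes the other, and the
                  actions differ: the firewall's built-in analysis skips this.
    """
    findings = []
    for i, earlier in enumerate(policies):
        for later in policies[i + 1:]:
            if includes(earlier, later):
                kind = "shadow" if earlier.action != later.action else "redundancy"
                findings.append((kind, earlier.name, later.name))
            elif (overlaps(earlier, later) and not includes(later, earlier)
                  and earlier.action != later.action):
                findings.append(("correlation", earlier.name, later.name))
    return findings


# Constructed sample mirroring the three pairs in the figure above.
SAMPLE = [
    policy("Policy 1", "trust", "untrust", ["10.1.0.0/16"], ANY, ANY, "permit"),
    policy("Policy 2", "trust", "untrust", ["10.1.1.0/24"], ANY, ANY, "deny"),
    policy("Policy 3", "trust", "dmz", ANY, ["192.168.10.0/24"], ["tcp/80", "tcp/443"], "permit"),
    policy("Policy 4", "trust", "dmz", ANY, ["192.168.10.10/32"], ["tcp/80"], "permit"),
    policy("Policy 5", "untrust", "dmz", ["172.16.0.0/16"], ["192.168.20.0/24"], ["tcp/22"], "permit"),
    policy("Policy 6", "untrust", "dmz", ["172.16.5.0/24"], ["192.168.0.0/16"], ["tcp/22"], "deny"),
]

if __name__ == "__main__":
    for kind, a, b in analyze(SAMPLE):
        print(f"{kind:<11} {a} -> {b}")
```

Running the script lists the shadow pair (Policy 1, Policy 2), the redundancy pair (Policy 3, Policy 4) and the correlation pair (Policy 5, Policy 6). Only the first two would appear in the firewall's result; the third still deserves a manual review because which action applies depends on the policy order and on the exact packet.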
Policy Matching Analysis
Policy matching analysis relies on traffic logs. Before performing policy matching analysis, ensure that the traffic log function has been enabled for a sufficiently long period (at least one month), so that infrequent but legitimate traffic is also captured.
- Run the log type traffic enable command in the system view to enable the traffic log function.
By default, after the log type traffic enable command is run, traffic logs are recorded to the storage medium for all traffic that matches security policies. If the traffic logging disable command has been run in the view of a security policy rule to turn logging off for that rule, no matching logs are recorded for it, so run the undo traffic logging command in that rule view to cancel the setting first. Run the display current-configuration | include traffic logging disable command to find rules that still have logging disabled.
- On the web UI of the firewall, choose .
- Select Last month to view the policy matching statistics. If no traffic has matched a security policy for the whole period, disable the security policy rather than deleting it immediately, and watch for user reports related to that policy. If no service anomaly is reported within one month, delete the security policy permanently.
Checking Security Policies That Contain Inaccurate Matching Conditions
- Identify and mark security policies whose action is Permit and whose matching conditions include Any. Generally, the source security zone, destination security zone, source address/region, destination address/region, and service should not be set to Any in a permit policy.
- Select the security policy, edit it, and enable Record Policy Matching Logs.
- Analyze policy matching logs to identify and refine legitimate services. For example, if a security policy allows any IP address to access a service (that is, the Source Address/Region is set to any), check the source address recorded in the policy-matching logs, determine the valid address range, and create an address set. Change the source address/region of the security policy from any to the new address set.
On the web UI of the firewall, you can add the security policy as a filter condition to filter the policy matching logs for a past period (for example, the last month).
- Repeat the analysis for every marked security policy and tighten the policies one by one.
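The log-driven steps in Policy Matching Analysis and in the checks above can be scripted once the traffic logs are exported. The following Python script is an added example, not Huawei's tooling, and it parses a constructed key=value log layout rather than the firewall's real traffic-log format; only parse_log() needs changing for a real export. It counts policy hits inside a 30-day window, lists configured policies with no hits (candidates to disable), and summarizes the source addresses seen by a permit-any policy into /24 blocks that can become the address set replacing Any. The policy names, addresses, timestamps and the reference time are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed key=value layout for this example; it is NOT the firewall's own
# traffic-log format. Adapt this pattern to the fields your log exporter emits.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) policy=(?P<policy>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def parse_log(line):
    """Return a dict for one traffic-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["src"] = ip_address(rec["src"])
    rec["dport"] = int(rec["dport"])
    return rec


def hits_per_policy(lines, since, until):
    """Count matching-log entries per policy name within [since, until)."""
    counts = Counter()
    for line in lines:
        rec = parse_log(line)
        if rec and since <= rec["ts"] < until:
            counts[rec["policy"]] += 1
    return counts


def unused_policies(configured, counts):
    """Configured policies with no hits in the window: disable first, delete later."""
    return [name for name in configured if counts.get(name, 0) == 0]


def proposed_address_set(lines, policy_name, prefixlen=24):
    """Group the sources that matched one policy into /prefixlen blocks.

    Returns {block: distinct_source_count}; each block is a candidate member
    of the address set that replaces 'any'.  Review every block before
    adopting it: a single hit from an unexpected range is a reason to
    investigate, not to whitelist.
    """
    seen = defaultdict(set)
    for line in lines:
        rec = parse_log(line)
        if rec and rec["policy"] == policy_name:
            block = ip_network(f"{rec['src']}/{prefixlen}", strict=False)
            seen[block].add(rec["src"])
    return {str(block): len(hosts) for block, hosts in sorted(seen.items())}


# Constructed sample: four configured policies, about a month of logs, one
# malformed line, and one entry older than the analysis window.
CONFIGURED = ["web_any", "ssh_admin", "legacy_ftp", "old_vpn"]
SAMPLE_LOGS = [
    "2024-05-03T10:15:22 policy=web_any src=10.1.1.25 dst=192.168.10.10 dport=443 action=permit",
    "2024-05-03T10:16:02 policy=web_any src=10.1.1.40 dst=192.168.10.10 dport=443 action=permit",
    "2024-05-04T08:01:13 policy=web_any src=10.1.2.7 dst=192.168.10.10 dport=80 action=permit",
    "2024-05-10T23:59:59 policy=web_any src=203.0.113.9 dst=192.168.10.10 dport=443 action=permit",
    "2024-05-12T12:00:00 policy=ssh_admin src=10.9.0.5 dst=192.168.20.3 dport=22 action=permit",
    "2024-03-01T09:00:00 policy=legacy_ftp src=10.1.3.3 dst=192.168.30.8 dport=21 action=permit",
    "this line is not a traffic log",
]
NOW = datetime(2024, 5, 31)                  # fixed reference time for the example
WINDOW = (NOW - timedelta(days=30), NOW)     # the "Last month" view

if __name__ == "__main__":
    counts = hits_per_policy(SAMPLE_LOGS, *WINDOW)
    print("hits:", dict(counts))
    print("no hits in window (disable first, delete after a month):",
          unused_policies(CONFIGURED, counts))
    print("sources behind web_any by /24:", proposed_address_set(SAMPLE_LOGS, "web_any"))
```

In the sample, legacy_ftp had its last hit before the window and old_vpn never matched, so both are reported for disabling. The web_any policy was matched from two internal /24 blocks and once from 203.0.113.9; the internal blocks are the natural content of the new address set, while the single external source should be checked with the service owner before the policy is changed.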