Creating a Policy Analysis Query

This is a Legacy Feature. As of Release 22-1, Policy Analysis Query was removed from new installations and upgrades. To use this feature see Configuring Policy Analysis in StConf.

Overview

Policy Analysis displays all of the rules that could handle traffic defined in the query. Any rule which matches the traffic, even partially, is shown.

  • Within the rule, objects that match the query are highlighted.

  • In group object membership details, matching members are highlighted.

  • The traffic path shows where the source, destination, or service is changed by Check Point NAT rules and Juniper interfaces in NAT mode using MIP.

Create a policy analysis query

  1. Click New Query .

  2. Configure the query:

    You can either click the plus plus to add query parameters for each field or click to use advanced options, including selecting objects from devices. The query returns rules that match at least one object in each query field.

    PA query parameters

    • Device or Policy - Click the plus plus to enter the name of the device to analyze or click Auto Select to let the devices be determined by topology calculations. The matching targets are shown as you type.

      Or, click to select the target from the list of devices.

      For each device or domain, you can select a policy by:

      • Any - The policy analysis query runs on all policies in the target.

      • Automatically by Topology - Analyze only policies that are configured for interfaces in the path of the traffic between the source and destination in the query according to the routing information in Topology. To do this you cannot use Any for the source or destination.

      • Choose from policy list - You can choose specific policies from Check Point targets.

      If you select All devices in the device tree, you can select Any to run the query on all policies for all devices, or Automatically by Topology to only run the query on policies that are configured for interfaces on any device in the path of the traffic between the source and destination.

    • Users (for Palo Alto only) - Click the plus plus to enter the names of the users or groups that you want to find in the policy, or click to paste the names as a comma-delimited list.

    • Source and Destination - Click the plus plus to enter an IP address and netmask for the source or destination that you want to use in the query.

      Or, click to add sources and destinations by:

      • IP - Enter the IP address and netmask, either in decimal (x.x.x.x) or CIDR (xx) notation.

      • Object - Select an object that is defined in a monitored device. SecureTrack uses the object definition as it appears in the most recent policy revision from that device.

      • Zone - Select a zone that is defined in Zones. You can change the subnets in the zone at any time. SecureTrack uses the subnets in the zones at the time you run the query.

      If you select Negate, the query returns all rules using any source or destination except for the ones listed in the query. If you select Exclude Any, the query does not return rules that include the source or destination in the form of an Any object.

    • Service - Click the plus plus to enter the name of a well-known service to use in the query (such as http or ftp).

      Or, click to add services by:

      • Protocol - Select TCP or UDP and enter a port number, select ICMP and enter the ICMP type number, or select Other and enter the protocol number. For example: To add HTTP, select TCP and enter port 80. To add OSPF, select Other and enter port 89.

        You can enter the port, type and protocol numbers in these formats:

        • A single number: 80

        • A range: 100-200

        • An open-ended range of ports with Less Than or Greater Than: >1023

        • A combination of the above formats separated by commas: 21, 80-81, >1023

        • Negate a single number: !80

        You can also type the services into the text editor field. Each line must begin with either TCP, UDP, ICMP or Other and be followed by numbers in the formats above.

      • Object - Select an object that is defined in a monitored device. SecureTrack uses the object definition as it appears in the most recent policy revision from that device.

      If you select Negate, the query returns all rules using any service except for the ones listed in the query. If you select Exclude Any, the query does not return rules that include the service in the form of an Any object.

    • Application (for Palo Alto only) - Click the plus plus to enter the names of the applications that you want to find in the policy, or click to paste the names as a comma-delimited list.

  3. Select the action of the rules for the query as either Any (Allow or Deny), only Allow, or only Deny.

  4. Shadowing: Shadowed rules are rules that include some of the parameters defined in the query but will never actually handle any of this traffic because all of the traffic defined in the query is handled by rules higher up in the rulebase. You can choose to filter:

    • Any - The results include all rules, and the shadowed and partially shadowed rules are marked in the results

    • Fully shadowed - The results only include rules that are fully shadowed so you can clean up your policy

    • Partially or not shadowed - The results only include rules that are partially or not shadowed so you can see the rules that actually affect the network traffic

  5. Either:

    • Click Save to save the query. You can then select the report and Run, Edit, or Delete it.

    • Click Run to see the results immediately. When you run the report, you must select to run the report on either:

      • Last revision - The last revision received by SecureTrack, even if the revision was not installed on a device

      • Last installed - The last revision received by SecureTrack that was installed on a device

      • Date and time - Select a date and time and the query will run on the last revision that was received before that time

After you run a query, you can convert the results to a PDF file:

policy analysis pdf

How do I get here?

SecureTrack > Reports > Policy Analysis.