This section describes the definition and objectives of the Smart Policy.
Manually tuning the complex security policies on an NGFW is inefficient and error-prone. Over time some policies become redundant, such redundant policies are difficult to identify, and some application risks may be overlooked. The Smart Policy function addresses these challenges with the following functions:
Policy cleanup
Redundant policies are inevitable because policies are constantly added and modified, and without the help of the Smart Policy function it is difficult for administrators to identify redundant policies or remove them with confidence.
Minimum authorization
The minimum authorization principle means that users can access only the applications they need, and any additional permissions must be requested separately. However, identifying the necessary applications from a large number of applications for a large number of users is challenging for administrators. Nowadays, most NGFWs control applications by application type. For example, if an enterprise needs instant messaging (IM) applications, all IM applications are permitted. This method is convenient but risky. IM applications may provide more functions than the necessary communication. These unnecessary functions, and even the necessary communication functions, may contain vulnerabilities, malicious code, or backdoors that can be exploited. Therefore, applications must be controlled in a more fine-grained manner to prevent intrusions, viruses, and data leaks.
The Smart Policy function helps optimize the firewall configuration, improving management efficiency and quality and reducing management cost, using the following tools:
Redundant Policy Analysis
The Smart Policy function uses an advanced algorithm to identify redundant and identical policies.
Policy Matching Analysis
The NGFW analyzes policy match counts and identifies policies that have not been matched during a specified period so that administrators can delete or modify these policies.
Policy Tuning
Network conditions are constantly changing, and so are firewall policies. Over time, some policies may become redundant or useless. The Smart Policy function can help you identify such policies and delete or modify them. As shown in Figure 1, you can use the Smart Policy function to keep firewall policies effective and protect intranet security.
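As an added illustration (not the Smart Policy algorithm and not code from the product documentation), the following Python sketch performs the three checks described above on a constructed rule base: it reports policies fully shadowed by an earlier policy (redundant, or conflicting when the actions differ), exact duplicates (identical), and policies with zero matches in the analysis period. The Policy class, the IPv4-CIDR-only address model and top-down first-match evaluation are simplifying assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Policy:  # hypothetical simplified rule model, not the NGFW's own data model
    name: str
    src: str       # IPv4 CIDR or "any"
    dst: str       # IPv4 CIDR or "any"
    service: str   # e.g. "tcp/443" or "any"
    action: str    # "permit" or "deny"
    hits: int = 0  # match count over the analysis period
def _net(s):
    return ip_network("0.0.0.0/0" if s == "any" else s, strict=False)
def shadows(earlier, later):
    """Earlier rule matches every packet 'later' would, so 'later' never fires (first match wins)."""
    return (_net(later.src).subnet_of(_net(earlier.src))
            and _net(later.dst).subnet_of(_net(earlier.dst))
            and earlier.service in ("any", later.service))

def find_redundant(policies):
    """(later, earlier, kind): 'redundant' if actions agree, 'conflicting' if they differ."""
    out = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if shadows(earlier, later):
                kind = "redundant" if earlier.action == later.action else "conflicting"
                out.append((later.name, earlier.name, kind))
                break  # report the first shadowing rule only
    return out

def find_identical(policies):
    """(later, earlier) pairs whose match conditions and action are exactly the same."""
    seen, out = {}, []
    for p in policies:
        key = (p.src, p.dst, p.service, p.action)
        if key in seen:
            out.append((p.name, seen[key]))
        else:
            seen[key] = p.name
    return out

def find_unmatched(policies):
    """Policies with zero matches in the period: candidates for deletion or review."""
    return [p.name for p in policies if p.hits == 0]

SAMPLE = [  # constructed sample rule base, evaluated top-down
    Policy("P1", "10.0.0.0/8", "any", "any", "permit", 1500),
    Policy("P2", "10.1.0.0/16", "any", "tcp/443", "permit", 0),  # inside P1: redundant
    Policy("P3", "192.168.0.0/16", "172.16.0.0/12", "tcp/22", "deny", 12),
    Policy("P4", "192.168.0.0/16", "172.16.0.0/12", "tcp/22", "deny", 0),  # duplicate of P3
    Policy("P5", "172.16.5.0/24", "any", "tcp/80", "permit", 0),  # unmatched, not shadowed
]
```

Note that P5 appears only in the unmatched list: a zero hit count alone does not prove a policy is redundant, so match-count analysis and shadowing analysis complement each other.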