Known Issues Affecting ACE

Note: In our technical documentation, we use the term "Azure Firewall" to refer to Azure Firewall (Policy-based) devices, distinguishing it from Azure Firewall (Classic).

General

  • The procedure for enabling flow logging for multiple Azure NSGs using the PowerShell script provided by ACE does not apply to NSGs that are part of a scale set. Flow logs for NSGs that belong to a scale set can be configured manually instead.
  • AlgoSec supports the following capabilities for Azure Firewall:

    • Policy visibility

    • Risks

    • Rule usage

    • Traffic Simulation Query

    However, only policy visibility is supported for Azure Firewall (Classic).

  • ASMS Connectivity Check from ACE:

    • Is supported only for Azure NSG policies

    • Is not supported in the cases of:

      • AWS SG policies

      • Azure Firewall and Azure Firewall (Classic)

      • Google Cloud Projects

      • Service tags that have no IPs: AzureLoadBalancer, GatewayManager

      • NSG rules containing an ASG (Application Security Group) that is not connected to any NICs (Network Interface Controllers)

      • VNETs having no IPs

  • All AlgoSec SaaS products connect to the same Kafka host. Multi-zone is not supported. To change a Kafka host, see this AlgoPedia article.

  • NACL policy visibility, risks and changes are not supported.

  • Support for Azure Firewall requires ASMS build version A32.60.260-94 or higher.

  • For NSG TSQ and FireFlow support, if you are using ASMS A32.60, upgrade to build version A32.60.260-94 or higher; no upgrade is needed for versions A32.50 or below.

Onboarding

  • Only accounts with unique names can be onboarded. If an account name already exists for a specific vendor, the account with the duplicate name will not be onboarded. To onboard both accounts, you must rename one of them on the vendor side. This requirement applies to all supported vendors (AWS, Azure, and Google Cloud).

Risks

  • Affected assets are not calculated for Azure Firewall.

  • On the Risks page, tag filtering does not support Azure Firewalls.

  • After activating or suppressing a risk, the Risks page must be refreshed via the browser to properly display the current risk severity.

  • (For Azure NSG) Service Tag support for risk calculations:

    • When using the Standard Risk Profile, risk calculations consider only the following Service Tags: VirtualNetwork, AzureLoadBalancer, and Internet.

    • When using custom risk profiles, risk calculations consider the content of all Service Tags; however, the contents of VirtualNetwork and Internet are only partially supported, which may result in false-positive risk detections.

  • Risks are not supported for Azure Firewall (Classic).

  • Exporting Risk reports to CSV files:

    • For Azure: The Virtual Network ID column is always empty.

    • For Google Cloud: The Regions column is empty because this field typically contains an excessive number of entries.

Overview

  • On the Inventory tab, ACE does not display shared VPCs for the Participant account.

  • For AWS: On the VPC summary tab, only the primary CIDR is displayed, even when the VPC has multiple CIDRs.

Manage network policy sets

  • AWS shared VPC Flow logs are collected only for the owner account. For the participant accounts, flow logs are not collected and "Flow logs disabled" is displayed in the Last Used column.

  • For Azure NSGs: If a Network Security Group (NSG) is attached to a network interface or subnet but does not protect any Virtual Machines (VMs) or VM Scale Sets, it appears under Unattached_Network_Security_Groups in the ASMS devices tree rather than under its real VNET. Both Map and Traffic Simulation Query functionality remain supported for such NSGs.

  • For Azure Firewall flow logs: When an Azure Firewall has both a parent and a child policy, the Last Used information refers only to rule usage in the child policy, not in the parent policy.

  • For Google Cloud:

    • ACE supports Organization Firewall Policy, Folder Firewall Policy, and VPC Firewall Rules, but does not support Network Firewall Policy.

    • Risk information is not calculated for Network Firewall policies. "N/A" appears in the column in the Network Policies page and "0" in the exported CSV policy report.

    • The flag network-firewall-policy-enforcement-order only supports the value AFTER_CLASSIC_FIREWALL.

    • ACE does not support the following operations on the Network Policy page:

      • Policy merge

      • Policy edit

Fixed Issues

03-Dec-24: Network Policy Search field fixed to filter results based only on policy names.

05-Feb-24: Risk Severity of Outbound “To Any allow ANY Service” rules to Public IPs (Risk ID: O01-I-SG) in CF was changed from High to Critical.