Advanced Configuration
This topic describes how to add and modify advanced AFA configuration parameters, as well as a reference of parameters available.
Add a new AFA configuration parameter and value
This procedure describes how to add a new advanced configuration parameter to AFA. Use this procedure to override various system defaults or to implement hotfix updates.
Do the following:
- In the toolbar, click your username and select Administration to access the AFA Administration area.
- Navigate to Options > Advanced Configuration.
- Click Add, and enter the name and value of your configuration parameter.
- Click OK to close the dialog, and then OK again to save your changes.
Advanced AFA configuration parameter reference
The following tables list commonly used AFA configuration parameters and their possible values.
A-B
Parameter |
Description |
Active_Change_Backups_Number |
CLI only. Defines the number of backup files stored by AFA for Cisco firewalls, Juniper SRX devices, or Panorama devices.
Default: 50
|
AddOnlyChildren |
Determines whether the add_device_to_group and create_device_group SOAP APIs add both the parent and children devices to the group.
Possible values:
- 0: Both parents and children are added. (Default)
- 1: Only children are added.
|
ALGOSEC_EA_ARISTA |
Determines whether AFA administrators can add Arista devices to AFA.
Default: FALSE
|
AlgoSec_EA_Azure_ActiveChange |
Determines whether AFA administrators can define ActiveChange options for Azure devices.
Default: FALSE
|
AlgoSec_EA_Cisco_ACI_ActiveChange |
Determines whether AFA administrators can define ActiveChange options for Cisco ACI devices.
Default: FALSE
|
ALGOSEC_EA_CISCOISE |
Determines whether AFA administrators can add Cisco ISE devices to AFA.
Default: FALSE
|
analyze_only_changed_reports |
Determines whether analysis is always run, even if the configuration has not changed.
Possible values:
- yes: Analysis is run only if the configuration has changed
- no: Analysis is always run
|
AWS_Socket_Timeout_Millis |
Configures the socket timeout to AWS, in milliseconds. A socket timeout monitors the continuous incoming data flow. If the data flow is interrupted for longer than the specified timeout, the connection is regarded as stalled or broken. This only works with connections that have a continuous flow of data.
Format: AWS_Socket_Timeout_Millis = X (in ms)
|
AWS_Connection_Timeout_Millis |
Configures the connection timeout to AWS, in milliseconds. A connection timeout occurs if, when attempting to start a TCP connection to AWS, the remote machine does not answer within the specified interval. This can indicate that the server has been shut down, the wrong IP address or DNS name was used, the wrong port was used, or the network connection to the server is down.
Format: AWS_Connection_Timeout_Millis = X (in ms)
|
Backup_Firewall_History |
Determines whether backup files include change history.
Possible values:
- yes. Change history is included
- no. Change history is not included in backups
|
BUSINESSFLOW_ADDRESS |
Determines the IP address of the BusinessFlow host, if not local.
|
C
Parameter |
Description |
CHANGE_HISTORY_DAYS |
Determines the number of days that legacy changes are kept in report change histories.
Default: 90
|
Chart_Threshold_Val |
Defines the chart threshold value for all condition type charts, including the built-in compliance charts.
Possible value: Integer
Default: 23
|
Checkpoint_Adtlog_Exclude_Fields |
Defines a pipe-separated list of Check Point audit log fields that are ignored.
For example:
CKP_Adtlog_Exclude_Fields=CLCStatus|threshold_event_uint
Note: Regular expressions are supported.
|
CKP_optimizations_per_policy |
Determines whether policy optimization items are shown for all rules in the policy, and not only those installed on the analyzed module.
Default: yes
|
CKP_REST_RULEBASE_BATCH_SIZE |
Defines the maximum size for each batch data collection for Check Point devices.
For very large policies, set this parameter to a large value, such as 1000, to shorten the data collection time.
Possible value: Integer
Default: null
|
CKP_turbo_log_collection |
Determines whether a dummy environment is used to speed up log collection on Check Point devices.
Default: no
|
CLUSTER_USE_VIP |
Determines whether a VIP is shown instead of a MIP in Check Point cluster topologies.
Default: yes
|
CollapseDevicesTreeOnLogin |
Determines whether the device tree is collapsed by default.
Possible values:
- true. Collapsed (Default)
- false. Expanded
|
Comments_Regex_Match |
Determines whether comments match or do not match the regular expression defined in Comments_Regex.
Possible values:
- 0: Does not match
- 1: Matches
|
comprehensive_mode |
Determines whether comprehensive mode is enabled, where AFA queries all services that appear in any rule in the policy.
Default: yes
|
CONSIDER_MULITPLE_NHG |
Determines whether all multiple routes for each range are saved and used for FIP.
Supported only for IOS.
Default: yes
|
covered_exclude_services |
Defines a colon-separated list of values. Rules that contain any of the listed values as services are not listed as covering rules.
Default: null (no exclusions)
|
D
Days_To_Consider_Rules_As_New |
Determines the number of days a rule must exist before it can be considered unused.
Additionally, if defined, rules with no rule creation time are considered to be older than the set value.
For example, if this parameter is set to 30, rules that are less than 30 days old are never defined as unused.
0 = Disable this feature, and use the value defined in Log_Analysis_Days_Before instead.
|
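As an added example (not AlgoSec code), the following Python models how Days_To_Consider_Rules_As_New and Log_Analysis_Days_Before interact when deciding which rules to report as unused. The rule records are constructed, and the reading that a rule counts as unused when no hit was logged inside the Log_Analysis_Days_Before window is an assumption, not something the page states.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Rule:
    name: str
    created: Optional[date]   # None: the device reports no rule creation time
    last_hit: Optional[date]  # None: no traffic has ever been logged for this rule


def unused_rules(rules, today, days_to_consider_rules_as_new, log_analysis_days_before):
    """Return the names of rules that would be reported as unused.

    Assumption (not stated on the page): a rule is "unused" when no hit was
    logged inside the Log_Analysis_Days_Before lookup window.
    Page semantics for Days_To_Consider_Rules_As_New (N):
      * N > 0: rules younger than N days are never reported as unused;
               rules with no creation time are treated as older than N.
      * N = 0: the feature is disabled; Log_Analysis_Days_Before is used instead.
    """
    if days_to_consider_rules_as_new < 0 or log_analysis_days_before <= 0:
        raise ValueError("grace period must be >= 0 and lookup window > 0")
    grace_days = days_to_consider_rules_as_new or log_analysis_days_before
    window_start = today - timedelta(days=log_analysis_days_before)
    new_cutoff = today - timedelta(days=grace_days)

    flagged = []
    for rule in rules:
        if rule.last_hit is not None and rule.last_hit >= window_start:
            continue  # traffic seen inside the lookup window: in use
        # A rule created after the cutoff is still "new" and is skipped.
        # No creation time counts as older than the cutoff, so it stays eligible.
        if rule.created is not None and rule.created > new_cutoff:
            continue
        flagged.append(rule.name)
    return flagged


# Constructed sample data: the analysis runs on 2024-06-30.
TODAY = date(2024, 6, 30)
SAMPLE_RULES = [
    Rule("allow-web", date(2023, 1, 10), date(2024, 6, 29)),  # hit yesterday
    Rule("legacy-ftp", date(2021, 3, 5), date(2023, 12, 1)),  # last hit outside window
    Rule("new-vpn", date(2024, 6, 20), None),                 # 10 days old, no hits yet
    Rule("no-created", None, None),                           # no creation time, no hits
]

if __name__ == "__main__":
    print(unused_rules(SAMPLE_RULES, TODAY, 30, 60))  # ['legacy-ftp', 'no-created']
```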
Days_Without_Logs_Percentage_Threshold |
Determines the threshold at which warnings are sent for missing log days, in log data-based parts of the policy optimization.
Possible values: Integers, 0-100
0 disables the warning altogether
Default: 50
|
DB_host |
Defines the database host.
Default: localhost
|
DB_name |
Defines the database name.
Default: afa
|
DB_user |
Defines the database username.
Default: afa
|
default_dashboard |
Defines the default AFA dashboard shown.
Possible values:
|
DEFAULT_MAIL_NOTIFICATION_OFF |
Sets default for email notifications to newly created users.
By setting this parameter ON, newly added users will not get email notifications when a new report is generated or when configuration changes are applied.
|
DEFAULT_USER_PERMISSIONS_EMPTY |
By setting this parameter ON, the following administrative settings will be set OFF:
- Creating a new user (Firewall Analyzer Administration page > Users / Roles tab > New User):
  - General Permissions area > Enable Analysis from file
  - General Permissions area > Enable Trusted Traffic > global
  - E-mail Notifications area > Every report
  - E-mail Notifications area > Every configuration change
- Defining a new user's authentication server (via Firewall Analyzer Administration page > Options > Authentication > Authentication server):
|
Disable_IPT_Recommendations |
Determines whether to include Intelligent Policy Optimization recommendations on the Policy Optimization report page.
Possible values:
- yes: Disable IPT recommendations. Recommended if IPT recommendations are causing the report generation to take too long.
- no: Enable IPT recommendations (Default)
Note: To determine the amount of time consumed by the generation of rule replacement recommendations, view the AFA log. The start of this task is marked IPT recommendations generation – Starting, and the end of this task is marked IPT recommendations generation – Finished.
|
Disable_IPT_Time_Checking |
Defines the database username.
Default: afa
|
Disable_Monitoring |
Determines whether global monitoring is disabled.
Possible values:
- yes: Monitoring is disabled for all firewalls.
- no: Monitoring is enabled. (Default)
|
Disable_Routing_Element_Monitoring |
Determines whether to disable monitoring for routing element devices.
Possible values:
- yes: Monitoring on routing element devices is disabled.
- no: Monitoring on routing element devices is enabled. (Default)
|
DISPLAY_REPORT_TOPBAR_IN_REPORTS |
When set to yes (default), the selected device's hierarchy is shown in the report's top bar.
|
DISPLAY_REPORT_TOPBAR_IN_PDF |
When set to yes (default), the selected device's hierarchy is displayed in the top bar of the exported PDF report.
|
E-I
Enable_Ms_Traffic_Logs_Processing |
Determines whether traffic log collection is enabled using the ms_trafficlogmanager service.
Possible values:
- yes. Enabled (Default)
- no. Disabled
|
Export_Policy_Tab_With_Objects_Content |
Determines whether the exported PDF report's Policy page shows the network object content as well as the network object names.
Possible values:
- yes. Network object content and names shown
- no. Network object names shown only (Default)
|
EXPECT_TIMEOUT |
Defines the timeout, in seconds, for processing a single command in the Expect data collection.
Default: 120
|
FailCLIOnMissingUIDs |
Determines whether the CLI is generated even when UIDs are missing on Cisco PIX devices.
Possible values:
- yes: CLI generation fails in case of missing UID (Default)
- no: CLI is generated even if there are missing UIDs
|
Fetch_Primary_Routing |
Determines the backplane interface between virtual routers (VRs) that provides the interconnection used to route traffic when a primary routing table is specified.
Note: This parameter is relevant for Juniper SRX devices.
Possible values:
|
FIP_MAX_DEVICES_SEARCH_PATHS_FOR_DESTINATION_ANY |
Defines a maximum number of devices for which to run a query with a FIP destination of any.
Default: 100
|
FireFlowXmlEncoding |
Determines whether FireFlow XML change files are encoded as UTF-8 or ISO-8859-1.
Possible values:
- UTF-8 (Default)
- ISO-8859-1. Supports Latin characters
|
FWFiles_Directory |
Defines the path of the Analyze from file firewalls.
Default: $HOME/algosec/fwfiles
|
hide_change_details |
Determines whether to omit change details from emails about new reports and change alerts, for all users.
Possible values:
- yes: Hides change details for all users. Emails about new reports and change alerts include only the device name and a link to AFA.
- no: Change details are displayed for all users.
Change this setting per user with the Hide change details checkbox. For details, see Manage users and roles in AFA.
|
IPT_Density_Action_Limit |
The maximum density of a sparse object. When this limit is exceeded, the object is considered semi-dense.
Default: 50
|
IPT_Recommendation_Max_Ranges |
Defines the maximum number of CIDR blocks into which IPT will recommend splitting a host object, if the original object contains more IP addresses/ranges than defined in IPT_Recommendation_Max_Subnets_Per_Range.
Default: 20
|
IPT_Recommendation_Max_Services |
The maximum number of services or applications from which IPT will recommend composing a new object.
Default: 20
|
IPT_Recommendation_Max_Subnets_Per_Range |
Defines the maximum number of CIDR blocks into which IPT will recommend splitting a host object.
IPT recommends creating a new object only when the number of used IP addresses/ranges is smaller than the defined number.
Default: 4
|
L
Locate_in_rules_include_any |
Determines whether rule search results include rules that contain the searched IP only in Any source or destination.
Possible values:
- yes: Rules results include rules where the searched IP address is found in Any source or destination
- no: Rule results do not include rules where the searched IP address is found in Any source or destination (Default)
|
LOCK_WAIT_FREQUENCY |
Defines how often the Check Point and IOS data collection lock file is sampled, in seconds.
The value of this parameter, multiplied by the value of the MAX_LOCK_WAIT parameter, equals the total wait time for IOS devices.
Default: 10
|
Log_Analysis_Days_Before |
Defines the analysis log lookup, in days.
Default: 60
|
Log_Analysis_Months_Before |
Defines the time period for which the traffic database is retained, in months. Traffic logs older than the defined value are deleted.
Default: 12
|
Log_Time_Interval_Minutes_Before_Error |
Defines the time period, in minutes, before which a device's log collection status is set to failure, in case log collection finds no new logs for a specific server for one of the following reasons:
- No logs have arrived to the log server. This may be an issue in the customer environment.
- No logs were found for the target devices. This may be an AFA misconfiguration or error.
Default: 180
|
Log_Timeout_Minutes |
Defines the timeout for the entire log collection process, in minutes.
Default: 900 (15 hours)
|
M
mailSuffix |
Defines an email address to use as a default if a new or edited user email address is left empty.
Default: null
|
MAP_BLACK_LIST |
Determines whether to ignore defined devices in AFA when creating the map.
Default: null
|
MAX_LOCK_WAIT |
Defines a time to wait for the Check Point, IOS, or NSM data collection lock file, in seconds.
Default: 7200 (2 hours)
|
MAX_LOCK_WAIT_NSC |
Defines a time to wait for the NSC data collection file, in seconds.
Default: 7200 (2 hours)
|
Max_Parallel_Analyses |
Determines the maximum number of analyses that are allowed to run in parallel.
Default: The number of CPUs on the machine.
|
Max_Parallel_Logcollect |
Determines the maximum number of log collections running in parallel.
Possible values:
- Positive integers
- 0: unlimited
|
Max_Rows_To_Sort |
Determines whether sorting and filtering in AFA report tables is enabled, and if so, for how many rows.
Sorting and filtering large tables may take a long time.
Possible values:
- Integer, 1 or greater. Defines the maximum number of rows for which sorting and filtering can be performed.
- 0: Sorting and filtering is disabled.
Default: 10,000
|
MGMT_ROUTING_FREQUENCY |
Defines the frequency of routing information collection for management devices, such as Panorama, in minutes.
Default: 60
|
Monitor_exclude_PIX |
Defines a single regular expression (which may be a simple string) to exclude from comparisons during monitoring.
Tip: Even though this supports a single regular expression only, you can define multiple matches using an OR pipe (|). For example: (log\s+in|log\s+out)
|
Monitor_Force_Data_Coll_Ckp_Min |
Defines how often data collection runs on Check Point devices, in minutes, even if no new logs are found.
Default: 720
|
Monitor_Force_Data_Coll_Cycles_Num |
Defines how often a full monitoring cycle is run on Check Point devices, in minutes, even if no new audit logs are found.
Default: 720
|
monitor_frequency |
Defines how often the monitoring process runs, in hours.
Default: 5
If MONITOR_USE_FREQUENCY_AS_HOUR_OF_DAY is set to no, or does not exist, monitor_frequency defines the hour of the day at which the monitoring process runs. In such cases, supported hours include the hours between 2:00-24:00, skipping 1:00.
Possible values: Integer, multiple of 60.
Configure twice-a-day monitoring
To set twice-a-day monitoring, set monitor_frequency to a value between 120 and 720, following the examples below.
For example:
- 60x2 = 120. 120 runs monitoring at 02:00 and 14:00.
- 60x3 = 180. 180 runs monitoring at 03:00 and 15:00.
- 60x4 = 240. 240 runs monitoring at 04:00 and 16:00.
- 60x5 = 300. 300 runs monitoring at 05:00 and 17:00.
- 60x12 = 720. 720 runs monitoring at 00:00 and 12:00.
Configure once-a-day monitoring
- Set the MONITOR_USE_FREQUENCY_AS_HOUR_OF_DAY configuration parameter value to no, or delete this parameter.
- Set the monitor_frequency parameter value to 60x<x>, where <x> is the hour of the day (on the 24-hour clock) at which you want monitoring to run.
Note: The monitor_frequency value must be at least 840.
For example, 60x14 = 840. 840 runs monitoring at 14:00.
|
MONITOR_USE_FREQUENCY_AS_HOUR_OF_DAY |
Determines whether monitoring processes are defined by setting frequency to the hour of the day.
Possible values:
- no: Device monitoring interprets the number in the Monitoring dialog as a frequency (every x minutes).
- yes: Monitoring processes run once or twice a day, at times defined by the monitor_frequency parameter.
|
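As an added example (not AlgoSec code), the following Python turns a monitor_frequency value into the run times described in the monitor_frequency and MONITOR_USE_FREQUENCY_AS_HOUR_OF_DAY entries above, assuming hour-of-day mode is in effect. The range checks follow the page's worked examples; treating values the page does not describe (such as 780) as unsupported is this example's assumption.

```python
from datetime import datetime, timedelta


def monitor_run_hours(monitor_frequency: int) -> list:
    """Return the hours of day (0-23) at which monitoring runs for a given
    monitor_frequency value, following the examples on this page:

      * the value must be a multiple of 60; 60 (01:00) is not supported
      * 120..720  -> twice a day, at h and h+12 (720 -> 00:00 and 12:00)
      * 840..1440 -> once a day, at h (1440 -> 24:00, i.e. midnight)

    Any other value (e.g. 780) is not described by the page and is rejected.
    """
    if monitor_frequency <= 0 or monitor_frequency % 60:
        raise ValueError("monitor_frequency must be a positive multiple of 60")
    hour = monitor_frequency // 60
    if 2 <= hour <= 12:
        return sorted({hour % 24, (hour + 12) % 24})
    if 14 <= hour <= 24:
        return [hour % 24]
    raise ValueError(f"{monitor_frequency} is not a supported hour-of-day value")


def is_supported_monitor_frequency(monitor_frequency: int) -> bool:
    """True when the value maps to a schedule the page describes."""
    try:
        monitor_run_hours(monitor_frequency)
        return True
    except ValueError:
        return False


def next_monitor_run(monitor_frequency: int, now: datetime) -> datetime:
    """Return the first scheduled monitoring run strictly after `now`."""
    hours = monitor_run_hours(monitor_frequency)
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    candidates = [
        midnight + timedelta(days=day, hours=h) for day in (0, 1) for h in hours
    ]
    return min(c for c in candidates if c > now)


if __name__ == "__main__":
    # Constructed reference time for the demonstration.
    now = datetime(2024, 6, 30, 13, 0)
    for value in (120, 720, 840):
        print(value, monitor_run_hours(value), next_monitor_run(value, now))
```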
MONITORING_HISTORY_DAYS |
Defines the number of days to retain monitoring changes.
Default: 90
|
N-R
NSM_optimizations_per_policy |
Determines whether to show policy optimization items for all the rules in a policy, and not only for those that have the analyzed device in their target.
Possible values:
- Yes: Optimizations shown for all rules in policy
- No: Optimizations shown only for rules that have the analyzed device in their target. (Default)
|
PrioritizeFIPDestination |
Determines if routing queries and traffic simulation queries prioritize paths that begin and end with a subnet (and not a cloud) for destinations.
The default setting is yes.
- yes. Enables the preference for subnets in destinations.
- no. Disables the preference for subnets in destinations.
|
PrioritizeFIPSources |
Determines if routing queries and traffic simulation queries prioritize paths that begin and end with a subnet (and not a cloud) for sources.
The default setting is yes.
- yes. Enables the preference for subnets in sources.
- no. Disables the preference for subnets in sources.
|
Query_Timeout |
Defines the timeout for a single query, in seconds.
Default: 15
|
QueryByPolicy |
Determines whether traffic simulation group query results include all devices in device groups, or are grouped by policy with a single representative device for each policy.
Note: This setting affects group traffic simulation query results and batch traffic simulation query results. It also affects initial plan query results in FireFlow.
Possible values:
- yes. Display group query results by policy.
- no. Do not group query results by policy (Default)
|
RADIUS_FetchData |
Determines whether to fetch data and groups from LDAP for users authenticated by a Radius server.
Default: no
|
REMOVE_DELETED_DEVICE_REPORTS |
Determines whether to remove reports for all deleted devices.
Possible values:
- Yes: Remove reports for deleted devices
- No: Keep reports for deleted devices
|
Routing_Element_Monitor_Frequency |
Determines the frequency for which to run monitoring on routing elements, in minutes.
Default: 5
|
Rule_Selection_Limit |
Defines the maximum number of rules allowed to be selected for a single FireFlow change request.
Tip: Avoid using large numbers to prevent performance issues in FireFlow.
Default: 50
|
S-W
Parameter |
Description |
SharedSyslogConfigRAs |
Allows nodes (Remote Agents / Central Manager) to receive syslog messages for devices they do not directly manage.
- By default, this parameter is not configured.
- The value format of this parameter is: [Remote Agent1 name], [Remote Agent2 name], [Remote Agent3 name], ...
- For the Remote Agent name, use the name of the node as it appears in Administration > Architecture in ASMS.
- When you specify Remote Agents to sync, the Central Manager is implicitly included. You do not need to define it.
For example:
Device syslog configurations are synced between the Central Manager and Remote Agent RemoteOne:
SharedSyslogConfigRAs = RemoteOne
Device syslog configurations are synced between the Central Manager, and Remote Agents RemoteOne and RemoteTwo:
SharedSyslogConfigRAs = RemoteOne,RemoteTwo
Note: After first setting the configuration, edit any device on each Remote Agent to synchronize its configuration with other Remote agents in the shared group.
Note: When this parameter is set, define on the device the node to where the syslog message will be sent.
|
Show_DeviceNet_Threshold |
The maximal number of elements shown when the map initially loads or when it is refreshed.
Default: 500
|
SHOW_ONLY_NODES_IN_PATH |
Determines whether the network map shown in query results shows only the nodes in the network path, without surrounding devices and objects.
Possible values:
- yes: Shows only the nodes in the network path queried, including stub routers, clouds, subnets, and so on.
- no: Shows the nodes in the network path queried, and also surrounding devices and objects. (Default)
|
Skip_Packages |
For Check Point devices running R80 and higher, AFA collects all packages during data collection. Some of these packages may not be related to the device, or may not be fully configured, which causes analysis to fail.
Set the value of this parameter to the package names to skip. Use a comma (",") as the separator between package names.
|
syslog_dump_interval |
Defines the maximum amount of time between syslog collection and memory dump to files, in minutes.
|
TarFormat |
Determines support file download attributes.
|
trust_rfc1918 |
Determines whether risk calculation is skipped for private (RFC 1918) networks. When skipped, most Z## risks will not be triggered.
Possible values:
- Yes: Skipped for private networks. (Default)
- No: Private networks are included in risk calculation.
|
TSQ_DIRS_LIMIT |
Maximum number of query (query-xxx) folders that can be created under the reports and monitor directories.
Default: 2000
|
Tsq_dirs_Expiration_Hours_Time |
Maximum number of hours that query-xxx folders persist. Affects auto-remove and disk space usage.
Default: 48
Note: This parameter cannot be set to 0.
|
Uncheck_Parent_Addition_Checkbox |
This parameter determines whether or not the Add selected devices and their sub-hierarchies to the group checkbox is selected when adding a group to AFA:
|
Use_Custom_Report |
Determines whether custom report pages are enabled.
For more details, see Custom report pages.
Possible values:
- yes. Enable custom reports. (Default, when a custom report has been created and installed)
- no. Disable custom reports, preventing any custom reports from appearing in AFA reports.
|
Use_Nexus_Wildcards |
Determines whether Traffic Simulation Query results on Cisco Nexus devices use wildcard IP ranges.
Possible values:
- yes: Wildcard IP ranges are included.
- no: Wildcard IP ranges are not included. (Default)
|
VALIDATE_USER_ROUTING_URT |
Applicable to Cisco PIX only.
When set to "yes", AFA produces a log message for any interface in the .urt file that does not exist in user_routing.urt.
|
WEBGUI_SESSION_LENGTH |
Defines the maximum idle time of a UI session, in minutes. Any session that remains inactive for longer than the defined value is automatically ended.
Default: 300
|