Configure IPT rule recommendations
The Policy Optimization page's Intelligent Policy Tuner (IPT) provides recommendations for replacing permissive rules with new, tighter rules, as well as recommendations for new objects to be used in the rules.
For each sparse object, IPT generates recommendations as follows:
- IPT searches the device configuration for an existing object that contains exactly the same IP addresses, services, and applications as the original object. If such an object is found, IPT suggests it as a replacement.
- If no such object is found, IPT suggests a new object as follows:
  - Host objects: If the number of used IP addresses/ranges is smaller than a certain number (IPT_Recommendation_Max_Subnets_Per_Range), IPT recommends creating a new object that contains these IP addresses/ranges. If the number is larger, IPT searches for a set of CIDR blocks that covers all of the used IP addresses/ranges contained in the original object and is composed of no more than a certain number of CIDR blocks (IPT_Recommendation_Max_Ranges). If such a set is found, IPT suggests a new object that contains the set.
  - Service/application objects: If the number of services/applications is less than a certain number (IPT_Recommendation_Max_Services), IPT suggests a new object that contains these services/applications. If the number is larger, IPT does not suggest a new object.
IPT's recommendations are saved in an XML file and then displayed in the Policy Optimization page.
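The host-object decision described above, as an added worked example that is not the product's own code: it applies the two thresholds (defaults from the table on this page) to a constructed list of used addresses/ranges. The page does not document how IPT searches for a covering set, so the merge heuristic and the `max_overcover` bound here are assumptions of this example.

```python
import ipaddress
from typing import List, Optional, Tuple

# Defaults as given in the Advanced Configuration table on this page.
IPT_RECOMMENDATION_MAX_SUBNETS_PER_RANGE = 4
IPT_RECOMMENDATION_MAX_RANGES = 20

def parse_entries(entries: List[str]) -> list:
    """Expand host ('10.0.0.5'), CIDR ('10.0.0.0/24') and range ('10.0.0.1-10.0.0.9') strings."""
    nets = []
    for entry in entries:
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(entry.strip(), strict=False))
    return nets

def smallest_common_block(a, b):
    """Smallest single CIDR block containing both networks a and b (same IP version)."""
    while not b.subnet_of(a):
        a = a.supernet()          # supernet() of /0 returns itself, so this terminates
    return a

def cidr_cover(entries: List[str], max_blocks: int, max_overcover: float = 2.0) -> Optional[List[str]]:
    """At most max_blocks CIDR blocks covering every entry, or None if no acceptable set exists.
    Starts from the exact minimal cover and, while it is still too long, merges the neighbouring
    pair whose common block is smallest. max_overcover is an assumed bound (not a product setting):
    a cover admitting more than that multiple of the used addresses is rejected."""
    if max_blocks < 1:
        return None
    nets = list(ipaddress.collapse_addresses(parse_entries(entries)))
    used = sum(n.num_addresses for n in nets)
    while len(nets) > max_blocks:
        i, merged = min(((i, smallest_common_block(nets[i], nets[i + 1])) for i in range(len(nets) - 1)),
                        key=lambda pair: pair[1].num_addresses)
        nets[i:i + 2] = [merged]
        nets = list(ipaddress.collapse_addresses(nets))   # drops blocks now subsumed by merged
    if sum(n.num_addresses for n in nets) > max_overcover * used:
        return None
    return [str(n) for n in nets]

def recommend_host_object(entries: List[str], max_subnets: int = IPT_RECOMMENDATION_MAX_SUBNETS_PER_RANGE,
                          max_ranges: int = IPT_RECOMMENDATION_MAX_RANGES) -> Optional[Tuple[str, List[str]]]:
    """Decision from the page: few entries -> use them as-is; otherwise try a bounded CIDR cover."""
    if len(entries) < max_subnets:
        return ("as-used", list(entries))
    cover = cidr_cover(entries, max_ranges)
    return ("cidr-cover", cover) if cover is not None else None
```

Lowering `max_ranges` forces wider blocks, which shows why a tighter object can still admit addresses the original rule never used; the `max_overcover` check is where a reviewer would cap that.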
If desired, you can change the values used in IPT's calculations, by using the following procedure.
Note: For more details, see Enable IPT rule recommendations.
To configure IPT rule replacement recommendations:
- In the toolbar, click your username.
  A drop-down menu appears.
- Select Administration.
  The Administration page appears, displaying the Options tab.
- Click the Advanced Configuration tab.
  The Advanced Configuration page appears.
- Add the desired items specified in the following table, one at a time, by doing the following:
  - Click Add.
    The Add New Configuration Parameter dialog is displayed.
  - In the Name field, type the configuration item.
  - In the Value field, type the item's value.
  - Click OK.
  Repeat these steps as needed.
- Click OK.
Item | Description
---|---
IPT_Recommendation_Max_Subnets_Per_Range | The maximum number of CIDR blocks into which IPT will recommend splitting a host object. The default value is 4.
IPT_Recommendation_Max_Ranges | The maximum number of CIDR blocks into which IPT will recommend splitting a host object, if the original object contains more than the number of IP addresses/ranges specified in IPT_Recommendation_Max_Subnets_Per_Range. The default value is 20.
IPT_Recommendation_Max_Services | The maximum number of services or applications from which IPT will recommend composing a new object. The default value is 20.
IPT_Density_Action_Limit | The maximum density of a sparse object. When this limit is exceeded, the object is considered semi-dense. The default value is 50.