Advanced risk editing
This section explains how to perform advanced editing of custom risk items. For information on custom risk items, see Customize risk profiles.
Overview
You can customize Risk Profiles by defining custom risk items. Custom risk items allow you to define more complex risks by composing the XQL query of your choice. For example, you can define risks for the following types of allowed traffic:
- Group of several services from X to Y
- Insecure external access to device
- Over N machines can manage your device
- TCP on over M ports can enter your network
- "From A to B with service C" rules
All operators used in risk item XQL queries are standard XQL operators: $eq$, $ne$, $lt$, $gt$, $and$, $or$, $match$ (checks against a regular expression, e.g. '/abc[de]/'), $no_match$, brackets().
Risk item types
Type |
Description |
---|---|
Traffic |
Relates to risks regarding traffic allowed through the device. This type of risk item can be used to detect risky traffic allowed by the device. In standard risk items, this type is represented by the letters D,J,Z,K,I,S,O,M,E, C. In custom risk items, this type is represented by the letter U. |
Host Group |
Relates to risks regarding host group definitions. This type of risk item can be used to detect certain host groups defined on the device, according to specific criteria. In standard risk items, this type is represented by the letter H. In custom risk items, this type is represented by the letter U. |
Properties |
Relates to risks regarding device property definitions. This type of risk item can be used to detect the value of certain device properties. In standard risk items, this type is represented by the letter P. In custom risk items, this type is represented by the letter U. |
Rules |
Relates to risks regarding rule definitions. This type of risk item can be used to detect specific rules in the policy, for example rules with "Any" as their source and so on. In standard risk items, this type is represented by the letter R. In custom risk items, this type is represented by the letter U. |
Traffic risk item guidelines
Sample traffic risk item (Rule I08)
Queries/QIndex[@name="q_srv_Outside_Inside"]/QEntry[
@srv $eq$ "http" $and$
eval("256", "Number") $lt$ @n_dst_impact_ips
]/QRes[
@n_risky_dst_ips $ne$ 0 $and$
@n_risky_src_ips $ne$ 0 $and$
@is_vpn $ne$ "yes"
]
This section specifies the traffic source and destination zones, by indicating them in the name of the query results file.
Parameters
@name |
The query results file's name in the format: q_srv_srcZone_dstZone where srcZone is the source zone, and dstZone is the destination zone, as defined in the AFA's device topology. Available zones include Outside, Inside, DMZs, and any user-defined zone type For example:
For access to device itself, use the file name q_fw_access. |
This section describes the type of traffic between the source and destination zones (specified in QIndex) that will trigger the risk. In the preceding example, a traffic query issued to the device simulation engine will trigger this risk if the service is HTTP and the number of affected destination IP addresses is over 256.
Parameters
@srv |
The service that was queried. |
@action |
The action that occurred:
|
@is_external_src |
Indicates whether the source zone of the traffic is external or not:
|
@n_src_impact_ips |
The total number of source IP addresses detected as relevant for this query. |
@n_dst_impact_ips |
The total number of destination IP addresses detected as relevant for this query. |
@n_TCP_dst_ports |
The total number of destination TCP ports detected as relevant for this query. |
@n_UDP_dst_ports |
The total number of destination UDP ports detected as relevant for this query. |
This section describes the type of traffic query results that will trigger the risk. In the preceding example, the traffic must be encrypted in order for this risk to be triggered.
Parameters
@is_vpn |
Indicates whether encrypted traffic should trigger the risk or not:
|
@pass_rule |
The name of the rule that is relevant for this traffic in AFA. |
Host group risk item guidelines
Sample host group risk item (RiskH02)
Hosts
/Host[
@name $eq$ "Trusted_hosts" $and$
eval("20", "Number") $lt$ @n_Total
]
This query checks whether the pre-defined "Trusted_hosts" object (which represents servers that can manage this firewall) contains a certain number of IP addresses.
@name |
The host group's name. Only alphanumeric characters, '_', '.', and '-' can be used. Other characters are automatically replaced by '_'. |
@n_Total |
The number of IP addresses contained in the host group. |
@internal |
Indicates whether this host group contains internal IP addresses:
|
@external |
Indicates whether this host group contains external IP addresses:
|
@zone_spanning |
Indicates whether this host group spans multiple zones:
|
Property risk item guidelines
Property risk items are used to detect the value of certain firewall properties. These properties are extracted by AFA during analysis. For a full list of properties, refer to the properties.xml file in the relevant report directory.
Note: Properties will differ between firewall vendors. Parameters can be created for Check Point firewalls from the asm.C file.
Sample property risk item (risk P05)
Props[http_enforce_buffer_overflow[@value $ne$ "true"]]
Rule risk item guidelines
Sample rule risk item (risk R01)
Rules/Rulebase[@interface="%INTERFACE"]/Rule
[
@dst = "*" $and$
@srv = "*" $and$
@orig_rule $ne$ "" $and$
@orig_rule $ne$ "0" $and$
@vpn $ne$ "VPN_PERMIT" $and$
@vpn $ne$ "VPN" $and$
@action = "PASS"
]
This query detects all rules other than VPN rules, where both the destination and the service are "any", and the action is "PASS".
@src |
The source object of the rule. |
---|---|
@dst |
The destination object of the rule. |
@srv |
The service object of the rule. |
@src_xlt |
The translated source hostgroup object. |
@dst_xlt |
The translated destination hostgroup object. |
@ruleno |
The expanded rule ID. |
@action |
The rule action:
|
@orig_rule |
The original rule number (in vendor format). |
@vpn |
Indicates whether the rule is a VPN rule, as well as whether traffic is encrypted:
|
Note: AFA performs these queries on its internal "Expanded rules". To see these rules in your device report, go to Explore Policy -> Expanded Rules.
Assessment and remedy keywords
The following keywords can be added to risk item assessments and remedies, for richer user-defined risk descriptions in the report. Keyword use is optional.
For more details, see Customize risk items.
Keyword |
Description |
---|---|
%AMOUNT |
The number of rules that contributed to the risk. |
%CUSTOMIZATION_NOTE |
Standard text explaining how to eliminate this risk. |
%FWNAME |
A link to the device's host group. |
%HGRP{hostgroup} |
A link to the specified host group, hostgroup. Can contain a zone name: Inside, Outside, DMZs, or a user-defined zone name. |
%HREF{url} |
A link to an HTML file, url. |
%N_DST_IMPACT_IPS |
The number of destination IP addresses in the query output (without VPNs). |
%N_DST_IMPACT_IPS_COUNT_VPN |
The number of destination IP addresses in the query output (with VPNs). |
%N_SRC_IMPACT_IPS |
The number of source IP addresses in the query output (without VPNs). |
%N_SRC_IMPACT_IPS_COUNT_VPN |
The number of source IP addresses in the query output (with VPNs). |
%N_TCP_DST_PORTS |
The number of reachable destination TCP ports in the query output. |
%N_UDP_DST_PORTS |
The number of reachable destination UDP ports in the query output. |
%PCIDS |
The Payment Card Industry Data Security Standard risk level. |
%QREF{QueryInputFile:service} |
A "Details" button linking to the query results for the specified traffic, where: QueryInputFile is the query input file, and service is the service, as defined in the AFA's device topology. For example: %QREF{q_srv_Inside_Outside:http} |
%QSRC_LIST{QueryInputFile} |
A list of source host groups that can access the device, as specified in the query input file, QueryInputFile. |
%SRV{service} |
A link to the specified service, service. For example, %SRV{smtp} would be replaced by "smtp" and linked to the definition of this service, as defined on this device. |
%SRV_LIST |
A list of all the services in the query output. |
%SRV_TABLE{QueryInputFile} |
A "Details" button linking to a table of the services in the query results, where QueryInputFile is the query input file. |
Keyword |
Description |
---|---|
%AMOUNT |
The number of rules that contributed to the risk. |
%CUSTOMIZATION_NOTE |
Standard text explaining how to eliminate this risk. |
%HGRP{hostgroup} |
A link to the specified host group, hostgroup. Can contain a zone name: Inside, Outside, DMZs, or a user-defined zone name. |
%HOST_TABLE |
A list of relevant host groups. |
%HREF{url} |
A link to an HTML file, url. |
%N_OUTSIDE_IPS |
The number of outside IP addresses in the query output. |
%N_TOTAL |
The total number of IP addresses in the query output. |
%PCIDS |
The Payment Card Industry Data Security Standard risk level. |
%SRV{service} |
A link to the specified service, service. For example, %SRV{smtp} would be replaced by "smtp" and linked to the definition of this service, as defined on this device. |
Keyword |
Description |
---|---|
%CUSTOMIZATION_NOTE |
Standard text explaining how to eliminate this risk. |
%HGRP{hostgroup} |
A link to the specified host group, hostgroup. Can contain a zone name: Inside, Outside, DMZs, or a user-defined zone name. |
%HREF{url} |
A link to an HTML file, url. |
%META{MetaDataParam} |
A link to a parameter, MetaDataParam, that was extracted during AFA analysis. |
%PCIDS |
The Payment Card Industry Data Security Standard risk level. |
%PROPERTY{propertyName}{displayedName} |
A link to the specified device property, propertyName. The link anchor text is specified in the parameter displayedName. |
%SRV{service} |
A link to the specified service, service. For example, %SRV{smtp} would be replaced by "smtp" and linked to the definition of this service, as defined on this device. |
Keyword |
Description |
---|---|
%AMOUNT |
The number of rules that contributed to the risk. |
%CUSTOMIZATION_NOTE |
Standard text explaining how to eliminate this risk. |
%HGRP{hostgroup} |
A link to the specified host group, hostgroup. Can contain a zone name: Inside, Outside, DMZs, or a user-defined zone name. |
%HOST_TABLE |
A list of relevant host groups. |
%HREF{url} |
A link to an HTML file, url. |
%PCIDS |
The Payment Card Industry Data Security Standard risk level. |
%RULE |
A link to the first rule in the query output. |
%RULE_TABLE |
A list of all the rules in the query output. |
%SRV{service} |
A link to the specified service, service. For example, %SRV{smtp} would be replaced by "smtp" and linked to the definition of this service, as defined on this device. |
%SRV_LIST |
A list of all the services in the query output. |