Advanced risk editing
This section explains how to perform advanced editing of custom risk items. For information on custom risk items, see Customize risk profiles.
Overview
You can customize Risk Profiles by defining custom risk items. Custom risk items allow you to define more complex risks by composing an XQL query of your choice. For example, you can define risks for the following types of allowed traffic:
Group of several services from X to Y
Insecure external access to device
Over N machines can manage your device
TCP on over M ports can enter your network
"From A to B with service C" rules
All operators used in risk item XQL queries are standard XQL operators: $eq$, $ne$, $lt$, $gt$, $and$, $or$, $match$ (tests the value against a regular expression, e.g. '/abc[de]/'), $no_match$ (the negation of $match$), and parentheses () for grouping.
Risk item types
AFA supports the following types of risk items:
Traffic
Relates to risks regarding traffic allowed through the device. This type of risk item can be used to detect risky traffic allowed by the device.
In standard risk items, this type is represented by the letters D, J, Z, K, I, S, O, M, E and C. In custom risk items, this type is represented by the letter U.
Host Group
Relates to risks regarding host group definitions. This type of risk item can be used to detect certain host groups defined on the device, according to specific criteria.
In standard risk items, this type is represented by the letter H. In custom risk items, this type is represented by the letter U.
Properties
Relates to risks regarding device property definitions. This type of risk item can be used to detect the value of certain device properties.
In standard risk items, this type is represented by the letter P. In custom risk items, this type is represented by the letter U.
Rules
Relates to risks regarding rule definitions. This type of risk item can be used to detect specific rules in the policy, for example rules with "Any" as their source.
In standard risk items, this type is represented by the letter R. In custom risk items, this type is represented by the letter U.
Traffic risk item guidelines
Sample traffic risk item (Rule I08)
Queries/QIndex[@name="q_srv_Outside_Inside"]/QEntry[
    @srv $eq$ "http" $and$
    eval("256", "Number") $lt$ @n_dst_impact_ips
]/QRes[
    @n_risky_dst_ips $ne$ 0 $and$
    @n_risky_src_ips $ne$ 0 $and$
    @is_vpn $ne$ "yes"
]
QIndex
This section specifies the traffic source and destination zones, by indicating them in the name of the query results file.
Parameters
@name
The query results file's name in the format:
q_srv_srcZone_dstZone
where srcZone is the source zone and dstZone is the destination zone, as defined in the AFA's device topology.
Available zones include Outside, Inside, DMZs, and any user-defined zone type.
For example:
In the preceding example, the file name is q_srv_Outside_Inside.
For traffic going from Inside to DMZs, the relevant file name would be q_srv_Inside_DMZs.
For traffic between different internal zones, the relevant file name would be q_srv_Inside_Inside.
For access to the device itself, use the file name q_fw_access.
QEntry
This section describes the type of traffic between the source and destination zones (specified in QIndex) that will trigger the risk. In the preceding example, a traffic query issued to the device simulation engine will trigger this risk if the service is HTTP and the number of affected destination IP addresses is over 256.
Parameters
@srv
The service that was queried.
@action
The action that occurred:
PASS. Traffic was passed by the device.
DROP. Traffic was blocked by the device.
@is_external_src
Indicates whether the source zone of the traffic is external or not:
yes. The source zone is external.
no. The source zone is not external.
@n_src_impact_ips
The total number of source IP addresses detected as relevant for this query.
@n_dst_impact_ips
The total number of destination IP addresses detected as relevant for this query.
@n_TCP_dst_ports
The total number of destination TCP ports detected as relevant for this query.
@n_UDP_dst_ports
The total number of destination UDP ports detected as relevant for this query.
QRes
This section describes the type of traffic query results that will trigger the risk. In the preceding example, the traffic must be encrypted in order for this risk to be triggered.
Parameters
@is_vpn
Indicates whether encrypted traffic should trigger the risk or not:
yes. Encrypted traffic should trigger the risk.
no. Encrypted traffic should not trigger the risk.
@pass_rule
The name of the rule that is relevant for this traffic in AFA.
Host group risk item guidelines
Sample host group risk item (RiskH02)
Hosts/Host[
    @name $eq$ "Trusted_hosts" $and$
    eval("20", "Number") $lt$ @n_Total
]
This query checks whether the pre-defined "Trusted_hosts" object (which represents servers that can manage this firewall) contains a certain number of IP addresses.
Parameters
@name
The host group's name.
Only alphanumeric characters, '_', '.', and '-' can be used. Other characters are automatically replaced by '_'.
@n_Total
The number of IP addresses contained in the host group.
@internal
Indicates whether this host group contains internal IP addresses:
yes. This host group contains internal IP addresses.
no. This host group does not contain internal IP addresses.
@external
Indicates whether this host group contains external IP addresses:
yes. This host group contains external IP addresses.
no. This host group does not contain external IP addresses.
@zone_spanning
Indicates whether this host group spans multiple zones:
yes. This host group spans multiple zones.
no. This host group does not span multiple zones.
Property risk item guidelines
Property risk items are used to detect the value of certain firewall properties. These properties are extracted by AFA during analysis. For a full list of properties, refer to the properties.xml file in the relevant report directory.
Note: Properties will differ between firewall vendors. Parameters can be created for Check Point firewalls from the asm.C file.
Sample property risk item (risk P05)
Props[http_enforce_buffer_overflow[@value $ne$ "true"]]
Rule risk item guidelines
Sample rule risk item (risk R01)
Rules/Rulebase[@interface="%INTERFACE"]/Rule[
    @dst = "*" $and$
    @srv = "*" $and$
    @orig_rule $ne$ "" $and$
    @orig_rule $ne$ "0" $and$
    @vpn $ne$ "VPN_PERMIT" $and$
    @vpn $ne$ "VPN" $and$
    @action = "PASS"
]
This query detects all rules other than VPN rules, where both the destination and the service are "any", and the action is "PASS".
Parameters
@src
The source object of the rule.
@dst
The destination object of the rule.
@srv
The service object of the rule.
@src_xlt
The translated source hostgroup object.
@dst_xlt
The translated destination hostgroup object.
@ruleno
The expanded rule ID.
@action
The rule action:
PASS. Pass the specified traffic.
DROP. Drop the specified traffic.
@orig_rule
The original rule number (in vendor format).
@vpn
Indicates whether the rule is a VPN rule, as well as whether traffic is encrypted:
A number. The rule is a VPN rule, and the number indicates the relevant VPN rule's number. Traffic is not encrypted.
VPN or VPN_PERMIT. The rule is a VPN rule. Traffic is encrypted.
Empty (""). The rule is not a VPN rule.
Note: AFA performs these queries on its internal "Expanded rules". To see these rules in your device report, go to Explore Policy -> Expanded Rules.
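As an added illustration that is not part of the AFA documentation and not AFA's XQL engine, the following stand-alone Python script re-implements the operator semantics listed at the top of this page ($eq$, $ne$, $lt$, $gt$, $match$, $no_match$, all combined with $and$) and applies the clauses of the R01 sample to a constructed Rules/Rulebase/Rule XML fragment. The element and attribute names follow the sample; the XML content, the interface name eth0 and the function names are assumptions made for the example.

```python
# Added illustration, not AFA code: evaluate risk-item style clauses over a
# constructed expanded-rules XML fragment shaped like the R01 sample.
import re
import xml.etree.ElementTree as ET

# Constructed sample data; interface name and rule values are invented.
RULES_XML = """
<Rules>
  <Rulebase interface="eth0">
    <Rule ruleno="1" src="Trusted_hosts" dst="fw" srv="ssh" action="PASS" orig_rule="3" vpn=""/>
    <Rule ruleno="2" src="*" dst="*" srv="*" action="PASS" orig_rule="7" vpn=""/>
    <Rule ruleno="3" src="*" dst="*" srv="*" action="PASS" orig_rule="8" vpn="VPN_PERMIT"/>
    <Rule ruleno="4" src="*" dst="*" srv="*" action="DROP" orig_rule="9" vpn=""/>
    <Rule ruleno="5" src="*" dst="*" srv="*" action="PASS" orig_rule="0" vpn=""/>
  </Rulebase>
</Rules>
"""

# Operator names mirror the XQL operators listed on this page; lt/gt compare
# numerically, as eval("256", "Number") does in the traffic sample.
OPS = {
    "eq": lambda a, b: a == b,
    "ne": lambda a, b: a != b,
    "lt": lambda a, b: float(a) < float(b),
    "gt": lambda a, b: float(a) > float(b),
    "match": lambda a, b: re.search(b, a) is not None,
    "no_match": lambda a, b: re.search(b, a) is None,
}

def matches(elem, clauses):
    """True when every (attribute, op, value) clause holds ($and$ of all clauses)."""
    return all(OPS[op](elem.get(attr, ""), value) for attr, op, value in clauses)

# The R01 sample as clauses: dst and srv "any", real original rule number, not VPN, PASS.
R01 = [("dst", "eq", "*"), ("srv", "eq", "*"),
       ("orig_rule", "ne", ""), ("orig_rule", "ne", "0"),
       ("vpn", "ne", "VPN_PERMIT"), ("vpn", "ne", "VPN"),
       ("action", "eq", "PASS")]

def risky_rules(xml_text, interface, clauses):
    """Original rule numbers of rules on `interface` that satisfy all clauses."""
    root = ET.fromstring(xml_text)
    hits = []
    for rulebase in root.findall("Rulebase"):
        if rulebase.get("interface") != interface:   # the %INTERFACE filter
            continue
        hits += [r.get("orig_rule") for r in rulebase.findall("Rule")
                 if matches(r, clauses)]
    return hits
```

Calling risky_rules(RULES_XML, "eth0", R01) returns ['7']: only the rule whose destination and service are both "any", that is not a VPN rule and that passes traffic; the DROP rule, the VPN_PERMIT rule and the rule with orig_rule "0" are excluded exactly as the sample's clauses intend.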
Assessment and remedy keywords
The following keywords can be added to risk item assessments and remedies, for richer user-defined risk descriptions in the report. Keyword use is optional.
For more details, see Customize risk items.
Traffic Risk Item Keywords
%AMOUNT: The number of rules that contributed to the risk.
%CUSTOMIZATION_NOTE: Standard text explaining how to eliminate this risk.
%FWNAME: A link to the device's host group.
%HGRP{hostgroup}: A link to the specified host group, hostgroup. The host group can be a zone name: Inside, Outside, DMZs, or a user-defined zone name.
%HREF{url}: A link to an HTML file, url.
%N_DST_IMPACT_IPS: The number of destination IP addresses in the query output (without VPNs).
%N_DST_IMPACT_IPS_COUNT_VPN: The number of destination IP addresses in the query output (with VPNs).
%N_SRC_IMPACT_IPS: The number of source IP addresses in the query output (without VPNs).
%N_SRC_IMPACT_IPS_COUNT_VPN: The number of source IP addresses in the query output (with VPNs).
%N_TCP_DST_PORTS: The number of reachable destination TCP ports in the query output.
%N_UDP_DST_PORTS: The number of reachable destination UDP ports in the query output.
%PCIDS: The Payment Card Industry Data Security Standard risk level.
%QREF{QueryInputFile:service}: A "Details" button linking to the query results for the specified traffic, where QueryInputFile is the query input file and service is the service, as defined in the AFA's device topology. For example: %QREF{q_srv_Inside_Outside:http}
%QSRC_LIST{QueryInputFile}: A list of source host groups that can access the device, as specified in the query input file, QueryInputFile.
%SRV{service}: A link to the specified service, service. For example, %SRV{smtp} would be replaced by "smtp" and linked to the definition of this service, as defined on this device.
%SRV_LIST: A list of all the services in the query output.
%SRV_TABLE{QueryInputFile}: A "Details" button linking to a table of the services in the query results, where QueryInputFile is the query input file.
Host Group Risk Item Keywords
%AMOUNT: The number of rules that contributed to the risk.
%CUSTOMIZATION_NOTE: Standard text explaining how to eliminate this risk.
%HGRP{hostgroup}: A link to the specified host group, hostgroup. The host group can be a zone name: Inside, Outside, DMZs, or a user-defined zone name.
%HOST_TABLE: A list of relevant host groups.
%HREF{url}: A link to an HTML file, url.
%N_OUTSIDE_IPS: The number of outside IP addresses in the query output.
%N_TOTAL: The total number of IP addresses in the query output.
%PCIDS: The Payment Card Industry Data Security Standard risk level.
%SRV{service}: A link to the specified service, service. For example, %SRV{smtp} would be replaced by "smtp" and linked to the definition of this service, as defined on this device.
Property Risk Item Keywords
%CUSTOMIZATION_NOTE: Standard text explaining how to eliminate this risk.
%HGRP{hostgroup}: A link to the specified host group, hostgroup. The host group can be a zone name: Inside, Outside, DMZs, or a user-defined zone name.
%HREF{url}: A link to an HTML file, url.
%META{MetaDataParam}: A link to a parameter, MetaDataParam, that was extracted during AFA analysis.
%PCIDS: The Payment Card Industry Data Security Standard risk level.
%PROPERTY{propertyName}{displayedName}: A link to the specified device property, propertyName. The link anchor text is specified in the parameter displayedName.
%SRV{service}: A link to the specified service, service. For example, %SRV{smtp} would be replaced by "smtp" and linked to the definition of this service, as defined on this device.
Rule Risk Item Keywords
%AMOUNT: The number of rules that contributed to the risk.
%CUSTOMIZATION_NOTE: Standard text explaining how to eliminate this risk.
%HGRP{hostgroup}: A link to the specified host group, hostgroup. The host group can be a zone name: Inside, Outside, DMZs, or a user-defined zone name.
%HOST_TABLE: A list of relevant host groups.
%HREF{url}: A link to an HTML file, url.
%PCIDS: The Payment Card Industry Data Security Standard risk level.
%RULE: A link to the first rule in the query output.
%RULE_TABLE: A list of all the rules in the query output.
%SRV{service}: A link to the specified service, service. For example, %SRV{smtp} would be replaced by "smtp" and linked to the definition of this service, as defined on this device.
%SRV_LIST: A list of all the services in the query output.