Advanced risk editing

This section explains how to perform advanced editing of custom risk items. For information on custom risk items, see Customize risk profiles.

Overview

You can customize Risk Profiles by defining custom risk items. Custom risk items allow you to define more complex risks by composing the XQL query of your choice. For example, you can define risks for the following types of allowed traffic:

Group of several services from X to Y
Insecure external access to device
Over N machines can manage your device
TCP on over M ports can enter your network
"From A to B with service C" rules

All operators used in risk item XQL queries are standard XQL operators: $eq$, $ne$, $lt$, $gt$, $and$, $or$, $match$ (checks against a regular expression, e.g. '/abc[de]/'), $no_match$, brackets().

Risk item types

AFA supports the following types of risk items:

Type	Description
Traffic	Relates to risks regarding traffic allowed through the device. This type of risk item can be used to detect risky traffic allowed by the device. In standard risk items, this type is represented by the letters D,J,Z,K,I,S,O,M,E, C. In custom risk items, this type is represented by the letter U.
Host Group	Relates to risks regarding host group definitions. This type of risk item can be used to detect certain host groups defined on the device, according to specific criteria. In standard risk items, this type is represented by the letter H. In custom risk items, this type is represented by the letter U.
Properties	Relates to risks regarding device property definitions. This type of risk item can be used to detect the value of certain device properties. In standard risk items, this type is represented by the letter P. In custom risk items, this type is represented by the letter U.
Rules	Relates to risks regarding rule definitions. This type of risk item can be used to detect specific rules in the policy, for example rules with "Any" as their source and so on. In standard risk items, this type is represented by the letter R. In custom risk items, this type is represented by the letter U.

Traffic risk item guidelines

Sample traffic risk item (Rule I08)

Queries/QIndex[@name="q_srv_Outside_Inside"]/QEntry[

@srv $eq$ "http" $and$

eval("256", "Number") $lt$ @n_dst_impact_ips

]/QRes[

@n_risky_dst_ips $ne$ 0 $and$

@n_risky_src_ips $ne$ 0 $and$

@is_vpn $ne$ "yes"

]

QIndex

QEntry

@srv	The service that was queried.
@action	The action that occurred: PASS. Traffic was passed by the device. DROP. Traffic was blocked by the device.
@is_external_src	Indicates whether the source zone of the traffic is external or not: yes. The source zone is external. no. The source zone is not external.
@n_src_impact_ips	The total number of source IP addresses detected as relevant for this query.
@n_dst_impact_ips	The total number of destination IP addresses detected as relevant for this query.
@n_TCP_dst_ports	The total number of destination TCP ports detected as relevant for this query.
@n_UDP_dst_ports	The total number of destination UDP ports detected as relevant for this query.

QRes

Host group risk item guidelines

Sample host group risk item (RiskH02)

Hosts

/Host[

@name $eq$ "Trusted_hosts" $and$

eval("20", "Number") $lt$ @n_Total

]

This query checks whether the pre-defined "Trusted_hosts" object (which represents servers that can manage this firewall) contains a certain number of IP addresses.

Parameters

@name	The host group's name. Only alphanumeric characters, '_', '.', and '-' can be used. Other characters are automatically replaced by '_'.
@n_Total	The number of IP addresses contained in the host group.
@internal	Indicates whether this host group contains internal IP addresses: yes. This host group contains internal IP addresses. no. This host group does not contain internal IP addresses.
@external	Indicates whether this host group contains external IP addresses: yes. This host group contains external IP addresses. no. This host group does not contain external IP addresses.
@zone_spanning	Indicates whether this host group spans multiple zones: yes. This host group spans multiple zones. no. This host group does not span multiple zones.

Property risk item guidelines

Property risk items are used to detect the value of certain firewall properties. These properties are extracted by AFA during analysis. For a full list of properties, refer to the properties.xml file in the relevant report directory.

Note: Properties will differ between firewall vendors. Parameters can be created for Check Point firewalls from the asm.C file.

Sample property risk item (risk P05)

Props[http_enforce_buffer_overflow[@value $ne$ "true"]]

Rule risk item guidelines

Sample rule risk item (risk R01)

Rules/Rulebase[@interface="%INTERFACE"]/Rule

[

@dst = "*" $and$

@srv = "*" $and$

@orig_rule $ne$ "" $and$

@orig_rule $ne$ "0" $and$

@vpn $ne$ "VPN_PERMIT" $and$

@vpn $ne$ "VPN" $and$

@action = "PASS"

]

This query detects all rules other than VPN rules, where both the destination and the service are "any", and the action is "PASS".

Parameters

@src	The source object of the rule.
@dst	The destination object of the rule.
@srv	The service object of the rule.
@src_xlt	The translated source hostgroup object.
@dst_xlt	The translated destination hostgroup object.
@ruleno	The expanded rule ID.
@action	The rule action: PASS. Pass the specified traffic. DROP. Drop the specified traffic.
@orig_rule	The original rule number (in vendor format).
@vpn	Indicates whether the rule is a VPN rule, as well as whether traffic is encrypted: A number. The rule is a VPN rule, and the number indicates the relevant VPN rule's number. Traffic is not encrypted. VPN or VPN_PERMIT. The rule is a VPN rule. Traffic is encrypted. Empty (""). The rule is not a VPN rule.

Note: AFA performs these queries on its internal "Expanded rules". To see these rules in your device report, go to Explore Policy -> Expanded Rules.

Assessment and remedy keywords

The following keywords can be added to risk item assessments and remedies, for richer user-defined risk descriptions in the report. Keyword use is optional.

For more details, see Customize risk items.

Traffic Risk Item Keywords

Keyword	Description
%AMOUNT	The number of rules that contributed to the risk.
%CUSTOMIZATION_NOTE	Standard text explaining how to eliminate this risk.
%FWNAME	A link to the device's host group.
%HGRP{hostgroup}	A link to the specified host group, hostgroup. Can contain a zone name: Inside, Outside, DMZs, or a user-defined zone name.
%HREF{url}	A link to an HTML file, url.
%N_DST_IMPACT_IPS	The number of destination IP addresses in the query output (without VPNs).
%N_DST_IMPACT_IPS_COUNT_VPN	The number of destination IP addresses in the query output (with VPNs).
%N_SRC_IMPACT_IPS	The number of source IP addresses in the query output (without VPNs).
%N_SRC_IMPACT_IPS_COUNT_VPN	The number of source IP addresses in the query output (with VPNs).
%N_TCP_DST_PORTS	The number of reachable destination TCP ports in the query output.
%N_UDP_DST_PORTS	The number of reachable destination UDP ports in the query output.
%PCIDS	The Payment Card Industry Data Security Standard risk level.
%QREF{QueryInputFile:service}	A "Details" button linking to the query results for the specified traffic, where: QueryInputFile is the query input file, and service is the service, as defined in the AFA's device topology. For example: %QREF{q_srv_Inside_Outside:http}
%QSRC_LIST{QueryInputFile}	A list of source host groups that can access the device, as specified in the query input file, QueryInputFile.
%SRV{service}	A link to the specified service, service. For example, %SRV{smtp} would be replaced by "smtp" and linked to the definition of this service, as defined on this device.
%SRV_LIST	A list of all the services in the query output.
%SRV_TABLE{QueryInputFile}	A "Details" button linking to a table of the services in the query results, where QueryInputFile is the query input file.

Host Group Risk Item Keywords

Keyword	Description
%AMOUNT	The number of rules that contributed to the risk.
%CUSTOMIZATION_NOTE	Standard text explaining how to eliminate this risk.
%HGRP{hostgroup}	A link to the specified host group, hostgroup. Can contain a zone name: Inside, Outside, DMZs, or a user-defined zone name.
%HOST_TABLE	A list of relevant host groups.
%HREF{url}	A link to an HTML file, url.
%N_OUTSIDE_IPS	The number of outside IP addresses in the query output.
%N_TOTAL	The total number of IP addresses in the query output.
%PCIDS	The Payment Card Industry Data Security Standard risk level.
%SRV{service}	A link to the specified service, service. For example, %SRV{smtp} would be replaced by "smtp" and linked to the definition of this service, as defined on this device.

Property Risk Item Keywords

Keyword	Description
%CUSTOMIZATION_NOTE	Standard text explaining how to eliminate this risk.
%HGRP{hostgroup}	A link to the specified host group, hostgroup. Can contain a zone name: Inside, Outside, DMZs, or a user-defined zone name.
%HREF{url}	A link to an HTML file, url.
%META{MetaDataParam}	A link to a parameter, MetaDataParam, that was extracted during AFA analysis.
%PCIDS	The Payment Card Industry Data Security Standard risk level.
%PROPERTY{propertyName}{displayedName}	A link to the specified device property, propertyName. The link anchor text is specified in the parameter displayedName.
%SRV{service}	A link to the specified service, service. For example, %SRV{smtp} would be replaced by "smtp" and linked to the definition of this service, as defined on this device.

Rule Risk Item Keywords

@srv	The service that was queried.
@app	The application that was queried.
@is_vpn	Indicates whether encrypted traffic should trigger the risk or not. yes (default): Encrypted traffic should trigger the risk no: Encrypted traffic should not trigger the risk
@pass_rule	The name of the rule that is relevant for this traffic in AFA.
@n_risky_src_ips	The total number of source IP addresses detected as risky for this query.
@n_risky_dst_ips	The total number of destination IP addresses detected as risky for this query.