Advanced risk editing

This section explains how to perform advanced editing of custom risk items. For information on custom risk items, see Customize risk profiles.

Overview

You can customize Risk Profiles by defining custom risk items. Custom risk items allow you to define more complex risks by composing the XQL query of your choice. For example, you can define risks for the following types of allowed traffic:

  • Group of several services from X to Y
  • Insecure external access to device
  • Over N machines can manage your device
  • TCP on over M ports can enter your network
  • "From A to B with service C" rules

All operators used in risk item XQL queries are standard XQL operators: $eq$, $ne$, $lt$, $gt$, $and$, $or$, $match$ (checks against a regular expression, e.g. '/abc[de]/'), $no_match$, brackets().

Risk item types

AFA supports the following types of risk items:

Type

Description

Traffic

Relates to risks regarding traffic allowed through the device.

This type of risk item can be used to detect risky traffic allowed by the device.

In standard risk items, this type is represented by the letters D,J,Z,K,I,S,O,M,E, C. In custom risk items, this type is represented by the letter U.

Host Group

Relates to risks regarding host group definitions.

This type of risk item can be used to detect certain host groups defined on the device, according to specific criteria.

In standard risk items, this type is represented by the letter H. In custom risk items, this type is represented by the letter U.

Properties

Relates to risks regarding device property definitions.

This type of risk item can be used to detect the value of certain device properties.

In standard risk items, this type is represented by the letter P. In custom risk items, this type is represented by the letter U.

Rules

Relates to risks regarding rule definitions.

This type of risk item can be used to detect specific rules in the policy, for example rules with "Any" as their source and so on.

In standard risk items, this type is represented by the letter R. In custom risk items, this type is represented by the letter U.

Traffic risk item guidelines

Sample traffic risk item (Rule I08)

Queries/QIndex[@name="q_srv_Outside_Inside"]/QEntry[

@srv $eq$ "http" $and$

eval("256", "Number") $lt$ @n_dst_impact_ips

]/QRes[

@n_risky_dst_ips $ne$ 0 $and$

@n_risky_src_ips $ne$ 0 $and$

@is_vpn $ne$ "yes"

]

This section specifies the traffic source and destination zones, by indicating them in the name of the query results file.

Parameters

@name

The query results file's name in the format:

q_srv_srcZone_dstZone

where srcZone is the source zone, and dstZone is the destination zone, as defined in the AFA's device topology.

Available zones include Outside, Inside, DMZs, and any user-defined zone type

For example:

  • In the preceding example, the file name is q_srv_Outside_Inside.
  • For traffic going from Inside to DMZs, the relevant file name would be q_srv_Inside_DMZs.
  • For traffic between different Internal zones, the relevant file name would be q_srv_Inside_Inside.

For access to device itself, use the file name q_fw_access.

This section describes the type of traffic between the source and destination zones (specified in QIndex) that will trigger the risk. In the preceding example, a traffic query issued to the device simulation engine will trigger this risk if the service is HTTP and the number of affected destination IP addresses is over 256.

Parameters

@srv

The service that was queried.
@action

The action that occurred:

  • PASS. Traffic was passed by the device.
  • DROP. Traffic was blocked by the device.
@is_external_src

Indicates whether the source zone of the traffic is external or not:

  • yes. The source zone is external.
  • no. The source zone is not external.
@n_src_impact_ips

The total number of source IP addresses detected as relevant for this query.
@n_dst_impact_ips

The total number of destination IP addresses detected as relevant for this query.
@n_TCP_dst_ports

The total number of destination TCP ports detected as relevant for this query.
@n_UDP_dst_ports

The total number of destination UDP ports detected as relevant for this query.

This section describes the type of traffic query results that will trigger the risk. In the preceding example, the traffic must be not encrypted in order for this risk to be triggered.

Parameters

@srv

The service that was queried.
@app

The application that was queried.
@is_vpn

Indicates whether encrypted traffic should trigger the risk or not.

  • yes (default): Encrypted traffic should trigger the risk
  • no: Encrypted traffic should not trigger the risk
@pass_rule

The name of the rule that is relevant for this traffic in AFA.
@n_risky_src_ips

The total number of source IP addresses detected as risky for this query.
@n_risky_dst_ips

The total number of destination IP addresses detected as risky for this query.

Host group risk item guidelines

Sample host group risk item (RiskH02)

Hosts

/Host[

@name $eq$ "Trusted_hosts" $and$

eval("20", "Number") $lt$ @n_Total

]

This query checks whether the pre-defined "Trusted_hosts" object (which represents servers that can manage this firewall) contains a certain number of IP addresses.

@name

The host group's name.

Only alphanumeric characters, '_', '.', and '-' can be used. Other characters are automatically replaced by '_'.
@n_Total

The number of IP addresses contained in the host group.
@internal

Indicates whether this host group contains internal IP addresses:

  • yes. This host group contains internal IP addresses.
  • no. This host group does not contain internal IP addresses.
@external

Indicates whether this host group contains external IP addresses:

  • yes. This host group contains external IP addresses.
  • no. This host group does not contain external IP addresses.
@zone_spanning

Indicates whether this host group spans multiple zones:

  • yes. This host group spans multiple zones.
  • no. This host group does not span multiple zones.

Property risk item guidelines

Property risk items are used to detect the value of certain firewall properties. These properties are extracted by AFA during analysis. For a full list of properties, refer to the properties.xml file in the relevant report directory.

Note: Properties will differ between firewall vendors. Parameters can be created for Check Point firewalls from the asm.C file.

Sample property risk item (risk P05)

Props[http_enforce_buffer_overflow[@value $ne$ "true"]]

Rule risk item guidelines

Sample rule risk item (risk R01)

Rules/Rulebase[@interface="%INTERFACE"]/Rule

[

@dst = "*" $and$

@srv = "*" $and$

@orig_rule $ne$ "" $and$

@orig_rule $ne$ "0" $and$

@vpn $ne$ "VPN_PERMIT" $and$

@vpn $ne$ "VPN" $and$

@action = "PASS"

]

This query detects all rules other than VPN rules, where both the destination and the service are "any", and the action is "PASS".

@src

The source object of the rule.
@dst

The destination object of the rule.
@srv

The service object of the rule.
@src_xlt

The translated source hostgroup object.
@dst_xlt

The translated destination hostgroup object.
@ruleno

The expanded rule ID.
@action

The rule action:

  • PASS. Pass the specified traffic.
  • DROP. Drop the specified traffic.
@orig_rule

The original rule identifier (in vendor format).
@vpn

Indicates whether the rule is a VPN rule, as well as whether traffic is encrypted:

  • A number. The rule is a VPN rule, and the number indicates the relevant VPN rule's number. Traffic is not encrypted.
  • VPN or VPN_PERMIT. The rule is a VPN rule. Traffic is encrypted.
  • Empty (""). The rule is not a VPN rule.

Note: AFA performs these queries on its internal "Expanded rules". To see these rules in your device report, go to Explore Policy -> Expanded Rules.

Assessment and remedy keywords

The following keywords can be added to risk item assessments and remedies, for richer user-defined risk descriptions in the report. Keyword use is optional.

For more details, see Customize risk items.

Keyword

Description

%AMOUNT

The number of rules that contributed to the risk.

%CUSTOMIZATION_NOTE

Standard text explaining how to eliminate this risk.

%FWNAME

A link to the device's host group.

%HGRP{hostgroup}

A link to the specified host group, hostgroup.

Can contain a zone name: Inside, Outside, DMZs, or a user-defined zone name.

%HREF{url}

A link to an HTML file, url.

%N_DST_IMPACT_IPS

The number of destination IP addresses in the query output (without VPNs).

%N_DST_IMPACT_IPS_COUNT_VPN

The number of destination IP addresses in the query output (with VPNs).

%N_SRC_IMPACT_IPS

The number of source IP addresses in the query output (without VPNs).

%N_SRC_IMPACT_IPS_COUNT_VPN

The number of source IP addresses in the query output (with VPNs).

%N_TCP_DST_PORTS

The number of reachable destination TCP ports in the query output.

%N_UDP_DST_PORTS

The number of reachable destination UDP ports in the query output.

%PCIDS

The Payment Card Industry Data Security Standard risk level.

%QREF{QueryInputFile:service}

A "Details" button linking to the query results for the specified traffic, where:

QueryInputFile is the query input file, and

service is the service, as defined in the AFA's device topology.

For example: %QREF{q_srv_Inside_Outside:http}

%QSRC_LIST{QueryInputFile}

A list of source host groups that can access the device, as specified in the query input file, QueryInputFile.

%SRV{service}

A link to the specified service, service.

For example, %SRV{smtp} would be replaced by "smtp" and linked to the definition of this service, as defined on this device.

%SRV_LIST

A list of all the services in the query output.

%SRV_TABLE{QueryInputFile}

A "Details" button linking to a table of the services in the query results, where QueryInputFile is the query input file.

Keyword

Description

%AMOUNT

The number of rules that contributed to the risk.

%CUSTOMIZATION_NOTE

Standard text explaining how to eliminate this risk.

%HGRP{hostgroup}

A link to the specified host group, hostgroup.

Can contain a zone name: Inside, Outside, DMZs, or a user-defined zone name.

%HOST_TABLE

A list of relevant host groups.

%HREF{url}

A link to an HTML file, url.

%N_OUTSIDE_IPS

The number of outside IP addresses in the query output.

%N_TOTAL

The total number of IP addresses in the query output.

%PCIDS

The Payment Card Industry Data Security Standard risk level.

%SRV{service}

A link to the specified service, service.

For example, %SRV{smtp} would be replaced by "smtp" and linked to the definition of this service, as defined on this device.

Keyword

Description

%CUSTOMIZATION_NOTE

Standard text explaining how to eliminate this risk.

%HGRP{hostgroup}

A link to the specified host group, hostgroup.

Can contain a zone name: Inside, Outside, DMZs, or a user-defined zone name.

%HREF{url}

A link to an HTML file, url.

%META{MetaDataParam}

A link to a parameter, MetaDataParam, that was extracted during AFA analysis.

%PCIDS

The Payment Card Industry Data Security Standard risk level.

%PROPERTY{propertyName}{displayedName}

A link to the specified device property, propertyName. The link anchor text is specified in the parameter displayedName.

%SRV{service}

A link to the specified service, service.

For example, %SRV{smtp} would be replaced by "smtp" and linked to the definition of this service, as defined on this device.

Keyword

Description

%AMOUNT

The number of rules that contributed to the risk.

%CUSTOMIZATION_NOTE

Standard text explaining how to eliminate this risk.

%HGRP{hostgroup}

A link to the specified host group, hostgroup.

Can contain a zone name: Inside, Outside, DMZs, or a user-defined zone name.

%HOST_TABLE

A list of relevant host groups.

%HREF{url}

A link to an HTML file, url.

%PCIDS

The Payment Card Industry Data Security Standard risk level.

%RULE

A link to the first rule in the query output.

%RULE_TABLE

A list of all the rules in the query output.

%SRV{service}

A link to the specified service, service.

For example, %SRV{smtp} would be replaced by "smtp" and linked to the definition of this service, as defined on this device.

%SRV_LIST

A list of all the services in the query output.