Best Practices for Ongoing Maintenance in ASMS

As new network devices are introduced into your environment, they must be added to ASMS.

Unmanaged devices can be added individually or imported in bulk. For managed devices, you need to add the manager device in ASMS, which will automatically pull in the managed devices.

• For details on adding or updating devices, see Manage devices and Maintain devices.

• For details on adding or updating devices in bulk, see Add/update multiple devices in bulk.

• Automation is possible by using the following APIs:

  1. Add/Edit a device– For adding/editing individual devices or management systems

  2. Get device info about managed devices – Use in conjunction with the add/edit APIs to add/edit devices in a management system

When network devices are decommissioned, they should be removed from ASMS to keep the map modeling accurate and free of outdated information.

• For details on deleting devices, see Manage devices.

• Automation is possible by using the following APIs:

  • Delete a device

If you are using standard or custom risk profiles based on security zones, it's necessary to update the topology of newly added or modified devices to ensure accurate risk analysis.

Automation Options:

1. Partial automation is possible as a custom process via API. Dependent on provided inventory source or specified logic. Use the following APIs:

   • Get zones data from a device; or

   • Retrieve interfaces

2. Full automation is possible with assistance of AlgoSec Professional Services.

If ConnectStubs is implemented in your environment, ensure the configuration file is updated as needed. ConnectStubs is used solely to address specific gaps in the network that cannot be modeled by ASMS.

1. Such situations were identified during the initial configuration and any changes to the gap areas would require an update to the ConnectStubs configuration.

2. For example, if ConnectStubs was used to represent MPLS networks, then any changes such as new connections, removed connections, or modified connections to the MPLS networks would require an update to the ConnectStubs configuration

AlgoSec Professional Services will provide the necessary documentation if ConnectStubs is implemented in your environment.

Automation can be achieved by using scripts to update the required configuration files.

Layer 2 devices require manual URT creation for accurate analysis. If you have a large number of Layer 2 devices, a semi-automated solution for generating these URTs can be implemented with assistance from AlgoSec Professional Services.

For details on configuring Layer 2 Devices, see Manage layer 2 devices in the map, Specify routing data manually.

Automation is possible by using scripts to place the devices into subnets and generate the URT files. For assistance with this, contact AlgoSec Professional Services.

Devices that are unsupported by AlgoSec or have specific unsupported configurations may require manual URT creation to accurately represent them on the map and ensure precise map modeling..

For details on configuring Manual URTs, see Specify routing data manually

Automation is possible via custom scripts that collect the routes and interfaces from the device and convert to the URT file format.

The Topology Advisor helps identify missing routers or other devices and can be used to detect gaps in the network or recognize newly added devices.

• For details on adding or updating devices,see Improve the map or Improve the map (CLI).

• Automation is possible by using the following APIs:

  • Identify missing routers

The credentials used to connect to the network devices must be updated when they are updated in your environment.

• For details on updating device passwords, see Manage Devices, Update a password for multiple devices.

• Automation is possible by using the following APIs:

  • Add/Edit a device – For editing individual devices or management systems.

If LDAP authentication is configured, a bind account is typically used. When the password for this account is updated, it must also be updated in ASMS.

• For details on updating authentication passwords, see User authentication via authentication servers.

• Automation is not currently possible for this task,

The service status should be checked to ensure the system is operating as expected.

• For details on checking the status of system services, see Test ASMS processes.

• Information on critical services is alerted on via the AlgoSec Watchdog process. These messages can be forwarded to an external system for automated alerting. See ASMS Monitoring and syslog messages.

Disk space and memory usage should be monitored to prevent resource exhaustion and ensure optimal system performance.

• Disk space and memory usage can be checked by using standard Linux utilities df, du and free.

• Information on disk space or memory thresholds is alerted on via the Algosec Watchdog process. These messages can be forwarded to an external system for automated alerting. See ASMS Monitoring and syslog messages.

If HA or DR are used, the status of synchronization between nodes should be checked on a regular basis to ensure that the system is available.

• For details on checking the status of HA / DR services, see Configure HA/DR Parameters.

• Information on HA/DR events is alerted via the AlgoSec Watchdog process. These messages can be forwarded to an external system for automated alerting. See ASMS Monitoring and syslog messages.

When the Distributed Architecture is used the system should be checked on a regular basis to ensure that the distributed nodes and communicating and functioning correctly

• Check for a “green” status on the Distributed Architecture page. For details on the Distributed Architecture configuration, see Configure a distributed architecture.

• Information on Load-Distribution or Geo Distribution connection events is alerted via the AlgoSec Watchdog process. These messages can be forwarded to an external system for automated alerting. See ASMS Monitoring and syslog messages.

When hotfixes are released, review the release notes to identify any fixes relevant to your specific ASMS environment.

• For details on upgrade the ASMS system, see Upgrade your system.

• Automation is not currently possible for this task.

Privileged users should first be added to Firewall Analyzer. Afterward, their roles and permissions for AppViz can be updated accordingly.

• For details on managing permissions on Privileged users, see Manage permissions and roles (SaaS)/AppViz users, permissions, and roles (on-prem).

• Automation is possible using the following APIs: AppViz Permissions REST APIs (SaaS)/AppViz Permissions REST APIs (on-prem).

Privileged users should first be added to Firewall Analyzer. Afterward, their roles and permissions for FireFlow can be updated as needed.

• For details on managing Privileged users in FireFlow, see Manage privileged users.

• Automation is not currently possible for this task.