AFA components

This topic describes the AFA components, including the baseline Operations and Optimization component, the optional Risk and Compliance module, and ActiveChange for direct change implementations.

AFA Operations and Optimization module

AFA operations and optimization are the baseline of ASMS, supporting device administrators while they perform daily operations and change management activities, as well as providing detailed change history reports for all device configurations.

AFA also enables significant device performance improvements with a rich set of reports and recommendations that help improve device configuration efficiency, such as the Intelligent Rule Re-Ordering algorithm.

AFA Risk and Compliance

The optional AFA Risk and Compliance Module adds risk management and compliance verification abilities to AFA Operations and Optimization. Built on AlgoSec's comprehensive knowledge base of industry best practices for device configurations, it allows users to quickly assess the security posture of their device configurations and ensure that all devices meet their specific security controls. It also includes automatically completed compliance reports.

Highlights include:

  • Deep risk analysis: Identifies every packet the device may encounter. Automatically maps topology, identifies the most serious threats based on industry best practices, prioritizes subsequent risks, and offers guidance on what to remediate and how.
  • Automatic assessment and compliance reports: Generates automatically populated, per-device compliance reports to assure continued adherence to external regulatory standards including SOX, PCI-DSS, ISO 27001, Basel-II, and J-SOX, supplying the end-user or auditor with turnkey reports.
  • Continuous security audit: Provides a complete audit trail and replaces error-prone manual tasks, to ensure configuration is aligned with security policy.
  • Customize risk assessment: Add risk profiles based on internal corporate standards, and easily customize out-of-the-box risk profiles with the AlgoSec wizard-driven Risk Profile Editor.
  • E-mail notifications: Send e-mails to pre-assigned users following a device risk analysis, with a summary of the analysis and the changes to the security posture relative to previous reports.
  • VPN analysis: Add risks associated with VPN rules and VPN objects to the Change History page and to e-mail notifications.

AFA ActiveChange

The optional ActiveChange license adds the ability to implement AFA recommendations directly from the AFA system for Check Point devices accessed via OPSEC.

Note: When FireFlow is being used, ActiveChange is used from FireFlow and supports many other device brands. For details, see Implement changes with ActiveChange.

Highlights include:

  • Ability to disable unused, covered, and redundant special case rules: Rules belonging to any of these three categories can be automatically disabled.
  • Policy backup: The policy is backed up before changes are made, enabling one to easily revert to the pre-change policy.
  • Full audit trail: Comments are added to every disabled rule to indicate which user made the change and when. These comments are visible in the Check Point Smart Dashboard.