AFA components
This topic describes the AFA components, including the baseline Operations and Optimization component, and additional options for Risk and Compliance, and ActiveChange for direct change implementations.
AFA Operations and Optimization module
AFA operations and optimization are the baseline of ASMS, supporting device administrators while they perform daily operations and change management activities, as well as providing detailed change history reports for all device configurations.
AFA also enables significant device performance improvements with a rich set of reports and recommendations that help improve device configuration efficiency, such as the Intelligent Rule Re-Ordering algorithm.
Visual display of the device policy, including topology, traffic, rules and objects. This includes an analysis of the routing table, a connectivity diagram, and changes from previous reports on the same device.
- Create a report on a group of devices with either pre-defined or ad-hoc device definitions.
- Analyze several devices together, taking into account their relative hierarchy in the network.
- Schedule an analysis per device or group of devices, based on pre-defined intervals (daily, weekly, monthly, etc.) and issue a report.
- Compare any two reports, whether from the same device, different devices, or different device vendors. Track the changes in a device policy between reports of any two dates. Show the changes in traffic, rules, services, host groups, topology and objects.
Run a traffic simulation query on a specific device or a group of devices to determine which rules control traffic between specific sources and destinations. This enables help desk teams to easily troubleshoot and prevent disruptions. It also provides for seamless server IP migration and security checking.
Routing queries allow you to check the end-to-end routing between two IP addresses on the map. They differ from traffic simulation queries because they do not take into account any security rules or NAT rules that may block or alter the routing path.
By exploring the policy and change history, an auditor receives the information required to produce a report that complies with corporate and regulatory standards. For more information, see the REGULATORY COMPLIANCE page.
Identify unused, covered, timed out and disabled rules that are candidates for removal.
- List rules that may not conform to company security policies, including rules without comments, rules without logs and rules with comments that do not include a ticket number.
- Show unused rules, the most used and the least used rules.
- Refine your device policy using AFA's Intelligent Policy Tuner. Identify rules that are too wide and permissive, and rules which contain rarely used and unused objects.
- Reorder your rules intelligently. AFA recommends new positions for the rules to increase the device performance. The recommended order retains the policy logic. Typically, repositioning only a few of the most used rules yields a significant improvement in performance.
- List unused, unattached and empty objects that are candidates for removal.
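The covered-rule and reordering items above, as an added illustration that is not AlgoSec code and does not reproduce AFA's algorithms: in a first-match policy, a rule is covered when a single earlier rule matches all of its traffic, and a frequently hit rule may move up only past neighbours where the swap cannot change a verdict. The rule names, addresses and hit counts are constructed, and the Rule fields and function names are assumptions of this example.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

Rule = namedtuple("Rule", "name src dst ports action hits")  # ports: range of dst ports

def query(rules, src, dst, port):
    """Traffic simulation: the first rule that matches the flow decides it."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst) and port in r.ports):
            return r

def contains(outer, inner):
    """Every packet matched by `inner` is also matched by `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.ports.start <= inner.ports.start
            and inner.ports.stop <= outer.ports.stop)

def overlaps(a, b):
    """Some packet can match both rules."""
    return (ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and a.ports.start < b.ports.stop and b.ports.start < a.ports.stop)

def covered(rules):
    """Names of rules that never fire: one earlier rule takes all their traffic."""
    return [r.name for i, r in enumerate(rules)
            if any(contains(e, r) for e in rules[:i])]

def reorder(rules):
    """Bubble high-hit rules up; swap neighbours only if no verdict can change."""
    out, moved = list(rules), True
    while moved:
        moved = False
        for i in range(1, len(out)):
            up, lo = out[i - 1], out[i]
            # Safe swap: same action, or no packet can match both rules.
            safe = up.action == lo.action or not overlaps(up, lo)
            if safe and lo.hits > up.hits:
                out[i - 1], out[i], moved = lo, up, True
    return out

# Constructed sample policy with hit counts (not taken from any real device).
RULES = [
    Rule("deny-telnet", "10.0.0.0/8", "192.168.10.0/24", range(23, 24), "deny", 40),
    Rule("allow-web", "10.1.0.0/16", "192.168.10.0/24", range(80, 444), "allow", 700),
    Rule("allow-web-host", "10.1.1.0/24", "192.168.10.5/32", range(443, 444), "allow", 0),
    Rule("allow-admin", "10.0.0.0/8", "192.168.10.0/24", range(22, 24), "allow", 5000),
]
```

In this sample, allow-admin has the most hits but stays below deny-telnet, because both match port 23 with opposite actions and swapping them would change the verdict for Telnet traffic.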
Continuously poll device policy changes and send e-mail alerts when a change is detected.
Send e-mails to pre-assigned users following a device analysis with the summary of the analysis and the changes from previous reports.
AFA Risk and Compliance
Highlights include:
- Deep risk analysis: Identifies every packet the device may encounter. Automatically maps topology and identifies the most serious threats based on industry best practices, prioritizes subsequent risks and offers guidance on what to remediate and how.
- Automatic assessment and compliance reports: Generates automatically populated per-device compliance reports to assure continued adherence to external regulatory standards including SOX, PCI-DSS, ISO 27001, Basel-II, and J-SOX, supplying the end-user or auditor with turnkey reports.
- Continuous security audit: Provides a complete audit trail and replaces error-prone manual tasks, to ensure configuration is aligned with security policy.
- Customize risk assessment: Add risk profiles, based on internal corporate standards and easily customize out-of-the-box risk profiles, with the AlgoSec wizard-driven Risk Profile Editor.
- E-mail notifications: Send e-mails to pre-assigned users, following a device risk analysis with the summary of the analysis and the changes to the security posture relative to previous reports.
- VPN analysis: Add risks associated with VPN rules and VPN objects to the Change History page and to e-mail notifications.
AFA ActiveChange
The optional ActiveChange license adds the ability to implement AFA recommendations directly from the AFA system for Check Point devices accessed via OPSEC.
Note: When FireFlow is being used, ActiveChange is used from FireFlow and supports many other device brands.
Highlights include:
- Ability to disable unused, covered, and redundant special case rules: Rules belonging to any of these three categories can be automatically disabled.
- Policy backup: The policy is backed up before changes are made, enabling one to easily revert to the pre-change policy.
- Full audit trail: Comments are added to every disabled rule to indicate which user made the change and when. These comments are visible in the Check Point Smart Dashboard.