Early availability features

This topic describes the features currently available in ASMS as Early Availability (EA) and how to enable each of them.

ASMS's Early Availability features give you access to new functionality and device support before it reaches general availability. Customers who take part in Early Availability often provide invaluable feedback on the design and implementation of these features. Early Availability features go through shorter QA cycles than GA features and are therefore disabled by default.

Warning: We recommend that you do not use Early Availability features in production. Enable them only on test systems, and keep them disabled on production systems.
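The warning above is easy to violate by accident, because each EA feature on this page has its own switch with its own value vocabulary (true/false, yes/no, ON/OFF). The following Python script is an added example, not part of this page or of AlgoSec's software: it audits a parameter export for EA switches that are still enabled before a system is promoted to production. The flag names and their enabling values are the ones documented on this page; the Name=Value export format and the sample export are assumptions made for the example (the real Advanced Configuration page is a table in the AFA UI).

```python
"""Audit an ASMS Advanced Configuration export for Early Availability (EA)
flags that are still enabled. Added example, not AlgoSec code. Flag names
and enabling values are the ones listed on this page; the 'Name=Value'
export format and the sample export below are assumptions for the example."""

# EA switches documented on this page, each with the value that enables it.
# The vocabularies differ (true/false, yes/no, ON/OFF), so the enabling value
# is recorded per flag rather than assuming one convention.
EA_FLAGS = {
    "AlgoSec_EA_MSO_ActiveChange": "true",
    "AlgoSec_EA_NSXT_Cloud": "yes",
    "AlgoSec_EA_Panorama_Prisma_Support": "yes",
    "Bulk_Add_Remove_EA": "on",
    "ALGOSEC_EA_PANORAMA_EDL": "yes",
    "ALGOSEC_EA_GCP": "yes",
    "EA_CF_Auto_Onboard": "yes",
    "ALGOSEC_EA_TREE_RIGHT_CLICK_MENU": "yes",
    "SHOW_REGIONS_WITHOUT_ASSETS_AWS": "true",
    "SHOW_UNASSIGNED_SECURITY_GROUPS_AWS": "true",
}


def parse_export(text):
    """Parse 'Name=Value' lines into a dict. Blank lines and '#' comments are
    skipped; a line without '=' is a malformed export and raises ValueError."""
    params = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected Name=Value, got {raw!r}")
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def enabled_ea_flags(params):
    """Names of EA flags whose current value enables the feature.
    Values are compared case-insensitively (the UI accepts ON/on, True/true);
    names are compared exactly, since they are distinct parameters."""
    hits = [name for name, enabling in EA_FLAGS.items()
            if params.get(name, "").strip().lower() == enabling]
    return sorted(hits, key=str.lower)


def ea_flags_not_on_list(params):
    """Parameters that look like EA switches ('_EA_' in the name or an '_EA'
    suffix) but are not in EA_FLAGS: review these by hand rather than assume
    they are harmless."""
    return sorted(name for name in params
                  if name not in EA_FLAGS
                  and ("_EA_" in name.upper() or name.upper().endswith("_EA")))


def audit(text):
    """Return (enabled known EA flags, unlisted EA-like flags) for an export."""
    params = parse_export(text)
    return enabled_ea_flags(params), ea_flags_not_on_list(params)


# Constructed sample export; not taken from a real system.
SAMPLE_EXPORT = """\
# Advanced Configuration export (constructed sample)
AlgoSec_EA_MSO_ActiveChange=true
AlgoSec_EA_NSXT_Cloud=no
Bulk_Add_Remove_EA=ON
ALGOSEC_EA_PANORAMA_EDL = yes
ALGOSEC_EA_FUTURE_THING=yes
Data_Collection_Slaves=false
"""

if __name__ == "__main__":
    enabled, unlisted = audit(SAMPLE_EXPORT)
    for name in enabled:
        print(f"EA flag enabled: {name}")
    for name in unlisted:
        print(f"EA-like flag not on the known list, review by hand: {name}")
```

Run it against an export taken just before cut-over; any name it prints is a feature that the page above says should be off in production, and the "review by hand" list catches switches added after this list was written.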

Enable ActiveChange for MSO- and NDO-managed Cisco ACI tenants

ActiveChange for Cisco ACI tenants managed by a Cisco MSO (Multi-Site Orchestrator) or NDO (Nexus Dashboard Orchestrator) is available as an early availability feature.

Note: By default, ActiveChange is supported for tenants managed directly by an APIC.

With this early availability feature enabled, you can add, modify, and remove policy rules directly from FireFlow.

When Cisco ACI tenants are managed by an MSO/NDO, each APIC in turn can manage one or more tenants. Each tenant contains one schema with one or more associated templates. The schema and templates are configured in FireFlow so that ActiveChange can implement changes on the device.

To enable or disable early availability ActiveChange for MSO- and NDO-managed Cisco ACI in AFA:

  1. In the AFA Administration area, navigate to the Options > Advanced Configuration tab.

  2. Click ADD to add a new configuration parameter, and enter the following details:

    Name: AlgoSec_EA_MSO_ActiveChange

    Value: one of the following:

    • true = Enable ActiveChange support for MSO- and NDO-managed Cisco ACI tenants
    • false (default) = Disable ActiveChange support for MSO- and NDO-managed Cisco ACI tenants

  3. Click OK.

Note: After switching between EA and GA mode, we recommend that you restart your system.

Configure ActiveChange behavior for MSO- and NDO-managed Cisco ACI tenants in FireFlow

In ACI MSO/NDO there is no default schema or template. To implement ActiveChange for MSO- and NDO-managed Cisco ACI tenants, you must define the schema and templates for each tenant.

Configuration parameter: CiscoMsoActiveChangePolicyTargets

Defines the policy targets (schema and templates) for each tenant.

Format:

{
  "<APIC ID/name>": {
    "<tenant name>": {
      "schema": "<schema name>",
      "templates": ["<template1>", "<template2>", ...]
    }
  }
}

Limitation: In this Early Availability version, if you define more than one template for a schema, ActiveChange uses only the first template in the list (the list defined in the FireFlow parameter CiscoACIMSOActiveChangePolicyTargets; see the procedure below).

For example, schema Payroll has the templates Detroit, Baltimore, and Abu Dhabi. Because changes are applied on the MSO and deployed to the first template defined in the schema, ActiveChange selects only Detroit.

Changes are made only to the Filters and Contracts defined in the template that is configured in FireFlow.

Configuration parameter: CiscoMsoActiverChangeCommit

By default, FireFlow applies changes on the MSO/NDO and deploys them to the relevant MSO- or NDO-managed Cisco ACI APICs. If required, you can change this so that changes are applied only on the MSO/NDO, and you commit them to the APICs manually later.

The value of this parameter determines whether ActiveChange deploys changes to the APICs.

The possible values are:

  • deploy (default): Changes are applied on the MSO/NDO and deployed to the APICs.

  • commit: Changes are applied only on the MSO/NDO.
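Because the first template silently wins and an unexpected commit value is a misconfiguration rather than an error, it is worth checking both parameters before pasting them into FireFlow. The Python below is an added example, not AlgoSec code: it validates a CiscoMsoActiveChangePolicyTargets value against the format above and reports which template ActiveChange will actually change and which ones it will leave untouched, together with the effect of the chosen CiscoMsoActiverChangeCommit value. The APIC, tenant, schema and template names in the sample are constructed to match the Payroll example above.

```python
"""Validate a CiscoMsoActiveChangePolicyTargets value before pasting it into
FireFlow, and show which template ActiveChange will actually touch. Added
example, not AlgoSec code. The structure checked is the format given on this
page; the commit-mode values come from the CiscoMsoActiverChangeCommit
description; the sample names are constructed."""

import json

COMMIT_MODES = ("deploy", "commit")
TARGET_KEYS = {"schema", "templates"}


def parse_policy_targets(text):
    """Parse the JSON and check its shape:
    { "<APIC id/name>": { "<tenant>": {"schema": str, "templates": [str, ...]} } }.
    Raises ValueError naming the offending element."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from None
    if not isinstance(data, dict) or not data:
        raise ValueError("top level must be a non-empty object keyed by APIC id/name")
    for apic, tenants in data.items():
        if not isinstance(tenants, dict) or not tenants:
            raise ValueError(f"{apic}: expected a non-empty object keyed by tenant name")
        for tenant, target in tenants.items():
            path = f"{apic}/{tenant}"
            if not isinstance(target, dict):
                raise ValueError(f"{path}: expected an object with schema and templates")
            extra = set(target) - TARGET_KEYS
            if extra:
                raise ValueError(f"{path}: unknown keys {sorted(extra)}")
            schema = target.get("schema")
            if not isinstance(schema, str) or not schema.strip():
                raise ValueError(f"{path}: 'schema' must be a non-empty string")
            templates = target.get("templates")
            if not isinstance(templates, list) or not templates:
                raise ValueError(f"{path}: 'templates' must be a non-empty list")
            if not all(isinstance(t, str) and t.strip() for t in templates):
                raise ValueError(f"{path}: every template must be a non-empty string")
            if len(set(templates)) != len(templates):
                raise ValueError(f"{path}: duplicate template names")
    return data


def effective_targets(data):
    """Map (apic, tenant) -> (schema, template used, templates ignored).
    Under the EA limitation only the first listed template receives changes."""
    out = {}
    for apic, tenants in data.items():
        for tenant, target in tenants.items():
            first, *rest = target["templates"]
            out[(apic, tenant)] = (target["schema"], first, rest)
    return out


def review_notes(data, commit_mode="deploy"):
    """Warnings a reviewer should read before enabling ActiveChange."""
    notes = []
    if commit_mode not in COMMIT_MODES:
        notes.append(f"CiscoMsoActiverChangeCommit={commit_mode!r} is not one of {COMMIT_MODES}")
    elif commit_mode == "commit":
        notes.append("commit mode: changes stay on the MSO/NDO until you deploy them to the APICs yourself")
    for (apic, tenant), (schema, used, ignored) in sorted(effective_targets(data).items()):
        if ignored:
            notes.append(f"{apic}/{tenant}: schema {schema!r} lists {len(ignored) + 1} templates; "
                         f"only {used!r} will receive changes, {ignored} will not")
    return notes


# Constructed sample matching the Payroll example on this page.
SAMPLE = json.dumps({
    "10_20_30_40": {
        "10_20_30_40_ActiveChangeEA": {
            "schema": "Payroll",
            "templates": ["Detroit", "Baltimore", "Abu Dhabi"],
        }
    }
})

if __name__ == "__main__":
    targets = parse_policy_targets(SAMPLE)
    for (apic, tenant), (schema, used, ignored) in effective_targets(targets).items():
        print(f"{apic}/{tenant}: schema={schema} uses={used} ignored={ignored}")
    for note in review_notes(targets, commit_mode="deploy"):
        print("NOTE:", note)
```

If you intend Baltimore or Abu Dhabi to receive the change, the only supported way in this EA version is to list that template first.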

To configure ActiveChange behavior for MSO- and NDO-managed Cisco ACI tenants:

  1. Switch to FireFlow.

  2. Click the Advanced Configuration tab.

    The Advanced Configuration page is displayed.

  3. In FireFlow Configuration, click ActiveChange and filter for CiscoACIMSOActiveChangePolicyTargets, or scroll to find it.

  4. Click the edit icon next to the current value field, and define the schema and templates for one tenant.

    For example:

    {
      "10_20_30_40": {
        "10_20_30_40_ActiveChangeEA": {
          "schema": "Payroll",
          "templates": [
            "Detroit",
            "Baltimore",
            "Abu Dhabi"
          ]
        }
      }
    }

  5. Click Update below the current value field to update the value.

  6. Filter for CiscoMsoActiverChangeCommit, or scroll to find it.

    Assign a value to this parameter to determine whether or not ActiveChange deploys changes to APICs.

  7. Click Update below the current value field to update the value.

  8. Click Store Changes at the top of the page.
  9. Restart FireFlow.

Support for NSX-T deployed on AWS (VMC)

This section describes the ASMS Early Availability support for NSX-T deployed on AWS (VMC).

Important: We recommend that you enable this Early Availability feature only in a lab environment.

Supported Features

ASMS supports NSX-T deployed in AWS (VMC) as follows:

  • VRF separation

  • Rules visibility

  • Report Generation

  • Topology

  • Change History

  • Risks Calculation

  • Map Visibility

  • Regulatory Compliance

  • Traffic Simulation Query

  • Monitor Cycle

Unsupported Functionality

The following functionality is not supported:

  • ActiveChange

  • L2 Rules

  • Changed by (Audit Logs collection)

  • Traffic-related recommendations

  • IPT and unused rules (Traffic Logs collection)

  • IPv6 rules and NSGroups with IPv6 content

Limitations

NSX-T on AWS has the same limitations as NSX-T on-premises, for example:

  • NSX-T is shown only in the TSQ result mini map

  • ASMS supports only the Distributed Firewall (for East-West traffic)

Network connectivity

VMware Cloud on AWS uses NSX-T to create and manage internal SDDC networks and provide endpoints for VPN connections from your on-premises network infrastructure.

Device permissions

Enable / Disable early availability support for NSX-T deployed in AWS

This procedure describes how to enable or disable support for NSX-T deployed in AWS in ASMS.

Do the following:

  1. In AFA, click your username, and select Administration > Advanced Configuration.

  2. Click Add to add a new configuration parameter.

  3. Define the parameter as follows:

    Name: AlgoSec_EA_NSXT_Cloud

    Value: one of the following:

    • yes = Enable support for NSX-T deployed in AWS
    • no = Disable support for NSX-T deployed in AWS

For more details, see Advanced Configuration. Continue with Add a VMware NSX-T to AFA.

Add a VMware NSX-T to AFA

This procedure describes how to add a VMware NSX-T that is hosted on AWS (VMC) to AFA.

Do the following:

  1. From the Administration area, access the Devices Setup page. For details, see Access the DEVICES SETUP page

  2. Click New > Devices. In the vendor device selection page, click VMware > NSX-T.

  3. For NSX-T that is hosted on AWS (VMC), select In Cloud.

  4. Complete the fields as needed.

    Access Information (NSX-T hosted on AWS (VMC))

    Device name: Give the device a name. This is the name that is displayed in the devices tree.

    Tip: To avoid future confusion, we recommend that you use the SDDC name as the device name.

    Organization ID: The Organization ID, from the VMware Cloud interface.

    SDDC ID: The Software-Defined Data Center (SDDC) ID, from the VMware Cloud interface. Each SDDC must be added separately.

    API Token: An API token generated from your VMware Cloud services account. Specify the roles required for onboarding:
  5. Click Finish. The new device is added to the device tree.
  6. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    1. To select multiple users, press the CTRL key while selecting.

    2. Click OK to close the dialog.

  7. A success message appears to confirm that the device is added.

Palo Alto Networks Prisma Access devices in ASMS

Note: AlgoSec supports only Panorama Managed Prisma Access.

This section describes the ASMS Early Availability support for Palo Alto Networks Prisma Access devices.

Supported features in Early Availability

ASMS supports Prisma Access devices as follows:

  • Policy visibility

  • Risk analysis

  • Traffic Simulation Query

  • Remote Networks and Service Connections

  • Mobile users

The following functionality is not supported:

  • Changes

  • Policy optimization recommendations based on traffic like Intelligent Policy Tuner (IPT) and unused rules

  • FireFlow support

Limitations

Panorama-managed Prisma Access has the following limitation:

  • Basic Search: RuleBase searches that use exact match may return inaccurate results.

Network connectivity

ASMS connects to Prisma Access through the Panorama device that manages it.

Device permissions

Use the same permissions required for Palo Alto Panorama devices. See Panorama device permissions.

Prisma Access visibility in the device tree

Prisma Access is added under the existing Panorama tree as follows:

  1. Level 1: Panorama host (IP/name)

  2. Level 2: Cloud_Services (Prisma Access) managed by a single Panorama device

  3. Level 3: Cloud_Services_Remote_Networks / Cloud_Services_Service_Connections / Cloud_Services_Mobile_Users

  4. Level 4: Cloud_Services_Remote_Networks_<Remote_Network_Name> / Cloud_Services_Service_Connections_<Remote_Network_Name> / Cloud_services_Mobile_users_<Portal_Host-Name or Host>

Enable / Disable early availability support for Prisma Access

By default, Prisma Access support is disabled. This procedure describes how to enable or disable support for Prisma Access devices in ASMS.

Do the following:

  1. In AFA, click your username, and select Administration > Advanced Configuration.

  2. Click Add to add a new configuration parameter. For more details, see Advanced Configuration.

  3. Define the parameter as follows:

    Name: AlgoSec_EA_Panorama_Prisma_Support

    Value: one of the following:

    • yes = Enable Prisma Access device support
    • no = Disable Prisma Access device support

  4. Log out of ASMS and then log in again.

  5. If Panorama device(s) that manage Prisma Access are already onboarded to ASMS, run Edit-Next (the Edit device wizard) on each of them. If they are not yet onboarded, onboard them. See Add Palo Alto Networks devices.

  6. Continue with Configure a Panorama device that manages Prisma Access.

Configure a Panorama device that manages Prisma Access

This procedure describes how to configure, in AFA, a Panorama device that manages Prisma Access.

Do the following:

  1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page

  2. In the device tree, select the Panorama device to configure for Prisma Access. Click Edit.

  3. Click Next to reach the Panorama 2/2 page.

    Prisma Access tenants are shown with the prefix Cloud Services.

  4. Select the check boxes of the tenants you want AFA to control.

    Note: The Log collection method drop-downs are disabled for Prisma Access tenants.

  5. Click Finish. The tree of the Panorama is updated to include Prisma Access elements.

Data visualizations for reports

This Early Availability feature allows you to see report data in a customizable graph.

Note: Visualizations are built into the following reports: Risks report and Changes Summary report (on the Risks tab). You can also create your own custom visualizations for these reports as well as the Policy Optimization group report summary tables.

View data visualizations

For Risks reports and Changes Summary reports (on the Risks tab)

To view visualizations:

  • Click Graphs on the relevant report page. The section expands to show the graphs.

Create visualizations

For Risks reports and Changes Summary reports (on the Risks tab): individual and grouped devices

For Policy Optimization reports: grouped devices only

You can define a range of data to include in a new custom visualization. This is helpful when you want to create a graph from a specific set of data, and works even for data that is not numeric.

Do the following:

  1. From the list, drag to select the rows and columns to use for the visualization.

  2. Right click in the selection to bring up a popup menu.

  3. Select Chart range and visualization style you require.

    Your custom visualization appears.

Tip: In cases where the list does not include numeric data (such as many of the Changes summaries tabs), you can create a custom visualization by first grouping the data.

Work with visualizations

  1. To change the layout and style, click the arrow on the right side of a graph.

    A tabbed menu of options appears where you can change the appearance and select which data is graphed.

  2. To change the title of the visualization, double click the title text.

    Note: If you don't see a title, you can enable it as follows:

    1. Click the arrow on the right side of the graph.

      The layout and style options appear.

    2. Select the Format tab.

    3. Click Chart to expand the chart options.

    4. Click Enabled.

  3. Click the save icon to save a copy of the displayed visualization to your computer as a PNG file.

  4. Click the link/unlink icon to link or unlink the visualization to the list below. When linked, the relevant columns in the list are highlighted, and any rearrangement, filtering, or sorting of the highlighted list columns also updates the data visualization.

Add/Update/Delete devices in bulk from an xlsx file

This section describes the ASMS Early Availability support for adding, updating, and deleting devices in bulk from an xlsx file.

Note: The General Availability feature for bulk device operations (which is based on csv files) is still available for add and update operations for supported device brands. See Add/update multiple devices in bulk.

This Early Availability feature allows you to add, update, and delete devices in bulk from an xlsx file, and offers the following advantages:

  • Support for bulk delete devices.

  • Support for the following management devices:

    • PV1

    • CMA

    • Space

    • Panorama

    • Fortimanager

  • Support for these additional brands:

  • Support to define optional fields

  • Support for commenting out a row, so that no bulk operation is executed for that row

    Known Issue: Cisco Meraki onboarding with children

    Currently there is no Children tab in the Cisco Meraki Excel template. To onboard children, you can use the 'selected_devices' column. The Children tab will be added in the future.

Enable / Disable early availability support for Bulk Add/Update/Delete devices

This procedure describes how to enable or disable support for Bulk Add/Update/Delete devices.

Do the following:

  1. In AFA, click your username, and select Administration > Advanced Configuration.

  2. Click Add to add a new configuration parameter.

  3. Define the parameter as follows:

    Name: Bulk_Add_Remove_EA

    Value: one of the following:

    • ON = Enable bulk Add/Update/Delete of devices using xlsx files.
    • OFF = Use the legacy bulk Add/Update of devices using csv files.

For more details, see Advanced Configuration. Continue with How to perform bulk Add/Update/Delete devices.

How to perform bulk Add/Update/Delete devices

To add, update, or delete devices in bulk, use the sample files. You download the sample files as part of the procedure, in step 4 below. The sample files are in Excel (.xlsx) format.

Do the following:

  1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page.

  2. Click Bulk.

  3. Click Add/Update/Delete devices. The Bulk Device Operations dialog appears.

  4. To use this EA feature:

    1. Click Download sample files to download the sample Excel files.

    2. Edit the files as required. See How to use the sample files.

    3. XLSX/CSV file: Browse to and select your prepared xlsx file.

    4. Ensure that the devices you plan to change are online and accessible from AFA via SSH.

    5. Select one operation:

      • Add New Devices to bulk add devices

      • Update Devices to bulk update devices

      • Delete Devices to bulk delete devices

    6. Click Add/Update/Delete as required. A confirmation message is displayed when the process is finished.

How to use the sample files

Tips:

  • To comment out a row in the sample file, add a '#' to the Exclude column of that row. This prevents a bulk operation from being executed for that row:

    1. A row that contains a note or instruction is excluded.

    2. A device in a commented-out row is not considered in the add/update/delete operation.

  • Required fields are shown in blue in the header of the sample files.
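Rows commented out with '#' are skipped, but a row with an empty required field or a device name that appears twice only fails at upload time. The Python below is an added example, not AlgoSec code, that checks rows read from the workbook before you upload it. The Exclude and selected_devices columns are the ones named on this page; the other column names, the required-field list, and the comma-separated form of selected_devices are assumptions, so take the real required columns from the blue headers of the downloaded sample file.

```python
"""Pre-flight check for the rows of a bulk Add/Update/Delete workbook before
uploading it to AFA. Added example, not AlgoSec code. Rows are modelled as
dicts keyed by column header, which is what an openpyxl reader would give you.
'Exclude' (with '#' meaning skip) and 'selected_devices' come from this page;
every other column name and the required-field list are assumptions."""

EXCLUDE_COLUMN = "Exclude"              # from this page
EXCLUDE_MARK = "#"                      # from this page
CHILDREN_COLUMN = "selected_devices"    # from this page (Meraki children workaround)
OPERATIONS = ("add", "update", "delete")


def _cell(row, column):
    """Cell text with None and surrounding whitespace normalised away."""
    value = row.get(column)
    return "" if value is None else str(value).strip()


def is_excluded(row):
    """True when the row is commented out with '#' in the Exclude column."""
    return _cell(row, EXCLUDE_COLUMN).startswith(EXCLUDE_MARK)


def active_rows(rows):
    """Rows the bulk operation would actually act on."""
    return [row for row in rows if not is_excluded(row)]


def children_of(row):
    """Child devices listed in selected_devices; comma separation is assumed."""
    return [name.strip() for name in _cell(row, CHILDREN_COLUMN).split(",") if name.strip()]


def preflight(rows, required, operation, name_column="Device Name"):
    """Return (workbook row number, problem) pairs for rows that would fail or
    act on the wrong device. Numbering starts at 2 because row 1 is the header.
    `required` and `name_column` are assumed column names."""
    if operation not in OPERATIONS:
        raise ValueError(f"operation must be one of {OPERATIONS}, got {operation!r}")
    problems, first_seen = [], {}
    for rownum, row in enumerate(rows, start=2):
        if is_excluded(row):
            continue
        missing = [col for col in required if not _cell(row, col)]
        if missing:
            problems.append((rownum, f"missing required field(s): {', '.join(missing)}"))
        name = _cell(row, name_column)
        if name in first_seen:
            problems.append((rownum, f"duplicate {name_column} {name!r}, first used on row {first_seen[name]}"))
        elif name:
            first_seen[name] = rownum
    return problems


# Constructed rows; header names other than Exclude and selected_devices are assumed.
SAMPLE_ROWS = [
    {"Exclude": "", "Device Name": "fw-edge-1", "Host": "192.0.2.10", "User": "afa_ro"},
    {"Exclude": "# onboard next week", "Device Name": "fw-edge-2", "Host": "192.0.2.11", "User": "afa_ro"},
    {"Exclude": None, "Device Name": "fw-core-1", "Host": "", "User": "afa_ro"},
    {"Exclude": "", "Device Name": "fw-edge-1", "Host": "192.0.2.12", "User": "afa_ro"},
    {"Exclude": "", "Device Name": "meraki-org", "Host": "api.meraki.com", "User": "afa_ro",
     "selected_devices": "branch-a, branch-b"},
]
REQUIRED_FOR_ADD = ["Device Name", "Host", "User"]  # assumed; use the blue headers

if __name__ == "__main__":
    print(f"{len(active_rows(SAMPLE_ROWS))} of {len(SAMPLE_ROWS)} rows will be processed")
    for rownum, problem in preflight(SAMPLE_ROWS, REQUIRED_FOR_ADD, "add"):
        print(f"row {rownum}: {problem}")
    print("Meraki children:", children_of(SAMPLE_ROWS[4]))
```

Fix every reported row, or comment it out with '#', before uploading; the excluded row in the sample is deliberately not reported even though it would otherwise be complete.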

PAN Panorama | EDLs (External Dynamic Lists) in policy destinations

This procedure describes how to enable or disable support for EDLs (External Dynamic Lists) in the policies of Palo Alto Panorama devices. This early availability feature works with IP address and URL type lists.

  • For IP address type lists: The EDL source points to a list of IP addresses. You can use it in the Source or Destination fields of rules.

  • For URL type lists: The EDL source points to a list of URLs. You can use it in the URL Category field of rules only.

    Note: For URL type lists, URLs with wildcards are ignored. For example, *.office365.us/ is not read.
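To see what ASMS will and will not read from an EDL before enabling the feature, the Python below is an added example (not AlgoSec or Palo Alto Networks code) that classifies the entries of an IP-type and a URL-type list as described above, reporting wildcard URLs as ignored. Both sample lists are constructed. Treating lines that start with '#' as comments, accepting 'first-last' IP ranges, and modelling PA_URL_CAT_DNS_LIMIT as a cap on the number of URL entries that get resolved are assumptions of the example, not statements from this page.

```python
"""Pre-check an External Dynamic List (EDL) the way this page says ASMS
consumes it: an IP-type list feeds rule Source/Destination fields, a URL-type
list feeds the URL Category field, and URL entries containing a wildcard are
skipped. Added example, not AlgoSec or Palo Alto Networks code. Assumptions:
'#' lines are comments, IP entries may be an address, CIDR or 'first-last'
range, and dns_limit models PA_URL_CAT_DNS_LIMIT as a cap on resolved URLs."""

import ipaddress
import re

WILDCARD = "*"
# Hostname with at least one dot, optional scheme, port and path.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_URL_RE = re.compile(
    rf"^(?:https?://)?({_LABEL}(?:\.{_LABEL})+)(?::\d{{1,5}})?(/\S*)?$"
)


def _parse_ip_entry(entry):
    """Return the ipaddress networks covered by an address, CIDR or 'first-last' range."""
    if "-" in entry and "/" not in entry:
        first, last = (part.strip() for part in entry.split("-", 1))
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo.version != hi.version or hi < lo:
            raise ValueError(f"bad range {entry!r}")
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(entry, strict=False)]


def check_ip_edl(text):
    """Classify an IP-type list. Returns accepted networks, rejected
    (line number, entry, reason) tuples and entries that appear more than once."""
    accepted, rejected, counts = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets = _parse_ip_entry(line)
        except ValueError as exc:
            rejected.append((lineno, line, str(exc)))
            continue
        counts[line] = counts.get(line, 0) + 1
        accepted.extend(nets)
    duplicates = sorted(entry for entry, n in counts.items() if n > 1)
    return {"accepted": accepted, "rejected": rejected, "duplicates": duplicates}


def check_url_edl(text, dns_limit=500):
    """Classify a URL-type list. Wildcard entries go to 'ignored' because ASMS
    does not read them; entries past dns_limit go to 'beyond_limit' so the
    operator sees what would not be resolved."""
    accepted, ignored, rejected, beyond = [], [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if WILDCARD in line:
            ignored.append((lineno, line))
            continue
        match = _URL_RE.match(line)
        if not match:
            rejected.append((lineno, line, "not a hostname or URL"))
            continue
        if len(accepted) >= dns_limit:
            beyond.append((lineno, line))
            continue
        accepted.append(match.group(1).lower())
    return {"accepted": accepted, "ignored": ignored,
            "rejected": rejected, "beyond_limit": beyond}


# Constructed sample lists.
SAMPLE_IP_EDL = """\
# IP-type list (constructed)
10.10.0.0/16
192.0.2.7
192.0.2.10-192.0.2.13
2001:db8::/32
999.1.1.1
192.0.2.7
"""

SAMPLE_URL_EDL = """\
# URL-type list (constructed)
login.example.com
*.office365.us/
https://portal.example.net/auth
not a url
example.org:8443/path
"""

if __name__ == "__main__":
    ip_result = check_ip_edl(SAMPLE_IP_EDL)
    url_result = check_url_edl(SAMPLE_URL_EDL)
    print("IP networks usable in Source/Destination:", [str(n) for n in ip_result["accepted"]])
    print("IP entries rejected:", ip_result["rejected"])
    print("URL hosts usable in URL Category:", url_result["accepted"])
    print("URL entries ASMS will ignore (wildcard):", url_result["ignored"])
```

The wildcard entry from the note above shows up in the ignored list, which is the behaviour to expect in the rule view once the feature is enabled; raise PA_URL_CAT_DNS_LIMIT only if the beyond_limit list is non-empty for your real lists.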

To enable support for EDLs

Do the following:

  1. In AFA, click your username, and select Administration > Advanced Configuration.

  2. Click Add to add a new configuration parameter.

  3. Add the following new parameter and set its value to yes:

    • ALGOSEC_EA_PANORAMA_EDL=yes

    Note: Other configurable parameters that are related to this feature include:

    • PA_URL_CAT_DNS_LIMIT (default=500)

    • DNS_Lookup_Timeout (default=4)

    • PAN_EDL_COLLECT_TIMEOUT (default=10)

    For more details, see Advanced Configuration.

Google Cloud Map and Traffic Path

This section describes the ASMS Early Availability support for Google Cloud Map and Traffic Path.

Note: To enable this feature, you must first:

  1. Integrate ASMS with AlgoSec Cloud (formerly CloudFlow), see ASMS integration to SaaS services.

  2. Onboard your Google Cloud Project, see Onboard Google Cloud Project.

Supported Features

AlgoSec already supports visibility, risks calculations, and policy clean-up for Google Cloud Projects. In this Early Availability feature, additional ASMS capabilities include:

  • Map topology

  • Project hierarchy visibility in the ASMS tree: the project levels appear in the tree. See Device tree display of Google Cloud Project.

  • Traffic path: When you run a Traffic Simulation Query, relevant Google Cloud VPCs and other virtual cloud firewalls are identified in the path. (In this first phase, Google Cloud VPC traffic is always shown as allowed, ignoring the existing firewall rules in the VPC).

Note about VPC URT files: Because a subnet with the same name can be configured in different regions, the region name is appended to the subnet name in VPC URT files. For example:

Network connectivity

Enable / Disable early availability support for Google Cloud Map and Traffic Simulation Query

Do the following:

  1. In AFA, click your username, and select Administration > Advanced Configuration.

  2. Click Add to add a new configuration parameter.

  3. Define the parameter as follows:

    Name: ALGOSEC_EA_GCP

    Value: one of the following:

    • yes = Enable support for Google Cloud Map and Traffic Path.
    • no = Do not enable support for Google Cloud Map and Traffic Path.

Device tree display of Google Cloud Project

In the device tree, Google Cloud has a three-tier hierarchy:

  1. Organization

  2. Project

  3. VPC

View AlgoSec Cloud Risks and Policy pages for a selected Google Cloud entity

As part of this early availability feature, you can view the AlgoSec Cloud (formerly CloudFlow) Risks and Policy pages for a selected Google Cloud entity in the ASMS tree.

Do the following:

  1. In the ASMS device tree, select the Google Cloud entity. The details page for the entity opens.

  2. On the entity's details page, click the link Risks Page or the Policy Page. The selected page for the entity opens in AlgoSec Cloud.

Onboard AWS accounts to both AlgoSec Cloud and ASMS simultaneously

This early availability feature allows you to onboard AWS accounts from one central location—AlgoSec Cloud (formerly CloudFlow). Once you add accounts to AlgoSec Cloud, they will automatically be onboarded to ASMS, using the permissions set in AlgoSec Cloud.

Note: Accounts that are added to ASMS but not to AlgoSec Cloud will continue to operate in ASMS without interruption.

In environments that include Load Distribution Units, set the flag Data_Collection_Slaves=false.

Do the following:

  1. In AFA, click your username, and select Administration > Advanced Configuration.

  2. Click Add to add a new configuration parameter.

  3. Add the following new parameter and set its value to yes:

    EA_CF_Auto_Onboard=yes

  4. In ASMS environments with Load Distribution, add the following new parameter and set its value to false:

    Data_Collection_Slaves=false.

    (In ASMS environments with Load Distribution, this feature will not work unless this flag is set)

  5. Integrate ASMS with AlgoSec Cloud: If ASMS is not yet integrated with AlgoSec Cloud, refer to ASMS integration to SaaS services for guidance.

  6. In AFA, click your username, and select Administration > Integrations.

  7. Click Sync Now. This aligns AlgoSec Cloud entity inventory including permissions with ASMS.

    Accounts added to AlgoSec Cloud are automatically onboarded to ASMS, including all associated permissions.

  8. For instructions on how to add new accounts, visit AWS Account Management in AlgoSec Cloud Tech Docs.

Sync between ASMS and AlgoSec Cloud

When you make changes to the status of accounts in AlgoSec Cloud (formerly CloudFlow), you need to sync these changes to ASMS to ensure alignment.
This is particularly useful:

  • After upgrading to A33.00.

  • After updating ActiveChange permissions for AWS accounts in AlgoSec Cloud.

  • After initially connecting ASMS and AlgoSec Cloud.

  • If there is a discrepancy in account listings between ASMS and AlgoSec Cloud.

You can initiate a sync in one of two ways:

  • In AFA: click your username, and select Administration > Integrations.

    Click Sync Now. This aligns AlgoSec Cloud entity inventory including permissions with ASMS.

  • Use the Sync AWS Accounts API: by sending a POST request to /aws-accounts/sync. See Sync AlgoSec Cloud Resources with ASMS .

Edit AWS accounts onboarded with AlgoSec Cloud

After onboarding an AWS account with AlgoSec Cloud (formerly CloudFlow), you can still update AWS account details directly in ASMS.

Do the following:

  1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page.

  2. Select the AWS account from the device tree that you want to edit and click Edit.

    The Web Services (AWS) EC2 page opens.

  3. Complete the fields as needed.

    Access Information

    In the Display Name field, enter the name that you want to appear in the device tree for this account.

    Tip: Use the account's host or route name.

    Active Change This read-only field displays whether ActiveChange is enabled or not. To update the ActiveChange status of an onboarded AWS account, see Update AWS details.

    Additional Information

    Network Elements Collection Source This read-only field displays the source module that collects the network elements of the subject AWS account and updates the network map.

    The default source is Firewall Analyzer. To switch to AlgoSec Cloud for better AWS network element support in the network map, set the AWS_Network_Elements_Parse_From_AFA parameter to false. For instructions on how to modify this parameter, see Configuring the AWS Network Elements Collection Source in Algopedia.

    Note: When connected with AlgoSec Cloud, you no longer need to provide an AWS Access Key ID or AWS Secret Access Key.

    Route Collection

    Select one of the following to determine how AFA should acquire the device's routing data.

    • Automatic. Automatically generate routing data upon analysis or monitoring.

    • Static Routing Table (URT). Take the device's routing data from a static file that you provide.

      For details, see Specify routing data manually.

    Options

    Select the following options for your AWS account as needed:

    • Real-time change monitoring. Select this option to enable real-time alerting upon configuration changes. For more details, see Configure real-time monitoring.

    • Set user permissions. Select this option to set user permissions for this device.

    Proxy

    Click Set Proxy Server to configure a proxy server to connect all cloud devices defined in AFA, including both AWS and Azure.

    For more details, see Define a proxy server .

  4. Click Edit to save your changes.

  5. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    1. To select multiple users, press the CTRL key while selecting.

    2. Click OK to close the dialog.

Device tree context menu

This early availability feature makes frequently used actions available directly from the Device Tree, so that you can perform key operations with fewer clicks.

Enable / Disable early availability support for the context menu

This procedure describes how to enable or disable support for the context menu.

Do the following:

  1. In AFA, click your username, and select Administration > Advanced Configuration.

  2. Click Add to add a new configuration parameter.

  3. Define the parameter as follows:

    Name: ALGOSEC_EA_TREE_RIGHT_CLICK_MENU

    Value: one of the following:

    • yes = Enable the context menu
    • no = Disable the context menu (default)

Access the context menu

To access the context menu, simply right-click on any device within the Device Tree. A menu appears, offering the following options:

Option Description

Analyze

Opens the Analyze dialog to start device analysis on the selected device.

Traffic Simulation Query

Opens the Traffic Simulation Query form on the selected device.

Latest Report

Opens the latest report of the selected device in a new tab.

Edit Device

Opens the Edit Device dialog to modify the selected device's settings. Supported for Panorama, Arista, Cisco Firepower, Cisco Meraki, Juniper Space, Panorama Prisma, Versa, and NSX-T.

Show on Map

Displays the selected device's location on the map.

Routing Information

Opens the Routing Information dialog for the selected device in the Map tab.

Miscellaneous early availability fixes

Missing AWS VPCs from the map and tree

Known issue: AWS VPCs do not appear in the ASMS map and tree if they are in regions where none of the VPCs have load balancers or AWS instances. This early availability fix allows them to appear.

Do the following:

  1. In AFA, click your username, and select Administration > Advanced Configuration.

  2. Click Add to add a new configuration parameter.

  3. Add the following parameters and set each of them to true:

    • SHOW_REGIONS_WITHOUT_ASSETS_AWS

    • SHOW_UNASSIGNED_SECURITY_GROUPS_AWS

SHOW_REGIONS_WITHOUT_ASSETS_AWS

Enable this parameter to display, in the ASMS map and tree, AWS VPCs located in regions where none of the VPCs have assets (load balancers or AWS instances).

Note: In the tree, these VPCs will appear in the AWS unassigned section.

By default, this parameter is not defined.

Possible values:

  • false (default): Do not display VPCs under regions with no assets.

  • true: Display VPCs under regions with no assets.

    Note: In addition, set the parameter SHOW_UNASSIGNED_SECURITY_GROUPS_AWS to true.

SHOW_UNASSIGNED_SECURITY_GROUPS_AWS

For more details, see SHOW_UNASSIGNED_SECURITY_GROUPS_AWS.