Advanced Configuration

This topic describes how to add and modify advanced AFA configuration parameters, as well as a reference of parameters available.

Add a new AFA configuration parameter and value

This procedure descries how to add a new advanced configuration parameter to AFA. Use this procedure to override various system defaults or implement hotfix updates.

Do the following:

  1. In the toolbar, click your username and select Administration to access the AFA Administration area.

  2. Navigate to Options > Advanced Configuration.

  3. Click Add, and enter the name and value of your configuration parameter.

  4. Click OK to close the dialog, and then OK again to save your changes.

Advanced AFA configuration parameter reference

The following tables list commonly used AFA configuration parameters and their possible values.

Use the alphabetical links below to jump between tables.

A-B | C | D | E-J |L | M | N-R | S-W

A-B

Parameter Description

Active_Change_Backups_Number

CLI only. Define the number of backup files stored by AFA for Cisco firewalls, Juniper SRX devices, Fortinet or Panorama devices.

Default= 50

AddOnlyChildren

Determines whether the add_device_to_group and create_device_group SOAP APIs add both the parent and children devices to the group.

Possible values:

  • 0: Both parents and children are added. (Default)
  • 1: Only children are added.

ADV_SEARCH_MAX_RESULTS

Defines the maximum number of rules returned by Advanced Policy Search . If exceeded, the search is aborted and an error message is displayed.

  • Default= 15,000 (rules) for ASMS UI

Note: This parameter also controls the behavior of the following API parameters:

The actual maximum number of rules returned for the APIs will be the lower value between ADV_SEARCH_MAX_RESULTS parameter and BASIC_ADV_SEARCH_MAX_RESULTS/FULL_ADV_SEARCH_MAX_RESULTS, respectively.

ADV_SEARCH_MAX_COMPARISONS

Defines maximum number of comparisons (== and !=) that can be used in a search query in Advanced Policy Search. If the number of comparisons exceeds this value, the search is aborted and an error message is displayed.

  • Default= 150 (comparisons)

(Setting the parameter affects both UI and API behavior).

ADV_SEARCH_TIMEOUT_SECONDS

Defines the maximum duration for Advanced Policy Search. If exceeded, the search is aborted and an error message is displayed.

  • Default= 7,200 (seconds)

(Setting the parameter affects both UI and API behavior).

AFA_URL

Defines the server used for email notification and other AFA related links. Can be an IP address or host name.

For example:

  • AFA_URL=https://127.0.0.1/AFA/

  • AFA_URL=https://My_AFA_Server/AFA/

ALGOSEC_EA_PANORAMA_EDL

Enables early access support for parsing for Panorama EDLs.

  • yes: Enable

  • no (default): Disable

ALLOW_ALL_IPS_SUBNET

By default, interfaces are not created for 0.0.0.0/0 subnets. To enable the creation of interfaces for 0.0.0.0/0 subnets, add the following parameter:

ALLOW_ALL_IPS_SUBNET=yes

Allow_Copy_Paste_Password

Determines whether or not a user can copy their password and paste it into the Password Confirmation input field when resetting their password.

  • yes: Password Confirmation input field permits pasting text when resetting their password

  • no (default): Password Confirmation input field does not allow pasting text when resetting their password

analyze_only_changed_reports

Determines whether analysis is always run, even if the configuration has not changed.

Possible values:

  • yes: Analysis is run only if the configuration has changed
  • no: Analysis is always run
AUDIT_LOG

Determines if the system will send suite-level syslog log messages.

  • yes (default): Send suite-level messages
  • no: Do not send suite-level messages

Auto_Create_Users

Automatically create user in AFA from LDAP (if LDAP is defined).

  • yes (default): Automatically create user

  • no: Do not create

AUTOREMOVE_REPORT_NAS_CONFIGURED

Customers with NAS configured might experience disk space issues due to a non-optimized file cleanup. In such a case, setting this parameter to true could potentially resolve this.

  • true: Optimized disk cleanup for NAS based storage

  • false (default): Local storage cleanup

Avoid_Unnamed_Object_Htmls

Determines whether or not device analysis will skip unnamed objects in the Hostgroup and Service HTMLs. This can significantly reduce the size of reports containing a large number of internal "AFA created" Hostgroups and Services.

(By default, this parameter is not defined)

Possible values:

  • yes: Omit unnamed objects from the report HTML files

  • no (default): Include unnamed objects in the report HTML files

AWS_DC_FILTERS_USED

When an AWS account has resources with a different Owner-ID (such as in the case of shared VPCs), AFA data collection filters out those resources. Set this parameter to false to collect the missing resources.

  • true (default): Filter AWS resources by Owner-ID

  • false: Do not filter AWS resources by Owner-ID

AWS_ENABLE_VPC_REPORTS

Determines whether or not to generate reports for AWS devices on the VPC level.

(By default, this parameter is not defined)

  • yes: Generate reports on both the VPC and ACL levels

  • no (default): Generate reports only on the ACL level

AWS_Network_Elements_Parse_From_AFA

If required, use this parameter to switch between AlgoSec Cloud and Firewall Analyzer as the Network Elements Collection Source.

  • AWS_Network_Elements_Parse_From_AFA=false: Parses and pushes routing data via AlgoSec Cloud.

  • AWS_Network_Elements_Parse_From_AFA=true (default): Parses and pushes routing data via AFA.

For instructions how to change this parameter setting, see Configuring the AWS Network Elements Collection Source.

Backup_Firewall_History

Determines whether backup files include change history.

Possible values:

  • yes. Change history is included
  • no. Change history is not included in backups

BASIC_ADV_SEARCH_MAX_RESULTS

Defines the maximum number of rules returned by the Advanced Policy Search-Basic API. If exceeded, the search is aborted and an error message is displayed.

  • Default= 10,000 (rules) for Advanced Policy Search-Basic API.

Note: The actual maximum number of rules returned will be the lower value between ADV_SEARCH_MAX_RESULTS parameter and BASIC_ADV_SEARCH_MAX_RESULTS. See ADV_SEARCH_MAX_RESULTS.

Bulk_Delete_Max_Timeout_Seconds

Defines the timeout for each bulk delete device operation as explained in How to perform bulk Add/Update/Delete devices.

Default= 240 (seconds)

Minimum allowed value= 30 (seconds)

BUSINESSFLOW_ADDRESS

Determines the IP address of the BusinessFlow host, if not local.

C

Parameter Description

CHANGE_HISTORY_DAYS

Determines the number of days that legacy changes are kept in report change histories.

Default= 90 (days)

Chart_Threshold_Val

Defines the chart threshold value for all condition type charts, including the built-in compliance charts.

Possible value: Integer

Default= 23

Checkpoint_Adtlog_Exclude_Fields

Defines a pipe-separated list of Check Point audit log fields that are ignored.

For example:

CKP_Adtlog_Exclude_Fields=CLCStatus|threshold_event_uint

Note: Regular expressions are supported.

CKP_ACTIVE_CHANGE_DISABLE_POLICY_BACKUP

Determines policy backup on Checkpoint FW during a policy change/removal.

  • yes (default): disable the generation of a policy backup on Checkpoint FW during a policy change/removal

  • no: enable the generation of a policy backup on Checkpoint FW during a policy change/removal

CKP_Application_Control_For_Legacy

Set this parameter to yes to enable support for application control on older/legacy R80.x Check Point devices running API version lower than 1.6.1.

(By default, this parameter is not defined)

Note: AlgoSec does not recommend enabling this parameter due to the performance impact on the Check Point management device.

CKP_Data_Collection_Collect_Tables_One_By_One

By default, this property is not defined and all firewall policy and rule information is collected via a single request.

If analysis of firewall policy and rule information fails due to a timeout error, using multiple requests to collect each firewall's data individually may speed up processing and resolve this issue. To activate, set value to yes.

CKP_DNS_Cache_Duration_Seconds

Defines the cache duration (in seconds) for Check Point DNS resolution of network objects. By default, DNS resolutions are not cached.

For example: CKP_DNS_Cache_Duration_Seconds=3000

CKP_optimizations_per_policy

Determines whether policy optimization items are shown for all rules in the policy, and not only those installed on the analyzed module.

Default= yes

CKP_PASS_ANALYSIS_ON_DATA_CENTER_FAILURE

no (default): CKP analysis fails when unable to connect to a data center that is not in use.

yes: Prevents analysis from failing if unable to connect to the defined data center.

CKP_turbo_log_collection

Determines whether a dummy environment is used to speed up log collection on Check Point devices.

Default= no

CLOUD_DEVICES_CHECK_ROUTED

Determines whether or not to check if the cloud-connected device has a route to the TSQ destination when generating the TSQ results.

(By default, this parameter is not defined)

Possible values:

  • yes: Check if device is routed.

  • no (default):Do not check if device is routed.

CLUSTER_USE_VIP

Determines whether a VIP is shown instead of a MIP in Check Point cluster topologies.

Default= yes

CollapseDevicesTreeOnLogin

Determines whether the device tree appears fully collapsed or expanded by default.

Possible values:

  • True (default): Sets the tree to display collapsed by default.
  • False: Sets the tree to display expanded by default.
Collector_TO

The SSH connection timeout between the master and collector, in seconds.

Default value (if not defined) is: 180

Comments_Regex_Match

Determines whether comments match or do not match the regular expression defined in Comments_Regex.

Possible values:

  • 0: Does not match
  • 1: Matches

Compliance_Score_Max_Red

Number between 1-99 that defines the point in which the red stops and the yellow starts in the compliance score. (Default= 50)

Compliance_Score_Min_Green

Number between 1-99 that defines the point in which the yellow stops and the green starts in the compliance score. (Default= 85)

Compliance_Score_Star_Weight

Number between 0-1 that defines the weight of the star status when calculating the compliance score. (Default= 0.5)

comprehensive_mode

Determines whether comprehensive mode is enabled, where AFA queries all services that appear in any rule in the policy.

Default= yes

CONSIDER_MULITPLE_NHG

Determines whether all multiple routes for each range are saved and used for FIP.

Supported only for IOS.

Default= yes

CONVERT_ANCHOR_TO_LINK_CUSTOM_FIELD

Determines whether or not to allow clickable URL links in the Custom Document field.

Possible values:

  • yes: Allow clickable links in Custom Document field. A link must be a proper html tag.

  • no (default): Show only text in the Custom Document field.

covered_exclude_services

Defines a colon-separated list of values. Rules that contain any of the listed values as services are not listed as covering rules.

Default= null (no exclusions)

D

Data_Collection_Slaves

Determine if data collection can be done by the LDUs.

Default= yes (data collection can be done by the LDUs)

Days_To_Consider_Rules_As_New

Determines the number of days before which rules are considered as unusued.

Additionally, if defined, rules with no rule creation time are considered to be older than the set value.

For example, if this parameter is set to 30, rules that are less than 30 days old are never defined as unused.

0 = Disable this feature, and instead use the value defined in Log_Analysis_Days_Before instead.

Days_Without_Logs_Percentage_Threshold

Determines the threshold at which warnings are sent for missing log days, in log data-based parts of the policy optimization.

Possible values: Integers, 0-100

0 disables the warning altogether

Default= 50(days)

DB_host

Defines the database host.

Default= localhost

DB_name

Defines the database name.

Default= afa

DB_user

Defines the database username.

Default= afa

default_dashboard

Defines the default AFA dashboard shown.

Possible values:

  • optimizations.xml (default)
  • compliance.xml
  • none - do not load a dashboard at login
DNS_Lookup_Timeout

Determines the max time tol wait (in seconds) for the DNS to convert URL to IP (relevant only to EDL type URL).

  • Default is 4 (seconds)

DEFAULT_MAIL_NOTIFICATION_OFF

Sets default for email notifications to newly created users.

By setting this parameter ON, newly added users will not get email notifications when a new report is generated or when configuration changes are applied.

DEFAULT_MAIL_NOTIFICATION_OFF

Possible values: 

  • yes

  • no (default)

By setting this parameter to Yes, the following administrative settings will be set OFF as a default:

  1. Creating a new user (Firewall Analyzer Administration page > Users / Roles tab > New User):

    • E-mail Notifications area> Every report
    • E-mail Notifications area> Every configuration change

DEFAULT_USER_PERMISSIONS_EMPTY

Possible values: 

  • yes

  • no (default)

By setting this parameter to Yes, the following administrative settings will be set OFF as a default:

  1. Creating a new user (Firewall Analyzer Administration page > Users / Roles tab > New User):

    • General Permissions area> Enable Analysis from file
    • General Permissions area> Enable Trusted Traffic - > global
    • E-mail Notifications area> Every report
    • E-mail Notifications area> Every configuration change

  2. Defining a new user's authentication server (via Firewall Analyzer Administration page > Options > Authentication > Authentication server):

    • LDAP checkbox

Disable_IPT_Recommendations

Determines whether to include Intelligent Policy Optimization recommendations on the Policy Optimization report page.

Possible values:

  • yes: Disable IPT recommendations. Recommended if IPT recommendations are causing the report generation to take too long.
  • no (default): Enable IPT recommendations

Note: To determine the amount of time consumed by the generation of rule replacement recommendations, view the AFA log. The start of this task is marked IPT recommendations generation – Starting, and the end of this task is marked IPT recommendations generation – Finished.

Disable_IPT_Time_Checking

Determines whether filtering is disabled for log records whose time is older than the relevant rule's update time or the IPT_Ranges_number update time.

  • yes: Disable filtering

  • no (default): Enable filtering

DISABLE_MAP

  • yes: remove the map tab from the home GUI and stop the map generation script from running.

  • no (default): Map enabled

Disable_Monitoring

Determines whether global monitoring is disabled.

Possible values:

  • yes: Monitoring is disabled for all firewalls.
  • no (default): Monitoring is enabled.

Disable_Routing_Element_Monitoring

Determines whether to disable monitoring for routing element devices.

Possible values:

  • yes: Monitoring on routing element devices is disabled.
  • no (default): Monitoring on routing element devices are enabled.

DISABLE_VISUAL_FIP

You can use this parameter to enable or disable the Query Visualizer.

  • yes: Disable the Query Visualizer.

  • no (default): Enable the Query Visualizer.

DISPLAY_REPORT_TOPBAR_IN_REPORTS

When set to yes (default), the selected device's hierarchy is shown in the report's top bar.

DISPLAY_REPORT_TOPBAR_IN_PDF

When set to yes (default), the selected device's hierarchy is displayed in the top bar of the exported PDF report.

DUPLICATE_L2_INTERFACES
  • yes: AFA will store information for all duplicate L2 interfaces.

  • no (default): AFA will store information only for one of the duplicate L2 interfaces.

E-J

Email_With_Embeded_Content

Determines whether information about changes detected on the device is included in the email body.

  • yes (default): Enabled

  • no: Disabled

Enable_Ms_Traffic_Logs_Processing

Determines whether traffic log collection is enabled using the ms_trafficlogmanager service.

Possible values:

  • yes (default): Enabled
  • no: Disabled

Export_Policy_Tab_With_Objects_Content

Determines whether the exported PDF report's Policy page shows the network object content as well as the network object names.

Possible values:

  • yes: Network object content and names shown
  • no (default): Network object names shown only

EXPECT_TIMEOUT

Defines the timeout, in seconds, for processing a single command in the Expect data collection.

Default= 120 (seconds)

FailCLIOnMissingUIDs

Determines whether the CLI is generated even in case of missing UIds in Cisco PIX devices.

Possible values:

  • yes (default): CLI generation fails in case of missing UID
  • no: CLI is generated even if there are missing UIDs

Fetch_Primary_Routing

Determines backplane interface between VRs to provide interconnection in order to route traffic when primary routing table is specified.

Note: this parameter is relevant for Juniper (SRX)

Possible values:

  • yes: Backplane interface is enabled

  • no (or left blank): (default) Uses loaned interface logic

FGATE_ENABLE_PROXY_POLICY_LOG_PARSING

To enable support for audit/traffic logs with policytype="proxy-policy", do the following:

  1. Add the parameter FGATE_ENABLE_PROXY_POLICY_LOG_PARSING=yes.

  2. Run the Edit>Next operation on the FortiGate/FortiManager device.

  3. In geographic distribution environments, run the Edit>Next operation on those devices that represent the individual collectors (CM, RAs) to enable configuration changes.

FIP_MAX_DEVICES_SEARCH_PATHS_FOR_DESTINATION_ANY

Defines a maximum number of devices for which to run a query with a FIP destination of any.

Default= 100

FIP_Group_Names_To_Skip

ASMS uses a Firewalls in Path (FIP) algorithm to identify the relevant devices for TSQ. Sometimes members of a group of devices are not found in the path. Use this parameter to force TSQ to go through the devices in the specified group(s).

  • Usage: FIP_Group_Names_To_Skip=group1,group2,group3

In this example, any TSQ executed on groups group1, group2, or group3 will go through all the devices that exist in those groups.

FireFlowXmlEncoding

Determines whether FireFlow XML change files are encoded as UTF-8 or ISO-8859-1.

Possible values:

  • UTF-8 (default)
  • ISO-8859-1. Supports Latin characters

ForceErrorEmailsToAdmins

  • yes: Disable emails sent to admin users

  • no (default): Emails containing errors (EG license expiration,disk space exhaustion, etc) are always sent to admin users

FORTIMANAGER_Auto_Tree_Update_Enabled

This parameter impacts the general behavior for FortiManager and the managed FortiGate/VDOMs throughout the system.

By default, this property is not defined.

  • no (default): Do not automatically add or remove FortiGate/VDOMs for Fortinet FortiManager devices in the AFA devices tree.

  • yes: Automatically add or remove FortiGate/VDOMs for Fortinet FortiManager devices in the AFA devices tree.

    Note: When removing FortiGate devices or VDOMs on the FortiManager, existing history will be lost (reports, change history, etc.).

FORTIMANAGER_ADOM_UNATTACHED_OBJECTS

  • true: Calculate unattached objects (under report's POLICY OPTIMIZATION section) based on all Adom policies for Fortinet FortiManager devices

  • false (default): Do not perform this calculation

FULL_ADV_SEARCH_MAX_RESULTS

Defines the maximum number of rules returned by the Advanced Policy Search-Full API. If exceeded, the search is aborted and an error message is displayed.

  • Default= 5,000 (rules) for Advanced Policy Search-Full API.

Note: The actual maximum number of rules returned will be the lower value between ADV_SEARCH_MAX_RESULTS parameter and FULL_ADV_SEARCH_MAX_RESULTS. See ADV_SEARCH_MAX_RESULTS.

FWFiles_Directory

Defines the path of the Analyze from file firewalls.

Default=  $HOME/algosec/fwfiles

Group_Query_Print_Missing_Paths

Whether to display missing paths table in group query result (useful for FIP troubleshooting)

  • yes

  • no (default)

hide_change_details

Determines whether to omit change details from emails about new reports and change alerts, for all users.

Possible values:

  • yes: Hides change details for all users. Emails about new reports and change alerts include only the device name and a link to AFA.
  • no. Change details are displayed for all users.

    Change this setting per user with the Hide change details checkbox. For details, see Manage users and roles in AFA.

IGNORE_NON_LOCAL_ROUTES_IF_DIRECTLY_CONNECTED

For devices with source-based routing, routing priority can be set as follows:

  • true (default): Prioritize direct device connection over non-local routes

    false: Prioritize non-local routes over direct device connection

IPT_Density_Action_Limit

The maximum density of a sparse object. When this limit is exceeded, the object is considered semi-dense.

Default= 50

IPT_Ranges_Number

Divide each hostgroup range to this number of parts. (default is 256)

IPT_Recommendation_Max_Ranges

Defines the maximum number of CIDR blocks into which IPT will recommend splitting a host object, if the original object contains more IP addresses/ranges than defined in IPT_Recommendation_Max_Subnets_Per_Range.

Default= 20

IPT_Recommendation_Max_Services

The maximum number of services or applications from which IPT will recommend composing a new object.

Default= 20

IPT_Recommendation_Max_Subnets_Per_Range

Defines the maximum number of CIDR blocks into which IPT will recommend splitting a host object.

IPT recommends creating a new object only when the number of used IP addresses/ranges is smaller than the defined number.

Default= 4

Junos_Parallel_Monitoring

Determines whether to change from sequential to parallel monitoring for Juniper SRX firewalls.

Possible values:

  • false (default): Sequential monitoring

  • true: Parallel monitoring

L

Locate_in_rules_include_any

Determines whether rule search results include rules that contain the searched IP only in Any source or destination.

Possible values:

  • yes: Rules results include rules where the searched IP address is found in Any source or destination
  • no (default): Rule results do not include rules where the searched IP address is found in Any source or destination

LOCK_WAIT_FREQUENCY

Defines how often the Check Point and IOS data collection lock file is sampled, in seconds.

The value of this parameter, multiplied by the value of the MAX_LOCK_WAIT parameter equal the total wait time for IOS devices.

Default= 10 (seconds)

Log_Analysis_Days_Before

Defines the analysis log lookup, in days.

Default= 60 (days)

Log_Analysis_Months_Before

Defines the time period for which traffic database is retained, in months. Traffic logs older than the defined value are deleted.

Default= 12 (months)

Log_Time_Interval_Minutes_Before_Error

Defines the time period, in minutes, before which a device's log collection status is set to failure, in case log collection finds no new logs for a specific server for one of the following reasons:

  • No logs have arrived to the log server. This may be an issue in the customer environment.
  • No logs were found for the target devices. This may be an AFA misconfiguration or error.

Default= 180 (minutes)

Log_Timeout_Minutes

Defines the timeout for the entire log collection process, in minutes.

Default= 900 (15 hours)

LowDiskSpaceThreshold

Threshold in MBs, for sending 'low disk space on AlgoSec server' alerts (E-mail + syslog). Even if available disk space less than this value, the operation continues. Checked before space consuming operations such as analysis / log collection / monitoring. (Default = 10000 (10GB))

M

mailSuffix

Defines an email address to use as a default if a new or edited user email address is left empty.

Default= null

MAP_BLACK_LIST

Determines whether to ignore defined devices in AFA when creating the map.

Default= null

Max_Characters_Excel_Cell

When you export a Changes Summary Report to an XLS file, the maximum number of characters allowed in a cell is limited to 255 (default). If there are more than 255 characters, the additional characters are moved to a tool tip that is accessed by hovering over the cell.

By changing the value of this parameter, you can change the maximum characters limit, as long as the new limit is smaller than 255. You cannot exceed the limit of 255 characters per cell.

MAX_LOCK_WAIT

Defines a time to wait for the Check Point, IOS, or NSM data collection lock file, in seconds.

Default= 7200 (2 hours)

MAX_LOCK_WAIT_NSC

Defines a time to wait for the NSC data collection file, in seconds.

Default= 7200 (2 hours)

Max_Parallel_Analyses

Determines the maximum number of analyses that are allowed to run in parallel.

Default: The number of CPUs on the machine.

Max_Parallel_Logcollect

Determines the maximum number of log collections running in parallel.

Possible values:

  • Positive integers
  • 0: unlimited

Max_Parallel_Monitor

Max monitors to run in parallel.

If not set - monitor will go according to Max_Parallel_Analyses.

Max_Rows_To_Sort

Determines whether sorting and filtering in AFA report tables is enabled, and if so, for how many rows.

Sorting and filtering large tables may take a long time.

Possible values:

  • Integer, 1 or greater. Defines the maximum number of rows for which sorting and filtering can be performed.
  • 0: Sorting and filtering is disabled.

Default= 10,000

MGMT_ROUTING_FREQUENCY

Defines the frequency of routing information collection for management devices, such as Panorama, in minutes.

Default= 60 (minutes)

Minimize_Analysis_Logs_History

Use this param to decrease the algosec-support.zip file size and also remove unneeded files from report's directory.

Default= no

Monitor_exclude_PIX

Defines a single regular expression, including a simple string, to exclude from comparisons during monitoring.

Tip: Even though this supports a single regular expression only, define multiple matches using an OR pipe (|). For example: (log\s+in|log\s+out)

Monitor_Force_Data_Coll_Ckp_Min

Defines how often data collection runs on Check Point devices, in minutes, even if no new logs are found.

Default= 720 (minutes)

Monitor_Force_Data_Coll_Cycles_Num

Defines the number of cycles without audit logs before initiating a full monitor cycle with data collection. Not relevant for Check Point and Juniper NSM.

Default: 12

monitor_frequency

Defines how often the monitoring process runs, in hours.

Default= 5 (hours)

If MONITOR_USE_FREQUENCY_AS_HOUR_OF_DAY is set to no, or does not exist, monitor_frequency defines the hour of the day at which the monitoring process runs. In such cases, supported hours include the hours between 2:00-24:00, skipping 1:00.

Possible values: Integer, multiple of 60.

Configure twice-a-day monitoring
To set twice-a-day monitoring, set monitor_frequencey between the value of 120 and 720 following the the examples below.

For example:

  • 60x2 = 120. 120 runs monitoring at 02:00 and 14:00.
  • 60x3 = 180. 120 runs monitoring at 03:00 and 15:00.
  • 60x4 = 240. 240 runs monitoring at 04:00 and 16:00.
  • 60x5 = 300. 240 runs monitoring at 05:00 and 17:00.
  • 60x12 = 720. 720 runs monitoring at 00:00 and 12:00.

Configure once-a-day monitoring

  1. Set the new MONITOR_USE_FREQUENCY_AS_HOUR_OF_DAY configuration parameter value to no, or delete this parameter.
  2. Set the monitor_frequency parameter value to 60x<x>, where <x> is the hour of the day (on the 24-hour clock) at which you want monitoring to run.
    Note: monitor_frequency value must be at least 840.

For example, 60x14 = 840. 840 runs monitoring at 14:00.

MONITOR_USE_FREQUENCY_AS_HOUR_OF_DAY

Determines whether the monitoring schedule is determined using the monitor_frequency parameter as the hour or hours of the day at which monitoring is started.

Possible values:

  • no: Monitoring schedule won't be determined by the monitor_frequency parameter.
    Note: Setting this value to 'no' or deleting it have same effect.
    However, if it is not deleted, it can be used to toggle the use of the monitor_frequency parameter to set the start hours for monitoring.
  • yes: The monitoring process runs at times defined by the monitor_frequency parameter when the value of monitor_frequency is greater than 60 and divisible by 60.

 

MONITORING_HISTORY_DAYS

Defines the number of days to retain monitoring changes.

Default= 90 (days)

N-R

NSM_optimizations_per_policy

Determines whether to show policy optimization items for all the rules in a policy, and not only for those that have the analyzed device in their target.

Possible values:

  • Yes: Optimizations shown for all rules in policy
  • No (default): Optimizations shown only for rules that have the analyzed device in their target

Num_Of_Status_Recent_Reports

Number of recent reports to show in status page. Set to 0 to show only running analyses in the status page. (Default = 10)
Number_of_covered_rules_per_page

Determines the number of covered rules to display on each page of the Policy Optimization - Covered Rules report.

Possible values: 10 (default) - 500

Note: After setting the parameter, rerun the analysis to update the Policy Optimization results.

PA_URL_CAT_DNS_LIMIT

Determines the max number of URLs parsed (relevant only to EDL type URL).

  • Default is 500

PAN_EDL_COLLECT_TIMEOUT

Determines the max time to wait (in seconds) for retrieving response from an EDL list source.

  • Default is 10 (seconds)

Panorama_Prefer_Other_Objects_Over_Url_Category

When a Panorama local object has the same name as a shared URL category, set this parameter to true to force AFA to prefer the local object instead of the shared URL category.

Possible values:

  • true

  • false (default)

Policy_Tab_Limitation

The max rules to show on the Policy tab. Default value for supported browsers 1000 and less. This value can be overwritten by adding this parameter.

Policy_Tab_Rules_Per_Page

Number of rules per page for the paging of the policy tab (Default = 10).

PrioritizeFIPDestination

Determines if routing queries and traffic simulation queries prioritize paths that begin and end with a subnet (and not a cloud) for destinations.

  • yes (default): Enables the preference for subnets in destinations
  • no: Disables the preference for subnets in destinations

PrioritizeFIPSources

Determines whether subnets are prioritized for sources in routing and traffic simulation queries.

Possible values:

  • yes (default): Subnets are prioritized for sources
  • no: Subnets are not prioritized for sources

Query_Disable_NAT_Logic

If a query destination can be reached by a NAT rule, AFA replaces the query destination to * and then intersects with the destination. This way, even if given the post-NAT address, the query will find the relevant rules.

  • yes (default): Disable this replacement

  • no: Enable this replacement

Query_Disable_NAT_Print

  • yes: Disable print of NAT rules in query results

  • no: Enable print of NAT rules in query results

Query_Timeout

Defines the timeout for a single query, in seconds.

Default= 15 (seconds)

QueryByPolicy

Determines whether traffic simulation group query results include all devices in device groups, or are grouped by policy with a single representative device for each policy.

Note: This setting affects group traffic simulation query results and batch traffic simulation query results. It also affects initial plan query results in FireFlow.

Possible values:

  • yes: Display group query results by policy
  • no (default): Do not group query results by policy

RADIUS_FetchData

Determines whether to fetch data and groups from LDAP for users authenticated by a Radius server.

Default= no

REMOVE_DELETED_DEVICE_REPORTS

Determines whether to remove reports for all deleted devices.

Possible values:

  • Yes: Remove reports for deleted devices
  • No: Keep reports for deleted devices

RISK_CHECK_API_RISK_PROFILE

AppViz uses an improved method for finding risks for traffic flows. In order to determine the risk profile used by the new method, you need to define this global parameter.

If not set, the risk profile used in the last completed report is used for the AppViz risk calculation.

If not set, and there is no last completed report, by default the Standard risk profile will be used.

There are two options:

  1. Standard (default)
  2. Risk profile name in format: [name].xml. For example, RiskProfile1.xml

Routing_Element_Monitor_Frequency

Determines the frequency for which to run monitoring on routing elements, in minutes.

Default= 5

Rule_Selection_Limit

Defines the maximum number of rules allowed to be selected for a single FireFlow change request.

Tip: Avoid using large numbers to prevent performance issues in FireFlow.

Default= 50

run_full_data_collection_always

Relevant for Palo Alto, Juniper SRX, McAfee SideWinder, Cisco ASA/PIX/FWSM brands:

  • no (default): Data collection (routing table, policy rules) is performed only if the device configuration changed
  • yes: Data collection will always be performed (without validating if the device configuration changed before)

S-W

Parameter name Description

SCORE_MAXIMAL_RED

Number between 1-99 that defines the point in which the red stops and the yellow starts in the Security Rating Slider (Default = 30)

SCORE_MINIMAL_GREEN

Number between 1-99 that defines the point in which the yellow stops and the green starts in the Security Rating Slider. (Default = 70)

Security_Rating_Max_Days

Maximum days before current day to display in the security rating graph. (Default = 180 days)
SG_MEMBERS_TO_NAMES

Creates a one-to-one mapping between PBR (policy based redirect) configuration and devices added in AFA.

Example:

To map a PBR (pbr_name1) to 2 AFA devices and map a second PBR (pbr_name2) to a third AFA device:

pbr_name1:afa_device_name1, pbr_name1:afa_device_name2, pbr_name2:afa_device_name3

SharedSyslogConfigRAs

Allows nodes (Remote Agents / Central Manager) to receive syslog messages for devices they do not directly manage.

  • By default this parameter is not configured.

  • The value format of this parameter is: [Remote Agent1 name], [Remote Agent2 name], [Remote Agent3 name], ...

  • For the Remote Agent name, use the name of the node as it appears in Administration > Architecture in ASMS.

  • When you specify Remote Agents to sync, the Central Manager is implicitly included. You do not need to define it.

For example:

Device syslog configurations are synced between the Central Manager and Remote Agent RemoteOne:

SharedSyslogConfigRAs = RemoteOne

Device syslog configurations are synced between the Central Manager, and Remote Agents RemoteOne and RemoteTwo:

SharedSyslogConfigRAs = RemoteOne,RemoteTwo

Note: After first setting the configuration, edit any device on each Remote Agent to synchronize its configuration with other Remote agents in the shared group.

Note: When this parameter is set, define on the device the node to where the syslog message will be sent.

Show_DeviceNet_Threshold

The maximal number of elements shown when the map initially loads or when it is refreshed. (Default= 500).

SHOW_ONLY_NODES_IN_PATH

Determines whether the network map shown in query results shows only the nodes in the network path, without surrounding devices and objects.

Possible values:

  • yes: Shows only the nodes in the network path queried, including stub routers, clouds, subnets, and so on.
  • no (default): Shows the nodes in the network path queried, and also surrounding devices and objects.
SHOW_REGIONS_WITHOUT_ASSETS_AWS

This parameter is currently in Early Availability. See SHOW_REGIONS_WITHOUT_ASSETS_AWS.

SHOW_UNASSIGNED_SECURITY_GROUPS_AWS

Determines whether or not security groups which do not have EC2 resources under them will be displayed in the AFA Device Tree. Not including these security groups in the tree may impact the map content, TSQ, and AFF recommendations.

  • true: Show security groups with no EC2 resources under them. These security groups will be displayed in the AFA Device Tree under the section 'Unassigned security groups'

    Note: 'Unassigned security groups' in this case refers to security groups that are

    • Not assigned to any instance or

    • Assigned to objects that are not EC2 resources (for example, lambda function, RDS, etc).

  • false (default): Show only security groups with EC2 resources under them

Note: If a region has no EC2 resources under any VPCs, see SHOW_REGIONS_WITHOUT_ASSETS_AWS.

Skip_Packages

For Check Point devices R80 and higher we collect all packages during data collection by default. But some of the packages are not related to device or may not be fully configured, causing analysis to fail.

Set the value of this parameter to the package names to skip. Use a comma (",") as the separator between package names.

SKIP_RISKY_RULES_VULNERABILITIES

Determines whether or not vulnerability information will be skipped for the analyzed devices.

When enabled, analysis time is optimized (especially for devices with large number of rules) and vulnerability information in the log file is reduced.

Possible values:

no (default): Collect vulnerability information

yes: Do not collect vulnerability information

Skip_unattached_objects_in_report

Exclude unattached objects from the device report by setting this parameter to yes.

(By default, this property is not defined)

  • To exclude all devices: Add the property 'Skip_unattached_objects_in_report=yes' as a global parameter from within the Advanced Configuration section from Adminstration on ASMS.

  • To exclude specific devices: Add the property 'Skip_unattached_objects_in_report=yes' to the 'fwa.meta' file of the specific device. The property can be defined for parent devices, child devices, or both.

    The path for the CLI files is /home/afa/.fa/firewalls/<select relevant firewall>/fwa.meta.

SMTPUseSSLEnhanced

Adds support for TLS1.1 & 1.2 to SMTP Emails.

  • yes: Add support

  • no (default): Support not added

SpreadhSheetImportRiskSeverity

The severity of the risks imported from spreadsheet (case insensitive). Can be one of: Ignore

  • Low

  • Medium (default)

  • Suspected high

  • High

SRX_parse_Tunnels_WithIp_As_L3

If SRX tunnels are not created correctly, add this parameter to parse the tunnels as layer 3 interfaces instead of layer 2 interfaces.

SRX_parse_Tunnels_WithIp_As_L3=yes

syslog_dump_interval

Defines the maximum amount of time between syslog collection and memory dump to files, in minutes.

TarFormat

Determines support file download attributes.

  • zip: AFA creates zip files for download.
  • tar: AFA creates tar files for download.
  • tgz (default): AFA creates tgz files for download.
  • extended_tgz: AFA creates an extended tgz file for download. Use this option when you have devices with names that are longer than 100 characters.

trust_rfc1918

Determines that risk calculation is skipped for private networks. This means that most Z## risks will not be triggered.

Possible values:

  • yes (default): Skipped for private networks
  • no: Private networks are included in risk calculation

TSQ_DIRS_LIMIT

Maximum number of queries (query-xxx) folders that can be created under reports and monitor directories.
Default= 2000

Tsq_dirs_Expiration_Hours_Time

Maximum number of hours query-xxx folders persist. Affects auto-remove and disk space usage.
Default= 48 (hours)
Note: This parameter cannot be set to 0.

TSQ_HIDE_RESOLVE_BUTTON

Disables the "Resolve" button on the TSQ results page.

  • yes: Disable the "resolved" button

  • no (default)

Uncheck_Parent_Addition_Checkbox

Determines whether or not the Add selected devices and their sub-hierarchies to the group checkbox is selected by default when adding a group to AFA:

  • yes (default): The checkbox is not selected

  • no (or not configured): The checkbox is selected

URLCat_Use_If_Dest_Not_ANY

Controls how the URL Category is considered when the destination is not 'any' and there are URL Categories defined.

  • no (default): URL Categories are not considered. Values in the destination field are.

  • yes: URL category is considered.

Use_Custom_Report

Determines whether custom report pages are enabled.

For more details, see Custom report pages.

Possible values:

  • yes (default): Enable custom reports (when a custom report has been created and installed)
  • no: Disable custom reports, preventing any custom reports from appearing in AFA reports

Use_Nexus_Wildcards

Determines whether Traffic Simulation Query results on Cisco Nexus devices use wildcard IP ranges.

Possible values:

  • yes: Wildcard IP ranges are included
  • no (default): Wildcard IP ranges are not included

VALIDATE_USER_ROUTING_URT

Applicable to Cisco PIX only. When set to "yes", AFA produces a log message for any interface in the .urt file that does not exist in user_routing.urt.

WEBGUI_SESSION_LENGTH

Defines the maximum length of a UI session that is not active, in minutes. Any session that goes on for longer than the defined setting is automatically ended.

Default= 300 (minutes)