Known issues affecting CloudFlow

Note: In our technical documentation, we use the term "Azure Firewall" to refer to Azure Firewall (Policy-based) devices, distinguishing it from Azure Firewall (Classic).

General

  • The procedure for enabling flow logging for multiple Azure NSGs using a PowerShell script (provided by CloudFlow) is not applicable to NSGs that are part of a scale set. Flow logs for NSGs that are part of a scale set can instead be configured manually.
  • AlgoSec supports the following capabilities for Azure Firewall:

    • Policy visibility

    • Risks

    • Rule usage

    • Traffic Simulation Query

    However, only policy visibility is supported for Azure Firewall (classic).

  • ASMS Connectivity Check from CloudFlow:

    • Is supported only for Azure NSG policies

    • Is not supported in the cases of:

      • AWS SG policies

      • Azure Firewall & Azure Firewall (classic)

      • Google Cloud Projects

      • Service tags having no IPs: AzureLoadBalancer, GatewayManager

      • NSG rules containing an ASG (Application Security Group) that is not connected to any NICs (Network Interface Controllers)

      • VNETs having no IPs

  • All AlgoSec SaaS products connect to the same Kafka host. Multi-zone is not supported. To change a Kafka host, see this AlgoPedia article.

  • NACL policy visibility, risks and changes are not supported.

  • Support for Azure Firewall requires ASMS build version A32.60.260-94 or higher.

  • For NSG TSQ and FireFlow support, if using ASMS A32.60, upgrade to build version A32.60.260-94 or higher; no upgrade is needed for versions A32.50 or below.

Risks

  • Affected assets are not calculated for Azure Firewall.

  • On the Risks page, tag filtering does not support Azure Firewalls.

  • After activating or suppressing a risk, the Risks page must be refreshed via the browser to properly display the current risk severity.

  • Risk calculations do not consider the content within Service Tag objects of the following types: VirtualNetwork, AzureLoadBalancer, and Internet.

  • Risks are not supported for Azure Firewall (classic).

  • For risks that are calculated using ASMS risk profiles:

    • Remediation is not shown in CloudFlow

    • ASMS does not calculate risks for deny rules

    • ASMS does not calculate risks for Google Cloud

Inventory

  • On the Inventory page, CloudFlow does not display shared VPCs for the Participant account.

Manage network policy sets

  • AWS shared VPC Flow logs are collected only for the owner account. For the participant accounts, flow logs are not collected and "Flow logs disabled" is displayed in the Last Used column.

  • For Google Cloud:

    • CloudFlow supports Organization Firewall Policy, Folder Firewall Policy, and VPC Firewall Rules, but does not support Network Firewall Policy.

    • CloudFlow does not support the following operations on the Network Policy page:

      • Policy merge

      • Policy edit

  • For Azure Firewall flow logs: When there are two policies on an Azure Firewall, the Last Used information only refers to the child policy rule usage and not the parent policy.

Fixed Issues

05-Feb-24: Risk severity of outbound “To Any allow ANY Service” rules to public IPs (Risk ID: O01-I-SG) in CloudFlow was changed from High to Critical.