If an enterprise configures hundreds or thousands of access control policies and the policies become increasingly complex, the security administrators of the enterprise find it difficult to troubleshoot policy issues. Cloud Firewall provides the access control policy analysis feature, which automatically analyzes the access control policies configured for the enterprise in a timely and efficient manner. This topic describes how to use the access control policy analysis feature.
Benefits
The access control policy analysis feature can detect invalid, redundant, duplicate, and discrete policies at the earliest opportunity to reduce consumption of your policy quota, reduce costs, and improve policy stability.
The access control policy analysis feature can identify policies that allow high-risk ports or default policies that do not deny all traffic at the earliest opportunity. This helps you configure access control policies and reduces security risks.
The access control policy analysis feature can help you check the items that can affect the effectiveness of the configured policies. The following items are supported:
Policy with no traffic hits
Invalid policy whose source and destination are the same
Duplicate or redundant policy
Policy that conflicts with business
Default policy that does not use the deny-all (whitelist) mechanism
At-risk policy that allows high-risk ports
Policy that is excessively lenient
Quota for access control policy analysis
Quotas in different editions
You can use the access control policy analysis feature free of charge. The following table describes the default quota that is provided for the feature in each Cloud Firewall edition.
Cloud Firewall that uses the pay-as-you-go billing method: 2,000. You can use the quota to analyze access control policies that are created for the Internet firewall, virtual private cloud (VPC) firewalls, and NAT firewalls and the policies that reference address books.
Premium Edition: 3,000. You can use the quota to analyze access control policies that are created for the Internet firewall and NAT firewalls and the policies that reference address books.
Enterprise Edition: 5,000. You can use the quota to analyze access control policies that are created for the Internet firewall, VPC firewalls, and NAT firewalls and the policies that reference address books.
Ultimate Edition: 10,000. You can use the quota to analyze access control policies that are created for the Internet firewall, VPC firewalls, and NAT firewalls and the policies that reference address books.
Quota calculation method
You can use the following formula to calculate the quota that is consumed in access control policy analysis:
Quota = (Number of access control policies + Number of address books) × Number of check items
The Duplicate, Overlap, or Disperse IP Address Book check item does not support access control policies that reference Elastic Compute Service (ECS) tag-based address books.
For example, if a task contains 10 IP address books, 5 ECS tag-based address books, and the Duplicate, Overlap, or Disperse IP Address Book check item, the quota that is consumed by the task is 10 × 1 = 10.
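The formula and the ECS tag-based exception generalize to tasks with several check items. The following Python snippet is an added example, not Cloud Firewall's own code: it computes the consumed quota per check item, counting ECS tag-based address books only for check items that analyze them, and reproduces the 10 × 1 = 10 case above. The CheckItem structure, its per-item flag, and the second check item used for contrast are assumptions of this example.

```python
"""Added example, not Cloud Firewall's own code: estimate the quota a policy
analysis task consumes with the formula stated above, applying the rule that the
Duplicate, Overlap, or Disperse IP Address Book check item does not count ECS
tag-based address books. The CheckItem structure and the second check item are
assumptions of this example."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class CheckItem:
    name: str
    counts_ecs_tag_books: bool  # assumption: whether ECS tag-based books are analyzed


# The page states that only this item excludes ECS tag-based address books.
DUPLICATE_OVERLAP_DISPERSE = CheckItem("Duplicate, Overlap, or Disperse IP Address Book", False)
# Assumed second item, used here only to show the per-item difference.
NO_TRAFFIC_HITS = CheckItem("Policy with no traffic hits", True)


def quota_consumed(policies: int, ip_books: int, ecs_tag_books: int,
                   items: list[CheckItem]) -> int:
    """Quota = (policies + address books) x check items, where ECS tag-based
    address books are counted only for check items that analyze them.
    The policy count is assumed to be counted in full for every item."""
    total = 0
    for item in items:
        books = ip_books + (ecs_tag_books if item.counts_ecs_tag_books else 0)
        total += policies + books
    return total


def fits_remaining_quota(consumed: int, remaining: int) -> bool:
    """True if a task can run without exceeding the edition's remaining quota."""
    return consumed <= remaining


if __name__ == "__main__":
    # The page's own example: 10 IP books, 5 ECS tag-based books, one check item.
    print(quota_consumed(0, 10, 5, [DUPLICATE_OVERLAP_DISPERSE]))
```

Use fits_remaining_quota with the remaining quota shown on the Policy Analysis page before starting a large task; with 200 policies and both check items above, the same books consume 425 of the quota, most of it from the policy count rather than the address books.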
View quota usage
Cloud Firewall provides statistics on quota usage for the access control policy analysis feature, so that you can keep quota usage within the limit of your current edition.
On the Policy Analysis page, you can view various information, including the total number of policies that are checked, the remaining quota for access control policy analysis, the number of unhandled risks, and the distribution of unhandled risks at different boundaries. This helps you identify the risks associated with the policies in your business and rectify the policies.

Check access control policies
Cloud Firewall allows you to check the access control policies that are created for the Internet firewall, NAT firewalls, and VPC firewalls and the access control policies that reference address books.
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
On the Policy Analysis page, find the required check item and click Check in the Actions column.

In the message that appears, click OK.
After the check is complete, the check results are displayed on the Check Item Details page.
Handle check results
After you check the access control policies, you must rectify the policies that do not meet your business requirements based on the check results.
Find the check item and click Details in the Actions column.
On the Check Item Details page, you can view the details of the policies.

Check whether an access control policy meets your business requirements and handle the access control policy.
If the access control policy meets your business requirements, click Ignore. The access control policy is no longer included in subsequent checks.
If the access control policy does not meet your business requirements, rectify the access control policy based on the value of the Optimization Suggestions parameter. Then, click Handle to mark the access control policy as handled.
What to do next
Configure or view access control policies for the Internet firewall. For more information, see Create access control policies for the Internet firewall.
Configure or view access control policies for NAT firewalls. For more information, see Create an access control policy for a NAT firewall.
Configure or view access control policies for VPC firewalls. For more information, see Create an access control policy for a VPC firewall.
Configure address books or view information about address books. For more information, see Manage address books.