
Cloud Firewall: Policy analysis

Last Updated: Feb 12, 2026

If your company has hundreds or even thousands of complex access control policies, troubleshooting and locating issues can be a major challenge for security administrators. Cloud Firewall provides an automated policy analysis feature to help you analyze your access control policies promptly and efficiently. This topic describes how to perform access control policy analysis.

Benefits

  • Policy analysis promptly detects invalid, redundant, duplicate, and fragmented policies. This reduces specification usage, saves costs, and improves policy stability.

  • Policy analysis promptly detects risks, such as high-risk ports or default policies that are not deny-all rules. This helps you improve your access control policies and reduce security risks.

Policy analysis helps you check the validity of your current policies. For example, it can identify:

  • Policies with no traffic hits

  • Invalid policies where the source and destination are the same

  • Duplicate or redundant policies

  • Business conflict policies

  • Default policies that do not follow a Deny All whitelist mechanism

  • Risky policies that allow traffic on high-risk ports

  • Control policies that are too loose
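To make the check categories above concrete, here is an added example (not Alibaba Cloud code and not the product's own analysis logic) that applies them to an in-memory list of access control policies. The Policy fields, the first-match evaluation order, the interpretation of "business conflict" as a later policy fully shadowed by an earlier one with the opposite action, and the high-risk port list are all assumptions made for the example.

```python
"""Added example, not Alibaba Cloud code: a small analyzer that applies the
policy-analysis categories listed in this topic (no hits, source equals
destination, duplicate, redundant, conflict, default not deny, high-risk
port, too loose) to an in-memory list of access control policies.  The
Policy fields, first-match evaluation order and the high-risk port list
are assumptions made for the example."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List

# Constructed list of ports treated as high risk for this example.
HIGH_RISK_PORTS = {22, 23, 445, 3389}
ANY_NET = ip_network("0.0.0.0/0")
CATEGORIES = ("no_hits", "same_src_dst", "duplicate", "redundant", "conflict",
              "default_not_deny", "high_risk_port", "too_loose")


@dataclass(frozen=True)
class Policy:
    name: str
    src: str       # source CIDR
    dst: str       # destination CIDR
    proto: str     # "tcp", "udp" or "any"
    ports: str     # "443", "80-443" or "any"
    action: str    # "allow" or "deny"
    hits: int = 0  # traffic hits recorded for the policy


def _net(cidr):
    return ip_network(cidr, strict=False)


def _port_range(ports):
    if ports == "any":
        return 1, 65535
    lo, _, hi = ports.partition("-")
    return int(lo), int(hi or lo)


def _match_key(p):
    return (_net(p.src), _net(p.dst), p.proto, p.ports, p.action)


def covers(broad, narrow):
    """True if `broad` matches every packet that `narrow` would match."""
    blo, bhi = _port_range(broad.ports)
    nlo, nhi = _port_range(narrow.ports)
    return (_net(narrow.src).subnet_of(_net(broad.src))
            and _net(narrow.dst).subnet_of(_net(broad.dst))
            and broad.proto in ("any", narrow.proto)
            and blo <= nlo and nhi <= bhi)


def analyze(policies: List[Policy], default_action="deny") -> Dict[str, List[str]]:
    """Return {category: [policy names]} for an ordered policy list."""
    findings = {c: [] for c in CATEGORIES}
    if default_action != "deny":
        findings["default_not_deny"].append("<default policy>")
    for i, p in enumerate(policies):
        if p.hits == 0:
            findings["no_hits"].append(p.name)
        if _net(p.src) == _net(p.dst):
            findings["same_src_dst"].append(p.name)
        if p.action == "allow":
            lo, hi = _port_range(p.ports)
            if any(lo <= port <= hi for port in HIGH_RISK_PORTS):
                findings["high_risk_port"].append(p.name)
            # "Too loose" here: allow from any source on every port.
            if _net(p.src) == ANY_NET and p.ports == "any":
                findings["too_loose"].append(p.name)
        # Compare against earlier policies: with first-match evaluation, an
        # earlier policy that covers this one means this one never matches.
        for earlier in policies[:i]:
            if _match_key(earlier) == _match_key(p):
                findings["duplicate"].append(p.name)
                break
            if covers(earlier, p):
                same = earlier.action == p.action
                findings["redundant" if same else "conflict"].append(p.name)
                break
    return findings


# Constructed sample policies, evaluated top to bottom.
SAMPLE_POLICIES = [
    Policy("allow-web", "0.0.0.0/0", "10.0.1.0/24", "tcp", "80-443", "allow", hits=1200),
    Policy("allow-web-dup", "0.0.0.0/0", "10.0.1.0/24", "tcp", "80-443", "allow"),
    Policy("allow-web-host", "0.0.0.0/0", "10.0.1.10/32", "tcp", "443", "allow"),
    Policy("deny-rdp", "0.0.0.0/0", "10.0.2.0/24", "tcp", "3389", "deny", hits=30),
    Policy("allow-rdp-admin", "203.0.113.0/24", "10.0.2.0/24", "tcp", "3389", "allow"),
    Policy("loop", "10.0.3.0/24", "10.0.3.0/24", "any", "any", "allow", hits=5),
    Policy("allow-any-inbound", "0.0.0.0/0", "10.0.0.0/8", "any", "any", "allow", hits=99),
]

if __name__ == "__main__":
    for category, names in analyze(SAMPLE_POLICIES, default_action="allow").items():
        print(f"{category:16s} {names}")
```

Each finding maps to one of the bullets above: `allow-web-dup` is a duplicate of `allow-web`, `allow-web-host` is redundant because `allow-web` already covers it, `allow-rdp-admin` conflicts with the earlier `deny-rdp` and therefore never matches, `loop` has the same source and destination, and `allow-any-inbound` is the kind of overly loose rule the console flags.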

Policy analysis specifications

Analysis specifications for different editions

The access control policy analysis feature of Cloud Firewall is free of charge. The default analysis specifications for different editions are as follows:

  • Pay-As-You-Go Edition: 2,000 policies. This is the total number of policies that can be analyzed across the Internet Border, VPC Border, NAT Border, and address books.

  • Premium Edition: 3,000 policies. This is the total number of policies that can be analyzed across the Internet Border, NAT Border, and address books.

  • Enterprise Edition: 5,000 policies. This is the total number of policies that can be analyzed across the Internet Border, VPC Border, NAT Border, and address books.

  • Ultimate Edition: 10,000 policies. This is the total number of policies that can be analyzed across the Internet Border, VPC Border, NAT Border, and address books.

Calculation method

The formula to calculate the number of specifications used for policy analysis is as follows:

Number of specifications used = (Number of access control policies + Number of address books) × Number of check items.

The Duplicate, Overlap, or Disperse IP Address Book check item does not support analysis for ECS tag-based address books.

For example, you have 10 IP address books and 5 ECS tag-based address books for IPv4, and the check item is Duplicate, Overlap, or Disperse IP Address Book. Because this check item does not analyze ECS tag-based address books, only the 10 IP address books are counted, and the number of specifications used for policy analysis is 10 × 1 = 10.
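The following added example (not Alibaba Cloud code) applies the formula per check item so that the ECS tag-based exclusion is accounted for, and compares the result with the edition quotas listed above. The CheckItem type, its counts_ecs_tag_books flag and the second check item name are assumptions for illustration.

```python
"""Added example, not Alibaba Cloud code: computes policy-analysis
specification usage with the formula from this topic and checks it against
the per-edition quota.  The CheckItem type and its counts_ecs_tag_books
flag are assumptions made for the example."""
from dataclasses import dataclass
from typing import List

# Per-edition analysis quota (policies), as listed in this topic.
EDITION_QUOTA = {
    "Pay-As-You-Go Edition": 2000,
    "Premium Edition": 3000,
    "Enterprise Edition": 5000,
    "Ultimate Edition": 10000,
}


@dataclass(frozen=True)
class CheckItem:
    name: str
    # False for the Duplicate, Overlap, or Disperse IP Address Book item,
    # which does not analyze ECS tag-based address books.
    counts_ecs_tag_books: bool = True


def specs_used(num_policies: int, num_ip_books: int,
               num_ecs_tag_books: int, check_items: List[CheckItem]) -> int:
    """Sum of (policies + counted address books) over the selected check items."""
    total = 0
    for item in check_items:
        books = num_ip_books + (num_ecs_tag_books if item.counts_ecs_tag_books else 0)
        total += num_policies + books
    return total


def remaining_quota(edition: str, used: int) -> int:
    return EDITION_QUOTA[edition] - used


DUP_OVERLAP_DISPERSE = CheckItem("Duplicate, Overlap, or Disperse IP Address Book",
                                 counts_ecs_tag_books=False)
NO_TRAFFIC_HITS = CheckItem("Policies with no traffic hits")  # assumed item name

if __name__ == "__main__":
    # The case from this topic: 10 IP books, 5 ECS tag-based books, one check item.
    print(specs_used(0, 10, 5, [DUP_OVERLAP_DISPERSE]))
    # 100 policies with both check items: (100 + 10) + (100 + 15).
    used = specs_used(100, 10, 5, [DUP_OVERLAP_DISPERSE, NO_TRAFFIC_HITS])
    print(used, remaining_quota("Premium Edition", used))
```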

View specification usage

Cloud Firewall provides statistics on policy analysis usage. This helps you monitor the specification usage of your current edition.

On the Policy Analysis page, you can view the total number of policies checked, remaining quota, number of risks to be handled, and the distribution of risk types for different borders. This helps you accurately identify policy risks in your services and make necessary changes.


Check access control policies

Cloud Firewall can check access control policies for the Internet Border, NAT Border, VPC Border, and address books.

  1. Log on to the Cloud Firewall console.

  2. In the navigation pane on the left, choose Prevention Configuration > Policy Optimizer.

  3. On the Policy Analysis page, find the check item you need and click Check in the Operation column.


  4. In the confirmation message, click OK.

    After the check is complete, the results are displayed on the Check Item Details page.

Handle access control check results

After you check the access control policies, modify any non-compliant policies based on the check results.

  1. Find a completed check item and click Details in the Operation column.

  2. On the Check Item Details page, you can view the details of non-compliant policies.


  3. Based on your business needs, confirm whether the policy is appropriate and take action.

    • If it is appropriate, click Ignore. The policy will not be checked again.

    • If it is not appropriate, modify the policy based on the suggestions. Then, click Handle to mark the policy as processed.
