Policy Analyzer and Optimizer

The AI Assistant identifies gaps and inconsistencies within firewall rules, providing administrators with detailed insights into anomalies or potential issues. This allows administrators to quickly address security vulnerabilities, ensure compliance, and optimize the overall effectiveness of their firewall policies. The rules can be:

  • Mergable Rule: Rules that can be combined or consolidated because they share similar criteria or actions. For example, if two or more rules apply to the same source, destination, or protocol, but have redundant or overlapping conditions, they can be merged to reduce complexity and improve the overall efficiency.

  • Expired Rule: Rules that are no longer active because they have passed a predefined expiration date or time limit.

  • Object Overlap: An element in a field of a rule is a subset of one or more elements in the same field of the rule. For example, the source field might include a network object for 10.1.1.0/24, and another object for the host 10.1.1.1. Because 10.1.1.1 is within the network covered by 10.1.1.0/24, the object for 10.1.1.1 is redundant and can be deleted, simplifying the rule and saving device memory.

  • Duplicate/Redundant Rule: Two rules apply the same action to the same type of traffic and removing the base rule would not change the ultimate result. For example, if a rule permitting FTP traffic for a particular network were followed by a rule allowing IP traffic for that same network, and there were no rules in between denying access, then the first rule is redundant, and you can delete it.

  • Shadowed Rule: This is the reverse of a redundant rule. In this case, one rule will match the same traffic as another rule such that the second rule will never be applied to any traffic because it comes later in the access list. If the action for both rules is the same, you can delete the shadowed rule. If the two rules specify different actions for traffic, you might need to move the shadowed rule or edit one of the two rules to implement your desired policy. For example, the base rule might deny IP traffic, and the shadowed rule might permit FTP traffic, for a given source or destination.

  1. The AI Assistant continuously monitors and analyzes your firewall rules. You can prompt the Assistant to analyze current policies for gaps or inefficiencies (e.g., "Analyze rules for redundant configurations").

  2. The AI Assistant flags any redundant, duplicate, or conflicting rules that could be optimized. It provides suggestions on merging or updating rules to streamline firewall performance.

  3. Based on the analysis, the AI Assistant recommends optimizations, such as removing obsolete rules, adjusting configurations, or tightening access control for better security.

Note

If the AI Assistant detects expiring rules or performance issues within a policy, it automatically generates alerts to prompt timely actions from the administrator.

You can click on View Details.

Tip

Sample Prompts

  • Identify any inconsistencies in my firewall rules.

  • Show me gaps in current firewall policy configurations.

  • Are there any redundant or conflicting rules in my firewall setup?

Resolve Policy Abnormalities

Administrators can address policy rule gaps efficiently using the AI Assistant. With its help, they are able to:

  • Disable all the policy rules that are redundant, shadow rules, and expired.

  • Remove all the policy rules that are redundant, shadow rules, and expired.

  • Merge all the policy rules that are redundant.

Note

In case performing any of these actions does not resolve the issue, you can create a support ticket to contact Cisco Support Team.