Identifying and Fixing Anomalies with Policy Analyzer & Optimizer

You can use the Policy Analyzer & Optimizer to evaluate access control policies for anomalies such as redundant or shadowed rules, and take action to fix discovered anomalies. The Policy Analyzer & Optimizer is hosted in the cloud and is different from the rule analysis available when you are not integrated with the cloud. The non-cloud policy analysis is not available once you integrate with the cloud.
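To make the two anomaly types concrete, here is an added Python illustration of what "shadowed" and "redundant" mean in an ordered access control policy. It is not code from this page or from Policy Analyzer & Optimizer; the rule names, networks and ports are constructed sample data, and the containment check is a deliberate simplification (it flags a later rule only when a single earlier rule fully covers it, not when several earlier rules together do).

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One access control rule. Rules are evaluated top-down, first match wins."""
    name: str
    src: str                       # CIDR or "any"
    dst: str                       # CIDR or "any"
    ports: Optional[FrozenSet[int]]  # destination ports; None means any port
    action: str                    # "allow" or "block"


def _net(cidr: str):
    # "any" is modelled as the whole IPv4 space so subnet_of() works uniformly.
    return ip_network("0.0.0.0/0") if cidr == "any" else ip_network(cidr, strict=False)


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet that matches `later` would already have matched `earlier`."""
    if not _net(later.src).subnet_of(_net(earlier.src)):
        return False
    if not _net(later.dst).subnet_of(_net(earlier.dst)):
        return False
    if earlier.ports is None:        # earlier matches any port
        return True
    if later.ports is None:          # later matches any port but earlier does not
        return False
    return later.ports <= earlier.ports


def analyze(rules: List[Rule]) -> Dict[str, Tuple[str, str]]:
    """Map each anomalous rule name to (anomaly kind, name of the earlier rule that covers it).

    shadowed  - an earlier rule with a different action fully covers it: it can never
                match, and the policy does the opposite of what the rule intends.
    redundant - an earlier rule with the same action fully covers it: it can never
                match, but removing it does not change traffic handling.
    """
    findings: Dict[str, Tuple[str, str]] = {}
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings[later.name] = (kind, earlier.name)
                break                 # first covering rule is enough to explain it
    return findings


def drop_redundant(rules: List[Rule]) -> List[Rule]:
    """Return the policy without redundant rules (behaviour-preserving cleanup).

    Shadowed rules are deliberately kept: removing them also preserves behaviour,
    but they usually signal an ordering mistake that a person should review.
    """
    findings = analyze(rules)
    return [r for r in rules if findings.get(r.name, ("", ""))[0] != "redundant"]


# Constructed sample policy (hypothetical names and addresses).
SAMPLE_RULES = [
    Rule("allow-web", "any", "10.0.0.0/8", frozenset({80, 443}), "allow"),
    Rule("block-host", "any", "10.1.1.5/32", frozenset({80}), "block"),        # shadowed
    Rule("allow-subnet-web", "192.168.1.0/24", "10.2.0.0/16", frozenset({443}), "allow"),  # redundant
    Rule("allow-ssh", "192.168.1.0/24", "10.0.0.0/8", frozenset({22}), "allow"),
    Rule("block-all", "any", "any", None, "block"),
]

if __name__ == "__main__":
    for name, (kind, by) in analyze(SAMPLE_RULES).items():
        print(f"{name}: {kind} (covered by {by})")
    print("after cleanup:", [r.name for r in drop_redundant(SAMPLE_RULES)])
```

Running the block reports that `block-host` is shadowed by `allow-web` (the host block never fires, so the intended exception is silently lost) and that `allow-subnet-web` is redundant to it; `drop_redundant` removes only the redundant rule, mirroring the idea that a redundant rule can be disabled without changing what the policy does, while a shadowed rule needs a decision about ordering.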

The system automatically performs policy analysis on a daily basis (every 24 hours). You can also manually start an analysis. When you initially enable the service, the system starts an analysis of all existing access control policies.

Note

Before optimizing a policy, create a copy of the policy. If you are then dissatisfied with the results of optimization, you can easily reassign the managed devices to the copy and return the system to its starting state.

Before you begin

  • If you have enabled Change Management, Policy Analyzer & Optimizer automatically creates a ticket for the changes, and submits the ticket. The approver must approve the ticket before the changes can be deployed.

  • Policy Analyzer & Optimizer adds rule comments on rules that are updated, disabled, or merged. You can later search on these comments to find optimized rules.

  • Changes implemented by Policy Analyzer & Optimizer are reflected in the audit log as API calls under the default name internaladmin.

Procedure
Step 1

Choose Policies > Access Control heading > Access Control.

If you have already run an analysis, the Anomaly column shows the number of issues in the policy, the percentage by which the policy can be optimized, and the state of the policy analysis, such as Error or Completed. Last Analyzed shows the date and time when the analysis was run.

Step 2

Select one or more policies, then click Analyze Policy.

The analysis runs as a background process in the cloud. When the analysis is complete, the results appear in the Anomaly column.

Notes:

  • You can also start an analysis when editing the policy by selecting Analyze > Policy. Other options from that menu allow you to show hit counts and warnings.

  • If you have not connected to the cloud yet, the explanatory dialog that opens when you click this button includes an Integrate button to help get you started. Policy Analyzer & Optimizer operates in the cloud only.

Step 3

When the analysis is complete, click the % Optimizable link in the Anomaly column to launch Policy Analyzer & Optimizer in the cloud.

When you have done all the actions you want to take, click Apply Remediations (in the cloud). You are shown a confirmation of what will be done. Click Proceed to implement the changes.

If the initial analysis ended in an error, you can instead click Re-analyze to restart the process.

Step 4

Deploy the policy to complete the changes.

If you have Change Management enabled, the approver must first approve the ticket that contains the remediations before you can deploy them.