| This sheet explains how to use this documentation. The color codes defined for the task are listed below. The table below lists the sheets, along with an explanation of the filters used and the action needed to remediate each issue. We recommend prioritizing the tasks based on their criticality. | ||||
| Critical | ||||
| High | ||||
| Medium | ||||
| Low | ||||
| Informational | ||||
| Sheet Name | Number of Instances | Explanation | Action Needed | Criticality |
| 1a_NoZPP_UsedinZone | | These are the zones with no Zone Protection Profile applied to them. This reduces visibility on the firewall. We recommend attaching a Zone Protection Profile to all zones. Please review the zones in the sheet and apply the 'Alert_Only_Zone_Protection' profile to them. | Apply the 'Alert-Only_Zone_Protection_Profile' ZPP to the zones mentioned. | Critical |
| 1b_NoLFP_UsedinZone | | These are the zones with no Log Forwarding Profile applied to them. This reduces visibility on the firewall. We recommend attaching a Log Forwarding Profile to all zones. Please review the zones in the sheet and apply the 'default' Log Forwarding Profile to them. | Apply the 'default' Log Forwarding Profile to the zones mentioned. | Critical |
| 2_NoLFP_UsedinRule | | These are the rules with no Log Forwarding Profile attached to them. This reduces visibility on the firewall. We recommend attaching Log Forwarding Profiles to all security rules. Please review the rules in the sheet and attach the required Log Forwarding Profiles to them. | Apply the 'default' Log Forwarding Profile to the rules mentioned. | Critical |
| 3_NoSPG_in_AllowRule | | These are the allow rules that have neither any Security Profile(s) nor a Security Profile Group applied to them. This severely limits the firewall's threat prevention/detection capabilities. We recommend applying the 'Alert-Only' Security Profile Group to all rules mentioned. | Apply the 'Alert-Only' Security Profile Group to the rules mentioned. | Critical |
| 4a_NoVP_in_AllowRule | | These are the allow rules that have at least one Security Profile applied to them, but do not have a Vulnerability Protection Security Profile applied. This severely limits the firewall's threat prevention/detection capabilities. We recommend applying the 'Alert-Only' VP Security Profile to all rules mentioned. | Apply the 'Alert-Only' VP Security Profile to the rules mentioned. | Critical |
| 4b_NoAS_in_AllowRule | | These are the allow rules that have at least one Security Profile applied to them, but do not have an Anti-Spyware Security Profile applied. This severely limits the firewall's threat prevention/detection capabilities. We recommend applying the 'Alert-Only' AS Security Profile to all rules mentioned. | Apply the 'Alert-Only' AS Security Profile to the rules mentioned. | Critical |
| 4c_NoAV_in_AllowRule | | These are the allow rules that have at least one Security Profile applied to them, but do not have an Antivirus Security Profile applied. This severely limits the firewall's threat prevention/detection capabilities. We recommend applying the 'Alert-Only' AV Security Profile to all rules mentioned. | Apply the 'Alert-Only' AV Security Profile to the rules mentioned. | Critical |
| 4d_NoURL_in_AllowRule | | These are the allow rules that have at least one Security Profile applied to them, but do not have a URL Filtering Security Profile applied. This severely limits the firewall's threat prevention/detection capabilities. We recommend applying the 'Alert-Only' URL Security Profile to all rules mentioned. | Apply the 'Alert-Only' URL Security Profile to the rules mentioned. | Critical |
| 4e_NoFB_in_AllowRule | | These are the allow rules that have at least one Security Profile applied to them, but do not have a File Blocking Security Profile applied. This severely limits the firewall's threat prevention/detection capabilities. We recommend applying the 'Alert-Only' FB Security Profile to all rules mentioned. | Apply the 'Alert-Only' FB Security Profile to the rules mentioned. | Critical |
| 4f_NoWF_in_AllowRule | | These are the allow rules that have at least one Security Profile applied to them, but do not have a WildFire Security Profile applied. This severely limits the firewall's threat prevention/detection capabilities. We recommend applying the 'Alert-Only' WF Security Profile to all rules mentioned. | Apply the 'Alert-Only' WF Security Profile to the rules mentioned. | Critical |
| 5a_NoAV_Exists_in_SPG | | These are Security Profile Groups that do not have an AV Security Profile applied. This severely limits the firewall's threat prevention/detection capabilities. We recommend applying the 'Alert-Only' AV Security Profile to all Security Profile Groups mentioned. | Add the 'Alert-Only' AV Security Profile to the Security Profile Groups mentioned. | Critical |
| 5b_NoVP_Exists_in_SPG | | These are Security Profile Groups that do not have a VP Security Profile applied. This severely limits the firewall's threat prevention/detection capabilities. We recommend applying the 'Alert-Only' VP Security Profile to all Security Profile Groups mentioned. | Add the 'Alert-Only' VP Security Profile to the Security Profile Groups mentioned. | Critical |
| 5c_NoURL_Exists_in_SPG | | These are Security Profile Groups that do not have a URL Security Profile applied. This severely limits the firewall's threat prevention/detection capabilities. We recommend applying the 'Alert-Only' URL Security Profile to all Security Profile Groups mentioned. | Add the 'Alert-Only' URL Security Profile to the Security Profile Groups mentioned. | Critical |
| 5d_NoFB_Exists_in_SPG | | These are Security Profile Groups that do not have an FB Security Profile applied. This severely limits the firewall's threat prevention/detection capabilities. We recommend applying the 'Alert-Only' FB Security Profile to all Security Profile Groups mentioned. | Add the 'Alert-Only' FB Security Profile to the Security Profile Groups mentioned. | Critical |
| 5e_NoAS_Exists_in_SPG | | These are Security Profile Groups that do not have an AS Security Profile applied. This severely limits the firewall's threat prevention/detection capabilities. We recommend applying the 'Alert-Only' AS Security Profile to all Security Profile Groups mentioned. | Add the 'Alert-Only' AS Security Profile to the Security Profile Groups mentioned. | Critical |
| 5f_NoWF_Exists_in_SPG | | These are Security Profile Groups that do not have a WF Security Profile applied. This severely limits the firewall's threat prevention/detection capabilities. We recommend applying the 'Alert-Only' WF Security Profile to all Security Profile Groups mentioned. | Add the 'Alert-Only' WF Security Profile to the Security Profile Groups mentioned. | Critical |
| 6_SPG_exists_in_DenyRule | | Security profiles are not needed on deny rules. We recommend removing the groups from the policies mentioned in the list. | Remove the SPG or SPs from the rules mentioned. | Low |
| 7_Log-at-End_Missing_inRule | | These rules are not being logged at session end. We recommend enabling logging at session end for visibility. | Enable 'Log at session end' on all rules mentioned. | Critical |
| 8a_DefaultSec_NoLog-at-End | | These default rules are not being logged at session end. We recommend enabling logging at session end for visibility. | Enable 'Log at session end' on all rules mentioned. | Critical |
| 8b_DefaultSec_No_LFP | | These are the default rules without a Log Forwarding Profile applied to them. This reduces visibility on the firewall. We recommend attaching a Log Forwarding Profile to all security rules. Please review the default rules in the sheet and apply the 'default' Log Forwarding Profile to them. | Apply the 'default' Log Forwarding Profile to the rules mentioned. | Critical |
| 8c_DefaultSec_No_SPG-inAllow | | This is the default allow rule, which has neither any Security Profile(s) nor a Security Profile Group applied to it. This severely limits the firewall's threat prevention/detection capabilities. We recommend applying the 'Alert-Only' Security Profile Group to the default allow rule. | Apply the 'Alert-Only' Security Profile Group to the rules mentioned. | Critical |
| 8d_DefaultSec_SPG-inDeny | | Security profiles are not needed on the default deny rule. We recommend removing the groups from the default deny rule. | Remove the SPG or SPs from the rules mentioned. | Low |