Pre-Change Policy Analysis

Describes the pre-change policy analysis.
The Security policy rule pre-change analysis includes two functions:
  • New Intent Satisfaction Analysis: Checks whether the intent of a new Security policy rule is already covered by an existing rule.
  • Security Policy Anomaly Analysis: Checks whether the Security policy rule has shadows, redundancies, or other anomalies.
Before you begin:
  1. From AIOps for NGFW, select Posture > Policy Analyzer > Pre-Change Policy Analysis.
  2. At the top of the Policy Analyzer page, select the Panorama instance containing the policy rules that you need to analyze.
  3. Start a Security Policy Analysis
Perform the following steps to start a new analysis:
  1. Enter Analysis Name and Analysis Description.
    On a Panorama appliance, device groups are hierarchical. There are four levels of device groups that you can create and you assign NGFWs to the device group at the lowest level of the hierarchy. The policy that you create at a higher level is then inherited by all the device groups under it.
    You can run the analysis for up to ten device groups with NGFWs directly assigned to them, which allows you to analyze all the policy rules that are pushed to that set of directly assigned NGFWs.
  2. Select an existing security policy set to analyze.
    You can select a maximum of ten device groups per analysis.
  3. Specify the type of analysis by selecting one or more analysis types:
    • New Intent Satisfaction Analysis
    • Security Policy Anomaly Analysis
    Add New Security Rule Intent for analysis.
    Specify information about the new security rule, and AIOps for NGFW can check if existing rules cover the intent.
    Enter the values for the components of a security policy rule. The default value for the fields related to a security rule is “Any”.
    the settings.
    Review the summary of the new security rule intent.
    You can create up to 10 new security rules, or you can copy a rule and edit it.
  4. Submit Analysis Request or Save As Draft to edit the rule at a later time.
    View the status of an analysis on the Policy Analyzer page under Analysis Requests.
    You can cancel a rule whose status is in-progress and it will be shown as Cancelled.
    After the analysis is complete, view the analysis report.
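
The two analysis types described above, reduced to set comparisons over a first-match rulebase. This is an added example, not part of the original page and not the algorithm AIOps for NGFW uses. The rule names, zones, field list, and the definitions of "shadow" (a higher rule with a different action matches all of a lower rule's traffic) and "redundancy" (the same, with the same action) are assumptions.

```python
from dataclasses import dataclass, field

ANY = "any"  # default value of every rule field, as stated on the page
FIELDS = ("src_zone", "dst_zone", "source", "destination", "application")

@dataclass
class Rule:
    name: str
    action: str                                # "allow" or "deny"
    match: dict = field(default_factory=dict)  # field -> set of values; absent = Any
    def values(self, f):
        return set(self.match.get(f, {ANY}))

def covers(outer, inner):
    """True if every session that matches `inner` also matches `outer`."""
    return all(ANY in outer.values(f) or
               (ANY not in inner.values(f) and inner.values(f) <= outer.values(f))
               for f in FIELDS)

def overlaps(a, b):
    """True if at least one session can match both rules."""
    return all(ANY in a.values(f) or ANY in b.values(f) or a.values(f) & b.values(f)
               for f in FIELDS)

def intent_satisfied(rulebase, intent):
    """Name of the existing rule that already gives `intent` its action, else None."""
    for rule in rulebase:  # top-down, first match wins
        if rule.action != intent.action and overlaps(rule, intent):
            return None    # an earlier rule takes the opposite action on this traffic
        if covers(rule, intent):
            return rule.name
    return None

def anomalies(rulebase):
    """(kind, earlier, later) for each rule fully matched by a rule above it."""
    found = []
    for i, later in enumerate(rulebase):
        earlier = next((r for r in rulebase[:i] if covers(r, later)), None)
        if earlier is not None:
            kind = "redundancy" if earlier.action == later.action else "shadow"
            found.append((kind, earlier.name, later.name))
    return found

RULEBASE = [  # constructed sample rulebase with hypothetical names, evaluated top-down
    Rule("allow-web", "allow", {"src_zone": {"trust"}, "application": {"web-browsing", "ssl"}}),
    Rule("deny-guest", "deny", {"src_zone": {"guest"}}),
    Rule("allow-ssl", "allow", {"src_zone": {"trust"}, "application": {"ssl"}}),
    Rule("allow-guest-dns", "allow", {"src_zone": {"guest"}, "application": {"dns"}}),
]
```

The intent check is conservative: it reports an intent as satisfied only when a single existing rule covers it, not when several rules cover it jointly.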
