Pre-Change Policy Analysis
Describes the pre-change policy analysis.
Where Can I Use This?
  • NGFW (PAN-OS or Panorama Managed)
  • VM-Series, funded with Software NGFW Credits (when managed using Panorama)
  • Prisma Access (Panorama Managed)
What Do I Need?
  • AIOps for NGFW Premium license (use the Strata Cloud Manager app)
The Security policy rule Pre-Change analysis performs the new intent satisfaction analysis:
  • New Intent Satisfaction Analysis: Checks whether the intent of a new Security policy rule is already covered by an existing rule.
Before you begin:
  1. Go to Manage > Security Posture > Policy Analyzer > Pre-change Policy Analysis.
  2. At the top of the Policy Analyzer page, select the Panorama instance containing the policy rules that you need to analyze.
  3. Start a Security Policy Analysis.
Perform the following steps to start a new analysis:
  1. Enter Analysis Name and Analysis Description.
    On a Panorama appliance, device groups are hierarchical. You can create four levels of device groups, and you assign NGFWs to the device group at the lowest level of the hierarchy. Policy that you create at a higher level is then inherited by all the device groups under it.
    You can run the analysis for up to 10 device groups with NGFWs directly assigned to them, which allows you to analyze all the policy rules that are pushed to that set of directly assigned NGFWs.
  2. Select an existing Security policy set to analyze.
    You can select a maximum of 10 device groups per analysis.
  3. Specify the type of analysis by selecting one or more analysis types:
    • New Intent Satisfaction Analysis
    Add New Security Rule Intent for analysis.
    Specify information about the new security rule, and AIOps for NGFW can check if existing rules cover the intent.
    Enter the values for the components of a security policy rule. The default value for the fields related to a security rule is “Any”.
    Save the settings.
    Review the summary of the new security rule intent.
    You can create up to 10 new security rules, or you can copy a rule and edit it.
  4. Submit Analysis Request or Save As Draft to edit the rule later.
    View the status of an analysis on the Policy Analyzer page under Analysis Requests.
    You can cancel a rule whose status is in-progress; it is then shown as Canceled.
    After the analysis is complete, view the analysis report.
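To make concrete what "the intent of a new Security policy rule is already covered by an existing rule" means, the following added example (not Palo Alto Networks code, and not how AIOps for NGFW implements the analysis) models the check as a field-by-field containment test over a top-down, first-match rulebase. The Rule model, field names, verdict strings and sample rulebase are assumptions constructed for illustration; unset fields default to "any", as the procedure above describes.

```python
import ipaddress
from dataclasses import dataclass

ANY = ("any",)  # page: unset rule fields default to "Any"
NET_FIELDS = ("src_addr", "dst_addr")
FIELDS = ("src_zone", "dst_zone", "application", "service") + NET_FIELDS

@dataclass(frozen=True)
class Rule:  # hypothetical, simplified rule model
    name: str
    action: str = "allow"
    src_zone: tuple = ANY
    dst_zone: tuple = ANY
    src_addr: tuple = ANY  # CIDR strings
    dst_addr: tuple = ANY
    application: tuple = ANY
    service: tuple = ANY

def _nets(values):
    return [ipaddress.ip_network(v) for v in values]

def _covers(field, old, new):
    """True if every value the new intent names is inside the existing field."""
    if old == ANY or new == ANY:
        return old == ANY
    if field in NET_FIELDS:  # conservative: each new net must sit inside one old net
        return all(any(n.version == o.version and n.subnet_of(o) for o in _nets(old))
                   for n in _nets(new))
    return set(new) <= set(old)

def _overlaps(field, old, new):
    if old == ANY or new == ANY:
        return True
    if field in NET_FIELDS:
        return any(n.overlaps(o) for n in _nets(new) for o in _nets(old))
    return bool(set(new) & set(old))

def analyze_intent(intent, rulebase):
    """Walk the rulebase top-down (first match wins); return (verdict, rule name)."""
    earlier = []  # rules above the covering rule that catch part of the intent
    for rule in rulebase:
        pairs = [(f, getattr(rule, f), getattr(intent, f)) for f in FIELDS]
        if all(_covers(*p) for p in pairs):
            clash = [r.name for r in earlier + [rule] if r.action != intent.action]
            return ("conflict", clash[0]) if clash else ("satisfied", rule.name)
        if all(_overlaps(*p) for p in pairs):
            earlier.append(rule)
    return ("partial", earlier[0].name) if earlier else ("not_satisfied", None)

RULEBASE = [  # constructed sample policy, top rule evaluated first
    Rule("block-telnet", action="deny", application=("telnet",)),
    Rule("web-out", src_zone=("trust",), dst_zone=("untrust",),
         src_addr=("10.0.0.0/8",), application=("web-browsing", "ssl")),
]
```

A "satisfied" verdict means the proposed rule would be redundant, while "conflict" and "partial" identify the existing rule to review before adding it.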