Provides information about pre-change policy analysis reports.
Where Can I Use This?
NGFW (Cloud Managed)
NGFW (PAN-OS or Panorama Managed)
VM-Series, funded with Software NGFW Credits
What Do I Need?
AIOps for NGFW Premium license (use Strata Cloud Manager)
Select an analysis report whose status is completed to view the results of the policy analysis. You can view the following analysis results on the separate tabs:
Intent Satisfaction Results
Security Policy Anomaly Results
Intent Satisfaction Results
From the list of analyses under Analysis Requests, click an analysis to view its analysis results. These results include:
Summary of the analysis with details about device groups and the anomaly count.
Click the name of a device group to view the result of the intent satisfaction analysis:
Intent Fully Met—Your security rule is a duplicate of one of the existing rules in the device group.
Intent Partially Met—Your security rule partially meets the intent of one of the existing rules in the device group.
Intent not met—Your security rule is a unique rule that is not present in the device group. You can add this rule to the device group.
View the results of the analysis for the new security rule intent.
In this example, there are two rules. The intent of the first rule matches fully with existing rules and the intent of the second rule matches partially with the existing rules.
View the details of the new security rule and check the intent satisfaction results.
In this example, all the attributes of the new rule, intent rule 1, match the attributes of the existing rule, Shared Rule 1. The intent of the new rule fully matches the intent of the existing rule. Therefore, you need not add this new rule to the configuration.
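The three outcomes above can be modelled as set comparisons over rule attributes. The following Python code is an added example, not Palo Alto Networks code or the product's algorithm; the attribute names, the same-action requirement, and all sample attribute values are assumptions (only the rule names intent rule 1 and Shared Rule 1 come from the page).

```python
# Simplified model (an assumption, not the product's algorithm): every match
# attribute is a set of literal values and "any" matches everything. Values are
# compared as strings, so subnet containment and rule order are not modelled.
FIELDS = ("from_zone", "to_zone", "source", "destination", "application", "service")

def rule(name, action, **attrs):
    """Build a rule; attributes that are not given default to {"any"}."""
    r = {"name": name, "action": action}
    r.update({f: frozenset(attrs.get(f, ["any"])) for f in FIELDS})
    return r

def covers(existing, new, field):
    """True when `existing` matches every value `new` lists for this field."""
    if "any" in existing[field]:
        return True
    return "any" not in new[field] and new[field] <= existing[field]

def overlaps(existing, new, field):
    """True when the two rules can match at least one common value."""
    both = existing[field] | new[field]
    return "any" in both or bool(existing[field] & new[field])

def intent_satisfaction(new, existing_rules):
    """Return (verdict, name of the existing rule that decided it)."""
    partial = None
    for ex in existing_rules:
        if ex["action"] != new["action"]:
            continue  # assumption: only a rule with the same action can meet the intent
        if all(covers(ex, new, f) for f in FIELDS):
            return ("Intent Fully Met", ex["name"])
        if partial is None and all(overlaps(ex, new, f) for f in FIELDS):
            partial = ex["name"]
    return ("Intent Partially Met", partial) if partial else ("Intent not met", None)

# Constructed sample data; attribute values are not taken from the page.
DEVICE_GROUP = [
    rule("Shared Rule 1", "allow", from_zone=["trust"], to_zone=["untrust"],
         source=["10.1.0.0/24"], application=["ssl", "web-browsing"]),
    rule("Shared Rule 2", "allow", from_zone=["trust"], to_zone=["dmz"],
         destination=["192.0.2.10"], application=["ssh"]),
]
INTENT_1 = rule("intent rule 1", "allow", from_zone=["trust"], to_zone=["untrust"],
                source=["10.1.0.0/24"], application=["ssl", "web-browsing"])
INTENT_2 = rule("intent rule 2", "allow", from_zone=["trust"], to_zone=["dmz"],
                destination=["192.0.2.10", "192.0.2.11"], application=["ssh"])
INTENT_3 = rule("intent rule 3", "allow", from_zone=["guest"], application=["dns"])

if __name__ == "__main__":
    for intent in (INTENT_1, INTENT_2, INTENT_3):
        print(intent["name"], "->", intent_satisfaction(intent, DEVICE_GROUP))
```

In this model, a partially met intent names the existing rule it overlaps, which is the rule to review before deciding whether to widen it or add the new one.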
Security Policy Anomaly Results
Run the Security Policy Anomaly Analysis to check if the existing security policy has Shadows, Redundancies, or any other anomalies. You can view all the anomalies or only the high-priority anomalies.
You can view the following information:
Summary of the analysis for all device groups selected for analysis.
Summary of the analysis for a selected device group. The colors in the chart indicate the different types of anomalies.
Details of all the rules in a device group and their anomalies.
View the attributes for a selected rule and the rules that cover the selected rule.
In this example, DG1_1_rule6 is already covered by DG1_1_rule10, DG1_1_rule10-2, and DG1 Post Rule.
Take action based on the suggested next steps to remove the anomaly.