The Security policy rule Pre-Change analysis performs the new intent satisfaction analysis:
New Intent Satisfaction Analysis: Checks whether the intent of a new Security policy rule is already covered by an existing rule.
Before you begin:
Go to Manage > Security Posture > Policy Analyzer > Pre-change Policy Analysis.
At the top of the Policy Analyzer page, select Cloud Manager for Strata
Cloud Manager managed deployments or select a Panorama instance for Panorama
managed deployments containing the policy rules that you need to
analyze.
Start a Security Policy Analysis.
Perform the following steps to start a new analysis:
Enter Analysis Name and Analysis Description.
On a Panorama appliance, device groups are hierarchical. You can create four levels of
device groups, and you assign NGFWs to the device group at the lowest level of the
hierarchy. A policy that you create at a higher level is inherited by all the device
groups under it. You can run the analysis for up to 10 device groups that have NGFWs
directly assigned to them, which lets you analyze all the policy rules that are pushed
to that set of directly assigned NGFWs.
For Strata Cloud Manager managed deployments, folders are hierarchical. The leaf folder, or the
final folder containing the devices, is shown.
Select an existing Security policy set to analyze.
Specify the type of analysis by selecting one or more analysis types:
New Intent Satisfaction Analysis
Add New Security Rule Intent for analysis.
Specify information about the new security rule, and AIOps for NGFW can check if existing rules cover the intent.
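To show what "covered by an existing rule" means in a first-match rulebase, here is an added example. It is not Palo Alto Networks code and does not describe how AIOps for NGFW implements the analysis. The `Rule` fields, the verdict names, and the sample rulebase are assumptions made for illustration, and the model is limited to zones, IPv4 addresses, applications, and action.

```python
from dataclasses import dataclass
from ipaddress import ip_network
ANY = frozenset({"any"})

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: frozenset
    dst_zone: frozenset
    src: tuple   # IPv4 CIDR strings
    dst: tuple
    app: frozenset
    action: str  # "allow" or "deny"

def _set_rel(new, old):
    # How an existing rule's zone/app set relates to the intent's set.
    if old == ANY or (new != ANY and new <= old):
        return "covers"
    return "overlaps" if new == ANY or new & old else "disjoint"

def _net_rel(new, old):
    new_n, old_n = [ip_network(c) for c in new], [ip_network(c) for c in old]
    # Conservative: each intent network must sit inside one existing network.
    if all(any(n.subnet_of(o) for o in old_n) for n in new_n):
        return "covers"
    hit = any(n.overlaps(o) for n in new_n for o in old_n)
    return "overlaps" if hit else "disjoint"

def analyze(intent, rulebase):
    """First-match walk; same-action partial overlaps are skipped. Returns (verdict, rule)."""
    for r in rulebase:
        rels = {_set_rel(intent.src_zone, r.src_zone), _set_rel(intent.dst_zone, r.dst_zone),
                _net_rel(intent.src, r.src), _net_rel(intent.dst, r.dst),
                _set_rel(intent.app, r.app)}
        if "disjoint" in rels:
            continue  # rule can never match the intent's traffic
        if r.action != intent.action:  # an earlier rule decides some or all of it
            return ("conflict" if rels == {"covers"} else "partial_conflict"), r.name
        if rels == {"covers"}:
            return "satisfied", r.name
    return "not_covered", None

# Constructed sample rulebase (not from any real deployment).
T, U, ALL = frozenset({"trust"}), frozenset({"untrust"}), ("0.0.0.0/0",)
RULEBASE = [
    Rule("block-telnet", T, U, ALL, ALL, frozenset({"telnet"}), "deny"),
    Rule("allow-web", T, U, ("10.0.0.0/8",), ALL, frozenset({"web-browsing", "ssl"}), "allow"),
]
def new_intent(src, apps):
    return Rule("new-intent", T, U, (src,), ALL, frozenset(apps), "allow")
```

A verdict of `satisfied` means the proposed rule would be redundant, while `conflict` or `partial_conflict` means an earlier rule with a different action already decides some of the intended traffic, so rule placement matters.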