Security policy optimization

 

This help contains the following topics:

·     Introduction
      ○     About policy optimization
      ○     Operating mechanism
      ○     Optimization methods
      ○     Application scenarios

·     Restrictions and guidelines

·     Perform policy optimization
      ○     Prerequisites
      ○     Automatic batch optimization
      ○     Manual policy optimization

Introduction

About policy optimization

This feature enables the system to discover potential risks in security policies configured with application filtering criteria and enables users to optimize content security settings to lower the risks.

You can use this feature to optimize the existing security policies or to analyze application security risks to provide reference for precise security policy configuration. To analyze application risks for future reference, configure a security policy with loose filtering criteria and then perform policy optimization.

Operating mechanism

Policy optimization operates as follows:

1.     Identifies application information in the permitted traffic.

2.     Compares the configured content security settings with the recommended settings in the application signature database. The database contains information about the recommended content security settings for each application.

3.     Evaluates the security condition of the security policies based on the comparison result.

The feature scores the overall security condition and provides detailed security risk analysis for each security policy configured with application filtering criteria. Table 1 shows the information on the Policy Optimization page.

Table 1 Policy Optimization page information

| Item | Description |
|---|---|
| Overall security score | Score for the overall security condition of all the security policies. A higher score represents a more secure condition. |
| Security policy name | Name of the security policy. |
| Type | Security policy type. Options include IPv4 and IPv6. |
| Security level | Security level, in the range of 1 to 5. A higher value represents higher risks. |
| Total traffic | Total matching traffic for the security policy. |
| Application | Applications identified from the permitted traffic. |
| Traffic | Traffic amount and percentage for each application. |
| Security risks | Security risks of all identified applications. |
| Status | Security policy optimization status. Unsolved: the security policy has not been optimized. Solved: the security policy has been optimized but there still are security risks in the security policy. |

 

Optimization methods

This feature provides the following optimization methods:

·     Automatic batch optimization—Enables the system to optimize content security settings for all the security policies with security risks as recommended in the application signature database.

·     Manual optimization—Enables users to optimize content security settings for a security policy as needed.

Table 2 shows the security risks and the corresponding content security measures.

Table 2 Security risks and the corresponding content security measures

| Security risks | Content security measures |
|---|---|
| Vulnerability | IPS, anti-virus |
| Malware-vehicle | IPS, anti-virus |
| Data-loss | File filtering, data filtering |
| Bandwidth-consuming | URL filtering. You can also specify the maximum bandwidth to lower the risk. For more information, see the online help for bandwidth management. |
| Misoperation | URL filtering |
| Tunneling | IPS |
| Evasive | URL filtering |
| Productivity-loss | URL filtering. You can also specify the maximum bandwidth to lower the risk. For more information, see the online help for bandwidth management. |
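
The comparison step described under Operating mechanism can be reproduced offline as a gap audit that applies the Table 2 mapping to each application's risks. This is an added example, not H3C code and not the device's scoring algorithm; the record layout, the policy and application names, and the "exposed_share" metric are assumptions made for illustration.

```python
# Risk-to-measure mapping taken from Table 2 of this page.
RECOMMENDED = {
    "Vulnerability": {"IPS", "anti-virus"},
    "Malware-vehicle": {"IPS", "anti-virus"},
    "Data-loss": {"file filtering", "data filtering"},
    "Bandwidth-consuming": {"URL filtering"},
    "Misoperation": {"URL filtering"},
    "Tunneling": {"IPS"},
    "Evasive": {"URL filtering"},
    "Productivity-loss": {"URL filtering"},
}

def audit_policy(policy):
    """Return per-application missing measures and the share of traffic they cover."""
    configured = set(policy["content_security"])
    total = sum(app["bytes"] for app in policy["apps"])
    gaps, exposed = {}, 0
    for app in policy["apps"]:
        unknown = [r for r in app["risks"] if r not in RECOMMENDED]
        if unknown:  # fail loudly rather than silently treating a new risk as covered
            raise ValueError(f"unmapped risk(s) for {app['name']}: {unknown}")
        needed = set().union(*(RECOMMENDED[r] for r in app["risks"]))
        missing = needed - configured
        if missing:
            gaps[app["name"]] = sorted(missing)
            exposed += app["bytes"]
    share = exposed / total if total else 0.0
    return {"policy": policy["name"], "gaps": gaps, "exposed_share": round(share, 3)}

def rank(policies):
    """Order audit results so the policy with the most uncovered traffic is first."""
    results = [audit_policy(p) for p in policies]
    return sorted(results, key=lambda r: r["exposed_share"], reverse=True)

# Constructed sample data (hypothetical policies, applications and byte counts).
SAMPLE = [
    {"name": "dmz-web", "content_security": ["IPS", "anti-virus"],
     "apps": [{"name": "app-web", "risks": ["Vulnerability"], "bytes": 500}]},
    {"name": "trust-to-untrust-any", "content_security": ["IPS"],
     "apps": [
         {"name": "app-file-share", "risks": ["Data-loss", "Malware-vehicle"], "bytes": 600},
         {"name": "app-video", "risks": ["Bandwidth-consuming", "Productivity-loss"], "bytes": 300},
         {"name": "app-dns", "risks": [], "bytes": 100}]},
]

if __name__ == "__main__":
    for result in rank(SAMPLE):
        print(result)
```
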

 

Application scenarios

This feature is applicable to the following scenarios:

·     Optimize a less specific security policy (for example, a security policy with a large IP address or service range) when you do not know which applications exist in the network. You can configure a more specific security policy after this feature identifies applications and risks.

·     Optimize a specific security policy.

Restrictions and guidelines

·     This feature analyzes security risks only in packets permitted by security policies.

·     When a large number of security policies exist, policy optimization might consume a lot of CPU resources. Please use this feature when the network is not busy.

·     You cannot add new security policies during automatic batch optimization.

·     Automatic batch optimization stops if a master/backup switchover or memory threshold alert occurs during the optimization process. Policies that have been optimized will not be restored. To restart the optimization, click the Auto batch optimization button after the master/backup switchover finishes or the memory usage drops below the threshold.

Perform policy optimization

Prerequisites

Before you perform policy optimization, make sure statistics collection is enabled and security policies configured with application filtering criteria exist.

Automatic batch optimization

1.     Click Policies > Security Policies > Policy Optimization.

2.     Click Auto batch optimization to start an automatic batch optimization.

Manual policy optimization

1.     Click Policies > Security Policies > Policy Optimization.

2.     Click the button in the Action field for the security policy to be modified.

3.     In the window that opens, change content security settings as needed.

Table 3 Manual policy optimization configuration items

| Item | Description |
|---|---|
| Security policy name | Name of the security policy. |
| Application | Select the applications for which you are to modify the content security settings. |
| Traffic | Traffic amount for each application. |
| Severity level | Risk severity level in the range of 1 to 5. A higher value represents higher risks. |
| Security risks | Security risks of the identified applications. |
| Content security | Select content security measures for the selected applications. By default, the field displays content security settings configured for the security policy. If no content security settings are configured, the field displays the default content security settings. |
| Optimization action | Select whether to generate a new security policy. Generate a new policy: the system retains the existing security policy and generates a new security policy with the configured settings. The new security policy will be placed before the existing policy and have a higher priority in packet matching. Optimize the existing policy: the system modifies the content security settings of the existing policy. |
| Auto optimization | Enables users to optimize the security policy as recommended. |

 

4.     Click OK.

 

 
