Device Rules Charts

SUMMARY You can use the Device Rules chart to view firewall rules and the event count of firewall rules that are triggered in your network.

Device Rule reports are used to create a report for the following firewall rules:

  • Most active accept device rules
  • Most active deny device rules
  • Least active accept device rules
  • Least active deny device rules
  • Unused device rules
  • Shadowed device rules

The reports that you generate give you a better understanding of which rules are accepted, denied, unused, or untriggered across a single device, a specific adapter, or multiple devices. Reports allow JSA Risk Manager to automate reporting about the status of your device rules and display the reports on the JSA Console.

This functionality helps you identify how rules are used on your network devices.

To create a Device Rules Chart container, configure values for the following parameters:

Table 1: Device Rules Chart Parameters
Parameter Description
Container Details - Device Rules
Limit Rules to Top

From the list, select the number of rules to be displayed in the generated report.

For example, if you limit your report to the top 10 rules and then create a report for the most used accept rules across all devices, the report returns 10 results. The results contain a list of the 10 most used accept-type rules based on the event count across all devices that are visible to JSA Risk Manager.

Type

Select the type of device rules to display in the report. The following display options can be selected:

Most Used Accept Rules - Displays the most used accept rules by event count for a single device or a group of devices. This report lists the rules with the highest accept event counts, in descending order, for the timeframe you specified in the report.

Most Used Deny Rules - Displays the most used deny rules by event count for a single device or a group of devices. This report lists the rules with the highest deny event counts, in descending order, for the timeframe you specified in the report.

Unused Rules - Displays any rules for a single device or a group of devices that are unused. Unused rules have zero event counts for the timeframe you specified for the report.

Least Used Accept Rules - Displays the least used accept rules for a single device or a group of devices. This report lists rules with the lowest accept event counts, in ascending order, for the timeframe you specified in the report.

Least Used Deny Rules - Displays the least used deny rules for a single device or a group of devices. This report lists rules with the lowest denied event counts, in ascending order, for the timeframe you specified in the report.

Shadowed Rules - Displays any rules for a single device that can never trigger because the rule is blocked by a preceding rule. The results display a table of the rule that is creating the shadow. The rules can never trigger on your device because they are shadowed by a preceding rule on the device.

Important: Shadowed rule reports can be run only against a single device. These rules have zero event counts for the timeframe you specified for the report and are identified with an icon in the Status column.

Date/Time Range

Select the timeframe for your report. The options include:

Current Configuration - The results of the Device Rules report are based on the rules that exist in the current device configuration. This report displays rules and event counts for the existing device configuration.

The current configuration for a device is based on the last time Configuration Source Management backed up your network device.

Interval - The results of the Device Rules report are based on the rules that existed during the timeframe of the interval. This report displays rules and event counts for the specified interval from the last hour to 30 days.

Specific Range - The results of the Device Rules report are based on the rules that existed between the start time and end time of the time range. This report displays rules and event counts for the specified timeframe.

Timezone

Select the timezone that you want to use as a basis for your report. The default timezone is based on the configuration of your JSA Console.

When you configure the Timezone parameter for your report, consider the location of the devices that are associated with the reported data. If the report uses data that spans multiple time zones, the data that is used for the report is based on the specific time range of the time zone.

For example, you can configure your JSA Console for Eastern Standard Time (EST) and schedule a daily report between 1pm and 3pm. Then, if you set the timezone as Central Standard Time (CST), the results in the report contain information from between 2pm and 4pm EST.

Targeted Data Selection

Targeted Data Selection is used to filter the Date/Time Range to a specific value. Using the Targeted Data Selection options, you can create a report to view your device rules from a defined time span. You also can include data only from the selected hours and days.

For example, you can schedule a report to run from October 1 to October 31. From there, you can view your most active, least active, or unused rules and their rule counts that occur during your business hours, such as Monday to Friday, 8 AM to 9 PM.

Important: The filter details display only when you select the Targeted Data Selection checkbox in the Report Wizard.

Format

Select the format for your device rules report. The options include:

One aggregate report for specified devices - This report format aggregates the report data across multiple devices.

For example, you can create a report to display the top 10 most denied rules. An aggregate report displays the top 10 most denied rules across all of the devices that you selected for the report. This report returns 10 results in total for the report.

One report per device - This report format displays the report data for one device.

For example, you can create a report to display the top 10 most denied rules. A per-device report displays the top 10 most denied rules for each device that you selected for the report. This report returns the top 10 results for every device that is selected for the report. If you selected five devices, the report returns 50 results.

Important: Shadowed rule reports are only capable of displaying one report per device.

Devices

Select the devices included in the report. The options include:

All Devices - Select this option to include all devices in JSA Risk Manager in your report.

Adapter - From the list, select an adapter type to include in your report. Only one adapter type can be selected from the list for a report.

Specific Devices - Select this option to include only specific devices in your report. You can select and add devices to your report on the Device Selection window.

To add individual devices to your report:

  1. Click Browse to display the Device Selection window.
  2. Select any devices and click Add Selected.

To add all devices to your report:

  1. Click Browse to display the Device Selection window.
  2. Click Add All.

To search for devices to include in your report:

  1. Click Browse to display the Device Selection window.
  2. Click Search.
  3. Select the search options to filter the full device list by configuration obtained, IP or CIDR address, hostname, type, adapter, vendor, or model.
  4. Click Search.
  5. Select any devices and click Add Selected.
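
The report types and formats described above can be reproduced by hand when you want to sanity-check a generated report. The following Python sketch is an added example, not JSA Risk Manager code: the `Rule` model, the device and rule names, and the event counts are constructed, and shadow detection is simplified to the case where a single earlier rule fully covers a later one.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

@dataclass
class Rule:
    device: str
    name: str
    action: str            # "accept" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    port: Optional[int]    # None matches any port
    events: int            # event count within the report timeframe

def covers(a, b):
    """True when every packet that matches b also matches a."""
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and (a.port is None or a.port == b.port))

def shadowed(rules):
    """(rule, shadowing rule) pairs for ONE device, rules in evaluation order."""
    pairs = []
    for i, rule in enumerate(rules):
        blocker = next((e for e in rules[:i] if covers(e, rule)), None)
        if blocker is not None:
            pairs.append((rule.name, blocker.name))
    return pairs

def unused(rules):
    """Rules with zero event counts in the timeframe."""
    return [(r.device, r.name) for r in rules if r.events == 0]

def ranked(rules, action, top, least=False, per_device=False):
    """Most/least used rules; assumption: zero-count rules belong to unused()."""
    groups = {}
    for r in rules:
        if r.action == action and r.events > 0:
            groups.setdefault(r.device if per_device else "all", []).append(r)
    return {dev: [(r.device, r.name, r.events) for r in
                  sorted(rs, key=lambda r: r.events, reverse=not least)[:top]]
            for dev, rs in groups.items()}

# Constructed sample data: two hypothetical devices, rules in evaluation order.
FW1 = [Rule("fw1", "allow-web", "accept", "0.0.0.0/0", "10.0.1.0/24", 443, 9200),
       Rule("fw1", "deny-lab", "deny", "10.9.0.0/16", "10.0.0.0/8", None, 310),
       Rule("fw1", "allow-lab-db", "accept", "10.9.5.0/24", "10.0.2.0/24", 5432, 0),
       Rule("fw1", "allow-ssh-mgmt", "accept", "192.168.50.0/24", "10.0.0.0/8", 22, 12),
       Rule("fw1", "allow-legacy-ftp", "accept", "0.0.0.0/0", "10.0.3.0/24", 21, 0)]
FW2 = [Rule("fw2", "allow-dns", "accept", "10.0.0.0/8", "10.0.0.53/32", 53, 40000),
       Rule("fw2", "deny-all", "deny", "0.0.0.0/0", "0.0.0.0/0", None, 880)]
```

In this sample, `allow-lab-db` appears in both the unused and shadowed results, while `allow-legacy-ftp` is unused without being shadowed, which is the distinction that decides whether a rule is unreachable or simply saw no matching traffic in the timeframe.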