08-23-2017 09:10 PM - edited 08-23-2017 09:10 PM
Hello,
Just a quick question. Unsure if this has been asked previously.
When applying a non-reoccuring schedule to a security policy, I have noticed in pan 8.0.x, once the schedule has expired, the policy in the security policy view does not identify it as expired.
I am trying avoid the obvious scenario of temporary policies being applied either due to a fault, project or change scenario. Generally project teams would not advise the security team of their completion and fail to raise requests to remove such scheduled policies.
Was hoping that the webui would identify it somehow similar to when disabling a rule.
Also is there the possibility of adding a row within the security policy view to identify or segregate policies, similar to checkpoints webui? A divider with a description?
Thanks
08-23-2017 11:55 PM
Hi @mtizani,
You are correct.
The rule is still identified as 'Active' ... however it will never match seeing that the configured timeframe has expired.
That said, PAN-OS doesn't have dividers for the security policy. Instead I'd recommend using tags to identify/segregate policies :
Cheers !
-Kiwi.
08-24-2017 04:17 AM - edited 08-24-2017 04:23 AM
Thanks Kiwi.
That is unfortunate and possibly a feature request I can put through somewhere if you can guide me.. In an environment with over 100+sec policies, would be good to clearly identify the expired scheduled rule by displaying the rule as disabled.
You mentioning tags though might have triggered something here. I can possibly create a tag called 'Scheduled', tag relevant rules with expiry information etc in the description field and filter based on this.
Was also wondering in terms of notifications if it was possible to fire an email/snmptrap etc to advise security admins of the expired rule?
08-24-2017 05:48 AM
Hi @mtizani,
For a feature request, you can reach out to your local SE.
He/She should be able to create a new FR for you or add your vote to an already existing one.
I was able to find some existing FRs that could be of interest for you : Related FRs: 4454, 4669, 4670, 5612
4454 : FR for “graying” out a policy after a schedule has expired.
4669 : FR for generating a system log upon rule schedule end.
4670 : FR for a proactive notification of rules within a configurable threshold that are about to expire or reach the end of their schedule.
5612 : FR so that after the expiration date the policy is disabled and removed automatically.
Seeing that there is currently no system log upon expiration I see no way to use snmptrap/email to inform security admins about this.
Cheers !
-Kiwi.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
