Question

Real-Time Protection Policy Review

  • November 1, 2024
  • 6 replies
  • 177 views

Our organization must review our policies to determine if the existing policies are still valid and need to be retained.  

The problem we are having is that “allow” rules do not appear to log anywhere.  Short of turning all “allow” rules into “alert” rules, does anyone have a way to validate whether a web access rule is actually being used and needs to be retained?


notskope
  • New Member III
  • November 1, 2024

Not that I know of, maybe if you enable webTX and send all transactions to a SIEM you might be able to. Though it’s probably simpler just to set the rules you need to audit to “alert” for a period of time you want to audit.


  • Author
  • New Member
  • November 8, 2024

Support was able to create a report in Advanced Analytics that they are telling me will show the Allow policies that are being hit with traffic.


Kruger
  • New Member III
  • December 19, 2024

Would be interested in seeing how that report was set up, as this is a good activity to keep rules cleaned up.


  • Author
  • New Member
  • December 20, 2024

I think these can be exported and shared.  Would you like a copy?


Kruger
  • New Member III
  • December 23, 2024

Hi, sure. If you don't mind, that would be great. Thank you.


  • Netskope Employee
  • December 23, 2024

Allow actions are logged in Application Events vs Blocks/Alerts which are logged in both Application Events and Alerts.  So you can get a dashboard created with the following fields:

Policy Name
Action
#Events 

This would give something similar to:
 

 

There are also measures for Maximum (newest) and Minimum (oldest) Event Date that you can use to see the last time the policy was hit in the specified time filter:
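
The same Policy Name / Action / #Events view with oldest and newest event dates can be computed offline from exported events. This is an added example, not part of the thread or the vendor's code; the record keys (`policy`, `action`, `time`), the policy names and the 90-day threshold are assumptions, and the sample rows are constructed.

```python
from datetime import datetime, timezone

# Constructed sample rows standing in for an Application Events export.
# The keys "policy", "action" and "time" are assumed names, not a product schema.
SAMPLE_EVENTS = [
    {"policy": "Allow-Corp-SaaS", "action": "allow", "time": "2024-12-01T08:30:00+00:00"},
    {"policy": "Allow-Corp-SaaS", "action": "Allow", "time": "2024-12-20T10:00:00+00:00"},
    {"policy": "Allow-Legacy-FTP", "action": "allow", "time": "2024-06-01T09:00:00+00:00"},
    {"policy": "Block-Gambling", "action": "block", "time": "2024-12-22T14:15:00+00:00"},
]
# Constructed inventory of configured policy names under review.
CONFIGURED = ["Allow-Corp-SaaS", "Allow-Legacy-FTP", "Allow-Old-Vendor", "Block-Gambling"]

def summarize(events):
    """Group by (policy, action): event count plus oldest and newest event time."""
    stats = {}
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        key = (ev["policy"], ev["action"].lower())
        row = stats.setdefault(key, {"events": 0, "oldest": ts, "newest": ts})
        row["events"] += 1
        row["oldest"] = min(row["oldest"], ts)
        row["newest"] = max(row["newest"], ts)
    return stats

def review(events, configured, now, stale_days=90):
    """Label each configured policy: active, stale, or no hits in the export."""
    last_hit = {}
    for (policy, _action), row in summarize(events).items():
        last_hit[policy] = max(last_hit.get(policy, row["newest"]), row["newest"])
    verdicts = {}
    for policy in configured:
        if policy not in last_hit:
            verdicts[policy] = "no hits"
        elif (now - last_hit[policy]).days > stale_days:
            verdicts[policy] = "stale"
        else:
            verdicts[policy] = "active"
    return verdicts

if __name__ == "__main__":
    now = datetime(2024, 12, 23, tzinfo=timezone.utc)
    for (policy, action), row in sorted(summarize(SAMPLE_EVENTS).items()):
        print(policy, action, row["events"], row["oldest"].date(), row["newest"].date())
    for policy, verdict in review(SAMPLE_EVENTS, CONFIGURED, now).items():
        print(policy, "->", verdict)
```

A "no hits" verdict only covers the time range of the export, so the export window should be at least as long as the retention decision being made.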