
Policy Analysis

Last updated: 2026-05-28 15:47:48

Feature Introduction

The Policy Analysis feature performs in-depth analysis on the CFW - Enterprise Security Group and its internal Security Group rules across multiple accounts. By displaying key information such as risk categories, risk levels, and rule classifications, this feature helps administrators accurately identify potential issues like rule redundancy, policy conflicts, and invalid configurations.
Based on the analysis results, the system provides corresponding optimization suggestions to help users refine their security policies, thereby enhancing the product's protection efficiency and resource utilization.

Operation Steps

Initiate Health Check

1. Log in to the FWM console. In the left-side navigation pane, select Policy Analysis and then click Start Analysis.

2. Select the Health Check Product and Health Check Account to be inspected, and then click Start Analysis.

3. After the health check starts, the page shows an "Examining" loading status. Wait for the analysis to complete.

4. You can click to view the Health Check History. The historical records are sorted in reverse chronological order by checkup time.


View Health Check Result

1. After the checkup is completed, you can go to the detail page of the corresponding granularity via the following entries:
Entry: The View Details link in a row of the TOP 3 Accounts for Rectification list
  Granularity: Account level
  Content displayed after entry: Summary of health check results for all products under the account

Entry: The View Details link at the top-right corner of the account group card
  Granularity: Account level
  Content displayed after entry: Summary of health check results for all products under the account

Entry: The View Details link in the operation column of a product row within the account group card
  Granularity: Account level and Product level
  Content displayed after entry: Details of all risk rules hit under the account and product

2. The content of the detail page is as follows:
Checkup Overview: Displays the overall risk profile of all inspected products (Enterprise Security Group + Security Group) under this account.
The Checkup Overview displays key results such as the Health Check Policy Total Count, Risk Policy Count, Policy Pending Rectification, and Risk Rectification Rate.
Risk Rectification Rate = (Disposed Policies + Ignored Policies) / Risk Policy Count.

Checkup Details List:
The list is intelligently sorted by default based on risk severity and remediation status to ensure that risky policies pending remediation are displayed first. The specific sorting priority is: High-Risk Pending Rectification > Medium-Risk Pending Rectification > Low-Risk Pending Rectification > High-Risk No Pending Rectification > Medium-Risk No Pending Rectification > Low-Risk No Pending Rectification > High-Risk No Risk > Medium-Risk No Risk > Low-Risk No Risk.
The fields displayed in the list include: Risk Category, Risk Subcategory, Risk Level, at risk, Risk Rule Count, Rules to Rectify, Rectification Rate, Handled Rule Count, Ignored Number of Rules and Rectification Status. It also supports filtering and sorting for some fields.
Rectification Rate = (Disposed + Ignored) / Number of Risky Policies. When the remediation rate reaches 100%, the remediation status is displayed as "Rectified". When it is less than 100%, the status is displayed as "Rectify". For entries not involving any risk, the status is displayed as "-".
For details about the checkup risk items, see the Policy Analysis Health Check Item Description.


Managing Risk Policies

For identified risky policies, click Rectify to go to the details page for risk items pending remediation and manage the policies. You can re-verify and then remediate, ignore, or provide false positive feedback.

Review and Dispose
Because security group rules do not have a unique ID, specific rules in historical snapshots cannot be directly located. Therefore, the system performs a real-time detection again before each remediation to ensure operational accuracy.
1.1 After Review and Dispose is clicked, the system displays a pop-up window and immediately performs a real-time analysis.
If no risk is detected after the real-time analysis, the message "Disposal completed" is displayed, and the process ends.
If risky policies are detected after the real-time analysis, the latest list of risk rules is displayed. (This list may differ from the historical snapshot in the checkup details, which is a normal occurrence.)
1.2 You can directly edit or delete risk rules in the list.
1.3 Remediation Loop: Each time you complete the re-verification and remediation of a risk, the system triggers another real-time detection. If risks persist, they continue to be displayed for you to remediate until all risks are eliminated, at which point the system displays the message "Remediation completed".
1.4 After remediation is completed, the "Review and Dispose" option for that entry becomes non-clickable.
Ignore
For risks that are confirmed as false positives or require no remediation, you can click Ignore. After the risk is ignored, it will still appear in subsequent detections but will be marked as "Ignored".
You can unignore an item after ignoring it.
Report False Alarm: If you believe a risk policy is a false positive, you can click Report False Alarm and enter your custom description (within 3000 characters). Your feedback will be used to continuously optimize the built-in risk detection logic.

Appendix

Policy Analysis Health Check Item Description

Each item below gives the Risk Category and Risk Subcategory with the Risk Level in parentheses, followed by the Risk Description and the Remediation Recommendation.

Blacklist/Allowlist conflict rules > Fully conflicting rules (High)
  Description: A complete match of the five-tuple between the allowlist and blocklist is detected.
  Recommendation: Based on actual business requirements, retain only one rule and delete the other conflicting rules.

Security baseline deviation rules > Inbound full-allow rule (High)
  Description: An inbound full-allow rule is detected, and its scope is too broad.
  Recommendation: Adjust the rule based on actual business requirements and narrow its coverage to improve rule precision.

Duplicate and redundant rules > Fully duplicate rules (Low)
  Description: A complete match between the rule's five-tuple and its matching action is detected.
  Recommendation: Retain only one rule and delete the other redundant rules.

Duplicate and redundant rules > Mergeable rules (Low)
  Description: A rule is detected where the IP/CIDR is the same and the ports are consecutive, or where the IP/CIDR is the same but the ports are different.
  Recommendation: Merge multiple rules into a single rule.

High-risk allow rule > High-risk threat intelligence allow rule (High)
  Description: The source IP address, destination IP address, or domain name in the allow rule is detected to have matched threat intelligence.
  Recommendation: Modify the rule content to avoid external attacks.

High-risk allow rule > FTP high-risk port allow rule (High)
  Description: The destination port of the allow rule is detected to be port 20/21, which is a high-risk port.
  Recommendation: Adjust the port range to avoid data leakage or external attack risks caused by port exposure.

High-risk allow rule > DNS high-risk port allow rule (High)
  Description: The destination port of the allow rule is detected to be port 53, which is a high-risk port.
  Recommendation: Adjust the port range to avoid data leakage or external attack risks caused by port exposure.

High-risk allow rule > Elasticsearch high-risk port allow rule (High)
  Description: The destination port of the allow rule is detected to be port 9200/9300, which is a high-risk port.
  Recommendation: Adjust the port range to avoid data leakage or external attack risks caused by port exposure.

High-risk allow rule > Hadoop high-risk port allow rule (High)
  Description: The destination port of the allow rule is detected to be port 50070/8088, which is a high-risk port.
  Recommendation: Adjust the port range to avoid data leakage or external attack risks caused by port exposure.

High-risk allow rule > Kafka high-risk port allow rule (High)
  Description: The destination port of the allow rule is detected to be port 9092, which is a high-risk port.
  Recommendation: Adjust the port range to avoid data leakage or external attack risks caused by port exposure.

High-risk allow rule > Memcached high-risk port allow rule (High)
  Description: The destination port of the allow rule is detected to be port 11211, which is a high-risk port.
  Recommendation: Adjust the port range to avoid data leakage or external attack risks caused by port exposure.

High-risk allow rule > MongoDB high-risk port allow rule (High)
  Description: The destination port of the allow rule is detected to be port 27017/27018, which is a high-risk port.
  Recommendation: Adjust the port range to avoid data leakage or external attack risks caused by port exposure.

High-risk allow rule > MySQL high-risk port allow rule (High)
  Description: The destination port of the allow rule is detected to be port 3306, which is a high-risk port.
  Recommendation: Adjust the port range to avoid data leakage or external attack risks caused by port exposure.

High-risk allow rule > PostgreSQL high-risk port allow rule (High)
  Description: The destination port of the allow rule is detected to be port 5432, which is a high-risk port.
  Recommendation: Adjust the port range to avoid data leakage or external attack risks caused by port exposure.

High-risk allow rule > RDP high-risk port allow rule (High)
  Description: The destination port of the allow rule is detected to be port 3389, which is a high-risk port.
  Recommendation: Adjust the port range to avoid data leakage or external attack risks caused by port exposure.

High-risk allow rule > Redis high-risk port allow rule (High)
  Description: The destination port of the allow rule is detected to be port 6379, which is a high-risk port.
  Recommendation: Adjust the port range to avoid data leakage or external attack risks caused by port exposure.

High-risk allow rule > SMTP high-risk port allow rule (High)
  Description: The destination port of the allow rule is detected to be port 25, which is a high-risk port.
  Recommendation: Adjust the port range to avoid data leakage or external attack risks caused by port exposure.

High-risk allow rule > SSH high-risk port allow rule (High)
  Description: The destination port of the allow rule is detected to be port 22, which is a high-risk port.
  Recommendation: Adjust the port range to avoid data leakage or external attack risks caused by port exposure.

High-risk allow rule > Telnet high-risk port allow rule (High)
  Description: The destination port of the allow rule is detected to be port 23, which is a high-risk port.
  Recommendation: Adjust the port range to avoid data leakage or external attack risks caused by port exposure.

High-risk allow rule > VNC high-risk port allow rule (High)
  Description: The destination port of the allow rule is detected to be port 5900-5902, which is a high-risk port.
  Recommendation: Adjust the port range to avoid data leakage or external attack risks caused by port exposure.

High-risk allow rule > Zookeeper high-risk port allow rule (High)
  Description: The destination port of the allow rule is detected to be port 2181/3888, which is a high-risk port.
  Recommendation: Adjust the port range to avoid data leakage or external attack risks caused by port exposure.

Invalid rules > Invalid rules (High)
  Description: It is detected that the templates associated with the rule, such as asset instances, address templates, or resource tags, have been partially deleted.
  Recommendation: Delete the invalid rule directly.

Invalid rules > Rules overridden by higher-priority rules (Low)
  Description: It is detected that the rule has been overridden by a rule with higher priority.
  Recommendation: Delete the invalid rule that has been overridden.

Invalid rules > Source and destination identical rules (Low)
  Description: It is detected that the source IP address and destination IP address of the rule are identical.
  Recommendation: Delete the invalid rule directly.
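The following Python script is an added example, not code from Tencent Cloud or the Policy Analysis feature itself. It implements, over a constructed list of security group rules, a subset of the health check items above (fully conflicting rules, fully duplicate rules, mergeable rules with consecutive ports, the inbound full-allow rule, the high-risk port allow rules from the table, and source/destination identical rules), sorts the findings by the page's severity ordering, and then runs the "Review and Dispose" style loop from the Managing Risk Policies section: re-detect before every disposal and stop only when the real-time detection returns no risk. The `Rule` model, the numeric `priority` convention, the `sample_rules()` data and the delete-based `remediate()` stand-in for the manual edit/delete step are all assumptions made for the example; checks that need platform data (threat intelligence, deleted templates, override by higher-priority rules) are not modelled.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Tuple

# Destination ports the health-check table flags as high-risk for allow rules.
HIGH_RISK_PORTS = {
    "FTP": (20, 21), "DNS": (53,), "Elasticsearch": (9200, 9300),
    "Hadoop": (50070, 8088), "Kafka": (9092,), "Memcached": (11211,),
    "MongoDB": (27017, 27018), "MySQL": (3306,), "PostgreSQL": (5432,),
    "RDP": (3389,), "Redis": (6379,), "SMTP": (25,), "SSH": (22,),
    "Telnet": (23,), "VNC": (5900, 5901, 5902), "Zookeeper": (2181, 3888),
}
ALL_PORTS = (0, 65535)
LEVEL_ORDER = {"High": 0, "Medium": 1, "Low": 2}  # severity ordering used by the checkup list


@dataclass(frozen=True)
class Rule:
    direction: str          # "inbound" or "outbound"
    protocol: str           # "tcp", "udp" or "all"
    src: str                # source CIDR
    dst: str                # destination CIDR
    ports: Tuple[int, int]  # inclusive destination port range; ALL_PORTS means any port
    action: str             # "allow" or "deny"
    priority: int           # assumption for this example: lower number is evaluated first

    def five_tuple(self):
        return (self.direction, self.protocol, self.src, self.dst, self.ports)


@dataclass(frozen=True)
class Finding:
    category: str
    subcategory: str
    level: str
    rules: Tuple[Rule, ...]  # the rules involved in this finding


def analyze(rules: List[Rule]) -> List[Finding]:
    """One detection pass; it is re-run from scratch on every call, like the real-time check."""
    findings = []
    by_tuple = defaultdict(list)
    for r in rules:
        by_tuple[r.five_tuple()].append(r)
    for group in by_tuple.values():
        allows = tuple(r for r in group if r.action == "allow")
        denies = tuple(r for r in group if r.action == "deny")
        if allows and denies:  # identical five-tuple, opposite actions
            findings.append(Finding("Blacklist/Allowlist conflict rules",
                                    "Fully conflicting rules", "High", tuple(group)))
        for same in (allows, denies):  # identical five-tuple and identical action
            if len(same) > 1:
                findings.append(Finding("Duplicate and redundant rules",
                                        "Fully duplicate rules", "Low", same))
    # Mergeable (consecutive-ports case only): same endpoints and action, adjacent port ranges.
    by_endpoint = defaultdict(list)
    for r in rules:
        by_endpoint[(r.direction, r.protocol, r.src, r.dst, r.action)].append(r)
    for group in by_endpoint.values():
        ranges = sorted({r.ports for r in group})
        for a, b in zip(ranges, ranges[1:]):
            if a[1] + 1 >= b[0]:  # adjacent or overlapping ranges can become one rule
                involved = tuple(r for r in group if r.ports in (a, b))
                findings.append(Finding("Duplicate and redundant rules",
                                        "Mergeable rules", "Low", involved))
    for r in rules:
        if r.src == r.dst:
            findings.append(Finding("Invalid rules",
                                    "Source and destination identical rules", "Low", (r,)))
        if r.action != "allow":
            continue
        if (r.direction == "inbound" and r.src == "0.0.0.0/0"
                and r.protocol == "all" and r.ports == ALL_PORTS):
            findings.append(Finding("Security baseline deviation rules",
                                    "Inbound full-allow rule", "High", (r,)))
        if r.ports != ALL_PORTS:  # assumption: an any-port rule is reported once above, not per service
            for service, ports in HIGH_RISK_PORTS.items():
                if any(r.ports[0] <= p <= r.ports[1] for p in ports):
                    findings.append(Finding("High-risk allow rule",
                                            f"{service} high-risk port allow rule", "High", (r,)))
    # Pending findings first by severity, then grouped by category/subcategory.
    findings.sort(key=lambda f: (LEVEL_ORDER[f.level], f.category, f.subcategory))
    return findings


def remediate(rules: List[Rule], max_rounds: int = 100):
    """Remediation loop: re-detect before each disposal, stop when no risk remains."""
    rules = list(rules)
    rounds = 0
    while rounds < max_rounds:
        findings = analyze(rules)  # fresh detection, not the historical snapshot
        if not findings:
            return rules, rounds
        # Constructed stand-in for the manual edit/delete step: remove the lowest-priority
        # rule involved in the top-ranked finding (a real fix would merge or narrow it).
        victim = max(findings[0].rules, key=lambda r: r.priority)
        rules.remove(victim)
        rounds += 1
    raise RuntimeError("remediation did not converge")


def sample_rules() -> List[Rule]:
    """Constructed sample security group; not taken from any real account."""
    return [
        Rule("inbound", "tcp", "0.0.0.0/0", "10.0.0.0/24", (22, 22), "allow", 1),      # SSH high-risk port
        Rule("inbound", "tcp", "0.0.0.0/0", "10.0.0.0/24", (22, 22), "deny", 2),       # conflicts with rule 1
        Rule("inbound", "tcp", "10.1.0.0/16", "10.0.0.0/24", (8080, 8080), "allow", 3),
        Rule("inbound", "tcp", "10.1.0.0/16", "10.0.0.0/24", (8080, 8080), "allow", 4),  # duplicate of rule 3
        Rule("inbound", "tcp", "10.1.0.0/16", "10.0.0.0/24", (8081, 8081), "allow", 5),  # mergeable with 8080
        Rule("inbound", "all", "0.0.0.0/0", "10.0.0.0/24", ALL_PORTS, "allow", 6),     # inbound full-allow
        Rule("outbound", "tcp", "10.0.0.5/32", "10.0.0.5/32", (443, 443), "allow", 7),  # src == dst
    ]


if __name__ == "__main__":
    for f in analyze(sample_rules()):
        print(f.level, "|", f.category, "|", f.subcategory, "| rules", [r.priority for r in f.rules])
    left, rounds = remediate(sample_rules())
    print(f"remediation converged after {rounds} rounds; {len(left)} rule(s) remain")
```

On the sample set the first pass reports six findings, the three High ones (conflict, SSH port, inbound full-allow) ahead of the three Low ones, and the loop needs six disposal rounds before a detection pass comes back clean, leaving only the single 8080 allow rule.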