When an enterprise's access control policies grow to hundreds or thousands and become more complex, security administrators face significant management and troubleshooting challenges. Cloud Firewall provides an automated policy analysis feature that helps you analyze your access control policies efficiently. This topic describes how to perform policy analysis.
Benefits
- Identifies inactive, redundant, duplicate, or dispersed policies, which reduces quota consumption, lowers costs, and improves policy stability.
- Detects policies that expose high-risk ports and default policies that do not deny all traffic, so that you can refine your access control policies and reduce security risks.
Policy analysis helps you check the effectiveness of your current policies by identifying issues such as:
- Policies with no traffic hits
- Invalid policies whose source and destination are identical
- Duplicate or redundant policies
- Policies that conflict with business requirements
- A default catch-all policy that does not deny all traffic
- Risky policies that allow traffic on high-risk ports
- Overly permissive policies
Policy analysis quota
Quotas in different editions
Policy analysis in Cloud Firewall is free of charge. The default quota varies by edition:
- Pay-As-You-Go: 2,000. This is the total analysis quota for access control policies across the Internet boundary, VPC boundary, NAT boundary, and address book.
- Premium Edition: 3,000. This is the total analysis quota for access control policies across the Internet boundary, NAT boundary, and address book.
- Enterprise Edition: 5,000. This is the total analysis quota for access control policies across the Internet boundary, VPC boundary, NAT boundary, and address book.
- Ultimate Edition: 10,000. This is the total analysis quota for access control policies across the Internet boundary, VPC boundary, NAT boundary, and address book.
Quota calculation
Consumed quota = (Number of access control policies + Number of address books) × Number of check items.
The Duplicate, Overlap, or Disperse IP Address Book check item does not support ECS tag-based address books, so they are not counted toward its quota.
For example, if you have 10 IP-based address books and 5 ECS tag-based address books and run the Duplicate, Overlap, or Disperse IP Address Book check once, the consumed quota is 10 × 1 = 10.
Quota usage
Cloud Firewall provides quota usage statistics for policy analysis, which helps you monitor consumption for your current edition.
On the Policy Analysis page, you can view the total number of checked policies, remaining quota, number of unhandled risks, and the distribution of unhandled risk types across different boundaries. This information helps you accurately identify policy risks and correct them.
Unhandled risks are grouped by four boundary types: Internet boundary, NAT boundary, VPC boundary, and address book.
Policy checks
You can use Cloud Firewall to check access control policies for the Internet boundary, NAT boundary, VPC boundary, and address book.
- Log in to the Cloud Firewall console.
- In the left-side navigation pane, choose .
- On the Policy Analysis page, locate the check item that you need and click Check in the Actions column.
  At the top of the page, you can switch between the Internet boundary, NAT boundary, VPC boundary, and address book tabs to view the check results for the corresponding boundary.
- In the confirmation message, click OK.
  After the check is complete, the results are displayed on the Check Item Details page.
Handling check results
After checking your access control policies, you need to correct any non-compliant policies based on the check results.
- Locate a completed check item and click Details in the Actions column.
- On the Check Item Details page, view the details of the non-compliant policies.
  The top of the page displays information about the check item, including its name (for example, Policies that are overly permissive), risk level, description (for example, whether the source, destination, or port is set to "Any"), optimization suggestions, last check time, and boundary type. The Non-compliant Policy Details table below lists the affected policies. In this table, the Actions column provides the Ignore and Handle options.
- Based on your business requirements, determine whether each policy is appropriate and take the corresponding action:
  - If the policy is compliant with your requirements, click Ignore. The policy is then excluded from future checks.
  - If the policy is not compliant, modify it based on the optimization suggestions, and then click Handle to mark it as processed.
Related documents
- To configure or view access control policies for the Internet boundary, see Configure access control policies for the Internet boundary.
- To configure or view access control policies for the NAT boundary, see Configure access control policies for the NAT boundary.
- To configure or view access control policies for the VPC boundary, see Configure access control policies for the VPC boundary.
- To configure or view address books, see Address books.