skyboxdownloads.skyboxsecurity.com/files/installers/skybox... · 2019-06-23 · a reporting engine...

Skybox Release Notes 10.0.200 Revision: 16

Post on 28-Jun-2020


Skybox

Release Notes

10.0.200

Revision: 16


Proprietary and Confidential to Skybox Security. © 2019 Skybox Security, Inc. All rights reserved.

Due to continued product development, the information contained in this document may change without notice. The information and intellectual property contained herein are confidential and remain the exclusive intellectual property of Skybox Security. If you find any problems in the documentation, please report them to us in writing. Skybox Security does not warrant that this document is error-free.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means—electronic, mechanical, photocopying, recording, or otherwise—without the prior written permission of Skybox Security.

Skybox®, Skybox® Security, Skybox Firewall Assurance, Skybox Network Assurance, Skybox Vulnerability Control, Skybox Threat Manager, Skybox Change Manager, Skybox Appliance 5500/6000/7000/8000/8050, and the Skybox Security logo are either registered trademarks or trademarks of Skybox Security, Inc., in the United States and/or other countries. All other trademarks are the property of their respective owners.

Contact information

Contact Skybox using the form on our website or by emailing [email protected]

Customers and partners can contact Skybox technical support via the Skybox Support portal

Contents

Introduction ..... 4

Skybox minimal system requirements ..... 5

What’s new in this version ..... 6

  Skybox Web Client ..... 6

  Skybox Web Client - Firewall and Network Assurance ..... 10

  Skybox Web Client - Vulnerability Control ..... 12

  Skybox platform ..... 15

  Skybox Change Manager ..... 19

  Skybox Network Assurance ..... 20

  Skybox Vulnerability Control ..... 21

Known limitations ..... 22

What’s new in previous versions ..... 24

  Skybox platform ..... 24

  Skybox Firewall Assurance ..... 27

  Skybox Web UI ..... 28

  Skybox Change Manager ..... 30

  Skybox Network Assurance ..... 30

  Skybox Vulnerability Control ..... 31

Chapter 1: Introduction

This document includes information about new features in version 10.0.200, with a feature list for this version as well as a list for previous versions (9.0.600 and higher).

› Support for all releases of Skybox 8.5 ended in February 2019.

About Skybox products

Skybox’s powerful risk analytics platform provides security teams with continuous intelligence about vulnerabilities and network security risks, with no network disruption.

› Skybox solutions prioritize the most critical risks in minutes and provide detailed remediation options.

› Skybox solutions automate the complex security management processes required to maintain security controls and eliminate attack vectors, filtering out irrelevant data and delivering accurate results in a fraction of the security management time.

For more details, visit the Skybox website or see the product documentation.

Chapter 2: Skybox minimal system requirements

The minimal system requirements for Skybox are available here.

Chapter 3: What’s new in this version

This chapter includes a description of the new features and updates in Skybox version 10.0.200.

In this chapter

Skybox Web Client ..... 6

Skybox platform ..... 15

Skybox Change Manager ..... 19

Skybox Network Assurance ..... 20

Skybox Vulnerability Control ..... 21

Skybox Web Client

Welcome to Skybox® Security Suite v10. We are excited to bring you this major release with many new features, enhanced performance, and improved user experience. The release also includes the debut of Skybox Vulnerability Control’s Web Client and continued enhancements to the Skybox Firewall and Network Assurance Web Client.

In Vulnerability Control, you will find new capabilities and functionality that simplify vulnerability management, such as risk scoring, quick search, customization and more.

The main new features in this version are:

› Device Overview: Prioritize risky violations and get a top-down view of the infrastructure.

› Customizable Reporting Engine: Easily and quickly generate and export customizable reports based on the current screen view.

› Risk Scoring in Vulnerability Management: Increase accuracy and reduce the overhead involved in risk mitigation.

› Network Map: View all or part of your organization's network in map form.

Future versions will include policy editing, and user and group administration.

Reports (beta)

A reporting engine with a number of out-of-the-box reports is now available in Skybox Web Client for both Firewall and Network Assurance and Vulnerability Control. Reports are completely customizable and can contain any entity that appears in Web Client, whether it is a table of rules, a widget, or an explanation. Every dashboard can also be exported to a report.


The reports feature supports scheduled tasks that can be configured from Web Client.

To configure scheduled reports, in a task of type Reports – Auto Generation, select Web Client Reports as the type; in the Web Client Reports field, select the report that you want to schedule.

Note: The new Reporting Engine requires new Linux packages to be added, as explained below.

Reports in Skybox Web Client running on Linux servers

If your Skybox Server is running on Linux, an administrator (as root user) must do the following to support the reporting engine in Skybox Web Client:

1 Install the following packages:

• yum -y install libX11 libXcomposite libXcursor libXdamage libXext libXi libXtst cups-libs libXScrnSaver libXrandr alsa-lib pango atk at-spi2-atk gtk3

2 Run the following commands:

• echo user.max_user_namespaces=1000 >> /etc/sysctl.conf

• sysctl -p

Network Map (beta)

The network map is a graphical representation of all or part of your organization’s network. Open the network map from the toolbar at the top of the Web Client page.


Right-click a node in the map to view its properties in a separate pane.

Out-of-the-Box Reports and Dashboards

Skybox Web Client includes various out-of-the-box reports and dashboards. As these may change between versions, it is recommended to clone the ones that you want to use, make any necessary changes, and save them with different names.

Browsers

The following browsers are supported when working with Skybox Web Client:

› Firefox

› Google Chrome

› Microsoft Edge (version 40 and up)


SKYBOX WEB CLIENT - FIREWALL AND NETWORK ASSURANCE

Model module (also available in Vulnerability Control)

In the Model module, users can see all the devices in the network, sort them, group them by different categories, filter them, and create related dashboards (as in all the other modules).

Device Overview widget

This new widget displays the top devices by Violating Rules, Configuration Violations, Optimization Status, and other device analytics. It is similar to the Firewall table in the Java client, but in Skybox Web Client, the widget scope may include any type of device (not only firewalls), as well as security groups/tags. There is an option to drill down from every piece of information in the table, and to change the sorting of the widget according to the desired use case.

This widget can be added to a dashboard from the Overview unit. It can also be added to reports.

Open Change Manager tickets for deactivate rules

Wherever access rules appear in Firewall and Network Assurance, there is an option to open a deactivate rule ticket, which is then managed in Change Manager. A ticket can include one rule or multiple rules. The main use for this is to deactivate shadowed and redundant rules (from the Optimization & Cleanup module).

The following shows how to deactivate one rule:


Deactivation of multiple rules:

When you click Deactivate Rules, the following dialog box appears:

Automatic ticket for recertification

› In the Rule Review unit, there is an option to open a recertification ticket for an access rule, which will be managed in Change Manager.

Multiple owners for access rules

Skybox now supports multiple owners and multiple email addresses for access rules. You can see all the owners and their email addresses in the Tags column, and in the Recertification > Tags tab when you open the rule.


SKYBOX WEB CLIENT - VULNERABILITY CONTROL

Vulnerability Control dashboards: Assets, Vulnerability Occurrences

Overview dashboards provide a holistic view of the organization’s assets and vulnerabilities, and their risks. This enables enhanced visibility into the data using customizable dashboards as well as many out-of-the-box dashboard templates and widgets.

Users can quickly move from a high-level view to detailed data views that help them understand how to take action.

Users can choose from a variety of out-of-the-box widgets for common views/uses. Some examples of widgets that are available out-of-the-box are ‘Total Vulnerability Risk Score’, ‘Directly Exposed Vulnerabilities Over Time’, ‘Exposed & Exploitable Vulnerabilities by Business Units’, ‘Top Vulnerability Definitions by Risk’, and ‘Exposed Assets by Location’.


New risk score

Skybox provides a simplified, comprehensive and straightforward risk scoring method for Vulnerability Control that enables users to identify and understand the riskiest vulnerabilities and assets in their organization, and therefore make the best remediation decisions. Now, all entities have a risk score: vulnerability occurrences, vulnerability definitions, assets, asset groups, business asset groups, business units, networks, locations, and more.

The new risk scoring takes into consideration exposure, exploitability, CVSS and asset importance. It supports formula flexibility so that the user can control the risk factors and the weight they have in the formula.

The terms in the new risk score methodology are:

› Asset importance: A score from 1-5 that reflects how important an asset is to the organization. The organization can change the asset importance range and the default asset importance value. Asset importance is a factor in the vulnerability occurrence and asset risk score equations.

› Vulnerability rating: A technical severity score for vulnerability occurrences, from 0-10, that takes into consideration exposure, exploitability level, and CVSS score. Vulnerability rating is a factor in the vulnerability occurrence risk score equation. There are 4 options for how the vulnerability rating is calculated:

• Combination of exploitability, exposure and CVSS (this is the default)

• CVSS score

• Maximum of the 1st and 2nd options

• Average of the 1st and 2nd options

Your organization can pick the one that best suits its needs.

› Asset vulnerability rating: A technical severity score for assets, from 0-10. There are 2 options for how this is calculated:

• The sum of weighted vulnerability ratings for all the vulnerability occurrences on the asset

• The maximum vulnerability rating of all the vulnerability occurrences on the asset

› Vulnerability occurrence risk score: The risk score for a vulnerability occurrence, from 0-100. This score is based on the vulnerability rating times the asset importance.

› Vulnerability definition risk score: The sum of the risk scores of all vulnerability occurrences of a vulnerability definition.

› Asset risk score: The risk score for an asset (from 0-100), which takes into consideration the vulnerability occurrences on it, either as a weighted sum of all the vulnerability occurrence risk scores or by taking the risk score of the vulnerability occurrence with the highest risk score.


Default values are provided for risk scoring; it is not necessary to do any customization. However, the method is intended to be flexible, to fit the needs of different organizations. The values can be changed by an administrator in the Java client, at Tools > Options > Server Options > Vulnerability Control > Risk Score for Web UI.
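As an added worked example (not Skybox code), the following Python implements the terms defined above with the ranges the release notes give: the four vulnerability rating options, the two asset vulnerability rating options, and the occurrence, definition and asset risk scores. The release notes do not publish the combination formula, the weights of the weighted sum, or the scaling from rating times importance to 0-100, so the exposure and exploitability multipliers, the halving weights, the scale factor, and the sample model are all assumptions made for illustration.

```python
"""Skybox 10.0.200 risk-score terms, as a constructed worked example (not Skybox code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Tuple

# ASSUMED multipliers for the "combination" rating. The release notes name the
# inputs (exposure, exploitability, CVSS) but do not publish the formula.
EXPOSURE_FACTOR = {"direct": 1.0, "indirect": 0.7, "not_exposed": 0.4}
EXPLOITABILITY_FACTOR = {"exploit": 1.0, "poc": 0.8, "none": 0.6}
IMPORTANCE_RANGE: Tuple[int, int] = (1, 5)  # default asset importance range in the notes


class RatingMethod(Enum):
    COMBINATION = "combination"  # default in the notes
    CVSS = "cvss"
    MAX = "max"                  # maximum of combination and CVSS
    AVERAGE = "average"          # average of combination and CVSS


class Aggregate(Enum):
    WEIGHTED_SUM = "weighted_sum"
    MAX = "max"


@dataclass(frozen=True)
class Occurrence:
    asset: str
    definition: str      # vulnerability definition id (constructed ids below)
    cvss: float          # CVSS base score, 0-10
    exposure: str        # key of EXPOSURE_FACTOR
    exploitability: str  # key of EXPLOITABILITY_FACTOR


def _clamp(value: float, low: float, high: float) -> float:
    return max(low, min(high, value))


def vulnerability_rating(occ: Occurrence,
                         method: RatingMethod = RatingMethod.COMBINATION) -> float:
    """Technical severity of one occurrence, 0-10, using one of the four options."""
    cvss = _clamp(occ.cvss, 0.0, 10.0)
    combination = _clamp(cvss * EXPOSURE_FACTOR[occ.exposure]
                         * EXPLOITABILITY_FACTOR[occ.exploitability], 0.0, 10.0)
    if method is RatingMethod.COMBINATION:
        return round(combination, 2)
    if method is RatingMethod.CVSS:
        return cvss
    if method is RatingMethod.MAX:
        return round(max(combination, cvss), 2)
    return round((combination + cvss) / 2, 2)


def _weighted_sum(values: Iterable[float], cap: float) -> float:
    """ASSUMED weighting: highest value gets weight 1, each next one half of the
    previous, so the worst finding dominates and noise adds diminishing amounts."""
    total = sum(v * 0.5 ** i for i, v in enumerate(sorted(values, reverse=True)))
    return round(min(total, cap), 2)


def asset_vulnerability_rating(occs: Iterable[Occurrence],
                               method: RatingMethod = RatingMethod.COMBINATION,
                               aggregate: Aggregate = Aggregate.WEIGHTED_SUM) -> float:
    """Asset severity, 0-10: weighted sum or maximum of its occurrence ratings."""
    ratings = [vulnerability_rating(o, method) for o in occs]
    if not ratings:
        return 0.0
    return _weighted_sum(ratings, 10.0) if aggregate is Aggregate.WEIGHTED_SUM else max(ratings)


def occurrence_risk_score(occ: Occurrence, importance: int,
                          method: RatingMethod = RatingMethod.COMBINATION) -> float:
    """Rating (0-10) times asset importance (1-5), rescaled to 0-100 (scale factor assumed)."""
    low, high = IMPORTANCE_RANGE
    if not low <= importance <= high:
        raise ValueError(f"asset importance {importance} is outside {IMPORTANCE_RANGE}")
    scale = 100.0 / (10.0 * high)
    return round(vulnerability_rating(occ, method) * importance * scale, 2)


def definition_risk_score(definition: str, occs: Iterable[Occurrence],
                          importance: Dict[str, int],
                          method: RatingMethod = RatingMethod.COMBINATION) -> float:
    """Sum of the risk scores of every occurrence of one vulnerability definition."""
    return round(sum(occurrence_risk_score(o, importance[o.asset], method)
                     for o in occs if o.definition == definition), 2)


def asset_risk_score(asset: str, occs: Iterable[Occurrence], importance: Dict[str, int],
                     method: RatingMethod = RatingMethod.COMBINATION,
                     aggregate: Aggregate = Aggregate.WEIGHTED_SUM) -> float:
    """Asset risk, 0-100: capped weighted sum or maximum of its occurrence risk scores."""
    scores = [occurrence_risk_score(o, importance[o.asset], method)
              for o in occs if o.asset == asset]
    if not scores:
        return 0.0
    return _weighted_sum(scores, 100.0) if aggregate is Aggregate.WEIGHTED_SUM else max(scores)


def rank_assets(occs: List[Occurrence], importance: Dict[str, int],
                method: RatingMethod = RatingMethod.COMBINATION,
                aggregate: Aggregate = Aggregate.WEIGHTED_SUM) -> List[Tuple[str, float]]:
    """Assets ordered by risk score, highest first (name breaks ties)."""
    ranked = [(a, asset_risk_score(a, occs, importance, method, aggregate))
              for a in sorted({o.asset for o in occs})]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


# Constructed sample: the same definition on three assets of different importance.
SAMPLE_OCCURRENCES = [
    Occurrence("db-01", "VD-1001", 9.8, "direct", "exploit"),
    Occurrence("db-01", "VD-2002", 5.3, "not_exposed", "none"),
    Occurrence("web-01", "VD-1001", 9.8, "indirect", "exploit"),
    Occurrence("lab-07", "VD-1001", 9.8, "direct", "exploit"),
]
SAMPLE_IMPORTANCE = {"db-01": 5, "web-01": 3, "lab-07": 1}

if __name__ == "__main__":
    for asset, score in rank_assets(SAMPLE_OCCURRENCES, SAMPLE_IMPORTANCE):
        print(f"{asset:8} risk={score:6.2f}")
```

In the sample, the identical finding on lab-07 (importance 1) scores below the indirectly exposed one on web-01 (importance 3), which is the effect of the importance factor the notes describe.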

Asset prioritization

Users can now understand risk from the perspective of assets or asset groups, including the risk score of assets and their exposure level.

Vulnerability history

Users can track down any changes that have happened to a vulnerability for auditing purposes and to have visibility throughout the vulnerability life cycle.


Search capability

Users can search quickly for any asset or vulnerability in the network that has a specific characteristic. For example, searching for ‘WannaCry’:

Another example, searching for vulnerabilities and assets related to ‘finance’:

Skybox platform

Platform upgrade

› Skybox platform was upgraded to Java 1.8.0_202a

› Skybox platform was upgraded to MySQL 5.7.25a

› Memory configuration: The upgrade to 10.0.200 overwrites the memory configuration parameters in Skybox_Home/server/conf/jvmargs.properties, which is a system file. If you customized any memory parameters in jvmargs.properties, make sure to copy this information to jvmargs.user.properties before starting the upgrade.


Collection and modeling

› Twistlock collection and full containers modeling

Skybox now supports importing container information from Twistlock container security solutions. Collection of information about running container instances and images in the repository can be done using tasks of type Containers – Twistlock Collection.

› AWS tags

When collecting assets from AWS (via Cloud & Virtualization – Amazon Web Services Collection tasks), Skybox now automatically imports all EC2 asset tags and represents them in the model as tags (custom business attributes).

› Load Balancers – Pulse Secure vTM Collection tasks retrieve configuration data from Pulse Secure Virtual Traffic Manager load balancers and add this data to the current model.

› Support for Cisco ACI was enhanced. It now includes collection of routing rules and external EPGs.

› Support for Check Point R80 devices was enhanced. Skybox now displays inline layers for access rules.

› Palo Alto Networks support enhancements

PAN-OS 9.0 is now supported.

› Check Point R80 log collection: Collection of traffic and audit logs of R80 devices from log servers is now supported.

› Support for Cisco IOS devices was enhanced. Collection of hit counts from web VPN routers and other devices with zone-based policies is now supported.

User authentication

› SAML 2.0 authentication

Users of Skybox Web Client can now log on to the web client via the organization's SSO, such as Okta. Information about how to set up this feature is provided in the Skybox Installation and Administration Guide.

Integration

› Export of Skybox data into Splunk (to be released in the next maintenance patch)

Tasks of type Backup and Export Tasks – Export to Splunk export Skybox database indices to an external Splunk instance.

Using Splunk enriched with information from Skybox enables more contextual incident response.

› Integration of Change Manager with ServiceNow

Skybox now supports integration with the ServiceNow ticketing system. Information about how to set up this feature is provided in the Skybox Change Manager User's Guide.


Automatic creation of custom business attributes for assets

It is no longer necessary to create tags (custom business attribute definitions) for assets manually in the Java client (Manager). If any collection task (or CMDB import task) finds a tag, it is automatically represented in the model as a custom business attribute (tag).

Support for IPv6

Skybox now supports IPv6 for the first time.

The following devices are currently supported:

› Palo Alto Networks

› Cisco Firepower

The following scanners are currently supported:

› Qualys

Limitations on support for IPv6

In this version, Skybox support for IPv6 includes the following limitations:

› Change Manager does not support IPv6

› IPv6 rule usage analysis is not supported on Firepower

› Skybox Appliance on IPv6 is not supported

› For Qualys scans, only Host List Detection reports support IPv6, not JSON

› Hybrid (IPv4 and IPv6) perimeter clouds are not supported

› Interoperability of IPv4 and IPv6 is not supported

› Routing rule validations (in Model Validation) do not run on IPv6

How to enable IPv6 in this version

IPv6 support is currently disabled by default. To enable it, set the following flags and then restart the Server, the Collector, and the Manager (Java client).

Server side

› /server/conf/sb_server.properties

• model_ipv6=true

› /server/conf/sb_common.properties

• ipv6_collection_toggle=true

• paloalto.shouldModelIPv6=true

• qualys.shouldModelIPv6=true

• cisco_firepower.shouldModelIPv6=true

Collector side

› /collector/conf/sb_collector.properties

• model_ipv6=true


› /collector/conf/sb_common.properties

• ipv6_collection_toggle=true

• paloalto.shouldModelIPv6=true

• qualys.shouldModelIPv6=true

• cisco_firepower.shouldModelIPv6=true

UI side

› \app\conf\sb_common.properties

• ipv6_collection_toggle=true

• paloalto.shouldModelIPv6=true
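The flags above must be set consistently on the Server, the Collector and the Manager, and each file may already contain an earlier value. As an added example (not Skybox code), the following Python sets the listed keys idempotently in the .properties files named above and then verifies them the way Java loads properties (the last definition of a key wins), so a stale duplicate line further down a file is not missed. The installation root, the demo() helper and its constructed sample file are assumptions; only the key=value syntax is handled, not the space or colon separators that Java properties also accept.

```python
"""Set and verify the IPv6 flags from the 10.0.200 release notes (constructed example)."""
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

COMMON_FLAGS = {
    "ipv6_collection_toggle": "true",
    "paloalto.shouldModelIPv6": "true",
    "qualys.shouldModelIPv6": "true",
    "cisco_firepower.shouldModelIPv6": "true",
}
# Files and keys per component, as listed in the release notes, relative to the
# installation root. The notes give the Manager path as \app\conf\sb_common.properties;
# a forward-slash relative path works with pathlib on Windows as well.
IPV6_FLAGS: Dict[str, Dict[str, Dict[str, str]]] = {
    "server": {
        "server/conf/sb_server.properties": {"model_ipv6": "true"},
        "server/conf/sb_common.properties": COMMON_FLAGS,
    },
    "collector": {
        "collector/conf/sb_collector.properties": {"model_ipv6": "true"},
        "collector/conf/sb_common.properties": COMMON_FLAGS,
    },
    "ui": {
        "app/conf/sb_common.properties": {
            "ipv6_collection_toggle": "true", "paloalto.shouldModelIPv6": "true"},
    },
}


def _split(line: str) -> Optional[Tuple[str, str]]:
    """(key, value) for a key=value line; None for blank, comment (# or !) or other lines."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#!" or "=" not in stripped:
        return None
    key, value = stripped.split("=", 1)
    return key.strip(), value.strip()


def set_properties(path: Path, wanted: Dict[str, str]) -> List[str]:
    """Idempotently set keys: rewrite the first definition in place, drop later duplicates
    of the same key, append keys that are absent, keep every other line. Returns changed keys."""
    lines = path.read_text(encoding="utf-8").splitlines() if path.exists() else []
    out: List[str] = []
    seen, changed = set(), set()
    for line in lines:
        kv = _split(line)
        if kv is None or kv[0] not in wanted:
            out.append(line)
            continue
        key, value = kv
        if key in seen:            # duplicate definition: removing it is a change
            changed.add(key)
            continue
        seen.add(key)
        if value != wanted[key]:
            changed.add(key)
        out.append(f"{key}={wanted[key]}")
    for key, value in wanted.items():
        if key not in seen:
            out.append(f"{key}={value}")
            changed.add(key)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text("\n".join(out) + "\n", encoding="utf-8")
    return sorted(changed)


def enable_ipv6(root: Path, component: str) -> Dict[str, List[str]]:
    """Apply the flags of one component ("server", "collector" or "ui") under root."""
    return {rel: set_properties(root / rel, flags) for rel, flags in IPV6_FLAGS[component].items()}


def verify_ipv6(root: Path, component: str) -> List[Tuple[str, str, str]]:
    """(file, key, effective value) for every required flag that is missing or not true."""
    problems = []
    for rel, flags in IPV6_FLAGS[component].items():
        path, actual = root / rel, {}
        if path.exists():
            for line in path.read_text(encoding="utf-8").splitlines():
                kv = _split(line)
                if kv is not None:
                    actual[kv[0]] = kv[1]   # later definitions override, as Java does
        for key, value in flags.items():
            if actual.get(key) != value:
                problems.append((rel, key, actual.get(key, "<missing>")))
    return problems


def demo() -> Dict[str, object]:
    """Constructed walk-through on a temporary directory (not a real installation)."""
    root = Path(tempfile.mkdtemp())
    common = root / "server/conf/sb_common.properties"
    common.parent.mkdir(parents=True)
    common.write_text("# constructed sample\nipv6_collection_toggle=false\n"
                      "qualys.shouldModelIPv6=true\nother=1\nipv6_collection_toggle=false\n",
                      encoding="utf-8")
    before = verify_ipv6(root, "server")
    changed = enable_ipv6(root, "server")
    return {"before": before, "changed": changed, "after": verify_ipv6(root, "server"),
            "rerun": enable_ipv6(root, "server"), "text": common.read_text(encoding="utf-8")}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```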

Custom business attributes for additional entities

Custom business attributes can be created manually (via Tools > Options > Business Attributes) for the following entities:

› Access rules

› Assets

› Asset groups (new)

› Networks (new)

› Services (new)

› Vulnerability occurrences (new)

› Vulnerability definitions

In Skybox Web Client, business attributes appear under the Tags column of the relevant entity.

Multiple owners for access rules

Skybox now supports multiple owners and multiple email addresses for access rules. Right-click a rule and select Set Business Attributes.


Skybox Change Manager

Revert ticket

In some cases, automatically implemented change requests may need to be reverted after they are implemented. Change Manager enables reversion of automatically implemented change requests as follows:

› The ticket must be in the Implementation or Verification phase.

› Currently supported change requests:

• Add Rule (derived) change requests for firewalls of type Check Point R80 that were automatically implemented by Change Manager.

Analysis of change requests

The Analysis – Change Requests task was deleted. Analysis of change requests is now done as part of Analysis – Change Tracking tasks.

Automatic implementation updates

The automatic implementation feature was extended and now supports the following:

› Check Point:

• R80.20 firewalls

• Inline layers for R80.xx firewalls

• Delete Rule

› For Cisco ASA devices (via SSH): Modify Rule, Modify Object, and Delete/Disable Object change requests

› For PAN devices:

• Modify Object change requests

• Shared Objects

Workflow statistics

The new Workflow Statistics view, available from the left pane, displays statistics for each workflow, including how many tickets with change requests were opened during a selected period, the firewalls for those change requests, a breakdown of change requests per type, and the total number of change requests for the workflow. You can also export the data to an Excel file.

Recertification for rules with multiple owners

Recertification of access rules with multiple owners requires a new functionality called ‘Approvers’.

In the recertification process, each of the rule owners is an approver and has the option to certify or reject the rule. If an owner rejects the rule, they must add a comment. Each owner will be able to view the recertification status of the other owners.

Statuses

› The status of a rule that is unanimously certified is ‘Certified’

› The status of a rule that is unanimously rejected is ‘Rejected’

› The status of a rule that is partially rejected and partially certified is ‘Partially Rejected’

Setup

For each recertification workflow that uses multiple owners, select Automatically promote recertification tickets that were fully reviewed (in Tools > Options > Change Manager Settings > Workflows) to ensure that tickets that were reviewed by all their owners are promoted to the next phase.

Pending Review

A Pending Review section was added to Change Manager. It is accessible from the control panel on the left-hand side. In this section, each of the rule owners can view and respond to each of the rules they own that are in the process of recertification.

Skybox Network Assurance

Access Compliance for applications in Network Assurance

It is now possible to configure “No Access” Access Policies on applications in Skybox Network Assurance. These Access Policies refer to both the selected applications and their default services.

Access routes can contain both next generation (NG) firewalls and legacy firewalls.


› For NG firewalls, a violating rule is one that allows both the application and its default services.

› For legacy firewalls, a violating rule is one that allows the default services of the configured application.

Limitation:

› Applications are taken from the firewall's management repository. If a user selects an application from one repository, Skybox might not find violating rules on other firewalls in the route that allow the application but are managed differently.

For example, WhatsApp is declared differently in Palo Alto than in Check Point.

› To work around this issue, configure the Access Policy with all the appearances of this application in every repository. You can select this in the following dialog box.

Skybox Vulnerability Control

Vulnerability Detector for Cisco Catalyst IOS-XE

The Vulnerability Detector was extended to support Cisco Catalyst IOS-XE devices.

Chapter 4: Known limitations

This section lists the known limitations for version 10.0.200.

Limitations on Skybox Web Client

In this version, the following limitations exist on Skybox Web Client:

› The web client has styling issues with IE11; it is recommended to work with Microsoft Edge.

› The web client is not fully supported on low-resolution screens (laptops).

› The Device Overview widget only shows and prints the top 6 firewalls.

› Not all search results are highlighted.

› The user may see some duplications in predefined reports, dashboards, and analyses.

› After an upgrade, predefined dashboards are collapsed under the list of dashboards and not displayed by default.

› Drill down is not enabled from Counter widgets.

› Widget colors do not always appear as expected.

› Send Feedback opens a "monkey survey" and not an email.

› To view custom network maps in the web client, you must mark 'auto group nodes' in the properties in the Manager (Java client).

› Tables are not customizable: there is no resizing or reordering of columns, and the maximum number of rows per page is 50.

› CM ticket status is not set to "verified" even though the change request was implemented and reconciled by the change tracking task. This is due to a CM limitation: it takes the first change only, which is the new rule that was requested.

› In Filter Set (or Search) > Network Scope: You cannot select certain predefined groups, such as Routers, Firewalls, or Load Balancers; you must select the individual entities under them.

› In Filter Set (or Search) > Network Scope: You can only use the Filter button after you have search results. For example, search for all entities with the string "NY", click Filter, and then select "Firewalls" and "Routers".

› User Permissions for Web Client: By default, all user roles can use the Web Client and can see all data. To change this so that only Admin user roles can access the Web Client, set the flag disable_web_for_non_admin to true in the file Skybox_Home\server\conf\sb_server.properties.

Limitations on IPv6 support

In this version, Skybox support for IPv6 includes the following limitations:

› Change Manager does not support IPv6

› IPv6 rule usage analysis is not supported on Firepower

› Skybox Appliance on IPv6 is not supported

› For Qualys scans, only Host List Detection reports support IPv6, not JSON

› Hybrid (IPv4 and IPv6) perimeter clouds are not supported

› Interoperability of IPv4 and IPv6 is not supported

› Routing rule validations (in Model Validation) do not run on IPv6

Note: IPv6 is disabled by default. Instructions for enabling it are included in Skybox platform (on page 15).

Miscellaneous Limitations

› Automatic implementation for Palo Alto Networks: Failure in adding rule between shared rules.

› Cisco Firepower: Setting 'Zone type' on the Firepower interface prevents provisioning of an access rule.

› EntityNotFoundException thrown when clicking on Firepower NIC.

Page 24: Skyboxdownloads.skyboxsecurity.com/files/Installers/Skybox... · 2019-06-23 · A reporting engine with a number of out-of-the-box reports is now available in Skybox Web Client for

Skybox version 10.0.200 24

Chapter 5

This chapter includes information about new features and updates in previous Skybox versions 9.0.600 and higher.

In this chapter

Skybox platform ................................................................. 24

Skybox Firewall Assurance ................................................... 27

Skybox Web UI ................................................................... 28

Skybox Change Manager ..................................................... 30

Skybox Network Assurance .................................................. 30

Skybox Vulnerability Control ................................................ 31

Skybox platform

Elasticsearch

Skybox Server now supports the export of data into Elasticsearch via Skybox tasks or REST API calls.

Further information is available in the Skybox Installation and Administration Guide.

Supported operating systems

The list of operating systems on which Skybox Server can run has been expanded to include Windows Server 2016.

New connectors

› Operational Technology – Claroty Collection tasks retrieve vulnerability occurrence data collected by a Claroty Platform and add this data to the current model.

› Operational Technology – Indegy Collection tasks retrieve vulnerability occurrence data collected by an Indegy platform and add this data to the current model.


Saving the model for Skybox support

A new option was added to manual file backups (File > Models > Save) to specify whether to save the model without user names and passwords for Skybox tasks.

Important: Do not use this option when backing up the model for your organization; it is intended solely for sending the model to Skybox support.

Specific tasks for user roles

A new field named Permitted Tasks was added to the User Role dialog box (under the Operations Console field), which enables the administrator to define a white list of task types for each custom user role.

› For user roles with full or viewing access to the Operations Console, you can select the Skybox tasks that they are permitted to run.

› Users with full access can also edit these tasks.

Changes to Skybox Collector

In this version, the infrastructure of the Collector was migrated from a JBoss application server deployment to one based on Spring Boot version 1.5.17 with an embedded Tomcat servlet container, version 8.5.34. Additional information is available in the Migrating the Collector infrastructure chapter, in the Skybox Installation and Administration Guide.

Important: If you have done any customization of the old JBoss Tomcat server.xml file or the TLS setting in <Skybox_Home>/collector/conf/jvmargs.properties for any Collectors you are using, you must customize the new infrastructure as well. Information about customization can be found in Migrating the Collector infrastructure, in the Skybox Installation and Administration Guide.


› On Windows, when the Collector is running as an operating system service, the service is reinstalled on every update.

For this reason, if you changed the service logon options to use a service user for collection, you must specify the service user again after every update.

SSH collection limitation

The current SSH client used by the Skybox Collector for remote collection can only use a Diffie-Hellman key of up to 2048 bits. Collection from remote devices that use a larger key will fail.

New task: Install Python tools for Skybox Appliance

This task installs the Python infrastructure (version 2.7.13) on Skybox Appliances. Python is required for the following Skybox collection tasks:

› Firewalls – Sophos UTM

› Firewalls – Huawei Eudemon

› Routers – Dionis NX

› Routers – Vyatta

› Scanners – AppScan

› Scanners – WhiteHat Sentinel

› Operational Security – SecurityMatters

› Firewalls – Forcepoint NGFW

You only need to run this task once for each Collector (or Server) running on a Skybox Appliance that is used for these tasks.

New connectors

› Firewalls – Huawei Eudemon Collection tasks add configuration data from Huawei Eudemon firewalls to the current model.

› Asset Management – ForeScout Collection tasks retrieve device data from a ForeScout database and add this data to the current model.

Skybox REST APIs

Skybox includes REST APIs to retrieve data from Skybox and use its core methods remotely. The base URL is /skybox/webservice/jaxrs

The REST APIs use basic authentication. For more information, see https://swagger.io/docs/specification/authentication/basic-authentication/

The REST APIs can be viewed and tested at https://<server_name>:8443/skybox/webservice/swagger-ui/index.html. Log in with your Skybox user to access this site.

The following REST APIs are supported:

› All calls in /accesspolicytemplate/

These calls are used for managing Access Policies and zones.

› All calls in /threatalert/v1 and /threatalerttickets/v1


These calls work with threat alert tickets.

Note: Support is provided only for the API calls mentioned here. Other API calls exist but are not currently supported, and Skybox takes no responsibility for their use.
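The following is an added example of a client-side request builder for the REST APIs described above; it is not Skybox code and it does not call a live server. It assumes the documented base URL /skybox/webservice/jaxrs and the supported prefix /threatalert/v1 (the concrete endpoints under that prefix are listed in the Swagger UI); the server name and the user/password are constructed placeholders. The decode function shows why the notes' https URL matters: a Basic header is base64, not encryption, so anyone who can read the request can recover the credentials, and the builder refuses plain http for that reason.

```python
import base64
import binascii
from typing import Tuple
from urllib.parse import urlsplit, urlunsplit
from urllib.request import Request

# Base path as documented in the release notes.
BASE_PATH = "/skybox/webservice/jaxrs"


def basic_auth_header(user: str, password: str) -> str:
    """Build the value of an HTTP Basic Authorization header (RFC 7617).

    The credentials are only base64-encoded, not encrypted.
    """
    if ":" in user:
        raise ValueError("user name must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth(header_value: str) -> Tuple[str, str]:
    """Recover user and password from a Basic header (what any on-path observer could do)."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic authorization header")
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic token") from exc
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("Basic token does not contain 'user:password'")
    return user, password


def build_request(server_url: str, api_path: str, user: str, password: str) -> Request:
    """Prepare a GET against <server_url>/skybox/webservice/jaxrs<api_path>.

    server_url is e.g. "https://skybox.example.com:8443" (placeholder host).
    Only https is accepted, because Basic credentials travel with every request.
    """
    parts = urlsplit(server_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("Basic credentials must only be sent over https")
    if not api_path.startswith("/"):
        api_path = "/" + api_path
    url = urlunsplit((parts.scheme, parts.netloc,
                      parts.path.rstrip("/") + BASE_PATH + api_path, "", ""))
    req = Request(url, method="GET")
    req.add_header("Authorization", basic_auth_header(user, password))
    req.add_header("Accept", "application/json")
    return req


if __name__ == "__main__":
    # Constructed example; nothing is sent.
    r = build_request("https://skybox.example.com:8443", "/threatalert/v1", "alice", "s3cret")
    print(r.full_url)
    print(decode_basic_auth(r.get_header("Authorization")))
```

To actually send the request, pass it to urllib.request.urlopen with a TLS context that verifies the server certificate (the default context does); keep the password out of source code and shell history, for example by reading it from an environment variable.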

Fortinet FortiGate traffic syslog in CEF format

Skybox now supports rule usage logs in CEF format for FortiGate firewalls.

NetScreen rules from non-Global zones to the Global zone

Support in Access Analyzer for NetScreen rules and packet flow from “non-Global” zones to the “Global” zone was improved.

New Connectors

› Firewalls – Sophos UTM Collection tasks retrieve configuration data from Sophos UTM firewalls and add this data to the current model.

› Scanners – Tenable.IO Collection tasks retrieve Nessus scans from Tenable.io scanners and add the vulnerability occurrence data to the current model. The following scan result types are supported:

• Basic scan

• Host discovery

• Advanced scan

Skybox Firewall Assurance

Support for Check Point R80 in Configuration Compliance

Support for Check Point Security Management R80 and higher has been added to Configuration Compliance. Standard V14 is a new Configuration Policy whose Check Point section was updated to include tests for these devices.

To use this policy, import it by right-clicking Configuration Policies in either the Firewall Assurance or Network Assurance tree, selecting Import Configuration Policies, and then selecting Standard V14.

Support for Rule Usage Analysis on Cisco Firepower devices

Skybox now supports syslog traffic for Firepower devices, thus enabling Rule Usage Analysis.

Define critical access rules for review

In Firewall Assurance, users can now define critical access rules for review. They can also receive notifications when any changes are made to these rules.

› To define rules for review: When the Table pane includes a list of access rules (for example, when Rule Review for a single firewall is selected in the Tree pane), select rules in the Table pane, right-click, and select Set Review Indication.

Display the For Review column to show the selected rules; right-click in the header row of the table, select Customize Current View, and then select For Review from the list of possible columns.


› To set up the notifications mechanism:

1. Select Tools > Administrative Tools > Triggers.

2. In the Skybox Admin window, open or create a trigger of type Change Tracking.

3. In the Change Record Filter tab, select Notify changes in rules marked for review.

› When tasks of type Analysis – Change Tracking are run and there are changes in any rules marked as For Review, the following notification is sent: “Change tracking event was recorded for rule # <Rule number> in <Firewall Name> device.”

› In addition, the For Review column was added as the last column in CSV files produced by the CSV – Access Rules Review Export task.

Note: Notifications cannot be sent when Cisco firewall rules are deleted from a firewall because these rules have no GUID.

Skybox Web UI

Rule Review unit

A new Rule Review unit was added to the Firewall and Network Assurance Web UI. This unit provides a convenient way to review access rules.

Dedicated widgets for this section include “Rules by Recertification Status” and “Rules by Next Review Date”.

Drill down from a widget leads to a view of the relevant rules. You can expand each rule to display its recertification information, as well as information from the other units (Compliance, Optimization & Cleanup, and Change Tracking).

The rightmost column in lists of rules for review displays the recertification status of this access rule, and when it is due or how long it is overdue.

Possible recertification statuses are:

• Certified

• Rejected

• In Progress: A recertification ticket is open

• Overdue: The review date has passed but the rule’s status was not changed to either Certified or Rejected by a closed Recertification ticket in Change Manager.

Overdue rules may or may not have open tickets associated with them.

• Unknown: For new rules or legacy rules that have not yet started the process of recertification
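As an added illustration of the status legend above (not Skybox code), the function below derives the status and the "due in / overdue" text that the rightmost column displays from a rule's next review date, its open Recertification ticket and the decision of the last closed ticket. The AccessRule fields and the precedence between statuses (a closed-ticket decision first, then Overdue regardless of open tickets, then In Progress, then Unknown) are assumptions made for the example; the sample rules and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class AccessRule:
    """Recertification-related fields of one access rule (assumed shape for this example)."""
    name: str
    next_review_date: Optional[date]     # None: no review date has been set yet
    open_ticket: bool = False            # a Recertification ticket is open in Change Manager
    decision: Optional[str] = None       # "Certified" / "Rejected" set by a closed ticket


def due_text(next_review_date: Optional[date], today: date) -> str:
    """'due in N days' or 'N days overdue', or empty when no date is set."""
    if next_review_date is None:
        return ""
    delta = (next_review_date - today).days
    return f"due in {delta} days" if delta >= 0 else f"{-delta} days overdue"


def recertification_status(rule: AccessRule, today: date) -> Tuple[str, str]:
    """Return (status, due text) as the Rule Review column would show them.

    Precedence (assumption of this example):
      1. a closed ticket decided Certified or Rejected
      2. Overdue: review date passed and no decision, with or without an open ticket
      3. In Progress: a recertification ticket is open
      4. Unknown: recertification has not started
    """
    due = due_text(rule.next_review_date, today)
    if rule.decision in ("Certified", "Rejected"):
        return rule.decision, due
    if rule.next_review_date is not None and rule.next_review_date < today:
        return "Overdue", due
    if rule.open_ticket:
        return "In Progress", due
    return "Unknown", due


def overdue_queue(rules: List[AccessRule], today: date) -> List[str]:
    """Names of Overdue rules, longest overdue first: the list a reviewer should work through."""
    overdue = [r for r in rules if recertification_status(r, today)[0] == "Overdue"]
    overdue.sort(key=lambda r: r.next_review_date)
    return [r.name for r in overdue]


# Constructed sample rules; the "today" below is the date of these release notes.
SAMPLE_RULES = [
    AccessRule("allow-web-dmz", date(2019, 7, 3)),
    AccessRule("legacy-any-any", date(2019, 6, 13), open_ticket=True),
    AccessRule("vpn-admin", date(2019, 6, 30), open_ticket=True),
    AccessRule("backup-sync", date(2020, 6, 23), decision="Certified"),
    AccessRule("imported-rule", None),
    AccessRule("old-partner-link", date(2019, 1, 1)),
]

if __name__ == "__main__":
    today = date(2019, 6, 23)
    for rule in SAMPLE_RULES:
        print(rule.name, *recertification_status(rule, today))
    print("review queue:", overdue_queue(SAMPLE_RULES, today))
```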


Changes in rule review task

The name of the Policy Rule Review task was changed to Rule Recertification. This task now performs all the relevant actions for the rule recertification process:

› Setting the initial next review date for access rules that do not yet have a next review date

The date can be set to the rule’s creation date or to another specific date.

› Computing the Next Review Date according to the defined Rule Review Policies

› Generating recertification tickets according to the defined Rule Recertification Ticket policies (the same action as Ticket – Auto Generation tasks with the Rule Recertification Ticket Policies field checked).

All the task actions are optional. The Compute Next Review Date action is selected by default, as this is the basic action necessary for the Rule Recertification process.

Note: The modified task still supports users who used the Policy Rule Review task.


URL of Skybox Web UI

› The URL of Skybox Web UI has been changed to: https://<server>:8443/skybox/products/home

› The specific URL of Firewall and Network Assurance is: https://<server>:8443/skybox/products/spm

Rule Policies section

A new Rule Policies section was added to the Compliance unit. This section provides a convenient way to investigate Rule Policy violations from the perspective of the entire Rule Policy.

Dedicated widgets for this section include “Checks by Rule Compliance Status” and “Rule Checks by Severity”.

As in all the other sections, drill down from a widget leads to a view of the relevant Rule Checks. You can expand each Rule Check to display the list of violating rules, the tested firewalls, and more details about the check itself.

Skybox Change Manager

Automatic implementation for Cisco ASA

The automatic implementation feature was extended and now supports Add Rule and Add Object change requests for Cisco ASA devices. Provisioning to Cisco ASA devices is done via the SSH interface.

Automatic implementation for Check Point R80

The automatic implementation feature was extended and now supports Deactivate Rule (disable and delete) change requests for Check Point R80 firewalls.

Implementing change requests from the ticket

When a ticket is in the Implementation phase, its owner can implement the change requests by selecting them in the list and clicking Implement Change Requests.

Automatic implementation for Cisco Firepower

The automatic implementation feature was extended and now supports Add Rule and Add Object change requests for firewalls managed by Cisco Firepower.

Skybox Network Assurance

Support for Check Point R80 in Configuration Compliance

Support for Check Point Security Management R80 and higher has been added to Configuration Compliance. Standard V14 is a new Configuration Policy whose Check Point section was updated to include tests for these devices.

To use this policy, import it by right-clicking Configuration Policies in either the Firewall Assurance or Network Assurance tree, selecting Import Configuration Policies, and then selecting Standard V14.


Support for Rule Usage Analysis on Cisco Firepower devices

Skybox now supports syslog traffic for Firepower devices, thus enabling Rule Usage Analysis.

Define critical access rules for review

In Firewall Assurance, users can now define critical access rules for review. They can also receive notifications when any changes are made to these rules.

› To define rules for review: When the Table pane includes a list of access rules (for example, when Rule Review for a single firewall is selected in the Tree pane), select rules in the Table pane, right-click, and select Set Review Indication.

Display the For Review column to show the selected rules; right-click in the header row of the table, select Customize Current View, and then select For Review from the list of possible columns.

› To set up the notifications mechanism:

1. Select Tools > Administrative Tools > Triggers.

2. In the Skybox Admin window, open or create a trigger of type Change Tracking.

3. In the Change Record Filter tab, select Notify changes in rules marked for review.

› When tasks of type Analysis – Change Tracking are run and there are changes in any rules marked as For Review, the following notification is sent: “Change tracking event was recorded for rule # <Rule number> in <Firewall Name> device.”

› In addition, the For Review column was added as the last column in CSV files produced by the CSV – Access Rules Review Export task.

Note: Notifications cannot be sent when Cisco firewall rules are deleted from a firewall because these rules have no GUID.
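The rules-for-review mechanism is described twice in this chapter (under Skybox Firewall Assurance and under Skybox Network Assurance); the following added example serves both. It is not Skybox code: it parses the notification text quoted above into rule number and firewall name, so that a ticketing or SIEM hook can act only on change events for rules marked For Review, and it reads the CSV – Access Rules Review Export file using the one documented fact that For Review is the last column. The sample notifications and CSV rows are constructed; the other column names (Firewall, Rule Number, ...) and the Yes/No encoding of the flag are assumptions of the example.

```python
import csv
import io
import re
from typing import Dict, Iterable, List, Optional

# Notification format quoted in the release notes:
# "Change tracking event was recorded for rule # <Rule number> in <Firewall Name> device."
NOTIFICATION_RE = re.compile(
    r"^Change tracking event was recorded for rule # (?P<rule>\S+) in (?P<firewall>.+) device\.?$"
)

# Constructed sample notifications (firewall names and rule numbers are made up).
SAMPLE_NOTIFICATIONS = [
    "Change tracking event was recorded for rule # 42 in fw-dc1-edge device.",
    "Change tracking event was recorded for rule # 7 in Branch Office FW device.",
    "Task Analysis - Change Tracking finished successfully.",
]

# Constructed sample export. Only "For Review is the last column" comes from the
# notes; the remaining column names and the Yes/No values are assumptions.
SAMPLE_EXPORT_CSV = """\
Firewall,Rule Number,Source,Destination,Service,Action,For Review
fw-dc1-edge,42,10.0.0.0/8,203.0.113.10,tcp/443,Allow,Yes
fw-dc1-edge,43,10.0.0.0/8,203.0.113.11,tcp/22,Allow,No
Branch Office FW,7,192.168.1.0/24,any,any,Allow,Yes
"""


def parse_notification(message: str) -> Optional[Dict[str, str]]:
    """Extract rule number and firewall name from a change-tracking notification.

    Returns None for any other message, so a hook can route only the relevant ones.
    """
    m = NOTIFICATION_RE.match(message.strip())
    if not m:
        return None
    return {"rule": m.group("rule"), "firewall": m.group("firewall").strip()}


def rules_marked_for_review(csv_text: str) -> List[Dict[str, str]]:
    """Rows of an Access Rules Review export whose last column (For Review) is set."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if not reader.fieldnames:
        return []
    flag_column = reader.fieldnames[-1]   # documented: For Review is the last column
    truthy = {"yes", "true", "1", "x"}    # assumed encodings of a set flag
    return [row for row in reader
            if (row.get(flag_column) or "").strip().lower() in truthy]


def reviewed_rules_with_changes(notifications: Iterable[str],
                                csv_text: str) -> List[Dict[str, str]]:
    """Notifications that concern a rule marked For Review in the export.

    Assumes the export carries "Firewall" and "Rule Number" columns.
    """
    flagged = {(row["Firewall"], row["Rule Number"])
               for row in rules_marked_for_review(csv_text)}
    hits = []
    for message in notifications:
        parsed = parse_notification(message)
        if parsed and (parsed["firewall"], parsed["rule"]) in flagged:
            hits.append(parsed)
    return hits


if __name__ == "__main__":
    for hit in reviewed_rules_with_changes(SAMPLE_NOTIFICATIONS, SAMPLE_EXPORT_CSV):
        print(f"rule {hit['rule']} on {hit['firewall']} is marked For Review and changed")
```

Because, as the note above says, no notification is produced when a Cisco rule without a GUID is deleted, a cross-check of the export against the previous export (rules that were flagged and are now missing) is the complementary detection for that case.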

Skybox Vulnerability Control

Custom business attributes for Vulnerability Definitions

Business attributes are business information about Vulnerability Definitions that can be stored with the Vulnerability Definition in the model. This information can be used to provide additional business context for the Vulnerability Definitions, and for integration with other systems; the additional information can be cross-referenced by the other system.

Admins create business attributes in Tools > Options > Server Options > Business Attributes > Vulnerability Definitions. Once an attribute is defined, it can be displayed as a column in tables where Vulnerability Definitions are shown (right-click in the header row of the table, select Customize Current View and then select the desired column).