About Policy Analyzer and Optimizer

Cisco Secure Firewall Threat Defense devices with extensive access control policies, especially those generated through the firewall migration process, may accumulate numerous duplicate or shadowed rules. Such bloated, unoptimized rulesets can consume excessive device memory, delay rule loading, and lengthen rule search times, resulting in inefficient security policy enforcement, reduced network throughput, and longer deployments.

To deal with such situations, Cisco Defense Orchestrator (CDO) provides Policy Analyzer and Optimizer. It is an intelligent cloud service that analyzes security policies, detects anomalies, and recommends remediations that can be applied to optimize the policies, thereby improving firewall performance. Policy Analyzer and Optimizer can analyze policies both in the cloud-delivered Firewall Management Center and in On-Prem Firewall Management Centers that are onboarded to CDO. In addition, this feature can:

  • provide comprehensive visualization of policy health information, including an analysis overview and policy insights based on aggregate hit counts.

  • analyze policies on a regular schedule or on demand.

  • detect rule anomalies, such as duplicate rules, object overlap in rules, and expired rules.
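To make those anomaly classes concrete, here is an added Python example (not CDO's or Cisco's code) that checks a constructed, first-match-wins access control rule list for the same four conditions: exact duplicates, rules shadowed by an earlier rule that matches everything they match, partially overlapping rules, and rules past their expiry date. The `Rule` fields, the CIDR/port match model and the sample rules are assumptions made for the example; the real service operates on management center policy objects, not on this simplified model.

```python
# Added example (not Cisco's or CDO's code): a simplified access-control
# rule anomaly checker for the anomaly classes named in the text. The Rule
# model, helper names and sample rules are constructed for illustration.
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import Dict, FrozenSet, List, Optional

ANY_PORT: FrozenSet[int] = frozenset()  # empty set means "any destination port"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                   # source network, CIDR notation
    dst: str                   # destination network, CIDR notation
    ports: FrozenSet[int]      # destination ports; ANY_PORT = any
    action: str                # "allow" or "deny"
    expires: Optional[date] = None  # None = never expires


def _covers_net(a: str, b: str) -> bool:
    """True when network a contains every address of network b."""
    na, nb = ip_network(a, strict=False), ip_network(b, strict=False)
    return na.version == nb.version and na.supernet_of(nb)


def _overlaps_net(a: str, b: str) -> bool:
    """True when networks a and b share at least one address."""
    na, nb = ip_network(a, strict=False), ip_network(b, strict=False)
    return na.version == nb.version and na.overlaps(nb)


def _covers_ports(a: FrozenSet[int], b: FrozenSet[int]) -> bool:
    return a == ANY_PORT or (b != ANY_PORT and b <= a)


def _overlaps_ports(a: FrozenSet[int], b: FrozenSet[int]) -> bool:
    return a == ANY_PORT or b == ANY_PORT or bool(a & b)


def same_match(a: Rule, b: Rule) -> bool:
    """Identical match criteria (networks compared as objects, not strings)."""
    return (ip_network(a.src, strict=False) == ip_network(b.src, strict=False)
            and ip_network(a.dst, strict=False) == ip_network(b.dst, strict=False)
            and a.ports == b.ports)


def covers(a: Rule, b: Rule) -> bool:
    """Every packet matching b also matches a, so b is unreachable after a."""
    return (_covers_net(a.src, b.src) and _covers_net(a.dst, b.dst)
            and _covers_ports(a.ports, b.ports))


def overlaps(a: Rule, b: Rule) -> bool:
    """Some packet matches both a and b."""
    return (_overlaps_net(a.src, b.src) and _overlaps_net(a.dst, b.dst)
            and _overlaps_ports(a.ports, b.ports))


def analyze(rules: List[Rule], today: date) -> Dict[str, list]:
    """Walk an ordered (first match wins) rule list and report anomalies."""
    findings: Dict[str, list] = {"duplicate": [], "shadowed": [],
                                 "overlap": [], "expired": []}
    for i, later in enumerate(rules):
        if later.expires is not None and later.expires < today:
            findings["expired"].append(later.name)
        for earlier in rules[:i]:
            pair = (earlier.name, later.name)
            if same_match(earlier, later) and earlier.action == later.action:
                findings["duplicate"].append(pair)   # same match, same effect
            elif covers(earlier, later):
                findings["shadowed"].append(pair)    # later rule never matches
            elif overlaps(earlier, later):
                findings["overlap"].append(pair)     # partial overlap: review order
    return findings


# Constructed sample policy (addresses and names are illustrative only).
SAMPLE_RULES = [
    Rule("allow-web", "10.0.0.0/8", "192.168.1.10/32", frozenset({80, 443}), "allow"),
    Rule("allow-web-dup", "10.0.0.0/8", "192.168.1.10/32", frozenset({80, 443}), "allow"),
    Rule("allow-https-hr", "10.1.0.0/16", "192.168.1.10/32", frozenset({443}), "allow"),
    Rule("deny-db", "10.0.0.0/8", "192.168.2.0/24", frozenset({3306}), "deny",
         expires=date(2020, 1, 1)),
    Rule("allow-db-admin", "10.2.0.0/16", "192.168.2.5/32", frozenset({3306, 22}), "allow"),
]


def sample_findings() -> Dict[str, list]:
    return analyze(SAMPLE_RULES, today=date(2024, 6, 1))


if __name__ == "__main__":
    for kind, items in sample_findings().items():
        print(f"{kind}: {items}")
```

The ordering of the checks matters: a rule with identical criteria but a different action is not a duplicate, it is fully shadowed, so it falls through to the `covers` branch; partial overlaps are only reported when neither rule completely covers the other, which is the case where rule order decides behaviour and objects should be reviewed.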

Analysis Summary

Note that, for the administrator's convenience, Policy Analyzer and Optimizer can be launched from CDO's Services page, from Insights > Policy Analyzer and Optimizer in the left pane, and from the on-prem management center's Access Control policies page.