A Unified Security Policy (USP) requires network zones to be defined and populated with all relevant networks.
This is done in SecureTrack via Menu > Network > Zones. Only zones defined here can be used in a USP configuration.

There are some pre-defined zones:

  • Internet
    This zone includes all public IP addresses that are not assigned to any other zone
  • Unassociated Networks
    This zone includes all private IP addresses (RFC 1918) that are not assigned to any other zone
  • Users Networks
    This zone includes all networks that users connect to (e.g. as used by Check Point Identity Awareness)

Based on the interface information of the devices, interfaces are assigned to zones automatically, with the exception of the Internet zone.

Tufin SecureChange calculates "Risk" in Access Requests in the classic way, while SecureTrack calculates "Violations" using a specific configuration that can be adapted.
To modify the interface-to-zone assignments, go to the USP list, i.e. Menu > Audit > Compliance > Unified Security Policy. Select the USP whose Interface - Zone relationship you want to modify and press the "Preferences" button. A window opens in which you can adjust the assignments manually.

In this example, the interface "pppoe2" has no associated zone, even though (in real life) the Internet is connected to this interface. To configure this, select the interface, press the "Edit" button at the top right, and choose the zone that shall be associated with this interface.

After doing so, the configuration is applied by pressing the "save" button.

From now on, "violation" calculations take this configuration and zone association into account.
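To make the zone rules above concrete, here is an added example (not Tufin code and not using any SecureTrack API) that models the documented precedence: an explicitly defined zone wins, remaining RFC 1918 space falls into "Unassociated Networks", everything else is "Internet", and the Internet zone is never assigned to an interface automatically. The zone CIDRs and the interface table are constructed sample data; the function names are assumptions of this example.

```python
import ipaddress

# Constructed sample of user-defined zones (CIDR -> zone name), as one would
# define them under Menu > Network > Zones. Not real data from any device.
DEFINED_ZONES = {
    "10.1.0.0/16": "Office-LAN",
    "10.2.0.0/16": "Datacenter",
    "203.0.113.0/24": "DMZ-Public",
}

# RFC 1918 ranges: private addresses matching no defined zone are
# "Unassociated Networks"; any other address is "Internet".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def resolve_zone(ip):
    """Return the zone of a single address following the precedence described
    in the text. If defined zones overlap, the longest prefix wins."""
    addr = ipaddress.ip_address(ip)
    matches = [(ipaddress.ip_network(cidr), name)
               for cidr, name in DEFINED_ZONES.items()
               if addr in ipaddress.ip_network(cidr)]
    if matches:
        return max(matches, key=lambda m: m[0].prefixlen)[1]
    if any(addr in net for net in RFC1918):
        return "Unassociated Networks"
    return "Internet"

# Constructed interface table: interface name -> address configured on it.
INTERFACES = {
    "eth1": "10.1.0.1/24",
    "eth2": "10.2.0.1/24",
    "eth3": "192.168.50.1/24",
    "pppoe2": "198.51.100.7/32",   # Internet uplink, like "pppoe2" in the text
}

def auto_allocate(interfaces):
    """Model the automatic interface-to-zone allocation: derive the zone from
    the interface address, but never assign "Internet" automatically, leaving
    such interfaces unmapped (None) for manual configuration under Preferences."""
    mapping = {}
    for name, ip_prefix in interfaces.items():
        zone = resolve_zone(ip_prefix.split("/")[0])
        mapping[name] = None if zone == "Internet" else zone
    return mapping

def unmapped_interfaces(mapping):
    """List interfaces still without a zone; these need a manual mapping
    and a documented change, since they affect violation calculations."""
    return sorted(name for name, zone in mapping.items() if zone is None)
```

Running `unmapped_interfaces(auto_allocate(INTERFACES))` on the sample data yields `["pppoe2"]`, the same situation the screenshot description above refers to.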

Please note: be sure to document all changes made this way thoroughly!
The SecureTrack Audit Trail shows only this message: "Unified security policy configuration - Modify - Device - FWGW-Office - Modify was done by MeAdmin on interface/zone mapping for device FWGW-Office".

Changes made here have a direct impact on "violations", so every configuration change needs to be documented well.
"Violations" are recalculated whenever a new revision arrives in SecureTrack, a USP is changed, or the Topology (Interactive Map) is synchronized.