Wireframe In Progress

Gaps → Change Request

Round 1 · Created 2026-05-23 · Section: Decide · Product: Ultra v1 (conceptual) · Desktop
Decide / Gaps / gap-241 · server → dmz · TCP/3306 · Critical · risk 0.92
Workflow
Detect · gap surfaced 3h ago · auto
Auto-generate · CR drafted 3h ago · CR-186
Review · approval awaiting G.F + sec
Implement · push to device queued · core-fw-01
Verify · post-push audit queued · 4 checks
Gaps
7 open
All 7 · Crit 2 · High 2 · Med 3
Crit · server → dmz · TCP/3306 · missing · gap-241 · 3h · 0.92
Crit · user → server · TCP/22 · excessive · gap-232 · 1d · 0.84
High · iot → server · UDP/161 · shadowed · gap-228 · 2d · 0.71
High · vpn → admin · conflicting · gap-218 · 3d · 0.68
Med · dmz → wan · excessive egress · gap-204 · 5d · 0.51
Med · admin → vpn · missing ICMP · gap-188 · 6d · 0.42
Med · user → vpn · orphan rule · gap-174 · 8d · 0.38
Bulk: select gaps to generate one CR for all
Gap · gap-241 · auto-detected

Server zone allows MySQL from DMZ

Severity · critical
Type · missing-deny
From · DMZ (trust 25)
To · SERVER (trust 75)
Protocol · TCP/3306
GNN risk · 0.92

Evidence · why this is a gap

graph traversal · 3 hops
# Modeled policy says SERVER zone forbids inbound from DMZ except :443
zone SERVER inbound-policy:
  allow from DMZ → port 443
  deny  from DMZ → port *                                   # ← intent

# Discovered firewall rule on core-fw-01 says otherwise
core-fw-01 rule 142:
  allow src 10.10.0.0/24 (DMZ) dst 10.20.20.8 (db-svr-01, SERVER zone) proto tcp/3306   # ← violation

# GNN risk model flagged this edge at 0.92
# reasons: high trust delta (50), sensitive protocol (db),
#          exposed surface (3 DMZ hosts), no MFA, no rate limit.

Proposed change · CR-186 (auto-generated)

core-fw-01 · 1 rule modify
140 allow tcp from 10.10.0.0/24 to 10.20.10.0/24 port 443
141 allow tcp from 10.10.0.0/24 to 10.20.10.0/24 port 80
142 allow tcp from 10.10.0.0/24 to 10.20.20.8 port 3306
142+ deny tcp from 10.10.0.0/24 to 10.20.20.0/24 port 3306 log
143 deny ip from 10.10.0.0/24 to 10.20.0.0/16

Impact

risk score · GNN PolicyGAT v4
Before 0.92 critical · top driver: db exposure
After (simulated) 0.14 low · violation removed · audit log added

Affected devices

1 device · 1 rule modify
core-fw-01 · 10.20.0.1 · cisco asa · rule 142 · modify
db-svr-01 (target) · 10.20.20.8 · protected
CR · summary
id · CR-186
status · Pending
addresses · gap-241
type · rule modify
devices · 1
est duration · 4 min
risk Δ · −0.78
rollback · yes · pre-image saved
Approvals
G. Felice · analyst · author · Approved
S. Park · CISO · required · Pending
M. Bohra · ops · informed · FYI sent
Verification plan
Re-poll core-fw-01 config · confirm rule 142 = deny
Probe TCP/3306 from DMZ host · expect connect refused
Re-run gap analysis · gap-241 should disappear
Re-score with GNN · target risk ≤ 0.20
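A worked check for the evidence, proposed-change and verification sections above, added here and not part of the Decide product or this mockup: it derives the missing-deny gap by comparing the intended SERVER inbound policy against the discovered core-fw-01 rules, applies a CR-186 style modify of rule 142, and runs the plan's probe under first-match evaluation. The zone ranges, the probe host 10.10.0.5 and the rule representation are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Zone membership and intended inbound policy, constructed from the mockup.
ZONES = {"DMZ": ip_network("10.10.0.0/24"), "SERVER": ip_network("10.20.20.0/24")}
INTENT = {("DMZ", "SERVER"): {("tcp", 443)}}   # SERVER accepts DMZ only on :443

def rule(rid, action, proto, src, dst, port):
    return {"id": rid, "action": action, "proto": proto,
            "src": ip_network(src), "dst": ip_network(dst), "port": port}

# Discovered core-fw-01 rules, as listed in the "Proposed change" view.
DISCOVERED = [
    rule(140, "allow", "tcp", "10.10.0.0/24", "10.20.10.0/24", 443),
    rule(141, "allow", "tcp", "10.10.0.0/24", "10.20.10.0/24", 80),
    rule(142, "allow", "tcp", "10.10.0.0/24", "10.20.20.8/32", 3306),
    rule(143, "deny",  "ip",  "10.10.0.0/24", "10.20.0.0/16",  "*"),
]

def zone_of(addr):
    return next((z for z, net in ZONES.items() if ip_address(addr) in net), None)

def first_match(rules, src, dst, proto, port):
    """Evaluate the ordered ACL the way the firewall does: first hit wins."""
    for r in rules:
        if (ip_address(src) in r["src"] and ip_address(dst) in r["dst"]
                and r["proto"] in (proto, "ip") and r["port"] in (port, "*")):
            return r["action"]
    return "deny"                      # implicit deny at the end of the list

def find_gaps(rules):
    """Missing-deny gap: an allow whose zone pair has an intent, but not for this port."""
    gaps = []
    for r in rules:
        pair = (zone_of(r["src"].network_address), zone_of(r["dst"].network_address))
        if (r["action"] == "allow" and pair in INTENT
                and (r["proto"], r["port"]) not in INTENT[pair]):
            gaps.append(r["id"])
    return gaps

def apply_cr(rules, rule_id):
    """CR-186 style remediation: rewrite the offending allow as a logged zone-wide deny.
    Appending a deny *after* the allow would not close the gap: first match already allowed."""
    return [dict(r, action="deny", dst=ZONES["SERVER"], log=True) if r["id"] == rule_id else r
            for r in rules]

def verify(rules):
    """Post-push checks from the verification plan: probe refused and gap no longer found."""
    refused = first_match(rules, "10.10.0.5", "10.20.20.8", "tcp", 3306) == "deny"
    return refused and not find_gaps(rules)

if __name__ == "__main__":
    print("gaps before:", find_gaps(DISCOVERED))                     # [142]
    print("verified after CR:", verify(apply_cr(DISCOVERED, 142)))  # True
```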
Audit trail
3h ago · gap-241 detected · SYS
3h ago · CR-186 drafted · SYS
2h ago · author approved · G.F
2h ago · S. Park notified · SYS
30m ago · risk simulated · SYS
(pending) · CISO review
(pending) · push to core-fw-01
(pending) · verify · 4 checks
(pending) · close gap-241