The Policy Matrix offers a visual representation of all Policy Groups and the relationships that exist between them. It is also an interactive way to rapidly build policies between known and unknown assets and to the internet. The Policy Matrix also offers asset traffic mapping and a look into how traffic is affected by deployed and simulated policies.
You should understand Security Profiles and Policy Groups before creating policies; the separate articles on those two constructs explain them.
Building an Elisity policy is as simple as specifying the source and destination of the traffic and the desired security rules. The match criteria for source and destination are very flexible and include identity-based attributes such as Active Directory group, department, title, device type, device vendor, device model and more.
There are two ways to select your source and destination objects: using the Policy Matrix, or manually. This article covers deploying a policy with the Policy Matrix; deploying a policy manually is covered in a separate article. Keep in mind that all traffic is allowed by default until a policy explicitly denies it (the default allow rule), so a Policy Group with no deny policy is fully reachable from every other Policy Group.
The Policy Matrix
The Policy Matrix shows which policies are deployed and visualizes what traffic is and is not allowed to flow.
If you have not yet created Policy Groups, the Policy Matrix will contain only the default Policy Groups. Deploy Policy Groups (see the Policy Groups article) before using the Matrix.
1. The Policy Matrix
The Policy Matrix is a grid of cells, one at the intersection of each source and destination Policy Group. Click a cell to deploy a policy between two Policy Groups, using a pre-defined Security Profile or creating a new Security Profile as you go. Green cells indicate an "Allow All" policy, red cells a "Deny All" policy, and yellow cells a custom policy. White cells have no policy defined; because of the default allow rule, all traffic between those two Policy Groups is permitted. Arrows on some cells mark return traffic policies, which are covered later in this article.
Hovering over a source Policy Group, a destination Policy Group, or a policy cell displays information about the Policy Group or a high-level summary of the policy. Clicking a Policy Group on the edge of the Policy Matrix reveals the match criteria it uses, together with a link to view and edit the Policy Group, as shown in the animated image below.
Clicking a cell pre-fills the source and destination Policy Groups. From there you select an existing Security Profile or create a new one, choose the final policy action, optionally create a return-path policy, and deploy the policy in a few seconds. The policy creation page is described in a separate article.
2. Custom Views
1. Choose your view. View your policies in the matrix view or the list view by toggling the view button.
2. Select and manage your custom views. Here you can switch between the default view and any of your custom views, and modify or delete custom views, so all custom-view management happens in one place.
3. Create custom views of the policy matrix. For example, you may want an isolated view of a set of business units or assets, particularly if you have a large number of Policy Groups. To create a view, click the create custom view button, give the view a name, select the Policy Groups to assign to it, and click the arrows to move them.
Once you have saved a custom view, you can select it in both list view and matrix view to show only the policies associated with the Policy Groups in that view.
Within the list view, you can still view, edit, and set policies as active or simulation, depending on their current state. Click the three dots to the right of a policy to see the available actions. For return-path policies, you can only view the policy, which lets you click through to the main policy it mirrors. For active and simulated policies, more options are available, depending on context.
3. Multi-Select
Starting with Cloud Control Center 15.2, you can multi-select cells to apply the same policy across multiple Policy Groups at once. To enable it, click the Multi-select button in the top right corner of the Policy Matrix. In Multi-Select mode you can select several cells at once in three ways:
- Click a column or row header to highlight the entire column or row
- Shift+click to select individual cells
- Click and drag the mouse over cells to select a block
For example, suppose you want devices in the Unassigned Policy Group to have no connectivity to devices in any other Policy Group. Enter Multi-Select mode and click the Unassigned row as the source; the entire row highlights.
Some cells are greyed out automatically. These are cells that already have a policy assigned, or that would receive a return-path policy from another selected cell, and they cannot be changed through Multi-select. Such cells keep their existing policy, so review them separately if they also need to change.
After the cells have been selected, click the + Create Policies button at the top left of the matrix and define the policy as usual. Once created, the matrix updates to show the policy in every selected cell.
4. Filters and Traffic Flow View
Filters are available in both matrix view and list view.
In list view, four buttons provide view customization, refresh, and policy download.
In matrix view, the same filtering is available, plus a "Show Traffic Flow" button. The Traffic Flow view shows where traffic has been observed in the network, whether that traffic was allowed or blocked, and whether a policy is in place for that cell.
In this view, clicking a cell with observed traffic opens detailed traffic analytics for that pair of Policy Groups, and from there you can create a policy based on what you see. This is very useful for deploying policy quickly from real-world traffic flows.
You can filter traffic flows to the last hour, the last 24 hours, the last 7 days, or the last 28 days. Shortly after deploying new Policy Groups or a new policy, filter to the most recent flows for an accurate picture of how devices in the Policy Group interact with the rest of the network and how the policy change affected those flows. A longer window such as 28 days shows the normal long-term traffic behavior of established Policy Groups, which simplifies policy decisions; bear in mind that a short window can miss infrequent but legitimate flows.
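The following is an added illustrative model of the matrix semantics described in the Multi-Select and Traffic Flow sections above; it is example code written for this article, not Elisity code or the Cloud Control Center API. The Policy Group names, the Security Profile names and the port-set representation of a profile are assumptions made for the example; it shows the default allow rule for white cells, return-path policies that never overwrite an existing cell, multi-select greying out cells that already hold a policy, and the difference between an active and a simulated policy when classifying observed flows.

```python
from dataclasses import dataclass, field

# Constructed Security Profiles (assumption, not from the article): a profile maps
# to the set of destination ports it permits; None means every port.
PROFILES = {
    "Allow All": None,                      # green cell
    "Deny All": frozenset(),                # red cell
    "Printing": frozenset({631, 9100}),     # custom profile -> yellow cell
}


@dataclass
class Policy:
    profile: str
    state: str = "active"        # "active" or "simulation"
    return_path: bool = False    # True for the auto-created reverse-direction policy (arrow)


@dataclass
class PolicyMatrix:
    groups: list
    cells: dict = field(default_factory=dict)   # (src_group, dst_group) -> Policy

    def color(self, src, dst):
        p = self.cells.get((src, dst))
        if p is None:
            return "white"       # no policy: traffic permitted by the default allow rule
        return {"Allow All": "green", "Deny All": "red"}.get(p.profile, "yellow")

    def deploy(self, src, dst, profile, state="active", return_path=False):
        if profile not in PROFILES:
            raise ValueError(f"unknown security profile {profile!r}")
        self.cells[(src, dst)] = Policy(profile, state)
        # Return-path policy: same profile in the reverse direction, but never
        # overwrite a policy that already exists in that cell.
        if return_path and (dst, src) not in self.cells:
            self.cells[(dst, src)] = Policy(profile, state, return_path=True)

    def select_row(self, src):
        """Multi-select a whole source row; cells that already hold a policy are greyed out."""
        return [(src, dst) for dst in self.groups if (src, dst) not in self.cells]

    def deploy_many(self, selection, profile, state="active", return_path=False):
        for src, dst in selection:
            self.deploy(src, dst, profile, state, return_path)

    def is_allowed(self, src, dst, port, mode="active"):
        """Evaluate one flow. mode="active" enforces deployed policies only;
        mode="simulation" shows what would happen if simulated policies were active."""
        p = self.cells.get((src, dst))
        if p is None or (p.state == "simulation" and mode == "active"):
            return True          # default allow rule
        allowed = PROFILES[p.profile]
        return allowed is None or port in allowed

    def traffic_flow_view(self, flows):
        """Classify observed flows the way the Traffic Flow view does: is a policy in
        place for the cell, was the flow allowed, and would a simulated policy change that."""
        return [
            {
                "cell": (src, dst),
                "policy": self.color(src, dst) != "white",
                "allowed": self.is_allowed(src, dst, port),
                "allowed_if_simulated": self.is_allowed(src, dst, port, mode="simulation"),
            }
            for src, dst, port in flows
        ]


def build_example_matrix():
    """Constructed scenario: isolate the Unassigned group via multi-select."""
    m = PolicyMatrix(["Unassigned", "Workstations", "Cameras", "Printers", "Servers"])
    m.deploy("Unassigned", "Printers", "Printing")                 # existing custom policy
    m.deploy("Cameras", "Servers", "Deny All", state="simulation")  # simulated, not enforced
    selection = m.select_row("Unassigned")   # (Unassigned, Printers) is greyed out and skipped
    m.deploy_many(selection, "Deny All", return_path=True)
    return m


# Constructed sample flows (group, group, destination port), as the Traffic Flow view would show them.
SAMPLE_FLOWS = [
    ("Workstations", "Servers", 443),   # white cell: allowed by default
    ("Unassigned", "Servers", 443),     # Deny All from multi-select: blocked
    ("Cameras", "Servers", 443),        # simulated Deny All: allowed today, blocked if activated
    ("Unassigned", "Printers", 22),     # custom Printing profile: SSH not permitted
]

if __name__ == "__main__":
    matrix = build_example_matrix()
    for row in matrix.traffic_flow_view(SAMPLE_FLOWS):
        print(row)
```

Running the block prints one classification per sample flow; the Cameras to Servers row is the case to watch for, since it is allowed in active mode while the simulated policy would block it, which is exactly the comparison the Traffic Flow view lets you make before promoting a simulated policy to active.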
5. Side Bar Buttons
Appearance Settings - toggle between the colorized policy matrix view and a black and white view.
Zoom - zoom in and out on the policy matrix without affecting page zoom.
Fullscreen Mode - view the Policy Matrix in full screen.
Legend Button - toggle the policy matrix legend. Click "Take a Tour" for an interactive guide to the Policy Matrix.