The Policy Matrix offers a visual representation of all Policy Groups and the relationships that exist between them. It is also an interactive way to rapidly build policies between known and unknown assets and to the internet. The Policy Matrix also offers asset traffic mapping and a look into how traffic is affected by deployed and simulated policies.
Overview
You should have an understanding of Security Profiles and Policy Groups before creating policies. Click on the links below to learn about these policy constructs.
Building an Elisity policy is as simple as specifying the source and destination of the traffic as well as the desired security rules. The match criteria for source and destination are very flexible and include identity-based attributes such as Active Directory group, Department, Title, device type, device vendor, device model and much more.
There are a couple of ways to select your source and destination objects: using the Policy Matrix, or manually. This article covers deploying a policy using the Policy Matrix. For manually deploying a policy, see this article. As a reminder, all access is allowed by default until a policy explicitly denies it (default allow rule).
The Policy Matrix
The Policy Matrix is used to show what policies are deployed and give a visualization of the type of traffic that is or is not allowed to flow.
If you have not yet created Policy Groups, your Policy Matrix will be empty with only the default Policy Groups. Deploy Policy Groups by following this article before using the Matrix.
1. The Policy Matrix
The Policy Matrix is simply a structure of cells at the intersection of each Policy Group. You can click on the cells to deploy a policy between two Policy Groups very rapidly, using pre-defined Security Profiles or creating new Security Profiles as you go. GREEN cells indicate an "Allow All" policy, RED cells indicate a "Deny All" policy, and BLUE cells (previously yellow) indicate a custom policy. White cells have no policy defined, and allow all traffic by default. You may also notice arrows on some cells - these arrows indicate that this is a return traffic policy. We will get into that later in the article.
Hovering over a source Policy Group, destination Policy Group, or policy cell will display information about the Policy Group or a high-level summary of the policy. Clicking on a Policy Group surrounding the Policy Matrix will reveal additional information about the match criteria being used, as well as a link to view and edit the Policy Group.
Clicking on a cell will pre-fill the source and destination Policy Groups. You can then select an existing Security Profile or create a new one, choose your final policy action, choose whether to create a return path policy, and deploy the policy in just a few seconds. To better understand the policy creation page, view this article.
2. Custom Views
1. Choose your view. View your policies in the matrix view or the list view by toggling the view button.
2. Select and manage your custom views. Here you can select between the default view or any of your custom views. You can also modify and delete custom views, giving you the ability to manage and select your custom views all from one place.
3. Create custom views of the policy matrix. For example, you may want to have an isolated view of a set of business units or assets, particularly if you have a large number of policy groups. To create a view, click the create custom view button, give your custom view a name, select the policy groups that you would like to be assigned to this view, and click the arrows to move them.
Once you have saved a custom view, you can select it in both list view and matrix view to view only policies associated with the Policy Groups in your custom view.
Within the table view, you can still view, edit, and set policies as active or simulation (depending on the current state). Simply click on the three dots to the right of the policy to view what actions are available. For Return-Path Policies, you can only view the policy, which will allow you to then click through to the main policy. For Active and Simulated policies, more options are available to the user that are context dependent.
3. Multi-select
Starting with Cloud Control Center 15.2, you can multi-select cells in order to apply the same policy across and between multiple Policy Groups rapidly. To enable multi-select, click Multi-select at the top right corner of the Policy Matrix. Once you are in Multi-Select mode, you have several options to select multiple cells at once:
- Click a column or row to highlight the entire column or row
- Shift+click and individually select each cell
- Click and drag mouse over cells to select multiple
For example, let's say you want devices in the Unassigned Policy Group to have no connectivity to devices in all other Policy Groups. Simply enter Multi-Select mode, and then click the Unassigned row as the source and witness how the entire row highlights.
Note how some squares are greyed out automatically. These are Policy Groups that already have policies assigned to them or will be assigned a return policy and cannot be changed via Multi-select.
After the cells have been selected, click the + Create Policies button to the top left of the matrix and define your policy as usual. Once created, the matrix will update to reflect the policies assigned to all multi-selected Policy Group cells.
4. Traffic Flow View and Custom Filters
In matrix view, you will see the "Show Traffic Flow" button as previously shown in the dashboard overview. Traffic Flow view allows you to see where traffic has been observed in the network, whether that traffic was allowed or blocked, and if there is a policy in place.
The Traffic Flow Details view, as seen in the image below, provides an overview of network traffic between the example source group IT_Computers_Laptops and the destination group IT_Misc. The key data points available in this view include:
- Protocol: Lists the protocol used for communication (e.g., UDP, TCP, FTP, SMTP).
- Action: Indicates whether traffic is allowed or denied by policy.
- Service: Shows the service or application being used (e.g., ldap, ms-do, Unknown).
- Policy Status: Displays the policy state, which can be Active, Simulated, or No Policy.
- Traffic Flow %: Represents the percentage of total traffic contributed by the particular protocol or service.
- No. of Bytes: The amount of data (in megabytes) transferred for each protocol.
- Destination: The specific destination address or port number.
For example, UDP traffic is denied with 98.5% traffic flow and 2.94 MB of data, while TCP (ldap) is allowed with 25.41% traffic flow and 23.25 MB transferred.
This view helps identify how policies are impacting traffic between specific groups, enabling easy policy updates and traffic analysis.
Users can also filter traffic flows to see the last hour, the last 24 hours, the last 7 days, or the last 28 days. The ability to filter traffic flows means that shortly after deploying new Policy Groups or implementing a new policy, administrators can filter down to the most recent traffic flows to get an accurate representation of how the devices in the Policy Group are interacting with the rest of the network, and how a policy change could have affected those traffic flows. Filtering for a longer period like 28 days gives admins a good idea of normal long-term traffic behaviors for established Policy Groups, simplifying policy decisions.
In the Traffic Flow Details view, users have the ability to create custom filters to refine the displayed data. This functionality allows for better visibility into specific traffic patterns or policies by narrowing down the results based on various parameters. The General Filter section provides several options to filter traffic, including:
- Protocol: Filter traffic based on the communication protocol (e.g., TCP, UDP).
- Status: Select to view traffic with either Allow or Deny actions applied.
- Service: Filter by the specific service being used in the communication (e.g., ldap, ms-do).
- Traffic Flow %: Filter based on the percentage of traffic flow.
- No. of Bytes: Refine data by the amount of data (in bytes) transferred.
- Destination Port: Specify a port number to filter traffic targeting that port.
Users can select an operator, such as "contains," "equals," or "greater than," to apply precise logic to each filter. Once configured, the filter can be applied instantly to the traffic flow view for real-time analysis. Additionally, there is an option to save filters, allowing users to quickly reapply frequently used filtering criteria without manually reconfiguring them each time.
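As an added illustration (not Elisity code and not an Elisity export format), the sketch below models this filter logic on constructed flow records and uses it to list traffic that passes only because of the default allow rule. The `Flow` record, the function names and the assumption that layered filters combine with AND are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:  # hypothetical record; fields mirror the Traffic Flow Details columns
    protocol: str
    action: str         # "Allow" or "Deny"
    service: str
    policy_status: str  # "Active", "Simulated" or "No Policy"
    flow_pct: float
    num_bytes: int
    dest_port: int

def _equals(value, arg):
    # Numbers compare numerically, text compares case-insensitively.
    if isinstance(value, (int, float)):
        return float(value) == float(arg)
    return value.lower() == str(arg).lower()

# The three operators the article names.
OPERATORS = {
    "contains": lambda value, arg: str(arg).lower() in str(value).lower(),
    "equals": _equals,
    "greater than": lambda value, arg: float(value) > float(arg),
}

def apply_filters(flows, filters):
    """Keep flows that satisfy every (field, operator, value) filter (assumed AND)."""
    return [f for f in flows
            if all(OPERATORS[op](getattr(f, field), arg) for field, op, arg in filters)]

def default_allowed(flows):
    """Flows permitted only by the default allow rule, largest first."""
    hits = apply_filters(flows, [("policy_status", "equals", "No Policy"),
                                 ("action", "equals", "Allow")])
    return sorted(hits, key=lambda f: f.num_bytes, reverse=True)

# Constructed sample data, not real traffic.
SAMPLE_FLOWS = [
    Flow("TCP", "Allow", "ldap", "Active", 40.0, 23_000_000, 389),
    Flow("TCP", "Allow", "ms-do", "No Policy", 35.0, 18_000_000, 7680),
    Flow("UDP", "Deny", "Unknown", "Simulated", 5.0, 900_000, 5353),
    Flow("UDP", "Allow", "Unknown", "No Policy", 20.0, 4_000_000, 1900),
]

if __name__ == "__main__":
    for f in default_allowed(SAMPLE_FLOWS):
        print(f.protocol, f.service, f.dest_port, f.num_bytes)
```

Flows returned by `default_allowed` are the ones a new Deny policy on that cell would start blocking, so they are worth reviewing before a white cell is changed.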
Custom Filters
Custom filters can be created and saved in both table view and matrix view. Both views have their own separate saved filters, offering the flexibility to have different custom filters in each view that leverage the different criteria available.
In table view, four buttons appear that provide view customization options, refresh, and policy download functionality.
Table view offers more columns with data not available in the matrix view for filtering down to specific policies. Some of the column filter options can be seen in the screenshot below.
In Matrix view, the policy matrix can be filtered to show select sources, destinations, and even selected Security Profiles. These filters can be saved and loaded at any time with just a couple of clicks.
To create or load a custom filter in the matrix view, click the filters button in the top right of the Policy Matrix.
Select your Search Type and select the appropriate values.
You can layer multiple filters to create granular, multifaceted filters to narrow down the matrix view to only the data that you need.
To load a filter, go to saved filters and select a previously created filter.
5. Sidebar Navigation and Legend Overview in the Policy Matrix
- Refresh: Reloads the Policy Matrix to reflect any updates to policies, traffic, or configurations without leaving the view.
- Reveal More Characters: Expands truncated Policy Group or service names, allowing full visibility of names and details within the matrix.
- Accessible View: Removes color coding from the Policy Matrix and replaces it with patterns, improving readability for users with colorblindness.
- Zoom In: Magnifies the Policy Matrix for a closer view of policy intersections.
- Zoom Out: Reduces the zoom level to provide a broader overview of the Policy Matrix.
- Full Screen: Expands the Policy Matrix to occupy the entire screen, maximizing workspace for policy management.
- Info: Opens the matrix legend, providing explanations for the various color codes and icons used in the Policy Matrix, including:
  - Default Policy: White
  - Deny All: Red
  - Allow All: Green
  - Custom Policy: Light Blue
  - Return Path Policy: Light Blue with a return arrow icon
  - Simulation: Light Blue with a dot
  - Disabled: Gray
These tools and the legend enhance the user experience by improving navigation, visibility, and understanding of the different policy statuses within the Elisity Cloud Control Center.