Policy Matrix

The Policy Matrix offers a visual representation of all Policy Groups and the policies that exist between them. It is also an interactive way to rapidly build policies between known and unknown assets and to the internet.  The Policy Matrix also offers asset traffic mapping and a look into how traffic is affected by deployed and simulated policies. 

 

You should have an understanding of Security Profiles and Policy Groups before creating policies. Click on the links below to learn about these policy constructs. 

Security Profiles

Policy Groups

Building an Elisity policy is as simple as specifying the source and destination of the traffic as well as the desired security rules. The match criteria for source and destination are very flexible and include identity-based attributes such as Active Directory group, Department, Title, device type, device vendor, device model and much more.

There are a couple of ways to select your source and destination objects: using the Policy Matrix, or manually. This article covers deploying a policy using the Policy Matrix. For manually deploying a policy, see this article. As a reminder, all access is allowed by default until a policy explicitly denies it (default allow rule). 

 

The Policy Matrix

The Policy Matrix is used to show what policies are deployed and give a visualization of the type of traffic that is or is not allowed to flow.

If you have not yet created Policy Groups, your Policy Matrix will be empty, with only the default Policy Groups. Deploy Policy Groups by following this article before using the Matrix.

 

1. Policy Matrix

2. Custom Views

3. Multiselect

4. Custom Filters

5. Tool Bar and Traffic Flow View

6. Policy Set Selection

 

1. The Policy Matrix

The Policy Matrix is simply a structure of cells at the intersection of each Policy Group. You can click on the cells to deploy a policy between two Policy Groups very rapidly, using pre-defined Security Profiles or creating new Security Profiles as you go. GREEN cells indicate an "Allow All" policy, RED cells indicate a "Deny All" policy, and BLUE cells (previously yellow) indicate a custom policy. White cells have no policy defined, and allow all traffic by default. You may also notice arrows on some cells - these arrows indicate that this is a return traffic policy. We will get into that later in the article. 

Hovering over a source Policy Group, Destination Policy Group, or Policy cell will display information about the Policy Group or a high-level summary of the policy. Clicking on a Policy Group surrounding the Policy Matrix will reveal additional information about the match criteria being used, as well as a link to view and edit the Policy Group.

Clicking on a cell pre-fills the source and destination Policy Groups. You can then select an existing Security Profile or create a new one, choose your final policy action, choose whether to create a return path policy, and deploy the policy in just a few seconds. To better understand the policy creation page, view this article.

 

2. Custom Views

 

1. Choose your view. View your policies in the matrix view or the list view by toggling the view button.

2. Select and manage your custom views. Here you can select between the default view or any of your custom views. You can also modify and delete custom views, giving you the ability to manage and select your custom views all from one place.

3. Create custom views of the policy matrix. For example, you may want to have an isolated view of a set of business units or assets, particularly if you have a large number of policy groups. To create a view, click the create custom view button, give your custom view a name, select the policy groups that you would like to be assigned to this view, and click the arrows to move them.

 

Once you have saved a custom view, you can select it in both list view and matrix view to view only policies associated with the Policy Groups in your custom view.

Within the table view, you can still view, edit, and set policies as active or simulation (depending on the current state.) Simply click on the three dots to the right of the policy to view what actions are available. For Return-Path Policies, you can only view the policy, which will allow you to then click through to the main policy. For Active and Simulated policies, more options are available to the user that are context dependent. 


 

3. Multiselect

The Policy Matrix offers the ability to multi-select cells in order to apply the same policy across and between multiple Policy Groups rapidly. To enable multi-select, click Multiselect at the top right corner of the Policy Matrix. Once you are in Multi-Select mode, you have several options to select multiple cells at once:

  • Click a column or row to highlight the entire column or row
  • Shift+click and individually select each cell
  • Click and drag mouse over cells to select multiple

 

For example, let's say you want devices in the Unassigned Policy Group to have no connectivity to devices in all other Policy Groups. Simply enter Multi-Select mode, and then click the Unassigned row as the source and witness how the entire row highlights. 

Note how some squares are greyed out automatically. These are Policy Groups that already have policies assigned to them or will be assigned a return policy and cannot be changed via Multi-select. 

After the cells have been selected, click the + Create Policies button to the top left of the matrix and define your policy as usual. Once created, the matrix will update to reflect the policies assigned to all multi-selected Policy Group cells. 

 

Multiselect in Traffic Flow View

The Traffic Flow View now supports multiselect for policy deployment, making it significantly easier to manage observed traffic and quickly enforce policies in specific scenarios. This feature is particularly helpful for deploying policies where observed traffic patterns—or lack thereof—guide your decision-making process.

For example, if no traffic is observed over a defined period, such as a week or a month, and as a Network Administrator, you do not expect traffic between the given source and destination Policy Groups, you can quickly enforce a Deny All policy.

To use this feature, follow these steps:

  1. Open the Traffic Flow View and enable Multiselect from the top right.
  2. Click and drag over the cells where no traffic is observed, or individually select multiple cells using Shift+click. You can also click on a Policy Group name to select the entire row or column.
  3. Once the cells are selected, click + Create Policies and define a Deny All policy for the selected traffic flows.

This process not only enables rapid policy deployment but also allows you to make informed decisions while visualizing traffic patterns directly in the Traffic Flow View. By observing the lack of traffic and acting on it immediately, you reduce friction in scenarios that would otherwise require more manual effort to investigate and implement.

The ability to enforce Deny All policies in such cases ensures unused communication paths are secured, thereby minimizing risk and improving the overall security posture of your network.
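The selection described above can be reasoned about offline before clicking through the matrix. The following is an added example, not Elisity code and not tied to any Elisity API or export format: the record shapes, group names and the `deny_all_candidates` helper are constructed for illustration. It lists cells that have no policy (white, default allow) and no traffic observed inside the review window, skipping cells that already carry a policy or a return traffic policy.

```python
from datetime import datetime, timedelta
from itertools import product

# Constructed sample data. Record shapes are assumptions, not an Elisity export format.
POLICY_GROUPS = ["Unassigned", "Cameras", "Workstations", "Servers"]

# Cells that already have a policy: (source, destination) -> action.
EXISTING_POLICIES = {
    ("Workstations", "Servers"): "custom",
    ("Unassigned", "Servers"): "deny_all",
}
# Cells covered by a return traffic policy (arrow cells).
RETURN_PATH_CELLS = {("Servers", "Workstations")}

NOW = datetime(2025, 1, 31)
# Observed flows: (timestamp, source Policy Group, destination Policy Group).
OBSERVED_FLOWS = [
    (datetime(2025, 1, 30, 9, 0), "Cameras", "Servers"),
    (datetime(2025, 1, 29, 14, 5), "Workstations", "Servers"),
    (datetime(2024, 12, 1, 8, 0), "Cameras", "Workstations"),  # outside the window
]


def deny_all_candidates(groups, policies, return_cells, flows, now, window_days=30):
    """List (src, dst, last_seen) for white cells with no traffic inside the window."""
    cutoff = now - timedelta(days=window_days)
    last_seen = {}
    for ts, src, dst in flows:
        if (src, dst) not in last_seen or ts > last_seen[(src, dst)]:
            last_seen[(src, dst)] = ts
    candidates = []
    for cell in product(groups, repeat=2):
        if cell[0] == cell[1]:
            continue  # assumption: intra-group cells are reviewed separately
        if cell in policies or cell in return_cells:
            continue  # already has a policy; greyed out in Multiselect
        seen = last_seen.get(cell)
        if seen is not None and seen >= cutoff:
            continue  # traffic observed recently: a Deny All would break it
        candidates.append((cell[0], cell[1], seen))
    return candidates


if __name__ == "__main__":
    for src, dst, seen in deny_all_candidates(
        POLICY_GROUPS, EXISTING_POLICIES, RETURN_PATH_CELLS, OBSERVED_FLOWS, NOW
    ):
        note = f"last seen {seen:%Y-%m-%d}" if seen else "never observed"
        print(f"{src} -> {dst}: {note}")
```

Cells reported with an older last-seen date had traffic before the window opened, so they merit a closer look than cells that were never observed.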

 

4. Custom Filters

Custom filters can be created and saved in both table view and matrix view. Both views have their own separate saved filters, offering the flexibility to have different custom filters in each view that leverage the different criteria available. 

Saved Filters per Policy Set: Because each Policy Set can have its own unique subset of Policy Groups, filters are saved per Policy Set. This means that filters saved in one Policy Set will not appear in the list of saved filters for other Policy Sets.

 

In table view, four buttons provide view customization options, refresh, and policy download functionality.

Table view offers more columns with data not available in the matrix view for filtering down to specific policies. Some of the column filter options can be seen in the screenshot below.

In Matrix view, the policy matrix can be filtered to show select sources, destinations, and even selected Security Profiles. These filters can be saved and loaded at any time with just a couple of clicks. 

To create or load a custom filter in the matrix view, click the filters button in the top right of the Policy Matrix.

 

Select your Search Type and select the appropriate values. 

 

You can layer multiple filters to create granular, multifaceted filters to narrow down the matrix view to only the data that you need.

 

To load a filter, go to saved filters and select a previously created filter. 

 

5. Tool Bar and Traffic Flow View

 

  1. Refresh: Reloads the Policy Matrix to reflect any updates to policies, traffic, or configurations without leaving the view.

  2. Show Traffic Flow: Flow view allows you to see where traffic has been observed in the network, whether that traffic was allowed or blocked, and if there is a policy in place. 

    For full details about the Traffic Flow View feature in Cloud Control Center, click here.

  3. Reveal More Characters: Expands truncated Policy Group or service names, allowing full visibility of names and details within the matrix.

  4. Accessible View: Removes color coding from the Policy Matrix and replaces it with patterns, improving readability for users with colorblindness.

  5. Zoom Options: Resize the Matrix by zooming in, zooming out, or enabling full screen.

  6. Legend: Opens the matrix legend, providing explanations for the various color codes and icons used in the Policy Matrix, as seen below. Optionally, click TAKE A TOUR for a guided walkthrough of the Policy Matrix.

These tools and the legend enhance the user experience by improving navigation, visibility, and understanding of the different policy statuses.

 

6. Policy Set Selection

Policy Sets are distinct groups of network policies that can be assigned to different Virtual Edges and Virtual Edge Nodes, enabling differentiated policy for different sites or business units. You can easily choose which Policy Set is represented on the Policy Matrix by selecting the appropriate policy set from the menu directly above the Policy Matrix.

 


Active Policy Sets, meaning Policy Sets that have Virtual Edges assigned to them using a Site Label, are indicated by a green dot next to the Policy Set name. Active Policy Sets are always listed at the top. 

See the Policy Sets article for more information on creating Policy Sets and how they can be used.
