The Policy Matrix offers a visual representation of all Policy Groups and the policies that exist between them. It is also an interactive way to rapidly build policies between known and unknown assets and to the internet. The Policy Matrix also offers asset traffic mapping and a look into how traffic is affected by deployed and simulated policies.
You should have an understanding of Security Profiles and Policy Groups before creating policies.
Building an Elisity policy is as simple as specifying the source and destination of the traffic as well as the desired security rules. The match criteria for source and destination are very flexible and include identity-based attributes such as Active Directory group, Department, Title, device type, device vendor, device model and much more.
There are a couple of ways to select your source and destination objects: using the Policy Matrix, or manually. This article covers deploying a policy using the Policy Matrix. For manually deploying a policy, see Creating Policies. As a reminder, all access is allowed by default until a policy explicitly denies it (default allow rule).
The Policy Matrix
The Policy Matrix is used to show what policies are deployed and give a visualization of the type of traffic that is or is not allowed to flow.
If you have not yet created Policy Groups, your Policy Matrix will be empty, showing only the default Policy Groups. Deploy Policy Groups before using the Matrix.
The Policy Matrix is simply a structure of cells at the intersection of each Policy Group. You can click on the cells to deploy a policy between two Policy Groups very rapidly, using pre-defined Security Profiles or creating new Security Profiles as you go. Green cells indicate an Allow All policy, Red cells indicate a Deny All policy, and Blue cells (previously yellow) indicate a custom policy. White cells have no policy defined, and allow all traffic by default. You may also notice arrows on some cells - these arrows indicate that this is a return traffic policy. We will get into that later in the article.
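Because white cells allow all traffic by default, it helps to list every source/destination pair that has no policy. The following is an added example, not Elisity code or an Elisity export format: the record field names, the sample Policy Groups, and the assumption that a return-path policy occupies the reverse cell are all constructed for illustration.

```python
from collections import Counter
from itertools import product

# Constructed sample data. Field names are hypothetical, not Elisity's export schema.
GROUPS = ["Clinical-WS", "Infusion-Pumps", "Guest-WiFi"]
POLICIES = [
    {"src": "Clinical-WS", "dst": "Infusion-Pumps", "type": "Custom",
     "status": "Active", "return_path": True},
    {"src": "Guest-WiFi", "dst": "Infusion-Pumps", "type": "Deny All",
     "status": "Active", "return_path": False},
    {"src": "Guest-WiFi", "dst": "Clinical-WS", "type": "Deny All",
     "status": "Simulated", "return_path": False},
]
POLICY_TYPES = {"Allow All", "Deny All", "Custom"}  # green, red, blue cells

def build_matrix(groups, policies):
    """Map every (source, destination) pair to its cell; None is a white cell."""
    matrix = {pair: None for pair in product(groups, repeat=2)}
    for p in policies:
        key, rev = (p["src"], p["dst"]), (p["dst"], p["src"])
        if p["type"] not in POLICY_TYPES or key not in matrix:
            raise ValueError(f"bad policy record: {p!r}")
        matrix[key] = {"type": p["type"], "status": p["status"], "return_of": None}
        # Assumption: a return-path policy fills the reverse cell (the arrow
        # cells) unless that cell already holds a policy of its own.
        if p["return_path"] and matrix[rev] is None:
            matrix[rev] = {"type": p["type"], "status": p["status"], "return_of": key}
    return matrix

def default_allow_pairs(matrix):
    """White cells: no policy defined, so traffic is allowed by default."""
    return sorted(pair for pair, cell in matrix.items() if cell is None)

def coverage(matrix):
    """Count cells per kind so uncovered pairs stand out in a large matrix."""
    def kind(cell):
        if cell is None:
            return "No policy (default allow)"
        return "Return path" if cell["return_of"] else cell["type"]
    return Counter(kind(c) for c in matrix.values())

if __name__ == "__main__":
    m = build_matrix(GROUPS, POLICIES)
    print(dict(coverage(m)))
    for src, dst in default_allow_pairs(m):
        print(f"no policy, default allow: {src} -> {dst}")
```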
Hovering over a source Policy Group, destination Policy Group, or Policy cell will display information about the Policy Group or a high-level summary of the policy. Clicking on a Policy Group surrounding the Policy Matrix will reveal additional information about the match criteria being used, as well as a link to view and edit the Policy Group.
Hovering over a Policy Group reveals the following:
Policy Group Name - The full length name of the Source or Destination Policy Group.
Number of Matched Assets - How many devices are associated with this Policy Group.
Group Tag Value - The numeric value used to identify the Policy Group on access infrastructure.
Policy Group Description - User-defined description of the Policy Group.
Hovering over a Policy in the Matrix reveals the following:
Name - The name of the Policy
Policy Status - Active or Simulated
Security Profile - The name of the custom or default Security Profile used in the Policy
Final Policy Action - Allow All or Deny All
Clicking an empty cell pre-fills the source and destination Policy Groups. From there you can select an existing Security Profile or create a new one, choose the final policy action, choose whether to create a return path policy, and deploy the policy in just a few seconds. To better understand the policy creation page, view this article.
Custom Views
1. Choose your view. View your policies in the matrix view or the list view by toggling the view button.
2. Select and manage your custom views. Here you can select between the default view or any of your custom views. You can also modify and delete custom views, giving you the ability to manage and select your custom views all from one place.
3. Create custom views of the policy matrix. For example, you may want to have an isolated view of a set of business units or assets, particularly if you have a large number of policy groups. To create a view, click the create custom view button, give your custom view a name, select the policy groups that you would like to be assigned to this view, and click the arrows to move them.
Once you have saved a custom view, you can select it in both list view and matrix view to show only the policies associated with the Policy Groups in your custom view.
Within the table view, you can still view, edit, and set policies as active or simulation (depending on the current state.) Simply click on the three dots to the right of the policy to view what actions are available. For Return-Path Policies, you can only view the policy, which will allow you to then click through to the main policy. For Active and Simulated policies, more options are available to the user that are context dependent.
Multiselect
Create Multiple Policies
With Create Multiple Policies, you can assign different policy types (Allow All, Deny All, and Custom) across multiple cell selections in a single session — no need to complete a full workflow per policy type before moving to the next.
1. Click Create Multiple Policies.
2. Select the desired cells using any selection method: click a row or column header, Shift+click individual cells, or click and drag a range.
3. In the action panel that appears, assign a policy type to the current selection:
   - Allow All
   - Deny All
   - Custom Policy — opens a configuration drawer where you define the policy rules
   - Independent Control — opens a vendor selection popup where you choose from Cisco, Palo Alto Networks, or Other
4. Return path is selected by default.
5. Repeat steps 1–4 to assign different policy types to additional cell selections within the same session. You do not need to save between assignments.
6. Click Save Changes. A Review/Summary drawer appears showing all pending policy changes.
7. Choose Save as Simulation or Save as Active.
Note: If another user modified any of the selected cells during your session, a conflict error message is displayed. Resolve the conflict before saving.
Custom Filters
Custom filters can be created and saved in both table view and matrix view. Both views have their own separate saved filters, offering the flexibility to have different custom filters in each view that leverage the different criteria available.
Saved Filters per Policy Set: Because each Policy Set can have its own unique subset of Policy Groups, filters are saved per Policy Set. This means that filters saved in one Policy Set will not appear in the list of saved filters for other Policy Sets.
Import and Export Functionality: Saved filters can be exported and imported, allowing filters to be shared between users in Cloud Control Center.
In Matrix view, the policy matrix can be filtered to show select sources, destinations, and even selected Security Profiles. These filters can be saved and loaded at any time with just a couple of clicks.
To create or load a custom filter in the matrix view, click the Filters button in the top right of the Policy Matrix.
Select your Search Type and select the appropriate values. You can filter on a number of key values in Matrix view:
| Filter | Description |
|---|---|
| Source | The Policy Group that is defined as the source in the policy, determining which entities the policy applies to. |
| Destination | The Policy Group that is defined as the destination in the policy, specifying the entities affected by the policy. |
| Policy Group Label | The higher-level categorization that groups multiple Policy Groups under a common label for easier policy management and assignment to PSETs. |
| Policy Group | The logical grouping of devices or users that share the same access and security policies. |
| Security Profile | The set of security controls defining how traffic is inspected, monitored, and enforced within the policy. |
| Security Level | A classification indicating the risk or sensitivity of a Policy Group, influencing policy enforcement and access permissions. See Policy Set Enforcement Scores. |
You can layer multiple filters to create granular, multifaceted filters to narrow down the matrix view to only the data that you need. You can also import filters shared by colleagues.
To load a filter, go to saved filters and select a previously created filter. This is also where you can export any saved filters to share with other Cloud Control Center users.
In table view, there are four buttons that appear giving you view customization options, refresh, and policy download functionality.
Table view offers more columns with data not available in the matrix view for filtering down to specific policies. Some of the column filter options can be seen in the screenshot below.
Tool Bar and Traffic View
Toolbar Tools
| Tool | Description |
|---|---|
| Refresh | Reloads the Policy Matrix to reflect any updates to policies, traffic, or configurations without leaving the view. |
| Show (Hide) Traffic Flow | Opens the Flow view to show where traffic has been observed in the network, whether that traffic was allowed or blocked, and whether a policy is in place. For full details about the Traffic Flow View feature in Cloud Control Center, click here. |
| Reveal More Characters | Expands truncated Policy Group or service names, allowing full visibility of names and details within the matrix. |
| Accessible View | Removes color coding from the Policy Matrix and replaces it with patterns to improve readability for users with color vision deficiencies. |
| Zoom Options | Resizes the matrix by zooming in, zooming out, or enabling full screen. |
| Legend | Opens the matrix legend, which explains color codes and icons used in the Policy Matrix. Optionally, select TAKE A TOUR for a guided walkthrough of the Policy Matrix. This is also where the Policy View and Multiselect keyboard shortcuts can be viewed. |
These tools and the legend improve navigation, visibility, and understanding of policy statuses in the matrix.
Policy Set Selection
Policy Sets are distinct groups of network policies that can be assigned to different Virtual Edges and Virtual Edge Nodes, enabling differentiated policy for different sites or business units. You can easily choose which Policy Set is represented on the Policy Matrix by selecting the appropriate policy set from the menu directly above the Policy Matrix.
Active Policy Sets, meaning Policy Sets that have Virtual Edges assigned to them using a Site Label, are indicated by a green dot next to the Policy Set name. Active Policy Sets are always listed at the top.
See the Policy Sets article for more information on creating Policy Sets and how they can be used.