Policy Matrix

The Policy Matrix offers a visual representation of all Policy Groups and the relationships that exist between them. It is also an interactive way to rapidly build policies between known and unknown assets and to the internet.  The Policy Matrix also offers asset traffic mapping and a look into how traffic is affected by deployed and simulated policies. 

 

 

Overview

You should have an understanding of Security Profiles and Policy Groups before creating policies. Click on the links below to learn about these policy constructs. 

Security Profiles

Policy Groups

 

Building an Elisity policy is as simple as specifying the source and destination of the traffic as well as the desired security rules. The match criteria for source and destination are very flexible and include identity-based attributes such as Active Directory group, Department, Title, device type, device vendor, device model and much more.

There are a couple of ways to select your source and destination objects: using the Policy Matrix, or manually. This article covers deploying a policy using the Policy Matrix. For manually deploying a policy, see this article. As a reminder, all access is allowed by default until a policy explicitly denies it (default allow rule). 

 

The Policy Matrix

The Policy Matrix is used to show what policies are deployed and give a visualization of the type of traffic that is or is not allowed to flow.

If you have not yet created Policy Groups, your Policy Matrix will be empty, showing only the default Policy Groups. Deploy Policy Groups by following this article before using the Matrix.

 

 

 

1. The Policy Matrix

The Policy Matrix is simply a structure of cells at the intersection of each Policy Group. You can click on the cells to deploy a policy between two Policy Groups very rapidly, using pre-defined Security Profiles or creating new Security Profiles as you go. Green cells indicate an "Allow All" policy, red cells indicate a "Deny All" policy, and yellow cells indicate a custom policy. White cells have no policy defined and allow all traffic by default. You may also notice arrows on some cells; these arrows indicate that this is a return traffic policy. We will get into that later in the article.

Clicking on a cell pre-fills the source and destination Policy Groups. You can then select an existing Security Profile or create a new one, choose your final policy action, choose whether to create a return path policy, and deploy the policy in just a few seconds. To better understand the policy creation page, view this article.

2. Custom Views

1. View your policies in the matrix view or the list view by toggling the view button.

2. Sort your Policy Groups on the matrix alphabetically, or by order of creation. This icon shows the current view (the example above shows that we are viewing alphabetically from A to Z). Here you can also select custom views after you create them.

3. Create custom views of the policy matrix. For example, you may want to have an isolated view of a set of business units or assets, particularly if you have a large number of policy groups. To create a view, click the create custom view button, give your custom view a name, select the policy groups that you would like to be assigned to this view, and click the arrows to move them.

 

Once you have saved a custom view, you can select it in both list view and matrix view to see only the policies associated with the Policy Groups in your custom view.

 

3. Filters and Traffic Flow View

Different filters are available in both Matrix view and table view.

In table view, four buttons appear that provide view customization options, refresh, and policy download functionality.

In matrix view, you still have filtering functionality, but in addition you will see the "Show Traffic Flow" button. Traffic Flow view allows you to see where traffic has been observed in the network, whether that traffic was allowed or blocked, and if there is a policy in place. 

 

 

In this view, clicking on a cell with observed traffic flow will enable you to dive deeper into traffic analytics for these Policy Groups. You can then click through and create a policy using this information. This is incredibly useful for quickly deploying policy based on real-world traffic flows.

 

 

Users can filter traffic flows to see the last hour, the last 24 hours, the last 7 days, or the last 28 days. The ability to filter traffic flows means that shortly after deploying new Policy Groups or implementing a new policy, administrators can filter down to the most recent traffic flows to get an accurate representation of how the devices in the Policy Group are interacting with the rest of the network, and how a policy change could have affected those traffic flows. Filtering for a longer period like 28 days gives admins a good idea of normal long-term traffic behaviors for established Policy Groups, simplifying policy decisions. 
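
An added example (not Elisity code and not an Elisity export format) of the review described above: given observed flows and deployed policies, it lists the matrix cells whose traffic passes only because of the default allow rule, for any of the four time filters. The group names, the record layout and the treatment of cells as directional are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Time filters named on the page for Traffic Flow view.
WINDOWS = {"1h": timedelta(hours=1), "24h": timedelta(hours=24),
           "7d": timedelta(days=7), "28d": timedelta(days=28)}

# Cell colors from the matrix legend; a missing entry is a white cell.
COLORS = {"allow_all": "green", "deny_all": "red", "custom": "yellow"}

def cell_color(policies, src, dst):
    """Color of the cell for traffic from src group to dst group."""
    return COLORS.get(policies.get((src, dst)), "white")

def default_allowed_flows(flows, policies, now, window):
    """Count observed flows per (src, dst) cell that no explicit policy covers.

    These flows pass only because of the default allow rule, so each cell
    returned is a candidate for an explicit policy. Cells are treated as
    directional (assumption): a policy on A->B does not cover B->A.
    """
    cutoff = now - WINDOWS[window]
    counts = Counter(
        (src, dst) for ts, src, dst in flows
        if cutoff <= ts <= now and (src, dst) not in policies
    )
    # Busiest uncovered cells first, then alphabetical for stable output.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

# Constructed sample data (hypothetical group names, not a product export).
NOW = datetime(2024, 1, 29, 12, 0)
POLICIES = {("Cameras", "NVR"): "allow_all",
            ("Cameras", "Internet"): "deny_all",
            ("HVAC", "BMS-Server"): "custom"}
FLOWS = [
    (NOW - timedelta(minutes=10), "Cameras", "NVR"),
    (NOW - timedelta(minutes=20), "NVR", "Cameras"),
    (NOW - timedelta(hours=5), "HVAC", "Workstations"),
    (NOW - timedelta(hours=6), "HVAC", "Workstations"),
    (NOW - timedelta(days=10), "Printers", "Internet"),
]

if __name__ == "__main__":
    for window in WINDOWS:
        print(window, default_allowed_flows(FLOWS, POLICIES, NOW, window))
```

Widening the window from 1h to 28d surfaces the older Printers-to-Internet flow, which is why the longer filter is the better baseline before replacing default allow with explicit policy.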

 

4. Side Bar Buttons

Appearance Settings - toggle between colorized policy matrix view and black and white view.

Zoom - Zoom in and out on the policy matrix without affecting page zoom.

Fullscreen Mode - View the Policy Matrix in full screen.

Legend Button - Toggles the policy matrix legend. Click "Take a Tour" for an interactive guide through the Policy Matrix.

 

 

 

 
