When creating policies in Cloud Control Center, you may have noticed the option to "Save As Simulation." This article explains the policy simulation feature and the benefits it offers.
Overview
Simulation Mode allows administrators to validate segmentation policies without enforcing them on production traffic. Simulated policies operate within the same Policy Matrix view as active policies, providing complete visibility into allowed and denied flows based on proposed configurations.
This enables safe testing of segmentation strategies before any changes impact the operational network.
Key Capabilities
- Traffic Impact Analysis: Visualize how new policies would affect device communication. Simulation shows permitted and denied flows without altering enforcement.
- Policy Iteration and Tuning: Create and modify policies iteratively based on observed traffic patterns. Fine-tune segmentation before moving policies into enforcement mode.
- Security Validation: Identify potential security gaps, unintended access, or blocked critical flows. Simulation helps proactively address vulnerabilities before deployment.
- Operational Risk Reduction: Avoid downtime and service disruption by validating policy changes in a controlled, non-impacting environment.
- Unified Management Interface: Simulated and enforced policies are managed through the same Policy Matrix and Traffic Flow dashboards, providing a seamless workflow from testing to production.
How Simulation Mode Works
- Policies are created or modified in Cloud Control Center and saved in Simulation Mode.
- The system monitors real network traffic against the simulated policy logic.
- Administrators view simulated outcomes directly in the Policy Matrix and Traffic Flow views.
- Once validated, policies can be switched to Enforcement Mode with minimal additional configuration.
Deploying a Simulated Policy
During the policy creation process in the Elisity Cloud Control Center, you can test your policy before making it live. Follow these steps to save your policy as a simulation:
Step 1 - Create Your Policy:
- Navigate to the Policies section in the left sidebar.
- Click on Create Policy.
- Fill in the necessary fields such as Policy Name, Policy Description, Source, Destination, and select a Security Profile.
- Set the Final Policy Action to either Allow or Deny based on your requirements.
- Check the box for Create Return Path Policy Enforcement if applicable.
Note: The Policy Name field has a 131 character limit.
Step 2 - Opt to Save as Simulation:
- After configuring your policy, click on the Create button.
- A prompt will appear asking if you would like to Save as Active or Save as Simulation.
- Choose Save as Simulation to test your policy without affecting the live environment. This is ideal for reviewing impacts and making necessary adjustments before applying the policy live.
Step 3 - Review Traffic Flows for Simulated Policies:
- Monitor the policy's behavior in simulation mode to ensure it performs as expected.
- Make any necessary changes based on the results of the simulation.
Step 4 - Activate Policy:
- Once satisfied with the simulation results, you can save the policy as active to enforce it in the live environment.
By following these steps, you can effectively test and validate your policies using the simulation feature before making them live.
Viewing Simulated Policies on the Policy Matrix
Any simulation policy is indicated on the Policy Matrix with an asterisk. Hovering over the policy reveals more details, including the "simulation" status, which confirms that the policy is not actually deployed.
Clicking on the policy shows the matched assets for both the source and destination, as well as the security rules and the simulation status of the policy. At the top right of this window, you can EDIT, DELETE, and, importantly, ACTIVATE the policy, which converts it from simulation mode to an active policy on your relevant Virtual Edge Nodes.
Similarly, if the policy you have selected from the matrix is already active, you can quickly place it into simulation mode with one click.
Revealing traffic analytics in the Policy Matrix gives more insight into which protocols you may want to allow or deny in the simulated policy, based on traffic that has been observed. Use this data to make informed decisions about policy beyond what traffic you think needs to be allowed.
Evaluating Simulated Policies and Making Adjustments
When a simulated policy within the Elisity Microsegmentation Platform has observed traffic, it is essential to analyze and evaluate the results before making any enforcement decisions. Here are the recommended steps to follow:
- Review the Traffic Analytics: Examine the traffic analytics associated with the simulated policy. Understand the flow patterns, identify any anomalies or unexpected behavior, and assess the impact of the policy on the observed traffic.
- Analyze Allowed and Denied Traffic: Determine which traffic flows were allowed or denied by the simulated policy. Pay attention to any connections that should have been allowed but were denied, as well as any connections that should have been denied but were allowed. This analysis helps identify potential misconfigurations or policy conflicts.
- Compare with Desired Outcomes: Compare the observed traffic with the desired outcomes and security objectives. Ensure that the simulated policy aligns with the intended network segmentation, access control, and security requirements.
- Refine and Optimize the Policy: Based on the insights gained from the observed traffic, make necessary refinements and optimizations to the simulated policy. Address any unintended consequences, adjust rule priorities, or modify policy conditions to achieve the desired security posture and network behavior.
- Re-simulate and Validate: After refining the policy, re-run the simulation to observe the impact of the updated policy on traffic flows. Repeat the process of reviewing traffic analytics and assessing the alignment with desired outcomes. Iterate as needed until the simulated policy yields the desired results.
- Plan for Enforcement: Once satisfied with the simulated policy's behavior and its impact on traffic flows, carefully plan the enforcement process. Communicate with relevant stakeholders, establish a deployment strategy, and ensure that the necessary infrastructure and devices are prepared for policy enforcement.
- Enforce and Monitor: Deploy the policy on the production network, carefully monitoring its effects on traffic in real-time. Continuously monitor network behavior, traffic patterns, and security incidents to validate the effectiveness of the enforced policy and address any emerging issues promptly.
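The review loop in the steps above (classify what the simulated policy would allow or deny, compare with the intended outcomes, refine, re-check) can be modeled offline as follows. This is an added example, not Elisity code or the Cloud Control Center API; the flow records, group names, and the `SimPolicy`, `review`, and `ready_to_enforce` names are all constructed for illustration.

```python
from collections import namedtuple

# Constructed model for illustration; not Elisity's data format or API.
Flow = namedtuple("Flow", "src dst proto port")

class SimPolicy:
    def __init__(self, src, dst, rules, final_action):
        self.src, self.dst = src, dst
        self.rules = rules                  # {(proto, port): "allow" | "deny"}
        self.final_action = final_action    # applied when no rule matches

    def verdict(self, flow):
        """Verdict the policy would give; None if the flow is out of scope."""
        if (flow.src, flow.dst) != (self.src, self.dst):
            return None
        return self.rules.get((flow.proto, flow.port), self.final_action)

def review(policy, observed, must_allow, must_deny):
    """Classify simulated verdicts against the intended outcomes."""
    report = {"blocked_critical": [], "unintended_access": [], "needs_review": []}
    for flow in observed:
        v, svc = policy.verdict(flow), (flow.proto, flow.port)
        if v is None:
            continue                                   # another policy's scope
        if v == "deny" and svc in must_allow:
            report["blocked_critical"].append(svc)
        elif v == "allow" and svc in must_deny:
            report["unintended_access"].append(svc)
        elif svc not in must_allow and svc not in must_deny:
            report["needs_review"].append(svc)         # no stated intent yet
    return report

def ready_to_enforce(report):
    return not any(report.values())

# Constructed sample of observed traffic (group names are hypothetical).
OBSERVED = [
    Flow("cameras", "nvr", "tcp", 554),
    Flow("cameras", "nvr", "tcp", 443),
    Flow("cameras", "nvr", "tcp", 23),
    Flow("cameras", "nvr", "udp", 123),
    Flow("printers", "nvr", "tcp", 445),   # different source group: out of scope
]
MUST_ALLOW = {("tcp", 554), ("tcp", 443)}
MUST_DENY = {("tcp", 23)}

draft = SimPolicy("cameras", "nvr", {("tcp", 554): "allow", ("tcp", 23): "allow"}, "deny")
tuned = SimPolicy("cameras", "nvr", {("tcp", 554): "allow", ("tcp", 443): "allow",
                                     ("udp", 123): "allow"}, "deny")

if __name__ == "__main__":
    print(review(draft, OBSERVED, MUST_ALLOW, MUST_DENY))
    print(ready_to_enforce(review(tuned, OBSERVED, MUST_ALLOW | {("udp", 123)}, MUST_DENY)))
```

The draft policy surfaces one finding in each category; the tuned policy is only reported as ready once the previously unclassified flow has been given an explicit intent.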
This feature offers administrators a powerful tool to evaluate the impact of segmentation policies before enforcing them on live networks. By visualizing traffic flows, affected assets, and the allowed or denied connections based on policy configurations, administrators can make informed decisions, refine policies, and enhance network security. This feature promotes proactive security measures, mitigates operational risks, and ensures the smooth functioning of critical business processes.