Policy Simulation

When creating policies in Cloud Control Center, you may have noticed the option to Save As Simulation. This article explains the policy simulation feature and the benefits it offers.

Overview

Simulation Mode allows administrators to validate segmentation policies without enforcing them on production traffic. Simulated policies operate within the same Policy Matrix view as active policies, providing complete visibility into allowed and denied flows based on proposed configurations.

This enables safe testing of segmentation strategies before any changes impact the operational network.

Key Capabilities

  • Traffic Impact Analysis
    Visualize how new policies would affect device communication. Simulation shows permitted and denied traffic without altering enforcement.

  • Policy Iteration and Tuning
    Create and modify policies iteratively based on observed traffic patterns. Fine-tune segmentation before moving policies into enforcement mode.

  • Security Validation
    Identify potential security gaps, unintended access, or blocked critical traffic. Simulation helps proactively address vulnerabilities before deployment.

  • Operational Risk Reduction
    Avoid downtime and service disruption by validating policy changes in a controlled, non-impacting environment.

  • Unified Management Interface
    Simulated and enforced policies are managed through the same Policy Matrix and Traffic View dashboards, providing a seamless workflow from testing to production.

How Simulation Mode Works

  1. Policies are created or modified in Cloud Control Center and saved in Simulation Mode.

  2. The system monitors real network traffic against the simulated policy logic.

  3. Administrators view simulated outcomes directly in the Policy Matrix and Traffic views.

  4. Once validated, policies can be switched to Enforcement Mode with minimal additional configuration.

Deploying a Simulated Policy

During the policy creation process in the Elisity Cloud Control Center, you can test your policy before making it live. Follow these steps to save your policy as a simulation:

Step 1 - Create Your Policy:

  • Navigate to the Policies section in the left sidebar.
  • Click +Create Policy.
  • Fill in the necessary fields such as Policy Name, Policy Description, Source, Destination, and select a Security Profile.
  • Set the Final Policy Action to either Allow or Deny based on your requirements.
  • Check the box for Create Return Path Policy Enforcement if applicable.

Note: The Policy Name field has a 131 character limit.

Step 2 - Opt to Save as Simulation:

After configuring your policy, click Create. A prompt will appear asking if you would like to Save as Active or Save as Simulation.

This view also shows a preview of the Virtual Edge Nodes that will be impacted by this new Policy.

Choose Save as Simulation to test your policy without affecting the live environment. This is ideal for reviewing impacts and making necessary adjustments before applying the policy live.

Step 3 - Review Traffic for Simulated Policies:

  • Monitor the policy's behavior in simulation mode to ensure it performs as expected.
  • Make any necessary changes based on the results of the simulation.

Step 4 - Activate Policy:

  • Once satisfied with the simulation results, you can save the policy as active to enforce it in the live environment.

By following these steps, you can effectively test and validate your policies using the simulation feature before making them live.

Viewing Simulated Policies on the Policy Matrix

The Policy Matrix supports two cell display modes, selectable from the toolbar on the right side of the matrix: Outlined Cells and Filled Cells. Simulated policies are visually distinguished from active policies in both views. In Filled Cells mode, simulated policies use a transparent cell background while active policies use a solid background. In Outlined Cells mode, simulated policies appear with dashed outlines while active policies use solid outlines. In both views, simulated policies are marked with an asterisk, and hovering over a cell reveals additional details including the Simulation status indicating that the policy is not actively enforced.

The following screenshot shows the same Policy Matrix in Outlined Cells mode, where simulated policies are indicated by dashed outlines:

Clicking a policy shows the matched assets for both the source and destination, as well as the security rules and the simulation status of the policy. At the top right of this window, you can Edit, Delete, and, importantly, Activate the policy, which moves it from simulation mode to an active policy on your relevant Virtual Edge Nodes.

Similarly, if the policy you have selected from the matrix is already active, you can quickly place it into simulation mode by clicking Set As Simulation.

Revealing traffic analytics in the Policy Matrix gives more insight into which protocols you may want to allow or deny in a simulated policy, based on traffic that has been observed. Use this data to base policy decisions on observed traffic rather than only on the traffic you think needs to be allowed.

Evaluating Simulated Policies and Making Adjustments

When a simulated policy within the Elisity Microsegmentation Platform has observed traffic, it is essential to analyze and evaluate the results before making any enforcement decisions. Here are the recommended steps to follow:

  1. Review the Traffic Analytics: Examine the traffic analytics associated with the simulated policy. Understand the traffic patterns, identify any anomalies or unexpected behavior, and assess the impact of the policy on the observed traffic.

  2. Analyze Allowed and Denied Traffic: Determine which traffic was allowed or denied by the simulated policy. Pay attention to any connections that should have been allowed but were denied, as well as any connections that should have been denied but were allowed. This analysis helps identify potential misconfigurations or policy conflicts.

  3. Compare with Desired Outcomes: Compare the observed traffic with the desired outcomes and security objectives. Ensure that the simulated policy aligns with the intended network segmentation, access control, and security requirements.

  4. Refine and Optimize the Policy: Based on the insights gained from the observed traffic, make necessary refinements and optimizations to the simulated policy. Address any unintended consequences, adjust rule priorities, or modify policy conditions to achieve the desired security posture and network behavior.

  5. Re-simulate and Validate: After refining the policy, re-run the simulation to observe the impact of the updated policy on traffic. Repeat the process of reviewing traffic analytics and assessing the alignment with desired outcomes. Iterate as needed until the simulated policy yields the desired results.

  6. Plan for Enforcement: Once satisfied with the simulated policy's behavior and its impact on traffic flows, carefully plan the enforcement process. Communicate with relevant stakeholders, establish a deployment strategy, and ensure that the necessary infrastructure and devices are prepared for policy enforcement.

  7. Enforce and Monitor: Deploy the policy on the production network, carefully monitoring its effects on traffic in real time. Continuously monitor network behavior, traffic patterns, and security incidents to validate the effectiveness of the enforced policy and address any emerging issues promptly.
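
The comparison described in steps 2 and 3 can be modeled in a few lines. The following is an added illustration, not Elisity code or an Elisity API: the policy model, group names, flow tuples and expected outcomes are all constructed assumptions. It evaluates observed flows against a simulated policy and sorts the mismatches into the categories the steps call out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:                 # one rule of a security profile (hypothetical model)
    proto: str
    port: int
    action: str             # "allow" or "deny"

@dataclass(frozen=True)
class Policy:
    source: str             # source group
    destination: str        # destination group
    rules: tuple
    final_action: str       # applied when no rule matches

def verdict(policy, flow):
    """Verdict the policy would give a flow, or None if the policy does not apply."""
    src, dst, proto, port = flow
    if (src, dst) != (policy.source, policy.destination):
        return None
    for rule in policy.rules:
        if (rule.proto, rule.port) == (proto, port):
            return rule.action
    return policy.final_action

def review(policy, flows, expected):
    """Compare simulated verdicts with the desired outcome for each observed flow."""
    findings = {"blocked_but_needed": [], "allowed_but_unwanted": [], "unreviewed": []}
    for flow in flows:
        got = verdict(policy, flow)
        if got is None:
            continue                      # flow is outside this policy's scope
        want = expected.get(flow)
        if want is None:
            findings["unreviewed"].append(flow)   # observed, but nobody decided yet
        elif got == "deny" and want == "allow":
            findings["blocked_but_needed"].append(flow)
        elif got == "allow" and want == "deny":
            findings["allowed_but_unwanted"].append(flow)
    return findings

# Constructed sample data: group names, ports and outcomes are illustrative only.
POLICY = Policy("HVAC-Controllers", "BMS-Servers",
                (Rule("tcp", 443, "allow"), Rule("tcp", 23, "allow")), "deny")
FLOWS = [("HVAC-Controllers", "BMS-Servers", "tcp", 443),
         ("HVAC-Controllers", "BMS-Servers", "udp", 47808),
         ("HVAC-Controllers", "BMS-Servers", "tcp", 23),
         ("HVAC-Controllers", "BMS-Servers", "tcp", 8080),
         ("Printers", "BMS-Servers", "tcp", 443)]
EXPECTED = {FLOWS[0]: "allow", FLOWS[1]: "allow", FLOWS[2]: "deny"}

if __name__ == "__main__":
    for category, hits in review(POLICY, FLOWS, EXPECTED).items():
        print(category, hits)
```

A non-empty `blocked_but_needed` or `allowed_but_unwanted` list means the policy goes back to step 4 for refinement; `unreviewed` flows need an owner's decision before enforcement.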

This feature offers administrators a powerful tool to evaluate the impact of segmentation policies before enforcing them on live networks. By visualizing traffic, affected assets, and the allowed or denied connections based on policy configurations, administrators can make informed decisions, refine policies, and enhance network security. This feature promotes proactive security measures, mitigates operational risks, and ensures the smooth functioning of critical business processes.
