Let’s look at manually deploying a policy.
Go To: Policies -> Create Policy
Step 1: Give your policy a name and a description if needed.
Step 2: Select a policy group for both your source and destination.
Only previously created Policy Groups will appear here, meaning if you have not yet created a Policy Group for the set of assets you want to use as a policy endpoint, you need to exit and define your Policy Groups. We will select IT_Computers_Laptops as our source and IT_Security as our destination.
Step 3: Define Security Rules OR Select a Security Profile
This step is exactly the same as deploying a policy on the Matrix. Select the button for "Existing Security Profile" to choose a pre-defined security profile, or as we will do in this example, select "Create New Security Profile." Give your Security Profile a name, description if needed, and select your security rules. For more info on creating Security Profiles, go to our article.
Note that security rules are evaluated in the order in which they are displayed. This matters when rules have overlapping match criteria (source or destination ports and protocols) and you want to set the precedence manually. To change the order of security rules, click and drag the handle to the left of the Rule column up or down.
Step 4: Choose Your Final Policy Action
Your final policy action is the rule for any protocols not defined in your Security Profile. In our example, we have created a Security Profile with an "allow" rule for SSH, with a final policy action "Deny." This accomplishes our goal of allowing ONLY SSH, and denying all other traffic.
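The rule ordering from Step 3 and the final policy action from Step 4, as an added example rather than product code: a small Python model that assumes the first matching rule decides a flow, and that flags rules hidden behind an earlier, broader rule. The Rule class, rule names and port ranges are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    protocol: str   # "tcp", "udp" or "any"
    ports: range    # destination ports the rule matches
    action: str     # "allow" or "deny"

    def matches(self, protocol, port):
        return self.protocol in ("any", protocol) and port in self.ports

    def covers(self, other):
        """True when every flow matched by `other` is also matched by this rule."""
        return (self.protocol in ("any", other.protocol)
                and self.ports.start <= other.ports.start
                and other.ports.stop <= self.ports.stop)


def evaluate(rules, final_action, protocol, port):
    """Return (action, deciding rule). Assumption: first matching rule wins."""
    for rule in rules:
        if rule.matches(protocol, port):
            return rule.action, rule.name
    # No rule in the profile matched, so the final policy action applies.
    return final_action, "final policy action"


def shadowed(rules):
    """List (hidden rule, hiding rule) pairs where an earlier rule covers a later one."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed profiles, not exported from the product.
allow_ssh = Rule("allow-ssh", "tcp", range(22, 23), "allow")
deny_low = Rule("deny-low-ports", "tcp", range(1, 1024), "deny")
ssh_only = [allow_ssh]               # the profile from this walkthrough
overlap_bad = [deny_low, allow_ssh]  # broad deny displayed above the SSH allow
overlap_good = [allow_ssh, deny_low] # SSH allow dragged above the broad deny
```

Running `shadowed()` over a profile before deploying it shows which rules can never take effect in the displayed order.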
Step 5: Determine if this policy is uni-directional or bi-directional
Check the box next to "Create Return Path Policy Enforcement" if you would like to deploy a policy for the return path traffic. The return path policy mirrors the policy you are defining and is placed on the policy matrix in the mirrored position of your current source/destination policy group. Leaving the box unchecked creates a uni-directional policy that only impacts traffic flows in the direction determined by your source and destination Policy Groups.
The automatically created return path policy, indicated by the arrows on the policy in the Policy Matrix, uses the security profile from the original policy. To create a return policy with a different security profile, you can deploy two uni-directional policies on the policy matrix; just click the cells with the opposite source/destination of your first policy.
Click Deploy or Save as Simulation to finish deploying or saving your policy.