Learn how to master the policy management workflow offered by the Policy Matrix.
In Cloud Control Center we have developed a unique and efficient policy creation workflow centered around the Policy Matrix. If you are unfamiliar with the Policy Matrix, read this article to gain in-depth knowledge of all the capabilities of the matrix. This workflow lets users create and manage groups of endpoints called "Policy Groups" and deploy policies between them, providing fine-grained control over network traffic flows. This article covers what you need to know about this workflow, and some of the prerequisites needed before you get started.
There are several components to creating an Elisity policy that you should be familiar with before jumping in:
Before you can begin deploying policies on the matrix, you first have to populate the matrix with Policy Groups. Policy Groups are simply groups of assets with similar security requirements, defined by an administrator. Policy Groups are defined using the identity of assets rather than rigid, hard-to-use network constructs such as IP or MAC addresses. Policy Groups appear as both sources and destinations on the matrix, ready to receive policy inputs from the user. You can read our article about Policy Groups for an in-depth review of exactly how to use them.
Once all your needed Policy Groups are in place, it's time to consider what traffic we want to permit between these groups.
To define what traffic is allowed between Policy Groups, we leverage Security Profiles. These can be defined before deploying a policy, or created on the fly when creating a Policy.
Read our Security Profile article to learn more about some of the capabilities.
The Policy Matrix is our graphical tool for deploying, managing, and removing policies in a single user-friendly interface.
With customizable views, filtering, traffic flow view, and more, the Policy Matrix is a powerful tool that makes managing policies incredibly easy.
Read our Policy Matrix article to learn about how these features work to improve your workflow.
Deploying a Policy
To deploy a policy using the Policy Matrix, simply click on the empty square at the intersection between your desired source and destination Policy Groups.
Your source, destination, policy name, and a new security profile with the same name as your policy will be pre-filled upon clicking a cell. You can modify any of these fields during policy creation, or choose to select a pre-defined security profile instead of creating a new one.
Choosing/Creating Your Security Profile
Select the button for "Existing Security Profile" to choose a pre-defined security profile, or as we will do in this example, proceed with creating a new Security Profile with the default name. We can give a description if needed, and select our security rules. For more info on creating Security Profiles, go to our article.
It is important to note that security rules are evaluated in the order in which they are displayed. This matters when rules have overlapping match criteria (source or destination ports and protocols) and you want to set their precedence manually. To change the order of security rules, click and drag the handle to the left of the Rule column, up or down.
Choose Your Final Policy Action
Your final policy action is the rule for any protocols not defined in your Security Profile. In our example, we have created a Security Profile with an "allow" rule for protocols needed to use print services with a final policy action "Deny." This accomplishes our goal of allowing ONLY PRINTING, and denying all other traffic.
Determine if this policy is uni-directional or bi-directional
Click the check box next to "Create Return Path Policy Enforcement" if you would like to deploy a policy for the return path traffic. This return policy mirrors the policy you are defining and is placed on the Policy Matrix in the mirrored position of your current source/destination Policy Groups. When the box is unchecked, you create a uni-directional policy that only affects traffic flows in the direction determined by your source and destination Policy Groups.
The automatically created return path policy, indicated by the arrows on the policy in the Policy Matrix, uses the security profile from the original policy. To create a return policy with a different security profile, you can deploy two uni-directional policies on the policy matrix; just click the cells with the opposite source/destination of your first policy.
Click Deploy or Save as Simulation to finish deploying or saving your policy.
Using Traffic Flow View
Traffic Flow View allows you to see all flows that have been observed between Policy Groups, and what policy action has been taken, both simulated and real. You can filter traffic flows based on a time window, from the last day to the last month. Clicking on a colored cell shows you a list of all observed traffic flows within the specified time frame, and also allows you to click through to create a policy based on these flows.
Simulated policies also appear on the traffic flow matrix, as you can see below. We have deployed a simulated "Deny All" policy between the shown Policy Groups. You can see on the matrix that this simulated policy would have denied the observed traffic, indicated by the red cell with the star icon. Administrators can use this data to test and verify policies before deploying them into their production environment, increasing confidence and reducing disruptions.
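The evaluation semantics described above (security rules evaluated in display order, a final policy action for unmatched traffic, a mirrored return-path policy, and a simulated policy reported against observed flows in Traffic Flow View) can be modelled in a few lines. The following Python is an added example, not Elisity's code or API: the class names, the print-service ports (TCP 9100, 631, 515), the Policy Group names, and the observed flows are all constructed for illustration.

```python
"""Added example: a small model of the Policy Matrix semantics this article
describes. Not Elisity's code; all names, ports and flows are constructed."""
from dataclasses import dataclass

ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class Flow:
    src_group: str
    dst_group: str
    protocol: str   # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class SecurityRule:
    action: str
    protocol: str          # "tcp", "udp", or "any"
    dst_ports: frozenset   # empty set means any destination port

    def matches(self, flow):
        if self.protocol != "any" and self.protocol != flow.protocol:
            return False
        return not self.dst_ports or flow.dst_port in self.dst_ports


@dataclass
class SecurityProfile:
    name: str
    rules: list          # evaluated top to bottom, as displayed in the UI
    final_action: str    # the "final policy action" for unmatched traffic

    def evaluate(self, flow):
        for rule in self.rules:          # first matching rule takes precedence
            if rule.matches(flow):
                return rule.action
        return self.final_action


@dataclass
class Policy:
    name: str
    src_group: str
    dst_group: str
    profile: SecurityProfile
    simulated: bool = False

    def mirrored(self):
        # "Create Return Path Policy Enforcement": same profile, swapped groups
        return Policy(self.name + "-return", self.dst_group, self.src_group,
                      self.profile, self.simulated)


class PolicyMatrix:
    def __init__(self):
        self.cells = {}   # (source group, destination group) -> Policy

    def deploy(self, policy, return_path=False):
        self.cells[(policy.src_group, policy.dst_group)] = policy
        if return_path:
            mirror = policy.mirrored()
            self.cells[(mirror.src_group, mirror.dst_group)] = mirror

    def evaluate(self, flow):
        """Return (action, policy name, simulated); an empty cell gives no decision."""
        policy = self.cells.get((flow.src_group, flow.dst_group))
        if policy is None:
            return (None, None, False)
        return (policy.profile.evaluate(flow), policy.name, policy.simulated)

    def traffic_flow_view(self, flows):
        """Per cell, count observed flows by the action taken, or the action a
        simulated policy would have taken ("would deny"), as in Traffic Flow View."""
        view = {}
        for flow in flows:
            action, _, simulated = self.evaluate(flow)
            label = "no policy" if action is None else ("would " if simulated else "") + action
            cell = view.setdefault((flow.src_group, flow.dst_group), {})
            cell[label] = cell.get(label, 0) + 1
        return view


# Constructed "print only" profile: allow raw print, IPP and LPD, deny the rest.
ALLOW_PRINT = SecurityRule(ALLOW, "tcp", frozenset({9100, 631, 515}))
PRINT_ONLY = SecurityProfile("Workstations-to-Printers", [ALLOW_PRINT], DENY)

# Constructed sample of observed flows between Policy Groups.
OBSERVED_FLOWS = [
    Flow("Workstations", "Printers", "tcp", 9100),
    Flow("Workstations", "Printers", "tcp", 22),
    Flow("Printers", "Workstations", "tcp", 9100),
    Flow("IoT", "Servers", "tcp", 443),
    Flow("Servers", "IoT", "tcp", 443),
]


def build_matrix():
    matrix = PolicyMatrix()
    matrix.deploy(Policy("Workstations-to-Printers", "Workstations", "Printers",
                         PRINT_ONLY), return_path=True)
    deny_all = SecurityProfile("Deny All", [], DENY)   # no rules: final action only
    matrix.deploy(Policy("IoT-to-Servers", "IoT", "Servers", deny_all, simulated=True))
    return matrix


def rule_order_matters():
    """Same two overlapping rules, two orders: the order decides the outcome."""
    deny_any_tcp = SecurityRule(DENY, "tcp", frozenset())
    flow = Flow("Workstations", "Printers", "tcp", 9100)
    allow_first = SecurityProfile("a", [ALLOW_PRINT, deny_any_tcp], DENY).evaluate(flow)
    deny_first = SecurityProfile("b", [deny_any_tcp, ALLOW_PRINT], DENY).evaluate(flow)
    return allow_first, deny_first   # ("allow", "deny")


if __name__ == "__main__":
    for cell, counts in build_matrix().traffic_flow_view(OBSERVED_FLOWS).items():
        print(cell, counts)
    print("rule order:", rule_order_matters())
```

Running the script lists each populated cell of the matrix with its observed-flow counts: the Workstations-to-Printers cell shows one allowed print flow and one denied SSH flow, the mirrored Printers-to-Workstations cell allows the return print traffic with the same profile, the simulated Deny All cell reports what it "would deny" without affecting anything, and the Servers-to-IoT cell has no policy at all, since the simulated policy was deployed without a return path. `rule_order_matters` shows the precedence point from the Security Profile section: with the broad deny rule moved above the allow rule, the same flow is denied.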
Editing and Deleting Policies Using the Policy Matrix
You can fully manage policies from the Policy Matrix by clicking on any existing policy. After clicking on an existing policy, you have the option to edit or delete it. Clicking delete will prompt you to confirm that you indeed want to delete the policy. Clicking modify will take you to a familiar screen: our policy creation page. The exact same workflow used for creating policies is used to modify them, but all fields are populated with the current attributes, which you can then modify and redeploy.