Policy Evaluator

The Policy Evaluator in Cloud Control Center allows administrators to quickly determine and verify policy actions applied to traffic from a specified source device to a destination Policy Group over a selected protocol. This tool provides clear insights into the behavior of policies between defined sources and destinations, supporting troubleshooting, auditing, and policy refinement.

 

Accessing the Policy Evaluator

The Policy Evaluator is available under the Tools & Utilities section of the navigation pane in Cloud Control Center. 

 

How to Use the Policy Evaluator

The interface guides you through necessary inputs for a policy evaluation, such as selecting a Source and Destination PG, defining the Policy Set, and choosing the Protocol and Port.

1. Specify the Source and Destination

The source can be a Policy Group (Dynamic or Static Type), a MAC Address, or the IP Address of a device. In this example, the Global Verified PCs Policy Group is selected as the source. Policy Groups are chosen from a list, while MAC and IP addresses become searchable after you type at least two characters.

Choose the destination Policy Group to which the traffic is directed. Here, Global IT Print Servers is selected as the destination Policy Group.

2. Specify the Policy Set

Select the Policy Set that includes the policies governing traffic between the chosen source and destination. In the example, the IND-Clinic Policy Set is selected.

3. Protocol and Port Selection

Select the ports or port ranges to evaluate, if applicable. Ports can be entered as comma-separated values or as port ranges (e.g. 1-10).

Run the Policy Evaluation

After entering all relevant criteria (source, destination, policy set, protocol, and ports), click Run to perform the policy evaluation.

Once the evaluation is complete, the tool provides a visualization of the path from source to destination, showing how traffic is managed across policy groups and virtual edges. In this example, the IND Clinic Policy Set allows traffic from Global Verified PCs to Global IT Print Servers on TCP port 443. Depending on your network requirements, this may be desired or may need remediation. 

 

4. View Ports

Click View Ports to see a breakdown of how each entered port is handled by the policy in place. Each port is listed with an Allowed or Denied tag, and the list can be exported as a CSV directly from the View Ports window.

 

5. Export CSV

Export a CSV from the Policy Evaluator menu. The downloaded CSV contains the same data shown in the View Ports window.
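One way to turn the exported CSV into a repeatable audit, as an added example that is not Cloud Control Center code: it expands a port entry like the one typed in step 3 and compares the per-port Allowed/Denied results against the ports you intend to be open. The column names `Port` and `Action` and the sample rows are assumptions constructed for illustration; match them to the header of your actual export.

```python
import csv
import io


def expand_ports(spec):
    """Expand an entry such as '22,80,443,9100-9101' into a sorted list of ports."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, sep, hi = part.partition("-")
        start = int(lo)
        end = int(hi) if sep else start  # int('') raises on a dangling '-'
        if not (0 < start <= end <= 65535):
            raise ValueError(f"invalid port or range: {part!r}")
        ports.update(range(start, end + 1))
    return sorted(ports)


def audit_export(csv_text, intended_allowed, evaluated):
    """Return (unexpected_allow, unexpected_deny, missing) as sorted lists.

    unexpected_allow: ports the policy allows but that are not meant to be open
    unexpected_deny:  ports meant to be open that the policy denies
    missing:          evaluated ports that do not appear in the export
    """
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        # 'Port' and 'Action' are assumed column names, not taken from the product.
        results[int(row["Port"])] = row["Action"].strip().lower()
    intended = set(intended_allowed)
    unexpected_allow = sorted(p for p, a in results.items()
                              if a == "allowed" and p not in intended)
    unexpected_deny = sorted(p for p, a in results.items()
                             if a == "denied" and p in intended)
    missing = sorted(set(evaluated) - set(results))
    return unexpected_allow, unexpected_deny, missing


# Constructed sample export, not real product output.
SAMPLE_EXPORT = """Port,Action
22,Denied
80,Allowed
443,Allowed
9100,Denied
"""

if __name__ == "__main__":
    evaluated = expand_ports("22,80,443,9100-9101")
    print(audit_export(SAMPLE_EXPORT, intended_allowed=[443, 9100], evaluated=evaluated))
```

Keeping the intended-allowed list per source and destination pair in version control lets the same check be rerun after each policy change.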

 

Benefits of the Policy Evaluator

The Policy Evaluator offers several advantages:

  • Quick validation of policies without needing live traffic testing.
  • Detailed visualization of traffic flow through the network, aiding in troubleshooting.
  • Scenario testing by altering source, destination, and protocol inputs. Easily troubleshoot connectivity issues by first testing whether a policy in place is impacting flows.

 
