Policy Evaluator
The Policy Evaluator in Cloud Control Center allows administrators to quickly determine and verify policy actions applied to traffic between a specified source and destination over a selected protocol and ports. Both the source and destination can be defined as a Policy Group, a MAC address, or an IP address. This tool provides clear insights into the behavior of policies between defined sources and destinations, supporting troubleshooting, auditing, and policy refinement.
Accessing the Policy Evaluator
The Policy Evaluator is available under Tools & Utilities in the Cloud Control Center navigation pane.
1. Specify the Source
Select a Policy Group, MAC address, or IP address as the source. Policy Groups are selectable from a list, while MAC and IP addresses are searchable after typing at least two characters.
Note: If a MAC or IP address is not recognized, it is presented as part of the Unassigned Policy Group.
The source definition also includes protocol and source ports. Ports can be entered as individual values, comma-separated lists, or ranges (for example, 400–500).
When a MAC or IP address is specified, the evaluator displays the ITD (Intelligent Tag Distribution) status. ITD enables device tag propagation between Distribution Zones. This is required for policy enforcement when devices exist in different DZs. If ITD is disabled, policy cannot be enforced across zones.
2. Specify the Destination
Define the destination as a Policy Group, MAC address, or IP address.
Note: If a MAC or IP address is not recognized, it is presented as part of the Unassigned Policy Group.
As with the source, destination ports may be entered as single values, comma-separated lists, or ranges.
When the destination is specified as a MAC or IP address, the evaluator also displays the ITD status. This provides visibility into whether policies can be enforced across Distribution Zones for the evaluated flow.
3. Policy Evaluator Results
Click Run to perform the evaluation. The results window displays the evaluation details, including:
- Source information: the Policy Group, MAC, or IP address, protocol, source ports, and ITD status when applicable.
- Destination information: the Policy Group, MAC, or IP address, destination ports, and ITD status when applicable.
- Policy evaluation details: policy name (the directional relationship between source and destination), policy type (Deny All, Allow All, Return Path, or Custom), policy status (Active or Simulation), and resulting action (Allow, Deny, or Unspecified).
For custom policies, the evaluator shows the applied Security Profile. This replaces the prior ability to view allowed/denied ports or export them as a CSV. The Security Profile reflects the enforcement policy in effect for the evaluated traffic.
Cross-Distribution Zone Considerations
Policies may apply across multiple Distribution Zones. In cases where devices are in different DZs, ITD must be enabled to propagate tags between zones. If ITD is disabled, enforcement will not be performed by Elisity between zones, even if the evaluator shows a policy match.
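The three evaluation steps above and the cross-zone caveat can be tied together in a small model. The following Python is an added illustration written for this page, not Elisity code and not a description of how Cloud Control Center implements the evaluator: the inventory, group and policy names, the layout of a Security Profile as protocol-to-port map, the Return Path semantics (allowed only when the reverse flow is allowed), and the treatment of a Simulation policy as "matched but not enforced" are all assumptions. What it does show is the part practitioners most often get wrong: a policy match and actual enforcement are two different results, and an unrecognized MAC/IP silently falls into the Unassigned group.

```python
# Added illustrative model of the Policy Evaluator workflow; not Elisity code.
# Inventory, group names, policy names and the Security Profile layout are assumptions.
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class PolicyType(Enum):
    DENY_ALL = "Deny All"
    ALLOW_ALL = "Allow All"
    RETURN_PATH = "Return Path"
    CUSTOM = "Custom"


UNASSIGNED = "Unassigned"  # group an unrecognized MAC or IP is reported under


def parse_ports(spec: str) -> frozenset[int]:
    """Parse '22', '80,443' or '400-500' (the en dash in '400–500' is accepted too)."""
    ports: set[int] = set()
    for token in spec.replace("\u2013", "-").split(","):
        token = token.strip()
        if not token:
            continue
        lo, _, hi = token.partition("-")
        lo_n, hi_n = int(lo), int(hi or lo)
        if not 0 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"bad port spec: {token!r}")
        ports.update(range(lo_n, hi_n + 1))
    return frozenset(ports)


@dataclass(frozen=True)
class Endpoint:
    group: str
    dz: Optional[str] = None  # Distribution Zone; unknown for a bare Policy Group


# Constructed sample inventory (assumption): MAC/IP -> (Policy Group, Distribution Zone)
INVENTORY = {
    "00:11:22:33:44:55": ("Cameras", "DZ-East"),
    "10.1.1.10": ("Cameras", "DZ-East"),
    "10.2.2.20": ("VideoServers", "DZ-West"),
    "10.2.2.21": ("VideoServers", "DZ-East"),
}
GROUPS = {"Cameras", "VideoServers", UNASSIGNED}


def resolve(selector: str) -> Endpoint:
    """Group name -> itself; known MAC/IP -> its group and DZ; anything else -> Unassigned."""
    if selector in GROUPS:
        return Endpoint(selector)
    group, dz = INVENTORY.get(selector, (UNASSIGNED, None))
    return Endpoint(group, dz)


@dataclass
class Policy:
    name: str            # directional: source group -> destination group
    src_group: str
    dst_group: str
    ptype: PolicyType
    active: bool = True  # False models "Simulation" status
    profile: Optional[dict] = None  # Custom only (assumed layout): protocol -> allowed dst ports


@dataclass
class Result:
    policy: Optional[str]
    action: str     # Allow / Deny / Unspecified
    status: str     # Active / Simulation / n/a
    enforced: bool  # False when the matched policy would not actually be enforced
    note: str = ""


def evaluate(policies, src, dst, proto, dst_ports, src_ports="",
             itd_enabled=True, _follow_return=True) -> Result:
    s, d = resolve(src), resolve(dst)
    ports = parse_ports(dst_ports)
    pol = next((p for p in policies
                if p.src_group == s.group and p.dst_group == d.group), None)
    if pol is None:
        return Result(None, "Unspecified", "n/a", False, "no policy between these groups")
    if pol.ptype is PolicyType.ALLOW_ALL:
        action = "Allow"
    elif pol.ptype is PolicyType.DENY_ALL:
        action = "Deny"
    elif pol.ptype is PolicyType.CUSTOM:
        allowed = (pol.profile or {}).get(proto.lower(), frozenset())
        action = "Allow" if ports and ports <= allowed else "Deny"  # every evaluated port must be covered
    else:  # RETURN_PATH (assumed semantics): allowed iff the forward flow dst -> src is allowed
        if not _follow_return:
            action = "Unspecified"  # two Return Path policies facing each other resolve nothing
        else:
            fwd = evaluate(policies, dst, src, proto, src_ports, dst_ports, itd_enabled, False)
            action = "Allow" if fwd.action == "Allow" else "Deny"
    status = "Active" if pol.active else "Simulation"
    enforced, note = pol.active, ""
    if s.dz and d.dz and s.dz != d.dz and not itd_enabled:
        enforced = False
        note = "ITD disabled: tags not propagated between DZs, matched policy is not enforced"
    return Result(pol.name, action, status, enforced, note)


# Constructed sample policies (assumption)
POLICIES = [
    Policy("Cameras->VideoServers", "Cameras", "VideoServers", PolicyType.CUSTOM,
           profile={"tcp": parse_ports("554,8000-8010")}),
    Policy("VideoServers->Cameras", "VideoServers", "Cameras", PolicyType.RETURN_PATH),
    Policy("Unassigned->VideoServers", UNASSIGNED, "VideoServers", PolicyType.DENY_ALL),
    Policy("Cameras->Cameras", "Cameras", "Cameras", PolicyType.ALLOW_ALL, active=False),
]

if __name__ == "__main__":
    print(evaluate(POLICIES, "10.1.1.10", "10.2.2.21", "tcp", "554"))
    print(evaluate(POLICIES, "10.1.1.10", "10.2.2.20", "tcp", "554", itd_enabled=False))
    print(evaluate(POLICIES, "10.9.9.9", "10.2.2.21", "tcp", "554"))
```

The `Result` deliberately carries both `action` and `enforced`: a camera in DZ-East talking to a server in DZ-West with ITD disabled still matches the Custom policy and reports Allow, but `enforced` is False, which is exactly the situation the cross-zone note above warns about. Likewise an address missing from the inventory is evaluated under the Unassigned group, so a Deny seen there may reflect an inventory gap rather than the intended policy.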
Benefits
The Policy Evaluator provides administrators with a reliable method to validate and visualize policy behavior without requiring live traffic. By specifying source and destination parameters, including MAC/IP addresses, ports, and protocols, administrators can:
- Troubleshoot connectivity by simulating traffic flows.
- Confirm whether policies enforce traffic as expected across Distribution Zones.
- View Security Profiles associated with custom policies for clarity on enforcement.