Adding Segmentation Policies
In the Horizon application, network segments are created using segmentation policies, which define which traffic is allowed. More specifically, a segmentation policy specifies which assets accept incoming connections, which source assets are able to establish those connections, and over which ports.
Policy Creation
Segmentation policies are added, viewed, and managed from the Management > Policies page.
To add a new policy, click on the Add button. This will bring you to the Add Policy page.
You will need to complete the following fields to define your new policy:
- Description: Enter a descriptive name for this segmentation policy.
- Publishing: If set to Disabled, the policy has no effect on your network, but you can still preview its effects. If set to Monitoring, publishing is simulated: no firewall rules are modified on your endpoints, but monitored connections that violate your policy list are flagged. If set to Published, the identified assets have their firewalls reconfigured according to this policy.
- Selector: Choose your segmentation taxonomy and enter the set of taxonomy terms that identifies the assets that should accept incoming traffic.
- Service: Choose the service, or port, over which connections should be allowed in this segment. Custom services can be added on the Management > Services page.
- Source: Enter the set of taxonomy terms that identifies the assets that should be able to establish connections to the assets identified by the Selector field. For each term, set the Match field to Exact to identify assets tagged with the exact term specified. To match dynamically on one of the tags of the selector assets instead, enter the parent of the term and set the Match field to Same. For example, if an asset identified by the Selector field is tagged with Location::US East, then adding a Source term Location with the Match field set to Same identifies assets tagged with Location::US East. This lets a single policy create many segments if your assets are tagged with many different Location terms.
Before clicking Save and returning to the policies list, click Preview to see how the new policy will affect your network. In the preview table, each row corresponds to an asset identified by the Selector field. Clicking the expand arrow shows all source assets that are allowed to establish connections to that selector asset over the port specified in the policy.
If some of the expected assets are missing from this preview, review the configuration of your assets to ensure they are properly tagged and promoted to major versions. Otherwise, click Save to finish creating the segmentation policy.
Like assets, policies also use a version control system which distinguishes between major and minor versions. For this new policy to have an effect on your network, it must be promoted to its next major version. This can be done by clicking Actions > Promote major on the policy.
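The Selector, Service and Source fields above resolve to a set of allowed (source asset, selector asset, port) pairs, which is what the Preview table shows and what Monitoring mode checks connections against. The following is an added example, not Horizon's own code: a small model of that resolution, including the Same match that copies a taxonomy value from the selector asset being evaluated, and a Monitoring-style check that flags connections no active policy admits. The tag syntax Taxonomy::Term follows the page's Location::US East; the asset names, tags, connection records, and the rule that a Same term matches nothing when the selector asset carries no term in that taxonomy are assumptions made for the example.

```python
from dataclasses import dataclass

# Hypothetical model of the policy fields; the tag syntax "Taxonomy::Term"
# follows the page's "Location::US East". All sample data below is constructed.


@dataclass(frozen=True)
class Asset:
    name: str
    tags: frozenset

    def value_of(self, taxonomy):
        """Term this asset carries under `taxonomy` ("US East" for "Location"), or None."""
        for tag in self.tags:
            tax, _, term = tag.partition("::")
            if tax == taxonomy:
                return term
        return None


@dataclass(frozen=True)
class SourceTerm:
    term: str    # full tag for Exact ("Role::App"); parent taxonomy for Same ("Location")
    match: str   # "Exact" or "Same"


@dataclass(frozen=True)
class Policy:
    description: str
    selector: frozenset   # tags every selector asset must carry
    service: int          # port the policy admits
    sources: tuple        # SourceTerm entries; a source asset must satisfy all of them
    publishing: str = "Disabled"   # Disabled | Monitoring | Published


def selected_assets(policy, assets):
    return [a for a in assets if policy.selector <= a.tags]


def allowed_sources(policy, selector_asset, assets):
    """Assets allowed to connect to one selector asset over policy.service."""
    required = set()
    for st in policy.sources:
        if st.match == "Exact":
            required.add(st.term)
        elif st.match == "Same":
            value = selector_asset.value_of(st.term)
            if value is None:       # assumption: no term in that taxonomy -> nothing matches
                return []
            required.add(f"{st.term}::{value}")
        else:
            raise ValueError(f"unknown match type {st.match!r}")
    return [a for a in assets if required <= a.tags]


def preview(policy, assets):
    """Same shape as the Preview table: selector asset -> its allowed source assets."""
    return {sel.name: sorted(a.name for a in allowed_sources(policy, sel, assets))
            for sel in selected_assets(policy, assets)}


def flag_violations(policies, connections, assets):
    """Monitoring: flag connections to an asset covered by a Monitoring or Published
    policy that none of those policies admits. connections: (src_name, dst_name, port)."""
    by_name = {a.name: a for a in assets}
    active = [p for p in policies if p.publishing != "Disabled"]
    flagged = []
    for src_name, dst_name, port in connections:
        src, dst = by_name[src_name], by_name[dst_name]
        covering = [p for p in active if p.selector <= dst.tags]
        permitted = any(p.service == port and src in allowed_sources(p, dst, [src])
                        for p in covering)
        if covering and not permitted:
            flagged.append((src_name, dst_name, port))
    return flagged


ASSETS = [
    Asset("web-east-1", frozenset({"Role::Web", "Location::US East"})),
    Asset("web-west-1", frozenset({"Role::Web", "Location::US West"})),
    Asset("app-east-1", frozenset({"Role::App", "Location::US East"})),
    Asset("app-west-1", frozenset({"Role::App", "Location::US West"})),
    Asset("db-east-1", frozenset({"Role::DB", "Location::US East"})),
]

# One policy, one segment per Location: the App tier may reach the Web tier on 8443,
# but only within the same location (Exact on Role, Same on Location).
POLICY = Policy(
    description="App to Web, same location",
    selector=frozenset({"Role::Web"}),
    service=8443,
    sources=(SourceTerm("Role::App", "Exact"), SourceTerm("Location", "Same")),
    publishing="Monitoring",
)

# Constructed monitored connections: (source, destination, port).
CONNECTIONS = [
    ("app-east-1", "web-east-1", 8443),   # admitted by POLICY
    ("app-west-1", "web-east-1", 8443),   # wrong location -> flagged
    ("db-east-1", "web-east-1", 443),     # wrong role and port -> flagged
    ("app-east-1", "db-east-1", 3306),    # db-east-1 is not a selector asset -> not flagged
]

if __name__ == "__main__":
    for sel, srcs in preview(POLICY, ASSETS).items():
        print(f"{sel}:{POLICY.service} <- {', '.join(srcs)}")
    print("violations:", flag_violations([POLICY], CONNECTIONS, ASSETS))
```

Running the block prints one segment per location, which is the effect the Source paragraph describes for a Same match: a single policy yields web-east-1 reachable only from app-east-1 and web-west-1 only from app-west-1.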
Policy Enforcement
Once your segmentation policy is published, it must be enforced on the selector assets to trigger reconfiguration of the inbound firewall rules on those endpoints. To enforce the policy, navigate to the appropriate asset in the assets database and click Actions > Enforce Policies.
This triggers remote execution of the firewall management script, which adds the firewall rules needed to enforce every segmentation policy whose Selector field identifies this asset. After the script has completed, the endpoint drops incoming traffic from all sources except those specified by your segmentation policies.
Note
Before enforcing policies on your first asset, make sure that the three built-in policies are published and promoted to a major version. These policies are responsible for keeping remote access open to the Horizon host once the firewall is reconfigured. If policies are enforced on an asset while the built-in policies are disabled, you will lose access to that endpoint from the Horizon app and will need to reopen the remote-access ports manually. The Preview table of the built-in policies is a quick way to confirm this before enforcing: the asset you are about to enforce should appear there with the Horizon host among its allowed sources.
To undo this operation and restore the default firewall configuration of this endpoint, navigate to this asset in the assets database, and click Actions > Restore Original.
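The page does not show the firewall management script that Enforce Policies runs. The following added example (not Horizon's code) builds an equivalent inbound rule set for one endpoint: ACCEPT entries for allowances already resolved from the published policies that select this endpoint, then a default DROP, with the guard the note above calls for: it refuses to produce the rule set at all unless some allowance admits the Horizon host on the management port, so a missing or disabled built-in policy fails loudly instead of locking you out. The iptables syntax, the dedicated chain name HORIZON_IN, 22/tcp as the management port, the (description, source, port) triple format, the addresses, and the commands attributed to Restore Original are all assumptions made for the example.

```python
import ipaddress
import shlex

# Assumptions (not from the page): the enforcement script uses iptables, keeps its
# rules in a dedicated chain, and the Horizon host reaches endpoints over 22/tcp.
CHAIN = "HORIZON_IN"


class LockoutRisk(Exception):
    """The rule set would cut the Horizon host off from this endpoint."""


def _validated(source, port):
    """Reject anything that is not an address/CIDR and a TCP port before it is
    interpolated into a command line."""
    net = str(ipaddress.ip_network(source, strict=False))
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"bad port {port}")
    return net, port


def would_lock_out(allowances, horizon_host, mgmt_ports=(22,)):
    """True unless, for every management port, some allowance admits the Horizon host."""
    host = ipaddress.ip_address(horizon_host)
    accepts = [_validated(src, port) for _, src, port in allowances]
    return not all(
        any(port == mp and host in ipaddress.ip_network(src) for src, port in accepts)
        for mp in mgmt_ports
    )


def build_ruleset(allowances, horizon_host, mgmt_ports=(22,)):
    """Commands that make this endpoint drop inbound traffic except the allowances.

    allowances: (policy description, source address or CIDR, port) triples already
    resolved from every published policy whose selector identifies this endpoint.
    """
    if would_lock_out(allowances, horizon_host, mgmt_ports):
        raise LockoutRisk(f"no allowance admits {horizon_host} on {mgmt_ports}; "
                          "publish and promote the built-in policies first")
    accepts = sorted({(*_validated(src, port), desc) for desc, src, port in allowances})
    rules = [
        f"iptables -N {CHAIN} 2>/dev/null || iptables -F {CHAIN}",
        f"iptables -A {CHAIN} -i lo -j ACCEPT",
        f"iptables -A {CHAIN} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    rules += [
        f"iptables -A {CHAIN} -p tcp -s {src} --dport {port} "
        f"-m comment --comment {shlex.quote(desc)} -j ACCEPT"
        for src, port, desc in accepts
    ]
    rules.append(f"iptables -A {CHAIN} -j DROP")
    # Hook the chain into INPUT last, so every ACCEPT exists before a packet can hit the DROP.
    rules.append(f"iptables -C INPUT -j {CHAIN} 2>/dev/null || iptables -I INPUT 1 -j {CHAIN}")
    return rules


def restore_original():
    """Undo enforcement (what Restore Original would run under these assumptions)."""
    return [f"iptables -D INPUT -j {CHAIN}", f"iptables -F {CHAIN}", f"iptables -X {CHAIN}"]


# Constructed sample: one segmentation policy plus the built-in policy that keeps
# the Horizon host's remote access open.
ALLOWANCES = [
    ("App to Web, same location", "10.1.0.0/24", 8443),
    ("Built-in: Horizon remote access", "10.0.0.5", 22),
]
HORIZON_HOST = "10.0.0.5"

if __name__ == "__main__":
    print("\n".join(build_ruleset(ALLOWANCES, HORIZON_HOST)))
```

Dropping the second allowance from ALLOWANCES reproduces the failure mode in the note: would_lock_out returns True and build_ruleset raises LockoutRisk before any rule is emitted. Validating sources through ipaddress before formatting them matters for the same reason as the guard: the script runs with enough privilege to reconfigure the firewall, so tag values and service definitions should never reach its command line unchecked.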