Policies Management
A microsegmentation policy selects assets using the criteria defined by the policy selector. For each selected asset, the policy builds a list of sources (assets or IP lists) that can connect to the service defined in the policy using the specified source selection criteria. With all this information, the policy generates firewall rules for each selected asset for the defined service and selected sources.
In the Publishing state, the policy publishes the generated rules to the endpoints of assets that have microsegmentation enabled.
In the Monitoring state, or for assets with microsegmentation disabled, the policy monitors the connections detected on the asset endpoints and marks as violations those connections that the firewall would block once the firewall rules are published to the endpoint.
Segmentation enforcement applies only to major (approved) versions of a policy. Editing a policy creates a draft (minor) version that network stakeholders can review before it is promoted to a major version; from that point the policy starts generating, monitoring and publishing firewall rules to the asset endpoints.
Each microsegmentation policy consists of the following components:
- Segmentation Taxonomy is the taxonomy used both for selecting assets and for selecting source assets. The policy selects assets that carry the taxonomy field configured as the policy's Segmentation Taxonomy. System owners may add multiple taxonomy fields to assets, which allows policies to be built on different segmentation taxonomies; in that case an asset may be served by policies based on different taxonomies.
- Selector is the query that chooses the assets the policy applies to. It is defined as a list of terms from the Segmentation Taxonomy; the policy generates firewall rules for the assets tagged with all terms in the Selector list.
- Service is the service (workflow) affected by the policy.
- Source is the query applied to each asset found by the Selector to choose the allowed sources (assets or IP lists) that can connect to the service running on that asset. The Source is defined as a list of terms from the Segmentation Taxonomy; for each asset from the Selector, the policy selects source assets that carry all tags in the source criteria, and generates firewall rules for the ports defined by the service and the source IP ranges defined by the sources. Source terms can be fixed tags from the Segmentation Taxonomy or can reference the tags of the asset found by the Selector.
Creating a Policy
To create a new policy:
- Log in with an Administrator or Segmentation Manager account.
- Navigate to Management > Policies and click the Add button.
- Click on a parameter name for details about it, or follow the guidance provided here:
- Description: enter a description of the policy.
- Publishing: set the policy status. The following statuses are available:
  - Disabled: the policy is disabled.
  - Monitoring: the policy marks connections detected on the asset endpoints as violations if the firewall would block them once the firewall rules are published to the endpoint.
  - Publishing: the policy publishes the generated rules to the endpoints of assets that have microsegmentation enabled.
- Selector: the query that chooses the assets the policy applies to. It is defined as a list of terms from the Segmentation Taxonomy; the policy generates firewall rules for the assets tagged with all terms in the Selector list.
- Taxonomy: a term hierarchy for taxonomy fields. When editing assets of this field type, users can quickly select a value from the hierarchy of terms using a type-ahead selection control.
- Selector Segment: the list of Segmentation Taxonomy terms that make up the Selector. An asset is selected, and receives firewall rules, only if it is tagged with all of the listed terms.
- Service: the service (workflow) affected by the policy.
- Source: the query applied to each asset found by the Selector to choose the allowed sources (assets or IP lists) that can connect to the service running on that asset. The Source is defined as a list of terms from the Segmentation Taxonomy; for each asset from the Selector, the policy selects source assets that carry all tags in the source criteria, and generates firewall rules for the ports defined by the service and the source IP ranges defined by the sources. Source terms can be fixed tags from the Segmentation Taxonomy or can reference the tags of the asset found by the Selector.
- Source Segment: select a term for the source selection together with its match style. The match style can be one of the following:
  - Exact match selects source assets tagged with the chosen term, for every asset selected by the Selector.
  - Same match selects, for each asset selected by the Selector, the source assets tagged with the same sub-term of the chosen term as that asset. Same match lets a single policy define different source criteria for each selected asset, depending on the terms the selected assets are tagged with.
  Change the match style of a selected term with the edit action in the list of selected terms below. Use the delete action in the table below to remove a term from the selection.
  - Term: the Segmentation Taxonomy term for the source selection.
- Click the Save button to complete the operation.
Note
New policies are created in a minor state (0.1) and minor version policies cannot be published. To publish a segmentation policy, first promote a policy to a major version.
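As an added illustration (not the product's own code), the following Python models the selection rules described in the policy components and in the Source Segment match styles above: the Selector requires all listed terms, Exact and Same match resolve the sources per selected asset, and the Monitoring state flags flows that the resulting rules would block. The "Parent:Child" tag convention, the asset inventory, IP addresses and observed flows are constructed for the example.

```python
from dataclasses import dataclass

# Hypothetical hierarchy convention (not the product's data model):
# "Parent:Child" strings, so "App:Billing" is a sub-term of "App".
@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    tags: frozenset  # Segmentation Taxonomy terms carried by the asset

def select(assets, selector):
    """Selector: an asset is chosen only if tagged with ALL listed terms."""
    return [a for a in assets if set(selector) <= a.tags]

def sources_for(target, assets, criteria):
    """criteria: (term, style) pairs. 'exact': source must carry the term itself.
    'same': source must carry the target's own sub-term of that parent term;
    a target with no such sub-term gets no sources (assumption, not from the docs)."""
    wanted = set()
    for term, style in criteria:
        own = {t for t in target.tags if t.split(":")[0] == term}
        if style == "exact":
            wanted.add(term)
        elif not own:
            return []
        else:
            wanted |= own
    return [a for a in assets if wanted <= a.tags]

def generate_rules(assets, selector, ports, criteria):
    """One allow rule per selected asset and service port: (dst_ip, port, src_ips)."""
    return [(t.ip, p, frozenset(s.ip for s in sources_for(t, assets, criteria)))
            for t in select(assets, selector) for p in ports]

def violations(rules, flows):
    """Monitoring state: a flow (src_ip, dst_ip, port) to a policed port from a
    source outside the allow list would be blocked once the rules are published."""
    allow = {(dst, port): srcs for dst, port, srcs in rules}
    return [f for f in flows if (f[1], f[2]) in allow and f[0] not in allow[(f[1], f[2])]]

# Constructed inventory: two applications, each with a web and a DB tier.
ASSETS = [Asset(n, ip, frozenset({"Env:Prod", tier, app})) for n, ip, tier, app in [
    ("web-billing", "10.0.1.10", "Tier:Web", "App:Billing"),
    ("db-billing", "10.0.2.10", "Tier:DB", "App:Billing"),
    ("web-crm", "10.0.1.20", "Tier:Web", "App:CRM"),
    ("db-crm", "10.0.2.20", "Tier:DB", "App:CRM")]]
# Policy: Selector = prod DB tier; Service = PostgreSQL port 5432;
# Source Segment = Tier:Web (Exact match) plus App (Same match).
SELECTOR, PORTS = ["Env:Prod", "Tier:DB"], [5432]
CRITERIA = [("Tier:Web", "exact"), ("App", "same")]
RULES = generate_rules(ASSETS, SELECTOR, PORTS, CRITERIA)
# Constructed flows: same-app web->DB is allowed, cross-app web->DB is flagged,
# SSH is outside the policy's service and therefore not evaluated.
FLOWS = [("10.0.1.10", "10.0.2.10", 5432), ("10.0.1.20", "10.0.2.10", 5432),
         ("10.0.1.10", "10.0.2.20", 5432), ("10.0.1.10", "10.0.2.10", 22)]
```

Because Same match resolves `App` per target, one policy yields a different allow list for each DB host; `violations(RULES, FLOWS)` returns only the two cross-application flows.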
Previewing Policies
Before you decide on a publishing status, you can use the Preview option to display which assets, based on the selected taxonomy, would be able to communicate with the other hosts covered by the policy. The Preview is a good way to confirm which hosts could or could not communicate if the policy were applied, before you publish it.
To preview a policy, select it and choose Preview from its Actions menu. The Policy Query Preview window appears and displays the following information:
- A list of Hosts found based on the Selector Segment terms applied in the policy.
- Expanding a Host shows which Source hosts will be able to communicate with it.
Managing Policies
Administrators can further manage existing policies with the following options:
- Edit: opens the edit form to make changes to the current policy.
- History: displays the change history of the selected policy. From the History list, you can Preview an earlier version or choose to Restore an earlier version.
- Demote Major: use this option to demote a major to a minor version.
- Promote Major: use this option to promote a minor to a major version.
- Preview: this option opens the Policy Query Preview window.
- Disable: this option will switch a monitored or published policy to Disabled.
- Monitor: this option will switch a disabled or published policy to Monitoring.
- Publish: this option will switch a disabled or monitored policy to Publishing.
- Delete: use this option to delete the policy.