Skip to main content

Security Policy Guide 23.2

Policy Generator

The Policy Generator simplifies the Illumio policy creation process by recommending the optimal security policy for your App Groups. You can use it to accelerate security workflows and reduce the risk of human error while creating security policy.

Overview of Policy Generator

The Policy Generator uses network traffic to recommend and generate micro-segmentation policies for every workload and application, regardless of it's location. It can generate rules for applications running on physical devices, virtualized platforms, and behind network devices on-premises or deployed in the cloud.

Policy Generator supports the creation of DNS-based rules under all the wizards (intra-scope, extra-scope, and IP lists). You can edit the proposed virtual services and add wildcards.

Application owners use the Policy Generator to write the following types of rules for the applications they manage:

  • Intra-scope rules

  • Extra-scope rules

  • Rules using IP lists.

For more information about each rule type, see Rulesets, Rules, and IP Lists.

For a selected App Group, the Policy Generator provides:

  • A workflow to create a ruleset that controls internal and external traffic.

  • A way to assess your current rule coverage, which represents the number of detected connections that are controlled by rules divided by the total number of connections.

    You can increase your rule coverage by creating rules for detected connections that are not controlled by rules. The Policy Generator proposes rules for connections that are not allowed currently by rules and displays the consolidated flow count for each new proposed rule to help ensure the maximum impact on rule coverage.

    Note

    The Policy Generator calculates rule coverage automatically every 24 hours or after creating a draft ruleset.

    You can rewrite rules as your datacenter needs change and the Policy Generator will show you the before and after effect of those rules.

  • A way to assess your current rule coverage, which represents the number of detected connections that are controlled by rules divided by the total number of connections.

  • Visualization of the traffic between roles associated with a specific application, as represented by App Groups.

  • Options to select the level of granularity for new rules; see About Granularity Levels for Rules for information.

The first time you use the Policy Generator for an App Group, it creates a new draft ruleset with the title of the selected App Group. When you use Policy Generator again to create additional rules, it adds them to the existing ruleset that was created by the Policy Generator. You review the proposed rules and can customize them before you save them into a draft ruleset. For Windows, the Policy Generator detects and suggests Windows process- and service-based rules accordingly. You can edit the service before saving it.

Note

You must provision the rules to apply them to workloads. See Provisioning for more information.

When an App Group has several consumers communicating with a specific provider, the Policy Generator merges all the consumers into one rule for easy readability and better scalability.

On the Summary tab of the Ruleset page, any rulesets created with Policy Generator have the default description “Automatically generated using the Illumio Policy Generator” and the value of illumio_policy_generator for the External Data Set field. The value for the External Data Reference is the App Group name.

Policy Generator Prerequisites and Limitations

The Policy Generator is bound by the following prerequisites and limitations:

  • You cannot add Role-level rules until Role labels have been added to all workloads in the App Group.

    When some workloads in an App Group do not have Role labels, you can still write an App Group level rule using Policy Generator to allow all the workloads to communicate with each other.

  • Rule coverage is updated one App Group at a time.

About Granularity Levels for Rules

The following options allow you to select the restrictiveness of your security policy.

Intra-Scope Rules

Granularity Level

Description

App Group Level

(Also known as micro-segmentation or Ringfencing) All workloads in the App Group can communicate with each other across all services. This option is best for creating a broad initial policy that can be further refined later if needed.

Role Level - All Services

All workloads with a specific Role label can communicate with all workloads with Role labels matching the observed flows across all services. This option is useful for restricting role-to-role traffic between workloads when you have many core services that need to communicate with these workloads. When a workload is missing the Role label, the Policy Generator excludes that connection from the wizard.

Role Level - Specified Services

(Also known as nano-segmentation) All workloads with a specific Role label can communicate with all workloads with Role labels matching the observed flows across specified services, based on the collected traffic flow summaries. When a matching port/protocol cannot be located in an existing service, a new service with the necessary port/protocol is created when the proposed rules are saved. Use this option to create the most restrictive policy.

Extra-Scope and IP List Rules

Granularity Level

Description

All Services

Workloads can communicate over all services. This service policy type provides less restriction for workload communication.

Specified Services

Workloads can communicate over specified services. This service policy type provides more restriction for workload communication.

Ways to Access Policy Generator

You can access Policy Generator from the following locations in the PCE web console:

Entry Point

Description

Policy Generator

Launches the Policy Generator. You must select an App Group to begin.

App Group Map > App Group panel > Start Policy Generator

Launches the Policy Generator for the App Group selected. When you’ve opened a Consuming App Group and selected the App Group, the Policy Generator creates an extra-scope rule. You can proceed or add more Consuming App Groups.

Illumination > Group panel > Start Policy Generator

Launches the Policy Generator for the App Group selected.

Note

App Groups must be configured to use three labels to start the Policy Generator from the Illumination map.

Rulesets and Rules > Start Policy Generator

Launches the Policy Generator. You must select an App Group to begin.

Rulesets and Rules > Ruleset Details > Start Policy Generator

When a ruleset was created using the Policy Generator, the ruleset scopes and Rules tab includes a Start Policy Generator button. Clicking the Start Policy Generator button, launches the Policy Generator with the App Group selected.

Troubleshooting > Blocked Traffic > Start Policy Generator

Launches the Policy Generator. You must select an App Group to begin.

App Group Map > App Group panel > Mitigate Vulnerabilities

Launches the Policy Generator. You can update your policy to minimize the risks due to the vulnerabilities.

Create Intra-scope Rules with Policy Generator

  1. From the PCE web console menu, choose Policy Generator.

    The Select App Group page appears. The page displays when the Policy Generator last calculated the coverage for each type of rule. Click the refresh icon to recalculate Rule coverage.

  2. Select an App Group.

    See Segment Multiple App Groups with Policy Generator for information about adding App Group level rules for multiple App Groups.

  3. Click the Start with Intra-Scope button.

    The Intra-Scope Rule Configuration page appears.

  4. In the Choose Intra-Scope Rule Configuration section, select a granularity level for the rules.

    See Create Intra-Scope Rules with Policy Generator for a description of these rule granularity levels.

    The detected connections (including details such as provider, port/protocol, and consumer) appear in the Review All Connections section.

    Rule Configuration

    Connections Displayed

    App Group Level

    Labels, ports, and protocols in a single row

    Role Level - All Services

    Number of connections and associated labels

    Role Level - Specified Services

    Associated labels and ports/protocols

    Note

    The Policy Generator displays a truncated list of ports and protocols when the App Group has more than four types of ports or protocols. To display the remaining ports or protocols in a modal window, click the + More link.

  5. (Optional for Role level) To exclude a connection from the proposed rules, click Exclude. The row is grayed out to indicate that no rules will be proposed for this connection and the amount of rule coverage decreases. To include an excluded connection, click Include.

    Note

    At least one connection must be included to continue.

  6. Click Next.

    The proposed rules appear in the Preview page.

    pg_intra-scope1-19-1.png

  7. (Optional) To edit the service for a rule, click the pencil icon pencil_icon.png beside a service. The Edit Service dialog box appears.

    Select a service from the drop-down list or create a new one. You can select services that have broader ranges of ports. The list includes every service that matches that port and protocol. When you’ve added a service that has multiple ports and protocols or ranges, they all appear in the list.

    Select Apply Changes to all matching ports to allow the service to be used in other rules that match that service. You are prompted to allow the Policy Generator to merge rules. To cancel the merge, reload the page and start over.

    When you create a process-based service, the connection appears like it’s not covered.

    For information about creating a service, see Create a Service.

  8. To accept the proposed rules, click Save and OK.

    The Policy Generator Successful message appears which displays the number of new rules and services. The rules are added to a draft ruleset. Click Continue with App Group to add extra-scope rules or rules using IP lists for the same App Group. On the last step of the Policy Generator, you can return to the App Group to add or append to the rules.

    Note

    You must provision the rules to apply them to workloads. See Provisioning for more information.

Create Extra-scope Rules with Policy Generator

When you create extra-scope rules, the Policy Generator displays all traffic that originates from a different App Group and is targeted at the selected App Groups. The Policy Generator displays all App Groups that the selected App Groups communicate with. You can choose which connects to cover with rules.

  1. From the PCE web console menu, choose Policy Generator.

    The Select App Group page appears. The page displays when the Policy Generator last calculated the coverage for each type of rule. Click the refresh icon to recalculate rule coverage.

  2. Select an App Group.

    See Segment Multiple App Groups with Policy Generator for information about adding App Group level rules for multiple App Groups.

  3. Click the Start with Extra-Scope button.

    The Extra-Scope App Group Selection page appears.

  4. Select one or more Consuming App Groups and click Next.

    For each App Group, the Policy Generator displays the current number of connections and connections covered by a rule.

    Note

    Consuming App Groups with 100% rule coverage are not displayed in the page.

    The Configure Extra-Scope page appears.

  5. Select whether to configure rules by App Group or by role:

    • App Group Level: All workloads in the specified App Group can communicate with all workloads in the other App Groups

    • Role Level: Specified workloads in the App Group can communicate with specified workloads in the other App Groups

  6. Select the permitted services for the rules:

    • All Services: Workloads can communicate over all services

    • Specified Services: Workloads can communicate over specified services

    See Extra-scope Rules and IP Lists for more information.

  7. Review the connections selected for the proposed rules.

    App Groups are separated by a thick line and the organization of the connections differs depending on the selected configuration. Connection details are organized based on your selection:

    Selected Configuration

    Details Organized by:

    App Level + Specified Services

    App Group and port/protocol

    App Level + All Services

    App Group

    Role Level + All Services

    Role and App Group

    Role Level + Specified Services

    Role and port/protocol

  8. (Optional for any configuration except App Level + All Services) To exclude a connection from the proposed rules, click Exclude.

    The row is grayed out to indicate that no rules will be proposed for this connection and the amount of rule coverage decreases. To include an excluded connection, click Include.

  9. To preview the rules proposed by Policy Generator, click Next.

    The Extra-Scope Rule Preview page appears.

  10. (Optional) To edit the service for a rule, click the pencil icon beside a service. The Edit Service dialog box appears.

    Select a service from the drop-down list or create a new one. You can select services that have broader ranges of ports. The list includes every service that matches that port and protocol. When you’ve added a service that has multiple ports and protocols or ranges, they all appear in the list.

    Select Apply Changes to all matching ports to allow the service to be used in other rules that match that service. You are prompted to allow the Policy Generator to merge rules. To cancel the merge, reload the page and start over.

    When you create a process-based service, the connection appears like it’s not covered.

    For information about creating a service, see Create a Service.

  11. To accept the proposed rules, click Save and OK.

    The Policy Generator Successful message appears, which displays the number of new rules and services. The rules are added to a draft ruleset. Click Continue with App Group to add intra-scope rules or rules using IP lists for the same App Group.

    Note

    You must provision the rules to apply them to workloads. See Provisioning for more information.

Create Rules Using IP Lists with Policy Generator

Policy Generator creates rules that use IP lists as intra-scope rules.

When using IP lists to create rules, the Policy Generator defines a connection as a role on a port and protocol to an IP address. For example, when you have five IP addresses that are included in an IP list, the Policy Generator displays five connections.

  1. From the PCE web console menu, choose Policy Generator.

    The Select App Group page appears. The page displays when the Policy Generator last calculated the coverage for each type of rule. Click the refresh icon to recalculate rule coverage.

  2. Select an App Group.

    See Segment Multiple App Groups with Policy Generator for information about adding App Group level rules for multiple App Groups.

  3. Click the Start with IP Lists button.

    The IP List Selection page appears.

  4. Select the IP lists for which you want to write rules and click Next.

    The Configure IP List page appears.

    Tip

    • To view the IP addresses configured in a list (not the IP addresses in the traffic), expand an IP list by clicking the arrow icon in the Name column.

    • To write rules covering all connections, select the Any IP list. This list covers all connections because it includes all the IP addresses.

    • Each IP address can be part of more than one IP list and you can choose which list to write your rules to.

    • When you choose overlapping IP lists, you can write overlapping rules.

      When an IP address is in more than one IP lists, the rule is going to be in all those IP lists.

    • You can write rules for inbound and outbound connections, or both. For example, you can write permissive rules for outbound traffic, and specific rules for inbound traffic.

  5. Select whether to configure rules by App Group or by role:

    • App Group Level: All workloads in the specified App Group can communicate with all workloads in the other App Groups

    • Role Level: Specified workloads in the App Group can communicate with specified workloads in the other App Groups

  6. Select the permitted services for the rules:

    • All Services: Workloads can communicate over all services

    • Specified Services: Workloads can communicate over specified services

    It writes a rule for anything that those IP lists applied to.

    Tip

    • To display the IP addresses of the traffic for each port and protocol, hover over the info (i) icon in the Consumer column.

    • To filter connections by the IP address of the traffic, port number, protocol, role, and label, use the search field above the list of connections. You can use the search field to find and exclude specific traffic.

    • To quickly include or exclude all traffic, use the Include and Exclude buttons by the search field. You can exclude all traffic, then selectively include specific connections.

    policy_generator_iplists_screenshot1.png

  7. To preview the rules proposed by Policy Generator, click Next.

    The IP List Rule Preview page appears.

    policy_generator_iplists_screenshot2.png

  8. (Optional) To edit the service for a rule, click the pencil icon beside a service. The Edit Service dialog box appears.

    Select a service from the drop-down list or create a new one. You can select services that have broader ranges of ports. The list includes every service that matches that port and protocol. When you’ve added a service that has multiple ports and protocols or ranges, they all appear in the list.

    Select Apply Changes to all matching ports to allow the service to be used in other rules that match that service. You are prompted to allow the Policy Generator to merge rules. To cancel the merge, reload the page and start over.

    When you create a process-based service, the connection will appear like it’s not covered.

    For information about creating a service, see Create a Service.

  9. To accept the proposed rules, click Save and OK.

    The Policy Generator Successful message appears, which displays the number of new rules and services. The rules are added to a draft ruleset.

Segment Multiple App Groups with Policy Generator

You can apply nano-segmentation (also known as ringfencing) on multiple App Groups using the Policy Generator. Nano-segmenting App Groups allows all workloads to communicate across all services within each App Group.

When segmenting App Groups, the Policy Generator creates one ruleset per App Group. The ruleset includes a rule that covers traffic for all workloads to all workloads on all services.

  1. From the PCE web console menu, choose Policy Generator.

    The Select App Group page appears. The page displays when the Policy Generator last calculated the coverage for each type of Rule. Click the refresh icon to recalculate rule coverage.

  2. In the Select App Group down-down menu, select Segment Multiple App Groups from the bottom of the list.

    The Choose App Groups page appears.

  3. Select the App Groups to segment and click Next.

    Tip

    • To recalculate rule coverage for an App Group, hover over the Last Calculated column and click the refresh icon. The column displays the time that the rule coverage was calculated.

      The column indicates whether the ruleset for the group has been edited since the last calculation and triggers you to recalculate it.

    • To quickly select App Groups using different criteria, click the arrow icon to the right of the Name column:

      policy_generator_segment_screenshot1.png

    • The Choose App Groups page displays all your App Groups regardless of their percentage of rule coverage or whether they have connections. For example, the page displays App Groups that have 100% rule coverage and groups with zero connections.

  4. To accept the proposed rules, click Save and OK.

    The Policy Generator Successful message appears, which displays the number of new rules. The rules are added to a draft ruleset.