
Security Policy Guide 25.2.10

Policy Check and Rule Search

The Policy Check feature enables you to verify whether a rule allowing communication between workloads or between a workload and another IP address already exists. On the Policy Check page, you select two workloads or IP addresses to determine if a rule exists to allow communication between them. Policy checks can utilize a network profile to account for rules that affect outbound traffic to non-corporate interfaces on endpoints. Servers cannot have non-corporate interfaces.

Note

You can do a policy check between two workloads or a single workload and an IP address.

For example, you have created several rule sets for your workloads and applications, and you want to know whether your organization has an existing rule for that traffic before you start writing new rules that duplicate those existing rules.

Perform a Policy Check
  1. From the PCE web console menu, choose Troubleshoot > Policy Check.

  2. In the Source field, type or select a workload or IP address.

  3. In the Destination field, type or select a workload or IP address.

  4. In the Destination Port and Protocol field, enter a port and protocol when the connection runs over TCP or UDP, or just a protocol when it runs over GRE or IPIP.

  5. Choose Corporate, Non-Corporate Networks (Endpoints Only), or Any in the Network Profile field.

    If an IP address is specified in the Destination and Source fields, the Network Profile value must be set to Corporate, which means searching within the internal corporate network only.

  6. Click Check Rules.

    If a connection between the two selected workloads or IP addresses is allowed, the page displays at least one rule that allows the connection.

    When a rule does not exist, the page displays “No Rules exist to allow that connection.”

Rule Search

When many rules are organized across many rule sets, searching for a particular rule across those rule sets is hard to do by hand. The segmentation rule search solves this by making it simple to find specific rules.

For example, if you have approximately 200,000 rules organized across 700 rule sets and want to determine how many of them cover SNMP (UDP 161), narrowing down that search without this feature is time-consuming.

You can search for and analyze rules that allow communication over a specific port and protocol.

  • Segmentation Rule Search enables you to quickly find rules that apply to sources and destinations.

  • A workload, an IP address, or a set of labels can represent sources and destinations.

  • Using this feature helps you identify rules that are being applied to your workloads due to unnecessarily broad rule sets or human errors.

To search for rules
  1. From the PCE web console menu, select Policies.

  2. Choose the Rule Search tab.

  3. Search for Active or Draft rules.

    1. In release 25.2.10, an additional dropdown list was added to the Rule Search:

      All rules: This includes Override Deny Rules, Allow Rules, Deny Rules, and IP tables rules. All rule types are shown when no type category is selected.

      Subset of rules: Select which rules you want to search by deselecting the other rule types.

    2. Choose an Exact Match of the selected search filters displayed or a match to any of the selected filters (All Results).

    3. Perform a Basic search for all attributes or an Advanced search by destination, source, or both.

    4. Filter by Labels and Rule Attributes. Use these options to narrow your search results. You can search all categories or select only the ones you want to use, such as labels and label groups, IP address, IP lists, Rule options, Port and/or Protocol, Port range, Process name, Windows services, Policy services, Provision status, and Status.

  4. Click Run.

  5. Click Export to export the search result in JSON format.
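Both procedures above, the Policy Check and the Rule Search, come down to matching a requested connection (or a port and protocol filter) against the scopes and services of every rule. The following Python model is added here as an illustration; it is not Illumio's own code, API, or export format, and every workload, label, rule set and rule in it is constructed for the example. policy_check() applies the two constraints the Policy Check steps state (TCP and UDP need a destination port, and an IP address endpoint requires the Corporate network profile) and returns the active allow rules that permit the connection; rule_search() answers the "which rules cover UDP 161" question and filters by rule type, provisioning status and label; broad_allow_rules() flags any-to-any allow rules with unbounded services, the kind of unnecessarily broad rule the Rule Search bullets describe.

```python
"""Toy model of Policy Check and Rule Search over constructed rules.

Assumptions (not Illumio's data model): a scope selector is the string "any",
a frozenset of labels the workload must all carry, or a CIDR string; a service
is (protocol, low_port, high_port) where None ports mean protocol-only (GRE,
IPIP) or all ports of that protocol.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Union


@dataclass(frozen=True)
class Workload:
    name: str
    labels: frozenset
    ips: tuple


@dataclass(frozen=True)
class Rule:
    rule_set: str
    name: str
    rule_type: str        # "allow", "deny" or "override_deny"
    sources: tuple        # selectors; any one matching is enough
    destinations: tuple
    services: tuple       # (proto, low_port, high_port) tuples
    network_profile: str  # "corporate", "non_corporate" or "any"
    status: str = "active"

    @property
    def ref(self) -> str:
        return f"{self.rule_set}/{self.name}"


Endpoint = Union[Workload, str]  # a workload or a bare IP address string

# Which rule profiles satisfy each profile chosen on the Policy Check page.
PROFILE_OK = {
    "corporate": {"corporate", "any"},
    "non_corporate": {"non_corporate", "any"},
    "any": {"corporate", "non_corporate", "any"},
}


def selector_matches(selector, endpoint: Endpoint) -> bool:
    """True if one scope selector covers the workload or IP address."""
    if selector == "any":
        return True
    if isinstance(selector, frozenset):  # label scope: all labels required
        return isinstance(endpoint, Workload) and selector <= endpoint.labels
    net = ip_network(selector)           # CIDR / IP list entry
    ips = endpoint.ips if isinstance(endpoint, Workload) else (endpoint,)
    return any(ip_address(ip) in net for ip in ips)


def service_matches(service, proto: str, port: Optional[int]) -> bool:
    """Protocol must match; a None port on either side means protocol-only."""
    s_proto, lo, hi = service
    if s_proto != proto:
        return False
    return port is None or lo is None or lo <= port <= hi


def policy_check(rules, src, dst, proto, port=None, profile="corporate"):
    """Return refs of active allow rules permitting src -> dst on proto/port."""
    if proto in ("tcp", "udp") and port is None:
        raise ValueError("TCP and UDP checks need a destination port")
    if (isinstance(src, str) or isinstance(dst, str)) and profile != "corporate":
        raise ValueError("an IP address endpoint requires the Corporate profile")
    return [
        r.ref for r in rules
        if r.status == "active" and r.rule_type == "allow"
        and r.network_profile in PROFILE_OK[profile]
        and any(selector_matches(s, src) for s in r.sources)
        and any(selector_matches(d, dst) for d in r.destinations)
        and any(service_matches(svc, proto, port) for svc in r.services)
    ]


def rule_search(rules, proto=None, port=None, rule_types=None,
                status=None, label=None):
    """Filter rules by service, rule type, provisioning status and a label."""
    found = []
    for r in rules:
        if rule_types and r.rule_type not in rule_types:
            continue
        if status and r.status != status:
            continue
        if proto and not any(service_matches(s, proto, port) for s in r.services):
            continue
        if label and not any(isinstance(sel, frozenset) and label in sel
                             for sel in r.sources + r.destinations):
            continue
        found.append(r.ref)
    return found


def broad_allow_rules(rules):
    """Flag allow rules scoped any -> any with an unbounded service."""
    return [
        r.ref for r in rules
        if r.rule_type == "allow" and "any" in r.sources
        and "any" in r.destinations and any(svc[1] is None for svc in r.services)
    ]


# Constructed sample inventory and rule sets (hypothetical names and labels).
WEB = Workload("web-01", frozenset({"role:web", "env:prod"}), ("10.1.0.10",))
DB = Workload("db-01", frozenset({"role:db", "env:prod"}), ("10.1.0.20",))
LAPTOP = Workload("laptop-77", frozenset({"role:endpoint"}), ("10.9.0.5",))

RULES = (
    Rule("prod-app", "web-to-db", "allow", (frozenset({"role:web", "env:prod"}),),
         (frozenset({"role:db", "env:prod"}),), (("tcp", 5432, 5432),), "corporate"),
    Rule("monitoring", "snmp-poll", "allow", ("10.2.0.0/16",),
         (frozenset({"env:prod"}),), (("udp", 161, 161),), "corporate"),
    Rule("core", "gre-tunnels", "allow", (frozenset({"env:prod"}),),
         (frozenset({"env:prod"}),), (("gre", None, None),), "corporate"),
    Rule("endpoint", "dns-out", "allow", (frozenset({"role:endpoint"}),),
         ("any",), (("udp", 53, 53), ("tcp", 53, 53)), "non_corporate"),
    Rule("legacy", "all-tcp", "allow", ("any",), ("any",),
         (("tcp", None, None),), "any", status="draft"),
    Rule("hardening", "block-telnet", "deny", ("any",), ("any",),
         (("tcp", 23, 23),), "any"),
)

if __name__ == "__main__":
    print(policy_check(RULES, WEB, DB, "tcp", 5432))        # ['prod-app/web-to-db']
    print(policy_check(RULES, "10.2.0.7", DB, "udp", 161))  # ['monitoring/snmp-poll']
    print(policy_check(RULES, LAPTOP, "8.8.8.8", "udp", 53))  # [] (rule is non_corporate)
    print(rule_search(RULES, proto="udp", port=161))        # ['monitoring/snmp-poll']
    print(broad_allow_rules(RULES))                         # ['legacy/all-tcp']
```

The draft any-to-any rule illustrates why the Policy Check result and the Rule Search result can differ: the check only reports active allow rules, while the search returns draft rules and deny rules as well when those types are selected. The laptop-to-8.8.8.8 case shows the network profile effect on endpoints: the outbound DNS rule only applies on non-corporate interfaces, so a Corporate-profile check finds no allow rule.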