Security Policy Guide 25.2.10

Rule-Based Labeling

Rule-based labeling allows you to assign labels to one or more workloads when their attributes match the conditions you specify in easily-configurable rules. This simplifies the task of labeling multiple workloads.

Before you begin

Label assignment:

  • You can assign system default and user-defined labels to matching workloads.

  • You can assign only one label of a given type to a workload.

  • Beginning in release 25.21, Rule-Based Labeling can replace labels already assigned to workloads if the Overwrite option is selected; otherwise, existing labels are never overwritten. For example, if Overwrite is selected and a matching workload already has a Location label of New York while your labeling rule specifies a Location label of London, the New York label is replaced with London. If Overwrite is not selected, the rule's London label is not applied and the New York label remains.

Depending on how many workloads match labeling rules, it may take a few minutes for the labels to be assigned to all of them. You can navigate to other areas of the PCE UI while the load process continues in the background. When matching and loading has finished, a notification appears wherever you are in the PCE user interface.

An event is created when a rule-based label is assigned to a workload. The event name depends on how the label is assigned:

  • When assigned from the PCE UI: label_mapping_rules_run.assign_labels

  • The generated_by field distinguishes a system job from an assignment made in the PCE UI: it displays system for a system job, or the user's e-mail address when the label was assigned from the PCE UI.

A label that is used in a labeling rule can't be removed from the list of labels (Policy Objects > Labels).

Typical Labeling Rule Workflow

Here is a typical workflow for adding rules, launching a search for matching workloads, and assigning labels.

Step 1: Add a Labeling Rule

Labeling rules work by identifying workloads in your environment that match certain conditions you specify and then assigning one or more labels to those workloads. See Work with Labeling Rules.

Step 2: Find and review matching workloads

After adding labeling rules, let Rule-Based Labeling search your environment for workloads that match the rule conditions, and then review the generated list of workloads. See Find and Review Matching Workloads.

Step 3: Assign labels to matching workloads

Once the feature finds matching workloads, you can assign the labels you specified in Step 1: Add a Labeling Rule. See Assign labels to matching workloads.

Work with Labeling Rules

This section describes how to add, remove, reorder, edit, and enable/disable labeling rules. It also includes procedures for finding and matching workloads and exporting a list of labeling rules to a CSV file.

Add a Labeling Rule

Labeling rules work by identifying workloads in your environment that match conditions you specify and then assigning one or more labels to those workloads.

  1. (Optional) To determine the workload attributes you want your labeling rule to match, it may help to go to Servers & Endpoints > Workloads and examine the workloads in your environment.

  2. Go to Policy Objects > Labels.

  3. Click the Labeling Rules tab.

  4. Click Add.

  5. Specify the matching condition. (For terminology and matching logic, see How Label Matching Works.)

    1. Select an attribute.

    2. Select an operator.

    3. Specify one or more values.

  6. Select one or more labels in the Label field.

  7. (Not available in all releases) Select Overwrite if you want to replace existing labels of the same type. For example, if a labeling rule is set to assign a Location label to matching workloads, any Location label(s) that may have been assigned previously to these workloads will be overwritten by the new Location label if Overwrite is selected. Otherwise, the existing label is preserved. This behavior applies to labels of any type.

    Caution

    Label changes are likely to result in a change to your security policy. Make sure you've thought through potential policy changes before you select the Overwrite option.

  8. Click Save.

Find and Review Matching Workloads

This procedure describes how to search your environment for workloads that match the rule conditions.

  1. Go to Policy Objects > Labels.

  2. Click Apply Rules and then choose Review and Assign Labels.

    apply-rules.png

    The Workloads that match criteria side panel opens showing the workloads in your environment that match your rules (if any).

    Note

    Depending on the number of workloads that match labeling rules, it may take several minutes for the PCE to load the workloads that match your rules. You can close the Workloads that match criteria side panel while the load process continues in the background. A progress message appears on the main page while the operation is underway. When matching and loading has finished, a notification appears wherever you are in the PCE user interface.

  3. Review the list to ensure it includes the workloads you want your rules to match. If the list doesn't include the workloads you intended, click Close, recheck the condition(s) you specified in the rule(s), and then modify the rules if necessary. You may need to return to the Workloads page and re-examine the workloads to make sure you've specified the correct workload attributes in your rule(s).

  4. If the list of matching workloads meets your expectations, assign the specified labels.

Assign labels to matching workloads immediately

Perform these steps to immediately assign labels to the workloads that match your labeling rules.

Note

In certain use cases, it may be preferable to assign labels immediately as described in this procedure rather than using the Apply Rules when triggered option.

  1. Go to Policy Objects > Labels.

  2. Make sure the Workloads that match criteria side panel is open (see Find and Review Matching Workloads).

  3. From the Workloads that match criteria side panel, click Assign. The message Labels have been assigned to _ workloads appears.

To have labels assigned automatically when VENs are activated or on a schedule, see Schedule Label Assignments.

Schedule Label Assignments

If you aren't assigning labels immediately as described in the Assign labels to matching workloads immediately procedure, perform these steps to specify when you want to assign labels.

  1. Click Apply Rules and then select Schedule Label Assignment.

  2. In the Recurring Rule Application dialog box, move the slider(s) to On to enable one or both of the following options:

    • Apply rules when triggered. Enable this option if you want labels to be assigned automatically to the matching workload(s) whenever a VEN is activated. Note the following about using this option.

      Note

      • Four-hour pause between searches. Every four hours, Rule Based Labeling searches for VENs in your environment that were activated within the past four hours. If the search finds such VENs, labels are assigned to the VEN's host workloads if the workloads' conditions match any of your labeling rules. Labels are not re-assigned to previously-labeled workloads because the search ignores VENs that were activated more than four hours previously.

      • Activating multiple VENs over a brief period of time. If your organization uses a tool to automate VEN activation for multiple VENs within a brief time period and you've enabled the Apply rules when triggered option, be aware of the following:

        1. Your tool activates VENs according to the cadence you configured.

        2. Activation of the first VEN triggers Rule Based Labeling to search your environment for matching workloads.

        3. After Rule-Based Labeling finds the first matching workload and assigns labels to it, the search for further matching workloads and the label assignment are paused for four hours, which may be unexpected.

        4. When the four-hour pause has ended, Rule Based Labeling resumes its search for matching workloads and assigns labels to them according to your labeling rules.

        To avoid waiting four hours as described above, you can assign labels to the remaining matching workloads immediately by performing the steps in Assign labels to matching workloads immediately. The subsequent search that occurs after four hours still runs but ignores the workloads to which labels were already assigned. Labels are not overwritten.

    • Apply rules regularly. Enable this option if you want Rule Based Labeling to assign labels automatically according to a schedule. Click through the Date and Time options to configure a schedule.

  3. Click Done.

Edit a Labeling Rule

You can edit a rule's condition and label(s). To learn more about rule components, see Terminology.

To add a statement to an existing rule:

  1. Go to Policy Objects > Labels.

  2. Click the Labeling Rules tab.

  3. Click the Edit icon for the rule you want to edit.

  4. Click the down arrow to activate the Condition selectors.

  5. Specify the statement you want to add.

  6. If needed, add or remove label(s) in the Label field.

  7. Click Save.

To delete a value from an existing rule:

  1. Go to Policy Objects > Labels.

  2. Click the Labeling Rules tab.

  3. Click the Edit icon for the rule you want to edit.

  4. On the condition you want to delete, click the X to delete it.

    rule-edit-delete-condition.png

  5. If needed, edit label(s) in the Label field.

  6. Click Save.

To edit a value in an existing condition:

Note

To change a value in an existing condition, you must delete the original condition and then re-add it with the value you want. You can't directly edit a value in an existing condition and keep the rest of the condition.

For example, to change the IP range 10.13.0.26-10.13.8.26 to 10.13.0.26-10.92.8.26, you must add the new range as a new condition and delete the original condition.

  1. Click the Edit icon for the rule you want to edit.

  2. Click the down arrow to activate the Condition selectors.

  3. Add the new statement.

  4. Delete the original value.

  5. If needed, edit label(s) in the Label field.

  6. Click Save.

Enable/Disable Labeling Rules

The Enable/Disable options allow you to generate different matching results by excluding or including one or more labeling rules from the workload matching process.

  1. Go to Policy Objects > Labels.

  2. Click the Labeling Rules tab.

  3. Select one or more labeling rules in the list of rules.

  4. Click Enable or Disable.

  5. To see the effect of the enable/disable option you selected, re-run the workload matching process.

Reorder Labeling Rules

When labeling rules are applied, workloads are evaluated against the rules from the top of the list in ascending order (Rule 1, then Rule 2, and so on), with Rule 1 having the highest precedence.

To change the precedence of a rule, change its rule number in the list of rules. Note that this will also reorder other rules in the list and change their precedence accordingly.

  1. Go to Policy Objects > Labels.

  2. Click the Labeling Rules tab.

  3. Click the Edit icon for the rule you want to move. The rule number becomes an editable field.

  4. Enter the new rule number in the field.

  5. Click Save.

    reorder-rule-1.png

    Note

    Reordering a rule changes the precedence of the other rules. For example, if the former Rule 3 is moved to position 1:

    • The former Rule 3 becomes Rule 1 with the highest precedence.

    • The former Rule 1 moves to become Rule 2.

    • The former Rule 2 moves to become Rule 3.

    reorder-rule-2.png

Remove Labeling Rules

  1. Go to Policy Objects > Labels.

  2. Click the Labeling Rules tab.

  3. Select one or more labeling rules in the list of rules.

  4. Click Remove.

Export a Workload-Label-Review List

You can export a CSV file showing the workloads that match your rules and the label(s) that will be assigned to those workloads. This is helpful when you have a large number of rules and workloads.

  1. Go to Policy Objects > Labels.

  2. Click the Labeling Rules tab.

  3. Click Apply Rules and then click Review and Assign Labels.

  4. On the Workloads that match criteria side panel, click Export.

    The generated CSV file is downloaded to your Downloads folder with a filename similar to Workload_Label_Review_(month_day_year).

  5. Open and review the CSV file.

    rule-based-csv.png

How Label Matching Works

This section provides a detailed example of the Rule-Based Labeling feature's label matching logic. It also presents a brief list of terms used throughout this document.

When you click Review and Assign Labels to generate a list of workloads that match your labeling rules, workloads are evaluated against the conditions defined in the rules.

A match occurs if all of the statements in a rule's condition match a workload's attributes.

Terminology
  • Rule: Rules consist of a condition and one or more label(s).

  • Condition: Conditions are the user-defined criteria that workloads must match to be eligible for label assignment. A condition consists of one or more statements connected by AND, ensuring that workloads must satisfy all statements of the condition to match the rule.

  • Statement: Statements define the specific workload attributes, operators, and values that are evaluated. Multiple values within a statement are considered using OR, allowing you to specify match criteria flexibly.

  • Precedence: Rules are numbered, with Rule 1 having the highest precedence. A workload is evaluated against the rules in order, ensuring that rules with the labeling criteria most important to you are considered first.

Matching Logic

Example: Workload and Rule Evaluation

how-matching-works-2.png
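The evaluation described above and in the Terminology list, as an added Python model written for this page (it is not PCE code and does not call the PCE API): a rule's statements are ANDed, each statement ORs its values, rules are evaluated in precedence order, and a workload ends up with at most one label of a given type. The same model exercises the attribute/operator combinations used in Examples 1 to 5 below and the Overwrite behaviour from Before you begin. Everything beyond what the page states is an assumption of the model: text comparisons are case-insensitive, an IP statement matches if any interface address falls in the range or CIDR block, port values are written "port/proto" or "lo-hi/proto", the first matching rule decides each label type, and Overwrite only replaces a label the workload carried before the run. The hosts and rules are constructed sample data.

```python
# Added illustration of the matching logic described above; not PCE code.
# Assumed, since the page does not say: text matches are case-insensitive, an IP
# statement matches on ANY interface address, ports are "port/proto" or "lo-hi/proto".
from dataclasses import dataclass, field
import ipaddress

@dataclass
class Workload:
    hostname: str
    os: str
    ips: list
    ports: set
    processes: list
    labels: dict = field(default_factory=dict)   # label type -> value, one per type

@dataclass
class Statement:
    attribute: str   # "hostname" | "os" | "ip" | "port" | "process"
    operator: str    # "contains" | "is" | "is in"
    values: list     # multiple values are OR'd

@dataclass
class Rule:
    statements: list          # multiple statements are AND'd
    labels: dict              # label type -> value to assign
    overwrite: bool = False
    enabled: bool = True

def _ip_in(addr, spec):
    ip = ipaddress.ip_address(addr)
    if "/" in spec:                                      # CIDR block
        return ip in ipaddress.ip_network(spec, strict=False)
    lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
    return lo <= ip <= hi                                # "lo - hi" range

def _port_in(listening, spec):
    ports, proto = spec.split("/")
    lport, lproto = listening.split("/")
    lo, _, hi = ports.partition("-")                     # "443" or "8000-8080"
    return proto.lower() == lproto.lower() and int(lo) <= int(lport) <= int(hi or lo)

def _value_matches(st, v, wl):
    if st.attribute == "ip":
        return any(_ip_in(a, v) for a in wl.ips)
    if st.attribute == "port":
        return any(_port_in(p, v) for p in wl.ports)
    text = {"hostname": [wl.hostname], "os": [wl.os], "process": wl.processes}[st.attribute]
    if st.operator == "contains":
        return any(v.lower() in t.lower() for t in text)
    return any(v.lower() == t.lower() for t in text)     # "is"

def rule_matches(rule, wl):
    """All statements must match (AND); within a statement any one value may (OR)."""
    return rule.enabled and all(any(_value_matches(st, v, wl) for v in st.values)
                                for st in rule.statements)

def evaluate(rules, workloads):
    """Review list of (workload, label type, current, proposed, action). Rules run in list
    order (Rule 1 first); the first matching rule decides each label type (assumption)."""
    review = []
    for wl in workloads:
        pending = {}
        for rule in rules:
            if rule_matches(rule, wl):
                for ltype, value in rule.labels.items():
                    pending.setdefault(ltype, (value, rule.overwrite))
        for ltype, (value, overwrite) in pending.items():
            old = wl.labels.get(ltype)   # Overwrite only governs a pre-existing label
            action = ("assign" if old is None else "unchanged" if old == value
                      else "overwrite" if overwrite else "skipped")
            review.append((wl.hostname, ltype, old, value, action))
    return review

def assign(rules, workloads):
    """Apply the review list; returns how many labels actually changed."""
    by_name = {wl.hostname: wl for wl in workloads}
    changed = 0
    for name, ltype, _, new, action in evaluate(rules, workloads):
        if action in ("assign", "overwrite"):
            by_name[name].labels[ltype] = new
            changed += 1
    return changed

def sample_workloads():   # constructed inventory, not real hosts
    return [
        Workload("web-aws-01", "Linux", ["10.2.20.15"], {"443/tcp"}, ["/usr/sbin/nginx"], {"Location": "New York"}),
        Workload("db-aws-02", "Linux", ["10.2.30.7"], {"5432/tcp"}, ["/usr/lib/postgresql/bin/postgres"]),
        Workload("win-aws-03", "Windows", ["192.168.1.20"], {"3389/tcp"}, ["C:\\Windows\\explorer.exe"], {"Location": "New York"}),
    ]

def sample_rules():       # list position is precedence: Rule 1 first
    return [
        Rule([Statement("hostname", "contains", ["aws"]), Statement("ip", "is in", ["10.2.20.0/24"])],
             {"Location": "London", "Environment": "Production"}, overwrite=True),
        Rule([Statement("hostname", "contains", ["aws"])], {"Location": "Frankfurt", "Role": "Web"}),
        Rule([Statement("os", "is", ["Linux"]), Statement("port", "is", ["5432/tcp"])],
             {"Role": "Database"}),
    ]
```

evaluate() produces the same kind of review the Workloads that match criteria side panel gives you (current label, proposed label, and whether it would be assigned, overwritten or skipped), so it can be read before assign() changes anything. With the sample data, web-aws-01 has its New York label overwritten by Rule 1, win-aws-03 keeps New York because Rule 2 has no Overwrite, and db-aws-02 gets Role Web from Rule 2 rather than Database from Rule 3 because of precedence. Running assign() a second time changes nothing, which is the behaviour the scheduling section describes for a later search over already-labeled workloads.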

Labeling Rule Examples

This section provides several detailed examples of crafting labeling rules.

Keep in mind the following as you craft labeling rules:

  • The operator you select and the particular values you enter in the Values field allow you to control the granularity of the labeling rule.

  • When you include multiple statements in a condition, Rule-Based Labeling automatically inserts an AND between the statements.

  • When you specify multiple values in a statement, Rule-Based Labeling automatically inserts an OR between the values.

Example 1. Hostname Rule to match workloads whose hostname contains a specified string

  1. Select Hostname in the Attribute field.

  2. Select contains in the Operator field.

  3. Enter AWS in the Values field.

  4. Click Close.

  5. Select one or more labels in the Label field.

  6. Click Save.

Example 2. OS Rule to match workloads running a specific operating system

Note

Match on OS version or release

You can configure OS labeling rules to match all or part of the workload's OS version or release by selecting operators and entering the details. To find details, go to Servers & Endpoints > Workloads and click the workload. On the Summary tab, go to the Attributes section of the workload's details page.

OS-release-version.png
  1. Select OS in the Attribute field.

  2. Select an Operator.

  3. Select Linux in the Value field.

  4. Click Close.

  5. Select one or more labels in the Label field.

  6. Click Save.

Example 3. IP Address Rule to match workloads within a specific IP address range:

  1. Select IP Address in the Attribute field.

  2. Select is in in the Operator field.

  3. In the Value field, enter a narrow range such as 10.2.0.0 - 10.2.200.0.

  4. Click Close.

  5. Select one or more labels in the Label field.

  6. Click Save.

Example 4. CIDR Block Rule to match workloads within a specific CIDR block:

  1. Select IP Address in the Attribute field.

  2. Select is in in the Operator field.

  3. In the Value field, enter a CIDR block. For example: 10.2.20.0/24

  4. Click Close.

  5. Select one or more labels in the Label field.

  6. Click Save.

Example 5. Rule with multiple attributes, each with a single value:

  1. Specify a hostname:

    • Select Hostname in the Attribute field.

    • Select contains in the Operator field.

    • Enter details in the Values field.

  2. Specify an operating system:

    • Select OS in the Attribute field.

    • Select contains in the Operator field.

    • Select an operating system in the Values field.

  3. Specify an IP address:

    • Select IP Address in the Attribute field.

    • Select is in in the Operator field.

    • In the Values field, enter an IP range or CIDR block.

  4. Specify a listening port and/or protocol:

    • Select Port/Protocol in the Attribute field.

    • In the Operator field, select is for a specific port/protocol; select is in to specify a range.

    • In the Values field, enter either a specific port/protocol or a range as appropriate.

  5. Specify a process path:

    • Select Process in the Attribute field.

    • In the Operator field, select an appropriate operator.

    • In the Values field, enter all or part of a process path according to your selected operator.

  6. Click Close.

  7. Select one or more labels in the Label field.

  8. Click Save.