Manage Policies
In this section, you will learn how to enable or disable scopes for policies, view policy status, and create policies.
Create a Policy
You can create a policy to write rules that define the allowed communication between workloads in a single group or multiple groups.
When you write a rule for a Windows workload, you can add a Windows service name without specifying a port or protocol. The rule will allow communication for that service over any port and protocol.
Note
Illumio recommends creating no more than 500 rules per policy; otherwise, the PCE web console will not be able to display all the rules.
If you want to create a policy with more than 500 rules, split the rules across multiple policies or use the REST API, where there is no limit on the number of rules you can create per policy.
The following task creates a single scope, which means the rules in the policy apply to a single group. Add a second scope indicated by the group's labels to apply the rules to another group.
You can use a template or create a policy from scratch.
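The 500-rule limit and the advice to split large rule sets across policies, as an added example that is not Illumio's code: the functions below assemble rules (including the Windows-service form, which carries no port or protocol) and chunk them into policies that each stay under the limit. The dictionary keys (name, scope, rules, source, destination, service) and the label values are constructed for this example and are not the PCE REST API schema; map them to the real request body when using the API.

```python
"""Assemble a policy and split its rules so no policy exceeds the 500-rule limit.
Added example: key names and sample values are assumptions, not the PCE API schema."""

MAX_RULES_PER_POLICY = 500  # limit stated in the documentation note


def make_rule(source, destination, service):
    """Build one rule. `service` is a (port, protocol) tuple, or a Windows
    service name; a service name alone means any port and any protocol."""
    if isinstance(service, str):
        svc = {"windows_service": service, "port": None, "proto": None}
    else:
        port, proto = service
        svc = {"windows_service": None, "port": int(port), "proto": proto.upper()}
    return {"source": source, "destination": destination, "service": svc}


def check_policy(policy, limit=MAX_RULES_PER_POLICY):
    """Return a list of problems: over the rule limit, or a non-Windows rule
    that lacks a port or protocol."""
    problems = []
    if len(policy["rules"]) > limit:
        problems.append(f"{policy['name']}: {len(policy['rules'])} rules exceeds {limit}")
    for i, rule in enumerate(policy["rules"]):
        svc = rule["service"]
        if svc["windows_service"] is None and (svc["port"] is None or svc["proto"] is None):
            problems.append(f"{policy['name']} rule {i}: port and protocol required")
    return problems


def build_policies(name, scope, rules, limit=MAX_RULES_PER_POLICY):
    """Return a single policy when the rules fit, otherwise several policies
    that share the scope, each holding at most `limit` rules, named name-1, name-2, ..."""
    if limit < 1:
        raise ValueError("limit must be at least 1")
    rules = list(rules)
    if len(rules) <= limit:
        return [{"name": name, "scope": list(scope), "rules": rules}]
    return [
        {"name": f"{name}-{i // limit + 1}", "scope": list(scope), "rules": rules[i:i + limit]}
        for i in range(0, len(rules), limit)
    ]


# Constructed sample input: one scope (a single group) and a large rule list.
SCOPE = [("app", "Web"), ("env", "Prod")]
SAMPLE_RULES = [make_rule("jumpbox-group", "web-servers", "TermService")]  # Windows service, any port
SAMPLE_RULES += [make_rule(f"client-{n}", "web-servers", (443, "tcp")) for n in range(1199)]


def demo():
    policies = build_policies("web-prod-access", SCOPE, SAMPLE_RULES)
    return [(p["name"], len(p["rules"]), check_policy(p)) for p in policies]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

`build_policies` keeps the scope identical on every chunk, so the split is invisible to the workloads it governs; only the policy names differ.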
Create a Policy from Scratch
Choose Policies > Add.
In the Add Policy dropdown list, choose Add from Scratch.
In the Add Policy dialog, type in the new policy's name and description.
In the Scope dropdown menu, select:
Labels and Label groups: Select labels and label groups one by one from the list, or
Labels and Label Groups Except: For this option, you only select the labels you want excluded; every other workload is in scope.
These labels define the scope of the policy, which is its range or boundary. The scope defines the workloads affected by this policy or all workloads that share the same labels in the scope.
Note
The Scope field only appears when the PCE is configured to display it.
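The two scope modes described above (Labels and Label Groups, and Labels and Label Groups Except) and the effect of adding a second scope, as an added example that is not Illumio's code. The workload inventory, label dimensions and the matching semantics (an inclusive scope requires every listed label; an except scope drops any workload carrying a listed label; several scopes are unioned) are assumptions made for this illustration.

```python
"""Model of how a policy scope selects workloads. Added example; workload
records and matching semantics are assumptions, not PCE behaviour or API fields."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scope:
    labels: frozenset            # set of (dimension, value) pairs, e.g. ("env", "Prod")
    except_mode: bool = False    # True models "Labels and Label Groups Except"


def in_scope(workload_labels, scope):
    """Inclusive scope: the workload must carry every label in the scope.
    Except scope: the workload is in scope unless it carries any listed label."""
    carried = {(dim, val) for dim, val in workload_labels.items()}
    if scope.except_mode:
        return not (scope.labels & carried)
    return scope.labels <= carried


def workloads_in_policy(workloads, scopes):
    """A policy with several scopes applies its rules to every group, so the
    result is the union of the workloads matched by each scope."""
    return sorted(name for name, labels in workloads.items()
                  if any(in_scope(labels, s) for s in scopes))


# Constructed sample inventory.
WORKLOADS = {
    "web-prod-1": {"app": "Web", "env": "Prod", "loc": "AWS"},
    "web-dev-1": {"app": "Web", "env": "Dev", "loc": "AWS"},
    "db-prod-1": {"app": "DB", "env": "Prod", "loc": "DC1"},
    "jump-1": {"app": "Jumpbox", "env": "Prod", "loc": "DC1"},
}

WEB_PROD = Scope(frozenset({("app", "Web"), ("env", "Prod")}))
DB_PROD = Scope(frozenset({("app", "DB"), ("env", "Prod")}))
NOT_DEV = Scope(frozenset({("env", "Dev")}), except_mode=True)


def demo():
    return {
        "single": workloads_in_policy(WORKLOADS, [WEB_PROD]),
        "two_scopes": workloads_in_policy(WORKLOADS, [WEB_PROD, DB_PROD]),
        "except_dev": workloads_in_policy(WORKLOADS, [NOT_DEV]),
    }


if __name__ == "__main__":
    for mode, names in demo().items():
        print(f"{mode}: {names}")
```

Checking a candidate scope against an inventory this way, before provisioning, shows exactly which workloads a new policy will reach, which matters most for the except mode, where the scope grows as new label values are introduced.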
Add a Policy from a Template
Choose Policies > Add.
To create a policy from a template, you have the following choices:
Ransomware: This creates a set of deny rules for services and ports frequently used by Ransomware to spread across the environment.
Inbound Admin Access: This creates a set of rules for inbound traffic using SSH and RDP services and ports (including Jump boxes).
Outbound Admin Access: This creates a set of rules for outbound traffic using SSH and RDP services and ports.
Block Internet Access: This creates a deny rule that restricts all outbound traffic to the internet.
Active Directory: This creates a set of rules for default services and ports for domain controllers in your environment.
ICMP: This creates rules for Internet Control Message Protocol, which is used for network maintenance and troubleshooting.
Select one of the templates and click Next.
Add a Policy for Ransomware
When you select the Ransomware template, a list of the existing deny rules is displayed.
You can confirm the selection and save or edit the Sources, Destinations, or Destination Services for any Deny rules.
To edit the Source, click on the specific Source link, and the next page will show whether the source can be edited. For example, a default IP List cannot be edited or removed.
To edit a Destination, click on the specific Destination link.
Click Add to add new members to the label group.
Select as many new members from the dropdown list as you wish.
Click Ok.
The Label Groups page now includes the newly added members.
Click Provision to provision the change.
You can use this same page to remove any existing label groups.
To edit the Destination Service, click on the specific link in that group.
On the Services page, you can edit the service by clicking Edit.
Change the Description, Protection Severity, or Attributes.
RANSOMWARE PROTECTION: Choose one of the severity levels: None, Low, Medium, High, or Critical.
ATTRIBUTES: Use the Service Definitions option to add or remove ports and/or protocols.
Add a Policy for Inbound Admin Access
When you select the Inbound Admin Access template, a list of the existing policies and deny rules is displayed.
Policy 1
You can edit the name or scope for each policy on the policy page.
Scope displays whether the policy contains extra-scope or intra-scope rules.
Edit Sources, Destinations, and/or Destination Services for any existing extra- or intra-scope rules (when allowed).
DENY RULES
Names of the Deny rules are not editable.
Sources and Destinations of the Deny rules are also not editable.
The Destination Services page shows general information and attributes. To edit the service, click Edit.
GENERAL: You can edit both the name and the description.
RANSOMWARE PROTECTION: Choose one of the severity levels: None, Low, Medium, High, or Critical.
ATTRIBUTES: Use the Service Definitions option to add or remove ports and/or protocols.
Add a Policy for Outbound Admin Access
For the outbound admin access, there are only Deny rules.
DENY RULES
Names of the Deny rules are not editable.
Sources are editable, and you can add new members to the label groups using the dropdown list.
You can also remove any of the existing members of the label group.
Add a Policy that Blocks Internet Access
You can add a deny rule restricting all outbound traffic to the internet.
DENY RULES
Names of the Deny rules are not editable.
Sources (applications) can be edited by adding new label group members from the dropdown list.
Destinations (a list of IP addresses) can be edited by removing any existing IP address using the trash icon that appears after you double-click on the address. To add an FQDN, type or paste the fully qualified domain name into the FQDN window.
Once the changes are in, click Confirm and Save.
Add a Policy for Active Directory
You can add a policy for default services and ports for domain controllers.
In the Rules for Active Directory page:
The Name of the policy is editable.
The scope of the policy is editable: add any existing label groups using the dropdown list.
Intra-scope rules in the policy:
Sources:
If the Sources field is denoted by (all), the rules are not editable.
If it is denoted by (any), the rule's Destinations and Destination Services are editable.
Once the changes are in, click Confirm and Save.
Add a Policy for ICMP
You can add a policy for ICMP (Internet Control Message Protocol).
POLICY 1
The Name of the policy is editable.
The scope of the policy is editable in the following instances:
If the rule is denoted by (all), the rule is not editable.
If it is denoted by (any), the Destination Services rules are editable.
Once the changes are in, click Confirm and Save.