Configuring Policy Generation

To configure policy generation:

  1. Create tags.

    In the Command UI, navigate to Security > Tags. Tags are key and value pairs. Create tags as appropriate for your environment. Tags can be created with a Project scope or a Global scope.

  2. Associate tags.

    Tags created can be associated with either individual virtual machines (VMs) or container ports or with groups of virtual machines or containers at either the VN level or the project level. Tags associated with a VN are inherited by all VMs or containers in that VN. Similarly, tags associated with a project get inherited by all VNs in that project and in turn by all VMs or containers in each VN in that project. To associate tags at any of these levels, perform the following steps:

    • Project

      Navigate to the Projects tab, double-click the project, and associate the tags.

    • Virtual Network

      Navigate to Overlay > Virtual Networks and click Edit to add appropriate tags.

    • Ports

      Navigate to Overlay > Ports and click Edit to add appropriate tags.

  3. When running policy generation for the first time, you must provision the policy generator module using the following commands:

    1. Download the Contrail Security Apps tarball from the Support - Software Downloads site and extract the .tgz file:

      tar -xzf contrail-security-apps-*.tgz

    2. Change into the extracted directory:

      cd contrail-security-apps

    3. Edit the ansible/inventory/inventory.yml file and specify the required values. For a sample of the inventory.yml file, see the Sample inventory.yml file section below.

    4. Run the deployment playbook:

      ansible-playbook -i ansible/inventory/inventory.yml ansible/playbooks/deploy_and_run_all.yml

  4. Specify the session export rate. Navigate to INFRASTRUCTURE > Cluster > Advanced Options.

    Click the Virtual Routers tab, click Edit under Forwarding Options and enter the Session Export Rate/secs value.

    (Screenshot: Virtual Routers tab listing router details, with Forwarding Options and Security Logging configuration.)

  5. Enable the security policy draft mode, either for the Project scope or for Global scope depending on your requirement.

    For Project scope, navigate to IAM > Projects, select and click the project and enable the Security Policy Draft mode under Settings.

    (Screenshot: IAM > Projects page for the admin project, Settings panel with the Security Policy Draft and VxLAN Routing toggles enabled.)

    For Global scope, navigate to INFRASTRUCTURE > Cluster > Advanced Options, and click the Global Config tab. The Edit System Configuration page appears. Click Edit and enable the Security Policy Draft mode. Click Save.

  6. Enable the policy generation endpoint.

    Navigate to the INFRASTRUCTURE > Cluster > Advanced Options, click the Endpoints tab, and click Create. The Create Endpoint page appears.

  7. Enter generation in the Prefix field and enter the required private and public URLs. Click Create to save the endpoint.

    (Screenshot: Create Endpoint page with fields for Prefix, Private URL, Public URL, Username and Password, and options to enable proxy or add configurations.)

  8. Generate traffic between the applications.
  9. Generate policies.

    Navigate to Security > Policy Sets and click Generate Policy. The Generate Project Policy page appears.

    The Generate Project Policy page has three steps.

    (Screenshot: Security > Policy Sets page with Project and Global tabs, a table of policy sets with status and last-updated information, and the Generate Policy and Create buttons.)

    1. Step 1 Scan Traffic

      Each vRouter scans the traffic it sees between and within applications. The controller analyzes the observed traffic patterns and displays the observed traffic in a graphical visualization. Arcs inside the circular graph represent the different observed flows. Mouse over the arcs to view additional details about the applications involved in that flow, other tags associated with the endpoints, and other flow characteristics.

      The period of traffic considered as an input for policy generation can be customized by editing the Time Range. The default time range is 10 minutes. Click Next to proceed with policy generation.

      (Screenshot: Step 1 Scan Traffic of the Generate Project Policy workflow, showing the circular traffic-insights graph.)

    2. Step 2 Filter and Generate

      You can filter traffic and generate a draft policy based on the selected filters. By default, the current project is selected and the predefined tags (application, deployment, tier, and site) are selected. The selected tags must be associated with the workloads; flows whose records lack these tags are reported as unknown flows.

      If you have not attached any of the predefined tags to workloads and you do not need those tags to be part of the policies, deselect them. However, you must select at least the application tag; otherwise flows are displayed as unknown.

      Click Next. The default firewall rules allow all traffic.

      (Screenshot: Step 2 Filter and Generate, with filters for Project, Application, and Firewall Rules, under SECURITY > Policy Sets > Generate Project Policy.)

    3. Step 3 Overview

      You can view the application policy sets based on the selected input parameters. You can view the application policy sets in a tabular format as well as JSON format. You can also view traffic flows for untagged applications.

      Click Save to save the application policy set and generate the draft policy.

      (Screenshot: Step 3 Overview with the Table View tab active, listing policy sets by name, application, and policies.)

  10. Review the draft policy.

    The Security > Policy Sets page is displayed with the draft application policy set. Click the draft application policy set to view details about the policies.

    Select the draft application policy set and click Review.

  11. The Review Changes page appears listing the policies in the draft mode. You can review the draft policy, edit it as required and click Commit to enforce the application policy set.

    Alternatively, click Discard to discard the generated application policy set.

    (Screenshot: Review Changes dialog listing changes to Application and Firewall Policies, with Discard and Commit buttons.)
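The following is an added example, not Contrail code, that models two points from the procedure above: how tags attached at project, VN and port level are inherited by a workload (step 2), and how the policy generator's Filter and Generate step turns observed flows into draft rules and reports endpoints without an application tag as unknown (step 9). All projects, VNs, ports and flow records are constructed sample data; the tag keys are the page's predefined tags.

```python
from collections import defaultdict

# The page's predefined tag keys; "application" is the one that must be selected.
PREDEFINED = ("application", "deployment", "tier", "site")

# Constructed sample inventory (not real Contrail data): tags attached at
# project, VN and port level. A port inherits project and VN tags; a tag set
# directly on the port wins over an inherited one.
PROJECT_TAGS = {"shop": {"site": "dc1", "deployment": "prod"}}
VN_TAGS = {"shop/frontend-vn": {"tier": "web"}, "shop/backend-vn": {"tier": "db"}}
PORT_TAGS = {  # port -> (project, VN, tags set directly on the port)
    "web-1": ("shop", "shop/frontend-vn", {"application": "store"}),
    "db-1": ("shop", "shop/backend-vn", {"application": "store"}),
    "cache-1": ("shop", "shop/backend-vn", {}),  # application tag never attached
}


def effective_tags(port):
    """Resolve the tags a port ends up with after project and VN inheritance."""
    project, vn, own = PORT_TAGS[port]
    tags = dict(PROJECT_TAGS.get(project, {}))
    tags.update(VN_TAGS.get(vn, {}))
    tags.update(own)
    return tags


def endpoint_label(port, selected):
    """Label a flow endpoint by the selected tag keys; no application tag -> "unknown"."""
    tags = effective_tags(port)
    if "application" not in tags:
        return "unknown"
    return "&".join(f"{k}={tags[k]}" for k in selected if k in tags)


def generate_draft(flows, selected=PREDEFINED):
    """Collapse observed flow records into draft allow rules keyed by the
    labelled source and destination; duplicate flows merge into one rule."""
    rules = defaultdict(set)
    for src, dst, proto, dport in flows:
        key = (endpoint_label(src, selected), endpoint_label(dst, selected))
        rules[key].add((proto, dport))
    return {key: sorted(ports) for key, ports in rules.items()}


# Constructed flow records: (source port, destination port, protocol, dest port).
FLOWS = [("web-1", "db-1", "tcp", 5432), ("web-1", "db-1", "tcp", 5432),
         ("web-1", "cache-1", "tcp", 6379)]

if __name__ == "__main__":
    for (src, dst), ports in generate_draft(FLOWS).items():
        print(f"{src} -> {dst}: {ports}")
```

Deselecting tags (for example passing selected=("application",)) yields coarser rules keyed only by application, while the untagged cache-1 endpoint still surfaces as unknown, which is why the page insists on tagging workloads before generating policies.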

Sample inventory.yml file