Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Configuring Policy Generation

To configure policy generation:

  1. Create tags.

    In the Command UI, navigate to Security > Tags. Tags are key and value pairs. Create tags as appropriate for your environment. Tags can be created with a Project scope or a Global scope.

  2. Associate tags.

    Tags created can be associated with either individual virtual machines (VMs) or container ports or with groups of virtual machines or containers at either the VN level or the project level. Tags associated with a VN are inherited by all VMs or containers in that VN. Similarly, tags associated with a project get inherited by all VNs in that project and in turn by all VMs or containers in each VN in that project. To associate tags at any of these levels, perform the following steps:

    • Project

      Navigate to the Projects tab, double click on the project and associate the tags.

    • Virtual Network

      Navigate to Overlay > Virtual Networks and click Edit to add appropriate tags.

    • Ports

      Navigate to Overlay > ports and click Edit to add appropriate tags.

  3. When running policy generation for the first time, you must provision the policy generator module using the following commands:
    1. Download the Contrail Security Apps tarball from the Support - Software Downloads site. Untar the .tgz file

      untar contrail-security-apps-*.tgz

    2. cd contrail-security-apps

    3. edit ansible/inventory/inventory.yml file and specify the required values. For a sample of the inventory.yml file, see #configuring-policy-generation__inventory-yml-policy.

    4. ansible-playbook -i ansible/inventory/inventory.yml ansible/playbooks/deploy_and_run_all.yml

  4. Specify the session export rate. Navigate to INFRASTRUCTURE > Cluster > Advanced Options.

    Click the Virtual Routers tab, click Edit under Forwarding Options and enter the Session Export Rate/secs value.

  5. Enable the security policy draft mode, either for the Project scope or for Global scope depending on your requirement.

    For Project scope, navigate to IAM > Projects, select and click the project and enable the Security Policy Draft mode under Settings.

    For Global scope, navigate to INFRASTRUCTURE > Cluster > Advanced Options, and click the Global Config tab. The Edit System Configuration page appears. Click Edit and enable the Security Policy Draft mode. Click Save.

  6. Enable policy generation endpoint.

    Navigate to the INFRASTRUCTURE > Cluster > Advanced Options, click the Endpoints tab, and click Create. The Create Endpoint page appears.

  7. Enter generation under Prefix and enter the required URLs. Click Create to save the endpoint.
  8. Generate traffic between the applications.
  9. Generate policies.

    Navigate to Security > Policy Sets and click Generate Policy. The Generate Project Policy page appears.

    The Generate Project Policy page has three steps.

    1. Step 1 Scan Traffic

      Each vRouter scans the traffic it sees between and within applications. The controller analyzes the observed traffic patterns and displays the observed traffic in a graphical visualization. Arcs inside the circular graph represent the different observed flows. Mouse over the arcs to view additional details about the applications involved in that flow, other tags associated with the endpoints, and other flow characteristics.

      The period of traffic considered as an input for policy generation can be customized by editing the Time Range. The default time range is 10 minutes. Click Next to proceed with policy generation.

    2. Step 2 Filter and Generate

      You can filter traffic and generate a draft policy based on the selected filters. By default, the current project is selected and the predefined tags, application, deployment, tier, and site are selected. Selected tags must be associated with the workloads, because not having these tags in flow records creates unknown flows.

      If you haven’t attached any of the predefined tags to workloads and you don’t need the tags to be part of the policies, deselect them. However, it is mandatory to select at least the application tag, else flows designated with unknown are displayed.

      Click Next. The default firewall rules allow all traffic.

    3. Step 3 Overview

      You can view the application policy sets based on the selected input parameters. You can view the application policy sets in a tabular format as well as JSON format. You can also view traffic flows for untagged applications.

      Click Save to save the application policy set and generate the draft policy.

  10. Review the draft policy.

    The Security > Policy Sets page is displayed with the draft application policy set. Click the draft application policy set to view details about the policies.

    Select the draft application policy set and click Review.

  11. The Review Changes page appears listing the policies in the draft mode. You can review the draft policy, edit it as required and click Commit to enforce the application policy set.

    Alternatively, click Discard to discard the generated application policy set.

Sample inventory.yml file