Skip to content

Policy Rule

The final step in the security posture is to add a ruleset to the Valtix Gateway. Each ruleset will have a set of policies that defines your security posture. When traffic is inspected, Valtix Gateway will go from top to bottom of the ruleset to identify if traffic matches the policy rule, hence the order of the policy matters. Security profiles can be attached to policy rules for deep packet inspection. Below is a diagram of how each security component is related in a ruleset.


Reverse HTTPS proxy

Ingress HTTP proxy requires the gateway to be in Ingress security mode. During the gateway creation, ensure that you have selected Ingress. This will allow Valtix to act as a reverse proxy and send traffic to the application. User will need to change the dns entry for the original application to point to Valtix endpoint. For this example, we'll simply use the ip address of the application.

Step 1: Create a Decryption Profile

  1. Click on Manage -> Profiles -> Decryption.
  2. Click on Create button.
  3. Enter in a Profile Name. (eg. ingress-decryption)
  4. Select Generate (Self-signed) for the "Method" field.
  5. Click on the Generate button to generate a new certificate.
  6. A new window will pop up to ask you information used to generate the new certificate. Click Generate
  7. Enter a name for the newly generated certificate. (eg. demo-certificate)

Step 1: Create an Address Object

  1. Click on Manage -> Security Profiles -> Addresses
  2. Click on Create Address and select Reverse Proxy Target
  3. Add a name to the address object. (eg. webserver)
  4. For Type, select IP/FQDN
  5. Input the private ip address of your spoke-vm

Step 2: Create Service object

  1. Click on Manage -> Security Profiles -> Services
  2. Click on Create
  3. Select Reverse Proxy as service type.
  4. Give the service object a name. (eg. http-ingress-tutorial)
  5. In the Service table, enter the following:
    1. Decryption Profile: ingress-decryption (This is the decryption profile created in above step.)
    2. Dst Port: 443
    3. Protocol: TCP
    4. Target Backend Port: 80
    5. Protocol: TCP
    6. Address: webserver (This is the address object created in the above step.)

Step 3: Create HTTP policy rule in ruleset

  1. Click on Manage -> Security Policies -> Rules
  2. Find the ruleset name that's associated with the Ingress Gateway
  3. Click the rule set name
  4. There is already a rule here to allow the health check traffic from the load balancer on port 65534(this port number was specified during the gateway creation)
  5. Click Create to create a new rule
  6. A new rule editor opens in the slide over panel on the right
  7. Add a name to the rule (e.g. any-ingress-http)
  8. In th Type dropdown select Reverse Proxy
  9. In the Service dropdown menu, select http-ingress-tutorial(or the name provided to the http service created)
  10. In Source dropdown select any
  11. Destination would be hard coded to Gateway. Our gateway will be the landing zone for your application.
  12. In the Action select Allow Log. This allows the Gateway to accept the traffic and log the flows that can be checked in the Investigate section of the Valtix Dashboard
  13. Leave all the profiles to empty, the rules will be enhanced to use these profiles in the later part of the tutorial
  14. Click Add
  15. You can create more rules if required. In this section of the tutorial you will not add any more rules.
  16. Click Save to save all the rules. Click Yes for confirmation.
  17. It takes a few seconds to save the policy. Once the rule set is saved, the Gateway instances pull the ruleset from the controller during the regular message exchange process

Step 4: Verify Traffic

  1. Click on Manage -> Gateways -> Gateway.
  2. The gateway page will show the Gateway Endpoint for the ingress gateway that was created. Copy the fqdn/ip.
  3. Open a browser and paste the FQDN/IP. This should take you to the landing page of your original application.
  4. Go to Investigate -> Flow Analytics -> Traffic Summary -> Logs. You should see a log entry in there.