Rule Set
Rule Sets consist of a set of Rules that define a segmentation and advanced security policy, which is applied to one or more Gateways to protect applications and workloads. The Rules are organized as a priority list: traffic is processed by the matching Rule in priority order, a general action is taken to allow or deny it, and further inspection is provided through advanced security.
Rule Sets are associated with Valtix Gateways as follows:
- Rule Sets are Cloud agnostic and can be applied to one or more Gateways operating across multiple Clouds
- A Gateway can only be associated with a single Rule Set, although more than one Rule Set can be applied using a Rule Set Group
- A Rule Set can be associated with more than one Gateway
- Rules within a Rule Set can use discovered Cloud asset information to form a dynamic policy - a policy that adapts in real time to changes
- A Rule Set can include Rules that only apply to specific Cloud Accounts and/or Cloud Regions, even though the Rule Set is applied to Gateways that span Clouds. Example:
  - A dynamic Tag-based Address Object used in a Rule Set Rule that is applied to two Gateways across two Clouds can resolve to one set of IP addresses for the Gateway in one Cloud, while resolving to a different set of IP addresses for the Gateway in the other Cloud.
- Rule Sets can be created from the Manage -> Security Policies -> Rule Sets page or from within the Gateway creation workflow
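The following is an added illustrative model (not Valtix code) of the behaviour described above: one Rule Set applied to Gateways in two Clouds, where a Tag-based Address Object resolves to different IP addresses per Gateway, Rules are matched in priority order, and a Rule can be scoped to a single Cloud. The asset inventory, tag names and the default-deny fallback are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Constructed inventory of discovered Cloud assets (assumed data, not real discovery output):
# Cloud -> tag -> IP addresses carrying that tag in that Cloud.
DISCOVERED_ASSETS = {
    "aws":   {"app=web": ["10.1.0.10", "10.1.0.11"], "app=db": ["10.1.2.5"]},
    "azure": {"app=web": ["10.2.0.20"],              "app=db": ["10.2.2.7"]},
}

@dataclass
class Rule:
    priority: int
    src_tag: str                  # Tag-based Address Object for the source
    dst_tag: str                  # Tag-based Address Object for the destination
    dst_port: int
    action: str                   # "allow" or "deny"
    cloud: Optional[str] = None   # restrict the Rule to one Cloud; None means any Cloud

def resolve_tag(gateway_cloud: str, tag: str) -> set:
    """Dynamic Address Object: the same tag resolves to the IPs discovered
    in the Cloud where this Gateway runs, so the policy adapts per Gateway."""
    return {ip_address(a) for a in DISCOVERED_ASSETS.get(gateway_cloud, {}).get(tag, [])}

def evaluate(rule_set, gateway_cloud: str, src: str, dst: str, port: int):
    """Return (action, matched priority). The first Rule in priority order that
    matches decides; Rules scoped to another Cloud are skipped on this Gateway."""
    for rule in sorted(rule_set, key=lambda r: r.priority):
        if rule.cloud is not None and rule.cloud != gateway_cloud:
            continue
        if (ip_address(src) in resolve_tag(gateway_cloud, rule.src_tag)
                and ip_address(dst) in resolve_tag(gateway_cloud, rule.dst_tag)
                and port == rule.dst_port):
            return rule.action, rule.priority
    return "deny", None   # assumed default when no Rule matches

# One Rule Set shared by an AWS Gateway and an Azure Gateway (constructed example).
RULE_SET = [
    Rule(5,  "app=web", "app=db", 22,   "allow", cloud="azure"),  # Azure-only exception
    Rule(10, "app=web", "app=db", 5432, "allow"),
    Rule(20, "app=web", "app=db", 22,   "deny"),
]

if __name__ == "__main__":
    print(evaluate(RULE_SET, "aws",   "10.1.0.10", "10.1.2.5", 5432))  # ('allow', 10)
    print(evaluate(RULE_SET, "azure", "10.2.0.20", "10.2.2.7", 22))    # ('allow', 5)
    print(evaluate(RULE_SET, "aws",   "10.1.0.10", "10.1.2.5", 22))    # ('deny', 20)
```

Note that an Azure web IP presented to the AWS Gateway matches nothing, because the tag resolves only to assets discovered in that Gateway's Cloud.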
Policy Management
Policies are created in the Valtix Dashboard or through orchestration using the Valtix Terraform Provider. The policies are stored and retained as part of the Valtix Controller database. The Gateway retrieves the policy or any policy changes through a periodic heartbeat where the Gateway provides the Controller health and telemetry information, while also requesting if there are any policy changes that need to be applied. The Gateway to Controller communication is fully encrypted and established through a mutual TLS session. The heartbeats occur every 5 seconds to ensure that policies on the Gateway are synchronized with the policies created or modified by the user.
Multiple methods can be used to view the Gateway policy status and ensure the Gateway and Controller policies are synchronized:
| Page | Description |
|---|---|
| Gateway Page | Navigate to Manage -> Gateways -> Gateways and view the Policy Rule Status column |
| Rule Sets Page | Navigate to Manage -> Security Policies -> Rule Sets and view the Policy Rule Status column |
| Rules Page | Navigate to Manage -> Security Policies -> Rule Sets and select a Rule Set. This shows all the policies for the Rule Set. At the top of the screen, Gateways Updated shows the number of Gateways that are updated. Hovering over the info icon displays the status of each individual Gateway. |
Policy Rule Gateway Status
- Updated - The policy is active on the Gateway and is synchronized with the Controller
- Updating - The Gateway is actively processing a policy change. The policy change is known to the Gateway but is not yet active; the Gateway is still processing traffic using the current policy.
Policy Rule Set Gateway Change
A Policy Rule Set assigned to a Gateway can be changed dynamically to a different Policy Rule Set. If there is a requirement to swap in a different Policy Rule Set to an active Gateway, this operation can be initiated in a non-impactful way. The assignment of the new Policy Rule Set operates similarly to a Gateway update/upgrade process. New Gateway instances are instantiated with the new Policy Rule Set. New traffic sessions are redirected to the new Gateway instances once they are active and healthy. Old traffic sessions are flushed from the old Gateway instances. The old Gateway instances are deleted. The operation completes in a matter of minutes. This change is initiated as part of the Gateway configuration settings (Manage -> Gateways -> Gateways). The change can be initiated using the Valtix Portal or the Valtix Terraform Provider.
Rule Set Group
A Rule Set Group is a collection of Standalone Rule Sets. Users can combine multiple Standalone Rule Sets into a Rule Set Group and associate the Rule Set Group with one or more Valtix Gateways. Rule Set Groups allow organizations to keep policies separated in an organized fashion and combine them into an overarching policy.
Notes
- A Rule Set Group can only consist of Rule Set members
- Ensure all Rule Sets associated with a Rule Set Group do not have conflicting Rules
- A Rule Set Group can have a maximum of 100 Rule Set members
Create Policy Rule Set
To create a Policy Rule Set:
- Navigate to Manage -> Security Policies -> Rules
- Click Create
- Add a name and description for the Policy Rule Set
- Click Save
Once the Policy Rule Set is created, proceed to add individual Rules.
Create Policy Rule Set Group
To create a Policy Rule Set Group:
- Navigate to Manage -> Security Policies -> Rules
- Click Create
- Add a name and description for the Policy Rule Set Group
- Select Type as Group
- Add Rule Sets in the Rule Set List section