1

%3Cp%3EIn%20this%20dashboard%20view%2C%20we%20notice%20all%20the%20existing%20security%20policies.%20As%20an%20example%2C%20the%20AllowHTTPSout%20policy%20allows%20HTTPS%20traffic%20outboud%20from%20the%20%22Red%22%20routing%20zone%20or%20the%20second%20policy%20name%20AllowICMP%20allows%20ICMP%20traffic%20between%20a%20couple%20of%20virtual%20networks%20or%20DenyAll%20policy%20denies%20all%20external%20traffic%20to%20internal%20Red%20routing%20zone.%3C/p%3E%0A%3Cp%3EApstra%5C%27s%20advanced%20capabilities%20enables%20conflict%20management%20between%20multiple%20policies.%20Let%20us%20click%20on%20the%20settings%20tab%20to%20understand%20that%20capability%20a%20bit%20more.%3C/p%3E

%3Cp%3EIn%20this%20dashboard%20view%2C%20we%20notice%20all%20the%20existing%20security%20policies.%20As%20an%20example%2C%20the%20AllowHTTPSout%20policy%20allows%20HTTPS%20traffic%20outboud%20from%20the%20%22Red%22%20routing%20zone%20or%20the%20second%20policy%20name%20AllowICMP%20allows%20ICMP%20traffic%20between%20a%20couple%20of%20virtual%20networks%20or%20DenyAll%20policy%20denies%20all%20external%20traffic%20to%20internal%20Red%20routing%20zone.%3C/p%3E%0A%3Cp%3EApstra%5C%27s%20advanced%20capabilities%20enables%20conflict%20management%20between%20multiple%20policies.%20Let%20us%20click%20on%20the%20settings%20tab%20to%20understand%20that%20capability%20a%20bit%20more.%3C/p%3E

%3Cp%3EWe%20can%20choose%20to%20prioritize%20more%20specific%20policies.%20This%20means%20if%20we%20are%20allowing%20a%20SSH%20from%20a%20particular%20host%2C%20but%20later%20on%2C%20choose%20to%20deny%20SSH%20from%20the%20entire%20network%20than%20that%20host%20is%20on%2C%20Apstra%20will%20automatically%20prioritize%20the%20more%20specific%20policy%20over%20the%20more%20generic%20policy.%3C/p%3E%0A%3Cp%3ELet%20us%20see%20what%20happens%20when%20we%20enforce%20this%20priority.%3C/p%3E%0A%3Cp%3EClick%20to%20return%20back%20to%20the%20policies%20view.%3C/p%3E

%3Cp%3EWe%20can%20choose%20to%20prioritize%20more%20specific%20policies.%20This%20means%20if%20we%20are%20allowing%20a%20SSH%20from%20a%20particular%20host%2C%20but%20later%20on%2C%20choose%20to%20deny%20SSH%20from%20the%20entire%20network%20than%20that%20host%20is%20on%2C%20Apstra%20will%20automatically%20prioritize%20the%20more%20specific%20policy%20over%20the%20more%20generic%20policy.%3C/p%3E%0A%3Cp%3ELet%20us%20see%20what%20happens%20when%20we%20enforce%20this%20priority.%3C/p%3E%0A%3Cp%3EClick%20to%20return%20back%20to%20the%20policies%20view.%3C/p%3E

%3Cp%3EFor%20the%20purpose%20of%20this%20demo%2C%20we%20will%20create%20a%20more%20specific%20policy%20as%20opposed%20to%20a%20more%20generic%20AllowHTTPSout%20polcity%20that%20will%20occlude%20that%20policy.%3C/p%3E

%3Cp%3EFor%20the%20purpose%20of%20this%20demo%2C%20we%20will%20create%20a%20more%20specific%20policy%20as%20opposed%20to%20a%20more%20generic%20AllowHTTPSout%20polcity%20that%20will%20occlude%20that%20policy.%3C/p%3E

Enter a new name to the new policy

%3Cp%3E%3Cspan%20style%3D%22font-size%3A%2014px%3B%22%3EFor%20the%20new%20policy%20that%20blocks%20https%20out%20instead%20of%20choosing%20a%20routing%20zone%20which%20the%20earlier%20policy%20uses%2C%20we%20will%20choose%20a%20virtual%20network%20within%20that%20routing%20zone%2C%20pick%20a%20particular%20virtual%20network%20with%20the%20destination%20for%20external%20endpoint.%20Please%20note%20that%20an%20endpoint%20is%20basically%20just%20a%20predefined%20address%20or%20a%20subnet.%3C/span%3E%3C/p%3E

%3Cp%3E%3Cspan%20style%3D%22font-size%3A%2014px%3B%22%3EFor%20the%20new%20policy%20that%20blocks%20https%20out%20instead%20of%20choosing%20a%20routing%20zone%20which%20the%20earlier%20policy%20uses%2C%20we%20will%20choose%20a%20virtual%20network%20within%20that%20routing%20zone%2C%20pick%20a%20particular%20virtual%20network%20with%20the%20destination%20for%20external%20endpoint.%20Please%20note%20that%20an%20endpoint%20is%20basically%20just%20a%20predefined%20address%20or%20a%20subnet.%3C/span%3E%3C/p%3E

Click%20to%20add%20a%20new%20rule

Click%20to%20add%20a%20new%20rule

%3Cp%3EAdd%20a%20new%20name%20and%20then%20Choose%20deny.%20For%20destination%20port%2C%20we%20will%20use%20443.%20Then%20Click%20Create.%3C/p%3E

%3Cp%3EAdd%20a%20new%20name%20and%20then%20Choose%20deny.%20For%20destination%20port%2C%20we%20will%20use%20443.%20Then%20Click%20Create.%3C/p%3E

%3Cp%3EWe%20can%20also%20see%20right%20away%20that%20Apstra%20has%20automatically%20resolved%20this%20policy%20conflict.%20Click%20on%20the%20conflicts%20tab%20to%20view%20more%20details.%3C/p%3E

%3Cp%3EWe%20can%20also%20see%20right%20away%20that%20Apstra%20has%20automatically%20resolved%20this%20policy%20conflict.%20Click%20on%20the%20conflicts%20tab%20to%20view%20more%20details.%3C/p%3E

%3Cp%3ENotice%20the%20more%20specific%20policy%20that%20is%20for%20one%20single%20network%20will%20be%20prioritized%20over%20the%20more%20generic%20policy%20based%20on%20the%20prior%20settings.%3C/p%3E

%3Cp%3ENotice%20the%20more%20specific%20policy%20that%20is%20for%20one%20single%20network%20will%20be%20prioritized%20over%20the%20more%20generic%20policy%20based%20on%20the%20prior%20settings.%3C/p%3E

Thank%20you%21

Thank%20you%21