In this Demo
  • In this dashboard view, we see all the existing security policies. For example, the AllowHTTPSout policy allows HTTPS traffic outbound from the "Red" routing zone, the second policy, named AllowICMP, allows ICMP traffic between a couple of virtual networks, and the DenyAll policy denies all external traffic to the internal Red routing zone. Apstra's advanced capabilities enable conflict management between multiple policies. Let us click on the Settings tab to understand that capability a bit more.
  • We can choose to prioritize more specific policies. This means that if we are allowing SSH from a particular host, but later on choose to deny SSH from the entire network that the host is on, Apstra will automatically prioritize the more specific policy over the more generic policy. Let us see what happens when we enforce this priority. Click to return to the policies view.
  • For the purpose of this demo, we will create a more specific policy, as opposed to the more generic AllowHTTPSout policy, that will occlude that policy.
  • Enter a name for the new policy.
  • For the new policy that blocks HTTPS out, instead of choosing a routing zone as the earlier policy does, we will choose a virtual network within that routing zone: pick a particular virtual network as the source, with the destination set to an external endpoint. Note that an endpoint is simply a predefined address or subnet.
  • Click to add a new rule.
  • Add a name and then choose Deny. For the destination port, we will use 443. Then click Create.
  • We can see right away that Apstra has automatically resolved this policy conflict. Click on the Conflicts tab to view more details.
  • Notice that the more specific policy, which applies to one single virtual network, is prioritized over the more generic policy, based on the setting we enabled earlier.
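To make the conflict resolution in these steps concrete, here is an added Python model (not Apstra's code or API) of the demo's two policies: a scope is a path (routing zone, then virtual network, then host), a policy matches a flow when its scope is a prefix of the flow's source path, and with the "prioritize more specific policies" setting the deepest matching scope wins. The DenyHTTPSout name, the VN1/host values and the behaviour without the setting (plain policy order) are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    protocol: str            # "tcp", "udp" or "icmp"
    dst_port: "int | None"   # None matches any port (e.g. for ICMP)

@dataclass(frozen=True)
class Policy:
    name: str
    source: tuple            # scope path: ("Red",) = routing zone, ("Red", "VN1") = VN inside it
    destination: str         # endpoint label, e.g. "external"
    rules: tuple

@dataclass(frozen=True)
class Flow:
    source: tuple            # full path of the sending workload, e.g. ("Red", "VN1", "10.1.1.5")
    destination: str
    protocol: str
    dst_port: "int | None"

def matching(policies, flow):
    """(policy, first matching rule) pairs whose source scope is a prefix of the flow's source."""
    hits = []
    for p in policies:
        if p.destination != flow.destination or flow.source[:len(p.source)] != p.source:
            continue
        for r in p.rules:
            if r.protocol == flow.protocol and r.dst_port in (None, flow.dst_port):
                hits.append((p, r))
                break
    return hits

def conflicts(policies, flow):
    """Names of the matching policies when they disagree on the action, else []."""
    hits = matching(policies, flow)
    return [p.name for p, _ in hits] if len({r.action for _, r in hits}) > 1 else []

def decide(policies, flow, prefer_specific=True):  # -> (action, winning policy name)
    hits = matching(policies, flow)
    if not hits:
        return (None, None)  # no policy covers this flow
    if prefer_specific:  # deepest scope wins; stable sort keeps policy order on ties (assumed)
        hits.sort(key=lambda pr: len(pr[0].source), reverse=True)
    return (hits[0][1].action, hits[0][0].name)

# Constructed sample: AllowHTTPSout for the whole Red routing zone, plus the narrower deny
# policy the demo creates (its name is not given in the demo, so DenyHTTPSout is made up).
POLICIES = [
    Policy("AllowHTTPSout", ("Red",), "external", (Rule("allow", "tcp", 443),)),
    Policy("DenyHTTPSout", ("Red", "VN1"), "external", (Rule("deny", "tcp", 443),)),
]
```

Running `conflicts` over a flow from a VN1 host shows both policies in conflict, and `decide` shows the narrower DenyHTTPSout winning only while `prefer_specific` is on, which is the behaviour the Conflicts tab reports.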
  • Thank you!