
Discover Policies for One Scope or for a Branch of the Scope Tree

If only one of these options is possible when you discover policies for a particular scope, that option is selected for you and you will not see a choice of options.

Table 1. Discovering Policies For

| A Branch of the Scope Tree | A Single Scope |
|---|---|
| Use this method as a starting point, when you are beginning to use Secure Workload, to quickly generate a temporary set of coarse policies that allow existing traffic while helping to protect your network from future threats. | Use this method to fine-tune segmentation policies and ensure that all allowed flows are expected; the smaller number of policies makes it easier to see any existing anomalies that require investigation. |
| Typically, you use this method for scopes nearer the top of your scope tree. The top of the branch can be any scope in the tree. | Typically, you use this method for scopes at or near the bottom of your scope tree, for example for scopes dedicated to a single application. |
| Discover policies only in one scope: the scope at the top of the branch that you choose. | Discover policies for each scope in the branch as needed. |
| All workloads in the chosen scope and all child and descendant scopes are included in discovery. | Workloads that are also members of any child scope are not included in discovery for this scope. Policies are generated only for workloads that appear in the Uncategorized Inventory tab for that scope on the Organize > Scopes and Inventory page. You can discover policies for workloads in child and descendant scopes separately. |
| All policies for workloads in all scopes in the branch reside in the scope at the top of the branch. | Assuming you also create policies for workloads in child and descendant scopes, policies reside in multiple scopes. |
| This method typically generates a large number of policies. | This method generates fewer policies in any individual scope. |
| Discovered policies apply to entire scopes; this option cannot create policies specific to subsets of workloads within scopes. | This option can generate policies that apply to subsets of workloads within the consumer and/or provider scope. (Workloads can be grouped by generated clusters and/or by configured inventory filters, and policies applied just to these subsets.) |
| All policies are created in a single scope at the top of the branch, so extra steps are not required when a policy's consumer and provider are in different scopes. | Allowing traffic between consumers and providers in different scopes requires extra steps. See When Consumer and Provider Are in Different Scopes: Policy Options. |
| Discovery can run even if a scope does not have any member workloads with installed agents, as long as descendant scopes have agents or external orchestrators or connectors that gather flow data. | The scope must have member workloads with installed agents or external orchestrators or connectors that gather flow data. |
| This option is available to root scope owners and site admins only. | You must have privileges to create policies for this scope. |
| This option was formerly the Deep Policy Generation advanced configuration option for automatic policy discovery. The behavior has not changed. | This was formerly the default behavior for automatic policy discovery. |

The maximum number of agents and conversations is different for each option. See Limits Related to Policies.

For additional details on the branch option, see Discovering Policies for a Branch of the Scope Tree: Additional Information.
