How to Automatically Discover Policies
Perform the following steps. At any point, you can decide to discover policies again.
Work with colleagues as needed to complete these steps.
Step | Do This | More Information |
---|---|---|
1 | Upload and label your workload inventory, and gather flow data that inform policy discovery. | See Get Started with Segmentation and Microsegmentation and subtopics. |
2 | Choose whether you discover policies for: | See Discover Policies for One Scope or for a Branch of the Scope Tree. (You can always discover policies again at any time.) |
3 | Choose the scope in which you discover policies. | This depends in part on whether you discover policies for a single scope or for a branch of the scope tree. |
4 | Choose the workspace in which you discover policies. | Generally, you will discover policies in the scope's primary workspace, because you can only analyze policies in a primary workspace. (However, you can always change a workspace to primary later.) If your chosen scope does not yet have a workspace, see Create a Workspace. |
5 | Confirm the inventory that you expect to include in policy discovery. | |
6 | (Optional) Create inventory filters to group workloads that you want to treat as a group. | |
7 | Set the Catch-all action for the workspace. | |
8 | Discover Policies | Discover Policies Automatically. Be sure to complete the prerequisites in the "Before You Begin" section. |
9 | View and manage the clusters (groups of workloads) that policy discovery creates. (This step applies only when you discover policies for a single scope; clusters are not generated when you discover policies for a branch of the tree.) | See Clusters and subtopics. Evaluate the suggested clusters, optionally edit cluster membership as needed, and approve (or better, convert to inventory filters) any clusters that you want to make permanent. |
10 | Consider complexities such as policy inheritance and cross-scope policies. | |
11 | Review generated policies. | See Review Automatically Discovered Policies and subtopics. |
12 | Approve policies that you want to keep. | |
13 | Discover policies again as desired, to reflect additional flow data, changes in scope membership, or other changes. | Important: Before You Re-run Automatic Policy Discovery. You can rerun policy discovery at any time. Review and approve policies and clusters each time you discover policies. |
14 | Run live analysis to see how your policies affect your actual traffic. | When you believe that your policies do what you expect them to do, start Live Policy Analysis. If you change policies or rediscover policies, restart policy analysis (to analyze the current policies). |
15 | If you re-discover policies or make other changes, restart live analysis. | |
16 | When you are confident that the policies will not block essential traffic, enforce the workspace. | See Enforce Policies and subtopics. |
17 | Verify that enforcement is working as expected. | |
18 | (Optional) Configure default policy discovery settings that optionally apply when discovering policies in any workspace. | See Default Policy Discovery Config and linked topics. Because these are advanced settings, we recommend that you change them only if you have a specific need to change them. You can change them at any time during your process as you realize a need. |