Enable Policy Enforcement

Enforcing policies delete existing firewall rules and write new firewall rules on every workload in the scope that is affected by this workspace.

If you have not properly verified that your policies are working correctly, enforcing policies can change the way that your applications work and disrupt business operations.

Before you begin

Initially, when you enforce policies, consider setting the catch-all to Allow. Then, monitor traffic to see what matches the catch-all rule. When no necessary traffic is matching the catch-all rule, you can set the catch-all to Deny.
If you enforce workspaces in multiple scopes at once, you can enforce only analyzed workspaces. If you enforce a single workspace using the second method that is described in the procedure below, analyzing the policies in the workspace before you enforce them is recommended but not required.

See Live Policy Analysis and subtopics.
The wizard for enforcing a single scope is more detailed than the wizard that offers the option to enforce multiple scopes simultaneously. If you require the features in Policy Enforcement Wizard, use the second method that is described in the procedure below.
IMPORTANT! Verify that the policies are correct.

Policy results in any workspace may be affected by enforced policies in other scopes. Before policy enforcement is enabled on a workspace, the Policy Enforcement page shows how flows are affected by enforced policies in the workspaces associated with other scopes. For example, a broad “Production hosts should not talk with Non-Production hosts” policy in the enforced workspace of a parent scope may impact traffic on workloads belonging to an application in a child scope.

If no new information is being shown in the Enforcement charts, make sure that the correct time range is selected.

For information about the information you see on the Enforcement page, see Live Analysis Live Policy Analysis and subtopics. (The same information for Live Analysis also applies to the Policy Enforcement page.)

If live analysis results differ from results on the Enforcement page, make sure the scopes, policy versions, and time range being analyzed are the same as the scopes, policy versions, and time range being used to generate results on the Enforcement page.
Understand how agents enforce policies on each platform. See:
- For Windows and Linux workloads, see Policy enforcement with Agents and subtopics.
- For Kubernetes and OpenShift, see Policy Enforcement on Containers.
- For load balancers, see Policy Enforcement on Citrix Netscaler and Policy Enforcement on F5.
- For cloud-based workloads configured using cloud connectors, see:
  - Best Practices when Enforcing Segmentation Policy for AWS Inventory and linked topics.
  - Best Practices when Enforcing Segmentation Policy for Azure Inventory and linked topics.
You must have the required permissions to enforce policies. Ensure you have the ability to enforce or higher access for the scopes. Users with other abilities on the scope can still view this page, but will not be able to enforce (or disable) new policies.
Verify that all relevant installed agents and other enforcement endpoints such as cloud connectors are ready to enforce policy. For a list of agent health and readiness checks, see Check Agent Health and Readiness to Enforce.

Some of these checks must wait until after enforcement; for example, you should enable enforcement on cloud connectors only after you have enabled enforcement in the workspace. For installed agents, you will typically enable enforcement in the agent configuration before you enforce the workspace.

Procedure

From the navigation pane, choose Defend > Segmentation.

You can enforce policies for one scope or for multiple scopes at the same time:

To enforce policy for multiple scopes at the same time:

(Only workspaces that have been analyzed can be enforced using this process.)

Click the caret on the right side of the page to display the Tools pane:
Click Enable Enforcement.
Click Next to start the wizard.
Select one workspace to enforce.

(The option to enforce workspaces for additional scopes is on the last page of the wizard.)
Click Next.
Choose the version of that workspace to enforce, then click Next.
To simultaneously enforce policies for another scope, click + Add Another Workspace and complete the steps.

Repeat as needed for additional scopes.
Click Accept and Enforce.

To enforce policies for a single scope:

Navigate to the primary workspace for the scope for which you want to enforce policy.
Click Manage Policies.
Click Enforcement.
Click Enforce Policies.
Step through the wizard.

For wizard details, see Policy Enforcement Wizard.

Click Accept and Enforce on the final page of the wizard to push new firewall rules to the assets that are affected by policies in this workspace. A label flag is created at the time of enforcement:

Policy Enforcement page showing Label flag after enforcement — ***Figure 1: Policy Enforcement Page with Enforcement Enabled***

You may need to refresh the page to see the flag.

What to do next

If you enforced policy for a single workspace, consider whether workspaces for other scopes must also be enforced to achieve the expected enforcement outcomes.

For example, workspaces for ancestor scopes or scopes that include workloads that are involved in cross-scope policies may also need to be enforced.
Enforcement will not occur until enforcement is enabled for the agents, cloud connectors, and/or external orchestrators that enforce the policies:
- For workloads with installed agents, enforce policy in the agent config for the relevant scopes and inventory filters. See Software Agent Configuration and subtopics.
- For cloud-based workloads configured using cloud connectors, see:
  - Best Practices when Enforcing Segmentation Policy for AWS Inventory and linked topics.
  - Best Practices when Enforcing Segmentation Policy for Azure Inventory and linked topics.
- For Kubernetes and OpenShift, see:
  - For Kubernetes and OpenShift, see Policy Enforcement on Containers.
- For load balancers, see:
  - Policy Enforcement on F5.
  - Policy Enforcement for F5 Ingress Controller.
  - For load balancers, see Policy Enforcement on Citrix Netscaler.
Check to be sure enforcement is working as expected. See Verify Enforcement Works as Expected.
Configure alerts so you are notified of any issues, for example if flows are rejected after enforcement is enabled.

Previous topic Check Agent Health and Readiness to Enforce Next topic Policy Enforcement Wizard