DocumentationAPI Reference

Policy Advisor

Suggest Edits

The Cisco Panoptica Policy Advisor can assist you in defining the right set of policy rules for your protected clusters. This will ensure that your runtime environment is correctly configured for the workloads and traffic patterns you want.

The Advisor suggests rules for you to add to your Panoptica Runtime Policies, based on actual activity in your environments. You can accept the suggestions, or ignore them.

The Policy Advisor offers these suggestions

  • Environments - suggested environments that should be added, for workloads that are are not in environments. These are suggested on the ENVIRONMENTS tab of the Deployments page.
  • Deployment rules - suggested deployment rules to permit workloads to run in environments, that are not otherwise covered by other environment rules. These are suggested on the DEPLOYMENT RULES tab of the Policies page.
  • Connection rules - suggested rules for connections between workloads, not otherwise covered by other connection rules. These are suggested on the CONNECTION RULES tab of the Policies page.
  • Pod Standards - suggested rules for Pod Security Standards. These are suggested on the POD STANDARDS tab of the Policies page.

Environment Advisor

The Environment Advisor suggests environments for your deployments that are not currently in a Panoptica environment.

From the advisor, you can create the suggested Environments, which is then added to the list in the ENVIRONMENTS tab.

539

Click CREATE ENVIRONMENT to create a suggested environment from the Advisor.

Deployment Rule Advisor

The Deployment Rule Advisor suggests deployment rules for workloads that are running on your clusters, but for which no current rules apply.

The default action for these rules will be 'detect', but you can change this to 'allow' or 'block'.

You can open the Policy Advisor at any time. The suggested rules are based on the workloads active at the time you open it.

Click APPLY RULE to apply a selected rule. You also can make bulk selections, and apply several selected rules together. The applied rules will appear on the list of deployment rules. You can modify, delete, or move these rules, as you can with rules you create.

You can also change the time period over which Panoptica monitors activities in your environments, to generate the recommended rules. The default is the last day.

534

Connection Rule Advisor

Panoptica analyzes the actual network traffic in your cluster and, based on this, suggests connection rules that would realize this traffic. These rules are either environment-to-environment (if there is more than one workload connecting in both the source and destination environments) or pod-to-pod (if only a single workload is connecting in either the source or destination environments) connection rules.
The suggested rule also shows the number of connections that are affected (that is, for which no other rule but this rule and default rule, apply).

The default action is 'allow' (corresponding to the observed activity), but you can change this to 'detect' or 'block'.

You can open the Policy Advisor at any time. The rules are based on the the traffic measured up to the time you open it.

Click APPLY RULE to apply a selected rule. You also can make bulk selections, and apply several selected rules together. The applied rules will appear on the list of connection rules. You can modify, delete, or move these rules, as you can with rules you create.

You can also change the time period over which Panoptica monitors activities in your environments, to generate the recommended rules. The default is the last day.

1028

Pod Standards Advisor

The Pod Standards Advisor suggests pod profiles

Create a rule from a Policy Advisor suggestion

  1. Navigate to the Policies page, and then select one of the rules tabs.
  2. Press Policy Advisor, on the right to open the Policy Advisor box.
  3. Select a suggested rule from the list. This will show detail for the rule, including the source & destination, and the suggested action (these will initially be Allow). It also shows the number of connections that are affected by the rule.
  4. Change the action for rule, as necessary.
  5. Press APPLY RULE. The suggested rule will appear a rule in the Connection policy, at the bottom of the list, above the default rule. You can change the position of the rule in the list, as with other rules.
  6. You apply several rules in a bulk action. Select the rules to apply, and then click APPLY SELECTED.

Note, rules created from the Policy Advisor are the same as rules created manually. They can be modified, ranked, enabled/disabled, and deleted.

Updated about 1 month ago