Rule Writing

This topic explains how to create the different types of rules in the Illumio Xpress. For descriptions of the types of rules, see Rules.

TIP:

You can also use the Xpress Explore map to write rules.

Create a Rule

Rules allow or deny communication between a source and a destination.

  1. If necessary, create a Ruleset or open an existing one from Policy > Rulesets and Rules. See Rulesets for more information.
  2. Select the Add button and choose from the following:
  • Add Override Deny Rule
  • Add Allow Rule
  • Add Deny Rule
  3. From the Sources drop-down list, select or type the name of the source of the service.
  4. (Optional) From the Source Process / Service drop-down list, select a process or service. If none are displayed, you can add one.
  5. In the Destinations drop-down list, select or type the name of the destination of the service (for example, Database). You can select from a range of entity types, such as an individual workload or an unmanaged workload.
  6. From the Destination Services drop-down list, select a service (for example, PostgreSQL).

    NOTE:

    Only one service or all services can be selected.

  7. (Optional) In the Select Rule Options drop-down list, select any of the available options.
  8. After completing your selections, click the Save icon at the end of the row for that rule.

    NOTE:

    To edit this rule, click the Edit icon at the end of the row.

    After adding a rule, the Provision Status column displays a green Pending icon. To enforce this rule, you must provision the change. For more information about provisioning, see Provisioning.

Create a Service While Creating a Rule

To make rule writing easier, you can create a new service in a ruleset as you are writing rules.

  1. Create a rule.
  2. In the Destination Services drop-down list, select Create Service.

  3. In the Create Service pop-up that appears, enter a name for the service in the Name field and optionally a description in the Description field.
  4. In the Attributes section, choose whether you want to create a Port-Based or Windows Service-Based service.
  5. In the Ports section, enter the ports (including any UDP ports) used by the service. To enter a range, separate the port numbers by a hyphen (-). You can also copy and paste lists of services. To delete a row, use Shift+Delete.
  6. Click OK.

Tips for Managing Rules

  • To modify an existing rule, click the Edit icon at the end of the rule row.
  • To disable, remove, duplicate, or reverse an existing rule, click the breadcrumb (...) icon for that rule at the end of the row.

  • To remove multiple rules, select their checkboxes and click the Remove button at the top of the page.
  • To enable or disable multiple rules, select their checkboxes and click the Disable button at the top of the page.
  • To filter your existing rules, click the Filter icon at the top of the page. The filter drop-down menu appears. Click the drop-down list and select an option to filter rules by label, IP lists, label groups, workloads, user groups, services, All workloads, or Any (0.0.0.0/0 and ::/0). If there are no rules that match the selected criteria, a message appears indicating that no rules match your filter criteria.
  • After creating or modifying a rule, an icon appears in the Provision Status column indicating the current provisioning status of the rule (for example, Addition Pending or Removal Pending).

Add a Note to a Rule

You can add a note to a rule to document more information about that rule for context. The note is visible to all users in the organization, but can only be edited by users with Ruleset Manager privileges for the ruleset.

NOTE:

You must provision the changes after adding a note to a rule.

  1. Select a rule on the Rulesets page.
  2. Click the Edit icon and select Add Note.
  3. Enter the note in the drop-down entry field that appears. You can enter up to 255 characters.
  4. Click the Save icon. You must provision the changes to confirm the note.

Details:

  • To indicate the rule contains a note, a note (text bubble) icon is displayed near the end of the row.
  • To edit an existing note, select the Note icon. The entry field displays the existing text. Make any needed changes, then click the Save icon in the lower-right to save the changes to the note.

Duplicate a Rule

  1. Select the ruleset on the Rulesets page.
  2. Select the breadcrumb (...) icon next to the Edit icon of the rule to be duplicated.
  3. Select Duplicate. The rule is duplicated in Edit mode, allowing you to make any needed changes.
  4. Click the Save icon.

After saving the duplicate rule, you must provision the ruleset changes to apply them.

Reverse a Rule

To expedite the rule writing process, you can duplicate and reverse existing rules. The entity selected as the destination in the original rule will be the source in the reversed rule and the entity selected as the source in the original rule will be the destination.

Caveats:

  • Only rules that use the following resources are supported: Labels, label groups, workloads, IP lists, All workloads, and Any
  • When you do not have sufficient privileges due to RBAC, an error message displays
  • Only one rule can be reversed at a time
  • When the original rule is disabled, the reversed rule is disabled as well

To reverse a rule (swap its source and destination):

  1. Select the ruleset on the Rulesets page.
  2. Select the breadcrumb (...) icon next to the Edit icon of the rule to be reversed.
  3. Select Reverse. The rule is reversed in Edit mode allowing you to make any needed changes.
  4. Click the Save icon.

After saving the reversed rule, you must provision the ruleset changes to apply them.
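The following is an added example, not Illumio's code, that models the reversal caveats listed above: only the supported resource kinds can be swapped, one rule is reversed at a time, and a disabled original yields a disabled reversed copy. The rule structure and resource kind names are assumptions for illustration.

```python
# Added example (not Illumio's code): models the Reverse a Rule caveats.
# Rule fields and resource kind names below are assumptions for illustration.
from dataclasses import dataclass, replace

# Resource kinds the page lists as supported for reversal (names assumed).
REVERSIBLE_KINDS = {
    "label", "label_group", "workload", "ip_list", "all_workloads", "any",
}


@dataclass(frozen=True)
class Actor:
    kind: str   # e.g. "label", "ip_list"; "process" is a hypothetical unsupported kind
    name: str


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow", "deny" or "override_deny"
    sources: tuple[Actor, ...]
    destinations: tuple[Actor, ...]
    service: str
    enabled: bool = True
    provision_status: str = "active"  # constructed status value


def reverse_rule(rule: Rule) -> Rule:
    """Return a new rule with sources and destinations swapped.

    Raises ValueError if any source or destination uses a resource kind that
    reversal does not support. The enabled flag is carried over unchanged, so
    a disabled original produces a disabled reversed rule. The result is
    marked as pending because it still has to be provisioned.
    """
    for actor in rule.sources + rule.destinations:
        if actor.kind not in REVERSIBLE_KINDS:
            raise ValueError(
                f"cannot reverse rule: unsupported resource kind {actor.kind!r}"
            )
    return replace(
        rule,
        sources=rule.destinations,
        destinations=rule.sources,
        provision_status="addition_pending",
    )
```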

Reorder Rules

Ruleset owners can rearrange rules in a specific order to improve readability on the Rulesets details page. Different rule types can be reordered independently.

After reordering the rules, you must provision the changes for them to take effect. Rearranging rules does not affect the order in which they are enforced in the policy.

NOTE:

You can only reorder rules in rulesets that you own. For more information, see Role-Based Access Control in the PCE Administration Guide.

To customize the arrangement of the rules, click Reorder Rules.

When you hover over a rule, it is highlighted in the list. To move it, drag and drop the rule to its new location in the list. The other rules are rearranged to accommodate the move. When you place the rule in its new location, the numbers of the rules are reassigned to reflect the new order. If you delete a rule, it remains in place but is appended with “Deletion Pending.” When you have finished rearranging the rules, click Save Order to confirm the new order for the rules.

NOTE:

If more than one user is reordering the rules at the same time, the most recent changes are saved.