Free Trial: Policy Generator

Policy Generator Lesson

Creating rules to ring-fence an application by using the security policy automatically created by Policy Generator.

Essential concepts

Before you begin the tutorial you need understand the following concepts.

Rulesets and rules: The whitelist policies that use labels to generate customized port connections for each workload. Rules are collected into rulesets for versioning. Policies are pushed out to workloads with the matching labels by a process call provisioning.

Providers and consumers: The whitelist model is provider centric. The Illumio model is provider centric. You declare what ports on providers can be accessed by consumers.

Role labels: The function of a workload; e.g., for a simple two-tier application consisting of a web server and a database server: Web and Database. Assigning Role labels to workloads allows you to create advanced segmentation policies.

Application groups: Are collections of workloads with the same Location, Environment, and Application labels. Applications are a control point for policy. Policy Generator uses application groups as the essential unit.


Lesson prerequisites

This lesson requires you to have the following data, access, and systems.

5 to 20 workloads: That are running and that you’ve paired with the PCE.

Fully-labeled workloads: The workloads have all four labels assigned to them.

Active connections on the workloads: The hosts need to have running applications that are generating traffic data.



About Policy Generator

The PCE web console provides several ways to create security policies for your applications. In this lesson, you will use Policy Generator to create your security policy.

Policy Generator simplifies the Illumio policy creation process by recommending the optimal security policy for your application groups. Policy Generator uses discovered traffic flows to build segmentation policies, thereby saving security teams critical time, accelerating the security workflow, and reducing the risk of human errors. Moreover, it’s the simplest way to micro-segment your applications and does not require that you be a security expert or know the IP addresses of all your workloads.

In this lesson, you will secure and segment an application by creating an application ringfencing; ringfencing separates individual applications, preventing cross-application communications. All the workloads in the application group can communicate with each other across all services.


Ways to access Policy Generator

There are multiple ways to access Policy Generator. In this lesson, you access Policy Generator from Illumination.

1. From the Illumination map, select an App Group’s oval border.
IMPORTANT  Make sure the Illumination map is in Draft view before continuing.

2. In the command panel, click Start Policy Generator. The first page of Policy Generator appears with the application group selected.




Create intra-scope rules at the App Group level

The first time you use Policy Generator for an application group, it creates a new draft ruleset with the title of the selected group. You review the proposed rules before you save them into a draft ruleset. For Windows, Policy Generator detects Windows processes and services and creates the rules accordingly.

1. Click Start with Intra-Scope.




The Intra-Scope Rule Configuration page appears. By default, the option to create policy for application ringfencing (the App Group Level option) is selected.

The page displays all detected connections for the application group, including details about the labels, ports, and protocols, in the Review All Connections section. You cannot exclude any connections from the ruleset because a ringfence policy allows all workloads in the group to talk across all services.

1. Click Next. The preview page appears.

2. To accept the proposed rules, click Save and OK.

Provision policies

Now that the security policy exists, apply it to the affected workloads so that the VENs add the rules to their native OS firewalls. The process of applying a draft policy is called Provisioning.

1. To apply the policy to the workloads, provision the new policy. Click the Provision icon on the web console top toolbar and select Pending Changes.




The list displays all policy items that have been added, modified, or removed. The top of the page shows a summary of changes based on item type. 

2. Select all the new rulesets, rules, and services created for your application ringfence and click Provision.







When a policy is provisioned, the policy is made Active. Viewing the Reported view in the Illumination map confirms that the traffic is now allowed.



You can run Policy Generator as many times as you like to get the right policy model.



Congratulations! You have successfully completed this tutorial to apply an application ringfence to your first set of workloads.

This tutorial is complete.


Any questions, please contact us at

Try Illumio Edge

The browser you are using doesn't support our submission form. Please consider an alternative browser or disabling the private browsing feature.

A phone call works too: 1-855-426-3983

Swag Request

The browser you are using doesn't support our submission form. Please consider an alternative browser or disabling the private browsing feature.

A phone call works too: 1-855-426-3983

Try Illumio Core

The browser you are using doesn't support our submission form. Please consider an alternative browser or disabling the private browsing feature.

A phone call works too: 1-855-426-3983