Understanding Clarity Views

In this topic:

    AWS Cloud accounts

    Security groups view

    The Security Groups view displays the security group configuration visually and is interactive.

    Dome9 visualizes the chosen VPC and displays the traffic sources, permitted traffic paths, security groups, and the degree to which each security group is exposed to the Internet.

    cv1.png

    For detailed information on the different zones, see Clarity Controls and symbolization.

    Clicking any object displays context and additional information in the column on the right.
    cv2.png

    For traffic sources: for individual IPs or ranges, traffic target information is displayed.
    For Dome9 IP list objects, list contents and traffic target information are displayed:
    cv3.png

     

    For security groups: the information displayed for any given security group includes instance assignments, rule sets (color-coded to match the Clarity legend indicating exposure to the Internet), permitted traffic sources and traffic targets.

    cv4.png

    While in Security Groups view, in addition to the context provided when clicking objects, permitted traffic flow is also displayed in the main area when a resource is selected.
    cv5.png


    Permitted traffic sources are displayed in orange and permitted traffic targets are displayed in blue.

    The numbers found in the top right of each security group display how many protected assets have been assigned to each group.
    cv6.png

    If no numbers are displayed, that security group has no protected assets attached to it.

    When Show Peered VPC is selected, a peered VPC security group that appears as a source is shown with a VPC tag marking it as a peered VPC source.

    The peered security group is shown as an external source with a link to the security group it is allowed to access. When the security group of the peered VPC is highlighted, details about it are shown.
    cv7.png


    If the security group is managed via Dome9, you can open the referenced security group in Dome9 Central, or click Switch VPC to view the Clarity of the reverse view.

    cv8.png

    Effective Policy View

    The Effective Policy view shares some characteristics with the Security Groups view (such as traffic source visualization) but focuses on instance membership within the security groups associated with any given VPC.

    Select 'Effective Policy' in the drop-down or in the VPC view selector.
    cv9.png

    Dome9 visualizes 'common policy groups'. These are groupings of security groups that apply to one or more instances. That is, the view shows which security groups, in combination with others, make up the effective policy for any given instance.

    In contrast to the Security Groups view, if security groups are not assigned to any instances, they will not be displayed in the Effective Policy view.
    cv10.png
    Each grouping displayed contains one or more instances as members. The security group names are listed as labels on each grouping.
    When an object is clicked, the information displayed in the context pane on the right is as follows:

    1. For traffic sources, the information is the same as in the Security Groups view: for individual IPs or ranges, traffic target information is displayed. For Dome9 IP list objects, list contents and traffic target information are displayed.
    2. For individual groupings of effective policy, the following information is displayed:
      cv11.png
      The information displayed includes:
      1. The number of security groups grouped together against one or more instances.
      2. The name and description of each of these groups (including links to open them in Dome9 Central).
      3. The number and names of the instances sharing this common policy.
      4. The resulting effective cumulative policy of this 'multi security group to one resource' assignment.
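
    The grouping described above can be reproduced offline when reviewing an exported configuration. The following is an added example, not Dome9 code: it assumes the effective cumulative policy is the union of the attached groups' inbound rules (AWS security group rules are allow-only), and all names and data in it are constructed.

```python
from collections import defaultdict

# Constructed sample data (not from a real account): inbound rules per security
# group as (protocol, port, source CIDR), and the groups attached to each instance.
SG_RULES = {
    "sg-web": {("tcp", 443, "0.0.0.0/0"), ("tcp", 80, "0.0.0.0/0")},
    "sg-admin": {("tcp", 22, "203.0.113.0/24")},
    "sg-db": {("tcp", 5432, "10.0.1.0/24")},
    "sg-unused": {("tcp", 3389, "0.0.0.0/0")},
}
INSTANCE_SGS = {
    "web-1": ["sg-web", "sg-admin"],
    "web-2": ["sg-admin", "sg-web"],
    "db-1": ["sg-db", "sg-admin"],
}

def common_policy_groups(instance_sgs, sg_rules):
    """Group instances by the exact set of security groups attached to them and
    compute each grouping's effective policy as the union of those groups' rules
    (assumption of this example: allow-only rules, so cumulative means union)."""
    members = defaultdict(list)
    for instance, sgs in instance_sgs.items():
        members[frozenset(sgs)].append(instance)  # attachment order is irrelevant
    groups = []
    for sg_set, instances in members.items():
        effective = set().union(*(sg_rules[sg] for sg in sg_set))
        groups.append({
            "security_groups": sorted(sg_set),
            "instances": sorted(instances),
            "effective_policy": sorted(effective),
            "internet_exposed": any(src in ("0.0.0.0/0", "::/0")
                                    for _, _, src in effective),
        })
    return sorted(groups, key=lambda g: g["security_groups"])

def unassigned_security_groups(instance_sgs, sg_rules):
    """Security groups attached to no instance; the view does not display them."""
    used = {sg for sgs in instance_sgs.values() for sg in sgs}
    return sorted(set(sg_rules) - used)

if __name__ == "__main__":
    for g in common_policy_groups(INSTANCE_SGS, SG_RULES):
        print(g["security_groups"], g["instances"],
              "internet-exposed:", g["internet_exposed"])
        for proto, port, src in g["effective_policy"]:
            print(f"    allow {proto}/{port} from {src}")
    print("not shown (no instances):",
          unassigned_security_groups(INSTANCE_SGS, SG_RULES))
```

    Note that `sg-unused` allows RDP from anywhere yet is absent from the groupings, so unattached groups still need review in the Security Groups view.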

     

    Azure Cloud accounts

    Effective Policy View

    We group instances together in order to make large environments more readable.
    Grouping is done for instances that:
    • share the same effective network, meaning that they have the same inbound traffic allowed.
    • share similar names.

    cv12.png