Protected Assets

    In this section of the CloudGuard Dome9 console, you can see a summary of assets in your VPCs that are protected by CloudGuard Dome9. These assets can include, for example, instances (such as EC2s), RDSs, and load balancers. Dome9 fetches information about these assets from the cloud platforms (AWS, Azure, Google) and presents it in a console view. Further, CloudGuard Dome9 monitors the security posture of these assets in the Compliance Engine and, for those that are fully protected by Dome9, actively makes corrections (for example, by applying or changing a Security Group policy, if it was incorrectly configured).

    You can filter or search the list by asset type, region, VPC, and other conditions to find specific assets of interest. You can select an asset in the list to show more detail. The detail depends on the type of asset, but is typically the security group or firewall policies that are active on the asset. For some assets, you can see flow logs. If your cloud account is managed by CloudGuard Dome9 in full-protection mode, you can also change the network security settings.

    You cannot set other details for your assets here; this is done in your cloud account with your cloud platform.

    Value to customers

    Dome9 presents a single console view of your cloud assets, on all platforms, from which you can search or filter for specific assets of interest, and see details about their security posture.

    For some asset types, you can apply Security Group or IAM policies directly from the CloudGuard Dome9 console.


    Here are some typical use-cases for the CloudGuard Dome9 Protected Asset console view.

    • find assets matching specific criteria

    • quickly access flow logs for an asset

    • review attributes and status for an asset

    • review and change the security policies for an asset



    View your assets

    The main page shows assets that are protected by Dome9, organized by Organizational Unit, cloud provider, account, region, and VPC. Use the filter pane on the left to filter the list, or search for assets by name in the search box.

    Click on one of the assets in the list to see more details for it. This shows an Entity View of the attributes of the asset (the attributes shown vary according to the asset).


    Modify details (instances only)

    You can modify some details for assets that are instances (EC2s on AWS, or virtual machines on Azure or Google), if the asset is managed by Dome9 in Full Protection mode.

    For AWS instances:

    You can add Security Group or NACL policies to AWS instances.

    1. Click on an instance-type asset in the list to show details for it. You can modify network settings in the Network Security Policies tab, or in IAM Policies.

    2. Click to attach a security group or NACL to the instance (from those already defined; to define a new security group or NACL, go to Security Groups).

    3. Select the group or NACL, and then press ATTACH.

    For Azure:

    You can modify the rules of Security Groups that are applied to virtual machines. You cannot add or remove the Security Group itself.

    1. Click on the instance in the list.

    2. Click on the Subnet NSG Policy that you wish to modify, and then click on (the security group must be set to Manage, not Read Only, to do this)

    3. Click to change a firewall rule, or to delete it. See Azure Network Security Groups for details about modifying Network Security Groups (NSGs).


    View flow logs

    Some assets are configured to allow Dome9 access to flow logs. These are marked with an icon. Click on this icon to show the flow logs. See VPC Flow Logs for details about controlling this view.

    Export protected asset information

    You can export information for protected assets to a CSV file.

    1. Select a view of the protected assets of interest, using the filter pane.
    2. Click  in the upper right, and then select whether to export the filtered view, or all assets.