Workload group statuses in Xshield
In Xshield, the status of a Workload group determines the phase of Policy enforcement in the Policy building efforts for that group. Workload groups can be set to one of three statuses: Observed, Enforced, and Encrypted.
Observed
In this mode, traffic to or from the Workload group is observed for 'possible violations' to the overall policies (SPT, CPT, and custom Access policies) assigned to the Workload group. This observation also applies to traffic between workloads in the group. All newly added Workload groups are placed in the Observed mode and stay in this mode until you want to protect the workloads by enforcing the overall policies.
Policy-violating traffic is not Blocked but tracked as Unauthorized access attempts. Unauthorized attempts for the last 7 days can be downloaded as a CSV file for offline analysis. Also, all such traffic (belonging to other Xshield groups) is reported as Policy recommendations in Policy Builder, an Xshield feature to build policies for all Xshield groups.
For Workload groups moved to the Observed mode from Enforced or Encrypted mode, Zero Trust-based access is inactive and all new traffic is seen in Policy Builder.
Observe (Block)
While you are in the microsegmentation journey and moving towards achieving a zero trust environment, you can block malicious or suspicious communication using the Observe (Block) mode. This mode allows you to block malicious communication even before you move policies to the Enforced mode. In this mode, you can continue to author policies. The policies will be pushed to the agent only when you move the policies to the Enforce mode.
Create Block policies on Workload groups
Observe (Block) mode is restricted to Workload groups and is not applicable to User Access groups. Policies are not recommended in this mode.
Create Block Rule
- Go to Policies > Access Policies > Create Access Policy.
- Select the Rule Type as Block, specify the required parameters, and click Save.
Change Workload group status to Observe (Block) mode
- Go to Groups > Workload.
- Select the Workload group.
- Click Edit.
- Select the status as Block.
- Click Save.
In Observe (Block) mode, ‘Block’ policies are active and ‘Allow’ policies are inactive. In Enforce mode, ‘Block’ policies are inactive and ‘Allow’ policies are active. The rule state for Network and Domain groups is always inactive, as policies cannot be enforced on these groups.
Enforced
In this mode, the policies assigned in the Observed mode are enforced on the workloads in the group. Successful enforcement enables Zero Trust-based access on the workloads. Only the ports and protocols specified in the overall policies are open for access; all others are Blocked.
Typically, policies are enforced on the group (workloads) at the end of Policy simulation efforts. Policies can always be hardened or relaxed by editing the Workload groups or by editing the Policy templates and policies.
Policies can be enforced for Inbound traffic to the Workload group, Outbound traffic from the Workload group, or in both directions.
Encrypted
In this mode, traffic between the workloads in the Enforced Workload groups is encrypted with IPsec. For this mode to work for inter-Workload group traffic, both Workload groups must be in Encrypted mode.
Change Workload group status
Change the status of a Workload group to Enforced or Encrypted when you want to enforce the overall policies (SPTs, CPTs, custom Access policies such as for Xaccess) on the Workload group. Change it back to Observed whenever required.
Ensure that you gauge the impact of changing the status of a Workload group before you change it.
- Go to Groups > Workload.
- Click the Workload group.
- In the fly panel, click Edit and click Enforce.
- Select the direction of enforcement (Inbound and/or Outbound).
- Click Save.
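To gauge the impact before changing a group's status, it helps to replay observed traffic against the policies under each mode. The following Python model is an added example, not Xshield code: it encodes the rule-state matrix described above (Observed tracks violations without blocking, Observe (Block) activates only Block rules, Enforced and Encrypted activate only Allow rules with default deny in the enforced direction, Network and Domain groups never enforce) and tallies what a week of observed flows would do after enforcement. Rule and flow field names and the sample flows are constructed assumptions.

```python
from dataclasses import dataclass
from collections import Counter

@dataclass(frozen=True)
class Rule:
    kind: str       # "Allow" or "Block"
    proto: str      # "tcp" or "udp"
    port: int
    direction: str  # "Inbound" or "Outbound", relative to the Workload group

@dataclass(frozen=True)
class Flow:
    proto: str
    port: int
    direction: str

def rule_active(status, kind, group_type="Workload"):
    """Rule state per the status matrix: Network/Domain groups never enforce; Observe (Block)
    activates only Block rules; Enforced (and Encrypted, which implies enforcement) only Allow rules."""
    if group_type != "Workload":
        return False
    if status == "Observe (Block)":
        return kind == "Block"
    if status in ("Enforced", "Encrypted"):
        return kind == "Allow"
    return False  # Observed: nothing is enforced, violations are only tracked

def disposition(flow, rules, status, dirs=("Inbound", "Outbound"), group_type="Workload"):
    """Fate of one flow: 'allowed', 'blocked', or 'unauthorized' (tracked, not blocked)."""
    hit = [r for r in rules if (r.proto, r.port, r.direction) == (flow.proto, flow.port, flow.direction)]
    allowed = any(r.kind == "Allow" for r in hit)
    if any(r.kind == "Block" for r in hit) and rule_active(status, "Block", group_type):
        return "blocked"
    if rule_active(status, "Allow", group_type) and flow.direction in dirs:
        return "allowed" if allowed else "blocked"   # default deny in the enforced direction(s)
    return "allowed" if allowed else "unauthorized"

def enforcement_impact(flows, rules, dirs=("Inbound", "Outbound")):
    """Tally of how observed flows would fare once the group is Enforced in `dirs`."""
    return Counter(disposition(f, rules, "Enforced", dirs) for f in flows)

# Constructed sample: the group's policies and a week of observed flows.
RULES = [Rule("Allow", "tcp", 443, "Inbound"), Rule("Allow", "tcp", 5432, "Outbound"),
         Rule("Block", "tcp", 23, "Inbound")]
OBSERVED = [Flow("tcp", 443, "Inbound")] * 3 + [Flow("tcp", 22, "Inbound"), Flow("tcp", 23, "Inbound"),
            Flow("tcp", 5432, "Outbound"), Flow("udp", 53, "Outbound")]

if __name__ == "__main__":
    for status in ("Observed", "Observe (Block)", "Enforced"):
        print(status, dict(Counter(disposition(f, RULES, status) for f in OBSERVED)))
    print("Inbound-only enforcement:", dict(enforcement_impact(OBSERVED, RULES, ("Inbound",))))
```

Every flow the Observed mode reports as unauthorized becomes blocked once the group is Enforced in that direction, which is the set to review (or author Allow policies for) before changing the status.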