Policy Generator Configuration
Constraints and Restrictions
• The maximum time range is 90 days. Historical traffic beyond 90 days cannot be used for policy generation.
• If the access count threshold is set to 0, policies will be generated for all access records, which may result in an excessive number of policies.
Precautions
• For easy management, the policy name must reflect the business scenario (Example: E-commerce System - Micro-segmentation Policy V1).
• Select only business-related VMs as protected objects. To reduce redundant policies, do not select unrelated VMs as protected objects.
• To ensure the accuracy of generated policies, it is recommended to review historical traffic before policy generation.
Steps
Step 1. Log in to SCP and go to Networking > Network Insight > Recommended Policy Set.
Step 2. Click Policy Generator to configure the policy name (Example: Financial System - Micro-segmentation Policy).
Step 3. Select the protected objects (VMs or VM groups).
Step 4. Select the time range (Example: Last 30 days).
Step 5. Set the access count threshold (greater than 0).
Step 6. Select the traffic direction (inbound, outbound, or both).
Step 7. Select the rule generation method (based on VMs or services with access traffic).
Step 8. Click Generate Now. The system starts generating the micro-segmentation policy.
Field Description and Operation Suggestion
| Field | Description | Operation Suggestion |
|---|---|---|
| Policy Name | Specify a custom name for the policy. | Format: Business System - Policy Type - Version. Example: CRM System - Micro-segmentation Policy - V2 |
| Protected Object | Select the VM or VM group for which the micro-segmentation policy is generated. | Select a critical VM or a VM that requires segmentation (such as a VM that hosts a database cluster or payment system). |
| Time Range | Select the time range from which historical traffic is obtained for policy generation. | It is recommended to select the last 30 days, so that the policy reflects recent access patterns. |
| Access Count (Greater Than) | Specify the minimum access count for generating a policy. | Set this field to 5-10 for services with high-frequency access or 1-3 for services with low-frequency access. |
| Traffic Direction | Select inbound, outbound, or bidirectional traffic. | Select bidirectional traffic for internal service communication and inbound traffic for externally exposed services. |
| Rule Generation | Select the logic for generating rules, based on protected objects, peers, and allowed services. | By default, rules are generated based on VMs and services with access traffic to meet actual business requirements. |
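The settings above, worked through as an added Python example (this is an illustration written for this page, not SCP's own generator code): it takes constructed flow records, applies the time range, the "greater than" access count threshold, the traffic direction and the rule generation method, and returns the allow rules that would result. The Flow and Rule types, the field names, the reading of "based on VMs or services" as keying rules on the peer VM versus collapsing peers per service, and all sample traffic are assumptions made for the example.

```python
"""Added illustration of the policy generator's inputs, not SCP's own code.

It models how the settings above (protected objects, time range, access
count threshold, traffic direction, rule generation method) turn historical
flow records into allow rules. The Flow and Rule types, the flow field names
and all sample traffic are assumptions constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_RANGE_DAYS = 90          # historical traffic beyond 90 days cannot be used
DIRECTIONS = {"inbound", "outbound", "both"}


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src_vm: str
    dst_vm: str
    service: str             # e.g. "tcp/3306" (constructed label)


@dataclass(frozen=True, order=True)
class Rule:
    protected: str           # the protected object the rule belongs to
    peer: str                # peer VM, or "*" when grouped by service only
    service: str
    direction: str           # "inbound"/"outbound" relative to the protected VM


def generate_rules(flows, protected, *, now, days, threshold,
                   direction="both", by="vm"):
    """Count accesses per (protected, peer, service, direction) inside the
    time range and keep those seen more than `threshold` times.

    by="vm" keys rules on the peer VM and service; by="service" collapses the
    peer to "*" so one rule covers every VM using that service (assumed
    reading of "based on VMs or services with access traffic").
    """
    if not 1 <= days <= MAX_RANGE_DAYS:
        raise ValueError(f"time range must be 1..{MAX_RANGE_DAYS} days")
    if threshold < 0:
        raise ValueError("access count threshold must be >= 0")
    if direction not in DIRECTIONS or by not in {"vm", "service"}:
        raise ValueError("unknown direction or rule generation method")

    start = now - timedelta(days=days)
    counts = Counter()
    for f in flows:
        if not start <= f.ts <= now:
            continue                            # outside the selected window
        if f.dst_vm in protected and direction != "outbound":
            peer = f.src_vm if by == "vm" else "*"
            counts[Rule(f.dst_vm, peer, f.service, "inbound")] += 1
        if f.src_vm in protected and direction != "inbound":
            peer = f.dst_vm if by == "vm" else "*"
            counts[Rule(f.src_vm, peer, f.service, "outbound")] += 1
    # "Access Count (Greater Than)": a threshold of 0 keeps every access record
    return sorted(r for r, n in counts.items() if n > threshold)


def sample_flows(now):
    """Constructed flow records for the example (not real traffic)."""
    flows = []
    # app-01 talks to the protected database six times in the last 30 days
    for d in range(1, 7):
        flows.append(Flow(now - timedelta(days=d), "app-01", "db-01", "tcp/3306"))
    # app-02 reaches the database only twice
    for d in (3, 9):
        flows.append(Flow(now - timedelta(days=d), "app-02", "db-01", "tcp/3306"))
    # one administrative SSH session from the bastion host
    flows.append(Flow(now - timedelta(days=12), "bastion-01", "db-01", "tcp/22"))
    # the database pushes backups out three times
    for d in (2, 8, 15):
        flows.append(Flow(now - timedelta(days=d), "db-01", "backup-01", "tcp/873"))
    # a flow older than 30 days but still inside the 90-day cap
    flows.append(Flow(now - timedelta(days=60), "scan-01", "db-01", "tcp/3306"))
    # traffic that does not touch the protected object is ignored
    flows.append(Flow(now - timedelta(days=4), "app-01", "web-01", "tcp/443"))
    return flows


if __name__ == "__main__":
    now = datetime(2024, 6, 30)          # constructed reference time
    flows = sample_flows(now)
    for threshold in (0, 5):
        rules = generate_rules(flows, {"db-01"}, now=now, days=30,
                               threshold=threshold)
        print(f"access count > {threshold}: {len(rules)} rule(s)")
        for r in rules:
            print("  ", r)
```

Running it with threshold 0 shows the effect described under Constraints and Restrictions: every observed peer and service, including the single bastion SSH session, becomes its own rule, while threshold 5 keeps only the app-01 database access. Switching to by="service" merges app-01 and app-02 into one tcp/3306 rule whose combined count clears the threshold.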
Policy Pre-release and Check
Constraints and Restrictions
• To prevent business impacts caused by incorrect policies, policies must be pre-released for manual confirmation before being formally released to the distributed firewall.
• The policies for access across groups and access within a group must not overlap. Otherwise, policy conflicts will occur.
Precautions
• When you check policies, pay close attention to denied objects and allow rules to ensure that the policies meet business requirements.
• Before pre-releasing a policy, confirm its rationality with the business team to prevent legitimate traffic from being blocked.
• If a policy does not meet expectations, you can adjust the parameters to regenerate a policy without manually deleting the original one.
Steps
Step 1. After a policy is generated, go to the results page and select Access Across Groups or Access Within Group to check the policy scope.
Step 2. Select Display historical traffic to view the historical access traffic corresponding to the policy.
Step 3. Confirm the settings and click Pre-Release to pre-release the policy to the distributed firewall for activation.
Field Description and Operation Suggestion
| Field | Description | Operation Suggestion |
|---|---|---|
| Scope (Access Across Groups or Access Within Group) | Select the network boundary to which the policy applies, covering access across groups or within a group. | Select Access Across Groups for access across business groups, or Access Within Group for fine-grained access isolation within a group. |
| Display historical traffic | Select whether to display the actual access records corresponding to the policy. | Select this option to check whether the policy is generated based on actual business traffic. |
| Pre-Release | Pre-release the policy to the distributed firewall. | After the policy is pre-released, confirm its status on the firewall side. |
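The pre-release check described in this section, as an added Python example (written for this page, not SCP's own code): it treats a generated policy as two rule sets, Access Across Groups and Access Within Group, flags rules that sit in the wrong scope or that appear in both sets (the overlap the constraints warn about), and reproduces what a reviewer looks for with Display historical traffic enabled by listing rules with no access record behind them. The VM-to-group map, the rule and flow tuple layouts and the sample policy are all constructed assumptions.

```python
"""Added illustration of the pre-release checks described above, not SCP's
own code. It treats a generated policy as two rule sets (Access Across
Groups and Access Within Group), flags rules that sit in the wrong scope or
appear in both sets, and reproduces the 'Display historical traffic' check
by listing rules with no supporting access record. The group map, the rule
and flow tuple layouts and the sample data are all constructed assumptions.
"""

# Constructed VM -> business group membership for the example.
GROUPS = {"web-01": "web", "app-01": "app", "app-02": "app",
          "db-01": "db", "db-02": "db"}

# A rule is (protected_vm, peer_vm, service, direction);
# a flow record is (src_vm, dst_vm, service).


def misplaced_rules(scope, rules, groups):
    """Rules whose endpoints do not match the selected scope: a within-group
    rule spanning two groups, or an across-groups rule inside one group.
    VMs missing from the group map are treated as belonging to no group."""
    bad = []
    for rule in rules:
        protected, peer, _service, _direction = rule
        same_group = (groups.get(protected) is not None
                      and groups.get(protected) == groups.get(peer))
        if (scope == "within") != same_group:
            bad.append(rule)
    return bad


def overlapping_rules(across, within):
    """Rules present in both sets; the page warns these cause policy conflicts."""
    return sorted(set(across) & set(within))


def unsupported_rules(rules, flows):
    """Rules with no historical access record behind them (what a reviewer
    would notice with 'Display historical traffic' enabled)."""
    seen = set()
    for src, dst, service in flows:
        seen.add((dst, src, service, "inbound"))    # dst is the protected VM
        seen.add((src, dst, service, "outbound"))   # src is the protected VM
    return [r for r in rules if r not in seen]


def precheck(across, within, groups, flows):
    """Run every check; 'ready' is True only when all findings are empty."""
    report = {
        "misplaced_across": misplaced_rules("across", across, groups),
        "misplaced_within": misplaced_rules("within", within, groups),
        "overlaps": overlapping_rules(across, within),
        "unsupported": unsupported_rules(across + within, flows),
    }
    report["ready"] = not any(report.values())
    return report


# Constructed sample: a generated policy with deliberate problems.
ACROSS = [
    ("db-01", "app-01", "tcp/3306", "inbound"),      # fine: app group -> db group
    ("db-01", "db-02", "tcp/5432", "inbound"),       # wrong scope: both in "db"
    ("db-01", "bastion-01", "tcp/22", "inbound"),    # no traffic supports it
]
WITHIN = [
    ("db-01", "db-02", "tcp/5432", "inbound"),       # fine, but duplicated above
    ("db-01", "app-01", "tcp/3306", "inbound"),      # wrong scope and duplicated
]
FLOWS = [("app-01", "db-01", "tcp/3306"), ("db-02", "db-01", "tcp/5432")]

if __name__ == "__main__":
    for name, finding in precheck(ACROSS, WITHIN, GROUPS, FLOWS).items():
        print(f"{name}: {finding}")
```

A policy is only worth pre-releasing when the report comes back with `ready` set; any misplaced, overlapping or unsupported rule is a reason to adjust the generator parameters and regenerate, as the precautions above suggest, rather than to hand-edit the result.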