Work with Policies

ACE automatically gathers policies information related to the security controls in your cloud accounts, subscriptions, and projects. This topic describes how you can review and manage your policies to ensure network security.

Policy details

You can review detailed information on policies detected in your cloud accounts. For more information on policies details based on the security control:

Click the arrow to the left of each policy to expand the policy set and see additional details.

The policy set location path lists the collection of elements configured in the policy.

Next to the policy set name, ACE displays the number of security controls associated with the policy set. Click the security control link to display the name of the security control or the list of multiple security controls. For example:

You can update the properties for each policy set to change the Name, Description, or Security controls, as required.

Note: If you want to add or edit policy rules, drill down into the policy set itself.

If your policy set is currently in Edit mode, you will not be able to modify the policy set properties as described in this section. Commit or discard your changes to exit edit in order to make these modifications.

For more details, see Edit network policy rules.

Do the following:

  1. Click the icon next to the policy set name.

    The Network Policy Set Properties dialog appears.

  2. In the Network Policy Set Properties dialog, update any of the following:

    Name The policy set name.
    Description

    The description for the policy set. This description is shown in the policy set when you hover over the Description icon.
    Security Controls

    This field lists the policy set members.

    • Click X to remove a single member from the merged set.
    • To unmerge the merged policy set and return each policy to its own individual set, click Clear all controls. In the message that appears, click Yes to confirm.

    Tip: To create a new merged policy set, merge the relevant sets together. For details, see Merge policies .

Inbound and Outbound rules are displayed on separate tabs in each expanded policy set. For more details, see Field Reference per Rule Type.

The total number of risk triggers detected at each severity level appear to the right of the policy set name inside squares color-coded by severity level. These totals include risks on both the outbound and inbound tabs.

Click on the risk severity squares to see details of all the risk triggers detected in the policy. For more details, see Work with Policies.

Note: Merged policy sets and policy sets in Edit Mode do not display the total number of risk triggers detected.

You can hover over Risks on policy indicators to see a tool-tip reminder of what their color represents. For example, the color ORANGE represents "High-level risks".

Click on the Risks on policy indicator to see details about rule risks and affected assets. See View rule risks & affected assets.

Note:

  • Severity squares are not displayed in merged policies or when a policy set is in Edit mode. In these cases the Risks column is greyed out (not active).

  • Activating the COMMIT button after making changes (i.e. being in edit mode), displays the risk severity squares again; however, for both displayed risk severity and total risk severity summary, changes made in the risks associated with a policy will not be seen until the next data collection/analysis cycle has occurred. (Since this cycle occurs every hour, the maximum wait time for update should be ~1 hour.)

Note: Risks are not calculated for rules with Action Go to Next.

The Last used column displays one of the following:

Date / Message Description
(Date)

The date that the rule was last used if the rule had at least one hit during the configured inactivity period.

Flow logs disabled

Flow logs are not enabled and as a result logs reporting about the rule usage is not arriving to ACE. See Enable AWS VPC flow logging.
New / modified rule

This message appears when the rule meets both of the following conditions:

  • Traffic did not hit the rule since it was created or modified

  • The inactivity period has not yet passed

    Example: Traffic did not hit the rule since it was modified 20 days ago and the inactivity period is set for 30 days (i.e., ACE does not consider it an unused rule).

No traffic logged

This message appears when the rule meets both of the following conditions:

  • Traffic did not hit the rule since it was created or modified

  • The inactivity period has passed

Example: Traffic did not hit the rule since it was modified 40 days ago and the inactivity period is set for 30 days (i.e., ACE considers it an unused rule).

Tip: Delete unused rules to keep your policy clean and avoid risk. For details, see Clean Up Policies.
Log collection failure Contact AlgoSec support for assistance.

Note: For more details about unused rules, see About ACE unused rules.

Click the Edit button to enter edit mode. The policy set remains in edit mode until clicking Commit or Discard Changes. While in edit mode:

  • The Editing label is displayed at the top of the policy set display

  • The risks column is inactive and risk severity circles are not displayed

  • Available action buttons:

    • Commit

    • + Add Rule

    • Discard Changes

See below Edit network policy rules.

A list of the AWS Native Firewalls protecting the selected entity in the tree appears above the list of policies.

  • Hover over the to the right of the name of the firewall to see a tooltip showing the VPC the firewall is installed on, and the networking information including the availability zones and attached subnets.

  • Click on the firewall name to navigate to a page with the relevant VPC and view the protected policies.

Click the arrow to the left of each policy to expand the policy set and see additional details.

The policy set location path lists the collection of elements configured in the policy.

The list of firewalls using this policy.

  • Blue Link: The firewall name appears as a clickable blue link when it is active and onboarded, and you are not currently on its details page. Click the link to access more information.

  • Black (No Link): The firewall name displays in black without a link in the following situations:

    • You are viewing the firewall's details page.

    • The firewall is defined under the subscription but does not protect any VNet or VHub.

    • The subscription on which the firewall is configured is not onboarded to ACE.

      Note: Hover over the firewall name to see a tooltip with the name of the subscription where this firewall is located.

Hover over the to the right of the name of the firewall to see a tooltip showing the VPC the firewall is installed on, and the networking information including the availability zones and attached subnets.

Stateless and Stateful rules are displayed on separate tabs in each expanded policy set with their relevant details.

Click the arrow to the left of each policy to expand the policy set and see additional details.

The policy set location path lists the collection of elements configured in the policy.

Next to the policy set name, ACE displays the number of security controls associated with the policy set. Click the security control link to display the name of the security control or the list of multiple security controls. For example:

You can update the properties for each policy set to change the Name, Description, or Security controls, as required.

Note: If you want to add or edit policy rules, drill down into the policy set itself.

If your policy set is currently in Edit mode, you will not be able to modify the policy set properties as described in this section. Commit or discard your changes to exit edit in order to make these modifications.

For more details, see Edit network policy rules.

Do the following:

  1. Click the icon next to the policy set name.

    The Network Policy Set Properties dialog appears.

  2. In the Network Policy Set Properties dialog, update any of the following:

    Name The policy set name.
    Description

    The description for the policy set. This description is shown in the policy set when you hover over the Description icon.
    Security Controls

    This field lists the policy set members.

    • Click X to remove a single member from the merged set.
    • To unmerge the merged policy set and return each policy to its own individual set, click Clear all controls. In the message that appears, click Yes to confirm.

    Tip: To create a new merged policy set, merge the relevant sets together. For details, see Merge policies .

Inbound and Outbound rules are displayed on separate tabs in each expanded policy set. For more details, see Field Reference per Rule Type.

The total number of risk triggers detected at each severity level appear to the right of the policy set name inside squares color-coded by severity level. These totals include risks on both the outbound and inbound tabs.

Click on the risk severity squares to see details of all the risk triggers detected in the policy. For more details, see Work with Policies.

Note: Merged policy sets and policy sets in Edit Mode do not display the total number of risk triggers detected.

You can hover over Risks on policy indicators to see a tool-tip reminder of what their color represents. For example, the color ORANGE represents "High-level risks".

Click on the Risks on policy indicator to see details about rule risks and affected assets. See View rule risks & affected assets.

Note:

  • Severity squares are not displayed in merged policies or when a policy set is in Edit mode. In these cases the Risks column is greyed out (not active).

  • Activating the COMMIT button after making changes (i.e. being in edit mode), displays the risk severity squares again; however, for both displayed risk severity and total risk severity summary, changes made in the risks associated with a policy will not be seen until the next data collection/analysis cycle has occurred. (Since this cycle occurs every hour, the maximum wait time for update should be ~1 hour.)

Note: Risks are not calculated for rules with Action Go to Next.

The Last used column displays one of the following:

Date / Message Description
(Date)

The date that the rule was last used if the rule had at least one hit during the configured inactivity period.

Flow logs disabled

Resource logs are not enabled and as a result logs reporting about the rule usage is not arriving to ACE. See Enable Azure resource logs for traffic analysis.
New / modified rule

This message appears when the rule meets both of the following conditions:

  • Traffic did not hit the rule since it was created or modified

  • The inactivity period has not yet passed

    Example: Traffic did not hit the rule since it was modified 20 days ago and the inactivity period is set for 30 days (i.e., ACE does not consider it an unused rule).

No traffic logged

This message appears when the rule meets both of the following conditions:

  • Traffic did not hit the rule since it was created or modified

  • The inactivity period has passed

Example: Traffic did not hit the rule since it was modified 40 days ago and the inactivity period is set for 30 days (i.e., ACE considers it an unused rule).

Tip: Delete unused rules to keep your policy clean and avoid risk. For details, see Clean Up Policies.
Log collection failure Contact AlgoSec support for assistance.

Note: For more details about unused rules, see About ACE unused rules.

See Work with Policies.

Click the Edit button to enter edit mode. The policy set remains in edit mode until clicking Commit or Discard Changes. While in edit mode:

  • The Editing label is displayed at the top of the policy set display

  • The risks column is inactive and risk severity circles are not displayed

  • Available action buttons:

    • Commit

    • + Add Rule

    • Discard Changes

See below Edit network policy rules.

A list of the Azure Native Firewalls protecting the selected entity in the tree appears above the list of policies. Click on the firewall name to be redirected to the VNet that the firewall is installed on and review the VNet protection.

Note: If the Azure Native Firewall selected in the Network Policies tree has no policies assigned to it then this row of information does not appear.

Click the arrow to the left of each policy to expand the policy set and see additional details.

The policy set location path lists the collection of elements configured in the policy.

The list of firewalls using this policy.

  • Blue Link: The firewall name appears as a clickable blue link when it is active and onboarded, and you are not currently on its details page. Click the link to access more information.

  • Black (No Link): The firewall name displays in black without a link in the following situations:

    • You are viewing the firewall's details page.

    • The firewall is defined under the subscription but does not protect any VNet or VHub.

    • The subscription on which the firewall is configured is not onboarded to ACE.

      Note: Hover over the firewall name to see a tooltip with the name of the subscription where this firewall is located.

You can update the properties for each policy set to change the Name, Description, or Security controls, as required.

Do the following:

  1. Click the icon next to the policy set name.

    The Network Policy Set Properties dialog appears.

  2. In the Network Policy Set Properties dialog, update any of the following:

    Name The policy set name.
    Description

    The description for the policy set. This description is shown in the policy set when you hover over the Description icon.
    Security Controls

    This field lists the policy set members.

    • Click X to remove a single member from the merged set.
    • To unmerge the merged policy set and return each policy to its own individual set, click Clear all controls. In the message that appears, click Yes to confirm.

    Tip: To create a new merged policy set, merge the relevant sets together. For details, see Merge policies .

Child policies inherit the rules of the parent policies. For child policies, click the link of the parent policy to see the parent policy rules.

Network, Application, and DNAT rules are displayed on separate tabs in each expanded policy set. For more details, see Field Reference per Rule Type.

The total number of risk triggers detected at each severity level appear to the right of the policy set name inside squares color-coded by severity level. These totals include risks on both the outbound and inbound tabs.

Click on the risk severity squares to see details of all the risk triggers detected in the policy. For more details, see Work with Policies.

You can hover over Risks on policy indicators to see a tool-tip reminder of what their color represents. For example, the color ORANGE represents "High-level risks".

Click on the Risks on policy indicator to see details about rule risks and affected assets. See View rule risks & affected assets.

Note: Risks are not calculated for rules with Action Go to Next.

The Last used column displays one of the following:

Date / Message Description
(Date)

The date that the rule was last used if the rule had at least one hit during the configured inactivity period.

Note: Required logs for calculating Last Used information include Network, Application, and DNAT. If log collection is partially enabled, the Last Used information will be based only on data from those logs that are enabled.

Flow logs disabled

Flow logs are not enabled and as a result logs reporting about the rule usage is not arriving to ACE. See Enable Azure resource logs for traffic analysis.
New / modified rule

This message appears when the rule meets both of the following conditions:

  • Traffic did not hit the rule since it was created or modified

  • The inactivity period has not yet passed

    Example: Traffic did not hit the rule since it was modified 20 days ago and the inactivity period is set for 30 days (i.e., ACE does not consider it an unused rule).

No traffic logged

This message appears when the rule meets both of the following conditions:

  • Traffic did not hit the rule since it was created or modified

  • The inactivity period has passed

Example: Traffic did not hit the rule since it was modified 40 days ago and the inactivity period is set for 30 days (i.e., ACE considers it an unused rule).

Tip: Delete unused rules to keep your policy clean and avoid risk. For details, see Clean Up Policies.
Log collection failure Contact AlgoSec support for assistance.

Note: For more details about unused rules, see About ACE unused rules.

Click the arrow to the left of each policy to expand the policy set and see additional details.

The policy set location path lists the collection of elements configured in the policy.

Next to the policy set name, ACE displays the number of security controls associated with the policy set. Click the security control link to display the name of the security control or the list of multiple security controls. For example:

You can update the properties for each policy set to change the Name, Description, or Security controls, as required.

Note: If you want to add or edit policy rules, drill down into the policy set itself.

If your policy set is currently in Edit mode, you will not be able to modify the policy set properties as described in this section. Commit or discard your changes to exit edit in order to make these modifications.

For more details, see Edit network policy rules.

Do the following:

  1. Click the icon next to the policy set name.

    The Network Policy Set Properties dialog appears.

  2. In the Network Policy Set Properties dialog, update any of the following:

    Name The policy set name.
    Description

    The description for the policy set. This description is shown in the policy set when you hover over the Description icon.
    Security Controls

    This field lists the policy set members.

    • Click X to remove a single member from the merged set.
    • To unmerge the merged policy set and return each policy to its own individual set, click Clear all controls. In the message that appears, click Yes to confirm.

    Tip: To create a new merged policy set, merge the relevant sets together. For details, see Merge policies .

Network and Application rules are displayed on separate tabs in each expanded policy set. For more details, see Field Reference per Rule Type.

Click the Edit button to enter edit mode. The policy set remains in edit mode until clicking Commit or Discard Changes. While in edit mode:

  • The Editing label is displayed at the top of the policy set display

  • The risks column is inactive and risk severity circles are not displayed

  • Available action buttons:

    • Commit

    • + Add Rule

    • + Add Collection

    • Discard Changes

See below Edit network policy rules.

Click the arrow to the left of each policy to expand the policy set and see additional details.

The policy set location path lists the collection of elements configured in the policy.

Inbound and Outbound rules are displayed on separate tabs in each expanded policy set. For more details, see Field Reference per Rule Type.

When activated (default), hierarchical rules used by the Google Cloud VPC firewall are displayed above the firewall rules in the Firewall Policies tab and appear in the list of policy sets.

When disabled, only the firewall rules are shown in the Firewall Policies tab.

The total number of risk triggers detected at each severity level appear to the right of the policy set name inside squares color-coded by severity level. These totals include risks on both the outbound and inbound tabs.

Click on the risk severity squares to see details of all the risk triggers detected in the policy. For more details, see Work with Policies.

The policy which the rule is part of.

Note:ACE displays the policies in the order that traffic encounters the rules.

You can hover over Risks on policy indicators to see a tool-tip reminder of what their color represents. For example, the color ORANGE represents "High-level risks".

Click on the Risks on policy indicator to see details about rule risks and affected assets. See View rule risks & affected assets.

Note:

  • Severity squares are not displayed in merged policies or when a policy set is in Edit mode. In these cases the Risks column is greyed out (not active).

  • Activating the COMMIT button after making changes (i.e. being in edit mode), displays the risk severity squares again; however, for both displayed risk severity and total risk severity summary, changes made in the risks associated with a policy will not be seen until the next data collection/analysis cycle has occurred. (Since this cycle occurs every hour, the maximum wait time for update should be ~1 hour.)

Note: Risks are not calculated for rules with Action Go to Next.

The Last used column displays one of the following:

Date / Message Description
(Date)

The date that the rule was last used if the rule had at least one hit during the configured inactivity period.

Note:

  • The Date refers to TCP and UDP traffic hits only. If additional protocols are in the rule, appears in the Last Used column to indicate the usage information refers only to TCP and UDP protocols / ports.

  • If data collection failed on one or more projects that use this rule, an alert icon appears in the column to indicate that this information may not be accurate.

  • Hierarchical Rules: If a rule is used in multiple onboarded projects, the Date refers to the last time the rule was used in any of the onboarded projects (this includes projects which the user doesn't have permissions to).

Logs disabled

Logs are not enabled and as a result logs reporting about the rule usage is not arriving to ACE. See Enable Google Cloud logs.
New / modified rule

This message appears when the rule meets both of the following conditions:

  • Traffic did not hit the rule since it was created or modified

  • The inactivity period has not yet passed

    Example: Traffic did not hit the rule since it was modified 20 days ago and the inactivity period is set for 30 days (i.e., ACE does not consider it an unused rule).

No traffic logged

This message appears when the rule meets both of the following conditions:

  • Traffic did not hit the rule since it was created or modified

  • The inactivity period has passed

Example: Traffic did not hit the rule since it was modified 40 days ago and the inactivity period is set for 30 days (i.e., ACE considers it an unused rule).

Tip: Delete unused rules to keep your policy clean and avoid risk. For details, see Clean Up Policies.

*Note

  • The message No traffic logged refers to TCP and UDP traffic hits only. If additional protocols are in the rule, appears in the Last Used column to indicate the usage information refers only to TCP and UDP protocols / ports.

  • Hierarchical Rules: If a rule is used in multiple onboarded projects, the message No traffic logged refers to the last time the rule was used in any of the onboarded projects (this includes projects which the user doesn't have permissions to).

N/A

 When a rule uses a protocol other than TCP or UDP, ACE does not receive information about the rule and will display N/A.
Log collection failure Contact AlgoSec support for assistance.

Note: For more details about unused rules, see About ACE unused rules.

Click the arrow to the left of each policy to expand the policy set and see additional details.

The policy set location path lists the collection of elements configured in the policy.

The path to the folder where the policy is defined in Google Cloud.

Inbound and Outbound rules are displayed on separate tabs in each expanded policy set. For more details, see Field Reference per Rule Type.

The total number of risk triggers detected at each severity level appear to the right of the policy set name inside squares color-coded by severity level. These totals include risks on both the outbound and inbound tabs.

Click on the risk severity squares to see details of all the risk triggers detected in the policy. For more details, see Work with Policies.

Target networks are the Google Cloud networks using rules from a hierachical policy. Each target network is listed as a combination of its project name and VPC.

  • If there are multiple networks using a hierachical policy, a number indicates how many additional networks there are. Click on the number to see a list of the additional target networks.

  • Target networks in projects that are onboarded to AlgoSec appear in blue. You can click on them to open the VPC and view the relevant network policy. (Target networks in projects that are not onboarded to AlgoSec will not have a link.)

  • When a rule is applied on all projects that inherit a particular policy, the "Target networks" column for that rule displays "All networks".

    • Hover over the information icon to see a list of all projects onboarded to ACE that are using this rule.

    • Click on a project name to open the project with its first policy expanded and the selected rule highlighted.

The Last used column displays one of the following:

Date / Message Description
(Date)

The date that the rule was last used if the rule had at least one hit during the configured inactivity period.

Note:

  • The Date refers to TCP and UDP traffic hits only. If additional protocols are in the rule, appears in the Last Used column to indicate the usage information refers only to TCP and UDP protocols / ports.

  • If data collection failed on one or more projects that use this rule, an alert icon appears in the column to indicate that this information may not be accurate.

  • Hierarchical Rules: If a rule is used in multiple onboarded projects, the Date refers to the last time the rule was used in any of the onboarded projects (this includes projects which the user doesn't have permissions to).

Logs disabled

Logs are not enabled and as a result logs reporting about the rule usage is not arriving to ACE. See Enable Google Cloud logs.
New / modified rule

This message appears when the rule meets both of the following conditions:

  • Traffic did not hit the rule since it was created or modified

  • The inactivity period has not yet passed

    Example: Traffic did not hit the rule since it was modified 20 days ago and the inactivity period is set for 30 days (i.e., ACE does not consider it an unused rule).

No traffic logged

This message appears when the rule meets both of the following conditions:

  • Traffic did not hit the rule since it was created or modified

  • The inactivity period has passed

Example: Traffic did not hit the rule since it was modified 40 days ago and the inactivity period is set for 30 days (i.e., ACE considers it an unused rule).

Tip: Delete unused rules to keep your policy clean and avoid risk. For details, see Clean Up Policies.

*Note

  • The message No traffic logged refers to TCP and UDP traffic hits only. If additional protocols are in the rule, appears in the Last Used column to indicate the usage information refers only to TCP and UDP protocols / ports.

  • Hierarchical Rules: If a rule is used in multiple onboarded projects, the message No traffic logged refers to the last time the rule was used in any of the onboarded projects (this includes projects which the user doesn't have permissions to).

N/A

 When a rule uses a protocol other than TCP or UDP, ACE does not receive information about the rule and will display N/A.
Log collection failure Contact AlgoSec support for assistance.

Note: For more details about unused rules, see About ACE unused rules.

You can hover over Risks on policy indicators to see a tool-tip reminder of what their color represents. For example, the color ORANGE represents "High-level risks".

Click on the Risks on policy indicator to see details about rule risks and affected assets. See View rule risks & affected assets.

Note: Risks are not calculated for rules with Action Go to Next.

Merge policies

For AWS SG, Azure NSG, and Azure Firewall (classic)

Since each detected network policy is assigned its own individual policies by default, you may want to merge similar policies together to view and manage them together.

Note:

  1. Merging policies is only supported within the same policy type. ACE does not support merging policies across AWS SG, Azure NSG, and Azure Firewall (classic).

  2. For merged policies, risk severity circles are not displayed and the Risks column is greyed out (not active).

Do the following:

  1. View the policies you want to merge, using the search box to search for similar items. For details, see Search Policies.

  2. Expand each policies to inspect its details and confirm that you want to merge them.

  3. Select the check boxes next to each policies you want to merge, and then click Merge.

    Tip: If you have many policies to select, use the Select all or Unselect all links above the grid as needed.

  4. In the Merge Policy dialog box that appears, enter a Name for your new policies , and an optional Description.

    Click Merge to merge the selected policies into a single set.

    The policies grid is updated with your new set. For example:

Tip: To unmerge your merged policies and return each policy to its own individual set, see Work with Policies.

Rules that are installed on multiple security controls in merged policies each have their own downward arrows. Click on these to view details about each target.

When rule displays are expanded by clicking on the downward arrow, the Installed on column indicates the names of each security control on which the rule is installed.

The columns you see may differ, depending on the type of security control or asset you are working with. For more details, see Field Reference per Rule Type.

For example:

Edit network policy rules

For Azure NSG, Azure Firewall (classic), and AWS SG

Edit each of your network policies by adding, deleting, and modifying rules and rule collections in the network policies .

  • Any changes made in a specific rule affect all security controls where the rule is installed.

  • Only one user can edit each policies at a given time. policies s are locked while editing and are opened in read-only mode by default.

    When you're done, click Commit or Discard changes to unlock the policies for others.

For Azure Firewall (classic) only: Once a rule collection is created, its priority, name, and action are all read only. The rules inside a rule collection, however, can be edited.

Note: If you want to make higher-level changes, such as the policies name, description, or member controls, view the policies from its parent level. For more details, see Work with Policies and Network Policies page.

Do the following:

  1. Browse to and expand a specific network policies . For details, see Network Policies page.

    Rules are displayed in a boxed grid that lists the source, destination, and protocol details for each rule, as well as the security controls each rule is installed on.

    If you are in read-only mode, a large Edit button is shown at the top right of the policies box. Click the Edit button to make changes to the expanded policy.

    Note: For Azure Firewall (classic), the rules are grouped by rule collection. Expand the collection to drill down to rule details.

  2. Do any of the following:

    3. Azure Firewall (classic) organizes its rules by rule collections. For more details, see Field Reference per Rule Type.

    Do the following:

    1. At the top of the boxed grid, click + Add Collection.

    2. Enter a unique name and numeric priority, and then define an action for the new collection: either Allow or Deny.

      For example:

    3. Click Done to add your new collection.

    Within your new collection, click + AddRule to create a new rule with the selected collection already defined. For more details, see Add a new rule.

    Note: In Azure Firewall (classic), when rules are defined within a rule collection, each rule inherits the priority and actions defined for the parent collection.

      Do the following:

      1. At the top of the boxed grid, click + Add Rule.

      2. In the New ... Rule dialog that appears, populate the fields as needed.

      3. Click Done to save your rule.

        The new rule appears within the dropdown list for the selected collection.

    To edit or delete an existing rule, do the following:

    1. For Azure Firewall (classic) only, find your collection in the policies and click the dropdown arrow at the right side of the row.

    2. Click on one of the Edit or Delete icons to the right of the target rule.
      EditAn Edit ... Rule dialog opens for the rule you selected to edit. Make your changes as needed, and click Done
      . Delete.The rule is removed from your policies .

      Tip: For AWS SG and Azure NSG with flow logs / resource logs enabled, ACE displays the date each rule was last used, if at all.

      You may want to delete unused rules to keep your policy clean. For details, see Clean Up Policies.

      The page is refreshed with your changes.

  3. Do one of the following:

    • Click Discard changes to revert back to the last saved version of the policies and unlock it for others.

    • Click Commit at the top of the screen to save your changes.

      ACE displays a list of the changes you made. Accept the changes to complete the commit.

      The commit provisions your changes on the security controls and unlocks the policy for others.

Note: Your changes are automatically saved, even if you haven't committed them, closed your browser or logged out of ACE. They will be there for you the next time you browse back to this policies . However, the policies remains locked for others until you commit or discard your changes.