Skip to content

Build a simple policy and push it live

With an engine online, the next step is a policy for it to enforce. CCX policies are composed in the console — no YAML editing required. The policy is structured into three sections matching where the engine sits in the packet path: to-firewall (management), through-firewall (the normal forwarding case), from-firewall (anything the firewall VM itself originates).

Policies list Policies — every policy in the tenant, with status and version.

  1. Sidebar → PoliciesNew policy.
  2. Name it fleet-default (or whatever you’ll bind broadly). Description optional.
  3. Default action: drop. The fail-closed posture — if no rule matches, the packet drops.
  4. Create.

2. Allow the engine to reach its dependencies

Section titled “2. Allow the engine to reach its dependencies”

Add a few rules to the from-firewall section so the engine itself can talk out — DNS, NTP, package updates. Without these the engine still runs (everything it needs to reach the Enforza cloud bypasses policy by design), but operating-system services on the VM start failing.

  1. Open the from-firewall section.
  2. Add rule:
    • Comment: dns
    • Destination: any
    • Protocol: udp / tcp
    • Port: 53
    • Action: Accept
  3. Add another for NTP (UDP 123) and another for HTTPS egress (TCP 443).

Policy editor with rule sections Policy editor — three sections, drag-to-reorder rules, first-match wins.

These are the rules that actually inspect customer traffic. Start permissive while you confirm the policy works, then tighten.

  1. Open the through-firewall section.
  2. Add rule — allow generic web egress:
    • Comment: web egress
    • Source: any (or your protected subnet’s CIDR)
    • Destination: any
    • Protocol: tcp, port 443
    • Action: Accept
  3. Add rule — block SSH from anywhere:
    • Comment: block inbound ssh
    • Source: any
    • Destination: any
    • Protocol: tcp, port 22
    • Action: Drop, with Log ticked so you can see attempts in live logs.
  4. Save.

On the policy’s Compliance tab you can attach one or more guardrail sets in advise (warn) or enforce (block-publish) mode. Skip this for the first push if you don’t have a set yet — you can add it later.

  1. From the policy editor, click Push.
  2. The publish dialog runs two preflight checks:
    • Firewall Policy Schema — validates the rendered policy against the engine’s schema.
    • Guardrails — runs your attached compliance sets. Enforce violations block here.
  3. The dialog shows your bound firewalls (none yet — that’s the next step) and the rendered policy in a collapsed accordion.
  4. Click Confirm push. The policy ring buffer keeps the last 20 versions; you can roll back any time.
  • Your structured policy was rendered to the engine’s canonical form.
  • The schema validator + guardrails ran in the cloud — engines never see invalid policy.
  • A new version row landed in the policy’s history (visible on the policy’s Versions tab).
  • Bound engines (you have none yet — that’s next) would have started fetching the new version within seconds.

Next: Bind a policy to a firewall.

Enforza is a trading name of Synvu Limited, a company registered (15761962) in the United Kingdom. Registered office address: 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.