# Policies and Service Profiles
## Introduction

Policies and service profiles define how the Nile Trust Engine enforces communication rules across users, devices, and applications. Together, they determine which endpoints can communicate, what protocols are permitted, and what enforcement action should be applied. This combination gives enterprises precise control over traffic flows while maintaining simplicity and scalability.

## Understanding Policies

A policy represents an explicit rule that dictates whether traffic between two policy groups is allowed, denied, or forwarded. Every network flow is evaluated against the active policy set, ensuring that only approved connections are established.

Each policy includes the following key components:

| Component | Description |
|---|---|
| Source | The originating policy group (user, device, or application) |
| Destination | The target policy group |
| Service Profile | Defines which protocols and ports are permitted |
| Action | Determines how the Trust Engine handles matching traffic (Allow, Deny, Forward, Forward to SSE) |
| Status | Indicates whether the policy is active or disabled |

If no matching policy exists, the Nile Trust Engine applies the default security posture of deny all.

## Creating Policies in Nile Control Center

Administrators create and manage policies through the Trust Service > Policies section of Nile Control Center.

### Step-by-Step Workflow

1. Select Create Policy.
2. Choose the source and destination policy groups.
3. Select a service profile to define the allowed protocols and ports.
4. Choose an action (Allow, Deny, Forward, Forward to SSE).
5. Review and save the configuration.

The new policy becomes part of the tenant's global policy set and applies automatically across all sites.

### Editing or Disabling Policies

Policies can be edited to update service profiles or change actions. When a policy is disabled, the associated traffic reverts to the default deny behavior until the policy is re-enabled.

## The Global Policy Set

Every Nile tenant includes a global policy set that defines how traffic is managed network-wide. It contains both system-defined and administrator-defined policies.

### Default Policies

The Trust Engine automatically includes foundational policies to support essential services:

| Source → Destination | Service Profile | Action | Purpose |
|---|---|---|---|
| Local → External | DNS Services Profile | Allow | Enables DNS resolution for onboarding and operations |
| Local → Infrastructure Services | Infrastructure Services Profile | Allow | Supports DHCP, HTTPS, and RADIUS traffic for client authentication and onboarding |
| Quarantine → Internet | N/A | Deny | Blocks internet access for devices in quarantine |
| External → Local | N/A | Deny | Prevents inbound access to internal resources |

These defaults ensure the network remains secure and operational immediately after deployment. Administrators can add new rules to this policy set to reflect organizational security and compliance needs. Future releases will support multiple policy sets for environments that require site-level customization.

## Understanding Service Profiles

A service profile defines which ports and protocols are allowed when communication between policy groups is permitted. Service profiles enforce least-privilege access by limiting each connection to only the required services.

### Default Service Profiles

- Open Service Profile: allows all protocols and ports. Useful for transitional use during network migration, but not recommended for production.
- Infrastructure Services Profile: includes DHCP (UDP 67), HTTPS (TCP 443) for IdP communication, and optional DNS. Supports onboarding and authentication workflows.
- DNS Services Profile: enables communication with local or external DNS servers over UDP/TCP 53 and TCP 853 (DNS over TLS).

Custom service profiles are available in the Enterprise tier, providing flexibility for defining traffic rules that match specific application or protocol needs.

### Creating a Custom Service Profile

1. Navigate to Trust Service > Service Profiles.
2. Select Create Profile.
3. Enter a name and description.
4. Add one or more protocol and port combinations.
5. Save the configuration.

Administrators can later attach these profiles to policies that govern specific traffic patterns.

## Actions and Enforcement Behavior

Each policy defines how matching traffic should be handled. Available actions include:

| Action | Description |
|---|---|
| Allow | Permits traffic to flow between the defined source and destination using the allowed protocols |
| Deny | Blocks matching traffic. This is the system's default behavior if no policy exists |
| Forward Upstream | Redirects traffic to an upstream firewall or SD-WAN appliance for centralized enforcement |
| Forward to SSE | Sends traffic to a Secure Service Edge for inspection and policy enforcement in the cloud (available in future releases) |

## Policy Evaluation and Logging

When traffic passes through the Nile Service Block, the Trust Engine evaluates it against active policies in real time. Each matching flow is logged in Nile Control Center, including details such as:

- Timestamp
- Source and destination policy groups
- IP and MAC addresses
- Protocol and port
- Service profile name
- Enforcement action

These logs allow administrators to audit traffic, validate policies, and troubleshoot access issues with full visibility.

## Best Practices for Policy Design

- Start with broad policies for essential services, then refine with narrower service profiles.
- Apply the principle of least privilege by allowing only required protocols and destinations.
- Centralize sensitive or regulated traffic for inspection through upstream firewalls or SSE platforms.
- Regularly review logs and policy effectiveness using Nile Control Center's monitoring tools.

## Summary

Policies and service profiles give administrators the tools to design and enforce secure, identity-based communication rules across the enterprise network. Through the Nile Trust Engine, every connection, whether user, device, or application, is continuously evaluated and logged, ensuring complete control and visibility.

Next: Getting Started with Trust Service. Learn how to prepare, configure, and activate the Trust Service for new and existing Nile deployments.
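The following is an added worked example, not Nile's code, showing how the pieces described above (policy groups, service profiles, actions, policy status, and the deny-all default) combine when a single flow is evaluated and logged. The class names, the `Flow` tuple shape and the policy-group strings are assumptions; the default profiles and the default policies are the ones in the tables above, and the "optional DNS" entry of the Infrastructure Services Profile is included here by choice.

```python
"""Toy model of policy evaluation as the page describes it: a flow between two
policy groups is matched against the active policy set, a service profile limits
the protocol/port a match may use, a disabled policy never matches, and any flow
without a match falls to the default deny-all posture.
Added illustration, not Nile's code: class names, the Flow tuple and the group
strings are assumptions; default profiles/policies follow the page's tables."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    ALLOW = "allow"
    DENY = "deny"
    FORWARD = "forward"              # forward upstream (firewall / SD-WAN)
    FORWARD_TO_SSE = "forward_to_sse"


@dataclass(frozen=True)
class ServiceProfile:
    name: str
    # (protocol, port) pairs; an empty set models the Open Service Profile,
    # which permits all protocols and ports.
    services: frozenset = frozenset()

    def permits(self, protocol: str, port: int) -> bool:
        return not self.services or (protocol, port) in self.services


@dataclass
class Policy:
    source: str
    destination: str
    profile: Optional[ServiceProfile]  # None = N/A (matches any protocol/port)
    action: Action
    enabled: bool = True


@dataclass(frozen=True)
class Flow:
    src_group: str
    dst_group: str
    protocol: str
    port: int


# Default service profiles from the page ("optional DNS" included: assumption).
OPEN = ServiceProfile("Open Service Profile")
DNS = ServiceProfile("DNS Services Profile",
                     frozenset({("udp", 53), ("tcp", 53), ("tcp", 853)}))
INFRA = ServiceProfile("Infrastructure Services Profile",
                       frozenset({("udp", 67), ("tcp", 443), ("udp", 53), ("tcp", 53)}))

# Default policies from the page's Global Policy Set table.
DEFAULT_POLICIES = [
    Policy("Local", "External", DNS, Action.ALLOW),
    Policy("Local", "Infrastructure Services", INFRA, Action.ALLOW),
    Policy("Quarantine", "Internet", None, Action.DENY),
    Policy("External", "Local", None, Action.DENY),
]


def evaluate(flow: Flow, policies: list) -> tuple:
    """Return (action, matching policy); (DENY, None) when nothing matches."""
    for policy in policies:
        if not policy.enabled:
            continue  # disabled policies never match; traffic falls to default deny
        if (policy.source, policy.destination) != (flow.src_group, flow.dst_group):
            continue
        if policy.profile is not None and not policy.profile.permits(flow.protocol, flow.port):
            continue  # group pair matches but the profile does not permit this service
        return policy.action, policy
    return Action.DENY, None


def log_record(flow: Flow, policies: list, timestamp: str,
               src_ip: str, dst_ip: str, src_mac: str) -> dict:
    """Build the per-flow log entry with the fields the page says are recorded."""
    action, policy = evaluate(flow, policies)
    return {
        "timestamp": timestamp,
        "src_group": flow.src_group, "dst_group": flow.dst_group,
        "src_ip": src_ip, "dst_ip": dst_ip, "src_mac": src_mac,
        "protocol": flow.protocol, "port": flow.port,
        "profile": policy.profile.name if policy and policy.profile else None,
        "action": action.value,
    }


if __name__ == "__main__":
    # Constructed sample values, not real addresses from any deployment.
    dns_lookup = Flow("Local", "External", "udp", 53)
    print(log_record(dns_lookup, DEFAULT_POLICIES, "2024-05-01T08:00:00Z",
                     "10.0.1.20", "1.1.1.1", "00:11:22:33:44:01"))
    smb = Flow("Local", "External", "tcp", 445)
    print(evaluate(smb, DEFAULT_POLICIES))  # (Action.DENY, None): no policy matches
```

Note that a policy whose group pair matches but whose profile does not permit the protocol/port is skipped rather than treated as a deny, so the flow keeps looking for another policy and only falls to deny-all when none matches; this is how "Local → External" with the DNS Services Profile permits DNS but leaves every other service to the default posture.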
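As an added example of the log review the best-practices list calls for (not Nile's code, and not Nile's export format), the script below audits a handful of constructed flow-log lines for two things an administrator would want to see: flows that fell to the default deny because no policy matched (policy gaps or unwanted traffic to investigate) and flows allowed only by the Open Service Profile, which the page does not recommend for production. The key=value line layout and the `policy` field are assumptions; the remaining fields are the ones the page lists as logged.

```python
"""Audit helpers for trust-engine flow logs, following the page's best practices.
Added illustration, not Nile's code or log format: the key=value layout and the
"policy" field (policy=- meaning no matching policy, i.e. default deny) are
constructed assumptions; the other fields are those the page lists as logged."""
import shlex
from collections import Counter

# Constructed sample lines in the assumed format (not real Nile output).
SAMPLE_LOG = """\
ts=2024-05-01T08:00:01Z src_group=Local dst_group=External src_ip=10.0.1.20 src_mac=00:11:22:33:44:01 dst_ip=1.1.1.1 proto=udp port=53 profile="DNS Services Profile" policy="Local to External DNS" action=allow
ts=2024-05-01T08:00:02Z src_group=Local dst_group=External src_ip=10.0.1.20 src_mac=00:11:22:33:44:01 dst_ip=203.0.113.8 proto=tcp port=445 profile=- policy=- action=deny
ts=2024-05-01T08:00:03Z src_group=Guest dst_group=Internet src_ip=10.0.9.7 src_mac=00:11:22:33:44:09 dst_ip=198.51.100.5 proto=tcp port=8080 profile="Open Service Profile" policy="Guest migration" action=allow
ts=2024-05-01T08:00:04Z src_group=Quarantine dst_group=Internet src_ip=10.0.2.5 src_mac=00:11:22:33:44:02 dst_ip=198.51.100.9 proto=tcp port=443 profile=- policy="Quarantine to Internet" action=deny
ts=2024-05-01T08:00:05Z src_group=Local dst_group=External src_ip=10.0.1.21 src_mac=00:11:22:33:44:03 dst_ip=203.0.113.8 proto=tcp port=445 profile=- policy=- action=deny
ts=2024-05-01T08:00:06Z src_group=Local dst_group="Infrastructure Services" src_ip=10.0.1.21 src_mac=00:11:22:33:44:03 dst_ip=10.0.0.2 proto=udp port=67 profile="Infrastructure Services Profile" policy="Local to Infra" action=allow
"""


def parse_log(text: str) -> list:
    """Parse key=value lines (quoted values allowed) into dicts; port becomes int."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(token.split("=", 1) for token in shlex.split(line))
        fields["port"] = int(fields["port"])
        records.append(fields)
    return records


def default_deny_summary(records: list) -> Counter:
    """Count flows with no matching policy, keyed by group pair and service.
    Repeated entries for one key point at a missing policy or persistent unwanted traffic."""
    return Counter((r["src_group"], r["dst_group"], r["proto"], r["port"])
                   for r in records if r["action"] == "deny" and r["policy"] == "-")


def open_profile_flows(records: list) -> list:
    """Flows allowed by the Open Service Profile: candidates for a narrower profile."""
    return [r for r in records
            if r["action"] == "allow" and r["profile"] == "Open Service Profile"]


def action_counts(records: list) -> Counter:
    """Overall enforcement action distribution for a quick health check."""
    return Counter(r["action"] for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("actions:", dict(action_counts(recs)))
    for key, n in default_deny_summary(recs).most_common():
        print("default deny", n, "x", key)
    for r in open_profile_flows(recs):
        print("open profile:", r["src_group"], "->", r["dst_group"], r["proto"], r["port"])
```

Explicit deny policies (such as the Quarantine → Internet default) are deliberately left out of `default_deny_summary`, since those denies are intended; only flows with no matching policy are surfaced as review items.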