Understanding CloudGuard Dome9 Clarity Views

Understanding Clarity Views

Table of Contents:

  • AWS Cloud accounts
    • Security groups view
    • Effective Policy View
  • Azure Cloud accounts
    • Effective Policy View

AWS Cloud accounts

Security groups view

The Security Groups view is an interactive, visual display of the security group configuration.

CloudGuard Dome9 will visualize the chosen VPC and display the traffic sources, permitted traffic paths, security groups, and to what degree each security group has exposure to the Internet.

For detailed information on the different zones, see Clarity Controls and symbolization.

Clicking any object displays context and additional information about it in the column on the right.

For traffic sources: For individual IPs or ranges, traffic target information is displayed.
For Dome9 IP list objects, list contents and traffic target information are displayed.


For security groups: Information displayed for any given security group includes instance assignments, rule sets (color-coded to match the Clarity legend indicating exposure to the Internet), permitted traffic sources and traffic targets.

While in Security Groups view, in addition to the context provided when clicking objects, permitted traffic flow is also displayed in the main area when a resource is selected.

Permitted traffic sources are displayed in orange and permitted traffic targets are displayed in blue.

The numbers found in the top right of each security group display how many protected assets have been assigned to each group.

If no number is displayed, that security group has no protected assets attached to it.

When Show Peered VPC is selected, a peered VPC security group that appears as a source is shown with a VPC tag marking it as a peered VPC source.

The Peered Security Group will show as an external source with a link to the security group it is allowed to access. When the Security Group of the peered VPC is highlighted, details about it will show.

If the Security Group is managed via Dome9, you can open the referenced Security Group in Dome9 Central or click Switch VPC to view the Clarity of the reverse view.

Effective Policy View

Effective Policy view shares some characteristics with Security Groups view (like traffic source visualization) but focuses on instance membership within the security groups associated with any given VPC.

Select 'Effective Policy' view in the drop-down or in the VPC view selector.

CloudGuard Dome9 will visualize 'common policy groups'. These are groupings of security groups that apply to one or more instances. That is, which security groups, in combination with others, make up the effective policy for any given instance.

In contrast to the Security Groups view, if security groups are not assigned to any instances, they will not be displayed in the Effective Policy view.

Each grouping displayed contains one or more instances as members. The security group names are listed as labels on each grouping.
When a grouping is clicked, the context pane on the right displays the following information:

  1. For traffic sources, the information is the same as in Security Groups view: for individual IPs or ranges, traffic target information is displayed. For Dome9 IP list objects, list contents and traffic target information are displayed.
  2. For individual groupings of effective policy, the following information is displayed:

    1. The number of security groups grouped together against one or more instances.
    2. The name and description of each of these groups (including links to open them in Dome9 Central).
    3. The number and names of the instances sharing this common policy.
    4. The resulting effective cumulative policy of this 'multi security group to one resource' assignment.
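
The grouping described above can be reproduced offline to sanity-check what the view shows. The following is an added example, not Dome9 code: it assumes a common policy group is keyed by the exact set of security groups attached to an instance, and all group names, instance IDs and rules are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data (not from a real account).
# Inbound rules per security group: (protocol, port, source CIDR).
SG_RULES = {
    "sg-web":    {("tcp", 443, "0.0.0.0/0")},
    "sg-admin":  {("tcp", 22, "203.0.113.0/24")},
    "sg-db":     {("tcp", 5432, "10.0.1.0/24")},
    "sg-unused": {("tcp", 3389, "0.0.0.0/0")},  # attached to no instance
}
# Security groups attached to each instance (constructed).
INSTANCE_SGS = {
    "i-web-1": {"sg-web", "sg-admin"},
    "i-web-2": {"sg-admin", "sg-web"},
    "i-db-1":  {"sg-db", "sg-admin"},
}

def common_policy_groups(instance_sgs, sg_rules):
    """Group instances by the exact set of security groups attached to them."""
    members = defaultdict(list)
    for instance, sgs in instance_sgs.items():
        members[frozenset(sgs)].append(instance)
    groups = []
    for sgs, instances in members.items():
        # Security group rules are allow-only, so the cumulative policy
        # is the union of the inbound rules of every group in the set.
        effective = set().union(*(sg_rules[sg] for sg in sgs))
        groups.append({
            "security_groups": sorted(sgs),
            "instances": sorted(instances),
            "effective_rules": sorted(effective),
            # Rules open to any source are the ones to review first.
            "internet_exposed": sorted(r for r in effective if r[2] == "0.0.0.0/0"),
        })
    # Groups with no attached instance never get a key, so they are omitted,
    # matching the behaviour described for the Effective Policy view.
    return sorted(groups, key=lambda g: g["security_groups"])

if __name__ == "__main__":
    for group in common_policy_groups(INSTANCE_SGS, SG_RULES):
        print(group)
```

An unattached group such as `sg-unused` does not appear in the output even though it is open to the Internet, so it still has to be reviewed in the Security Groups view.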


Azure Cloud accounts

Effective Policy View

We group instances together in order to make large environments more readable.
Grouping is done for instances that share the same:
  • effective network - meaning that they have the same inbound traffic allowed.
  • similar names

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
