How Policy Copilot works

When a query is submitted, Policy Copilot analyzes the intent, evaluates the existing policy environment, and generates one or more policy recommendations based on the requested access behavior.

Note
  • Policy Copilot displays up to 20 results at a time for policy, rule, and object-related queries.

  • To view additional results, use prompts such as “Show next 20” or “Show next 20 network objects”.

  • Policy Copilot remembers the current policy context and active filters during follow-up interactions, so you do not need to repeat them in subsequent queries.

  • Policy Copilot captures business justification only for rules created through Conversations.

  • Supported object types include:

    • Network Object: Host (single IP), Range (IP range), Network (CIDR), and FQDN

    • Port Object: TCP and UDP port definitions

    • Network Group Object: Collection of network objects and inline IP/CIDR literals

    • Port Group Object: Collection of named port objects

Procedure


Step 1

In the left pane, click Insights & Reports > Agent Workforce > Conversations.

Step 2

Click New Conversation.

Step 3

Enter a query describing the required policy behavior.

Policy Copilot automatically analyzes the request and extracts relevant rule requirements.

Step 4

Review the available policy recommendations and generated rule options.

Step 5

If needed, provide refinements or additional requirements to modify the generated recommendations.

Step 6

Review any warnings related to missing objects, deployment readiness, overlaps, or policy conflicts.

Step 7

Approve the preferred option to continue with deployment preparation.

Object creation limitations and considerations

  • Policy Copilot supports creation of one object per request. Bulk object creation is not supported.

  • URL objects, SGT objects, Application objects, GeoLocation objects, and unsupported protocol-specific port objects are not currently supported.

  • Network groups support inline IP addresses and CIDR entries during creation workflows.

  • Port group members must reference existing named port objects. Inline port values are not supported for port groups.

  • Nested group references are supported only for existing groups. Creating a new group inline within another group is not supported.
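
The following added example is not part of Policy Copilot or its documentation. It is a local pre-check that applies the supported object types and the creation limitations listed above to a proposed request before it is typed into a conversation. The dictionary layout, the `a-b` range syntax, and the function names are assumptions made for this example.

```python
import ipaddress
import re

# Hypothetical pre-check; the dict layout and "a-b" range syntax are assumptions.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
UNSUPPORTED = {"url", "sgt", "application", "geolocation"}

def _ip(text):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None

def classify_network_value(value):
    """Return 'Host', 'Range', 'Network' or 'FQDN', or None if none fit."""
    value = value.strip()
    if _ip(value) is not None:
        return "Host"
    lo, _, hi = value.partition("-")
    a, b = _ip(lo), _ip(hi)
    if a is not None and b is not None and a.version == b.version and a <= b:
        return "Range"
    if "/" in value:
        try:
            ipaddress.ip_network(value, strict=False)  # host bits tolerated here
            return "Network"
        except ValueError:
            return None
    return "FQDN" if FQDN_RE.match(value) else None

def check_request(objects, existing):
    """List problems for a request; 'existing' holds names already defined."""
    problems = []
    if len(objects) != 1:
        problems.append("one object per request; bulk creation is not supported")
    for obj in objects:
        kind, members = obj["type"], obj.get("members", [])
        if kind in UNSUPPORTED:
            problems.append(f"{kind} objects are not supported")
        elif kind == "network" and classify_network_value(obj["value"]) is None:
            problems.append(f"{obj['value']!r}: not a host, range, CIDR or FQDN")
        elif kind == "port" and obj.get("protocol", "").lower() not in ("tcp", "udp"):
            problems.append("port objects must be TCP or UDP")
        elif kind == "network_group":  # names must exist; literals must be IP/CIDR
            problems += [f"{m!r}: not an existing object or inline IP/CIDR"
                         for m in members if m not in existing
                         and classify_network_value(m) not in ("Host", "Network")]
        elif kind == "port_group":  # no inline port values
            problems += [f"{m!r}: port group members must be existing port objects"
                         for m in members if m not in existing]
    return problems
```

An empty list from `check_request` means the request fits the documented limits; it does not predict the warnings Policy Copilot raises in Step 6.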