Policy
Define authentication and authorization rules. Authentication rules decide who may connect and create a secure tunnel. Authorization rules decide, once a tunnel exists, who may access which services.
Authentication (Authn)
Access to networks is decided by first match first execute; otherwise the request is denied. Rules are checked from top to bottom, and the first rule that matches executes its action (allow or deny). If no rule matches, the request is denied.
Let's examine the rule below.
If a user belongs to the group devops, the user is allowed (because the action is allow) to create secure tunnels to the network dev.
IP Profile
- IPs in the custom whitelist and in the IP-intelligence whitelist are allowed immediately.
- Then, IPs in the blacklist, or flagged as VPN, Tor, etc., are denied immediately.
- Then, only IPs from the selected countries are allowed.
Time Profile
- Allow if the time is 09:00 to 17:00 on Monday, Tuesday, Wednesday, Thursday or Friday, and the timezone is America/New_York.
Warning
The timezone does not imply the user's location; it only selects the clock against which the time window is evaluated.
Device Posture
- Checks whether the device posture matches one of the selected profiles. You can create profiles under settings/device posture.
Warning
Test a posture profile before relying on it in a rule: if the device does not match, the rule does not match, and a request that matches no rule is denied.
Authorization (Authz)
Access to services is decided like authentication: first match first execute, otherwise the request is denied. Rules are checked from top to bottom; the first rule that matches allows the request. If no rule matches, the request is denied.
Let's examine the rule below.
If the connection comes from the network dev to the service test-map, and the user belongs to the group devops, then it is allowed.
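Both evaluation orders above (authentication with its IP, time and device-posture profiles, and authorization by network, service and group) can be walked through in one piece of code. The following Python is an added example written for this page, not the product's own policy engine. The rule fields, the inline IP-intelligence table, the sample addresses and rules, and the treatment of a profile that fails (the rule simply does not match, so evaluation moves to the next rule) are assumptions chosen to mirror the description.

```python
"""Added example: first-match-wins, default-deny policy evaluation.

Illustrative code written for this page, not the product's engine.
Rule fields, the IP-intelligence table and the sample rules are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time, timezone
from typing import Optional
from zoneinfo import ZoneInfo
import ipaddress

# Constructed stand-in for an IP-intelligence feed (documentation ranges).
IP_INTEL = {
    "203.0.113.10": {"country": "US", "categories": set()},
    "203.0.113.20": {"country": "US", "categories": {"vpn"}},
    "203.0.113.30": {"country": "US", "categories": set()},
    "198.51.100.5": {"country": "DE", "categories": set()},
    "192.0.2.7": {"country": "DE", "categories": {"tor"}},
}


@dataclass
class IpProfile:
    whitelist: list   # custom + IP-intelligence whitelist, as CIDRs
    blacklist: list   # blacklist CIDRs
    blocked: set      # categories denied outright: "vpn", "tor", ...
    countries: set    # countries allowed when nothing above decided


def ip_profile_allows(p: IpProfile, ip: str) -> bool:
    """The three steps, in the order the page gives them."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(c) for c in p.whitelist):
        return True                        # 1. whitelist allows immediately
    if any(addr in ipaddress.ip_network(c) for c in p.blacklist):
        return False                       # 2. blacklist denies immediately
    info = IP_INTEL.get(ip, {"country": None, "categories": set()})
    if info["categories"] & p.blocked:
        return False                       #    ... and so do vpn/tor/etc.
    return info["country"] in p.countries  # 3. only selected countries


@dataclass
class TimeProfile:
    days: set        # 0 = Monday ... 6 = Sunday
    start: time
    end: time
    tz: str          # IANA zone name: a clock to evaluate against, not a location


def time_profile_allows(p: TimeProfile, now_utc: datetime) -> bool:
    local = now_utc.astimezone(ZoneInfo(p.tz))   # convert first, then compare
    return local.weekday() in p.days and p.start <= local.time() < p.end


@dataclass
class Request:
    groups: set
    network: str
    service: Optional[str] = None
    ip: str = ""
    now_utc: Optional[datetime] = None
    postures: frozenset = frozenset()   # posture profiles the device satisfies


@dataclass
class Rule:
    network: str
    groups: set                               # user must be in at least one
    action: str = "allow"                     # "allow" or "deny"
    service: Optional[str] = None             # authorization rules only
    ip_profile: Optional[IpProfile] = None
    time_profile: Optional[TimeProfile] = None
    postures: Optional[set] = None            # device must match one of these


def rule_matches(r: Rule, q: Request) -> bool:
    """Every condition attached to the rule must hold (assumption)."""
    if r.network != q.network or not (r.groups & q.groups):
        return False
    if r.service is not None and r.service != q.service:
        return False
    if r.ip_profile and not ip_profile_allows(r.ip_profile, q.ip):
        return False
    if r.time_profile and not time_profile_allows(r.time_profile, q.now_utc):
        return False
    if r.postures is not None and not (r.postures & q.postures):
        return False
    return True


def evaluate(rules: list, q: Request) -> str:
    """Top to bottom; the first matching rule decides; no match means deny."""
    for r in rules:
        if rule_matches(r, q):
            return r.action
    return "deny"


# Sample rules mirroring the page's examples (hypothetical values).
OFFICE_HOURS = TimeProfile({0, 1, 2, 3, 4}, time(9), time(17), "America/New_York")
CLEAN_IPS = IpProfile(["203.0.113.0/28"], ["192.0.2.0/24"], {"vpn", "tor"}, {"US"})
AUTHN_RULES = [
    Rule("dev", {"contractor"}, action="deny"),   # listed first, so it wins
    Rule("dev", {"devops"}, ip_profile=CLEAN_IPS,
         time_profile=OFFICE_HOURS, postures={"corp-laptop"}),
]
AUTHZ_RULES = [Rule("dev", {"devops"}, service="test-map")]


def decide_authn(groups, ip, when_utc, postures, network="dev") -> str:
    """when_utc is an ISO string in UTC, e.g. '2024-03-13T15:00'."""
    now = datetime.fromisoformat(when_utc).replace(tzinfo=timezone.utc)
    q = Request(set(groups), network, ip=ip, now_utc=now, postures=frozenset(postures))
    return evaluate(AUTHN_RULES, q)


def decide_authz(groups, network, service) -> str:
    return evaluate(AUTHZ_RULES, Request(set(groups), network, service=service))
```

Two details worth checking in any real deployment: the time window is compared after converting the request time into the profile's zone, so 15:00 UTC on a March weekday is inside 09:00 to 17:00 America/New_York while 22:00 UTC is not, and the same UTC instant can fall on either side of the window depending on daylight saving time; and an address with no country data never reaches the "selected countries" step with a match, so it is denied unless it was whitelisted.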