About ZTA Private Access Enforcement

Secure Access has a single Access policy, which consists of policy rules and settings. There are two types of access rules:

  • Private access rules, which control access to applications hosted in your data center and private clouds.
  • Internet access rules, which control access to resources on the internet from managed devices.

Your private access and internet policy rules and the default policy rules control the access and security of your resources and protect the traffic in your organization. Before you start adding rules to your policy, we recommend that you read through the topics in Manage the Access Policy.

Secure Access supports Zero Trust Access (ZTA) for secure remote access connections to configured private resources. We recommend that you read through the topics in Manage Private Resources and Manage Connections to Private Destinations for a thorough understanding of ZTA private access.

You configure private access rules to control the access and security of your private resources and protect the traffic in your organization. By default, traffic is handled by the first rule in the list that matches the traffic. Rules lower in the list have no effect on traffic that matches a rule higher in the list.

Secure Access provides several enforcement modes that give IT administrators a flexible approach to policy evaluation by letting them apply rules based on a broader set of criteria. The following topics describe the enforcement modes for ZTA private access:

  • Most specific match enforcement mode — This is the default enforcement mode for ZTA private access.
  • Multi-app match enforcement mode — This enforcement mode option considers all possible private resource matches (including duplicates) for a given access request during policy evaluation, rather than narrowing down to only the one most-specific resource match.
  • Multi-app with resolved IP match enforcement mode — This enforcement mode option identifies all the possible private resources that would be matched to resolved IP addresses following DNS resolution, and considers all possible private resources (across both FQDN and resolved IPs) during policy evaluation equally.
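To make the difference between the three modes concrete, here is an added Python model (not Cisco's code or documented algorithm) that evaluates one request against constructed private resources, a constructed DNS answer table and an ordered rule list; the specificity scoring, the rule-matching rule and the resource/rule data are assumptions of the model.

```python
from ipaddress import ip_address, ip_network

# Constructed private resources: name -> destination spec (FQDN, wildcard FQDN or CIDR).
RESOURCES = {
    "hr-portal": "hr.corp.example",
    "corp-wildcard": "*.corp.example",
    "dc-subnet": "10.1.0.0/16",
    "hr-host": "10.1.5.10/32",
}
# Constructed DNS answers standing in for the real resolver.
DNS = {"hr.corp.example": ["10.1.5.10"]}
# Constructed ordered rules: (name, action, resources the rule applies to).
RULES = [
    ("block-hr-host", "block", {"hr-host"}),
    ("allow-corp", "allow", {"corp-wildcard", "hr-portal"}),
    ("allow-dc", "allow", {"dc-subnet"}),
]

def match_score(spec, dest):
    """Assumed specificity: CIDR prefix length, wildcard label count, or 100 for an exact FQDN."""
    try:
        net = ip_network(spec, strict=False)
        return net.prefixlen if ip_address(dest) in net else None
    except ValueError:
        pass  # spec or dest is not an IP form; fall through to FQDN matching
    if spec.startswith("*."):
        return len(spec.split(".")) if dest.endswith(spec[1:]) else None
    return 100 if dest == spec else None

def candidates(dest, mode):
    """Private resources considered for dest under the given enforcement mode."""
    targets = [dest]
    if mode == "multi-app-resolved-ip":
        targets += DNS.get(dest, [])  # also match resources on the resolved IPs
    matches = {}
    for name, spec in RESOURCES.items():
        for t in targets:
            s = match_score(spec, t)
            if s is not None:
                matches[name] = max(s, matches.get(name, -1))
    if mode == "most-specific" and matches:
        best = max(matches.values())  # keep only the most specific match(es)
        return {n for n, s in matches.items() if s == best}
    return set(matches)  # multi-app modes keep every match

def evaluate(dest, mode):
    """First rule (top to bottom) whose resource set intersects the candidates wins."""
    cands = candidates(dest, mode)
    for name, action, res in RULES:
        if res & cands:
            return name, action
    return "default", "block"  # assumed default rule when nothing matches
```

Running `evaluate("hr.corp.example", mode)` yields `allow-corp` in the first two modes but `block-hr-host` in multi-app with resolved IP mode, because the IP-based resource only enters evaluation once the FQDN is resolved.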

Note: For information about changing your organization's enforcement mode, contact Cisco Secure Access Support.


Secure Access Packages and Feature Availability

Not all of the features described here are available to all Secure Access packages. Information about your current package is listed on the Admin > Licensing page. For more information, see Determine Your Current Package. If you encounter a feature here that you do not have access to, contact your sales representative for more information about your current package. See also, Cisco Secure Access Packages.
