Components for Private Access Rules
You can create access rules by adding rule components that you or others have configured to a rule. Components described in this topic are reusable. You can use the same component (such as a source) in multiple rules, speeding and simplifying rule creation. For example, you can define a set of users as a source, then use the same source in an internet access rule and in a private access rule for the same set of users. Some components are profiles, or groups of settings bundled together that you choose as a unit when configuring a rule.
Sources
In a private access rule, add source components. You can also specify sources by entering IP addresses, subnets, and ports, but these are not reusable source components. For more information, see About Configuring Sources in Private Access Rules.
- Users: You can apply rules to the traffic for the users in the organization.
- User Groups: You can apply rules to the traffic for the groups of users in the organization.
- Security Group Tags: You can apply rules to traffic originating from IP addresses in network segments that include Security Group Tags.
- Network Tunnel Groups: You can apply rules to the traffic originating from IP addresses in network segments defined by Network Tunnel Groups.
- Network Objects: You can apply rules to the traffic originating from IP addresses in network segments defined by Network Objects.
- Network Object Groups: You can apply rules to the traffic originating from IP addresses in network segments defined by Network Objects in Network Object Groups.
- Endpoint Devices: You can apply security controls to endpoint devices on private access rules.
An endpoint device is any user device that has enrolled with Zero Trust Access on the Cisco Secure Client. Once enrolled, the user device appears on the private access rules in the organization's policy. On a private access rule, you can select all endpoint devices in the organization, the endpoint devices with a certain host operating system (for example, macOS or Windows devices), or a single endpoint device.
For more information about the Cisco Secure Client and enrolling in Zero Trust Access, see Manage Zero Trust Access using Cisco Secure Client on Windows and macOS Devices.
Destinations
In a private access rule, add destination components. You can also specify destinations by entering IP addresses, subnets, ports, and protocols, but these are not reusable destination components and have serious limitations.
- Private Resources
- Private Resource Groups
- Network Objects
- Network Object Groups
- Service Objects
- Service Object Groups
For more information, see About Configuring Destinations in Private Access Rules.
Private Resources
Private Resource configurations determine how traffic is routed securely to applications and other resources on your network.
For each application in your data center, including resources on private clouds, define its connection requirements and the types of connections permitted for the resource: Zero Trust Network Access with the Cisco Secure Client installed, Zero Trust Network Access without an installed client, and VPN.
Private Resource Groups
(Optional) After you add private resources, you can create groups of them for convenience and consistency, to easily apply an access rule to a collection of resources.
See Add a Private Resource Group.
Network Objects
Network Objects are reusable network resources that are managed by your organization. Network Objects can represent IPv4 and IPv6 addresses, CIDR blocks, and ranges of IPv4 addresses. Select the Network Objects on the access rules to apply security controls to the resources.
For more information, see Manage Network Objects.
Network Object Groups
You can create collections of Network Objects and other Network Object Groups in Network Object Groups. Select the Network Object Groups on the access rules to apply security controls to a collection of resources.
For more information, see Manage Network Object Groups.
Service Objects
Service Objects are reusable destination resources. On each service resource, you can define a port, range of ports, protocol, or any protocols. Select the Service Objects on the access rules to apply security controls to the resources.
For more information, see Manage Service Objects.
Service Object Groups
You can create collections of Service Objects and other Service Object Groups in Service Object Groups. Select the Service Object Groups on the access rules to apply security controls to a collection of resources.
For more information, see Manage Service Object Groups.
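The following is an added example, not code from the product or this page: an illustrative Python model of how a destination is matched against Network Objects, nested Network Object Groups, and Service Objects. The object names, addresses, and ports are constructed for the example, and the treatment of a group that (directly or indirectly) contains itself is an assumption added so that nested resolution cannot loop; the page does not say whether the product permits such nesting.

```python
"""Illustrative model of Network Object, Network Object Group and Service Object
resolution for a private access rule destination. Added example, not product code.
Assumptions: groups may nest arbitrarily, so resolution flattens them recursively
with a cycle guard, and membership is tested with the standard library ipaddress
module. An IPv4 range is expanded into the minimal list of CIDR blocks."""
from dataclasses import dataclass, field
import ipaddress
from typing import Iterable, List, Optional, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class NetworkObject:
    """One reusable network resource: a single address, a CIDR block or an IPv4 range."""
    name: str
    spec: str  # "10.1.2.3", "2001:db8::/32", "10.1.0.0/16" or "10.1.2.10-10.1.2.20"

    def networks(self) -> List[IPNet]:
        if "-" in self.spec:  # IPv4 range "low-high"
            lo, hi = (ipaddress.ip_address(p.strip()) for p in self.spec.split("-", 1))
            return list(ipaddress.summarize_address_range(lo, hi))
        return [ipaddress.ip_network(self.spec, strict=False)]


@dataclass
class NetworkObjectGroup:
    """A collection of Network Objects and other Network Object Groups."""
    name: str
    members: list = field(default_factory=list)  # NetworkObject | NetworkObjectGroup


def flatten_networks(obj, seen=None) -> List[IPNet]:
    """Resolve an object or (nested) group into the networks it covers.
    Nested groups are followed depth first; a group already visited is skipped,
    so a self-referencing group (a constructed edge case) does not recurse forever."""
    seen = set() if seen is None else seen
    if isinstance(obj, NetworkObject):
        return obj.networks()
    if obj.name in seen:
        return []
    seen.add(obj.name)
    nets: List[IPNet] = []
    for member in obj.members:
        nets.extend(flatten_networks(member, seen))
    return nets


def address_matches(addr: str, obj) -> bool:
    """True if addr falls inside any network the object or group resolves to.
    ipaddress treats an IPv4 address as never contained in an IPv6 network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in flatten_networks(obj))


@dataclass(frozen=True)
class ServiceObject:
    """A port or port range plus a protocol; protocol None means any protocol,
    port_low None means any port."""
    name: str
    protocol: Optional[str]  # "tcp", "udp" or None for any protocol
    port_low: Optional[int] = None
    port_high: Optional[int] = None

    def matches(self, protocol: str, port: int) -> bool:
        if self.protocol is not None and self.protocol != protocol.lower():
            return False
        if self.port_low is None:
            return True
        high = self.port_high if self.port_high is not None else self.port_low
        return self.port_low <= port <= high


def service_matches(protocol: str, port: int, objs: Iterable[ServiceObject]) -> bool:
    return any(svc.matches(protocol, port) for svc in objs)


def destination_matches(addr: str, protocol: str, port: int, net_group, svc_objs) -> bool:
    """A destination matches only when both the address and the service match."""
    return address_matches(addr, net_group) and service_matches(protocol, port, svc_objs)


# Constructed sample objects (hypothetical names, addresses and ports).
DB_SUBNET = NetworkObject("db-subnet", "10.20.0.0/24")
JUMP_RANGE = NetworkObject("jump-hosts", "10.30.0.10-10.30.0.14")
V6_APP = NetworkObject("app-v6", "2001:db8:10::/64")
DATACENTER = NetworkObjectGroup("datacenter", [DB_SUBNET, JUMP_RANGE])
ALL_PRIVATE = NetworkObjectGroup("all-private", [DATACENTER, V6_APP])
DATACENTER.members.append(ALL_PRIVATE)  # deliberate self-reference to exercise the guard

POSTGRES = ServiceObject("postgres", "tcp", 5432)
UDP_HIGH = ServiceObject("udp-high", "udp", 49152, 65535)
ANY_SERVICE = ServiceObject("any", None)
DB_SERVICES = [POSTGRES, UDP_HIGH]

if __name__ == "__main__":
    print(destination_matches("10.30.0.12", "tcp", 5432, ALL_PRIVATE, DB_SERVICES))
```

The point to check in your own configuration is the one the model makes explicit: an address that is one past the end of a range (10.30.0.15 here) does not match even though it sits in the same /24, and a service object that names a protocol never matches traffic on another protocol even when the port is the same.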
Endpoint Posture Profiles (for Endpoint Requirements)
You can require endpoints to meet requirements such as operating system version, firewall, and disk encryption before connecting to a network or resource. These requirements are rule-matching criteria that determine whether a rule matches the traffic.
Endpoint requirements are defined in posture profiles. There are several types of posture profile, depending on the type of connection and characteristics of the end-user device:
- Client-based zero-trust posture profiles: For end-user devices on which the Cisco Secure Client is installed
- Browser-based zero-trust posture profiles: For end-user devices on which the Cisco Secure Client is NOT installed
- VPN posture profiles: For end-user devices that are connected to the network using remote access VPN.
When you configure a private resource, you will specify which of the above types of connections are allowed for that resource.
When you create a private access rule, you will specify a posture profile with device requirements for each type of connection allowed by the private resources specified as destinations in the rule.
You can create different posture profiles, each with a different set of requirements, then choose appropriate profiles for each rule.
You can specify default posture profiles for zero-trust access connections (client-based and browser-based). Create a profile with the desired default endpoint requirements for each connection type, then specify the default profiles on the Rule Defaults page. See Rule Defaults and Edit Rule Defaults and Global Settings.
Posture profile options apply only to User and User Group sources.
VPN posture is evaluated when the user connects to the network, which occurs before access rules evaluate the traffic.
Endpoint posture is not evaluated for branch connections.
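The following is an added example, not product code or text from this page: a Python model of where posture profiles enter private access rule matching, written only from the statements above (one profile per connection type that the rule's private resources allow, Rule Defaults for the two zero-trust connection types, posture as a match criterion only for User and User Group sources, VPN posture evaluated at connect time before rules, and no posture for branch connections). The requirement fields, user, group and resource names, and the representation of a branch connection as a connection type are assumptions made for the example.

```python
"""Illustrative model of endpoint posture in private access rule matching.
Added example, not product code. Connection types, requirement fields and
sample names are assumptions; the decision order mirrors the statements on
the page rather than any documented product algorithm."""
from dataclasses import dataclass, field
from typing import Optional, Tuple

CLIENT_ZTA = "client-based-zta"   # Cisco Secure Client installed
BROWSER_ZTA = "browser-based-zta"  # no client installed
VPN = "vpn"                        # remote access VPN
BRANCH = "branch"                  # assumption: traffic from a branch site tunnel


@dataclass(frozen=True)
class PostureProfile:
    """Endpoint requirements: minimum OS version, firewall on, disk encrypted."""
    name: str
    min_os_version: tuple = (0,)
    require_firewall: bool = False
    require_disk_encryption: bool = False

    def satisfied_by(self, device: dict) -> bool:
        return (tuple(device.get("os_version", (0,))) >= self.min_os_version
                and (not self.require_firewall or bool(device.get("firewall")))
                and (not self.require_disk_encryption or bool(device.get("disk_encrypted"))))


@dataclass
class PrivateResource:
    name: str
    allowed_connections: frozenset  # subset of {CLIENT_ZTA, BROWSER_ZTA, VPN}


@dataclass
class Rule:
    name: str
    sources: dict       # source kind -> set of ids, e.g. {"group": {"engineering"}}
    destinations: list  # PrivateResource objects
    posture: dict = field(default_factory=dict)  # connection type -> PostureProfile


# Rule Defaults: profiles applied when a rule sets none for a zero-trust connection type.
RULE_DEFAULTS = {
    CLIENT_ZTA: PostureProfile("default-client", (12,), True, True),
    BROWSER_ZTA: PostureProfile("default-browser", (0,)),
}


def profile_for(rule: Rule, conn_type: str) -> Optional[PostureProfile]:
    """The rule's own profile for this connection type, else the Rule Defaults one."""
    return rule.posture.get(conn_type) or RULE_DEFAULTS.get(conn_type)


def evaluate(rule: Rule, conn: dict) -> Tuple[bool, str]:
    """conn: {source_kind, source_id, resource, conn_type, device}. Returns (match, reason)."""
    if conn["source_id"] not in rule.sources.get(conn["source_kind"], set()):
        return False, "source not in rule"
    resource = next((r for r in rule.destinations if r.name == conn["resource"]), None)
    if resource is None:
        return False, "destination not in rule"
    if conn["conn_type"] not in resource.allowed_connections:
        return False, "%s not permitted for %s" % (conn["conn_type"], resource.name)
    # Posture options apply only to User and User Group sources.
    if conn["source_kind"] not in ("user", "group"):
        return True, "posture not evaluated for this source type"
    # VPN posture was evaluated at connect time, before rules; branch connections carry none.
    if conn["conn_type"] in (VPN, BRANCH):
        return True, "posture evaluated before rules or not applicable"
    profile = profile_for(rule, conn["conn_type"])
    if profile is None:
        return True, "no posture requirement configured"
    if profile.satisfied_by(conn["device"]):
        return True, "posture profile %s satisfied" % profile.name
    return False, "posture profile %s not satisfied" % profile.name


# Constructed sample configuration (hypothetical names).
ERP = PrivateResource("erp", frozenset({CLIENT_ZTA, BROWSER_ZTA, VPN}))
HR = PrivateResource("hr", frozenset({CLIENT_ZTA}))  # no browser-based access
STRICT = PostureProfile("strict-client", (13,), True, True)
RULE = Rule("engineering-to-apps",
            sources={"group": {"engineering"}, "network_object": {"branch-lan"}},
            destinations=[ERP, HR],
            posture={CLIENT_ZTA: STRICT})  # browser-based falls back to RULE_DEFAULTS

OK_DEVICE = {"os_version": (14, 1), "firewall": True, "disk_encrypted": True}
OLD_DEVICE = {"os_version": (12, 6), "firewall": True, "disk_encrypted": True}

if __name__ == "__main__":
    print(evaluate(RULE, {"source_kind": "group", "source_id": "engineering",
                          "resource": "erp", "conn_type": CLIENT_ZTA, "device": OLD_DEVICE}))
```

Two consequences worth verifying against your own rules fall out of the model: the same out-of-date device that fails the client-based profile still matches the rule over a browser-based or VPN connection, because each connection type carries its own profile, and a network-based source (here a Network Object) is never subject to posture even when the rule has profiles configured.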
Security Controls
Private access rules offer (and need) fewer security control options than internet access rules.
Intrusion Prevention (IPS)
Intrusion Prevention protects your network and assets by inspecting traffic for specified threat characteristics. Sets of threat signatures are bundled into IPS Profiles.
When you configure an access rule, you can choose a predefined IPS profile such as Balanced Security and Connectivity or Maximum Security, or create a custom profile using Snort signatures that you choose. You can also choose whether to block or just monitor traffic that matches an IPS profile.
You can specify a default IPS profile on the Rule Defaults page that is automatically selected in each new rule. Default settings apply to both private access rules and internet access rules. See Rule Defaults and Edit Rule Defaults and Global Settings.
See Manage IPS Profiles.
Security Profile, for File Inspection and File Type Controls
Prevent upload and download of malicious files or filetypes such as executables in traffic to private destinations by configuring at least one security profile for private access and selecting that profile in private access rules.
See Security Profiles for Private Access.