About Configuring Destinations in Private Access Rules

Let the following information guide you when you add destinations to a private access rule.

Destination components for private access rules

  • When you select a Private Resource Group, resources that are added to the group in the future are automatically included.
  • If you see an option to "Select All", this selects all existing items in the group at the time you select it, but the rule will not include items added to the group in the future.
  • All configured private resources allow connections from authenticated users on the network, including branch networks.
  • Other connection methods (zero trust client-based and browser-based, VPN) for each resource are determined by the private resource configuration.

Destinations created directly in a private access rule

You can specify IP addresses, CIDR blocks, ports, and protocols directly in an access rule, without creating a private resource first.

All destinations allow connections from authenticated users on the network, including branch networks.

Zero-trust connections are not available for destinations that are not configured as private resources.

Security controls do not apply to traffic to destinations added directly into a rule:

The following controls are not applied to traffic to destinations that you specify by typing IP addresses, CIDR blocks, ports, or protocols directly into the rule:

  • Endpoint posture requirements
  • Intrusion prevention (IPS)

If destinations include both configured private resources or groups and destinations typed directly into a rule, security controls are applied only to the configured private resources or groups.

If there are multiple destinations in a rule (Boolean logic)

If a private access rule includes multiple destinations, the following Boolean logic applies:

  • All types of destinations, and all destinations within a type, are treated as using the boolean OR operator: Traffic to each destination you specify in a rule matches the rule.
    For example, if you specify a private resource group and a set of IP addresses as destinations in a single rule, traffic to any destination belonging to either group or set will match the rule.
  • If you type in values of different types (IP address, port, protocol), traffic matches if any of the specified values match the rule.
    For example, if you specify an IP address and a port, traffic to any IP address on the specified port matches the rule, as does traffic to the specified address on any port.
    If you specify ANY protocol, then all traffic will match the rule, regardless of any other destinations you specify.
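
The OR logic above, together with the earlier note on security controls, can be modeled to audit a rule before deploying it. This is an added example, not the product's own code: the `Rule` fields, reason labels, and sample addresses are assumptions, configured resources are simplified to address lists, and a flow that hits a configured resource is assumed to keep its controls even when a typed value also matches.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    """Hypothetical model of one rule's destinations (field names are assumptions)."""
    resources: dict = field(default_factory=dict)    # configured resource name -> list of IPs/CIDRs
    typed_nets: list = field(default_factory=list)   # IPs/CIDRs typed directly into the rule
    typed_ports: list = field(default_factory=list)  # ports typed directly into the rule
    typed_protocols: list = field(default_factory=list)  # e.g. "TCP", "UDP", "ANY"

def _in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)

def evaluate(rule, dst_ip, dst_port, protocol):
    """Return (matches, controls_apply, reasons) for one flow.

    Every destination is OR'ed, so a single hit is enough to match.
    controls_apply is True only when the hit comes from a configured
    private resource (assumption: such a hit keeps its controls even if
    a typed value also matches).
    """
    reasons = [f"resource:{name}" for name, nets in rule.resources.items()
               if _in_any(dst_ip, nets)]
    controls_apply = bool(reasons)
    if _in_any(dst_ip, rule.typed_nets):
        reasons.append("typed:ip")
    if dst_port in rule.typed_ports:
        reasons.append("typed:port")
    protos = {p.upper() for p in rule.typed_protocols}
    if "ANY" in protos:
        reasons.append("typed:protocol-ANY")   # matches all traffic
    elif protocol.upper() in protos:
        reasons.append("typed:protocol")
    return bool(reasons), controls_apply, reasons

# Constructed sample rule: one configured resource plus a typed CIDR and a typed port.
SAMPLE = Rule(resources={"hr-app": ["10.1.1.10/32"]},
              typed_nets=["10.2.0.0/24"], typed_ports=[443])

if __name__ == "__main__":
    flows = [("10.1.1.10", 22, "tcp"), ("10.2.0.7", 22, "tcp"),
             ("192.168.5.5", 443, "tcp"), ("192.168.5.5", 22, "tcp")]
    for flow in flows:
        print(flow, evaluate(SAMPLE, *flow))
```

Any flow reported with `matches` true and `controls_apply` false is traffic the rule permits without endpoint posture or IPS, which is the case to review before typing a broad port or protocol into a rule.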
