Get Started With Private Access Rules
Private access rules control and secure access to internal resources and applications that are private and should not be accessed by the general public.
Traffic to private destinations is blocked by default. You must create rules to allow traffic to private destinations.
- Plan your private access rule
Plan your rule so that you get the results you expect. For example, factors such as rule order impact traffic handling. - Create rule components.
You will assemble rules largely from components, including but not limited to source, destination, endpoint posture, and security control components.
See Components for Private Access Rules - Specify rule defaults.
New rules will use the default security controls and other settings that you specify on the Rule Defaults page.
See Default Settings for Private Access Rules - Add private access rules
Generally, you will create rules to allow access to private resources.
See Add a Private Access Rule - Configure logging for the default private access rule
Traffic to private destinations that does not match any other private access rule in the policy will be handled by the default private access rule. Traffic that matches this rule is blocked.
See Edit the Default Access Rules - Edit the global settings
See Global Settings for Private Access Rules - Review the rule order
Make sure the order of the rules on the Policy page will have the results you expect.
See Edit the Order of the Rules on the Policy Page - Distribute dummy access URLs to end users
For rules allowing access to private resources using browser-based connections, distribute the remotely accessible dummy URL to the users who will use it to connect to the resource. You configure a URL for each resource when configuring the resource.
See Add a Private Resource.
Users who are not allowed access may see a Block page
Users that attempt to access a configured private resource will see a Block page if all of the following are true:
- The user's access is blocked by a Block rule, including by the default private access rule.
- The user's device has the Cisco Secure Client installed.
- Decryption is enabled on the private resource configuration page.
- VPN connections are not enabled on the private resource configuration page.
- Zero Trust connections are enabled for the resource.
You cannot customize this block page, and this block page is NOT the same block page that users see when they attempt to access a blocked internet destination.
To use a private access rule to ensure specific egress IP addresses for traffic to specific SaaS internet destinations outside your network, such as YourCompany.OtherCompany.com, see Zero Trust Access to Internet Destinations.
Troubleshoot Internet Access Rules< Get Started With Private Access Rules > Components for Private Access Rules
Updated about 1 month ago