Most Specific Match Enforcement Mode
The default enforcement mode for ZTA private access follows a top-down approach to private access rule processing. Each request is evaluated against the defined list of rules in order of priority until it finds a rule that matches its criteria. Once a match is found, the access policy applies the specified action (allow or block).
Note: Traffic to private destinations is blocked by default. You must create rules to allow traffic to private destinations.
For each ZTA private access request, the default mode for policy evaluation functions as follows:
- Before policy evaluation, the ZTA proxy selects the single most specific private resource that matches the request's destination and carries only that resource forward.
- Only that one resource is considered during policy evaluation; a rule can match only if its destination includes that resource. A broader rule that would cover the same destination through a less specific resource is never consulted.
- For a rule to match a request, the request must satisfy the rule's defined source and destination, and the endpoint must also meet any posture profile requirements associated with the rule.
- With exactly duplicated private resources (identical IP/FQDN, port and protocol), several resources are equally specific; ZTA then picks one of the matching resources arbitrarily.
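The following Python model walks through the three steps above on constructed data. It is an added illustration, not ZTA product code: the specificity ordering (longer IP prefix, exact FQDN over wildcard, explicit port and protocol over "any"), the data structures and the sample resources and rules are all assumptions made for the example. It shows the behaviour that catches people out: once the most specific resource is chosen, a higher-priority allow rule attached to a broader resource does not apply, so a failed posture check on the specific rule ends in the default block. It also reports equally specific duplicates so they can be audited rather than resolved arbitrarily.

```python
"""Model of most-specific-match enforcement (illustrative; not ZTA product code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Resource:
    name: str
    destination: str          # CIDR, single IP, exact FQDN, or wildcard "*.corp.example"
    port: Optional[int]       # None means any port
    protocol: Optional[str]   # None means any protocol


@dataclass
class Rule:
    name: str
    priority: int             # lower number is evaluated first (assumed convention)
    sources: set              # user groups allowed by the rule (constructed)
    resources: set            # names of private resources in the rule's destination
    action: str               # "allow" or "block"
    required_posture: set = field(default_factory=set)


@dataclass
class Request:
    user_groups: set
    dest: str
    port: int
    protocol: str
    posture: set              # posture attributes the endpoint currently satisfies


def _is_ip(value):
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def dest_score(resource, req):
    """Specificity of the resource destination for this request, or None if it does not cover it.
    Assumed scoring: prefix length for IP/CIDR, 1000 for an exact FQDN,
    100 + suffix length for a wildcard FQDN."""
    d = resource.destination
    if _is_ip(req.dest):
        try:
            net = ip_network(d, strict=False)
        except ValueError:
            return None   # FQDN resource cannot cover an IP destination
        return net.prefixlen if ip_address(req.dest) in net else None
    if d.startswith("*."):
        suffix = d[1:]
        return 100 + len(suffix) if req.dest.endswith(suffix) else None
    return 1000 if d == req.dest else None


def resource_score(resource, req):
    """Tuple (destination score, explicit port, explicit protocol); None if no match."""
    s = dest_score(resource, req)
    if s is None:
        return None
    if resource.port is not None and resource.port != req.port:
        return None
    if resource.protocol is not None and resource.protocol != req.protocol:
        return None
    return (s, resource.port is not None, resource.protocol is not None)


def select_resource(resources, req):
    """Step 1: pick the single most specific covering resource.
    Returns (chosen resource or None, list of equally specific resources)."""
    scored = [(resource_score(r, req), r) for r in resources]
    scored = [(s, r) for s, r in scored if s is not None]
    if not scored:
        return None, []
    best = max(s for s, _ in scored)
    ties = [r for s, r in scored if s == best]
    return ties[0], ties   # the product picks arbitrarily among duplicates; we take the first


def evaluate(rules, resources, req):
    """Steps 2-3: top-down rule evaluation restricted to the selected resource.
    Returns (action, matched rule name, chosen resource name, tied resources)."""
    chosen, ties = select_resource(resources, req)
    if chosen is None:
        return "block", None, None, ties          # nothing covers the destination: default block
    for rule in sorted(rules, key=lambda r: r.priority):
        if chosen.name not in rule.resources:
            continue                              # rule does not target the chosen resource
        if not (rule.sources & req.user_groups):
            continue                              # source does not match
        if not rule.required_posture <= req.posture:
            continue                              # posture requirement not met
        return rule.action, rule.name, chosen.name, ties
    return "block", None, chosen.name, ties       # no rule matched: default block


# Constructed sample data: a broad corporate range and one specific HR application.
RESOURCES = [
    Resource("corp-net", "10.0.0.0/8", None, None),
    Resource("hr-app", "10.1.2.3", 443, "tcp"),
]
RULES = [
    Rule("allow-corp", 1, {"employees"}, {"corp-net"}, "allow"),
    Rule("allow-hr", 2, {"hr"}, {"hr-app"}, "allow", {"disk-encrypted"}),
]

if __name__ == "__main__":
    req = Request({"employees", "hr"}, "10.1.2.3", 443, "tcp", set())
    print(evaluate(RULES, RESOURCES, req))   # blocked: hr-app chosen, posture fails, allow-corp not consulted
```

Running the block shows a request to the HR application from an endpoint without the required posture being blocked even though the user is also covered by the higher-priority corp-net allow rule; adding a duplicate of `hr-app` to `RESOURCES` makes `select_resource` return two tied resources, which is the condition the last bullet describes.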