Managing Private Network Policies
The Zenarmor SASE edition implements a Zero Trust Network Access (ZTNA) model in which no user or device is trusted by default. Every connection request is subject to identity verification, access control and continuous policy enforcement. Because users are granted access only to the specific applications and resources that a policy permits, the room for lateral movement by an attacker who compromises one account or device is greatly reduced.
Zenarmor's private access control feature applies the same policies, with the same visibility, to all users, devices and locations. Whether employees work from home, in a coworking space or at a branch office, they are subject to the same level of protection, which makes Zenarmor a scalable option for organizations supporting a location-independent workforce.
By combining ZTNA with real-time threat inspection, Zenarmor evaluates trust continuously rather than once at connection time. The Zenarmor SSE and higher editions thus provide a policy-centric solution for organizations adopting Zero Trust as a core security framework.
You may manage private network policies within your organization on Zenconsole by following these steps.
- Log in to Zenconsole.
- Select the organization that you want to manage.
- Navigate to the Policies page on Zenconsole.
- Click on the Private Network Policies tab. This displays the secure private (overlay) networks in your organization.
Figure 1. Private Network Policies Page
Tip: To define access control rules, you first need to create a secure private network.
Figure 2. Private Networks Lists
- Click on the private network you want to add or update a policy for. This displays the existing private network access policy list.
Figure 3. Private Network Access Policies
Initially, every secure private network in your organization has a Default Deny access rule. This rule is predefined to block all connections and cannot be configured in any way. Overlay network connections that do not match any other rule are subject to this default rule and are blocked, so access to a resource must be granted explicitly by a policy. This approach protects your organization from unauthorized access.
On the Policies page of a private network within an organization, you can perform the following management tasks.
- Create a new policy
- View the list of the policies
- View the status of the policies
- Enable/Disable a policy
- Edit a policy
- Clone a policy
- Delete a policy
- Reorder the policies
- Trigger Immediate Policy Update
Creating Private Network Access Policy
You may create a new private network access policy by following the next steps.
- Navigate to the private network access policy page on Zenconsole.
- Click the + Create New Rule button at the top right of the page. A dialog box opens in which you define the new policy.
- You may set the policy status by clicking the Status toggle bar. By default, a newly created policy is enabled.
- Enter a descriptive name into the Name field, such as Administrative Access.
- Specify the Source Peers Matching Criteria.
- Specify the Destination Peers Matching Criteria.
- Specify the Allowed Applications.
- Specify the Time Schedule.
Figure 4. Creating Private Network Access Policies
- Click the Create Rule button. The new rule is added to the private network access policy list automatically.
- Click the Trigger Update button at the top right of the page to activate the access rule in the selected secure private network. A confirmation dialog box is displayed.
- Click the Start Immediate Policy Update button to start an immediate update check so that critical policy changes are applied promptly. This overrides the periodic update schedule and brings all instances up to date without delay.
Figure 5. Trigger Access Rule Update
- Click the Close button to close the message box.
IMPORTANT NOTE: All of the criteria of a private network access policy are combined with the AND logical operator. For a flow to match your configured policy, every configured criterion must match the flow information.
Defining Source Peers Matching Criteria
By default, the source peers matching criteria of a newly created private network access policy have the value any, which means that all peers match the policy.
You may use the following criteria to restrict the source peers in the private network access rules.
- Users: You may add users in your organization by clicking on the + Add drop-down list next to the Users option. You may add as many users as you need.
Figure 6. Specifying Users for the Source of Network Access Rule
- Groups: You may add groups in your organization by clicking on the + Add drop-down list next to the Groups option. You may add as many groups as you need.
Figure 7. Specifying Groups for the Source of Network Access Rule
- Devices: You may add devices in your organization by clicking on the + Add drop-down list next to the Devices option. You may add as many devices as you need.
Figure 8. Specifying Devices for the Source of Network Access Rule
- IP Addresses: You may add IP addresses by clicking on the + Add drop-down list next to the IP Addresses option. You may add as many IP addresses as you need.
Figure 9. Specifying IP Addresses for the Source of Network Access Rule
- Ports: You may add a port or a port range for the source peer by clicking on the + Add drop-down list next to the Ports option.
Figure 9. Specifying Ports for the Source of Network Access Rule
- Locations: You may add a location for the source peer by clicking on the + Add drop-down list next to the Locations option. This displays a dialog box. You may set the location by selecting a country from the drop-down menu and optionally typing a city name.
Figure 10. Specifying Locations for the Source of Network Access Rule
Defining Destination Peers Matching Criteria
By default, the destination peers matching criteria of a newly created private network access policy have the value any, which means that all peers match the policy.
You may use the following criteria to restrict the destination peers in the private network access rules.
- Users: You may add users in your organization by clicking on the + Add drop-down list next to the Users option. You may add as many users as you need.
- Groups: You may add groups in your organization by clicking on the + Add drop-down list next to the Groups option. You may add as many groups as you need.
- Devices: You may add devices in your organization by clicking on the + Add drop-down list next to the Devices option. You may add as many devices as you need.
- IP Addresses: You may add IP addresses by clicking on the + Add drop-down list next to the IP Addresses option. You may add as many IP addresses as you need.
- Ports: You may add a port or a port range for the destination peer by clicking on the + Add drop-down list next to the Ports option.
- Locations: You may add a location for the destination peer by clicking on the + Add drop-down list next to the Locations option. This displays a dialog box. You may set the location by selecting a country from the drop-down menu and optionally typing a city name.
Figure 11. Specifying Criteria for the Destination of Network Access Rule
Defining Allowed Applications
By default, all applications are permitted in a newly created private network access policy. You can specify allowed applications individually by clicking on the + Add drop-down list next to the Applications option. You may add as many applications as you need.
Figure 12. Specifying Apps for the Network Access Rule
The available applications that you can select are as follows.
- Secure Shell
- Telnet
- Telnet over TLS/SSL
- RealVNC
- CIFS
- FTP-DATA
- TFTP
- FTP over TLS/SSL
- AFP
- MDNS
- Syslog
- Radius
- Kerberos
- LLMNR
- NETBIOS Name Service
- NETBIOS Datagram Service
- NETBIOS Session Service
- ElasticSearch
- Redis DB
- MongoDB
- CassandraDB
Defining Time Schedule
By default, an enabled private network access policy is always active; in other words, a network access request that matches the policy is allowed at any time of day. To limit the rule to specific times, define a time schedule by following the next steps.
- Scroll down to the Time Schedule pane in the private network access policy settings window.
- Switch off the Always active toggle bar.
- Select the days on which you want the policy to be active by switching on their toggle bars.
- Set the starting and ending hours for the policy activation.
Figure 12. Specifying Time Schedule of Network Access Rule
Viewing Policies List & Status of the Policies
All of the defined policies on a secure network are listed on the Private Network Access Policies page as well as the status of the policies.
Figure 13. Policies list view
Viewing Policy Status
If the policy is enabled, a solid green circle is displayed in the bottom right corner of the policy's icon to the left of the policy name.
If it is not enabled, you will see a solid white circle instead of green.
Enabling/Disabling Policy
You can easily change the status of the Policy to Enabled or Disabled by clicking on the Status toggle button on the Policy Configuration page or by clicking on the toggle button next to the policy name on Policy list view.
Figure 14. Enabling/Disabling Policy
Editing a policy
You may edit a private network access policy by simply clicking on the name of the policy in the policy list view. You may follow the steps described in Creating Private Network Access Policy section above.
Figure 15. Editing Private Network Access Policy
Cloning a policy
Zenconsole allows you to clone a policy within the same secure private network. This creates a new policy with the same settings as the original policy. To make a copy of a policy, follow these steps.
- Click on the clone icon next to the policy name that you wish to copy. This opens a dialog box for naming the clone of the policy.
- Enter a descriptive name for the new policy.
- Click the Clone button. A cloned policy is created automatically in the disabled state and appears at the bottom of the policy list.
Figure 16. Cloning Private Network Access Policy
- Click the Trigger Update button at the top right of the page to activate the access rule in the selected secure private network. A confirmation dialog box is displayed.
- Click the Start Immediate Policy Update button to initiate an immediate update check so that critical policy changes are applied promptly.
Deleting a Policy
To delete a private network access policy, follow the next steps.
- Click on the trash icon in the Actions column next to the policy name that you want to remove. This opens a dialog box asking you to confirm the deletion of the policy.
- Click the Delete button. The policy is removed from the secure private network.
Figure 17. Deleting Private Network Access Policy
- Click the Trigger Update button at the top right of the page to apply the change in the selected secure private network. A confirmation dialog box is displayed.
- Click the Start Immediate Policy Update button to initiate an immediate update check so that critical policy changes are applied promptly.
Ordering Policies
The order of the policies determines how they are applied. Policies are examined from the top of the list downward, and the first policy that matches a connection is the one applied. The default policy applies when none of the other policies match. Its settings cannot be modified, it cannot be removed, and it cannot be moved up or down the list.
A private network access policy may be easily reordered by dragging and dropping it inside the policy list.
Figure 18. Reordering Private Network Access Policy
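The matching semantics described on this page (criteria combined with AND, top-to-bottom first-match ordering, the fixed Default Deny fallback, the time schedule, and disabled policies being skipped) can be checked against a small model. The Python below is an added example written for this page, not Zenconsole's or Zenarmor's own code. It assumes that a matching rule allows the flow (the page describes only allow rules plus the non-configurable Default Deny), that several values within one criterion (for example, several users) match when the peer has any of them, that an IP address criterion may be a single address or a CIDR prefix, and that a time window lies within a single day. All rule names, peers, addresses and flows are constructed sample data.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
DEFAULT_DENY = "Default Deny"

# One end of an overlay flow and a connection attempt (sample attributes, not the product's schema).
Peer = namedtuple("Peer", "user group device ip port country", defaults=("", "", "", "", 0, ""))
Flow = namedtuple("Flow", "src dst app when")   # app: name as listed on the page, e.g. "Secure Shell"

def _port_matches(port, spec):
    """spec is a single port ("22") or an inclusive range ("5900-5910")."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

@dataclass
class PeerCriteria:
    """Empty set = 'any' (the page's default). Values within one criterion are alternatives
    (assumption); the different criteria are combined with AND."""
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    ips: set = field(default_factory=set)        # single addresses or CIDR prefixes (assumption)
    ports: set = field(default_factory=set)      # "22" or "5900-5910"
    countries: set = field(default_factory=set)

    def matches(self, peer):
        exact = [(self.users, peer.user), (self.groups, peer.group),
                 (self.devices, peer.device), (self.countries, peer.country)]
        if any(allowed and value not in allowed for allowed, value in exact):
            return False
        if self.ips and not (peer.ip and any(ip_address(peer.ip) in ip_network(n, strict=False) for n in self.ips)):
            return False
        return not self.ports or any(_port_matches(peer.port, s) for s in self.ports)

@dataclass
class Schedule:
    """Always active by default; otherwise only on the selected weekdays (Monday=0) between
    start and end of the same day (assumption about how a window is stored)."""
    always_active: bool = True
    days: set = field(default_factory=set)
    start: time = time(0, 0)
    end: time = time(23, 59)

    def active_at(self, when):
        return self.always_active or (when.weekday() in self.days
                                      and self.start <= when.time() < self.end)

@dataclass
class Rule:
    name: str
    enabled: bool = True
    src: PeerCriteria = field(default_factory=PeerCriteria)
    dst: PeerCriteria = field(default_factory=PeerCriteria)
    apps: set = field(default_factory=set)       # empty = all applications allowed
    schedule: Schedule = field(default_factory=Schedule)

    def matches(self, flow):
        # A disabled rule never matches; every other criterion must hold (AND).
        return (self.enabled and self.src.matches(flow.src) and self.dst.matches(flow.dst)
                and (not self.apps or flow.app in self.apps) and self.schedule.active_at(flow.when))

def evaluate(rules, flow):
    """Top-to-bottom, first match wins; no match falls through to the fixed Default Deny rule."""
    for rule in rules:
        if rule.matches(flow):
            return ("allow", rule.name)
    return ("deny", DEFAULT_DENY)

# Constructed sample policy list for one secure private network.
RULES = [
    Rule("Administrative Access",
         src=PeerCriteria(groups={"admins"}, ips={"10.8.0.0/24"}),
         dst=PeerCriteria(devices={"srv-db-01"}, ports={"22"}), apps={"Secure Shell"},
         schedule=Schedule(False, {0, 1, 2, 3, 4}, time(9, 0), time(18, 0))),
    Rule("Legacy Telnet", enabled=False, dst=PeerCriteria(devices={"srv-db-01"}), apps={"Telnet"}),
    Rule("Monitoring", src=PeerCriteria(devices={"mon-01"}), dst=PeerCriteria(ports={"514"}), apps={"Syslog"}),
]
# A broader rule: its position in the list decides which rule an admin SSH flow reports.
BROAD_RULE = Rule("Any Admin SSH", src=PeerCriteria(groups={"admins"}), apps={"Secure Shell"})

def admin_flow(app="Secure Shell", when=datetime(2024, 3, 5, 10, 0), dst_port=22):
    """alice (group admins) on 10.8.0.5 connecting to srv-db-01; 2024-03-05 is a Tuesday."""
    return Flow(Peer("alice", "admins", "lap-alice", "10.8.0.5", 51000, "DE"),
                Peer(device="srv-db-01", ip="10.8.0.20", port=dst_port), app, when)

def run_samples():
    saturday = datetime(2024, 3, 9, 10, 0)
    syslog = Flow(Peer(device="mon-01", ip="10.8.0.30", port=40000),
                  Peer(device="srv-log-01", ip="10.8.0.40", port=514), "Syslog", saturday)
    return {
        "weekday_ssh": evaluate(RULES, admin_flow()),
        "saturday_ssh": evaluate(RULES, admin_flow(when=saturday)),    # outside the schedule
        "weekday_telnet": evaluate(RULES, admin_flow(app="Telnet")),   # only a disabled rule fits
        "other_port": evaluate(RULES, admin_flow(dst_port=2222)),      # dst port criterion fails
        "syslog_from_monitor": evaluate(RULES, syslog),
        "broad_rule_first": evaluate([BROAD_RULE] + RULES, admin_flow()),
        "broad_rule_last": evaluate(RULES + [BROAD_RULE], admin_flow()),
    }
```

Calling run_samples() returns the decision and the rule name for each sample flow. The two broad_rule entries show why the page says ordering matters: the same admin SSH flow is reported under Any Admin SSH when that rule is on top and under Administrative Access when it is at the bottom, and on a Saturday the flow falls through to Default Deny unless the broader, always-active rule is present.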