
Managing Private Network Policies


Zenarmor SASE edition implements a Zero Trust Network Access (ZTNA) model in which no user or device is trusted by default. Every connection request is subjected to identity verification, access control, and continuous policy enforcement. Because users are granted access only to the specific applications and resources that well-defined policies allow, an attacker who compromises one endpoint has very little room for lateral movement.

Zenarmor's private access control feature provides consistent policy enforcement and visibility across all users, devices, and locations. Whether your employees work from home, in a coworking space, or at a branch office, the same rules are applied to their traffic. This uniformity makes Zenarmor a scalable solution for organizations that need to support a flexible, location-independent workforce securely.

Zenarmor's integrated approach to ZTNA and real-time threat inspection ensures that trust is continuously evaluated and access is tightly controlled. As a result, Zenarmor SSE and higher editions offer a robust, scalable, and policy-centric solution for organizations that adopt Zero Trust as a core security framework.

You may manage private network policies within your organization on Zenconsole by following these steps.

  1. Log in to Zenconsole.

  2. Select the organization that you want to manage.

  3. Navigate to the Policies page on Zenconsole.

  4. Click on the Private Network Policies tab.

    • If your organization already has secure private (overlay) networks, a dropdown will appear listing them.

    Figure 1. Private Access Policies Page

    • If no private networks exist, you will see the “No Private Networks Found” screen. In this case, you must create a private network before defining any access control rules. For detailed steps, see the guide on Creating Secure Private Networks.

    Figure 2. Private Network Policies Page - No Private Networks Found

  5. Click on the private network you want to add or update a policy for. This will display the Private Network Access Policies page for the selected network. If no custom rules have been created yet, you will only see the predefined Default Deny rule.

    Figure 3. Private Network Access Policies

tip

Initially, every secure private network within your organization has a Default Deny access rule. This rule is predefined to block all connections and cannot be edited, disabled, deleted, or reordered. Overlay network connections that do not match any other rule fall through to this default rule and are blocked. This default-deny posture ensures that only traffic you have explicitly allowed can cross the private network.

On the Policies page of a private network within an organization, you can perform the following management tasks.

  • Create a new policy

  • View the list of the policies

  • View the status of the policies

  • Enable/Disable a policy

  • Edit a policy

  • Clone a policy

  • Delete a policy

  • Reorder the policies

  • Trigger Immediate Policy Update

Creating Private Network Access Policy

You may create a new private network access policy by following the next steps.

  1. Navigate to the private network access policy page on Zenconsole.

  2. Click the + Create New Rule button at the top right of the page. A dialog box will open in which you configure the new policy.

  3. You may set the policy status by clicking on the Status toggle bar. By default, a newly created policy is enabled.

  4. Enter a descriptive name into the Name field, such as Administrative Access.

  5. Specify the Source Peers Matching Criteria.

  6. Specify the Destination Peers Matching Criteria.

  7. Specify the Transport Protocol.

  8. Specify the Allowed Applications.

  9. Specify the Device Posture Checks.

  10. Specify the Time Schedule if the rule should apply only during certain time periods.

    Figure 4. Creating Secure Network Access Rule

  11. Click the Create Rule button. The newly created rule is added to the private network access policy list automatically.

  12. After creating the rule, Zenconsole will display a Configuration Updated notification in the bottom-right corner. Click the Sync Now button in this notification to apply the policy immediately.

tip

If you do not click Sync Now, the changes will still be applied automatically during the next scheduled synchronization interval. However, clicking the Sync Now button, either from the notification or from the Sync Now button located next to the Create New Rule button at the top of the page, immediately applies the new rule across all instances without waiting.

Figure 5. Configuration Updated - Sync Now

IMPORTANT NOTE

All criteria of a private network access policy are combined with the logical AND operator: a flow matches the policy only if every configured criterion matches the flow information. A criterion left at its default value of any places no restriction on the flow, so a rule with every criterion set to any matches all traffic on the network.

Defining Source Peers Matching Criteria

By default, the matching criteria of source peers for a newly created private network access policy has a value of any, which means that all peers match the policy.

You may use the following criteria to restrict the source peers in the private network access rules.

  • Users: You may add users in your organization by clicking on the + Add drop-down list next to the Users option. You may add as many users as you need.

    Figure 6. Specifying Users for the Source of Network Access Rule

  • Groups: You may add groups in your organization by clicking on the + Add drop-down list next to the Groups option. You may add as many groups as you need.

    Figure 7. Specifying Groups for the Source of Network Access Rule

  • Devices: You may add devices in your organization by clicking on the + Add drop-down list next to the Devices option. You may add as many devices as you need.

    Figure 8. Specifying Devices for the Source of Network Access Rule

  • IP Addresses: You may add IP addresses by clicking on the + Add drop-down list next to the IP Addresses option. You may add as many IP addresses as you need.

    Figure 9. Specifying IP Addresses for the Source of Network Access Rule

  • Ports: You may add a port or a port range for the source peer by clicking on the + Add drop-down list next to the Ports option. Keep in mind that clients normally choose an ephemeral source port for each connection, so source-port criteria rarely restrict user traffic in a meaningful way; restrict the destination port instead.

    Figure 9. Specifying Ports for the Source of Network Access Rule

  • Locations: You may add a location for the source peer by clicking on the + Add drop-down list next to the Locations option. This will display a dialog box. You may set the location by selecting a country from the drop-down menu and optionally typing a City name.

    Figure 10. Specifying Locations for the Source of Network Access Rule

Defining Destination Peers Matching Criteria

By default, the matching criteria of destination peers for a newly created private network access policy has a value of any, which means that all peers match the policy.

You may use the following criteria to restrict the destination peers in the private network access rules.

  • Users: You may add users in your organization by clicking on the + Add drop-down list next to the Users option. You may add as many users as you need.

  • Groups: You may add groups in your organization by clicking on the + Add drop-down list next to the Groups option. You may add as many groups as you need.

  • Devices: You may add devices in your organization by clicking on the + Add drop-down list next to the Devices option. You may add as many devices as you need.

  • IP Addresses: You may add IP addresses by clicking on the + Add drop-down list next to the IP Addresses option. You may add as many IP addresses as you need.

  • Ports: You may add a port or a port range for the destination peer by clicking on the + Add drop-down list next to the Ports option.

  • Locations: You may add a location for the destination peer by clicking on the + Add drop-down list next to the Locations option. This will display a dialog box. You may set the location by selecting a country from the drop-down menu and optionally typing a City name.

    Figure 11. Specifying Criteria for the Destination of Network Access Rule

Defining Transport Protocol

By default, the transport protocol for a newly created private network access rule is set to any, meaning the rule applies regardless of whether the traffic uses TCP or UDP.

If you want to restrict the rule to a specific protocol, click the + Add drop-down list next to the Protocol field. You can choose one or both of the available options:

  • TCP

  • UDP

    Figure 12. Selecting Transport Protocol for the Network Access Rule

Defining Allowed Applications

By default, all applications are permitted in a newly created private network access policy. You can specify allowed applications individually by clicking on the + Add drop-down list next to the Applications option. You may add as many applications as you need.

Figure 13. Specifying Apps for the Network Access Rule

The available applications that you can select are as follows.

  • AFP
  • CassandraDB
  • CIFS
  • DNS over HTTPS
  • DNS over TLS
  • Domain Name Resolution
  • Elastic Search
  • Email Access via IMAP
  • Email Access via POP3
  • FTP over TLS/SSL
  • FTP-DATA
  • Kerberos
  • LDAP
  • LDAPS
  • LLMNR
  • MDNS
  • Microsoft-DS SMB
  • MongoDB
  • MS RDP
  • MS SQL Connection
  • MySQL
  • MySQL Connection
  • NETBIOS Datagram Service
  • NETBIOS Name Service
  • NETBIOS Session Service
  • Oracle
  • Oracle DB
  • PostgreSQL
  • Radius
  • RealVNC
  • Redis DB
  • Secure Email Access via IMAP
  • Secure Email Access via POP3
  • Secure Email Transport
  • Secure Shell
  • Secure Web Browsing
  • SIP Telephony
  • SMTP Email Relay Services
  • SMTP Submission Port
  • SNMP
  • SNMP Trap
  • Syslog
  • Telnet
  • Telnet over TLS/SSL
  • TFTP
  • Web Browsing

Defining Device Posture Checks

By default, Device Posture Check is configured to apply to devices using any Internet Security Policy. This means the rule applies to all policies unless you specify otherwise.

If you want to narrow this requirement, click + Add next to Internet Security Policy Assignments and select one or more specific policies. After selection, each chosen policy appears as a tag in the assignment field, and the rule applies only to devices assigned to those policies.

To learn more about the Device Posture Checks, we recommend reviewing the detailed explanation of Device Posture Checks.

Figure 14. Device Posture Checks Panel

tip

Other posture check types, such as OS and System Configuration and EDR/XDR Integrations, are shown as Coming Soon and will become available in future updates.

Defining Time Schedule

By default, an enabled private network access policy is always active, so flows that match it are allowed at any time of day on any day of the week. To limit a rule to specific time periods, define a time schedule by following these steps.

  1. Scroll down to the Time Schedule pane in the private network access policy settings window.

  2. Switch off the Always active toggle bar.

  3. Select the days on which you want the policy to be active by switching on the toggle bars.

  4. Set the start and end hours between which the policy is active.

    Figure 15. Specifying Time Schedule of Network Access Rule

Viewing Policies List & Status of the Policies

All policies defined on a secure private network are listed on the Private Network Access Policies page together with their status.

Figure 16. Policies list view

Viewing Policy Status

Enabled Policy If the policy is enabled, a solid green circle is displayed in the bottom right corner of the policy's icon to the left of the policy name.

Disabled Policy If it is not enabled, you will see a solid white circle instead of green.

Enabling/Disabling Policy

You can change the status of a policy to Enabled or Disabled by clicking the Status toggle on the Policy Configuration page, or by clicking the toggle next to the policy name in the policy list view. A disabled policy is skipped during evaluation, so flows it would otherwise match fall through to the next rule in the list.

Figure 17. Enabling/Disabling Policy

Editing a policy

You may edit a private network access policy by simply clicking on the name of the policy in the policy list view. You may follow the steps described in Creating Private Network Access Policy section above.

Figure 18. Editing Private Network Access Policy

Cloning a policy

Zenconsole allows you to clone a policy within the same secure private network. This creates a new policy with the same settings as the original. To make a copy of a policy, follow these steps.

  1. Click the clone icon (Clone Policy) next to the name of the policy you wish to copy. This opens a dialog box for naming the clone.

    Figure 19. Cloning Private Network Access Policy

  2. Enter a descriptive name for the new policy.

    Figure 20. Clone Rule Pop-up

  3. Click the Clone button. This automatically creates the cloned policy in the disabled state and places it at the bottom of the policy list. Because the clone is disabled, edit it as needed and then enable it (see Enabling/Disabling Policy) before it can take effect.

  4. Click the Sync Now button at the top right of the page to push the updated rule set to the selected secure private network. This will display a dialog box for confirmation.

  5. Click the Sync Now button in the dialog to initiate an immediate update so that the policy change is applied promptly.

Deleting a Policy

To delete a private network access policy, you may follow the next steps.

  1. Click the trash icon in the Actions column next to the name of the policy you want to remove. This opens a dialog box asking you to confirm the deletion.

    Figure 21. Deleting Private Network Access Policy

  2. Click the Delete button. The policy will be removed from the secure private network.

  3. After deleting the rule, Zenconsole will display a Configuration Updated notification in the bottom-right corner. Click the Sync Now button in this notification to apply the policy immediately.

tip

If you do not click Sync Now, the deletion will still be applied automatically during the next scheduled synchronization interval. However, clicking the Sync Now button, either from the notification or from the Sync Now button located next to the Create New Rule button at the top of the page, immediately applies the change across all instances without waiting.

Ordering Policies

The order of the policies determines how they are applied. Policies are evaluated from the top of the list downward, and the first enabled policy that matches a flow is applied; no later policy is consulted for that flow. The Default Deny policy is applied only when no other policy matches. Its settings cannot be modified, it cannot be removed, and it cannot be moved up or down the list. Because the first match wins, a broad rule placed above a narrower one shadows the narrower rule entirely, so review the order whenever you add or reorder a policy.

A private network access policy may be easily reordered by dragging and dropping it inside the policy list.

Figure 22. Reordering Private Network Access Policy
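The following Python model, added here as an illustration and not code from Zenconsole or Zenarmor, shows how the semantics described on this page fit together: criteria combined with AND, an unset criterion meaning any, disabled policies (including fresh clones) skipped, the time schedule, first-match evaluation from the top of the list, and the unmatched flow falling through to Default Deny. The rule names, users, addresses and flows are constructed for the example. It assumes, because the page does not state it, that several entries inside one criterion are alternatives (any listed group or port range matches), that rules are allow rules, and that the schedule is checked against the flow's local weekday and hour.

```python
"""Evaluation model for ordered, AND-combined private network access rules.
Added illustration for this page, not Zenconsole or Zenarmor code. Assumed, since the
page does not say: entries within one criterion are alternatives, rules are allow
rules, and the schedule is checked against the flow's local weekday and hour."""
from collections import namedtuple
from dataclasses import dataclass, field, replace
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = None  # an unset criterion means "any", exactly as in a newly created rule

# One side of a flow as the overlay sees it, and the flow itself (constructed model).
Endpoint = namedtuple("Endpoint", "user groups ip port country")
# protocol: "tcp"/"udp"; app: a name from the page's list; posture_policy: the
# Internet Security Policy assigned to the source device.
Flow = namedtuple("Flow", "src dst protocol app posture_policy when")

@dataclass
class Schedule:
    days: set[int]   # 0 = Monday ... 6 = Sunday
    start_hour: int  # inclusive
    end_hour: int    # exclusive

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start_hour <= when.hour < self.end_hour

@dataclass
class PeerCriteria:
    """Source or destination criteria; every field defaults to any."""
    users: Optional[set[str]] = ANY
    groups: Optional[set[str]] = ANY
    networks: Optional[list[str]] = ANY           # CIDR strings
    ports: Optional[list[tuple[int, int]]] = ANY  # inclusive (low, high) ranges
    countries: Optional[set[str]] = ANY

    def matches(self, ep: Endpoint) -> bool:
        return ((self.users is ANY or ep.user in self.users)
                and (self.groups is ANY or bool(ep.groups & self.groups))
                and (self.networks is ANY
                     or any(ip_address(ep.ip) in ip_network(n) for n in self.networks))
                and (self.ports is ANY or any(lo <= ep.port <= hi for lo, hi in self.ports))
                and (self.countries is ANY or ep.country in self.countries))

@dataclass
class Rule:
    name: str
    enabled: bool = True
    source: PeerCriteria = field(default_factory=PeerCriteria)
    destination: PeerCriteria = field(default_factory=PeerCriteria)
    protocols: Optional[set[str]] = ANY
    apps: Optional[set[str]] = ANY
    posture_policies: Optional[set[str]] = ANY
    schedule: Optional[Schedule] = ANY  # None = always active

    def matches(self, f: Flow) -> bool:
        # Every configured criterion must hold at once (AND); unset ones are "any".
        return (self.source.matches(f.src) and self.destination.matches(f.dst)
                and (self.protocols is ANY or f.protocol in self.protocols)
                and (self.apps is ANY or f.app in self.apps)
                and (self.posture_policies is ANY or f.posture_policy in self.posture_policies)
                and (self.schedule is ANY or self.schedule.active(f.when)))

def evaluate(rules: list[Rule], f: Flow) -> tuple[str, str]:
    """Walk the list top to bottom; the first enabled match wins; else Default Deny."""
    for r in rules:
        if r.enabled and r.matches(f):
            return "allow", r.name
    return "deny", "Default Deny"

# Constructed rule set: office-hours SSH for admins, HTTPS for everyone, a disabled clone.
ADMIN_SSH = Rule("Administrative Access",
                 source=PeerCriteria(groups={"admins"}, countries={"DE"}),
                 destination=PeerCriteria(networks=["10.10.0.0/24"], ports=[(22, 22)]),
                 protocols={"tcp"}, apps={"Secure Shell"}, posture_policies={"Corporate Laptops"},
                 schedule=Schedule({0, 1, 2, 3, 4}, 8, 18))  # Mon-Fri 08:00-18:00
WEB_SERVERS = Rule("Web Servers", protocols={"tcp"}, apps={"Secure Web Browsing"},
                   destination=PeerCriteria(networks=["10.10.0.0/24"], ports=[(443, 443)]))
ADMINS_ANYWHERE = Rule("Admins Anywhere", source=PeerCriteria(groups={"admins"}))
CLONE = replace(ADMIN_SSH, name="Administrative Access (copy)", enabled=False)  # clones start disabled
POLICIES = [ADMIN_SSH, WEB_SERVERS, CLONE]

def sample_flows() -> dict[str, Flow]:
    """Constructed flows; 2024-06-03 is a Monday and 2024-06-02 a Sunday."""
    alice = Endpoint("alice", frozenset({"admins"}), "100.64.0.5", 51000, "DE")
    bob = Endpoint("bob", frozenset({"staff"}), "100.64.0.9", 51001, "DE")
    bastion = Endpoint("", frozenset(), "10.10.0.7", 22, "DE")
    intranet = Endpoint("", frozenset(), "10.10.0.8", 443, "DE")
    monday, sunday = datetime(2024, 6, 3, 10, 0), datetime(2024, 6, 2, 10, 0)
    return {
        "admin_ssh_in_hours": Flow(alice, bastion, "tcp", "Secure Shell", "Corporate Laptops", monday),
        "admin_ssh_weekend": Flow(alice, bastion, "tcp", "Secure Shell", "Corporate Laptops", sunday),
        "admin_ssh_byod": Flow(alice, bastion, "tcp", "Secure Shell", "BYOD", monday),
        "staff_https": Flow(bob, intranet, "tcp", "Secure Web Browsing", "BYOD", monday),
    }

if __name__ == "__main__":
    for label, flow in sample_flows().items():
        print(f"{label:19} -> {evaluate(POLICIES, flow)}")
    # A broad rule above the time-bounded one shadows its schedule: reordering matters.
    print("broad rule on top   ->", evaluate([ADMINS_ANYWHERE] + POLICIES, sample_flows()["admin_ssh_weekend"]))
```

Running the script shows the in-hours admin SSH flow allowed by Administrative Access, the same flow on a Sunday or from a device outside the Corporate Laptops posture policy falling through to Default Deny (one failed criterion is enough), and staff HTTPS allowed by Web Servers. The last line makes the ordering point: once Admins Anywhere is placed above Administrative Access, the weekend SSH flow is allowed and the schedule on the narrower rule never gets a say.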