How Access rule policy evaluation is done for Any Resource
03/26/2020
Resolution
In the context of Split Tunnel and Redirect-All tunnel mode, how is an Any User -> Any Resource access rule processed?
ACL Filtering:
The rules are filtered to only those that apply to the current user before any of the logic below applies. As a result, an Any Resource rule that applies only to User A does not affect the redirection list sent down to other users: the special "send all resources in the redirection list" logic applies only to users who have an Any Resource destination rule in their per-user rule list.
Any Resource:
Any Resource refers to the resource redirection ruleset and to how ACLs are applied to incoming traffic. In most cases, Any Resource means just that: any resource, regardless of how it reached the appliance, matches the ACL, even if the resource itself is not defined in AMC. If you are not using Any Resource in your ACLs, there is nothing to worry about (and matching on specificity takes precedence).
Split Tunnel:
When a user logs in with Connect Tunnel and Split Tunnel enabled, the policy server goes through the ACL list. If it comes across an Any User @ REALM -> Any Resource rule, it sends all resources defined in AMC to the client machine as the Redirection Rules. All other rules, permit or deny, are ignored when the Allow All rule is defined. The only caveat is the Resource Exclusion list, which is a separate global list sent down to the client and honored at the time the client requests the traffic (e.g., if the destination matches the resource exclusion list, it is not redirected to the appliance).
Once the Redirection Rules arrive at the client:
- If the client sends a request for something that matches its Redirection Rules, the CT client sends that traffic to the appliance, at which point the appliance evaluates it against the ACL list for the given user/group.
- If the client sends a request for something that does not match its Redirection Rules, that traffic is not sent to the appliance.
Redirect-All Tunnel:
When a user logs in with Connect Tunnel and Redirect-All mode enabled, the policy server sends down a Send Everything flag to the client machine, letting it know that it's in Redirect-All mode and that all traffic (regardless of destination) should be sent to the appliance.
Once the client is aware that it's in Redirect-All mode, a few things happen on subsequent requests:
- No matter what the client requests, it's always sent to the appliance.
- When that traffic arrives at the appliance, it is implicitly treated as part of the resource list. So, if there's an Any User @ REALM -> Any Resource rule, access is granted even if the requested resource is not in the resource list in AMC.
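A simplified model of the evaluation described above, added here as an example (not SonicWall code): the rule set, resource definitions, exclusion list, and the assumed first-match/implicit-deny ACL behaviour on the appliance are all constructed for illustration.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

ANY_USER, ANY_RESOURCE = "Any User", "Any Resource"
Rule = namedtuple("Rule", "user resource action")  # user/resource may be ANY_*

# Constructed sample data (assumptions, not real AMC configuration).
RESOURCES = {"intranet": "10.1.0.0/16", "mail": "10.2.5.10/32"}
EXCLUSIONS = ["10.1.99.0/24"]                    # global resource exclusion list
RULES = [Rule("alice", ANY_RESOURCE, "permit"),  # Any Resource, but only for alice
         Rule(ANY_USER, "intranet", "permit")]

def rules_for_user(rules, user):
    """ACL filtering: only rules that apply to this user take part in anything below."""
    return [r for r in rules if r.user in (ANY_USER, user)]

def redirection_list(rules, user, redirect_all):
    """Policy-server side: what the Connect Tunnel client receives at login."""
    if redirect_all:
        return {"send_everything": True, "networks": []}
    mine = rules_for_user(rules, user)
    if any(r.resource == ANY_RESOURCE for r in mine):
        nets = list(RESOURCES.values())  # every resource defined in AMC
    else:  # assumption: otherwise only the resources named in the user's rules
        nets = [RESOURCES[r.resource] for r in mine]
    return {"send_everything": False, "networks": nets}

def client_redirects(redir, dst_ip):
    """Client side: decide whether a request is sent to the appliance."""
    ip = ip_address(dst_ip)
    if redir["send_everything"]:  # Redirect-All: everything goes to the appliance
        return True
    if any(ip in ip_network(x) for x in EXCLUSIONS):
        return False              # exclusion list is honored at request time
    return any(ip in ip_network(n) for n in redir["networks"])

def appliance_decision(rules, user, dst_ip):
    """Appliance side: evaluate the user's filtered ACL (assumed first match, implicit deny)."""
    ip = ip_address(dst_ip)
    for r in rules_for_user(rules, user):
        if r.resource == ANY_RESOURCE or ip in ip_network(RESOURCES[r.resource]):
            return r.action
    return "deny"

def evaluate(user, dst_ip, redirect_all, rules=RULES):
    """End-to-end: login redirection list -> client decision -> appliance ACL."""
    redir = redirection_list(rules, user, redirect_all)
    if not client_redirects(redir, dst_ip):
        return "not redirected"
    return appliance_decision(rules, user, dst_ip)
```

In Redirect-All mode, a destination absent from AMC (here 8.8.8.8) is permitted for alice through her Any Resource rule but denied for bob, whose filtered rule list has no match.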
If you need any further clarifications on this Policy Server Evaluation, please contact our Support team.