How Access rule policy evaluation is done for Any Resource
03/26/2020 
5 
11692
DESCRIPTION:
How Access rule policy evaluation is done for Any Resource
RESOLUTION:
In the context of Split tunnel and Redirect-all Tunnel mode, how is Any User - Any Resource Access rule processed?
ACL Filtering:
The rules are filtered to only those that apply to the current user before any of the logic below applies. So that if there is an Any Resource rule that applies only to User A, that would not affect the redirection list that is sent down for other users, the special "Send all resources in the redirection list" logic would only apply to users who have an Any Resource destination rule in their per-user rule list.
Any Resource:
Any Resource refers to the resource redirection ruleset, and how ACLs are applied to incoming traffic. In most cases, Any Resource means just that--any Resource regardless of how it got to the appliance would match the ACL, even if the Resource itself is not defined in AMC. Obviously, if you are not using Any Resource in your ACLs, then you don't have anything to worry about (and matching on specificity takes precedence).
Split Tunnel:
When a user logs in with Connect Tunnel and Split Tunnel enabled, the policy server goes through the ACL list. If it comes across an Any User @ REALM ? Any Resource rule, it sends all resources (defined in AMC) to the client machine as the Redirection Rules. All other rules are ignored permit or deny when you have the Allow All rule defined. The only caveat is the Resource Exclusion list, which is a separate global list sent down to the client and is honored at the time the client requests the traffic (e.g., if it matches the resource exclusion list, it is not redirected to the appliance).
Once the Redirection Rules arrive at the client:
- If the client sends a request for something that does match it's Redirection Rules, the CT client sends that traffic to the appliance, at which point the appliance evaluates it based on the ACL list for the given user/group.
- If the client sends a request for something that does not match it's Redirection Rules, that traffic is not sent to the appliance.
Redirect-All Tunnel:
When a user logs in with Connect Tunnel and Redirect-All mode is enabled, the policy server sends down a Send Everything flag to the client machine, letting it know that its in Redirect-All mode, and that all traffic (regardless of destination) should be sent to the appliance.
Once the client is aware that it's in Redirect-All mode, a few things happen on subsequent requests:
- No matter what the client requests, it's always sent to the appliance.
- When that traffic arrives at the appliance, it is implicitly dealt with as a part of the resource list. So, if there's an Any User @ REALM ? Any Resource rule, access is granted even if the requested resource is not in the resource list in AMC.
If you need any further clarifications on this Policy Server Evaluation, please contact our Support team.
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Network Security ManagerModern Security Management for today’s security landscape
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
