- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
How Access rule policy evaluation is done for Any Resource
03/26/2020 
6 People found this article helpful
43,036 Views
Description
How Access rule policy evaluation is done for Any Resource
Resolution
In the context of Split tunnel and Redirect-all Tunnel mode, how is Any User - Any Resource Access rule processed?
ACL Filtering:
The rules are filtered to only those that apply to the current user before any of the logic below applies. So that if there is an Any Resource rule that applies only to User A, that would not affect the redirection list that is sent down for other users, the special "Send all resources in the redirection list" logic would only apply to users who have an Any Resource destination rule in their per-user rule list.
Any Resource:
Any Resource refers to the resource redirection ruleset, and how ACLs are applied to incoming traffic. In most cases, Any Resource means just that--any Resource regardless of how it got to the appliance would match the ACL, even if the Resource itself is not defined in AMC. Obviously, if you are not using Any Resource in your ACLs, then you don't have anything to worry about (and matching on specificity takes precedence).
Split Tunnel:
When a user logs in with Connect Tunnel and Split Tunnel enabled, the policy server goes through the ACL list. If it comes across an Any User @ REALM ? Any Resource rule, it sends all resources (defined in AMC) to the client machine as the Redirection Rules. All other rules are ignored permit or deny when you have the Allow All rule defined. The only caveat is the Resource Exclusion list, which is a separate global list sent down to the client and is honored at the time the client requests the traffic (e.g., if it matches the resource exclusion list, it is not redirected to the appliance).
Once the Redirection Rules arrive at the client:
- If the client sends a request for something that does match it's Redirection Rules, the CT client sends that traffic to the appliance, at which point the appliance evaluates it based on the ACL list for the given user/group.
- If the client sends a request for something that does not match it's Redirection Rules, that traffic is not sent to the appliance.
Redirect-All Tunnel:
When a user logs in with Connect Tunnel and Redirect-All mode is enabled, the policy server sends down a Send Everything flag to the client machine, letting it know that its in Redirect-All mode, and that all traffic (regardless of destination) should be sent to the appliance.
Once the client is aware that it's in Redirect-All mode, a few things happen on subsequent requests:
- No matter what the client requests, it's always sent to the appliance.
- When that traffic arrives at the appliance, it is implicitly dealt with as a part of the resource list. So, if there's an Any User @ REALM ? Any Resource rule, access is granted even if the requested resource is not in the resource list in AMC.
If you need any further clarifications on this Policy Server Evaluation, please contact our Support team.
Related Articles
- How to secure Virtual Office portal from all external access
- NetExtender users fail to get connected throwing an Error Failed to get vpn protocol on firmware 10.2.1.2 or above due to misconfigured protocol
- Is SRA/SMA appliance vulnerable to CVE-2016-2183 and CVE-2016-5915?
YES
NO