Access Policy Examples

Tunnel Policy Configuration Scenarios
Updated On: Dec 18, 2025

Access Policy Overview

Cloud Secure Edge (CSE) Access Policies enforce which devices have access to protected services. Admins can configure Access Policies by defining which user Roles and device Trust Levels are required in order to grant access to a resource or network. Once configured, the Access Policy needs to be applied to the relevant service or Service Tunnel in order to become active.

Comparing CSE Access Policies to Firewall Access Rules

A CSE Access Policy acts as a single container for multiple access rules: each Access Policy can contain multiple Access Groups, each of which has its own set of rules for accessing protected resources or networks.

Compared to traditional firewall configurations, which typically consist of a hierarchical list of individually specified access rules, a CSE Access Policy is like a consolidated firewall rule list that does not work sequentially. Instead, it evaluates all rules within the policy against the same policy logic. Therefore, rule order within a CSE Access Policy does not affect policy evaluation.

For instance, if a user in an org has 2 Roles and belongs to 2 separate Access Groups, and one Access Group grants access to a specific IP range while the other Access Group denies access to an IP address in this same IP range, the user's granted access will always take precedence over their denied access. The ordering of the Access Groups or Access Policies does not affect the outcome.
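The scenario above can be modelled as follows. This is an added example, not CSE's own code: it is a simplified model of the evaluation logic described here, contrasted with first-match firewall evaluation. The role names, CIDRs, function names, and the default-deny result when no allow matches are assumptions.

```python
import ipaddress
from itertools import permutations

# Constructed sample data: role names and CIDRs are hypothetical.
ACCESS_GROUPS = [
    {"roles": {"engineering"}, "action": "allow", "cidr": "10.10.0.0/16"},
    {"roles": {"contractors"}, "action": "deny", "cidr": "10.10.5.20/32"},
]

def _matches(group, user_roles, dest_ip):
    """A group applies when the user holds one of its roles and the
    destination address falls inside the group's CIDR."""
    in_cidr = ipaddress.ip_address(dest_ip) in ipaddress.ip_network(group["cidr"])
    return bool(group["roles"] & user_roles) and in_cidr

def evaluate_cse_style(groups, user_roles, dest_ip):
    """Order-independent model: gather every matching group, and let any
    allow take precedence over a deny."""
    actions = {g["action"] for g in groups if _matches(g, user_roles, dest_ip)}
    if "allow" in actions:
        return "allow"
    return "deny"  # assumption: no matching allow means no access

def evaluate_first_match(groups, user_roles, dest_ip):
    """Sequential firewall-style model for contrast: the first matching
    rule decides the outcome."""
    for g in groups:
        if _matches(g, user_roles, dest_ip):
            return g["action"]
    return "deny"  # assumption: implicit deny at the end of the list

def outcomes_over_all_orderings(evaluator, groups, user_roles, dest_ip):
    """Run the evaluator on every ordering of the groups and return the
    set of distinct results. One result means order does not matter."""
    return {evaluator(list(p), user_roles, dest_ip) for p in permutations(groups)}

if __name__ == "__main__":
    user = {"engineering", "contractors"}  # one user holding both Roles
    for name, fn in [("cse-style", evaluate_cse_style),
                     ("first-match", evaluate_first_match)]:
        results = outcomes_over_all_orderings(fn, ACCESS_GROUPS, user, "10.10.5.20")
        print(f"{name}: {sorted(results)}")
```

Because an allow in any matching Access Group wins, a deny in one group cannot be relied on to block a user who also holds a Role in an allowing group. When reviewing policies, check which Roles overlap on the same user.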

This doc outlines some common scenarios that require Service Tunnel policy (i.e., Tunnel Policy) configurations and lists the steps required for a successful configuration.

Service Tunnel Policy Examples

Tunnel Policies define user access to network locations based on CIDR ranges, ports, and protocols from a Service Tunnel.