Resolving Deny Rule Incompatibilities
In a Permit rule, you can safely mix and match resources and access methods. However, Deny rules containing
specific combinations of resources and access methods may prevent subsequent rules from being evaluated.
This can inadvertently block user access to resources referenced later in your access policy.
During its policy evaluation, the appliance may in some cases be unable to determine whether a Deny rule
matches an incoming connection request. As a security precaution, it stops processing your rule set and blocks
If you attempt to define a Deny rule referencing any of the three combinations described in the following table,
AMC displays this warning message:
“Some of the resources in this rule are not supported by the selected access method(s), which could
inadvertently deny access to some resources.”
The following table lists the three rule combinations that trigger the warning. Each is a Deny rule whose resource type cannot be matched against a request arriving over the listed access methods.
|Rule action|Resource type|Access methods|
|Deny|Windows domain|Connect and OnDemand|
|Deny|Network share|Connect and OnDemand|
|Deny|URL|Network Explorer|
Suppose you create a Deny rule blocking access to a Windows domain and you leave Access methods set to Any.
A Windows domain is accessible from WorkPlace, so when the appliance receives a connection attempt from
WorkPlace, it matches the rule and denies access.
However, if the user makes a connection request from Connect or OnDemand, the appliance is unable to
determine whether the Windows domain rule matches the request (regardless of which destination resource is
requested). The appliance then stops evaluating any further rules in your policy and immediately denies access.
If the Windows domain rule is at the top of your access control rule list, it prevents the user from accessing any
VPN resources. And if the next rule in the list is a Permit rule allowing the user to access a VPN resource, it is not
Resolving the Problem
To resolve rule incompatibilities, modify the rule so it doesn’t reference indeterminate access methods. In the
case of a Windows domain or network share, select Network Explorer as the only access method. For a URL,
select only Web browser or Connect Tunnel and/or OnDemand Mapped Mode.
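The evaluation behaviour described above, as an added example that models it in Python (this is not the appliance's own logic and is constructed for illustration). It encodes the three incompatible Deny combinations from the table, mirrors the AMC warning with a `warn()` check, and runs a first-match `evaluate()` in which an indeterminate Deny rule stops evaluation and denies. The method names "Connect Tunnel" and "OnDemand Mapped Mode" stand in for Connect and OnDemand, the "host" resource type and the name intranet.example.com are assumed, and the fallthrough result when no rule matches is assumed to be an implicit deny.

```python
from dataclasses import dataclass, field

ANY = "Any"
# Access method names used in this model (constructed). The article's "Connect"
# and "OnDemand" are represented by the tunnel/mapped-mode names it uses later.
ALL_METHODS = {"Web browser", "Network Explorer", "Connect Tunnel", "OnDemand Mapped Mode"}

# Deny-rule combinations the appliance cannot decide: resource type -> methods.
# Taken from the three combinations the article's table lists.
INDETERMINATE = {
    "windows_domain": {"Connect Tunnel", "OnDemand Mapped Mode"},
    "network_share": {"Connect Tunnel", "OnDemand Mapped Mode"},
    "url": {"Network Explorer"},
}


@dataclass
class Rule:
    action: str           # "Permit" or "Deny"
    resource: str         # resource name as defined in AMC
    resource_type: str    # "windows_domain", "network_share", "url", or "host" (assumed type)
    methods: set = field(default_factory=lambda: {ANY})


@dataclass
class Request:
    resource: str
    method: str


def effective_methods(rule):
    """Methods a rule applies to; 'Any' expands to every access method."""
    return set(ALL_METHODS) if ANY in rule.methods else set(rule.methods)


def warn(rule):
    """Mirror the AMC warning: methods of a Deny rule its resource type cannot support."""
    if rule.action != "Deny":
        return set()
    return effective_methods(rule) & INDETERMINATE.get(rule.resource_type, set())


def evaluate(rules, req):
    """First-match evaluation; an indeterminate Deny rule stops evaluation and denies."""
    for n, rule in enumerate(rules, start=1):
        if req.method not in effective_methods(rule):
            continue  # rule does not apply to this access method, keep going
        if req.method in warn(rule):
            # The appliance cannot tell whether this Deny rule matches, so it
            # stops processing the rule set and denies, whatever follows.
            return ("Deny", f"rule {n}: cannot determine match for {req.method}; evaluation stopped")
        if rule.resource == req.resource:
            return (rule.action, f"rule {n} matched")
    return ("Deny", "no rule matched (implicit deny, assumed)")


# Constructed rule sets: the broken ordering from the article and the corrected rule.
BROKEN = [
    Rule("Deny", "CORP", "windows_domain"),            # Access methods left at Any
    Rule("Permit", "intranet.example.com", "host"),    # a VPN resource (assumed name)
]
FIXED = [
    Rule("Deny", "CORP", "windows_domain", {"Network Explorer"}),  # only the supported method
    Rule("Permit", "intranet.example.com", "host"),
]

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "warning:", warn(rules[0]) or "none")
        for req in (Request("CORP", "Network Explorer"),
                    Request("intranet.example.com", "Connect Tunnel")):
            print(" ", req, "->", evaluate(rules, req))
```

With the broken rule set, a Connect Tunnel request for intranet.example.com is denied at rule 1 even though rule 2 permits it; once the Deny rule is limited to Network Explorer, the same request skips rule 1 and reaches the Permit rule, while a Network Explorer request for the CORP domain is still denied as intended.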