Background
The Safous ZTA platform enhances policy enforcement by allowing administrators to configure source IP ranges and categorize them as either "denied" or "allowed" conditions for access to resources. This empowers enterprises to set different policies for both onsite and offsite connectivity.
Prerequisites
- This feature is only applicable for IPv4.
- It does not work for Native RDP, Native SSH, Networks, Links, or SaaS types of applications.
- To enable IP source lists, the policy must be enabled, and the appropriate IP source must be connected to the policy.
Creating IP Source
To create policies that allow or deny access based on IP source addresses, first configure the IP lists and then apply them to the relevant policies as described below:
Step 1: In the Admin console, navigate to Settings > ZTNA > Policies > IP Source. Click the New IP Source button in the top-right corner, as shown in the screenshot below.
Step 2: Clicking the New IP Source button opens a new screen. Give the IP list a name that is easy to locate and understand (e.g., 'Disallowed IPs'). Enter the IP addresses in the box provided, separating each address by pressing "Enter," adding a space, or a "." (e.g., 1.1.1.1/32, 3.3.3.3/31, 172.31.0.0/16), as shown in the screenshot below.
If an invalid IP address is entered, the box will display a red border and an error notification will appear, instructing the admin to input a valid IP address.
Step 3: Once the list of IP addresses is completed, click the orange Save button to save the list.
Connecting IP Source Lists to Policies
For an IP source list to take effect, administrators must enable the feature in the policy and select the IP source list created above. Follow these steps:
Step 1: In the Admin Portal, go to the Policy page (Settings > ZTNA > Policies) and select the policy where the IP source must be applied. You can either create a new policy or edit an existing one.
Step 2: On the Policy screen, within the Access Policies section, navigate to the Source IP Address field, as shown in the screenshot below. This is where you enable the IP source feature by connecting the IP source that either allows or denies access based on the selected list.
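The following is an added illustration of the two procedures above (creating a validated IPv4 list, then applying it to a policy as an "allowed" or "denied" condition); it is example code written for this article, not Safous code, and it assumes the list is split on newlines, spaces or commas and that each entry must be a valid IPv4 address or CIDR range, with the same entries used in Step 2.

```python
"""Model of an IP Source list and its use in a policy (added example, not Safous code)."""
import ipaddress
import re


class InvalidIpEntry(ValueError):
    """Raised for an entry that would trigger the red border / error notification."""


def parse_ip_source(text: str) -> list:
    """Split a pasted list into entries and validate each as an IPv4 address or range.

    Assumption: entries are separated by newlines, spaces or commas.
    A bare address such as 1.1.1.1 is treated as a /32.
    """
    networks = []
    for entry in re.split(r"[\s,]+", text.strip()):
        if not entry:
            continue
        try:
            # strict=False accepts 3.3.3.3/31 (host bits set) and normalises it to 3.3.3.2/31
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError as exc:
            raise InvalidIpEntry(f"{entry!r} is not a valid IP address or range") from exc
        if net.version != 4:  # the feature is IPv4-only
            raise InvalidIpEntry(f"{entry!r} is IPv6; only IPv4 is supported")
        networks.append(net)
    return networks


def evaluate_source_ip(client_ip: str, networks: list, condition: str) -> str:
    """Apply the list under an 'allowed' or 'denied' condition to one client address.

    'allowed': only sources inside the list may reach the resource.
    'denied':  sources inside the list are blocked; everything else passes.
    """
    ip = ipaddress.ip_address(client_ip)
    listed = any(ip in net for net in networks)  # an IPv6 client never matches an IPv4 range
    if condition == "denied":
        return "Access Denied" if listed else "Allowed"
    if condition == "allowed":
        return "Allowed" if listed else "Access Denied"
    raise ValueError("condition must be 'allowed' or 'denied'")


if __name__ == "__main__":
    # Constructed input: the sample entries from Step 2 pasted with mixed separators
    disallowed = parse_ip_source("1.1.1.1/32, 3.3.3.3/31\n172.31.0.0/16")
    print([str(n) for n in disallowed])
    print(evaluate_source_ip("172.31.4.20", disallowed, "denied"))  # Access Denied
    print(evaluate_source_ip("8.8.8.8", disallowed, "denied"))      # Allowed
```

Under the "allowed" condition the same list inverts: an address outside 172.31.0.0/16 (or the two host ranges) is refused, which is how an onsite-only policy would be expressed.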
User Experience
When users attempt to access applications that violate the IP source policy, they will see an "Access Denied" screen with instructions to contact their administrator.