The Safous ZTA platform enhances policy enforcement by allowing administrators to configure source IP ranges and categorize them as either "denied" or "allowed" conditions for access to resources. This empowers enterprises to set different policies for both onsite and offsite connectivity.
Prerequisites
-
This feature is only applicable for IPv4.
- It does not work for Native RDP, Native SSH, Networks, Links, or SaaS types of applications.
-
To enable IP source lists, the policy must be enabled, and the appropriate IP source must be connected to the policy.
Creating IP Source
To create policies that allow or deny access based on IP source addresses, first configure the IP lists and then apply them to the relevant policies as described below:
Step 1: In the Admin console, navigate to Settings > ZTNA > Policies > IP Source. Click the New IP Source button in the top-right corner, as shown in the screenshot below.
Step 2: When clicking the New IP Source button, a screen will appear. Select a name for the IP list that is easy to locate and understand (e.g., 'Disallowed IPs'). Enter the IP addresses in the box provided, separating each address by pressing “Enter,” adding a space, or a “.” (e.g., 1.1.1.1/32, 3.3.3.3/31, 172.31.0.0/16), as shown in the screenshot below.
If an invalid IP address is entered, the box will display a red border and an error notification will appear, instructing the admin to input a valid IP address.
Step 3: Once the list of IP addresses is completed, click the orange Save button to save the list.
Applying the IP Source to Policies
In order for the IP source lists to work, Administrators must enable the feature in the policy and select the IP source list created above. Follow these steps:
Step 1: In the Admin Portal, go to the Policy Condition page (Settings > ZTNA > Policies > Conditions) and select the policy where the IP source must be applied. You can either create a new conditions or edit an existing one.
Step 2: On the New Conditions screen, navigate to the Source IP Address field, as shown in the screenshot below. This is where you enable the IP source feature by connecting the IP source that either allows or denies access based on the selected list Then, click Save.
User Experience
When users attempt to access applications that violate the IP source policy, they will see an "Access Denied" screen with instructions to contact their administrator.