Network

On the Network stage page, you can define network rules that apply block, allow, or continue actions to any network traffic that is forwarded to the service, on all ports and protocols. The actions are applied based on source, destination, or specific traffic signatures defined for the network services.

Network rules are checked in priority order: the first rule in the list is checked first. The first matching rule is applied, and no further rules are processed.

You can create rules that define source, destination, and network service settings, and apply a default block or allow action for traffic that matches the rule.

A network rule consists of the following elements:
  • Rule: Defines rule name and description.
  • Source: Defines where traffic must originate for the rule to apply. Source can include one or more sites, or source IP address lists. By default, the rule applies to traffic from any source to which the policy applies.
  • Users: Defines the users (or user groups) from which the request must originate to match this rule. Rules can be applied to All Users in order to match any user whose identity is known. Users can be identified by the Web Security Gateway or via SAML-based authentication.
  • Destination: Defines the destination addresses to which traffic must be directed for the rule to apply. Destinations can include one or more destination IP address lists, or domain name lists. By default, the rule applies to traffic to any destination.
  • Network Service: Defines the traffic signatures (network services) that the traffic must match for the rule to apply. By default, the rule applies to any network service.
  • Action: The action applied to the matching traffic. The actions are:
    • Block: Blocks matching traffic by terminating the session. No further policy processing is performed.
    • Allow and Bypass: Allows traffic and bypasses further inspection. Traffic is not decrypted, and no further policy processing stages are applied.
    • Continue Inspection: Allows matching traffic, and applies all further policy processing stages, which can subsequently block or allow the traffic.
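To make the first-match ordering and the rule elements above concrete, the following Python model of the evaluation is added here as an illustration; it is not the product's own code or API. The Flow and Rule classes, the rule set and the sample flows are constructed; suffix matching for domain name lists and representing a network service as a (protocol, port) pair are assumptions, and the model returns no decision for unmatched traffic because the page does not state a default.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# The three actions named on the page.
BLOCK = "block"
ALLOW_AND_BYPASS = "allow_and_bypass"
CONTINUE_INSPECTION = "continue_inspection"

# Sentinel for "match any user whose identity is known" (the page's "All Users").
ALL_USERS = "ALL_USERS"


@dataclass
class Flow:
    """One forwarded connection as seen by the Network stage (constructed model)."""
    src_ip: str
    dst_ip: str
    proto: str          # "tcp" or "udp"
    dst_port: int
    dst_domain: Optional[str] = None   # None when no domain name is known for the flow
    user: Optional[str] = None         # None when the user's identity is unknown


@dataclass
class Rule:
    """A network rule; an empty criterion means 'any' (the page's defaults)."""
    name: str
    action: str
    sources: list = field(default_factory=list)       # source IP lists as CIDR strings
    users: Optional[set] = None                        # None = any user, known or not
    destinations: list = field(default_factory=list)  # destination IP lists as CIDRs
    domains: list = field(default_factory=list)       # domain name list (suffix match assumed)
    services: list = field(default_factory=list)      # network services as (proto, port), assumed

    def matches(self, flow: Flow) -> bool:
        if self.sources and not any(
            ip_address(flow.src_ip) in ip_network(cidr) for cidr in self.sources
        ):
            return False
        if self.users is not None:
            # A user criterion can only match traffic whose user identity is known.
            if flow.user is None:
                return False
            if ALL_USERS not in self.users and flow.user not in self.users:
                return False
        if self.destinations or self.domains:
            ip_hit = any(
                ip_address(flow.dst_ip) in ip_network(cidr) for cidr in self.destinations
            )
            domain_hit = flow.dst_domain is not None and any(
                flow.dst_domain == d or flow.dst_domain.endswith("." + d)
                for d in self.domains
            )
            if not (ip_hit or domain_hit):
                return False
        if self.services and (flow.proto, flow.dst_port) not in self.services:
            return False
        return True


def evaluate(rules, flow):
    """First-match evaluation: the first rule in list order that matches decides.

    Returns (rule_name, action), or None when no rule matches. The page does not
    state what happens to unmatched traffic, so no default is assumed here.
    """
    for rule in rules:
        if rule.matches(flow):
            return rule.name, rule.action
    return None


# Constructed rule set. Rule 3 would also match the SMTP flow below,
# but rule 1 sits earlier in the list and therefore wins.
RULES = [
    Rule("block-smtp-egress", BLOCK, services=[("tcp", 25)]),
    Rule("bypass-voip-provider", ALLOW_AND_BYPASS,
         sources=["10.0.0.0/8"], destinations=["203.0.113.0/24"]),
    Rule("inspect-known-users", CONTINUE_INSPECTION, users={ALL_USERS}),
    Rule("block-unidentified", BLOCK),
]

# Constructed sample flows using documentation address ranges (no real hosts).
SAMPLE_FLOWS = {
    "smtp": Flow("10.1.1.5", "198.51.100.9", "tcp", 25, user="alice"),
    "voip": Flow("10.1.1.5", "203.0.113.7", "udp", 5060),
    "https_known_user": Flow("10.1.1.5", "198.51.100.9", "tcp", 443,
                             dst_domain="www.example.com", user="bob"),
    "https_unknown_user": Flow("192.168.1.3", "198.51.100.9", "tcp", 443),
}

if __name__ == "__main__":
    for label, flow in SAMPLE_FLOWS.items():
        print(f"{label:20s} -> {evaluate(RULES, flow)}")
```

Running the model shows why rule order is a security setting in its own right: moving the All Users rule above the SMTP block changes the SMTP decision from Block to Continue Inspection, and a rule set without a final catch-all leaves unidentified traffic with no Network stage decision at all, so review the list top to bottom after every change.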