Access control rules

Private application access control rules identify and authenticate the users that are permitted to access your private applications, and filter incoming traffic based on its source IP address. Traffic decryption can be enabled in order to inspect traffic for potential threat signatures using threat inspection rules.

Access control rules are applied to all incoming requests for your internal resources from remote users in your account. Traffic that is routed through the Private Access service edge for policy enforcement is checked against your policy rules for a match.

Policy rules are checked in the order they appear in the Application control table. The first rule found that matches a request is applied, and no further rules are checked.

Note: For private applications using self-signed certificates, Private Access automatically trusts the certificate. Strict certificate validation is not enforced for self-signed certificates.

Default private application rule

The final rule in the list is the default rule: Block access to all other applications. If a request does not match a rule, the traffic is blocked.

Access control rules

Access control rules consist of the following settings:

Table 1. Access control rule settings

Priority (#)
  Description/options: The processing priority for the rule. Use the Drag to move handle to change the priority order of the rule in the list. Rules are checked in order from the first in the list (priority 1) to the last. The first match found is applied.
  Default setting: N/A

Rule
  Description/options: A name and optional description for the rule. Tip: The rule name is used in the traffic log to identify the policy rule that was applied to matching traffic. Use a naming convention that is easy to identify in logs.
  Default setting: A default rule ID is generated for new rules. Edit this rule name to give it a meaningful value.

Users
  Description/options: The users and user groups that are permitted to access the applications assigned to this rule.
  Default setting: All users: the rule applies to all identified users provisioned to your account.

SAML authentication
  Description/options: Enable this setting if SAML authentication is required for access to the applications assigned to this rule:
  • When this option is not selected, endpoint identification is sufficient to authorize remote access to your applications.
  • When this option is selected, users must be authenticated using SAML-based single sign-on in order to access your applications.
  Note: SAML authentication is required in order to identify Mac OS endpoint users.
  Default setting: None: SAML authentication is not required.

Application
  Description/options: The private applications to which this access rule applies. Click New to define a new application.
  Default setting: N/A

Source
  Description/options: The source IP addresses that are permitted to access the private applications assigned to this rule. Click the field or begin typing to select a source IP address list or country IP address range. Click New to define a new source IP address list.
  Default setting: ANY: traffic is allowed from any source IP address.

Action
  Description/options: The action and TLS inspection setting that is applied to traffic that matches this rule.
  Action:
  • Continue inspection: allows matching traffic and applies threat inspection processing, which can subsequently block or allow the traffic.
  • Allow and bypass: allows traffic and bypasses threat inspection processing. Traffic is not decrypted.
  • Block: blocks matching traffic by terminating the session. No further processing is performed.
  TLS inspection:
  • Decrypt: encrypted traffic is decrypted for inspection.
  • Do not decrypt: traffic is not decrypted.
  Note: Decryption is required in order to apply threat inspection. In order to use TLS decryption, you must deploy the Forcepoint root certificate to all client machines for which traffic will be decrypted.
  Default setting: Action: Continue inspection; TLS inspection: Do not decrypt
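The following is an added illustration, not Forcepoint code, of the first-match evaluation described above: rules are checked in priority order, the first rule whose application, user and source settings match is applied, and the trailing default rule blocks everything else. The rule fields, the "saml-login-required" outcome for a SAML-required rule hit by an unauthenticated user, and the sample values are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed model of an access control rule; field names are assumptions.
@dataclass
class Rule:
    name: str
    applications: Tuple[str, ...]            # () matches every application
    users: Optional[Tuple[str, ...]] = None  # None means "All users"
    sources: Tuple[str, ...] = ()            # CIDR strings; () means "ANY"
    require_saml: bool = False               # SAML authentication setting
    action: str = "Continue inspection"      # or "Allow and bypass" / "Block"
    decrypt: bool = False                    # TLS inspection: Decrypt?

@dataclass
class Request:
    user: str
    application: str
    source_ip: str
    saml_authenticated: bool = False

# The final rule in the list: block whatever no earlier rule matched.
DEFAULT_RULE = Rule("Block access to all other applications", (), action="Block")

def matches(rule: Rule, req: Request) -> bool:
    """True when the request satisfies the rule's Application/Users/Source settings."""
    if rule.applications and req.application not in rule.applications:
        return False
    if rule.users is not None and req.user not in rule.users:
        return False
    if rule.sources and not any(ip_address(req.source_ip) in ip_network(c)
                                for c in rule.sources):
        return False
    return True

def evaluate(rules, req: Request) -> Tuple[str, str]:
    """Return (rule name, outcome) for the first rule that matches; later rules are ignored."""
    for rule in list(rules) + [DEFAULT_RULE]:
        if not matches(rule, req):
            continue  # no match: check the next rule in priority order
        if rule.action == "Block":
            return rule.name, "blocked"
        if rule.require_saml and not req.saml_authenticated:
            return rule.name, "saml-login-required"  # assumed outcome, see lead-in
        if rule.action == "Allow and bypass":
            return rule.name, "allowed-no-inspection"
        # Continue inspection: threat inspection only sees content that was decrypted
        return rule.name, "inspected" if rule.decrypt else "allowed-encrypted-not-inspected"
    raise AssertionError("unreachable: the default rule matches every request")
```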