Policy Builder for User groups
Use Policy Builder to build Xaccess policies (Access policies for remote users) for the User groups in your Xaccess private network. Xaccess policies are identity/user-specific Xshield Access policies that enable Zero Trust network access for users to on-premises applications, cloud applications (hosted on Azure and AWS), infrastructure services, and Internet domains.
Policy Builder can help you build Xaccess policies at the level of the Xshield Endpoint groups. An Endpoint group is a collection of Xshield-managed endpoint assets (user assets) that share common access requirements.
Policy recommendations for User groups
For User groups, outbound Policy recommendations (in Policy Builder) are aggregated as follows:
- Group-level: Policy recommendations for outbound traffic from a User group to the Workload groups, Network groups, and Domain groups.
- Service-level: aggregation of a recommendation with the following details for each service - Protocol, Port, Data throughput, Connections count, and Access parameters used.
For recommendations to Domain groups, the service-level aggregation includes the following additional details - Category of the domain, and the Threat reputation and Location of the domain (as per Xshield's Threat Intelligence service).
Policy recommendations vary by the status of the User group in Xshield:
- For a new User group, Policy recommendations equate to the Observed traffic to other groups.
- For a User group that is being observed and already has some Access policies assigned (Workload group = Observed), Policy recommendations equate to the Unauthorized traffic to other groups.
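The aggregation described above, as an added example (not Xshield's own code or data model): observed flows from a User group are rolled up first by destination group and then by service (protocol and port), keeping throughput, connection count and the access parameters seen. For a new group every observed flow becomes a recommendation; for a group that already has Access policies, only flows that no assigned policy covers (the Unauthorized traffic) are recommended. The flow records, group names, the `access_params` field and the threat-intelligence lookup for Domain groups are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Flow:
    """One observed connection from a User group (constructed, hypothetical schema)."""
    src_group: str      # User group (Endpoint group) the traffic came from
    dst_group: str      # Workload, Network or Domain group that was reached
    dst_kind: str       # "workload" | "network" | "domain"
    protocol: str
    port: int
    bytes_total: int
    access_params: str  # access parameter used for the connection (assumed field)

@dataclass
class ServiceRecommendation:
    protocol: str
    port: int
    throughput_bytes: int = 0
    connections: int = 0
    access_params: set = field(default_factory=set)
    domain_info: Optional[dict] = None  # extra threat-intel details, Domain groups only

@dataclass
class GroupRecommendation:
    dst_group: str
    dst_kind: str
    services: dict = field(default_factory=dict)  # (protocol, port) -> ServiceRecommendation

def is_authorized(flow, policies):
    """A flow is authorized when an assigned policy allows that source/destination/service."""
    return (flow.src_group, flow.dst_group, flow.protocol, flow.port) in policies

def build_recommendations(user_group, flows, group_status, policies=frozenset(), domain_intel=None):
    """Aggregate flows into group-level, then service-level, recommendations.

    group_status "new": recommend all Observed traffic.
    group_status "observed": recommend only traffic not covered by an assigned policy.
    """
    domain_intel = domain_intel or {}
    recs = {}
    for f in flows:
        if f.src_group != user_group:
            continue
        if group_status == "observed" and is_authorized(f, policies):
            continue  # already authorized by an assigned policy; nothing to recommend
        g = recs.setdefault(f.dst_group, GroupRecommendation(f.dst_group, f.dst_kind))
        s = g.services.setdefault((f.protocol, f.port), ServiceRecommendation(f.protocol, f.port))
        s.throughput_bytes += f.bytes_total
        s.connections += 1
        s.access_params.add(f.access_params)
        if f.dst_kind == "domain":
            # Category / reputation / location come from a threat-intel lookup (assumed source)
            s.domain_info = domain_intel.get(f.dst_group)
    return recs

# Constructed sample flows and policies (hypothetical group names)
FLOWS = [
    Flow("Finance-Users", "ERP-App", "workload", "TCP", 443, 10_000, "MFA"),
    Flow("Finance-Users", "ERP-App", "workload", "TCP", 443, 5_000, "MFA"),
    Flow("Finance-Users", "ERP-App", "workload", "TCP", 8443, 1_000, "MFA"),
    Flow("Finance-Users", "Corp-DNS", "network", "UDP", 53, 200, "none"),
    Flow("Finance-Users", "SaaS-Payroll", "domain", "TCP", 443, 30_000, "MFA"),
    Flow("Eng-Users", "Git-Server", "workload", "TCP", 22, 900, "MFA"),
]
DOMAIN_INTEL = {"SaaS-Payroll": {"category": "Business", "reputation": "Good", "location": "US"}}
POLICIES = frozenset({("Finance-Users", "ERP-App", "TCP", 443)})  # one policy already assigned

def new_group_recs():
    return build_recommendations("Finance-Users", FLOWS, "new", domain_intel=DOMAIN_INTEL)

def observed_group_recs():
    return build_recommendations("Finance-Users", FLOWS, "observed", POLICIES, DOMAIN_INTEL)

if __name__ == "__main__":
    for status, recs in (("new", new_group_recs()), ("observed", observed_group_recs())):
        print(f"--- {status} group ---")
        for g in recs.values():
            for (proto, port), s in g.services.items():
                print(g.dst_group, proto, port, s.throughput_bytes, s.connections, sorted(s.access_params), s.domain_info)
```

Running the block prints both views: the new group gets three destination groups with all four services, while the observed group loses the ERP-App TCP/443 service because the assigned policy already authorizes it.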
Prerequisites
Do the following before you start building Xaccess policies for user assets:
- Onboard user assets (endpoint assets) to the instance - install/deploy Xshield agents (Type = User Access) on the user assets and use one of the three onboarding modes to register them with the instance.
- Group the endpoints by the access requirements of their users - group the endpoints into Endpoint groups by the User groups and User departments of the users who use them.
- Group workloads by applications or other Xshield tags - group the managed workloads into Workload groups by Application, Role, and/or Environment, and so on.
To build Xaccess policies to infrastructure services and Internet domains, you must also do the following:
- Group infrastructure services - group the network subnets that endpoints use for infrastructure services into Network groups. Network groups define the private or public corporate infrastructure services that are not managed from Xshield.
- Group Internet domains - group the domains that users visit into Domain groups.
Assign Xaccess policies
Xaccess policies are assigned between the relevant Xshield groups. So, ensure that you know the names of the Xshield groups involved in the policies.
Accept Policy recommendations
Accept the Policy recommendations related to the Xshield-protected applications and the necessary infrastructure services and Internet domains. Existing Xaccess policies on the CT Brokers are recomputed to factor in the accepted recommendations.
1. Go to Xaccess > Policy Builder.
2. Select a User group in the Search box.
3. Select Tabular.
4. Click View and Edit Policies.
   You will see the Observed traffic (Authorized traffic between the Endpoint group and other groups) in the selected view.
5. To build application-access Xaccess policies:
   a. Click the Workloads tab, then select and accept a Policy recommendation at the level of a Workload group or of the Services listed in the recommendation.
   b. (Optional) Repeat step 5a for all applications that the User group must access.
6. (Optional) To build Xaccess policies to infrastructure services and Internet domains:
   a. Click the Network & Domain Groups tab, then select and accept a Policy recommendation at the level of the group or of the Services listed in the recommendation.
   b. (Optional) Repeat step 6a for all Network groups and Domain groups that the User group must access.
Ignore Policy recommendations
Ignore Policy recommendations to applications, services, and domains that the Endpoint group must not access, either temporarily or permanently. Doing this reduces recommendation clutter, so you see the essential recommendations sooner in Policy Builder.
1. Click the Workloads or Networks & Domains tab, select a Policy recommendation, and click Ignore.
2. Select the period to ignore:
   - Until Recurrence - the recommendation is hidden until user access to the same group using the same services is seen again.
   - Forever - Policy recommendations to the same group and services are never shown again for the instance, until you choose to show them again.
To see the ignored Policy recommendations, click Show Ignored Recommendations. You can accept the ignored recommendations.
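The two ignore periods, as an added example (not Xshield's own implementation): a recommendation is keyed by destination group and service, an "Until Recurrence" ignore hides it only while no access newer than the ignore has been observed, a "Forever" ignore hides it until the operator deactivates the ignore, and a show-ignored toggle reveals everything. The record layout, timestamps and group names are constructed assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Recommendation:
    dst_group: str
    protocol: str
    port: int
    last_seen: int  # constructed epoch-seconds time the access was last observed

@dataclass(frozen=True)
class Ignore:
    dst_group: str
    protocol: str
    port: int
    mode: str           # "until_recurrence" | "forever"
    ignored_at: int     # constructed epoch-seconds time the ignore was set
    active: bool = True # False once the operator chooses to see the recommendation again

def service_key(item):
    """Recommendations and ignores match on the same group + service tuple."""
    return (item.dst_group, item.protocol, item.port)

def is_hidden(rec, ignores):
    for ig in ignores:
        if not ig.active or service_key(ig) != service_key(rec):
            continue
        if ig.mode == "forever":
            return True
        if ig.mode == "until_recurrence" and rec.last_seen <= ig.ignored_at:
            return True  # no access seen since the ignore was set, so it stays hidden
    return False

def visible_recommendations(recs, ignores, show_ignored=False):
    """Recommendations Policy Builder would list; show_ignored mirrors the toggle."""
    if show_ignored:
        return list(recs)
    return [r for r in recs if not is_hidden(r, ignores)]

def record_access(recs, dst_group, protocol, port, seen_at):
    """Update last_seen when the same group/service traffic recurs."""
    return [replace(r, last_seen=seen_at) if service_key(r) == (dst_group, protocol, port) else r
            for r in recs]

# Constructed sample state (hypothetical group names)
RECS = [
    Recommendation("ERP-App", "TCP", 443, last_seen=100),
    Recommendation("Corp-DNS", "UDP", 53, last_seen=100),
    Recommendation("Ad-Network", "TCP", 443, last_seen=100),
]
IGNORES = [
    Ignore("Corp-DNS", "UDP", 53, "until_recurrence", ignored_at=200),
    Ignore("Ad-Network", "TCP", 443, "forever", ignored_at=200),
]

def visible_now():
    return [r.dst_group for r in visible_recommendations(RECS, IGNORES)]

def visible_after_recurrence():
    # New DNS access at t=250 (after the ignore) makes the recommendation reappear
    later = record_access(RECS, "Corp-DNS", "UDP", 53, seen_at=250)
    return [r.dst_group for r in visible_recommendations(later, IGNORES)]

def visible_with_show_ignored():
    return [r.dst_group for r in visible_recommendations(RECS, IGNORES, show_ignored=True)]

if __name__ == "__main__":
    print("now:", visible_now())
    print("after recurrence:", visible_after_recurrence())
    print("show ignored:", visible_with_show_ignored())
```

Only "Until Recurrence" depends on the observed-traffic timestamp; a "Forever" ignore can be reverted only by deactivating the ignore record, which is the "until you choose to see them again" case.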
Assign custom Xaccess policies
Create and assign custom Access policies for anticipated access requirements for which traffic/recommendations have not yet been seen in Policy Builder. You can create and assign custom Xaccess policies in one of the following ways:
- From the Policy Builder Tabular view or Visual view - click Create Policy and assign the custom policies.
- From the Access Policies page - click Create Access Policy and assign the custom policies.
Xaccess policies enforcement
- For Xaccess policies to Observed Workload groups, the Xaccess policies are enforced only when the Workload groups are moved to the Enforce mode.
- For Xaccess policies from Endpoint groups, the access is controlled by the relevant policies from the CT Brokers for the Xaccess private network.
- For Xaccess policies to Network groups and Domain groups, the access is controlled by the relevant policies from the CT Brokers for the Xaccess private network.
Tune Xaccess policies
After you initially enforce Xaccess policies for Zero Trust network access, you must regularly check the Policy recommendations and tune the Xaccess policies. This is needed to ensure that users can access all the required applications and Internet domains.
Do the following to tune Xaccess policies:
- Check the new Policy recommendations for the Workload groups and accept those that allow access to specific Endpoint groups.
- Check the new Policy recommendations for the Network groups and Domain groups and accept those that allow access to specific Endpoint groups.
- Check the Policy recommendations for an Endpoint group and accept those that allow access to the related Workload groups.
The new Xaccess policies you assign while tuning are automatically enforced for the User groups.