Configuring the Private Access Policy

Note: Please contact feature-releases@catonetworks.com for more information about enabling and using this feature.

Overview

The Private Access Policy defines which users and groups can access published Private Applications. You enforce least-privilege access by allowing only the specific applications that users need. It lets you define application-specific access based on identity and additional conditions, without granting network-level access to the private environment.

Use Device Posture conditions to strengthen ZTNA access to private applications. This lets you grant access only when a user connects from a trusted device that meets your organization’s security requirements, using the same Device Profiles defined across your account.

For more information, see Configuring Cato Private Access.

Policy Structure

The Private Access Policy is an ordered rulebase. Rules are evaluated from top to bottom, and the first matching rule determines whether access is allowed or blocked.

Like other CMA policies, it supports policy revisions for change tracking and rollback, and multi-admin workflows so teams can collaborate on updates. For more information, see Working with Policy Revisions.

Each rule is built from three core components:

  • Users / Groups: Who the rule applies to. Identities are synced from your IdP

  • Criteria: Conditions that must match to apply the rule action (for example, Device Posture requirements)

  • Private Apps: The published Private Applications for the rule

If no rule matches, access is blocked.

Private Access Policy Rules

Create rules for multiple users or user groups to allow access to one or more private applications.

Private Access Policy rules automatically generate events when the rule is matched. The Hit Count for a rule is based on the number of events generated by the rule.


Private Access Policy Criteria Fields

These are details of the fields that you can use to apply continuous device posture requirements to the application access. If you define multiple criteria for a rule, there is an AND relationship between them.

These are different settings that you can use to restrict user access to the applications:

  • User Attributes: User risk signals, for example, allow access only when the user risk level is Low.

  • Origin of the connection: How the user connects, for example, allow access only when users are connecting via the Client.

  • Platforms: Specify operating systems that can connect, for example, allowing access only from Windows devices.

  • Device Posture Profiles: Set device check requirements, for example, require a posture profile that verifies that anti-virus is up to date.

  • Countries: Restrict access by source country based on IP geo-location. For example, allow access only from the United Kingdom and the United States.
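To make the behavior described in Policy Structure and in the criteria list above concrete, here is an added Python model (not Cato's code, data model or API) of how such a rulebase resolves a request: the first matching rule wins, every criterion configured on a rule must hold (AND), and a request that matches no rule is blocked. The rule fields, the sample policy and the connection contexts are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed rule model for illustration; not Cato's data model or API.
@dataclass
class Rule:
    name: str
    users_groups: set       # who the rule applies to (user or group names)
    private_apps: set       # published Private Applications covered by the rule
    action: str             # "Allow" or "Block"
    # Criteria: an empty set means "any"; every configured criterion must match (AND)
    user_risk: set = field(default_factory=set)         # e.g. {"Low"}
    origin: set = field(default_factory=set)            # e.g. {"Client"}
    platforms: set = field(default_factory=set)         # e.g. {"Windows"}
    posture_profiles: set = field(default_factory=set)  # profiles the device must pass
    countries: set = field(default_factory=set)         # e.g. {"GB", "US"}

def criteria_match(rule, ctx):
    """AND relationship between criteria: one failed criterion means no match."""
    for required, actual in ((rule.user_risk, ctx["user_risk"]), (rule.origin, ctx["origin"]),
                             (rule.platforms, ctx["platform"]), (rule.countries, ctx["country"])):
        if required and actual not in required:
            return False
    # Device Posture Profiles: the device must currently satisfy every required profile
    return rule.posture_profiles <= ctx["satisfied_profiles"]

def evaluate(policy, ctx):
    """Ordered rulebase: first matching rule wins; no match means access is blocked."""
    identities = {ctx["user"]} | ctx["groups"]
    for rule in policy:
        if (rule.users_groups & identities and ctx["app"] in rule.private_apps
                and criteria_match(rule, ctx)):
            return rule.action, rule.name
    return "Block", "implicit-deny"

# Constructed sample policy. Rule order matters: the Block rule for high-risk users
# sits first so it is evaluated before any Allow rule for the same apps.
POLICY = [
    Rule("Block high-risk users", {"All Users"}, {"HR Portal", "Git"}, "Block", user_risk={"High"}),
    Rule("HR from managed Windows", {"HR"}, {"HR Portal"}, "Allow", origin={"Client"},
         platforms={"Windows"}, posture_profiles={"AV up to date"}, countries={"GB", "US"}),
    Rule("Developers to Git", {"Developers"}, {"Git"}, "Allow", posture_profiles={"AV up to date"}),
]

def decide(user, groups, app, **overrides):
    # Constructed connection context; keyword overrides vary one signal at a time.
    ctx = dict(user=user, groups=set(groups) | {"All Users"}, app=app, user_risk="Low",
               origin="Client", platform="Windows", country="GB",
               satisfied_profiles={"AV up to date"})
    ctx.update(overrides)
    return evaluate(POLICY, ctx)
```

Changing one signal at a time (platform, risk level, a failed posture profile) shows which rule, if any, a request falls through to, which is the same reasoning you apply when ordering rules in the CMA rulebase.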


Create a Private Access Policy Rule

Use a rule to define the users or groups that can access specific private apps, optionally apply criteria such as device posture, and Allow or Block the traffic.

The Time options define the time range that the rule is enabled. You can configure custom options for a rule, or choose the default working hours that are defined for the account.

To make it easier to work with the policy, you can use sections in the policy to group rules, see Adding Sections to the WAN and Internet Firewalls.

To create a Private Access Policy rule:

  1. From the navigation menu, select Access > Private Access > Private Access Policy.

  2. Click New > New Rule. The New Rule panel opens.

  3. In General, enter a Name and (optional) Description.

  4. In Users / Groups, select the users and user groups that the rule applies to.

  5. In Criteria, configure the device posture conditions for the rule.

    • User Attributes - Risk level of the user identity

    • Origin of the connection - Restrict access to sites or Clients

    • Platforms - Device operating system

      Best Practice: For improved security and monitoring, specify the device platforms that are actually used by the users connecting to the application.

    • Device Posture Profiles - Select profiles to apply Device Checks

    • Countries - Restrict the rule to specific countries where the user is located

  6. Select the Private Apps for the rule.

  7. (Optional) Configure the Time options that define when this rule is enabled.

  8. In Actions, configure the rule behavior:

    1. Action: Set the rule to Allow or Block traffic.

    2. Track: Configure optional tracking options to Send Notification. The frequency starts counting after the first notification is sent.

      For more information about notifications, see the relevant articles for Subscription Groups, Mailing Lists, and Alert Integrations.

  9. Click Save and then Publish.
