ACL parameters
The ACL is an ordered list of rules that defines what happens when a CylanceGATEWAY user attempts to access a destination on the Internet or your private network. Each rule includes several parameters that specify the destinations, users, and other factors that the rule can match, and the action to take when the rule matches. If a network access attempt does not match any ACL rule, access is blocked.

When you add or edit ACL rules, the updates are added to a list of draft rules until you commit them. Each administrator has their own draft rule list. If an administrator commits a rule update, all other administrators with a draft rule list are notified to delete or update their draft rule list before continuing.
Each rule can include the following parameters:
Item | Description |
---|---|
General information | |
Name | This is a name for the rule. |
Description | This is a brief description of the purpose of the rule. |
Enabled | This setting specifies that the rule is part of the ACL. You can turn off this option to disable the rule without deleting it. |
Action | |
Action | This setting specifies whether to allow or block access if the attempt matches the rule. If the attempt is allowed to continue, it may be evaluated again during the next phases of the attempt. |
Check addresses against network protection | If the rule Action allows access, this setting specifies whether CylanceGATEWAY still blocks the connection if it detects a potential network threat. You should keep this option selected unless specified users need to connect to potentially malicious destinations. |
Display a blocked notification message on devices | If the rule Action blocks access, this setting specifies a notification message that displays on the device when an access attempt is blocked. |
Traffic Privacy | This setting specifies whether the network access attempts are displayed in the Network Events screen (CylanceGATEWAY > Events). You may want to enable Traffic Privacy for liability or privacy reasons. When this setting is enabled, network access attempts are not displayed in the Network Events screen. If your environment sends events to a SIEM solution or syslog server and the connection attempt matches a rule with Traffic Privacy enabled, the events are not sent to the SIEM solution or syslog server. |
Content logging | This setting specifies whether the Network Events > Events Details page should include originally plain-text, unencrypted HTTP connection data. HTTP flows are not decrypted. When this setting is enabled, a summary of the request and response details of an event is included in the Events Details page. You can view all of the HTTP transactions within an event. The Events Details page includes the first three HTTP events of the total number of events. You can view all the events and the details that are associated with each one. If you create a rule that includes both Traffic Privacy and Content logging, Traffic Privacy takes precedence. |
Ignore port | This setting specifies whether the destination port of the access attempt is evaluated or ignored as part of this rule. |
Destinations | |
Target | Targets can be defined by a network service, a set of addresses, a set of addresses with defined protocols and ports, or only defined protocols and ports. You can select one of the following options: |
Network services | You can select one or more network services. |
Address | This setting specifies the IP addresses, FQDNs, or wildcard domains for the destination address. IP addresses can be in IPv4 or IPv6 format and can be represented by a single IP, an IP range, or CIDR notation. For example, the following address formats are supported: In some cases, for example when you target an FQDN destination that is behind a content delivery network (CDN) or a website with a frequently changing IP address, if you add a rule to allow connections to the FQDN and add a second rule that blocks connections to IP addresses that resolve to the same destination, the connection might be blocked. Consider the scenario where your environment includes the following two rules: BlackBerry recommends that you add both the destination's FQDN and its IP addresses to rule 1 to allow access. |
Protocol | This setting specifies whether the rule matches connection attempts using TCP, UDP, or both. If you do not select an option, the default is both TCP and UDP on all ports. |
Port | This setting specifies the ports used for the destination. You can specify a single port or a range. |
Category | A category defines the type of content available on a site. CylanceGATEWAY makes a best effort based on available information to determine the category of destination sites. You can select one of the following options: For more information on the available categories that can be specified, see Destination content categories. |
Conditions | |
User properties | This setting specifies users, user groups, or operating systems to include in the rule. You can specify any number of users, user groups, and operating systems, or a combination of each. When you click the User properties drop-down, select the user property that you want to specify the condition for. You can select one of the following options: When you begin typing a name or user group, a list of matching user names is displayed. When you specify the operating system, you must select it from the list. You can select from the following OS options: You can add rows to specify any number of users, groups, and operating systems. |
Risk | This setting specifies the acceptable risk level of the device as it is configured in the Risk Assessment policy. For information on creating a risk assessment policy, see Create a risk assessment policy. |
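The following Python model is an added illustration of how the parameters above combine during evaluation; it is not CylanceGATEWAY code and does not claim to reproduce the product's internals. It walks the ordered rule list and treats the first matching rule as decisive, applies the default block when nothing matches, enforces the "both TCP and UDP on all ports" default, honours Ignore port, matches single IPs, IP ranges, CIDR blocks, FQDNs and wildcard domains, and models "Check addresses against network protection" as a threat-lookup callback. It also reproduces the CDN scenario from the Address row under one labelled assumption: a connection made to a bare IP carries no hostname, so an FQDN-only allow rule cannot match it and a later IP block rule does. The rule names, addresses and users are constructed sample data.

```python
"""Toy model of ordered ACL evaluation for a CylanceGATEWAY-style rule list.

Added illustration, not product code. Assumptions not stated on the page:
first matching rule decides; a connection made to a bare IP carries no
hostname, so FQDN/wildcard entries cannot match it; network protection is
modelled as a caller-supplied threat lookup.
"""
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Callable, Optional


@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "block"
    enabled: bool = True
    addresses: list = field(default_factory=list)  # IPs, ranges, CIDRs, FQDNs, *.wildcards; empty = any
    protocols: set = field(default_factory=lambda: {"tcp", "udp"})  # page: default is both
    ports: list = field(default_factory=list)      # "443" or "8000-8100"; empty = all ports
    ignore_port: bool = False
    users: set = field(default_factory=set)        # empty = any user
    check_network_protection: bool = True
    traffic_privacy: bool = False
    content_logging: bool = False


@dataclass
class Attempt:
    user: str
    ip: str
    port: int
    protocol: str
    hostname: Optional[str] = None  # None when the client connected by bare IP (assumption)


def _parse_ip_entry(pattern: str):
    """Return (low, high) addresses if pattern is an IP, an IP range or a CIDR, else None."""
    try:
        if "/" in pattern:
            net = ipaddress.ip_network(pattern, strict=False)
            return net[0], net[-1]
        if "-" in pattern:
            lo, hi = pattern.split("-", 1)
            return ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())
        addr = ipaddress.ip_address(pattern)
        return addr, addr
    except ValueError:
        return None  # not an IP form; treat as a hostname pattern


def address_matches(pattern: str, attempt: Attempt) -> bool:
    """Match one Address entry against the attempt's destination."""
    rng = _parse_ip_entry(pattern)
    if rng is not None:
        lo, hi = rng
        ip = ipaddress.ip_address(attempt.ip)
        return lo.version == ip.version and lo <= ip <= hi
    if attempt.hostname is None:  # bare-IP connection: FQDN/wildcard entries cannot match
        return False
    return fnmatch(attempt.hostname.lower(), pattern.lower())  # exact FQDN or *.example.com


def port_matches(rule: Rule, port: int) -> bool:
    """Ignore port, or no configured ports, means any destination port matches."""
    if rule.ignore_port or not rule.ports:
        return True
    for entry in rule.ports:
        lo, _, hi = entry.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def rule_matches(rule: Rule, attempt: Attempt) -> bool:
    """All configured conditions of a rule must hold for it to match."""
    if not rule.enabled:
        return False
    if rule.users and attempt.user not in rule.users:
        return False
    if attempt.protocol.lower() not in rule.protocols:
        return False
    if not port_matches(rule, attempt.port):
        return False
    if rule.addresses and not any(address_matches(p, attempt) for p in rule.addresses):
        return False
    return True


def evaluate(acl, attempt: Attempt, threat_lookup: Callable[[str], bool] = lambda ip: False):
    """Walk the ordered ACL; first match decides, no match is blocked (page: default deny)."""
    for rule in acl:
        if rule_matches(rule, attempt):
            if rule.action == "allow" and rule.check_network_protection and threat_lookup(attempt.ip):
                return "block", f"{rule.name} (network protection)"
            return rule.action, rule.name
    return "block", "implicit deny"


def event_visibility(rule: Rule) -> dict:
    """Traffic Privacy hides the event from the console and SIEM/syslog and overrides Content logging."""
    if rule.traffic_privacy:
        return {"shown_in_events": False, "sent_to_siem": False, "content_logged": False}
    return {"shown_in_events": True, "sent_to_siem": True, "content_logged": rule.content_logging}


# Constructed sample ACL reproducing the CDN scenario: rule 1 allows the FQDN only,
# rule 2 blocks the CDN address range that the FQDN resolves into.
ACL = [
    Rule("Allow portal", "allow", addresses=["portal.example.com"], users={"alice"}),
    Rule("Block CDN range", "block", addresses=["203.0.113.0/24"]),
    Rule("Allow web", "allow", addresses=["*.example.com"], protocols={"tcp"}, ports=["443"]),
]
# The recommended fix: rule 1 lists both the FQDN and the resolved IP addresses.
ACL_FIXED = [Rule("Allow portal", "allow", addresses=["portal.example.com", "203.0.113.0/24"],
                  users={"alice"})] + ACL[1:]

if __name__ == "__main__":
    by_name = Attempt("alice", "203.0.113.10", 443, "tcp", "portal.example.com")
    by_ip = Attempt("alice", "203.0.113.10", 443, "tcp")
    print("by hostname:", evaluate(ACL, by_name))     # allowed by rule 1
    print("by bare IP: ", evaluate(ACL, by_ip))       # blocked by rule 2
    print("fixed ACL:  ", evaluate(ACL_FIXED, by_ip))  # allowed once IPs are on rule 1
```

The bare-IP case is where the page's CDN caveat bites: the FQDN rule never sees a hostname to match, so evaluation falls through to the IP block rule, and listing the resolved addresses on the allow rule is what restores access.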