Skip Navigation

ACL parameters

The ACL is an ordered list of rules that defines what happens when a
user attempts to access a destination on the Internet or your private network. Each rule includes several parameters that can specify destinations, users, and other factors that a rule can match with and the action to take when a rule matches. If a network access attempt does not match any ACL rules, access is blocked.
When you add or edit ACL rules, the updates are added to a list of draft rules until you commit them. Each administrator has their own draft rule list. If an administrator commits a rule update, all other administrators with a draft rule list will be notified to delete or update their draft rule list before continuing.
Each rule can include the following parameters:
General information
This is a name for the rule.
This is a brief description of the purpose for the rule.
This setting specifies that the rule is part of the ACL. You can turn off this option to disable the rule without deleting it.
This setting specifies whether to allow or block access if the attempt matches the rule. If allowed to continue, the access attempt may be evaluated again during the next phases of the attempt.
Check addresses against network protection
If the rule Action allows access, this setting specifies whether
still blocks the connection if it detects a potential network threat. You should keep this option selected unless specified users need to connect to potentially malicious destinations.
Display a blocked notification message on devices
If the rule Action blocks access, this setting specifies a notification message that displays on the device when an access attempt is blocked.
Traffic Privacy
This setting specifies whether the network access attempts are displayed in the Network Events screen (
> Events). You may want to enable Traffic Privacy for liability or privacy reasons. When this setting is enabled, network access attempts are not displayed in the Network Events screen. If your environment sends events to a SIEM solution or syslog server and the connection attempt matches a rule with traffic privacy, the events are not sent to the SIEM solution or syslog server.
Content logging
This setting specifies whether the Network Events > Events Details page should include originally plain-text, unencrypted HTTP connection data. HTTP flows are not decrypted. When this setting is enabled, a summary of the request and response details of an event are included in the Events Details page. You can view all of the HTTP transactions within an event. The Events Details page includes the first three HTTP events of the total number of events. You can view all the events and the details that are associated with each one. If you create a rule that includes both Traffic Privacy and Content logging, traffic privacy takes precedence.
Ignore port
This setting specifies whether the destination port of the access control attempt should be evaluated or ignored as part of this rule.
Targets can be defined by a network service, a set of addresses, a set of addresses with defined protocols and ports, or only defined protocols and ports. You can select one of the following options:
  • Not applicable: The rule does not include destinations. For example, the rule specifies only categories, or you may want to create a rule that allows all access attempts for specific users unless the connection is blocked by network protection.
  • Matches any: The rule applies if the destination matches any target specified in the rule.
  • Does not match: The rule applies if the destination does not match any target specified in the rule.
Network services
You can select one or more network services.
This setting specifies the IP addresses, FQDNs, or wildcard domains for the destination address. IP addresses can be in IPv4 or IPv6 format and can be represented by a single IP, an IP range, or CIDR notation. For example, the following address formats are supported:
  • Single IP address:
  • IP Address range: -
  • CIDR:
  • FQDN:
  • Domain with wildcard: *
This setting specifies whether the rule matches connection attempts using TCP, UDP, or both. If you do not select an option, the default is both TCP and UDP on all ports.
This setting specifies the ports used for the destination. You can specify a single port or a range.
A category defines the type of content available on a site.
makes a best effort based on available information to determine the category of destination sites. You can select one of the following options:
  • Not applicable: The rule does not include categories.
  • Matches any: The rule applies if the destination matches any category specified in the rule. If you select this option, a list of categories that you select from is displayed.
  • Does not match: The rule applies if the destination does not match any category specified in the rule. If you select this option, a list of categories that you select from is displayed.
For more information on the available categories that can be specified, see Destination content categories
User properties
This setting specifies users, user groups, or operating systems to include in the rule. You can specify any number of users, user groups, and operating systems or a combination of each. When you click the User properties drop-down, select the user property that you want to specify the condition for. You can select one of the following options:
  • Not applicable: The rule applies to all users, groups, and operating systems.
  • Matches any: The rule applies only to the users, groups, and operating systems you add to the rule. If you select this option, a field to add user properties is displayed.
  • Does not match: The rule applies only to users, groups, and operating systems that are not listed in the rule. If you select this option, a field to add user properties is displayed.
When you begin typing a name or user group, a list will display a matching list of user names. When you specify the operating system, you must select it from the list. You can select from the following OS options:
  • Android
  • iOS
  • macOS
  • Windows
You can add rows to specify any number of users, groups, and operating systems.
This setting specifies the acceptable risk level of the device as it is configured in the Risk Assessment policy. For information on creating a risk assessment policy, see Create a risk assessment policy.
  • Not applicable: The risk level is not a condition for access.
  • Matches any: The device must be within the range of acceptable risk levels to allow the connection. If you select this option, you can select the acceptable risk levels. The default risk level is Secure (no risk).