Versa Networks

Configure Access Rules on Versa Director

For supported software information, click here.

You can configure access rules to allow or deny the traffic from client subnets when accessing Versa Director. You configure the rules at the system level (provider rules) or tenant level. The rules can be username-based or role-based. If no rule is configured, access is allowed for all users.

When you configure multiple rules, the rules are evaluated from top to bottom in the order in which they appear on the screen. To process the rules in a different order, reorder the list of rules. If there are multiple denied rules for a user, the rules are executed from top to bottom until an exact match for the denial is found. Otherwise, access is allowed. If you change the default action to deny, only the rules present are executed, and access is denied for all other users. A rule is processed in the following order of precedence: username, role, and then default.

If you configure the Director node northbound IP address, high availability IP addresses, and Analytics IP address with the local host (127.0.0.1), access is allowed by default. For external authentication methods, such as a CA certificate, you must add the CA client Director node IP address to the allowed IP address list of the CA server if any rule is configured for a specific user. You must also add the Concerto node IP address to the allowed subnet list if any rule is configured.

For high availability, all the rules in the primary Director node are applicable in the secondary Director node.

Note that only users with the ProviderDataCenterSystemAdmin role can configure access rules at both the system level and tenant level. Users with the TenantSuperAdmin role can configure access rules at the tenant level.

Note: If source NAT is enabled for LAN users, the NATed IP address is used as the client source IP address, and you must configure the allowed subnet list.
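The following added example (not Versa code) is a simplified offline model of the evaluation order described above. It checks a planned rule set for clients that would lose access before you change the default action to Deny. The rule names, users, and addresses are constructed, and the assumption that a denied prefix takes priority over an allowed prefix within one rule is the model's own.

```python
import ipaddress

# Constructed sample policy: rule names, users and prefixes are hypothetical.
POLICY = {
    "user_rules": [   # listed top to bottom, as on the User tab
        {"name": "pdcsa-admin", "subjects": {"admin1"},
         "allow": ["10.10.0.0/24"], "deny": ["10.10.0.128/25"]},
    ],
    "role_rules": [   # listed top to bottom, as on the Role tab
        {"name": "tenant-admins", "subjects": {"TenantSuperAdmin"},
         "allow": ["192.0.2.0/24"], "deny": []},
    ],
    "default": "deny",  # the Default tab changed from Allow to Deny
}


def _in_any(src_ip, prefixes):
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def evaluate(policy, user, role, src_ip):
    """Model: username rules, then role rules, each top to bottom, then default.
    Assumption: within a matching rule, a denied prefix beats an allowed one."""
    for tier, subject in (("user_rules", user), ("role_rules", role)):
        for rule in policy[tier]:
            if subject not in rule["subjects"]:
                continue
            if _in_any(src_ip, rule["deny"]):
                return "deny", rule["name"]
            if _in_any(src_ip, rule["allow"]):
                return "allow", rule["name"]
    return policy["default"], "default"


def lockout_risks(policy, required):
    """Return labels of must-keep clients the planned policy would not allow."""
    return [label for label, user, role, ip in required
            if evaluate(policy, user, role, ip)[0] != "allow"]


# Constructed clients that must keep access after the change.
REQUIRED = [
    ("admin workstation", "admin1", "ProviderDataCenterSystemAdmin", "10.10.0.20"),
    ("admin behind source NAT", "admin1", "ProviderDataCenterSystemAdmin", "10.10.0.200"),
    ("Concerto node", "concerto-svc", "ProviderDataCenterSystemAdmin", "198.51.100.7"),
]

if __name__ == "__main__":
    print(lockout_risks(POLICY, REQUIRED))
```

With this sample, the NATed administrator address falls inside the denied /25 and the Concerto node matches no rule, so both are reported as lockout risks once the default action is Deny.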

Configure an Access Rule

To configure an access rule at the system level or tenant level:

  1. In Director view, select the Administration tab in the top menu bar.
  2. To add a system-level access rule, select System > Access Rules > System in the left menu bar. Then move to step 4.

  3. To add a tenant-level access rule, select System > Access Rules > Tenant in the left menu bar.

  4. To add a username-based access rule, go to the User tab and click the +Add icon.

  5. If you already added one or more rules, the Add Rule popup window displays the rule reorder window. Select where you want to insert the rule, either at the end of the existing rules, the top of the existing rules, or in a specific location in the list of existing rules.

  6. Click Continue.
  7. In the Create User Access Rules window, enter information for the following fields.

     
    Field: Description
    Name (Required): Enter a name for the username-based access rule or select a name from the Username drop-down list.
    Organization (Required): This field is selected automatically and is not editable.
    Rule Type (Required): This field is selected automatically and is not editable.
    Allowed Users (Required):
      • Username (Required): Select one or more local users from the drop-down list, and then click the Add icon.
    Allowed Source Address Prefixes:
      • IP Address (Required): Enter one or more source IP address prefixes to send all traffic from the user device to Versa Director, and then click the Add icon.
    Denied Source Address Prefixes:
      • IP Address (Required): Enter one or more subnet IP prefixes to drop all traffic that matches the rule, and then click the Add icon.
  8. Click Ok.
  9. To add a role-based access rule, select the Role tab, and then click the +Add icon.
  10. If you already added one or more rules, the Add Rule popup window displays the rule reorder window. Select where you want to insert the policy rule, either at the end of the existing rules, the top of the existing rules, or in a specific location in the list of existing rules.

  11. Click Continue.
  12. In the Create Role Access Rules window, enter information for the following fields.

     
    Field: Description
    Name (Required): Enter a name for the role-based access rule.
    Organization (Required): This field is selected automatically and is not editable.
    Rule Type (Required): This field is selected automatically and is not editable.
    Allowed Roles (Required):
      • Role (Required): Select one or more roles from the drop-down list, and then click the Add icon.
    Allowed Source Address Prefixes:
      • IP Address (Required): Enter one or more source IP address prefixes to send all traffic from the user device to Versa Director, and then click the Add icon.
    Denied Source Address Prefixes:
      • IP Address (Required): Enter one or more subnet IP prefixes to drop all traffic that matches the rule, and then click the Add icon.
  13. Click Ok.
  14. Select the Default tab. In the Default Access Rules pane, click the Edit icon.

  15. In the Edit Default Access Rules window, select the action to take on matching traffic:
    • Allow (This is the default action)
    • Deny

  16. Click Ok.

Reorder Access Rules

To reorder system-level or tenant-level access rules:

  1. In Director view, select the Administration tab in the top menu bar.
  2. Select System > Access Rules in the left menu bar, and then:
    • To reorder a system-level access rule, select System.
    • To reorder a tenant-level access rule, select Tenant.
  3. Select a rule name, and then click the Move icon.

  4. In the Move popup window, select where you want to insert the selected rule, either at the end of the existing rules, the top of the existing rules, or in a specific location in the list of existing rules.

  5. To move rule(s) to a specific location, slide the blue Place Here bar to indicate where you want to place the rule(s).

  6. Click Reorder Rule.

Note: At all times, there must be at least one rule that allows a PDCSA user, so that the rules can be updated.

Supported Software Information

Releases 22.1.4 (Service Release dated 2025-02-08) and later support all content described in this article.
