Configure SASE User-Defined Objects

​Select and Modify Predefined Applications

You can select which predefined applications a tenant is allowed to access. You can also modify a predefined application for use by a tenant. 

To select predefined applications:

1. Go to Configure > Security Service Edge > User-Defined Objects > Applications, then select the Predefined Applications tab.
   
   
2. Select a predefined application from the list to allow a tenant to access it. You can use the Search box to locate an application.
3. To refresh the list of applications, click the  Refresh icon.
4. You can also select an application and then perform the following actions:
   • If the current tenant has subtenants, you can click the Copy to Subtenant icon to copy the application to one or more subtenants.
     Note: If the current tenant does not have any subtenants, this icon does not display.
     
     Select one or more tenants, then click Submit to copy the application.
     
     
   • Click the  View Audit Log icon. The audit log screen for the application displays. You can click the  Download CSV icon to download the audit log in CSV format.
     
     
      

To modify a predefined application:

1. Click the application link in the Predefined Applications screen. The Edit <Application-Name> screen displays. In the following screen shot, the 01NET application has been selected.
   
   
    
2. Change any of the attributes of the predefined application. You can change multiple attributes.
3. Click Submit. The modified predefined application—in this example, 01NET—is now listed under the User Modified Predefined Applications tab.
   
   Note: The original predefined application is still available under the Predefined Applications tab. 
   
   

Select User Modified Predefined Applications

To select user-modified predefined applications that a tenant is allowed to access.

1. Go to Configure > Security Service Edge > User-Defined Objects > Applications, then select the User Modified Predefined Applications tab.
   
   
2. Select a user-modified predefined application from the list. You can use the Search box to locate an application.
3. To refresh the list of applications, click the  Refresh icon.
4. You can also select an application and then perform the following actions:
   • Click the  Delete icon to delete the application.
   • If the current tenant has subtenants, you can click the Copy to Subtenant icon to copy the application to one or more subtenants.
     Note: If the current tenant does not have any subtenants, this icon does not display.
   • Click the  View Audit Log icon. The audit log screen for the application displays. You can click the  Download CSV icon to download the audit log in CSV format.

Configure Client-Native Applications

To configure client-native applications:

1. Go to Configure > Security Service Edge > User-Defined Objects > Applications, the click the Client Native Applications tab. The screen displays any client-native applications that you have previously defined. Note that you use client-native applications when you configure secure client access rules, but you cannot use client-native applications when you configure internet protection rules or private application rules.
   
   
    
2. Click the  Add icon to add a new client application. In the Add Client Native Application screen, select Step 1, Application Details, and enter information for the following fields.
   
   
    

   Field	Description
   FQDN	Enter the fully qualified domain name (FQDN) to use to access the new client application on a remote server. Click the  Add icon to enter additional FQDNs. Note that if you specify the FQDN, you cannot also specify the file path.
   File Path	Enter the path to the new client application on your local computer or laptop. For example, the path to the Outlook application on your local computer or laptop might be /var/lob/apps/outlook.app. Note that if you specify the file path, you cannot also specify the FQDN.
   Digital Experience Monitoring (Group of Fields)	(For Releases 12.2.2 and later.) You configure DEM settings so that DEM can send probes to client-native application servers. In addition, when creating a DEM profile, you can select applications that are based on FQDNs or file paths. The DEM settings are independent of the FQDN or file path selection.
   Host	Enter the IP address or the FQDN of the server that hosts the client-native application.
   Protocol	Enter the protocol to use. The options are: TCP UDP
   Custom Port	Enter the custom port number on the host. Range: 0 through 65535 Default: None
   URI Path	Enter a numeric value for the uniform resource identifier (URI).
   App Protocol	Select the protocol to use. The options are: HTTP HTTPS
   Ignore SSL Warning	Click the slider bar to enable SSL warnings. SSL warnings are disabled by default.

3. Click Next to go to Step 2, Review & Submit. Enter information for the following fields.
   
   
    

   Field	Description
   Name	(Required) Enter a name for the application.
   Description	(Optional) Enter a description of the application.
   Tags	(Optional) Enter one or more tags to to associate with the application. A tag is an alphanumeric text descriptor with no spaces or special characters that you use for searching objects.
   Upload Application Image	(Optional) Click the  Upload File icon. In the popup window, select an application image and upload it. Images must be in .png or .svg format.

4. Review the configuration. Click the  Edit icon to make changes.
5. Click Submit to add the client-native application.

Configure a User-Defined Application Group

1. Go to Configure > Security Service Edge > User-Defined Objects > Application Groups. 
   
   Note: For Releases 12.1.1 and earlier, User-Defined Objects is located at Configure > Security Service Edge > Settings.
   
   
   
   The Application Groups screen displays with the User Defined Application Groups tab selected by default.
   
   
    
2. To customize which columns display, click the  Column Selector icon, and then select or deselect the columns to display. Click Reset to return to the default columns settings. The options are:
   • Total Apps
   • Applications
   • Application Image
   • Last Modified
      
3. Click  Add to add a new application group. The Add User Defined Application Group screen displays with the Applications tab selected by default.
   
   
    
4. Click one or more of the user-defined and predefined applications to add. You can use the search bar to find an application.
5. Click Next to go to Step 2, Review & Submit.
   
   
    
6. Enter a name for the application group and, optionally, a description and one or more tags to include. Click the Enter key to add each tag. A tag is an alphanumeric text descriptor with no spaces or special characters that you use for searching objects.
7. (Optional) Click the  Upload File icon. In the popup window, select an application image and upload it. Images must be in .png or .svg format.
8. Review the configuration. Click the  Edit icon to make changes.
9. Click Save to create the user-defined application group.

Select a Predefined Application Group for a Tenant

To select a predefined application group for a tenant:

1. In the Application Groups landing screen, select the Predefined Application Groups tab. The screen displays the available predefined application groups.
   
   
2. Select an application group by clicking the box to the left of the group name.
3. You can also select an application group and then perform the following actions:
   • Click the  Delete icon to delete the application group.
   • If the current tenant has subtenants, you can click the Copy to Subtenant icon to copy the application group to one or more subtenants.
     Note: If the current tenant does not have any subtenants, this icon does not display.
   • Click the  View Audit Log icon. The audit log screen for the application group displays. You can click the  Download CSV icon to download the audit log in CSV format.

Add Operating System Objects

You can create user-defined operating systems to complement the predefined ones. User-defined operating systems can be used in the match criteria of client-based secure access rules to identify devices connecting to SSE gateways based on their operating system and apply appropriate actions. For information about client-based secure access rules, see Configure SASE Secure Client-Based Access Rules.

To create a custom operating system:

1. Go to Configure > Security Service Edge > User-Defined Objects > Operating Systems.
   
   
   
   If you have not previously added an operating system, the following screen displays. Click Add Operating System and go to Step 2.
   
   
   
   If you have previously added an operating system, the following screen displays. Click the  Add icon.
   
   
2. The Add Operating System screen displays with Step 1, Operating Systems & Versions step and the Predefined Operating System radio button selected by default. You can select a predefined operating system or a pattern, but you cannot select both.
   
   
3. Enter information for the following fields.
   
   Note: The syntax for versions can be a single version, a range of versions, or a comma-separated list of versions. For example:
    
   • Single version
     • 10.0
   • Single version
     • 10-15 (version 10 through 15)
     • 10.2-15 (version 10.2 through 15)
     • 10.2.2-15 (version 10.2.2 through 15)
     • 10.2.2 (version 10.2.2 through later)
     • 10.2- (version 10.2 through later)
     • 10.2 (version prior through 10.2)
     • 10 (version prior through 10)
   • Comma-separated lists
     • 10, 11, 12, 13, 16
     • 10.2, 10.3, 10.6
     • 10.2, 10.3.5, 12.2-18, 20- (10.2,10.3.5, 12.2 through 18, and 20 and later)
     • 4294967295Field

4. Select the Patterns radio button, then enter a regular expression pattern to match the operating system category.
   
   
5. Click Next to go to Step 2, Review & Submit.
   
   
6. Enter a name for the operating system.
7. Review the configuration. Click the  Edit icon to make changes.
8. Click Submit to add the operating system.

Configure SASE Schedules

Security policy rules work at all dates and times. You can define a schedule object to limit a security policy to specific times, and you then use the schedule objects when defining internet protection rules, private application rules, and secure client access rules.

Policy objects support match criteria based on the time of day. For example, you can define a policy rule that is effective only during certain times of the day, such as lunch hours or after normal working hours.

To configure a schedule object, you configure either a fixed date and time range or a recurring daily or weekly schedule.

To configure schedule objects:

1. Go to Configure > Security Service Edge > User-Defined Objects > Schedules in the left menu bar.
   
   Note: For Releases 12.1.1 and earlier, User-Defined Objects is located at Configure > Security Service Edge > Settings.
   
   
   
   The Schedules screen displays the schedules that are already configured.
   
   
    
2. Click the  Add icon to add a schedule. The Add Schedule screen displays with Step 1, Recurrence & Time Interval selected by default. Enter information for the following fields.
   
   
    

   Field	Description
   Recurrence	Select None, Daily, or Weekly.
   None	If you select None, the schedule does not repeat and only occurs once. Enter the following information: Start Date—Select a start date. Start Time—Select a start time. End Date—Select an end date. End Time—Select an end time.
   Daily	If you select Daily, enter information for the following fields:   All Day—Click to schedule the security policy to be in effect all day. Start Time—If you do not select All Day, select a start time from the drop-down list. End Time—If you do not select All Day, select an end time from the drop-down list.
   Weekly	If you select Weekly, enter information for the following fields:   All Day—Click to schedule the security policy to be in effect all day. Start Time—If you do not select All Day, select a start time. End Time—If you do not select All Day, select an end time. Select the days the security policy is to be in effect.

3. Click Next to go to Step 2, Review & Submit. 
   
   
    
4. Enter a name for the new schedule and, optionally, a description and one or more tags to include. A tag is an alphanumeric text descriptor with no spaces or special characters that you use for searching objects.
5. Review the configuration. Click the  Edit icon to make changes.
6. Click Submit to add the new schedule.

Configure Custom Security Actions

For Releases 11.4.1 and later.

For URL filtering, you can can select a user-defined action as the action to take when a filter matches.

To configure user-defined security actions:

1. Go to Configure > Security Service Edge > User-Defined Objects > Security Actions.
   
   Note: For Releases 12.1.1 and earlier, User-Defined Objects is located at Configure > Security Service Edge > Settings.
   
   
   
   The Security Actions screen displays the security actions that are already configured. To locate a particular action, use the search box.
   
   Note: Release 12.2.1 supports three new built-in security actions: GenAI_sanctioned, GenAI_tolerated, and GenAI_unsanctioned. 
   
   
    
2. Click the   Add icon to add a new action. The Add Security Action screen displays with Step 1, Configure Security Actions, selected by default. Enter information for the following fields.
   
   
    

   Field	Description
   Security Action Type	Select the type of action to which to apply the action when the page is redirected. The action type options represent the module for which the user-defined action was configured. For example, if you select URLF, the action can be used only in URL-filtering profiles. All—Apply to all action types. CASB—Apply to cloud access security broker (CASB) profiles. Decryption—Apply for decryption. DNS—Apply for DNS traffic. Intrusion Prevention System (IPS)—Apply for IPS profiles. IP Reputation—Apply for IP-filtering profiles. URL Filtering (URLF)—Apply for URL-filtering profiles.
   Action	Select the action to take when the user is redirected to a captive portal. Note that not all actions are available for all action types. Allow—Forward the current packet without generating an entry in the log. Drop Packet—The browser waits for a response from the server and then drops the packets. Drop Session—The browser waits for a response from the server and then drops the session. Reset Client—The host responds by sending a TCP Reset packet to the client, and the browser displays an error message indicating that the connection has been reset. Reset Server—The host responds by sending a TCP Reset packet to the server. The browser waits for a response from the server and then drops the session. Reset Client and Server—The host responds by sending a TCP Reset packet back to the client and server. The browser displays an error message indicating that the connection was reset. It is not possible to determine whether the web server reset the connection or the firewall reset the session. Block—Present an alert page to the user and block the user from continuing (in the case of HTTP/HTTPS). Inform—The browser presents an information page that prompts the user to continue after clicking OK. Ask—The browser presents an information page that allows the user to either cancel the operation by clicking Cancel or continue with the operation by clicking OK. Justify—The browser presents an information page that allows the user to either cancel the operation by clicking Cancel or continue with the operation after entering a justification message and clicking OK. Override—The browser prompts you to enter an override PIN (4 to 6 digits). Custom Redirection—The browser redirects you to the URL that you configure in the Redirection URL field. The URL should be a valid URL with a protocol (such as, https://acme.com). A redirection URL is a URL that is used to redirect your web browser from one URL to another. Sinkhole—A DNS sinkhole spoofs DNS servers to prevent the resolution of the hostnames associated with URLs and returns a false IP address to the URL, blocking a DNS sinkhole. This action can help you identify infected hosts in a network if a firewall is unable to find the original source IP address of DNS request sender. Sinkhole malware DNS queries create responses to the client host queries directed at malicious domains and try to connect to a sinkhole IP address instead of connecting to malicious domains. You can check the traffic logs to identify infected hosts. You can apply the sinkhole to all, DNS, IP reputation, and URL-filtering action types. Configure the following sinkhole parameters: Domain Name—Enter the domain name in which the LDAP server resides. IP Address—Click the Add icon to enter one or more IP addresses. TTL—Enter the time-to-live (TTL) value, in seconds. TTL refers to the amount of time the action is valid before it expires. Range: 1 through 65535 seconds Default: None
   Decrypt Bypass	Click the slider bar to disable SSL encryption for matching traffic, which allows you to define websites that are not subject to decryption.
   Log Captive Portal Actions	Click the slider bar to log captive portal actions. If you do not enable logging, the custom message that you enter in the Message field is not displayed in the log displayed in Versa Analytics.
   Expiration Time	Enter how often to redirect a user to the URL, in minutes. When a user first enters a URL and is redirected to a captive portal page, the Versa Operating SystemTM (VOSTM) device creates a cache entry, which expires after a global expiration time. While the cache entry is active, the device does not enforce the captive portal action, and users can view the webpage at the initial URL and at all URLs that belong to the same URL category, without seeing the captive portal page, with one exception. If the action is Block, all URLs are redirected to the Block page, regardless of the expiration time Range: 1 through 65535 minutes Default: 1 minute
   Message	Enter a message to display on the captive portal page.

3. Click Next to go to Step 2, Review & Submit, then enter information for the following fields.
   
   
    

   Field	Description
   Name (Required)	Enter a name for the security action.
   Description	Enter a text description.
   Tags	Enter one or more tags. A tag is an alphanumeric text descriptor with no spaces or special characters that you use for searching tunnels.

4. Review the configuration. Click the  Edit icon to make changes.
5. Click Submit to add the new security action.

Configure SASE Services

Security policies can reference service objects, which define match criteria based on protocol name and number, and on source and destination port number. Versa provides default predefined services and object definitions, and also provides periodic updates to the default services and objects.

You can also create custom service objects. One reason to do this might be if a well-known service runs on a non-standard port or if the predefined services are missing the desired port and protocol combination. Another reason might be to limit the number of ports that an application can use. For example, you could limit FTP to use only port 21 instead of ports 20 and 21.

The custom service objects that you define for a tenant can be used only by that tenant, and they are not visible to any other tenants.

To define service objects:

1. Go to Configure > Security Service Edge > User-Defined Objects > Services.
   
   Note: For Releases 12.1.1 and earlier, User-Defined Objects is located at Configure > Security Service Edge > Settings.
   
   
   
   The Services screen displays all services that are already configured. To find a particular service, use the search box.
   
   
    
2. In the drop-down list to the right of the Search box, select one of the following options:
   • All Services (default)
   • User Defined
   • Predefined
      
3. Click the   Add icon to add a new service. The Add Service screen displays with Step 1, Protocol & Port, selected by default. Enter information for the following fields. 
   
   
    

   Field	Description
   Protocol	Select a protocol. The options are: TCP UDP TCP_OR_UDP ICMP AH ESP 0 to 255
   Source OR Destination (Required)	(For TCP, UDP, or TCP_OR_UDP protocols only.) Enter the source or destination port for the protocol. For multiple entries, use comma-separated single port values or range of port values (using hyphens), for example, 1-100,2-200,3. Note: If you select Source OR Destination, you cannot also select Source AND Destination.
   Source AND Destination	(For TCP, UDP, or TCP_OR_UDP protocols only.) Enter the source port and the destination port for the protocol. For multiple entries, use comma-separated single port values or range of port values (using hyphens), for example, 1-100,2-200,3. Note: If you select Source AND Destination, you cannot also select Source OR Destination.

4. Click Next to go to Step 2, Review & Submit.
   
   
    
5. Enter a name for the new service and, optionally, enter a description and one or more tags. A tag is an alphanumeric text descriptor with no spaces or special characters that you use for searching objects.
6. Review the configuration. Click the  Edit icon to make changes.
7. Click Submit to add the new service.

Configure Service Groups

You can define custom service groups in addition to the predefined service groups that are provided. Service groups are used when setting up an SASE policy rule.

To configure service groups:

1. Go to Configure > Security Service Edge > User-Defined Objects > Services Groups.
   
   Note: For Releases 12.1.1 and earlier, User-Defined Objects is located at Configure > Security Service Edge > Settings.
   
   
   
   The Service Groups screen displays all service groups that are already configured. To find a particular service, use the search box.
   
   
2. Click the Add icon to create a new service group.
   
   
    
3. Select one or more user defined and pre-defined services to add to the group, then click Next to go to Step 2, Review & Submit.
   
   Note: To add additional services, click the  Add icon. See Configure SASE Services for information about adding a new service.
   
   
4. Enter a name for the new service group in the Name field.
5. Review the configuration. Click the  Edit icon to make changes.
6. Click Submit to add the new service group.

Configure Custom URL Categories

For Releases 11.4.1 and later.

You can create custom URL category objects on a per-tenant basis. You assign a unique name to each custom URL category, and you use a string or pattern match to define information about the URLs. You also associate a reputation value with the URL category. You can use a custom URL category in NGFW and SD-WAN policy rules to specify match criteria for a Layer 7 URL category. You can also specify custom URL categories in the category-based action rules and reputation-based action rules of a URL-filtering profile.

To configure custom URL categories:

1. Go to Configure > Security Service Edge > User-Defined Objects > URL Categories.
   
   Note: For Releases 12.1.1 and earlier, User-Defined Objects is located at Configure > Security Service Edge > Settings.
   
   
   
   The URL Categories screen displays the URL categories that are already configured. To find a particular category, use the search box.
   
   
    
2. To customize which columns display, click the Column Selector icon, and then select or deselect the columns to display. Click Reset to return to the default columns settings. The options are:
   • File Name
   • URL Feeds
   • Confidence Level
   • Last Modified
      
3. Click the   Add icon to add a new URL category. The Add URL Category screen displays with Step 1, Settings, selected by default. Enter information for the following fields.
   
   
    

   Field	Description
   URL Patterns (Group of Fields)	Enter a RegEx pattern and reputation to match the URLs.
   Patterns	Enter a URL pattern to match and group the URLs. Note that the pattern must be a regular expression in PCRE syntax, subject to the limitations of the Hyperscan library. For example, use "^(www\.)?versa-networks\.com\/" to match Versa Networks URLs. If your regex includes special characters such as a backslash (\) or an open curly brace ({), you must escape them by preceding with an extra backslash.
   Reputation	Select a predefined reputation, and then assign it to the URL match pattern. The options are: Trustworthy Low Risk Moderate Risk Suspicious High Risk Undefined
   URL Strings (Group of Fields)	Enter a URL string and reputation to match the URLs.
   String	Enter a URL string, such as www.versa-networks.com.
   Reputation	Select a predefined reputation, and then assign it to the URL match pattern. The options are: Trustworthy Low Risk Moderate Risk Suspicious High Risk Undefined
   URL Files	(For Releases 12.1.1 and later.)  Select a URL file containing URLs and reputations to match the URLs. Click  Create New in the drop-drop list to upload a new URL file in .csv format.
   URL Feeds	Select one or more URL feeds to receive URLs and their reputations dynamically.
   Set confidence level for URL category	Enter a confidence level for the URL categories.  Range: 1 through 100 Default: 1

4. Click Next to go to Step 2, Review & Submit.
   
   
    
5. Enter a name for the new URL category in the Name field.
6. Review the configuration. Click the  Edit icon to make changes.
7. Click Submit to add the URL category.