Enforce OS-Based Secure Access Policy Rules for Remote SASE Clients
For supported software information, see Supported Software Information at the end of this article.
To help prevent unauthorized access and potential security breaches, organizations must enforce context-aware access policies that adapt to users’ device types, operating systems, and security levels. You can use Concerto to configure secure access policies based on the operating system of remote Versa SASE clients.
The following use case features a global financial services company with thousands of remote employees who use Windows, macOS, Linux, and mobile devices. The company has adopted Versa SASE to provide secure access to corporate applications and cloud services and is setting up zero-trust security policies. Some of the employees may use outdated operating systems, which can pose serious security risks. Other employees bring their own devices (BYOD) to access company resources, which may also pose security risks.
This procedure describes how to create conditional and adaptive security enforcement by identifying the user's operating system from the SASE client. It explains how to configure allow and deny settings based on two different operating systems (Windows and Linux Ubuntu). In this use case, Ubuntu is the allowed operating system and Windows is the denied operating system.

In this scenario, the user matches an allow rule when they exclusively use Ubuntu to access the network. In this case, the registration is accepted by the SASE portal gateway. When the same user is running Windows, they match a deny rule, and the SASE portal gateway rejects the registration.
To further protect your network, you can combine operating system criteria with other criteria, such as an endpoint information profile (EIP). For details on EIP, see Configure Endpoint Information Profiles.
Configure an Allow Rule Based on User Operating System
To allow a specific user or users access based on operating system:
- In Tenant view, select Security Service Edge.
- Select Configure > Secure Client Access > Policy Rules.
- Click + Add. The Create Secure Client Access Rule workflow displays step 1, Operating System.

- Select the operating system and the versions you want to include in the access rule. For example, to include all versions of the Linux operating system, click All Linux Operating Systems in the Linux pane.

- Click Next. The Users & Groups window displays.
- For the User Type, click Selected Users, and then select the authentication type (here, SAML).
- Select the Users or User Groups tab, and then select the required users or user groups. In this example, the Users tab has user engin-user1@acsecurity.com selected.
- Click Next.
- Click step 5, Traffic Action, to define the action to take when the user matches the rule criteria.

- Click Allow, and then enter a message to display once this user successfully logs in to the Versa SASE gateway. For example, "Welcome to sase-org1."
- Click Next.
- Click step 9, Review & Configure, to complete the configuration. You can skip steps 6 through 8, or continue through the configuration, if needed.
- After the changes are published and the Ubuntu user (engin-user-1) logs in to the Versa client and selects Reregister, the Versa client displays the message "Welcome to sase-org-1" and access is granted.
Configure a Deny Rule Based on User Operating System
To deny a specific user or users access based on operating system:
- In Tenant view, select Security Service Edge.
- Select Configure > Secure Client Access > Policy Rules.
- Click + Add. The Create Secure Client Access Rule workflow displays step 1, Operating System.

- Select the operating system and the versions for which you want to deny access in the rule. For example, to restrict all versions of the Windows operating system, select the Windows pane, and then click All Windows Operating Systems.

- Click Next. The Users & Groups window displays.
- For the User Type, click Selected Users, and then select the authentication type (here, SAML).

- Select the Users or User Groups tab, and then select the required users or user groups. In this example, the Users tab has user engin-user1@acsecurity.com selected.
- Click Next.
- Click step 5, Traffic Action, to define the action to take when the user matches the rule criteria.

- Click Deny, and then enter a message to display if this user is restricted from accessing the Versa SASE gateway. For example, add the message, "You are not allowed to connect to the enterprise VPN, please contact your administrator."
- Click Next.
- Click step 6, Review & Configure, to complete the configuration.
- After the changes are published and the Windows user (engin-user-1) logs in to the Versa client and selects Reregister, the Versa client displays the message "You are not allowed to connect to the enterprise VPN, please contact your administrator" and access is denied.
You have now configured allow and deny traffic actions for this user and identified the specific operating systems for each access rule. Granting or denying access through this context-aware policy rule protects your network from unauthorized access.
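The two rules above name only Linux and Windows, while the use case also lists macOS and mobile devices. The following added example (not Versa or Concerto code) models the rules as plain data, assumes first-match evaluation, and reports which user and operating system pairs no rule decides and which rules with opposite actions overlap; the rule names and the `Rule` structure are hypothetical.

```python
from dataclasses import dataclass

# OS families named in the use case ("mobile" stands in for phone and tablet clients).
OS_FAMILIES = ("windows", "macos", "linux", "mobile")
USER = "engin-user1@acsecurity.com"  # user selected in both procedures

@dataclass(frozen=True)
class Rule:
    name: str               # hypothetical label, not a Concerto field
    os_families: frozenset  # selection made in step 1, Operating System
    users: frozenset        # selection made in Users & Groups
    action: str             # "allow" or "deny" (step 5, Traffic Action)

# Constructed model of the two rules from the procedures above.
RULES = [
    Rule("allow-linux", frozenset({"linux"}), frozenset({USER}), "allow"),
    Rule("deny-windows", frozenset({"windows"}), frozenset({USER}), "deny"),
]

def evaluate(rules, user, os_family):
    """Return (action, rule name) of the first matching rule, else ("unmatched", None).
    First-match ordering is an assumption of this model."""
    for rule in rules:
        if user in rule.users and os_family in rule.os_families:
            return rule.action, rule.name
    return "unmatched", None

def gaps(rules, users):
    """(user, OS family) pairs that no rule decides explicitly."""
    return sorted((u, o) for u in users for o in OS_FAMILIES
                  if evaluate(rules, u, o)[0] == "unmatched")

def conflicts(rules):
    """Rule pairs with opposite actions that overlap on both user and OS family."""
    found = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if (a.action != b.action and a.users & b.users
                    and a.os_families & b.os_families):
                found.append((a.name, b.name))
    return found

if __name__ == "__main__":
    for os_family in OS_FAMILIES:
        print(f"{USER} on {os_family}: {evaluate(RULES, USER, os_family)}")
    print("undecided pairs:", gaps(RULES, [USER]))
    # A broad allow added later overlaps the Windows deny for the same user.
    broad = Rule("allow-any-os", frozenset(OS_FAMILIES), frozenset({USER}), "allow")
    print("conflicting rules:", conflicts(RULES + [broad]))
```

Pairs reported as undecided are the ones to check against the rest of the tenant's rule list before publishing.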
Supported Software Information
Releases 12.1.1 and later support all content described in this article.
Releases 7.8.9 and later of the Versa SASE client support all content described in this article.
