jberg712
Contributor

Mobile Access Unified Policy Behavior understanding

So, we are attempting to move the MAB from legacy to using the Unified Access Policy. So I initially created a 3rd layer. We have 2 layers in our policy so far: 1) Firewall 2) App Ctrl and URL filtering. I built a 3rd and selected only Mobile Access Blade, not shared, implicit rule is drop. It had a cleanup rule and I added the rules for the VPN users. Once I applied it, it broke all outgoing traffic. While I was digging, I found where it stated that when it comes to layers, all layers in an access control policy must match before traffic is allowed. I could see where the traffic was hitting the cleanup rule of the MAB layer.

I guess what I'm trying to understand is if this 3rd layer only applies to the MAB, then why would normal traffic have to be satisfied? Or am I misunderstanding what that selection means when I select a new layer and only select the specific blade?

I'm curious to know how others are doing this?  Is the MAB being included in a layer with the Firewall blade or the App Ctrl and URLf?  Or should it be a 3rd layer, but above the App Ctrl with implied accept?

What am I missing?

11 Replies
the_rock
Champion

Here is all you need to remember...if you have more than 1 ordered layer, traffic has to be ACCEPTED on every single ordered layer. So, here is what I mean by that, let me give you this example...say you have 100 rules in network layer and last one is any any drop...fantastic. Then, you have 2nd ordered url layer with say 10 rules and last one is ALSO any any drop. In that case, ALL traffic will be dropped, no matter what, even if it's accepted on 1st ordered layer.

So, make sure that if you have multiple ordered layers, that it's 100% fine to have implicit clean up rule on network layer, but I would do any any accept at bottom of every other ordered layer.

Andy

PhoneBoy
Admin

In the documentation, an Inline layer is used instead of an Ordered one.
Like @the_rock says, if you use Ordered layers, an accept rule must be matched in each ordered layer for the traffic to pass.

jberg712
Contributor

This may be more of a preference topic than a best practice, but I'm curious if it's better to have a single ordered layer with multiple inline layers for all blades or is it better to have a Firewall ordered layer and an App Ctrl URLF ordered layer? If it's better to have them separated, what's best for Mobile Access?

Based off what y'all are saying, if I have a separate ordered layer for MAB, something would have to match even if it's not pertaining to Mobile Access on that layer... which makes total sense by design. What doesn't make sense is having a separate ordered layer for MAB. Would it then be more practical to have MAB included with the firewall blade ordered layer?

the_rock
Champion

I will tell you my experience, can't speak for anyone else...customers that had been with CP for a long time I find prefer ordered separate layers approach. Customers who came from other vendors prefer one layer with inline layers, as they don't seem to like any any allow approach rule at the bottom of ordered layer. Personally, I like separate ordered layers, as I find it's more organized, acceleration works better and traffic is handled more efficiently as well. That's just me...

Andy

the_rock
Champion

Overall, I like your approach, good job with this...let us know if any issues!

Andy

jberg712
Contributor

Thanks Andy (I was wondering if I shouldn't call you Dwayne =D).  

I personally like the separate ordered layers myself. I'm having trouble seeing it fit if there's one just for the Mobile Access Blade. All other internal traffic would certainly need a rule to match to allow it (assuming MAB is the 3rd ordered layer). It would need to match an accept on layer1 (fw), layer2 (app), and layer3 (mab). I do like the idea of layering it this way, but following the logic to include a deny any/any would obviously break all traffic if in layer 3 it was that plus rules for just Remote Access group. But also having an allow any/any on this layer (or any layer) as some might look at it and think you're allowing all traffic at the end or for mobile access people or for all traffic. I know now by design how that works, but just to make sure it's going to. I have in the past had some traffic being allowed by rules that they weren't supposed to hit and I guess I want to be sure it won't cause any extra allowances that shouldn't be allowed since I would be required to have a rule that would need to be matched on that 3rd ordered layer.
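
The ordered-layer behaviour discussed in the posts above, as an added example that is not part of the thread and is not Check Point code: a small Python model in which each ordered layer is evaluated top-down, first match wins, and a drop in any layer is final. Rule names, source and service labels, and the implicit-cleanup-is-drop setting are assumptions made for the illustration; real rules match on more columns than this.

```python
from dataclasses import dataclass

ANY = "any"

@dataclass
class Rule:
    name: str
    src: str       # source label or "any"
    service: str   # service label or "any"
    action: str    # "accept" or "drop"

    def matches(self, conn):
        return self.src in (ANY, conn["src"]) and self.service in (ANY, conn["service"])

def evaluate(layers, conn):
    """First match per layer; a drop in any ordered layer is final."""
    trace = []
    for layer_name, rules in layers:
        hit = next((r for r in rules if r.matches(conn)), None)
        action = hit.action if hit else "drop"  # assumed: implicit cleanup = drop
        trace.append((layer_name, hit.name if hit else "implicit cleanup", action))
        if action != "accept":
            return "drop", trace
    return "accept", trace

# Constructed rule bases (names and labels are illustrative only).
FIREWALL = ("Firewall", [
    Rule("internal web out", "internal", "https", "accept"),
    Rule("vpn users to portal app", "vpn_users", "web_app", "accept"),
    Rule("cleanup", ANY, ANY, "drop"),
])
APP_URLF = ("App Ctrl + URLF", [Rule("allow the rest", ANY, ANY, "accept")])
MAB_DROP = ("Mobile Access", [
    Rule("vpn users web app", "vpn_users", "web_app", "accept"),
    Rule("cleanup", ANY, ANY, "drop"),
])
MAB_ACCEPT = ("Mobile Access", [
    Rule("vpn users web app", "vpn_users", "web_app", "accept"),
    Rule("not mobile access", ANY, ANY, "accept"),
])

def verdicts(mab_layer):
    """Verdict per constructed connection for a given third layer."""
    conns = {"internal https": {"src": "internal", "service": "https"},
             "internal telnet": {"src": "internal", "service": "telnet"},
             "vpn web app": {"src": "vpn_users", "service": "web_app"}}
    return {k: evaluate([FIREWALL, APP_URLF, mab_layer], c)[0] for k, c in conns.items()}

if __name__ == "__main__":
    print("cleanup drop  :", verdicts(MAB_DROP))
    print("cleanup accept:", verdicts(MAB_ACCEPT))
```

In this model the any/any accept at the bottom of the third layer only lets through connections that the Firewall layer already accepted; the telnet connection is still dropped by the Firewall cleanup rule and never reaches the Mobile Access layer.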

the_rock
Champion

You can call me Dwayne, I don't get offended on anything, all good ;-). The Rock is the best!

Anyway, you made all the valid points. I will tell you an example of what I did for a customer last year...they came from Cisco world and they did not feel comfortable having 2nd ordered url layer with any any allow, so we created a few rules towards the top of the rule base with access roles (since we have IA enabled) and HTTPS inspection and customer loves it, as people get block page presented and works really well and they are very content having one ordered layer with a few inline layers to reflect different interfaces/zones.

But again, my PERSONAL preference is different ordered layers for reasons I mentioned in my last response. But, as you know, everyone is different...some people like Ferrari, some Mercedes, it's all good 🙂

Andy

jberg712
Contributor

Thank you Dwayne... err... I mean Andy.

I really do appreciate the information and that will help me with the decision that fits our organization best. Much appreciated!!

Jonathan

the_rock
Champion

Happy to help.

Dwayne out

jberg712
Contributor

Not sure if this should be another post but since this is related to the behavior under Unified policy, I wanted to post here to begin with.

One other piece of behavior that I've noticed with the Unified policy on the MAB when a user connects through the web is that it ALWAYS loads the native application connect option... even when I have a rule that ONLY allows for the Web Application.

I had a case open up with TAC about it and they came back stating this was normal... That he received the same behavior as we were. Is this the case all around with unified policy? Is this something that will possibly change in the future?

The reason I ask is because with Legacy, if I put a user/group next to a web application and nothing else, that's all they would see on the web portal. They would not get the option to click connect to download the SNX client as if they were applied to a rule that allowed a Native Application.

Wolfgang
Mentor

This is normal behaviour if you are using unified policy. The connect button is always shown.

Have a look at "Limitations for Mobile Access in the Unified Policy" in the Mobile Access R81.10 Administration Guide.