03-29-2017 05:11 PM
Hello
It is a silly question, but do multiple identification profiles in one access/decryption policy work with OR/AND operation? Can a user belong to either one of them to hit the policy, or both?
Async OS 9.1.2-022
Thanks
03-29-2017 05:23 PM
WSA will try to match the Identity first, and all conditions in an Identity are AND. After matching the Identity, WSA will try to match the Access Policy, therefore the Identity being used by the Access Policy is independent. There is no relationship between the Identities in one Access Policy.
Please bear in mind that WSA will match from top and it will move to the next stage as soon as it matches.
Hope it helps and please mark my reply as correct answer if it does.
03-29-2017 06:01 PM
Hi Tao
Thanks for the response.
Just need some more clarification to make sure I understood correctly.
Let's consider the scenario below:
Identification Policy
Policy 1. Match subnet x and exempt from authentication
Policy 2. Any subnet based and use AD realm for authentication
Access Policy
Rule 1: Identification profile - Policy 1 and Policy 2 (AD group HRDept)
Rule 2: Identification profile - Policy 2 (AD Group FinDept)
Rule 3: Identification profile - Policy 1
Based on your answer, WSA first checks the Identification policy and then checks the Access policy. So in below scenario:
Is that right?
Thanks
Sakun
03-31-2017 02:22 PM
Here Sakun, to answer your questions -
Based on your answer, WSA first checks the Identification policy and then checks the Access policy. So in below scenario:
Correct: Identify Policy 1 will be hit since we are within the subnet X (+exempt from auth)
Correct: This is correct under the assumption that User does not belong to Subnet X
Correct: This is correct under the assumption that User does not belong to Subnet X
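The evaluation order described in this thread, as an added example that is not from any poster or from Cisco: a simplified Python model of the scenario above, showing first-match on the identification profile and then first-match on the access rules. The subnet value, the per-profile group binding in Rule 1 (HRDept applied to Policy 2 only) and the fall-through to a "Global Policy" are assumptions of this sketch.

```python
import ipaddress

# Constructed sample data mirroring the thread's scenario.
# "Subnet x" is assumed to be 10.1.1.0/24 for illustration.
ID_PROFILES = [  # evaluated top-down, first match wins
    {"name": "Policy 1", "subnet": "10.1.1.0/24", "auth": False},  # auth exempt
    {"name": "Policy 2", "subnet": "0.0.0.0/0", "auth": True},     # AD realm
]

# Each access rule maps an identification profile to a required AD group
# (None = no group restriction). Assumption: in Rule 1 the HRDept group
# applies to Policy 2 only, as the thread's notation suggests.
ACCESS_RULES = [
    {"name": "Rule 1", "profiles": {"Policy 1": None, "Policy 2": "HRDept"}},
    {"name": "Rule 2", "profiles": {"Policy 2": "FinDept"}},
    {"name": "Rule 3", "profiles": {"Policy 1": None}},
]

def match_identity(client_ip):
    """Stage 1: return the first identification profile whose subnet matches."""
    ip = ipaddress.ip_address(client_ip)
    for profile in ID_PROFILES:
        if ip in ipaddress.ip_network(profile["subnet"]):
            return profile
    return None

def match_access(client_ip, ad_groups=()):
    """Stage 2: first access rule listing the identity chosen in stage 1.

    Multiple profiles in one rule behave as OR: the transaction carries
    exactly one identity, and it only has to be one of those listed.
    """
    profile = match_identity(client_ip)
    if profile is None:
        return None, "Global Policy"
    # An auth-exempt identity has no user, so no group information exists.
    groups = set(ad_groups) if profile["auth"] else set()
    for rule in ACCESS_RULES:
        if profile["name"] not in rule["profiles"]:
            continue
        required = rule["profiles"][profile["name"]]
        if required is None or required in groups:
            return profile["name"], rule["name"]
    return profile["name"], "Global Policy"  # assumed default catch-all

if __name__ == "__main__":
    for ip, groups in [("10.1.1.5", []), ("192.168.5.9", ["HRDept"]),
                       ("192.168.5.9", ["FinDept"]), ("192.168.5.9", ["Sales"])]:
        print(ip, groups, "->", match_access(ip, groups))
```

In this model a client in subnet x always lands on Rule 1, so Rule 3 is never reached; ordering a broader rule above a narrower one for the same identification profile shadows the narrower one.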