
Secure Access Service Edge:Configure a dynamic policy

Last Updated:Nov 19, 2025

Secure Access Service Edge (SASE) makes dynamic decisions based on employee operations, behavior, and device security status, so that it can detect and respond to security threats in real time and automatically adjust security measures. This helps protect your organization's data and resources. This topic describes how to configure a dynamic policy.

Prerequisites

  • You have activated SASE. If you have not activated SASE, purchase and activate the service. For more information, see Purchase the service. You can also apply for a 7-day free trial. For more information, see Apply for a free trial.

  • You must use an Alibaba Cloud account or a Resource Access Management (RAM) user that has permissions to access the SASE service. If you use a RAM user, grant the required access permissions. For more information, see Grant permissions to a RAM user.

  • The SASE client installed on office devices is version 4.5.1 or later.

Procedure

  1. Log on to the Secure Access Service Edge console.

  2. In the navigation pane on the left, choose Dynamic Decision-making > Dynamic Policy. On the Dynamic Policy page, click Create Policy.

  3. In the Create Policy panel, configure the policy parameters.

    Basic Information

    • Policy Name: Enter a name for the dynamic policy.

    • Policy Status: Enable the dynamic policy.

    • Effective Scope: Set the user group to which the policy applies.

    Trigger Settings

    • Trigger Mode: Dynamic. The policy is triggered in real time when the device properties, network environment, or device compliance baseline changes, or when a security event related to a user occurs.

    • Trigger Settings: Two methods are supported to configure the trigger:

      • Manually set policy: Set trigger conditions based on information such as Device Information, Behavior Information, Compliance Baseline, and Time Rule. You can configure one or more trigger conditions and set the logical relationship between them as needed. For more information about the trigger policy parameters, see Trigger configuration parameters. You can click Save as Template to save a manually configured policy as a template for future use.

      • Import existing template: Click Import Existing Template. In the Import Existing Template dialog box, select a custom trigger template and click OK. For more information about how to configure a trigger template, see Configure a trigger template.

    Handling Settings

    • Prohibition:

      • Prohibit App-initiated Connections to Internal Networks: This option takes effect only after you configure a network access policy for users in SASE.

        Warning

        This feature requires SASE app version 4.7.0 or later.

      • Prohibit Use of Software: Restricts employees from using the specified software. This option applies only on eligible devices.

      • Prohibit Connection to Office Network: This option takes effect only after you configure a network access policy for users in SASE. For users or devices for which a network access policy is configured, the option takes effect upon their next connection.

      • Access Control Downgrade: De-escalates the permissions of a user in violation. You must first configure a downgrade policy.

    • Notifications & Audit:

      • Audit: Audits response and recovery operations. You can view response and recovery logs in Log Audit. For more information about how to view dynamic decision-making logs, see View the response process.

      • In-client Notification to User: Set the pop-up title and content. If a user triggers the dynamic policy, the SASE client is forcibly logged off and a pop-up notification is displayed. You can set prompts in both Chinese and English.

      • CloudMonitor Notification to System Administrator: SASE delivers response events to CloudMonitor.

    Restoration Method

    • Automatic Restoration After Remediation: If an employee or device that triggered a rule is remediated and no longer hits the trigger condition the next time the dynamic policy is checked, the response is automatically recovered.

    • Restoration After Authentication and Reporting:

      • Validity Period of Reporting: Set the Reported Effective Time. If a user triggers the dynamic policy, the SASE client is forcibly logged off. The user can log on again to resume use. The dynamic policy is not triggered again within the reported effective time.

      • Authentication Method: Log On Again is selected by default. The user logs on to the SASE client again to complete the authentication.

  4. Click OK.

Example of manually setting a trigger policy

In the example shown in the following figure, a dynamic policy is configured. If the SASE client version is earlier than v4.5.1 or the QQ application is detected on an office device, the configured response action is executed.

(Figure: the example dynamic policy with its two trigger conditions)

Trigger configuration parameters

Device information

Basic Device Information

  • SASE Client Version. Logical operator: Greater than, Greater than or equal to, Less than, Less than or equal to. Content: Enter the client version number.

  • Terminal Type. Logical operator: Is in, Is not in. Content: Windows, macOS, iOS, Linux, Android (multiple selections are supported).

  • Wi-Fi Connection. Logical operator: Is, Is not. Content: Enter one or more SSIDs. You can enter up to 10 SSIDs.

  • Device MAC Address. Logical operator: Includes any of, Does not include any of. Content: Enter one or more MAC addresses. You can enter up to 10 MAC addresses.

  • LAN IPv4 Address. Logical operator: Is in, Is not in. Content: Enter one or more IP addresses or CIDR blocks. You can enter up to 10 entries.

  • Mac Disk Access. Logical operator: Equals. Content: Select Enabled or Not enabled.

  • Screenshot Permissions on Mac. Logical operator: Equals. Content: Select Enabled or Not enabled.

Device Application Information

  • Device Software Information. Logical operator: Includes any of, Does not include any of. Content: Application list from software management.

Behavior information

Logons

  • IP Address of Most Recent Logon. Logical operator: Belongs To, Does Not Belong To. Content: Enter one or more IP addresses or CIDR blocks. You can enter up to 10 entries.

Compliance Baseline

Windows

  • Windows Version. Logical operator: Version Later Than, Version Equal To or Later Than, Version Earlier Than, Version Equal To or Earlier Than. Content: Select one from 7, 8, 9, 10, or 11.

  • System Firewall. Logical operator: Include Any, Not Include. Content: Enable Private Network Firewall, Enable Guest and Public Network Firewall, Enable Domain Network Firewall, System Firewall (multiple selections are supported).

  • Process Detection. Logical operator: Include Any, Not Include. Content: Enter one or more process names.

  • Baseline Element. Logical operator: Include All. Content: Windows Automatic Updates Not Enabled, High-risk Port Enabled, Antivirus Software Disabled, High-risk Software Used. For more information about how to configure baseline elements, see Configure baseline elements.

macOS

  • macOS Version. Logical operator: Version Later Than, Version Equal To or Later Than, Version Earlier Than, Version Equal To or Earlier Than. Content: Select one from 10, 11, 12, 13, 14, or 15.

  • System Firewall. Logical operator: Include Any, Not Include. Content: System Firewall.

  • Process Detection. Logical operator: Include Any, Not Include. Content: Enter one or more process names.

  • Baseline Element. Logical operator: Include All. Content: High-risk Port Enabled, Antivirus Software Disabled, High-risk Software Used. For more information about how to configure baseline elements, see Configure baseline elements.

Linux

  • Process Detection. Logical operator: Include Any, Not Include. Content: Enter one or more process names.

  • System Firewall. Logical operator: Include Any, Not Include. Content: System Firewall.

Time rules

  • Effective Time. Logical operator: Greater Than, Less Than, Validity Period. Content: Set a specific time or a time range.
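The example policy from the top of this section (client earlier than v4.5.1 OR QQ detected), evaluated with the operator names listed in these tables, as an added Python model that is not Alibaba Cloud code: the field names, the office CIDR 10.0.0.0/8, and the device snapshots are constructed assumptions. It also goes one step further than the figure by showing an AND policy and the Automatic Restoration After Remediation check across successive snapshots.

```python
import ipaddress

# Operators from the trigger configuration tables that are negations of another operator.
NEGATED = {"Is not in": "Is in", "Does not include any of": "Includes any of",
           "Does Not Belong To": "Belongs To"}

def version_tuple(v):
    """'v4.5.1' -> (4, 5, 1); tolerates the leading 'v' used in the page's example."""
    return tuple(int(x) for x in v.lstrip("v").split("."))

def check(device, cond):
    """Evaluate one trigger condition (field, operator, expected) against a device snapshot."""
    field, op, expected = cond
    if op in NEGATED:
        return not check(device, (field, NEGATED[op], expected))
    actual = device[field]
    if op == "Less than":                  # e.g. SASE Client Version
        return version_tuple(actual) < version_tuple(expected)
    if op == "Is in":                      # e.g. Terminal Type
        return actual in expected
    if op == "Includes any of":            # e.g. Device Software Information
        return any(x in actual for x in expected)
    if op == "Belongs To":                 # e.g. IP Address of Most Recent Logon (CIDR blocks)
        ip = ipaddress.ip_address(actual)
        return any(ip in ipaddress.ip_network(c, strict=False) for c in expected)
    raise ValueError(f"unsupported operator: {op}")

def triggered(device, policy):
    """policy['logic'] is the relationship between the conditions: 'OR' or 'AND'."""
    hits = [check(device, c) for c in policy["conditions"]]
    return any(hits) if policy["logic"] == "OR" else all(hits)

def response_timeline(snapshots, policy):
    """Automatic Restoration After Remediation: each periodic check either applies or
    keeps the response, or restores the device once it no longer hits the trigger."""
    return ["respond" if triggered(s, policy) else "restore" for s in snapshots]

# Constructed policy mirroring the page's example: client earlier than v4.5.1 OR QQ detected.
EXAMPLE_POLICY = {"logic": "OR", "conditions": [
    ("client_version", "Less than", "v4.5.1"),
    ("software", "Includes any of", ["QQ"])]}
# Constructed AND policy: a Windows device whose last logon came from outside an assumed office CIDR.
OFFSITE_WINDOWS_POLICY = {"logic": "AND", "conditions": [
    ("terminal_type", "Is in", ["Windows"]),
    ("last_logon_ip", "Does Not Belong To", ["10.0.0.0/8"])]}
# Constructed device snapshots: before remediation (old client, QQ installed) and after it.
BEFORE = {"client_version": "4.4.0", "software": ["QQ", "Chrome"],
          "terminal_type": "Windows", "last_logon_ip": "203.0.113.7"}
AFTER = dict(BEFORE, client_version="4.5.1", software=["Chrome"], last_logon_ip="10.1.2.3")
```

Running response_timeline([BEFORE, BEFORE, AFTER], EXAMPLE_POLICY) yields respond, respond, restore: the response stays in place until a check no longer hits the trigger.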

Other operations

The created policy appears in the dynamic policy list. SASE handles the behavior of devices that match the policy based on your settings.

You can perform the following operations as needed:

  • Filter: Filter policies by Policy Name.

  • Edit: Click Details to view or modify the configuration of a dynamic policy.

  • Delete: Click Delete to delete a dynamic policy. You can also select multiple policies and delete them in a batch.

  • Status: Click the switch in the Status column to enable or disable a dynamic policy.

References

For more information about how to view SASE product events in Cloud Monitor, see View system events.