All Products
Search
Document Center

Secure Access Service Edge:Configure a dynamic policy

Last Updated:Jun 21, 2026

Dynamic decision-making based on employee actions, behavior, and device security status allows SASE to detect and respond to security threats in real time and automatically adjust security measures to more effectively protect your organization's data and resources. This article describes how to configure dynamic policies.

Prerequisites

  • You have activated SASE. If you have not activated SASE, you must purchase and activate the service. For more information, see Purchase service. You can also apply for a 7-day free trial. For more information, see Apply for a free trial.

  • You are using an Alibaba Cloud account or a SASE that has permissions to access SASE. If you use a RAM user, you must grant it the required permissions. For more information, see Grant permissions to a RAM user.

  • The SASE app installed on corporate devices is version 4.5.1 or later.

Procedure

  1. Log on to the Secure Access Service Edge console.

  2. In the left-side navigation pane, choose Dynamic Decision-making > Dynamic Policy. On the Dynamic Policy page, click Create Policy.

  3. In the Create Policy panel, configure the following parameters.

    Parameter

    Description

    Basic Information

    Policy Name

    Enter a name for the dynamic policy.

    Enabled

    Enable or disable the dynamic policy.

    Effective Scope

    Select the user groups to which the policy applies.

    Trigger Settings

    Trigger Mode

    Dynamic Trigger: The policy is triggered in real time when device attributes, the network environment, or the device compliance baseline changes, or when a user-related security event occurs.

    Trigger Settings

    You can configure the trigger conditions in the following ways:

    • Manual policy setting: You can set trigger conditions based on information such as Device Information, Behavior Information, Compliance Baseline, and Time Rules. You can configure trigger policies based on your specific requirements by setting one or more trigger conditions and defining the relationships between policies. For more information about trigger policy parameters, see Trigger configuration parameters. You can click Save as Template to save a manually configured policy as a template, which allows you to directly import it for future configurations.

    • Import existing template: Click Import Existing Template. In the Import Existing Template dialog box, select a custom trigger template and click OK. For more information about how to configure a trigger template, see Configure a trigger template.

    Handling Settings

    Prohibition

    Prohibit App-initiated Connections to Internal Networks: Users who match the policy cannot connect to the SASE with the SASE app.

    Warning

    This feature requires SASE app version 4.7.0 or later.

    Prohibit Connection to Office Network: Users who match the policy cannot connect to the Prohibit Connection to Office Network. Devices that are already connected to the office network are denied access on their next connection attempt.

    Notifications & audit

    • Audit: Logs response and recovery operations. You can view response and recovery logs in Log Audit. For more information about how to view dynamic decision-making logs, see View the response process.

    • In-app Prompt: Prompts are displayed in the app only when the "Prohibit connection to the internal network via the app" action is triggered.

      • In-app Notification Content: Customize the notification content. You can set prompts in both Chinese and English.

    • In-client Notification to User: Set the pop-up title and content. If a user triggers the dynamic policy, the SASE app is forcibly logged out, and a pop-up notification is displayed. You can set prompts in both Chinese and English.

    • CloudMonitor Notification to System Administrator: SASE delivers response events to CloudMonitor.

    Restoration Method

    Automatic Restoration After Remediation

    If a user or device is remediated and no longer matches the trigger conditions, the enforced action is automatically reversed during the next policy evaluation.

    Restoration After Authentication and Reporting

    • Validity Period of Reporting: If a user triggers a dynamic policy, the SASE client is forcibly logged out. The user must log in again to regain access. During the Validity Period of Reporting, the dynamic policy will not be triggered again.

    • Authentication Method: Re-logon is selected by default. The user must log on to the SASE app again to complete authentication.

  4. Click OK.

Example: Manually configure a dynamic policy

If you configure a dynamic policy as described in this example, the specified response actions are triggered when the SASE app version is earlier than v4.5.1 or when the QQ application is detected on an office device.

In the Trigger Configuration panel, for the first condition, choose Device information > Basic device information > SASE app version > Less than, and enter 4.5.1. For the second condition, choose Device information > Device application information > Device software information > Includes any of, and enter QQ. Set the logical operator between the two conditions to OR.

Trigger configuration parameters

Device information

Basic device information

Option

Logical operator

Content

SASE Client Version

Greater than, Greater than or equal to, Less than, Less than or equal to

Enter the app version number.

Terminal Type

Is, Is not

Windows, macOS, iOS, Linux, Android (Select one or more).

Wi-Fi Connection

Is, Is not

Enter one or more SSIDs. You can enter a maximum of 10 SSIDs.

Device MAC Address

Includes any of, Does not include any of

Enter one or more MAC addresses. You can enter a maximum of 10 MAC addresses.

LAN IPv4 addresses

Is in, Is not in

Enter one or more IP addresses or CIDR blocks. You can enter a maximum of 10 entries.

Mac Disk Access

Is

Select Enabled or Disabled.

Screenshot Permissions on Mac

Is

Select Enabled or Disabled.

Device application information

Option

Logical operator

Content

Device Software Information

Includes any of, Does not include any of

The list of managed applications.

Behavior information

Logon behavior

Option

Logical operator

Content

IP Address of Most Recent Logon

Is in, Is not in

Enter one or more IP addresses or CIDR blocks. You can enter a maximum of 10 entries.

Compliance baseline

Windows

Option

Logical operator

Content

Windows Version

Greater than, Greater than or equal to, Less than, Less than or equal to

Select one from 7, 8, 9, 10, or 11.

System Firewall

Includes any of, Does not include any of

You can select multiple options.

  • Private network firewall is enabled

  • Guest or public network firewall is enabled

  • Domain network firewall is enabled

  • Firewall is enabled

Process Detection

Includes any of, Does not include any of

Enter one or more process names.

Baseline Element

Matches all

  • High-risk ports are open

  • High-risk software is used

  • Antivirus software is not enabled

  • Windows automatic updates are not enabled

For more information about how to configure baseline elements, see Configure baseline elements.

macOS

Option

Logical operator

Content

macOS Version

Greater than, Greater than or equal to, Less than, Less than or equal to

Select one from 10, 11, 12, 13, 14, or 15.

System Firewall

Includes any of, Does not include any of

Firewall is enabled.

Process Detection

Includes any of, Does not include any of

Enter one or more process names.

Baseline Element

Matches all

  • High-risk ports are open

  • High-risk software is used

  • Antivirus software is not enabled

For more information about how to configure baseline elements, see Configure baseline elements.

Linux

Option

Logical operator

Content

Process Detection

Includes any of, Does not include any of

Enter one or more process names.

System Firewall

Includes any of, Does not include any of

Firewall is enabled.

Time rule

Option

Logical operator

Content

Effective Time

Greater than, Less than, Time range

Set a specific time or a time range.

Other operations

The created policies are displayed in the dynamic policy list. SASE applies the configured response actions to devices that match a policy.

You can perform the following operations as needed:

  • Filter: Filter policies by Policy Name.

  • Edit: Click Details to view or modify a dynamic policy.

  • Delete: Click Delete to delete a dynamic policy. You can also select multiple policies and delete them in bulk.

  • Status: Click the switch in the Status column to enable or disable a dynamic policy.

Related documents

For more information about how to view SASE product events in CloudMonitor, see View system events.