Dynamic decision-making based on employee actions, behavior, and device security status allows SASE to detect and respond to security threats in real time and automatically adjust security measures to more effectively protect your organization's data and resources. This article describes how to configure dynamic policies.
Prerequisites
-
You have activated SASE. If you have not activated SASE, you must purchase and activate the service. For more information, see Purchase service. You can also apply for a 7-day free trial. For more information, see Apply for a free trial.
-
You are using an Alibaba Cloud account or a SASE that has permissions to access SASE. If you use a RAM user, you must grant it the required permissions. For more information, see Grant permissions to a RAM user.
-
The SASE app installed on corporate devices is version 4.5.1 or later.
Procedure
-
Log on to the Secure Access Service Edge console.
-
In the left-side navigation pane, choose . On the Dynamic Policy page, click Create Policy.
-
In the Create Policy panel, configure the following parameters.
Parameter
Description
Basic Information
Policy Name
Enter a name for the dynamic policy.
Enabled
Enable or disable the dynamic policy.
Effective Scope
Select the user groups to which the policy applies.
Trigger Settings
Trigger Mode
Dynamic Trigger: The policy is triggered in real time when device attributes, the network environment, or the device compliance baseline changes, or when a user-related security event occurs.
Trigger Settings
You can configure the trigger conditions in the following ways:
-
Manual policy setting: You can set trigger conditions based on information such as Device Information, Behavior Information, Compliance Baseline, and Time Rules. You can configure trigger policies based on your specific requirements by setting one or more trigger conditions and defining the relationships between policies. For more information about trigger policy parameters, see Trigger configuration parameters. You can click Save as Template to save a manually configured policy as a template, which allows you to directly import it for future configurations.
-
Import existing template: Click Import Existing Template. In the Import Existing Template dialog box, select a custom trigger template and click OK. For more information about how to configure a trigger template, see Configure a trigger template.
Handling Settings
Prohibition
Prohibit App-initiated Connections to Internal Networks: Users who match the policy cannot connect to the SASE with the SASE app.
WarningThis feature requires SASE app version 4.7.0 or later.
Prohibit Connection to Office Network: Users who match the policy cannot connect to the Prohibit Connection to Office Network. Devices that are already connected to the office network are denied access on their next connection attempt.
Notifications & audit
-
Audit: Logs response and recovery operations. You can view response and recovery logs in Log Audit. For more information about how to view dynamic decision-making logs, see View the response process.
-
In-app Prompt: Prompts are displayed in the app only when the "Prohibit connection to the internal network via the app" action is triggered.
-
In-app Notification Content: Customize the notification content. You can set prompts in both Chinese and English.
-
-
In-client Notification to User: Set the pop-up title and content. If a user triggers the dynamic policy, the SASE app is forcibly logged out, and a pop-up notification is displayed. You can set prompts in both Chinese and English.
-
CloudMonitor Notification to System Administrator: SASE delivers response events to CloudMonitor.
Restoration Method
Automatic Restoration After Remediation
If a user or device is remediated and no longer matches the trigger conditions, the enforced action is automatically reversed during the next policy evaluation.
Restoration After Authentication and Reporting
-
Validity Period of Reporting: If a user triggers a dynamic policy, the SASE client is forcibly logged out. The user must log in again to regain access. During the Validity Period of Reporting, the dynamic policy will not be triggered again.
-
Authentication Method: Re-logon is selected by default. The user must log on to the SASE app again to complete authentication.
-
-
Click OK.
Example: Manually configure a dynamic policy
If you configure a dynamic policy as described in this example, the specified response actions are triggered when the SASE app version is earlier than v4.5.1 or when the QQ application is detected on an office device.
In the Trigger Configuration panel, for the first condition, choose Device information > Basic device information > SASE app version > Less than, and enter 4.5.1. For the second condition, choose Device information > Device application information > Device software information > Includes any of, and enter QQ. Set the logical operator between the two conditions to OR.
Trigger configuration parameters
Other operations
The created policies are displayed in the dynamic policy list. SASE applies the configured response actions to devices that match a policy.
You can perform the following operations as needed:
-
Filter: Filter policies by Policy Name.
-
Edit: Click Details to view or modify a dynamic policy.
-
Delete: Click Delete to delete a dynamic policy. You can also select multiple policies and delete them in bulk.
-
Status: Click the switch in the Status column to enable or disable a dynamic policy.
Related documents
For more information about how to view SASE product events in CloudMonitor, see View system events.