About Zero Trust Conditions

Applies To: WatchGuard Cloud

With zero trust conditions, you can set parameters that must be met for a policy to apply to a user authentication. These parameters enable you to create more granular policies based on factors such as location, time, and user behavior. You configure conditions and then add them to policies.

Zero Trust Condition Types

You can configure these kinds of conditions:

Network Locations

Network location conditions enable you to specify a list of IP addresses. You can then configure authentication policies that apply only when users authenticate from the IP addresses in the specified network location.

Time Schedule

Time schedule conditions enable you to specify the dates and times when authentication policies apply to user authentications. When you add a time schedule to an authentication policy, the policy applies only when a user authenticates during the specified time schedule.

Geofence

Geofence conditions enable you to specify a list of countries. You can then configure authentication policies that apply only when users authenticate from those countries. You might do this if you want to enforce different MFA requirements for different locations or if you want to block authentication from specific countries.

Geokinetics

Geokinetics conditions compare the user's current location with the location of their last valid authentication. Policies with a geokinetics condition automatically deny authentications from a location the user could not have travelled to since their previous authentication, based on the distance and the time elapsed between the two authentications.
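The distance-over-time comparison described above can be illustrated with a small impossible-travel check. This is an added example, not WatchGuard code; the geolocation coordinates, the sample events and the 1000 km/h speed ceiling are all constructed assumptions (the product's real threshold is not documented on this page).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional, Tuple

EARTH_RADIUS_KM = 6371.0
# Assumed ceiling on plausible travel speed (roughly airliner cruising speed).
# The threshold the product actually uses is not stated on this page.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


@dataclass(frozen=True)
class AuthEvent:
    """One valid authentication: the geolocated source and its timestamp."""
    user: str
    lat: float
    lon: float
    when: datetime


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two latitude/longitude points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlambda = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def geokinetics_verdict(previous: Optional[AuthEvent], current: AuthEvent,
                        max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH) -> Tuple[str, float]:
    """Return ("allow" | "deny", speed in km/h the user would have needed).

    The check only ever denies. A user with no previous valid authentication has
    nothing to compare against, so the attempt passes on to the other policy rules.
    """
    if previous is None:
        return "allow", 0.0
    distance_km = haversine_km(previous.lat, previous.lon, current.lat, current.lon)
    elapsed_h = (current.when - previous.when).total_seconds() / 3600.0
    if elapsed_h <= 0:
        # Same instant, or clock skew: any displacement at all is impossible.
        return ("deny", float("inf")) if distance_km > 0 else ("allow", 0.0)
    speed_kmh = distance_km / elapsed_h
    return ("deny" if speed_kmh > max_speed_kmh else "allow"), speed_kmh


# Constructed sample locations (approximate public city coordinates).
NEW_YORK = (40.7128, -74.0060)
LONDON = (51.5074, -0.1278)
BOSTON = (42.3601, -71.0589)


def demo() -> dict:
    """Run the check over constructed scenarios; returns the verdict for each."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    last_login = AuthEvent("alice", *NEW_YORK, when=t0)
    scenarios = {
        # London one hour after New York: ~5,570 km in 1 h, beyond any flight.
        "ny_then_london_1h": AuthEvent("alice", *LONDON, when=t0 + timedelta(hours=1)),
        # Boston five hours after New York: ~306 km in 5 h, an ordinary train ride.
        "ny_then_boston_5h": AuthEvent("alice", *BOSTON, when=t0 + timedelta(hours=5)),
    }
    results = {name: geokinetics_verdict(last_login, ev)[0] for name, ev in scenarios.items()}
    results["first_login_no_history"] = geokinetics_verdict(None, last_login)[0]
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Because the verdict is computed against the last valid authentication rather than against the policy's other conditions, the check runs after the authentication itself has succeeded, which is why the page notes that geokinetics does not need a second, unconditioned policy.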

Conditions Behavior and Recommendations

When you add conditions to an authentication policy, the policy applies only to user authentications that match those conditions.

For example, you add a network location for your corporate network to a policy for Group A. This policy now applies only to user authentications that come from the corporate network. If this is the only policy for Group A, users in that group do not have access to resources when they authenticate outside of the corporate network (because they do not have a policy that applies, not because authentication is denied).

We recommend that you create a second policy for the same groups and resources without the condition. Users whose only policy includes a condition do not get access to the resource when the authentication does not meet the settings specified in that condition (again, because no policy applies to them, not because the authentication is denied).

  • Users who have only a policy that includes a network location do not get access to the resource when they authenticate outside of that network location.
  • Users who have only a policy that includes a time schedule do not get access when they authenticate outside the hours of that time schedule.
  • Users who have only a policy that includes a geofence do not get access to the resource when they authenticate outside of the specified countries.

If you have two policies (one with a condition and one without), assign a higher priority to the policy with the condition. For more information, go to About Policy Precedence.
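The following added example (not WatchGuard code) models the behaviour described in this section: a policy applies only when its group, resource and every attached condition match, the highest-priority applicable policy wins, and an authentication with no applicable policy returns nothing rather than an explicit deny. The policy names, group, resource, CIDR block, schedule and priority numbering (lower number evaluated first) are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AuthContext:
    """What the policy engine knows about one authentication attempt."""
    user: str
    groups: FrozenSet[str]
    resource: str
    source_ip: str
    country: str          # ISO 3166-1 alpha-2 code from geolocation
    when: datetime        # local time of the authentication


@dataclass
class Conditions:
    """Optional constraints; an empty field means no constraint of that kind."""
    network_locations: List[str] = field(default_factory=list)     # CIDR blocks
    countries: List[str] = field(default_factory=list)             # geofence
    schedule: Optional[Tuple[Set[int], time, time]] = None         # (weekdays, start, end)

    def matches(self, ctx: AuthContext) -> bool:
        if self.network_locations:
            addr = ip_address(ctx.source_ip)
            if not any(addr in ip_network(cidr) for cidr in self.network_locations):
                return False
        if self.countries and ctx.country not in self.countries:
            return False
        if self.schedule is not None:
            weekdays, start, end = self.schedule
            if ctx.when.weekday() not in weekdays or not (start <= ctx.when.time() < end):
                return False
        return True


@dataclass
class Policy:
    name: str
    group: str
    resource: str
    priority: int          # assumption: lower number = higher precedence
    conditions: Conditions = field(default_factory=Conditions)


def select_policy(policies: List[Policy], ctx: AuthContext) -> Optional[Policy]:
    """Return the highest-precedence policy whose group, resource and conditions all match.

    None means no policy applies, which the page distinguishes from a denied authentication.
    """
    applicable = [p for p in policies
                  if p.group in ctx.groups and p.resource == ctx.resource
                  and p.conditions.matches(ctx)]
    return min(applicable, key=lambda p: p.priority) if applicable else None


# Constructed policies for "Group A" reaching the "intranet" resource.
CORP_NET = Conditions(network_locations=["10.0.0.0/8"])
BUSINESS_HOURS = Conditions(schedule=({0, 1, 2, 3, 4}, time(8, 0), time(18, 0)))
US_ONLY = Conditions(countries=["US"])
CONDITIONAL_ONLY = [Policy("corp-network", "Group A", "intranet", priority=1, conditions=CORP_NET)]
WITH_FALLBACK = CONDITIONAL_ONLY + [Policy("anywhere", "Group A", "intranet", priority=2)]
HOURS_ONLY = [Policy("office-hours", "Group A", "intranet", priority=1, conditions=BUSINESS_HOURS)]
GEOFENCE_ONLY = [Policy("us-only", "Group A", "intranet", priority=1, conditions=US_ONLY)]


def demo() -> dict:
    """Evaluate constructed authentications; returns the chosen policy name (or None) per case."""
    monday_10am = datetime(2024, 1, 15, 10, 0)     # 2024-01-15 is a Monday
    saturday_10am = datetime(2024, 1, 20, 10, 0)   # 2024-01-20 is a Saturday

    def ctx(ip: str, country: str = "US", when: datetime = monday_10am) -> AuthContext:
        return AuthContext("alice", frozenset({"Group A"}), "intranet", ip, country, when)

    def name(p: Optional[Policy]) -> Optional[str]:
        return p.name if p else None

    return {
        "on_network": name(select_policy(CONDITIONAL_ONLY, ctx("10.1.2.3"))),
        "off_network_no_fallback": name(select_policy(CONDITIONAL_ONLY, ctx("203.0.113.5"))),
        "off_network_with_fallback": name(select_policy(WITH_FALLBACK, ctx("203.0.113.5"))),
        "on_network_with_fallback": name(select_policy(WITH_FALLBACK, ctx("10.1.2.3"))),
        "weekend_hours_only": name(select_policy(HOURS_ONLY, ctx("10.1.2.3", when=saturday_10am))),
        "abroad_geofence_only": name(select_policy(GEOFENCE_ONLY, ctx("203.0.113.5", country="FR"))),
    }


if __name__ == "__main__":
    for case, chosen in demo().items():
        print(f"{case}: {chosen}")
```

The "on_network_with_fallback" case shows why the conditioned policy needs the higher precedence: both policies match an on-network authentication, and precedence is what selects the stricter one. Without that ordering the unconditioned fallback would be chosen every time and the condition would never take effect.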

Geokinetics conditions work differently than other conditions because they apply after an authentication is complete. When you add a geokinetics condition to an authentication policy, you do not have to create a second policy without the geokinetics condition.

Related Topics

About Zero Trust Policies

About Zero Trust Policy Precedence