FireCloud Access Rules

Applies To: FireCloud Internet Access

FireCloud access rules determine when FireCloud allows or denies connections. FireCloud matches each connection to a rule based on the user groups that the connecting user belongs to. You can configure which of these security services apply to the traffic each rule handles:

  • Content Filtering — Blocks specific content categories and applications. For more information, go to Content Filtering in FireCloud.
  • Geolocation — Detects the geographic locations of connections to and from your network. You can enable and configure Geolocation to block access to and from specific locations. For more information, go to Add Geolocation Actions in FireCloud.
  • Content Scanning — Protects against spyware, viruses, malicious applications, spam email, and data leakage. For more information, go to Content Scanning in FireCloud.

FireCloud has a Default rule that applies to all connections from all users. The Default rule has all security services enabled with default configuration settings. You cannot edit or delete the Default rule.

If you do not want to use the Default rule, you can disable it. If the Default rule is disabled and a user connection does not match any other access rules, FireCloud denies the connection.

You do not have to deploy your changes when you add, edit, or reorganize access rules.

Rule Priority

The rules list shows access rules in order of priority, from highest to lowest. For each connection, FireCloud applies the highest priority rule that matches the source (the group that the user belongs to).

When you add a new rule, it shows at the top of the list. To change the order of access rules in the list, you can drag a rule to move it.

You cannot change the priority of the FireCloud Default rule. The Default rule has a lower priority than all other access rules, and is only used if it is the only rule or if no other rules apply.
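
The evaluation order described above, modelled as an added Python example (not WatchGuard code and not a FireCloud API). The Rule class, the group names, and exact-match comparison of group names are assumptions for illustration; the sample rules are constructed. It also reports rules that can never be the first match because higher-priority rules already cover every group they name, which is worth checking after a new rule lands at the top of the list.

```python
from dataclasses import dataclass

DEFAULT = "Default"  # built-in rule: lowest priority, matches all users

@dataclass
class Rule:
    name: str
    groups: set          # user groups the rule applies to (its source)
    enabled: bool = True

def evaluate(rules, user_groups, default_enabled=True):
    """Return the name of the rule that handles a connection, or None (deny).

    `rules` is ordered like the rules list: highest priority first.
    """
    user_groups = set(user_groups)
    for rule in rules:
        # Disabled rules do not apply to user traffic, so skip them.
        if rule.enabled and rule.groups & user_groups:
            return rule.name
    # No access rule matched: fall back to Default, or deny if it is disabled.
    return DEFAULT if default_enabled else None

def shadowed(rules):
    """Names of enabled rules that no user can ever reach first."""
    covered, hidden = set(), []
    for rule in rules:
        if not rule.enabled:
            continue
        # Every group in this rule is already claimed by a higher rule.
        if rule.groups and rule.groups <= covered:
            hidden.append(rule.name)
        covered |= rule.groups
    return hidden

# Constructed sample: a broad rule was just added, so it sits at the top.
SAMPLE_RULES = [
    Rule("Contractors-Relaxed", {"Contractors", "Engineering"}),
    Rule("Engineering-Strict", {"Engineering"}),
    Rule("Finance", {"Finance"}, enabled=False),
]

if __name__ == "__main__":
    for groups in (["Engineering"], ["Finance"], ["Sales"]):
        print(groups, "->", evaluate(SAMPLE_RULES, groups))
    print("Default disabled:", evaluate(SAMPLE_RULES, ["Sales"], default_enabled=False))
    print("shadowed:", shadowed(SAMPLE_RULES))
```
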

Add FireCloud Rules

To create new rules for traffic that comes from specific user groups, you can add FireCloud access rules. When you add a rule, all available security services are enabled in the rule by default. In the rule settings for Content Filtering and Geolocation, you select which action the rule uses.

After you add a new rule, we recommend that you review the order of your access rules. FireCloud always adds a new rule to the top of the rule list, which makes it the highest priority rule.

To add a FireCloud rule, from WatchGuard Cloud:

  1. Select Configure > FireCloud.
  2. Click the Access Rules tile.
    The Access Rules page opens.
  3. Click Add Access Rule.
    The Add Rule page opens.
  4. In the Name text box, type a name for this rule.
  5. Specify the user groups the rule applies to. You can specify multiple groups for one rule.
    • If you use WatchGuard Cloud Directories and Domain Services for your identity provider, click Add User Group. Select the user groups that you want the rule to apply to and click Add.
    • If you use a SAML identity provider, type the group names, pressing Enter or Return between each group name.
  6. If you do not want to allow end-users to disconnect from FireCloud, disable the Allow users to manually disconnect from FireCloud toggle. This removes the Disconnect option from the Connection Manager.

    When you disable this setting in an access rule, for the change to take effect in the Connection Manager you must go to the Usage Report and manually log out impacted users that have already connected to FireCloud. This resets the cached Connection Manager authentication session.

  7. If you want FireCloud to include the X-Forwarded-For (XFF) header, enable the Add XFF header to help websites display the correct language toggle. The XFF header includes the public IP address of the end-user, and web browsers use this IP address for language localization. Some FireCloud users connect to a FireCloud Point of Presence with an egress IP address of a different country, which can cause browsers to show a different language than the user expects. This setting enhances the accuracy of language localization for end-users and improves the FireCloud experience.
  8. To enable or disable a security service, select the Internet Access tab and click the toggle for the service. For Content Filtering and Geolocation, select the action for this rule to use from the drop-down list.
  9. Click Save.
    Your rule is created and added to the top of the rule list.

Enable or Disable a FireCloud Rule

If you want to keep a rule but do not want the rule to apply to user traffic, you can disable the rule.

To enable or disable a rule:

  1. Select Configure > FireCloud.
  2. Click the Access Rules tile.
    The Access Rules page opens.
  3. In the row for an access rule, click the toggle in the Enabled column to enable or disable the access rule.

Related Topics

Content Scanning in FireCloud

Content Filtering in FireCloud

Add Geolocation Actions in FireCloud