About Zero Trust Policies
Applies To: WatchGuard Cloud
Configure zero trust policies to specify which resources users can authenticate to and which authentication methods they can use (Push, QR code, and OTP). When you configure a policy, you specify:
- Which user groups the policy applies to.
- Which resources the policy applies to.
- Which conditions apply to the authentications.
- Whether the policy allows or denies authentications.
- Which authentication methods are required.
User groups that do not have a policy for a specific resource do not have access to that resource.
Zero trust policies have several key components:
Targets are the user groups that a policy applies to. You can select any groups that have been added to AuthPoint.
Resources are the applications and services that your users connect to, such as Salesforce, Microsoft 365, a VPN, or your Firebox. Zero trust policies apply only when users from the target groups authenticate to the specified resources. For more information about how to configure resources in AuthPoint, go to Configure MFA.
Conditions are the specific criteria that must be met for a policy to apply. They enable you to create more granular policies based on factors such as location, time, and user behavior. When you add a condition to a policy, the policy applies only to authentications that match that condition. For example, if you add a specific network location to a policy, the policy applies only to user authentications that come from that network location.
- Network location conditions enable you to configure a list of IP addresses. You can then configure specific policies that apply only when users authenticate from these IP addresses.
- Geofence conditions enable you to specify a list of countries. You can then configure policies that apply only when users authenticate from the specified countries.
- Geokinetics conditions compare the user's current location and the location of their last valid authentication. Policies with a geokinetic condition automatically deny authentications from a location the user could not have travelled to since their previous authentication, based on the distance and time between authentications.
- Time schedule conditions enable you to specify the dates and times when authentication policies apply to user authentications.
For more information, go to About Zero Trust Conditions.
The action determines whether the policy allows or denies authentications. If you allow access, you choose what authentication options users can select when they authenticate.
Authentication options include:
- Password
- Push notification
- QR code
- One-time password
Requirements and Recommendations
When you configure zero trust policies, make sure you follow these requirements and recommendations:
- You must have at least one group before you can configure policies.
- RADIUS
    - For RADIUS authentication, policies that have a network location or geofence condition do not apply because AuthPoint does not have the IP address of the end user or the origin IP address.
    - RADIUS resources do not support QR code authentication.
    - If you enable the push and OTP authentication methods for a policy, RADIUS resources associated with that policy use push notifications to authenticate users.
    - You must enable the push authentication method for policies with MS-CHAPv2 RADIUS resources.
- Logon app
    - We recommend that the policy for the Logon app includes the QR code or OTP authentication options so users can authenticate when they are not connected to the Internet.
    - Only the Logon app resource supports offline authentication.
- Conditions
    - When you add conditions to a policy, the policy applies only to user authentications that match those conditions. Users who have only a policy that includes a condition do not get access to the resource when the authentication does not meet the settings specified in the condition. This is because they do not have a policy that applies, not because authentication is denied.
    - Policies with network locations apply only to user authentications that come from that network location. Users who only have a policy that includes a network location cannot access the resource when they authenticate outside of that network location.
    - Policies with geofences apply only to user authentications that come from a country specified in the geofence policy object. Users who only have a policy that includes a geofence cannot access the resource when they authenticate outside of the specified countries.
    - Policies with time schedules apply only to user authentications during the specified time schedule. Users who only have a policy that includes a time schedule cannot access the resource when they authenticate outside the hours of that time schedule.
    - Geokinetics conditions do not affect the circumstances under which a policy applies to an authentication.
    - If you add conditions to a policy, we recommend that you create a second policy for the same groups and resources without the conditions. Assign a higher priority to the policy with the conditions.
      Geokinetics conditions work differently than other conditions because they apply after an authentication is complete. When you add a geokinetics condition to a policy, you do not have to create a second policy without the geokinetics condition.
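As an added illustration that is not WatchGuard's code, the following Python model applies the rules this page states (target and resource matching, condition matching, the RADIUS exceptions, and the "no applicable policy" outcome) to constructed authentication attempts. The Policy fields, the priority ordering, and the shape of the authentication dictionary are assumptions made for the example.

```python
# Constructed model of how this page describes zero trust policy evaluation.
# Not WatchGuard code: the Policy fields and priority semantics are assumptions.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Policy:
    name: str
    priority: int                # assumption: lower number = higher precedence (checked first)
    groups: set                  # target user groups
    resources: set
    action: str                  # "allow" or "deny"
    methods: set = field(default_factory=set)      # push, otp, qr, password
    networks: list = field(default_factory=list)   # network location condition
    countries: set = field(default_factory=set)    # geofence condition

def conditions_match(p, auth):
    # RADIUS: AuthPoint has no end-user IP, so network/geofence policies never apply
    if auth["radius"] and (p.networks or p.countries):
        return False
    if p.networks and not any(ip_address(auth["ip"]) in ip_network(n) for n in p.networks):
        return False
    return not p.countries or auth["country"] in p.countries

def evaluate(policies, auth):
    """First policy in precedence order whose target, resource and conditions all match.
    No match means no access, reported as 'no_policy' rather than 'deny', which is
    the distinction the page draws for users who only have a conditional policy."""
    for p in sorted(policies, key=lambda pol: pol.priority):
        if auth["group"] not in p.groups or auth["resource"] not in p.resources:
            continue
        if not conditions_match(p, auth):
            continue
        if p.action == "deny":
            return ("deny", p.name, frozenset())
        methods = set(p.methods)
        if auth["radius"]:
            methods.discard("qr")                # RADIUS resources cannot use QR code
            if {"push", "otp"} <= methods:       # push and OTP both enabled: push is used
                methods = {"push"}
        return ("allow", p.name, frozenset(methods))
    return ("no_policy", None, frozenset())

# Constructed sample: a network-conditioned policy plus the recommended fallback policy
# for the same group and resource at lower precedence.
OFFICE = Policy("Office-Salesforce", 1, {"Sales"}, {"Salesforce"}, "allow",
                {"push"}, networks=["203.0.113.0/24"])
ANYWHERE = Policy("Anywhere-Salesforce", 2, {"Sales"}, {"Salesforce"}, "allow",
                  {"push", "otp", "qr"})
REMOTE_AUTH = {"group": "Sales", "resource": "Salesforce", "radius": False,
               "ip": "198.51.100.7", "country": "US"}
```

Evaluating REMOTE_AUTH against OFFICE alone yields no_policy; adding ANYWHERE at lower precedence restores access, which is the second-policy recommendation above.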
Add Zero Trust Policies
To configure a zero trust policy, from WatchGuard Cloud:
1. Go to Configure > Zero Trust. If you have a Service Provider account, you must select an account from Account Manager.
2. Click Add Policy.
3. Enter a name to identify your policy.
4. In the Target section, from the Content drop-down list, select which groups this policy applies to. You can make multiple selections to add multiple groups.
5. In the Resources section, select the AuthPoint resources this policy applies to.
6. In the Conditions section, select the conditions that apply to this policy. When you add a condition to an authentication policy, the policy applies only to user authentications that match the policy and the policy conditions. For more information about conditions, go to About Zero Trust Conditions.
    - (Optional) To create a new condition, click Add New Condition. After you create a new condition, you must still add the condition to the policy.
    - From the Type drop-down list, select the type of condition to add to the policy.
      For RADIUS authentication, policies that have a network location or geofence condition do not apply because AuthPoint does not have the IP address of the user or the origin IP address.
    - From the Name drop-down list, select which condition of the chosen type to add to the policy.
    - To add more conditions, repeat Step 6.
    If you add conditions to a policy, we recommend that you create a second policy for the same groups and resources without the conditions. Assign a higher priority to the policy with the conditions. For more information about priority, go to About Zero Trust Policy Precedence.
7. In the Action section, select an option to specify whether to allow or deny authentications for the resources in this policy.
    - Allow — Allow user groups in this policy access to the resources associated with this policy.
    - Deny — Deny authentications when users in the groups associated with this policy try to authenticate to the resources associated with this policy.
8. If you allow access with this policy, select the check box for each authentication option users can select when they authenticate to resources in this policy with MFA.
    If you enable the push and OTP authentication methods for a policy, RADIUS resources associated with the policy use push notifications to authenticate users.
    QR code authentication is not supported for RADIUS resources.
    Geokinetics policy objects are not applied for Logon app, RD Web, and ADFS resources if the policy requires only a password (no MFA).
9. Click Save.
    Your policy is created and added to the end of the policy list.
10. Review the order of your policies and adjust as necessary. For more information about policy order, go to About Zero Trust Policy Precedence.