Applying ACL rules

ACL rules apply to all Gateway users in the tenant. ACL rules evaluate each network access attempt in the order in which they are displayed in the management console, from the top down; the first rule that matches decides the outcome. The Default rule is always evaluated last and, if none of the previous rules match, blocks access to all resources. The Default rule cannot be disabled or modified.

When you create ACL rules, BlackBerry recommends that you create them so that they are displayed in this order:

  1. Block access to Internet content that belongs to Gateway-specified categories
  2. Block access to non-categorized services based on your organization's requirements
  3. Allow access to organization-wide services in the private network
  4. Allow access to all public Internet destinations
  5. Default

This table provides examples of rules and their necessary settings:

Rule: Allow users to access public Internet destinations

This rule allows users to access any destination that your organization considers to be the public Internet. Users will not be able to access the specified RFC 1918 (private) address ranges through this rule.

To create this rule, you can specify these settings:

  • In the Action section:
    • The Action list displays Allow.
    • The Check access attempts against Network Protection check box is selected. This setting allows the access attempt to pass the ACL but still be inspected further by Gateway.
  • In the Destination section:
    • The Target list displays Does not match.
    • In the Addresses and Ports section, in the Address field, enter the RFC 1918 network ranges (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16).

Rule: Allow users to access the private network

This rule allows users to access network services within your private network.

For users to access the private network, these prerequisites must be met:

  • Make sure that the Gateway Connector is installed in the network so that traffic can reach your private network. For instructions on how to install the Gateway Connector in your environment, see Setting up the Gateway Connector.
  • Make sure that you have defined a network service containing the private network resources that you want users to access. For information on how to define network services, see Define network services.

You can specify these settings:

  • In the Action section:
    • The Action list displays Allow.
    • Optionally, clear the Check access attempts against Network Protection check box. If it is cleared, Gateway performs no further inspection of traffic matched by this rule.
  • In the Destination section:
    • The Target list displays Matches any.
    • In the Network services field, select the network service that you want users to access.
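As an added example that is not part of this BlackBerry documentation, the following Python model reproduces the top-down, first-match evaluation described above for the two rules in the table (a Does not match rule over the RFC 1918 ranges and a Matches any rule over a private network service) and shows why block rules belong above the broad public-Internet allow rule. The rule names, the intranet network service and the blocked public range are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the evaluation this page describes: rules are checked
# top-down, the first rule that matches decides, and the Default rule, which is
# always last, blocks whatever nothing above it matched.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    name: str
    action: str            # "Allow" or "Block"
    target: str            # "Matches any" or "Does not match"
    networks: list         # destination networks the Target clause is tested against
    inspect: bool = True   # "Check access attempts against Network Protection"

def rule_matches(rule: Rule, dest: ipaddress.IPv4Address) -> bool:
    in_set = any(dest in net for net in rule.networks)
    return in_set if rule.target == "Matches any" else not in_set

def evaluate(rules: list, dest_str: str) -> tuple:
    """Return (rule name, action, inspected) for the first matching rule."""
    dest = ipaddress.ip_address(dest_str)
    for rule in rules:
        if rule_matches(rule, dest):
            return rule.name, rule.action, rule.inspect
    return "Default", "Block", False   # Default cannot be disabled or modified

# Constructed example networks: an internal network service and a public range
# (RFC 5737 documentation space) that the organization has decided to block.
INTRANET = [ipaddress.ip_network("10.20.0.0/16")]
BLOCKED_PUBLIC = [ipaddress.ip_network("203.0.113.0/24")]

block_rule = Rule("Block disallowed service", "Block", "Matches any", BLOCKED_PUBLIC)
private_rule = Rule("Allow private network", "Allow", "Matches any", INTRANET, inspect=False)
public_rule = Rule("Allow public Internet", "Allow", "Does not match", RFC1918)

RECOMMENDED = [block_rule, private_rule, public_rule]   # block rules above allow rules
MISORDERED = [public_rule, private_rule, block_rule]    # broad allow placed first

if __name__ == "__main__":
    for dest in ("203.0.113.10", "10.20.5.5", "192.168.1.1", "198.51.100.7"):
        print(dest, "recommended:", evaluate(RECOMMENDED, dest),
              "misordered:", evaluate(MISORDERED, dest))
```

With the misordered list the public-Internet allow rule matches 203.0.113.10 first, so the block rule below it never fires; a private address such as 192.168.1.1 that belongs to no defined network service falls through to the Default block in both orders.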