Managing Policy Groups

A Primer on Policy Groups, and Policies.


What are Policy Groups?

Policy Groups in the Byos solution are what Edges are grouped by to which specific policies are assigned.

Notion image

Policy Groups are displayed in the table with the most high level information present:

  • Name Common name given to the Policy Group
  • External Network – The set of routing rules which dictate the behavior of how the Edge routes traffic to the WAN and internet
  • Zone [Membership] A Zone is a sub-network within your Byos Secure Lobby Overlay environment that governs traffic between other Zones on Layer 3. Every Policy Group must have a Zone membership. This enables Edges within the Policy Group to be assigned a Byos IP address to be reachable via the Secure Lobby Overlay.
  • Edges in Group – These are the Edges within this Policy Group, and not your entire Byos environment.
  • Blocked Countries – A count of blocked countries via set via the Country Policy
  • Internal Network – The IP address of the internal interface of the Edge…the Microsegment. This is what is used to access the Local Web Dashboard running on the Edge. It applies to all Edges in the Policy Group.
  • DHCP Enabled – Indicated whether or not DHCP has been enabled for Edges in the Policy Group

What Policies are included?

There are many different types of policies that can be configured by the Edge

  • External Network Settings - ie. how the Edge communicates with the i) local network, ii) the internet, and iii) the Byos Secure Lobby Overlay
  • Internal Network Settings - ie. the internal Microsegment (LAN) side of the Edge.
  • Filtering - which Countries, IPs, ports, and protocols the Edges can communicate with

How do Policy Groups relate to Zones?

Policy Groups inherit the Secure Lobby Overlay network settings from the assigned Zone. Each Policy Group is automatically included in the Default Zone upon creation, until otherwise assigned.

Add a Policy Group

  • Name Policy Group
  • Select which Zone the Policy Group should belong to
  • Select the External Network Settings for the Edges in the Policy Group
    • For more information about the different configurations of the External Network Settings, please view this: Routing Rules
  • Select which Edges should be included in the Policy Group
  • Select whether or not Local Authentication is required
  • Configure the Internal Microsegment’s Network Settings
    • Enable/Disable DHCP
    • Enable/Disable Ping Requests
    • Select the Network ID and CIDR
    • Notion image

Editing Policy Groups

From the table, select the policy group or policy that you want to modify, and the side bar will open to that page so the changes can be made.

Clicking on a specific policy criteria will take you directly to that item to edit.

Notion image

Policy Details

Modify the Policy Group Name

  • From the dropdown menu, select which Zone you want the Policy Group to belong.
  • Every Policy Group must be assigned to a Zone. This enables all Edges within the group to be assigned a Byos IP address to be reached at within the SL overlay. The Edges in the Policy Group will be given Byos IPs in the IP range shown in the brackets, ie.
Notion image


Add or remove Edges from the Policy Group.

  • Note: the brackets display the Byos IP address of the Edge, which i) corresponds to the Zone’s Network ID/CIDR and ii) indicates the Edge is connected to the SL Overlay
  • Note: removing Edges from a Policy Group will put them back into the Default Policy Group.
Notion image


The Byos Secure Edge can filter inbound and outbound traffic by Countries. This works by blocking sessions from being established with Servers in said country

Notion image
The next roadmap filtering features are blocking i) IP addresses and ranges, and ii) Ports

External Network

These are the Network Settings for the Edge port facing the WAN or Network. The External Network setting controls how the Byos Secure Edge routes traffic to the world. For a more comprehensive explanation of all of the routing rules and scenarios, please click here: External Network Routing Rules

Notion image

Microsegment Network

The Microsegment Network Settings determine how the Assets communicate to the Secure Edge within the microsegment. The Network ID what is used to access the Local Web Dashboard running on the Edge.

Reminder: these settings apply to all Edges in the Policy Group, so if you change the network ID, the location of the Local Web Dashboard will change for all Edges assigned to the Policy Group.

There are various internal Network Settings for the Edge port facing the Assets or Assets within the Microsegment

  • Packet Forwarding requiring Edge authentication
  • Enable/Disabling DHCP on the Secure Edge
  • Enable/Disable Ping Requests - to Allow/Disallow Assets to ping the Secure Edge
Notion image

Packet Forwarding

Packet Forwarding is the policy that determines if Authentication to the Edge is required for traffic to reach the internal microsegment. When:

  • Packet Forwarding is Enabled, traffic cannot reach the microsegment without the Edge being authenticated.
  • Packet Forwarding is Disabled, traffic can reach the microsegment without needing local authentication. This setting is typically used in an unattended setting, where a user may not always be present to authenticate.
This feature is a Gateway Edge only feature and is not present on Endpoint Edges. Endpoint Edge devices always require authentication for packet forwarding because of the risk of theft.

Setting a Static IP for the Edge

When the DHCP is turned off in the policy, the Edge Local IP address can be customized to meet static IP requirements.

Notion image
Did this answer your question?

Last updated on May 21, 2024