Managing Policy Groups – Byos

Overview

What are Policy Groups?

Policy Groups in the Byos solution are what Edges are grouped by to which specific policies are assigned.

Policy Groups are displayed in the table with the most high level information present:

Name – Common name given to the Policy Group

External Network – The set of routing rules which dictate the behavior of how the Edge routes traffic to the WAN and internet

Zone [Membership] – A Zone is a sub-network within your Byos Secure Lobby Overlay environment that governs traffic between other Zones on Layer 3. Every Policy Group must have a Zone membership. This enables Edges within the Policy Group to be assigned a Byos IP address to be reachable via the Secure Lobby Overlay.

Edges in Group – These are the Edges within this Policy Group, and not your entire Byos environment.

Blocked Countries – A count of blocked countries via set via the Country Policy

Internal Network – The IP address of the internal interface of the Edge…the Microsegment. This is what is used to access the Local Web Dashboard running on the Edge. It applies to all Edges in the Policy Group.

DHCP Enabled – Indicated whether or not DHCP has been enabled for Edges in the Policy Group

What Policies are included?

There are many different types of policies that can be configured by the Edge

External Network Settings - ie. how the Edge communicates with the i) local network, ii) the internet, and iii) the Byos Secure Lobby Overlay

Internal Network Settings - ie. the internal Microsegment (LAN) side of the Edge.

Filtering - which Countries, IPs, ports, and protocols the Edges can communicate with

How do Policy Groups relate to Zones?

Policy Groups inherit the Secure Lobby Overlay network settings from the assigned Zone. Each Policy Group is automatically included in the Default Zone upon creation, until otherwise assigned.

Add a Policy Group

Name Policy Group

Select which Zone the Policy Group should belong to

Select the External Network Settings for the Edges in the Policy Group

For more information about the different configurations of the External Network Settings, please view this: Routing Rules

Select which Edges should be included in the Policy Group

Select whether or not Local Authentication is required

Configure the Internal Microsegment’s Network Settings

Enable/Disable DHCP

Enable/Disable Ping Requests

Select the Network ID and CIDR

Editing Policy Groups

From the table, select the policy group or policy that you want to modify, and the side bar will open to that page so the changes can be made.

Clicking on a specific policy criteria will take you directly to that item to edit.

Policy Details

Modify the Policy Group Name

From the dropdown menu, select which Zone you want the Policy Group to belong.

Every Policy Group must be assigned to a Zone. This enables all Edges within the group to be assigned a Byos IP address to be reached at within the SL overlay. The Edges in the Policy Group will be given Byos IPs in the IP range shown in the brackets, ie. 10.16.16.0/24)

Edges

Add or remove Edges from the Policy Group.

Note: the brackets display the Byos IP address of the Edge, which i) corresponds to the Zone’s Network ID/CIDR and ii) indicates the Edge is connected to the SL Overlay

Note: removing Edges from a Policy Group will put them back into the Default Policy Group.

Filtering

The Byos Secure Edge can filter inbound and outbound traffic by Countries. This works by blocking sessions from being established with Servers in said country

ℹ️

The next roadmap filtering features are blocking i) IP addresses and ranges, and ii) Ports

External Network

These are the Network Settings for the Edge port facing the WAN or Network. The External Network setting controls how the Byos Secure Edge routes traffic to the world. For a more comprehensive explanation of all of the routing rules and scenarios, please click here: External Network Routing Rules

Internal Network

The Internal Network Settings determine how the Assets communicate to the Secure Edge within the microsegemnt. The Network ID what is used to access the Local Web Dashboard running on the Edge.

ℹ️

Reminder: these settings apply to all Edges in the Policy Group, so if you change the network ID, the location of the Local Web Dashboard will change for all Edges assigned to the Policy Group.

There are various internal Network Settings for the Edge port facing the Assets or Assets within the Microsegment

Enable/Disable DHCP on the Secure Edge

Enable/Disable Ping Requests - to Allow/Disallow Assets to ping the Secure Edge

Local Authentication - see below

Local Authentication

Local Authentication is the policy for preventing/denying a User from changing settings in the local dashboard/app to with/without being logged in. When:

Local Authentication is Enabled, you have to log in to the Dashboard/App to change settings

Local Authentication is Disabled, you can change settings locally without having to log into the Dashboard/App

If a network has previously been connected to and is saved by the Gateway, it will auto-connect and traffic will be able to reach the microsegment even with Local Auth enabled, but for conferences, I would recommend having it Disabled to save you from having to log in every time the session ends.

ℹ️

When the Edge goes through a power cycle, traffic to the microsegment is stopped until the Edge is commanded by the Policy to re-allow it. For that, three factors come into play: 1) the Edge is licensed 2) the policy allows internet access 3) the User has authenticated to the Edge locally The local authentication toggle disables #3.