Ringfence rules control the local inbound and outbound connections of client devices. Review the Before you start section before configuring.
There are a number of points to consider when setting ringfence rules:
When ringfence rules are enabled, the client always applies two final actions after the actions from any rules: "allow out" + "block in". Because they come last, they have the lowest priority. If you want the clients to allow inbound connections, include an "allow in" action somewhere in your rules.
Ringfence rules can be used with the default route; the excluded subnets will be honored and not blocked.
A change in device location forces a reevaluation of policy and renewal of entitlement tokens, so an alternative policy with different ringfence rules could be specified, such as when the user connects to a shared WiFi hotspot in the airport.
Any number of ringfence rules can be created and any number of actions can be specified within each rule.
Select +Add to create a new ringfence rule, or select an existing rule to edit, and complete the following fields:
Name. Enter a name for the rule.
Notes. Optional. Enter any notes for the rule.
Tags. Click +Add to add tags to the rule.
Actions. Select +Add to open the Action window and complete the following fields:
Protected Hosts. Specify IP addresses or IP ranges.
Rule. Select ALLOW traffic or BLOCK traffic.
Protocol. Select the protocol and direction. Actions for TCP, UDP and ICMP in IPv4 and IPv6 can be set to ALLOW or BLOCK traffic in or out of the user's device. Actions are taken from all the policies that apply and are then ordered based on the type of action and the network resources specified:
The narrowest IP range defined always wins, so ALLOW 1.2.3.4/32 wins over BLOCK 1.2.3.0/24.
For two IP ranges that are the same, BLOCK always wins over ALLOW, so BLOCK 1.2.3.4/32 wins over ALLOW 1.2.3.4/32.
Ports. Specify the ports or port ranges.
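The ordering rules above, together with the implicit "allow out" + "block in" actions, can be checked before deployment with a small model. This is an added Python example, not the product's own code: the names Action, order_actions and decide are hypothetical, matching is on direction and IPv4 range only (protocol and ports are ignored), and the implicit actions are modelled as 0.0.0.0/0 entries placed after all explicit actions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Action:
    rule: str       # "ALLOW" or "BLOCK"
    direction: str  # "in" or "out"
    hosts: str      # Protected Hosts as CIDR, e.g. "1.2.3.0/24"

    @property
    def net(self):
        return ipaddress.ip_network(self.hosts)

# The two actions the client always applies last (lowest priority).
# Assumption: modelled as match-everything IPv4 ranges.
IMPLICIT = [Action("ALLOW", "out", "0.0.0.0/0"),
            Action("BLOCK", "in", "0.0.0.0/0")]

def order_actions(actions):
    """Narrowest range first; for identical prefix lengths BLOCK before ALLOW."""
    return sorted(actions, key=lambda a: (-a.net.prefixlen, a.rule != "BLOCK"))

def decide(actions, addr, direction):
    """Return the rule ("ALLOW"/"BLOCK") of the first action that matches."""
    ip = ipaddress.ip_address(addr)
    # Explicit actions from all policies are ordered, then the implicit
    # pair is appended so that any explicit action outranks it.
    for a in order_actions(list(actions)) + IMPLICIT:
        if a.direction == direction and ip in a.net:
            return a.rule
    return None

# Constructed sample actions, using the ranges from the text above.
SAMPLE = [Action("BLOCK", "in", "1.2.3.0/24"),
          Action("ALLOW", "in", "1.2.3.4/32")]

if __name__ == "__main__":
    for addr in ("1.2.3.4", "1.2.3.5", "8.8.8.8"):
        print(addr, "in ->", decide(SAMPLE, addr, "in"),
              "| out ->", decide(SAMPLE, addr, "out"))
```

With no explicit "allow in" action, every inbound address outside the listed ranges falls through to the implicit "block in".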