AppGate ZTNA manages access on an individual level, automating the creation and management of firewall rules to minimize errors and prevent over-provisioning.
Application Discovery is essential for transitioning from a traditional network to a ZTNA model. Traditional VPNs often obscure which applications users access, complicating the definition of necessary policies and entitlements. Application Discovery enables organizations to identify user-connected apps and establish appropriate policies and entitlements.
Policies
Policies serve as the entry point to the AppGate ZTNA system, granting rights to users or devices post sign-in. There are five classes of policies:
Access via Gateways based on entitlements and applicable conditions.
Admin rights for administrative roles (admin UI and APIs).
Device controls pushed to the AppGate Client (such as ringfence rules or client profile settings).
DNS settings, including match-domain DNS settings and required entitlements for specified DNS servers.
Stop policies, which halt further policy assignment and prevent the user/device from authenticating.
Policies are assigned per user using claims-based expressions, managed by the Controller, which passes the resulting settings/entitlements to the client.
Claims
Claims are key-value pairs that relate to the identity and context of the user or device and are specific to each session.
There are several types of claims:
Context. Based on helper functions that evaluate conditions such as whether the connecting device is within a given IP range.
User. Static, non-changing claims such as username from the IdP, user claims script, or Connector.
Device. Dynamic, changeable claims such as the IP address of the connecting device.
System. Dynamic, changeable claims such as the country code reported by the Gateway.
And two classes of availability within the system:
Built-in (formerly Fixed). Set by the system; will always be gathered.
Scripted (formerly On-demand). Configured by the admin; gathered when required.
The Controller can utilize multiple claims when assigning a policy to a user, which are included in the claims token for Gateway use.
Scripts
The AppGate ZTNA system has evolved to allow nearly all aspects of the access control process to be scriptable, facilitating interoperability with various external systems and network environments. User claim scripts determine what and when access rights are granted, while criteria scripts focus on the timing of specific access rights.
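The following is an added example, not AppGate code and not AppGate's policy or script syntax. It models the flow described in the Policies, Claims and Scripts sections above: a claims token is assembled from user, device, system and context claims (the context claim is produced by an IP-range helper), each policy carries an expression over that token, a Stop policy halts assignment for the session, and a criteria script on one entitlement decides when that entitlement applies. All policy names, claim keys, hosts and addresses are constructed for illustration.

```javascript
// Context-claim helper (constructed): is an IPv4 address inside a CIDR range?
function ipInCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const toInt = (a) => a.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (toInt(ip) & mask) === (toInt(net) & mask);
}

// Built-in claims are always gathered; the context claim stands in for a
// scripted (on-demand) claim evaluated through a helper at sign-in.
function buildClaimsToken(session) {
  return {
    user: { username: session.username, groups: session.groups },
    device: { ip: session.deviceIp, jailbroken: session.jailbroken },
    system: { hourUtc: session.hourUtc, countryCode: session.countryCode },
    context: { onSiteNetwork: ipInCidr(session.deviceIp, "10.0.0.0/8") },
  };
}

// Policies (constructed): `match` is the claims-based expression, `type` is
// one of the five classes named on the page.
const policies = [
  { name: "everyone-dns", type: "dns", match: () => true,
    dns: { servers: ["10.0.0.53"], matchDomains: ["corp.example"] } },
  { name: "engineering-git", type: "access",
    match: (c) => c.user.groups.includes("engineering"),
    entitlements: [{ id: "git-ssh", host: "git.corp.example", port: 22 }] },
  { name: "finance-erp-office-hours", type: "access",
    match: (c) => c.user.groups.includes("finance"),
    entitlements: [{ id: "erp-https", host: "erp.corp.example", port: 443,
      // Criteria script: the entitlement is granted only during business hours (UTC).
      criteria: (c) => c.system.hourUtc >= 8 && c.system.hourUtc < 18 }] },
  { name: "block-jailbroken", type: "stop", match: (c) => c.device.jailbroken === true },
  { name: "admin-on-site", type: "admin", roles: ["read-only"],
    match: (c) => c.context.onSiteNetwork && c.user.groups.includes("it-admins") },
];

// Controller-side assignment: evaluate every policy against the claims token
// and collect what each matching policy contributes.
function assignPolicies(session, policyList) {
  const claims = buildClaimsToken(session);
  const result = { claims, policies: [], entitlements: [], adminRoles: [], dns: [], stopped: false };
  // A matching Stop policy ends assignment: nothing is granted and sign-in is refused.
  if (policyList.some((p) => p.type === "stop" && p.match(claims))) {
    result.stopped = true;
    return result;
  }
  for (const p of policyList) {
    if (p.type === "stop" || !p.match(claims)) continue;
    result.policies.push(p.name);
    if (p.type === "access") {
      for (const e of p.entitlements) {
        // The criteria script decides *when* an assigned entitlement applies.
        if (!e.criteria || e.criteria(claims)) result.entitlements.push(e.id);
      }
    } else if (p.type === "admin") {
      result.adminRoles.push(...p.roles);
    } else if (p.type === "dns") {
      result.dns.push(p.dns);
    }
  }
  return result;
}

// Demo: a finance user signing in remotely after hours keeps the policy but
// not the time-gated entitlement.
const demo = assignPolicies(
  { username: "bob", groups: ["finance"], deviceIp: "203.0.113.5", jailbroken: false, hourUtc: 20, countryCode: "US" },
  policies,
);
console.log(JSON.stringify({ policies: demo.policies, entitlements: demo.entitlements }));
```

The split between `match` (which policies apply) and `criteria` (when an entitlement inside an applied policy is live) mirrors the page's distinction between user claim scripts and criteria scripts; keeping Stop evaluation ahead of everything else ensures a blocked device never receives partial entitlements.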
REST API
The Controller APIs enable nearly all administrative functions available through the UI. For example, adding an entitlement to a policy can be scripted externally and executed via the appropriate REST API call, allowing provisioning systems to add related entitlements for newly-created server instances.