Cisco
Login
Search
Software Secure Access
Activity Manage

Cisco Secure Access Help Get Started With Internet Access Rules Components for Internet Access Rules Sources

Last updated: Aug 14, 2025

Sources

You can configure internet access rules for specific source-destination pairs. Sources are the users, groups of users, or other entities that comprise the "From" end of traffic where Secure Access applies an access rule.

You can use these reusable sources on internet access rules:

  • Users

    You can apply rules to the traffic for the users in the organization.

  • Groups and Organizational Units

    You can apply rules to the traffic for users in AD Groups and Google Workspace Organizational Units.

  • Roaming Devices

    You can apply rules to traffic originating from managed devices that have the Cisco Secure Client installed, but that may not currently be on the corporate network.

  • Network Objects

    You can apply rules to the traffic originating from IP addresses in network segments defined by Network Objects.

  • Network Object Groups

    You can apply rules to the traffic originating from IP addresses in network segments defined by Network Objects in Network Object Groups.

  • Endpoint Devices

    You can apply internet access rule security controls to AD devices in Secure Access. Once provisioned, AD devices are available as sources on internet access rules. You can select all AD devices or individual AD devices identified by device name. For more information about AD device provisioning, see Manage Users, Groups, and Endpoints Devices.

  • Registered Networks

    You can apply rules to traffic originating from IP addresses in network segments defined by Registered Networks.

    • When on a Registered Network, users devices can send traffic to the Secure Access DNS resolvers and the Secure Web Gateway (SWG) directly. In this scenario, user devices are not required to deploy the Cisco Secure Client with the Internet Security and VPN modules or deploy IPsec tunnels (RAVPN).

    • If the user device has the Cisco Secure Client deployed with the Internet Security and VPN modules, then traffic is sent over IPsec tunnels to Secure Access.

  • Sites

    You can apply rules to traffic originating from IP addresses in network segments defined by Secure Access Sites.

  • Network Devices

    You can apply rules to traffic originating from network devices.

  • Security Group Tags

    You can apply rules to traffic originating from IP addresses in network segments that include Security Group Tags.

  • Catalyst SD-WAN Service VPN IDs

    You can apply rules to traffic originating from IP addresses in network segments that include VPN IDs. Be aware that if the same VPN ID (VPN 88 for example) is assigned across different branches, then traffic coming into Secure Access from these branches is subject to the same policy. A Secure Access policy rule cannot differentiate traffic between branches using the same VPN ID.

  • Network Tunnel Groups

    You can apply rules to the traffic originating from IP addresses in network segments defined by Network Tunnel Groups.

In a rule, you can also specify sources by typing in IP addresses and subnets, but these are NOT reusable source components. If you do this, you can type in port and protocol in the rule's destination.

For more information, see About Configuring Sources in Internet Access Rules.

Previous topic Components for Internet Access Rules Next topic Destinations