Multi-App Match Enforcement Mode
This enforcement mode for ZTA private access considers all possible private resource matches (including duplicates) for a given access request during policy evaluation, rather than narrowing down to the single most-specific resource match, while still selecting rules according to the top-down rule priority ordering.
The ZTA private access enforcement evaluation functions as follows:
- Identify all possible private resources that apply to the access request destination.
  - In the case of IPs, match all resources whose IPs or CIDRs contain the requested destination IP.
  - In the case of FQDNs, match all resources whose exact domains or wildcards cover the requested FQDN.
- Evaluate the rules that would apply to the requesting user/source and ANY of the identified possible resource matches.
- Still use the rule priority/definition order to decide which rule to match:
  - Evaluation is done top-down, with rule #1 checked before rule #2, and so on.
  - Each rule is evaluated and skipped if there is no perfect match (including posture requirements); on a rule match, evaluation stops with that rule as the selection and the proxy moves past the evaluation phase.
  - In a "tie-breaker" scenario (the selected rule covers more than one of the matched resources), the most-specific matching resource is considered.
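The following Python model is an added illustration of the evaluation order described above, not code from the product. It assumes a rule references resources by name, carries a set of user groups and a set of required posture checks, and that list position is rule priority; the resource, group and posture names are constructed. The `multi_app` switch contrasts this mode with narrowing to the single most-specific resource first, so the same request can land on a different rule depending on the mode.

```python
"""Reference model of ZTA private-access rule evaluation (added example).
All resource, rule, group and posture names below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class Resource:
    """A private resource defined by an IP, CIDR, exact FQDN or wildcard FQDN."""
    name: str
    target: str

    def _is_network(self) -> bool:
        return "/" in self.target or _is_ip(self.target)

    def matches(self, destination: str) -> bool:
        if self._is_network():
            if not _is_ip(destination):
                return False
            net = ipaddress.ip_network(self.target, strict=False)
            return ipaddress.ip_address(destination) in net
        dest = destination.lower().rstrip(".")
        target = self.target.lower().rstrip(".")
        if target.startswith("*."):
            return dest.endswith(target[1:])   # wildcard covers names below the suffix
        return dest == target                  # exact FQDN

    def specificity(self) -> int:
        """Higher is more specific; only compared among resources of one kind."""
        if self._is_network():
            return ipaddress.ip_network(self.target, strict=False).prefixlen
        if self.target.startswith("*."):
            return self.target.count(".")      # longer suffix = more specific
        return 10_000                          # exact FQDN beats any wildcard


@dataclass(frozen=True)
class Rule:
    """One policy rule; its index in the rule list is its priority (0 = rule #1)."""
    name: str
    groups: FrozenSet[str]
    resources: FrozenSet[str]                  # names of resources the rule covers
    required_posture: FrozenSet[str] = frozenset()
    action: str = "allow"


def evaluate(rules: List[Rule], resources: List[Resource], destination: str,
             user_groups: Set[str], posture: Set[str],
             multi_app: bool = True) -> Optional[Tuple[str, str, str]]:
    """Return (rule name, matched resource name, action) or None if no rule matches."""
    candidates = [r for r in resources if r.matches(destination)]
    if not candidates:
        return None
    if not multi_app:
        # Single-match behaviour: keep only the most-specific resource.
        candidates = [max(candidates, key=Resource.specificity)]
    for rule in rules:                         # top-down: rule #1 before rule #2 ...
        if not (rule.groups & user_groups):
            continue
        hits = [r for r in candidates if r.name in rule.resources]
        if not hits:
            continue
        if not rule.required_posture <= posture:
            continue                           # posture not satisfied: move past rule
        chosen = max(hits, key=Resource.specificity)   # tie-breaker within the rule
        return rule.name, chosen.name, rule.action
    return None


# Constructed sample policy: a broad network, one host inside it, and two FQDN apps.
RESOURCES = [
    Resource("corp_net", "10.0.0.0/8"),
    Resource("db_host", "10.1.2.3/32"),
    Resource("all_internal", "*.corp.example"),
    Resource("hr_app", "hr.corp.example"),
]
RULES = [
    Rule("eng-corp-net", frozenset({"eng"}), frozenset({"corp_net"})),
    Rule("eng-db", frozenset({"eng"}), frozenset({"db_host"}),
         required_posture=frozenset({"disk_encrypted"})),
    Rule("hr-app", frozenset({"hr"}), frozenset({"hr_app", "all_internal"})),
]

if __name__ == "__main__":
    for mode in (True, False):
        print("multi_app" if mode else "single  ",
              evaluate(RULES, RESOURCES, "10.1.2.3", {"eng"}, set(), multi_app=mode))
    print(evaluate(RULES, RESOURCES, "hr.corp.example", {"hr"}, set()))
```

For an engineer without the `disk_encrypted` posture reaching `10.1.2.3`, multi-app mode matches rule #1 through the broad `corp_net` resource because that rule comes first, whereas single-match mode narrows to `db_host`, finds rule #2 blocked by posture, and ends with no match. The `hr.corp.example` request shows the tie-breaker: rule #3 covers both the wildcard and the exact FQDN, and the exact one is reported.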