Starting March 31, 2021, a new feature called "Rule-Based Policy" will be gradually made Generally Available to Umbrella Secure Internet Gateway (SIG) customers. Web policies will be transitioned from their current policy model to a rule model. The old Web policies use a static order of operations for policy components, which represent one or more destinations. The components include Allow/Block Destination Lists, Application Settings, and Content Categories. The static order of operations was as follows:
- Allow Destination Lists
- Allow Application Settings
- Security Category Blocks
- Block Destination Lists
- Block Application Settings
- Content Category Blocks
Another restriction of the policy model was that all identities associated with the policy would receive that policy. So if a single user or group of identities needed a change in their web policy, a new web policy had to be created for them.
However, the new rule model places full control in the hands of the administrator. Some rules may be created that affect a large group of identities while other rules apply to a single identity or smaller groups of identities with no need to move these identities to a separate policy. Also, the order of operations is easily controlled by the administrator by simply reordering rules.
What Else Can Rules Do That the Old Policy Model Could Not?
New rules allow end users to perform the following, which the old model could not:
- Perform a "Warn" Action
- Override security after an "Allow" action is performed
- Time of Day and Day of Week Schedules for rule application
- Perform a "Warn" action for uncategorized destinations and applications
For more information, please see our setup documentation here: Manage Web Policies
What Is Actually Happening In This Transition?
A new rule language had to be created in Umbrella to facilitate the processing of rules, and with that a new database was created to store these rules. The transition has two steps:
- Existing policy components will be copied from the old database used by web policies to the new database used by rules. These components will be stripped of any action, i.e. allow or block, as rules will carry the action. Thus, policy components will become action agnostic. However, the copied components will inherit an “allow” or “block” label in their name to designate what their intention was in the old system, for context. Application settings will be a special case because they were unique in that they carried both allow and block actions. Any application settings component that carries both actions will be split into two, one for the allowed apps and one for the blocked apps. Up to 5 rules will be created for each transitioned web policy. If a web policy did not have all types of policy components configured for it, then only the components that were configured for that web policy will be transitioned, resulting in fewer auto-generated rules. Below is an example of a web policy that was transitioned with all 5 rules auto-generated.
- Once the backend is fully transitioned the new UI must be enabled. Note that until the new UI is enabled, anyone logging into the dashboard will still see and be able to interact with the old UI. NOTE: Any changes made to web policies at this incomplete stage will not be saved when the new UI is enabled.
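To check that a transitioned policy behaves like the original, the copy step described above can be modelled in a few lines. This is an added example, not Umbrella's code or schema: the data shapes, function names, first-match evaluation, default "allow" verdict, and the choice to leave Security Category Blocks out of the five generated rules are all assumptions made for illustration.

```python
# Added illustration: a simplified, hypothetical model, not Umbrella's schema or API.
# Legacy static order, minus Security Category Blocks (assumed to stay outside rules).
LEGACY_ORDER = [
    ("Allow Destination Lists", "allow"),
    ("Allow Application Settings", "allow"),
    ("Block Destination Lists", "block"),
    ("Block Application Settings", "block"),
    ("Content Category Blocks", "block"),
]

def components(policy):
    """Return the five action-agnostic match sets of a legacy web policy."""
    apps = policy.get("application_settings", {})
    return {
        "Allow Destination Lists": set(policy.get("allow_destinations", [])),
        # An application setting carrying both actions is split into two components.
        "Allow Application Settings": {a for a, act in apps.items() if act == "allow"},
        "Block Destination Lists": set(policy.get("block_destinations", [])),
        "Block Application Settings": {a for a, act in apps.items() if act == "block"},
        "Content Category Blocks": set(policy.get("blocked_categories", [])),
    }

def legacy_verdict(policy, request):
    """Old model: fixed order of operations; first matching component decides."""
    comps = components(policy)
    for name, action in LEGACY_ORDER:
        if comps[name] & request:
            return action
    return "allow"  # assumption: a request matching nothing is allowed

def transition(policy):
    """Emit one rule per configured component, keeping the legacy priority."""
    comps = components(policy)
    return [{"name": f"{policy['name']} - {name}", "action": action, "match": comps[name]}
            for name, action in LEGACY_ORDER if comps[name]]

def rule_verdict(rules, request):
    """Rule model: rules are evaluated top down; first match decides (assumption)."""
    for rule in rules:
        if rule["match"] & request:
            return rule["action"]
    return "allow"

# Constructed sample data: one policy with no block destination list configured.
SAMPLE_POLICY = {
    "name": "HQ",
    "allow_destinations": ["dest:intranet.example.com"],
    "application_settings": {"app:ShareA": "allow", "app:ShareB": "block"},
    "blocked_categories": ["cat:Gambling"],
}
SAMPLE_REQUESTS = [
    {"dest:intranet.example.com", "cat:Gambling"},
    {"dest:files.example.net", "app:ShareB"},
    {"dest:news.example.org", "cat:News"},
]
```

Comparing `legacy_verdict` with `rule_verdict(transition(policy), request)` over a set of representative requests gives a quick regression check; reordering the generated rules changes the verdict for requests that match more than one rule.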
When and how will this transition take place?
You will be provided a date and timeframe in which the transition will occur; this will be relayed by your Customer Success representative and/or our messaging system in your dashboard. An auto-generated rule will take the place and priority order of each configured policy component for all previous web policies. Once the new UI is enabled, the cutover is seamless and, since the auto-generated rules reflect the same action and priority as the legacy web policies, there will be no change in behavior when transitioning from web policies to rulesets. There is no downtime for Web Policy enforcement during this transition.
What happens to my changes after March 31, 2021?
During the transition, any changes made to your web policies will not be captured in the new rulesets. This is due to copying existing policy components from the old database to the new database. Once the copy is complete there may be a delay in enabling the new UI. Until the new UI is enabled, web policies will still be active and any changes to those web policies will be written to the old database and not converted to rules.
If you are working with a Customer Success Manager, Technical Account Manager, or Service Delivery Manager, then they will be able to address your questions. Technical issues should be directed to Umbrella Support.