Network and Tunnel Identities for AnyConnect Users is now Generally Available to customers. Umbrella can now apply network- and tunnel-based rulesets and rules to computers with the AnyConnect SWG module installed when they are connected to a company network. This feature was enabled for all customers on January 27, 2022.
Reviewing Your Deployment
This enhancement may have changed the applied policy for a customer in the following scenario:
- Using the AnyConnect SWG module
- Have Registered Networks or Network Tunnels in Umbrella
- Have created Web Rulesets for Tunnels / Networks (non-default)
- Have Web Rulesets/Rules for Tunnels at a higher priority than rules for AnyConnect, AD Users, or AD Groups
Web Policy Settings
Your web policy might not be applied as expected if:
- the Network/Tunnel rules are at a higher precedence than rules which affect AnyConnect clients
- the Network/Tunnel rules are at a higher precedence than rules which affect Users/Groups
To ensure that the rules are behaving as expected, depending on the desired outcome, you can:
- Increase the priority of AnyConnect, User, and Group rules to maintain the current behaviour where AnyConnect-provided identities are always applied; or
- Leave the Network/Tunnel rules at a higher priority so that AnyConnect users will be subject to the Network/Tunnel policy when visiting the office network.
If your web policy is not being applied correctly, you can check by using the Web Policy Tester on the Umbrella Dashboard.
If you have any questions about how your rules and rulesets are being applied, you can use the Umbrella Policy Debug Tool, copy or download the results, and submit a ticket to Support with the results included.
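The precedence interaction described under Web Policy Settings can be reasoned about offline with a small model. The following is an added example, not Cisco code or an Umbrella API: it assumes a simplified first-match evaluation (highest-priority ruleset that matches any identity on the request wins), and all ruleset names, identity labels and helper functions are constructed for illustration.

```python
from dataclasses import dataclass

# Identity kinds that AnyConnect supplies (labels are constructed for this example).
CLIENT_KINDS = {"anyconnect", "ad_user", "ad_group"}

@dataclass(frozen=True)
class Ruleset:
    name: str
    identities: frozenset  # (kind, name) pairs the ruleset is applied to

def applied_ruleset(rulesets, request_identities):
    """Assumed model: first ruleset, in priority order, matching any identity."""
    for rs in rulesets:
        if rs.identities & request_identities:
            return rs.name
    return "Default"  # assumed catch-all ruleset

def audit(rulesets, client_ids, network_ids):
    """Compare the result without and with the network/tunnel identity attached."""
    before = applied_ruleset(rulesets, frozenset(client_ids))
    after = applied_ruleset(rulesets, frozenset(client_ids) | frozenset(network_ids))
    return {"before": before, "after": after, "changed": before != after}

def reorder_client_first(rulesets):
    """First option above: raise AnyConnect/User/Group rulesets over the rest."""
    def is_client(rs):
        return any(kind in CLIENT_KINDS for kind, _ in rs.identities)
    return sorted(rulesets, key=lambda rs: not is_client(rs))  # stable sort

# Constructed sample: a tunnel ruleset sits above the user/group rulesets.
SAMPLE = [
    Ruleset("HQ Tunnel", frozenset({("tunnel", "hq-ipsec")})),
    Ruleset("Engineering Group", frozenset({("ad_group", "Engineering")})),
    Ruleset("Roaming Laptops", frozenset({("anyconnect", "laptop-042")})),
]
CLIENT = {("anyconnect", "laptop-042"), ("ad_group", "Engineering")}
NETWORK = {("tunnel", "hq-ipsec")}

if __name__ == "__main__":
    print("as deployed:", audit(SAMPLE, CLIENT, NETWORK))
    print("reordered:  ", audit(reorder_client_first(SAMPLE), CLIENT, NETWORK))
```

A result with `changed` set to true marks an ordering where an AnyConnect user in the office now receives the Network/Tunnel policy; confirm the real outcome with the Web Policy Tester.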