Network and Tunnel Identities for AnyConnect Users is now in Limited Availability. Umbrella customers can apply network- or tunnel-based rulesets and rules to computers with the AnyConnect SWG module installed when they are connected to a company network. While the feature is in Limited Availability, it can be requested through Support; it will become generally available in the future.
Reviewing Your Deployment
To ensure that your current rules and rulesets are being applied correctly, check your web policy settings if you:
- Use the AnyConnect SWG module
- Have Registered Networks or Network Tunnels in Umbrella
- Have created Web Rulesets for Tunnels / Networks (non-default)
- Have Web Rulesets/Rules for Tunnels at a higher priority than rules for AnyConnect, AD Users, or AD Groups
Web Policy Settings
Your web policy might not be applied as expected if:
- the Network/Tunnel rules are at a higher precedence than rules that affect AnyConnect clients
- the Network/Tunnel rules are at a higher precedence than rules that affect Users/Groups
To ensure that the rules are behaving as expected, depending on the desired outcome, you can:
- Increase the priority of AnyConnect, User, and Group rules to maintain the current behaviour where AnyConnect-provided identities are always applied; or
- Leave the Network/Tunnel rules at a higher priority so that AnyConnect users will be subject to the Network/Tunnel policy when visiting the office network.
If your web policy is not being applied correctly after this feature has been enabled, or you are unsure which identity is taking precedence, you can check by using the Web Policy Tester on the Umbrella Dashboard.
If you have any questions about how your rules and rulesets are being applied, you can use the Umbrella Policy Debug Tool, copy or download the results, and submit a ticket to Support with the results included.