About Location Context Policy
Location Context Policy can be used to allow or block connections to CloudConnexa based on the IP address of the connecting device. The policy can be configured to block or allow connections based on whether the device's IP address matches a range of IP addresses or a country. The device's country is determined by using IP address geolocation, which refers to locating a device's geographic area based on its IP address.
Location Context Policy can be used to allow or block connections to CloudConnexa based on the IP address of the connecting device. The policy can be configured to block or allow connections based on whether the device's IP address matches a range of IP addresses or a country. The device's country is determined by using IP address geolocation, which refers to locating a device's geographic area based on its IP address.
Location Context policies are often used to enhance security and comply with regulations.
The Location Matching Logic
Here are the high-level steps that CloudConnexa performs to enforce the Location Context policy:
When a device attempts to connect to your WPC, CloudConnexa checks to see if a Location Context policy is associated with the User Group of which the device's user is a member.
Given that there is an associated Location Context policy, CloudConnexa will carry out the enforcement steps in the order that follows:
If a configured range of IP addresses or subnets is present, try to match the device's IP address with the list in the IP Address or Subnet of the Device matches option. If a match exists, CloudConnexa will allow or reject the connection as per the configured action. Otherwise, it will check to see if there is a country match.
Suppose a configured list of countries is present. In that case, CloudConnexa will geolocate the device based on its IP address and try to match the geolocated country with the configured list in the Country matches option. If a match exists, CloudConnexa will allow or reject the connection as per the configured action. Otherwise, it will carry out the block/allow action configured for the IP Address & Country failed to match option.
Policy Configuration Examples
Below is the policy configuration section of a Location Context policy that allows only connections from the Benelux region for a user group.
Below are screenshots of the Location Context Policies section with some example policies.
Adding a Location Context Policy
To add a new Location Context policy, follow the steps below:
Navigate to Users > Location Context.
Click Add Policy.
Provide a Name for the policy and, optionally, a Description.
Add the User Groups for which this policy should apply in the Apply To section.
Configure the Block/Allow action for IP Address range matches, Country matches, and the action that must occur when the device's IP address does not match a configured IP address or Country.
Note
Note that the policy configuration must contain at least a Country or IP Address.
Click Add Policy.
Editing an Existing Location Context Policy
To edit an existing policy, follow the steps below:
Navigate to Users > Location Context.
Click the icon to edit one of the listed policies.
Make the required edits.
Click Update Policy.
Deleting an Existing Location Context Policy
To delete an existing policy, follow the steps below:
Note
To stop policy enforcement for a specific User Group, edit the policy to remove the User Group from the Apply To section instead of deleting the policy.
Navigate to Users > Location Context.
Click on the Name of the policy.
Click on the icon present in the top right corner.
Click Delete in the confirmation dialog.
Location Context Policy FAQ
- 1. Where can I configure the Location Context policy?
- 2. What are some examples of how Location Context policy can be used?
- 3. How is the location of the device determined by its IP address?
- 4. Can multiple Location Context policies be applied to the same user?
- 5. What happens when I add a User Group currently associated with another Location Context policy to a new Location Context policy?
1. | Where can I configure the Location Context policy? |
Location Context policy configuration can be found under the Users menu option of the administration portal. | |
2. | What are some examples of how Location Context policy can be used? |
Location Context policy can be used to enforce company policy or add additional context to zero trust policies. For example, if the company policy is that all data communications should not leave France, then a Location Context policy can be associated with all User Groups to allow connections only from devices in France and block all others. Another example could be to add a layer of security for the User Group that contains users that have privileged access. You can add a Location Context policy that allows connections only from the IP address ranges of office locations for that specific User Group. | |
3. | How is the location of the device determined by its IP address? |
The Internet Assigned Numbers Authority (IANA) is responsible for the global coordination of IP address allocation. IANA hierarchically assigns IP addresses. Users' devices are given IP addresses by their Internet service providers (ISPs). ISPs obtain IP address allocations from a Local Internet Registry (LIR), National Internet Registry (NIR), or their appropriate Regional Internet Registry (RIR). IANA allocates pools of unallocated IP addresses to the RIRs. There are five RIRs, each responsible for one of these regions: Africa Region; Asia/Pacific Region; Canada, USA, and some Caribbean Islands; Latin America and some Caribbean Islands; Europe, the Middle East, and Central Asia. An individual IP address can be geolocated using a database or service that tracks the hierarchical assignment of IP addresses from the RIR, NIR, and LIR to the various ISPs and their allocation to different ISP regional and metropolitan networks. | |
4. | Can multiple Location Context policies be applied to the same user? |
Currently, a User can be mapped to one User Group, and each User Group can have only ONE Location Context policy associated with it. Therefore, only one Location Context policy can be enforced for a user based on the User Group that the user is a part of. | |
5. | What happens when I add a User Group currently associated with another Location Context policy to a new Location Context policy? |
The User Group will be associated with the new policy. For example, if Location Context policy 'A' is applied to User Group 'Sales' and another Location Context policy 'B' is created or edited and 'Sales' is added to it, on saving of policy 'B,' only policy 'B' will be enforced for 'Sales.' The 'Sales' User Group will be absent from policy 'A.' |