Design Guidelines for Access Rules
Because the appliance processes your access control rules sequentially, the order in which you organize them is
significant in terms of whether access is permitted or denied. Carefully review your security policy settings to
avoid inadvertently placing rules in the wrong order.
• Put your most specific rules at the top of the list. As a general rule, the most specific rules belong at the
top of the list. Putting broader rules that grant more permissions at the top may cause the appliance to find a
match before it has a chance to process your more restrictive rules.
• Be careful with Any rules. If you create a rule that does not restrict access to a particular user or
destination resource, carefully consider its impact on the rules below it, since a match on the Any rule stops
further evaluation.
• Optimizing performance. Because the appliance evaluates rules in sequential order, you can optimize
performance by placing the network resources that are accessed most frequently at the top of the list.
• Avoid resource and access method incompatibilities. In some very specific cases, certain combinations
of resource types and access methods can create problems with your access policy. AMC validates your
rule and notifies you of potential problems when you save it. Refer to "Security Administration" in the
Installation and Administration Guide for details on resolving incompatibility issues.
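The ordering behaviour described above, as an added example that is not SonicWall's code or the appliance's actual evaluator: it models a rule as a user selector plus a resource selector evaluated top-down with first-match semantics and an implicit final deny, and adds a simple check that flags any rule that an earlier, broader rule makes unreachable. The rule names and the "contractor"/"intranet" values are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Union

ANY = "any"  # wildcard selector: matches every user or every resource
Selector = Union[str, FrozenSet[str]]  # either ANY or an explicit set of names


@dataclass(frozen=True)
class Rule:
    name: str
    users: Selector
    resources: Selector
    action: str  # "permit" or "deny"


def _matches(sel: Selector, value: str) -> bool:
    return sel == ANY or value in sel


def _superset(outer: Selector, inner: Selector) -> bool:
    # True when every user/resource that `inner` matches is also matched by `outer`.
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return inner <= outer


def evaluate(rules: List[Rule], user: str, resource: str) -> str:
    """Sequential first-match evaluation; nothing matched means deny."""
    for r in rules:
        if _matches(r.users, user) and _matches(r.resources, resource):
            return r.action
    return "deny"


def shadowed(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule fully covers them."""
    unreachable = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if _superset(earlier.users, r.users) and _superset(earlier.resources, r.resources):
                unreachable.append(r.name)
                break
    return unreachable


# Constructed policy: a broad Any-user permit placed above a narrower deny.
BROAD_FIRST = [
    Rule("permit-any-intranet", ANY, frozenset({"intranet"}), "permit"),
    Rule("deny-contractor-intranet", frozenset({"contractor"}), frozenset({"intranet"}), "deny"),
]
SPECIFIC_FIRST = list(reversed(BROAD_FIRST))  # same two rules, specific rule on top
```

With the broad rule first, a contractor reaching the intranet is permitted and the deny rule is reported as shadowed; swapping the order restores the intended deny without affecting other users.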
End Point Control
You can use End Point Control to classify devices as they attempt to connect to the appliance. When a device
matches a profile that you have created, it is assigned to an EPC zone of trust, where the device is granted a
certain amount of access, quarantined, or denied access altogether. In addition, once a device is classified into a
given zone, you can keep checking it at a set interval to see if it meets your EPC requirements.
An EPC zone can reference one or more device profiles. Multiple device profiles are useful if users with similar
VPN access needs use different computer platforms. For example, you could configure an EPC zone that
references a device profile for Windows computers, and another zone for Macintosh computers.
Zones are in turn referenced in a community, which determines what data protection agents are deployed.
Optionally, you can reference a zone in an access control rule to determine which resources are available to
users in that zone.
The figure "EPC evaluation process" illustrates the EPC evaluation process performed by the SMA appliance when
a user connects to it.
[Figure: EPC evaluation process]
SonicWall SMA Connect Tunnel 12.0 Deployment Planning Guide
22
Planning Your VPN