Allow/Deny Rule
An allow rule is where you allow users, groups, or devices access to specific items, such as files, folders, or applications, network connections, and URL redirection without providing full administrative privileges.
A deny rule is where you deny users, groups, or devices access to specific items, such as files, folders, or applications, network connections, and URL redirection.
Rule creation workflow steps:
- What Rule do you want to create?
- What items do you want to allow/deny? You can allow/deny the following types:
  - File/Application: Implementing File/Application execution
  - Network Connection: Implementing Application Network Access Control (ANAC) - Network Connection
  - URL: Implementing URL redirection
- When is the rule assigned?
- Summary and Save
The What options

The File/Application option lets you create a rule that will allow/deny specific applications or files to execute.
To configure File/Applications, see Create an Allow/Deny Rule for File/Applications.

Application Network Access Control (ANAC) provides the ability to control outbound network connections by IP Address, Host Name, URL, UNC path, or Port, based on the outcome of the rules processing.
The following Connection Types are available:
- IP Address - Select to control access to a specific IP Address.
- Network Share - Select to control access to UNC paths. The prefix \\ is added to the Host field.
- Host Name - Select to control access to a specific Host Name.
The following Connection Options are available:
- Host: The IP Address or Host Name for the network connection. This depends on the type of connection selected. The ? and * wildcards can be used. The - (hyphen) can be used to specify a range, but only when IP Address is selected.
  - An IP Address must be in IPv4 dotted format, for example n.n.n.n.
  - If Network Share is selected as the connection type, the \\ prefix is required.
  - The full path for the target resource can be entered in Host.
- Port: The port number of the network connection. This can be used in combination with IP Address or Host Name to control access to a specific port. Ranges and comma-separated values are allowed as part of the port number.
  Click Ports to display a list of commonly used ports. Select as many ports as required.
- Path: The path of the network connection. The ? and * wildcards can be used. The following Path options are available:
  - Text contains wildcard characters - Select to use the characters ? and * as wildcards in the Path. If not selected, ? and * are treated as URL delimiters.
  - Use Regular Expressions - Select this option to use regular expressions for the selected path.
  - Include subdirectories - Select to include subdirectories in the rules processing. Only applicable if the connection type Network Share is selected.
  The Path is only relevant for controlling HTTP.
To configure ANAC, see Create an Allow/Deny rule for Network Connection/Application Network Access Control (ANAC).

URL redirection allows administrators to create rules that automatically redirect users when they attempt to access a specified URL. By defining a list of prohibited URLs, you redirect any user attempting to access a listed URL to a default warning page or a custom web page. You can also choose to allow certain URLs which, when used in conjunction with redirects, gives you further flexibility and control and lets you create an allowlist of websites.
* The default Access Denied page displays the blocked URL.
* For URL redirection within Chrome and Edge browsers, all managed endpoints must be part of a domain.
To configure URL redirection, see Create an Allow/Deny rule for URL.
Creating the Allow/Deny rule - What do you want to allow?

Create an Allow/Deny Rule for File/Applications

- On the What do you want to do? page, select I want to allow/deny.
- Click Next.
The Allow/Deny Rule - What do you want to allow/deny? page appears.
- Select the following option and click Next.
  - File/Application: Allow/Deny specific applications or files to execute.
- In Select a source, use the drop-down to select the source of the items. Select from:
  - Blocked by Trusted Owners (only applicable for an Allow rule): This populates the Source Items section with a list of all items that App Control has logged as being blocked because they are not owned by a trusted owner.
  - App Templates: This populates the Source Items section with a list of all App Templates that have been created in App Control.
  - Alternatively, select Add file manually to display the Rule Item Settings panel, where you can specify which file you want to create the allow rule for.
- Select the required items. On selection, each item is added to the Selected Items section.
You can edit the item settings (Properties and Metadata) by opening the Rule Item Settings panel.
- Click Next.
The Allow/Deny Rule - When is this assigned? page appears.
- Continue with the Creating the Allow/Deny rule - When is this assigned? and Summary steps.

Create an Allow/Deny rule for Network Connection/Application Network Access Control (ANAC)

- On the What do you want to do? page, select I want to allow/deny.
- Click Next.
The Allow/Deny Rule - What do you want to allow/deny? page appears.
- Select the following option:
  - Network Connection: Allow/Deny specific network connections.
- In Select a source, use the drop-down to select Network Connections.
- In Network Connection, specify the connection type and enter the relevant Host, Port(s), or Path to configure the connection details:
  - IP Address: To Allow/Deny an IP address or a range of IP addresses.
  - Network Share: To Allow/Deny a Network Share. Enter the path to the Network Share in Host.
  - Host Name: To Allow/Deny a Host. Enter a Host Name.
- Click Add > Next.
The Allow/Deny Rule - When is this assigned? page appears.
- Continue with the Creating the Allow/Deny rule - When is this assigned? and Summary steps.

Create an Allow/Deny rule for URL

- On the What do you want to do? page, select I want to allow/deny.
- Click Next.
The Allow/Deny Rule - What do you want to allow/deny? page appears.
- Select the following option:
  - URL: Allow/Deny specific URLs.
- In Select a source, use the drop-down to select URLs.
- In URLs, specify the URL to Allow/Deny access to.
- (Optional) Deny Rule: Select one of the following options to control what is displayed when access is denied:
  - Display the Application Control default warning page when URL is denied
  - Display a custom page when URL is denied. Enter the URL of the page that you wish to display.
- Click Add > Next.
The Allow/Deny Rule - When is this assigned? page appears.
- Continue with the Creating the Allow/Deny rule - When is this assigned? and Summary steps.
Creating the Allow/Deny rule - When is this assigned? and Summary

- In Select a source, use the drop-down to select the source of the items. Any selected or added sources are displayed in the Selected Items section. Select from:
  - AD Groups: The AD Display and Group names are listed; you can use the search and filter to refine the list. Alternatively, you can manually add a group by clicking Add manually.
  - AD Users: Enter domain\username and click Add.
  - App Control Users: The usernames of users for whom App Control has recorded an event. Select the required users.
  - Computer Groups: Enter the computer group, for example CN=ComputerGroup. If you want to include nested groups, select Search nested groups. Click Add.
  - Device Organizational Units: Enter the organizational unit, for example OU=Corporation. If you want to include sub-OUs, select Include sub-OUs. Click Add.
  - Devices: The Device and Host names of all Windows devices discovered by Neurons are listed; you can use the search and filter to refine the list. Alternatively, you can manually add a device by clicking Add manually.
  - IP Addresses: Enter the IP addresses and select whether you want to match regular expressions against IP addresses. Click Add. For example:
    - 192.168.0.1: selects the client device with an IP of 192.168.0.1
    - 192.168.0.*: selects the client devices with an IP of 192.168.0.<any>
    - 192.168.0.15-25: selects all client devices within the IP range 192.168.0.15 to 192.168.0.25
  - Alternatively, select Everyone to create the rule for the Everyone group. This includes any user that logs on to a device that has the configuration successfully deployed, with the exception of Administrators.
- Once you have finished with the Selected Items, click Next.
The Save Rule and Rule Summary page appears.
- Enter a Name for the rule, and provide an optional Description.
- In Categories, enter an optional category tag for the rule. You can add an existing category or create a new one. The Categories assigned to a rule are visible in the Configuration Rules table.
  - To add: Click in Categories to display a drop-down list of existing categories, then select the required categories.
  - To create: Click in Categories and type the new category tag, then click out of the field to create and save the category.
- The default status for the rule is Active. If you do not want to make the rule active yet, toggle the Rule Status to off.
- Click Save to save the rule and return to the configuration, where the new rule is listed in the Rules section.
Alternatively, click Save & Add another to save the rule and return to the What do you want to do? page to create another rule for the configuration.
- When you have added all the rules to the configuration, click Save to save the configuration as a draft, or click Save & Publish to save the version of the configuration.
Once published, the configuration is available for assignment to a policy.
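As an added example, not part of the Ivanti documentation or the product, the following Python models how the entry syntax described on this page is matched: the ? and * wildcards and the hyphen range allowed in the Host field under Connection Options, the comma-separated values and ranges allowed in Port, and the same 192.168.0.* and 192.168.0.15-25 forms used by the IP Addresses assignment source above. Rule precedence (first match wins), a hyphen range covering only the last octet, and an empty port entry meaning any port are assumptions of this model, not behaviour the page documents.

```python
import fnmatch
import ipaddress
import re

# Added model of the entry syntax on this page, not Ivanti's rule engine. Assumed:
# hyphen range covers the last octet only, empty ports = any port, first match wins.

def ip_matches(pattern, ip):
    """n.n.n.n, n.n.n.* (wildcards) or n.n.n.a-b (range, IP Address type only)."""
    addr = ipaddress.IPv4Address(ip)  # raises on anything that is not IPv4
    m = re.fullmatch(r"(\d+\.\d+\.\d+)\.(\d+)-(\d+)", pattern)
    if m:
        prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        return (ipaddress.IPv4Address(f"{prefix}.{lo}") <= addr
                <= ipaddress.IPv4Address(f"{prefix}.{hi}"))
    return fnmatch.fnmatchcase(ip, pattern)  # exact address or ? / * wildcards

def host_matches(pattern, host):
    """Host Name entries: case-insensitive ? and * wildcard match."""
    return fnmatch.fnmatchcase(host.lower(), pattern.lower())

def parse_ports(spec):
    """'80,443,8000-8010' -> {80, 443, 8000, ..., 8010}; '' means any port."""
    ports = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return ports

def evaluate(rules, ip, host, port):
    """First matching rule's action, or None. Rule keys: type, host, ports, action."""
    for rule in rules:
        if rule["type"] == "IP Address":
            target_ok = ip_matches(rule["host"], ip)
        else:
            target_ok = host_matches(rule["host"], host)
        ports = parse_ports(rule.get("ports", ""))
        if target_ok and (not ports or port in ports):
            return rule["action"]
    return None

# Constructed sample rules written in the page's entry syntax.
RULES = [
    {"type": "Host Name", "host": "*.example.internal", "ports": "443", "action": "allow"},
    {"type": "IP Address", "host": "192.168.0.15-25", "ports": "", "action": "deny"},
    {"type": "IP Address", "host": "10.0.*.*", "ports": "80,8000-8010", "action": "deny"},
]
```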