To ensure holistic security precautions, we recommend securing each distinct private application with at least two policies:
A Gateway DNS policy with the appropriate identity and device posture values, targeting the domain list that defines your application. Policy enforcement happens at the request resolution event, before the user’s device makes a connection request to the application itself; if denied here, no traffic will reach your private network.
A Gateway network policy with the same identity and device posture values as the DNS policy, targeting the IP list that defines your application. You can optionally include the domain list by matching the SNI header. Then, you can include any combinations of ports or protocols that are relevant for application access. Network policy enforcement happens after the user passes the DNS policy, when the user’s device attempts to connect to the target application.
We recommend adding a catch-all policy to the bottom of your network policy list. An effective Zero Trust model should prioritize default-deny actions to avoid any overly permissive policy building. For example,
Traffic Selector
Operator
Value
Logic
Destination IP
in list
All private network ranges
Or
SNI Domain
in list
All private apex domains
Action
Block
Network policies are evaluated in top-down order, so if a user does not match an explicitly defined policy for an application, they will be blocked.
To learn how multiple policies interact, refer to Order of enforcement.