Configure a Service Access Object

A Service Access object defines the conditions that traffic must meet to access a service, such as remote access VPN on the threat defense device. This object defines conditions as multiple rules to be executed in an order. Each service access rule has an Allow or Deny action and a set of match criteria such as country, continent, or user-defined geolocation objects. These rules manage access based on geolocations and ensure that only traffic from approved regions can access the specified services. If the traffic does not match any rules, the default action is enforced.

Before you begin

Configure geolocation objects. For more information, see Geolocation.
Configure a remote access VPN policy. For more information, see Create a New Remote Access VPN Policy.

Procedure

Step 1

Choose Objects > Object Management.

Step 2

In the left pane, click Access List > Service Access.

Step 3

Click Add Service Access Object to create a new object.

Step 4

In the Add Service Access Object dialog box, configure the following parameters:

In the Name field, enter a name for the object.
Click Add Rule to create service access rules for this object. In the Add Service Access Rule dialog box, configure the following parameters:
1. Choose an action as Allow or Deny from the drop-down list.
2. From Available Countries, select countries, continents, or user-defined geolocation objects and move them to the Selected Geolocation list.
3. Click Add.
After you create a service access rule, a sequence number is assigned to the rule. This number determines the execution order of the rule. You cannot reorder these rules.

Step 5

From the Default Action drop-down list, choose Allow All Countries or Deny All Countries.

Step 6

(Optional) Check the Allow Overrides check box and click + to configure overrides for the service access object for devices.

Note	When you define an override for a device or a domain, whenever the system configures this object on the device or domain, it uses the override value instead of the value defined in the original object.

Step 7

(Optional) In the Add Service Access Override dialog box, configure the following parameters:

From the Target Devices and Domains drop-down list, choose the required devices or domains for the override.
Verify if you require the existing rules. Otherwise, delete them.
Click Add Rule to create service access rules for this object override.
1. Choose an action as Allow or Deny from the drop-down list.
2. From Available Countries, select countries, continents, or user-defined geolocation objects and move them to the Selected Geolocation list.
3. Click Add.
From the Default Action drop-down list, choose Allow All Countries or Deny All Countries.
Click Add.

Step 8

Click Save.

What to do next

Configure the Service Access object in the remote access VPN policy. For more information, see Configure Access Interfaces for Remote Access VPN.