SaaS Applications

Configuring SaaS Application Policies

The Axis SWG (Secure Web Gateway) provides custom SaaS-specific controls to restrict the actions a user can perform within that SaaS application. To apply controls, an administrator simply creates custom SaaS definitions that specify which actions to control, and then adds that SaaS definition in a policy rule.

For example, to block the Google Drive application, a SaaS Application definition that matches “Google Drive”. This SaaS application would then be added to a block rule in the Policy list. Since the Web Traffic Default Rule is set to “Allow” by default, all other SaaS traffic would be allowed except for Google Drive

Create a Custom SaaS Application

  1. Log into the Axis Management console and navigate to the Policy->SaaS Applications screen.

  1. Click on “New SaaS Application” to open a configuration form.
  2. In the “Select Application” field, begin typing the name of the SaaS application to be added. The auto-complete function will guide the selection to the desired application. Once identified, select the application.

Once Selected, the “Category” field should be automatically populated with the associated Web Category.

  1. In the “Name” field, add the name of this application. For example “Google Drive - Uploads”
  2. Optional: Add a description in the “Description” field.
  3. Select the desired connector zone in the “Connector Zone” pulldown. The Connector Zone indicates the network from which SaaS traffic is sent from. The SaaS application will view the user’s SaaS activity as originating from the configured Connector Zone
    By default, the “Public Connector Zone” is pre-selected. However, there are other options that can be configured.
    a. Public Connector Zone: The default pre-selected zone. SaaS destined traffic will egress from an Axis selected public IP.
    b. Custom Zone (Private): This is a customer configured zone under Settings->Connectors->Connector Zones. Use this type of zone if traffic must be sourced from a specific IP address (e.g. SaaS IP anchored to a customer datacenter.

  1. Optional: The “Home Page Address” field is used to create an Axis app portal tile with a pre-configured URL. This URL will become the new “Home Page” a user lands on when connecting to the SaaS application.
    A Home Page address can also be used directly from the Axis app portal without the Atmos agent. When used this way, the app portal tile simply acts as a bookmark.

  2. Optional: In the “App Action Filter” pulldown, select the actions to be controlled. The app actions available in the pulldown are determined by the application selected in the “Select Application” field (configured in step 3).
    Selecting no actions (null filter) is a common configuration since this effectively matches all application traffic. When applied to a block rule, a null filter application will block all traffic matching the specific SaaS application.

Alternatively, individual app actions may be combined for a granular block policy (e.g. “Upload”).
Example: The “Google Drive” application has been selected and the “Upload” action has been selected:

Note - SSL Inspection is required in order to enforce SaaS actions Policies.

  1. Optional: The list of domains that identify a SaaS application can be adjusted through the use of the include and exclude domain fields. Note that in order to filter on a URL (as opposed to a domain or domain wildcard), SSL Inspection must be enabled.

  1. Complete creation of the SaaS application by clicking on the “Submit” button and then clicking on “Apply Changes” at the top of the management page. The SaaS application will now appear under the “Destinations” field in the Policy Rule form.

Configuring a SaaS Application Rule

  1. Create a Custom SaaS Application. More info can be found in the “Configuring SaaS Application Policies” section.
  2. Navigate to the Policy->Rules screen

  1. Click on “New Rule” to open a configuration form.
  2. Create a policy rule using the desired Identity, context and profiles. Additional information can be found in the Adding Policy Rules section.
  3. Click on the “Destination” pulldown, click on the “SaaS” tab and then select the desired SaaS applications (e.g. “Google Drive”). Note that several applications can be selected.

  1. In the “Action” pulldown, select “Block” or "Allow verdict based on the desirable policy.
  2. Complete creation of the Rule by clicking on the “Submit” button and then clicking on “Apply Changes” at the top of the management page.