If users within your enterprise work from a trusted office zone and do not need the Secure Access Service Edge (SASE) client to redirect their internal traffic, or if specific office applications do not require traffic redirection from the SASE client, you can create rules that identify office zones. The SASE client then checks whether a user resides in an office zone based on these rules and redirects traffic based on the traffic redirection policy that you specify. This topic describes how to use the office zone identification feature.
Traffic redirection policies
After SASE is deployed, the system automatically redirects user traffic destined for office applications to SASE, authenticates user identities, and forwards the traffic. You can select a traffic redirection policy based on the network topology of your office zones. The SASE client then checks whether a user resides in an office zone and redirects user traffic based on the selected policy. If a user resides in an office zone, the SASE client does not redirect traffic, or redirects traffic only for specific office applications. This reduces public bandwidth consumption at your network egress. Note that traffic that is not redirected bypasses the identity authentication and access policies that SASE enforces, so the office zone rules that you create should match only networks that you actually control.
SASE supports the following policies:
No Traffic Redirection in Office Zone
This policy is suitable for scenarios in which all office applications are accessible from the office zone and traffic redirection is not required.
No Traffic Redirection for Specific Office Applications in Office Zone
This policy is suitable for scenarios in which only specific office applications are accessible from the office zone. For office applications that are inaccessible from the office zone, the SASE client is required for traffic redirection.
Procedure
Log on to the SASE console.
In the left-side navigation pane, choose .
On the Access Point Management tab, click Office Zone Identification. On the Office Zone Identification page, select a traffic redirection policy.
In the lower part of the page, click Create Identification Rule. Then, create rules for office zone identification. The following table describes the parameters.
You can create one or more rules. Rules are evaluated independently: if at least one rule is hit, SASE determines that the user resides in an office zone.
Parameter: Rule Name
Description: The name of the rule. The name must be 2 to 128 characters in length, and can contain letters, digits, hyphens (-), and underscores (_).
Parameter: Conditions
Description: The conditions of a rule. You can add one or more conditions of the following types:
Office Zone SSID: the Service Set Identifier (SSID) of an office zone. The SSID is the name of a wireless local area network (WLAN). Because an SSID is a freely chosen name that any access point can broadcast, do not rely on it alone; combine it with a reachability condition by using the AND operator.
Accessible Internal IP Address: an internal IP address that can be reached only from an office zone. The SASE client automatically checks the connectivity of the internal IP address. If the address is reachable, the condition is met.
Accessible Internal Domain Name: an internal domain name that can be resolved and reached only from an office zone. The SASE client automatically checks the connectivity of the domain name. If the domain name is reachable, the condition is met.
Office CIDR Block: the internal CIDR block that can be accessed only from an office zone.
If you add multiple conditions, you can set the logical operator to OR or AND. The default logical operator is OR. Click OR to change the logical operator to AND.
If you set the Traffic Redirection Policy in Office Zone parameter to No Traffic Redirection for Specific Office Applications in Office Zone, associate applications with the rule.
To associate an application, click Configure in the upper-right corner of the Conditions section. In the Add Application panel, select an office application on the Tag or Application tab and click OK.
Click Save.
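The following Python script is an added example that models the rule evaluation described in the preceding steps. It is not the SASE client's code: the client's probing mechanism is abstracted into a ClientEnv record that holds the observed SSID, the local IP address, and the results of the reachability checks, all constructed here. The rule set, the rule and application names, the policy constants, and the treatment of Office CIDR Block as a check on the client's own address are assumptions made for the example. The constructed hq-wifi rule ANDs the SSID condition with an internal reachability check, which shows why a spoofed SSID alone does not place a device in the office zone.

```python
"""Illustrative model of office-zone identification (added example; not SASE client code).

A rule hits when its conditions combine with OR (the console default) or AND;
the user is in an office zone when at least one rule hits. The redirection
decision then follows the selected policy.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

# Policy names as they appear on the Office Zone Identification page.
NO_REDIRECT = "No Traffic Redirection in Office Zone"
NO_REDIRECT_SPECIFIC_APPS = "No Traffic Redirection for Specific Office Applications in Office Zone"


@dataclass(frozen=True)
class Condition:
    kind: str    # "ssid", "ip", "domain" or "cidr": the four condition types
    value: str


@dataclass(frozen=True)
class Rule:
    name: str
    conditions: Tuple[Condition, ...]
    operator: str = "OR"           # console default; "AND" when switched
    apps: Tuple[str, ...] = ()     # apps associated with the rule (specific-app policy)


@dataclass(frozen=True)
class ClientEnv:
    """What the client observed on the current network (constructed data)."""
    ssid: Optional[str]
    local_ip: str
    reachable_ips: FrozenSet[str]
    reachable_domains: FrozenSet[str]


def condition_hit(cond: Condition, env: ClientEnv) -> bool:
    if cond.kind == "ssid":
        return env.ssid == cond.value
    if cond.kind == "ip":
        return cond.value in env.reachable_ips
    if cond.kind == "domain":
        return cond.value in env.reachable_domains
    if cond.kind == "cidr":
        # Assumption: the client's own address must fall inside the office block.
        return ipaddress.ip_address(env.local_ip) in ipaddress.ip_network(cond.value, strict=False)
    raise ValueError(f"unknown condition type: {cond.kind}")


def rule_hit(rule: Rule, env: ClientEnv) -> bool:
    results = [condition_hit(c, env) for c in rule.conditions]
    if not results:
        return False  # a rule without conditions never identifies a zone
    return all(results) if rule.operator == "AND" else any(results)


def matched_rules(rules: Iterable[Rule], env: ClientEnv) -> List[Rule]:
    return [r for r in rules if rule_hit(r, env)]


def in_office_zone(rules: Iterable[Rule], env: ClientEnv) -> bool:
    return bool(matched_rules(rules, env))


def should_redirect(app: str, rules: Iterable[Rule], env: ClientEnv, policy: str) -> bool:
    """True when the client should send this app's traffic through SASE."""
    hits = matched_rules(rules, env)
    if not hits:
        return True                  # outside every office zone: always redirect
    if policy == NO_REDIRECT:
        return False                 # inside an office zone: nothing is redirected
    if policy == NO_REDIRECT_SPECIFIC_APPS:
        # Assumption: apps associated with a matched rule are reachable locally
        # and bypass SASE; every other app still goes through the client.
        exempt = {a for r in hits for a in r.apps}
        return app not in exempt
    raise ValueError(f"unknown policy: {policy}")


# Constructed rule set: the SSID condition is ANDed with an internal reachability
# probe, so a rogue access point advertising "Corp-HQ" elsewhere does not match.
RULES = (
    Rule("hq-wifi", (Condition("ssid", "Corp-HQ"), Condition("ip", "10.0.0.10")), "AND", apps=("wiki",)),
    Rule("hq-lan", (Condition("cidr", "10.1.0.0/16"), Condition("domain", "intranet.corp.example")), "OR", apps=("erp",)),
)

# Constructed client observations: a real office seat, and a home network renamed to Corp-HQ.
OFFICE = ClientEnv("Corp-HQ", "10.1.2.3", frozenset({"10.0.0.10"}), frozenset({"intranet.corp.example"}))
SPOOFED_SSID = ClientEnv("Corp-HQ", "192.168.1.5", frozenset(), frozenset())

if __name__ == "__main__":
    for label, env in (("office", OFFICE), ("spoofed", SPOOFED_SSID)):
        print(label, "in office zone:", in_office_zone(RULES, env),
              "| redirect wiki:", should_redirect("wiki", RULES, env, NO_REDIRECT_SPECIFIC_APPS),
              "| redirect hr:", should_redirect("hr", RULES, env, NO_REDIRECT_SPECIFIC_APPS))
```

Running the script shows the office seat matching both rules (wiki and erp bypass SASE under the specific-application policy while hr is still redirected), and the spoofed network matching neither rule, so all of its traffic is redirected. The real client performs the reachability probes itself; the model only encodes how the probe results, the SSID, and the local address combine under the OR/AND operators and the chosen policy.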
Other operations
You can perform the following operations based on your business requirements:
Modify a rule: Click Edit Rule to modify the conditions of a rule.
Delete a rule: Click Edit Rule and then click Delete to delete a rule.
Important: After a rule is deleted, SASE no longer uses the rule to identify an office zone, and users who were identified only by that rule are treated as outside the office zone. Proceed with caution.
References
If you want to use SASE to enable network connections, select a method described in the following topics based on the network topology of your enterprise:
If you want to use SASE to analyze and audit your business traffic, you can configure access policies for your applications. For more information, see Configure a zero trust policy.