How to block access to local services (SMB, printers) when WSS Agent enabled
Article ID: 381514

Updated On: 11-12-2024

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users access internal applications through ZTNA segment-based applications from hosts running WSS Agent.

All of these applications work as expected, but concerns are raised that SMB services on the local network remain reachable from those hosts.

How can Cloud SWG/ZTNA admins block access to these internal services?

Environment

Cloud SWG.

ZTNA.

Segment based applications.

Shared services available on internal network.

Cause

WSS Agent works at layer 3: it checks the destination IP address of each connection to decide whether traffic goes into Cloud SWG/ZTNA or goes direct. It does not act as a firewall and cannot be used to block access to specific services or ports.

Resolution

As a best practice, use a host firewall on the macOS/Windows host running WSS Agent to block access to the local services that should not be reachable. This blocks only the unwanted services and leaves Cloud SWG/ZTNA traffic and local DNS untouched.
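The following is an added example of the host-firewall approach on a Windows endpoint; it is not part of the KB article and not Broadcom's own tooling. It assumes the local network is 192.168.0.0/16 (the range used later in this article) and must be run from an elevated PowerShell session. The rules block outbound SMB and the common network-printing ports toward the LAN range only, so traffic that WSS Agent sends into Cloud SWG/ZTNA is unaffected.

```powershell
# Added example (not from the KB article): outbound host-firewall rules that
# block SMB and printer protocols toward the local LAN on a Windows host
# running WSS Agent. Cloud-bound traffic is not matched by these rules.
# Assumption: the LAN is 192.168.0.0/16; change $LocalNet to match the site.

$LocalNet = '192.168.0.0/16'   # assumed LAN range

# Services to block, kept as an explicit, auditable list:
#   SMB            TCP 445, 139
#   RAW/JetDirect  TCP 9100
#   IPP            TCP 631
#   LPD            TCP 515
$Blocked = @(
    @{ Name = 'WSS-Block-SMB-Local';   Protocol = 'TCP'; Ports = @(445, 139) },
    @{ Name = 'WSS-Block-Print-Local'; Protocol = 'TCP'; Ports = @(9100, 631, 515) }
)

foreach ($rule in $Blocked) {
    # Remove any earlier copy of the rule so the script is safe to re-run
    Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    New-NetFirewallRule -DisplayName $rule.Name `
        -Direction Outbound -Action Block -Enabled True `
        -Protocol $rule.Protocol -RemotePort $rule.Ports `
        -RemoteAddress $LocalNet `
        -Profile Any `
        -Description 'Block LAN service that should not be reachable outside Cloud SWG/ZTNA' |
        Out-Null
}

# Verify the rules were created and are enabled
Get-NetFirewallRule -DisplayName 'WSS-Block-*' |
    Select-Object DisplayName, Enabled, Direction, Action |
    Format-Table -AutoSize

# Check: an SMB connection to a LAN file server should now fail (returns False).
# 192.168.1.10 is a constructed placeholder; replace it with a real LAN host.
Test-NetConnection -ComputerName 192.168.1.10 -Port 445 -InformationLevel Quiet
```

Because the rules are scoped with `-RemoteAddress`, DNS and any service outside the LAN range keep working; if the site has more than one private range, add each one to `-RemoteAddress` rather than widening the rule to all destinations.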

If there are no local firewall options, one change can be made on the Cloud SWG side that forces all traffic destined for the local network INTO Cloud SWG. Those connections then fail because the local addresses are not reachable from Cloud SWG, which blocks access to the local resources. The one gotcha with this is that DNS requests will also be blocked if the host uses a DNS server on the local network; in that case the host must point to a public DNS server, e.g. 8.8.8.8 or 9.9.9.9. Note too that this approach blocks access to ALL internal services, so local printers will fail as well.

The local traffic can be forced or tunneled into the Cloud using the 'always tunnel' closed network APIs. This functionality is moving into the 'Advanced Traffic Manager' UI configuration for all tenants by mid November 2024, and the screenshot below shows how all traffic on my 192.168.0.0/16 network will be sent into Cloud SWG instead of out the local interface. Once this is enabled and my WSS Agent reconnects to pick up the new configuration, access to local printers, SMB devices, etc. is blocked. Note again that DNS will fail unless the DNS server the host uses is NOT on the 192.168.0.0/16 network.
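As an added pre-check for the always-tunnel approach (not part of the KB article), the script below lists the IPv4 DNS servers configured on a Windows host running WSS Agent and reports any that fall inside the range about to be tunneled, so the DNS gotcha above is caught before the agent reconnects. It assumes the tunneled range is 192.168.0.0/16 as in the article; the CIDR test is a small helper written here, not a built-in cmdlet, and the commented-out remediation uses the public resolvers 8.8.8.8 and 9.9.9.9 named in the article.

```powershell
# Added example (not from the KB article): find DNS servers that would become
# unreachable once 192.168.0.0/16 is forced into Cloud SWG.
# Assumption: $TunnelledNet matches the range configured in Advanced Traffic Manager.

$TunnelledNet = '192.168.0.0/16'

# Helper (defined here, not a built-in): is an IPv4 address inside a CIDR block?
function Test-IPv4InCidr {
    param([string]$Address, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    $toInt = {
        param($ip)
        $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()  # network order
        [Array]::Reverse($b)                                        # host order
        [BitConverter]::ToUInt32($b, 0)
    }
    # Mask with the top $bits bits set, built with arithmetic to avoid
    # signed hex-literal surprises in Windows PowerShell.
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    ((& $toInt $Address) -band $mask) -eq ((& $toInt $net) -band $mask)
}

# All IPv4 DNS servers configured on any interface, de-duplicated
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object -ExpandProperty ServerAddresses -Unique

$conflicts = $dnsServers | Where-Object { Test-IPv4InCidr -Address $_ -Cidr $TunnelledNet }

if ($conflicts) {
    Write-Warning ("DNS servers inside $TunnelledNet will be unreachable after " +
                   "always-tunnel is enabled: $($conflicts -join ', ')")
    # Possible remediation on the default-route interface: switch to public
    # resolvers. Left commented out so the change is made deliberately.
    # $if = (Get-NetRoute -DestinationPrefix 0.0.0.0/0 |
    #        Sort-Object RouteMetric | Select-Object -First 1).InterfaceAlias
    # Set-DnsClientServerAddress -InterfaceAlias $if -ServerAddresses 8.8.8.8, 9.9.9.9
} else {
    "All configured DNS servers are outside $TunnelledNet; name resolution should survive the change."
}
```

Run the check on a representative host before pushing the always-tunnel configuration to all tenants' agents; the same helper can be pointed at any other range you plan to force into Cloud SWG.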