SDP zero trust

Introduction

The software-defined perimeter (SDP) zero trust feature allows the device to act as an SDP gateway and cooperate with the SDP controller for user access control. The gateway authenticates users so that identities and permissions for access to the specified applications or APIs are controlled centrally, preventing unauthorized access.

vSystem support information

Support of non-default vSystems for this feature depends on the device model. This feature is available on the Web interface only if it is supported.

Configure SDP zero trust settings

Prerequisites

Complete the following tasks before you configure this feature:

  • Assign IP addresses to interfaces on the Network > Interface Configuration > Interfaces page.

  • Configure routes on the Network > Routing page. Make sure the routes are available.

  • Create security zones on the Network > Security Zones page.

  • Add interfaces to security zones. You can add interfaces to a security zone on the Security Zones page or select a security zone for an interface on the Interfaces page.

  • Configure security policies to permit the target traffic on the Policies > Security Policies page.

Procedure

  1. Click the Policies tab.

  2. In the navigation pane, select Zero Trust > SDP Zero Trust.

  3. Configure SDP zero trust settings.

    Table-1 SDP zero trust configuration items (each item name is followed by its description)

    SDP zero trust

    Select this item to enable SDP zero trust, and then configure SDP zero trust settings. Click Apply after configuring SDP zero trust settings. Then, the device will act as an SDP gateway and cooperate with the SDP controller for access control. The SDP controller issues user permissions to internal resources to the SDP gateway for users to access these internal resources through the SDP gateway.

    Access mode

    Select an access mode. Options include:

    • Hybrid mode.

    • Web access mode.

    • IP access mode.

    Default API rule

    Select a default API rule. Options include:

    • Permit.

    • Deny.

    Single packet authentication

    Select this item to enable single packet authentication. After single packet authentication is enabled, the client must send an SPA packet before accessing the SDP gateway. The SDP gateway identifies whether the client is legal. If the client is legal, the SDP gateway permits the subsequent access requests from the client. If not, the SDP gateway denies the access requests from the client.

    SPA type

    Single packet authentication supports the following modes:

    • UDP SPA—Sends SPA authentication packets via UDP. In this mode, the client initiates a knocking request by sending an SPA authentication packet to a UDP port of the server. The server opens the service port requested by the client only after authentication succeeds. The client can establish a TCP connection with the server only after obtaining the port number.

    • TCP SPA—Sends SPA authentication packets via TCP. In this mode, during the establishment of a TCP connection with the server, the client encapsulates the SPA authentication packet into the TCP request packet. The server establishes the TCP connection with the client only after authentication is passed. After this mode is specified, users can only log in and access tunnel resources through the iNode client, and are unable to access Web resources via a browser or access TCP resources through the TCP proxy.

    • UDP SPA + TCP SPA—Supports both UDP SPA and TCP SPA authentication modes.

    This field is available only in IP access mode and hybrid access mode.

    Enable anti-replay

    After you enable this feature, the device identifies and blocks duplicate UDP SPA packets that have already been authenticated, protecting the device against replay attacks.

    However, in some scenarios, such as when the clocks of the client and the device are not synchronized, the device might receive packets whose timestamps fall outside the anti-replay time window and wrongly treat them as replays. In such cases, you can disable the anti-replay feature temporarily until the time synchronization issue is resolved. This reduces false replay detections and improves user experience.

    Anti-replay is available only for UDP SPA packets.

    Anti-replay time window for UDP SPA

    When the time difference between the timestamp of the received packet and the local time exceeds half of the anti-replay time window, the device considers the packet as a replayed packet. For example, if the anti-replay time window is 50 seconds, a packet is considered as a replay packet if the time difference between the timestamp of the received packet and the local time exceeds 25 seconds.

  4. Click Apply.
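The following added example (not code from the device or its vendor) shows, from the gateway's side, the two checks described for single packet authentication and anti-replay above: an SPA packet is accepted only if its authentication tag verifies, its timestamp is within half of the anti-replay time window of the local time, and it has not been seen before. The packet layout (a JSON body plus an HMAC-SHA256 tag), the shared key and the client names are constructed for illustration and are not the product's real SPA format. The last lines also show the clock-skew situation the text mentions: with anti-replay enabled a skewed packet is refused, and with it disabled the same packet passes.

```python
import hashlib
import hmac
import json

# Constructed shared secret for this example only; a real gateway and
# controller provision per-client keys out of band (assumption, not the
# vendor's mechanism).
SHARED_KEY = b"example-spa-key-do-not-reuse"


def make_spa_packet(client_id, timestamp, nonce, key=SHARED_KEY):
    """Build a constructed UDP SPA payload: JSON body + '.' + HMAC-SHA256 hex tag."""
    body = json.dumps(
        {"client": client_id, "ts": timestamp, "nonce": nonce}, sort_keys=True
    ).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


class SpaGateway:
    """Gateway-side SPA verifier with the page's anti-replay window rule."""

    def __init__(self, window_seconds=50, anti_replay=True, key=SHARED_KEY):
        self.window = window_seconds
        self.anti_replay = anti_replay
        self.key = key
        self.seen = {}  # nonce -> timestamp of packets already accepted

    def check(self, packet, now):
        """Return (accepted, reason) for one received SPA packet at local time `now`."""
        try:
            body, tag = packet.rsplit(b".", 1)
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        # Constant-time comparison so tag checking leaks no timing information.
        if not hmac.compare_digest(tag, expected):
            return False, "bad-tag"
        fields = json.loads(body)
        if self.anti_replay:
            # Page rule: a packet is a replay when |timestamp - local time|
            # exceeds half of the anti-replay time window (25 s for a 50 s window).
            if abs(fields["ts"] - now) > self.window / 2:
                return False, "outside-window"
            self._expire(now)
            # An authenticated packet seen a second time is a duplicate.
            if fields["nonce"] in self.seen:
                return False, "duplicate"
            self.seen[fields["nonce"]] = fields["ts"]
        return True, "ok"

    def _expire(self, now):
        # Forget nonces whose timestamps could no longer pass the window check,
        # so the replay cache stays bounded.
        for nonce, ts in list(self.seen.items()):
            if abs(ts - now) > self.window / 2:
                del self.seen[nonce]


if __name__ == "__main__":
    gw = SpaGateway(window_seconds=50)
    pkt = make_spa_packet("alice", 1000, "n1")
    print(gw.check(pkt, now=1000))   # (True, 'ok')
    print(gw.check(pkt, now=1001))   # (False, 'duplicate')
    print(gw.check(make_spa_packet("alice", 1026, "n2"), now=1000))  # (False, 'outside-window')
    lenient = SpaGateway(window_seconds=50, anti_replay=False)
    print(lenient.check(make_spa_packet("bob", 1100, "n4"), now=1000))  # (True, 'ok')
```

The order of the checks matters: the tag is verified before anything else so that an unauthenticated sender cannot influence the replay cache, and the window check runs before the duplicate check so the cache only ever holds nonces that are still inside the window.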