Managing the Users Networks Zone

The Users Networks zone is a predefined zone in SecureTrack where you add all the valid subnets that users are allowed to use when connecting to your network. TOS requires the Users Networks zone when User Identity is used for a device that does not natively support using LDAP groups. (See Using User Identity in TOS.)

Where Is the Users Networks Zone Used?

The Users Networks zone is used in the following SecureChange features:

  • Target Suggestion: For access requests with an LDAP group in the source, SecureChange suggests targets based on the subnets listed in the Users Networks zone.

  • Risk Analysis: SecureChange evaluates access requests that include LDAP groups in the source by checking USPs that have Users Networks as the source zone.

  • Designer and Verifier: Add source addresses to devices along the path when those devices do not natively support user identities.

Prerequisites

Configure SecureTrack for LDAP authentication, as described in Configuring User Identity. All users or groups in the LDAP tree listed under the Domain DN field will be authenticated as valid.

Add Subnets to the Users Networks Zone

To add IPv6 subnets to a zone, use the REST API or import the zones using a CSV file.

  1. In the Users Networks zone, add all subnets that users are allowed to use when connecting to your network. See Managing Zone Subnets for details.

Delete Subnets from the Users Networks Zone

  1. Select the subnets that you want to delete.

  2. Click Delete Selected Subnets.

If one or more IP addresses in the Users Networks zone are removed, we recommend that you create a Rule Modification ticket requesting that all of the deleted subnets be removed from the rules that include them. Removing these subnets from the rules reduces attack surface and improves policy strictness.
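One way to prepare that Rule Modification ticket, as an added example that is not Tufin's code or API: given the subnets removed from the zone and a list of rules (constructed sample data here, standing in for your own policy export), report every rule whose sources still cover a removed subnet and whether each source should be deleted outright or narrowed.

```python
import ipaddress

# Constructed sample rules (not a SecureTrack export): each entry names a rule
# and the source networks it allows. Replace with your own policy data.
SAMPLE_RULES = [
    {"id": "fw1-rule-12", "sources": ["10.10.0.0/16", "192.168.5.0/24"]},
    {"id": "fw1-rule-27", "sources": ["10.20.30.0/24"]},
    {"id": "fw2-rule-3", "sources": ["10.20.30.128/25", "2001:db8:10::/48"]},
    {"id": "fw2-rule-9", "sources": ["172.16.8.0/22"]},
]


def _to_networks(values):
    # strict=False tolerates host bits set in the input (e.g. 10.1.2.3/24)
    return [ipaddress.ip_network(v, strict=False) for v in values]


def rules_referencing(removed_subnets, rules):
    """Find rules whose sources still cover subnets removed from the zone.

    Two CIDR blocks either nest or are disjoint, so each hit is one of:
      "contained" - the source lies inside (or equals) a removed subnet: delete it
      "broader"   - the source is wider than a removed subnet: narrow it
    Returns a list of {"id": rule id, "hits": [(source, removed, kind), ...]}.
    """
    removed = _to_networks(removed_subnets)
    findings = []
    for rule in rules:
        hits = []
        for src in _to_networks(rule["sources"]):
            for gone in removed:
                # IPv4 and IPv6 never overlap; skip mixed pairs before comparing
                if src.version != gone.version or not src.overlaps(gone):
                    continue
                kind = "contained" if src.subnet_of(gone) else "broader"
                hits.append((str(src), str(gone), kind))
        if hits:
            findings.append({"id": rule["id"], "hits": hits})
    return findings


if __name__ == "__main__":
    # Constructed list of subnets just deleted from the Users Networks zone
    removed = ["10.20.30.0/24", "192.168.5.0/24", "2001:db8:10:1::/64"]
    for finding in rules_referencing(removed, SAMPLE_RULES):
        print(finding["id"], finding["hits"])
```

Rules flagged "contained" can simply lose that source; "broader" sources need the removed range carved out, which is the detail to spell out in the ticket.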