Creating Network-level (Layer-4) policies for Service Tunnels

  • Updated on May 10, 2023


Banyan’s Service Tunnel policies provide Network-level (Layer-4) access controls so that admins can allow or deny access down to specific protocols, CIDRs, ports, and FQDNs (Fully-Qualified Domain Names).

Steps to Create a Service Tunnel Policy

1. Navigate to Secure Access > Policies > + Create Policy and create a Tunnel Policy.

2. Enter a Policy Name and a Description.

3. Configure your first Access Group. Specify the required Trust Level, Role, allowed Protocols, CIDR ranges, FQDNs, and Ports.

Note: We strongly recommend using FQDNs that resolve to the same addresses from different geolocations and that do not change frequently. Wildcard domains are not allowed.

Note: By default, the parameters above define what is allowed. To deny part of that allowed set, select Add exceptions (DENY rules) and specify the Protocols, CIDRs, and Ports to exclude; the exceptions are evaluated within the parameters of the same Access Group.

4. Optional: If you want to define an additional Access Group, select + New Access Group.

5. Select Create Policy.

Example Use Cases

Allowing all domains except one FQDN

In some cases, admins may want to allow all domains except a specific Fully-Qualified Domain Name (FQDN). This is configured in the Tunnel Policy by allowing all domains in the Access Group and adding the specific FQDN as a DENY exception.
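To make the allow-plus-exceptions semantics of the steps above and of this use case concrete, here is an added example of a small policy evaluator. It is a hypothetical model written for this page, not Banyan's policy engine: the trust-level ordering, the field names, the rule that an empty field matches anything, and the sample roles, addresses and FQDNs are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed ordering of device trust levels (illustrative, not the product's own table).
TRUST_ORDER = {"Low": 0, "Medium": 1, "High": 2}


def is_valid_fqdn(name):
    """Reject empty or wildcard names; the policy does not accept wildcards."""
    return bool(name) and "*" not in name


def port_in(port, spec):
    """True if port falls inside spec, written as "443" or "8000-8080"."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


@dataclass
class L4Rule:
    """One allow rule or one DENY exception. An empty field matches anything (assumption)."""
    protocols: frozenset = frozenset()   # e.g. {"TCP", "UDP"}
    cidrs: tuple = ()                    # e.g. ("10.0.0.0/8",)
    ports: tuple = ()                    # e.g. ("22", "8000-8080")
    fqdns: frozenset = frozenset()       # exact names only, no wildcards

    def __post_init__(self):
        bad = [f for f in self.fqdns if not is_valid_fqdn(f)]
        if bad:
            raise ValueError(f"wildcard or empty FQDN not allowed: {bad}")
        self.fqdns = frozenset(f.lower() for f in self.fqdns)
        self.protocols = frozenset(p.upper() for p in self.protocols)

    def matches(self, proto, dst_ip, dst_port, dst_fqdn=None):
        if self.protocols and proto.upper() not in self.protocols:
            return False
        if self.ports and not any(port_in(dst_port, p) for p in self.ports):
            return False
        if self.cidrs or self.fqdns:
            # Destination must hit one of the CIDRs or one of the FQDNs.
            ip = ipaddress.ip_address(dst_ip)
            by_cidr = any(ip in ipaddress.ip_network(c, strict=False) for c in self.cidrs)
            by_fqdn = dst_fqdn is not None and dst_fqdn.lower() in self.fqdns
            if not (by_cidr or by_fqdn):
                return False
        return True


@dataclass
class AccessGroup:
    """Trust level and roles gate who the group applies to; allow/deny say what they reach."""
    trust_level: str
    roles: frozenset
    allow: L4Rule
    deny: list = field(default_factory=list)   # DENY exceptions carved out of allow

    def applies_to(self, user_roles, device_trust):
        return bool(self.roles & set(user_roles)) and \
            TRUST_ORDER[device_trust] >= TRUST_ORDER[self.trust_level]

    def permits(self, proto, dst_ip, dst_port, dst_fqdn=None):
        if not self.allow.matches(proto, dst_ip, dst_port, dst_fqdn):
            return False
        return not any(d.matches(proto, dst_ip, dst_port, dst_fqdn) for d in self.deny)


def evaluate(policy, user_roles, device_trust, proto, dst_ip, dst_port, dst_fqdn=None):
    """Allow a flow if any access group that applies to the user permits it."""
    return any(g.applies_to(user_roles, device_trust)
               and g.permits(proto, dst_ip, dst_port, dst_fqdn) for g in policy)


# Constructed sample policy: roles, addresses and names are made up.
SAMPLE_POLICY = [
    # Engineers on a High-trust device: SSH and HTTPS into 10.0.0.0/8,
    # except the 10.20.0.0/16 segment (a CIDR DENY exception).
    AccessGroup(
        trust_level="High",
        roles=frozenset({"Engineering"}),
        allow=L4Rule(protocols=frozenset({"TCP"}), cidrs=("10.0.0.0/8",), ports=("22", "443")),
        deny=[L4Rule(cidrs=("10.20.0.0/16",))],
    ),
    # The use case above: every destination allowed except one FQDN.
    AccessGroup(
        trust_level="Medium",
        roles=frozenset({"Everyone"}),
        allow=L4Rule(cidrs=("0.0.0.0/0", "::/0")),
        deny=[L4Rule(fqdns=frozenset({"payroll.corp.example"}))],
    ),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICY, {"Engineering"}, "High", "TCP", "10.1.2.3", 443))
    print(evaluate(SAMPLE_POLICY, {"Everyone"}, "Medium", "TCP", "10.3.3.3", 443, "payroll.corp.example"))
```

One caveat the model makes visible: an FQDN DENY exception only applies to flows the evaluator can associate with that name. A connection made directly to the host's IP address carries no FQDN and, in this model, is still allowed by the 0.0.0.0/0 rule; if the host must be unreachable by address as well, add its CIDR to the same exception list.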
