Wildcard and CIDR blocks do not work

I have a scenario where I have an App Segment created for RDP access for system admins. I am using a wildcard discovery for hostnames and a CIDR of for IP access. This app segment is referenced by an access policy where I use user group for criteria to limit RDP access to system admins only.

A small subset of these servers are also SQL servers so I created an app segment to allow SQL access to these servers via an access policy restricted to a user group for SQL users. I used specific hostnames and IPs in this app segment.

Once I created the SQL app segment, I was unable to RDP to these servers. I discovered that for each server where I used a specific FQDN or IP, I then had to add that specific FQDN and IP to the RDP app segment because wildcards and CIDR blocks no longer work.

Anyone else running into this issue? I cannot imagine that this is a viable solution for an organization that has thousands of servers.

Support has initially told me that this is “just how it works.” But in an environment where we want to adopt a true ZTNA, this becomes exponentially unmanageable as the number of servers grows (with RDP being just ONE example).


Ran into the same issue as you did. Taking it up with support and with our Sales Engineering team.

Let me know what they say. Our post-sales engineer just said “that is just how it works.” I asked why it cannot use IP/FQDN AND port/protocol to make the determination for which app segment is chosen (like a firewall policy) and they said “because we are not a firewall.” Some pretty lame answers for an annoying problem. So if we want to adhere to a true ZTNA, we have to exponentially increase the management overhead of the system. Otherwise, we have to take a more general approach to access in order to utilize the wildcard discovery but that sacrifices a true ZTNA.

Like you said, it is working as they expect it to. To have the evaluation changed to a more logical and consistent manner, it will take a feature request. Fun stuff.
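As an added example, not code from any post in this thread and not Zscaler's implementation, the following Python model contrasts the two evaluation orders the posters argue about: selecting the app segment by the most specific FQDN/IP match first and only then checking port and user group (what the original poster and the replies describe support confirming), versus a firewall-style lookup that uses host and port together. The selection rule is inferred from the posts, not from product documentation, and the segment names, hostnames, CIDR block and group names are made up for the example. It also reproduces the workaround from the first post (adding each specific FQDN and IP to the wildcard segment) to show why it restores access.

```python
"""Model of app-segment selection as described in the thread (added example).

Assumption, inferred from the posts rather than vendor documentation: the
segment is chosen by the most specific host match alone; port and user group
are only checked afterwards, inside the chosen segment(s).
"""
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional, Set


@dataclass
class AppSegment:
    name: str
    hosts: List[str]   # exact FQDNs, "*.domain" wildcards, single IPs or CIDRs
    ports: Set[int]    # TCP ports the segment exposes
    groups: Set[str]   # user groups the access policy allows


def _host_match(pattern: str, target: str) -> Optional[int]:
    """Specificity score if `pattern` covers `target`, else None.

    Exact FQDN or /32 scores 1000, a CIDR scores its prefix length, and a
    wildcard FQDN scores its number of literal characters, so that a specific
    entry always beats a wildcard or a block.
    """
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    if addr is not None:
        try:
            net = ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return None            # hostname pattern cannot match an IP target
        if addr not in net:
            return None
        return 1000 if net.num_addresses == 1 else net.prefixlen
    if any(c in pattern for c in "*?"):
        if fnmatch(target.lower(), pattern.lower()):
            return sum(c not in "*?" for c in pattern)
        return None
    return 1000 if target.lower() == pattern.lower() else None


def candidate_segments(segments: List[AppSegment], host: str) -> List[AppSegment]:
    """Segments tied at the highest host specificity; port and group ignored."""
    scored = []
    for seg in segments:
        hits = [s for s in (_host_match(p, host) for p in seg.hosts) if s is not None]
        if hits:
            scored.append((max(hits), seg))
    if not scored:
        return []
    best = max(score for score, _ in scored)
    return [seg for score, seg in scored if score == best]


def allowed_host_first(segments, host, port, group) -> bool:
    """Evaluation as the thread describes it: host wins first, then port/group."""
    return any(port in seg.ports and group in seg.groups
               for seg in candidate_segments(segments, host))


def allowed_firewall_style(segments, host, port, group) -> bool:
    """Firewall-like evaluation the replies ask for: host AND port select the segment."""
    return any(any(_host_match(p, host) is not None for p in seg.hosts)
               and port in seg.ports and group in seg.groups
               for seg in segments)


# Constructed sample configuration (names, hosts and groups are made up).
SEGMENTS = [
    AppSegment("RDP-admins", ["*.corp.example", "10.10.0.0/16"], {3389}, {"sysadmins"}),
    AppSegment("SQL-users", ["sql01.corp.example", "10.10.5.21"], {1433}, {"sqlusers"}),
]

# Workaround from the first post: repeat the specific FQDN/IP in the RDP segment
# so both segments tie at the highest specificity and the RDP port is considered.
SEGMENTS_WORKAROUND = [
    AppSegment("RDP-admins",
               ["*.corp.example", "10.10.0.0/16", "sql01.corp.example", "10.10.5.21"],
               {3389}, {"sysadmins"}),
    SEGMENTS[1],
]

if __name__ == "__main__":
    for host in ("web01.corp.example", "sql01.corp.example", "10.10.5.21"):
        print(host, "RDP for sysadmins:",
              "host-first", allowed_host_first(SEGMENTS, host, 3389, "sysadmins"),
              "firewall-style", allowed_firewall_style(SEGMENTS, host, 3389, "sysadmins"),
              "with workaround", allowed_host_first(SEGMENTS_WORKAROUND, host, 3389, "sysadmins"))
```

Running it shows the symptom from the thread: RDP to `web01.corp.example` is allowed under both models, but RDP to `sql01.corp.example` or `10.10.5.21` is refused under host-first evaluation because the more specific SQL segment captures the host and exposes only 1433, while the firewall-style lookup allows it; duplicating the specific entries into the RDP segment restores access under host-first evaluation, which is exactly the per-server overhead the posters object to.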