Until today, almost all our roles have had a set of ST rules. But now I have a scenario where I need to disable ST if the users come from a specific network.
I've already created a role where I disable ST.
I mapped this role to a custom expression, but it never disables ST, neither if it is at the top of the role mapping nor if it is at the bottom.
What happens if a user has two roles... one says enable ST, and the other says disable ST? Does the order in the role mapping matter?
If you look at the problem the other way and only enable split tunneling if the user is not on the specific network, then it should be possible. You would need to move your enable split tunneling configuration to its own role (off on all the other roles) and then use a source IP restriction to deny access to the role if the user is coming from the specific network where you want it disabled.
For merged roles the general behavior is that enabled features take precedence over disabled features.
Yes, this is correct. It would not be recommended to merge roles in this scenario. I would put a stop rule for the specific role and put this at the top of the list so it will only get the disable split tunnel feature.
In my case, each user can have tens of roles in the end... and what I need is, if any user comes from a specific network, then I want to disable ST. So my intention was to give a certain role to those users if they came from that network, and then disable ST in that role.
So I must figure out another way to solve my problem.
Thank you for your precious information.
It could be a solution, but with hundreds of roles and tens of ST policies it would be a huge challenge to redo the configuration.
When I tried this way, I was hoping that somehow, if a rule has ST disabled, it supersedes the enabled ST. But as Filbert says, the enabled features always take precedence over disabled features, so I've no luck.
After some tests, I've discovered the disable split tunneling only works if there is no ST policy applied to that user.
If you create a role with split tunneling disabled, and create a ST policy for that role, it will do ST.
If your role has ST enabled, and no ST policies applied, it will not do ST.
The radio buttons to enable/disable ST are just there to occupy space... what matters is whether the user receives a ST policy or not.
Yes, order should matter and the setting available in first matched role should be used.
Also remember that all role mapping rules are evaluated and the results are merged unless you check the "Stop processing rules when this rule matches" option.
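The following is an added model of the role-mapping behaviour described in this thread; it is not code from the appliance vendor or from any poster. It assumes the semantics stated above: rules are evaluated top to bottom, all matching roles are merged unless a matching rule carries the "Stop processing rules when this rule matches" flag, an enabled feature wins over a disabled one in a merged role set, and (per the later finding) split tunneling actually takes effect only when some ST policy is applied to one of the user's roles. The role names, policy names and network ranges are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    split_tunnel_enabled: bool      # the enable/disable ST radio button on the role
    st_policies: tuple = ()         # ST policies applied to the role (constructed names)


@dataclass(frozen=True)
class Rule:
    role: Role
    networks: tuple = ()   # source networks the rule is restricted to; empty = any source
    stop: bool = False     # "Stop processing rules when this rule matches"


def rule_matches(rule: Rule, src_ip: str) -> bool:
    """A rule with no network restriction matches everyone; otherwise the
    client source address must fall inside one of the listed networks."""
    if not rule.networks:
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(net) for net in rule.networks)


def matched_roles(rules, src_ip: str):
    """Evaluate rules top to bottom; every match is collected (merged) unless a
    matching rule carries the stop flag, which ends evaluation at that point."""
    roles = []
    for rule in rules:
        if rule_matches(rule, src_ip):
            roles.append(rule.role)
            if rule.stop:
                break
    return roles


def merged_st_setting(roles) -> bool:
    """Merge rule from the thread: an enabled feature wins over a disabled one."""
    return any(r.split_tunnel_enabled for r in roles)


def effective_split_tunnel(roles) -> bool:
    """Observation from the thread: ST only happens when at least one ST policy
    is applied to the user's roles, whatever the radio button says."""
    return any(r.st_policies for r in roles)


# Constructed sample data: two ordinary roles that carry ST policies and one
# role meant to disable ST for clients on the trusted network.
TRUSTED_NET = "10.50.0.0/16"
SALES = Role("sales", True, ("st-policy-sales",))
ENG = Role("engineering", True, ("st-policy-eng",))
NO_ST = Role("no-split-tunnel", False)


def build_rules(stop_on_no_st: bool):
    # The disable-ST rule sits at the top of the mapping, as suggested above.
    return (
        Rule(NO_ST, networks=(TRUSTED_NET,), stop=stop_on_no_st),
        Rule(SALES),
        Rule(ENG),
    )


def outcome(src_ip: str, stop_on_no_st: bool):
    """Returns (matched role names, merged radio-button result, effective ST)."""
    roles = matched_roles(build_rules(stop_on_no_st), src_ip)
    return ([r.name for r in roles], merged_st_setting(roles), effective_split_tunnel(roles))


if __name__ == "__main__":
    for ip in ("10.50.1.25", "198.51.100.7"):
        for stop in (False, True):
            print(ip, "stop" if stop else "merge", outcome(ip, stop))
```

Running it shows the failure the original poster hit: from the trusted network without the stop flag, the disable-ST role is merged with the other two, the enabled setting wins and an ST policy is still delivered. With the stop flag on that top rule the user gets only the disable-ST role, which carries no ST policy, so split tunneling is off; clients outside the trusted network are unaffected either way.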