SPS connection policies

Hello,

I configured two different SPS connections under "SSH Control". Is it possible to make them both work using the SPP-initiated workflow? I ask because when I create the ARP on the SPP, the only options shown under SPS connection policy are "safeguard_default" and "SPS initiated workflow". How is it possible to add the connection created on the SPS to the SPP?

Thank you

  • Hi,

    When you join SPP and SPS, the SSH connection policy (safeguard_default) is auto-generated and used by default for SSH sessions on port 22.

    SPS checks connection policies in order from the top, so if the first connection policy matches, it wins the session and no other connection policies assigned the same port will be used.

    Therefore, it would not be possible to use two SPS connection policies with the same port, as only the first one would always win.

    Not clear on the use case you are looking to implement with two connection policies for SSH sessions, but I would suggest consulting with the PSO team on new configurations for a solution based on what you are looking to accomplish.

    Thanks!

  • Hello Tawfiq,

    Let me try to explain better my use case:

    - as we joined SPP and SPS, the "safeguard_default" connection was automatically created and, as we decided to use the SPP-initiated workflow, in the ARP on the SPP the SPS connection policy chosen is always the "safeguard_default"

    - I configured a new connection policy under SSH control on the SPS because I needed to test some features (channel policy and content policy in detail)

    Now, if I try to make a new request toward a target, even though the first connection under SSH control is the new one, it always selects the safeguard_default, so I am not able to test these features. I was wondering if in this case I should change the SPP connection policy (as it stands now it does not seem to be possible, because in the drop-down menu I only see safeguard_default and SPS initiated workflow) or in which way I can simultaneously use two different SPS SSH connections.

    Thank you!

  • If the purpose of this is to test a different channel rule with a content policy, then it may be easier to keep the same default SSH connection policy and, inside of the Channel Policy, add a new channel rule: select "Session Shell", select the Content policy you wish to test, and specify a target server either by IP address or hostname, then set this rule to be the top of the Channel Policy.

    In this case you would have the default channel policy "safeguard_default" but inside of it there are two Session Shell channel rules:

    1. The first session shell rule, which has the content policy selected and the target server that will be applicable for this content policy.

    2. The second session shell rule, which is the original one and does *not* have any content policy or target listed.

    This way, if the session is going to the target server in the top channel rule, then the content policy is applied.

    If the session is pointed to a different target, then the second channel rule applies and no content policy is applied.

    Hope this helps?

    Thanks!
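
An added illustration, not part of the thread and not SPS configuration syntax: a small Python model of the top-down, first-match evaluation described in the reply above, showing why the rule carrying the content policy has to sit above the unrestricted Session Shell rule. The rule names, the content policy name test_content_policy and the 192.0.2.x addresses are constructed for the example, and only IP targets are modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class ChannelRule:
    name: str
    channel_type: str                      # e.g. "Session Shell"
    targets: tuple = ()                    # empty tuple = any target
    content_policy: Optional[str] = None   # None = no content policy

    def matches(self, channel_type, target_ip):
        if channel_type != self.channel_type:
            return False
        if not self.targets:
            return True
        return any(ip_address(target_ip) in ip_network(t) for t in self.targets)

def first_match(rules, channel_type, target_ip):
    """Return the first rule that matches, evaluated top to bottom, or None."""
    for rule in rules:
        if rule.matches(channel_type, target_ip):
            return rule
    return None

def shadowed_rules(rules):
    """Names of rules that can never win because an earlier rule of the
    same channel type has no target restriction (a catch-all)."""
    shadowed, catch_all_seen = [], set()
    for rule in rules:
        if rule.channel_type in catch_all_seen:
            shadowed.append(rule.name)
        elif not rule.targets:
            catch_all_seen.add(rule.channel_type)
    return shadowed

# Constructed sample rules (hypothetical names and addresses).
TEST_RULE = ChannelRule("shell-with-content-policy", "Session Shell",
                        ("192.0.2.10/32",), "test_content_policy")
DEFAULT_RULE = ChannelRule("shell-default", "Session Shell")
RECOMMENDED = [TEST_RULE, DEFAULT_RULE]   # order suggested in the reply
REVERSED = [DEFAULT_RULE, TEST_RULE]      # catch-all placed first

def applied_content_policy(rules, target_ip):
    rule = first_match(rules, "Session Shell", target_ip)
    return rule.content_policy if rule else None
```

With the catch-all rule first, shadowed_rules reports the test rule as unreachable, which is the same symptom as a content policy that never seems to take effect.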