Frequently Asked Questions

What is the difference between ZTNA and existing NAC products?

The following features have been added to implement Zero Trust security policies on top of the capabilities of existing NACs:

- Dynamic destination access control for communication between sensor-managed nodes, from the internal network to the Cloud, and for access from home.
- ZTNA Client functionality that provides enhanced endpoint security and a secure communication environment for telecommuters.
- Cloud information collection for visibility into, and Zero Trust access control of, the Cloud server segment.
- Cloud Gateway functionality that provides dynamic access control for the Cloud server segment and for Internet access.
- Cloud Security Group Management for automated security policy management on Cloud servers.
- Netflow (IPFIX)-based NTA capabilities that provide visibility into network traffic.
- A security news feed that informs you of the latest security news and the nodes it relates to.
- New Dashboard, extended Node Types, and a platform-image-based grid view.

What is Zero Trust security policy and how does ZTNA provide it?

Zero Trust means that, by default, every device accessing the network is allowed to reach only the services/servers essential to its role; everything else is denied. To do this, both the origin and the destination must be classified very precisely according to their role (Micro Segmentation). ZTNA manages origins and destinations, including Cloud destinations, through node groups that offer more than 500 conditional expressions. The new ZTNA allows these node groups to be used as destinations when defining the network access permitted to finely classified user terminals. When destination control is based on node groups, the security policy is updated automatically from each node's status/properties/Tags, etc., moving away from the IP/Subnet-based security policy provided by existing products.
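The following is an added example, not Genian ZTNA code, that illustrates the point above: a node group is a set of conditions over a node's status, properties and tags, and allow rules are written between groups with everything else denied by default. The group names, node attributes, ports and rules are constructed for illustration; the product's own conditional expressions and policy format are not reproduced here.

```python
"""Added example (not Genian ZTNA code): attribute-based node groups with default deny.

Because a node group is defined by conditions rather than by an IP list, a policy
written against groups follows the node as its state changes.  All group names,
attributes and rules below are constructed for illustration.
"""
from dataclasses import dataclass, field, replace


@dataclass
class Node:
    ip: str
    status: str                         # constructed values: "compliant" / "quarantined"
    tags: frozenset = frozenset()
    props: dict = field(default_factory=dict)


# A node group is a set of conditions, not an address list (constructed groups).
NODE_GROUPS = {
    "finance-laptops": {"status": "compliant", "tags_all": {"finance", "laptop"}},
    "finance-db":      {"tags_all": {"finance", "database"}},
    "dns-servers":     {"props": {"role": "dns"}},
}


def in_group(node: Node, name: str) -> bool:
    """True when the node satisfies every condition of the named group."""
    cond = NODE_GROUPS[name]
    if "status" in cond and node.status != cond["status"]:
        return False
    if not cond.get("tags_all", set()) <= node.tags:
        return False
    for key, value in cond.get("props", {}).items():
        if node.props.get(key) != value:
            return False
    return True


# Allow rules: (source group, destination group, permitted ports).
# Anything not matched by a rule is denied, which is the Zero Trust default.
ALLOW_RULES = [
    ("finance-laptops", "finance-db", {5432}),
    ("any", "dns-servers", {53}),
]


def is_allowed(src: Node, dst: Node, port: int) -> bool:
    """Evaluate the group-based allow list; fall through to deny."""
    for src_group, dst_group, ports in ALLOW_RULES:
        src_ok = src_group == "any" or in_group(src, src_group)
        dst_ok = dst_group == "any" or in_group(dst, dst_group)
        if src_ok and dst_ok and port in ports:
            return True
    return False


def demo() -> dict:
    """Run the policy over constructed nodes and return the decisions."""
    laptop = Node("10.1.1.10", "compliant", frozenset({"finance", "laptop"}))
    db = Node("10.9.0.5", "compliant", frozenset({"finance", "database"}))
    dns = Node("10.0.0.53", "compliant", props={"role": "dns"})
    return {
        "laptop->db:5432": is_allowed(laptop, db, 5432),
        "laptop->db:22": is_allowed(laptop, db, 22),
        "laptop->dns:53": is_allowed(laptop, dns, 53),
        # Same IP, but the node is now quarantined: its group membership, and
        # therefore its access, changes without editing any IP/subnet rule.
        "quarantined->db:5432": is_allowed(replace(laptop, status="quarantined"), db, 5432),
    }


if __name__ == "__main__":
    for flow, decision in demo().items():
        print(f"{flow:24} {'ALLOW' if decision else 'DENY'}")
```

The last entry of `demo()` is the behaviour the answer above describes: once the laptop's status changes, it drops out of the `finance-laptops` group and the database rule no longer applies to it, while the rule text itself is unchanged.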

Do I need new equipment or network configuration for dynamic destination control?

No, no new equipment or network configuration changes are required when operating ZTNA in an existing sensor-installed environment. Dynamic access control works without configuration changes through communication between sensors using standard VXLAN SGT. Access control can be applied out-of-band, using Genians' patented ARP-based virtual in-line method, or in-band by deploying an in-line gateway sensor, so you can choose the method that suits the deployment environment.

How can dynamic destination control be applied when accessing servers (workloads) that exist in the cloud?

Cloud access control can be applied in two ways. The first method is to manage the IP list of devices permitted to access the server by synchronizing a node group with the Security Group feature provided by the Cloud. The second method is to configure the Cloud Gateway so that all communication passes through it for access control. In this case, you can use an SSL-VPN-based G2C method for specific terminals only, or a G2G method using IPSec for network-level connections.

Is the user's network traffic visibility provided when performing dynamic access control?

Yes, ZTNA provides standard Netflow (IPFIX)-based audit records for connections through sensors/gateways. Each record carries the 5-tuple and the policy information, as well as GeoIP, BGP AS, HTTPS Encrypted Traffic Analysis (ETA), HTTP Request information, etc.

What is the difference between the dynamic access control provided by ZTNA and the controller-type SDN?

The SDN method, which handles dynamic access control for all connections on one central controller, has the problem that all communication is interrupted if the controller fails. In contrast, Genian ZTNA's dynamic access control uses the standard VXLAN SGT method, and dynamic access control for previously authorized terminals continues to operate normally even if the policy server fails. In addition, it is provided through Genians' own ARP virtual in-line method, so there is no need to change the physical network configuration or network settings at all.

What happens if a ZTNA sensor failure occurs when using dynamic destination access control?

If you are operating in out-of-band host sensor mode, the network access control function is disabled if the sensor fails. If you are operating in-band with the Cloud Gateway, you can recover faster than with an on-premises appliance through a simple instance reboot or re-creation.

What are the benefits of ZTNA over traditional VPNs?

By default, ZTNA provides the IPSec and SSL-VPN capabilities offered by traditional VPNs. The ZTNA Client is integrated into the NAC Agent and supports Zero Config. The PoP can be located in the Cloud, dramatically reducing WAN segment traffic and giving users faster network access than traditional VPNs, where all traffic enters the company network. PoPs can be located in various countries/continents, making it suitable for global companies (multiple PoPs and latency-based automatic PoP selection). Network access can be restricted to devices that have passed the device integrity check provided by the NAC Agent, and access continues to be controlled through continuous device health checks while the network is in use.

Does ZTNA support Multi Cloud environments?

Using more than one Cloud service is becoming common as Cloud environments grow more complex. ZTNA provides an easy way to simplify and automate the establishment of different security policies for different Cloud providers. When security policies for Cloud servers/services are defined through ZTNA, security groups are applied automatically through the industry-standard Terraform, without the need for a separate UI/API/CLI for each Cloud service.
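As an added example that is not Genian ZTNA code, the sketch below ties together the first Cloud access control method described earlier (synchronizing a node group's IP list into a Cloud Security Group) and the Terraform-based application described in this answer. It derives the desired ingress CIDRs from the node group's members, diffs them against the rules currently on the security group, and renders the desired state as a Terraform `aws_security_group` block (the resource shape is Terraform's AWS provider; the node group, addresses, port and security group name are constructed for illustration, and the product's own synchronization logic is not reproduced).

```python
"""Added example (not Genian ZTNA code): reconcile a node group into a cloud security group.

Desired state comes from node group membership, not from a hand-maintained IP list.
The plan is the minimal add/remove set, and the desired state is rendered as
Terraform HCL so the same definition can be applied to the provider without a
provider-specific console or CLI.  All names and addresses are constructed.
"""
import ipaddress


def desired_ingress(members):
    """Host CIDRs (/32 or /128) for every member of the node group."""
    return {str(ipaddress.ip_network(ip)) for ip in members}


def plan(desired, current):
    """Return (to_add, to_remove) so that applying both makes current equal desired."""
    return sorted(desired - current), sorted(current - desired)


def render_terraform(name, port, cidrs):
    """Render the desired ingress as a Terraform aws_security_group resource.

    Only the listed ingress is allowed; a security group denies everything else.
    """
    cidr_list = ", ".join(f'"{c}"' for c in sorted(cidrs))
    return "\n".join([
        f'resource "aws_security_group" "{name}" {{',
        f'  name = "{name}"',
        "  ingress {",
        f"    from_port   = {port}",
        f"    to_port     = {port}",
        '    protocol    = "tcp"',
        f"    cidr_blocks = [{cidr_list}]",
        "  }",
        "}",
    ])


def reconcile(members, current_cidrs, name, port):
    """Compute the change plan and the Terraform definition for the desired state."""
    desired = desired_ingress(members)
    to_add, to_remove = plan(desired, set(current_cidrs))
    return {
        "to_add": to_add,
        "to_remove": to_remove,
        "hcl": render_terraform(name, port, desired),
    }


def demo():
    # Constructed scenario: 10.1.1.11 joined the node group, 10.1.1.99 left it
    # (for example because it no longer meets the group's conditions).
    members = ["10.1.1.10", "10.1.1.11", "2001:db8::10"]
    current = {"10.1.1.10/32", "10.1.1.99/32", "2001:db8::10/128"}
    return reconcile(members, current, name="finance_db_clients", port=5432)


if __name__ == "__main__":
    result = demo()
    print("add:   ", result["to_add"])
    print("remove:", result["to_remove"])
    print(result["hcl"])
```

Because the desired state is recomputed from group membership, a node that stops meeting the group's conditions is removed from the security group on the next reconciliation without anyone editing an IP list, which is the property the answer above relies on.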

Can Cloud Security Group Management be applied only to Public Cloud?

No, it is also applicable to private clouds such as VMware/Citrix, and to HCI and hybrid clouds such as Nutanix. Furthermore, a variety of providers can be supported, including switches, security equipment, and SaaS services; support is added sequentially on request.

What is the difference between ZTNA and SASE?

SASE's approach is to route all network access control through the Cloud Gateway, placing all security systems in the Cloud. This shifts the security system from on-premises-centric to Cloud-centric. ZTNA provides the ZTNA Client and Cloud Gateway needed to do this. The Cloud Gateway offers a variety of tunneling methods, including IPSec, SSL-VPN, GRE, and VXLAN, so that different branches and telecommuters can create secure communication channels. ZTNA thus allows users to build their own SASE service.

Does ZTNA support Multi-Tenancy?

ZTNA supports Kubernetes-based multi-tenant environments that serve multiple tenants, in addition to the traditional single-tenant product. This allows you to build a system that provides independent, managed services for multiple domains within the client company.

What is the product release cycle?

Genian ZTNA releases a new minor version every month.

Can I downgrade my software version?

No, downgrade is not supported. To return to an earlier version, create a backup before you upgrade, then reinstall the software and restore the backup data.

Is the communication between each component encrypted?

Yes, communication between each component is encrypted through TLS.

What if I exceed the license amount?

See step 1 on Sizing Software and Hardware

How can I check Windows update of endpoints?

See step 1 on Update Windows

How come the blocked Nodes cannot open the CWP through Genian ZTNA?

See step 1 on Blocked Nodes are not redirected to CWP page

What Regex engine does Genian ZTNA utilize?

Genian ZTNA utilizes Perl Compatible Regular Expressions. For information, including the syntax reference, see the following resources:

Can User Credentials from Active Directory be used to access the Web Console?

Yes. To configure this, you must set up both authentication integration and user database synchronization with an AD domain controller. Finally, the Active Directory user must be selected in the Genians user database and assigned the superAdmin role.

Can Node info be imported from a wireless controller via SNMP?

No, this function is not supported.

Why can't I collect domain information from my Agentless environment?

Domain name and host name information in an Agentless environment is collected via two methods:

Method 1 - The Sensor extracts the domain name and host name from NetBIOS packets. Be sure to add a sensor interface in each subnet for which you wish to collect this information.

Method 2 - WMI collection of the domain, host name and other information is possible if configured. If domain or host name information is not being populated by the Sensor, see the following document on how to configure this feature.

WMI Node Info Scan

Why is the Agentless device host name not collected?

Domain name and host name information in an Agentless environment is collected via two methods:

Method 1 - The Sensor extracts the domain name and host name from NetBIOS packets. Be sure to add a sensor interface in each subnet for which you wish to collect this information.

Method 2 - WMI collection of the domain, host name and other information is possible if configured. If domain or host name information is not being populated by the Sensor, see the following document on how to configure this feature.

WMI Node Info Scan

Why can't I collect device information in my Agentless environment, even after configuring Agentless WMI collection?

In Windows 10 version 2004 there are known issues with WMI not functioning properly due to DCOM version issues. The recommendation is to upgrade to a later version. If upgrading is not possible, please contact your technical support representative.

Why is there an 'Agent Not Installed' policy even though we are using Agentless?

The default enforcement policies are created on the assumption that the Agent is installed. You can create or delete policies to suit your environment and then use them.

When is the update cycle of Genian data?

Genian data is updated automatically at the configured interval when the scan interval is set at Web Console > Preferences > Miscellaneous > Genian data settings > Scan interval and the Automatic Update item below it is set to On.

How can I collect wireless LAN SSIDs?

Please refer to the following document: Controlling WLAN

How do I control access to the terminal wireless LAN?

Terminal wireless LAN access control can be performed in two ways: disable the wireless network adapter (Controlling Network Interface), or restrict wireless LAN AP access (Controlling WLAN).

How do you control terminals that share and use networks using wired/wireless?

Such terminals can be restricted through the Multi-Homed / Ad hoc Network anomaly definition policy (Understanding Anomaly Detection).

How do you control unnecessary administrator web access?

Session management (Managing Administrator Connections) allows unnecessary access sessions to be forcibly terminated.