EagleSafe ZTB lets administrators control access between devices using groups and access policies. Policies define which devices can connect, on which protocols and ports, enforcing Zero Trust principles where no connection is permitted unless explicitly allowed.
Concepts
Groups
A group is a set of peers (devices with the ZTB agent installed). Groups are used as the source and destination of access policies. Key properties:
- Each group name is unique.
- A peer can belong to multiple groups simultaneously.
- Groups can be created inline when defining a policy, or from Access Control → Groups.
- Groups can be assigned automatically to peers registered with a setup key — see Setup Keys.
The "All" group
The All group is a built-in group that automatically includes every peer in your tenant network. It cannot be renamed or deleted.
Policies
A policy defines which source group can connect to which destination group. Only ALLOW policies exist — traffic not covered by any policy is denied by default. Each policy has a direction:
- Bidirectional: both groups can initiate the connection.
- Unidirectional: only the source group can initiate.
Policies can be restricted to specific protocols (TCP, UDP, ICMP, or ALL) and port ranges (e.g. 8000-9000).
The Default policy
When your tenant is first provisioned, a Default policy is created that allows all peers to connect to each other (source: All, destination: All). This is suitable for initial testing. For production environments, it is recommended to delete the Default policy and create more restrictive policies using custom groups.
Managing policies
Create a policy
- Go to Access Control → Policies and click Add Policy.
- Select or create the Source and Destination groups.
- Set the protocol (ALL, TCP, UDP, ICMP) and optionally restrict to specific ports or port ranges.
- Set the direction (bidirectional or unidirectional).
- Give the policy a name and click Add Policy.
New policies take effect immediately. If the Default policy is still active, remove it after creating your custom policies to enforce the intended restrictions.
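The policy semantics described above (ALLOW-only rules, default deny, direction, protocol and port restrictions) can be modelled offline to see why a Default policy that is still active overrides the restrictions of custom policies. This is an added example, not EagleSafe code or its API; the Policy fields, the peer, group and policy names, and the port-matching rule are assumptions of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    source: str              # source group
    destination: str         # destination group
    protocol: str = "ALL"    # ALL, TCP, UDP or ICMP
    ports: tuple = ()        # inclusive (low, high) ranges; empty means any port
    bidirectional: bool = True
    active: bool = True

def groups_of(peer, membership):
    # The built-in All group contains every peer.
    return set(membership.get(peer, ())) | {"All"}

def allowing_policies(policies, membership, initiator, responder, protocol, port=None):
    """Names of active policies that allow initiator -> responder; [] means denied."""
    src, dst = groups_of(initiator, membership), groups_of(responder, membership)
    hits = []
    for p in policies:
        if not p.active or p.protocol not in ("ALL", protocol):
            continue
        # Model assumption: a port-restricted policy matches only traffic with a port in range.
        if p.ports and (port is None or not any(lo <= port <= hi for lo, hi in p.ports)):
            continue
        forward = p.source in src and p.destination in dst
        reverse = p.bidirectional and p.source in dst and p.destination in src
        if forward or reverse:
            hits.append(p.name)
    return hits

# Constructed sample data (hypothetical peers, groups and policy names).
MEMBERSHIP = {"laptop-1": ["Developers"], "db-1": ["Databases"], "printer-1": []}
DEFAULT = Policy("Default", "All", "All")
DEV_TO_DB = Policy("dev-to-db", "Developers", "Databases", "TCP", ((5432, 5432),), bidirectional=False)

if __name__ == "__main__":
    for label, policies in (("Default still active", [DEFAULT, DEV_TO_DB]),
                            ("Default removed", [DEV_TO_DB])):
        print(label)
        for a, b, port in (("laptop-1", "db-1", 5432), ("printer-1", "db-1", 5432),
                           ("db-1", "laptop-1", 5432), ("laptop-1", "db-1", 22)):
            hits = allowing_policies(policies, MEMBERSHIP, a, b, "TCP", port)
            print(f"  {a} -> {b} tcp/{port}: {'ALLOW via ' + ', '.join(hits) if hits else 'DENY'}")
```

With the Default policy present, every test connection is allowed through it, including the peer that belongs to no custom group; once it is removed, only the Developers to Databases connection on TCP 5432 remains allowed.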
Add peers to a group
Go to Peers, click on a peer, then use the Assigned Groups field to assign it to one or more groups. Alternatively, use setup key auto-grouping to assign peers automatically at registration time.
Update a policy
Click on the policy name in Access Control → Policies to edit its groups, protocols, ports, direction, or description.
Disable a policy
Use the toggle in the Active column of the policy table to temporarily disable a policy without deleting it.
Delete a policy
Click Delete next to the policy in the table and confirm. Deleted policies cannot be recovered.
Managing groups
Create a group
You can create groups in two ways:
- Inline: type a new name in any group input field in the dashboard and press Enter.
- From the Groups page: go to Access Control → Groups and click Create Group.
View group details
Go to Access Control → Groups and click on a group name to see all associated peers, users, policies, network routes, and setup keys that reference that group.
Rename a group
Go to Access Control → Groups, click the menu (⋮) next to the group, select Rename, enter the new name and save. Groups synchronized from an Identity Provider cannot be renamed.
Delete a group
Go to Access Control → Groups, click the menu (⋮) next to the group, select Delete and confirm. Groups with active dependencies (policies, routes, setup keys) must have those dependencies removed first. Groups synchronized from an Identity Provider cannot be deleted.