Frequently Asked Question
To configure your GENAccess policies, please profile the information below and return it to the helpdesk. Each section explains what is needed and why.
1. User or Group Being Granted Access
Specify who this policy applies to. This is typically a named user, a job role, or a group (e.g., Active Directory or identity provider group).
- User(s) / Group(s): (e.g.,
finance-team,john.smith@example.com)
2. Exit Nodes (Internet Egress)
An exit node routes a peer's internet traffic through a designated gateway, providing a predictable egress IP address. Leave blank if any exit node is allowed.
- Which exit node(s) are permitted? (e.g.,
uk-exit-01, or "any available")
3. Permitted Subnets / Routes
List the network ranges the user should be able to reach. These are advertised routes — typically internal LAN segments or specific subnets behind a relay peer.
| Subnet (CIDR) | Description |
|---|---|
e.g. 192.168.1.0/24 | Office LAN |
e.g. 10.10.0.0/16 | Server VLAN |
- If entire LAN access is required, state the LAN range and confirm full access is intended.
- If access should be restricted to specific hosts, list individual IPs (e.g.,
10.10.0.50/32).
4. Access Policy Rules (Ports & Protocols)
For each subnet or host above, define what traffic is permitted. If no restriction is needed (full access), state "all traffic".
| Source (User/Group) | Destination (Host or Subnet) | Protocol | Port(s) | Purpose |
|---|---|---|---|---|
e.g. finance-team | 10.10.0.50/32 | TCP | 443 | Internal web app |
e.g. finance-team | 192.168.1.0/24 | Any | All | Full LAN access |
e.g. dev-team | 10.10.0.20/32 | TCP | 22 | SSH to dev server |
Common protocol/port examples for reference:
- RDP — TCP
3389 - SSH — TCP
22 - HTTPS — TCP
443 - SMB (file shares) — TCP
445 - All traffic — Protocol:
Any, Ports:All
5. Posture Checks
Posture checks enforce device compliance before access is granted. Indicate which checks should apply to this policy.
| Check | Requirement | Example Value |
|---|---|---|
| NetBird client version | Minimum version | e.g. 0.28.0 |
| Operating system | Allowed OS types | e.g. Windows 11, macOS 14+ |
| OS version (minimum) | Minimum build/version | e.g. Windows 10.0.19041 |
| Geo-location | Permitted countries | e.g. United Kingdom, Ireland |
| Network (peer IP range) | Restrict by source network | e.g. 82.x.x.x/24 (office IP) |
- If no posture checks are required, explicitly state "No posture checks".
- If you are unsure, the helpdesk can advise on appropriate checks based on your risk profile.
6. Policy Direction
Policies are directional. Confirm the required direction:
- Bidirectional — the user peer and the destination can initiate connections to each other.
- Unidirectional — only the user peer can initiate connections (most common for remote access).
7. Additional Notes
Include any time-based restrictions, temporary access requirements, or other constraints not covered above.
