mirror of
https://github.com/netbirdio/docs.git
synced 2026-04-20 09:26:37 +00:00
New Group and Access Policies Document and Initial Reorganization of Access Control Structure (#477)
* New Access Control and ReOrg
* Enhance Access Control Documentation and Add New Resources
  - Updated `next.config.mjs` to include new redirects for access control documentation.
  - Added multiple images related to access control and endpoint detection and response.
  - Refactored links in various documentation files to point to the new access control structure.
  - Removed outdated documentation files and created new ones for managing access control and endpoint detection.
  - Introduced a new section for understanding posture checks and their implementation in access control.

  This commit aims to improve the organization and clarity of access control resources, aligning with the recent restructuring of documentation.
* Remove outdated Intune MDM documentation and update links in access control resources. This commit enhances the organization of the documentation by eliminating obsolete files and ensuring all references to Microsoft Intune are correctly aligned with the new structure.
* Fix typos in access control documentation for clarity and accuracy. Updated "Understnading" to "Understanding" and corrected "NerBird" to "NetBird" in relevant sections.
* Fix typo in Access Control section
* Fix formatting in posture checks documentation
* Added a space in the Posture Checks reference for clarity.
@@ -113,7 +113,7 @@ Once you save your policy, it is a good practice to disable or modify the defaul

This tailored access policy ensures that only authorized devices (your local machine) can communicate with the Kubernetes cluster, significantly improving your network's security posture. As your environment scales, this policy will automatically apply to new pods, maintaining consistent access control.

For more detailed information on configuring access policies, refer to the [NetBird Access Policies documentation](/how-to/manage-network-access).
For more detailed information on configuring access policies, refer to the [NetBird Access Policies documentation](/manage/access-control/manage-network-access).

## 4. Deploying a Sample Application with NetBird Agent

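Review bot: the replaced link in this hunk depends on the new `/manage/access-control/manage-network-access` route and on a redirect for the old `/how-to/manage-network-access` slug, which the commit message says was added to `next.config.mjs`; please confirm the redirect is present so bookmarks and external references keep resolving. The root-relative form used here is preferable to the absolute `https://docs.netbird.io/...` form used for the same target in other files of this change, because it follows preview deployments; consider aligning the other files on it.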
@@ -21,7 +21,7 @@ In this scenario, an AI software company needs secure access to its internal dom
### Implementation Steps

- **Network Setup**: Using NetBird's Networks you can configure a secure network that connects local and remote users to these internal environments through routing peers. This involves configuring wildcard domains for both environments to enable seamless access while accommodating future growth.
- **Access Control**: NetBird's [Access Policies](https://docs.netbird.io/how-to/manage-network-access) allows you to implement stringent policies that enforce zero trust principles, assigning different access permissions to developers and data scientists. For instance, you can grant developers access to `*.dev.example.com`, while data scientists gain access to `*.ai.example.com`. This clear separation ensures that team members only access the resources essential to their roles, maintaining a robust security posture.
- **Access Control**: NetBird's [Access Policies](https://docs.netbird.io/manage/access-control/manage-network-access) allow you to implement stringent policies that enforce zero trust principles, assigning different access permissions to developers and data scientists. For instance, you can grant developers access to `*.dev.example.com`, while data scientists gain access to `*.ai.example.com`. This clear separation ensures that team members only access the resources essential to their roles, maintaining a robust security posture.
- **Operational Benefits**: This configuration supports uninterrupted workflows, allowing developers and data scientists to work efficiently without connectivity issues. Furthermore, NetBird's centralized management of routing peers simplifies handling resources distributed across different networks, ensuring seamless connectivity and reducing complexity. Additionally, the process of creating new resources is streamlined, reducing administrative overhead and accelerating responses to frequent resource requests.

## Pre-requisites
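Review bot: the heading `## Pre-requisites` in the trailing context of this hunk is spelled with a hyphen while the CrowdStrike page removed later in this change uses `## Prerequisites`; pick one spelling across the docs (the unhyphenated form is standard). The subject-verb fix in the changed bullet (`Access Policies ... allow`) is correct but unrelated to the link move; a one-line mention in the commit message would make the diff easier to audit.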
@@ -227,4 +227,4 @@ Available Networks:
Resolved IPs: -
```

However, using your newly acquired knowledge, you can create access policies for each subdomain or organize data scientists into teams with varied permissions. With NetBird, the possibilities are endless.
However, using your newly acquired knowledge, you can create access policies for each subdomain or organize data scientists into teams with varied permissions. With NetBird, the possibilities are endless.

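Review bot: the removed and added `However, using your newly acquired knowledge...` lines in this hunk are textually identical, so the change is invisible in review and is presumably trailing whitespace or a line-ending difference; either drop it to keep the diff focused on the link migration, or note the whitespace normalization in the commit message so the hunk does not look accidental.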
@@ -8,7 +8,7 @@ Imagine a company that runs its accounting application at the subdomain `account

To this end, the company deployed [NetBird clients](https://docs.netbird.io/how-to/getting-started) on the devices used by both the finance and support teams. Complementing this, [NetBird routing peers](https://docs.netbird.io/how-to/networks-concept#routing-peers) were configured within the AWS VPC using [setup keys](https://docs.netbird.io/how-to/setup-keys-add-servers-to-network). This configuration guarantees a solid foundation for streamlined and secure connectivity.

More importantly, this setup allows the company to use NetBird's Networks and [Access Policies](https://docs.netbird.io/how-to/manage-network-access), to ensure that only authorized finance and support team members access the restricted website domain as follows:
More importantly, this setup allows the company to use NetBird's Networks and [Access Policies](https://docs.netbird.io/manage/access-control/manage-network-access), to ensure that only authorized finance and support team members access the restricted website domain as follows:

- **Finance Team**: HTTP and HTTPS access to the website frontend at `accounting.example.com` over ports `80` and `443`, respectively.
- **Support Team**: SSH access to backend resources at `example.com` over port `22`, enabling server management, troubleshooting, and support tasks.

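Review bot: the changed sentence keeps a stray comma in `Networks and [Access Policies](...), to ensure that`; since the line is being rewritten anyway, drop the comma. The neighbouring links to `/how-to/getting-started`, `/how-to/networks-concept#routing-peers` and `/how-to/setup-keys-add-servers-to-network` in the context lines stay on the old tree, which is fine if those pages are not moving, but note that `networks-concept` differs from the `/how-to/networks` slug used in the Control Center related-docs list elsewhere in this change; worth confirming both resolve.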
@@ -25,7 +25,7 @@ Before beginning this tutorial, ensure you have the following prerequisites in p

## Setting Up NetBird Access Policies for Team-Specific Permissions

[NetBird's Access Control Policies](https://docs.netbird.io/how-to/manage-network-access) let you implement a zero-trust security approach alongside Acronis Cyber Protect Cloud. They enable you to define precise permissions based on user groups and resource categories, ensuring that team members can only access what they need for their specific roles. This granular approach aligns with MSP requirements for managing multiple client environments with distinct access requirements.
[NetBird's Access Control Policies](https://docs.netbird.io/manage/access-control/manage-network-access) let you implement a zero-trust security approach alongside Acronis Cyber Protect Cloud. They enable you to define precise permissions based on user groups and resource categories, ensuring that team members can only access what they need for their specific roles. This granular approach aligns with MSP requirements for managing multiple client environments with distinct access requirements.

These policies work in tandem with Acronis RMM's monitoring and management capabilities. While Acronis monitors system compliance and maintains device health, NetBird enforces network-level access restrictions based on predefined group memberships.

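Review bot: link text for the same destination varies across this change: this hunk says `NetBird's Access Control Policies`, the AI company scenario says `Access Policies`, and the remote-workload guide says `NetBird Access Policies`; settle on the destination page's own title, `Groups and Access Policies` (as the Control Center related-docs list calls it), so readers recognise where the link leads. The link change itself is correct.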
@@ -40,7 +40,7 @@ Here are a few links that might be handy as you venture further into NetBird:

- [Add users to your network](/how-to/add-users-to-your-network)
- [Require a peer approval from the administrator](/how-to/approve-peers)
- [Allow only managed devices in the network](/how-to/endpoint-detection-and-response)
- [Allow only managed devices in the network](/manage/access-control/endpoint-detection-and-response)
- [Use setup keys to automate NetBird deployments](/how-to/register-machines-using-setup-keys)

<p float="center" >

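Review bot: in this list only the EDR item moves to `/manage/access-control/...` while `/how-to/add-users-to-your-network`, `/how-to/approve-peers` and `/how-to/register-machines-using-setup-keys` stay on the old tree; if those pages are intentionally staying, fine, otherwise they need the same treatment. Visible in the trailing context, not part of the change: `<p float="center" >` uses `float`, which is not a recognised attribute on `<p>` in HTML or JSX and has no effect; a `style` prop or the site's existing wrapper class would centre the image.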
@@ -37,7 +37,7 @@ To approve a peer, navigate to the [peers tab](https://app.netbird.io/peers) and
## Automate peer approval with EDR integrations
NetBird integrates with popular EDR solutions like [CrowdStrike](https://www.crowdstrike.com/) to automate peer approval
and allow only trusted devices to join the network.
Check the [EDR integrations](/how-to/endpoint-detection-and-response) guide for more information on how to enable this feature.
Check the [EDR integrations](/manage/access-control/endpoint-detection-and-response) guide for more information on how to enable this feature.

## Get started
<p float="center" >

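Review bot: the link text `EDR integrations` points at `endpoint-detection-and-response`, but the overview page retired in this change (`Integrate NetBird with MDM & EDR Platforms`) also covers MDM via Microsoft Intune; if the new page keeps that scope, call it `EDR and MDM integrations` here so Intune users find it. The preceding sentence is split across two source lines mid-clause (`to automate peer approval` / `and allow only trusted devices`); Markdown joins them, so no change needed there.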
@@ -45,6 +45,6 @@ Let's say the current project is finished, and you no longer want members of the


Once the changes synchronize in NetBird, users and their group memberships will be updated; therefore,
[network access associated with that group](https://docs.netbird.io/how-to/manage-network-access) will automatically be revoked.
[network access associated with that group](https://docs.netbird.io/manage/access-control/manage-network-access) will automatically be revoked.


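Review bot: fine as a pure link move; while this line is being edited, consider joining it with the preceding context line, which ends mid-clause on `therefore,`, so the sentence is a single grep-able source line. As with the other absolute `https://docs.netbird.io/how-to/manage-network-access` references in this change, the redirect on the old path is what keeps external copies of the URL working, so confirm it is in `next.config.mjs`.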
@@ -69,7 +69,7 @@ Use this to see who can access resources in your routed [networks](/how-to/netwo
## Editing policies from the graph

- **Open editor:** Click an access control policy chip in any view to open the standard policy editor.
- **What you can change:** Use the editor to modify the usual policy fields as documented in [Access Control](/how-to/manage-network-access), including sources, destinations, protocols, ports, and posture checks.
- **What you can change:** Use the editor to modify the usual policy fields as documented in [Access Control](/manage/access-control/manage-network-access), including sources, destinations, protocols, ports, and posture checks.
- **Create vs edit:** You can edit existing policies from Control Center. Creating a new policy still happens in the Access Control section.

## Quick start
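Review bot: the changed bullet lists `posture checks` among the editable fields but links only the Access Control page; this same change introduces `/manage/access-control/posture-checks` (see the Related docs hunk of this file), so link the words `posture checks` there as well. The `Create vs edit` bullet and the rest of the section are unaffected.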
@@ -88,7 +88,7 @@ Use this to see who can access resources in your routed [networks](/how-to/netwo

## Related docs

- [Manage network access with Groups and Access Policies](/how-to/manage-network-access)
- [Apply posture checks to policies](/how-to/manage-posture-checks)
- [Manage network access with Groups and Access Policies](/manage/access-control/manage-network-access)
- [Apply posture checks to policies](/manage/access-control/posture-checks)
- [Networks and routing peers](/how-to/networks)
- [MSP portal overview](/how-to/msp-portal)

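Review bot: the posture checks item changes slug as well as directory (`/how-to/manage-posture-checks` to `/manage/access-control/posture-checks`), unlike the other migrated page which keeps its slug; make sure the `next.config.mjs` redirect covers the old `manage-posture-checks` slug, including fragment links such as `#peer-network-range` that the removed office-connectivity example used, otherwise inbound links break. The remaining two items stay under `/how-to/`, consistent with those pages not moving.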
@@ -1,88 +0,0 @@
# Restrict Network Access with CrowdStrike Falcon®

[CrowdStrike Falcon](https://www.crowdstrike.com/platform/) is a cloud-based endpoint protection platform that provides
comprehensive visibility and threat detection capabilities. CrowdStrike Falcon agent runs on your devices (endpoints),
collects, and analyzes endpoint data to detect and respond to threats in real-time. The agent's presence on endpoints and data
it collects can be utilized to enforce access policies and limit network access according to the "health" status of the
endpoints.

The integration of NetBird with CrowdStrike Falcon provides organizations with network security controls that allow
only IT-managed devices running CrowdStrike to access the network. Additionally, the integration uses [CrowdStrike's Zero Trust Assessment (ZTA) score](https://www.crowdstrike.com/press-releases/crowdstrike-extends-zero-trust-to-endpoint-devices/),
enabling administrators to further limit network access based on the security posture of each device.

CrowdStrike's Zero Trust Assessment (ZTA) score is a numerical representation of the security posture of a device with
a value ranging from 0 to 100. The score is calculated based on various factors, including the device's security configuration,
software vulnerabilities, and CrowdStrike's threat intelligence data. By integrating with CrowdStrike Falcon,
NetBird can ensure that only devices with a high security posture can access the network.

In this guide, we will walk you through the configuration steps to integrate CrowdStrike Falcon with NetBird and use ZTA score
to allow network access to devices that meet a specified ZTA threshold.

## Prerequisites

Before you start creating and configuring a CrowdStrike integration, ensure that you have the following:
- A CrowdStrike account with the permissions to create and manage API keys.
If you don't have the required permissions, ask your CrowdStrike administrator to grant them to you.

## Create a CrowdStrike API Key

- Navigate to the [API clients and keys](https://falcon.eu-1.crowdstrike.com/api-clients-and-keys/) page
- Click `Create API client` at the top, right corner
- Set Hosts - Read permission
- Set Zero Trust Assessment - Read permission
- Click `Create`
- Copy the credentials. You will need these credentials when configuring an integration in NetBird.

## Configure a CrowdStrike Integration in NetBird

- Navigate to the [Integrations » EDR](https://app.netbird.io/integrations?tab=edr) tab in the NetBird dashboard
- Click `Connect CrowdStrike` to start the configuration wizard
<p>
<img src="/docs-static/img/how-to-guides/crowdstrike-integration.png" alt="event-streaming-integration" className="imagewrapper-big"/>
</p>

- First, select the region of your CrowdStrike account
<p>
<img src="/docs-static/img/how-to-guides/crowdstrike-region.png" alt="crowdstrike-region" className="imagewrapper"/>
</p>
- Then enter the client ID and secret key you created in [Step 1](#step-1-create-a-crowd-strike-api-key) and click `Continue`
<p>
<img src="/docs-static/img/how-to-guides/crowdstrike-credentials.png" alt="crowdstrike-credentials" className="imagewrapper"/>
</p>
- Select groups you want to apply the integration to
- If you would like to apply a ZTA threshold, then enable the [Zero Trust Assessment Score](https://www.crowdstrike.com/blog/tech-center/securing-private-applications-with-crowdstrike-zero-trust-assessment-and-aws-verified-access/) and set the desired limit, and click `Connect`.
<p>
<img src="/docs-static/img/how-to-guides/crowdstrike-groups-zta.png" alt="crowdstrike-groups-zta" className="imagewrapper"/>
</p>

<Note>
The EDR check will apply only to machines in the selected groups and will require a running CrowdStrike agent.
</Note>
<Note>
You can also use groups [synchronized from your Identity Provider (IdP)](/how-to/idp-sync).
</Note>

- Peers that have the CrowdStrike agent installed will be granted access to the network. Peers without the agent will appear
with a `Approval required` mark in the peers list and won't be able to access the network until the agent is installed.

<p>
<img src="/docs-static/img/how-to-guides/edr-approval-required.png" alt="edr-approval-required" className="imagewrapper-big"/>
</p>

- Optional. You can experiment and see how the integration works by hiding hosts in the CrowdStrike Host management console:
- Navigate to the [Host management](https://falcon.crowdstrike.com/host-management/hosts) page in the CrowdStrike console
- Select a host you want to hide
- Click `Actions` and then `Hide`
- The host will be moved to Trash (you can restore it later)
- After about a minute, the peer will be disconnected from the network and marked as `Approval required` in the NetBird dashboard.
- To restore the host in CrowdStrike, navigate to the Trash and click `Restore`

<Note>
NetBird synchronizes the list of devices managed by the EDR platform via the API about every minute.
The changes might not be visible immediately.
</Note>

<Note>
If you install the CrowdStrike agent on a peer after it joined the network, you will need to disconnect and reconnect
this peer for the `Approval required` mark to disappear.
</Note>
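Review bot: this removes the CrowdStrike page wholesale, and the EDR overview page removed in this same change linked it as `/how-to/crowdstrike-edr`; confirm a redirect from that slug to the new location is in `next.config.mjs` and that the content was re-homed rather than dropped, since the commit message only says outdated files were removed. If the text is being moved, fix these on the way: the in-page anchor `[Step 1](#step-1-create-a-crowd-strike-api-key)` does not match the heading `## Create a CrowdStrike API Key`; `alt="event-streaming-integration"` on the `crowdstrike-integration.png` image is copied from another page; `a `Approval required` mark` should read `an`; and the region-specific `falcon.eu-1.crowdstrike.com` console URL in the API key step should either be generic, like the later `falcon.crowdstrike.com/host-management` link, or say that the host depends on the account's region.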
@@ -245,12 +245,12 @@ If everything goes as expected, you will see your remote workload in NetBird's `

## 3. Setting Up NetBird's Access Control for Secure Data Transfer

NetBird's `Default` access control policy assigns all peers to the `All` group, enabling bidirectional access between devices and users. While this default setting allows immediate connectivity between your remote workload and on-premise database, it's recommended to implement stricter access controls. [NetBird Access Policies](https://docs.netbird.io/how-to/manage-network-access) enable you to limit connections to the on-premise instance, ensuring only authorized users or devices can access it, thus enhancing security.
NetBird's `Default` access control policy assigns all peers to the `All` group, enabling bidirectional access between devices and users. While this default setting allows immediate connectivity between your remote workload and on-premise database, it's recommended to implement stricter access controls. [NetBird Access Policies](https://docs.netbird.io/manage/access-control/manage-network-access) enable you to limit connections to the on-premise instance, ensuring only authorized users or devices can access it, thus enhancing security.

To create a new policy:

* Go to `Access Control > Policies`
* Click `Add Policy` to create a new policy. For more details on creating access policies, refer to [Managing Access with NetBird: Groups and Access Policies](https://docs.netbird.io/how-to/manage-network-access).
* Click `Add Policy` to create a new policy. For more details on creating access policies, refer to [Managing Access with NetBird: Groups and Access Policies](https://docs.netbird.io/manage/access-control/manage-network-access).

For this use case, we disabled the `Default` policy and created the following one:

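Review bot: the unchanged opening of the edited paragraph says the `Default` policy `assigns all peers to the All group`; membership in `All` is automatic for every peer, and the `Default` policy only permits traffic between members of that group, so while the line is being rewritten reword it to something like `NetBird's Default policy allows bidirectional traffic between all peers, which are members of the All group by default`. The two link moves themselves are fine and consistent with the rest of the change.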
@@ -1,104 +0,0 @@

# Connecting from the office
A typical scenario administrators have is accessing their office networks remotely. With [Network routes](https://docs.netbird.io/how-to/routing-traffic-to-private-networks), NetBird makes this easy. Still, administrators often want to avoid routing their users’ traffic via NetBird when they are in the office.
To solve this, administrators can leverage the power of [Posture Checks](https://docs.netbird.io/how-to/manage-posture-checks)and create policies that allow connection to the routing peers only if they are outside the office by using
a [Peer Network Range](/how-to/manage-posture-checks#peer-network-range) posture check with a block action.

## Example
In the following scenario, our office network is on the subnet `192.168.1.0/24`. Let's assume all users will be part of the group `route-users`, and the routing peer for our office will be inside the group `route-nodes`.
With this in mind, the goal is to create a Posture Check, create a Policy and assign a Posture Check to it, and finally create a Network Route that will expose the office subnet.

### Create a Posture Check
To create a Posture Check, navigate to the `Access Control -> Posture Checks` section in the NetBird dashboard and click on **Add Posture Check**.

Select `Peer Network Range`.

<p>
<img src="/docs-static/img/how-to-guides/posture-check-new-block-network-range.png" alt="high-level-dia" className="imagewrapper"/>
</p>
Select the `Block` action and click on `Add Network Range` to input your office subbnet `192.168.1.0/24`.
<Note>
Note that if you have multiple locations that you want to see excluded, you can add multiple network ranges.
</Note>
<p>
<img src="/docs-static/img/how-to-guides/posture-check-block-network-range.png" alt="high-level-dia" className="imagewrapper"/>
</p>
Click `Save`, then click `Continue` and fill out `Name of the Posture Check` with "Exclude Office subnet”.

After we conclude this step, we are ready to create a policy and assign this posture check.
### Create a Policy
We start by creating a simple policy that will allow access from group `route-users` to group `route-nodes`.
This is needed to establish the connection between the users and the routing peer.

Navigate to the `Access Control -> Policies` section in the NetBird dashboard and click on `Add Policy`.

On the `Source` field, select the group `route-user`, and on the `Destination` field, select the group `route-nodes`.
Choose `UDP` for the protocol and type `1`on Ports. Click `Continue`.
<Note>
Note that the protocol and port are arbitrary and can be changed according to your needs. An usual choice is to allow ICMP traffic for troubleshooting purposes.
</Note>
<p>
<img src="/docs-static/img/how-to-guides/policy-office-subnet-with-posturecheck.png" alt="high-level-dia" className="imagewrapper"/>
</p>
In this step, we'll click `Browse Checks` and select the posture check we created earlier, `Exclude Office subnet`.

Click `Add Posture Checks` and then click `Continue`.
<p>
<img src="/docs-static/img/how-to-guides/policy-with-network-posturecheck-added.png" alt="high-level-dia" className="imagewrapper"/>
</p>
Give your policy the name "Allow users to route-nodes" and click on `Add Policy`.

We are now ready for the final step of creating the office route.

### Create a Network Route

Now, let's create a [Network Route](https://docs.netbird.io/how-to/routing-traffic-to-private-networks) that will expose the local office subnet `192.168.1.0/24`,
which will be distributed to all peers members of the group `route-users`. In this example, we will be using a routing peer named `router-01`,
which is a member of the group `route-nodes`, this way, the policy we just created goes into effect, and all peers from the group `route-users` will be able to reach
`router-01` only if they are not in the office network, due to our posture check.

To get started navigate to `Network Routes` menu on the NetBird dashboard and click on **Add Route**. Fill out the fields as shown in the image below, and click `Continue`:
<p>
<img src="/docs-static/img/how-to-guides/create-route-with-posturecheck.png" alt="high-level-dia" className="imagewrapper"/>
</p>
Next assign `route-users` do `Distribution Groups`.
<p>
<img src="/docs-static/img/how-to-guides/distribute-to-groups-posturechecks.png" alt="high-level-dia" className="imagewrapper"/>
</p>
Click `Continue` and assign the name "Office network access" to `Network Identifier`, click `Continue` agaom and in the final step, finish this process by clicking `Add Route`.
<p>
<img src="/docs-static/img/how-to-guides/route-office-subnet-posturecheck.png" alt="high-level-dia" className="imagewrapper"/>
</p>
### Testing Posture Check
Now that we have created the Posture Check, the Policy, and the Network Route, we can test this configuration. In the following example, we will be testing this Posture Check from a macOS client named `client-01`, and as stated earlier, it belongs to the group `route-users`.

#### While connect from inside our office:
Our local connection shows that we are connected to local office WiFi and and we are part of that subnet.
<p>
<img src="/docs-static/img/how-to-guides/wifi-inside-office-subnet.png" alt="high-level-dia" className="imagewrapper"/>
</p>

When we are connected from inside the office, we can observe that the NetBird route is not available and that the subnet `192.168.1` is using local network interface `en0` to route traffic.

<p>
<img src="/docs-static/img/how-to-guides/netbird-routes-list-local.png" alt="high-level-dia" className="imagewrapper"/>
</p>

<p>
<img src="/docs-static/img/how-to-guides/netstat-routes-grep-local.png" alt="high-level-dia" className="imagewrapper"/>
</p>
#### When connected outside the office, we can observe:

<p>
<img src="/docs-static/img/how-to-guides/netbird-routes-list-external.png" alt="high-level-dia" className="imagewrapper"/>
</p>

<p>
<img src="/docs-static/img/how-to-guides/netstat-routes-grep-external.png" alt="high-level-dia" className="imagewrapper"/>
</p>

Notice that subnet `192.168.1.0/24` is routed through our Wireguard interface (`utun100`).

As you can see, the Posture Check is working as expected, and the traffic is being routed through NetBird only when the client is outside the office network.
This concludes this Posture Check example.
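Review bot: this deletes the only end-to-end posture check walkthrough in the set (Peer Network Range with the Block action, plus the policy and route that make it useful), so confirm it was carried into the new posture checks page rather than dropped, and that the `/how-to/manage-posture-checks#peer-network-range` and `/how-to/routing-traffic-to-private-networks` links it relied on still resolve from there. If the text is moved, carry these fixes with it: `subbnet` to `subnet`; `agaom` to `again`; `assign route-users do Distribution Groups` to `to`; `route-user` in the policy Source step to `route-users`, the name used everywhere else; `While connect from` to `While connected from`; the doubled `and and`; the missing space in `type `1`on Ports`; `An usual` to `A usual`; and the missing space in `[Posture Checks](...)and`, which the commit message says was fixed in the new copy.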
@@ -1,40 +0,0 @@
# Integrate NetBird with MDM & EDR Platforms



## What is EDR and MDM?
Endpoint Detection and Response (EDR) is a cybersecurity technology designed to help organizations detect, investigate,
and respond to threats on endpoint devices. An endpoint is any device that is connected to a network, such as laptops,
desktops, smartphones, tablets, servers, and even some IoT (Internet of Things) devices.

MDM stands for Mobile Device Management. It's a type of security software that
enables organizations to monitor, manage, and secure their employees' mobile devices, including smartphones, tablets, and laptops,
across various service providers and operating system.

MDM focuses on managing and securing mobile devices, while EDR focuses on detecting and responding to threats on various
endpoints, including desktops, laptops, and servers.

## NetBird's EDR and MDM Integration
With the rise of remote work, endpoints often operate outside the traditional corporate network perimeter,
making them more vulnerable to attacks. EDR provides a layer of security that is not dependent on the physical location
of the endpoint, thus extending protection to remote workers and their devices.

NetBird integrates with major EDR and MDM platforms to restrict network access only to devices managed by the company's IT department.
With the integration enabled, NetBird synchronizes the list of devices managed by the MDM or EDR platform via the API and
checks the presence of the MDM or EDR agent on the device, blocking access to the network if the agent is not installed or
not compliant with the organization's security policies.

NetBird doesn't apply the MDM and EDR checks to all devices in the network. Instead, you can select specific groups of devices for
the checks to apply.

<Note>
This feature is only available in the cloud version of NetBird.
</Note>

## Supported EDR Platforms

NetBird integrates with the following EDR platforms:

* [CrowdStrike Falcon](/how-to/crowdstrike-edr)
* [Microsoft Intune](/how-to/intune-mdm)
* [SentinelOne Singularity](/how-to/sentinelone-edr)
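Review bot: the removed overview lists `/how-to/intune-mdm` under `## Supported EDR Platforms` although its own text classifies Intune as MDM, and it also links `/how-to/sentinelone-edr`, a page not touched anywhere in this diff; when re-homing this page under `endpoint-detection-and-response`, title the list `Supported EDR and MDM Platforms` and make sure the SentinelOne page is moved or redirected alongside CrowdStrike and Intune so the new page has no dangling link. Also `across various service providers and operating system` needs the plural `operating systems`.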
@@ -100,11 +100,11 @@ The final onboarding step introduces NetBird's powerful Access Control policies.

1. By default, a policy is active that allows connections between all your devices. This is why the ping command in the previous step worked.
2. The wizard demonstrates this by allowing you to toggle the policy. If you disable the "Default Policy," the ping between your devices will immediately fail with a "Request timeout" error.
3. Re-enabling the policy instantly restores the connection. This gives you a basic understanding of how you can control traffic within your network. You can learn much more about policies [here](/how-to/manage-network-access).
3. Re-enabling the policy instantly restores the connection. This gives you a basic understanding of how you can control traffic within your network. You can learn much more about policies [here](/manage/access-control/manage-network-access).
4. Click Continue to finish.


In the policy example above, we allowed _IT Admins_ port specific access to peers under the _AWS Servers_ group. Policies are a key building block to access in NetBird. You can learn more about the power of policies [here](https://docs.netbird.io/how-to/manage-network-access).
In the policy example above, we allowed _IT Admins_ port specific access to peers under the _AWS Servers_ group. Policies are a key building block to access in NetBird. You can learn more about the power of policies [here](https://docs.netbird.io/manage/access-control/manage-network-access).

<Note>
If you manage users and groups with your identity provider, you can provision and sync them with NetBird. Learn more [here](https://docs.netbird.io/how-to/idp-sync) including the supported platforms.
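Review bot: this hunk mixes root-relative (`/manage/access-control/manage-network-access` in step 3) and absolute (`https://docs.netbird.io/manage/access-control/manage-network-access` in the paragraph below) forms for the same target within one file; use one form, preferably root-relative for internal links so preview builds stay self-contained. Minor, while these lines are open: `port specific access` should be hyphenated as `port-specific access`, and two `[here](...)` links in a row would read better with descriptive link text such as the destination title `Groups and Access Policies`.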
@@ -183,7 +183,7 @@ Click Go to Dashboard to access the main NetBird admin panel. From here, you can
* [Control Center](https://docs.netbird.io/how-to/control-center): Visualize your network topology and access relationships with an interactive graph.
* [Peers](https://docs.netbird.io/how-to/add-machines-to-your-network): View and manage all connected devices and their properties.
* [Setup Keys](https://docs.netbird.io/how-to/register-machines-using-setup-keys): Create and manage keys for adding new headless or ephemeral devices.
* [Access Control](https://docs.netbird.io/how-to/manage-network-access): Define granular firewall rules to control which peers can access what.
* [Access Control](https://docs.netbird.io/manage/access-control/manage-network-access): Define granular firewall rules to control which peers can access what.
* [Team](https://docs.netbird.io/how-to/add-users-to-your-network): Manage users and create groups for easier policy management.

You are now ready to explore the full capabilities of NetBird.

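Review bot: the Access Control entry is the only one in scope here and the other four staying under `/how-to/` is consistent with the rest of this change; one wording point on the line being edited: it describes the destination as `granular firewall rules`, while the target page is titled `Groups and Access Policies` in the Control Center related-docs hunk, so `access policies` would match the page's own terminology and avoid suggesting a separate firewall feature.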
@@ -15,7 +15,7 @@ and automatically provisioning users and groups. This integration ensures that c
|
||||
synchronized from your identity provider to NetBird, granting appropriate network access to new users and immediately
|
||||
revoking access for departing employees.
|
||||
|
||||
NetBird allows you to use synchronized groups to create [access control policies](/how-to/manage-network-access#creating-policies),
|
||||
NetBird allows you to use synchronized groups to create [access control policies](/manage/access-control/manage-network-access#creating-policies),
|
||||
or update network configurations like [DNS](/how-to/manage-dns-in-your-network#distribution-groups),
|
||||
eliminating the need for manual grouping.
|
||||
|
||||
|
||||
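Review bot: the new link keeps the `#creating-policies` fragment, so the page now at `/manage/access-control/manage-network-access` must define a heading that slugs to exactly that id; the page deleted in this same commit had `### Creating Policies`, and if the heading text changed in the replacement the anchor breaks silently (the browser just lands at the top). The `/how-to/manage-dns-in-your-network#distribution-groups` link on the next line is left untouched, which is only correct if that page was not part of the reorganization.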
@@ -1,167 +0,0 @@
|
||||
# Allow Only Intune-Managed Devices to Access Your Network
|
||||
|
||||
<div className="videowrapper">
|
||||
<iframe src="https://www.youtube.com/embed/W4DaE4Dj04o" allow="fullscreen;"></iframe>
|
||||
</div>
|
||||
|
||||
<Note>
|
||||
TLDR: Devices marked as "Non-compliant" in Intune will automatically lose access, ensuring strict adherence to your security policies.
|
||||
Once a device returns to a "Compliant" status, access is restored.
|
||||
</Note>
|
||||
|
||||
[Microsoft Intune](https://www.microsoft.com/en-us/security/business/endpoint-management/microsoft-intune) is a cloud-based endpoint management platform that enables organizations to manage devices, enforce security policies, and protect their networks. Intune agent presence on endpoints allows continuous collection and evaluation of device posture, which can then be used to enforce network access controls based on device compliance, security configuration, and enrollment status.
|
||||
|
||||
The integration of NetBird with Microsoft Intune provides network security by ensuring only devices managed and compliant
|
||||
in Intune can access the protected network. This approach ensures only up-to-date and compliant Windows/macOS endpoints have access to critical network resources via NetBird and lets administrators enforce access restrictions based on compliance policies defined in Intune, such as device health, OS version, security baseline adherence, and more.
|
||||
|
||||
In this guide, you'll learn how to integrate NetBird with Microsoft Intune and configure access controls to allow only Intune-managed/compliant devices onto your network.
|
||||
|
||||
## Get Started with NetBird-Intune Integration
|
||||
|
||||
- Navigate to the [Integrations » EDR](https://app.netbird.io/integrations?tab=edr) tab in the NetBird dashboard
|
||||
- Click `Connect Intune` to start the configuration wizard
|
||||
<p>
|
||||
<img src="/docs-static/img/how-to-guides/intune-mdm/getting-started.png" alt="NetBird Get Started Intune MDM" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
## Prerequisites
|
||||
|
||||
Before starting the integration process, verify that you have the required permissions in Microsoft Intune.
|
||||
Specifically, you will need an Azure user account with at least one of these roles:
|
||||
|
||||
* Application Administrator
|
||||
* Cloud Application Administrator
|
||||
* Global Administrator
|
||||
|
||||
To check your permissions:
|
||||
|
||||
* Log in to the [Azure portal](portal.azure.com).
|
||||
* Navigate to Manage Microsoft Intune and click `View`.
|
||||
* Expand the `Manage` tab and click on `Roles and administrators` in the left menu.
|
||||
* Look for your username and verify if you're assigned any of the above roles.
|
||||
|
||||

|
||||
|
||||
If you don't have the required permissions, contact your Azure AD administrator to grant you the appropriate role before proceeding with the NetBird integration.
|
||||
|
||||
## Create and Configure a Microsoft Entra ID Application for NetBird Integration
|
||||
|
||||
Now that you have the required permissions, return to the NetBird dashboard. Click on the `Get Started` button to initiate the integration process.
|
||||
|
||||
A new wizard screen will appear, offering step-by-step instructions for creating and configuring your Microsoft Entra ID application. To simplify the process, the wizard also provides quick-copy buttons for essential information:
|
||||
|
||||
* Name
|
||||
* Account Type
|
||||
|
||||

|
||||
|
||||
For convenience, click on [Azure Active Directory](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview) (step 1). That will open the Azure dashboard. Navigate to `App registrations` in the left menu and then click `+New registration` as indicated below:
|
||||
|
||||

|
||||
|
||||
Fill in the required information:
|
||||
|
||||

|
||||
|
||||
After entering all required information, click the `Register` button at the bottom of the form to finalize the application registration process.
|
||||
|
||||
Upon successful registration, you'll be redirected to a confirmation screen similar to the following:
|
||||
|
||||

|
||||
|
||||
Copy and securely store the generated `Application (client) ID` and `Directory (tenant) ID` as you will need them shortly.
|
||||
|
||||
## Configure API Permissions for NetBird-Intune Integration
|
||||
|
||||
On the NetBird dashboard click the `Continue →` button. A new wizard screen will appear, this time, offering step-by-step instructions for setting up API permissions.
|
||||
|
||||

|
||||
|
||||
Back to Azure, in the `App registrations` screen, click on `Manage` in the left menu to expand it and then click on `API permissions`:
|
||||
|
||||

|
||||
|
||||
Look for the `+ Add a permission` button, located near the top of the permissions list and click on it.
|
||||
|
||||

|
||||
|
||||
A new pop-up window will appear, asking you to select an API. Click on `Microsoft Graph`.
|
||||
|
||||

|
||||
|
||||
On the next screen, click on the `Application permissions` button, which will let you select the appropriate permissions for NetBird to function correctly with your Microsoft Intune environment.
|
||||
|
||||

|
||||
|
||||
To assign user permissions:
|
||||
|
||||
* Locate the search bar at the top. Type `DeviceManagementManagedDevices.Read.All` into the search bar and press `Enter`.
|
||||
* In the search results, click on the `DeviceManagementManagedDevices` tab to expand it and view the available permissions.
|
||||
* Click on the checkbox to select and enable the `DeviceManagementManagedDevices.Read.All` permission.
|
||||
|
||||

|
||||
|
||||
The `DeviceManagementManagedDevices.Read.All` permission allows NetBird to read the properties of all devices managed by Microsoft Intune in your organization.
|
||||
|
||||
Once done, click the `Add permissions` button. You will see a few warnings:
|
||||
|
||||

|
||||
|
||||
Locate the `Grant admin consent for [Your Organization Name]` button (you’ll find it next to `+Add a permission` button). Click on it to grant the required permissions.
|
||||
|
||||
A confirmation dialog will appear, asking you to verify this action. Review the permissions listed in the dialog and click `Yes` to confirm. Wait for the process to complete, this may take a few seconds.
|
||||
|
||||
Once finished, the status of the permissions should change to `Granted for [Your Organization Name]`. Verify that all selected permissions now show a green checkmark, indicating they've been successfully granted:
|
||||
|
||||

|
||||
|
||||
## Create a Client Secret for Secure NetBird-Intune Authentication
|
||||
|
||||
Back to the NetBird dashboard, click the `Continue →` button. A new wizard screen will appear, showing instructions for generating a client secret in Entra ID.
|
||||
|
||||

|
||||
|
||||
On Azure, click on the `Certificates & secrets` button in the left menu to open the management page. Click on `+New client secret` as shown below. Choose an expiration time that suits your security needs and click the `Add` button.
|
||||
|
||||

|
||||
|
||||
A new client secret will be generated and displayed on the screen. Copy and securely store the `Value` field immediately, as you will needed in the next step.
|
||||
|
||||

|
||||
|
||||
## Enter Application ID and Directory ID in NetBird
|
||||
|
||||
Paste the secret `Value` from the previous step into NetBird and click the `Continue →` button. A new wizard screen will appear, asking for the `Application (client) ID` and the `Directory (tenant) ID` credentials generated previously.
|
||||
|
||||
Paste the values and click the `Continue →` button.
|
||||
|
||||

|
||||
|
||||
## Choose Groups to require Intune Agent
|
||||
|
||||
At this stage, specify one or more NerBird groups to which the check should apply. The check will require the peer to have a running Intune agent installed.
|
||||
|
||||
|
||||

|
||||
|
||||
<Note>
|
||||
The MDM check will apply only to machines in the selected groups and will require a running Intune agent.
|
||||
</Note>
|
||||
<Note>
|
||||
You can also use groups [synchronized from your Identity Provider (IdP)](/how-to/idp-sync).
|
||||
</Note>
|
||||
|
||||
Peers that have the Intune agent installed and are compliant will be granted access to the network. Peers without the agent will appear
|
||||
with a `Approval required` mark in the peers list and won't be able to access the network until the agent is installed.
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/how-to-guides/edr-approval-required.png" alt="edr-approval-required" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
## Important Notes
|
||||
|
||||
- Only Windows and macOS devices are supported; Linux, iOS, and Android are not eligible for this integration.
|
||||
- A device must have successfully synced with Intune within the last 24 hours otherwise, it will not be treated as compliant, regardless of its last known state.
|
||||
- Devices with a Intune compliance state of `Compliant` or `InGracePeriod` are accepted; all other states are rejected.
|
||||
- New devices or those that recently achieved compliance may need to be disconnected and reconnected to Netbird to propagate updated status.
|
||||
- NetBird regularly synchronizes with Intune every few minutes, so changes in compliance can take some time to reflect on the dashboard.
|
||||
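Review bot: this file is deleted outright rather than moved, and it carries operational detail that must survive in the replacement EDR/Intune page, above all the `Important Notes` section: Windows and macOS only, the 24-hour Intune sync window after which a device is no longer treated as compliant regardless of its last known state, and that only the `Compliant` and `InGracePeriod` states are accepted. The `DeviceManagementManagedDevices.Read.All` Graph permission, the admin-consent step and the client-secret expiry advice are likewise the parts an administrator needs to get the least-privilege setup right; please confirm the new file keeps them, and that `next.config.mjs` redirects the old Intune MDM URL, because search results will keep pointing here.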
@@ -26,7 +26,7 @@ Before beginning this tutorial, ensure you have the following prerequisites in p
|
||||
|
||||
## Setting Up NetBird Access Policies for Team-Specific Permissions
|
||||
|
||||
[NetBird's Access Control Policies](https://docs.netbird.io/how-to/manage-network-access) provide the foundation for implementing a zero-trust architecture with Intune. They enable you to define precise permissions based on user groups and resource categories. This ensures that team members can only access what they need for their specific roles.
|
||||
[NetBird's Access Control Policies](https://docs.netbird.io/manage/access-control/manage-network-access) provide the foundation for implementing a zero-trust architecture with Intune. They enable you to define precise permissions based on user groups and resource categories. This ensures that team members can only access what they need for their specific roles.
|
||||
|
||||
These policies work in tandem with Intune's device compliance mechanisms, creating a powerful security layer where identity and device posture determine access rights to the network.
|
||||
|
||||
|
||||
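Review bot: only the URL changes in this sentence, but it is an absolute `https://docs.netbird.io/...` link inside the docs tree, whereas the idp-sync hunk in this same commit uses a relative `/manage/access-control/...` path; relative links go through the site's own routing and redirects and keep working in local and preview builds, so consider switching this one (and the matching Jamf and Kandji sentences) to the relative form.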
@@ -29,7 +29,7 @@ These requirements are essential for successfully implementing NetBird-Jamf Pro
|
||||
|
||||
## Setting Up NetBird Access Policies for Team-Specific Permissions
|
||||
|
||||
NetBird's [Access Control Policies](https://docs.netbird.io/how-to/manage-network-access) are essential to this integration, allowing you to define and enforce specific permissions for different user groups. This ensures that team members can only access the resources necessary for their roles.
|
||||
NetBird's [Access Control Policies](https://docs.netbird.io/manage/access-control/manage-network-access) are essential to this integration, allowing you to define and enforce specific permissions for different user groups. This ensures that team members can only access the resources necessary for their roles.
|
||||
|
||||
For this tutorial, we'll create a policy that allows the `Support` team to access the `Servers` group:
|
||||
|
||||
|
||||
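Review bot: this sentence is a near-verbatim copy of the one in the Intune and Kandji tutorials, and all three had to be patched by hand for this URL move; if the MDM tutorials keep sharing this paragraph, pulling it into a shared MDX snippet would stop the three copies from drifting the next time the access-control docs are reorganized.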
@@ -20,7 +20,7 @@ To successfully integrate NetBird with Kandji MDM, ensure you have the following
|
||||
|
||||
## Configuring NetBird Access Policies for Team-Specific Permissions
|
||||
|
||||
NetBird plays a crucial role in this integration by providing granular access control through its [Access Control Policies](https://docs.netbird.io/how-to/manage-network-access). These features allow you to define and enforce specific permissions for different user groups, ensuring that team members can only access the resources necessary for their roles.
|
||||
NetBird plays a crucial role in this integration by providing granular access control through its [Access Control Policies](https://docs.netbird.io/manage/access-control/manage-network-access). These features allow you to define and enforce specific permissions for different user groups, ensuring that team members can only access the resources necessary for their roles.
|
||||
|
||||
For instance, let's suppose you want to create a policy that allows the `Support` team to access the `Servers` group:
|
||||
|
||||
|
||||
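Review bot: the sentence that follows ("let's suppose you want to create a policy that allows the `Support` team to access the `Servers` group") is a walkthrough of the policy-creation procedure, so the link would serve readers better if it pointed at the `#creating-policies` anchor of the new page, the same fragment the idp-sync hunk in this commit uses, rather than at the page top.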
@@ -18,7 +18,7 @@ Starting [v0.11.0](https://github.com/netbirdio/netbird/releases), NetBird autom
|
||||
to each peer in a private `netbird.cloud` space that can be used to access the machines. E.g., `my-server.netbird.cloud`.
|
||||
|
||||
Besides accessing machines by their domain names, you can configure NetBird to use your private nameservers,
|
||||
control what nameservers a specific [peer group](/how-to/manage-network-access#groups) should use, and set up split DNS.
|
||||
control what nameservers a specific [peer group](/manage/access-control/manage-network-access#groups) should use, and set up split DNS.
|
||||
|
||||
<Note>
|
||||
Nameservers feature is available in NetBird [v0.11.0](https://github.com/netbirdio/netbird/releases) or later on both
|
||||
|
||||
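Review bot: the `#groups` fragment is carried over unchanged, so the new page must keep a heading that slugs to `groups`; in the page deleted by this commit it is `### Groups` under `## Concepts`, and since a missing fragment produces no build error, this is worth checking by hand in the rendered preview.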
@@ -1,216 +0,0 @@
|
||||
import {Note} from "../../components/mdx";
|
||||
|
||||
# Managing Access with NetBird: Groups and Access Policies
|
||||
NetBird empowers administrators to effectively manage and control access between resources (referred to as peers) using groups and access policies.
|
||||
These access policies define which peers or peer groups are allowed to connect, specify the protocols and ports available
|
||||
for these connections, and optionally incorporate posture checks. By integrating posture checks, NetBird enforces
|
||||
zero-trust principles, enabling dynamic and context-aware access control that adapts to the specific security needs of
|
||||
your environment.
|
||||
|
||||
Watch our Access Control video on YouTube:
|
||||
|
||||
<div className="videowrapper">
|
||||
<iframe src="https://www.youtube.com/embed/WtZD_q-g_Jc" allow="fullscreen;"></iframe>
|
||||
</div>
|
||||
|
||||
<Note>
|
||||
For a visual overview of your access policies and network topology, check out the [Control Center](/how-to/control-center), which provides an interactive graph view of peers, groups, and their access relationships.
|
||||
</Note>
|
||||
|
||||
## Introduction
|
||||
Initially, a NetBird account is configured with a `Default` policy which allows peers to connect via any protocol, resulting in the formation of a full mesh network. This setup often suits small networks or those requiring minimal security. In scenarios where higher security is needed or access to specific resources must be restricted for certain users or services, policies can be set up to determine access permissions.
|
||||
|
||||
|
||||
Access control policies make use of groups to control connections between peers. These groups, which are sets of peers (meaning different machines with the NetBird client installed), can be added as Source or Destination of a policy. They are evaluated when the Management service distributes the list of peers across your network.
|
||||
|
||||
## Concepts
|
||||
### Groups
|
||||
A NetBird group works and follows a similar concept to tags in other platforms; they are easily created and can be associated with peers and used in policies to control traffic within your network.
|
||||
|
||||
Here are some key attributes of groups:
|
||||
- Each group is unique.
|
||||
- A single group can have multiple peers.
|
||||
- Peers can be part of multiple groups simultaneously.
|
||||
- Groups can be included in the 'Source' and 'Destination' lists of policies.
|
||||
- Groups can be created either in `Access Control > Groups` or in places where a group input field is provided. Type the preferred group name into the input and press 'Enter' to create the new group. [Learn more](#creating-groups)
|
||||
- Groups can be deleted in `Access Control > Groups` [Learn more](#deleting-groups)
|
||||
- There exists a default group called `All` which cannot be deleted or renamed.
|
||||
|
||||
<Note>
|
||||
You can assign groups automatically with the [peer auto-grouping feature](/how-to/register-machines-using-setup-keys#peer-auto-grouping).
|
||||
</Note>
|
||||
|
||||
### The All Group
|
||||
The 'All' group serves as a default group that automatically includes every peer in your network. This group cannot be modified or removed.
|
||||
|
||||
### Policies
|
||||
Policies act as rules governing how different resources (peers) can communicate and connect. They specify the source and destination of communication and can allow bidirectional or unidirectional connections.
|
||||
|
||||
Policies are processed when the Management service shares a network map with all peers of your account. Because you can only create ALLOW policies, there is no processing order or priority. So, the decision to distribute peer information is based on its association with a group belonging to an existing policy.
|
||||
|
||||
For ICMP and ALL protocols, as well as for TCP and UDP protocols **without** specific port restrictions, communication between groups listed in the source and destination fields is bidirectional. This means that both source and destination groups can initiate connections with each other. To establish one-way connections, you must specify a protocol (UDP or TCP), along with a port.
|
||||
|
||||
<Note>
|
||||
If you need to allow peers from the same group to communicate with each other, you can do so by adding the same group to the `Source` and `Destination` lists.
|
||||
</Note>
|
||||
|
||||
Without policies, a network operates by denying traffic, meaning peers cannot communicate with each other. That's why the default policy is automatically created upon account creation.
|
||||
|
||||
|
||||
### The Default policy
|
||||
The `Default` policy is created when you first create your account. This policy is very permissive because it allows communication between all peers in your network, utilizing the [`All`](#the-all-group) group as both the source and destination. It's worth noting that the [`All`](#the-all-group) group is also automatically present when the account is being created. If you want to have better control over your network, it is recommended that you delete this policy and create more restricted policies with custom groups.
|
||||
|
||||
<Note>
|
||||
If you need to restrict communication within your network, you can create new policies and use different groups. Then, you can remove the default policy to achieve the desired behavior.
|
||||
</Note>
|
||||
|
||||
### Multiple Mesh Networks
|
||||
As mentioned above, policies are bidirectional by default, essentially controlling how your network behaves as a mesh network. However, for TCP and UDP protocols, if you specify ports in the policy, it can become unidirectional.
|
||||
|
||||
There is a `Default` policy, which configures a default mesh connection between all peers of your network. With policies, you can define smaller mesh networks by grouping peers and adding these groups to `Source` and `Destination` lists. Additionally, you can create unidirectional policies to restrict traffic between groups for TCP and UDP protocols if you define ports.
|
||||
|
||||
## Managing Policies
|
||||
|
||||
### Creating Policies
|
||||
After accessing the `Access Control` > `Policies` tab, click on the `Add policy` button to create a new policy.
|
||||
In the popup, specify connection `Source` and `Destination` groups. You can select existing groups or create new ones by entering a name in the input box.
|
||||
|
||||
<Note>
|
||||
We recommend using [identity provider (IdP) integrations](/how-to/idp-sync) to provision your user groups from the IdP.
|
||||
</Note>
|
||||
|
||||
You can limit access to specific protocol and ports by selecting the `Protocol` and providing the port numbers in the `Ports` field.
|
||||
Starting version `0.48` NetBird supports port ranges in policies, allowing you to specify a range of ports in the format `start-end` (e.g., `8000-9000`).
|
||||
Make sure to set traffic direction only when TCP or UDP protocols are selected. Finally, provide a name and description for your policy.
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/overview/create-rule.png" alt="high-level-dia" className="imagewrapper"/>
|
||||
</p>
|
||||
If necessary, you can also add a [posture checks](/how-to/manage-posture-checks) to the policy. Posture checks are used to ensure that the peer meets certain security requirements before allowing it to connect. You can select from predefined posture checks or create custom ones.
|
||||
|
||||
Once you have finished configuring the policy, click `Add Policy` to save it. You will then see your new policy in the table.
|
||||
<p>
|
||||
<img src="/docs-static/img/overview/new-rule-list.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
<Note>
|
||||
Because of its permissiveness, new policies will take effect once you remove the `Default` policy.
|
||||
</Note>
|
||||
|
||||
<Note>
|
||||
Protocol type All or ICMP must be bi-directional. Also unidirectional traffic for TCP and UDP protocol requires at least one port to be defined.
|
||||
</Note>
|
||||
|
||||
### Adding peers to groups
|
||||
If you create a new group when defining a policy, you will need to add a peer to the group for the policy to take effect.
|
||||
You can assign a peer to a group by accessing the `Peers` section. Then, choose the specific peer you want to assign to a group. Click on the `Assigned Groups` select box and select the group(s) you wish to assign to this peer.
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/overview/associate-peer-groups.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
<Note>
|
||||
You can assign groups automatically with the [peer auto-grouping feature](/how-to/register-machines-using-setup-keys#peer-auto-grouping).
|
||||
</Note>
|
||||
|
||||
### Updating Policies
|
||||
|
||||
To update a policy, just click on its name and customize it according to your requirements. This action will open the same screen where you can update policy groups, descriptions, and status, or modify allowed traffic direction, protocols with ports, and posture checks, similar to the information described in the "Creating Policies" section above.
|
||||
|
||||
### Disabling Policies
|
||||
To disable a policy, use the switch in the `Active` column of the table.
|
||||
<p>
|
||||
<img src="/docs-static/img/overview/disable-rule.png" alt="high-level-dia" className="imagewrapper"/>
|
||||
</p>
|
||||
|
||||
### Deleting Policies
|
||||
To delete a policy, click on `Delete` in the table, and confirm the message that appears.
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/overview/delete-rule-menu.png" alt="high-level-dia" className="imagewrapper"/>
|
||||
</p>
|
||||
|
||||
## Managing Groups
|
||||
|
||||
### Creating Groups
|
||||
|
||||
You can create groups in two ways:
|
||||
|
||||
**Quick Creation (Inline)**<br/>
|
||||
When you see a group input field anywhere in the dashboard (e.g. such as when creating policies), you can create groups directly from the input field.
|
||||
1. Type your preferred group name into the input field
|
||||
2. Press 'Enter' to create the new group
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/groups/create-group-input.png" alt="Create group inline" className="imagewrapper"/>
|
||||
</p>
|
||||
|
||||
**From Groups Page**<br/>
|
||||
1. Navigate to `Access Control` > `Groups`
|
||||
2. Click the `Create Group` button
|
||||
3. Provide a name for your new group
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/groups/create-group.png" alt="Create group from groups page" className="imagewrapper"/>
|
||||
</p>
|
||||
|
||||
### Viewing Groups
|
||||
|
||||
**Groups Overview**<br/>
|
||||
Navigate to `Access Control` > `Groups` to view all groups in your organization. This page shows:
|
||||
- All existing groups
|
||||
- Associated objects (peers, users, policies, etc.)
|
||||
- Usage status (used/unused groups)
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/groups/view-groups.png" alt="Groups overview page" className=""/>
|
||||
</p>
|
||||
|
||||
**Group Details**<br/>
|
||||
Navigate to `Access Control` > `Groups` and then click on any group name to view detailed information and manage associated objects:
|
||||
|
||||
- **Users**: View, assign, or invite users to this group
|
||||
- **Peers**: Manage which peers are assigned to this group
|
||||
- **Policies**: See policies where this group is used as a source or destination
|
||||
- **Network Resources**: View associated resources from networks
|
||||
- **Network Routes**: See network routes using this group (either part of the distribution, access control, or routing peer group)
|
||||
- **Nameservers**: View nameservers using this group as a distribution group
|
||||
- **Setup Keys**: See setup keys with this group as an auto-assigned group
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/groups/view-group-detail.png" alt="Group details page" className=""/>
|
||||
</p>
|
||||
|
||||
### Renaming Groups
|
||||
|
||||
1. Navigate to `Access Control` > `Groups`
|
||||
2. Click the dropdown button (⋮) next to the group you want to rename
|
||||
3. Select `Rename`
|
||||
4. Enter the new name and click `Save`
|
||||
|
||||
<Note>
|
||||
Groups synchronized from Identity Providers (Google Workspace, Entra ID, etc.) cannot be renamed.
|
||||
</Note>
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/groups/rename-group.png" alt="Rename group" className=""/>
|
||||
</p>
|
||||
|
||||
### Deleting Groups
|
||||
|
||||
1. Navigate to `Access Control` > `Groups`
|
||||
2. Click the dropdown button (⋮) next to the group you want to delete
|
||||
3. Select `Delete`
|
||||
4. Confirm the action by clicking `Delete` in the confirmation dialog
|
||||
|
||||
<Note>
|
||||
Groups synchronized from Identity Providers (Google Workspace, Entra ID, etc.) cannot be deleted.
|
||||
</Note>
|
||||
|
||||
<Note>
|
||||
Groups with active dependencies cannot be deleted. First remove all dependencies in order to delete the group.
|
||||
</Note>
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/groups/delete-group.png" alt="Delete group" className=""/>
|
||||
</p>
|
||||
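Review bot: deleting this page removes the `#creating-policies`, `#groups`, `#the-all-group`, `#creating-groups` and `#deleting-groups` anchors that other hunks in this commit and the page's own text link to, so the replacement under `/manage/access-control/` must keep the same heading slugs. It also states several facts that should be preserved word for word rather than re-derived: port ranges in `start-end` form are supported from version `0.48`; protocol `All` or `ICMP` policies are always bidirectional and a unidirectional TCP/UDP policy requires at least one port; `All` is a built-in group that cannot be deleted or renamed; and the `Default` policy is deliberately permissive and should be removed once custom policies exist, since new policies only change behaviour after it is gone. The page's own `/how-to/manage-posture-checks` and `/how-to/control-center` links will also need the new paths if those pages moved.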
@@ -1,138 +0,0 @@
|
||||
# NetBird Posture Checks: Access Control for Modern Organizations
|
||||
|
||||
Today, organizations face the critical challenge of maintaining robust access control across their IT infrastructure. As networks grow more complex and threats become increasingly sophisticated, traditional access control methods often fall short, leaving businesses vulnerable to security breaches and operational inefficiencies.
|
||||
|
||||
Key challenges include:
|
||||
|
||||
* Dynamic infrastructures
|
||||
* Need for granular control
|
||||
* Scalability issues
|
||||
|
||||
NetBird's Posture Checks feature offers:
|
||||
|
||||
* Adaptive, context-aware access
|
||||
* Highly granular policies
|
||||
* Effortless scalability
|
||||
|
||||
This solution enhances security and efficiency by:
|
||||
|
||||
* Reducing unauthorized access risk
|
||||
* Automating policy-based control
|
||||
* Enabling business agility
|
||||
|
||||
Let's delve into the details of how [NetBird's Posture Checks](https://docs.netbird.io/how-to/manage-posture-checks) feature transforms access control, making it more secure, efficient, and adaptable for modern enterprises.
|
||||
|
||||
## Understanding NetBird Posture Checks
|
||||
|
||||
Posture Checks is a security feature that enhances network protection by implementing automated assessments of a device's security status before granting network access, thus ensuring that only compliant devices can access your network resources.
|
||||
|
||||
In this regard, NetBird posture checks verify various aspects of a connecting device, offering granular control over network access. These checks include **verifying the NetBird client version**, allowing you to restrict access to peers with specific versions of the client software. Additionally, you can implement **geographical restrictions** based on country or region, giving you control over where connections can originate from.
|
||||
|
||||
The feature also allows for network-level restrictions by enabling you to **allow or block specific peer network ranges**. Furthermore, you can set constraints based on the operating system of the connecting device, **ensuring that only approved OS versions can gain access**. For an even more detailed level of control, Posture Checks can examine the running processes on a peer device, **allowing or denying access based on the presence of specific applications or services**.
|
||||
|
||||
By using these diverse checking capabilities, NetBird empowers you to create a robust and finely-tuned security posture for your network, significantly reducing the risk of unauthorized access and potential security breaches.
|
||||
|
||||
## Setting Up Posture Checks
|
||||
|
||||
Setting up posture checks in NetBird is straightforward, you can follow the example in the video below:
|
||||
<div className="videowrapperadjusted" >
|
||||
<iframe src="https://www.youtube.com/embed/-KlJUBuZrpo" allow="fullscreen;"></iframe>
|
||||
</div>
|
||||
|
||||
Or follow the guide with other examples below:
|
||||
|
||||
Log in to your NetBird dashboard and navigate to `Access Control` > `Posture Checks` in the left menu. Click `Create Posture Check` or edit an existing one.
|
||||
|
||||

|
||||
|
||||
A pop-up window will open with two tabs: `Checks` and `Name & Description`.
|
||||
|
||||

|
||||
|
||||
From here, you can [manage access with posture checks](https://docs.netbird.io/how-to/manage-posture-checks) based on several aspects:
|
||||
|
||||
#### NetBird Client Version
|
||||
Restrict access to peers with specific NetBird client versions, thus ensuring that all devices connecting to the network use up-to-date, secure client software.
|
||||
|
||||

|
||||
|
||||
#### Country and Region
|
||||
Limit network access based on geographical location, helping comply with data regulations or restrict access from high-risk areas. Note that you have two tabs available for this: `Allow` (green) and `Block` (red), making it easy to set up your preferred access rules..
|
||||
|
||||

|
||||
<Note>
|
||||
When allowing access from specific locations in the network settings, all other locations are automatically blocked. Conversely, blocking certain locations means only those are blocked, while access remains open for all other locations.
|
||||
</Note>
|
||||
#### Peer Network Range
|
||||
This posture check lets you precisely control network access by specifying which IP ranges can connect to your network. You can create policies allowing only connections from approved locations, such as office networks or trusted remote work setups. Additionally, you can enhance security by blocking high-risk IP ranges working in tandem with geo-based posture checks. This granular control helps create a more secure network environment by limiting access to known, trusted sources while preventing connections from potentially risky or unauthorized IP addresses.
|
||||
|
||||

|
||||
|
||||
#### Operating System
|
||||
Restrict access based on the connecting device's OS, ensuring only approved and potentially more secure operating systems can connect.
|
||||
|
||||

|
||||
<Note>
|
||||
The Operating System Check requires NetBird version [0.26.0](https://github.com/netbirdio/netbird/releases) or newer.
|
||||
</Note>
|
||||
|
||||
The check evaluates the actual `OS version` for Android, macOS, and iOS, while for Linux and Windows, it assesses the `kernel version`.
Below are some examples of OS versions for each operating system:
* Android 14 Upside Down Cake: `14`, `14.3`
* macOS 13 Ventura: `13`, `13.6.4`
* macOS 14 Sonoma: `14`, `14.3.1`
* iOS 16 / iPadOS 16: `16`, `16.7.5`
* Linux kernel: `6`, `6.7.5`
* Windows 10, version 22H2: `10.0.19045`
* Windows 11, version 23H2: `10.0.22631`
* Windows Server 2022, Version 21H2: `10.0.20348`
#### Process
[Limit network access based on specific applications or services running on the connecting device](https://netbird.io/knowledge-hub/limit-network-access-based-on-running-processes). By verifying specific applications or processes, you ensure that only devices running essential security software, such as antivirus, firewalls, or endpoint protection agents, can connect to your network, reducing the risk of malware entering your network through unprotected devices. It also aids in maintaining compliance with regulatory requirements by enforcing consistent security measures across all devices.
Furthermore, this process-based posture check allows you to create specific policies for different user groups or network segments based on their unique security needs. Working in conjunction with other posture checks in NetBird, this setting offers a comprehensive and user-friendly approach to network security.

#### Naming and saving
After enabling the desired posture check, go to the `Name & Description` tab. Here, enter a descriptive name for your newly created posture check and save it.

You'll notice a gray dot to the left of the posture check name, indicating it's inactive. To activate the posture check, you need to link it to an access control policy.

#### Applying Posture Checks to Access Control Policies
To apply a posture check:
* [Create or edit an access control policy](https://docs.netbird.io/how-to/manage-network-access).
* Find the `Posture Checks` tab within the policy settings.
* Choose `Browse Checks` to select an existing check or `New Posture Check` to create one.
Note that you can add multiple posture checks to a single policy as needed for comprehensive security.

After adding the posture check, it will appear in the `POSTURE CHECKS` column. For easy management, you can click on it to edit the access control policy, allowing you to add or remove posture checks as needed.

If you revisit the `Posture Checks` dashboard, you'll notice a green dot next to your recently configured posture check. This color shift indicates that the posture check is now active and integrated into your network security framework, actively contributing to your system's protection.

Following these steps, you can effectively implement and manage NetBird's Posture Checks, significantly enhancing your network's security posture.
## Get started
<p float="center" >
<Button name="button" className="button-5" onClick={() => window.open("https://netbird.io/pricing")}>Use NetBird</Button>
</p>
- Make sure to [star us on GitHub](https://github.com/netbirdio/netbird)
- Follow us [on X](https://x.com/netbird)
- Join our [Slack Channel](/slack-url)
- NetBird [latest release](https://github.com/netbirdio/netbird/releases) on GitHub
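Review bot: the links on the lines "From here, you can [manage access with posture checks](https://docs.netbird.io/how-to/manage-posture-checks)" and "* [Create or edit an access control policy](https://docs.netbird.io/how-to/manage-network-access)" still point at the old `/how-to/...` routes as absolute URLs, while every other hunk in this commit rewrites those routes to `/manage/access-control/...`; they will only resolve through the `next.config.mjs` redirects, so change them to the new root-relative paths `/manage/access-control/posture-checks` and `/manage/access-control/manage-network-access` to match the rest of the reorganization. Two smaller points in the same file: "set up your preferred access rules.." has a doubled period, and "Windows Server 2022, Version 21H2" capitalizes "Version" where the two Windows entries above it use lowercase.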
@@ -182,5 +182,5 @@ You should see all the users and groups from your Microsoft Entra ID environment

You can now proceed to configure [access control policies](/how-to/manage-network-access#creating-policies) using the synchronized groups to allow or deny access to the
You can now proceed to configure [access control policies](/manage/access-control/manage-network-access#creating-policies) using the synchronized groups to allow or deny access to the
synchronized users.
@@ -104,7 +104,7 @@ On a technical level the feature works as follows:
## Manage access to resources
To manage access to resources, you can assign them to groups and create [access control policies](/how-to/manage-network-access#creating-policies) to define which peers can access them.
To manage access to resources, you can assign them to groups and create [access control policies](/manage/access-control/manage-network-access#creating-policies) to define which peers can access them.
See the image below with an example resource `CRM`:
<p>
<img src="/docs-static/img/how-to-guides/networks/resources-2.png" alt="resource-group" className="imagewrapper"/>
@@ -37,13 +37,13 @@ With these prerequisites in place, you're ready to simulate granting network acc
## 1. Setting Up NetBird's Access Control Policies For Enhanced Security
Before onboarding remote workers, ensure your organization has appropriate [access control policies](/how-to/manage-network-access) in place. Adhering to zero-trust principles, create or modify policies to grant new users access only to necessary resources.
Before onboarding remote workers, ensure your organization has appropriate [access control policies](/manage/access-control/manage-network-access) in place. Adhering to zero-trust principles, create or modify policies to grant new users access only to necessary resources.
Navigate to `Access Control > Policies` in the NetBird admin console, then click `Add Policy` or edit an existing one to define these restrictions. Here's a sample policy that grant any member of the `Freelancers` group access to the resources in the group `On-Premise-DB`.

If necessary, you can also set [posture checks](/how-to/manage-posture-checks) for this policy.
If necessary, you can also set [posture checks](/manage/access-control/posture-checks) for this policy.

@@ -139,6 +139,6 @@ To activate this feature, navigate to `Integrations > EDR` and activate the Crow

For more information regarding NetBird's EDR integration, refer to the [documentation](/how-to/endpoint-detection-and-response)
For more information regarding NetBird's EDR integration, refer to the [documentation](/manage/access-control/endpoint-detection-and-response)
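Review bot: the replacement line "For more information regarding NetBird's EDR integration, refer to the [documentation](/manage/access-control/endpoint-detection-and-response)" carries over the missing terminating period from the line it replaces; add it while the line is being touched.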
@@ -60,7 +60,7 @@ If you add multiple peers with the same labels, they became part of a DNS round-
## Peer Auto-grouping
NetBird offers a powerful [access control feature](/how-to/manage-network-access) that allows easy access management of your resources.
NetBird offers a powerful [access control feature](/manage/access-control/manage-network-access) that allows easy access management of your resources.
In a basic scenario, you would create multiple groups of peers and create access rules to define what groups can access each other.
Adding peers to groups might become time-consuming in large networks with dozens of machines.
@@ -106,7 +106,7 @@ With both peers now connected to NetBird, the next step is to configure access c
* In NetBird's left menu, navigate to `Access Control > Policies`
* Click `Add Policy` to create a new one.
NetBird offers a range of options for peer access control. For comprehensive details on configuring groups and access policies, refer to the official documentation: [Managing Access with NetBird: Groups and Access Policies](/how-to/manage-network-access).
NetBird offers a range of options for peer access control. For comprehensive details on configuring groups and access policies, refer to the official documentation: [Managing Access with NetBird: Groups and Access Policies](/manage/access-control/manage-network-access).
For this specific use case, we've implemented a simple access policy:
@@ -1,114 +0,0 @@
# Restrict Network Access with SentinelOne Singularity™
[SentinelOne Singularity](https://www.sentinelone.com/platform/) is an autonomous cybersecurity platform that provides
comprehensive endpoint protection, detection, and response capabilities. The SentinelOne agent runs on your devices (endpoints),
collecting and analyzing endpoint data to detect and respond to threats in real-time. The agent's presence on endpoints and the
security data it collects can be utilized to enforce access policies and limit network access according to the "health" status
of the endpoints.
The integration of NetBird with SentinelOne provides organizations with robust security controls that allow
only IT-managed devices running SentinelOne to access the network. Additionally, the integration uses SentinelOne's threat
detection capabilities, enabling administrators to further limit network access based on the security posture of each device.
<div className="videowrapper">
<iframe src="https://www.youtube.com/embed/QVs0RhprVYM" allow="fullscreen;"></iframe>
</div>
SentinelOne's endpoint protection provides real-time threat detection and automated response capabilities. By integrating with
SentinelOne Singularity, NetBird can ensure that only devices with active security monitoring and protection can access the network.
In this guide, we will walk you through the configuration steps to integrate SentinelOne Singularity with NetBird and use
endpoint security status to control network access for devices that meet your security requirements.
## Prerequisites
Before you start creating and configuring a SentinelOne integration, ensure that you have the following:
- A SentinelOne account with the permissions to create and manage API tokens.
If you don't have the required permissions, ask your SentinelOne administrator to grant them to you.
## Create a SentinelOne API Token
- Navigate to your SentinelOne Management Console
- Go to **Settings** » **Users** » **Service Users**
- Click **Create Service User**
- Fill in the form:
- **Name**: `NetBird Integration`
- **Description**: `API token for NetBird EDR integration` (optional)
- **Expiration Date**: Set your preferred expiration date
- Click **Next**
- Select Site and set **Scope** to **Viewer**
- Click **Create User**
- Copy the generated API token immediately (it will only be displayed once)
- Note your SentinelOne console URL from your browser's address bar (e.g., `https://your-tenant.sentinelone.net`)
<Note>
Treat the API token securely and store it safely. You will need both the console URL and API token for the NetBird integration configuration.
</Note>
## Configure a SentinelOne Integration in NetBird
- Navigate to the [Integrations » EDR](https://app.netbird.io/integrations?tab=edr) tab in the NetBird dashboard
- Click **Connect SentinelOne** to start the configuration wizard
<p>
<img src="/docs-static/img/how-to-guides/endpoint-detection-and-response/sentinelone/getting-started.png" alt="SentinelOne integration getting started" className="imagewrapper-big"/>
</p>
- Click the **Get Started** button to initiate the integration process
- Enter your SentinelOne console URL (e.g., `https://your-tenant.sentinelone.net`) and click **Continue**
<p>
<img src="/docs-static/img/how-to-guides/endpoint-detection-and-response/sentinelone/console-config.png" alt="SentinelOne console configuration" className="imagewrapper-big"/>
</p>
- Enter the API token you created in the previous step and click **Continue** to verify the connection
<p>
<img src="/docs-static/img/how-to-guides/endpoint-detection-and-response/sentinelone/service-user.png" alt="SentinelOne service user configuration" className="imagewrapper-big"/>
</p>
- Select the **groups** you want to apply the integration to and click **Connect**
<p>
<img src="/docs-static/img/how-to-guides/endpoint-detection-and-response/sentinelone/group-config.png" alt="SentinelOne group configuration" className="imagewrapper-big"/>
</p>
<Note>
The EDR check will apply only to peers in the selected groups and will require a running SentinelOne agent.
You can also use groups [synchronized from your Identity Provider (IdP)](/how-to/idp-sync).
</Note>
- Configure the compliance criteria that devices must meet to access your network. These security requirements ensure only healthy, properly configured devices can connect. Select the criteria that align with your organization's security policies:
- **Allowed Active Threats**: Maximum number of active threats allowed on a device. Default is set to `0` to block devices with any active threats.
- **Disk Encryption**: Requires disk encryption to be enabled on the device.
- **Firewall**: Requires the device firewall to be enabled and active.
- **Block Infected Devices**: Prevents network access for devices with confirmed active infections.
- **Network Connectivity**: Requires active network connection between the device and SentinelOne services.
- **Active Status**: Requires the SentinelOne agent to be active and reporting. The agent must be in operational state (not disabled, corrupted, or experiencing errors).
- **Latest Agent Version**: Requires the SentinelOne agent to be running the most current version.
<p>
<img src="/docs-static/img/how-to-guides/endpoint-detection-and-response/sentinelone/compliance-config.png" alt="edr-integrations" className="imagewrapper-big"/>
</p>
- Configure the **SentinelOne Sync Window** (default is 24 hours). This setting determines which devices NetBird will consider for network access based on their recent activity in SentinelOne. Only devices that have been active and reporting to SentinelOne within this time window will be synchronized. These devices must then also meet the configured compliance criteria to gain network access.
<p>
<img src="/docs-static/img/how-to-guides/endpoint-detection-and-response/sentinelone/sync-config.png" alt="edr-integrations" className="imagewrapper-big"/>
</p>
- Click **Connect** to complete the integration setup
- Only peers that have the SentinelOne agent installed and meet all the configured compliance criteria will be granted access to the network.
Peers without the SentinelOne agent or those that don't meet the compliance requirements will appear with an `Approval required` mark in the peers list and won't be able to access
the network until they have the agent installed and satisfy all the specified security requirements.
<p>
<img src="/docs-static/img/how-to-guides/endpoint-detection-and-response/sentinelone/edr-approval-required.png" alt="edr-approval-required" className="imagewrapper-big"/>
</p>
<Note>
NetBird matches the SentinelOne agent to the peer using the Serial Number of the device. You must ensure that each of your devices has a unique serial number.
</Note>
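Review bot: this hunk (`-1,114 +0,0`) deletes the whole "Restrict Network Access with SentinelOne Singularity™" guide with no replacement visible in the diff; the commit message says obsolete files were removed and new EDR content created under the access-control structure, so confirm that the SentinelOne material (service-user API token creation, the compliance criteria list, the sync window, and the serial-number matching note) was carried over, and that a redirect for the old route was added in `next.config.mjs`, since another hunk in this commit now sends readers to `/manage/access-control/endpoint-detection-and-response` and existing external links to the removed page would otherwise 404.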
@@ -193,7 +193,7 @@ Alternatively, you can go to `http://VM_NETBIRD_DOMAIN:8080` using your browser:

Keep in mind that this tutorial used the default `All` group for simplicity. However, implementing [NetBird's Access Policy](https://docs.netbird.io/how-to/manage-network-access) to restrict peer-to-peer connections to specific user groups is a best practice for gaining granular control over resource access, thus improving your network's overall security posture in various scenarios.
Keep in mind that this tutorial used the default `All` group for simplicity. However, implementing [NetBird's Access Policy](https://docs.netbird.io/manage/access-control/manage-network-access) to restrict peer-to-peer connections to specific user groups is a best practice for gaining granular control over resource access, thus improving your network's overall security posture in various scenarios.
## Optional: Automating SSH Access to Your VM
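Review bot: the new link uses the absolute URL `https://docs.netbird.io/manage/access-control/manage-network-access`, whereas the other hunks in this commit use root-relative paths such as `/manage/access-control/manage-network-access`; prefer the root-relative form here too so the link also resolves in local previews and self-hosted mirrors of the docs.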
@@ -28,7 +28,7 @@ that describe how NetBird logs traffic events for different types of connections
When two peers are connected directly (p2p), NetBird captures and logs the traffic events for that connection on both peers.
For example, if a user accessed an internal CRM server from their laptop via a browser and port 443, NetBird would log the traffic events for that
connection on both the user's machine and the CRM server. If the connection was blocked, such as when there is a
[policy](/how-to/manage-network-access#managing-policies) that restricts access to the CRM server,
[policy](/manage/access-control/manage-network-access#managing-policies) that restricts access to the CRM server,
NetBird would log the blocked event on the peer that refused the connection.
<p>