-
Notifications
You must be signed in to change notification settings - Fork 2
Add documentation for SASE OpsLab whitelisting solution #137
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from all commits
Commits
Show all changes
8 commits
Select commit
Hold shift + click to select a range
4ab57db
Add documentation for SASE OpsLab whitelisting solution
hguesdon caf5ad0
Update opslab-src/WhiteListing
abr-ubiqube 5d38788
Update opslab-src/WhiteListing
abr-ubiqube 55ebd96
Update opslab-src/WhiteListing
abr-ubiqube 5a230e5
Update opslab-src/WhiteListing
abr-ubiqube cfbcb82
Update opslab-src/WhiteListing
abr-ubiqube 8d521c0
🎪 add .md extension
antoine-brun b9dc927
🎪 review
antoine-brun File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,32 @@ | ||||||
| # Problem Statement | ||||||
|
|
||||||
| As enterprises transition to SASE (Secure Access Service Edge), they are required to build secure tunnels from their locations to the SSE (Security Service Edge) PoPs (Points of Presence). However, for these tunnels to function correctly, legacy edge firewalls and CPE (routers) must also be configured to allow traffic to the SSE PoPs. | ||||||
| SSE vendors typically provide large IP subnet ranges for these PoPs—often with far more addresses than are actually in use. Whitelisting such broad IP ranges introduces significant security risks, as it expands the attack surface and violates the principle of least privilege. | ||||||
| To reduce this risk, customers prefer to allow traffic only to the specific IP addresses of the PoPs actually in use. However, identifying and managing these specific IPs across hundreds or even thousands of firewalls is operationally burdensome and error-prone. This complexity creates a major obstacle to SASE adoption, particularly in large, distributed environments. | ||||||
|
|
||||||
| # Motivation | ||||||
| Without a precise and scalable method for whitelisting only the necessary IP addresses, organizations are forced to choose between weakening their security posture or facing high operational overhead. | ||||||
| A solution that enables dynamic, fine-grained whitelisting—automated and aligned with actual PoP usage—would drastically reduce risk, simplify operations, and accelerate SASE deployments at scale. It would also help network and security teams maintain consistent policy enforcement across all locations, ensuring that SASE does not become a new point of vulnerability. | ||||||
|
|
||||||
| # Business Opportunity | ||||||
| SASE OpsLab addresses this challenge by providing automated, dynamic whitelisting to: | ||||||
| - Reduce operational complexity for network and security teams by centralizing and simplifying firewall rule management across heterogeneous and distributed firewalls at the edge | ||||||
| - Improve the security posture by enforcing least-privilege access—ensuring that only the exact, actively-used PoP IPs are permitted, not entire vendor subnets | ||||||
| - Allow for policy consistency and the ability to audit across legacy and virtualized firewalls from different vendors. | ||||||
| By integrating SASE OpsLab into the deployment process, enterprises can accelerate SASE rollouts, reduce misconfiguration risk, and maintain strict security standards without overwhelming their operational teams. | ||||||
|
|
||||||
| #Detailed Use Cases (per personas) | ||||||
|
|
||||||
| ## Mary & Angela: Security Manager & Security Architect | ||||||
| As members of the security leadership team we want to be sure that our firewall policy posture complies with the principle of the least privilege. | ||||||
| Therefore, we want to open only the traffic to the POPs of our SASE provider. For that we want a solution that automatically collects and maintains the list of POP IP addresses associated with our SASE tenant (organization), and dynamically update firewall whitelisting rules on all edge devices accordingly. | ||||||
| So that the redirection of all outgoing traffic from the edge/branch to the internet and DCs are allowed to be sent to the right SASE POPs | ||||||
| ## Sebastian: Managed SASE Provider Operator | ||||||
| Sebastian receives repeated requests to configure access only to the specific IPs of the PoPs actually used by its customer’s users. He must manually configure numerous NGFW which is cumbersome and time-consuming. He may have created scripts but those are not productized nor dynamic. | ||||||
| Sebastian uses SASE OpsLab as an automation and orchestration layer to simplify and secure this process. The SASE OpsLab queries the SSE vendor APIs to determine which PoPs are actively used by each customer/site. It then pushes the necessary firewall rules to the appropriate customer edge devices. | ||||||
|
|
||||||
| #Product Behavior | ||||||
|
||||||
| #Product Behavior | |
| # Product Behavior |
Copilot
AI
Nov 24, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Inconsistent heading formatting. Headers should have a space after the # symbols for proper Markdown formatting. Change ##Rule Generation and Deployment: to ## Rule Generation and Deployment: (also note the colon at the end, which is inconsistent with other headings and should be removed for consistency).
Suggested change
| ##Rule Generation and Deployment: | |
| ## Rule Generation and Deployment |
Comment on lines
+29
to
+31
Copilot
AI
Nov 24, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Incomplete section. The "Product Behavior" section describes storing IP addresses and rule generation/deployment, but lacks details about the OpsKit mentioned in line 31. Consider adding a subsection or introductory paragraph explaining the OpsLab/OpsKit relationship and their respective roles before diving into specific behaviors.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Inconsistent heading formatting. Headers should have a space after the
#symbol for proper Markdown formatting. Change#Detailed Use Cases (per personas)to# Detailed Use Cases (per personas).