CIDR Overlap for NPA

  • 23 September 2022
  • 2 replies

Badge +12
  • Explorer III
  • 45 replies



Reading through the private-access-best-practices article, it mentions not to overlap CIDR ranges for NPA. I wonder how we can satisfy this recommendation for the following, very common scenario.


Let's say we have three Outlook web servers. All serve on port 443, so a private app [Outlook] is created with the three individual IPs on TCP port 443 and assigned to all/general users in the organization. All good here.


Now, the admins of the org would need to RDP to these Outlook web servers for support/admin purposes. I would think we need a second private app with the same three IPs on TCP port 3389, assigned to IT Admins. Two separate apps for a zero trust model.



So the second private app creates an overlap. Any pointers on how to configure this scenario while adhering to best practices?





Best answer by sshiflett 26 September 2022, 16:23



Userlevel 6
Badge +16



Thank you for the question. In general, the guidance to avoid overlap typically refers to avoiding assigning overlapping CIDR blocks for the same users to different Publishers. This avoids sending traffic to different Publishers and potentially breaking traffic flows. For your specific use case, you can create two separate apps with the required access for each role. You can then create individual Real-time Policies assigned to the different users or groups. Without going too deep into the weeds, the individual application definitions, entitlements, and steering decisions for NPA are based on a combination of application definitions and the Real-time protection policies assigned to respective users.
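The distinction drawn in the answer (same hosts on different ports for different groups is fine; the same group entitled to overlapping address space via different Publishers is not) is easy to check mechanically before a change goes in. The following is an added example, not Netskope code and not its API: the PrivateApp data model, the sample app definitions and the group/publisher names are constructed for illustration, and the rule it implements is exactly the one stated above. It flags a pair of apps only when they share an entitled group, their Publisher sets differ, and at least one address range overlaps; the Outlook 443/3389 pair from the question therefore passes, while a hypothetical Legacy-Intranet app on a second Publisher that swallows the Outlook IPs with a /16 is reported.

```python
"""Overlap check for NPA-style private app definitions (constructed example,
not Netskope's own data model or API)."""
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import combinations


@dataclass(frozen=True)
class PrivateApp:
    """Hypothetical simplified private app definition."""
    name: str
    hosts: tuple            # individual IPs or CIDR blocks, as strings
    ports: tuple            # TCP ports the app exposes
    publishers: tuple       # Publishers the app is steered through
    groups: tuple           # users/groups entitled via Real-time Policy


def networks(app):
    """Normalise every host entry to an ip_network (a bare IP becomes a /32)."""
    return [ip_network(h, strict=False) for h in app.hosts]


def find_conflicts(apps):
    """Return (app_a, app_b, group, range_a, range_b) tuples for every case
    where the same group is entitled to overlapping address space that is
    steered to different Publishers. Same Publisher set, or no shared group,
    is not a conflict: that is the question's 443-vs-3389 scenario."""
    conflicts = []
    for a, b in combinations(apps, 2):
        shared_groups = set(a.groups) & set(b.groups)
        if not shared_groups:
            continue                      # different audiences, no steering clash
        if set(a.publishers) == set(b.publishers):
            continue                      # same Publishers, steering is consistent
        for na in networks(a):
            for nb in networks(b):
                if na.version == nb.version and na.overlaps(nb):
                    for group in sorted(shared_groups):
                        conflicts.append((a.name, b.name, group, str(na), str(nb)))
    return conflicts


# Constructed sample definitions mirroring the question: three Outlook web
# servers, one app for everyone on 443, one for IT Admins on 3389.
OUTLOOK_HOSTS = ("10.0.1.10", "10.0.1.11", "10.0.1.12")
OUTLOOK_WEB = PrivateApp("Outlook", OUTLOOK_HOSTS, (443,), ("pub-dc1",), ("All Users",))
OUTLOOK_RDP = PrivateApp("Outlook-RDP", OUTLOOK_HOSTS, (3389,), ("pub-dc1",), ("IT Admins",))

# A genuine overlap: a /16 on a second Publisher, entitled to the same group.
LEGACY = PrivateApp("Legacy-Intranet", ("10.0.0.0/16",), (80, 443), ("pub-dc2",), ("All Users",))

SAMPLE_APPS = (OUTLOOK_WEB, OUTLOOK_RDP, LEGACY)


if __name__ == "__main__":
    print("question scenario:", find_conflicts([OUTLOOK_WEB, OUTLOOK_RDP]) or "no conflicts")
    for c in find_conflicts(SAMPLE_APPS):
        print("CONFLICT: %s and %s both entitle %s to %s vs %s on different Publishers" % c)
```

The check is deliberately conservative in one direction: it treats any difference in the Publisher set as a potential steering clash, so an app that adds a second Publisher for redundancy will be flagged against an overlapping app that lists only one. Whether that is acceptable depends on how the Publishers are grouped in the actual tenant, which the forum answer does not go into.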

Badge +12

Thank you.