Access rules for policy-based VPNs

The Access rules define which traffic is sent to the policy-based VPN and which traffic is allowed out of the policy-based VPN.

No traffic is sent out through the policy-based VPN until you direct traffic to the VPN in the Access rules. The Policy-Based VPN element must be referenced in at least one Access rule. The IKE and IPsec packets required to establish the VPN are allowed automatically based on the VPN definitions for the VPN Gateways. If there are intermediate firewalls between the VPN endpoints, make sure that the policies of those firewalls allow the required IKE and IPsec traffic.

You can set the VPN options in the Action options of the Allow, Continue, and Jump actions. The VPN Action setting has three options, which have different effects depending on the source and destination of the traffic.

  • Apply VPN — Directs traffic from protected local networks into the policy-based VPN tunnel. It allows traffic that arrives through a policy-based VPN to proceed. The rule does not match non-VPN traffic from outside networks into the protected networks, regardless of whether the other cells in the rule match, so such traffic continues to the next rule. This makes it possible to handle special cases in which both VPN and cleartext traffic that match the same rule must be passed through the firewall.
  • Enforce VPN — Directs traffic from protected local networks into the policy-based VPN tunnel. It allows traffic that arrives through a policy-based VPN to proceed. The rule drops non-VPN connections from outside networks into the protected networks if the other cells in the rule match the connection.
  • Forward — Directs traffic from protected local networks or from a policy-based VPN tunnel into another policy-based VPN tunnel. This action is useful for forwarding connections from one policy-based VPN tunnel into another (VPN hub configuration), or from local networks to VPN client computers that are currently connected.

When traffic is sent out through a policy-based VPN, the correct tunnel is selected based on the Sites of the gateway elements. If a VPN Access rule matches a connection with a source or destination IP address that is not included in the Sites, tunnel selection fails and the connection is dropped.

Incoming connections that arrive through the policy-based VPN are matched just like connections that do not use a VPN. Incoming connections do not have to match a VPN Access rule to be allowed in through the policy-based VPN. Any Access rule can match a policy-based VPN connection.
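The following is an added example, not code from the product or this documentation, that models the rule behavior described above (the three VPN Action options and the Sites-based tunnel selection) for one connection whose other rule cells already match. The gateway names, the Sites networks and the simplified tunnel selection are constructed assumptions; the handling of cleartext traffic from outside networks under Forward is not defined on the page and is marked as an assumption.

```python
from ipaddress import ip_address, ip_network

# Constructed Sites for three gateway elements (sample values, not from the page):
# the local gateway and two remote spoke gateways.
SITES = {
    "local-gw": [ip_network("10.1.0.0/16")],
    "spoke-a": [ip_network("10.2.0.0/16")],
    "spoke-b": [ip_network("10.3.0.0/16")],
}

def gateway_for(ip):
    """Name of the gateway element whose Sites contain ip, or None."""
    addr = ip_address(ip)
    return next((gw for gw, nets in SITES.items() if any(addr in n for n in nets)), None)

def select_tunnel(src, dst):
    """Simplified tunnel selection (assumption): both endpoints must be covered by
    Sites and the tunnel runs to the gateway whose Sites contain the destination.
    Returns None when selection fails; the connection is then dropped."""
    src_gw, dst_gw = gateway_for(src), gateway_for(dst)
    if src_gw is None or dst_gw is None or src_gw == dst_gw:
        return None
    return dst_gw

def evaluate(vpn_action, src, dst, from_protected, via_vpn):
    """Outcome of one VPN Access rule whose other cells already match.
    vpn_action: 'apply', 'enforce' or 'forward'.
    from_protected: connection originates in a protected local network.
    via_vpn: connection arrived through a policy-based VPN tunnel.
    Returns 'tunnel:<gateway>', 'allow', 'drop' or 'no-match'
    ('no-match' means this rule is skipped and the next rule is tried)."""
    if vpn_action in ("apply", "enforce"):
        if via_vpn:                       # arrived through the VPN: let it proceed
            return "allow"
        if from_protected:                # local cleartext: direct it into the tunnel
            gw = select_tunnel(src, dst)
            return f"tunnel:{gw}" if gw else "drop"
        # cleartext from outside networks into protected networks
        return "no-match" if vpn_action == "apply" else "drop"
    if vpn_action == "forward":
        if from_protected or via_vpn:     # hub: local-to-VPN or VPN-to-VPN forwarding
            gw = select_tunnel(src, dst)
            return f"tunnel:{gw}" if gw else "drop"
        return "no-match"                 # assumption: case not defined on the page
    raise ValueError(f"unknown VPN action: {vpn_action}")
```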