Create rules for VPN client connections in policy-based VPNs

The Firewall Template policy contains rules that allow policy-based VPN traffic to form and maintain the tunnels. VPN client user authentication is also allowed as part of this VPN connection establishment process. If you use a custom top-level template, you must allow this traffic in the policy.

If your Firewall Policy is based on the Firewall Template policy, there is no need to create rules for VPN client connections. If your Firewall Policy is based on a custom top-level template, make sure that the policy allows the correct Services.


  1. To allow incoming connections from VPN clients, insert the following type of rule:
    Table 1. Rule for allowing incoming traffic from VPN clients
      Source: VPN clients’ Virtual Adapter address space or ANY if Virtual Adapters are not used.
      Destination: Local networks.
      Service: Set as needed.
      Action: Select Use VPN, change the Action to Apply or Enforce, then click Select to add the Policy-Based VPN element.
      Authentication: Double-click the cell to edit. Add User or User Group elements and allowed Authentication Methods.
    • When a policy-based VPN and Authentication Methods are specified in the installed policy, the corresponding configurations are activated on the firewall. Connections from VPN client users are also matched against all other rules.
    • Any users who can authenticate using the specified authentication method can connect with a VPN client. Any such connected users can access resources if there is a matching rule that allows connections without specific Users defined. You can also use the Source VPN cell to prevent unwanted matches in Access rules.
    • When filled in, the User and Authentication cells are equal to Source, Destination, and Service as rule matching criteria. Matching continues from the next rule if the defined User and Authentication Method do not match the connection that is being examined. You can, for example, create rules that give the same user access to different resources depending on the authentication method used.
  2. (Optional) To allow internal hosts to open connections to the VPN client computers when the VPN is active, insert the following type of rule:
    Table 2. Rule for sending traffic to VPN clients
      Source: Local networks.
      Destination: VPN clients’ Virtual Adapter address space.
      Service: Set as needed.
      Action: Select Use VPN, then change the Action to Forward. Add a specific Policy-Based VPN element or select the Any Mobile VPN option to match any VPN client connection.
    • To use the policy-based VPN, the connecting hosts’ IP addresses must be included in the gateway’s Site definition.
    • If NAT is used inside tunnels of this policy-based VPN, add a NAT rule for this traffic direction.
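
The matching behaviour described in the notes under step 1, as an added example that is not part of the product documentation or the firewall's own rule engine: a simplified first-match model showing that a rule with no Users defined also admits any authenticated VPN client, and that scoping the rule by source VPN stops that match. The addresses, user names, method names and the boolean `source_vpn` field are constructed assumptions, and the Service cell is left out for brevity.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    name: str
    source: str                           # CIDR; "0.0.0.0/0" stands for ANY
    destination: str
    users: Optional[frozenset] = None     # None = User cell left empty
    auth: Optional[frozenset] = None      # None = Authentication cell left empty
    source_vpn: Optional[bool] = None     # assumed model: False = do not match VPN traffic

@dataclass
class Conn:
    src: str
    dst: str
    via_vpn: bool = False
    user: Optional[str] = None
    auth: Optional[str] = None

def matches(rule: Rule, conn: Conn) -> bool:
    """Filled-in User/Authentication cells are criteria on a par with Source/Destination."""
    if ip_address(conn.src) not in ip_network(rule.source):
        return False
    if ip_address(conn.dst) not in ip_network(rule.destination):
        return False
    if rule.source_vpn is not None and rule.source_vpn != conn.via_vpn:
        return False
    if rule.users is not None and conn.user not in rule.users:
        return False
    if rule.auth is not None and conn.auth not in rule.auth:
        return False
    return True

def first_match(policy, conn: Conn) -> Optional[str]:
    """Return the first matching rule's name; None means no rule here allowed it."""
    return next((r.name for r in policy if matches(r, conn)), None)

# Constructed sample policy: 10.99.0.0/24 is the Virtual Adapter address space.
ADMIN = Rule("admin-servers", "10.99.0.0/24", "192.168.10.0/24",
             users=frozenset({"alice"}), auth=frozenset({"certificate"}))
INTRANET = Rule("intranet", "0.0.0.0/0", "192.168.20.0/24")   # no Users defined
INTRANET_NO_VPN = Rule("intranet", "0.0.0.0/0", "192.168.20.0/24", source_vpn=False)
LOOSE, SCOPED = [ADMIN, INTRANET], [ADMIN, INTRANET_NO_VPN]

bob = Conn("10.99.0.7", "192.168.20.5", via_vpn=True, user="bob", auth="password")
print(first_match(LOOSE, bob), first_match(SCOPED, bob))
```

Running the same check over an exported rule list is a quick way to find Access rules that leave the User cell empty and would therefore apply to every authenticated VPN client.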