Access rules for policy-based VPNs

The firewall IPv4 Access rules define which traffic is sent to the policy-based VPN and which traffic is allowed out of the policy-based VPN.

These checks are made in addition to the enforcement of the Site definitions of the Gateways, which define the allowed source and destination addresses for each VPN.

No traffic is sent through the policy-based VPN until you direct traffic to the VPN in the IPv4 or IPv6 Access rules. The Policy-Based VPN element must be referenced in at least one IPv4 Access rule or IPv6 Access rule. The communications required to establish the VPN are allowed based on the policy-based VPN definitions and the rules in the Firewall Template. You do not need to specifically include the gateway addresses in the Access rules if your policy is based on the Firewall Template. You might need to allow traffic to the gateway addresses if you use your own customized top-level template policy.

VPN Access rules behave basically the same as all other Access rules: you define certain matching criteria and all traffic that matches is then handled according to the Action set for the rule. The Use VPN rule action has three main options, which have different effects depending on the source and destination of the traffic:
  • Apply — Directs traffic from protected local networks into the policy-based VPN tunnel. It allows traffic that arrives through a policy-based VPN to proceed. The rule does not match non-VPN traffic from outside networks into the protected networks, regardless of whether the other cells in the rule match, so that traffic continues to the rules below. This action is useful for special cases in which both VPN and cleartext traffic that match the same rule must be passed through the firewall.
  • Enforce — Directs traffic from protected local networks into the policy-based VPN tunnel. It allows traffic that arrives through a policy-based VPN to proceed. The rule drops non-VPN connections from outside networks into the protected networks if the other cells in the rule match the connection.
  • Forward — Directs traffic from protected local networks or from a policy-based VPN tunnel into another policy-based VPN tunnel. This action is useful for forwarding connections from one policy-based VPN tunnel into another (VPN hub configuration), or from local networks to VPN client computers that are currently connected.

When traffic is sent out through a policy-based VPN, the correct tunnel is selected based on the Sites of the gateway elements. If a VPN Access rule matches a connection with a source or destination IP address that is not included in the Sites, tunnel selection fails. The connection is dropped.

Incoming connections that arrive through the policy-based VPN are matched just like connections that do not use a VPN. Incoming connections do not have to match a VPN Access rule to be allowed in through the policy-based VPN. Any Access rule can match a policy-based VPN connection. You can use the Source VPN cell to match traffic based on whether the traffic is coming from a policy-based VPN tunnel. When the Source VPN cell is set to match policy-based VPNs, the rule only matches traffic from the selected policy-based VPNs. The cell can also be set to only match non-VPN traffic, or traffic from VPN clients. Access rules that do not have any Source VPN definition can match any traffic, including traffic that is received through a VPN.
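The following is an added example, not part of this documentation and not the product's rule engine: a small Python model of the matching behaviour described above (Apply, Enforce and Forward, the Source VPN cell, and tunnel selection against the gateways' Sites). The VPN names, networks and rules are constructed for illustration, and the Forward handling is a deliberate simplification (it only checks that the source came from a local network or a VPN tunnel and that the destination lies in the target VPN's remote Site).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed topology for the example: the hub gateway's Site covers 10.1.0.0/16,
# the branch gateway's Site is 10.2.0.0/16 and a partner gateway's Site is 10.3.0.0/16.
VPN_SITES = {
    "HQ-to-Branch": {"local": [ipaddress.ip_network("10.1.0.0/16")],
                     "remote": [ipaddress.ip_network("10.2.0.0/16")]},
    "HQ-to-Partner": {"local": [ipaddress.ip_network("10.1.0.0/16")],
                      "remote": [ipaddress.ip_network("10.3.0.0/16")]},
}


@dataclass
class Connection:
    src: str
    dst: str
    # Name of the policy-based VPN the packet arrived through; None for cleartext.
    source_vpn: Optional[str] = None


@dataclass
class Rule:
    src: str            # network in CIDR notation, or "ANY"
    dst: str
    action: str         # "allow", "discard", or a Use VPN option: "apply", "enforce", "forward"
    vpn: Optional[str] = None         # Policy-Based VPN element referenced by Use VPN actions
    source_vpn: Optional[str] = None  # Source VPN cell: None = any, "none" = non-VPN only, or a VPN name


def in_sites(ip: str, networks) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in networks)


def cell_matches(cell: str, ip: str) -> bool:
    return cell == "ANY" or ipaddress.ip_address(ip) in ipaddress.ip_network(cell)


def rule_matches(rule: Rule, conn: Connection) -> bool:
    """Source, destination and Source VPN cells must all match."""
    if not (cell_matches(rule.src, conn.src) and cell_matches(rule.dst, conn.dst)):
        return False
    if rule.source_vpn == "none":
        return conn.source_vpn is None
    if rule.source_vpn is not None:
        return conn.source_vpn == rule.source_vpn
    return True


def select_tunnel(vpn: str, conn: Connection) -> Optional[str]:
    """Tunnel selection: both endpoints must be covered by the gateways' Sites."""
    sites = VPN_SITES[vpn]
    if in_sites(conn.src, sites["local"]) and in_sites(conn.dst, sites["remote"]):
        return f"tunnel:{vpn}"
    return None


def evaluate(rules: List[Rule], conn: Connection) -> str:
    """Walk the rules top-down and return the verdict of the first rule that applies."""
    for rule in rules:
        if not rule_matches(rule, conn):
            continue
        if rule.action in ("apply", "enforce"):
            if conn.source_vpn is not None:
                return "allow (arrived through VPN)"            # VPN traffic is let through
            if in_sites(conn.src, VPN_SITES[rule.vpn]["local"]):
                tunnel = select_tunnel(rule.vpn, conn)          # local network -> tunnel
                return f"send via {tunnel}" if tunnel else "drop (tunnel selection failed)"
            if rule.action == "apply":
                continue                                        # Apply: cleartext from outside does not match
            return "drop (Enforce: cleartext from outside)"     # Enforce: cleartext from outside is dropped
        if rule.action == "forward":
            # Simplified Forward: source must be a local network or a VPN tunnel, destination the target Site.
            if conn.source_vpn is None and not in_sites(conn.src, VPN_SITES[rule.vpn]["local"]):
                continue
            if in_sites(conn.dst, VPN_SITES[rule.vpn]["remote"]):
                return f"forward via tunnel:{rule.vpn}"
            return "drop (tunnel selection failed)"
        return rule.action
    return "drop (no matching rule)"


# Constructed rule base (top-down order matters, as in the real Access rules).
RULES = [
    Rule("10.2.0.0/16", "10.3.0.0/16", "forward", vpn="HQ-to-Partner", source_vpn="HQ-to-Branch"),
    Rule("10.1.0.0/16", "ANY", "apply", vpn="HQ-to-Branch"),
    Rule("10.2.0.0/16", "10.1.0.0/16", "enforce", vpn="HQ-to-Branch"),
    Rule("ANY", "10.1.0.0/16", "apply", vpn="HQ-to-Branch"),
    Rule("ANY", "10.1.0.0/16", "allow", source_vpn="none"),   # reached only by cleartext the Apply rule skipped
]

if __name__ == "__main__":
    for c in (Connection("10.1.5.5", "10.2.7.7"),
              Connection("10.2.7.7", "10.1.5.5"),
              Connection("10.2.7.7", "10.1.5.5", source_vpn="HQ-to-Branch"),
              Connection("198.51.100.4", "10.1.5.5")):
        print(c, "->", evaluate(RULES, c))
```

The Enforce rule drops cleartext packets that carry branch addresses but did not arrive through the tunnel, while the Apply rule above the final allow rule lets cleartext from elsewhere fall through to that rule; a connection from a local address to a destination outside the remote Site matches the Apply rule but fails tunnel selection and is dropped.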

Note: We recommend activating logging for the policy-based VPN rules for initial testing even if you do not plan to log the connections that use the policy-based VPN later. VPN negotiations between the gateways are always logged.

By default, NAT rules apply only to the encrypted packets (the outer addresses of the VPN tunnel). The addresses of the packets carried inside the policy-based VPN tunnel are translated only if you specifically enable NAT for the policy-based VPN. With NAT enabled, the traffic in the policy-based VPN tunnel uses the translated addresses, so you must define the Sites using the translated addresses.

Note: NAT is needed for the NAT Pool feature in VPN client communications and for the Server Pool feature in inbound traffic management. To use these features in a policy-based VPN, NAT must be enabled in the properties of the Policy-Based VPN element.