The rules in this example allow protected hosts to open connections both ways. Two rules are created here to allow the different directions of traffic separately.
VPN rules are matched based on source, destination, and service like any other rules.
Note: This basic configuration scenario does not explain all settings related to Access rules for VPNs.
For more details about the product and how to configure features, click Help or press F1.
Steps
-
Open the Firewall policy used by the
NGFW Engines involved in the VPN for editing.
-
Add two IPv4 Access rules in a suitable location in the policy.
- Make sure that these rules are above other rules that match the same traffic with
Allow,
Discard, or
Refuse as their action.
- Traffic that you do not want to send through the VPN must not match these rules. Traffic that is not routable through the VPN is dropped if it matches these rules.
-
Fill in the rules.
If NAT is enabled in the VPN, remember that the Access rules are checked before the NAT rules are applied.
Table 1. Example VPN rules
| Source |
Destination |
Service |
Action |
| Local internal networks |
Remote internal networks |
Set as needed. |
Select Use VPN, then change the Action to Enforce, and click
Select to add the Policy-Based VPN element you created. |
| Remote internal networks |
Local internal networks |
Set as needed. |
Select Use VPN, then change the Action to Enforce, and click
Select to add the Policy-Based VPN element you created. |
-
Save the policy.
-
Add the same rules in the policies of all firewalls involved in the VPN.
CAUTION:
If you continue to use this VPN, change the pre-shared key periodically (for example, monthly) to guarantee continued confidentiality of your data. Alternatively, you can switch to certificate-based authentication by creating a custom VPN profile.
-
Refresh the policies of all firewalls involved in the VPN to activate the new configuration.
Result
The VPN is established when traffic matches the Access rules.