Create Access rules for VPN configuration 3

Create a rule to allow specific users access to internal networks after having authenticated.

The authentication connection from VPN clients is allowed in the Firewall Template. Authentication is always required to establish a VPN tunnel. VPN client connections are matched based on Source, Destination, and Service like any other traffic. The example rule matches only specific users and only after the users have already successfully authenticated. We recommend always adding the authentication requirement to rules that are specific to VPN clients.

After the VPN tunnel is established, any connection from the VPN clients to the internal network is matched against the Access rules as usual. The example rule that is created here allows these connections.

Note: This basic configuration scenario does not explain all settings related to VPN Access rules.

  For more details about the product and how to configure features, click Help or press F1.


  1. Open the Firewall policy that is used by the NGFW Engines involved in the VPN for editing.
  2. Add an IPv4 Access rule in a suitable location in the policy and configure the rule as outlined here:
    If NAT is active and applied to translate the destination, remember that the Access rules are checked before the NAT rules are applied.
    Table 1. Example VPN rule
    Source Destination Service Action Authentication Users
    Set to ANY. Local internal networks Set as needed. Select Use VPN, then change the Action to Enforce, and click Select to add the Policy-Based VPN element you created. Set to ANY or to a particular method. The stonegate Internal User Group (in InternalDomain)
  3. Save the policy.
  4. Refresh the policies of all firewalls involved in the VPN to activate the new configuration.


The VPN is established when traffic matches the created Access rules.