Create rules for gateway connections in policy-based VPNs

The Firewall Template policy contains rules that allow the policy-based VPN traffic to form and maintain tunnels. If you use a custom top-level template, you must allow this traffic in the policy.

In a custom top-level template, at a minimum allow the ISAKMP (UDP) Service between the gateways so that IKE negotiation (UDP port 500) can take place. You might also need to open other ports if encapsulation is used: with NAT traversal, IKE and the ESP payload are encapsulated in UDP port 4500.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Create rules for incoming site-to-site VPN traffic.
    1. To allow traffic from a single policy-based VPN with an Apply or Enforce action, insert the following type of rule:
      Table 1. Basic rule for allowing incoming VPN traffic from a single policy-based VPN
        Source:      Remote networks.
        Destination: Local networks.
        Service:     Set as needed.
        Action:      Select Use VPN, change the Action to Apply or Enforce, then click Select to add the Policy-Based VPN element.
    2. (Optional) To match the rule based on whether traffic is using a policy-based VPN, insert the following type of rule:
      Table 2. Rule for allowing incoming policy-based VPN traffic from any number of different policy-based VPNs
        Source:      Remote networks.
        Destination: Local networks.
        Service:     Set as needed.
        Action:      Select Allow.
        Source VPN:  Double-click the cell to edit it. To ignore this rule for non-VPN traffic, select Match traffic based on source VPN, then add one or more Policy-Based VPN elements according to where the traffic is coming from. The rule does not match traffic from any other source.
  2. To create rules for outgoing policy-based VPN traffic, insert the following type of rule:
    Table 3. Basic rule for outgoing VPN traffic
      Source:      Local networks.
      Destination: Remote networks.
      Service:     Set as needed.
      Action:      Select Use VPN, then click Select to add the Policy-Based VPN element (the Apply, Enforce, and Forward actions are all identical in this use).
    Note: If Access rules send traffic into a policy-based VPN, but the source or destination IP addresses are not included in the Site definitions, the traffic is dropped. This configuration error is shown as the message “tunnel selection failed” in the logs.
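The following Python model is an added illustration, not code from the product documentation and not the engine's own matching logic. It shows how the three rule types above interact with the Site definitions of a Policy-Based VPN element: a Use VPN rule allowing traffic decrypted from that VPN (Table 1), an Allow rule that is skipped for plaintext traffic because of its Source VPN condition (Table 2), an outgoing Use VPN rule (Table 3), and the drop logged as "tunnel selection failed" when the rule's Destination cell is wider than the VPN's remote Site. The class names (PolicyBasedVPN, Rule, Packet), the evaluate() function and all networks and rule names are assumptions made for the example. It treats Apply, Enforce and Forward identically, as the page says they are for outgoing traffic, and does not model how Apply and Enforce differ for plaintext traffic arriving from a remote site.

```python
"""Model of access-rule evaluation for policy-based VPN traffic.

Added example: the data shapes below are assumptions for illustration,
not the SMC API or the engine's implementation.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


def _in_any(addr: str, nets: List[str]) -> bool:
    a = ip_address(addr)
    return any(a in ip_network(n) for n in nets)


@dataclass
class PolicyBasedVPN:
    """Policy-Based VPN element with its Site definitions (assumed shape)."""
    name: str
    local_sites: List[str]   # networks behind the local gateway
    remote_sites: List[str]  # networks behind the remote gateway

    def selects_tunnel(self, src: str, dst: str) -> bool:
        """Tunnel selection succeeds only if both endpoints lie inside the Sites."""
        return (_in_any(src, self.local_sites) and _in_any(dst, self.remote_sites)) or \
               (_in_any(src, self.remote_sites) and _in_any(dst, self.local_sites))


USE_VPN_ACTIONS = ("apply_vpn", "enforce_vpn", "forward_vpn")


@dataclass
class Rule:
    name: str
    sources: List[str]
    destinations: List[str]
    service: str                                  # "ANY" or a service name
    action: str                                   # "allow", "discard" or a Use VPN action
    vpn: Optional[PolicyBasedVPN] = None          # element chosen with Use VPN
    source_vpns: List[str] = field(default_factory=list)  # Match traffic based on source VPN


@dataclass
class Packet:
    src: str
    dst: str
    service: str
    source_vpn: Optional[str] = None  # VPN the packet was decrypted from; None = plaintext


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not (_in_any(pkt.src, rule.sources) and _in_any(pkt.dst, rule.destinations)):
        return False
    if rule.service != "ANY" and rule.service != pkt.service:
        return False
    # Table 2: with a Source VPN condition the rule is ignored for traffic
    # that did not arrive through one of the listed VPNs.
    if rule.source_vpns:
        return pkt.source_vpn in rule.source_vpns
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First-match evaluation; returns (verdict, reason) the way a log line would."""
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule.action in USE_VPN_ACTIONS:
            vpn = rule.vpn
            if pkt.source_vpn == vpn.name:            # Table 1: decrypted from that VPN
                return "allow", f"{rule.name}: received through {vpn.name}"
            if vpn.selects_tunnel(pkt.src, pkt.dst):  # Table 3: send it into the tunnel
                return "allow", f"{rule.name}: sent into {vpn.name}"
            # The Note: the rule sends traffic into the VPN, but the Sites do not cover it.
            return "discard", f"{rule.name}: tunnel selection failed"
        return rule.action, rule.name
    return "discard", "no matching rule"


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed policy following Tables 1 to 3, plus the misconfiguration from the Note."""
    branch = PolicyBasedVPN("HQ-to-Branch", ["10.0.0.0/16"], ["192.168.50.0/24"])
    partner = PolicyBasedVPN("HQ-to-Partner", ["10.0.0.0/16"], ["172.16.0.0/12"])
    rules = [
        # Table 1: incoming traffic from one VPN, Use VPN with the Apply action
        Rule("in-branch", ["192.168.50.0/24"], ["10.0.0.0/16"], "ANY", "apply_vpn", vpn=branch),
        # Table 2: Allow, matched only for traffic that arrived through a listed VPN
        Rule("in-any-vpn", ["172.16.0.0/12"], ["10.0.0.0/16"], "HTTPS", "allow",
             source_vpns=[branch.name, partner.name]),
        # Table 3: outgoing traffic into the Branch VPN. The Destination cell is wider
        # than the VPN's remote Site, which is exactly the error the Note describes.
        Rule("out-branch", ["10.0.0.0/16"], ["192.168.0.0/16"], "ANY", "enforce_vpn", vpn=branch),
    ]
    packets = {  # constructed sample traffic
        "branch_in": Packet("192.168.50.10", "10.0.1.5", "SSH", source_vpn="HQ-to-Branch"),
        "partner_in": Packet("172.16.3.4", "10.0.1.5", "HTTPS", source_vpn="HQ-to-Partner"),
        "partner_plaintext": Packet("172.16.3.4", "10.0.1.5", "HTTPS"),
        "out_in_site": Packet("10.0.1.5", "192.168.50.10", "HTTPS"),
        "out_not_in_site": Packet("10.0.1.5", "192.168.60.10", "HTTPS"),
    }
    return {name: evaluate(rules, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{name:18} {verdict:8} {reason}")
```

The "partner_plaintext" packet is the case the Source VPN cell exists for: a plaintext packet spoofing a partner address is not matched by the Allow rule and falls through to the implicit drop. The "out_not_in_site" packet shows the Note in action: the rule matches because the Destination cell is 192.168.0.0/16, but the VPN's remote Site only covers 192.168.50.0/24, so tunnel selection fails and the packet is discarded. Fixing it means either narrowing the rule's Destination cell or adding the missing network to the Site definition.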