Create rules for gateway connections in policy-based VPNs

The Firewall Template policy contains rules that allow the policy-based VPN traffic to form and maintain tunnels. If you use a custom top-level template, you must allow this traffic in the policy.

1. Create rules for incoming site-to-site VPN traffic,
   1. To allow traffic from a single policy-based VPN with an Apply or Enforce action, insert the following type of rule:

      Table 1. Basic rule for allowing incoming VPN traffic from a single policy-based VPN

      Source	Destination	Service	Action
      Remote networks.	Local networks.	Set as needed.	Select Use VPN, change the Action to Apply or Enforce, then click Select to add the Policy-Based VPN element.

   2. (Optional) To match the rule based on whether traffic is using a policy-based VPN, insert the following type of rule:

      Table 2. Rule for allowing incoming policy-based VPN traffic from any number of different policy-based VPNs

      Source	Destination	Service	Action	Source VPN
      Remote networks.	Local networks.	Set as needed.	Select Allow.	Double-click the cell to edit it. To ignore this rule for non- VPN traffic, select Match traffic based on source VPN. Add one or more Policy-Based VPN elements according to where the traffic is coming from. This rule does not match traffic from other sources.

2. To create rules for outgoing policy-based VPN traffic, insert the following type of rule:

   Table 3. Basic rule for outgoing VPN traffic

   Source	Destination	Service	Action
   Local networks.	Remote networks.	Set as needed.	Select Use VPN, then click Select to add the Policy-Based VPN element (the Apply, Enforce, and Forward actions are all identical in this use).

   Note: If Access rules send traffic into a policy-based VPN, but the source or destination IP addresses are not included in the Site definitions, the traffic is dropped. This configuration error is shown as the message “tunnel selection failed” in the logs.