Access rules for policy-based VPNs

The Access rules define which traffic is sent to the policy-based VPN and which traffic is allowed out of the policy-based VPN.

These checks are made in addition to the enforcement of the Site definitions of the Gateways, which define the allowed source and destination addresses for each VPN.

No traffic is sent through the policy-based VPN until you direct traffic to the VPN in the Access rules. The Policy-Based VPN element must be referenced in at least one Access rule. The IKE and IPsec packets required to establish the VPN are allowed automatically based on the VPN definitions for the VPN Gateways. If there are intermediate firewalls between the VPN endpoints, make sure that the policies of those firewalls allow the required IKE and IPsec traffic.

VPN Access rules behave basically the same as all other Access rules: you define certain matching criteria, and all traffic that matches is then handled according to the Action set for the rule. You can set the VPN options in the Action options of the Allow, Continue, or Jump Actions. The VPN Action setting has three options, which have different effects depending on the source and destination of the traffic.

  • Apply VPN — Directs traffic from protected local networks into the policy-based VPN tunnel. It allows traffic that arrives through a policy-based VPN to proceed. The rule does not match non-VPN traffic from outside networks into the protected networks, regardless of whether the other cells in the rule match; such connections fall through to the rules below. This lets you handle special cases in which VPN and cleartext traffic that match the same rule must both be passed through the firewall.
  • Enforce VPN — Directs traffic from protected local networks into the policy-based VPN tunnel. It allows traffic that arrives through a policy-based VPN to proceed. The rule drops non-VPN connections from outside networks into the protected networks if the other cells in the rule match the connection.
  • Forward — Directs traffic from protected local networks or from a policy-based VPN tunnel into another policy-based VPN tunnel. This action is useful for forwarding connections from one policy-based VPN tunnel into another (VPN hub configuration), or from local networks to VPN client computers that are currently connected.

When traffic is sent out through a policy-based VPN, the correct tunnel is selected based on the Sites of the gateway elements, not on the Access rule. If a VPN Access rule matches a connection whose source or destination IP address is not included in the Sites, tunnel selection fails and the connection is dropped. If traffic that matches a VPN Access rule is unexpectedly dropped, check the Site definitions of both gateways before changing the rule.

Incoming connections that arrive through the policy-based VPN are matched just like connections that do not use a VPN: they do not have to match a VPN Access rule to be allowed in, and any Access rule can match them. Use the Source VPN cell to match traffic based on whether it arrived through a policy-based VPN tunnel. When the Source VPN cell is set to match policy-based VPNs, the rule matches only traffic from the selected policy-based VPNs. The cell can also be set to match only non-VPN traffic, or only traffic from VPN clients. Access rules that have no Source VPN definition match any traffic, including traffic received through a VPN, so a broad Allow rule placed above the VPN rules accepts tunneled and cleartext connections alike.
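The rule semantics above (the three VPN actions, Site-based tunnel selection, and the Source VPN cell) are easiest to see in a small model. The following Python is an added illustration, not Forcepoint NGFW code or any SMC API: the Rule, VPN and Connection structures, the first-match evaluation, and the sample networks and rules are all assumptions made for this example.

```python
"""Toy model of policy-based VPN Access rule evaluation (added example).

Not NGFW/SMC code: it models the first-match semantics of Apply VPN,
Enforce VPN and Forward, the Source VPN cell, and Site-based tunnel
selection. All structures and addresses below are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


def _in_any(ip: str, networks: Tuple[str, ...]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


@dataclass(frozen=True)
class VPN:
    name: str
    local_sites: Tuple[str, ...]   # Site of this gateway: protected local networks
    remote_sites: Tuple[str, ...]  # Site of the peer gateway


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    port: int
    source_vpn: Optional[str] = None  # VPN the packet arrived through; None = cleartext


@dataclass(frozen=True)
class Rule:
    name: str
    sources: Tuple[str, ...]          # CIDRs; ("any",) matches everything
    destinations: Tuple[str, ...]
    ports: Tuple[int, ...]            # () matches any port
    action: str                       # allow | discard | apply_vpn | enforce_vpn | forward_vpn
    vpn: Optional[str] = None         # Policy-Based VPN element used by the VPN actions
    source_vpn: Optional[str] = None  # Source VPN cell: None = unset, "no_vpn", or a VPN name


def _cells_match(rule: Rule, conn: Connection) -> bool:
    if rule.sources != ("any",) and not _in_any(conn.src, rule.sources):
        return False
    if rule.destinations != ("any",) and not _in_any(conn.dst, rule.destinations):
        return False
    if rule.ports and conn.port not in rule.ports:
        return False
    if rule.source_vpn == "no_vpn":      # cleartext only
        return conn.source_vpn is None
    if rule.source_vpn is not None:      # only the selected VPN
        return conn.source_vpn == rule.source_vpn
    return True                          # unset: matches VPN and non-VPN traffic alike


def evaluate(rules, vpns, conn):
    """First matching rule decides. Returns (rule name, verdict, detail)."""
    for rule in rules:
        if not _cells_match(rule, conn):
            continue
        if rule.action in ("allow", "discard"):
            return rule.name, rule.action, None
        vpn = vpns[rule.vpn]
        if conn.source_vpn == vpn.name:
            # Arrived through this VPN: every VPN action lets it proceed
            return rule.name, "allow", f"received through {vpn.name}"
        from_local = conn.source_vpn is None and _in_any(conn.src, vpn.local_sites)
        from_other_tunnel = conn.source_vpn is not None
        if from_local or (rule.action == "forward_vpn" and from_other_tunnel):
            # Heading into the tunnel: the Sites, not the rule, select the tunnel
            if _in_any(conn.src, vpn.local_sites) and _in_any(conn.dst, vpn.remote_sites):
                return rule.name, "allow", f"sent into {vpn.name}"
            return rule.name, "discard", "tunnel selection failed: address not in Sites"
        # Cleartext from outside networks into the protected networks
        if rule.action == "apply_vpn":
            continue   # Apply VPN does not match; a later rule may still allow it
        if rule.action == "enforce_vpn":
            return rule.name, "discard", f"cleartext where {vpn.name} is enforced"
        continue       # Forward: nothing to forward, so no match
    return None, "discard", "no matching rule"


# Constructed sample policy: "site-a" is a spoke VPN; "site-b" is a second spoke
# reached through this gateway as a hub (its local Site includes site-a's network).
VPNS = {
    "site-a": VPN("site-a", ("10.0.0.0/16",), ("10.1.0.0/16",)),
    "site-b": VPN("site-b", ("10.0.0.0/16", "10.1.0.0/16"), ("10.2.0.0/16",)),
}
RULES = (
    Rule("hub", ("10.1.0.0/16",), ("10.2.0.0/16",), (), "forward_vpn", vpn="site-b", source_vpn="site-a"),
    Rule("https-vpn", ("any",), ("any",), (443,), "apply_vpn", vpn="site-a"),
    Rule("ssh-vpn", ("any",), ("10.0.0.0/16",), (22,), "enforce_vpn", vpn="site-a"),
    Rule("https-clear", ("any",), ("10.0.0.0/16",), (443,), "allow", source_vpn="no_vpn"),
)


def verdicts():
    """Evaluate a handful of constructed connections against the sample policy."""
    cases = {
        "lan to peer": Connection("10.0.1.5", "10.1.2.3", 443),
        "lan to internet": Connection("10.0.1.5", "192.0.2.9", 443),
        "clear https in": Connection("198.51.100.7", "10.0.1.5", 443),
        "clear ssh in": Connection("198.51.100.7", "10.0.1.5", 22),
        "tunnel ssh in": Connection("10.1.2.3", "10.0.1.5", 22, source_vpn="site-a"),
        "hub forward": Connection("10.1.2.3", "10.2.5.5", 80, source_vpn="site-a"),
    }
    return {k: evaluate(RULES, VPNS, c) for k, c in cases.items()}


if __name__ == "__main__":
    for name, (rule, verdict, detail) in verdicts().items():
        print(f"{name:16} -> {verdict:8} rule={rule} {detail or ''}")
```

The "lan to internet" case shows the tunnel-selection failure: the Apply VPN rule matches on its cells, but the destination is outside the peer's Site, so the connection is dropped rather than sent in cleartext. The "clear https in" case shows Apply VPN falling through to the later cleartext rule, while "clear ssh in" shows Enforce VPN discarding the same kind of traffic.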

Note: We recommend activating logging for the policy-based VPN rules for initial testing even if you do not plan to log the connections that use the policy-based VPN later. VPN negotiations between the gateways are always logged.

By default, NAT rules apply only to the encrypted packets (the VPN tunnel itself), not to the packets carried inside it. The addresses of the packets going through the policy-based VPN tunnel are translated only if you specifically enable NAT for the policy-based VPN. With NAT enabled, the traffic in the tunnel uses the translated addresses, so you must define the Sites using the translated addresses.

Note: NAT is needed for the NAT Pool feature in VPN client communications and for the Server Pool feature in inbound traffic management. To use these features in a policy-based VPN, NAT must be enabled in the properties of the Policy-Based VPN element.