Create rules for VPN client connections in policy-based VPNs

The NGFW Engine automatically allows policy-based VPN traffic to form and maintain the tunnels. VPN client user authentication is also allowed as part of this VPN connection establishment process.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. To allow incoming connections from VPN clients, insert the following type of rule:
    Table 1. Rule for allowing incoming traffic from VPN clients
    Source: VPN clients’ Virtual Adapter address space. If Virtual Adapters are not used, select ANY.
    Destination: Local networks.
    Service: Set as needed.
    Action: Select Allow, then open the Action options. Set VPN Action to Apply VPN or Enforce VPN, then select a Policy-Based VPN.
    Authentication: Add User or User Group elements and allowed Authentication Methods.
    • When a policy-based VPN and Authentication Methods are specified in the installed policy, the corresponding configurations are activated on the firewall. Connections from VPN client users are also matched against all other rules.
    • Any users who can authenticate using the specified authentication method can connect with a VPN client. Any such connected users can access resources if there is a matching rule that allows connections without specific Users defined. You can also use the Source VPN cell to prevent unwanted matches in Access rules.
    • When filled in, the User and Authentication cells are rule matching criteria in the same way as Source, Destination, and Service. If the defined User and Authentication Method do not match the connection that is being examined, matching continues from the next rule. You can, for example, create rules that give the same user access to different resources depending on the authentication method used.
  2. (Optional) To allow internal hosts to open connections to the VPN client computers when the VPN is active, insert the following type of rule:
    Table 2. Rule for sending traffic to VPN clients
    Source: Local networks.
    Destination: VPN clients’ Virtual Adapter address space.
    Service: Set as needed.
    Action: Select Allow, then open the Action options. Set VPN Action to Forward. Select a specific Policy-Based VPN element, or select Any Mobile VPN to match any VPN client connection.
    To use the policy-based VPN, the connecting hosts’ IP addresses must be included in the gateway’s Site definition.
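The matching behaviour described in step 1 (User and Authentication cells as ordinary criteria, a broad rule with no Users defined being matched by any authenticated VPN client user, and the Source VPN cell preventing unwanted matches) as an added first-match model. This is illustration code, not NGFW product code; every address, user, service and authentication method name in it is a constructed assumption.

```python
# Added illustration, not NGFW product code: a first-match model of the Access rule
# semantics described above. Names, addresses, services and methods are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
CLIENT_SPACE = ip_network("10.200.0.0/24")  # assumed Virtual Adapter address space
LOCAL_NET = ip_network("192.168.10.0/24")   # assumed local network

@dataclass
class Rule:
    name: str
    sources: list                       # ip_network objects
    destinations: list
    services: set                       # service strings; "ANY" matches all
    action: str                         # "Allow" or "Discard"
    users: Optional[set] = None         # None: no Users defined, any user matches
    auth_methods: Optional[set] = None  # None: no Authentication Method defined
    source_vpn: Optional[str] = None    # None: Source VPN cell left empty
@dataclass
class Connection:
    src: str
    dst: str
    service: str
    user: Optional[str] = None
    auth_method: Optional[str] = None
    vpn: Optional[str] = None           # policy-based VPN the connection came through

def matches(rule: Rule, conn: Connection) -> bool:
    # User, Authentication and Source VPN cells are criteria like Source, Destination
    # and Service: a mismatch means "continue with the next rule", not "reject".
    return (any(ip_address(conn.src) in n for n in rule.sources)
            and any(ip_address(conn.dst) in n for n in rule.destinations)
            and ("ANY" in rule.services or conn.service in rule.services)
            and (rule.users is None or conn.user in rule.users)
            and (rule.auth_methods is None or conn.auth_method in rule.auth_methods)
            and (rule.source_vpn is None or conn.vpn == rule.source_vpn))

def evaluate(rules: list, conn: Connection) -> tuple:
    for rule in rules:                  # first matching rule decides
        if matches(rule, conn):
            return rule.name, rule.action
    return None, "Discard"              # no match: connection is discarded
# Constructed sample policy: a user-specific rule, then a broad rule with no Users
# defined, which any authenticated VPN client user can match.
RULES = [
    Rule("alice-ssh-to-mgmt", [CLIENT_SPACE], [ip_network("192.168.10.5/32")],
         {"tcp/22"}, "Allow", users={"alice"}, auth_methods={"certificate"},
         source_vpn="Client-VPN"),
    Rule("any-vpn-user-https", [CLIENT_SPACE], [LOCAL_NET], {"tcp/443"}, "Allow",
         source_vpn="Client-VPN"),
]
```

Running `evaluate(RULES, ...)` with a user whose authentication method does not match the first rule shows matching falling through to the next rule rather than the connection being rejected, and a connection that did not arrive through "Client-VPN" is discarded even from the same address space.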