Example VPN configuration 4: create Access rules

The rules in this example allow connections between hosts in protected networks of all gateways to connect to all other protected networks.

Note: This configuration scenario does not explain all settings related to VPN Access rules.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration.
  2. Browse to NGFW > Policies > Firewall Policies.
  3. Add rules to the policy that is used by the NGFW Engine that acts as a hub.
    1. Right-click the Firewall policy, then select Edit Firewall Policy.
    2. Add the following rules in a suitable location in the policy:
      Make sure that the rules for sending traffic through the VPN are above any other rules that match the same traffic with the Allow, Discard, or Refuse action. Traffic that you do not want to send through the VPN must not match these rules, because traffic that matches them but is not routable through the VPN is dropped. If NAT is enabled in the VPN, remember that the Access rules are checked before the NAT rules are applied, so the rules must match the pre-NAT addresses.
      Table 1. Example VPN rules in the hub policy
      Source | Destination | Service | Action | Source VPN
      Rules for traffic between the hub and spoke 1, and between spoke 1 and spoke 2
      Hub gateway | Spoke 1 internal network | Set as needed. | Select Allow, then open the Action options. Set VPN Action to Enforce VPN, then select the Policy-Based VPN element that you created. | Your Policy-Based VPN element
      Spoke 1 internal network | Hub gateway | Set as needed. | Select Allow, then open the Action options. Set VPN Action to Enforce VPN, then select the Policy-Based VPN element that you created. | Your Policy-Based VPN element
      Spoke 1 internal network | Spoke 2 internal network | Set as needed. | Select Allow, then open the Action options. Set VPN Action to Forward, then select your Policy-Based VPN element. | Your Policy-Based VPN element
      Rules for traffic between the hub and spoke 2, and between spoke 2 and spoke 1
      Hub gateway | Spoke 2 internal network | Set as needed. | Select Allow, then open the Action options. Set VPN Action to Enforce VPN, then select the Policy-Based VPN element that you created. | Your Policy-Based VPN element
      Spoke 2 internal network | Hub gateway | Set as needed. | Select Allow, then open the Action options. Set VPN Action to Enforce VPN, then select the Policy-Based VPN element that you created. | Your Policy-Based VPN element
      Spoke 2 internal network | Spoke 1 internal network | Set as needed. | Select Allow, then open the Action options. Set VPN Action to Forward, then select your Policy-Based VPN element. | Your Policy-Based VPN element
    3. Save the policy.
  4. Add rules to the policy that is used by the NGFW Engine that acts as spoke 1.
    1. Right-click the Firewall policy, then select Edit Firewall Policy.
    2. Add the following rules in a suitable location in the policy:
      Make sure that the rules for sending traffic through the VPN are above any other rules that match the same traffic with the Allow, Discard, or Refuse action. Traffic that you do not want to send through the VPN must not match these rules, because traffic that matches them but is not routable through the VPN is dropped. If NAT is enabled in the VPN, remember that the Access rules are checked before the NAT rules are applied, so the rules must match the pre-NAT addresses.
      Table 2. Example VPN rules in the spoke 1 policy
      Source | Destination | Service | Action | Source VPN
      Spoke 1 internal network | Hub gateway | Set as needed. | Select Allow, then open the Action options. Set VPN Action to Enforce VPN, then select the Policy-Based VPN element that you created. | Your Policy-Based VPN element
      Hub gateway | Spoke 1 internal network | Set as needed. | Select Allow, then open the Action options. Set VPN Action to Enforce VPN, then select the Policy-Based VPN element that you created. | Your Policy-Based VPN element
      Spoke 1 internal network | Spoke 2 internal network | Set as needed. | Select Allow, then open the Action options. Set VPN Action to Forward, then select your Policy-Based VPN element. | Your Policy-Based VPN element
      Spoke 2 internal network | Spoke 1 internal network | Set as needed. | Select Allow, then open the Action options. Set VPN Action to Forward, then select your Policy-Based VPN element. | Your Policy-Based VPN element
    3. Save the policy.
  5. Add rules to the policy that is used by the NGFW Engine that acts as spoke 2.
    1. Right-click the Firewall policy, then select Edit Firewall Policy.
    2. Add the following rules in a suitable location in the policy:
      Make sure that the rules for sending traffic through the VPN are above any other rules that match the same traffic with the Allow, Discard, or Refuse action. Traffic that you do not want to send through the VPN must not match these rules, because traffic that matches them but is not routable through the VPN is dropped. If NAT is enabled in the VPN, remember that the Access rules are checked before the NAT rules are applied, so the rules must match the pre-NAT addresses.
      Table 3. Example VPN rules in the spoke 2 policy
      Source | Destination | Service | Action | Source VPN
      Spoke 2 internal network | Hub gateway | Set as needed. | Select Allow, then open the Action options. Set VPN Action to Enforce VPN, then select the Policy-Based VPN element that you created. | Your Policy-Based VPN element
      Hub gateway | Spoke 2 internal network | Set as needed. | Select Allow, then open the Action options. Set VPN Action to Enforce VPN, then select the Policy-Based VPN element that you created. | Your Policy-Based VPN element
      Spoke 2 internal network | Spoke 1 internal network | Set as needed. | Select Allow, then open the Action options. Set VPN Action to Forward, then select your Policy-Based VPN element. | Your Policy-Based VPN element
      Spoke 1 internal network | Spoke 2 internal network | Set as needed. | Select Allow, then open the Action options. Set VPN Action to Forward, then select your Policy-Based VPN element. | Your Policy-Based VPN element
    3. Save the policy.
  6. Refresh the policies of all firewalls involved in the VPN to activate the new configuration.
    CAUTION:
    If you continue to use this VPN, change the pre-shared key periodically (for example, monthly) to guarantee continued confidentiality of your data. Alternatively, you can switch to certificate-based authentication by creating a custom VPN profile.
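The rule-order and routability caveats in the steps above, as an added example that is not part of this page or the NGFW product: a small Python model of first-match evaluation over the hub's Table 1 rules. The network prefixes, the extra internet Allow rule and the implicit final discard are constructed assumptions, and the addresses are treated as pre-NAT, since Access rules are checked before NAT rules.

```python
from ipaddress import ip_address, ip_network

# Constructed sample prefixes: the page names these networks but gives no addresses.
HUB_NET = ip_network("10.0.0.0/24")     # hub gateway's protected network
SPOKE1_NET = ip_network("10.1.0.0/24")  # spoke 1 internal network
SPOKE2_NET = ip_network("10.2.0.0/24")  # spoke 2 internal network
ANY = ip_network("0.0.0.0/0")
VPN_SITES = [HUB_NET, SPOKE1_NET, SPOKE2_NET]  # destinations the VPN can route to

# Table 1 (hub policy) as (source, destination, action, VPN action) tuples.
HUB_VPN_RULES = [
    (HUB_NET, SPOKE1_NET, "Allow", "Enforce VPN"),
    (SPOKE1_NET, HUB_NET, "Allow", "Enforce VPN"),
    (SPOKE1_NET, SPOKE2_NET, "Allow", "Forward"),
    (HUB_NET, SPOKE2_NET, "Allow", "Enforce VPN"),
    (SPOKE2_NET, HUB_NET, "Allow", "Enforce VPN"),
    (SPOKE2_NET, SPOKE1_NET, "Allow", "Forward"),
]
# Assumed ordinary Allow rule (no VPN action) giving the hub network internet access.
INTERNET_RULE = (HUB_NET, ANY, "Allow", None)

def evaluate(rules, src, dst):
    """First matching rule decides; models the caveats given in the procedure."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, action, vpn_action in rules:
        if s not in src_net or d not in dst_net:
            continue
        if action != "Allow":
            return action                      # Discard or Refuse
        if vpn_action is None:
            return "Allow (cleartext)"         # matched a rule without a VPN action
        if not any(d in site for site in VPN_SITES):
            return "Drop (not routable through VPN)"
        return vpn_action                      # "Enforce VPN" or "Forward"
    return "Discard (no matching rule)"        # assumed implicit final deny

def correct_order():
    """VPN rules above the broader Allow rule, as the procedure requires."""
    return HUB_VPN_RULES + [INTERNET_RULE]

def wrong_order():
    """Broader Allow rule first: hub-to-spoke traffic leaves in cleartext."""
    return [INTERNET_RULE] + HUB_VPN_RULES

if __name__ == "__main__":
    for order in (correct_order, wrong_order):
        print(order.__name__, evaluate(order(), "10.0.0.5", "10.1.0.7"))
```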

Result

The VPN is established when traffic matches the created Access rules. Example VPN configuration 4 is now complete.