The rules in this example allow protected hosts to open connections both ways. Two rules are created here to allow the different directions of traffic separately.
VPN rules are matched based on source, destination, and service like any other rules.
Note: This configuration scenario does not explain all settings related to VPN Access rules.
For more details about the product and how to configure features, click Help or
press F1.
Steps
-
Select Configuration.
-
Browse to .
-
Right-click the Firewall policy that is used by the NGFW Engines involved in the VPN, then select Edit Firewall
Policy.
-
Add two IPv4 Access rules in a suitable location in the policy.
- Make sure that rules for sending traffic through the VPN are above other rules that match the same traffic the
Allow,
Discard, or
Refuse action.
- Traffic that you do not want to send through the VPN must not match these rules. Traffic that is not routable through the VPN is dropped if it matches these rules.
-
Fill in the rules as outlined here. If NAT is enabled in the VPN, remember that the Access rules are checked before the NAT rules are applied.
Table 1. Example VPN rules
Source |
Destination |
Service |
Action |
Local internal networks |
Remote internal networks |
Set as needed. |
Select Allow, then open the Action options. Set VPN Action to Enforce
VPN, then select a Policy-Based VPN. |
Remote internal networks |
Local internal networks |
Set as needed. |
Select Allow, then open the Action options. Set VPN Action to Enforce
VPN, then select a Policy-Based VPN. |
-
Save the policy.
CAUTION:
If you continue to use this VPN, change the pre-shared key periodically (for example, monthly) to guarantee continued confidentiality of your data. Alternatively, you can switch to certificate-based authentication by creating a custom VPN profile.
-
Refresh the policies of all firewalls involved in the VPN to activate the new configuration.
Result
The VPN is established when traffic matches the Access rules created here. Example VPN configuration 2 is now complete.