Example VPN configuration 3: create Access rules

Create a rule to allow specific users access to internal networks after having authenticated.

The authentication connection from VPN clients is allowed in the Firewall Template, and authentication is always required before a VPN tunnel can be established. After that, VPN client connections are matched on Source, Destination, and Service like any other traffic. The example rule additionally matches only specific users, and only after those users have successfully authenticated. We recommend always adding the authentication requirement to rules that are specific to VPN clients: a rule that matches on the VPN client address range alone applies to any host that obtains an address from that range, whereas a rule with the authentication requirement applies only to the listed users.

After the VPN tunnel is established, any connection from the VPN clients to the internal network is matched against the Access rules as usual. The example rule that is created here allows these connections.

Note: This configuration scenario does not explain all settings related to VPN Access rules.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration.
  2. Browse to NGFW > Policies > Firewall Policies.
  3. Right-click the Firewall policy that is used by the NGFW Engines involved in the VPN, then select Edit Firewall Policy.
  4. Add an IPv4 Access rule in a suitable location in the policy and configure the rule as outlined here:
    Table 1. Example VPN rule
    Source: Network element that represents the virtual IP address range for the VPN Client.
    Destination: Local internal networks.
    Service: Set as needed.
    Action: Select Allow, then open the Action options. Set VPN Action to Enforce VPN, then select a Policy-Based VPN.
    Authentication:
      Users tab: stonegate Internal User Group (under InternalDomain).
      Authentication Methods tab: ANY or a specific method.

  5. Save the policy.
  6. Refresh the policies of all firewalls involved in the VPN to activate the new configuration.
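The following is an added illustration of how the Access rule above is matched, written as a small Python model; it is not product code and does not reproduce the NGFW Engine's actual rule engine. It assumes constructed values that are not on this page: a VPN client virtual address range of 10.100.0.0/24, local internal networks of 192.168.0.0/16, a Policy-Based VPN element named "Client VPN", top-down first-match evaluation, and a discard when no rule matches. It places the Table 1 rule beside the same rule without the Users tab entry, so the effect of the authentication requirement is visible: an unauthenticated host, or an authenticated user outside the group, is still allowed by the address-only rule but not by the example rule.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed, assumed values (not from the page or the product).
VPN_CLIENT_POOL = ipaddress.ip_network("10.100.0.0/24")
INTERNAL_NETWORKS = ipaddress.ip_network("192.168.0.0/16")
INTERNAL_USER_GROUP = "stonegate Internal User Group"


@dataclass(frozen=True)
class Connection:
    """A connection from a VPN client as seen by the Access rules."""
    src: str
    dst: str
    service: str                        # e.g. "tcp/445"
    user: str | None = None             # authenticated user, None if unauthenticated
    groups: frozenset = frozenset()     # groups the authenticated user belongs to
    auth_method: str | None = None      # method used, e.g. "User password"


@dataclass(frozen=True)
class Rule:
    """One IPv4 Access rule: Source, Destination, Service, Action, Authentication."""
    name: str
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    services: frozenset | None              # None means ANY service
    action: str                             # "allow" or "discard"
    users: frozenset | None = None          # Users tab; None means no auth requirement
    auth_methods: frozenset | None = None   # Authentication Methods tab; None means ANY
    vpn_action: str | None = None           # e.g. "Enforce VPN"
    vpn: str | None = None                  # Policy-Based VPN element name (assumed)

    def matches(self, c: Connection) -> bool:
        if ipaddress.ip_address(c.src) not in self.source:
            return False
        if ipaddress.ip_address(c.dst) not in self.destination:
            return False
        if self.services is not None and c.service not in self.services:
            return False
        if self.users is not None:
            # Authentication requirement: the user must already have
            # authenticated and must belong to one of the listed groups.
            if c.user is None or not (c.groups & self.users):
                return False
            if self.auth_methods is not None and c.auth_method not in self.auth_methods:
                return False
        return True


def evaluate(policy: list[Rule], c: Connection) -> tuple[str, str | None]:
    """Top-down, first-match evaluation (assumed); no match discards the connection."""
    for rule in policy:
        if rule.matches(c):
            return rule.action, rule.name
    return "discard", None


# The rule from Table 1, with the authentication requirement.
EXAMPLE_RULE = Rule(
    name="VPN clients to internal networks",
    source=VPN_CLIENT_POOL, destination=INTERNAL_NETWORKS,
    services=None,                         # "Set as needed"; ANY here
    action="allow",
    users=frozenset({INTERNAL_USER_GROUP}),
    auth_methods=None,                     # ANY
    vpn_action="Enforce VPN", vpn="Client VPN",
)

# The same rule without the Users tab entry: it matches on address alone.
ADDRESS_ONLY_RULE = Rule(
    name="VPN pool to internal networks (no auth requirement)",
    source=VPN_CLIENT_POOL, destination=INTERNAL_NETWORKS,
    services=None, action="allow",
    vpn_action="Enforce VPN", vpn="Client VPN",
)


def compare(c: Connection) -> dict:
    """Action taken for one connection under each of the two rules."""
    return {
        "with_auth_requirement": evaluate([EXAMPLE_RULE], c)[0],
        "address_only": evaluate([ADDRESS_ONLY_RULE], c)[0],
    }


if __name__ == "__main__":
    cases = {
        "group member": Connection("10.100.0.15", "192.168.1.10", "tcp/445", user="alice",
                                   groups=frozenset({INTERNAL_USER_GROUP}), auth_method="User password"),
        "unauthenticated": Connection("10.100.0.15", "192.168.1.10", "tcp/445"),
        "outside the group": Connection("10.100.0.15", "192.168.1.10", "tcp/445", user="bob",
                                        groups=frozenset({"Contractors"}), auth_method="User password"),
        "not from the pool": Connection("203.0.113.7", "192.168.1.10", "tcp/445"),
    }
    for label, conn in cases.items():
        print(f"{label:18s} {compare(conn)}")
```

Running it shows that only the authenticated group member passes the Table 1 rule, while the address-only rule also admits the unauthenticated host and the user outside the group; a source outside the VPN client range is discarded by both.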

Result

The VPN is established when traffic matches the created Access rules. Example VPN configuration 3 is now complete.