Configure rules for policy-based VPN traffic

Access rules define which traffic is allowed through the firewall and through policy-based VPN tunnels.

Add an access rule with the Allow action, then use Edit Options from the context menu of the Action cell to set a VPN action that directs the traffic matching the rule into the policy-based VPN to Forcepoint ONE SSE that you created.

Steps

  1. In the Management Client, select Configuration.

    The NGFW Engines page opens.

  2. Right-click the NGFW Engine that acts as the Satellite Gateway in your policy-based VPN to the Forcepoint ONE SSE cloud, then select Current Policy > Edit.

    The policy page opens.

  3. To add a new rule, right-click the ID column and select Add Rule Before or Add Rule After.
  4. Specify the following matching criteria in the rule:
    • Source — In the left pane, browse to Network Elements > Networks, then drag the internal network whose traffic you want to route to the internet into the Source cell.
    • Destination — Any
    • Service — HTTP, HTTPS
      Important: The edge device (router or firewall) at the customer site must be configured to send only web traffic on TCP ports 80 and 443 over the tunnel to the Cloud SWG.
  5. Configure the action for the rule.
    1. Right-click the Action cell, then select Allow.
    2. Right-click the Action cell again, then select Edit Options.
    3. From the VPN Action drop-down list, select Enforce VPN.
    4. Next to the VPN field, click Select and then select the custom Policy-Based VPN element that you created.
    5. Click OK.
  6. Click Save.
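Before installing the policy, it is worth checking which flows the rule will actually steer into the tunnel. The following Python model is added here as an illustration (it is not Forcepoint code and not the SMC API): it reproduces the first-match logic of the rule built in steps 4 and 5 against constructed sample flows, with the internal network 10.10.0.0/16, the VPN element name and a second plain DNS rule all assumed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str    # "tcp", "udp" or "icmp"
    dport: int = 0

@dataclass(frozen=True)
class Rule:
    name: str
    sources: tuple     # CIDR strings, or ("any",)
    services: tuple    # (proto, port) pairs, or ("any",); destination is Any here
    action: str        # "allow" or "discard"
    vpn: str = ""      # policy-based VPN element name when VPN Action is Enforce VPN
    def matches(self, flow):
        src_ok = "any" in self.sources or any(
            ip_address(flow.src) in ip_network(n) for n in self.sources)
        svc_ok = "any" in self.services or (flow.proto, flow.dport) in self.services
        return src_ok and svc_ok

def evaluate(rules, flow):
    """First matching rule wins; a flow matching no rule hits the implicit drop."""
    for rule in rules:
        if rule.matches(flow):
            return f"allow via VPN {rule.vpn}" if rule.action == "allow" and rule.vpn else rule.action
    return "discard (no matching rule)"

# Constructed policy mirroring steps 4 and 5: internal network (assumed
# 10.10.0.0/16), destination Any, service HTTP and HTTPS, Allow with Enforce VPN
# to the custom policy-based VPN element (assumed name). The DNS rule is an
# assumed extra rule showing non-web traffic that stays outside the tunnel.
INTERNAL_NET = "10.10.0.0/16"
SWG_VPN = "ONE SSE Policy-Based VPN"
RULES = (
    Rule("Web to Cloud SWG", (INTERNAL_NET,), (("tcp", 80), ("tcp", 443)), "allow", SWG_VPN),
    Rule("Internal DNS", (INTERNAL_NET,), (("udp", 53),), "allow"),
)

def check_samples():
    """Verdict for each constructed sample flow, keyed by a short description."""
    samples = {
        "https from internal": Flow("10.10.5.20", "203.0.113.10", "tcp", 443),
        "dns from internal": Flow("10.10.5.20", "203.0.113.53", "udp", 53),
        "ssh from internal": Flow("10.10.5.20", "203.0.113.22", "tcp", 22),
        "http from other net": Flow("192.168.9.4", "203.0.113.10", "tcp", 80),
    }
    return {name: evaluate(RULES, flow) for name, flow in samples.items()}
```

Only the HTTPS flow from the internal network is sent into the VPN; SSH from the same network and web traffic from a network not listed in Source fall through to the implicit drop, which is the behaviour the Important note above relies on.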

Next steps

In the Forcepoint ONE SSE portal, configure the Cloud SWG policies. Then install the policy that you added or updated on the NGFW Engine, so that the engine receives both the VPN configuration changes and the new access rule that directs the selected traffic to Forcepoint ONE SSE.

Test the configuration to verify that traffic flows through the tunnel and that the correct Forcepoint ONE SSE policy is applied.