The rules in this example allow protected hosts to open connections both ways. Two rules are created here to allow the different directions of traffic separately.
VPN rules are matched based on source, destination, and service like any other rules.
Note: This configuration scenario does not explain all settings related to Access rules for VPNs.
For more details about the product and how to configure features, click Help or
press F1.
Steps
-
Select Configuration.
-
Browse to .
-
Right-click the Firewall policy that is used by the Engines involved in the VPN, then select Edit Firewall
Policy.
-
Add two IPv4 Access rules in a suitable location in the policy.
- Make sure that these rules are above other rules that match the same traffic with
Allow,
Discard, or
Refuse as their action.
- Traffic that you do not want to send through the VPN must not match these rules. Traffic that is not routable through the VPN is dropped if it matches these rules.
-
Fill in the rules.
If NAT is enabled in the VPN, remember that the Access rules are checked before the NAT rules are applied.
Table 1. Example VPN rules
Source |
Destination |
Service |
Action |
Local internal networks |
Remote internal networks |
Set as needed. |
Select Allow, then open the Action options. Set VPN Action to Enforce
VPN, then select a Policy-Based VPN. |
Remote internal networks |
Local internal networks |
Set as needed. |
Select Allow, then open the Action options. Set VPN Action to Enforce
VPN, then select a Policy-Based VPN. |
-
Save the policy.
-
Add the same rules in the policies of all firewalls involved in the VPN.
CAUTION:
If you continue to use this VPN, change the pre-shared key periodically to guarantee continued confidentiality of your data. Alternatively, you can change to certificate-based
authentication by creating a custom VPN profile.
-
Refresh the policies of all firewalls involved in the VPN to activate the new configuration.
Result
The VPN is established when traffic matches the Access rules. Example VPN configuration 1 is now complete.