Configure rules for policy-based VPN traffic

In the Management Client, add access rules to allow the traffic that you want to accept from both VPN tunnels. Review and modify the NAT rules if necessary.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Home.
  2. Right-click the NGFW Engine, then select Current Policy > Edit.
  3. Locate the rule that allows traffic to the Internet, then right-click the rule ID and select Add Rule Before. Access rules are matched from the top down, so the VPN rules must come before the more general Internet rule; otherwise the Internet rule matches first and the traffic leaves in cleartext instead of being enforced into the tunnel.
  4. Specify the following matching criteria in the rule:
    • Source — Tunnel 1 NAT IP Host element
    • Destination — Private network of the site
    • Service — HTTP, HTTPS
  5. Configure the action for the rule.
    1. Right-click the Action cell, then select Allow.
    2. Right-click the Action cell again, then select Edit Options.
    3. From the VPN Action drop-down list, select Enforce VPN.
    4. Next to the VPN field, click Select, then select the custom Policy-Based VPN element that you created for the first tunnel.
    5. On the Advanced tab, select On from the Enforce TCP MSS drop-down list.
    6. In the Maximum field, enter 1360. Clamping the MSS leaves room for the IPsec encapsulation overhead on a 1500-byte path, so TCP segments are not fragmented inside the tunnel.
    7. Click OK.
  6. Right-click the rule ID of the rule that you just created, then select Add Rule After.
  7. Specify the following matching criteria in the rule:
    • Source — Tunnel 2 NAT IP Host element
    • Destination — Private network of the site
    • Service — HTTP, HTTPS
  8. Configure the action for the rule.
    1. Right-click the Action cell, then select Allow.
    2. Right-click the Action cell again, then select Edit Options.
    3. From the VPN Action drop-down list, select Enforce VPN.
    4. Next to the VPN field, click Select, then select the custom Policy-Based VPN element that you created for the second tunnel.
    5. On the Advanced tab, select On from the Enforce TCP MSS drop-down list.
    6. In the Maximum field, enter 1360.
    7. Click OK.
  9. If necessary, configure NAT exceptions to ensure that network address translation is not applied to traffic that is routed through the VPN.
    Note: By default, NAT is not applied to traffic that is routed through the VPN unless you select the Apply NAT to traffic that uses this VPN option in the properties of the Policy-Based VPN element.
  10. Click Save and Install.
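The ordering point in the procedure (the two enforce-VPN rules must sit above the general Internet rule) is easy to get wrong when a policy is edited later. The following check is an added illustration and is not Forcepoint code or the SMC API: it models the access rules as a constructed first-match table and reports every tunnel source whose first matching rule would allow the traffic without Enforce VPN, or without the MSS clamp. The NAT IP addresses, the private network, and the rule IDs are made up for the example.

```python
"""Policy-ordering check for the two enforce-VPN rules described above.

Added example, not Forcepoint's own code or SMC API. The rule table is a
constructed, simplified model of the access rules in the procedure
(first-match evaluation, top to bottom), used to show how a shadowing
Internet rule would send tunnel traffic in cleartext.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed values: the two NAT IP Host elements and the site's private network.
TUNNEL_SOURCES = {"Tunnel 1": "203.0.113.10", "Tunnel 2": "203.0.113.11"}
SITE_NET = "10.10.0.0/16"


@dataclass
class Rule:
    rule_id: int
    sources: object        # list of networks/hosts, or "any"
    destinations: object   # list of networks/hosts, or "any"
    services: object       # set of service names, or "any"
    action: str            # "allow" or "discard"
    vpn_action: Optional[str] = None   # "enforce" when VPN Action is Enforce VPN
    vpn: Optional[str] = None          # name of the Policy-Based VPN element
    mss_max: Optional[int] = None      # Enforce TCP MSS maximum, None if off


def _matches_addr(nets, addr):
    if nets == "any":
        return True
    a = ip_address(addr)
    return any(a in ip_network(n) for n in nets)


def first_match(policy, src, dst, service):
    """Return the first rule (top down) that matches the connection, or None."""
    for rule in policy:
        if (_matches_addr(rule.sources, src)
                and _matches_addr(rule.destinations, dst)
                and (rule.services == "any" or service in rule.services)):
            return rule
    return None


def check_tunnel_rules(policy, tunnel_sources, site_net,
                       services=("HTTP", "HTTPS"), required_mss=1360):
    """Return findings; an empty list means every tunnel source is enforced into a VPN."""
    findings = []
    probe_dst = str(next(ip_network(site_net).hosts()))  # any host in the private network
    for tunnel_name, src in tunnel_sources.items():
        for service in services:
            rule = first_match(policy, src, probe_dst, service)
            if rule is None:
                findings.append(f"{tunnel_name}/{service}: no matching rule")
            elif rule.action != "allow":
                findings.append(f"{tunnel_name}/{service}: discarded by rule {rule.rule_id}")
            elif rule.vpn_action != "enforce" or not rule.vpn:
                findings.append(f"{tunnel_name}/{service}: rule {rule.rule_id} "
                                "allows the traffic in cleartext (no Enforce VPN)")
            elif rule.mss_max != required_mss:
                findings.append(f"{tunnel_name}/{service}: rule {rule.rule_id} "
                                f"has MSS {rule.mss_max}, expected {required_mss}")
    return findings


def build_policy(shadowed=False, mss_max=1360):
    """Constructed policy: the two VPN rules from the procedure plus an Internet rule.

    shadowed=True places the Internet rule first, the mistake the check detects.
    """
    vpn_rules = [
        Rule(10, [TUNNEL_SOURCES["Tunnel 1"]], [SITE_NET], {"HTTP", "HTTPS"},
             "allow", "enforce", "Tunnel-1 VPN", mss_max),
        Rule(11, [TUNNEL_SOURCES["Tunnel 2"]], [SITE_NET], {"HTTP", "HTTPS"},
             "allow", "enforce", "Tunnel-2 VPN", mss_max),
    ]
    internet_rule = Rule(20, "any", "any", "any", "allow")
    return [internet_rule] + vpn_rules if shadowed else vpn_rules + [internet_rule]


if __name__ == "__main__":
    for label, policy in (("correct order", build_policy()),
                          ("Internet rule first", build_policy(shadowed=True)),
                          ("MSS clamp off", build_policy(mss_max=None))):
        print(label, "->", check_tunnel_rules(policy, TUNNEL_SOURCES, SITE_NET) or "OK")
```

The check probes one host in the private network per tunnel source and service; in a real audit, run it over every source/destination pair the policy is supposed to protect, because a shadowing rule may only cover part of the address space.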

Result

The configuration is now complete.

Next steps

Test the configuration to make sure that traffic is flowing through the tunnels as expected, for example by generating HTTP and HTTPS connections from each NAT IP host to the private network and confirming in the Logs view that the connections match the enforce-VPN rules rather than the Internet rule.