Step 6: Create firewall policies
To allow SSL VPN users to access both your internal network and the Internet, you must create two firewall policies: one for the Internet and one for your internal network. Both policies take their traffic from the SSL VPN tunnel interface (ssl.root) and are restricted to the "sslvpngrp" user group, so only authenticated members of that group match them.
Configure an internet firewall policy
To configure an SSL VPN firewall policy for the Internet from the GUI:
- From the main menu, select Policy & Objects > IPv4 Policy.
- Select Create New and make the selections shown in the following table. Under Source, set Address to "all" and User to "sslvpngrp"; make the other selections as desired.
- Click OK to confirm the policy configuration.

Parameter | Description and Example
---|---
Name | Specify a unique name that identifies the purpose of the policy, e.g., "ssl-to-internet".
Incoming Interface | Select the interface for incoming traffic, e.g., "SSL-VPN tunnel interface (ssl.root)".
Outgoing Interface | Select the interface for outgoing traffic, e.g., "port1".
Source | Set Address to "all" and User to "sslvpngrp".
Destination | Set Address to "all".
Schedule | Select "always".
Service | Select "ALL".
Action | Select "ACCEPT".
NAT | Click the button to enable NAT.
IP Pool Configuration | Select "Use Outgoing Interface Address".
Enable this policy | Click the button to enable the policy.
To configure an SSL VPN firewall policy for the Internet from the Console (the name, destination "all" and NAT setting match the GUI table above):

    config firewall policy
        edit 1
            set name "ssl-to-internet"
            set srcintf "ssl.root"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set groups "sslvpngrp"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end
Configure an internal network firewall policy
To configure an SSL VPN firewall policy for your internal network from the GUI:
- From the main menu, select Policy & Objects > IPv4 Policy.
- Select Create New and make the selections shown in the following table. Under Source, set Address to "all" and User to "sslvpngrp"; make the other selections as desired.
- Click OK to confirm the policy configuration.

Parameter | Description and Example
---|---
Name | Specify a unique name that identifies the purpose of the policy, e.g., "ssl-to-lan".
Incoming Interface | Select the interface for incoming traffic, e.g., "SSL-VPN tunnel interface (ssl.root)".
Outgoing Interface | Select the interface for outgoing traffic, e.g., "port2".
Source | Set Address to "all" and User to "sslvpngrp".
Destination | Set Address to "local-lan".
Schedule | Select "always".
Service | Select "ALL".
Action | Select "ACCEPT".
NAT | Click the button to enable NAT.
IP Pool Configuration | Select "Use Outgoing Interface Address".
Enable this policy | Click the button to enable the policy.
To configure an SSL VPN firewall policy for your internal network from the Console (this policy gets its own ID, edit 2; reusing edit 1 would overwrite the Internet policy created above):

    config firewall policy
        edit 2
            set name "ssl-to-lan"
            set srcintf "ssl.root"
            set dstintf "port2"
            set srcaddr "all"
            set dstaddr "local-lan"
            set groups "sslvpngrp"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end
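The following Python script is added here as an example; it is not part of Fortinet's documentation and not FortiOS code. It renders both policies from this page (the Internet policy and the internal-network policy) as FortiOS-style CLI and lints the set for the mistakes the two console procedures invite: a reused policy ID, a policy on ssl.root with no user group bound, and the broad "all" source / "ALL" service matches. The object names "ssl.root", "port1", "port2", "local-lan" and "sslvpngrp" come from the page; SSLVPN_TUNNEL_ADDR1 is assumed to be the default tunnel-pool address object on your unit, and "vpn-lan-services" is a hypothetical service group.

```python
"""Policy-as-code check for the two SSL VPN firewall policies on this page.

Added example: not Fortinet documentation and not FortiOS code.  It renders
FortiOS-style `config firewall policy` CLI from Python objects and lints the
set for mistakes that are easy to make when the blocks are typed by hand.
"""
from dataclasses import dataclass

# Assumed default name of the FortiGate SSL VPN tunnel IP-pool address object;
# confirm it under Policy & Objects > Addresses before using it in a policy.
TUNNEL_POOL = "SSLVPN_TUNNEL_ADDR1"


@dataclass
class Policy:
    policyid: int
    name: str
    srcintf: str
    dstintf: str
    srcaddr: str
    dstaddr: str
    groups: str          # user group bound to the policy ("" = none)
    nat: bool = True
    action: str = "accept"
    schedule: str = "always"
    service: str = "ALL"

    def to_cli(self) -> str:
        """Render one `edit N ... next` block in FortiOS CLI syntax."""
        def q(s: str) -> str:
            return f'"{s}"'
        rows = [
            ("name", q(self.name)), ("srcintf", q(self.srcintf)),
            ("dstintf", q(self.dstintf)), ("srcaddr", q(self.srcaddr)),
            ("dstaddr", q(self.dstaddr)),
            ("groups", q(self.groups) if self.groups else None),
            ("action", self.action), ("schedule", q(self.schedule)),
            ("service", q(self.service)),
            ("nat", "enable" if self.nat else "disable"),
        ]
        body = "\n".join(f"        set {k} {v}" for k, v in rows if v is not None)
        return f"    edit {self.policyid}\n{body}\n    next"


def render(policies) -> str:
    """Complete `config firewall policy ... end` block for the given policies."""
    return "config firewall policy\n" + "\n".join(p.to_cli() for p in policies) + "\nend"


def lint(policies) -> list:
    """Findings as strings: ERROR = will not do what the page intends,
    WARN = works as written but is broader than VPN users need."""
    findings, seen = [], {}
    for p in policies:
        if p.policyid in seen:
            findings.append(f"ERROR {p.name}: policyid {p.policyid} reused from "
                            f"{seen[p.policyid]}; the later edit overwrites it")
        seen.setdefault(p.policyid, p.name)
        if p.srcintf == "ssl.root" and not p.groups:
            findings.append(f"ERROR {p.name}: no user group bound; the page binds "
                            "sslvpngrp so only its members match this policy")
        if p.srcaddr == "all":
            findings.append(f"WARN {p.name}: srcaddr all; restrict to {TUNNEL_POOL} "
                            "so only addresses assigned to tunnel clients match")
        if p.service == "ALL" and p.dstaddr != "all":
            findings.append(f"WARN {p.name}: service ALL towards {p.dstaddr}; list "
                            "only the internal services VPN users actually need")
    return findings


def page_policies() -> list:
    """The Internet and internal-network policies exactly as this page sets them."""
    return [
        Policy(1, "ssl-to-internet", "ssl.root", "port1", "all", "all", "sslvpngrp"),
        Policy(2, "ssl-to-lan", "ssl.root", "port2", "all", "local-lan", "sslvpngrp"),
    ]


def hardened_policies() -> list:
    """Same two policies with the source narrowed to the tunnel pool and the
    LAN policy limited to a service group (hypothetical name "vpn-lan-services")."""
    inet, lan = page_policies()
    inet.srcaddr = lan.srcaddr = TUNNEL_POOL
    lan.service = "vpn-lan-services"
    return [inet, lan]


if __name__ == "__main__":
    print(render(page_policies()))
    for finding in lint(page_policies()):
        print(finding)
```

Running the script prints the CLI for the two policies as the page defines them, followed by three WARN findings: both policies match any source address rather than only the tunnel pool, and the LAN policy allows every service. The hardened variant clears all findings; it is the form to prefer once you know which internal services VPN users need. The lint is deliberately conservative and offline: it checks the text you are about to paste, not the running unit, so verify the address and group objects exist on the FortiGate before committing.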
The image below shows the two firewall policies we've just created.