
Step 6: Create firewall policies

To allow the user to access both your internal network and the internet, you must create two firewall policies: one for the Internet and one for your internal network.

Configure an internet firewall policy

To configure an SSL-VPN firewall policy for the Internet from the GUI:
  1. From the main menu, select Policy & Objects > IPv4 Policy.
  2. Select Create New, and make the required selections as shown in the following table.

     Parameter: Description and Example

     Name: Specify a unique name that identifies the purpose of the policy, e.g., "ssl-to-internet".
     Incoming Interface: Select the interface for incoming traffic, e.g., "SSL-VPN tunnel interface (ssl.root)".
     Outgoing Interface: Select the interface for outgoing traffic, e.g., "port1".
     Source: Make the following selections:
       • Address: "all"
       • User: "sslvpngrp"
     Destination: Set Address to "all".
     Schedule: Select "always".
     Service: Select "ALL".
     Action: Select "ACCEPT".
     NAT: Click the button to enable NAT.
     IP Pool Configuration: Select "Use Outgoing Interface Address".
     Enable this policy: Click the button to enable the policy.

  3. Make the other selections as desired.
  4. Click OK to confirm the policy configuration.

To configure an SSL VPN firewall policy for the Internet from the Console:
config firewall policy
    edit 1
        set name "ssl-to-internet"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "sslvpngrp"
        set action accept
        set schedule "always"
        set service "ALL"
        # same as the GUI NAT toggle; with no IP pool set, the outgoing interface address is used
        set nat enable
    next
end

Configure an internal network firewall policy

To configure an SSL VPN firewall policy for your internal network from the GUI:
  1. From the main menu, select Policy & Objects > IPv4 Policy.
  2. Select Create New, and make the required selections as shown in the following table.

     Parameter: Description and Example

     Name: Specify a unique name that identifies the purpose of the policy, e.g., "ssl-to-lan".
     Incoming Interface: Select the interface for incoming traffic, e.g., "SSL-VPN tunnel interface (ssl.root)".
     Outgoing Interface: Select the interface for outgoing traffic, e.g., "port2".
     Source: Make the following selections:
       • Address: "all"
       • User: "sslvpngrp"
     Destination: Set Address to "local-lan".
     Schedule: Select "always".
     Service: Select "ALL".
     Action: Select "ACCEPT".
     NAT: Click the button to enable NAT.
     IP Pool Configuration: Select "Use Outgoing Interface Address".
     Enable this policy: Click the button to enable the policy.

  3. Make the other selections as desired.
  4. Click OK to confirm the policy configuration.

To configure an SSL VPN firewall policy for your internal network from the Console:
config firewall policy
    # use a policy ID that is not already taken; "edit 1" here would overwrite the Internet policy
    edit 2
        set name "ssl-to-lan"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "local-lan"
        set groups "sslvpngrp"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
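Before pushing a policy set like the two above to a FortiGate, it is worth checking it mechanically. The following Python audit is an added example, not Fortinet's code: it parses a "config firewall policy" block as pasted from the console and flags ssl.root policies that reuse an edit ID, name no user group, or reach an "all" destination without NAT. The config it reads is constructed to reproduce those three slips.

```python
import re

# Constructed sample modelled on this page's two console blocks, trimmed to the
# attributes the checks need: both use 'edit 1' and the LAN policy names no group.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "ssl-to-internet"
        set srcintf "ssl.root"
        set dstaddr "all"
        set groups "sslvpngrp"
    next
    edit 1
        set name "ssl-to-lan"
        set srcintf "ssl.root"
        set dstaddr "local-lan"
    next
end
"""

def parse_policies(text):
    """Return one dict per 'edit N' block, keyed by the 'set' attribute names."""
    policies, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        match = re.fullmatch(r"edit (\d+)", line)
        if match:
            current = {"id": match.group(1)}
            policies.append(current)
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip().strip('"')  # "sslvpngrp" -> sslvpngrp
    return policies

def audit_sslvpn_policies(text):
    """Flag ssl.root policies that are duplicated, unscoped, or un-NATed."""
    findings, seen = [], set()
    for p in parse_policies(text):
        pid, name = p["id"], p.get("name", "?")
        if pid in seen:  # a second 'edit 1' overwrites the first policy
            findings.append(f"{name}: duplicate policy ID {pid}")
        seen.add(pid)
        if p.get("srcintf") == "ssl.root":  # only SSL-VPN tunnel policies
            if "groups" not in p and "users" not in p:
                findings.append(f"{name}: no user/group, any SSL-VPN user matches")
            if p.get("dstaddr") == "all" and p.get("nat") != "enable":
                findings.append(f"{name}: Internet-bound policy without NAT")
    return findings
```

Run audit_sslvpn_policies() over a "show firewall policy" dump to catch the same slips in an existing configuration.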

The image below shows the two firewall policies we've just created.
