Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Policy-Based VPN Creation Using Address Objects and Protected Resources Overview


The policy-based VPN creation methods are as follows:

Configuring Address Objects

You must create address objects to represent your network components in the UI. For details on creating and configuring address objects, see the Network and Security Manager Administration Guide.

Configuring Protected Resources

You should determine your protected resources first to help you identify the devices you need to include in the VPN. After you know what you want to protect, you can use VPN Manager or manually configure your security devices to create the VPN. A protected resource object represents the network components (address objects) and services (service objects) you want to protect and the security device that protects them.

The address specifies secured destination, the service specifies the type of traffic to be tunneled, and the device specifies where the VPN terminates (typically an outgoing interface in untrust zone). In a VPN rule, protected resources are the source and destination IP addresses.

When creating protected resources:

  • To protect multiple network components that are accessible by the same security device, add the address objects that represent those network components to the protected resource object.

  • To protect a single network component that is accessible by multiple security devices, add multiple devices to the protected resource object. You must configure each device to be a part of the VPN.

  • To manage different services for the same network component, create multiple protected resource objects that use the same address object and security device but specify a different service object.

  • If you change the security device that protects a resource, NSM removes the previous security device from all affected VPNs and adds the new security device. However, NSM does not configure the VPN topology for the new security device—you must reconfigure the topology to include the new device manually.

For more details on creating protected resources, see the Network and Security Manager Administration Guide.