Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Adding VPN Rules to a Security Policy Overview

 

To create a policy-based VPN or to add access policies to a route-based VPNs, you must add a VPN rule to a security policy for each device in the VPN.

Adding a VPN rule is a three-stage process:

Configuring the VPN

In security policies, select a predefined security policy (or create a policy), and add a VPN rule. Right-click in the Source Address, Destination Address, Action, or Install On column and select Configure VPN to display the Configure VPN dialog box.

  • Select the source security device that contains the termination interface for the VPN tunnel.

  • Select a VPN type:

    • For IKE VPNs, select the VPN that you configured on the device.

    • For L2TP VPNs, you must also select the L2TP tunnel that you configured on the device.

  • Select the protected resources for the VPN:

    • If both VPN termination points are security devices, choose the protected resources that represent the network components you want to protect. You can also select a predefined global MIP or VIP for the device.

    • If the source VPN termination point is a RAS user, select Source is Dialup and choose the protected resources behind the destination VPN termination point that represent the network components you want to protect on the remote network.

    • If the destination VPN termination point is a RAS user, select Destination is Dialup and choose the protected resources behind the source VPN termination point that represent the network components you want to protect on the local network.

Configuring the Security Policy

To configure the remaining columns for the VPN rule:

  • From Zone—Select the zone on the source VPN member that contains the termination interface for the VPN tunnel.

  • To Zone—Select the zone on the destination VPN member that contains the termination interface for the VPN tunnel.

  • Service column—Select the services you want to permit in the VPN tunnel.

You do not need to configure the action—NSM automatically defines the action as tunnel. You can also configure traffic shaping, options, authentication, antivirus, or attack protection for the VPN rule. For details on configuring these rule options, see the Network and Security Manager Administration Guide.

To deny a host, use a deny rule before the VPN rule.

Assigning and Installing the Security Policy

You must assign the security policy to each VPN member and install the security policy on those devices before the VPN is active.