Configure Policies to Filter IPSec Mobile VPN Traffic
In a default configuration, Mobile VPN with IPSec users have full access to Firebox resources through the Any Mobile VPN with IPSec policy. The Any policy allows traffic on all ports and protocols between the Mobile VPN user and the network resources available through the Mobile VPN tunnel. To restrict VPN user traffic by port and protocol, delete the Any policy on the Mobile VPN with IPSec tab and replace it with policies that restrict access.
In a Mobile VPN with IPSec policy, the Policy tab has these properties, which differ from the properties of a Firewall policy:
- Group — The name of a Mobile VPN with IPSec group that is the source of traffic for this policy.
- Allowed Resources — The list of network resources the policy allows access to. The Allowed Resources you specify must be all, or a subset of, the Allowed Resources that are specified in the Mobile VPN with IPSec configuration for the group. By default, IPSec policies include all resources in the Mobile VPN with IPSec configuration.
The Advanced tab includes only the advanced settings that apply to VPN traffic.
Most other policy properties are the same as for a Firewall policy. For more information, see About Policy Properties.
Edit a Mobile VPN with IPSec Policy
When you create a Mobile VPN with IPSec profile, Fireware automatically creates a Mobile VPN with IPSec Any policy that allows all traffic from users in the group to the resources available through the tunnel. You can also specify individual users in the policy. Any additional Mobile VPN with IPSec policies you create are also associated with a Mobile VPN group.
If you edit the Mobile VPN with IPSec group profile to change the resources accessible through the tunnel, the Allowed Resources in the policies for that group are not updated automatically. To update the Allowed Resources list, you must edit each policy for that group.
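The two constraints above (a policy's Allowed Resources must be all, or a subset of, the group's Allowed Resources, and they do not follow a group profile edit automatically) are easy to lose track of once a group has several policies. The following script is an added example, not WatchGuard code and not the Firebox configuration format: it models groups and policies as plain Python dictionaries with constructed sample data, checks each policy resource for containment in a group resource with the standard `ipaddress` module, and reports policies that are stale after a group edit or that still allow all ports.

```python
"""Audit Mobile VPN with IPSec policies against their group's Allowed Resources.

Added example. The data model (GROUPS, POLICIES, the "ports" field) is a
constructed simplification, not the Fireware configuration schema.
"""
import ipaddress
from typing import Dict, List, Tuple


def _net(resource: str) -> ipaddress._BaseNetwork:
    # Accept host addresses and CIDR blocks; a bare host becomes a /32 or /128.
    return ipaddress.ip_network(resource, strict=False)


def find_disallowed(policy_resources: List[str], group_resources: List[str]) -> List[str]:
    """Return the policy resources not contained in any group resource.

    A policy resource is allowed only if it is a subnet of (or equal to) one of
    the group's Allowed Resources. Mixed IPv4/IPv6 pairs are never contained.
    """
    group_nets = [_net(g) for g in group_resources]
    disallowed = []
    for resource in policy_resources:
        rnet = _net(resource)
        covered = any(
            rnet.version == gnet.version and rnet.subnet_of(gnet) for gnet in group_nets
        )
        if not covered:
            disallowed.append(resource)
    return disallowed


def audit(groups: Dict[str, List[str]], policies: List[dict]) -> List[Tuple[str, str, List[str]]]:
    """Return (policy name, finding, details) tuples.

    Findings:
      unknown-group  - the policy references a group that no longer exists
      outside-group  - Allowed Resources wider than, or missing from, the group
                       (typically a policy left stale after a group edit)
      any-ports      - the policy still permits all ports and protocols
    """
    findings = []
    for policy in policies:
        group_resources = groups.get(policy["group"])
        if group_resources is None:
            findings.append((policy["name"], "unknown-group", [policy["group"]]))
            continue
        extra = find_disallowed(policy["resources"], group_resources)
        if extra:
            findings.append((policy["name"], "outside-group", extra))
        if policy.get("ports") == "any":
            findings.append((policy["name"], "any-ports", []))
    return findings


# Constructed sample data: one group whose profile was edited to drop 10.0.30.0/24.
GROUPS = {"IPSec-Users": ["10.0.10.0/24", "10.0.20.5/32"]}
POLICIES = [
    {"name": "IPSec-Users-Any", "group": "IPSec-Users",
     "resources": ["10.0.10.0/24", "10.0.20.5/32"], "ports": "any"},
    {"name": "IPSec-Users-RDP", "group": "IPSec-Users",
     "resources": ["10.0.10.50/32"], "ports": "tcp/3389"},
    {"name": "IPSec-Users-Web", "group": "IPSec-Users",
     "resources": ["10.0.30.0/24"], "ports": "tcp/443"},  # stale after the group edit
]

if __name__ == "__main__":
    for name, finding, details in audit(GROUPS, POLICIES):
        print(f"{name}: {finding} {details}")
```

Run against a real configuration, the `outside-group` findings are the policies to open and fix with Copy from Group, and `any-ports` lists the policies still to replace with port-restricted ones.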
- Select Firewall > Mobile VPN IPSec Policies.
- Click the Policy Name of the Any policy associated with the Mobile VPN with IPSec group.
The policy name is the group name followed by -Any. For example, IPSec-Users-Any.
- On the Settings tab, edit the Allowed Resources list for the policy.
- To add a new resource, click Add.
- To remove a resource, select the resource and click Remove.
- To copy the allowed resources from the Mobile VPN with IPSec group configuration to the Allowed Resources list, click Copy from Group.
- (Fireware v12.0.1 and higher) To edit the users in the group, or to select specific users that you want this policy to apply to, select the Users tab.
You can only select users on the authentication server specified in the Mobile VPN group.
- Update other policy properties as described in About Policy Properties.
- Save your changes.
- Select the Mobile VPN with IPSec tab.
- Double-click the Any policy for the Mobile VPN with IPSec group.
The policy name is the group name followed by -Any. For example, IPSec VPN group-Any.
- To edit the Mobile VPN with IPSec configuration for the group, adjacent to the Group text box, click .
- Edit the Allowed Resources list for the policy.
- To add a new resource, click Add.
- To remove a resource, select the resource and click Remove.
- To copy the allowed resources from the Mobile VPN with IPSec group configuration to the Allowed Resources list, click Copy from Group.
- To edit the users in the group, or to select specific users that you want this policy to apply to, select the Users tab.
You can only select users on the authentication server specified in the Mobile VPN group.
- Configure the other policy properties as described in About Policy Properties.
- Save the configuration file to the Firebox.
Add a Policy
The default IPSec policy is an Any policy. You can use Policy Manager to add other types of policies for Mobile VPN traffic.
- Select Firewall > Mobile VPN IPSec Policies.
- Click Add Policy.
- From the Select a group drop-down list, select the Mobile VPN group for this policy.
- Select Packet Filter, Proxies, or Custom.
- From the adjacent drop-down list, select the policy type.
- Click Add Policy.
- Edit the Allowed Resources list as appropriate for this policy.
- To add a new resource, click Add.
- To remove a resource, select the resource and click Remove.
- To copy the allowed resources from the Mobile VPN with IPSec group configuration to the Allowed Resources list, click Copy from Group.
- (Fireware v12.0.1 and higher) To edit the users in the group, or to select specific users that you want this policy to apply to, select the Users tab.
You can only select users on the authentication server specified in the Mobile VPN group.
- Configure the other policy properties as described in About Policy Properties.
- Save your configuration to the Firebox.
- Select the Mobile VPN with IPSec tab.
- Click .
Or, select Edit > Add Policy.
The Select Mobile VPN with IPSec Group dialog box appears.
- Select a Mobile VPN with IPSec group, and click OK.
The Add Policies dialog box appears.
- Expand the Packet Filters or Proxies folder.
A list of templates for packet filters or proxies appears.
- Select a policy template and click Add.
- On the Policy tab, edit the Allowed Resources list for the policy.
- To add a new resource, click Add.
- To remove a resource, select the resource and click Remove.
- To copy the allowed resources from the Mobile VPN with IPSec group configuration to the Allowed Resources list, click Copy from Group.
- To edit the users in the group, or to select specific users that you want this policy to apply to, click Specify Users.
You can only select users on the authentication server specified in the Mobile VPN group.
- Configure other policy properties as described in About Policy Properties.
- Save your configuration file to the Firebox.
Change the Policy List View
In Policy Manager, you can choose to see the policy list as large icons or as a detailed list.
- To see large icons and no details, in Policy Manager select View > Large Icons.
- To see more information in a detailed list, select View > Details.
When you choose the Details view, in the MVPN Group column, the authentication server for the Mobile VPN group appears in parentheses.