Configure Policies to Filter IPSec Mobile VPN Traffic

In a default configuration, Mobile VPN with IPSec users have full access to resources behind the Firebox through the Any Mobile VPN with IPSec policy. That policy allows traffic on all ports and protocols between the Mobile VPN user and the network resources available through the Mobile VPN tunnel. To restrict VPN user traffic by port and protocol, delete the Any policy on the Mobile VPN with IPSec tab and replace it with policies that allow only the traffic each group needs.

In a Mobile VPN with IPSec policy, the Policy tab has these properties, which differ from the properties of a Firewall policy:

  • Group — The name of a Mobile VPN with IPSec group that is the source of traffic for this policy.
  • Allowed Resources — The list of network resources the policy allows access to. The Allowed Resources you specify must be all, or a subset of, the Allowed Resources that are specified in the Mobile VPN with IPSec configuration for the group. By default, IPSec policies include all resources in the Mobile VPN with IPSec configuration.

The Advanced tab includes only the advanced settings that apply to VPN traffic.

Most other policy properties are the same as for a Firewall policy. For more information, see About Policy Properties.

Edit a Mobile VPN with IPSec Policy

When you create a Mobile VPN with IPSec profile, Fireware automatically creates a Mobile VPN with IPSec Any policy that allows all traffic from users in the group to the resources available through the tunnel. You can also specify individual users in the policy. Any additional Mobile VPN with IPSec policies you create are also associated with a Mobile VPN group.

If you edit the Mobile VPN with IPSec group profile to change the resources accessible through the tunnel, the Allowed Resources in the policies for that group are not updated automatically; each policy keeps the list it had when it was last saved. To update the Allowed Resources list, you must edit each policy for that group.
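The two constraints above, that a policy's Allowed Resources must be a subset of the group's Allowed Resources and that the policy list is not refreshed when the group profile changes, are easy to check offline if you keep a record of both. The script below is an added example, not part of this page or of Fireware; it models groups and policies as constructed Python objects (there is no claim that this matches the Firebox configuration format) and audits each policy for resources that fall outside its group's current profile and for an Any-style policy that still allows all ports and protocols.

```python
"""Audit Mobile VPN with IPSec policies against their group profiles.

Constructed model for illustration only; the IpsecGroup and IpsecPolicy
classes and the sample data below are assumptions, not Fireware's config format.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class IpsecGroup:
    name: str
    allowed_resources: List[str]  # CIDRs currently set on the group profile


@dataclass
class IpsecPolicy:
    name: str
    group: str                    # Mobile VPN with IPSec group (traffic source)
    allowed_resources: List[str]  # CIDRs on the policy's Policy tab
    ports: List[str] = field(default_factory=lambda: ["any"])  # "any" = Any policy


def _net(cidr: str) -> ipaddress._BaseNetwork:
    # strict=False tolerates host bits set (e.g. 10.0.1.5/24)
    return ipaddress.ip_network(cidr, strict=False)


def is_covered(resource: str, group_resources: List[str]) -> bool:
    """True if `resource` lies entirely inside at least one group resource."""
    r = _net(resource)
    for g in group_resources:
        gn = _net(g)
        # subnet_of raises TypeError across IPv4/IPv6, so compare versions first
        if gn.version == r.version and r.subnet_of(gn):
            return True
    return False


def uncovered_resources(policy: IpsecPolicy, group: IpsecGroup) -> List[str]:
    """Policy resources that the group profile no longer (or never did) allow."""
    return [r for r in policy.allowed_resources
            if not is_covered(r, group.allowed_resources)]


def audit(groups: List[IpsecGroup], policies: List[IpsecPolicy]) -> Dict[str, List[str]]:
    """Return {policy name: [issues]} for every policy that needs attention."""
    by_name = {g.name: g for g in groups}
    findings: Dict[str, List[str]] = {}
    for p in policies:
        issues: List[str] = []
        g = by_name.get(p.group)
        if g is None:
            issues.append(f"group {p.group!r} not found")
        else:
            stale = uncovered_resources(p, g)
            if stale:
                issues.append(f"resources outside group profile: {stale}")
        if p.ports == ["any"]:
            issues.append("allows all ports and protocols (Any policy)")
        if issues:
            findings[p.name] = issues
    return findings


# Constructed sample: the Sales profile was narrowed from 10.0.0.0/16 to
# 10.0.10.0/24, but the auto-created Any policy still carries the old list.
SAMPLE_GROUPS = [IpsecGroup("Sales", ["10.0.10.0/24"])]
SAMPLE_POLICIES = [
    IpsecPolicy("Any.Sales", "Sales", ["10.0.0.0/16"]),
    IpsecPolicy("RDP.Sales", "Sales", ["10.0.10.0/24"], ports=["tcp/3389"]),
]


def run_example() -> Dict[str, List[str]]:
    return audit(SAMPLE_GROUPS, SAMPLE_POLICIES)


if __name__ == "__main__":
    for name, issues in run_example().items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

In the sample, Any.Sales is reported twice: its Allowed Resources no longer fit inside the narrowed group profile, and it still permits every port and protocol. RDP.Sales is silent, which is the state you want after replacing the Any policy with per-service policies and re-editing each one whenever the group profile changes.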

Add a Policy

The default IPSec policy is an Any policy. You can use Policy Manager to add other types of policies for Mobile VPN traffic.

Change the Policy List View

In Policy Manager, you can choose to view the policy list as large icons or as a detailed list.

  • To view large icons and no details, in Policy Manager select View > Large Icons.
  • To view more information in a detailed list, select View > Details.
    When you select the Details view, in the MVPN Group column, the authentication server for the Mobile VPN group appears in parentheses.

See Also

Restrict Mobile VPN Access with Policies video tutorial (12 minutes)

Add Policies to Your Configuration

About Policies

About Proxy Actions