Configure Policies to Filter Mobile VPN Traffic

In a default configuration, Mobile VPN with IPSec users have full access to XTM device resources with the Any policy. The Any policy allows traffic on all ports and protocols between the Mobile VPN user and the network resources available through the Mobile VPN tunnel. To restrict VPN user traffic by port and protocol, you can delete the Any policy and replace it with policies that restrict access.

In an IPSec policy, the Policy tab has these properties, which are different than the properties of a firewall policy:

The Advanced tab includes only the advanced settings that apply to VPN traffic.

Most other policy properties are the same as described in About Policy Properties.

Edit a Mobile VPN with IPSec Policy

When you create a Mobile VPN with IPSec profile, Fireware XTM automatically creates a Mobile VPN with IPSec Any policy that allows all traffic from users in the group to the resources available through the tunnel. Any additional Mobile VPN with IPSec policies you create are also associated with a Mobile VPN group.

If you edit the Mobile VPN with IPSec group profile to change the resources accessible through the tunnel, the Allowed Resources in the policies for that group are not updated automatically. If you want to update the Allowed Resources list, you must edit the existing policy.

To edit a Mobile VPN with IPSec Any policy:

  1. Select Firewall > Mobile VPN Policies.
  2. Click the name of the Any policy associated with the Mobile VPN with IPSec group.
    The policy name is the group name followed by -Any.

  3. On the Settings tab, edit the Allowed Resources list for the policy.
    Click Copy from Group to copy the allowed resources from the Mobile VPN with IPSec group configuration.
  4. Update other policy properties as described in About Policy Properties.
  5. Save the configuration to the XTM device.

Add a Policy

The default IPSec policy is an Any policy. You can use Policy Manager to add other types of policies for mobile VPN traffic.

  1. Select Firewall > Mobile VPN Policies.
  2. Click Add Policy.
  3. In the Select a policy type section, select Packet Filter, Proxies, or Custom.
  4. From the adjacent drop-down list, select the policy type.
  5. From the Select a group drop-down list, select the Mobile VPN group for this policy.
  6. Click Add Policy.
  7. Edit the Allowed Resources list as appropriate for this policy.
    Click Copy from Group to copy the allowed resources from the Mobile VPN with IPSec group configuration.
  8. Configure other policy properties as described in About Policy Properties.
  9. Save your configuration to the XTM device.
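
The following is an added example, not part of the WatchGuard documentation. It checks for the two conditions described above: a default group-name-Any policy that is still in place, and Allowed Resources that no longer match the group profile after the profile was edited. The data layout, the function names, and the sample group and policies are hypothetical and constructed for illustration; this is not a Fireware export format, so transcribe the values from your own configuration.

```python
import ipaddress

def _nets(cidrs):
    # Parse CIDR strings; strict=False accepts host addresses such as 10.0.1.10/24.
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def _covered(net, by):
    # True if net lies inside at least one network in `by` (same IP version only).
    return any(net.version == b.version and net.subnet_of(b) for b in by)

def audit_group(group_name, group_resources, policies):
    """Return (finding, object, resource) tuples for one Mobile VPN group.

    group_resources: CIDRs allowed in the group profile (hypothetical layout).
    policies: list of {"name": str, "allowed_resources": [CIDR, ...]}.
    """
    findings = []
    group_nets = _nets(group_resources)
    policy_nets = []
    for p in policies:
        nets = _nets(p["allowed_resources"])
        policy_nets.extend(nets)
        # The default policy is named <group name>-Any and allows all ports/protocols.
        if p["name"] == f"{group_name}-Any":
            findings.append(("any-policy-present", p["name"], None))
        # Policy entries outside the group profile: the profile was changed
        # and the policy's Allowed Resources list was not updated.
        for n in nets:
            if not _covered(n, group_nets):
                findings.append(("policy-resource-not-in-group", p["name"], str(n)))
    # Group resources that no policy's Allowed Resources list includes.
    for g in group_nets:
        if not _covered(g, policy_nets):
            findings.append(("group-resource-without-policy", group_name, str(g)))
    return findings

if __name__ == "__main__":
    # Constructed sample: the group profile was edited (10.0.5.0/24 removed,
    # 10.0.20.0/24 added) but the policies were left as they were.
    group = ["10.0.1.0/24", "10.0.20.0/24"]
    policies = [
        {"name": "RemoteStaff-Any", "allowed_resources": ["10.0.1.0/24", "10.0.5.0/24"]},
        {"name": "RemoteStaff-RDP", "allowed_resources": ["10.0.1.10/32"]},
    ]
    for finding in audit_group("RemoteStaff", group, policies):
        print(finding)
```
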

See Also

Add Policies to Your Configuration

About Policies

About Proxy Actions
