
Is it possible to use a custom network zone for S2S IPSec VPN for device access

As the topic describes, I'd like to know if it is possible to use a custom zone for a site-to-site VPN connection over IPSec.

I'm asking to use this new Zone for the Local service ACL on the XG/S.

My goal is to allow HTTPS Webadmin and SSH access on the remote firewall only from the IPSec Site-2-Site Tunnel and not from SSL Remote Access VPN also configured on the remote firewall.

A workaround would be a deny rule for the SSL VPN network but the first approach would be more transparent.
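As an added illustration of the deny-rule workaround above (not code from the thread or from Sophos), the block below models the Local service ACL as a first-match rule table with constructed sample subnets for the IPsec site-to-site LAN and the SSL VPN client pool, and adds a check for a deny rule that is shadowed by an earlier, broader allow:

```python
import ipaddress

# Constructed sample addressing (assumption, not from the thread).
IPSEC_S2S_NET = ipaddress.ip_network("10.10.0.0/24")  # remote site LAN reached via the IPsec tunnel
SSLVPN_POOL = ipaddress.ip_network("10.81.234.0/24")  # SSL VPN remote-access client pool
ADMIN_PORTS = {443: "HTTPS WebAdmin", 22: "SSH"}

# Ordered ACL, first match wins. Both VPN types land in the same VPN zone,
# so the deny for the SSL VPN pool must sit above the allow for the tunnel.
WORKAROUND_ACL = [
    ("deny", SSLVPN_POOL, set(ADMIN_PORTS)),
    ("allow", IPSEC_S2S_NET, set(ADMIN_PORTS)),
]

# Mis-ordered variant: the allow covers a /8 that also contains the SSL VPN
# pool, so the deny beneath it is shadowed and never matches.
SHADOWED_ACL = [
    ("allow", ipaddress.ip_network("10.0.0.0/8"), set(ADMIN_PORTS)),
    ("deny", SSLVPN_POOL, set(ADMIN_PORTS)),
]


def evaluate(src_ip: str, dst_port: int, acl=WORKAROUND_ACL) -> str:
    """Return 'allow' or 'deny' for an admin-service connection attempt.
    Anything not explicitly allowed is denied (implicit default deny)."""
    src = ipaddress.ip_address(src_ip)
    for action, net, ports in acl:
        if src in net and dst_port in ports:
            return action
    return "deny"


def shadowed_rules(acl) -> list:
    """Return indexes of deny rules fully covered by an earlier allow on the
    same ports; such rules never match and silently weaken the policy."""
    shadowed = []
    for i, (action, net, ports) in enumerate(acl):
        if action != "deny":
            continue
        for _, earlier_net, earlier_ports in (r for r in acl[:i] if r[0] == "allow"):
            if net.subnet_of(earlier_net) and ports <= earlier_ports:
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    for ip in ("10.10.0.25", "10.81.234.7", "192.0.2.9"):
        print(ip, evaluate(ip, 443), evaluate(ip, 22))
    print("shadowed deny rules:", shadowed_rules(SHADOWED_ACL))
```

Running the shadowing check against an exported rule set is the quick way to confirm the deny still takes effect after someone later adds a broad allow above it.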



  • Adding to the conversation - I have a few different types of "VPN" - one set for CORE business traffic links and other sets for 3rd parties.  The problem then is that I have to build out an ACL for every single VPN and spell out all traffic.  I don't mind this from a security perspective for 3rd party traffic, but for the CORE type traffic I need any to any connectivity - and I can't efficiently build that quickly without a different zone if that makes sense.

  • You can work around this with matched user-based firewall rules. As you have authentication within the SSL VPN/IPsec remote access, you can allow this traffic based on users/groups.


  • This is for Site to Site VPNs, unfortunately we're not to the point of "user" identification or groups within this instance.  Doing network based ACLs over-complicates things if we could just have a separate zone for VPNs that fit a certain criteria.