
Remote Access SSL VPN Default Gateway

Problem: I need to route all traffic from Android devices through the SSL VPN (using openvpn client currently). 

What's configured: I have basic SSL VPN settings configured. I have a firewall rule allowing anything going to the WAN, and there is a default NAT policy NATing to the WAN interface. On the SSL profile, "Use as default gateway" is checked. The permitted network resources section is where I'm getting hung up, kind of. 

This appears to be needed, as even though "Use as default gateway" is checked, if I don't have a range or subnets in here, there is no connectivity to resources. Once I put them in, I can connect (tried with internal resources).

Now, when it comes to the internet traffic, I need a 0.0.0.0/0 subnet, but the firewall doesn't allow the creation of such a subnet. The pre-built public IPv4 group is not selectable in the VPN config settings. It only allows IPs and networks (no ranges, FQDNs, etc.).

How can I accomplish sending all traffic through the VPN? This wasn't a problem in earlier versions. I'm on the latest firmware, 19.5.1 MR-1 Build 278. 

My only option is to do one subnet 128.0.0.0/1 (which allows the creation and covers 128.0.0.0-255.255.255.254) and then create 127 networks with /8s starting with 1.0.0.0 (for some odd reason this version of the firewall doesn't allow easy creation of networks, nor making them selectable in the SSL VPN settings). 

Any help is appreciated. Thank you!
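The route set proposed above (128.0.0.0/1 plus 127 separate /8s) can be checked mechanically before it is pushed to clients. The following is an added example, not code from the thread or from Sophos: it uses only Python's standard `ipaddress` module to report which parts of IPv4 space a list of CIDR routes leaves uncovered, and, given a list of networks the firewall will not let you create, the smallest set of prefixes that covers everything else. The route lists and the `cover_without` helper are constructed for illustration.

```python
import ipaddress

# Everything a "default gateway" push is supposed to reach.
IPV4_ALL = ipaddress.ip_network("0.0.0.0/0")


def uncovered(routes):
    """Return, as sorted CIDR strings, the parts of 0.0.0.0/0 that `routes`
    do not cover. CIDR blocks are either nested or disjoint, so each
    route either swallows a remaining block, carves a hole in it, or
    leaves it alone."""
    remaining = [IPV4_ALL]
    for route in (ipaddress.ip_network(r) for r in routes):
        nxt = []
        for block in remaining:
            if block.subnet_of(route):
                continue                      # block fully covered
            if route.subnet_of(block):
                nxt.extend(block.address_exclude(route))  # punch a hole
            else:
                nxt.append(block)             # disjoint, keep as is
        remaining = nxt
    return [str(n) for n in sorted(remaining)]


def cover_without(blocked):
    """Smallest set of prefixes that covers all of IPv4 except `blocked`.
    Constructed helper: useful when the firewall refuses 0.0.0.0/0 itself
    but accepts any narrower prefix."""
    return uncovered(blocked)


# Constructed route sets for the scenarios discussed in the thread.
two_halves = ["0.0.0.0/1", "128.0.0.0/1"]
posters_plan = ["128.0.0.0/1"] + [f"{i}.0.0.0/8" for i in range(1, 128)]

if __name__ == "__main__":
    print("two /1s leave uncovered:", uncovered(two_halves))
    print("poster's plan leaves uncovered:", uncovered(posters_plan))
    # If only 127.0.0.0/8 must be left out, eight prefixes suffice.
    print("cover all but loopback:", cover_without(["127.0.0.0/8"]))
```

The first check shows that two /1 prefixes already cover the whole address space (this is exactly what OpenVPN's `redirect-gateway def1` pushes). The second shows that the 128-entry plan only leaves 0.0.0.0/8 out, which is not routable anyway, so the much shorter two-prefix list gives the same effective result and is far easier to audit in the firewall rule set.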



  • Hello,

    Thank you for reaching out to the community. The option under the SSL VPN policy, "Use as default gateway", is to send remote access users' internet traffic through the firewall. You must also select the permitted network resources if you want remote users to access these internal resources. 

    If you turn on the default gateway setting, the firewall's rules and protection policies apply to the remote users' internet traffic. So, configure a firewall rule with the source zone set to VPN and the destination zone set to Any to allow traffic to the internet and the permitted resources.

    You can also set the source networks to the system hosts ##ALL_SSLVPN_RW and ##ALL_SSLVPN_RW6.
     
    Now, under the Global SSL VPN settings, the firewall leases IP addresses to SSL VPN clients from the network you specify. You can only select an IPv4 subnet up to /24. For example, you can't select /25 and smaller subnets.

    Here's an example:

    The firewall leases IP addresses to remote access SSL VPN users from the network you configure.

    When you migrate to 19.5 and later, the firewall converts the IP range and subnet mask configured in 18.5.x and earlier versions to the subnet value.

    However, if you've added a custom IP host for the lease range to the corresponding firewall rules, the host's lease range may not match the migrated subnet. So, traffic may not flow through the remote access SSL VPN connections after you migrate.


    If you change these IPv4 and IPv6 address settings, and you've assigned static SSL VPN IP addresses to users, make sure the static addresses are within the updated static range.

    If traffic doesn't flow through remote access SSL VPN connections after you migrate to version 19.5, you may have added custom hosts for the leased IP addresses to the corresponding firewall rules.

    Select the system host ##ALL_SSLVPN_RW (and ##ALL_SSLVPN_RW6 if required) instead.

    The firewall automatically applies the conversion from IP range to network for these system hosts because it dynamically adds the leased IP addresses to these system hosts when remote users establish connections.

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.
