Hello,
How is it possible to control IPsec remote access VPN on the XGS on a time basis, so that users can only establish a connection at certain times?
Thank you!
Added TAGs
[edited by: Erick Jan at 3:29 PM (GMT -7) on 4 Jul 2024]
Hi,
Thank you for reaching out to Sophos Community.
On the VPN firewall allow rule, have you tried to configure "During scheduled time"?
During scheduled time: Select a schedule or create one. Sophos Firewall matches the rule criteria during the time period and day of the week that you select.
For more reference, kindly check the following
Erick Jan
Community Support Engineer | Sophos Technical Support
IPsec Remote Access VPN supports Idle timeout where SFOS disconnects idle client tunnels after the specified time. Whenever traffic activity resumes on this tunnel, the tunnel re-establishes automatically.
Do it with a firewall rule and you will get the same outcome: the firewall rule based on users is only allowed in your time window.
So they can potentially build the VPN, but not reach anything.
To add a bit more detail to what Erick Jan and LuCar Toni said, see these screenshots for how we do it.
Rather than 'allowing' at certain times, we find it easier to add a timed block as the top/first firewall rule. This is easier than adding timed 'allows' for every firewall rule (if you have more than one) and reduces the chances of errors if you ever need to make changes.
We are using 'Match known users' because some people are allowed access at any time so we just block certain people outside work hours.
The effect of this rule is to block the named users at the 'VPN Access Block' scheduled times. If you want to block everybody at certain times, just don't use 'Match known users'.
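A simplified model of the timed block described in the reply above, as an added example that is not part of the original thread and is not Sophos code. It assumes top-down, first-match rule evaluation; the user names, the rule names and the hours in the 'VPN Access Block' schedule are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

@dataclass
class Window:
    days: set      # weekdays (Monday=0) on which the window starts
    start: time
    end: time      # end <= start means the window runs past midnight

    def active(self, ts: datetime) -> bool:
        d, t = ts.weekday(), ts.time()
        if self.start < self.end:
            return d in self.days and self.start <= t < self.end
        # Overnight: the evening part belongs to the start day,
        # the early-morning part to the day after it.
        return (d in self.days and t >= self.start) or \
               ((d - 1) % 7 in self.days and t < self.end)

@dataclass
class Rule:
    name: str
    action: str                        # "accept" or "drop"
    users: Optional[frozenset] = None  # None = any user
    schedule: Optional[list] = None    # None = all the time

    def matches(self, user: str, ts: datetime) -> bool:
        if self.users is not None and user not in self.users:
            return False
        return self.schedule is None or any(w.active(ts) for w in self.schedule)

def evaluate(rules, user, ts):
    """First matching rule wins; anything unmatched is dropped."""
    for rule in rules:
        if rule.matches(user, ts):
            return rule.action, rule.name
    return "drop", "default"

# Constructed schedule: 18:00-08:00 every night plus all of Saturday and Sunday.
# Starting the overnight window on Sunday too is what covers Monday 00:00-08:00.
VPN_ACCESS_BLOCK = [Window(set(range(7)), time(18), time(8)),
                    Window({5, 6}, time(0), time(0))]
RULES = [  # constructed rule set; the timed block sits first
    Rule("VPN timed block", "drop", frozenset({"alice", "bob"}), VPN_ACCESS_BLOCK),
    Rule("VPN to LAN", "accept"),
]

if __name__ == "__main__":
    for user, ts in [("alice", datetime(2024, 7, 4, 10)), ("alice", datetime(2024, 7, 4, 22)),
                     ("carol", datetime(2024, 7, 4, 22)), ("alice", datetime(2024, 7, 8, 3))]:
        print(user, ts, evaluate(RULES, user, ts))
```

Evaluating the same rules in reverse order lets the named users through at night, which is why the block has to be the first rule.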