Add a remote access SSL VPN policy

You can configure remote access SSL VPN policies to allow users and groups to access the permitted network resources. You can also require their internet traffic to flow through the firewall.

The gateway, client addresses, and other settings are based on SSL VPN global settings.

  1. Go to Remote access VPN > SSL VPN and click Add.
  2. Enter a name.
  3. For Policy members, select the preconfigured users and groups.

    Guest users don't have access to remote access IPsec and SSL VPNs, so you can't add guest users or guest groups as policy members.

  4. Turn on Use as default gateway to send remote access users' internet traffic through the firewall.

    Tip

    You must also select the permitted network resources if you want remote users to access these internal resources.

    Note

    If you turn on the default gateway setting, the firewall's rules and protection policies apply to the remote users' internet traffic. So, configure a firewall rule with the source zone set to VPN and the destination zone set to Any to allow traffic to the internet and the permitted resources.

    You can also set the source networks to the system hosts ##ALL_SSLVPN_RW and ##ALL_SSLVPN_RW6.

  5. For Permitted network resources, select the internal networks you want the policy's remote access users to access.

  6. (Optional) Select Disconnect idle clients if you want the firewall to disconnect clients whose sessions have been idle for a set time.
  7. (Optional) For Override global timeout, enter the time in minutes.

    Note

    This time-out value only applies if it's lower than the idle peer value in SSL VPN global settings. If you specify a higher value, the global settings' value applies.
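The two points above that are easy to get wrong, the firewall rule required when Use as default gateway is on and the override timeout that is silently ignored when it isn't lower than the global idle peer value, can be checked before a policy goes live. The following is an added example, not the firewall's own code or export format: the dict layout for policies and rules is a constructed model, and a rule with no source_networks key is assumed to mean "Any".

```python
# Added example: sanity-check a remote access SSL VPN policy against the
# firewall rules and global settings described on this page. The dict
# layout is a constructed model, not the firewall's export format or API.

VPN_ZONE = "VPN"
SSLVPN_HOSTS = {"##ALL_SSLVPN_RW", "##ALL_SSLVPN_RW6"}


def effective_idle_timeout(override_minutes, global_idle_peer_minutes):
    """Idle timeout that actually applies: the per-policy override only
    takes effect when it is lower than the global idle peer value."""
    if override_minutes is not None and override_minutes < global_idle_peer_minutes:
        return override_minutes
    return global_idle_peer_minutes


def rule_covers_remote_users(rule):
    """True if an accept rule matches SSL VPN client traffic to any destination
    (source zone VPN, destination zone Any, source networks Any or the
    ##ALL_SSLVPN_RW / ##ALL_SSLVPN_RW6 system hosts)."""
    nets = set(rule.get("source_networks", ["Any"]))  # assumption: missing key means Any
    nets_ok = nets == {"Any"} or bool(nets & SSLVPN_HOSTS)
    return (rule["action"] == "accept"
            and rule["source_zone"] == VPN_ZONE
            and rule["destination_zone"] == "Any"
            and nets_ok)


def check_policy(policy, firewall_rules, global_idle_peer_minutes):
    """Return a list of findings (empty means nothing to fix)."""
    findings = []
    if not policy["members"]:
        findings.append("no users or groups assigned")
    if policy["use_as_default_gateway"]:
        if not any(rule_covers_remote_users(r) for r in firewall_rules):
            findings.append("default gateway is on but no accept rule from zone VPN to Any exists")
        if not policy["permitted_networks"]:
            findings.append("default gateway is on but no permitted network resources are selected")
    override = policy.get("override_global_timeout")
    if override is not None and override >= global_idle_peer_minutes:
        findings.append(f"override of {override} min is not lower than the global idle peer "
                        f"value ({global_idle_peer_minutes} min), so the global value applies")
    return findings


# Constructed sample data: the rule only reaches LAN, and the override is too high.
SAMPLE_POLICY = {"name": "Remote staff", "members": ["staff-group"],
                 "use_as_default_gateway": True, "permitted_networks": ["10.10.0.0/24"],
                 "override_global_timeout": 30}
SAMPLE_RULES = [{"source_zone": "VPN", "destination_zone": "LAN", "action": "accept"}]

if __name__ == "__main__":
    for finding in check_policy(SAMPLE_POLICY, SAMPLE_RULES, global_idle_peer_minutes=15):
        print("finding:", finding)
```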

Next steps: Go to Administration > Device access and make sure you've selected the WAN zone for SSL VPN, and the LAN and WAN zones for the user portal, so that users can download the configuration file. See Configure remote access SSL VPN as a split tunnel.

We recommend that you turn off access to the user portal from WAN after users download the file.