Skip to content

Add a remote access SSL VPN policy

You can configure remote access SSL VPN policies to allow users and groups to access the permitted network resources. You can also require their internet traffic to flow through the firewall.

The gateway, client addresses, and other settings are based on SSL VPN global settings.

  1. Go to Remote access VPN > SSL VPN and click Add.
  2. Click Configure manually.
  3. Enter a name.
  4. For Policy members, select the preconfigured users and groups.

    Guest users don't have access to remote access IPsec and SSL VPNs. So, you can't add guest users and guest groups.

  5. Turn on Use as default gateway to send remote access users' internet traffic through the firewall.


    You must also select the permitted network resources if you want remote users to access these internal resources.


    If you turn on the default gateway setting, the firewall's rules and protection policies apply to the remote users' internet traffic. So, configure a firewall rule with the source zone set to VPN and the destination zone set to Any to allow traffic to the internet and the permitted resources. You must also check if the default IPv4 SNAT rule or an SNAT rule to masquerade outbound traffic exists. If it doesn't, you must configure a linked NAT rule to translate the SSL VPN leased IP addresses to a publicly routable IP address. See Check the SNAT rule.

    You can also set the source networks to the system hosts ##ALL_SSLVPN_RW and ##ALL_SSLVPN_RW6.

  6. For Permitted network resources, select the internal networks you want the policy's remote access users to access.

    You can also select FQDNs for permitted IPv4 networks. VPN logs show the resolved IP addresses rather than the FQDNs.


    Dynamic IP address changes for FQDNs aren't automatically updated for SSL VPN tunnels. Remote users must manually disconnect and reconnect to access the permitted resource.

  7. (Optional) Select Disconnect idle clients if you want to set a specific time at which the firewall disconnects clients with idle sessions.

  8. (Optional) For Override global timeout, enter the time in minutes.


    This time-out value only applies if it's lower than the idle peer value in SSL VPN global settings. If you specify a higher value, the global settings' value applies.

Allow traffic

  1. Go to Administration > Device access.
  2. To allow traffic for the services from specific zones, make sure you select the following zones:

    1. SSL VPN: WAN
    2. VPN portal: LAN, WAN

      Users must download the configuration file from the VPN portal.

More resources