Identity-Based Firewall (IBF) setup for SSL VPN
Last adaptation to the version: 12.6.0
New:
- Updated to Redesign of the webinterface
This article refers to a Resellerpreview
Introduction
Firewall rules always apply to network objects.
To apply firewall rules to members of an SSL VPN group, they are created under as individual hosts or networks with IP addresses as Network Objects and then merged into network groups .
Alternatively, it is possible to automatically create network objects based on user groups and thus use identity-based port filtering rules.
If users are authenticated through an AD or LDAP, the administrative effort is significantly reduced.
For the internal services (such as DNS), the transfer network must be created and the packet filter rules written from there.
Configuration on the UTM
Configure group
This is done under Area Groups.
Either a new group is created or an existing group is edited .
Either a new group is created or an existing group is edited .
Permissions Permissions
| |||
| Caption | Value | Description | UTMuser@firewall.name.fqdnAuthenticationUser  Add group - edit permissions
|
|---|---|---|---|
| Group name: | Road-Warrior | Enter a descriptive name | |
| Userinterface | On | Should be enabled, otherwise the user will not be able to download SSL VPN client or view his emails in the quarantine. | |
| SSL-VPN | On | Should be enabled. Requires "user interface" permissions for client download | |
SSL-VPN
SSL-VPN
This is where to configure settings for the SSL VPN for an entire group.
All users share the same certificate when using the group settings!
SSL VPN settings of individual users override the group settings.
| Caption: | Value | Description: | UTMuser@firewall.name.fqdnAuthenticationUser  SSL VPN group settings
|
|---|---|---|---|
| Client downloadable in the user interface: | No | If enabled, the VPN client can be downloaded in the user interface | |
| SSL VPN connection: | RW-Securepoint | Select the preferred connection (created under ) | |
| Client certificate: | cs-sslvpn-rw(1) | Select the certificate for this group (created under Area Certificates) It is also possible to use ACME certificates. | |
| Remote Gateway: | 192.168.175.1 | IP address of the gateway on which the SSL VPN clients dial in. Free input or selection via drop-down menu. | |
| Redirect Gateway: | Off | Requests to destinations outside the local network (and thus also the VPN) are usually routed directly to the Internet by the VPN user's gateway. When the On button is activated, the local gateway is redirected to the UTM. This way, these packets also benefit from the protection of the UTM. This setting changes the configuration file for the VPN client. | |
| Use in packet filter: | No | By enabling Yes this option, rules for this group can be created in the packet filter. This can be used to control access for users who are members of this group connected via SSL VPN. | |
Create packetfilter rule
A rule in the packetfilter is created under with Button
| Caption | Value | Description | UTMuser@firewall.name.fqdnFirewallPacketfilter  Packetfilter rule
|
|---|---|---|---|
| Active: | On | Activates/deactivates the rule | |
| Source: |  Road-Warrior |
Here, the previously created SSL VPN group can now be selected directly as a network object | |
| Destination: |  internal-networks |
The destination network object can be selected here | |
| Service: |  ssl-vpn |
Selecting the required service or a service group | |
| Action: | Access shall be granted | ||
Save and close |
Add rule and close the dialog | ||
Result
The created packetfilter is now effective for all users who are in the Roadwarrior group.
Packet filter rule for internal services of the firewall
notempty
Packet filter rules based on firewall user groups(IBF) do not work on internal services of the firewall.
If a service is required that is provided by an 
interface network object (e.g. DNS or, as in the following example, the proxy), another filter rule is required with the network object of the transfer network.
Another rule is created in the port filter under Button
Create network object
Create network object for the transfer network under Button
| Caption | Value | Description | UTMuser@firewall.name.fqdnFirwallNetwork objects  Network object for the transfer network
|
|---|---|---|---|
| Name: | SSL VPN transfer network | Descriptive name for the network object | |
| Type: | Type of network object | ||
| Address: | The network IP that was set when the SSL VPN connection was established | ||
| Zone: | If the transfer network IP is known and correct, the zone is automatically assigned correctly | ||
| Group: | The network object can be directly assigned to a group | ||
Create packetfilter rule
If a service is required that is provided by an 
interface network object (e.g. DNS or, as in the following example, the proxy), another filter rule is required with the network object of the transfer network.
Another rule is created in the port filter under Button
interface network object (e.g. DNS or, as in the following example, the proxy), another filter rule is required with the network object of the transfer network.Another rule is created in the port filter under Button
General
| ||
| Source |  SSL VPN transfer network |
The network object just created |
| Destination | internal-interface |
Interface that is to provide the internal service |
| Service | proxy |
Required service of the interface |
Result
With this additional rule, internal services of the firewall can also be used.