Identity-Based Firewall (IBF) setup for SSL VPN
Last adaptation to the version: 12.6.0
New: Updated to the redesign of the web interface
This article refers to a Resellerpreview

10.2022 11.8

Access: UTM-IP:Port or UTM-URL:Port
Port as configured under Network / Appliance Settings / Webserver
Default port: 11115
e.g.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115

Firewall

Introduction

Firewall rules always apply to network objects.
To apply firewall rules to the members of an SSL VPN group, the members would normally be created under Firewall / Network Objects as individual hosts or networks with fixed IP addresses and then combined into network groups.

Alternatively, network objects can be created automatically from user groups, so that identity-based packet filter rules can be used.
If users are authenticated via AD or LDAP, this significantly reduces the administrative effort.

Note: Packet filter rules based on firewall user groups (Identity-Based Firewall) do not work for internal services of the firewall.
For internal services (such as DNS), a network object for the transfer network must be created and the packet filter rules written with that object as source (see the section on internal services below).

Configuration on the UTM

Configure group

This is done under Authentication / User in the Groups area.
Either a new group is created with Add group, or an existing group is edited.

Permissions

Screenshot: Add group - edit permissions

Caption          Value          Description
Group name       Road-Warrior   Enter a descriptive name
User interface   On             Should be enabled; otherwise the user cannot download the SSL VPN client or view their e-mails in the quarantine.
SSL-VPN          On             Should be enabled. Requires the "User interface" permission for the client download.


SSL-VPN

Here the SSL VPN settings for an entire group are configured.
All users share the same certificate when the group settings are used!
The SSL VPN settings of individual users override the group settings.

Screenshot: SSL VPN group settings

Caption                                     Value             Description
Client downloadable in the user interface   No                If enabled, the VPN client can be downloaded in the user interface
SSL VPN connection                          RW-Securepoint    Select the preferred connection (created under VPN / SSL-VPN)
Client certificate                          cs-sslvpn-rw(1)   Select the certificate for this group (created under Authentication / Certificates in the Certificates area). ACME certificates can also be used.
Remote Gateway                              192.168.175.1     IP address of the gateway on which the SSL VPN clients dial in. Free input or selection from the drop-down menu.
Redirect Gateway                            Off               Requests to destinations outside the local network (and thus outside the VPN) are normally routed directly to the Internet by the VPN user's own gateway. When set to On, the client's default gateway is redirected to the UTM, so these packets also benefit from the protection of the UTM. This setting changes the configuration file for the VPN client.
Use in packet filter                        No                If set to Yes, rules for this group can be created in the packet filter. This can be used to control access for users who are members of this group and connected via SSL VPN.



Create packet filter rule

A rule in the packet filter is created under Firewall / Packetfilter with the button Add rule.

Screenshot: Packet filter rule

Caption          Value               Description
Active           On                  Activates/deactivates the rule
Source           Road-Warrior        The previously created SSL VPN group can now be selected directly as a network object (object type: ipset group)
Destination      internal-networks   The destination network object is selected here (object type: network)
Service          ssl-vpn             Select the required service or service group
Action           ACCEPT              Access is granted
Save and close                       Adds the rule and closes the dialog

In order for the rule to be applied, the Update rules button must be clicked.

Result

The created packet filter rule is now effective for all users who are members of the Road-Warrior group.

Packet filter rule for internal services of the firewall

Note: Packet filter rules based on firewall user groups (Identity-Based Firewall) do not work for internal services of the firewall.

If a service is required that is provided by an interface network object (e.g. DNS or, as in the following example, the proxy), an additional filter rule is required that uses the network object of the transfer network as source.

Create network object

A network object for the transfer network is created under Firewall / Network objects with the button Add object.

Screenshot: Network object for the transfer network

Caption    Value                      Description
Name       SSL VPN transfer network   Descriptive name for the network object
Type       VPN network                Type of the network object
Address    10.0.1.0/24                The network address that was set when the SSL VPN connection was created (step 4 of the wizard, where the IP for the local end of the transfer network is set). It is also shown in the overview of SSL VPN connections in the column Transfer network/pool, which displays the IP of the local end of the transfer network.
Zone       vpn-ssl-Roadwarrior        If the transfer network address is known and correct, the zone is assigned automatically
Group      (empty)                    The network object can optionally be assigned directly to a group


Create packet filter rule

Another rule is created in the packet filter under Firewall / Packetfilter with the button Add rule.

General

Caption        Value                      Description
Source         SSL VPN transfer network   The network object just created (object type: VPN network)
Destination    internal-interface         Interface that is to provide the internal service (object type: interface)
Service        proxy                      Required service of the interface

    Result

    With this additional rule, internal services of the firewall can also be used.
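The following is a constructed Python model of how the two rules on this page match traffic; it is an added example, not Securepoint code. It assumes 192.168.175.0/24 as the "internal-networks" object, the Remote Gateway address as the "internal-interface" object, and a small session table mapping VPN pool addresses to the user group that logged in.

```python
import ipaddress

# Constructed model (added example, not Securepoint code) of the two rules from
# this page: an identity-based rule whose source is the firewall user group
# "Road-Warrior", and a transfer-network rule that covers the internal service
# (proxy) the identity rule cannot reach. The internal network and the session
# table below are assumptions for the demo.
TRANSFER_NET = ipaddress.ip_network("10.0.1.0/24")          # SSL VPN transfer network
INTERNAL_NETS = [ipaddress.ip_network("192.168.175.0/24")]  # "internal-networks" (assumed)
UTM_INTERFACE = ipaddress.ip_address("192.168.175.1")       # "internal-interface" (Remote Gateway)

# Constructed: VPN pool address -> user group authenticated for that session.
SESSIONS = {"10.0.1.6": "Road-Warrior", "10.0.1.9": "Guests"}

IBF_RULE = {"name": "ibf-roadwarrior", "src_group": "Road-Warrior",
            "dst": "internal-networks", "service": "ssl-vpn"}
TRANSFER_RULE = {"name": "transfer-net-proxy", "src_net": TRANSFER_NET,
                 "dst": "internal-interface", "service": "proxy"}


def dst_object(ip):
    """Map a destination address to the network object it belongs to."""
    if ip == UTM_INTERFACE:
        return "internal-interface"           # a service of the UTM itself
    if any(ip in net for net in INTERNAL_NETS):
        return "internal-networks"
    return None


def evaluate(src, dst, service, rules, sessions=SESSIONS):
    """Return ("ACCEPT", rule name) for the first matching rule, else ("DROP", None)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    target = dst_object(dst_ip)
    for rule in rules:
        if rule["service"] != service or rule["dst"] != target:
            continue
        if "src_group" in rule:
            # Identity rule: the source must be a logged-in member of the group,
            # and such a rule never covers the firewall's own interfaces.
            if target == "internal-interface" or sessions.get(src) != rule["src_group"]:
                continue
        elif src_ip not in rule["src_net"]:   # plain IP-based network object
            continue
        return ("ACCEPT", rule["name"])
    return ("DROP", None)


if __name__ == "__main__":
    print(evaluate("10.0.1.6", "192.168.175.20", "ssl-vpn", [IBF_RULE]))              # ACCEPT
    print(evaluate("10.0.1.6", "192.168.175.1", "proxy", [IBF_RULE]))                 # DROP
    print(evaluate("10.0.1.6", "192.168.175.1", "proxy", [IBF_RULE, TRANSFER_RULE]))  # ACCEPT
```

The second call shows why the transfer-network rule is needed: a Road-Warrior member reaching the proxy on the UTM itself is dropped until that rule exists.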