Firewall rules always apply to network objects. To apply firewall rules to the members of an SSL VPN group, those members can be created under → Firewall →PortfilterTab Network Objects as individual host or network objects with their IP addresses and then merged into a network group.
Alternatively, network objects can be created automatically from user groups, so that identity-based port filter rules can be used.
If users are authenticated via AD or LDAP, this significantly reduces the administrative effort.
Port filter rules based on firewall user groups (identity-based firewall) do not work for the firewall's own internal services. For internal services (such as DNS), a network object for the transfer network must be created and the port filter rules written with that object as the source.
Configuration on the UTM
Configure group
This is done under → Authentication →UserTab Groups.
Either a new group is created with Add group or an existing group is edited.
Permissions (Add group, tab Permissions)
Group name: Road-Warrior
  Enter a descriptive name.
Userinterface: On
  Should be enabled; otherwise the user cannot download the SSL VPN client or view their e-mails in the quarantine.
SSL-VPN: On
  Should be enabled. Requires the Userinterface permission for the client download.
SSL-VPN
Note: This article refers to a version that is no longer current. A newer version of this article exists, but it refers to a Reseller-Preview.
This is where the SSL VPN settings for an entire group are configured.
All users share the same certificate when using the group settings! With a shared certificate, a single compromised client cannot be revoked on its own; the group certificate must be replaced for every member.
SSL VPN settings of individual users override the group settings.
SSL VPN group settings
Client downloadable in the user interface: No
  If enabled, the VPN client can be downloaded in the user interface.
SSL VPN connection: rw-sslvpn-e2s-01
  Select the preferred connection (created under → VPN →SSL-VPN).
Client certificate: cs-sslvpn-rw
  Select the certificate for this group (created under → Authentication →CertificatesTab Certificates). ACME certificates can also be used.
Remote Gateway: 203.0.113.0/24
  IP address of the gateway on which the SSL VPN clients dial in. Free input or selection from the drop-down menu.
Redirect Gateway: Off
  Requests to destinations outside the local network (and therefore outside the VPN) are normally sent directly to the Internet by the VPN user's own gateway. When set to On, the client's default gateway is redirected to the UTM, so that this traffic also passes through the UTM and benefits from its protection. This setting changes the configuration file of the VPN client.
Use in portfilter: No
  When set to Yes, rules for this group can be created in the portfilter; this controls access for members of this group who are connected via SSL VPN. It must be set to Yes for the rule created in the next step.
Create portfilter rule
A rule is created in the portfilter under → Firewall →PortfilterTab Portfilter with the button Add rule.
Portfilter rule
Active: On
  Activates or deactivates the rule.
Source: Road-Warrior
  The previously created SSL VPN group can now be selected directly here as a network object.
Destination: internal-networks
  The destination network object is selected here.
Service: ssl-vpn
  Select the required service or a service group.
Action: Accept
  Access is granted.
Logging: SHORT - Log three entries per minute
  Desired logging level.
Group: default
  The rule can be assigned directly to a group.
Add and close
  Adds the rule and closes the dialog.
For the rule to take effect, the Update rules button must be clicked.
Result
The created port filter rule now applies to all users who are members of the Road-Warrior group.
Port filter rule for internal services of the firewall
Port filter rules based on firewall user groups (identity-based firewall) do not work for the firewall's own internal services.
If a service is required that is provided by an interface network object (e.g. DNS or, as in the following example, the proxy), an additional filter rule with the network object of the transfer network as its source is required.
Create network object
Create a network object for the transfer network under → Firewall →Port filterTab Network objects with the button Add object.
Network object for the transfer network
Name: SSL VPN transfer network
  Descriptive name for the network object.
Type: VPN network
  Type of network object.
Address: 10.0.1.0/24
  The network address that was set when the SSL VPN connection was created (step 4 in the wizard, where the IP address for the local end of the transfer network is set). It is also shown in the overview of SSL VPN connections in the column Transfer network/pool (there, too, the IP address of the local end of the transfer network is displayed).
Zone: vpn-ssl-Roadwarrior
  If the transfer network address is correct, the zone is assigned automatically.
Group:
  The network object can be assigned directly to a group.
Create portfilter rule
Another rule is created in the port filter under → Firewall →PortfilterTab Portfilter with the button Add rule.
General
Source: SSL VPN transfer network
  The network object just created.
Destination: internal-interface
  The interface that is to provide the internal service.
Service: proxy
  The required service of the interface.
Result
With this additional rule, the firewall's internal services can also be used from the SSL VPN.
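The two rules from this article, the identity-based rule for the Road-Warrior group and the object-based rule for the transfer network, are modelled below as an added example. It is not Securepoint UTM code: it simulates the matching behaviour the page describes (identity-based rules are not applied to the firewall's own services, so the proxy needs a rule with the transfer-network object as source). Object and rule names follow the page; the internal network 192.168.175.0/24, the interface address 192.168.175.1, the VPN sessions and the exact matching semantics are assumptions made for the example.

```python
"""Model of the two portfilter rules described on this page.

Added example, not code from the Securepoint UTM.  It simulates how a rule
whose source is a firewall user group (identity-based) and a rule whose
source is the transfer-network object are matched, to show why the second
rule is needed for services the firewall itself provides (proxy, DNS).
Addresses, sessions and matching semantics are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Network objects: the transfer network is the one from the page; the
# internal network and interface address are constructed for the example.
TRANSFER_NET = ip_network("10.0.1.0/24")          # "SSL VPN transfer network"
UTM_TUNNEL_IP = ip_address("10.0.1.1")            # local end of the transfer network
INTERNAL_NETS = [ip_network("192.168.175.0/24")]  # "internal-networks"
INTERNAL_IF = ip_address("192.168.175.1")         # "internal-interface"

# Authenticated SSL VPN sessions keyed by assigned tunnel address (constructed).
VPN_SESSIONS = {
    ip_address("10.0.1.10"): {"user": "alice", "groups": {"Road-Warrior"}},
    ip_address("10.0.1.11"): {"user": "bob", "groups": {"Staff"}},
}

# Services the UTM provides on its own interface objects.
INTERNAL_SERVICES = {"proxy", "dns"}


@dataclass(frozen=True)
class Rule:
    name: str
    source: str            # user group name or network object name
    source_is_group: bool  # True = identity-based rule
    destination: str       # "internal-networks" or "internal-interface"
    service: str           # service name or "any"
    action: str = "Accept"


def source_matches(rule: Rule, src: IPv4Address) -> bool:
    if rule.source_is_group:
        # Identity-based: the sending address must belong to an authenticated
        # session whose user is a member of the group.
        session = VPN_SESSIONS.get(src)
        return session is not None and rule.source in session["groups"]
    if rule.source == "SSL VPN transfer network":
        return src in TRANSFER_NET
    return False


def destination_matches(rule: Rule, dst: IPv4Address) -> bool:
    if rule.destination == "internal-networks":
        return any(dst in net for net in INTERNAL_NETS)
    if rule.destination == "internal-interface":
        return dst in (INTERNAL_IF, UTM_TUNNEL_IP)
    return False


def is_internal_service(dst: IPv4Address, service: str) -> bool:
    """True when the packet targets a service the firewall itself provides."""
    return dst in (INTERNAL_IF, UTM_TUNNEL_IP) and service in INTERNAL_SERVICES


def evaluate(rules, src_ip: str, dst_ip: str, service: str):
    """Return the name of the first rule that accepts the packet, or None.

    Identity-based rules are skipped for the firewall's own services; this is
    the restriction the page describes."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if rule.source_is_group and is_internal_service(dst, service):
            continue
        if (source_matches(rule, src) and destination_matches(rule, dst)
                and rule.service in (service, "any") and rule.action == "Accept"):
            return rule.name
    return None  # no match: implicit drop


# Rule 1 from the page: group Road-Warrior -> internal-networks
IDENTITY_RULE = Rule("Road-Warrior -> internal-networks", "Road-Warrior", True,
                     "internal-networks", "any")
# Rule 2 from the page: transfer network object -> internal-interface, proxy
TRANSFER_RULE = Rule("SSL VPN transfer network -> proxy", "SSL VPN transfer network",
                     False, "internal-interface", "proxy")

IDENTITY_ONLY = [IDENTITY_RULE]
WITH_TRANSFER_RULE = [IDENTITY_RULE, TRANSFER_RULE]


def transfer_object_matches_pool(object_address: str, pool: str) -> bool:
    """The network object must carry exactly the pool set in step 4 of the wizard."""
    return ip_network(object_address) == ip_network(pool)


if __name__ == "__main__":
    for rules, label in ((IDENTITY_ONLY, "identity rule only"),
                         (WITH_TRANSFER_RULE, "plus transfer-network rule")):
        print(label)
        print("  alice -> file server:", evaluate(rules, "10.0.1.10", "192.168.175.20", "smb"))
        print("  alice -> UTM proxy:  ", evaluate(rules, "10.0.1.10", "192.168.175.1", "proxy"))
        print("  bob   -> UTM proxy:  ", evaluate(rules, "10.0.1.11", "192.168.175.1", "proxy"))
```

Note what the second run shows: the transfer-network rule is object-based, not identity-based, so it grants the proxy to every client holding an address from the pool, including bob, who is not in the Road-Warrior group. Keep the service list of that rule limited to the internal services the VPN users actually need.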