Configuring the filter and NAT policy

This section explains how to configure the filter and NAT policy that must be implemented to deploy SSL VPN tunnels. You can click on Apply at any time to save your changes.

Configuring the filter policy

You need to define rules to grant or deny SSL VPN clients access to your organization's internal resources. In the example below, we are adding a rule to allow all user connections from UDP and TCP SSL VPN clients to the organization's intranet web server over HTTPS.

To increase security, set up granular filtering so that users can reach only what they actually need. To do so, create one rule per user group that sets up SSL VPN tunnels with the SNS firewall (in the rule editing window: User tab on SNS in version 5, or Source tab, User field on SNS in version 4).

  1. Go to Configuration > Security policy > Filter - NAT, Filtering tab.

  2. Click on New rule > Single rule, and double-click on the number of the rule to edit it; a new window will open.

  3. In the General tab, Status field, select On.

  4. In the Action tab, Action field, select pass.

  5. In the Source tab:

    1. In the General tab, Source hosts field, select the objects that represent the IP addresses of UDP and TCP SSL VPN clients,

    2. In the Advanced properties sub-tab, Via field, select SSL VPN tunnel, so that the rule applies only to traffic that actually arrives through the tunnel.

  6. In the Destination tab, Destination hosts field, select the object that represents the internal server or the intranet.

  7. In the Port - Protocol tab, Destination port field, select https.

  8. Click on OK.

NOTE
Rules are evaluated from top to bottom, in the order in which they appear in the list; the first matching rule applies, so place more specific rules above more general ones. You can also use advanced filter functions (inspection profiles, application proxies, antivirus scans, etc.).

Screen showing the configuration of the filter policy on an SNS firewall in version 5
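The following Python model is an added illustration for this page, not Stormshield code: it evaluates an ordered filter policy first-match, top to bottom, the way the note above describes, and shows why the Via and User conditions matter. The network objects (a VPN client pool, an intranet web server, a finance server), the user names and the trailing implicit block are assumptions made for the example.

```python
"""Ordered filter policy evaluated first-match, top to bottom, as on an SNS firewall.

Added illustration, not Stormshield's code. Network objects, user names and the
implicit final block rule are assumptions made for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp" or "udp"
    dport: int
    via: Optional[str] = None   # "sslvpn" when it entered through the SSL VPN tunnel
    user: Optional[str] = None  # authenticated user behind src, if known


@dataclass
class Rule:
    action: str                          # "pass" or "block"
    src_nets: Tuple[str, ...]            # Source hosts (objects modelled as CIDRs)
    dst_nets: Tuple[str, ...]            # Destination hosts
    dport: Optional[int] = None          # Destination port, None = any
    proto: Optional[str] = None          # Protocol, None = any
    via: Optional[str] = None            # Via field: require the SSL VPN tunnel
    users: FrozenSet[str] = frozenset()  # User field; empty = any user
    status: bool = True                  # Status field On/Off

    def matches(self, p: Packet) -> bool:
        if not self.status:
            return False
        src, dst = ip_address(p.src), ip_address(p.dst)
        if not any(src in ip_network(n) for n in self.src_nets):
            return False
        if not any(dst in ip_network(n) for n in self.dst_nets):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        # The Via condition ties the rule to the tunnel: a packet carrying a VPN-pool
        # source address but arriving on another interface does not match.
        if self.via is not None and p.via != self.via:
            return False
        # Granular filtering: restrict the rule to members of a user group.
        if self.users and p.user not in self.users:
            return False
        return True


def evaluate(policy: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule). First match wins; when nothing
    matches, the implicit final rule blocks (index None)."""
    for i, rule in enumerate(policy):
        if rule.matches(p):
            return rule.action, i
    return "block", None


# Constructed objects for the example.
SSLVPN_CLIENTS = ("192.168.100.0/24",)   # UDP and TCP SSL VPN client pool
INTRANET_WEB = ("10.0.0.10/32",)         # intranet web server
FINANCE_WEB = ("10.0.0.20/32",)          # server only the finance group may reach

POLICY = [
    # The rule from the procedure above: any VPN user to the intranet over https, via the tunnel.
    Rule("pass", SSLVPN_CLIENTS, INTRANET_WEB, dport=443, proto="tcp", via="sslvpn"),
    # Granular rule: only the finance group reaches the finance server.
    Rule("pass", SSLVPN_CLIENTS, FINANCE_WEB, dport=443, proto="tcp", via="sslvpn",
         users=frozenset({"alice", "carol"})),
]


if __name__ == "__main__":
    bob = Packet("192.168.100.5", "10.0.0.10", "tcp", 443, via="sslvpn", user="bob")
    print(evaluate(POLICY, bob))                             # ('pass', 0)
    spoof = Packet("192.168.100.5", "10.0.0.10", "tcp", 443, via=None, user=None)
    print(evaluate(POLICY, spoof))                           # ('block', None)
```

Placing a broad block rule above the first pass rule shadows it completely, which is the ordering mistake the note warns about; the `evaluate` index makes such shadowing visible.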

Configuring the NAT policy

If UDP and TCP SSL VPN clients must access the Internet, you will need to set up a network address translation (NAT) rule so that their traffic leaves the firewall with its public IP address as the source.

  1. Go to Configuration > Security policy > Filter - NAT, NAT tab.

  2. Click on New rule > Source address sharing rule (masquerading), and double-click on the number of the rule to edit it; a new window will open.

  3. In the General tab, Status field, select On.

  4. In the Original source tab:

    1. Source hosts field, select the objects that represent the IP addresses of UDP and TCP SSL VPN clients,

    2. Incoming interface field, select SSL VPN.

  5. In the Original destination tab, Destination hosts field, select Internet.

  6. In the Translated source tab, Translated source host field, select the object that represents the public IP address.

  7. In the Translated source port field, select the option Choose random translated source port.

  8. Click on OK.

Screen showing the configuration of the NAT policy on an SNS firewall in version 5
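The following Python model is an added illustration for this page, not Stormshield code: it implements the source address sharing (masquerading) rule described above, scoped to the VPN client pool on the SSL VPN interface and to Internet destinations, with a random translated source port, and it maps Internet replies back to the client. The interface name, the public IP address and the address ranges are assumptions made for the example.

```python
"""Source address sharing (masquerading) for SSL VPN clients reaching the Internet.

Added illustration, not Stormshield's code. The interface name "sslvpn", the
public IP and the address ranges are assumptions made for this example.
"""
import random
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    iface_in: str  # interface the packet entered on; "sslvpn" for tunnel traffic


class Masquerade:
    """One rule: Original source = VPN pool entering on the SSL VPN interface,
    Original destination = Internet, Translated source = public IP with a random
    translated source port."""

    def __init__(self, vpn_pool: str, public_ip: str, seed: Optional[int] = None):
        self.vpn_pool = ip_network(vpn_pool)
        self.public_ip = public_ip
        # A seed gives reproducible ports for demonstration; a firewall uses a CSPRNG.
        self.rng = random.Random(seed) if seed is not None else random.SystemRandom()
        # (src, sport, dst, dport) -> translated port
        self.forward: Dict[Tuple[str, int, str, int], int] = {}
        # (dst, dport, public_ip, translated port) -> (src, sport), used for replies
        self.reverse: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def applies(self, f: Flow) -> bool:
        """Original source / Original destination conditions of the rule."""
        return (f.iface_in == "sslvpn"
                and ip_address(f.src) in self.vpn_pool
                # Internet only: intranet traffic keeps the real client address,
                # so internal servers still log who connected.
                and ip_address(f.dst).is_global)

    def _pick_port(self, dst: str, dport: int) -> int:
        """Choose random translated source port: an ephemeral port not already
        in use towards this destination, so two clients never collide."""
        while True:
            port = self.rng.randrange(1024, 65536)
            if (dst, dport, self.public_ip, port) not in self.reverse:
                return port

    def translate(self, f: Flow) -> Flow:
        if not self.applies(f):
            return f
        key = (f.src, f.sport, f.dst, f.dport)
        if key not in self.forward:            # new connection: allocate a mapping
            tport = self._pick_port(f.dst, f.dport)
            self.forward[key] = tport
            self.reverse[(f.dst, f.dport, self.public_ip, tport)] = (f.src, f.sport)
        return replace(f, src=self.public_ip, sport=self.forward[key])

    def untranslate(self, reply: Flow) -> Flow:
        """Map a reply from the Internet back to the VPN client, or leave it alone."""
        orig = self.reverse.get((reply.src, reply.sport, reply.dst, reply.dport))
        if orig is None:
            return reply
        return replace(reply, dst=orig[0], dport=orig[1])


if __name__ == "__main__":
    nat = Masquerade("192.168.100.0/24", "198.51.100.1", seed=7)
    out = nat.translate(Flow("192.168.100.5", 51000, "1.1.1.1", 443, "sslvpn"))
    print(out)                                   # src 198.51.100.1, random sport
    print(nat.untranslate(Flow("1.1.1.1", 443, "198.51.100.1", out.sport, "out")))
```

Traffic from the VPN pool to the intranet is deliberately left untranslated: the filter rule from the previous section then sees, and the internal server logs, the client's own VPN address rather than the firewall's.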