This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Is it possible to use a custom network zone for S2S IPSec VPN for device access

As the topic describes, I'd like to know if it is possible to use a custom zone for a site-to-site VPN connection over IPSec.

I'm asking to use this new Zone for local Local service ACL on the XG/S.

My goal is to allow HTTPS Webadmin and SSH access on the remote firewall only from the IPSec Site-2-Site Tunnel and not from SSL Remote Access VPN also configured on the remote firewall.

A workaround would be a deny rule for the SSL VPN network but the first approach would be more transparent.

This thread was automatically locked due to age.

Top Replies

LuCar Toni over 3 years ago in reply to Matthew LaComb +1

You can workaround this with Matched user based firewall rules. As you have an authentication within the SSLVPN/Ipsec remote access, you can allow this traffic based on user/Groups.

Parents

0 Vivek Jagad over 3 years ago

Hey LHerzog,

You can use a custom zone, but when it comes to the S2S that network should be shared in that zone where you have allowed that S2S network.

Meaning you create a zone name: "custom" and then you have custom network X.X.X.X and that is added on the remote network, then it makes sense.

But otherwise, a option of ACL would be better to allow the SSH/Admin access for that remote network.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Vivek Jagad over 3 years ago

Hey LHerzog,

You can use a custom zone, but when it comes to the S2S that network should be shared in that zone where you have allowed that S2S network.

Meaning you create a zone name: "custom" and then you have custom network X.X.X.X and that is added on the remote network, then it makes sense.

But otherwise, a option of ACL would be better to allow the SSH/Admin access for that remote network.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 LHerzog over 3 years ago in reply to Vivek Jagad

Sorry, I do not understand your answer.

I have not found a way to put site-2-site VPN into a different zone than the default assignment to VPN zone.
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 3 years ago in reply to LHerzog

In short a custom zone for LAN/DMZ is possible but for the VPN it will need to be allowed on the VPN zone only.

When it comes to device access, ACL will be a better option to utilize, if you do not want to enable the option on the default provided zone.
Cancel
Vote Up 0 Vote Down

Cancel
0 Matthew LaComb over 3 years ago in reply to Vivek Jagad

Adding to the conversation - I have a few different types of "VPN" - one set for CORE business traffic links and other sets for 3rd parties. The problem then is that I have to build out an ACL for every single VPN and spell out all traffic. I don't mind this from a security perspective for 3rd party traffic, but for the CORE type traffic I need any to any connectivity - and I can't efficiently build that quickly without a different zone if that makes sense.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 3 years ago in reply to Matthew LaComb

You can workaround this with Matched user based firewall rules. As you have an authentication within the SSLVPN/Ipsec remote access, you can allow this traffic based on user/Groups.
Cancel
Vote Up +1 Vote Down

Cancel
0 Matthew LaComb over 3 years ago in reply to LuCar Toni

This is for Site to Site VPNs, unfortunately we're not to the point of "user" identification or groups within this instance. Doing network based ACLs over-complicates things if we could just have a separate zone for VPNs that fit a certain criteria.
Cancel
Vote Up 0 Vote Down

Cancel