forbid Access from / for a specific Network / Subnet

On your VPN Profile, you configure an Allowed Networks list.   Traffic for those destinations go through the VPN tunnel, and everything else is handled by the PC's network connection.   I think this is the reason for your symptoms.  It is also probably all that needs to be done for your scenario.   This is called split-tunnel VPN.

An alternative is for the VPN Profile to allow all networks, to create a full-tunnel VPN .   This forces all network traffic to flow to the UTM, which means that you need to have configuration rules to block whatever is needed.   UTM has a unique architecture:  traffic which goes through a proxy will bypass the firewall rules.   That is why this configuration is more complicated.

To illustrate:

Assume you  SSL VPN traffic arrives on 10.10.10./24nd is only supposed to have access to 192.168.10.0/24, but your entire network uses many subnets within 192.168.0.0/16.  VPN access to Internet should also be blocked.

Firewall Rules

1. ALLOW traffic from 10.10.10.0/24 to 192.168.10.0/24 port ANY.
2. BLOCK traffic from 10.10.10.0/24 to ANY port ANY. 

Web Proxy, FTP Proxy, POP3 proxy, etc

• Ensure that 10.10.10.0/24 is not on any Filter Profile allow network range, OR
• Create a Filter Profile for 10.10.10.0/24 which is linked to a policy and a Filter Action that blocks everything, then give it precedence over any filter profile that includes 10.10.10.0/24 in a larger network range.

WAF

• Use Access Control on Site Path Routing to prevent access from the VPN subnet

DouglasFoster said:

On your VPN Profile, you configure an Allowed Networks list.   Traffic for those destinations go through the VPN tunnel, and everything else is handled by the PC's network connection.   I think this is the reason for your symptoms

I disabled and as nothing happened deleted the VPN Profile. Still nothing (Access from this Subnet to the Internet).

still no Effect. :-( I rebooted the UTM -> still no Effect.

I created a Filewall-Rule to block all Traffic from this Subnet -> no Effect

I disabled the Masquerading for this Subnet -> no Effect

thanks for your Suggestions on the VPN, but I want to solve this first.

DouglasFoster said:

On your VPN Profile, you configure an Allowed Networks list.   Traffic for those destinations go through the VPN tunnel, and everything else is handled by the PC's network connection.   I think this is the reason for your symptoms

I disabled and as nothing happened deleted the VPN Profile. Still nothing (Access from this Subnet to the Internet).

still no Effect. :-( I rebooted the UTM -> still no Effect.

I created a Filewall-Rule to block all Traffic from this Subnet -> no Effect

I disabled the Masquerading for this Subnet -> no Effect

thanks for your Suggestions on the VPN, but I want to solve this first.

from a PC connected via VPN do a trace route. Maybe you are not connected through UTM 

will try this once my UTM works again

Andreas, it sounds like there might be traffic going via Web Filtering - is the VPN Pool in 'Allowed Networks' for one of your Web Filtering Profiles?

You might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, PM me your email address.  Ich behaupte auch eine deutsche Version, die ursprünglich vom Mitglieder hallowach übersetzt wurde, als wir zusammen im Jahre 2013 eine große Revision machten.

Cheers - Bob