Writing a Detailed Rule for VPN Tunneling Access Control Policies
IPv6 and FQDN resources in Layer 3 (VPN tunneling) ACLs are configured the same way as IPv4 resources, using either of the following two rule types:
•Simple Rules
•Detailed Rules
Simple rules: the admin configures IPv4, IPv6 or FQDN resources with an allow or deny action. These rules permit or deny access to a resource solely on the basis of the configured address or name.
Detailed rules: the admin configures the same IPv4, IPv6 or FQDN resources with an allow or deny action, plus one or more conditions. The action is applied only when the resource matches and the conditions evaluate true.
Every entry in the ACL policy is installed as two entries in the FORWARD chain of iptables/ip6tables: one for the inbound direction and one for the outbound direction. A policy with N entries therefore produces 2N FORWARD rules.
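To make the two-rules-per-entry point concrete, the following is an added Python model (not the appliance's code) that expands an ordered ACL policy into the pair of FORWARD-chain commands per entry, selecting iptables or ip6tables by address family. The use of a VPN client address pool as the peer of each resource and the allow/deny to ACCEPT/DROP mapping are illustrative assumptions; the page does not document the appliance's actual match options.

```python
from ipaddress import ip_network


def forward_rule_pair(action, resource, client_pool):
    """Expand one ACL entry into the two FORWARD-chain rules the text
    describes: inbound (client -> resource) and outbound (resource -> client).
    'client_pool' is an assumed VPN tunnel address pool; the mapping
    allow->ACCEPT, deny->DROP is likewise an illustrative assumption."""
    target = {"allow": "ACCEPT", "deny": "DROP"}[action]
    net = ip_network(resource, strict=False)
    pool = ip_network(client_pool, strict=False)
    if net.version != pool.version:
        raise ValueError("resource and client pool must share an address family")
    tool = "iptables" if net.version == 4 else "ip6tables"
    return [
        f"{tool} -A FORWARD -s {pool} -d {net} -j {target}",  # inbound, towards the resource
        f"{tool} -A FORWARD -s {net} -d {pool} -j {target}",  # outbound, from the resource
    ]


def expand_policy(entries, v4_pool, v6_pool):
    """Expand an ordered ACL policy into commands, preserving order.
    Both the ACL and the FORWARD chain stop at the first match, so a
    specific deny must precede a broader allow or it never fires."""
    commands = []
    for action, resource in entries:
        pool = v4_pool if ip_network(resource, strict=False).version == 4 else v6_pool
        commands.extend(forward_rule_pair(action, resource, pool))
    return commands


# Constructed sample policy (documentation address ranges only).
SAMPLE_POLICY = [
    ("deny", "10.1.2.250/32"),      # one host excluded...
    ("allow", "10.1.2.0/24"),       # ...from an otherwise allowed subnet
    ("allow", "2001:db8:10::/64"),
]

if __name__ == "__main__":
    for cmd in expand_policy(SAMPLE_POLICY, "10.200.0.0/16", "2001:db8:ffff::/64"):
        print(cmd)
```

On any Linux host where you do have shell access, `iptables -S FORWARD` and `ip6tables -S FORWARD` list the installed rules in evaluation order; counting two lines per ACL entry, in policy order, is the check to run when a rule appears not to fire.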
To create or edit a VPN Tunneling Access Control policy that uses IPv4, IPv6 or FQDN resources with detailed rules:
1.On the New Policy page for a resource policy, enter the required resource and role information.
2.In the Action section, select Use Detailed Rules and then click Save Changes.
3.On the Detailed Rules tab, click New Rule.
4.On the Detailed Rule page:
In the Action section, specify:
•Allow Access - permits access to the IPv4/IPv6/FQDN resources listed in the rule.
•Deny Access - blocks access to the IPv4/IPv6/FQDN resources listed in the rule.
In the Resources section, specify:
In the IPv4 Resources section, specify the IPv4 resources.
In the IPv6 Resources section, specify the IPv6 resources.
In the FQDN Resources section, specify the fully qualified domain names. FQDN-based split tunneling lets the admin write split tunneling rules directly in terms of domain names, which is useful for rules that bypass or tunnel cloud services. Wildcard domains are allowed for FQDN resources.
- The admin can configure IPv4 resources, IPv6 resources, FQDN resources, or any combination of the three.
- FQDN resources are not supported for IPv6. Where an FQDN resource and an IPv4 resource conflict, the FQDN resource takes precedence.
- FQDN resources require the Device DNS option to be enabled in the connection profile. The client must also be able to reach the DNS server through the tunnel policy: either allow the DNS server's IP address in the IPv4 resource list, or select Auto allow DNS/WINS IP in the connection profile.
In the Conditions section, specify one or more expressions to evaluate in order to perform the action (optional):
•Boolean expressions: Using system variables, write one or more boolean expressions using the NOT, OR, or AND operators.
•Custom expressions: Using the custom expression syntax, write one or more custom expressions.
When specifying a time condition, the time range cannot span midnight. The workaround is to split it into two conditions, one ending at 23:59 and one starting at 00:00 (for example, 22:00-02:00 becomes 22:00-23:59 and 00:00-02:00).
5.Click Save Changes.
6.On the Detailed Rules tab, order the rules in the sequence you want the system to evaluate them. Evaluation is first-match: once the resource requested by the user matches a resource in a rule's Resource list (and, for detailed rules, the rule's conditions hold), the system performs that rule's action and stops processing further rules and other resource policies. Place narrow deny rules before broader allow rules; otherwise the broad rule matches first and the deny is never reached.
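The following added Python model (not the product's code) walks through steps 4 and 6 end to end: an ordered list of detailed rules with IPv4, IPv6 and wildcard FQDN resources, a time condition rewritten with the midnight workaround, and first-match evaluation that stops at the first matching rule and returns None when nothing matches (where the real system would move on to the next resource policy). Three behaviours are modeled as assumptions rather than taken from the page: FQDN matching is attempted only for IPv4 destinations (FQDN is not supported for IPv6), FQDN matches are checked before address matches so that they take precedence in a conflict, and wildcard names use shell-style matching. The sample rules and addresses are constructed.

```python
from dataclasses import dataclass, field
from datetime import time
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import Optional


def hhmm(text: str) -> time:
    """Parse 'HH:MM' into a datetime.time."""
    hours, minutes = (int(part) for part in text.split(":"))
    return time(hours, minutes)


@dataclass
class TimeWindow:
    """Inclusive time-of-day window. Per the documented limit it never crosses midnight."""
    start: time
    end: time

    def contains(self, now: time) -> bool:
        return self.start <= now <= self.end


def split_time_range(start: time, end: time) -> list:
    """The midnight workaround: a range that wraps past midnight becomes two
    conditions, e.g. 22:00-02:00 -> 22:00-23:59 plus 00:00-02:00."""
    if start <= end:
        return [TimeWindow(start, end)]
    return [TimeWindow(start, time(23, 59)), TimeWindow(time(0, 0), end)]


@dataclass
class DetailedRule:
    action: str                                   # "allow" or "deny"
    ipv4: list = field(default_factory=list)      # CIDR strings
    ipv6: list = field(default_factory=list)      # CIDR strings
    fqdn: list = field(default_factory=list)      # names; wildcards such as "*.example.com"
    windows: list = field(default_factory=list)   # TimeWindow list; empty = no time condition

    def condition_holds(self, now: time) -> bool:
        return not self.windows or any(w.contains(now) for w in self.windows)

    def matches_fqdn(self, host: Optional[str]) -> bool:
        if host is None:
            return False
        name = host.lower().rstrip(".")
        # Shell-style wildcard matching is an assumption about the product's syntax.
        return any(fnmatchcase(name, pattern.lower()) for pattern in self.fqdn)

    def matches_address(self, dest_ip: str) -> bool:
        addr = ip_address(dest_ip)
        nets = self.ipv4 if addr.version == 4 else self.ipv6
        return any(addr in ip_network(n, strict=False) for n in nets)


def evaluate(rules, dest_ip, now, host=None):
    """First-match evaluation over an ordered rule list.

    Returns (action, rule_index) for the first rule whose resources match and
    whose conditions hold, or None if no rule matches (the real system would
    then continue to the next resource policy)."""
    addr = ip_address(dest_ip)
    # Assumed reading of the notes: FQDN resources apply to IPv4 traffic only,
    # and an FQDN match wins over an IPv4 match, so the FQDN pass runs first.
    if addr.version == 4:
        for i, rule in enumerate(rules):
            if rule.matches_fqdn(host) and rule.condition_holds(now):
                return rule.action, i
    for i, rule in enumerate(rules):
        if rule.matches_address(dest_ip) and rule.condition_holds(now):
            return rule.action, i
    return None


# Constructed sample policy. Order matters: evaluation stops at the first
# match, so the specific rules sit before the catch-all deny at the end.
NIGHT = split_time_range(hhmm("22:00"), hhmm("02:00"))           # crosses midnight -> two windows
RULES = [
    DetailedRule("deny", ipv4=["10.1.2.0/24"]),                     # 0
    DetailedRule("allow", fqdn=["*.example.com"]),                  # 1
    DetailedRule("allow", ipv6=["2001:db8::/32"], windows=NIGHT),   # 2
    DetailedRule("deny", ipv4=["0.0.0.0/0"], ipv6=["::/0"]),        # 3 catch-all
]

if __name__ == "__main__":
    print(evaluate(RULES, "10.1.2.5", hhmm("12:00")))                             # ('deny', 0)
    print(evaluate(RULES, "10.1.2.5", hhmm("12:00"), host="app.example.com"))     # ('allow', 1): FQDN preferred
    print(evaluate(RULES, "2001:db8::10", hhmm("01:00")))                         # ('allow', 2): second window
    print(evaluate(RULES, "2001:db8::10", hhmm("12:00"), host="app.example.com")) # ('deny', 3): no FQDN for IPv6
```

The two rules for the same destination (index 0 denies the subnet, index 1 allows the wildcard name) show why the FQDN-precedence note matters: the same packet to 10.1.2.5 is denied when the client addressed it by IP and allowed when it addressed it by a matching name, so a deny that must hold regardless should be written as an FQDN resource as well.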