Restrict VPN Access Using Filter Rules

Allowing VPN users onto your network brings decisions about what network resources and subnets that you will want to share with them. All our VPN technologies include methods for sharing exported networks, but sometimes you need to be more concerned about restricting resources.

The principle of least privilege is the practice of limiting access to the minimal level that will allow normal functioning. Applied to employees, the principle of least privilege translates to giving people the lowest level of user rights that they can have and still do their jobs.

When you create a VPN route to an internal subnet, you are allowing all VPN users to have access to the resources on that shared network. However, you may not want each VPN user to have access to every server, service, or resource on that subnet.

Here's how you can further restrict your VPN users' access using Filter and Firewall rules. Filter Rules are useful for restricting based on layer-3 information: IP address, source interface (including the VPN interface), destination port, &c.

If you'd like to use AD usernames, see below for using Firewall Rules instead.

Filter Rules apply to, and are useful for, blocking traffic going through the NG Firewall server. They also apply to bypassed traffic. The Firewall application doesn't see bypassed traffic. This means if you want to block anything that's bypassed, you need to use a Filter Rule.

For example, let's say you have a site-to-site tunnel where endpoint A is sharing the local network of 192.168.102.0/24 and endpoint B is sharing the local network of 10.10.0.0/16. If endpoint A does not want any of endpoint B's users to access a server addressed at 192.168.102.5 you would create the following Filter Rule:

1. Head to Config > Network > Filter Rules.
   
   
2. Click the Add button to create a new rule.
   
   
3. Use the conditions Source Address is and Destination Address is:
   
   
   
4. Click Done and then Save to apply the new rule.

Using Firewall application rules gives you some layer-7 options to use instead of just IP address or interface: AD usernames, client country, and so forth. For these, head to Apps > Firewall > Rules. Click Add in the top left-hand corner, then choose your conditions the same as you would for Filter Rules above.