I’m trying to set up IPSEC remote access (also known as a road warrior setup), along with the zone-based firewall.
Since it isn’t a site-to-site setup, there is no VTI interface, so zones cannot be used.
So I guess I have to use the non-zone firewall rules along with the zone-based rules.
How would I go about doing that?
For other people having the same question, and searching for an answer - here is what you need:
Just push the needed prefixes through the tunnel, then no other networks can be accessed through VPN.
In the firewall, allow traffic from the LOCAL zone, since that is the source of the VPN traffic.
If SNAT is used, make sure to exclude traffic with the internal network as source and the VPN prefix as destination, since you don’t want that NAT translated.
Thank you for sharing these helpful steps! Your insights will certainly assist others encountering similar challenges. We appreciate your contribution to the community!
Also an important thing to remember - in the WAN to LAN zone policy:
set firewall ipv4 name WAN_TO_LAN rule 10 action 'accept'
set firewall ipv4 name WAN_TO_LAN rule 10 description 'Allow IPSEC traffic'
set firewall ipv4 name WAN_TO_LAN rule 10 ipsec match-ipsec
set firewall ipv4 name WAN_TO_LAN rule 10 state 'new'
Otherwise traffic won’t flow between the LAN and IPSEC network.
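Putting the two answers above together, here is an added example of the complete firewall and NAT side of the setup (this is not configuration from any post in the thread, and it does not show the IPsec remote-access connection itself). It assumes VyOS 1.4 syntax, eth0 as the WAN interface, eth1 as the LAN interface with 192.168.10.0/24, a road-warrior client pool of 10.99.0.0/24, and zones named WAN, LAN and LOCAL; all of those names and prefixes are assumptions. It goes slightly beyond the thread in two places: the WAN_TO_LAN match-ipsec rule is additionally limited to the client pool, so an IPsec SA with any other peer cannot reach the LAN through it, and a WAN_TO_LOCAL ruleset is included because IKE, NAT-T and ESP terminate on the router itself.

```vyos
# Zones (assumed interface-to-zone mapping)
set firewall zone WAN interface 'eth0'
set firewall zone LAN interface 'eth1'
set firewall zone LOCAL local-zone
set firewall zone LAN default-action 'drop'
set firewall zone LOCAL default-action 'drop'

# 1. IKE (UDP/500), NAT-T (UDP/4500) and ESP arrive from the Internet and
#    terminate on the router, so they must be accepted into LOCAL
set firewall ipv4 name WAN_TO_LOCAL default-action 'drop'
set firewall ipv4 name WAN_TO_LOCAL rule 5 action 'accept'
set firewall ipv4 name WAN_TO_LOCAL rule 5 state 'established'
set firewall ipv4 name WAN_TO_LOCAL rule 5 state 'related'
set firewall ipv4 name WAN_TO_LOCAL rule 10 action 'accept'
set firewall ipv4 name WAN_TO_LOCAL rule 10 description 'IKE and NAT-T'
set firewall ipv4 name WAN_TO_LOCAL rule 10 protocol 'udp'
set firewall ipv4 name WAN_TO_LOCAL rule 10 destination port '500,4500'
set firewall ipv4 name WAN_TO_LOCAL rule 20 action 'accept'
set firewall ipv4 name WAN_TO_LOCAL rule 20 description 'ESP'
set firewall ipv4 name WAN_TO_LOCAL rule 20 protocol 'esp'
set firewall zone LOCAL from WAN firewall name 'WAN_TO_LOCAL'

# 2. Decrypted client packets re-enter on the WAN interface (no VTI), so the
#    WAN_TO_LAN policy needs the match-ipsec rule from the thread. Restricting
#    it to the client pool (assumed 10.99.0.0/24) is the extra check here.
set firewall ipv4 name WAN_TO_LAN default-action 'drop'
set firewall ipv4 name WAN_TO_LAN rule 5 action 'accept'
set firewall ipv4 name WAN_TO_LAN rule 5 state 'established'
set firewall ipv4 name WAN_TO_LAN rule 5 state 'related'
set firewall ipv4 name WAN_TO_LAN rule 10 action 'accept'
set firewall ipv4 name WAN_TO_LAN rule 10 description 'Allow IPSEC traffic'
set firewall ipv4 name WAN_TO_LAN rule 10 ipsec match-ipsec
set firewall ipv4 name WAN_TO_LAN rule 10 source address '10.99.0.0/24'
set firewall ipv4 name WAN_TO_LAN rule 10 state 'new'
set firewall zone LAN from WAN firewall name 'WAN_TO_LAN'

# 3. Traffic for the VPN clients is sourced from LOCAL (as the first answer
#    notes), so allow it from the LOCAL zone into LAN
set firewall ipv4 name LOCAL_TO_LAN default-action 'drop'
set firewall ipv4 name LOCAL_TO_LAN rule 5 action 'accept'
set firewall ipv4 name LOCAL_TO_LAN rule 5 state 'established'
set firewall ipv4 name LOCAL_TO_LAN rule 5 state 'related'
set firewall ipv4 name LOCAL_TO_LAN rule 10 action 'accept'
set firewall ipv4 name LOCAL_TO_LAN rule 10 description 'VPN clients to LAN'
set firewall ipv4 name LOCAL_TO_LAN rule 10 source address '10.99.0.0/24'
set firewall zone LAN from LOCAL firewall name 'LOCAL_TO_LAN'

# 4. Source NAT: the exclude rule must have a LOWER number than the masquerade
#    rule, because NAT rules are evaluated in order and the first match wins.
#    Without it, LAN -> client packets would be rewritten to the WAN address
#    and never match the IPsec policy for the client pool.
set nat source rule 10 description 'No NAT for LAN to VPN clients'
set nat source rule 10 source address '192.168.10.0/24'
set nat source rule 10 destination address '10.99.0.0/24'
set nat source rule 10 exclude
set nat source rule 100 description 'Masquerade LAN to Internet'
set nat source rule 100 outbound-interface name 'eth0'
set nat source rule 100 source address '192.168.10.0/24'
set nat source rule 100 translation address 'masquerade'
```

After `commit`, `show nat source rules` should list the exclude rule ahead of the masquerade rule, and `show vpn ipsec sa` should show the client's SA; if LAN hosts can reach the client but not the reverse, the WAN_TO_LAN rule (step 2) is usually the one missing.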