If I understand your question, you'll want to create a Connection Aware rule group in your firewall policy. Configure it to identify your internal network (subnet, DNS server, DHCP server, WINS server, DNS suffix, etc.) and then add whatever 'Allow' rules you want into it. Those rules will only be applied when the device is connected internally.
Additionally, you'll likely need to create rules outside the connection aware group to allow the necessary traffic to establish the VPN connection. Finally, at the bottom of the firewall rules you can add an explicit 'Block All' rule if you like (it shouldn't be necessary, but it makes some people feel better). The firewall validates traffic against firewall rules from top to bottom in the firewall policy, so keep that in mind when you're setting the order of the rules.
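The layout that answer describes, as an added example and not the answerer's configuration or the firewall product's own rule engine: a small Python model of top-to-bottom evaluation with a connection-aware group that is only consulted while the host's location criteria all match. The rule names, addresses, location criteria and sample flows are assumptions for illustration.

```python
# Added example, not from the original thread or from the firewall vendor:
# a small model of a top-to-bottom firewall policy with a "connection aware"
# rule group that is consulted only when the host's network location matches.
# Rule names, addresses, criteria and sample flows are assumptions.
from dataclasses import dataclass
from typing import List, Optional, Union
import ipaddress

@dataclass
class Location:
    """What the host currently sees on its interface (constructed values)."""
    ip: str
    dns_server: str
    dhcp_server: str
    dns_suffix: str

@dataclass
class LocationCriteria:
    subnet: str
    dns_server: str
    dhcp_server: str
    dns_suffix: str

    def matches(self, loc: Location) -> bool:
        # Requiring every attribute keeps a hostile network that merely reuses
        # the internal subnet from unlocking the group.
        return (ipaddress.ip_address(loc.ip) in ipaddress.ip_network(self.subnet)
                and loc.dns_server == self.dns_server
                and loc.dhcp_server == self.dhcp_server
                and loc.dns_suffix.lower() == self.dns_suffix.lower())

@dataclass
class Flow:
    proto: str          # "tcp" or "udp"
    dst_ip: str
    dst_port: int

@dataclass
class Rule:
    name: str
    action: str                     # "allow" or "block"
    proto: Optional[str] = None     # None matches any protocol
    dst_port: Optional[int] = None  # None matches any port
    dst_net: Optional[str] = None   # None matches any destination

    def matches(self, flow: Flow) -> bool:
        if self.proto is not None and self.proto != flow.proto:
            return False
        if self.dst_port is not None and self.dst_port != flow.dst_port:
            return False
        return self.dst_net is None or (
            ipaddress.ip_address(flow.dst_ip) in ipaddress.ip_network(self.dst_net))

@dataclass
class ConnectionAwareGroup:
    name: str
    criteria: LocationCriteria
    rules: List[Rule]

Entry = Union[Rule, ConnectionAwareGroup]

def decide(policy: List[Entry], flow: Flow, loc: Location) -> str:
    """First matching rule wins; the policy is walked top to bottom."""
    for entry in policy:
        if isinstance(entry, ConnectionAwareGroup):
            if not entry.criteria.matches(loc):
                continue                # whole group is skipped when off-network
            candidates = entry.rules
        else:
            candidates = [entry]
        for rule in candidates:
            if rule.matches(flow):
                return f"{rule.action}:{rule.name}"
    return "allow:implicit-default"     # assumption: no explicit block-all present

VPN_GATEWAY = "203.0.113.10"
CORP = LocationCriteria("10.20.0.0/16", "10.20.0.53", "10.20.0.67", "corp.example")

POLICY: List[Entry] = [
    # Outside the group: traffic needed to establish the VPN from anywhere.
    Rule("dns-out", "allow", "udp", 53),
    Rule("vpn-ike", "allow", "udp", 500, VPN_GATEWAY),
    Rule("vpn-nat-t", "allow", "udp", 4500, VPN_GATEWAY),
    # Inside the group: applied only while the host is on the internal network.
    ConnectionAwareGroup("corporate-lan", CORP, [
        Rule("lan-smb", "allow", "tcp", 445, "10.20.0.0/16"),
    ]),
    Rule("block-all", "block"),         # explicit catch-all at the bottom
]

CORP_LAN = Location("10.20.5.17", "10.20.0.53", "10.20.0.67", "corp.example")
COFFEE_SHOP = Location("192.168.1.23", "192.168.1.1", "192.168.1.1", "lan")
SPOOFED = Location("10.20.5.17", "192.168.1.1", "192.168.1.1", "lan")  # subnet only
SMB_FLOW = Flow("tcp", "10.20.0.40", 445)
IKE_FLOW = Flow("udp", VPN_GATEWAY, 500)

def misordered_policy() -> List[Entry]:
    """block-all moved to the top shadows every rule below it."""
    return [POLICY[-1]] + POLICY[:-1]
```

Calling `decide(POLICY, SMB_FLOW, CORP_LAN)` returns `allow:lan-smb`, while the same SMB flow from `COFFEE_SHOP` or `SPOOFED` falls through to `block:block-all` because the group is never consulted; the IKE flow to the VPN gateway is allowed from anywhere because its rule sits outside the group. `misordered_policy()` shows why the ordering note matters: with the catch-all on top, nothing below it is ever reached.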
Thank you, woodsjw. Nice suggestion! happy F.