Firewall Access Policies for a GRE Tunnel

Before you begin configuring firewall access policies, determine the zone for the IP address that you specified for Local IP Address. Typically, this is EXTERNAL, but it could be another zone. These instructions will refer to this zone as the remote zone.

The zone that you selected for Firewall Zone Association is the tunnel zone.

Finally, determine the zone for local endpoints that are allowed to send traffic over the tunnel. The instructions will refer to this as the local zone.

  1. Create a service object for GRE (Generic Routing Encapsulation):

     a. Select Firewall > Access Policies > Services.
     b. Click Add Service.
     c. For Name, type GRE.
     d. For Protocol, select (47) GRE.
     e. Click Apply.
     f. Click Close.

  2. Configure an access policy to permit GRE packets from the remote tunnel endpoint to the TMS zl Module:

     a. Select Firewall > Access Policies > Unicast.
     b. Click Add Policy.
     c. For Action, accept the default, Permit Traffic.
     d. For From, select the remote zone.
     e. For To, select SELF.
     f. For Service, select GRE.
     g. For Source, specify the public IP address of the remote tunnel endpoint. You can select a previously configured address object or type the IP address manually. (Click Options and select Enter custom IP, IP/mask or IP-Range.)
     h. For Destination, specify the IP address that you configured for the tunnel's local IP address.
     i. Select the Enable logging on this Policy check box.

        Because policy logging is processor-intensive, it is not recommended that you enable logging permanently. Use policy logging for troubleshooting and testing only.

     j. Click Apply.

  3. Configure an access policy to permit GRE packets from the TMS zl Module to the remote tunnel endpoint:

     a. For Action, accept the default, Permit Traffic.
     b. For From, select SELF.
     c. For To, select the remote zone.
     d. For Service, select GRE.
     e. For Source, accept the default, Any Address, or specify the IP address that you configured for the local endpoint IP address.
     f. For Destination, specify the public IP address of the remote tunnel endpoint.
     g. Click Apply.

  4. Configure an access policy to permit remote traffic that arrives on the tunnel after it has been unencapsulated:

     a. For Action, accept the default, Permit Traffic.
     b. For From, select the tunnel zone.
     c. For To, select the local zone.
     d. For Service, accept the default, Any Service. This is the most basic configuration; you could also permit only certain types of traffic.
     e. For Source, specify the local IP addresses that are allowed to send traffic on the tunnel.
     f. For Destination, specify the subnet that you specified in the tunnel traffic selector.
     g. Click Apply.

  5. Configure an access policy to permit local traffic that is sent across the tunnel before it is encapsulated:

     a. For Action, accept the default, Permit Traffic.
     b. For From, select the local zone.
     c. For To, select the tunnel zone.
     d. For Service, accept the default, Any Service. This is the most basic configuration; you could also permit only certain types of traffic.
     e. For Source, specify the local IP addresses that are allowed to send traffic on the tunnel.
     f. For Destination, specify the subnet that is specified in the tunnel's traffic selector.
     g. Click Apply.

  6. If you configured multiple tunnel traffic selectors, configure access policies for that traffic.

  7. Click Close.

  8. Click Save.
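The following Python model is an added illustration, not part of this document or of the TMS zl Module software. It encodes the policies from steps 2, 3 and 5 as first-match, default-deny rules and checks that only GRE from the configured remote endpoint reaches SELF; the zone names EXTERNAL, INTERNAL and TUNNEL and all IP addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

GRE = 47  # IP protocol number selected for the GRE service object
ANY = ipaddress.ip_network("0.0.0.0/0")  # models the "Any Address" choice

# Constructed example addressing (assumptions, not values from the page).
REMOTE_ENDPOINT = ipaddress.ip_network("203.0.113.10/32")  # remote tunnel endpoint
LOCAL_TUNNEL_IP = ipaddress.ip_network("198.51.100.5/32")  # tunnel's Local IP Address
LOCAL_SUBNET = ipaddress.ip_network("10.1.0.0/24")         # local hosts allowed on the tunnel
SELECTOR_SUBNET = ipaddress.ip_network("10.2.0.0/24")      # tunnel traffic selector

@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    proto: Optional[int]           # None models "Any Service"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    log: bool = False              # "Enable logging on this Policy"

# Hypothetical zone names: remote zone = EXTERNAL, local zone = INTERNAL, tunnel zone = TUNNEL.
POLICIES = [
    Policy("EXTERNAL", "SELF", GRE, REMOTE_ENDPOINT, LOCAL_TUNNEL_IP, log=True),  # step 2
    Policy("SELF", "EXTERNAL", GRE, LOCAL_TUNNEL_IP, REMOTE_ENDPOINT),            # step 3
    Policy("INTERNAL", "TUNNEL", None, LOCAL_SUBNET, SELECTOR_SUBNET),            # step 5
]

def evaluate(policies, from_zone, to_zone, proto, src, dst):
    """First-match lookup; a packet no policy permits is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if (p.from_zone, p.to_zone) != (from_zone, to_zone):
            continue
        if p.proto is not None and p.proto != proto:
            continue
        if s in p.src and d in p.dst:
            return "permit"
    return "deny"

def unrestricted_gre_policies(policies):
    """Lint: GRE policies into SELF whose Source is Any Address."""
    return [p for p in policies if p.to_zone == "SELF" and p.proto == GRE and p.src == ANY]

if __name__ == "__main__":
    print(evaluate(POLICIES, "EXTERNAL", "SELF", GRE, "203.0.113.10", "198.51.100.5"))  # permit
    print(evaluate(POLICIES, "EXTERNAL", "SELF", GRE, "203.0.113.99", "198.51.100.5"))  # deny
    print(unrestricted_gre_policies(POLICIES))  # []
```

The lint function flags a step 2 policy whose Source was left at Any Address, which would let any host in the remote zone deliver GRE packets to the module rather than only the configured endpoint.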