Before you begin configuring firewall access policies, determine the zone for the IP address that you specified for Local IP Address. Typically, this is EXTERNAL, but it could be another zone. These instructions will refer to this zone as the remote zone.
The zone that you selected for Firewall Zone Association is the tunnel zone.
Finally, determine the zone for local endpoints that are allowed to send traffic over the tunnel. The instructions will refer to this as the local zone.
Then follow these steps:

1. Create a service object for GRE:
   - Select Firewall > Access Policies > Services.
   - Click Add Service.
   - For Name, type GRE.
   - For Protocol, select (47) GRE.
   - Click Apply.
   - Click Close.

2. Permit IKE traffic from the remote endpoint:
   - Select Firewall > Access Policies > Unicast.
   - Click Add Policy.
   - For Action, accept the default, Permit Traffic.
   - For From, select the remote zone.
   - For To, select SELF.
   - For Service, select isakmp.
   - For Source, specify the GRE remote endpoint, either with a single-entry address object or by typing the address manually. (Click Options and select Enter custom IP, IP/mask or IP-range.)
   - For Destination, accept the default, Any Address, or specify the local gateway.
   - Select the Enable logging on this Policy check box.

     Because policy logging is processor-intensive, it is not recommended that you enable logging permanently. Use policy logging for troubleshooting and testing only.

   - Click Apply.

3. Permit IKE traffic to the remote endpoint:
   - For Action, accept the default, Permit Traffic.
   - For From, select SELF.
   - For To, select the remote zone.
   - For Service, select isakmp.
   - For Source, accept the default, Any Address, or specify the local gateway.
   - For Destination, specify the GRE remote endpoint, either with a single-entry address object or by typing the address manually. (Click Options and select Enter custom IP, IP/mask or IP-range.)
   - Click Apply.

4. Configure an access policy to permit GRE packets from the remote tunnel endpoint to the TMS zl Module:
   - For Action, accept the default, Permit Traffic.
   - For From, select the remote zone.
   - For To, select SELF.
   - For Service, select GRE.
   - For Source, specify the public IP address of the remote tunnel endpoint. You can select a previously configured address object or type the IP address manually. (Click Options and select Enter custom IP, IP/mask or IP-range.)
   - For Destination, specify the IP address that you configured for the tunnel's local IP address.
   - Click Apply.

5. Configure an access policy to permit GRE packets from the TMS zl Module to the remote tunnel endpoint:
   - For Action, accept the default, Permit Traffic.
   - For From, select SELF.
   - For To, select the remote zone.
   - For Service, select GRE.
   - For Source, accept the default, Any Address, or specify the IP address that you configured for the local endpoint IP address.
   - For Destination, specify the public IP address of the remote tunnel endpoint.
   - Click Apply.

6. Configure an access policy to permit local unicast traffic that is sent across the tunnel:
   - For Action, accept the default, Permit Traffic.
   - For From, select the local zone.
   - For To, select the tunnel zone.
   - For Service, accept the default, Any Service. This is the most basic configuration; you could also permit only certain types of traffic.
   - For Source, specify the local IP addresses that are allowed to send traffic on the tunnel.
   - For Destination, specify the subnet that is specified in the tunnel's traffic selector.
   - Click Apply.

7. Configure an access policy to permit remote unicast traffic that arrives on the tunnel:
   - For Action, accept the default, Permit Traffic.
   - For From, select the tunnel zone.
   - For To, select the local zone.
   - For Service, accept the default, Any Service. This is the most basic configuration; you could also permit only certain types of traffic.
   - For Source, specify the remote IP addresses that are allowed to send traffic on the tunnel.
   - For Destination, specify the addresses that the remote endpoints are allowed to reach.
   - Click Apply.

8. If necessary, repeat Step 6 and/or Step 7 to permit any additional traffic that you configured for the traffic selector.

9. Click Close.
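The six unicast policies created in Steps 2 through 7 are easy to get subtly wrong, for example by leaving Source at Any Address on the GRE and IKE policies, which would let any host in the remote zone reach the tunnel endpoint. The following is an added example, not TMS zl Module code: it models those policies as a first-match list with an assumed default deny, then audits the flows the tunnel needs and a few that must stay blocked. The zone names EXTERNAL, TUNNEL and INTERNAL, the addresses (documentation ranges) and the policy names are constructed for illustration.

```python
# Model of the unicast access policies this procedure creates, with a
# first-match evaluator. Added example, not TMS zl Module code: zone names,
# addresses, policy names and the default-deny behaviour are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"    # stands in for "Any Address" / "Any Service"
SELF = "SELF"  # the module itself, as in the From/To selectors

# Assumed zone names (the page calls them the remote, tunnel and local zone).
REMOTE_ZONE, TUNNEL_ZONE, LOCAL_ZONE = "EXTERNAL", "TUNNEL", "INTERNAL"
# Constructed addresses, not taken from the page.
REMOTE_ENDPOINT = "203.0.113.10/32"  # public IP of the remote tunnel endpoint
LOCAL_TUNNEL_IP = "198.51.100.5/32"  # the tunnel's Local IP Address
LOCAL_SENDERS = "10.1.0.0/24"        # local hosts allowed onto the tunnel
REMOTE_SUBNET = "10.2.0.0/24"        # subnet in the tunnel's traffic selector


@dataclass(frozen=True)
class Policy:
    name: str
    src_zone: str
    dst_zone: str
    service: str  # "isakmp", "GRE" or ANY
    src: str      # CIDR or ANY
    dst: str      # CIDR or ANY


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    service: str
    src_ip: str
    dst_ip: str


# Steps 2 to 7 of the procedure, in the order they are created.
POLICIES = [
    Policy("ike-in", REMOTE_ZONE, SELF, "isakmp", REMOTE_ENDPOINT, ANY),
    Policy("ike-out", SELF, REMOTE_ZONE, "isakmp", ANY, REMOTE_ENDPOINT),
    Policy("gre-in", REMOTE_ZONE, SELF, "GRE", REMOTE_ENDPOINT, LOCAL_TUNNEL_IP),
    Policy("gre-out", SELF, REMOTE_ZONE, "GRE", LOCAL_TUNNEL_IP, REMOTE_ENDPOINT),
    Policy("tunnel-out", LOCAL_ZONE, TUNNEL_ZONE, ANY, LOCAL_SENDERS, REMOTE_SUBNET),
    Policy("tunnel-in", TUNNEL_ZONE, LOCAL_ZONE, ANY, REMOTE_SUBNET, LOCAL_SENDERS),
]


def _addr_match(spec: str, ip: str) -> bool:
    return spec == ANY or ip_address(ip) in ip_network(spec, strict=False)


def matches(p: Policy, f: Flow) -> bool:
    return (p.src_zone == f.src_zone and p.dst_zone == f.dst_zone
            and p.service in (ANY, f.service)
            and _addr_match(p.src, f.src_ip) and _addr_match(p.dst, f.dst_ip))


def evaluate(flow: Flow, policies=POLICIES):
    """Name of the first permitting policy, or None when nothing matches
    (the model assumes unmatched traffic is dropped)."""
    for p in policies:
        if matches(p, flow):
            return p.name
    return None


def audit(policies=POLICIES) -> dict:
    """Check the flows the tunnel needs and a few that must stay blocked."""
    required = {
        "ike-in": Flow(REMOTE_ZONE, SELF, "isakmp", "203.0.113.10", "198.51.100.5"),
        "gre-in": Flow(REMOTE_ZONE, SELF, "GRE", "203.0.113.10", "198.51.100.5"),
        "gre-out": Flow(SELF, REMOTE_ZONE, "GRE", "198.51.100.5", "203.0.113.10"),
        "tunnel-out": Flow(LOCAL_ZONE, TUNNEL_ZONE, "tcp/443", "10.1.0.20", "10.2.0.7"),
        "tunnel-in": Flow(TUNNEL_ZONE, LOCAL_ZONE, "tcp/445", "10.2.0.7", "10.1.0.20"),
    }
    must_block = [
        # GRE from any other host in the remote zone to the tunnel address
        Flow(REMOTE_ZONE, SELF, "GRE", "203.0.113.99", "198.51.100.5"),
        # IKE from an unknown peer
        Flow(REMOTE_ZONE, SELF, "isakmp", "198.51.100.200", "198.51.100.5"),
        # a local host outside the allowed senders
        Flow(LOCAL_ZONE, TUNNEL_ZONE, "tcp/22", "10.1.5.9", "10.2.0.7"),
        # a remote host reaching past the permitted destinations
        Flow(TUNNEL_ZONE, LOCAL_ZONE, "tcp/22", "10.2.0.7", "10.1.9.1"),
    ]
    return {
        "permitted": {n: evaluate(f, policies) for n, f in required.items()},
        "leaks": [f for f in must_block if evaluate(f, policies) is not None],
    }


if __name__ == "__main__":
    print(audit())
```

To see why Source must not be left at Any Address in Steps 2 and 4, change REMOTE_ENDPOINT to ANY in the "ike-in" and "gre-in" policies and rerun: the first two must_block flows then show up under "leaks".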