You configure server rules at the vpn server-rules level. For more details on the structure of the command to configure server rules, see the Configuring Rules Using UPL section.
To create an VPN server rule, use the following command:
Admin@nodename# create vpn server-rules <position> upl-rule <parameters>
You need to specify the following parameters:
Parameter |
Description |
---|---|
PASS OK |
Action to create a rule using UPL. |
enabled |
Enable/disable a rule:
If not specified when it is created, the rule will be enabled once created. |
name |
VPN server rule name. Example: name("VPN server rule example"). |
desc |
A description of the rule. Example: desc("VPN server rule example configured in CLI"). |
profile |
VPN security profile that defines a pre-shared encryption key and algorithms for encryption and authentication. Example: profile("Client VPN profile"). For more details on configuring security profiles, see the Configuring VPN Security Profiles section. |
vpn_network |
VPN network. To specify a network: vpn_network("VPN network example"). For more details about how to configure VPN using CLI, see the Configuring VPN Network section. |
auth_profile |
Authentication profile for VPN users. The same authentication profile may be used that you use to authorize users for Internet access. Note that transparent authentication methods such as Kerberos, NTLM, or SAML IDP cannot be used for VPN authorization. To specify a authentication profile: auth_profile("Example user auth profile"). For more details about how to create and configure auth profiles using CLI, see the Configuring Authentication Profiles section. |
interface |
VPN interface to connect VPN clients. To specify an interface, for example, tunnel1: interface(tunnel1). For more information about how to add and configure VPN interfaces, see the VPN Device Settings section. |
src.zone |
Zone from which VPN connections are allowed. To specify a source zone, such as Untrusted: src.zone = Untrusted. For more details about how to configure zones using CLI, see the Zones section. |
src.ip |
Lists of IP addresses or domains from which VPN connections are allowed. To specify a list of IP addresses: src.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see the Configuring IP addresses section. To specify a source domain list: src.ip = lib.url(). Provide the URL to which the desired domains were added in parentheses. For more details about how to create and configure URL lists using the CLI, see the Configuring URL Lists section. |
user |
Users and user groups allowed to connect via VPN. To add LDAP groups and users, you need to have a correctly configured LDAP connector (for more information about configuring LDAP connectors via the CLI, see the Configuring LDAP Connectors section). The following line describes how to add a local user (local_user) and group (Local Group), a user (example.local\AD_user), and an LDAP group (AD group): user = (local_user, "CN=Local Group,DC=LOCAL", "example.loc\\AD_user", "CN=AD group,OU=Example,DC=example,DC=loc") The Active Directory domain example.loc has been already configured. When adding LDAP users and groups, you can specify a list of paths on the server, starting from which the system will search for users and groups. |
dst.ip |
Lists of IP addresses of the interface to which the clients will be connected. To specify a list of IP addresses: dst.ip = lib.network(). Provide the list name in parentheses. For more details about how to create and configure IP address lists using CLI, see the Configuring IP addresses section. |
Example of creating a VPN server rule:
Admin@nodename# create vpn server-rules 3 upl-rule OK\ ...name("Test server VPN rule") \ ...desc("Test server VPN rule description") \ ...profile("New server VPN profile") \ ...vpn_network("Test VPN network") \ ...auth_profile(Local) \ ...interface(tunnel3) \ ...src.zone = Untrusted \ ...dst.ip = lib.network("UG address") \ ...user = ("CN=VPN servers,DC=LOCAL") \ ...enabled(true) \
To edit a VPN server rule, use the following command:
Admin@nodename# set vpn server-rules <position> upl-rule <parameters>
To remove a VPN server rule, use the following command:
Admin@nodename# delete vpn server-rules <position>
To view the configured VPN server rules, use the following command:
Admin@nodename# show vpn server-rules <position>