Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Magnitude_8
New Contributor III

Firewall policy placement for IPsec VPN/SD-WAN

I’m curious to know at which end of a VPN tunnel most people apply restrictions.

 

My thoughts are that you should apply restrictions near the device you’re trying to protect. So I would allow all traffic from a branch office to a hub and restrict access to servers at the hub. I suppose the restrictions could be applied on the branch firewall only, or at both ends.

 

How do you implement firewall policies in your environment? Are you aware of a documented best practice?

2 REPLIES 2
AEK
SuperUser
SuperUser

As you said I apply the protection near the protected device.

If I have servers on hub side I protect them on the hub firewall, instead of protecting the same servers on every branch firewall, while on branch firewalls I protect the clients.

AEK
AEK
Rajan_kohli
Staff
Staff

Hi @Magnitude_8 ,

 

Most of the time security policies are required on VPN Tunnel traffic because it is considered safe traffic at most of the time but if you wish to have a security policy you can have them on any side of the tunnel but be aware that it might affect the throughput of the tunnel.

 

Regards

Rajan

Rajan Kohli
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors