Firewall policy placement for IPsec VPN/SD-WAN
I’m curious to know at which end of a VPN tunnel most people apply restrictions.
My thoughts are that you should apply restrictions near the device you’re trying to protect. So I would allow all traffic from a branch office to a hub and restrict access to servers at the hub. I suppose the restrictions could be applied on the branch firewall only, or at both ends.
How do you implement firewall policies in your environment? Are you aware of a documented best practice?
As you said, I apply the protection near the protected device.
If I have servers on the hub side, I protect them on the hub firewall instead of protecting the same servers on every branch firewall, while on the branch firewalls I protect the clients.
Hi @Magnitude_8,
Most of the time security policies are required on VPN tunnel traffic because it is considered safe traffic most of the time, but if you wish to have a security policy, you can have it on any side of the tunnel. Be aware that it might affect the throughput of the tunnel.
Regards
Rajan
