topic Re: VPn Remote Access. Issue with implied rule in Firewall and Security Management

VPn Remote Access. Issue with implied rule

Vanesa_Benito_O — Tue, 03 Mar 2026 16:27:37 GMT

I am trying to configure Remote Access VPN on a recently created R82 cluster, but it is not working and I am not sure why.

The Endpoint client is not able to establish the connection. I can see the connection attempts hitting the firewall, but they are being dropped (they should be accepted by the implicit rules).

I also created an explicit Access Control rule allowing traffic from the public IP address, but I am experiencing the same issue — the firewall does not respond to the connection attempts.

Regarding the configuration:

The external interface has a private IP address configured.
Under IPSec VPN → Link Selection, I selected Statically NATed IP and configured the public IP address that is directly NATed to the firewall.
I verified that the Platform Portal is configured with a specific IP address for connections.
The Mobile Access Blade portal is configured with the same public IP address defined in Link Selection.

Does anyone have any idea what could be causing this issue?

Re: VPn Remote Access. Issue with implied rule

simonemantovani — Tue, 03 Mar 2026 16:46:20 GMT

Hello

could you share some screenshot of your configuration? (in particular the settings in the VPN clients section within the gateway), just to try to help you.

Re: VPn Remote Access. Issue with implied rule

Martijn — Tue, 03 Mar 2026 16:49:58 GMT

Hi,

What version and hotfix are installed? Cluster or single gateway?

What message does the Endpoint client gets? What does SmartLog show?

Can you test the complete VPN configuration by putting the Endpoint client directly on the external network of the gateway? So without NATed IP. This way you can check the Remote Access configuration is OK.

Martijn

Re: VPn Remote Access. Issue with implied rule

Vanesa_Benito_O — Tue, 03 Mar 2026 17:44:46 GMT

Its a cluster in R82 With take 60.

The message in the Endpoint said there is unable to connect with the site (During the site creation step). And the SmartLog shows how the firewall drops the comunnication, in other environments that comunications are accepted by implied rules. I also try to create a explicit rule to accept the traffic but without succesfull.

Its a good approach to test the connectivity directly but i need to ask if it is possible... currently i only have access remotly

Re: VPn Remote Access. Issue with implied rule

Vanesa_Benito_O — Tue, 03 Mar 2026 17:50:12 GMT

In the configuration I allowed the connection from the following:

And the authenticator method is RADIUS (but well the issue is during the site creation, is like the firewall doesnt associate the Nated IP configured with the VPN service or his internal network...). I have compared the configuration with other environments and everythings seems to be configured correctly 😞

Re: VPn Remote Access. Issue with implied rule

Jesusm — Tue, 03 Mar 2026 18:30:21 GMT

Did you add the gateway to the remote access community?

Re: VPn Remote Access. Issue with implied rule

Vanesa_Benito_O — Tue, 03 Mar 2026 18:51:31 GMT

Yes, I also have another firewall in remote access community (that is working fine with a similar scenario) but I understand that doesnt affect with the comunication of the new remote access right? At the end each gateway has their own VPN domain configured.

Re: VPn Remote Access. Issue with implied rule

simonemantovani — Wed, 04 Mar 2026 08:27:18 GMT

Usually if you have two different gateways (Gateway A and Gateway B) in the same Remote Access community, for my experience, you need to edit $FWDIR/conf/trac_client_1.ttm file on the gateways and change configuration about MEP related to these lines setting the default to false:

:automatic_mep_topology (
:gateway (
:map (
:false (false)
:true (true)
:client_decide (client_decide)
)
:default (false)
)
)

Maybe is not your case (in this case ignore my post), but I always performed this configuration, withtout it the client connect to Gateway A and it's redirected to Gateway B.

Re: VPn Remote Access. Issue with implied rule

emmap — Wed, 04 Mar 2026 08:37:00 GMT

When the firewall is dropping the packets, what is the 'drop reason' in the log?