Allow SSLVPN-Users Policy - Security Issue?
I noticed when you enable the mobile vpn with ssl, it creates a policy that looks like this:
Name: Allow SSLVPN-Users
From: SSLVPN-Users (Any)
To: Any
With the vpn set up to force all client traffic through the tunnel.
If you don't do anything else, I noticed that all SSLVPN user traffic goes through this policy and they are allowed to bypass all your proxies, so no AV scanning, no web filtering, etc., until you start adding the group SSLVPN-Users to your other policies.
Is this normal behavior?
Comments
It is the default behavior.
You can set this policy to Disabled and add any desired policies for SSLVPN-Users
Hello @phanaaekIT
This is normal behavior, but you can disable the default policy, and add the SSLVPN-Users group to existing policies, or new ones.
See here for more info:
https://watchguardsupport.secure.force.com/publicKB?type=Article&SFDCID=kA10H000000g30qSAA&lang=en_US
-James Carson
WatchGuard Customer Support
I already apply my proxies to my VPN traffic, but I am wondering if there is a way to filter the VPN traffic through GAV or whatever before it hits a LAN. I fear something on a home PC crawling up the VPN pipe.
Gregg Hill
If you have a proxy From: VPN user group, then that proxy will apply to the VPN traffic prior to the firewall forwarding it out an interface, such as to a LAN interface.
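To make the behaviour described in this thread concrete, here is an added example that is not part of the original posts and not WatchGuard's own code: a small Python model of a policy table. It evaluates policies top-down, first match wins (an assumption standing in for the Firebox's real precedence rules, which the thread does not describe), and reports which policy handles each flow from the SSLVPN-Users alias and whether that policy is a proxy (content inspected) or a plain packet filter. The policy names other than "Allow SSLVPN-Users", the aliases "Trusted"/"External", and the sample flows are constructed for the example.

```python
"""
Toy model of a firewall policy table (constructed example, not Firebox code).
Shows why the default "Allow SSLVPN-Users" packet filter (From: SSLVPN-Users,
To: Any) means VPN client traffic never reaches proxy policies, and what
changes once it is disabled and SSLVPN-Users is added to the proxy policies.
Assumption: policies are checked in list order, first match wins.
"""
from dataclasses import dataclass
from typing import Optional

ANY = "Any"


@dataclass
class Policy:
    name: str
    sources: frozenset            # aliases accepted in From:
    destinations: frozenset       # aliases accepted in To:
    ports: Optional[frozenset]    # None means any port
    action: str                   # "proxy" (inspected) or "packet-filter"
    enabled: bool = True

    def matches(self, src: str, dst: str, port: int) -> bool:
        if not self.enabled:
            return False
        src_ok = ANY in self.sources or src in self.sources
        dst_ok = ANY in self.destinations or dst in self.destinations
        port_ok = self.ports is None or port in self.ports
        return src_ok and dst_ok and port_ok


def first_match(policies, src, dst, port):
    """Return the first enabled policy matching the flow, or None (implicit deny)."""
    for p in policies:
        if p.matches(src, dst, port):
            return p
    return None


def audit_vpn_flows(policies, flows, vpn_group="SSLVPN-Users"):
    """Map each (destination, port) flow from the VPN group to
    (policy name or 'denied', inspected_by_proxy)."""
    report = {}
    for dst, port in flows:
        hit = first_match(policies, vpn_group, dst, port)
        if hit is None:
            report[(dst, port)] = ("denied", False)
        else:
            report[(dst, port)] = (hit.name, hit.action == "proxy")
    return report


# Constructed sample flows from a VPN client: web out, HTTPS out, SMB and SSH to the LAN.
FLOWS = [("External", 80), ("External", 443), ("Trusted", 445), ("Trusted", 22)]


def default_table():
    """State right after enabling Mobile VPN with SSL: the auto-created
    allow-any policy sits in front of the proxies, which only list Trusted."""
    return [
        Policy("Allow SSLVPN-Users", frozenset({"SSLVPN-Users"}), frozenset({ANY}),
               None, "packet-filter"),
        Policy("HTTP-proxy", frozenset({"Trusted"}), frozenset({"External"}),
               frozenset({80}), "proxy"),
        Policy("HTTPS-proxy", frozenset({"Trusted"}), frozenset({"External"}),
               frozenset({443}), "proxy"),
    ]


def hardened_table():
    """Disable the default policy, add SSLVPN-Users to the proxies, and allow
    only the LAN ports actually needed (SMB here) with an explicit policy."""
    table = default_table()
    table[0].enabled = False
    for p in table[1:]:
        p.sources = p.sources | {"SSLVPN-Users"}
    table.append(Policy("SSLVPN-to-LAN", frozenset({"SSLVPN-Users"}),
                        frozenset({"Trusted"}), frozenset({445}), "packet-filter"))
    return table


if __name__ == "__main__":
    for label, table in (("default", default_table()), ("hardened", hardened_table())):
        print(f"--- {label} policy table ---")
        for flow, (name, inspected) in audit_vpn_flows(table, FLOWS).items():
            print(f"{flow[0]}:{flow[1]:<4} -> {name:<20} proxy-inspected={inspected}")
```

With the default table every VPN flow, including SSH to the LAN, lands on the packet filter and is never proxied; with the default policy disabled, web traffic goes through the proxies, SMB is explicitly allowed, and anything not covered (SSH here) falls to the implicit deny. The model is a way to reason about policy coverage, not a substitute for checking the effective policy order on the firewall itself.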
Hmm. I will have to test that. Thank you!
Gregg Hill
Thanks for the info and the link. It's very helpful, but I feel like neither the KB nor the documentation makes it clear enough that it's basically adding an any-outgoing policy for VPN users. Anyway, thanks for the confirmation, I got that disabled now.
Is there a way to change dhcp lease time on the ssl vpn?
Q. Is there a way to change dhcp lease time on the ssl vpn?
What is the issue?
There is no way in XTM to set a max session time for SSLVPN.
No big issue, just wondering what the lease time is so I could maybe increase it to keep DNS working well, but so far it's working OK.
Ha, ha, ha. I read "There is no way in XTM to set a max session time for SSLVPN" and laughed, thinking, "Sure there is! Just try using it at Starbucks!"
My IKEv2 VPN is MUCH more stable.
How are you holding up, Bruce?
Gregg
Gregg Hill
Still kicking
Me, too, just not as hard as I used to kick!
Gregg Hill
Starbucks is closed down here. Good thing I don't drink coffee.
Adrian from Australia