Creating Network-level (Layer-4) policies for Service Tunnels

  • Updated on May 17, 2024


SonicWall’s Cloud Secure Edge (CSE) Service Tunnel policies (i.e., Tunnel Policies) provide Network-level (Layer-4) access controls so that admins can allow or deny access down to specific protocols, CIDRs, ports, and FQDNs (Fully-Qualified Domain Names).

Steps to Create a Service Tunnel Policy

1. Navigate to Private Access > Access Policies, select + Create Policy, and choose Tunnel Policy as the policy type.

2. Enter a Policy Name and a Description.

3. Configure your first Access Group. Specify the required Trust Level, Role, allowed Protocols, CIDR ranges, FQDNs, and Ports.

Note: We strongly recommend FQDNs that resolve to the same addresses from different geolocations and whose records do not change frequently. A Layer-4 rule is enforced against the addresses an FQDN resolves to, so names with geo-dependent or fast-rotating answers can produce inconsistent allow/deny results. Wildcard domains (for example, *.example.com) are not allowed.

Note: By default, the parameters above define what is allowed. To deny a subset of that allowed traffic, select Add exceptions (DENY rules) and specify the Protocols, CIDRs, and Ports to exclude; an exception always takes precedence over the allow parameters it is carved out of, and traffic matching no allow parameter is denied.

4. Optional: If you want to define an additional Access Group, select + New Access Group.

5. Select Create Policy.

Example Use Cases

Allowing all domains except one FQDN

In some cases, admins may want to allow all domains except a specific Fully-Qualified Domain Name (FQDN). This is expressed in the Tunnel Policy by allowing the broad destination set (for example, a wide CIDR range on the required protocol and ports) and then adding that FQDN as an exception (DENY rule) within the same Access Group, so the deny is evaluated ahead of the allow.
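The following is an added example, not SonicWall CSE code, that models how the Access Group parameters described in the steps above combine: allow rules over protocols, CIDRs, ports and FQDNs, with DENY exceptions that take precedence, and default deny for anything not allowed. The dictionary layout with "allow" and "deny" lists, the `Flow`/`Rule` types, the sample addresses and the blocked-attempt log format are all assumptions made for the illustration; they are not the product's policy schema or its Access Tier log format. The example also encodes the caveats from the notes: wildcard FQDNs are rejected, and an FQDN selector can only match a flow that carries a resolved name.

```python
"""Evaluator for Layer-4 (Service Tunnel style) access groups.

Added illustration; not SonicWall CSE code. The rule layout (protocols,
cidrs, ports, fqdns in "allow" and "deny" lists) is a hypothetical model of
the fields named on the page, not the product's policy schema.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    protocol: str               # "tcp", "udp", "icmp"
    dst_ip: str                 # destination address of the connection
    dst_port: int               # destination port (0 for port-less protocols)
    fqdn: Optional[str] = None  # name the client resolved for dst_ip, if known


@dataclass(frozen=True)
class Rule:
    protocols: frozenset        # empty selector means "any" for that dimension
    cidrs: tuple
    ports: frozenset
    fqdns: frozenset


def parse_ports(specs):
    """Expand port specs such as "443" or "8000-8010" into a frozenset of ints."""
    out = set()
    for s in specs:
        lo, _, hi = str(s).partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec {s!r}")
        out.update(range(lo, hi + 1))
    return frozenset(out)


def parse_fqdns(names):
    """Normalise names; reject wildcards, which the policy does not accept."""
    out = set()
    for n in names:
        n = n.lower().rstrip(".")
        if "*" in n:
            raise ValueError(f"wildcard FQDN not allowed: {n!r}")
        out.add(n)
    return frozenset(out)


def rule(protocols=(), cidrs=(), ports=(), fqdns=()):
    """Build a Rule; an empty selector matches anything for that dimension."""
    return Rule(
        frozenset(p.lower() for p in protocols),
        tuple(ipaddress.ip_network(c, strict=False) for c in cidrs),
        parse_ports(ports),
        parse_fqdns(fqdns),
    )


def matches(r, f):
    """True when the flow satisfies every non-empty selector of the rule."""
    if r.protocols and f.protocol.lower() not in r.protocols:
        return False
    if r.ports and f.dst_port not in r.ports:
        return False
    if r.cidrs and not any(ipaddress.ip_address(f.dst_ip) in n for n in r.cidrs):
        return False
    if r.fqdns:
        # At Layer 4 an FQDN rule is enforced against what the name resolved
        # to; a flow with no associated name cannot satisfy an FQDN selector.
        if f.fqdn is None or f.fqdn.lower().rstrip(".") not in r.fqdns:
            return False
    return True


def evaluate(access_group, flow):
    """DENY exceptions win over allow rules; anything not allowed is denied."""
    for i, r in enumerate(access_group.get("deny", [])):
        if matches(r, flow):
            return "DENY", f"exception {i}"
    for i, r in enumerate(access_group.get("allow", [])):
        if matches(r, flow):
            return "ALLOW", f"allow rule {i}"
    return "DENY", "no matching allow rule"


def blocked_log_line(flow, reason):
    """Constructed log format for a blocked attempt (not the Access Tier format)."""
    return (f"L4_POLICY_BLOCK proto={flow.protocol} dst={flow.dst_ip}:{flow.dst_port} "
            f"fqdn={flow.fqdn or '-'} reason=\"{reason}\"")


# Use case from the page: allow every destination on TCP/443 except one FQDN.
# Addresses and names are constructed sample data.
ALLOW_ALL_BUT_ONE = {
    "allow": [rule(protocols=["tcp"], cidrs=["0.0.0.0/0"], ports=["443"])],
    "deny": [rule(fqdns=["blocked.example.com"])],
}

if __name__ == "__main__":
    for f in (Flow("tcp", "203.0.113.10", 443, "app.example.com"),
              Flow("tcp", "203.0.113.20", 443, "blocked.example.com"),
              Flow("udp", "203.0.113.10", 53)):
        verdict, why = evaluate(ALLOW_ALL_BUT_ONE, f)
        print(verdict, why, "" if verdict == "ALLOW" else blocked_log_line(f, why))
```

Running the script prints one line per sample flow: the first is allowed by the broad rule, the second is rejected by the FQDN exception even though its address and port fall inside the allowed range, and the UDP/53 flow is rejected because no allow rule covers it. The `blocked_log_line` output stands in for the kind of record the blocked-attempt logging described below produces; when troubleshooting, the reason string tells you whether a flow hit an explicit exception or simply fell through to the default deny.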

Service Tunnel logs - blocked access attempts

CSE provides an option to log all blocked Service Tunnel access attempts, to help admins troubleshoot unexpected connection failures. A blocked access attempt is traffic rejected by an L4 policy (Tunnel Policy), either because it matched a DENY exception or because no allow rule covered it.

These Service Tunnel logs are available on your Access Tier(s).
