VPN Packet Flow
On a threat defense device, no traffic passes access control by default; it must be explicitly permitted. VPN tunnel traffic is no exception: it is not relayed to the endpoints until it has passed through Snort. Incoming tunnel packets are decrypted before they are handed to the Snort process, and outgoing packets are inspected by Snort before they are encrypted.
Access Control, which identifies the protected networks for each endpoint node of a VPN tunnel, determines which traffic is allowed to pass through the threat defense device and reach the endpoints. For Remote Access VPN traffic, a Group Policy filter or an Access Control rule must be configured to permit the VPN traffic flow.
In addition, when the tunnel is down, the system does not forward tunnel-bound traffic out to the public network.