The table shows all the objects that can be configured in a direction, including three new objects created for Directional VPN:

Name of Object	Description
Remote Access Site2SiteVPN	Remote Access community Regular Star/Mesh community
Any Traffic	Any traffic
All_GwToGw	All Site2Site communities
All_Communities	All Site2Site and RemoteAccess communities
External_clear	For traffic outside the VPN community
Internal_clear	For traffic between local domains within the community

Note - Clear text connections originating from the following objects are not subject to enforcement:

• Any Traffic
• External_clear
• Internal_clear

There is no limit to the number of VPN directions that can be configured on a single rule. In general, if you have many directional enforcements, consider replacing them with a standard bidirectional condition.

VPN Directional Enforcement can take place between two VPN communities. In this case, one gateway must be configured as a member of both communities and the enforcement point between them. Every other peer gateway in both communities must have a route entry to the enforcement point gateway in its vpn_route.conf file.

To add a route entry to the enforcement point gateway:

On the management module of each gateway in the community (except for the enforcement point gateway), add an entry in the $FWDIR/conf/vpn_route.conf file:

Destination	Next hop router interface	Install on
<destination_community_obj>	<enforcement_point_gw>	<managed_FW_object>

These are the variable in the entry:

• destination_community_obj - a network object for the combined encryption domain of the community
• enforcement_point_gw - the gateway that is a member of both communities and transfers the encrypted traffic between them
• managed_FW_object - all community members that are managed by the management module

In the example below, Washington is a Mesh community, and London is a VPN Star.

The directional VPN rule below must be configured for the enforcement point gateway in the Access Control Policy Rule Base:

Source	Destination	VPN	Services & Applications	Action
Any	Any	Washington => London	Any	accept

The rule is applied to all VPN traffic that passes through the enforcement point gateway between the Washington and London communities. If a connection is opened from a source in the Washington Mesh, and the destination is in the London Star, the connection is allowed. Otherwise, the connection is denied.

Note - The Directional Enforcement applies only to the first packet of a connection. If the connection is permitted, the following packets of this connection are also permitted, including the packets in the opposite direction.