The firewall management is implemented through basic allow/deny/forward rules. The Account Administrator specifies a set of allow/deny/forward rules to define a policy. Each policy can support unique rules for each of the three network interfaces supported by the VPN Gateway: Internet, LAN, and Tunnel. Once a policy has been defined, multiple VPN Gateway devices can inherit the policy, simplifying the firewall policy management for the Account Administrator.

Two separate sets of firewall rules can be configured. One is used when operating over the configured primary interface and a second set for use when operating over the configured backup (dial, cellular, or secondary broadband) access. By having the ability to define separate policies, certain traffic can be blocked when operating over the backup connection, which usually has lower bandwidth.