CR: IOT_WAN VPN Passthrough — Verification

Pre-Change Checklist

- [ ] Current IOT_WAN rules show rules 10-70 only (no 75/80/85/90)
- [ ] `show configuration commands | grep "IOT_WAN default"` shows no default-log line
- [ ] `show log firewall | grep "IOT_WAN"` returns empty (no logged drops)
- [ ] No ESP/4501/500 rules exist: `show configuration commands | grep -E "IOT_WAN rule 8|IOT_WAN rule 9"` returns empty (`-E` is required so that `|` is treated as alternation rather than a literal character, otherwise this check is always empty)
- [ ] VPN connection from IoT VLAN fails (GlobalProtect shows connected but no data flows)
- [ ] Backup of current VyOS config taken

Post-Change Checklist

- [ ] default-log enabled: `show configuration commands | grep "IOT_WAN default"` shows both default-action and default-log
- [ ] Rules 75, 80, 85, 90 present in `show firewall ipv4 name IOT_WAN`
- [ ] Rule 75: TCP 2443 accept (GlobalProtect VPN portal)
- [ ] Rule 80: ESP accept (IPsec encrypted data tunnel)
- [ ] Rule 85: UDP 4501 accept (IPsec NAT Traversal)
- [ ] Rule 90: UDP 500 accept (IKE key exchange)
- [ ] Firewall drops now appear in `show log firewall | grep "IOT_WAN"`
- [ ] No VPN-related drops (2443, 4501, 500, ESP) in firewall log after rule application
- [ ] User can connect GlobalProtect VPN from IoT VLAN and access work resources
- [ ] Rule hit counters incrementing on rules 75/80/85/90
- [ ] IoT security posture unchanged: IoT devices still cannot reach internal networks (IOT_LOCAL, IOT_DATA default drop)
- [ ] Existing rules 10-70 unmodified
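The post-change items that depend on `show configuration commands` output (default-log present, rules 75/80/85/90 with the right protocol and port, rules 10-70 untouched relative to the backup) can be checked offline against the saved pre- and post-change config text. This is an added example, not part of the CR; the config lines are constructed, and the VyOS 1.4 `set firewall ipv4 name IOT_WAN ...` syntax is assumed from the `show firewall ipv4 name IOT_WAN` command used above.

```python
import re

# Expected VPN passthrough rules from the post-change checklist: rule -> (protocol, destination port).
EXPECTED_VPN_RULES = {75: ("tcp", "2443"), 80: ("esp", None), 85: ("udp", "4501"), 90: ("udp", "500")}
# One `set firewall ipv4 name IOT_WAN ...` line: optional rule number, key path, optional quoted value.
LINE_RE = re.compile(r"^set firewall ipv4 name IOT_WAN (?:rule (\d+) )?(.+?)(?: '(.*)')?$")

def parse_iot_wan(config):
    """Reduce `show configuration commands` text to (defaults, {rule: {key: value}}) for IOT_WAN only."""
    defaults, rules = {}, {}
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines for other rule sets, NAT, interfaces etc. are ignored
            num, key, val = m.groups()
            target = rules.setdefault(int(num), {}) if num else defaults
            target[key] = val if val is not None else True  # valueless leaf such as default-log
    return defaults, rules

def verify_post_change(config, baseline_rules=None):
    """Return the post-change checklist items that fail; an empty list means they all pass."""
    defaults, rules = parse_iot_wan(config)
    failures = [f"{leaf} not set" for leaf in ("default-action", "default-log") if leaf not in defaults]
    for num, (proto, port) in EXPECTED_VPN_RULES.items():
        rule = rules.get(num, {})
        if (rule.get("action"), rule.get("protocol"), rule.get("destination port")) != ("accept", proto, port):
            failures.append(f"rule {num} not {proto}/{port or '-'} accept")
    # Pre-change rules (10-70) must be unchanged: compare against the rules parsed from the backup.
    failures += [f"rule {num} modified" for num, rule in (baseline_rules or {}).items() if rules.get(num) != rule]
    return failures

# Constructed sample output, not captured from a real router. Pre-change: rule 10 only, no default-log.
PRE_CHANGE = """\
set firewall ipv4 name IOT_WAN default-action 'drop'
set firewall ipv4 name IOT_WAN rule 10 action 'accept'
set firewall ipv4 name IOT_WAN rule 10 protocol 'udp'
"""
POST_CHANGE = PRE_CHANGE + """\
set firewall ipv4 name IOT_WAN default-log
set firewall ipv4 name IOT_WAN rule 75 action 'accept'
set firewall ipv4 name IOT_WAN rule 75 protocol 'tcp'
set firewall ipv4 name IOT_WAN rule 75 destination port '2443'
set firewall ipv4 name IOT_WAN rule 80 action 'accept'
set firewall ipv4 name IOT_WAN rule 80 protocol 'esp'
set firewall ipv4 name IOT_WAN rule 85 action 'accept'
set firewall ipv4 name IOT_WAN rule 85 protocol 'udp'
set firewall ipv4 name IOT_WAN rule 85 destination port '4501'
set firewall ipv4 name IOT_WAN rule 90 action 'accept'
set firewall ipv4 name IOT_WAN rule 90 protocol 'udp'
set firewall ipv4 name IOT_WAN rule 90 destination port '500'
"""
```

Run `verify_post_change(POST_CHANGE, parse_iot_wan(PRE_CHANGE)[1])` with the real backup and post-change dumps in place of the samples; an empty list covers the config-derived items, while the log, hit-counter and end-user items above still need to be checked on the router.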