Does anyone have any suggestions on a creative way to block inbound site-to-site VPN traffic? We have a software vendor that requires a site-to-site VPN, but I don't want to give wide-open access to the entire subnet. I would prefer to only allow traffic FROM us TO them, and only on port 1433.
In my opinion this is a shortcoming of the product. While I understand the philosophy of blocking flows as close to the source as possible, this may not always be possible, as that third-party device may be one you don't have under your control or don't trust. Perhaps someone from the MX team can elaborate a bit on the philosophy.
Yeah, I was afraid of this. It is such a royal pain to put in *another* firewall because of this simple limitation. It seems like a no-brainer to apply firewall policies to site-to-site VPN. Why wouldn't this be part of the solution out of the box?
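For reference, here is what the policy the original poster describes looks like on the "another firewall" the last reply mentions, written as an nftables ruleset. This is an added example, not configuration from the thread, from the MX product, or from the vendor; the interface name `vpn0`, our LAN `10.10.0.0/24`, the vendor subnet `192.0.2.0/24` and the `to_vendor`/`from_vendor` chain names are all assumptions for illustration. It allows new TCP 1433 sessions only from our LAN toward the vendor, lets return packets for those sessions back in, and logs and drops anything the vendor side initiates.

```nft
# Added example (not from the thread or the product): a separate Linux
# firewall in the forwarding path between our LAN and the site-to-site
# tunnel, restricting the tunnel to outbound TCP 1433 only.
# Assumed names: "vpn0" is the interface facing the vendor tunnel,
# 10.10.0.0/24 is our LAN, 192.0.2.0/24 is the vendor's subnet.

table inet vendor_vpn {

    # Packets leaving toward the vendor.
    chain to_vendor {
        # Replies belonging to a session we already opened.
        ct state established,related accept

        # The only session we allow to be opened: us -> vendor, TCP 1433.
        ip saddr 10.10.0.0/24 ip daddr 192.0.2.0/24 tcp dport 1433 ct state new accept

        # Everything else heading into the tunnel is logged and dropped.
        log prefix "vendor-vpn-outbound-drop: " drop
    }

    # Packets arriving from the vendor.
    chain from_vendor {
        # Only return traffic for sessions our side initiated.
        ct state established,related accept

        # The vendor never gets to open a connection toward us.
        log prefix "vendor-vpn-inbound-drop: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Only traffic touching the tunnel interface is subject to this policy;
        # other forwarded traffic is left to whatever rules already exist.
        oifname "vpn0" jump to_vendor
        iifname "vpn0" jump from_vendor
    }
}
```

Validate the file with `nft -c -f vendor_vpn.nft` before loading it with `nft -f`. Because `from_vendor` only accepts `established,related` state, the vendor side cannot reach anything on the LAN, not even the SQL Server port, unless our side opened that session first. The `ip saddr`/`ip daddr` matches are IPv4 only, so any IPv6 that somehow traverses the tunnel falls through to the drop rules, which is the intended fail-closed behaviour.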