Alright, thank you. Just needed a confirmation. Even though it is tied together with the VPN-related configuration, it still makes more sense to me if this was handled on the specific layer 3 part. It will still be traffic that comes from those "interfaces".
Why doesn't it make sense to you? In other firewalls you can work with security zones, so we can interpret them as different zones, at least I think so. The system was programmed to work like this, independently.
I believe the reason is that I have been used to working with the ASA firewalls, where most of these rules defined whether you wanted to go to another network locally or if you tried to reach another network via your IPsec tunnels.
That's basically it. So now I just have to think differently about the fact that it is "split". If you ask me in one month, when I have created, changed and deleted rules, then I might say it makes a lot of sense 🙂