I feel your pain. I am going to suggest a completely different solution.

1. Have the user use client VPN to connect to the site they want to work on. They can work on either site, but only one at a time.
2. Deploy a "jump host" at City2 (such as a Windows virtual machine). Have them install all their SCADA software there. Have them RDP to that host when needing to work in City2. You can put that jump host in a new VLAN (at City2) that does not have overlapping IP addresses, and build an AutoVPN to that. Have them use client VPN to access it. Or, as a last choice, NAT a public IP address through to it, limit that NAT entry to the public IP address used by City1, and have them RDP to that.

Bonus points when using a jump host: limit SCADA access to only that jump host, and then deploy something like Duo MFA to secure the jump host (this also provides comprehensive audit logs of access).

I have set up a really strict "life or death" control environment before, and we added an extra step in that the account used to access the SCADA jump host was normally disabled. Any changes had to be approved. Once approved, the account was enabled at the nominated time and was set to disable automatically once the time had expired.
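One way to implement the "normally disabled, enabled only for an approved window" jump-host account described in the post above, as an added example that is not the poster's own script. It assumes an Active Directory domain with the RSAT ActiveDirectory module installed, a caller with rights to modify the account, and placeholder names and times.

```powershell
# Added example (not from the original post): time-boxed enablement of a
# SCADA jump-host account. Assumes the ActiveDirectory module (RSAT) is
# installed and the caller may modify the account. Account name, times
# and task names below are placeholders.
Import-Module ActiveDirectory

function Enable-JumpHostAccountWindow {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [datetime] $Start,   # approved start time
        [Parameter(Mandatory)] [datetime] $End      # approved end time
    )
    if ($End -le $Start) { throw "End must be after Start" }

    # Refuse to act unless the account is in its normal (disabled) state,
    # so an already-open window cannot be silently extended.
    $acct = Get-ADUser -Identity $SamAccountName -Properties Enabled
    if ($acct.Enabled) { throw "$SamAccountName is already enabled; review before extending" }

    # Apply the expiry first: even if the enable task fires, AD itself
    # rejects logons after $End, so the window closes without a second hop.
    Set-ADAccountExpiration -Identity $SamAccountName -DateTime $End

    # One-shot task to enable the account at the nominated start time.
    # In production, register the task under a dedicated service principal
    # (-User/-Password or New-ScheduledTaskPrincipal) rather than the
    # interactive operator so it runs whether or not anyone is logged on.
    $enable  = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -Command `"Enable-ADAccount -Identity '$SamAccountName'`""
    $startTr = New-ScheduledTaskTrigger -Once -At $Start
    Register-ScheduledTask -TaskName "Enable-$SamAccountName" -Action $enable `
        -Trigger $startTr -RunLevel Highest -Force | Out-Null

    # Belt and braces: a second task flips the Enabled flag back off at
    # $End so the account returns to its normal state, not just "expired".
    $disable = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -Command `"Disable-ADAccount -Identity '$SamAccountName'`""
    $endTr   = New-ScheduledTaskTrigger -Once -At $End
    Register-ScheduledTask -TaskName "Disable-$SamAccountName" -Action $disable `
        -Trigger $endTr -RunLevel Highest -Force | Out-Null

    Write-Output "$SamAccountName window: $Start -> $End (expiry set in AD)"
}

# Usage with placeholder values (approved change window):
# Enable-JumpHostAccountWindow -SamAccountName 'scada-jump-user' `
#     -Start (Get-Date '2024-01-15 08:00') -End (Get-Date '2024-01-15 12:00')
```

The AD account-expiry date is the control that actually closes the window; the scheduled disable task only restores the account's visible state so the next approval starts from "disabled" as the post describes.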