Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

You may experience some slow load times, errors, and slight inconsistencies. We ask for your patience as we finalize the launch. Thank you.

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our beta test area to get started.

New Member

Anyconnect client firewall or group policy VPN filter?

Hi Guys

I have seen that if I want to place an ACL for a VPN group I can either do it via a VPN filter within the group policy settings or by applyinh a private  ACL under anyconnect > client firewall settings.

Which method is the preffered method and what are the differences?

Thank you        

  • VPN

Any thoughts on this, I am

Any thoughts on this, I am also interested in one good answer.

Hi ,VPN filter is global

Hi ,

VPN filter is global method that provides granular restriction (port based filtering) which can be used to restrict the traffic originating from the client. The VPN filter checks the incoming connections over the VPN tunnel.

Client firewall option is mostly used when you have Local Lan Access applied , so that with Lan access enabled , you can filter the traffic (e.g allowing access to only printers in local lan).
Hope this helps.

Dinesh Moudgil

P.S. Please rate helpful posts.

Hello Dinesh,I have a group

Hello Dinesh,

I have a group-policy used in a Anyconnect profile. This profile is using only ssl-client as tunneling protocol.

Can I still use vpn-filter? I don't see it available on the attached picture if my presumption is right: vpn-filter == client access rules.



Hi Florin, This is under More

Hi Florin,


This is under More options in the group-policy.
See the attached snippet.

Dinesh Moudgil

Nice catch, thanks!

Nice catch, thanks!

Hi Mohammed,VPN filters

Hi Mohammed,

VPN filters provide the ability to permit or deny post-decrypted traffic after it exits a tunnel and pre-encrypted traffic before it enters a tunnel.

a VPN filter the ACL (which is stateful) is applied to traffic both bi-directionally and to all interfaces. Because of this the definition of the source and destination fields within the ACL do not apply ; instead the ACL fields relate to what IP/Port should be permitted or denied for the Local and Remote subnets.

If you use client firewall settings you can have rules configured and that will be pushed to the VPN client table during the IKE negotiation itself. In Client firewall you have multiple options. Here you have to define inbound and outbound ACL's seperately. In client-firewall options you can define policies for zone alarm, IPS, customized servers. etc.




Hi mate,What can I use for my

Hi mate,

What can I use for my scenario group-policy used in a Anyconnect profile?

Either of the two or just Client Firewall?

Hi Florin,You can have any of

Hi Florin,

You can have any of the one in group-policy. I prefer to have VPN-Filter list.