Article Name
How do I set up ZoneAlarm to work with my VPN?
Products
ZAISS
Operating System
Windows
Solution
---------------------------------------------------------------------------------------------------------------------------------------------------
If you run a VPN client, ZoneAlarm examines outgoing packets before
encryption, and incoming packets after decryption. This prevents malicious
traffic from making its way into the VPN tunnel from your computer. It also
prevents any malicious traffic that might arrive on your computer via the VPN
tunnel from doing any damage.
Configuring ZoneAlarm for VPN Traffic
Configuring ZoneAlarm to allow VPN traffic involves three major steps:
Step 1: Adding VPN-related network resources to the Trusted Zone.
Step 2: Granting access permission to the VPN client and any other VPN-related
programs on your computer.
Step 3: Allowing VPN protocols.
Step 1: Add VPN-related network resources to the Trusted Zone
To enable your computer to communicate with VPN gateways, DNS servers or other
VPN-related network resources, add those resources to the Trusted Zone.
These resources are required by all VPN client computers and must be added to
the Trusted Zone.
1. VPN Concentrator
2. Remote host computers connected to the VPN client (if not included in the
subnet definitions for the corporate network)
3. Corporate Wide Area Network (WAN) subnets that will be accessed by the VPN
client computer
4. Corporate LANs that will be accessed by the VPN client computer
Other Resources: These may or may not be required, depending on your specific
VPN implementation.
1. DNS Servers
2. Local host computer's NIC loopback address (depending on Windows version). If
you specify a local host loopback address of 127.0.0.1, do not run proxy
software on the local host.
3. Internet Gateway
4. Local subnets
5. Security servers (for example RADIUS, ACE, or TACACS servers).
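One way to work out the Step 1 entries before typing them into ZoneAlarm, as an added example that is not from the ZoneAlarm documentation: it merges the corporate subnets, keeps a separate entry only for hosts that fall outside them, and repeats the loopback caveat. The helper name plan_trusted_zone and all addresses are assumptions constructed for illustration; it handles IPv4 only.

```python
import ipaddress

# Constructed sample values (RFC 1918 and documentation ranges), not from the article.
SAMPLE_SUBNETS = ["10.20.0.0/16", "10.20.5.0/24", "192.168.50.0/24"]
SAMPLE_HOSTS = [
    ("VPN concentrator", "203.0.113.10"),
    ("Remote host", "10.20.7.44"),
    ("Remote host", "172.16.9.3"),
    ("DNS server", "10.20.0.53"),
    ("RADIUS server", "192.168.50.12"),
    ("Loopback", "127.0.0.1"),
]


def plan_trusted_zone(subnets, hosts):
    """Hypothetical helper: return (entries, notes) for IPv4 resources."""
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    # Overlapping or adjacent corporate subnets become one Trusted Zone entry.
    merged = list(ipaddress.collapse_addresses(nets))
    entries = [("subnet", str(n), "corporate WAN/LAN") for n in merged]
    notes = []
    for label, addr in hosts:
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback:
            # The article's caveat for trusting 127.0.0.1.
            entries.append(("host", str(ip), label))
            notes.append(f"{ip} trusted: do not run proxy software on this host")
            continue
        # A host needs its own entry only if no corporate subnet includes it.
        covering = next((n for n in merged if ip in n), None)
        if covering is not None:
            notes.append(f"{label} {ip} is inside {covering}; no separate entry")
        else:
            entries.append(("host", str(ip), label))
    return entries, notes


if __name__ == "__main__":
    entries, notes = plan_trusted_zone(SAMPLE_SUBNETS, SAMPLE_HOSTS)
    for kind, value, label in entries:
        print(f"ADD  {kind:6} {value:18} {label}")
    for note in notes:
        print(f"NOTE {note}")
```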
Step 2: Grant access permission to trusted VPN-related programs
Next, grant access permission to the VPN client program and any related
programs.
Note: If any VPN-related programs use an operating system program (such as
services.exe) to perform DNS lookup, that operating system program must have
access permission as well.
Step 3: Allow VPN protocols
Finally, configure ZoneAlarm to allow specific VPN protocols through the
firewall at high security. To do this, go to the Firewall on the left, click
the Advanced button and select the check box labelled Allow VPN protocols at
high security. If your VPN uses protocols other than GRE, ESP and AH, also
select the check box labelled Allow uncommon protocols at high security.
Troubleshooting
Use the following features to facilitate troubleshooting when you are
configuring ZoneAlarm for VPN access.
Automatic network detection
If you are confident that your computer will come into contact only with VPN-related
networks during initial setup, you can set ZoneAlarm to automatically add
detected networks to the Trusted Zone. This keeps you from having to add
VPN-related networks to the Trusted Zone manually.
To do this, go to the Firewall on the left and then click the Advanced button
and select the check box labelled Include networks in the Trusted Zone on
detection.
Program Learning mode
If you are confident that your computer contains no malicious programs, you can set
ZoneAlarm's Program Control to Auto (learning mode). In this mode, ZoneAlarm
will automatically grant access permission to programs (such as your VPN client)
that access the Internet.
To enable Program Learning mode, set the Program Control slider in the Program
Control panel to Auto.
Alert Logging
If problems occur during your VPN setup, the ZoneAlarm alert log can provide
useful troubleshooting information. Select Alerts & Logs and ensure that logging
is enabled.