To protect private networks from unwanted network access, a firewall may be implemented in a gateway to selectively filter communication to and from the private network. By applying firewall rules, the firewall either lets network packets pass or blocks them in one or both directions, typically referred to as the up or down direction. The rules are typically based on a 5-tuple: the source and/or destination addresses of the network packets, the source and/or destination ports of the network packets, and the protocol.
To protect a private network further, the gateway's firewall may be combined with network tunneling. Access to the private network may then be established by a Virtual Private Network (VPN), where a secured networking tunnel is set up between a client device and the gateway. The setup of such a tunnel is only granted upon successful authentication with the gateway, which then functions as a VPN server. By combining a firewall and a VPN server in the gateway, access to devices in the private network can be authorized at the client or user level by the VPN server and at the network level by the firewall. An example of such a gateway solution is disclosed in U.S. Pat. No. 9,148,408, the entire disclosure of which is hereby incorporated herein by reference. In this solution, firewall rules are determined based on an authorization with an authentication server or controller. This way, client and thus user access to applications and servers is controlled centrally at a single gateway without a need for further deep-packet inspection in the gateway or anywhere in the private network.
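The following sketch is an added illustration, not code from this document or from the referenced patent. It shows 5-tuple rules that are installed per client only after authorization, with everything else blocked by default. The names Packet, Rule and Gateway, the sample addresses, the first-match ordering, and the reading of "up" as client-to-network are assumptions.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

Packet = namedtuple("Packet", "src dst sport dport proto")

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "up", "down" or "both"
    src: str = "0.0.0.0/0"       # source network (CIDR)
    dst: str = "0.0.0.0/0"       # destination network (CIDR)
    sport: Optional[int] = None  # None matches any port
    dport: Optional[int] = None
    proto: Optional[str] = None  # None matches any protocol

    def matches(self, pkt, direction):
        return (self.direction in (direction, "both")
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.sport in (None, pkt.sport) and self.dport in (None, pkt.dport)
                and self.proto in (None, pkt.proto))

class Gateway:
    def __init__(self):
        self.rules = {}  # tunnel IP -> rules installed after authentication

    def authorize(self, tunnel_ip, rules):
        self.rules[tunnel_ip] = list(rules)

    def filter(self, pkt, direction):
        client = pkt.src if direction == "up" else pkt.dst  # assumption: "up" = client -> network
        for rule in self.rules.get(client, []):  # first match wins
            if rule.matches(pkt, direction):
                return rule.action
        return "block"  # default deny: unauthenticated clients and unmatched packets

def demo():
    gw = Gateway()
    # Constructed sample: client 10.8.0.2 is authorized for HTTPS on 192.168.1.10 only.
    gw.authorize("10.8.0.2", [
        Rule("pass", "up", "10.8.0.2/32", "192.168.1.10/32", dport=443, proto="tcp"),
        Rule("pass", "down", "192.168.1.10/32", "10.8.0.2/32", sport=443, proto="tcp")])
    packets = [(Packet("10.8.0.2", "192.168.1.10", 50000, 443, "tcp"), "up"),
               (Packet("192.168.1.10", "10.8.0.2", 443, 50000, "tcp"), "down"),
               (Packet("10.8.0.2", "192.168.1.10", 50001, 22, "tcp"), "up"),
               (Packet("10.8.0.3", "192.168.1.10", 50000, 443, "tcp"), "up")]
    return [gw.filter(p, d) for p, d in packets]
```

The authorized client's HTTPS traffic passes in both directions, while its SSH attempt and all traffic from the client that never authenticated are blocked.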