Fastl4 fwd vs required for network access vs?

I have a Network Access vs and access policy created to give users SSLVPN. However when this was originally done, a forwarding fastl4 VS was also configured to accept traffic from any source and destined for any destination on any port for all VLANS. I disabled this as a test and when VPN'd in I can no longer access anything (internal hosts, Internet, google.com, nothing). Why is this the case? No where in the documentation did I see this was necessary. I'm also concerned this VS is overly permissive. In addition, it seems like the static ACL's I am applying to restrict VPN access to specific internal networks are not working and I'm wondering if the forwarding VS is allowing this traffic to pass. For example, if I apply a static ACL to deny all traffic to the 10.0.0.0/8 network, I am still able to ping all hosts on that network when VPN'd in.

 

Fwd_vs config: Type: Forwarding IP Source: any Dest Network: any All ports Protocol Profile: fastl4 All VLANS and Tunnels

 

Access Policy for Network Access: Basically I assign the network access and webtop and for specific groups I assign the static ACL along with them, which are as follows. Allowed: any -> 10.50.1.0/24 Denied: any -> all RFC 1918 networks

 

The ACL order is correct, matches the order above.

 

With this configuration I am still able to reach the 10.0.0.0/8 network. A tracert confirms that I am exiting the internal interface of my BigIP and reaching the internal host through the VPN.

 

So back to it, my question is two-fold. Why do I need a forwarding IP VS and could that be why my static ACL's are not working? Or are they two separate issues?

 

Any help is appreciated. Thanks