After the wizard, you might want to create a firewall group for WAN-Deny, and add all the cameras to that group; only access them via VPN. You create a firewall rule to block WAN-Deny to 0.0.0.0, and a separate rule (before) to allow to any local networks that should allow access (that aren't on the same subnet). This would include your VPN IP ranges.
↧