Adjust VPN-specific Site settings for VPN Gateways

Site elements allow you to adjust how the Site is used in each VPN.

Before you begin

You must have manually added Site elements to VPN Gateways.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration.
  2. Right-click an NGFW Engine, then select Edit <element type>.
  3. Browse to VPN > Sites.
  4. Right-click a manually added Site, then select Properties.
  5. On the VPN References tab, select or deselect Enable for the existing VPNs shown in the table to include or exclude the Site from the configuration.
    When a Site is disabled, it is grayed out.
    You can disable a Site that contains translated addresses in VPNs in which NAT is not used, or in which a different address space is used for translation.
  6. In the Mode cell, select the mode for the Site for each VPN in which it is enabled.
    • Normal mode is the default. Use this mode for all active Site elements that do not require one of the other two modes.
    • Hub mode is used on a hub gateway in tunnel-to-tunnel forwarding. Hub mode Sites contain the IP addresses of the networks that are behind the remote spoke gateways (the networks between which the hub gateway forwards traffic). The automatically generated Site cannot be used as a Hub Site.
    • (VPN Gateways on NGFW Engines only) Private mode is used for the local untranslated addresses when addresses are translated using NAT in the VPN. You must include the translated IP addresses (the addresses that the other end sees) as a Normal-mode Site element in these types of VPNs. If NAT is disabled in the VPN, any Sites in the Private mode are ignored.
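
The mode rules in step 6 can be checked against a list of Site-to-VPN assignments before a policy is installed. The following Python check is an added example, not part of the product documentation and not an SMC API; the SiteRef record, the audit function, the finding codes, and the sample VPN and Site names are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class SiteRef:
    """One row of a Site's VPN References tab (hypothetical model, not an SMC object)."""
    site: str
    vpn: str
    enabled: bool
    mode: str                  # "Normal", "Hub" or "Private"
    auto_generated: bool = False

def audit(refs, nat_enabled):
    """Return (vpn, site, code) tuples for rows that conflict with the mode rules."""
    findings = []
    for r in refs:
        if not r.enabled:
            continue           # a disabled Site is excluded from that VPN
        nat = nat_enabled[r.vpn]
        if r.mode == "Hub" and r.auto_generated:
            # The automatically generated Site cannot be used as a Hub Site.
            findings.append((r.vpn, r.site, "AUTO_SITE_AS_HUB"))
        if r.mode == "Private" and not nat:
            # Private-mode Sites are ignored when NAT is disabled in the VPN.
            findings.append((r.vpn, r.site, "PRIVATE_IGNORED_NO_NAT"))
        if r.mode == "Private" and nat:
            # The translated addresses must be present as a Normal-mode Site.
            # Only the existence of such a Site is checked, not its contents.
            if not any(o.vpn == r.vpn and o.enabled and o.mode == "Normal"
                       for o in refs):
                findings.append((r.vpn, r.site, "NO_TRANSLATED_NORMAL_SITE"))
    return findings

# Constructed sample data: NAT setting per VPN and the Site rows to audit.
SAMPLE_NAT = {"vpn-a": True, "vpn-b": False, "vpn-c": True}
SAMPLE_REFS = [
    SiteRef("lan-private", "vpn-a", True, "Private"),
    SiteRef("lan-translated", "vpn-a", True, "Normal"),
    SiteRef("lan-private", "vpn-b", True, "Private"),
    SiteRef("lan-translated", "vpn-b", False, "Normal"),
    SiteRef("lan-private", "vpn-c", True, "Private"),
    SiteRef("auto-site", "vpn-c", True, "Hub", auto_generated=True),
]

if __name__ == "__main__":
    for vpn, site, code in audit(SAMPLE_REFS, SAMPLE_NAT):
        print(f"{vpn}: {site}: {code}")
```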

Engine Editor > VPN > Sites

Use this branch to select the protected IP addresses that are behind the gateway.

Option: Definition

Add and update IP addresses based on routing: When selected, the site content updates automatically according to changes made in the routing configuration for the NGFW Engine (for interfaces that are not disabled).
    Note: When the option is not selected, you must manually define the addresses that you want to be routable through the VPN.

Search: Opens a search field for the selected list.

Up: Navigates up one level in the navigation hierarchy. Not available at the top level of the navigation hierarchy.

Tools:
  • New — Creates an element of the specified type.
  • Show Deleted Elements — Shows elements that have been moved to the Trash.

Left pane: Shows elements that you can add to the site definition.

Add: Adds the selected element to the site content.

Remove: Removes the selected element from the site content.

Search: Opens a search field for the selected element list.

Up: Navigates up one level in the navigation hierarchy. Not available at the top level of the navigation hierarchy.

New: Creates an element of the specified type.

Tools:
  • Expand All — Expands all levels of the status tree.
  • Collapse All — Collapses all levels of the status tree.
  • Refresh View — Updates the view.

Right pane: Allows you to change the IP addresses that are included in the site definition.