Defining VPN gateways

VPN Gateway and External VPN Gateway elements represent the physical devices that establish the VPN in the configuration.

  • VPN Gateway elements represent NGFW Engines that are managed by the Management Server and administrative Domain that you are currently connected to with your Management Client. One VPN Gateway element is automatically created for each Forcepoint NGFW in the Firewall/VPN role. You can optionally add more VPN Gateways to the Firewall.

    Each VPN Gateway can have multiple VPN endpoints, but each endpoint can belong to only one VPN Gateway. For example, a Multi-Link VPN configuration requires multiple endpoints for a VPN Gateway.

  • External VPN Gateway elements represent all other gateway devices. NGFW Engines that are managed by a different Management Server or administrative Domain are also External VPN Gateway elements. External VPN Gateway elements define settings for the external gateway devices in their role as VPN gateways.

Only one VPN Gateway or External VPN Gateway element is required for each device, even if there are many VPNs. You can use the same Gateway in several different VPNs, possibly overriding some of the Gateway’s settings as necessary. You can create several Gateway elements to represent the same Firewall. However, each Gateway element reserves a VPN endpoint (IP address) that other Gateway elements cannot use. You cannot use the same pair of endpoints for VPN tunnels in several configurations for a single NGFW Engine.
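The two reservation rules above (an endpoint belongs to only one Gateway element; one NGFW Engine cannot reuse the same endpoint pair for tunnels in several VPN configurations) are easy to violate once several Gateway elements represent the same Firewall. The following is an added illustrative model of those rules, written for this page; it is not the Forcepoint SMC API or its data model, and the element names, engine names and IP addresses are constructed sample values.

```python
"""Illustrative checker for VPN Gateway endpoint reservation rules.

Added example: a hypothetical model, not Forcepoint's own API.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class VpnGateway:
    """A VPN Gateway or External VPN Gateway element (hypothetical model)."""
    name: str
    engine: str                                      # device the element represents
    endpoints: Set[str] = field(default_factory=set)  # endpoint IPs this element reserves


@dataclass
class VpnTunnel:
    """One tunnel in one VPN configuration, seen from the local Gateway element."""
    vpn_name: str
    local_gateway: str
    local_endpoint: str
    remote_endpoint: str


def endpoint_owners(gateways: List[VpnGateway]) -> Tuple[Dict[str, str], List[str]]:
    """Map each endpoint to the Gateway element reserving it.

    Returns (owner map, conflicts). A conflict is recorded when an endpoint
    appears in more than one Gateway element, because each endpoint can
    belong to only one VPN Gateway.
    """
    owner: Dict[str, str] = {}
    conflicts: List[str] = []
    for gw in gateways:
        for ep in sorted(gw.endpoints):
            if ep in owner and owner[ep] != gw.name:
                conflicts.append(
                    f"endpoint {ep} is reserved by {owner[ep]}; {gw.name} cannot use it")
            else:
                owner[ep] = gw.name
    return owner, conflicts


def endpoint_pair_conflicts(gateways: List[VpnGateway],
                            tunnels: List[VpnTunnel]) -> List[str]:
    """Report tunnels that reuse an endpoint pair for one engine across VPNs.

    The key is (engine, local endpoint, remote endpoint): two Gateway elements
    on the same engine count as the same engine for this rule.
    """
    engine_of = {gw.name: gw.engine for gw in gateways}
    seen: Dict[Tuple[str, str, str], str] = {}
    conflicts: List[str] = []
    for t in tunnels:
        engine = engine_of.get(t.local_gateway)
        if engine is None:
            conflicts.append(f"tunnel in {t.vpn_name} refers to unknown gateway {t.local_gateway}")
            continue
        key = (engine, t.local_endpoint, t.remote_endpoint)
        if key in seen and seen[key] != t.vpn_name:
            conflicts.append(
                f"engine {engine} already uses endpoint pair "
                f"{t.local_endpoint}<->{t.remote_endpoint} in {seen[key]}; "
                f"it cannot be reused in {t.vpn_name}")
        else:
            seen[key] = t.vpn_name
    return conflicts


def find_conflicts(gateways: List[VpnGateway], tunnels: List[VpnTunnel]) -> List[str]:
    """All rule violations for a set of Gateway elements and tunnels (empty = OK)."""
    _, owner_conflicts = endpoint_owners(gateways)
    return owner_conflicts + endpoint_pair_conflicts(gateways, tunnels)


# Constructed sample configuration (not from any real deployment).
GATEWAYS = [
    # Two VPN Gateway elements representing the same Firewall/VPN engine.
    VpnGateway("HQ-Gateway", "HQ-FW", {"203.0.113.1", "203.0.113.2"}),  # Multi-Link: two endpoints
    VpnGateway("HQ-Gateway-2", "HQ-FW", {"203.0.113.3"}),
    # An External VPN Gateway element for a device managed elsewhere.
    VpnGateway("Branch-External", "branch-device", {"198.51.100.1"}),
]

TUNNELS = [
    VpnTunnel("Site-to-Site-A", "HQ-Gateway", "203.0.113.1", "198.51.100.1"),
    VpnTunnel("Site-to-Site-A", "HQ-Gateway", "203.0.113.2", "198.51.100.1"),
    VpnTunnel("Site-to-Site-B", "HQ-Gateway-2", "203.0.113.3", "198.51.100.1"),
]

# Violations: a third element reusing a reserved endpoint, and a second VPN
# reusing an endpoint pair already used by the HQ-FW engine.
BAD_GATEWAY = VpnGateway("HQ-Gateway-3", "HQ-FW", {"203.0.113.1"})
BAD_TUNNEL = VpnTunnel("Site-to-Site-C", "HQ-Gateway", "203.0.113.1", "198.51.100.1")


if __name__ == "__main__":
    print("valid config:", find_conflicts(GATEWAYS, TUNNELS))
    for msg in find_conflicts(GATEWAYS + [BAD_GATEWAY], TUNNELS + [BAD_TUNNEL]):
        print("conflict:", msg)
```

The checker keys the endpoint-pair rule on the engine rather than on the Gateway element, which is the point of the last sentence above: creating a second Gateway element for the same Firewall does not make a reused endpoint pair legal.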

The predefined VPN Client element represents all instances of the Forcepoint VPN Client and third-party IPsec VPN clients in mobile VPNs. When you set up a mobile VPN with the Forcepoint VPN Client, the VPN Client element must always be used. Usually, we recommend using the element with third-party VPN clients as well. However, it is possible to configure an individual third-party VPN client using an External VPN Gateway element if there is a specific need to do so. In this configuration, only one client at a time can connect to each gateway.