Example VPN configuration 4: define a Site element for the hub gateway

The VPN Gateway that acts as the hub gateway needs a Site element.

Note: This configuration scenario does not explain all settings related to Site elements.

Steps

  1. Right-click the VPN Gateway that acts as the hub gateway, then select New > Site.
  2. In the Name field, enter a unique name.
  3. Add all networks protected by the spoke gateways to the site contents on the right.
    After you add the protected networks, the site contains all remote IP addresses that are used in spoke-to-hub traffic that is forwarded from the hub to other spokes. The site should not contain the hub gateway’s local networks. These are defined using the automatic site management features in this example.
  4. On the VPN References tab, select Enable for this VPN element, then deselect it for all other VPNs.
    The site is still shown in all VPNs, but is grayed-out (disabled) and not included in the configuration.
  5. In the Mode cell, select Hub to activate VPN hub-related features for the VPN Gateway.
  6. Click OK to close the dialog box.
    You return to the main VPN editing view.
  7. Click the Tunnels tab.
  8. Check that the Validity column in the Gateway<->Gateway and the End-Point<->End-Point tables has a green checkmark to indicate that there are no problems.
    1. If the Validity column of a tunnel has a warning icon, see the Issues pane to check what the problem is. If the pane is not shown, select Menu > View > Panels > Issues.
    2. If issues are shown, correct them as indicated. Long issues are easiest to read by hovering over the issue text so that the text is shown as a tooltip.
  9. Click Save.
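
The rule in step 3 (the Hub-mode site must contain every network protected by the spokes and none of the hub gateway's local networks) can be checked against an address plan before the networks are entered. The following Python sketch is an added example, not part of the product or its documentation; the function name `check_hub_site` and all addresses are constructed for illustration.

```python
import ipaddress


def _parse(cidrs):
    # strict=True rejects entries with host bits set, e.g. "10.1.0.5/24"
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def _collapsed(nets):
    # Merge adjacent/contained entries per IP version so that a spoke
    # network covered by several smaller site entries counts as covered.
    merged = []
    for version in (4, 6):
        merged.extend(
            ipaddress.collapse_addresses(n for n in nets if n.version == version)
        )
    return merged


def check_hub_site(site_contents, spoke_networks, hub_local_networks):
    """Compare planned Hub-mode site contents with the address plan.

    Returns a dict with:
      missing     - spoke networks not fully covered by the site contents
      hub_overlap - (site entry, hub local network) pairs that overlap
    """
    site = _parse(site_contents)
    spokes = _parse(spoke_networks)
    hub_local = _parse(hub_local_networks)
    merged = _collapsed(site)

    missing = [
        str(s) for s in spokes
        if not any(s.version == m.version and s.subnet_of(m) for m in merged)
    ]
    hub_overlap = [
        (str(e), str(h)) for e in site for h in hub_local
        if e.version == h.version and e.overlaps(h)
    ]
    return {"missing": missing, "hub_overlap": hub_overlap}


# Constructed sample plan: three spokes, one hub LAN, and a planned site
# that forgets one spoke and wrongly includes the hub's local network.
SPOKES = ["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"]
HUB_LOCAL = ["192.168.10.0/24"]
PLANNED_SITE = ["10.1.0.0/24", "10.2.0.0/25", "10.2.0.128/25", "192.168.10.0/24"]

if __name__ == "__main__":
    print(check_hub_site(PLANNED_SITE, SPOKES, HUB_LOCAL))
```

An empty `missing` list and an empty `hub_overlap` list mean the planned site contents match the rule in step 3.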

Next steps

Create Access rules.

VPN Site Properties dialog box

Use this dialog box to view or edit the properties of a VPN site.

Option | Definition

General tab
Name | The name of the element.
Comment | An optional comment for your own reference.
Search | Opens a search field for the selected element list.
Up (Backspace) | Returns to the previous folder.
New | This option is not available in this dialog box.
Tools |
  • Show Deleted Elements — Shows elements that have been moved to the Trash.
  • Expand All — Expands all levels of the interface tree.
  • Collapse All — Collapses all levels of the interface tree.
  • Refresh View — Updates the view.

VPN References tab
VPN | Shows the VPNs where this site is used.
Enable | When selected, the site is enabled in the specified VPN.
Mode | Defines the mode for the Site for each VPN in which it is enabled.
  • Normal — Use this mode for all active Site elements that do not require one of the other two modes.
  • Private — (VPN Gateways on NGFW Engines only) Use this mode for the local untranslated addresses when addresses are translated using NAT in the VPN. You must include the translated IP addresses (the addresses that the other end sees) as a Normal-mode Site element in these types of VPNs. If NAT is disabled in the VPN, any Sites in the Private mode are ignored.
  • Hub — Use this mode on a hub gateway in tunnel-to-tunnel forwarding. Hub mode Sites contain the IP addresses of the networks that are behind the remote spoke gateways (the networks between which the hub gateway forwards traffic). The automatically generated Site cannot be used as a Hub Site.