Adjusting gateway settings for NGFW Engines in existing VPNs

The Gateway Settings element defines performance-related VPN options for the NGFW Engines.

The gateway settings are used internally and there is no need to match them exactly with settings of other gateways in VPNs.

Gateway setting  
MOBIKE Return Routability Check

MOBIKE (mobile IKE) return routability checks (RRC) can be used with IKEv2 to verify the validity of a VPN client or gateway IP address if the IP address changes in the middle of an open VPN connection.

The IP address is updated in the negotiated SAs when the new IP address has been verified. If the new IP address cannot be verified, the VPN connection is closed. By default, no return routability checks are done.
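The following added example (not Forcepoint code, and not how the NGFW Engine is implemented) models the decision described above: a fresh cookie is sent to the claimed new address and must be echoed back before the SA is updated, in the style of the COOKIE2 exchange in RFC 4555. The names `IkeSa`, `handle_address_update`, `real_peer`, `unrelated_host` and `HOSTS`, and the sample addresses, are assumptions made for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class IkeSa:
    peer_addr: str
    state: str = "ESTABLISHED"


def real_peer(cookie):
    # Holds the IKE SA, so it can read the protected probe and echo the cookie.
    return cookie


def unrelated_host(cookie):
    # Not a party to the SA: it cannot produce a valid reply.
    return None


def handle_address_update(sa, new_addr, hosts, rrc_enabled):
    """Process a peer's request to move the SA to new_addr.

    hosts maps an address to the host that really answers there (a constructed
    stand-in for the network). Returns the outcome as a string.
    """
    if sa.state != "ESTABLISHED":
        return sa.state
    if not rrc_enabled:
        # No check (the default, per the page): this model accepts the
        # claimed address as-is.
        sa.peer_addr = new_addr
        return "UPDATED_UNVERIFIED"
    cookie = secrets.token_bytes(16)            # fresh, unpredictable challenge
    responder = hosts.get(new_addr)
    reply = responder(cookie) if responder else None
    if reply is not None and hmac.compare_digest(reply, cookie):
        sa.peer_addr = new_addr                 # verified: update the SAs
        return "UPDATED_VERIFIED"
    sa.state = "CLOSED"                         # not verified: close the VPN
    return "CLOSED"


# Constructed sample addresses from the documentation ranges.
HOSTS = {"198.51.100.7": real_peer, "203.0.113.50": unrelated_host}
```

With the check enabled, an update that names an address where the peer does not answer ends the connection instead of pointing the tunnel at that address.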

Negotiation Retry

If a negotiation for a VPN does not complete successfully, the VPN establishment is retried according to settings in the Negotiation Retry section in Gateway Settings properties.

The default settings are the recommended values. VPN establishment might fail because you have frequent intermittent problems with network connectivity or because your network connection is too slow. In these cases, increasing the Negotiation Retry values might be a workaround for getting the VPN to establish.

Certificate Cache

The CRL Validity setting in the Certificate Cache section in Gateway Settings properties has an effect only if you use certificates to authenticate VPN gateways in IKE negotiations.

The default setting is the recommended value. We do not recommend adjusting this setting.

By default, all NGFW Engines use the Gateway Settings element named Gateway Default Settings. To customize the gateway settings, define a custom Gateway Settings element.