Select IP addresses as VPN Gateway endpoints for multiple Single Firewalls

On the Define End-Points for the Internal VPN Gateways page, you can define VPN endpoints (IP addresses) for the Firewalls.

The endpoints are used when the Firewall acts as a gateway in a VPN. The same endpoint cannot be used in both a policy-based VPN and in a Route-Based VPN Tunnel element. Each IP address can only be used once.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. If you do not want to configure VPN gateway endpoints using the Create Multiple Single Firewalls wizard, continue the configuration in one of the following ways:
    • If you are creating the Firewall elements using POS codes, click Next twice, then upload the multiple Single Firewall initial configuration to the Installation Server.
    • Otherwise, click Next twice and select a Firewall Policy for multiple Single Firewalls.
  2. Otherwise, on the Define End-Points for the Internal VPN Gateways page of the Create Multiple Single Firewalls wizard, select the IPv4/IPv6 addresses that you want to use as endpoints.
    Typically, these IP addresses belong to interfaces toward the Internet, which are selected by default. Both IPv4 and IPv6 addresses can be used as endpoints in IPsec VPN tunnels. Only IPv4 addresses are supported as endpoints in SSL VPN tunnels or for access to the SSL VPN Portal. If you have more than one Internet connection, select an IP address from each ISP to make Multi-Link load balancing and failover possible.
  3. To change the properties of an endpoint, right-click the name and select Properties.
    1. (Optional) In the Name field, enter a name for the endpoint.
    2. Optional) In the Mode list, select a mode to define how the endpoint is used in a Multi-Link configuration.
      You can override the mode settings in each individual VPN.
    3. (Optional) To activate encapsulation for NAT traversal in site-to-site VPNs, select a NAT-T option. NAT device traversal might be needed at the local or remote gateway end.
      The gateway always allows VPN clients to use NAT-T regardless of these settings. NAT-T always uses the standard UDP port 4500.
      Note: The TCP Tunneling option is included for backward compatibility with legacy Forcepoint NGFW software versions. Selecting this option has no effect on Forcepoint NGFW version 5.9.0 or later.
    4. (Optional) Review the phase-1 properties of the endpoints and change them, if necessary.
    5. (Optional) To restrict the types of VPN configurations that the endpoints can be used in, select Selected types only and select one or more of the following options:
      • IPsec VPN — The endpoints can be used in IPsec tunnels in policy-based or route-based VPNs.
      • SSL VPN Tunnel — The endpoints can be used in SSL VPN tunnels.
      • SSL VPN Portal — The endpoints provide access to the SSL VPN Portal.
      Note: Only endpoints that have an IPv4 address can be used in SSL VPN tunnels or to provide access to the SSL VPN Portal.
  4. Click OK to close the Properties dialog box.
  5. Click Next.
    The Review and Edit Internal VPN Gateway End-Points page opens.
  6. Review the endpoint details and change them, if necessary.
  7. Click Next.
  8. Continue the configuration in one of the following ways:
    • If you are creating the Firewall elements using POS codes, upload the multiple Single Firewall initial configuration to the Installation Server.
    • Otherwise, select a Firewall Policy for multiple Single Firewalls.