Forcepoint NGFW supports both policy-based and route-based VPNs (virtual private networks). In a policy-based VPN, the firewall policy decides which traffic is sent into the tunnel; in a route-based VPN, the routing table decides, by directing traffic to a tunnel interface.
You can reconfigure and tune existing VPNs.
Before setting up Forcepoint Next Generation Firewall (Forcepoint NGFW), it is useful to know what the different components do and what engine roles are available.
Before you can set up the system and start configuring elements, you must consider how the different SMC components should be positioned and deployed.
After deploying the SMC components, you are ready to start using the Management Client and carrying out some of the first configuration tasks.
You can use the SMC to monitor system components and third-party devices. You can also view and filter logs, and create Reports from them.
You can command and set options for engines through the Management Client or on the engine command line. You can also stop traffic manually.
Security Management Center (SMC) configuration allows you to customize how the SMC components work.
You can create and modify Firewalls, IPS engines, Layer 2 Firewalls, Master NGFW Engines and Virtual NGFW Engines. You can configure the engine properties, activate optional features, and configure advanced engine settings.
Use the Management Client to configure static or dynamic routing, and use a Multi-Link configuration to manage and distribute inbound and outbound connections.
Policies are key elements that contain rules for allowing or blocking network traffic and inspecting the content of traffic.
User accounts are stored in internal databases or external directory servers. Users can be authenticated either by Forcepoint NGFW in the Firewall/VPN role or by external authentication servers.
A VPN extends a secured private network over public networks by encrypting connections so that they can be transported over insecure links without compromising confidential data.
VPNs allow creating secure, private connections through networks that are not otherwise secure.
The following configurations outline specific examples for common policy-based VPN configuration scenarios.
A digital certificate is a proof of identity. Forcepoint NGFW in the Firewall/VPN role supports using certificates for authenticating gateways and the Stonesoft VPN Client.
You can add or remove tunnels in a VPN.
NAT traversal (NAT-T) lets VPN communications pass through intermediary devices that apply NAT. The gateways detect during IKE negotiation whether a device on the path has rewritten their addresses and, if so, encapsulate the IPsec traffic in UDP (port 4500) so that the address translation no longer breaks the tunnel. NAT-T does not stop the intermediary from applying NAT; it makes the VPN tolerate it.
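The NAT detection that the paragraph above refers to works by comparing hashes of the addresses each peer believes it is using against the addresses actually seen on the wire. The following is an added example, not Forcepoint NGFW or SMC code, and it assumes IKEv2 (RFC 7296, section 2.23, NAT_DETECTION_SOURCE_IP): the sender hashes its SPIs, IP address and port; the receiver recomputes the hash from the source address the packet really arrived from, and a mismatch means NAT is in the path. The SPIs, addresses and ports are constructed for the demonstration.

```python
"""
Illustrative IKEv2 NAT detection (RFC 7296, section 2.23).

Added example, not Forcepoint NGFW or SMC code. The SPIs, addresses and
ports below are constructed for the demonstration.
"""
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1 over SPIi | SPIr | IP address | port (port big-endian), which is
    the content of a NAT_DETECTION_SOURCE_IP / _DESTINATION_IP notification."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKEv2 SPIs are 8 bytes each")
    addr = ipaddress.ip_address(ip).packed  # 4 bytes for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def nat_in_front_of_sender(received_hash: bytes, spi_i: bytes, spi_r: bytes,
                           observed_ip: str, observed_port: int) -> bool:
    """Receiver side: recompute the hash from the IP/port the packet actually
    arrived from. A mismatch means a NAT rewrote the sender's address or port."""
    return received_hash != nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)


def choose_transport(nat_detected: bool) -> tuple:
    """Without NAT: IKE stays on UDP/500 and ESP runs as IP protocol 50.
    With NAT: IKE and UDP-encapsulated ESP (RFC 3948) both move to UDP/4500,
    where IKE messages carry a 4-byte zero non-ESP marker to tell them apart."""
    return (4500, "UDP-encapsulated ESP") if nat_detected else (500, "native ESP")


SPI_I = bytes.fromhex("0102030405060708")  # constructed initiator SPI
SPI_R = bytes(8)  # responder SPI is still zero in the initiator's IKE_SA_INIT

# Scenario A: initiator behind a NAT. It hashes its private address and port...
sent_a = nat_detection_hash(SPI_I, SPI_R, "192.168.1.10", 500)
# ...but the responder sees the NAT's public address and a rewritten source port.
nat_a = nat_in_front_of_sender(sent_a, SPI_I, SPI_R, "203.0.113.5", 51234)

# Scenario B: no NAT on the path, so the observed address matches and hashes agree.
sent_b = nat_detection_hash(SPI_I, SPI_R, "198.51.100.7", 500)
nat_b = nat_in_front_of_sender(sent_b, SPI_I, SPI_R, "198.51.100.7", 500)

if __name__ == "__main__":
    print("Scenario A: NAT detected =", nat_a, "->", choose_transport(nat_a))
    print("Scenario B: NAT detected =", nat_b, "->", choose_transport(nat_b))
```

The same comparison is done in both directions (each peer also sends a NAT_DETECTION_DESTINATION_IP hash of where it thinks the packet is going), so either side can tell whether the NAT sits in front of itself or its peer. In practice this is why a gateway behind NAT needs UDP/500 and UDP/4500 allowed through, while native ESP (protocol 50) is only needed when no NAT is present.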
You can apply NAT to the communications between VPN Gateways.
You can configure NAT for traffic in VPN tunnels in the properties of the Policy-Based VPN element.
You can add new gateways to route-based and policy-based VPNs.
There are special considerations depending on whether you change the IP address of a VPN Gateway element or an External VPN Gateway element.
If you want to give access to hosts with IP addresses that are not already configured for your policy-based VPN, you must follow several general steps.
You can force all traffic from VPN clients or clients in protected networks to be routed through a policy-based VPN.
In policy-based VPNs, you can redirect traffic from one VPN tunnel to another VPN tunnel through a hub gateway.
You can renew or generate pre-shared keys automatically or manually.
The Gateway Settings element defines performance-related VPN options for the Firewalls.
Stonesoft VPN Client does not have controls for many settings that are needed for establishing a VPN. These settings are defined in the SMC. Stonesoft VPN Client downloads the settings from the gateways it connects to. VPN clients are only supported in policy-based VPNs.
Maintenance includes procedures that you do not typically need to do frequently.
Troubleshooting helps you resolve common problems in the Forcepoint NGFW and SMC.