VPNs and how they work

VPNs secure the communications through authentication, encryption, and integrity checking mechanisms.

  • Authentication provides a way for the devices at both ends of the VPN to confirm the identity of the other device. Authentication prevents malicious parties from obtaining confidential data or access by posing as a legitimate host.
  • Encryption scrambles the transmissions to prevent anyone from viewing the content, providing privacy for the communications.
  • Integrity checking detects whether packets have been changed in transit, which could be a sign of malicious tampering or transmission errors.

Forcepoint NGFW provides two types of VPNs. The main difference between the two is how traffic is selected to use the VPN:

  • Policy-based VPNs are configured using Policy-Based VPN elements. The firewall Access rules define which traffic is sent to the VPN and which traffic is allowed out of the VPN.
  • Route-based VPNs are configured using the Route-Based VPN Tunnel elements. Any traffic that is routed to firewall interfaces that are designated as endpoints for a VPN tunnel is sent into the VPN tunnel. If Access rules allow the traffic, it is automatically sent through the tunnel to the peer endpoint.

Policy-based VPNs are recommended for the following uses:

  • To create mobile VPNs with IPsec tunnels, SSL VPN tunnels, or both IPsec and SSL VPN tunnels.
  • To create VPNs in which some gateways act as central gateways and other gateways act as satellite gateways (for example, star topology and VPN hub topology).

Route-based VPN tunnels are recommended for the following uses:

  • To use VPN tunnels as paths in dynamic routing.
  • To protect the integrity of dynamic routing communications that are sent through the Internet.
  • To protect and route multicast streams through the Internet.


The following limitations apply to VPNs:
  • You cannot use the same VPN tunnel in several configurations for a single NGFW Engine. For example:
    • You cannot use the same VPN tunnel in two policy-based VPNs.
    • You cannot create two Route-Based VPN Tunnel elements that have the same endpoints.
    • You cannot create a Route-Based VPN Tunnel element that uses the same endpoints that are used in a VPN tunnel in a policy-based VPN.
  • VPNs are not supported on layer 2 physical interfaces on Firewalls.
  • VPNs are not supported on Layer 2 Firewalls.
  • If your Forcepoint NGFW installation is configured in a restricted operating mode to comply with regulatory requirements, some VPN options are not available to you.
  • Version-specific limitations in supported features for different Forcepoint NGFW versions are listed in the Release Notes for the versions you are using. The SMC automatically prevents the use of unsupported settings based on engine version.