The rules in this example allow hosts in the protected networks of every gateway to connect to the protected networks of all the other gateways.
VPN rules are matched based on Source, Destination, and Service like any other rules.
Note: This basic configuration scenario does not explain all settings related to VPN Access rules.
For more details about the product and how to configure features, click Help or press F1.
Steps
- Open the Firewall policy of the NGFW Engine that is configured as the hub gateway in the VPN for editing.
- Add an IPv4 Access rule in a suitable location in the policy.
  Make sure that rules for sending traffic through the VPN are above other rules that match the same traffic with the Allow, Discard, or Refuse action. Traffic that you do not want to send through the VPN must not match this rule. Traffic that is not routable through the VPN is dropped if it matches this rule.
- Fill in the rule as outlined here.
  - If NAT is enabled in the VPN, remember that the Access rules are checked before the NAT rules are applied.
  - To prevent this rule from matching other traffic, you can add the VPN you created in the Source VPN cell.
Table 1. Example VPN rule for spoke-to-spoke forwarding

| Source | Destination | Service | Action |
|---|---|---|---|
| Remote internal networks | Remote internal networks | Set as needed. | Select Use VPN, then change the Action to Forward, and click Select to add the Policy-Based VPN element you created. |
- Add two more rules to allow traffic between the hub gateway's local protected networks and the spoke gateways' protected networks.
  Two rules are created here to allow the two directions of traffic.

Table 2. Example VPN rules

| Source | Destination | Service | Action |
|---|---|---|---|
| Local internal networks | Remote internal networks | Set as needed. | Select Use VPN, then change the Action to Forward, and click Select to add the Policy-Based VPN element you created. |
| Remote internal networks | Local internal networks | Set as needed. | Select Use VPN, then change the Action to Forward, and click Select to add the Policy-Based VPN element you created. |
- Save the policy.
- Add similar rules in the policies of all NGFW Engines involved in the VPN.
  CAUTION: If you continue to use this VPN, change the pre-shared key periodically (for example, monthly) to guarantee continued confidentiality of your data. Alternatively, you can switch to certificate-based authentication by creating a custom VPN profile.
- Refresh the policies of all firewalls involved in the VPN to activate the new configuration.
Result
The VPN is established when traffic matches the created Access rules.
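The matching behaviour the steps above rely on, as an added illustration that is not part of the original documentation and not code from the NGFW product: a small Python first-match evaluator run over constructed rules and addresses. The network ranges, the rule names and the Policy-Based VPN element name "Hub-VPN" are all hypothetical. It shows why the Forward rules must sit above a broader Allow rule, what restricting a rule with the Source VPN cell does, and that a matched Forward rule drops traffic whose destination is not routable through the VPN. The Service cell is ignored for brevity.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample addressing (hypothetical, not taken from the documentation).
HUB_NET = "10.0.0.0/24"      # hub gateway's local protected network
SPOKE_A = "10.1.0.0/24"      # spoke A protected network
SPOKE_B = "10.2.0.0/24"      # spoke B protected network
STALE_NET = "10.3.0.0/24"    # a range that is NOT a site of any VPN
LOCAL_INTERNAL = [HUB_NET]            # "Local internal networks" element
REMOTE_INTERNAL = [SPOKE_A, SPOKE_B]  # "Remote internal networks" element

# Networks reachable through the hypothetical "Hub-VPN" Policy-Based VPN element.
VPN_SITES = {"Hub-VPN": [HUB_NET, SPOKE_A, SPOKE_B]}


@dataclass
class Rule:
    name: str
    sources: List[str]
    destinations: List[str]
    action: str                       # "allow", "discard", "refuse" or "forward"
    vpn: Optional[str] = None         # VPN element used when action is "forward"
    source_vpn: Optional[str] = None  # Source VPN cell: match only traffic that arrived via this VPN


def _in_any(ip: str, nets: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def evaluate(rules: List[Rule], src: str, dst: str,
             from_vpn: Optional[str] = None) -> Tuple[str, str, Optional[str]]:
    """First-match evaluation of an Access rule list.

    Returns (matched rule name, outcome, vpn). Outcome is the rule action,
    "dropped-unroutable" for a Forward rule whose destination is not a VPN
    site, or "discard" when no rule matches (implicit discard at the end).
    """
    for r in rules:
        if r.source_vpn is not None and r.source_vpn != from_vpn:
            continue  # rule restricted to traffic that came in through a given VPN
        if not (_in_any(src, r.sources) and _in_any(dst, r.destinations)):
            continue
        if r.action == "forward":
            # The rule matched, but traffic that is not routable through the
            # VPN is dropped rather than falling through to later rules.
            if _in_any(dst, VPN_SITES.get(r.vpn, [])):
                return (r.name, "forward", r.vpn)
            return (r.name, "dropped-unroutable", r.vpn)
        return (r.name, r.action, None)
    return ("<implicit>", "discard", None)


# Hub policy rules modelled on Tables 1 and 2 (names and contents constructed).
SPOKE_TO_SPOKE = Rule("Spoke-to-spoke", REMOTE_INTERNAL, REMOTE_INTERNAL,
                      "forward", vpn="Hub-VPN", source_vpn="Hub-VPN")
LOCAL_TO_REMOTE = Rule("Local-to-remote", LOCAL_INTERNAL,
                       REMOTE_INTERNAL + [STALE_NET], "forward", vpn="Hub-VPN")
REMOTE_TO_LOCAL = Rule("Remote-to-local", REMOTE_INTERNAL, LOCAL_INTERNAL,
                       "forward", vpn="Hub-VPN")
ALLOW_ANY = Rule("Allow-any", ["0.0.0.0/0"], ["0.0.0.0/0"], "allow")

# Recommended order: VPN Forward rules above the broader Allow rule.
CORRECT_ORDER = [SPOKE_TO_SPOKE, LOCAL_TO_REMOTE, REMOTE_TO_LOCAL, ALLOW_ANY]
# Misordered: the Allow rule shadows the Forward rules, so traffic is allowed in clear.
WRONG_ORDER = [ALLOW_ANY, SPOKE_TO_SPOKE, LOCAL_TO_REMOTE, REMOTE_TO_LOCAL]


if __name__ == "__main__":
    cases = [
        ("spoke A -> spoke B via VPN", CORRECT_ORDER, "10.1.0.5", "10.2.0.7", "Hub-VPN"),
        ("same flow, not from the VPN", CORRECT_ORDER, "10.1.0.5", "10.2.0.7", None),
        ("hub -> spoke A", CORRECT_ORDER, "10.0.0.5", "10.1.0.5", None),
        ("hub -> non-VPN range", CORRECT_ORDER, "10.0.0.5", "10.3.0.1", None),
        ("hub -> spoke A, misordered policy", WRONG_ORDER, "10.0.0.5", "10.1.0.5", None),
    ]
    for label, rules, src, dst, via in cases:
        print(f"{label:36s} -> {evaluate(rules, src, dst, via)}")
```

In the misordered policy the hub-to-spoke flow matches Allow-any first and never reaches the Forward rule, which is exactly the condition the second step warns against; the Source VPN restriction on the spoke-to-spoke rule keeps it from matching the same addresses when the packet did not arrive through the VPN.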