Example VPN configuration 3: configure VPN settings for the NGFW Engine

Configure certificates and sites for the mobile VPN.

Before you begin

The NGFW Engine must have a certificate for a mobile VPN. You can check the gateway certificates in the SD-WAN > Other Elements > VPN Certificates > Gateway Certificates branch of the Configuration view.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click the firewall element, then select Edit Single Firewall or Edit Firewall Cluster.
  2. In the navigation pane on the left, browse to VPN > Certificates.
  3. Make sure that Automated RSA Certificate Management is selected.
  4. In the navigation pane on the left, browse to VPN > Sites.
    The Sites represent the internal addresses that VPN clients can reach through the VPN. Sites do not grant any host access directly. The Access rules define the allowed connections.
  5. (Optional) Leave Add and update addresses based on routing selected.
    This option automatically updates this information based on routing changes. You can exclude some interfaces while keeping the others automatically updated.
  6. (Optional) Select the internal networks that you want to exclude from the VPN by disabling the interface they are under in the automatic site.
    Disabled interfaces are grayed-out.
    • If you want to include some individual network that is under an otherwise disabled interface, drag and drop it from under the disabled interface onto the Site element. The element is copied to the higher level. The copied definition is not updated automatically.
    • The Sites must include only internal networks. Do not add interfaces with the Any Network element in this type of VPN.
  7. Click Save.
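Steps 4 to 6 describe how the automatic Site is assembled: every network routed through an enabled interface is included and kept current, disabled interfaces drop out, a network dragged onto the Site from under a disabled interface becomes a static copy that routing changes no longer refresh, and the Any Network element must never end up in the Site. The following Python model is an added example written for this page; it is not Forcepoint code and does not use the SMC API. The interface names, address ranges and the two functions are constructed for illustration, and the validation only mirrors the rule stated in step 6 (no 0.0.0.0/0 or ::/0; warn on non-private ranges), not any check the product itself performs.

```python
"""Model of the automatic Site built in steps 4 to 7 (hypothetical, not SMC code)."""
from ipaddress import ip_network
from typing import Dict, Iterable, List, Set

# Constructed sample: networks that "Add and update addresses based on routing"
# would collect per interface. Interface 3 is the external interface; it carries
# the default route plus one internal network we still want clients to reach.
INTERFACES: Dict[str, List[str]] = {
    "Interface 1": ["10.1.0.0/16"],
    "Interface 2": ["192.168.50.0/24", "10.20.0.0/24"],
    "Interface 3": ["0.0.0.0/0", "172.16.5.0/24"],
}
DISABLED: Set[str] = {"Interface 3"}      # interface disabled in step 6
PINNED: List[str] = ["172.16.5.0/24"]     # copied onto the Site by drag and drop


def effective_site(interfaces: Dict[str, List[str]],
                   disabled: Iterable[str],
                   pinned: Iterable[str]):
    """Return the networks the Site would advertise to VPN clients.

    interfaces: {name: [cidr, ...]} networks learned from routing, per interface
    disabled:   interface names disabled in the automatic site (excluded wholesale)
    pinned:     networks copied onto the Site element; these are static and are
                not refreshed when routing changes, exactly as step 6 warns
    """
    disabled = set(disabled)
    nets = []
    for name, cidrs in interfaces.items():
        if name in disabled:
            continue
        nets.extend(ip_network(c, strict=False) for c in cidrs)
    nets.extend(ip_network(c, strict=False) for c in pinned)
    # Deduplicate (a pinned copy may also be learned later) and order deterministically.
    return sorted(set(nets), key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def validate_site(nets) -> List[str]:
    """Check the rule from step 6: Sites hold internal networks only.

    Returns a list of problems; an empty list means the Site passes.
    """
    problems = []
    for n in nets:
        if n.prefixlen == 0:
            # 0.0.0.0/0 or ::/0 is what the Any Network element expands to.
            problems.append(f"{n}: Any Network is not allowed in a mobile VPN Site")
        elif n.is_global:
            problems.append(f"{n}: not a private range; confirm it is really internal")
    return problems


if __name__ == "__main__":
    site = effective_site(INTERFACES, DISABLED, PINNED)
    print("Site networks:", [str(n) for n in site])
    print("Problems:", validate_site(site))
    # Re-enable the external interface to show why step 6 matters.
    print("With Interface 3 enabled:", validate_site(effective_site(INTERFACES, set(), PINNED)))
```

Run the file as-is to see the Site with the external interface disabled (four internal networks, no problems) and then with it enabled (the default route is flagged). If routing later adds 172.16.6.0/24 under the disabled Interface 3, rerunning with the same PINNED list shows it is not picked up, which is the behaviour of a copied definition described in step 6.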

Next steps

Create a VPN Profile element.

Engine Editor > VPN > Certificates

Use this branch to change settings for automatic certificate management and trusted certificate authorities for VPNs.

Option                                  Definition
Automated RSA Certificate Management    When selected, RSA certificates are automatically created and renewed.
                                        Note: Only the default certificate authority is used in automated RSA certificate management.
Trusted VPN Certificate Authorities     Restricts which certificate authorities the VPN gateway trusts.
                                        • Trust all — The VPN gateway trusts all certificate authorities. This option is the default setting.
                                        • Trust only selected — The VPN gateway trusts only the certificate authorities that you select in the table.