VPNs and how they work

VPNs secure the communications through authentication, encryption, and integrity checking mechanisms.

  • Authentication provides a way for the devices at both ends of the VPN to confirm the identity of the other device. Authentication prevents malicious parties from obtaining confidential data or access by posing as a legitimate host.
  • Encryption scrambles the transmissions to prevent anyone from viewing the content, providing privacy for the communications.
  • Integrity checking detects whether packets have been changed in transit, which could be a sign of malicious tampering or transmission errors.

Forcepoint NGFW provides two types of VPNs. The main difference between the two is how traffic is selected to use the VPN:

  • Policy-based VPNs are configured using Policy-Based VPN elements. The firewall Access rules define which traffic is sent to the VPN and which traffic is allowed out of the VPN.
  • Route-based VPNs are configured using the Route-Based VPN Tunnel elements. Any traffic that is routed to firewall interfaces that are designated as endpoints for a VPN tunnel is sent into the VPN tunnel. If Access rules allow the traffic, it is automatically sent through the tunnel to the peer endpoint.
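
The difference in how the two VPN types select traffic is easy to misjudge from prose alone, so here is a small simulation, added for this page and not part of Forcepoint's documentation or product code. It models a policy-based VPN as an Access rule whose action ("vpn" in this toy model; the real rule actions are not named here) sends matching traffic into the tunnel, and a route-based VPN as a routing table whose entries can point at a designated tunnel interface, with Access rules only allowing or discarding. All networks, addresses, rules and interface names are constructed for the illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

# Everything below is constructed for this illustration; it is not a Forcepoint
# configuration and not the NGFW's actual decision logic.

class AccessRule(NamedTuple):
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "allow", "discard", or "vpn" (toy action: send matching traffic into the VPN)

def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)

LAN = net("10.1.0.0/16")       # branch network behind this firewall
PARTNER = net("10.3.0.0/16")   # second local network, added to the policy later
HUB = net("10.2.0.0/16")       # network that is only reachable through the VPN peer
ANY = net("0.0.0.0/0")

# Policy-based model: the Access rule itself selects what enters the VPN.
POLICY_RULES = [
    AccessRule(LAN, HUB, "vpn"),
    AccessRule(PARTNER, HUB, "allow"),  # allowed, but never marked for the VPN
    AccessRule(LAN, ANY, "allow"),
    AccessRule(ANY, ANY, "discard"),
]

# Route-based model: Access rules only allow or discard; the routing table
# decides whether the packet is handed to a tunnel interface.
ROUTE_RULES = [
    AccessRule(LAN, HUB, "allow"),
    AccessRule(PARTNER, HUB, "allow"),
    AccessRule(LAN, ANY, "allow"),
    AccessRule(ANY, ANY, "discard"),
]
ROUTES = [(HUB, "tunnel1"), (ANY, "eth0")]  # (prefix, outgoing interface)
TUNNEL_INTERFACES = {"tunnel1"}             # interfaces designated as VPN tunnel endpoints

def first_match(rules, src, dst) -> Optional[AccessRule]:
    """Return the first Access rule whose source and destination contain the packet."""
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule
    return None

def longest_prefix(routes, dst) -> Optional[str]:
    """Return the outgoing interface of the most specific matching route."""
    best = None
    for prefix, iface in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None

def policy_based(src: str, dst: str) -> str:
    """Decision for a packet under the policy-based model: tunnel, clear, or drop."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    rule = first_match(POLICY_RULES, s, d)
    if rule is None or rule.action == "discard":
        return "drop"
    return "tunnel" if rule.action == "vpn" else "clear"

def route_based(src: str, dst: str) -> str:
    """Decision under the route-based model: the route picks the interface,
    the Access rule only decides whether the packet may pass at all."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    iface = longest_prefix(ROUTES, d)
    rule = first_match(ROUTE_RULES, s, d)
    if iface is None or rule is None or rule.action == "discard":
        return "drop"
    return "tunnel" if iface in TUNNEL_INTERFACES else "clear"

if __name__ == "__main__":
    flows = [("10.1.5.5", "10.2.7.7"), ("10.3.5.5", "10.2.7.7"),
             ("10.1.5.5", "203.0.113.10"), ("192.168.9.9", "10.2.7.7")]
    for src, dst in flows:
        print(f"{src:>12} -> {dst:<14} policy-based: {policy_based(src, dst):<7} "
              f"route-based: {route_based(src, dst)}")
```

The second flow is the one worth noticing: under the policy-based model the partner network is allowed but not selected for the VPN, so its traffic to the hub leaves in the clear, whereas under the route-based model the route to the tunnel interface carries it into the tunnel as soon as an Access rule allows it. The last flow shows the condition in the text that Access rules still gate route-based traffic: the packet is routed to the tunnel interface but discarded by policy.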

Policy-based VPNs are recommended for the following uses:

  • To create mobile VPNs with IPsec tunnels, SSL VPN tunnels, or both IPsec and SSL VPN tunnels.
  • To easily create VPN topologies with multiple connections between multiple gateways, such as full mesh, partial mesh, star, and hub topologies.

Route-based VPN tunnels are recommended for the following uses:

  • To use VPN tunnels as paths in dynamic routing.
  • To protect the integrity of dynamic routing communications that are sent through the Internet.
  • To protect and route multicast streams through the Internet.
  • To configure GRE, IP-IP, or SIT tunnels that encapsulate traffic but do not provide encryption.

Limitations

The following limitations apply to VPNs:

  • You cannot use the same pair of endpoints for VPN tunnels in several configurations for a single NGFW Engine. For example:
    • You cannot use the same pair of endpoints in two policy-based VPNs.
    • You cannot create two Route-Based VPN Tunnel elements that use the same pair of endpoints.
    • You cannot create a Route-Based VPN Tunnel element that uses the same pair of endpoints that is used in a VPN tunnel in a policy-based VPN.
  • VPNs are not supported on layer 2 physical interfaces on Firewalls.
  • VPNs are not supported on Layer 2 Firewalls.
  • If your Forcepoint NGFW installation is configured in a restricted operating mode to comply with regulatory requirements, some VPN options are not available to you.
  • Version-specific limitations in supported features for different Forcepoint NGFW versions are listed in the Release Notes for the versions you are using. The SMC automatically prevents the use of unsupported settings based on engine version.
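
The first two limitations above (one VPN configuration per endpoint pair on an engine, and no VPNs on layer 2 physical interfaces) can be checked before a policy is pushed. The script below is an added example written for this page, not an SMC feature or Forcepoint code; it runs over a constructed inventory of tunnel elements and interface types, so the engine name, element names and addresses are all made up for the illustration.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed inventory for this illustration (not an SMC export). Each tunnel
# is (engine, element name, element type, local endpoint, remote endpoint).
Tunnel = Tuple[str, str, str, str, str]
TUNNELS: List[Tunnel] = [
    ("HQ-FW", "HQ-to-Branch1",    "policy-based", "198.51.100.1", "203.0.113.1"),
    ("HQ-FW", "HQ-to-Branch1-RB", "route-based",  "198.51.100.1", "203.0.113.1"),  # same pair as above
    ("HQ-FW", "HQ-to-Branch2",    "policy-based", "198.51.100.1", "203.0.113.2"),
    ("HQ-FW", "Partner-Mesh",     "policy-based", "198.51.100.1", "203.0.113.2"),  # second policy-based VPN on the pair
    ("HQ-FW", "HQ-to-Branch3",    "route-based",  "198.51.100.1", "203.0.113.3"),
    ("HQ-FW", "Lab-Tunnel",       "route-based",  "198.51.100.9", "203.0.113.4"),  # endpoint sits on a layer 2 interface
]

# Constructed: (engine, endpoint address) -> type of the interface holding that address.
INTERFACE_TYPES: Dict[Tuple[str, str], str] = {
    ("HQ-FW", "198.51.100.1"): "layer3",
    ("HQ-FW", "198.51.100.9"): "layer2",
}

def find_endpoint_conflicts(tunnels: List[Tunnel]) -> Dict[Tuple[str, str, str], List[Tuple[str, str]]]:
    """Group tunnels by (engine, local endpoint, remote endpoint). Any group with
    more than one member reuses an endpoint pair on the same engine, whether the
    members are two policy-based VPNs, two route-based tunnels, or one of each."""
    groups = defaultdict(list)
    for engine, name, kind, local, remote in tunnels:
        groups[(engine, local, remote)].append((name, kind))
    return {pair: members for pair, members in groups.items() if len(members) > 1}

def find_layer2_endpoints(tunnels: List[Tunnel], interface_types: Dict[Tuple[str, str], str]) -> List[str]:
    """Return the names of tunnels whose local endpoint is on a layer 2 physical interface."""
    return [name for engine, name, _kind, local, _remote in tunnels
            if interface_types.get((engine, local)) == "layer2"]

def lint(tunnels: List[Tunnel], interface_types: Dict[Tuple[str, str], str]) -> List[str]:
    """Produce one finding per violated limitation, in a stable order."""
    findings = []
    for (engine, local, remote), members in sorted(find_endpoint_conflicts(tunnels).items()):
        listed = ", ".join(f"{name} ({kind})" for name, kind in members)
        findings.append(f"{engine}: endpoint pair {local} -> {remote} is used by {listed}")
    for name in find_layer2_endpoints(tunnels, interface_types):
        findings.append(f"{name}: local endpoint is on a layer 2 physical interface")
    return findings

if __name__ == "__main__":
    for finding in lint(TUNNELS, INTERFACE_TYPES):
        print(finding)
```

The check is keyed on the engine as well as the endpoint addresses because the limitation is stated per NGFW Engine; a reusable endpoint pair on a different engine is not a conflict.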