Example VPN configuration 1: configure VPN settings for the NGFW Engines
Follow these steps for each NGFW Engine that is used as a VPN gateway.
For more details about the product and how to configure features, click Help or press F1.
Steps
Next steps
Engine Editor > VPN > Endpoints
Use this branch to change the endpoint settings that are used when the NGFW Engine acts as a VPN gateway.
Option | Definition |
---|---|
Enabled | When selected, the endpoint IP address is active. |
Name | Shows the name of the endpoint. If the endpoint does not have a descriptive name, the IP address of the endpoint is shown. |
IP Address | Shows the IP address of the endpoint. |
Connection Type | Defines how the endpoint is used in a Multi-Link configuration. |
Options | Shows the optional settings that have been selected for the endpoint. |
Phase-1 ID | Shows the value of the phase-1 ID that identifies the gateway during the IKE phase-1 negotiations. |
VPN Type | Shows the types of VPNs that the endpoint can be used in. |
Edit | Allows you to change the properties of the selected endpoint. |
Endpoint Properties dialog box
Use this dialog box to define the properties of internal endpoints.
Option | Definition |
---|---|
Name | The name of the endpoint. If no name is entered, the IP address is used. |
IP Address | The IP address of the endpoint. |
Dynamic | Automatically selected if the endpoint has a dynamic IP address. |
Connection Type | Defines how the endpoint is used in a Multi-Link configuration. |
NAT-T | Detects when an IPsec VPN tunnel goes through a NAT device. If NAT is detected, the VPN automatically uses UDP port 4500 for IKE negotiation messages, and encapsulates ESP packets in UDP packets that use port 4500. |
Contact Addresses section | This section cannot be edited. The contact addresses for endpoints are defined in the Interface properties. |
Default | Used by default whenever a component that belongs to another Location connects to this interface. |
Dynamic | Used when the endpoint has a dynamic IP address. Note: Dynamic contact addresses are not supported on SSID Interfaces. |
Exceptions | Opens the Exceptions dialog box. |
Phase-1 ID section | |
ID Type | Identifies the Gateways during the IKE phase-1 negotiations. |
Exceptions | Allows you to create VPN-specific exceptions if the endpoint must use different Phase-1 ID settings in individual policy-based VPNs. |
ID Value | Specifies the details of the ID Type. |
VPN Type section | |
All types | Restricts the types of VPNs that the endpoint can be used in. |
Selected types only | Select one or more options. Note: The endpoint must have an IPv4 address if you want to use it in SSL VPN tunnels or to access the SSL VPN Portal. |
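The NAT-T row above describes IKE negotiation messages and UDP-encapsulated ESP sharing UDP port 4500. The following added example (not part of the product documentation) shows how a capture-review script can tell the two apart using the RFC 3948 framing, for instance when checking that traffic allowed on port 4500 is really IPsec. The function name and the sample payloads are constructed for illustration.

```python
import struct

NON_ESP_MARKER = b"\x00" * 4               # RFC 3948: four zero bytes precede IKE on UDP/4500
IKE_HEADER = struct.Struct("!8s8sBBBBII")  # 28-byte IKE header (SPIs, version, exchange, length)

def classify_natt_payload(payload: bytes) -> dict:
    """Classify the UDP payload of one datagram seen on port 4500."""
    if payload == b"\xff":
        # A single 0xFF byte is a NAT-keepalive that holds the NAT mapping open.
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "too short for IKE or ESP"}
    if payload[:4] == NON_ESP_MARKER:
        # Non-ESP marker present: the rest of the payload is an IKE message.
        ike = payload[4:]
        if len(ike) < IKE_HEADER.size:
            return {"kind": "malformed", "reason": "truncated IKE header"}
        spi_i, _spi_r, _nxt, ver, exch, _flags, msg_id, length = IKE_HEADER.unpack_from(ike)
        return {
            "kind": "ike",
            "version": ver >> 4,             # major version is the high nibble
            "exchange_type": exch,
            "initiator_spi": spi_i.hex(),
            "message_id": msg_id,
            "length_ok": length == len(ike),  # header length field must match the data
        }
    # Otherwise the first four bytes are a non-zero ESP SPI, then the sequence number.
    spi, seq = struct.unpack_from("!II", payload)
    return {"kind": "esp", "spi": spi, "seq": seq}

# Constructed sample payloads (not taken from a real capture).
SAMPLE_IKE = NON_ESP_MARKER + IKE_HEADER.pack(
    bytes.fromhex("1122334455667788"), bytes(8), 46, 0x20, 35, 0x08, 1, 28)
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 7) + bytes(16)
SAMPLE_KEEPALIVE = b"\xff"

if __name__ == "__main__":
    for name, data in [("ike", SAMPLE_IKE), ("esp", SAMPLE_ESP),
                       ("keepalive", SAMPLE_KEEPALIVE)]:
        print(name, classify_natt_payload(data))
```

Payloads reported as malformed on port 4500 are worth a closer look, since they are neither IKE, ESP, nor a keepalive.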
VPN Site Properties dialog box
Use this dialog box to view or edit the properties of a VPN site.
Option | Definition |
---|---|
General tab | |
Name | The name of the element. |
Comment | An optional comment for your own reference. |
Search | Opens a search field for the selected element list. |
Up (Backspace) | Returns to the previous folder. |
New | This option is not available in this dialog box. |
Tools | |
VPN References tab | |
VPN | Shows the VPNs where this site is used. |
Enable | When selected, the site is enabled in the specified VPN. |
Mode | Defines the mode for the Site for each VPN in which it is enabled. |