Example VPN configuration 1: configure VPN settings for the NGFW Engines

Follow these steps for each NGFW Engine that is used as a VPN gateway.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click the Firewall element, then select Edit Single Firewall or Edit Firewall Cluster.
  2. Browse to VPN > Endpoints.
  3. (Optional) Change the selection of IP addresses that you want to use as endpoints in VPNs.
    • Typically, these are IP addresses that belong to interfaces toward the Internet, which are automatically selected based on the firewall’s default routing table.
    • If loopback IP addresses are defined for the NGFW Engine, you can select a loopback IP address as the endpoint IP address. On clustered firewalls, the IP addresses are CVIs.
    • (Optional) If you have more than one Internet connection, select an IP address from each ISP.
  4. In the navigation pane on the left, browse to VPN > Sites.
    The Sites represent the addresses that are routable through the VPN. Sites do not grant any host access directly. The Access rules define the allowed connections.
  5. (Optional) Select the internal networks that you want to exclude from the VPN by disabling the interface they are under in the automatic site.
    Disabled interfaces are grayed-out.
    • If you want to include some individual network that is under an otherwise disabled interface, drag and drop it from under the disabled interface onto the Site element. The element is copied to the higher level. The copied definition is not updated automatically.
    • The Sites must include only internal networks. Do not add interfaces with the Any Network element in this type of VPN.
  6. Click Save.

Next steps

Create a Policy-Based VPN element.

Engine Editor > VPN > Endpoints

Use this branch to change the endpoint settings that are used when the NGFW Engine acts as a VPN gateway.

Option Definition
Enabled When selected, the endpoint IP address is active.
Name Shows the name of the endpoint. If the endpoint does not have a descriptive name, the IP address of the endpoint is shown.
IP Address Shows the IP address of the endpoint.
Connection Type Defines how the endpoint is used in a Multi-Link configuration.
Options Shows the optional settings that have been selected for the endpoint.
Phase-1 ID Shows the value of the phase-1 ID that identifies the gateway during the IKE phase-1 negotiations.
VPN Type Shows the types of VPNs that the endpoint can be used in.
Edit Allows you to change the properties of the selected endpoint.

Endpoint Properties dialog box

Use this dialog box to define the properties of internal endpoints.

Option Definition
Name The name of the endpoint. If no name is entered, the IP address is used.
IP Address The IP address of the endpoint.
Dynamic Automatically selected if the endpoint has a dynamic IP address.
Connection Type Defines how the endpoint is used in a Multi-Link configuration.
NAT-T Detects when an IPsec VPN tunnel goes through a NAT device. If NAT is detected, the VPN automatically uses UDP port 4500 for IKE negotiation messages, and encapsulates ESP packets in UDP packets that use port 4500.

  • Disabled — NAT traversal is disabled.
  • Enabled — Select this option to allow encapsulating the IPsec communications in standard NAT-T UDP packets in site-to-site VPNs when the gateways detect that a NAT operation is applied to the communications. If the gateways do not both support this option, the option is ignored.
  • Forced — Select this option to force NAT-T even when the gateways do not detect a NAT operation being applied to the communications. If the gateways do not both support this option, the VPN fails to establish.
Contact Addresses section This section cannot be edited. The contact addresses for endpoints are defined in the Interface properties.
Default Used by default whenever a component that belongs to another Location connects to this interface.
Dynamic Used when the endpoint has a dynamic IP address.
Note: Dynamic contact addresses are not supported on SSID Interfaces.
Exceptions Opens the Exceptions dialog box.
Phase-1 ID section
ID Type Identifies the Gateways during the IKE phase-1 negotiations.
  • DNS Name — A DNS name identifies the gateway.
  • E-mail — An email address identifies the gateway.
  • Distinguished Name — The Distinguished Name (DN) field in the gateway's certificate identifies the gateway. You can only add one DN value for each VPN Gateway.
  • IP Address — An IP address identifies the gateway. If the endpoint has a static IP address, the value is filled in automatically. If the endpoint has a dynamic IP address, you must manually enter an IP address.
To add VPN-specific exceptions for the Phase-1 ID, click Exceptions.
Exceptions Allows you to create VPN-specific exceptions if the endpoint must use different Phase-1 ID settings in individual policy-based VPNs.
ID Value Specifies the details of the ID Type.
VPN Type section Restricts the types of VPNs that the endpoint can be used in.
All types The endpoint can be used in all types of VPNs.
Selected types only Select one or more options.
  • IPsec VPN — The endpoint can be used in IPsec tunnels.
  • SSL VPN Tunnel — The endpoint can be used in SSL VPN tunnels.
  • SSL VPN Portal — The endpoint can be used to access the SSL VPN Portal.
Note: The endpoint must have an IPv4 address if you want to use it in SSL VPN tunnels or to access the SSL VPN Portal.
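The NAT-T option above describes the observable effect of NAT detection: IKE moves from UDP 500 to UDP 4500 and ESP is carried inside UDP 4500 datagrams. The following classifier, added here as an example and not part of the product documentation, shows how a defender can tell these three cases apart in a packet capture; it relies on the RFC 3948 encoding (four zero bytes mark an IKE message on port 4500, a non-zero SPI marks ESP, a single 0xFF byte is a keepalive) and uses constructed sample datagrams rather than real traffic.

```python
import struct
from typing import Dict, List, Tuple

IKE_PORT = 500         # IKE negotiation when no NAT is detected
NAT_T_PORT = 4500      # NAT-T: IKE behind a non-ESP marker, or UDP-encapsulated ESP (RFC 3948)
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # SPI 0 is reserved, so four zero bytes mean IKE, not ESP
IKEV2_HDR = struct.Struct("!8s8sBBBBII")  # SPIi, SPIr, next payload, version, exchange, flags, msg id, length

def classify_udp_payload(src_port: int, dst_port: int, payload: bytes) -> Dict[str, object]:
    """Classify one UDP datagram exchanged between two VPN gateways."""
    if IKE_PORT in (src_port, dst_port):
        return {"kind": "ike", "nat_t": False}
    if NAT_T_PORT not in (src_port, dst_port):
        return {"kind": "other", "nat_t": False}
    if payload == b"\xff":
        return {"kind": "nat-t-keepalive", "nat_t": True}
    if payload.startswith(NON_ESP_MARKER):
        # IKE message carried over port 4500: four zero bytes, then the IKE header
        hdr = payload[4:4 + IKEV2_HDR.size]
        if len(hdr) < IKEV2_HDR.size:
            return {"kind": "malformed", "nat_t": True}
        _spi_i, _spi_r, _np, version, exchange, _flags, msg_id, _length = IKEV2_HDR.unpack(hdr)
        return {"kind": "nat-t-ike", "nat_t": True, "ike_version": version >> 4,
                "exchange_type": exchange, "message_id": msg_id}
    if len(payload) < 8:
        return {"kind": "malformed", "nat_t": True}
    # Otherwise the datagram is ESP in UDP: a non-zero 32-bit SPI, then the sequence number
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "udp-encapsulated-esp", "nat_t": True, "spi": spi, "sequence": seq}

def nat_t_in_use(packets: List[Tuple[int, int, bytes]]) -> bool:
    """True if any datagram in the capture shows the gateways switched to NAT-T encapsulation."""
    return any(classify_udp_payload(*p)["nat_t"] for p in packets)

# Constructed sample datagrams (not from a real capture): an IKEv2 IKE_SA_INIT header on 500,
# the same header repeated over 4500 behind the non-ESP marker, ESP-in-UDP data, and a keepalive.
ike_sa_init = IKEV2_HDR.pack(b"\x11" * 8, b"\x00" * 8, 33, 0x20, 34, 0x08, 0, 28)
SAMPLE_PACKETS = [
    (500, 500, ike_sa_init),
    (4500, 4500, NON_ESP_MARKER + ike_sa_init),
    (4500, 4500, struct.pack("!II", 0xC0FFEE01, 1) + b"\xde\xad" * 16),
    (4500, 4500, b"\xff"),
]

if __name__ == "__main__":
    for sport, dport, data in SAMPLE_PACKETS:
        print(sport, dport, classify_udp_payload(sport, dport, data))
    print("NAT-T in use:", nat_t_in_use(SAMPLE_PACKETS))
```

A tunnel whose capture shows only port 500 and raw ESP was negotiated without NAT-T; one that shows the 4500 forms either detected a NAT device or was configured with Forced.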

VPN Site Properties dialog box

Use this dialog box to view or edit the properties of a VPN site.

Option Definition
General tab
Name The name of the element.
Comment An optional comment for your own reference.
Search Opens a search field for the selected element list.
Up (Backspace) Returns to the previous folder.
New This option is not available in this dialog box.
Tools
  • Show Deleted Elements — Shows elements that have been moved to the Trash.
  • Expand All — Expands all levels of the interface tree.
  • Collapse All — Collapses all levels of the interface tree.
  • Refresh View — Updates the view.
VPN References tab
VPN Shows the VPNs where this site is used.
Enable When selected, the site is enabled in the specified VPN.
Mode Defines the mode for the Site for each VPN in which it is enabled.
  • Normal — Use this mode for all active Site elements that do not require one of the other two modes.
  • Private — (VPN Gateways on NGFW Engines only) Use this mode for the local untranslated addresses when addresses are translated using NAT in the VPN. You must include the translated IP addresses (the addresses that the other end sees) as a Normal-mode Site element in these types of VPNs. If NAT is disabled in the VPN, any Sites in the Private mode are ignored.
  • Hub — Use this mode on a hub gateway in tunnel-to-tunnel forwarding. Hub mode Sites contain the IP addresses of the networks that are behind the remote spoke gateways (the networks between which the hub gateway forwards traffic). The automatically generated Site cannot be used as a Hub Site.