Types of VPNs in Forcepoint NGFW
Forcepoint NGFW provides two types of VPNs. The main difference between the two is how traffic is selected to use the VPN.
- Policy-based VPNs are configured using Policy-Based VPN elements. The firewall Access rules define which traffic is sent to the VPN and which traffic is allowed out of the VPN.
- Route-based VPNs are configured using the Route-Based VPN Tunnel elements. Any traffic that is routed to firewall interfaces that are designated as endpoints for a VPN tunnel is sent into the VPN tunnel. If Access rules allow the traffic, it is automatically sent through the tunnel to the peer endpoint.
Policy-based VPNs are recommended for the following uses:
- To create mobile VPNs with IPsec tunnels, SSL VPN tunnels, or both IPsec and SSL VPN tunnels.
- To easily create VPN topologies with multiple connections between multiple gateways, such as full mesh, partial mesh, star, and hub topologies.
Route-based VPN tunnels are recommended for the following uses:
- To use VPN tunnels as paths in dynamic routing.
- To protect the integrity of dynamic routing communications that are sent through the Internet.
- To protect and route multicast streams through the Internet.
- To configure GRE, IP-IP, or SIT tunnels that encapsulate traffic but do provide encryption.