Add a VPN Broker Interface to each NGFW Engine

You must add a VPN Broker Interface to each NGFW Engine that is used as a VPN Broker member so that the VPN Broker can communicate with the members of a VPN Broker domain.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. In the Management Client, select Configuration.
  2. Right-click an NGFW Engine, then select Edit <element type>.


  3. Browse to Interfaces.
  4. Click Add > VPN Broker Interface.
  5. Configure the settings.


    1. From the VPN Broker Domain drop-down list, select the VPN Broker Domain element that you created.
    2. In the MAC Address field, enter the last three octets of the MAC address for the VPN Broker member.
      This MAC address must be the same as the MAC address used in the corresponding VPN Broker Member element that you created in the NGFW Manager.
    3. In the Shared Secret field, enter the same password that you entered for the VPN Broker Member element in the NGFW Manager.
    4. Click OK.
  6. Right-click the VPN Broker Interface, then select New > IPv4 Address or New > IPv6 Address.
  7. Enter the IP address used in the corresponding VPN Broker Member element, then click OK.
  8. Click Save and Refresh, then click OK to transfer the changes to the NGFW Engine.

Example

Table 1. VPN Broker Interface properties
Option Definition
General tab
Interface ID

The ID number that identifies the VPN Broker Interface.

The VPN Broker Interface is a virtual interface that is used only for the VPN Broker. The interface ID of the VPN Broker Interface can be the same as the interface ID of a physical interface on the same NGFW Engine.

Zone

(Optional)

Select the network zone to which the interface belongs. Click Select to select an element, or click New to create an element.
VPN Broker Domain Select the VPN Broker Domain element that you created.
MAC Address
Note: The MAC address prefix for the VPN Broker Domain is automatically added based on the VPN Broker Domain element.

Enter the last three octets of the MAC address for the VPN Broker member. This MAC address must be the same as the MAC address used in the corresponding VPN Broker Member element that you created in the NGFW Manager.

Shared Secret Enter the password. The password must be the same as the shared secret that you entered for the VPN Broker Member element in the NGFW Manager.

By default, passwords and keys are not shown in plain text. To show the password or key, deselect the Hide option.

VPN Gateway Select the local VPN gateway.
Retrieve Routes from VPN Broker When selected, the routing table is updated with routes that are retrieved by the VPN Broker.
Adjust Antispoofing according to retrieved routes When selected, antispoofing rules are automatically adjusted based on the routes that are retrieved by the VPN Broker.
QoS Mode

(Optional)

Defines how QoS is applied to the link on this interface.

If Full QoS or DSCP Handling and Throttling is selected, a QoS policy must also be selected. If Full QoS is selected, the throughput must also be defined.

If the interface is a Physical Interface, the same QoS mode is automatically applied to any VLANs created under it.

QoS Policy

(When QoS Mode is Full QoS or DSCP Handling and Throttling)

The QoS policy for the link on this interface.

If the interface is a Physical Interface, the same QoS policy is automatically selected for any VLANs created under it.

Note: If a Virtual Resource has a throughput limit defined, the interfaces on the Virtual NGFW Engine that use a QoS policy all use the same policy. The policy used in the first interface is used for all the interfaces.
Interface Throughput Limit

(When QoS Mode is Full QoS)

Enter the throughput for the link on this interface as megabits per second.

If the interface is a Physical Interface, the same throughput is automatically applied to any VLANs created under it.

The throughput is for uplink speed (outgoing traffic) and typically must correspond to the speed of an Internet link (such as an ADSL line), or the combined speeds of several such links when connected to a single interface.

CAUTION:
Make sure that you set the interface speed correctly. When the bandwidth is set, the NGFW Engine always scales the total amount of traffic on this interface to the bandwidth you defined. This scaling happens even if there are no bandwidth limits or guarantees defined for any traffic.
CAUTION:
The throughput for a Physical Interface for a Virtual NGFW Engine must not be higher than the throughput for the Master NGFW Engine interface that hosts the Virtual NGFW Engine. Contact the administrator of the Master NGFW Engine before changing this setting.
MTU

(Optional)

The maximum transmission unit (MTU) size on the connected link. Either enter a value between 400–65535 or select a common MTU value from the list.

If the interface is a Physical Interface, the same MTU is automatically applied to any VLANs created under it.

The default value (also the maximum standard MTU in Ethernet) is 1500. Do not set a value larger than the standard MTU, unless you know that all devices along the communication path support it.

To set the MTU for a Virtual NGFW Engine, you must configure the MTU for the interface on the Master NGFW Engine that hosts the Virtual NGFW Engine, then refresh the policy on the Master NGFW Engine and the Virtual NGFW Engine.

Next steps

Check the status of the VPN Broker.