Configure the endpoint for the NGFW Engine

Verify that the site IKE ID assigned to you in the Forcepoint ONE SSE portal matches the IKE ID of your NGFW VPN endpoint. If necessary, you can add a VPN-specific exception for the NGFW endpoint IKE ID.

Steps

  1. In the Management Client, select Configuration.

    The NGFW Engines page opens, listing the NGFW Engines.

  2. Right-click the Firewall you want to edit, then select Edit Single Firewall.
  3. Browse to VPN > Endpoints.
  4. In the list of endpoints, double-click the endpoint that you plan to use for VPN connections to the cloud.
    The Endpoint Properties dialog box opens.
  5. From the NAT-T drop-down list, select Enabled.

  6. If the endpoint's default Phase-1 ID type is already set to something other than IP address or FQDN for use with other VPN configurations, you can make an exception for the Forcepoint ONE VPN using the Exceptions button.
    1. In the Phase-1 ID settings, click Exceptions.

      The Exceptions dialog box opens.

    2. Click Add and then select the type of ID from the drop-down list depending on the ID that you have in Forcepoint ONE SSE.
      • To use an FQDN as the Phase-1 ID, select DNS Name.
      • To use an IP address as the Phase-1 ID, select IP Address.
    3. Select your Policy-Based VPN element, then click Select.
    4. Double-click the ID Value cell, then enter the Site IKE ID shown under Analyze > Tunnels > Setup Info in the Forcepoint ONE SSE portal.
      Note: The Phase-1 ID configured on the device must match the Site IKE ID configured in the Forcepoint ONE SSE portal.
    5. Click OK.
  7. Click OK to save your changes to the NGFW endpoint.
  8. Click Save to save the changes, then close the Engine Editor.
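The check in the introduction (portal Site IKE ID must equal the endpoint's Phase-1 ID, with an exception entry when the endpoint's default ID type is not IP address or FQDN, and NAT-T enabled) can be scripted so that it is run before the tunnel is brought up rather than discovered from a failed IKE negotiation. The following is an added example, not Forcepoint's code and not the SMC API: it represents the endpoint configuration as a plain dict (a hypothetical layout), and all Site IKE IDs and element names in it are constructed sample values.

```python
import ipaddress
import re

# One DNS label: 1-63 chars, letters/digits/hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def ike_id_type(value: str):
    """Return the Phase-1 ID type an exception entry would need for this value:
    'IP Address' for an IPv4/IPv6 literal, 'DNS Name' for an FQDN, or None for
    anything else (such as a distinguished name), which neither exception type
    described in the procedure can carry."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)
        return "IP Address"
    except ValueError:
        pass
    labels = v.rstrip(".").split(".")
    if len(labels) >= 2 and all(_LABEL.match(label) for label in labels):
        return "DNS Name"
    return None


def normalize_ike_id(value: str) -> str:
    """Canonical form for comparison: IP literals via ipaddress (so
    '2001:DB8::1' equals '2001:db8::1'), FQDNs lower-cased without a trailing dot."""
    v = value.strip()
    try:
        return str(ipaddress.ip_address(v))
    except ValueError:
        return v.rstrip(".").lower()


def check_endpoint(site_ike_id: str, endpoint: dict, vpn_name: str = "Forcepoint ONE VPN") -> dict:
    """Compare the portal's Site IKE ID with an NGFW endpoint configuration.

    `endpoint` is a hypothetical dict layout (assumption, not an SMC object):
      nat_t: bool
      default_id_type, default_id_value: the endpoint's Phase-1 ID settings
      exceptions: {policy_based_vpn_name: (id_type, id_value)}
    Returns {'ok': bool, 'needs_exception': bool, 'exception_id_type': str, 'problems': [..]}."""
    problems = []
    wanted_type = ike_id_type(site_ike_id)
    if wanted_type is None:
        return {"ok": False, "needs_exception": False, "exception_id_type": None,
                "problems": ["site IKE ID is neither an IP address nor an FQDN"]}
    if not endpoint.get("nat_t", False):
        problems.append("NAT-T is not enabled on the endpoint")

    target = normalize_ike_id(site_ike_id)
    exc = endpoint.get("exceptions", {}).get(vpn_name)
    if exc is not None:
        # An exception for this VPN exists: it must use the right type and value.
        exc_type, exc_value = exc
        if exc_type != wanted_type:
            problems.append(f"exception for {vpn_name!r} uses type {exc_type!r}, portal ID needs {wanted_type!r}")
        elif normalize_ike_id(exc_value) != target:
            problems.append(f"exception ID value {exc_value!r} does not match site IKE ID {site_ike_id!r}")
        needs_exception = False
    else:
        # No exception: the endpoint's default Phase-1 ID must match directly.
        default_matches = (endpoint.get("default_id_type") == wanted_type
                           and normalize_ike_id(endpoint.get("default_id_value", "")) == target)
        needs_exception = not default_matches
        if needs_exception:
            problems.append(f"add an Exceptions entry for {vpn_name!r}: type {wanted_type!r}, value {site_ike_id!r}")

    return {"ok": not problems, "needs_exception": needs_exception,
            "exception_id_type": wanted_type, "problems": problems}


if __name__ == "__main__":
    # Constructed sample: endpoint whose default ID is a DN used by other VPNs.
    endpoint = {"nat_t": True, "default_id_type": "Distinguished Name",
                "default_id_value": "CN=ngfw1", "exceptions": {}}
    print(check_endpoint("site-123.sse.example.com", endpoint))
```

The report lists every remaining step in plain words (enable NAT-T, add an exception of a given type and value, or fix a mismatched one), which is what you would hand to whoever edits the engine; the normalization makes a trailing dot or different letter case in an FQDN not look like a mismatch.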

Next steps

Create rules to define which traffic is sent to the policy-based VPN and which traffic is allowed out of the policy-based VPN.