Creating Sites
A Site represents a corporate location from which traffic will originate. While creating a Site, you can configure the IPsec tunnel through which traffic is sent to the cloud and create or add subnet groups within the site.
Steps
- Navigate to Protect > Objects > Sites.
- On the Sites page, click the green plus icon.
- On the General tab:
  - Enter a unique Name for the Site.
  - Select the appropriate TimeZone of the corporate IP location.
  - Enter a Description for the Site.
- Select the Type of the site (Tunnel by default). Available options are:
  - Tunnel (default) - Select Tunnel if you want to create GRE or IPsec tunnels so that web traffic from the site is forwarded to Cloud SWG via tunnels. Note: When Type is set to Tunnel, the Tunnel tab is available.
  - Explicit Proxy - Select Explicit Proxy if you want to forward the web traffic from the site to Cloud SWG using a PAC file.
  - None - Select None if the Site has an on-premises proxy that sends traffic directly to the internet (without sending it to the Cloud SWG).
  Note: The Type cannot be changed once a Site is created. You can delete the Site and create a new one with the correct Type.
- Enter the Public IP address of the site. Forcepoint ONE SSE validates the value to make sure that it is actually an IP address and is not a duplicate of another Site that was already created with the same IP address.
  Note: You can also enter a Dynamic IP address (an IP address assigned dynamically by one of the ISPs connected to the site) in the Public IP field. This Dynamic IP address can change over time and is simply used as a tag to match any Location Policies for the site on the Protect > Policies page.
- Set Identify Coordinates to Automatic to identify the location of the site from the entered IP address when you click Detect Location. Location displays the location name for the entered IP address.
- If you need finer coordinates, or Forcepoint ONE SSE is unable to identify the location of the entered IP address, then:
  - Set Identify Coordinates to Manual.
  - Select the Country to which the entered IP address belongs. For existing Sites where the country was not available for selection, it is set to a special value (unknown) and displayed as blank in the Country drop-down, so that you can select it later.
  - Enter the Latitude and Longitude.
- On the Tunnels tab, create tunnels to route traffic from the site to the Forcepoint ONE SSE cloud. To create an IPsec tunnel, follow the steps below:
  - Select the Type as IPsec.
  - From Site IKE Identity Type, select whether the Site uses its Public IP address or an FQDN.
  - Enter the IP address or FQDN to be used as the Site IKE Identity, as appropriate for the Site IKE Identity Type selection.
    Note: Your Site IKE ID value does not need to be a reachable IP address or resolvable FQDN, as long as it matches whatever is configured at the site NGFW VPN gateway endpoint that initiates the IKE negotiation with the cloud. The purpose of the IKE ID is to let a VPN gateway match the configuration for that peer VPN gateway endpoint.
  - From Preshared Key Type, select whether you will Use your own key or an Auto-generated key.
  - Enter the Preshared Key configured on the site router or firewall, OR click Generate Key to auto-generate a key and use that key when configuring the site router or firewall.
    Note: The Preshared Key is case sensitive and must be at least 8 characters long.
  - From Cloud IKE Identity Type, select whether the Site uses the Cloud Public IP address or Cloud FQDN as the Cloud IKE ID. By default, FQDN is selected.
  - Select the datacenter where the primary tunnel from the site will connect.
  - Select the datacenter where the secondary tunnel from the site will connect. Select a datacenter that is in a different Region or Zone than the Primary Datacenter. If you do not want to assign a secondary datacenter, select None from the Secondary Datacenter drop-down list.
- (Optional) On the Subnets tab, define subnets or reuse the configured subnets within the site.
  Note: Subnets are unique within a site. However, in large cookie-cutter network deployments, the same subnet may be used in multiple sites. The combination of Site and Subnet is globally unique.
  To add Subnet(s) defined on the Protect > Objects > Custom Locations page:
  - Click the green plus icon. A Subnet appears.
  - From the Name drop-down list, select the applicable subnet. The details of the selected subnet appear. You can add as many subnets as required.
  To create a new subnet for the site:
  - Click and select Create New. The Create Subnet dialog opens.
  - Enter a unique Name for the location for easy identification.
  - Select the Traffic Type for the subnet addresses in the custom location.
  - Enter the IP Addresses, one per line, in CIDR notation. Custom locations should be external internet-facing addresses and can be IP addresses, subnets, or ranges on individual lines.
  - Leave the Trusted IP option unchecked. If you select the Trusted IP option, the IP addresses will not be considered when Forcepoint ONE SSE looks for suspicious user log-ins from distant physical locations. Configure the action to take by adding a policy under Protect > Policies > Session Policy with Suspicious User Locations as the condition (for example, Two-Factor Auth).
  - To save the custom location details, click Save.
- Click the green plus icon.
- To configure the site with the selected information, click OK.
  As soon as the Site is created, its status is Configuring. After some time, the status of the Site changes to Provisioned or Failed.
  Note: A tunnel typically takes approximately three minutes to be Provisioned.
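As an added illustration (not Forcepoint's code or the product's own validation logic), the following Python models a Site and checks the constraints this procedure states before anything is entered in the console: the public IP must parse as an IP address and must not duplicate another Site, a Tunnel site's pre-shared key must be at least 8 characters, each subnet line must be an IP, a CIDR subnet or a first-last range, and custom locations should be external addresses. The Site class, its field names and the RFC 1918 list used for the "external address" check are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Site:                         # hypothetical model of the console's Site object
    name: str
    public_ip: str                  # may be a dynamic ISP address; must still parse as an IP
    site_type: str = "Tunnel"       # "Tunnel" | "Explicit Proxy" | "None"; fixed once created
    preshared_key: str = ""         # checked only for Tunnel sites; case sensitive, min 8 chars
    subnets: dict = field(default_factory=dict)   # subnet name -> address lines (unique per site)

# Custom locations should be external, internet-facing addresses; flag RFC 1918 space (assumed list).
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_address_line(line):
    """Parse one address line (IP, CIDR subnet or "first-last" range) into (first, last)."""
    line = line.strip()
    if "-" in line:                                       # explicit "first-last" range
        first, last = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
        if last < first:                                  # raises TypeError if IPv4/IPv6 are mixed
            raise ValueError("range ends before it starts")
        return first, last
    net = ipaddress.ip_network(line, strict=False)        # single IP or CIDR subnet
    return net[0], net[-1]

def validate_sites(sites):
    """Apply the page's rules across all sites; returns a list of error strings (empty = OK)."""
    errors, seen_ips = [], {}
    for s in sites:
        try:
            ip = ipaddress.ip_address(s.public_ip)
        except ValueError:
            errors.append(f"{s.name}: public IP {s.public_ip!r} is not an IP address")
            continue
        if ip in seen_ips:                                # duplicates another site's public IP
            errors.append(f"{s.name}: public IP {ip} duplicates site {seen_ips[ip]!r}")
        seen_ips.setdefault(ip, s.name)
        if s.site_type == "Tunnel" and len(s.preshared_key) < 8:
            errors.append(f"{s.name}: pre-shared key must be at least 8 characters")
        for sub_name, lines in s.subnets.items():         # the same subnet may recur in other sites
            for line in lines:
                try:
                    first, _ = parse_address_line(line)
                except (ValueError, TypeError) as e:
                    errors.append(f"{s.name}/{sub_name}: bad line {line!r} ({e})")
                    continue
                if any(first in n for n in INTERNAL):
                    errors.append(f"{s.name}/{sub_name}: {line!r} is not an external address")
    return errors
```

The addresses in any test input are constructed documentation-range values; the 8-character minimum is the product's floor, and a longer random key from Generate Key is the safer choice for an IKE pre-shared key.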