IPsec overview

IPsec is an extension to the IP protocol that provides secure traffic tunneling by authenticating and encrypting information sent over a network.

The IPsec protocol uses Internet Key Exchange (IKE) to establish session keys for encryption and decryption, and Encapsulating Security Payload (ESP) to provide data confidentiality and integrity.

Traffic to the Forcepoint ONE SSE Cloud SWG service can be fully encapsulated in tunnel mode, providing complete traffic encryption.

IPsec connectivity also supports sites that connect to the Internet with a dynamic IP address, using a fully qualified domain name (FQDN) as the device IKE ID.

By default, two Forcepoint datacenters are provided for Cloud SWG. Forcepoint strongly recommends configuring your edge devices to fail over to the second datacenter for geographic redundancy. Tunnels should be configured with automatic failover. Each datacenter has a tunnel monitoring address that can be used to monitor the status of the connection.
Note: Connection redundancy is a requirement for the Forcepoint ONE SSE SLA. Redundancy can be achieved by configuring connections to both datacenter addresses provided and configuring your edge device to fail over in the event of network disruption.
Important: The edge device (router or firewall) at the customer site must be configured to send only web traffic on TCP ports 80 and 443 over the tunnel to the Cloud SWG. All other traffic should be routed directly to the Internet. If traffic on any other port is sent over the tunnel, it will be discarded.
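The forwarding and failover rules above (web traffic on TCP 80/443 over the tunnel, everything else direct, secondary datacenter used when the primary's monitoring address stops responding), modelled as an added Python example. This is not Forcepoint or Palo Alto code; the tunnel labels and monitor results are constructed placeholders, and what to do when both tunnels are down is left as a local policy decision the page does not specify.

```python
# Added example (not Forcepoint or Palo Alto code): models the edge-device
# decision described in the overview. Only TCP 80/443 is sent over the IPsec
# tunnel, the primary datacenter tunnel is preferred, and the secondary tunnel
# is used when the primary's monitoring address no longer responds.
from dataclasses import dataclass

# Ports the Cloud SWG accepts over the tunnel; anything else is discarded there.
TUNNELED_TCP_PORTS = {80, 443}


@dataclass
class Tunnel:
    name: str          # placeholder label, e.g. "dc1" / "dc2"
    monitor_ok: bool   # last probe result for the datacenter's tunnel monitoring address


@dataclass
class Flow:
    proto: str         # "tcp" or "udp"
    dst_port: int


def select_tunnel(tunnels):
    """Return the first tunnel (in priority order) whose monitor check passes."""
    for t in tunnels:
        if t.monitor_ok:
            return t
    return None


def next_hop(flow, tunnels):
    """Decide where the edge device should forward a flow.

    Returns "direct" for non-web traffic (it must not enter the tunnel),
    the chosen tunnel's name for TCP 80/443, or "no-path" when every
    tunnel is down (handling that case is a local policy decision).
    """
    if flow.proto != "tcp" or flow.dst_port not in TUNNELED_TCP_PORTS:
        return "direct"
    chosen = select_tunnel(tunnels)
    return chosen.name if chosen else "no-path"


def route_flows(flows, tunnels):
    """Apply next_hop to a list of flows; returns (proto, port, decision) tuples."""
    return [(f.proto, f.dst_port, next_hop(f, tunnels)) for f in flows]
```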

This guide describes how to configure the Palo Alto device using the Forcepoint ONE SSE Cloud SWG IPsec tunnel configurations.