Creating Sites
A Site represents a corporate location from which traffic will originate. While creating a Site, you can configure either a GRE or an IPsec tunnel through which traffic is sent to the cloud, and create or add subnet groups within the site.
Steps
- Navigate to Protect > Objects > Sites.
- On the Sites page, click the green plus icon.
- On the General tab:
- Enter a unique Name of the Site.
- Select the appropriate TimeZone of the corporate IP location.
- Enter Description for the Site.
- Select the Tunnel option from the Type of the site.
Available options are:
- Tunnel (default) - Select Tunnel if you want to create GRE or IPsec tunnels so that web traffic from the site is forwarded to Cloud SWG via tunnels.
Note: When Type is set to Tunnel, the Tunnel tab is available.
- Explicit Proxy - Select Explicit Proxy if you want to forward the web traffic from the site to Cloud SWG using a PAC file.
- None - Select None if the Site has an on-premise proxy that sends traffic directly to the internet (without sending it to the Cloud SWG).
Note: The Type cannot be changed once a Site is created. You can delete the site and create a new one with the correct Type.
- Enter the Public IP address of the site.
Forcepoint ONE SSE validates that the value is actually an IP address and that it does not duplicate the IP address of a site that was already created.
Note: In the Public IP field, you can also enter a Dynamic IP address, that is, an IP address that was assigned dynamically by any one of the ISPs connected to the site. This Dynamic IP address can change over time and is simply used as a tag to match any Location Policies for the site on the Protect > Policies page.
- Set the Identify Coordinates to Automatic to identify the location of the site based on the entered IP address when you click Detect Location.
Location displays the location name of the entered IP address.
- If you need finer coordinates or Forcepoint ONE SSE is unable to identify the location of the entered IP address, then:
- Set the Identify Coordinates to Manual.
- Select the applicable Country to which the entered IP address belongs.
For existing Sites, where the country was not available for selection, it is set to a special value (unknown) and displayed as a blank in the Country drop-down, so that you can select it later.
- Enter the Latitude and Longitude.
- On the Tunnels tab, create tunnels to route the traffic from the site to the Forcepoint ONE SSE cloud:
To create an IPsec Tunnel, follow the steps below:
- Select the Type as IPsec.
- Select whether the Site uses its Public IP address or a FQDN from the Site IKE Identity Type.
- Enter either the public IP address or the FQDN of the site in the Site IKE Identity, according to the Site IKE Identity Type selection.
- Select whether you will Use your own key or an Auto-generated key from the Preshared Key Type.
- Enter the Preshared Key configured on the site router or firewall.
OR
Click Generate Key to auto-generate a key, and use that key while configuring the site router or firewall.
Note: The Preshared Key is case sensitive and must be a minimum of 8 characters long.
- Select whether the Site uses the Cloud Public IP address or the Cloud FQDN as the Cloud IKE ID from Cloud IKE Identity Type.
By default, FQDN is selected.
- Select the data center where the primary tunnel from the site is terminated.
- Select the data center where the secondary tunnel from the site is terminated.
Select a data center that is in a different Region or Zone than the Primary Datacenter. If you do not want to assign a secondary data center, select None from the Secondary Datacenter drop-down list.
- (Optional) On the Subnets tab, define subnets or reuse the configured subnets within the site:
Note: Subnets are unique within a site. However, in large cookie cutter network deployments, the same subnet may be used in multiple sites. The combination of Site and Subnet is globally unique.
To add Subnet(s) defined in the Protect > Objects > Custom Locations page:
- Click the green plus icon.
A Subset appears.
- From the Name drop-down list, select the applicable subset.
The details of the selected subset appear.
You can add as many subsets as required.
To create a new subset for the site:
- Click and select Create New.
The Create Subnet dialog opens.
- Enter a unique Name of the location for easy identification.
- Select the Traffic Type for the subnet addresses in the custom location.
- Enter the IP addresses, one per line, in CIDR notation.
Custom locations should be external internet facing addresses and can be an IP address, subnets, or ranges on individual lines.
- Leave the Trusted IP addresses checkbox unchecked.
- To save the custom location details, click Save.
- To configure a site with the selected information, click OK.
As soon as the Site is created, its status is Configuring. After some time, the status of the Site changes to Provisioned or Failed.
Note: A tunnel typically takes approximately three minutes to be Provisioned.
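A pre-check for the address list entered in the Create Subnet dialog (single IPs, CIDR subnets, or ranges, one per line, internet-facing, unique within the site). This is an added example, not Forcepoint code; it assumes ranges are written as `first-last` and treats overlapping entries as duplicates, neither of which the page specifies.

```python
import ipaddress

# Address space that is never internet-facing (RFC 1918, CGNAT, loopback, link-local).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]

def parse_entry(text):
    """Return the networks covered by one entry: single IP, CIDR, or range."""
    if "-" in text:  # assumed range syntax "first-last"; the page does not specify it
        first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(text, strict=True)]  # strict rejects host bits set

def check_entries(lines):
    """Return (accepted, problems); problems are (line_number, reason) tuples."""
    accepted, problems = [], []
    for number, raw in enumerate(lines, start=1):
        text = raw.strip()
        if not text:
            continue
        try:
            nets = parse_entry(text)
        except (ValueError, TypeError) as exc:
            problems.append((number, f"invalid entry: {exc}"))
            continue
        if any(n.overlaps(bad) for n in nets for bad in NON_ROUTABLE):
            problems.append((number, "not an internet-facing address"))
        elif any(n.overlaps(seen) for n in nets for _, seen in accepted):
            problems.append((number, "overlaps an earlier entry in this site"))
        else:
            accepted.extend((number, n) for n in nets)
    return accepted, problems

# Constructed sample input (documentation address ranges), one entry per line.
SAMPLE = """203.0.113.0/24
198.51.100.7
203.0.113.64/26
192.168.10.0/24
198.51.100.20-198.51.100.23
198.51.100.5/24
not-an-ip
"""

if __name__ == "__main__":
    ok, bad = check_entries(SAMPLE.splitlines())
    for number, net in ok:
        print(f"line {number}: accept {net}")
    for number, reason in bad:
        print(f"line {number}: reject ({reason})")
```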