Configure Forcepoint NGFW settings in the SMC

Use the VPN Connection configuration that you downloaded from AWS to configure the remaining NGFW Engine settings.

The VPN Connection configuration provides the tunnel interface IP addresses, the next-hop gateway, autonomous system (AS) numbers, pre-shared keys, and the cryptographic specifications.

Steps

  1. In the Management Client, create two External VPN Gateway elements that represent the two AWS endpoints.
    1. Select Configuration then browse to SD-WAN > VPN Gateways.
      In SMC 6.4 or lower, select Configuration then browse to VPN > Gateways.
    2. Right-click VPN Gateways, then select New External VPN Gateway.
      In SMC 6.4 or lower, right-click Gateways, then select New External VPN Gateway.
    3. On the Endpoints tab of each External VPN Gateway element, add the IP address of the AWS endpoint.
    4. On the Sites tab of each External VPN Gateway element, configure each external gateway site to match the VPC network, then click OK.
      In this example, the VPC network is 172.31.0.0/16.
  2. Add a tunnel interface to the NGFW Engine for each VPN gateway, then add the IP address of the AWS endpoint to each tunnel interface.
    1. Browse to Configuration > NGFW > NGFW Engines.
    2. Right-click the NGFW Engine, then select Edit Single Firewall.
    3. In the Engine Editor, browse to Interfaces.
    4. Add one tunnel interface for each VPN gateway.
  3. Enable BGP in the NGFW Engine properties.
    1. In the Engine Editor, browse to Routing > Dynamic Routing.
    2. In the BGP settings, select Enabled.
    3. In the Autonomous System field, create an Autonomous System element that uses the AS number that AWS specified in the configuration.
      The default is 65000.
    4. Add your protected network to the Announced Network configuration.
  4. Edit the routing configuration for the NGFW Engine.
    1. In the Engine Editor, browse to Routing.
    2. Under each tunnel interface, add a BGP Peering element.
    3. Right-click the BGP Peering element under each tunnel interface, then select Add External BGP Peer.
    4. Select an AWS gateway for each tunnel interface.
      For the Autonomous System (AS) field, create an Autonomous System element that uses the AS number provided by AWS.
      In this example, the AS number is 7224 for us-east.
    5. Click Save.
  5. Create a VPN Profile that matches the settings required by AWS.
    1. Select Configuration then browse to SD-WAN > Other Elements > Profiles > VPN Profiles.
      In SMC 6.4 or lower, select Configuration then browse to VPN > Other Elements > Profiles > VPN Profiles.
    2. Right-click VPN Profiles, then select New VPN Profile.
    3. Configure the settings to match the settings required by AWS, then click OK.
  6. Create route-based VPN tunnels for each AWS gateway.
    1. Browse to Configuration > SD-WAN > Route-Based VPN Tunnels.
      In SMC 6.4 or lower, browse to Configuration > VPN > Route-Based VPN Tunnels.
    2. Right-click Route-Based VPN Tunnels, then select New Route-Based VPN Tunnel.
    3. For each tunnel, select the VPN Profile element that you created.
    4. For each tunnel, enter the pre-shared key from the AWS VPN Connection configuration.
    5. In the Local settings, select the NGFW Engine, then select a tunnel interface.
    6. In the Remote settings, select an AWS gateway.
      Make sure that you select the correct AWS gateway for each tunnel interface.
  7. Browse to Configuration > Policy > Firewall Policy, then create a Firewall Policy that allows traffic in both directions between the networks.
  8. To verify that the IPsec tunnel is correctly established, right-click the NGFW Engine, then select Monitoring > VPN SAs.
  9. To verify that BGP correctly propagates routes, select Home, right-click the NGFW Engine, then select Monitoring > Routing.
  10. In the AWS console, browse to the Tunnel Details tab, then verify that the tunnels are active.
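Before creating the SMC elements above, it helps to cross-check the values copied from the AWS VPN Connection configuration: that each tunnel interface pairs with its own AWS endpoint and /30, that the External BGP Peer is the AWS inside address rather than the public endpoint, that the two AS numbers differ, and that the announced network does not overlap the VPC. The following pre-flight check is an added example, not Forcepoint or AWS code; the endpoint addresses, inside /30 pairs, pre-shared keys and the 10.10.0.0/16 protected network are constructed placeholders, while 65000, 7224 and 172.31.0.0/16 are the values used on this page.

```python
import ipaddress

# Constructed sample of the per-tunnel values a practitioner copies out of the
# AWS VPN Connection configuration. All addresses and keys are hypothetical.
LOCAL_ASN = 65000                     # Autonomous System element on the NGFW (page default)
PROTECTED_NETWORK = "10.10.0.0/16"    # assumed on-premises network to announce
VPC_NETWORK = "172.31.0.0/16"         # VPC network configured on the Sites tab

TUNNELS = [
    {"name": "tunnel-1", "aws_endpoint": "203.0.113.10", "aws_asn": 7224,
     "local_inside": "169.254.10.2/30", "aws_inside": "169.254.10.1/30",
     "bgp_peer": "169.254.10.1", "psk": "constructed-psk-one"},
    {"name": "tunnel-2", "aws_endpoint": "203.0.113.11", "aws_asn": 7224,
     "local_inside": "169.254.20.2/30", "aws_inside": "169.254.20.1/30",
     "bgp_peer": "169.254.20.1", "psk": "constructed-psk-two"},
]


def check_tunnel(t, local_asn=LOCAL_ASN):
    """Return the problems found in one tunnel's parameters (empty list = OK)."""
    problems = []
    local = ipaddress.ip_interface(t["local_inside"])
    remote = ipaddress.ip_interface(t["aws_inside"])
    # The tunnel interface address and the AWS inside address share one /30.
    if local.network != remote.network or local.ip == remote.ip:
        problems.append(f"{t['name']}: inside addresses do not form a /30 pair")
    # The External BGP Peer must be the AWS inside address, not the public endpoint.
    if ipaddress.ip_address(t["bgp_peer"]) != remote.ip:
        problems.append(f"{t['name']}: BGP peer is not the AWS inside address")
    # eBGP between the NGFW and AWS needs two different AS numbers.
    if t["aws_asn"] == local_asn:
        problems.append(f"{t['name']}: AWS AS number equals the local AS number")
    if not t["psk"]:
        problems.append(f"{t['name']}: pre-shared key is empty")
    return problems


def check_plan(tunnels=TUNNELS, local_asn=LOCAL_ASN,
               protected=PROTECTED_NETWORK, vpc=VPC_NETWORK):
    """Cross-check all tunnels and the announced network before building the SMC elements."""
    problems = [p for t in tunnels for p in check_tunnel(t, local_asn)]
    # Each tunnel must pair with its own AWS endpoint and its own /30 (steps 1 and 6).
    for key in ("aws_endpoint", "local_inside"):
        values = [t[key] for t in tunnels]
        if len(set(values)) != len(values):
            problems.append(f"two tunnels share the same {key}")
    # The announced protected network must not overlap the VPC network.
    if ipaddress.ip_network(protected).overlaps(ipaddress.ip_network(vpc)):
        problems.append("announced network overlaps the VPC network")
    return problems
```

An empty list from `check_plan()` means the copied values are consistent; any string it returns names the tunnel or setting to revisit before step 6.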