Configure the endpoint and sites for the NGFW Engine

In the Management Client, configure the endpoint and sites for the NGFW Engine.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration, then browse to SD-WAN.
  2. Browse to VPN Gateways.
  3. Right-click the VPN Gateway element that represents the NGFW Engine, then select Properties.
  4. Make sure that the external-facing interface of the NGFW Engine is enabled as the endpoint.
  5. Right-click the endpoint, then select Properties.
  6. From the NAT-T drop-down list, select Enabled.
  7. In the Phase-1 ID section, configure the settings to match the IKE ID of the local edge device in the Private Access management portal. The Phase-1 ID is the identity exchanged during IKE authentication, not a reachable address: the peer compares both the ID type and the ID value against its own configuration, and a mismatch in either causes the negotiation to fail.
    1. From the ID Type drop-down list, select the type that is configured for the local edge device in the Private Access management portal.
      • If the ID type in the Private Access management portal is a fully qualified domain name (FQDN), select DNS Name.
      • If the ID type in the Private Access management portal is an IP address, select IP Address.
    2. In the ID Value field, enter exactly the value that is configured as the IKE ID of the local edge device in the Private Access management portal.
      • DNS Name — Enter the FQDN of the local edge device.
      • IP Address — Enter the IP address of the local edge device.
    Note: If the VPN endpoint is used in other VPNs, you must configure VPN-specific phase-1 ID exceptions. See the Forcepoint Next Generation Firewall Product Guide for more information.
  8. Click OK to save your changes to the endpoint.
    Note: Do not close the Engine Editor.
  9. In the navigation pane on the left, browse to VPN > Sites.
  10. Select Networks, then select the internal network that the VPN protects and click Add.
  11. Click Save to save the changes, then close the Engine Editor.
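The Phase-1 ID configured in step 7 is carried on the wire in the IKE Identification payload (RFC 7296, section 3.5, for IKEv2; IKEv1 uses the same ID type codes), and the peer accepts the gateway only if both the ID type and the ID value match. The following Python is an added example, not code from this page or from Forcepoint: it encodes and decodes that payload and applies the match rule, showing that the same string sent as an IP Address type and configured as a DNS Name type does not match. The hostnames, addresses and the exact-match string comparison are assumptions for illustration.

```python
"""Encode, decode and compare IKEv2 Identification payloads (RFC 7296, section 3.5).

Added example for this page; not Forcepoint code. All sample values are constructed.
"""
import ipaddress
import struct

# ID Type codes from RFC 7296 section 3.5, keyed by the Phase-1 ID types offered
# in the Endpoint Properties dialog box. IKEv1 (RFC 2407) uses the same codes.
ID_TYPES = {
    "IP Address": 1,          # ID_IPV4_ADDR (ID_IPV6_ADDR = 5 is chosen automatically below)
    "DNS Name": 2,            # ID_FQDN
    "E-mail": 3,              # ID_RFC822_ADDR
    "Distinguished Name": 9,  # ID_DER_ASN1_DN
}
ID_IPV6_ADDR = 5
ID_NAMES = {v: k for k, v in ID_TYPES.items()}
ID_NAMES[ID_IPV6_ADDR] = "IP Address"
NEXT_PAYLOAD_NONE = 0


def encode_id_payload(id_type, value, next_payload=NEXT_PAYLOAD_NONE):
    """Return the generic payload header followed by the Identification payload body."""
    code = ID_TYPES[id_type]
    if id_type == "IP Address":
        addr = ipaddress.ip_address(value)
        data = addr.packed
        if addr.version == 6:
            code = ID_IPV6_ADDR
    elif id_type in ("DNS Name", "E-mail"):
        # An FQDN or e-mail ID is an opaque identifier string: nothing is resolved.
        data = value.encode("ascii")
    else:
        # Distinguished Name: the DER-encoded subject taken from the certificate.
        data = bytes(value)
    length = 4 + 4 + len(data)                             # header + ID Type/RESERVED + data
    header = struct.pack("!BBH", next_payload, 0, length)  # Next Payload, C+Reserved, Length
    return header + struct.pack("!B3x", code) + data       # ID Type, 3 RESERVED bytes, data


def decode_id_payload(raw):
    """Parse an Identification payload and return (id_type_name, value)."""
    _next_payload, _flags, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw) or length < 8:
        raise ValueError("payload length field does not match the data")
    code = raw[4]
    data = raw[8:]
    if code == ID_TYPES["IP Address"]:
        return "IP Address", str(ipaddress.IPv4Address(data))
    if code == ID_IPV6_ADDR:
        return "IP Address", str(ipaddress.IPv6Address(data))
    if code in (ID_TYPES["DNS Name"], ID_TYPES["E-mail"]):
        return ID_NAMES[code], data.decode("ascii")
    if code == ID_TYPES["Distinguished Name"]:
        return "Distinguished Name", data
    raise ValueError(f"unsupported ID type {code}")


def phase1_id_matches(expected_type, expected_value, raw_peer_id):
    """Decide whether the ID a peer presented matches the ID configured for it.

    Both the type and the value must match. Strings are compared exactly here (an
    assumption): treating any difference in case or trailing dot as a mismatch is the
    safe reading when the two sides are configured independently, as with the portal."""
    peer_type, peer_value = decode_id_payload(raw_peer_id)
    if peer_type != expected_type:
        return False
    if expected_type == "IP Address":
        return ipaddress.ip_address(peer_value) == ipaddress.ip_address(expected_value)
    return peer_value == expected_value


if __name__ == "__main__":
    # Constructed: the local edge device is configured with an FQDN in the portal.
    sent = encode_id_payload("DNS Name", "edge1.example.com")
    print("IDi on the wire:", sent.hex())
    print("DNS Name / edge1.example.com matches:",
          phase1_id_matches("DNS Name", "edge1.example.com", sent))
    # The same string configured as an IP Address type on the NGFW side does not match.
    print("IP Address type configured, FQDN sent:",
          phase1_id_matches("IP Address", "203.0.113.10", encode_id_payload("DNS Name", "203.0.113.10")))
```

The point for step 7 is the type check: an edge device that identifies itself with an FQDN fails against an endpoint whose Phase-1 ID is set to IP Address even when the value text is identical, so the ID Type must be copied from the portal as carefully as the value.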

Next steps

Configure a policy-based VPN.

Engine Editor > VPN > Endpoints

Use this branch to change the endpoint settings that are used when the NGFW Engine acts as a VPN gateway.

Option Definition
Enabled
  When selected, the endpoint IP address is active.
Name
  Shows the name of the endpoint. If the endpoint does not have a descriptive name, the IP address of the endpoint is shown.
IP Address
  Shows the IP address of the endpoint.
Connection Type
  Defines how the endpoint is used in a Multi-Link configuration.
Options
  Shows the optional settings that have been selected for the endpoint.
Phase-1 ID
  Shows the value of the phase-1 ID that identifies the gateway during the IKE phase-1 negotiations.
VPN Type
  Shows the types of VPNs that the endpoint can be used in.
Edit
  Allows you to change the properties of the selected endpoint.

Endpoint Properties dialog box

Use this dialog box to define the properties of internal endpoints.

Option Definition
Name
  The name of the endpoint. If no name is entered, the IP address is used.
IP Address
  The IP address of the endpoint.
Dynamic
  Automatically selected if the endpoint has a dynamic IP address.
Connection Type
  Defines how the endpoint is used in a Multi-Link configuration.
NAT-T
  Detects when an IPsec VPN tunnel goes through a NAT device. If NAT is detected, the VPN automatically uses UDP port 4500 for IKE negotiation messages, and encapsulates ESP packets in UDP packets that use port 4500.
  • Disabled — NAT traversal is disabled.
  • Enabled — Allows encapsulating the IPsec communications in standard NAT-T UDP packets in site-to-site VPNs when the gateways detect that a NAT operation is applied to the communications. Both gateways must support NAT-T; if the remote gateway does not, the setting is ignored and the VPN is negotiated without NAT-T.
  • Forced — Forces NAT-T even when the gateways do not detect a NAT operation being applied to the communications. If the remote gateway does not support NAT-T, the VPN fails to establish.
Contact Addresses section
  This section cannot be edited. The contact addresses for endpoints are defined in the Interface properties.
  Default
    Used by default whenever a component that belongs to another Location connects to this interface.
  Dynamic
    Used when the endpoint has a dynamic IP address.
    Note: Dynamic contact addresses are not supported on SSID Interfaces.
  Exceptions
    Opens the Exceptions dialog box.
Phase-1 ID section
  ID Type
    Identifies the gateways during the IKE phase-1 negotiations.
    • DNS Name — A DNS name identifies the gateway.
    • E-mail — An email address identifies the gateway.
    • Distinguished Name — The Distinguished Name (DN) field in the gateway's certificate identifies the gateway. You can only add one DN value for each VPN Gateway.
    • IP Address — An IP address identifies the gateway. If the endpoint has a static IP address, the value is filled in automatically. If the endpoint has a dynamic IP address, you must manually enter an IP address.
    To add VPN-specific exceptions for the Phase-1 ID, click Exceptions.
  Exceptions
    Allows you to create VPN-specific exceptions if the endpoint must use different Phase-1 ID settings in individual policy-based VPNs.
  ID Value
    Specifies the value of the selected ID Type.
VPN Type section
  All types
    The endpoint can be used in all types of VPNs.
  Selected types only
    Restricts the endpoint to the selected VPN types. Select one or more options.
    • IPsec VPN — The endpoint can be used in IPsec tunnels.
    • SSL VPN Tunnel — The endpoint can be used in SSL VPN tunnels.
    • SSL VPN Portal — The endpoint can be used to access the SSL VPN Portal.
    Note: The endpoint must have an IPv4 address if you want to use it in SSL VPN tunnels or to access the SSL VPN Portal.
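The NAT-T option above relies on the NAT detection built into IKE (RFC 7296, section 2.23): each side sends SHA-1 hashes of the SPIs and the source and destination address and port as it sees them, and the receiver recomputes the hashes from the packet as it actually arrived. A hash that no longer matches proves that a NAT rewrote the address or port on the path. The following Python is an added example, not code from this page or from Forcepoint: it simulates that exchange for an edge device behind a NAT and then maps the detection result and the Disabled, Enabled and Forced settings to the ports that will carry IKE and ESP. The SPIs, addresses and ports are constructed, and the mapping of the three settings follows the option descriptions on this page rather than any Forcepoint implementation detail.

```python
"""Simulate IKEv2 NAT detection (RFC 7296, section 2.23) and the NAT-T endpoint setting.

Added example for this page; not Forcepoint code. SPIs, addresses and ports are constructed.
"""
import hashlib
import ipaddress
import struct

IKE_PORT = 500      # IKE without NAT-T; ESP then travels as IP protocol 50
NAT_T_PORT = 4500   # IKE and UDP-encapsulated ESP once NAT-T is in use


def nat_detection_hash(spi_i, spi_r, ip, port):
    """SHA-1(SPIi | SPIr | IP | Port): the data of a NAT_DETECTION_*_IP notify.
    In the initiator's IKE_SA_INIT request SPIr is still zero."""
    data = (struct.pack("!QQ", spi_i, spi_r)
            + ipaddress.ip_address(ip).packed
            + struct.pack("!H", port))
    return hashlib.sha1(data).digest()


def initiator_notifies(spi_i, spi_r, src_ip, src_port, dst_ip, dst_port):
    """Notifies the initiator sends, computed from the addresses as the initiator sees them."""
    return {
        "NAT_DETECTION_SOURCE_IP": nat_detection_hash(spi_i, spi_r, src_ip, src_port),
        "NAT_DETECTION_DESTINATION_IP": nat_detection_hash(spi_i, spi_r, dst_ip, dst_port),
    }


def responder_check(spi_i, spi_r, notifies, observed_src_ip, observed_src_port, own_ip, own_port):
    """Recompute both hashes from the packet as it arrived at the responder.

    Returns (peer_behind_nat, self_behind_nat). A source hash that no longer matches means
    a NAT rewrote the initiator's address or port on the way; a destination hash that does
    not match means the responder's own address was translated before the packet reached it."""
    expected_src = nat_detection_hash(spi_i, spi_r, observed_src_ip, observed_src_port)
    expected_dst = nat_detection_hash(spi_i, spi_r, own_ip, own_port)
    return (notifies["NAT_DETECTION_SOURCE_IP"] != expected_src,
            notifies["NAT_DETECTION_DESTINATION_IP"] != expected_dst)


def negotiate_transport(nat_t_setting, peer_supports_nat_t, nat_detected):
    """Map the endpoint's NAT-T setting to the transport used after IKE_SA_INIT.

    Returns (udp_port, esp_in_udp), or None when the VPN cannot be established.
    Disabled: IKE stays on 500 and ESP is sent raw, whatever was detected (the ESP may
              then be dropped by the NAT, which is outside this simulation).
    Enabled:  move to 4500 with UDP-encapsulated ESP only if NAT was detected and the
              peer supports NAT-T; otherwise the setting is ignored.
    Forced:   always use 4500 and UDP encapsulation; fails if the peer lacks NAT-T support."""
    if nat_t_setting == "Disabled":
        return (IKE_PORT, False)
    if nat_t_setting == "Enabled":
        if peer_supports_nat_t and nat_detected:
            return (NAT_T_PORT, True)
        return (IKE_PORT, False)
    if nat_t_setting == "Forced":
        return (NAT_T_PORT, True) if peer_supports_nat_t else None
    raise ValueError(f"unknown NAT-T setting {nat_t_setting!r}")


if __name__ == "__main__":
    spi_i = 0x1122334455667788
    # Constructed: edge device at 10.0.0.5:500 behind a NAT that presents 198.51.100.7:51000;
    # the NGFW Engine endpoint is 203.0.113.10:500.
    notifies = initiator_notifies(spi_i, 0, "10.0.0.5", 500, "203.0.113.10", 500)
    peer_nat, self_nat = responder_check(spi_i, 0, notifies, "198.51.100.7", 51000, "203.0.113.10", 500)
    print("initiator behind NAT:", peer_nat, "| responder behind NAT:", self_nat)
    for setting in ("Disabled", "Enabled", "Forced"):
        print(setting, "->", negotiate_transport(setting, True, peer_nat))
```

Run against a capture of a real IKE_SA_INIT, the same recomputation tells you which side the NAT sits on before you decide between Enabled and Forced: Enabled is the right default when the path is sometimes translated, Forced is for paths where detection cannot be trusted but both peers are known to support NAT-T.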

Exceptions dialog box (VPN endpoints)

Use this dialog box to add VPN-specific exceptions for the phase-1 ID in policy-based VPNs.

Option Definition
VPN
  Shows the VPN to which the exception applies.
ID Type
  Shows the phase-1 ID type used in the exception.
  • Distinguished Name — The Distinguished Name field in the gateway's certificate identifies the gateway.
  • DNS Name — A DNS name identifies the gateway.
  • E-mail — An email address identifies the gateway.
  • IP Address — An IP address identifies the gateway. If the endpoint has a static IP address, the value is filled in automatically. If the endpoint has a dynamic IP address, you must manually enter an IP address.
ID Value
  Specifies the value of the phase-1 ID used in the exception.
Add
  Adds a phase-1 ID of the selected type and opens the Select VPN dialog box.
Remove
  Removes the selected row from the table.