How to Configure a Route-Based VPN Between Azure and a Forcepoint NGFW
TECHNICAL DOCUMENT
Table of Contents
Introduction ........ 2
Deployment Scenario ........ 2
Configuration Overview ........ 3
Firewall Configuration Overview ........ 3
  Configure endpoints and sites ........ 3
  Create tunnel interface ........ 7
  Create the correct VPN profile ........ 8
  Create route-based VPN ........ 10
  Create the appropriate firewall rules ........ 11
  Test the environment with the VPN client ........ 12
INTRODUCTION
The purpose of this document is to describe the configuration steps needed on the Forcepoint Security Management Center (SMC) to set up a route-based VPN between a Forcepoint Next Generation Firewall (NGFW) and Azure.

Used versions:
Management Server: version 6.0.1
Security Engine: version 6.0.1

DEPLOYMENT SCENARIO
[Deployment diagram: the on-premises NGFW and its internal networks connected to two Azure sites, Production Site and Test Environment, each with its own VPN endpoint address]

In this environment two internal networks are connected to the Azure cloud. On the Azure side there are two different sites with two different endpoints: the Test site and the Production site. The Test site contains two networks and the Production site contains three networks. This scenario uses a route-based VPN; if you want to create a policy-based VPN instead, refer to the How-To document for the policy-based VPN for Azure.
CONFIGURATION OVERVIEW
The general workflow for configuring the route-based VPN to Azure is divided into two parts. The first part describes how to configure the Forcepoint NGFW; the second part is done in the Azure portal. Refer to the Azure Help if you need more detail on the Azure side.

1. Configure endpoints and sites in the NGFW properties
2. Create the correct VPN profile
3. Create a tunnel interface
4. Create the route-based VPN and include the endpoint
5. Create the appropriate rules in the firewall policy

FIREWALL CONFIGURATION OVERVIEW
The first configuration steps are done in the Management Center.

CONFIGURE ENDPOINTS AND SITES
First configure the VPN endpoint. The VPN endpoint is the IP address that acts as the point of contact for the remote clients. To configure it:
1. Edit the firewall element.
2. Open the VPN section.
3. In the End-Point part, select the correct IP address.
4. Select the type of VPN you want to configure.
In this case IPsec VPN is selected, as this is the only VPN type used for Azure. When done, click OK and save the edited firewall properties.

Once the endpoint is ready, proceed to the Sites configuration. You can use the default site; in this case it contains all the network segments except the one used to carry the encrypted traffic.

The local endpoint is now created. Because this is a site-to-site VPN, you also need to create an external endpoint: the Azure endpoint, with the parameters defined in the Azure portal. Open the VPN section, go to the Gateways tab, and create a new External VPN Gateway.
Set the correct name and go to the Endpoints tab. There, add a new endpoint with the IP address provided by Azure. Do not forget to enable the endpoint once it is created.
You also need to create the Site properties for the remote endpoint so that the correct Security Association (SA) is generated. In this case a new site called Azure Cloud Remote Networks has been created, containing the Azure-side networks.

You can add as many endpoints as you need to the same VPN. In this case one more Azure endpoint is added, with the networks of a pre-production environment.
CREATE TUNNEL INTERFACE
Because this is a route-based VPN, a tunnel interface is needed into which the traffic will be routed. To create it, go to the Interfaces section of the NGFW properties and add a new interface of type Tunnel Interface. Two tunnel interfaces are used here, but a single one would also work.

You should configure an IP address on these interfaces, but it is only used if you use dynamic routing. Otherwise the NGFW uses its internal interface address on these tunnels.
As this is a route-based VPN, configure the routing next: drag and drop the Azure networks under their respective tunnel interfaces. You will use these same Azure networks in the NGFW policy afterwards.

CREATE THE CORRECT VPN PROFILE
An appropriate VPN profile is needed to configure the VPN. The VPN profile is used to encrypt and decrypt data; it tells the NGFW which crypto settings to use with the Azure cloud. To create a VPN profile, go to VPN > Other Elements > VPN Profiles. Define the profile according to the instructions on the Azure support web page.
For the IKE phase, set the parameters as defined; on the right-hand side are the settings for the Next Generation Firewall and on the left-hand side the Azure settings. For the IPsec SA (phase 2), set the parameters as defined on the Azure web page.

Note that in some cases there can be issues with phase 2, with the symptom that the VPN keeps disconnecting. In that case we recommend using a longer IPsec tunnel lifetime on the NGFW end of the tunnel than on the Azure end. This forces the Azure end to initiate the new session key negotiation. Using 75 minutes seems to work fine.
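The phase-2 lifetime rule above and the local/remote site definitions from the endpoint section can be sanity-checked before the policy is installed. This added example (not Forcepoint's or Azure's code) models both ends' proposals and site networks in plain Python; the field names and all Azure-side values are constructed assumptions, and only the 75-minute (4500 s) NGFW lifetime comes from the document.

```python
"""Pre-flight check of a route-based NGFW <-> Azure VPN definition (added example,
not part of the Forcepoint document). Field names and Azure-side values are
constructed; only the 75-minute (4500 s) NGFW IPsec lifetime is from the document."""
from ipaddress import ip_address, ip_network

IKE_FIELDS = ("encryption", "integrity", "dh_group")     # phase 1 must match
IPSEC_FIELDS = ("encryption", "integrity", "pfs_group")  # phase 2 must match

def check_phase(name, fields, ngfw, azure, ngfw_lifetime_must_exceed=False):
    """Return problems for one IKE/IPsec phase (empty list if consistent)."""
    issues = [f"{name}: {f} mismatch ({ngfw.get(f)} vs {azure.get(f)})"
              for f in fields if ngfw.get(f) != azure.get(f)]
    # Document's phase-2 advice: NGFW lifetime longer than Azure's, so that the
    # Azure end always initiates the rekey instead of the tunnel dropping.
    if ngfw_lifetime_must_exceed and ngfw["lifetime_s"] <= azure["lifetime_s"]:
        issues.append(f"{name}: NGFW lifetime {ngfw['lifetime_s']}s must exceed "
                      f"Azure lifetime {azure['lifetime_s']}s")
    return issues

def check_sites(local_nets, remote_nets, endpoints):
    """Site networks must not overlap and no endpoint may sit inside one."""
    local = [ip_network(n) for n in local_nets]
    remote = [ip_network(n) for n in remote_nets]
    issues = [f"site overlap: {l} vs {r}" for l in local for r in remote if l.overlaps(r)]
    for ep in endpoints:
        if any(ip_address(ep) in n for n in local + remote):
            issues.append(f"endpoint {ep} lies inside a site network")
    return issues

def preflight(cfg):
    """Run all checks; an empty result means the definition is consistent."""
    issues = check_phase("IKE", IKE_FIELDS, cfg["ngfw_ike"], cfg["azure_ike"])
    issues += check_phase("IPsec", IPSEC_FIELDS, cfg["ngfw_ipsec"],
                          cfg["azure_ipsec"], ngfw_lifetime_must_exceed=True)
    issues += check_sites(cfg["local_site"], cfg["remote_site"], cfg["endpoints"])
    return issues

# Constructed sample definition (documentation/private ranges, not the document's).
EXAMPLE_CFG = {
    "ngfw_ike":    {"encryption": "aes256", "integrity": "sha1", "dh_group": 2, "lifetime_s": 28800},
    "azure_ike":   {"encryption": "aes256", "integrity": "sha1", "dh_group": 2, "lifetime_s": 28800},
    "ngfw_ipsec":  {"encryption": "aes256", "integrity": "sha1", "pfs_group": None, "lifetime_s": 4500},
    "azure_ipsec": {"encryption": "aes256", "integrity": "sha1", "pfs_group": None, "lifetime_s": 3600},
    "local_site":  ["10.0.0.0/24", "10.0.1.0/24"],
    "remote_site": ["10.10.0.0/24", "10.10.1.0/24", "10.10.2.0/24"],
    "endpoints":   ["203.0.113.10", "198.51.100.20"],
}
if __name__ == "__main__":
    print(preflight(EXAMPLE_CFG) or "no issues")
```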
Keep this lifetime consideration in mind when configuring the route-based VPN with Azure.

CREATE ROUTE-BASED VPN
Your NGFW Gateway element is now ready to be added to the route-based VPN. Open the VPN configuration and go to the route-based VPN configuration. Once there, edit the route-based VPN as shown.
Add new gateway properties and set the options as follows:
- Tunnel type: VPN
- VPN Profile: the one created earlier, Azure Profile
- Set the correct pre-shared key
- Select the local gateway and the correct tunnel interface for each remote endpoint
- Select the remote endpoint

After you have created the tunnels, proceed with the next step: creating the firewall rules.

CREATE THE APPROPRIATE FIREWALL RULES
After the endpoint and VPN configuration is done, you only need to set up the correct rules to grant your users access through the VPN. Create firewall rules that allow traffic from your networks to the Azure cloud networks and vice versa. Routing takes care of directing the traffic to the correct tunnel interface.
In this case, as shown, there are two sections within the same VPN: traffic for the test environment and traffic for the production environment. This way you can use the same VPN for both environments and do not need to create separate VPNs. You could also merge both firewall rule sections, but firewall rule best practice is to keep separate rules for each environment for easier management.

TEST THE ENVIRONMENT WITH THE VPN CLIENT
As the final step, install the firewall policy on the firewall in question. Use the Save and Install button at the top right. Once the policy is installed, generate traffic from both sides, as allowed by your policy, and check the corresponding logs. Look for errors in tunnel creation and for the allowed connections. You can turn on VPN diagnostics if you need more detail about the tunnel negotiations.