How to Configure a Route-Based VPN Between Azure and a Forcepoint NGFW TECHNICAL DOCUMENT

Table of Contents

Introduction
Deployment Scenario
Configuration Overview
Firewall Configuration Overview
  Configure endpoints and sites
  Create tunnel interface
  Create the correct VPN profile
  Create route-based VPN
  Create the appropriate firewall rules
  Test the environment

Introduction

The purpose of this document is to describe the configuration steps needed on the Forcepoint Security Management Center (SMC) to configure a route-based VPN between a Forcepoint Next Generation Firewall (NGFW) and Microsoft Azure.

Used versions:
Management Server: version 6.0.1
Security Engine: version 6.0.1

Deployment Scenario

[Figure: deployment diagram. The NGFW endpoint 5.196.241.117 sits in front of the on-premises networks; the Azure endpoint 104.40.176.167 is labelled "Production Site". Networks shown in the diagram: 10.10.10.0/24, 192.168.221.0/24, 172.16.0.0/12, 192.168.11.0/24, 192.168.252.0/24 and 192.168.166.0/24.]

In this environment two internal networks are connected to the Azure cloud. On the Azure side there are two different sites, Test and Production, each with its own VPN endpoint. The Test site contains two networks and the Production site contains three. This scenario uses a route-based VPN; if you want a policy-based VPN instead, see the How-To document for a policy-based VPN to Azure.

Configuration Overview

The general workflow for configuring the route-based VPN to Azure is divided into two parts. The first part describes how to configure the Forcepoint NGFW in the SMC. The second part is done in the Azure portal; refer to the Azure documentation for details of the Azure side.

1. Configure endpoints and sites in the NGFW properties
2. Create the correct VPN profile
3. Create a tunnel interface
4. Create a route-based VPN that includes the endpoints
5. Create the appropriate rules in the firewall policy

Firewall Configuration Overview

The first configuration step is done in the Management Center.

CONFIGURE ENDPOINTS AND SITES

First, configure the VPN endpoint. The VPN endpoint is the IP address on the NGFW that the remote gateway (here, the Azure VPN gateway) contacts to negotiate the tunnel. To configure it:

Edit the firewall element
Open the VPN section
Go to the End-Points part and select the correct IP address
Select the type of VPN you want to configure

In this case we selected IPsec VPN, as this is the only VPN type used with Azure. When done, click OK and save the edited firewall properties.

Once the endpoint is ready, proceed to the Sites configuration. You can use the default Site; it contains all the networks behind the firewall except the one that holds the VPN endpoint itself, since that network carries the encrypted traffic rather than being protected by the tunnel.

The local endpoint is now created. Because this is a site-to-site VPN, you also need an external endpoint: the Azure VPN gateway, with the parameters defined in the Azure portal. In the VPN section, go to the Gateways view and create a new External VPN Gateway.

Set a descriptive name and go to the Endpoints tab. There, add a new endpoint with the public IP address of the Azure VPN gateway. Do not forget to enable the endpoint once created; a disabled endpoint is not used in the VPN.

You also need to define the Site for the remote endpoint so that the correct Security Associations (SAs) are generated: the Site lists the Azure-side networks that are reachable through the tunnel. In this case we created a new Site called Azure Cloud Remote Networks and added the Azure networks to it.

You can add as many external endpoints as needed to the same VPN. In this case we add a second Azure endpoint for the pre-production environment, with its own Site containing the pre-production networks.

CREATE TUNNEL INTERFACE

Because this is a route-based VPN, you need a Tunnel Interface into which the Azure-bound traffic is routed. To create it, go to the Interfaces section of the NGFW properties and add a new interface of type Tunnel Interface.

In this scenario two tunnel interfaces are created, one per Azure site, but a single one would also work. You can configure an IP address on these interfaces, but it is only used when dynamic routing (for example BGP) runs over the tunnel. With static routing, the NGFW uses the address of its internal interface as the source for traffic sent through the tunnel.

Since this is a route-based VPN, configure routing next: in the Routing view, drag and drop the Azure networks under the respective tunnel interfaces. You will reuse the same Azure network elements in the NGFW policy afterwards.

CREATE THE CORRECT VPN PROFILE

An appropriate VPN profile is needed to configure the VPN. The VPN profile defines the cryptographic settings (IKE and IPsec algorithms, Diffie-Hellman groups and SA lifetimes) that the NGFW negotiates with the Azure VPN gateway. To create one, go to VPN, then Other Elements, then VPN Profiles. Define the profile according to the IPsec/IKE parameters published on the Azure support web page for the VPN gateway; the two sides must agree on at least one IKE proposal and one IPsec proposal, or the tunnel will not come up.

For the IKE phase (phase 1), set the parameters as defined by Azure. In the screenshot, the right-hand side shows the Next Generation Firewall settings and the left-hand side the Azure settings.

For the IPsec SA (phase 2), set the parameters as defined on the Azure web page. Note that in some cases phase 2 rekeying can cause problems, with the symptom that the VPN keeps disconnecting. In that case we recommend configuring a longer IPsec tunnel lifetime on the NGFW end than on the Azure end. This ensures that the Azure end always expires first and initiates the new session key negotiation. A value of 75 minutes on the NGFW end has worked fine; check the current default IPsec SA lifetime of the Azure VPN gateway in the Azure documentation and keep the NGFW lifetime above it.
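The Azure side of this configuration, which the document leaves to the Azure portal, as an added example that is not part of the original document: it builds the Production site gateway with the Azure PowerShell Az module and pins the IKE/IPsec policy that the SMC VPN profile must mirror, including the phase 2 lifetime the paragraph above discusses. Resource group, region, resource names, subnet layout, gateway SKU and the chosen algorithms are assumptions; only the NGFW endpoint address and the network prefixes come from the deployment scenario.

```powershell
# Added example, not part of the Forcepoint document: the Azure side of the
# route-based VPN, built with the Azure PowerShell Az module (Az.Network).
# Resource group, region, resource names, subnet layout and the chosen
# proposals are assumptions; the NGFW public endpoint (5.196.241.117) and
# the Azure/on-premises prefixes come from the document's scenario.

$rg  = "ngfw-vpn-rg"   # assumed resource group
$loc = "westeurope"    # assumed region

# Take the pre-shared key from the operator rather than hard-coding it in a
# script; the identical value goes into the route-based VPN tunnel in the SMC.
$pskSecure = Read-Host -Prompt "Pre-shared key for the tunnel" -AsSecureString
$psk = [System.Net.NetworkCredential]::new("", $pskSecure).Password

New-AzResourceGroup -Name $rg -Location $loc -Force | Out-Null

# VNet for the Azure "Production Site". A subnet named GatewaySubnet is
# mandatory for the VPN gateway and must lie inside the VNet address space.
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix "10.10.10.224/27"
$wlSubnet = New-AzVirtualNetworkSubnetConfig -Name "workload" -AddressPrefix "10.10.10.0/25"
$vnet = New-AzVirtualNetwork -Name "prod-vnet" -ResourceGroupName $rg -Location $loc `
    -AddressPrefix "10.10.10.0/24","192.168.221.0/24" -Subnet $gwSubnet,$wlSubnet

# Route-based (IKEv2) VPN gateway with a static Standard-SKU public IP.
# Creating the gateway takes 30-45 minutes.
$gwPip = New-AzPublicIpAddress -Name "prod-vpngw-pip" -ResourceGroupName $rg -Location $loc `
    -Sku Standard -AllocationMethod Static
$gwSubnetId = (Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet).Id
$gwIpConf = New-AzVirtualNetworkGatewayIpConfig -Name "gwipconf" -SubnetId $gwSubnetId -PublicIpAddressId $gwPip.Id
$vpnGw = New-AzVirtualNetworkGateway -Name "prod-vpngw" -ResourceGroupName $rg -Location $loc `
    -IpConfigurations $gwIpConf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# Local network gateway: the NGFW as Azure sees it, i.e. its public endpoint
# and the on-premises prefixes behind it (the NGFW gateway's Site in the SMC).
$lng = New-AzLocalNetworkGateway -Name "forcepoint-ngfw" -ResourceGroupName $rg -Location $loc `
    -GatewayIpAddress "5.196.241.117" -AddressPrefix "192.168.11.0/24","192.168.252.0/24"

# Custom IKE/IPsec policy. Every value here must be mirrored in the SMC VPN
# profile (including PFS with DH group 14). The phase 2 lifetime is pinned to
# 3600 s so that the longer NGFW lifetime (75 min = 4500 s in the document)
# leaves Azure as the side that always expires first and rekeys.
$policy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
    -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup PFS2048 `
    -SALifeTimeSeconds 3600 -SADataSizeKilobytes 102400000

# The connection binds gateway, peer, PSK and policy together.
New-AzVirtualNetworkGatewayConnection -Name "prod-to-ngfw" -ResourceGroupName $rg -Location $loc `
    -VirtualNetworkGateway1 $vpnGw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
    -SharedKey $psk -IpsecPolicies $policy | Out-Null

# This address is the endpoint to enter on the External VPN Gateway in the SMC.
(Get-AzPublicIpAddress -Name $gwPip.Name -ResourceGroupName $rg).IpAddress
```

The Test site is a second VNet, VPN gateway and connection built the same way, which is why the document ends up with two external endpoints in one route-based VPN. The pre-shared key must be identical on the SMC tunnel, and the IP address printed at the end is what goes into the External VPN Gateway endpoint in the SMC.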

Keep this lifetime consideration in mind when configuring the route-based VPN with Azure.

CREATE ROUTE-BASED VPN

The NGFW Gateway element is now ready to be added to the route-based VPN. Open the VPN configuration, go to Route-Based VPN and edit the route-based VPN as shown.

Add new gateway properties and set the options as follows:

Tunnel type: VPN
VPN Profile: the one created earlier, Azure Profile
Pre-shared key: the same key that is configured on the Azure connection
Local gateway and the correct tunnel interface for each remote endpoint
Remote endpoint: the external Azure gateway endpoint

After you have created the tunnels, proceed to the next step, creating the firewall rules.

CREATE THE APPROPRIATE FIREWALL RULES

Once the endpoints and the VPN are configured, you only need to set up the rules that grant your users access through the VPN. Create firewall rules that allow traffic from your networks to the Azure cloud networks and vice versa. Routing takes care of directing the traffic to the correct tunnel interface, so these are ordinary Allow rules.

In this case, as shown, there are two rule sections within the same VPN: traffic for the test environment and traffic for the production environment. This way the same VPN serves both environments and you do not need to create separate VPNs. You could also merge both rule sections, but firewall best practice is to keep separate rules for each environment for easier management.

TEST THE ENVIRONMENT

As the final action, install the firewall policy on the firewall in question using the Save and Install button at the top right. Once the policy is installed, generate traffic from both sides as allowed by your policy and check the corresponding logs. Look for errors in tunnel creation and for the expected allowed connections. If you need more detail on the tunnel negotiation, turn on VPN Diagnostics; the negotiation details are where mismatched proposals, a wrong pre-shared key or lifetime problems show up.
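The same check from the Azure side, as an added example that is not part of the original document: it polls the connection with the Az module until Azure reports the tunnel as connected, then returns the per-direction byte counters and the enforced IPsec policy for comparison with the SMC VPN profile. Resource group and connection name are assumed placeholders.

```powershell
# Added example, not part of the Forcepoint document: verify the Azure side of
# the tunnel with the Az module after the NGFW policy has been installed.
# Resource group and connection name are assumed placeholders.
function Test-NgfwTunnel {
    param(
        [string]$ResourceGroup  = "ngfw-vpn-rg",    # assumed
        [string]$ConnectionName = "prod-to-ngfw",   # assumed
        [int]$TimeoutSeconds    = 300
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $c = Get-AzVirtualNetworkGatewayConnection -Name $ConnectionName -ResourceGroupName $ResourceGroup
        if ($c.ConnectionStatus -eq "Connected") { break }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)

    # Status "Connected" only proves that IKE/IPsec negotiated. Counters that
    # grow in one direction only point at the firewall rules or the routing on
    # one side, not at the VPN profile.
    [pscustomobject]@{
        Status       = $c.ConnectionStatus
        IngressBytes = $c.IngressBytesTransferred
        EgressBytes  = $c.EgressBytesTransferred
        # The policy Azure enforces, to compare line by line with the SMC VPN
        # profile when the status stays NotConnected.
        IpsecPolicy  = ($c.IpsecPolicies | Format-List | Out-String)
    }
}

# Generate traffic from both sides first, as the document describes, then:
Test-NgfwTunnel | Format-List
```

Run it once with no traffic and once after generating traffic from both sides: a status that flips to Connected while one counter stays at zero points at policy or routing rather than at the IKE/IPsec settings, and a status that never leaves NotConnected is the case for VPN Diagnostics on the NGFW.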