Selecting the output interface of firewalls for VPN topologies

You can select the firewall output interface used as the source in a VPN tunnel. Two steps are required to do this:

  • In the Objects menu, create a Firewall_xx Host object that corresponds to an interface configured in the Configuration > Network > Interfaces menu on the firewall. This object will not be deployed on the firewall. The firewall will use the indicated values in its own Firewall_xx object.

On SNS firewalls, the same parameter is found under Configuration > VPN > IPSec VPN > Peers > Advanced properties > Local Address.

For any firewall, you can choose the output interface that it will use in most VPN topologies. You can define this default output interface in the firewall's parameters. If you need to define a different interface in certain topologies, you can replace the default interface directly in these topologies.

  1. Go to Monitoring > Firewalls, and double click on the firewall.
  2. In the System > IPsec VPN tab, select the desired value for the local address in Default local address. The default value is Any.

The parameter chosen here can be replaced with a different interface in other topologies, as shown in the following section.

  1. In Configuration > VPN topologies, go to step 4 Peers and endpoints configuration when creating or modifying a topology.
  2. Double-click in the Local address column.
  3. In the VPN local address field, select an interface.

Depending on your firewall's routing configuration, create a static route, if necessary, for each peer of the VPN tunnel with the following parameters:

  • destination: peer’s IP address
  • interface: interface dedicated to VPN communications (the same interface as that selected during the procedure above)
  • gateway: the interface’s dedicated gateway for VPN communications

For more information on how to create routes on SMC, refer to the section Configuring the network and routing.