Settings for firewall FWB1

The configuration of firewall FWB1 mirrors the one created for firewall FWA1.

Following the method described for configuring firewall FWA1, define the elements below:

Virtual IPSec interface

  • Name (FWB1_FWA1_VTI in the example),
  • IP address (192.168.101.2 in the example),
  • Mask (255.255.255.252 in the example).

Static routing

Even though, in this configuration, the firewall performs routing in the filter policy (Policy-Based Routing), a default route or an explicit static route to the remote network still needs to be defined.

The firewall's first action is to check that it has a route to the remote site, and only then does it look up its filter policy. If no route exists, the packets are rejected.
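The ordering described above, as an added example (not Stormshield's code): a small model of the forwarding decision on FWB1 with the page's route and rule objects. The site LAN prefixes, the networks behind FWB2 and FWB3, the default route and the optional `route` field on the filter rule are assumptions; the page only names the objects.

```python
import ipaddress

# Constructed sample values. The page names the objects LAN_Site_A and
# LAN_Site_B only; their prefixes and the networks behind FWB2/FWB3 are assumed.
LAN_SITE_A = ipaddress.ip_network("10.1.0.0/16")
LAN_SITE_B = ipaddress.ip_network("10.2.0.0/16")

# FWB1 static routes from the page: (prefix, outgoing interface, gateway object).
RETURN_ROUTES = [
    (ipaddress.ip_network("192.168.101.1/32"), "FWB1_FWA1_VTI", "FWB1_FWA1_VTI_GW"),
    (ipaddress.ip_network("10.2.1.0/24"), "Dmz1", "FWB2"),   # assumed LAN behind FWB2
    (ipaddress.ip_network("10.2.2.0/24"), "Dmz2", "FWB3"),   # assumed LAN behind FWB3
]
DEFAULT_ROUTE = (ipaddress.ip_network("0.0.0.0/0"), "out", "ISP_GW")  # assumed

# Filter rule from the page; "route" is an optional PBR gateway (assumed field).
FILTER_RULES = [
    {"action": "pass", "src": LAN_SITE_A, "dst": LAN_SITE_B, "route": None},
]

def lookup_route(routes, dst):
    """Longest-prefix match over the static routing table; None when no route."""
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def forward(routes, rules, src, dst):
    """Return (verdict, next_hop) for one packet src -> dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    route = lookup_route(routes, dst)
    if route is None:
        return ("reject", None)  # route check comes first: no route, no policy lookup
    for rule in rules:
        if src in rule["src"] and dst in rule["dst"]:
            if rule["action"] != "pass":
                return ("block", None)
            # PBR: a gateway set on the rule overrides the routing-table next hop.
            return ("pass", rule["route"] or route[2])
    return ("block", None)  # implicit deny when no rule matches

if __name__ == "__main__":
    print(forward(RETURN_ROUTES, FILTER_RULES, "10.1.0.5", "10.2.1.9"))
    print(forward(RETURN_ROUTES, FILTER_RULES, "10.1.0.5", "10.2.5.9"))
    print(forward(RETURN_ROUTES + [DEFAULT_ROUTE], FILTER_RULES, "10.1.0.5", "10.2.5.9"))
```

The second call is the failure mode the page warns about: the packet matches the pass rule, but with no route covering 10.2.5.9 it is rejected before the policy is consulted; adding the default route makes the same packet pass.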

Return routes

Return route to firewall FWA1

  • Gateway: create the network object corresponding to the virtual IPSec interface of firewall 1 on site A (FWB1_FWA1_VTI_GW with the IP address 192.168.101.1 in the example),
  • Interface: select the local virtual interface defined for the IPSec tunnel between firewalls 1 on sites B and A (FWB1_FWA1_VTI in the example).

Enable the route by double-clicking in the Status column.


Return route to firewall FWB2

  • Gateway: create the network object corresponding to firewall 2 on site B (FWB2 in the example),

NOTE
The MAC address of firewall FWB2 must be declared in this network object.

  • Interface: select the interface on firewall FWB1 through which return packets will be transported to firewall FWB2 (Dmz1 in the example).

Enable the route by double-clicking in the Status column.


Return route to firewall FWB3

  • Gateway: create the network object corresponding to firewall 3 on site B (FWB3 in the example),

NOTE
The MAC address of firewall FWB3 must be declared in this network object.

  • Interface: select the interface on firewall FWB1 through which return packets will be transported to firewall FWB3 (Dmz2 in the example).

Enable the route by double-clicking in the Status column.

Filter rule

  • Status: On,
  • Action: Pass,
  • Source hosts: LAN_Site_A in the example,
  • Destination hosts: LAN_Site_B in the example,
  • Destination port: Any in the example.

IPSec policy

  • Peer: Site_FWA1 in the example,
  • Local network: select the object corresponding to the virtual IPSec interface on firewall FWB1 (Firewall_FWB1_FWA1_VTI in the example),
  • Remote network: select the object corresponding to the virtual IPSec interface on firewall FWA1 (FWB1_FWA1_VTI_GW in the example).