Settings for firewall FWB3

The configuration of firewall FWB3 mirrors the one created for firewall FWA3.

Following the method described for configuring firewall FWA1, define the elements below:

Virtual IPSec interface

  • Name: FWB3_FWA3_VTI in the example,
  • IP address: 192.168.103.2 in the example,
  • Mask: 255.255.255.252 in the example.

Static routing

Even though, in this configuration, the firewall performs routing in the filter policy (Policy Based Routing), a default route or an explicit static route to the remote network still needs to be defined.

The firewall first checks that it has a route to the remote site, and only then looks up its filter policy. If no route exists, the packets are rejected.

Return routes

Return route to firewall FWA3

  • Gateway: create the network object corresponding to the virtual IPSec interface of firewall 3 on site A (FWB3_FWA3_VTI_GW with the IP address 192.168.103.1 in the example),
  • Interface: select the local virtual interface defined for the IPSec tunnel between firewalls 3 on sites B and A (FWB3_FWA3_VTI in the example).

Enable the route by double-clicking in the Status column.

Return route to firewall FWB1

  • Gateway: create the network object corresponding to firewall 1 on site B (FWB1 in the example),

NOTE
The MAC address of firewall FWB1 must be declared in this network object.

  • Interface: select the interface on firewall FWB3 through which return packets will be transported to firewall FWB1 ("In" in the example).

Enable the route by double-clicking in the Status column.

Filter rule

  • Action: Pass,
  • Source hosts: LAN_Site_A in the example,
  • Destination hosts: LAN_Site_B in the example,
  • Destination port: Any in the example.

IPSec policy

  • Peer: create an object corresponding to the public IP address of firewall FWA3,
  • Local network: select the object corresponding to the local virtual IPSec interface (Firewall_FWB3_FWA3_VTI in the example),
  • Remote network: select the object corresponding to the remote virtual IPSec interface (FWB3_FWA3_VTI_GW in the example).
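As an added example (not Stormshield's code and not part of the original note), the following Python script checks that the VTI pair described above forms a consistent /30 and models the order stated under Static routing: route lookup before filter policy. The LAN_Site_A and LAN_Site_B prefixes are constructed placeholders, since the note gives only the object names.

```python
import ipaddress

# Values from the page: FWB3's virtual IPSec interface and the gateway object
# that points at FWA3's VTI address.
FWB3_FWA3_VTI = "192.168.103.2/255.255.255.252"
FWB3_FWA3_VTI_GW = "192.168.103.1"

# Constructed placeholders for LAN_Site_A and LAN_Site_B: the page names the
# objects but does not give their addresses.
LAN_SITE_A = "10.10.0.0/24"
LAN_SITE_B = "10.20.0.0/24"

# Routes FWB3 holds: the route to the remote site through the VTI (return route
# to FWA3) and the return route to FWB1 on interface "In".
ROUTES = [
    (LAN_SITE_A, "FWB3_FWA3_VTI_GW on FWB3_FWA3_VTI"),
    (LAN_SITE_B, "FWB1 on In"),
]
# The single filter rule from the page; stateful reply matching is not modelled.
RULES = [("pass", LAN_SITE_A, LAN_SITE_B)]


def check_vti_pair(local_vti, gateway):
    """Return the problems found in a /30 VTI pairing (empty list: consistent)."""
    local = ipaddress.ip_interface(local_vti)
    gw = ipaddress.ip_address(gateway)
    problems = []
    if local.network.prefixlen != 30:
        problems.append(f"mask is /{local.network.prefixlen}, expected /30")
    if gw not in local.network:
        problems.append(f"gateway {gw} is outside {local.network}")
    if gw == local.ip:
        problems.append("gateway equals the local VTI address")
    return problems


def forward_decision(src, dst, routes, rules):
    """Model the order the note describes: route lookup first, filter policy second."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Step 1: no route to the destination means the packet is rejected before
    # the filter policy is consulted, even if a rule would pass it.
    matches = [(ipaddress.ip_network(n), via) for n, via in routes
               if dst in ipaddress.ip_network(n)]
    if not matches:
        return "rejected: no route to destination"
    _, via = max(matches, key=lambda m: m[0].prefixlen)  # longest prefix wins
    # Step 2: the first matching filter rule decides.
    for action, s, d in rules:
        if src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d):
            return f"{action} via {via}"
    return "blocked: no matching filter rule"
```

Dropping the LAN_Site_B route (as in `forward_decision("10.10.0.5", "10.20.0.7", ROUTES[:1], RULES)`) shows the packet being rejected even though the filter rule would pass it.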