Settings for Firewall FW2
A default route or an explicit static route to the remote network needsto be defined.
The first action that the firewall performs is indeed to check that it has a route to the remote site before looking up its filter policy. The absence of a route will result in packets being rejected.
Create a route that would allow transporting return packets to the original firewall using its MAC address:
Return route to firewall FW1
- Gateway: create the network object corresponding to firewall 1 on the site (FW1 in the example),
The MAC address of firewall FW1 must be declared in this network object.
- Interface: select the interface on firewall FW2 through which return packets will be transported to firewall FW1 ("In" interface in the example).
Enable the route by double-clicking in the Status column.
Enabling the SSL proxy
In the Configuration > Filter and NAT menu, expand the New rule menu and select
SSL inspection rule:
Fill in the fields in the wizard with the following values:
- Source hosts: select the object representing the hosts or network at the source of the HTTPS traffic (object Network_bridge in the example),
- Destination: select Internet,
- Destination port: leave it as the https object.
- Inspection profile: choose the inspection profile to apply (the choice suggested by default applies the profile IPS_00 to incoming traffic and the profile IPS_01 to outgoing traffic),
- SSL filter policy: select the SSL filter policy to apply (default00 in the example),
- Antivirus: enable the antivirus by selecting the value On,
The filter policy will then look like this: