Settings for Firewall FW2

Static routing

A default route or an explicit static route to the remote network needsto be defined.

The first action that the firewall performs is indeed to check that it has a route to the remote site before looking up its filter policy. The absence of a route will result in packets being rejected.

Return route

Create a route that would allow transporting return packets to the original firewall using its MAC address:

 

Return route to firewall FW1

  • Gateway: create the network object corresponding to firewall 1 on the site (FW1 in the example),

NOTE
The MAC address of firewall FW1 must be declared in this network object.

 
  • Interface: select the interface on firewall FW2 through which return packets will be transported to firewall FW1 ("In" interface in the example).

Enable the route by double-clicking in the Status column.

Enabling the SSL proxy

In the Configuration > Filter and NAT menu, expand the New rule menu and select

SSL inspection rule:

 

Fill in the fields in the wizard with the following values:

  • Source hosts: select the object representing the hosts or network at the source of the HTTPS traffic (object Network_bridge in the example),
  • Destination: select Internet,
  • Destination port: leave it as the https object.
  • Inspection profile: choose the inspection profile to apply (the choice suggested by default applies the profile IPS_00 to incoming traffic and the profile IPS_01 to outgoing traffic),
  • SSL filter policy: select the SSL filter policy to apply (default00 in the example),
  • Antivirus: enable the antivirus by selecting the value On,

 

The filter policy will then look like this: