Configuring the FW-LILLE firewall

Follow all the steps required to configure the LILLE firewall, as described in the section Configuring the FW-LILLE firewall from the example that deals with IPsec tunnels based on virtual IPsec (VTI) interfaces.

As indicated in the header of this section, the failover option is imperative when creating the router object that is used in the route to the PARIS site's LAN.

The following paragraphs explain the specific settings in a hub and spoke configuration.

Using the router object in routing to reach the PARIS site's LAN

Default route option

  1. Go to Configuration > Network > Routing.
  2. In the Default gateway field, select the router object that was created earlier.
  3. Click on Apply then Save.

Static routing option

  1. Go to Configuration > Network > Routing > Static routing tab.
  2. Click on Add.
  3. Switch the Status of the return route to Enabled.
  4. For the Destination network, select the object corresponding to the PARIS site's LAN (PAR-LAN in the example).
  5. Do not select any interface.
  6. For the gateway that needs to be used for this route, select the router object that was created earlier.
  7. Click on Apply.

Policy-based routing (PBR) option

  1. Go to Configuration > Security policy > Filter - NAT, Filtering tab.
  2. Click on New rule > Single rule.
  3. Double-click in any column in this rule.
  4. General menu on the left: switch the Status of the rule to On.
  5. Action menu on the left, General tab:
    1. General section: set the Action to pass.
    2. Routing section: select the router object that was created earlier.
  6. Source menu on the left: select the object corresponding to the LILLE site's local network (LIL-LAN in this example).
  7. Destination menu on the left: select the object corresponding to the PARIS site's local network (PAR-LAN in this example).
  8. Port/Protocol menu on the left: add to the grid the Destination ports of the various objects corresponding to the ports to be allowed in this filter rule.
  9. Inspection menu on the left: we recommend leaving the default Inspection level, IPS.
  10. Click on OK.
  11. Click on Apply.

Creating address translation (NAT) rules for traffic towards the Internet

  1. Go to Configuration > Security policy > Filter - NAT, NAT tab.

First LILLE WAN access link

  1. Click on New rule > Single rule.
  2. Double-click in any column in this rule.
  3. General menu on the left: switch the Status of the rule to On.
  4. Original source menu on the left, Source hosts grid: double-click on the Any object and replace it with the object corresponding to the PARIS LAN (PAR-LAN in this example).
  5. Original destination menu on the left:
    1. In the General tab, Destination hosts grid: double-click on the object Any and replace it with the object Internet.
    2. In the Advanced properties tab, Outgoing interface field: select the object corresponding to the first LILLE WAN interface (WAN-1 in the example).
  6. Translated source menu on the left:
    1. Translated source host field: select the object corresponding to the first public IP address of the firewall (Firewall_WAN-1 in this example).
    2. Translated source port field: select the object ephemeral_fw.
    3. Select Choose random translated source port.
  7. Options menu on the left: select ‎NAT inside IPsec tunnel (before encryption, after decryption).
  8. Click on OK.

Repeat steps 2 to 9 to create the NAT rules corresponding to the two other WAN access links of the LILLE site with the following objects:

Second LILLE WAN access link

Field Value
Original source - Destination hosts PAR-LAN
Original destination - Destination hosts Internet
Original destination - Outgoing interface WAN-2
Translated source - Translated source host Firewall_WAN2

Third LILLE WAN access

Field Value
Original source - Destination hosts PAR-LAN
Original destination - Destination hosts Internet
Original destination - Outgoing interface WAN-3
Translated source - Translated source host Firewall_WAN3

The translation rules on the LILLE firewall will therefore look like this: