Configuring the FW-LILLE firewall

Creating objects corresponding to LANs at the LILLE and LYON sites

  1. Go to Configuration > Objects > Network.
  2. Click on Add.
  3. In the column on the left side of the object creation window, select Network.
  4. Specify the Object name (LIL-LAN in this example).
  5. Enter the Network IP address in the form of a network/mask. The network mask can be entered in CIDR or decimal format.
  6. Click on Create and duplicate.
  7. Repeat steps 4 and 5 to create the object LYO-LAN.
  8. Click on Create.

Creating 3 objects corresponding to the LILLE WAN gateways/links

  1. Go to Configuration > Objects > Network.
  2. Click on Add.
  3. In the column on the left side of the object creation window, select Host.
  4. Specify the Object name (LIL-WAN-1 in this example).
  5. Enter its IPv4 address.
  6. Click on Create and duplicate.
  7. Repeat steps 4 to 6 to create the object LIL-WAN-2.
  8. Repeat steps 4 and 5 to create the object LIL-WAN-3.
  9. Click on Create.

Creating the object corresponding to the FW-LYON firewall

  1. Go to Configuration > Objects > Network.
  2. Click on Add.
  3. In the column on the left side of the object creation window, select Host.
  4. Specify the Object name (FW-LYON in this example).
  5. Enter the public IPv4 address of the LYON site's WAN link.
  6. Click on Create.

Creating the router object that will be the default route

  1. Go to Configuration > Objects > Network.
  2. Click on Add.
  3. In the column on the left side of the object creation window, select Rrouter.

General properties

  1. Name the object (e.g., DEFAULT-ROUTER-LILLE).

Monitoring

For more information on monitoring parameters and SLA thresholds, refer to the SNS user guide.

  1. For the Detection method, select ICMP.
  2. Adjust the Timeout (s) as needed.
  3. Adjust the Interval (s) as needed.
  4. Adjust the number of Failures before degradation (3 by default).

SD-WAN SLA (thresholds)

  1. Select SD-WAN SLA (thresholds).
  2. Adjust the Latency (ms) as needed.
  3. Adjust the Jitter (ms) as needed.
  4. Adjust the Packet loss rate (%) as needed.
  5. Do not enter an Unavailability rate (%).

Gateways

  1. In the Gateways used tab, click on Add.
  2. In the Gateway column, select the object LIL-WAN-1.
  3. In the Device(s) for testing availability column, select Test the gateway directly.
  4. Repeat steps 14 to 16 to add the object LIL-WAN-2.
  5. In the Backup gateways tab, click on Add.
  6. In the Gateway column, select the object LIL-WAN-3.
  7. In the Device(s) for testing availability column, select Test the gateway directly.

Advanced properties

  1. In Advanced properties, select Load balancing No load balancing.
  2. For Enable backup gateways, select When all gateways cannot be reached.
  3. Click on Apply then Save.

Setting this router object as the FW-LILLE firewall's gateway

  1. Go to Configuration > Network > Routing.
  2. In the Default gateway field, select the router object that was created earlier (DEFAULT-ROUTER-LILLE in this example).
  3. Click on Apply then Save.

Setting the IPsec peer for the LYON site

This peer is a remote gateway.

In this example, pre-shared key authentication is used.

  1. Go to Configuration > VPN > IPsec VPN > Peers tab.
  2. Click on Add, then on New remote gateway.
  3. In the Remote gateway field, select the object corresponding to the FW-LYON firewall's public IP address (LYO-WAN-1 in the example).
  4. Enter a name for this peer (FW-LYON in the example).
  5. Select the IKEv2 version.
  6. Choose the IKE profile to use.
  7. Click on Next.
  8. For the Authentication type, select Pre-shared key (PSK).
  9. Set the Pre-shared key and confirm it.
  10. Click on Next.
    You will be shown a summary of the peer's details.
  11. Click on Finish.
    Details on the peer are shown.
  12. Ensure that the value of the Local address is Any.
    13. NOTE
    In order for one of the 3 FW-LILLE WAN links to be used, the value of the Local address field has to be Any.
  13. In the Advanced properties section, set the DPD field to High.
    14. NOTE
    The DPD (Dead Peer Detection) option has to be set to High to force the IPsec tunnel to be renegotiated as quickly as possible when the link is down.
  14. Confirm changes by clicking on Apply then on Save.
  15. Changes can be applied immediately by clicking on Yes, activate the policy.

Creating the IPsec policy to set up the tunnel with the FW-LYON peer

  1. Go to Configuration > VPN > IPsec VPN > Encryption Policy - Tunnels tab > Site-to-site (gateway-gateway) tab.
  2. Click on Add, then on Standard site-to-site tunnel.
  3. In the Local resources field, select the traffic endpoint of the LILLE site (network object LIL-LAN in the example).
    The endpoint may be a network group.
  4. In the Peer selection field, select the peer that was created for the LYON firewall (host object FW-LYON in the example).
  5. In the Remote networks field, select the traffic endpoint of the LYON site (network object LYO-LAN in the example).
    The endpoint may be a network group.
  6. Click on Finish.
  7. Click in the Keepalive column and select a duration from the drop-down menu (600 ms in the example).
    This setting determines how long to keep the tunnel up even when it is not in use.
  8. Double-click in the Status column to enable this rule in the IPsec policy.
  9. Click on Apply, then Save to save the changes made to the configuration.
  10. Changes can be applied immediately by clicking on Yes, activate the policy.

On the FW-LILLE firewall, the IPsec policy between the LILLE and LYON sites is therefore:

Creating the filter rule to enable dialogue between the LILLE and LYON sites

  1. Go to Configuration > Security policy > Filter - NAT, Filtering tab.
  2. Click on New rule > Single rule.
  3. Double-click in any column in this rule.
  4. General menu on the left: switch the Status of the rule to On.
  5. Action menu, General tab: set the Action to pass.
  6. Source menu on the left: select the object corresponding to the LYON local network (LYO-LAN in this example).
  7. Destination menu on the left: select the object corresponding to the LILLE local network (LIL-LAN in this example).
  8. Port/Protocol menu on the left: add to the grid the Destination ports of the various objects corresponding to the ports to be allowed in this filter rule.
  9. Inspection menu on the left: we recommend leaving the default Inspection level, IPS.
  10. Click on OK.
  11. Repeat steps 2 to 10 with the LIL-LAN object as the source, and the LYO-LAN object as the destination.
  12. Click on Apply.