Configuring the FW-LILLE firewall

Creating objects corresponding to LANs at the PARIS and LILLE sites

  1. Go to Configuration > Objects > Network.
  2. Click on Add.
  3. In the column on the left side of the object creation window, select Network.
  4. Specify the Object name (LIL-LAN in this example).
  5. Enter the Network IP address in the form of a network/mask. The network mask can be entered in CIDR or decimal format.
  6. Click on Create and duplicate.
  7. Repeat steps 4 and 5 to create the object PAR-LAN.
  8. Click on Create.

Creating objects corresponding to the LILLE WAN gateways/links

  1. Go to Configuration > Objects > Network.
  2. Click on Add.
  3. In the column on the left side of the object creation window, select Host.
  4. Specify the Object name (LIL-WAN-1 in this example).
  5. Enter its IPv4 address.
  6. Click on Create and duplicate.
  7. Repeat steps 4 and 5 to create the object LIL-WAN-2.
  8. Click on Create.

Creating objects corresponding to the PARIS WAN gateways/links

  1. Go to Configuration > Objects > Network.
  2. Click on Add.
  3. In the column on the left side of the object creation window, select Host.
  4. Specify the Object name (PAR-WAN-1 in this example).
  5. Enter the public IPv4 address of the PARIS site's WAN-1 link.
  6. Click on Create and duplicate.
  7. Repeat steps 4 and 5 to create the object PAR-WAN-2 with the public IPv4 address of the PARIS site's WAN-2 link.
  8. Click on Create.

Creating virtual IPsec interfaces for the LILLE site

  1. Go to Configuration > Network > Virtual interfaces.
  2. Click on Add.
  3. Switch the Status of the interface to Enabled.
  4. Indicate the Name of the virtual IPsec interface (LIL-VTI-1 in this example).
  5. Indicate the IPv4 address and network mask of this interface (10.255.1.1/255.255.255.252 in this example).
  6. Click on Apply.
  7. Repeat steps 2 to 6 to create the second virtual IPsec interface (LIL-VTI-2 and 10.255.2.1/255.255.255.252 in this example).
  8. Click on Apply.

Creating objects corresponding to the virtual IPsec interfaces of the PARIS firewall

  1. Go to Configuration > Objects > Network.
  2. Click on Add.
  3. In the column on the left side of the object creation window, select Host.
  4. Specify the Object name (PAR-VTI-1 in this example).
  5. Enter the IPv4 address of the virtual IPsec interface (10.255.1.2/255.255.255.252 in this example).
  6. Click on Create and duplicate.
  7. Repeat steps 4 and 5 to create the object PAR-VTI-2 with the IP address 10.255.2.2/255.255.255.252 in this example.
  8. Click on Create.

Creating return routes for the FW-LILLE virtual IPsec interfaces

  1. Go to Configuration > Network > Routing, IPv4 return routes tab.
  2. Click on Add.
  3. Switch the Status of the return route to Enabled.
  4. Indicate the remote Gateway of this return route (PAR-VTI-1 in this example).
  5. Indicate the local virtual IPsec interface to be used for this return route (LIL-VTI-1 in this example).
  6. Repeat steps 2 to 5 with the following elements:
    • Gateway: PAR-VTI-2,
    • Interface: LIL-VTI-2.
  7. Click on Apply.

Creating the static routes required for setting up IPsec tunnels

This step involves defining a static route to each physical remote interface in such a way that:

  • The first tunnel sets up between the links LIL-WAN-1 and PAR-WAN-1,
  • The second tunnel sets up between the links LIL-WAN-2 and PAR-WAN-2.

To do so:

  1. Go to Configuration > Network > Routing > Static routing tab.
  2. Click on Add.
  3. Switch the Status of the route to On.
  4. For the Destination network, select the object corresponding to the PARIS site's WAN 1 access link (PAR-WAN-1 in the example).
  5. For the local Interface that needs to be used for this route, select the interface corresponding to the LILLE WAN 1 access link (WAN-1 in this example).
  6. For the gateway that needs to be used for this route, select the object LIL-WAN-1.
  7. Repeat steps 2 to 6 with the following elements:
    • Destination network: PAR-WAN-2,
    • Interface: WAN-2,
    • Gateway: LIL-WAN-2.
  8. Click on Apply.

These routes will then resemble the following:

Creating the router object to use in the route to the PARIS site's LAN

  1. Go to Configuration > Objects > Network.
  2. Click on Add.
  3. In the column on the left side of the object creation window, select Router.

General properties

  1. Name the object (e.g., ROUTER-LILLE-VTI-FAILOVER or ROUTER-LILLE-VTI-LB depending on the chosen routing option).

Monitoring

  1. For the Detection method, select ICMP.
  2. Adjust the Timeout (s) as needed.
  3. Adjust the Interval (s) as needed.
  4. Adjust the number of Failures before degradation (3 by default).

SD-WAN SLA (thresholds)

  1. Select SD-WAN SLA (thresholds).
  2. Adjust the Latency (ms) as needed.
  3. Adjust the Jitter (ms) as needed.
  4. Adjust the Packet loss rate (%) as needed.
  5. Do not enter an Unavailability rate (%).

Gateways

  1. In the Gateways used tab, click on Add.
  2. In the Gateway column, select the object PAR-VTI-1.
  3. In the Device(s) for testing availability column, select Test the gateway directly.
  4. If you select the load balancing option: repeat steps 1 to 3 of this Gateways section to add the object PAR-VTI-2.
  5. If you select the failover option:
    1. In the Backup gateways tab, click on Add.
    2. In the Gateway column, select the object PAR-VTI-2.
    3. In the Device(s) for testing availability column, select Test the gateway directly.

Advanced properties

  1. In Advanced properties, for the Load balancing field value:
    1. Depending on your requirements, select By connection or By source IP address if you have chosen the load balancing option.
    2. Select No load balancing if you have chosen the failover option.
  2. For Enable backup gateways, select When all gateways cannot be reached.
  3. IMPORTANT
    For the If no gateways are available field, select Do not route regardless of your routing choice.
    This prevents traffic from being sent unencrypted to unprotected networks, such as the Internet, if no gateways are available.
  4. Click on Apply then Save.
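To see how the router object settings above interact (ICMP monitoring, SLA thresholds, backup gateways, and the "If no gateways are available" choice), the following is an added Python model written for this page; it is not Stormshield code, and the SLA threshold values, the probe samples and the simplified "usable gateway" rule are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class Probe:
    """One monitoring sample for a gateway (constructed values, not real measurements)."""
    failures: int        # consecutive lost ICMP probes
    latency_ms: float
    jitter_ms: float
    loss_pct: float

@dataclass
class RouterObject:
    """Simplified model of the router object settings used on this page."""
    gateways: List[str]                                        # "Gateways used"
    backup_gateways: List[str] = field(default_factory=list)   # "Backup gateways" (failover)
    failures_before_degradation: int = 3
    sla_latency_ms: float = 150.0          # assumed SLA thresholds
    sla_jitter_ms: float = 30.0
    sla_loss_pct: float = 5.0
    if_no_gateway: str = "do_not_route"    # or "default_route"

    def usable(self, p: Probe) -> bool:
        """Assumed rule: a gateway is usable when monitoring is up and every SLA threshold is met."""
        return (p.failures < self.failures_before_degradation
                and p.latency_ms <= self.sla_latency_ms
                and p.jitter_ms <= self.sla_jitter_ms
                and p.loss_pct <= self.sla_loss_pct)

    def select(self, probes: Dict[str, Probe]) -> Tuple[str, List[str]]:
        """Return (action, next_hops). Backups are only tried once all main gateways
        are unusable, i.e. 'Enable backup gateways: When all gateways cannot be reached'."""
        main = [g for g in self.gateways if self.usable(probes[g])]
        if main:
            return ("route", main)
        backup = [g for g in self.backup_gateways if self.usable(probes[g])]
        if backup:
            return ("route", backup)
        # No VTI reachable: 'Do not route' drops the packet instead of handing it to the
        # default route, which would send PAR-LAN traffic to the Internet unencrypted.
        return ("drop", []) if self.if_no_gateway == "do_not_route" else ("default_route", [])

# Constructed probe samples
GOOD = Probe(failures=0, latency_ms=40, jitter_ms=5, loss_pct=0)
DOWN = Probe(failures=3, latency_ms=0, jitter_ms=0, loss_pct=100)
LOSSY = Probe(failures=0, latency_ms=40, jitter_ms=5, loss_pct=12)   # up, but outside SLA

FAILOVER = RouterObject(gateways=["PAR-VTI-1"], backup_gateways=["PAR-VTI-2"])
LOAD_BALANCE = RouterObject(gateways=["PAR-VTI-1", "PAR-VTI-2"])
```

Calling `FAILOVER.select({"PAR-VTI-1": DOWN, "PAR-VTI-2": LOSSY})` yields `("drop", [])`, whereas the same object with `if_no_gateway="default_route"` would yield `("default_route", [])`, which is the case the IMPORTANT note above guards against.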

Using this object in routing to reach the PARIS site's LAN

Static routing with failover

  1. Go to Configuration > Network > Routing > Static routing tab.
  2. Click on Add.
  3. Switch the Status of the route to Enabled.
  4. For the Destination network, select the object corresponding to the PARIS site's LAN (PAR-LAN in the example).
  5. Do not select any interface.
  6. For the gateway that needs to be used for this route, select the router object that was configured with failover (ROUTER-LILLE-VTI-FAILOVER in this example).
  7. Click on Apply.

This route will then look like this:

Policy-based routing with load balancing

  1. Go to Configuration > Security policy > Filter - NAT, Filtering tab.
  2. Click on New rule > Single rule.
  3. Double-click in any column in this rule.
  4. General menu on the left: switch the Status of the rule to On.
  5. Action menu on the left, General tab:
    1. General section: set the Action to pass.
    2. Routing section: select the router object that was configured earlier (ROUTER-LILLE-VTI-LB in this example).
  6. Source menu on the left: double-click on the Any object and replace it with the object corresponding to the local network of the LILLE site (LIL-LAN in this example).
  7. Destination menu on the left: double-click on the Any object and replace it with the object corresponding to the local network of the PARIS site (PAR-LAN in this example).
  8. Port/Protocol menu on the left: add to the grid the Destination ports of the various objects corresponding to the ports to be allowed in this filter rule.
  9. Inspection menu on the left: we recommend leaving the default Inspection level, IPS.
  10. Click on OK.
  11. Click on Apply.

This filter rule will then look like this:

Setting the IPsec peers of the PARIS site

These peers are remote gateways.

In this example, pre-shared key authentication is used.

In order for one of the two FW-LILLE WAN links to be used when the tunnel is initialized, the value of the Local address field has to be Any. Similarly, the DPD (Dead Peer Detection) option has to be set to High to force the IPsec tunnel to be renegotiated as quickly as possible when the link is down.

  1. Go to Configuration > VPN > IPsec VPN > Peers tab.
  2. Click on Add, then on New remote gateway.
  3. In the Remote gateway field, select the object corresponding to the FW-PARIS firewall's first public IP address (PAR-WAN-1 in the example).
  4. Enter a name for this peer (PAR-WAN-1 in the example).
  5. Select the IKEv2 version.
  6. Choose the IKE profile to use.
  7. Click on Next.
  8. For the Authentication type, select Pre-shared key (PSK).
  9. Set the Pre-shared key and confirm it.
  10. Click on Next.
    You will be shown a summary of the peer's details.
  11. Click on Finish.
    Details on the peer are shown.
  12. Ensure that the value of the Local address is Any.
  13. In the Advanced properties section, set the DPD field to High.
  14. Confirm changes by clicking on Apply then on Save.
  15. Repeat steps 2 to 14 to create the peer based on the FW-PARIS firewall's second public IP address (PAR-WAN-2 in this example).
  16. Changes can be applied immediately by clicking on Yes, activate the policy.

Creating the IPsec policy to set up tunnels with the PARIS site

  1. Go to Configuration > VPN > IPsec VPN > Encryption Policy - Tunnels tab > Site-to-site (gateway-gateway) tab.
  2. Click on Add, then on Standard site-to-site tunnel.
  3. In the Local resources field, select the traffic endpoint of the LILLE site: this is FW-LILLE's first virtual IPsec interface (network object Firewall_LIL-VTI-1 in the example).
  4. In the Peer selection field, select the first peer that was created for the PARIS firewall (host object PAR-WAN-1 in the example).
  5. In the Remote networks field, select the traffic endpoint of the PARIS site: this is FW-PARIS's first virtual IPsec interface (network object PAR-VTI-1 in the example).
  6. Click on Finish.
  7. Click in the Keepalive column and select a duration from the drop-down menu (600 ms in the example).
    This setting determines how long to keep the tunnel up even when it is not in use.
  8. Double-click in the Status column to enable this rule in the IPsec policy.
  9. Repeat steps 2 to 8 to create the tunnel between LIL-VTI-2 and PAR-VTI-2.
  10. Click on Apply, then Save to save the changes made to the configuration.
  11. Changes can be applied immediately by clicking on Yes, activate the policy.

On the FW-LILLE firewall, the IPsec policy between the LILLE and PARIS sites is therefore:

Creating the filter rule to enable monitoring of VTIs at the PARIS site

  1. Go to Configuration > Security policy > Filter - NAT, Filtering tab.
  2. Click on New rule > Single rule.
  3. Double-click in any column in this rule.
  4. General menu on the left: switch the Status of the rule to On.
  5. Action menu, General tab: set the Action to pass.
  6. Source menu on the left: leave the Any object suggested by default.
  7. Destination menu on the left: double-click on the Any object and replace it with the objects corresponding to the VTIs of the PARIS site (PAR-VTI-1 and PAR-VTI-2 in this example).
  8. Port/Protocol menu on the left: for the IP protocol field in the Protocol section, select the icmp object.
  9. Inspection menu on the left: we recommend leaving the default Inspection level, IPS.
  10. Click on OK.
  11. Click on Apply.

Creating the filter rule to enable dialogue between the LILLE and PARIS sites

  1. Go to Configuration > Security policy > Filter - NAT, Filtering tab.
  2. Click on New rule > Single rule.
  3. Double-click in any column in this rule.
  4. General menu on the left: switch the Status of the rule to On.
  5. Action menu, General tab: set the Action to pass.
  6. Source menu on the left: double-click on the Any object and replace it with the object corresponding to the local PARIS network (PAR-LAN in this example).
  7. Destination menu on the left: double-click on the Any object and replace it with the object corresponding to the local LILLE network (LIL-LAN in this example).
  8. Port/Protocol menu on the left: add to the grid the Destination ports of the various objects corresponding to the ports to be allowed in this filter rule.
  9. Inspection menu on the left: we recommend leaving the default Inspection level, IPS.
  10. Click on OK.
  11. Repeat steps 2 to 10 with the LIL-LAN object as the source, and the PAR-LAN object as the destination.
  12. NOTE
    The second rule does not need to be created if you have used policy-based routing to reach the PARIS LAN.
  13. Click on Apply.