The purpose of this document is to describe the configuration steps needed on the Forcepoint FlexEdge Secure SD-WAN Manager (SMC) to configure two Route-Based VPN (RBVPN) tunnels between Forcepoint FlexEdge Secure SD-WAN Engine (previously Next Generation Firewall or NGFW) and Azure VPN gateways.
For this environment we are using 2 internal networks behind the Secure SD-WAN Engine, which will be connected to the Azure Cloud. On the Azure side there are 2 different sites (Test and Production) with 2 different endpoints. The Test site has two protected networks behind it and the Production site has three networks.
Note: For a Policy-Based VPN with Azure, see How to configure a policy-based VPN between an on-premises Forcepoint NGFW Engine and Microsoft Azure.
The configuration was created using SMC version 7.1.1 and Secure SD-WAN Engine version 7.1.0.
The general workflow for configuring a Route-Based VPN to Azure is divided into two steps. The first step is to configure settings on the SMC for the Forcepoint FlexEdge Secure SD-WAN Engine and consists of the following main tasks:
- Configure the Secure SD-WAN Engine
- Create the External SD-WAN Gateway Elements
- Create an SD-WAN Profile
- Create Route-Based SD-WAN Tunnels
- Add Access Rules to Allow the Traffic
The second step is to configure a Route-Based VPN on the Azure portal. For detailed Azure configuration instructions, refer to the Azure Documentation.
The Forcepoint FlexEdge Secure SD-WAN Engine configuration consists of the following main tasks:
- Configure the Secure SD-WAN Engine
- Create External Gateway for Azure
- Create an SD-WAN Profile
- Create Route-Based SD-WAN Tunnels
- Add Access Rules to Allow the Traffic
The first step is to add the required configuration in the Secure SD-WAN Engine properties. Let's first add the two tunnel interfaces that will be used by the Route-Based Secure SD-WAN Tunnels:
- Log in to SMC with the Management Client
- Open the NGFW Engine element for editing and navigate to Interfaces
- Click the Add button > Tunnel Interface
- Select the Tunnel Interface ID, optionally define the Zone and write a Comment, and click OK
- Add a second tunnel interface by repeating steps 3 and 4
Note: If you are planning to use dynamic routing between the Secure SD-WAN and Azure gateways, make sure to add an IP address to each tunnel interface. The example setup uses static routing.
The second step in the Engine properties is to add routes to the Azure networks:
- Switch to the Routing page on the Engine properties
- Right-click the first tunnel interface and add the relevant Azure networks. In the example setup, the first tunnel interface will be used for Azure production network access, so we add the networks 10.10.10.0/24, 192.168.221.0/24 and 172.16.0.0/12
- Right-click the second tunnel interface and add the relevant Azure networks. In the example setup, this tunnel interface will be used for test environment access, so we add the networks 192.168.251.0/24 and 192.168.252.0/24
Before saving the Secure SD-WAN Engine settings, verify that the external interface is enabled as a VPN endpoint:
- Navigate to SD-WAN > Endpoints on the Engine properties
- Make sure that the Enabled checkbox is set for the external interface endpoint entry
- Click the Save button to save the Engine settings
External SD-WAN Gateway elements represent VPN gateways that are external to the local SMC. As there are two Azure gateways, we need to create two external gateway elements:
- In the Management Client, navigate to Configuration > Secure SD-WAN > SD-WAN Gateways
- Click the New button > External SD-WAN Gateway
- Give a Name for the gateway (e.g. Azure-Production) on the General tab
- Switch to the Endpoints tab and click Add to create a new endpoint; give the endpoint a Name and define its settings to match your Azure production gateway settings
- Click OK to save the endpoint
- Click the Enabled checkbox to enable the endpoint
- Click OK to save the external gateway element
- Repeat the steps to create an external gateway element for the Azure test environment gateway
An SD-WAN (or VPN) Profile element defines settings related to authentication, integrity checking, and encryption. We will create an SD-WAN Profile that matches the settings the Azure VPN gateways support. The default settings are documented on the Microsoft Azure About VPN devices documentation page.
To create an SD-WAN Profile element in SMC:
- In the Management Client, navigate to Configuration > Secure SD-WAN > Other Elements > Profiles > SD-WAN Profiles
- Click the New button > SD-WAN Profile
- Give a Name for the element on the General tab
- Enable settings according to the Azure documentation on the IKE SA tab
- Enable settings according to the Azure documentation on the IPsec SA tab
- Click OK to save the SD-WAN Profile element
The last VPN-related configuration step in SMC is to create the Route-Based VPN Tunnels between the Secure SD-WAN Engine and the two Azure gateways:
- In the Management Client, navigate to Configuration > Secure SD-WAN > Route-Based SD-WAN Tunnels
- Click the New button > Route-Based SD-WAN Tunnel
- Define the Route-Based SD-WAN Tunnel Properties:
  - (Optional) Give a Name for the element
  - Leave Tunnel Type at the default VPN selection
  - Change the SD-WAN Profile to the custom profile created in the previous step
  - The Pre-Shared Key will be generated automatically
  - Select the NGFW gateway element as the Local Gateway and make sure the first tunnel interface is selected in the Interface setting
  - Select the Azure production gateway element as the Remote Gateway
- Click OK to save Route-Based SD-WAN Tunnel
- (Optional) If you wish to use a custom Pre-Shared Key:
  - Open the Route-Based SD-WAN Tunnel element again
  - Click the Edit button next to Pre-Shared Key
  - Define the custom key
  - Click OK to save the key
  - Click OK to save the Route-Based SD-WAN Tunnel
- Repeat steps 3 and 4 to create the second Route-Based SD-WAN Tunnel between the Secure SD-WAN Engine and the Azure test environment gateway
The last configuration needed on the SMC side is to add Access Rules to allow traffic between protected networks:
- In the Management Client, click the Dashboards button > Engines
- Right-click the Secure SD-WAN Engine element > Current Policy > Edit
- Select a suitable spot in the policy and click the ID cell of the rule above > Add Rule After
- Add Access Rules that allow desired traffic between on-premises networks and Azure networks:
Note: The rules needed depend on your setup and requirements. The example rules above were created to allow specific protocol access from the on-prem network to the Azure production network, and full access to the Azure Test Site network, while no access is allowed from the Azure networks to the on-prem networks.
- Click the Save and Install button to install the new configuration on the Secure SD-WAN Engine
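To sanity-check the routing and access-rule design above (the static routes added to the two tunnel interfaces, and the rule set described in the note), here is an added Python model that is not Forcepoint's or the page's own code. It uses the Azure networks from the page; the on-premises networks, the tunnel interface labels and the "specific protocol" (HTTPS) are constructed assumptions. It checks that the static routes do not overlap, resolves which tunnel carries a destination by longest-prefix match, and evaluates a flow against the rules with first-match semantics and a default discard.

```python
import ipaddress
from itertools import combinations
from typing import Optional


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Azure networks from the configuration example, grouped by site.
AZURE_PROD = nets("10.10.10.0/24", "192.168.221.0/24", "172.16.0.0/12")
AZURE_TEST = nets("192.168.251.0/24", "192.168.252.0/24")
# On-premises networks: constructed placeholders, the page does not list them.
ONPREM = nets("10.0.1.0/24", "10.0.2.0/24")

# Static routes as added on the Engine's Routing page: prefix -> tunnel interface.
# The tunnel interface labels are constructed.
ROUTES = {n: "tunnel-1" for n in AZURE_PROD}
ROUTES.update({n: "tunnel-2" for n in AZURE_TEST})

# Access rules in policy order (first match wins); ports=None means any service.
# The "specific protocol" allowed to production is assumed to be HTTPS (443).
# There is deliberately no rule from Azure to on-prem, so it falls to the default.
RULES = [
    (ONPREM, AZURE_PROD, {443}, "allow"),
    (ONPREM, AZURE_TEST, None, "allow"),
]


def overlapping_routes():
    """Return pairs of route prefixes that overlap; tunnel routes should not."""
    return [(a, b) for a, b in combinations(ROUTES, 2) if a.overlaps(b)]


def select_tunnel(dst: str) -> Optional[str]:
    """Longest-prefix match: which tunnel interface carries traffic to dst."""
    ip = ipaddress.ip_address(dst)
    matches = [n for n in ROUTES if ip in n]
    if not matches:
        return None
    return ROUTES[max(matches, key=lambda n: n.prefixlen)]


def evaluate(src: str, dst: str, dport: int) -> str:
    """Apply the access rules top-down; anything unmatched is discarded."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for srcs, dsts, ports, action in RULES:
        if any(s in n for n in srcs) and any(d in n for n in dsts) \
                and (ports is None or dport in ports):
            return action
    return "discard"
```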
Once everything has been configured on the Secure SD-WAN Manager and Engine side, you need to configure the Route-Based VPN and related definitions in your Azure environment. For detailed Azure configuration instructions, refer to the Azure Documentation.
When the Azure configuration has been deployed, verify that traffic is allowed and working through each tunnel. The log should show the connections as allowed. The SD-WAN SAs monitoring view (right-click the Secure SD-WAN Engine > Monitoring > SD-WAN SAs) should show IKE and IPsec SAs established with each Azure gateway after traffic through the tunnel has been generated.
If the VPN negotiation fails or traffic does not work, see the NGFW Site-to-Site VPN Troubleshooting Guide for guidance on how to troubleshoot VPN issues.
Keywords: Next Generation Firewall; site-to-site VPN; Route-Based VPN; Microsoft Azure; configuration example