Cisco Firepower and Firebox Policy-Based BOVPN Integration Guide

This integration guide describes how to configure a policy-based Branch Office VPN (BOVPN) between a WatchGuard Firebox and a Cisco Firepower 1010E Threat Defense.

Contents

Integration Summary

The hardware and software used in this guide include:

  • Firebox with Fireware v12.11.2 or higher

  • Firepower 1010E Threat Defense v7.4.2.2-28 or higher

Topology

This diagram shows the topology for a BOVPN connection between a Firebox and a Firepower 1010E.

Topology diagram

Before You Begin

Before you begin these procedures, make sure that:

  • If you want to use a cloud-managed Firebox, you have a WatchGuard Cloud account and have added the Firebox to WatchGuard Cloud as a cloud-managed device. You also have configured an external network with the external (public) IP address of the Firebox and at least one internal network on the Firebox.
  • If you want to use a locally-managed Firebox, you have configured an external interface with the external (public) IP address of the Firebox and at least one internal network on the Firebox.
  • You have configured the internal network objects for the Firebox and Firepower in the Firepower 1010E web UI. In this guide, we use the Network_under_Firebox and Network_Under_Firepower network objects.
  • You have configured an internal and external interface in the Firepower 1010E web UI. In this guide, we use the external ethernet1/1 and internal ethernet1/2 interfaces. For more information about how to configure interfaces, go to the Cisco Firepower official documentation.

Configure the Firebox

You can configure your Firebox for a policy-based BOVPN from WatchGuard Cloud for a cloud-managed Firebox or Fireware Web UI for a locally-managed Firebox.

  1. Log in to WatchGuard Cloud.
    If you log in with a Service Provider account, you must select a Subscriber account from the Account Manager.
  2. Select Configure > VPNs.
  3. Click Add BOVPN.
    The Add BOVPN page opens.

    4. Screenshot of the BOVPN settings

  4. In the Name text box, type a descriptive name for the BOVPN. In this example, we type policy-based vpn.
  5. From the VPN Connection Type drop-down list, select Policy-Based IPSec to Locally-Managed Firebox / Third-Party.
  6. From the Address Family drop-down list, select IPv4 Addresses.
  7. In the Endpoint A section, select your cloud-managed Firebox.
  8. In the Endpoint B section, in the Endpoint Name text box, type a name to identify the remote VPN endpoint. In our example, we type Firepower.
  9. Click Next.
    The VPN Gateway settings page opens.

    10. Screenshot of the VPN Gateway settings

  10. For your cloud-managed Firebox:
    1. Select External.
    2. From the IP or Domain Name or User on Domain text box, select an IP address, domain name, or user on domain that resolves to the Firebox external network IP address.
  11. For the remote VPN endpoint, in the IP or Domain Name or User on Domain text box, type the IP address of your Firepower firewall WAN connection.
  12. To encrypt and decrypt the data goes through the VPN tunnel, in the Pre-Shared Key text box, type a pre-shared key. This pre-shared key matches the pre-shared key you will configure for the Firepower IPSec VPN Phase 1 settings.
  13. Click Next.
    The Traffic settings page opens.

    14. Screenshot of the Traffic settings

  14. For your cloud-managed Firebox, select the internal network that you want to be accessible through the VPN tunnel.
  15. For the Firepower endpoint, click Add Network Resource.
  16. In the Network Resource text box, type the IP address of the private network protected by the Firepower firewall. In our example, we type 192.168.13.0/24.
  17. Click Add.
  18. Keep the default values for all other settings.
  19. Click Next.
    The Tunnel Routes page opens.

    20. Screenshot of WGC, WGC Tunnel Routes

  20. Keep the default values for all other settings.
  21. Click Next.
    The Security settings page opens.

    22. Screenshot of WGC, WGC phase 1 and phase 2 settings

  22. In the Phase 1 Settings section
    1. From the Authentication drop-down list, select SHA2-256.
    2. From the Encryption drop-down list, select AES-CBC (256-bit).
    3. In the SA Life text box, type 24.
    4. From the Diffie-Hellman Group drop-down list, select Diffie-Hellman Group14.
  23. In the Phase 2 Settings section:
    1. From the Authentication drop-down list, select SHA2-256.
    2. From the Encryption drop-down list, select AES-CBC (256-bit).
    3. Select the Use Perfect Forward Secrecy (PFS) check box.
    4. From the PFS Group drop-down list, select Diffie-Hellman Group14.
  24. Keep the default values for all other settings.
  25. Click Add.
  26. (Optional) To open the VPN Configuration Summary page for the cloud-managed Firebox, click View Guide.
  27. Click Finish.
    WatchGuard Cloud creates and deploys a configuration update for the cloud-managed Firebox.
  1. Log in to Fireware Web UI at https://<your Firebox IP address>:8080.
  2. Select VPN > Branch Office VPN.
    The Branch Office VPN configuration page opens.
  3. In the Gateways section, click Add.
    The Add page opens.

    4. Screen shot of the general BOVPN settings

  4. In the Gateway Name text box, type a name to identify this BOVPN gateway. In this example, we type gateway.1.
  5. From the Address Family drop-down list, select IPv4 Addresses.
  6. In the Credential Method section:
    1. Select Use Pre-Shared Keyand in the adjacent text box, type the pre-shared key.
    2. From the drop-down list, select String-Based.
  7. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box opens.

    8. Screen shot of the gateway endpoint settings

  8. From the External Interface drop-down list, select the interface that has the external (public) IP address of the Firebox.
  9. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
    The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
  10. For Specify the Gateway ID for Tunnel Authentication, select By IP Address.
  11. In the adjacent text box, type the primary IP address of the external Firebox interface. In this example, we type 203.0.113.2.
  12. Select the Remote Gateway tab.
    The Remote Gateway page opens.

    13. Screen shot of the complete gateway endpoint configuration

  13. For Specify the Remote Gateway IP Address for a Tunnel, select Static IP Address.
  14. In the adjacent text box, type the IP address of your Firepower WAN connection. In this example, we type 198.51.100.2.
  15. For Specify the Remote Gateway ID for Tunnel Authentication, select By IP Address.
  16. In the adjacent text box, type the IP address of your Firepower WAN connection. In this example, we type 198.51.100.2.
  17. Keep the default values for all other settings.
  18. Click OK.
    The gateway endpoint you added appears in the Gateway Endpoint section.

    19. Screen shot of the completed general settings configuration

  19. In the Gateway Endpoint section, select the Start Phase 1 Tunnel When Firebox Starts check box.
  20. Select the Phase 1 Settings tab.
    The Phase 1 Settings page opens.

    21. Screen shot of the Phase 1 settings

  21. From the Version drop-down list, select IKEv2.
  22. Keep the default values for all other Phase 1 settings.
  23. Click Save.
    The gateway you added appears on the list of gateways.

    24. Screen shot of the Gateways and Tunnels lists

  24. In the Tunnels section, click Add.
    The tunnel settings page opens.

    25. Screen shot of the Addresses settings

  25. In the Name text box, type a name to identify the tunnel. In this example, we type tunnel.1.
  26. From the Gateway drop-down list, select the gateway that you configured. In this example, we select gateway.1.
  27. In the Addresses section, click Add.
    The Tunnel Route Settings page opens.

    28. Screen shot of the tunnel route settings

  28. In the Local IP section:
    1. From the Choose Type drop-down list, select Network IPv4.
    2. In the Network IP text box, type the local IP segment. This is the local network protected by the Firebox. In this example, we type 192.168.35.0.
  29. In the Remote IP section:
    1. From the Choose Type drop-down list, select Network IPv4.
    2. In the Network IP text box, type the remote IP segment. This is the local network protected by the Firepower. In this example, we type 192.168.13.0.
  30. Click OK.

    31. Screen shot of the Phase 2 settings

  31. Keep the default values for all Phase 2 settings.
  32. Click Save.

Configure the Firepower 1010E

To configure the Firepower 1010E, complete these steps:

  1. Configure an IPSec VPN Tunnel for the Firepower 1010E
  2. Configure Policies for the Firepower 1010E
  3. Deploy the Configuration for the Firepower 1010E

Configure an IPSec VPN Tunnel for the Firepower 1010E

To configure an IPSec VPN tunnel for the Firepower 1010E:

  1. Log in to the Firepower Web UI at: https://<Management IP address of the Firepower>
  2. Select Device: [Firepower device name].
  3. In the Site-to-Site VPN section, click View Configuration.
    The Site-to-Site VPN page opens.
  4. Click Create Site-to-Site Connection.
    The Define Endpoints page opens.

    5. Screenshot of the Define Endpoints settings

  5. In the Connection Profile Name text box, type a descriptive name for the VPN. In our example, we type Policy-Based_IPSec.
  6. For Type, select Policy Based.
  7. From the Local VPN Access Interfaces drop-list, select the external interface you configured for the Firepower. In our example, we select external (Ethernet1/1).
  8. From the Local Network drop-list, select the internal network you configured for the Firepower. In our example, we select Network_Under_Firepower.
  9. In the Remote Site section, select Static.
  10. In the Remote IP Address text box, type the public IP address for your Firebox. In our example, we type 203.0.113.2.
  11. From the Remote Network drop-list, select the network object you configured for your Firebox. For our example, we select Network_Under_Firebox.
  12. Click Next.
    The Privacy Configuration page opens.
  13. Enable IKE Version 2.
  14. In the IKE Policy section, click Edit > Create New IKE Policy.
    The IKE v2 Policy configuration dialog box opens.

    15. Screenshot of the IKE v2 Policy configuration dialog box

  15. In the Priority text box, type the priority number for the IKE v2 policy. In our example, we type 1.
  16. In the Name text box, type a descriptive name for the IKE v2 policy. In our example, we type IKE_to_Firebox.
  17. Enable State.
  18. From the Encryption drop-down list, select AES 256.
  19. From the Diffie-Hellman Group drop-down list, select 14.
  20. From the Integrity Hash drop-down list, select SHA256.
  21. From the Pseudo Random Function (PRF) Hash drop-down list, select SHA256.
  22. In the Lifetime (Seconds) text box, type 86400.
  23. Click OK.
    The IKE v2 policy you created appears in the list of policies.
  24. Disable any other IKE v2 policies in the list.

    25. Screenshot of the list of IKE v2 policies

  25. Click OK.
    The Select IPSec Proposals dialog box opens.

    26. Screenshot of the Select IPSec Proposals dialog box

  26. To create a new IPSec proposal, select Edit > Add IPSec Proposals > Create New IPSec Proposal.
    The IKE v2 IPSec Proposal configuration dialog box opens.
  27. In the Name text box, type a descriptive name for the proposal. In our example, we type IKE_to_Firebox_Proposal.
  28. From the Encryption drop-down list, select AES 256.
  29. From the Integrity Hash drop-down list, select SHA256.
  30. Click OK.
  31. Select the IKE v2 proposal you created in the previous steps.
  32. Click OK.

    33. Screenshot of the list of IPSec Proposals

  33. Click OK.
    The Privacy Configuration page opens.

    34. Screenshot of the Privacy Configuration page

  34. For Authentication Type, select Pre-Shared Manual Key.
  35. In the Local Pre-Shared Key text box, type the same pre-shared key you configured for the Firebox.
  36. In the Remote Peer Pre-Shared Key text box, type the same pre-shared key you configured for the Firebox.
  37. In the Lifetime Duration text box, type 86400.
  38. In the Additional Options section, from the Diffie-Hellman Group for Perfect Forward Secrecy drop-down list, select 14.
  39. From the NAT Exempt drop-down list, select the interface to be protected by the VPN tunnel. In our example, we select internal (Ethernet 1/2).
  40. Click Next.
    The Summary page opens.
  41. Verify the configurations on this page, then click Finish.
    The VPN is created successfully.

Configure Policies for the Firepower 1010E

To configure policies for the Firepower 1010E:

  1. Log in to the Firepower Web UI at: https://<Management IP address of the Firepower>.
  2. Select Policies.
    The Policy Configuration page opens.
  3. Click Create Access Rule.
    The Add Access Rule dialog box opens.

    4. Screenshot of the Add Access Rule dialog box

  4. In the Title text box, type a descriptive name for this policy. In our example, we type IPSec_AllowIPSec_Allow.
  5. From the Action drop-down list, select Allow.
  6. In the Source section, from the Networks drop-down list, select the internal network you configured for the Firepower. In our example, we select Network_Under_Firepower.
  7. In the Destination section, from the Networks drop-down list, select the internal network you configured for the Firebox. In our example, we select Network_Under_Firebox.
  8. Click OK.

Deploy the Configuration for the Firepower 1010E

To deploy the Firepower 1010E configuration:

  1. Log in to the Firepower Web UI at: https://<Management IP address of the Firepower>.
  2. Select Deployment.
  3. Click Deploy Now.
  4. Click OK.
    It might take several minutes to complete the deployment.

Test the Integration

  1. Log in to WatchGuard Cloud.
    If you log in with a Service Provider account, you must select a Subscriber account from the Account Manager.
  2. Select the cloud-managed Firebox.
  3. Select Monitor > Live Status > VPN > Branch Office VPN.

    Screenshot of VPN live status on WatchGuard Cloud

  4. Verify that the VPN tunnels are active.
  1. Log in to Fireware Web UI at: https://<your Firebox IP address>:8080.
  2. Select System Status > VPN Statistics.
    The VPN Statistics page opens.
  3. Select the Branch Office VPN tab.
    The Branch Office VPN page opens.

    Screenshot of BOVPN statistics

  4. In the Tunnels section, verify that the VPN tunnels are active.