Applies To: Cloud-managed Fireboxes
To configure a BOVPN between two cloud-managed Fireboxes in the same WatchGuard Cloud account, you create a shared BOVPN configuration. When you add or update a BOVPN between two cloud-managed Fireboxes, the BOVPN configuration settings automatically deploy for both Fireboxes to download.
To configure a BOVPN between cloud-managed Fireboxes that are not in the same WatchGuard Cloud account, you must configure the BOVPN separately for each Firebox. For more information, see Configure a BOVPN to a Locally-Managed Firebox or Third-Party VPN Endpoint.
When you add a BOVPN between two cloud-managed Fireboxes, you configure:
- VPN Gateways — The external networks the two device use to connect
- Network Resources — The networks that can send and receive traffic through the tunnel
- Virtual IP Address — (optional) Required if you want to add the BOVPN to an SD-WAN action
All VPN security settings are configured with the same settings automatically so that the devices can establish a connection.
BOVPNs and Routing
In the BOVPN configuration, you specify what network resources are accessible through the tunnel. The resources you select for one endpoint become static routes on the other VPN endpoint, with the BOVPN as the gateway. The metric you specify for each resource appears in the routing table. The Firebox uses the routing table to determine whether to send traffic through the BOVPN tunnel.
You cannot specify network resources for both endpoints in the same subnet. This means you cannot route traffic through a BOVPN tunnel between private networks that use the same IP address range.
If you add a zero route BOVPN network resource (0.0.0.0/0), this creates a default route that sends all network traffic (including the traffic to WatchGuard Cloud) through the VPN tunnel.
If you add a zero route BOVPN network resource, and the remote VPN endpoint cannot route traffic from the cloud-managed Firebox to WatchGuard Cloud, you lose the ability to manage or monitor the Firebox.
BOVPNs and Automatic Deployment
When you add, edit, or remove a BOVPN, WatchGuard Cloud automatically creates a new deployment for both Fireboxes to download. For each Firebox, the automatic deployment contains updated BOVPN settings. To make sure that the automatic deployment contains only BOVPN configuration changes, you cannot save BOVPN changes if either device has other undeployed configuration changes.
Before you add, edit, or remove a BOVPN for two Fireboxes in the same account, make sure that neither Firebox has undeployed changes.
Add a BOVPN Between Cloud-Managed Fireboxes in the Same Account
You can add a BOVPN from the BOVPN page for a specific Firebox, or you can add it from the VPNs page, which is shared configuration page. For more information, see Manage BOVPNs for Cloud-Managed Fireboxes.
To add a BOVPN, from WatchGuard Cloud:
- To open the BOVPN page, use one of these methods:
- To manage BOVPNs for all Fireboxes in the currently selected account, select Configure > VPNs
- To manage BOVPNs for a specific Firebox, on the Device Configuration page, click the Branch Office VPN tile.
- From either BOVPN page, click the Branch Office VPN tile.
The BOVPN page shows currently configured BOVPNs.
- Click Add BOVPN.
The Add BOVPN page opens.
- In the Name text box, type a name for this BOVPN.
- Select the option to connect to a WatchGuard cloud-managed Firebox.
With this option, both Endpoint A and Endpoint B sections contain a list of Fireboxes.
- In the Endpoint A section, select a cloud-managed Firebox in your account.
If you added the BOVPN from a Device Configuration page, the Endpoint A list contains only one Firebox.
- In the Endpoint B section, select another cloud-managed Firebox in this account.
The Endpoint B list shows all cloud-managed Fireboxes in the same account.
- Click Next.
The VPN Gateways page shows a list of external networks on each Firebox.
- For each endpoint, select at least one external network the endpoints use to connect.
- For each network you select, specify the IP address or a domain name that resolves to the Firebox external network IP address.
- If you select more than one network for an endpoint, the Order determines which network is primary. To change the network order, click the move handle for a network and drag it higher or lower in the list.
- Click Next.
The Traffic settings page shows the internal and guest networks configured on each device.
- For each endpoint, select internal or guest networks that can send and receive traffic through this tunnel.
- To specify a network resource other than internal or guest networks:
- Click Add Network Resource.
- In the Network Resource text box, type the network IP address and netmask.Tip!
- In the Metric text box, you can edit the metric. The default is 1.
- Click Add.
The network resource is added to the Traffic settings for the endpoint.
- (Optional) For each endpoint, in the Virtual IP Address text box, type an IP address.
We recommend you specify an IP address in a private network IP address range that is not used for routing on either endpoint.
You must specify virtual IP addresses before you can add this BOVPN to an SD-WAN action. To use this in an SD-WAN action, specify a host IP address with a /32 netmask.
- Click Save.
The BOVPN changes are deployed automatically for both Fireboxes to download. The BOVPN deployment is added to the Deployment History for both Fireboxes.
Edit or Delete a BOVPN
You can edit or delete a BOVPN from the BOVPN page. For information, see Manage BOVPNs for Cloud-Managed Fireboxes.