SSL/TLS Settings Precedence and Inheritance

Several Firebox features use SSL/TLS for secure communication. In order of precedence from highest to lowest, those features are:

  • Management Tunnel over SSL on hub devices
  • BOVPN over TLS in Server mode
  • Mobile VPN with SSL
  • Access Portal

Features with lower precedence inherit some SSL/TLS settings from enabled features with higher precedence. The shared settings are not configurable for the features with lower precedence.

When you enable more than one of these features, informational messages appear that explain some settings are inherited from another feature.

Shared Policy

When you enable Management Tunnel over SSL, BOVPN over TLS, Mobile VPN with SSL, or the Access Portal, the WatchGuard SSLVPN policy is created automatically. All of these features share the WatchGuard SSLVPN policy.

In Fireware v12.1 or higher, by default, the WatchGuard SSLVPN policy includes only the Any-External interface.

We recommend that you keep the WatchGuard SSLVPN policy in your configuration. In Fireware v12.1 or higher, if you delete the WatchGuard SSLVPN policy and create a custom policy with a different name, Mobile VPN with SSL does not function if the Data Channel protocol is configured for TCP.

In Fireware v12.1.x, the WatchGuard SSLVPN policy includes the WG-VPN-Portal alias. If you upgrade from v12.1.x to v12.2 or higher, the WG-VPN-Portal alias is removed from the WatchGuard SSLVPN policy. Interfaces that appeared in the WG-VPN-Portal alias appear in the WatchGuard SSLVPN policy, which means the policy matches the same traffic. For more information, go to WatchGuard SSLVPN policy changes and the WG-VPN-Portal alias in Fireware v12.1.x in the WatchGuard Knowledge Base.

Example Configurations

The example configurations in this topic show how settings for these features are related and how the WatchGuard SSLVPN policy is affected. These examples also show the messages that appear when a feature takes precedence over another feature.

In Fireware v12.1.x, settings shared by the Access Portal and Mobile VPN over SSL appear on a page named VPN Portal. The Configuration Data Channel for Mobile VPN with SSL was renamed as the VPN Portal port and appears in the VPN Portal settings. In Fireware v12.2, the VPN Portal settings moved to the Access Portal and Mobile VPN with SSL configurations. For configuration instructions that apply to Fireware v12.1.x, go to Configure the VPN Portal settings in Fireware v12.1.x in the WatchGuard Knowledge Base.

Related Topics

Configure Management Tunnels

Configure BOVPN over TLS in Server Mode

Manually Configure the Firebox for Mobile VPN with SSL

Configure the Access Portal