About Global VPN Settings

From Fireware XTM Web UI, you can select settings that apply to manual BOVPN tunnels, BOVPN virtual interfaces, managed BOVPN tunnels, and Mobile VPN with IPSec tunnels.

  1. Select VPN > Global Settings.
    The Global VPN Settings page appears.

Screen shot of the Global VPN Settings page

  2. Configure the settings for your VPN tunnels, as explained in the subsequent sections.

Enable Outbound IPSec Pass-through

For a Mobile VPN with IPSec user on the trusted or optional network to make outbound IPSec connections to a Firebox or XTM device located behind a different XTM device, you must select the Add a policy to enable outbound IPSec pass-through check box. For example, if mobile employees are at a customer location that has a Firebox or XTM device, they can use IPSec to make a VPN connection to their network. For the Firebox or XTM device at the customer location to allow the outgoing IPSec connection, you must add an IPSec policy to the configuration.

When you enable IPSec pass-through, a policy called WatchGuard IPSec is automatically added to the configuration. The policy allows traffic from any trusted or optional network to any destination. When you disable IPSec pass-through, the WatchGuard IPSec policy is automatically deleted.

To enable inbound IPSec pass through, you must clear the Enable built-in IPSec policy check box, and create IPSec policies to handle inbound VPN traffic to the XTM device and any other VPN endpoints. For more information, see Configure Inbound IPSec Pass-through with SNAT.

Enable TOS for IPSec

Type of Service (TOS) is a set of four-bit flags in the IP header that can tell routing devices to give an IP datagram more or less priority than other datagrams. Fireware XTM gives you the option to allow IPSec tunnels to clear or maintain the settings on packets that have TOS flags. Some ISPs drop all packets that have TOS flags.

If you do not select the Enable TOS for IPSec check box, no IPSec packets carry TOS flags. If the TOS flags were set on the original packet, they are removed when Fireware XTM encapsulates the packet in an IPSec header.

When the Enable TOS for IPSec check box is selected and the original packet has TOS flags, Fireware XTM keeps the TOS flags set when it encapsulates the packet in an IPSec header. If the original packet does not have the TOS flags set, Fireware XTM does not set the TOS flag when it encapsulates the packet in an IPSec header.

Make sure to carefully consider whether to select this check box if you want to apply QoS marking to IPSec traffic. QoS marking can change the setting of the TOS flag. For more information on QoS marking, see About QoS Marking.

Enable the Use of Non-Default (Static or Dynamic) Routes to Determine if IPSec is Used

This option applies only to traffic through a BOVPN that is not a BOVPN virtual interface.

When this option is not enabled, all packets that match the tunnel route specified in the IPSec gateway are sent through the IPSec branch office VPN. If this option is enabled, the XTM device uses the routing table to determine whether to send the packet through the IPSec VPN tunnel.

If a default route is used to route a packet

The packet is encrypted and sent through the VPN tunnel, to the interface specified in the VPN gateway configuration.

If a non-default route is used to route a packet

The packet is routed to the interface specified in the non-default route in the routing table. When a non-default route is used, the decision about whether to send the packet through the IPSec VPN tunnel depends on the interface specified in the routing table. If the interface in the non-default route matches the interface in the BOVPN gateway, the packet goes through the BOVPN tunnel configured for that interface. For example, if the BOVPN gateway interface is set to Eth0, and the matched non-default route uses Eth1 as the interface, the packet is not sent through the BOVPN tunnel. However, if the matched non-default route uses Eth0 as the interface, the packet is sent through the BOVPN tunnel.

This feature works with any non-default route (static or dynamic). You can use this feature in conjunction with dynamic routing to enable dynamic network failover from a private network route to an encrypted IPSec VPN tunnel.

For example, consider an organization that sends traffic between two networks, Site A and Site B. They use a dynamic routing protocol to send traffic between the two sites over a private network connection, with no VPN required. The private network is connected to the Eth1 interface of each device. They have also configured a BOVPN tunnel between the two sites to send BOVPN traffic over the local Internet connection, over the Eth0 interface of each device. They want to send traffic over the BOVPN tunnel only if the private network connection is not available.

If they select the Enable the use of non-default (static or dynamic) routes to determine if IPSec is used check box in the Global VPN Settings, the XTM device sends traffic over the private network if a dynamic route to that network is present over the Eth1 interface. Otherwise, it sends traffic over the encrypted IPSec BOVPN tunnel on the Eth0 interface.

For more information about how to use this setting, see Configure a Branch Office VPN for Failover from a Leased Line.

Disable or Enable the Built-in IPSec Policy

The XTM device includes a built-in IPSec policy that allows IPSec traffic from Any-External to Firebox. This hidden policy enables the XTM device to function as an IPSec VPN endpoint for Branch Office VPN and Mobile VPN with IPSec tunnels. The built-in IPSec policy has a higher precedence than any manually created IPSec policy. The built-in IPSec policy is enabled by default. To disable this policy, clear the Enable built-in IPSec Policy check box. Do not disable the built-in policy unless you want to create another IPSec policy to terminate a VPN tunnel at a device other than the XTM device, such as a VPN concentrator on the XTM device's trusted or optional network.

If you clear the Enable built-in IPSec Policy check box, you must create IPSec policies to handle inbound VPN traffic to the XTM device and any other VPN endpoints. For more information, see Configure Inbound IPSec Pass-through with SNAT.

Remove VPN Routes for a BOVPN Virtual Interface

You can choose whether you want the XTM device to automatically remove the static VPN routes configured for a BOVPN virtual interface from the Routes:Main table when the BOVPN virtual interface is down. This controls whether the XTM device can use the default route for packets that match these routes if the BOVPN virtual interface is down.

Select the Remove VPN routes when the tunnel for a BOVPN virtual interface is down check box if you want to automatically remove static routes for the BOVPN virtual interface from the routing table when the BOVPN virtual interface is down. If the destination IP address of a packet does not match any routes in the routing table, the XTM device sends it through the default route, which could be an unencrypted connection. If you select this check box, you must do one of two things to make sure that the VPN routes for a BOVPN virtual interface are added to the routes table when the tunnel is available. You can either enable policy-based routing for the BOVPN virtual interface, or, in the BOVPN virtual interface settings, select the Start Phase1 tunnel when it is inactive check box. This is selected by default when you configure the BOVPN virtual interface.

Clear the Remove VPN routes when the tunnel for a BOVPN virtual interface is down check box if you want to keep the route in the routing table when the BOVPN virtual interface is down. This is the default setting. When a BOVPN virtual interface is down, the metric for the routes that use it is automatically changed to a large number, so that they have lower priority than other routes. Because the route remains in the routing table, packets that match this route are not sent through the default route when the BOVPN virtual interface is down.

Regardless of this setting, if there is an alternate route for a packet to take when the BOVPN virtual interface is down, the XTM device sends the packet through the alternate route rather than the default route.
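The two route-selection behaviours described above (the non-default-route check for manual BOVPN tunnels, and the remove-versus-raise-metric choice for a BOVPN virtual interface) modelled as an added example. This is constructed illustration code, not WatchGuard's implementation: the route table, interface names (eth0, eth1, eth2, bovpn.1), the tie-break rule and the DOWN_METRIC value are assumptions made here to show why a removed route can fall through to an unencrypted default route while a raised-metric route cannot.

```python
from dataclasses import dataclass, replace
import ipaddress

# Constructed model of Fireware XTM route selection (not WatchGuard code).
@dataclass(frozen=True)
class Route:
    prefix: str           # destination network, e.g. "10.2.0.0/16"
    iface: str            # outgoing interface (eth0, eth1, bovpn.1, ...)
    metric: int = 1
    kind: str = "static"  # "default", "static", "dynamic" or "vif"

DOWN_METRIC = 9999  # assumed stand-in for the "large number" the text mentions

def lookup(routes, dst):
    """Longest-prefix match; ties go to the lowest metric (assumed tie-break)."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in ipaddress.ip_network(r.prefix)]
    if not hits:
        return None
    return max(hits, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.metric))

def use_ipsec(routes, dst, tunnel_route, gw_iface, non_default_routes_enabled):
    """Does a packet to dst go through a manual BOVPN tunnel (not a virtual interface)?"""
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(tunnel_route):
        return False                 # not tunnel traffic at all
    if not non_default_routes_enabled:
        return True                  # every match on the tunnel route is encrypted
    r = lookup(routes, dst)
    if r is None or r.kind == "default":
        return True                  # default route: encrypt, send out the gateway interface
    return r.iface == gw_iface       # non-default route: tunnel only if its interface matches

def vif_down(routes, vif, remove_routes):
    """Routing table after BOVPN virtual interface `vif` goes down, per the global setting."""
    if remove_routes:
        return [r for r in routes if r.iface != vif]           # check box selected
    return [replace(r, metric=DOWN_METRIC) if r.iface == vif else r for r in routes]

# Site A from the failover example in the text (constructed table)
SITE_A = [Route("0.0.0.0/0", "eth0", kind="default"),
          Route("10.2.0.0/16", "eth1", kind="dynamic")]   # private line, learned dynamically

# Virtual-interface table: tunnel route plus a higher-metric alternate (constructed)
VIF = [Route("0.0.0.0/0", "eth0", kind="default"),
       Route("10.3.0.0/16", "bovpn.1", kind="vif"),
       Route("10.3.0.0/16", "eth2", metric=5)]
```

With the dynamic route on eth1 present, Site A traffic stays on the private line; drop that route and the same packet is encrypted over eth0. For the virtual interface, both settings prefer the eth2 alternate, but without an alternate only the remove-routes setting sends 10.3.x traffic through the default route.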

Enable LDAP Server for Certificate Verification

When you create a VPN gateway, you specify a credential method for the two VPN endpoints to use when the tunnel is created. If you choose to use an IPSec XTM device certificate, you can identify an LDAP server that validates the certificate. Type the IP address for the LDAP server. You can also specify a port if you want to use a port other than 389.

BOVPN Notification

In the BOVPN Notification section, you can configure the XTM device to send a notification when a BOVPN tunnel is down.

For information about the notification options, see Set Logging and Notification Preferences.

BOVPN notification settings do not apply to Mobile VPN with IPSec tunnels.

See Also

About Manual Branch Office VPN Tunnels
