Policy Based VPN To Azure
Policy-Based VPN
Between Azure and a
Forcepoint NGFW
TECHNICAL DOCUMENT
Table of Contents
Introduction
Deployment Scenario
Configuration Overview
Technical Document 1
Introduction
The purpose of this document is to describe the configuration steps needed on the Forcepoint Security
Management Center (SMC) to set up a policy-based VPN between a Forcepoint Next Generation Firewall
and Azure.
Versions used:
Management Server: 6.0.1
Security Engine: 6.0.1
DEPLOYMENT SCENARIO
Deployment diagram (figure; only the addresses survived extraction):
Production Site: 104.40.176.167, 5.196.241.117, 192.168.11.0/24, 192.168.252.0/24
Test Environment: 5.196.241.117, 192.168.166.0/24
In this environment, two internal networks behind the firewall are connected to the Azure cloud. On the
Azure side there are two separate sites, Production and Test, each with its own VPN gateway end-point,
so this is a complete two-site setup.
This scenario uses a policy-based VPN. If you are looking for a route-based VPN how-to guide, do not
use this document.
Configuration Overview
The general workflow for configuring the policy-based VPN to Azure has two parts. The first part,
described here, is the firewall configuration. The second part is done in the Azure portal; refer to the
Azure documentation if you need details on that side.
1. Configure the end-points and sites in the VPN section of the firewall properties
2. Create the correct VPN profile
3. Create the VPN and include the end-points
4. Create the appropriate rules in your own policy
To start, edit the firewall element, open the VPN section and go to the End-Point part.
There, select the IP address that will terminate the tunnel and edit it to configure the type of VPN you
want.
In this case we selected IPsec, since that is the only type used for Azure.
Click OK and save the edited firewall properties.
With the end-point ready, move on to the Sites section. The default site can be used; it includes all the
firewall's network interfaces except the one used to encrypt the traffic.
In this case we created a specific site that includes the two internal networks on the firewall side.
The local end-point has been created. Because this is a site-to-site VPN, an external end-point must also
be created; it holds the Azure parameters defined in the Azure portal.
Open the VPN section, select VPN Gateways and create a new External VPN Gateway.
Set the correct name and go to the End-Points tab.
On the End-Points tab, add a new end-point with the IP address provided by Azure:
Do not forget to enable the end-point once it is created.
We also need to define the site for the remote end-point so that the correct SAs are generated. In this
case we created a new site called Azure Cloud Remote Networks and added the remote networks to it.
As many end-points as needed can be added to the same VPN; here we did it once more for a
pre-production environment, as shown.
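The local and remote sites are what a policy-based VPN turns into IPsec SAs: each (local network, remote network) pair becomes one traffic selector, and a packet that matches no selector is simply not VPN traffic. The following is an added example, not Forcepoint code, that models that derivation and the effect of the VPN's NAT option. The local networks mirror the lab in this document (192.168.11.0/24, 192.168.252.0/24, and 192.168.166.0/24 for the test environment); the Azure-side prefixes and the NAT rule are constructed assumptions.

```python
"""Added example, not Forcepoint code: how a policy-based VPN derives its
IPsec SAs (traffic selectors) from the local and remote sites, why a network
left out of a site never enters the tunnel, and what the VPN NAT option
changes. The local networks mirror the document's lab; the Azure networks
and the NAT rule are constructed assumptions."""

import ipaddress
from itertools import product


def build_selectors(local_site, remote_site):
    """One traffic selector per (local network, remote network) pair; a
    policy-based peer negotiates one phase 2 SA pair for each of them."""
    return [(ipaddress.ip_network(local), ipaddress.ip_network(remote))
            for local, remote in product(local_site, remote_site)]


def match_selector(selectors, src, dst):
    """Return the selector covering src -> dst, or None if the packet is
    not VPN traffic for this tunnel."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in selectors:
        if src_ip in local and dst_ip in remote:
            return (local, remote)
    return None


def classify(selectors, src, dst, nat_rules=(), vpn_nat_enabled=False):
    """Decide whether a packet enters the tunnel.

    nat_rules is a list of (source network, translated source address).
    With the VPN's NAT option disabled the rules are ignored for VPN
    traffic, so the original source must belong to the local site; with it
    enabled the translated source is what has to match.
    """
    src_ip = ipaddress.ip_address(src)
    if vpn_nat_enabled:
        for net, translated in nat_rules:
            if src_ip in ipaddress.ip_network(net):
                src_ip = ipaddress.ip_address(translated)
                break
    selector = match_selector(selectors, str(src_ip), dst)
    return {
        "source": str(src_ip),
        "selector": None if selector is None
        else (str(selector[0]), str(selector[1])),
    }


# Site definitions. Azure-side prefixes are assumptions for the example.
LOCAL_SITE = ["192.168.11.0/24", "192.168.252.0/24"]
AZURE_PROD_SITE = ["10.10.0.0/16"]
TEST_LOCAL_SITE = ["192.168.166.0/24"]
AZURE_TEST_SITE = ["10.20.0.0/16"]

# Constructed source NAT rule: hide the test network behind a production
# address before it enters the production tunnel.
NAT_RULES = [("192.168.166.0/24", "192.168.11.254")]

PROD_SELECTORS = build_selectors(LOCAL_SITE, AZURE_PROD_SITE)
TEST_SELECTORS = build_selectors(TEST_LOCAL_SITE, AZURE_TEST_SITE)

if __name__ == "__main__":
    print("production SAs:", [(str(l), str(r)) for l, r in PROD_SELECTORS])
    print("test SAs:", [(str(l), str(r)) for l, r in TEST_SELECTORS])
    # A test host talking to production Azure is outside every selector...
    print(classify(PROD_SELECTORS, "192.168.166.10", "10.10.1.5"))
    # ...unless NAT is enabled on the VPN and a rule maps it into the site.
    print(classify(PROD_SELECTORS, "192.168.166.10", "10.10.1.5",
                   NAT_RULES, vpn_nat_enabled=True))
```

Two things the model makes visible: the production site with two local networks and one Azure network yields two SA pairs, so a remote network missing from the Azure Cloud Remote Networks site produces no SA at all rather than a failing one; and a NAT rule only helps VPN traffic when NAT is enabled on the VPN element, which is the option the VPN properties section below warns about.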
CREATE THE CORRECT VPN PROFILE
An appropriate VPN profile is needed to configure the VPN. The profile defines the settings used to
encrypt and decrypt the traffic. To create a VPN profile, go to VPN, Other Elements, VPN Profiles.
We created a profile following the notes on the Azure support web page:
For the IKE phase (phase 1) we set the parameters as defined there. On the right are the values to use
in the Next Generation Firewall; on the left, the values defined on the Azure web page.
For the IPsec SA phase (phase 2) we set the parameters as defined on the Azure web page.
Note that phase 2 can be problematic in some cases; the symptom is a VPN that keeps disconnecting. In
that case we recommend using a different tunnel lifetime: with 75 minutes we had no issues in the lab.
When creating a new VPN, a dialog box asks for the Name, a Comment, the default VPN profile to use,
and optionally a DSCP QoS policy.
Our VPN properties for this policy-based VPN are set as shown here. Do not forget to enable NAT if you
want to NAT some traffic into the VPN; otherwise NAT rules do not take effect for traffic matching the
VPN rules.
Once the VPN exists, on the first tab, Site-to-Site VPN, drag the correct gateway from the right-hand
panel to the central site, in this case our Training FW. This is the gateway created in the end-point
section.
Once the gateways have been dragged and dropped onto the correct site, as shown, move to the Tunnels
tab, where the pre-shared keys for both VPNs are defined as entered in the Azure portal. Note that the
key must be the same on both sides; otherwise a "no proposal chosen" log will appear.
To do that, right-click the key and edit it.
Finally, selecting both lines at the upper level, it should look like this.
As shown, we have two sections in the same VPN; this way both sites use the same VPN and there is no
need to create separate VPNs. The two sections could also be merged, but firewall best practice is to
keep separate rules for each environment for management purposes.
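The VPN profile section and the Tunnels step above both come down to one question: does every phase 1 and phase 2 attribute on the NGFW side match what the Azure gateway proposes, and do the pre-shared keys agree? The following is an added example, not Forcepoint or Azure code, that models an IKEv1 responder's decision so the "no proposal chosen" failure and the phase 2 lifetime advice become concrete. The Azure-side values are an assumption taken from my reading of Azure's published defaults for policy-based gateways (IKEv1, AES256, SHA1, DH group 2, 28800 s; IPsec AES256, SHA1, no PFS, 3600 s); verify them against the current Azure documentation before relying on them.

```python
"""Added example, not Forcepoint or Azure code: a model of how an IKEv1
policy-based peer accepts or rejects a VPN profile. The Azure-side values
are an assumption (my reading of Azure's documented policy-based defaults)
and must be checked against the current Azure documentation."""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proposal:
    encryption: str          # e.g. "aes256"
    integrity: str           # e.g. "sha1"
    dh_group: Optional[int]  # IKE: DH group; IPsec: PFS group, None = no PFS
    lifetime_s: int          # SA lifetime in seconds


@dataclass(frozen=True)
class VpnProfile:
    name: str
    ike: Proposal
    ipsec: Proposal
    psk: str


def negotiate(local: VpnProfile, remote: VpnProfile) -> dict:
    """Compare local and remote proposals phase by phase.

    Transform mismatches are hard errors: an IKEv1 responder answers
    NO_PROPOSAL_CHOSEN. Lifetimes are negotiated per side and may differ,
    so a difference is only a warning, but the document reports tunnel
    drops when phase 2 lifetimes diverge, so it is worth surfacing.
    """
    errors, warnings = [], []
    for phase, l, r in (("IKE phase 1", local.ike, remote.ike),
                        ("IPsec phase 2", local.ipsec, remote.ipsec)):
        for attr in ("encryption", "integrity", "dh_group"):
            lv, rv = getattr(l, attr), getattr(r, attr)
            if lv != rv:
                errors.append(f"{phase}: {attr} local={lv} remote={rv}")
        if l.lifetime_s != r.lifetime_s:
            warnings.append(f"{phase}: lifetime local={l.lifetime_s}s "
                            f"remote={r.lifetime_s}s")
    if errors:
        status = "NO_PROPOSAL_CHOSEN"
    elif local.psk != remote.psk:
        # The pre-shared key is only checked once a proposal is agreed;
        # how the peer reports a key mismatch varies by implementation
        # (the document's lab saw a "no proposal chosen" log for it).
        status = "AUTHENTICATION_FAILED"
    else:
        status = "ESTABLISHED"
    return {"status": status, "errors": errors, "warnings": warnings}


# Assumed Azure policy-based gateway settings (verify against Azure docs).
AZURE_POLICY_BASED = VpnProfile(
    name="Azure policy-based gateway",
    ike=Proposal("aes256", "sha1", 2, 28800),
    ipsec=Proposal("aes256", "sha1", None, 3600),
    psk="constructed-shared-secret",
)

# A matching NGFW profile, with the phase 2 lifetime shortened to 75 minutes
# as the document suggests for tunnels that keep disconnecting.
NGFW_OK = VpnProfile(
    name="NGFW profile (matching)",
    ike=Proposal("aes256", "sha1", 2, 28800),
    ipsec=Proposal("aes256", "sha1", None, 75 * 60),
    psk="constructed-shared-secret",
)

# A profile with PFS enabled on phase 2: a common mismatch against Azure.
NGFW_BAD = VpnProfile(
    name="NGFW profile (PFS on)",
    ike=Proposal("aes256", "sha1", 2, 28800),
    ipsec=Proposal("aes256", "sha1", 2, 3600),
    psk="constructed-shared-secret",
)

if __name__ == "__main__":
    for profile in (NGFW_OK, NGFW_BAD):
        print(profile.name, negotiate(profile, AZURE_POLICY_BASED))
```

The useful habit this encodes is to treat a "no proposal chosen" log as a checklist over encryption, integrity and DH/PFS group for each phase before touching the key, and to read a lifetime difference as a rekey-timing issue rather than a negotiation failure.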
TEST THE ENVIRONMENT
As a final step, install the policy on the firewall, using the Save and Install button at the top right.
Once the policy is installed, generate traffic from both sides as allowed by your policy and check the
logs for errors.