Watchguard Firebox FireboxTM System 4.6 User Manual page 139

Branch office VPN with IPSec
9 Use the Protocol drop list to limit the protocol used by the policy.
Options include: * (specify ports but not protocol), TCP, and UDP.
10 In the Src Port field, enter the local host port.
The local host port number is optional and is the port from which WatchGuard sends all
communication for the policy. To enable communication from all ports, enter 0.
11 Click OK.
The IPSec Configuration dialog box appears listing the newly created policy. Policies are
initially listed in the order in which they were created.
Changing IPSec policy order
WatchGuard handles policies in the order listed, from top to bottom, on the IPSec
configuration dialog box. Initially, the policies are listed in the order created. You
must manually reorder the policies from more specific to less specific to ensure that
sensitive connections are routed along the higher-security tunnels. In general,
WatchGuard recommends the following policy order:
• Host to host
• Host to network
• Network to host
• Network to network
Policies must be set to the same order at both ends of the tunnel. For more
information about IPSec policy order, see the Network Security Handbook.
From the IPSec Configuration dialog box:
• To move a policy up in the list, click the policy. Click Move Up.
• To move a policy down in the list, click the policy. Click Move Down.
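Because the Firebox stops at the first policy that covers a connection, a broad network-to-network policy placed above a host-to-host policy silently takes over the sensitive traffic the narrower policy was meant to protect. The following Python script is an added example, not WatchGuard code and not part of this guide: it models that top-to-bottom, first-match selection, flags a later, more specific policy that an earlier, broader one completely covers (so it can never be selected), and sorts a list into the recommended order. The policy names, addresses and tunnel names are constructed sample values.

```python
"""Added example, not from the WatchGuard guide: models the Firebox's top-to-bottom,
first-match processing of an IPSec policy list and checks that a list runs from the
most specific policy to the least specific, in the order the guide recommends.
Every address, policy name and tunnel name below is a constructed sample value."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# The guide's recommended order, most specific first.
RECOMMENDED_ORDER = ("host-host", "host-net", "net-host", "net-net")
_RANK = {kind: i for i, kind in enumerate(RECOMMENDED_ORDER)}


@dataclass(frozen=True)
class Policy:
    name: str
    local: IPv4Network   # local side; a /32 is a single host
    remote: IPv4Network  # remote side; a /32 is a single host
    tunnel: str          # the tunnel that carries traffic matching this policy

    @property
    def kind(self) -> str:
        """Classify the policy by whether each end is a host (/32) or a network."""
        ends = ("host" if self.local.prefixlen == 32 else "net",
                "host" if self.remote.prefixlen == 32 else "net")
        return "-".join(ends)


def first_match(policies, src, dst):
    """Walk the list top to bottom and return the first policy covering src -> dst,
    which is how the Firebox selects the tunnel; None if no policy applies."""
    s, d = ip_address(src), ip_address(dst)
    return next((p for p in policies if s in p.local and d in p.remote), None)


def shadowed_policies(policies):
    """Return (earlier, later) name pairs where an earlier, broader policy completely
    covers a later one, so the later (more specific) policy can never be selected."""
    pairs = []
    for i, earlier in enumerate(policies):
        for later in policies[i + 1:]:
            if later.local.subnet_of(earlier.local) and later.remote.subnet_of(earlier.remote):
                pairs.append((earlier.name, later.name))
    return pairs


def recommended_sort(policies):
    """Stable sort into the recommended order; policies of one kind keep their creation order."""
    return sorted(policies, key=lambda p: _RANK[p.kind])


def tunnel_for(policies, src, dst):
    """Name of the tunnel a src -> dst connection would take under this policy order."""
    match = first_match(policies, src, dst)
    return match.tunnel if match else None


# Constructed sample: the broad network-to-network policy was created first, then a
# host-to-host policy for one sensitive server pair that should use the stronger tunnel.
CREATED_ORDER = [
    Policy("all-sites", ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16"), "tunnel-standard"),
    Policy("payroll-db", ip_network("10.1.0.5/32"), ip_network("10.2.0.9/32"), "tunnel-high"),
]

if __name__ == "__main__":
    print("created order, payroll traffic takes:", tunnel_for(CREATED_ORDER, "10.1.0.5", "10.2.0.9"))
    print("shadowed policies:", shadowed_policies(CREATED_ORDER))
    fixed = recommended_sort(CREATED_ORDER)
    print("recommended order:", [p.name for p in fixed])
    print("payroll traffic now takes:", tunnel_for(fixed, "10.1.0.5", "10.2.0.9"))
    print("shadowed policies:", shadowed_policies(fixed))
```

In the creation order the payroll pair is carried by tunnel-standard and the host-to-host policy is reported as shadowed; after sorting it is carried by tunnel-high while all other traffic between the two networks still falls through to the broad policy. Since the guide requires the same order at both ends of the tunnel, run the same check against the policy list exported from each Firebox.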
Configuring services for branch office VPN with IPSec
Users on the remote Firebox are technically outside the trusted network; you must
therefore configure the Firebox to allow traffic through the VPN connection. A quick
method is to create a host alias corresponding to the VPN remote networks and hosts.
Then, use either the host alias or individually enter the remote VPN networks and
hosts when configuring the following service properties:
Incoming
• Enabled and Allowed
• From: Remote VPN network, hosts, or host alias
• To: trusted or selected hosts
Outgoing
• Enabled and Allowed
• From: trusted network or selected hosts
• To: Remote VPN network, hosts, or host alias
For more information, see "Defining service properties" on page 49, and "Adding a
host alias" on page 86.
User Guide
129