CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

Posted 2005-08-13 by BarryStiefel (Administrator)

How Do Firewall Object Definitions Work?



To make VPN definition as easy as possible I am trying to build a good model of how the various firewall-object definitions interact.

So far I have only worked with traditional mode VPN definitions and as far as I can make out there are four places where firewall-object definitions affect a single VPN connection:
  • The Local definition of the Local Firewall-Object
  • The Local definition of the Remote Firewall-Object
  • The Remote definition of the Local Firewall-Object
  • The Remote definition of the Remote Firewall-Object

Warning - the following is my working hypothesis and might be nonsense.

Here is my guess at the relationships that apply.

The Local definition of the Local Firewall-Object:

Globally enables protocols on the Local-Firewall; if I want to use a particular protocol on any VPN it needs to be enabled on this object.

The Local definition of the Remote Firewall-Object:

Defines a subset of the protocols defined in the 'Local definition of the Local Firewall-Object' which I want to use when talking to 'The Remote Firewall-Object'.

The above definitions apply symmetrically on the remote Firewall and as a result the VPN connection uses the same parameters for connections originating at either end.

A good procedure for establishing new parameters with a partner VPN would be:
  • Agree the set of working parameters you want to use with the remote site.
  • Check that the working parameters are enabled in the 'local definition of the local firewall-Objects' at both ends.
  • Check that the working parameters are enabled in the 'local definition of the remote firewall-Object' at both ends.
  • Define the policy rules for the VPN at both ends and check that their encryption parameters match.
  • Test the connection.

I would be grateful to anyone who can correct or clarify the above understanding.

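The procedure in the post above, written as a check that can be run before a change. This is an added example, not part of the original post and not Check Point code: it encodes the poster's working hypothesis as stated, and the function name, dictionary keys and parameter sets are constructed for illustration.

```python
# Added illustration of the post's hypothesis; not Check Point's object schema.
# All names and sample values are constructed.

def check_vpn_parameters(agreed, sites):
    """Return findings as (site, check, parameters) tuples; empty list means OK.

    sites maps a site name to the definitions held at that end:
      'local_object'  - its definition of its own firewall object
      'remote_object' - its definition of the peer's firewall object
      'rule'          - encryption parameters on its VPN policy rule
    """
    findings = []
    for name, defs in sorted(sites.items()):
        # Steps 2 and 3: agreed parameters must be enabled in both definitions.
        for definition in ("local_object", "remote_object"):
            missing = agreed - defs[definition]
            if missing:
                findings.append((name, definition, sorted(missing)))
        # Hypothesis in the post: the peer definition is a subset of what the
        # local gateway object enables globally.
        extra = defs["remote_object"] - defs["local_object"]
        if extra:
            findings.append((name, "remote_not_subset_of_local", sorted(extra)))
    # Step 4: the rule's encryption parameters must match at both ends.
    rules = [set(d["rule"]) for d in sites.values()]
    differing = set.union(*rules) - set.intersection(*rules)
    if differing:
        findings.append(("both_ends", "rule_mismatch", sorted(differing)))
    return findings

# Constructed sample: site_b has not enabled AES-256 on its own gateway object
# and its rule still uses 3DES.
AGREED = {"AES-256", "SHA1", "DH-group2"}
SITES = {
    "site_a": {"local_object": {"AES-256", "3DES", "SHA1", "MD5", "DH-group2"},
               "remote_object": {"AES-256", "SHA1", "DH-group2"},
               "rule": {"AES-256", "SHA1"}},
    "site_b": {"local_object": {"3DES", "SHA1", "MD5", "DH-group2"},
               "remote_object": {"AES-256", "SHA1", "DH-group2"},
               "rule": {"3DES", "SHA1"}},
}

if __name__ == "__main__":
    for site, check, params in check_vpn_parameters(AGREED, SITES):
        print(f"{site}: {check}: {', '.join(params)}")
```
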