Support Forum
nguiovani
New Contributor

Configuration of Phase 2 Selectors on Site-to-Site VPN through Fortimanager

I need to perform all of the configuration of a site-to-site VPN ("External Gateway") through FortiManager.

But in the last step of the configuration I didn't find the option "Selectors of Phase 2". There is an option "Create Phase2 by Protected Subnet Pair", but I couldn't identify where to define the remote and local networks that traverse this VPN.

When I add an object in "Protected Subnet", will that be enough, or should I create them through the firewall policy?


1 Solution
HarshChavda
Staff
Staff

The "Create Phase2 by Protected Subnet Pair" option typically auto-generates Phase 2 selectors (also called traffic selectors or Proxy IDs) based on pairs of local and remote subnets that you want to pass through the VPN tunnel. These selectors specify which traffic will be encrypted and sent through the tunnel.

When you add an object to the "Protected Subnet," you're essentially defining a subnet that will be included in one of these auto-generated Phase 2 selectors. Typically this will be the local subnet that you want to connect to the remote network via VPN.

Generally, defining the protected subnets as part of the VPN configuration isn't enough. You'll also need to create a corresponding firewall policy that allows traffic to pass from your local network to the remote network (and vice versa) through the VPN tunnel.

Start by defining your local and remote networks in the VPN configuration. Depending on your FortiManager version, you may have to configure this within the VPN settings or elsewhere. Create a corresponding firewall policy that allows traffic from your local network to the VPN tunnel. You may need to add static routes to make sure traffic is directed through the VPN tunnel. Make sure to commit your changes in FortiManager and install the configuration to the FortiGate devices.

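As an added illustration (not part of the original thread), the following Python check ties together the three pieces the answer lists: every Phase 2 selector pair needs an accept firewall policy in both directions and a static route for the remote subnet via the tunnel interface. The interface names port2 and vpn-siteB, the subnets, and the simplified policy model (interfaces and addresses only; service, schedule and NAT are ignored) are constructed assumptions, not values from the thread.

```python
import ipaddress


def _within(inner, outer):
    """True when subnet `inner` lies inside subnet `outer` ('all' matches anything)."""
    if outer == "all":
        return True
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))


def _policy_exists(policies, srcintf, dstintf, src, dst):
    """Is there an accept policy from srcintf to dstintf whose addresses cover src -> dst?"""
    return any(p["srcintf"] == srcintf and p["dstintf"] == dstintf
               and p["action"] == "accept"
               and _within(src, p["srcaddr"]) and _within(dst, p["dstaddr"])
               for p in policies)


def audit(selectors, policies, routes, lan_if, tunnel_if):
    """Return findings for selectors that lack a policy or a route; [] means all good.

    selectors: (local_subnet, remote_subnet) Phase 2 pairs
    policies : dicts with srcintf, dstintf, srcaddr, dstaddr, action
    routes   : (destination_subnet, device) static routes
    """
    findings = []
    for local, remote in selectors:
        if not _policy_exists(policies, lan_if, tunnel_if, local, remote):
            findings.append(f"no outbound policy {lan_if}->{tunnel_if} for {local} -> {remote}")
        if not _policy_exists(policies, tunnel_if, lan_if, remote, local):
            findings.append(f"no inbound policy {tunnel_if}->{lan_if} for {remote} -> {local}")
        if not any(dev == tunnel_if and _within(remote, dst) for dst, dev in routes):
            findings.append(f"no static route for {remote} via {tunnel_if}")
    return findings


# Constructed sample data: the first selector is fully wired up, the second is not.
SELECTORS = [("10.1.0.0/24", "10.2.0.0/24"), ("10.1.5.0/24", "10.2.5.0/24")]
POLICIES = [
    {"srcintf": "port2", "dstintf": "vpn-siteB", "srcaddr": "10.1.0.0/24", "dstaddr": "10.2.0.0/24", "action": "accept"},
    {"srcintf": "vpn-siteB", "dstintf": "port2", "srcaddr": "10.2.0.0/24", "dstaddr": "10.1.0.0/24", "action": "accept"},
    {"srcintf": "port2", "dstintf": "vpn-siteB", "srcaddr": "10.1.5.0/24", "dstaddr": "10.2.5.0/24", "action": "accept"},
]
ROUTES = [("10.2.0.0/24", "vpn-siteB")]

if __name__ == "__main__":
    for finding in audit(SELECTORS, POLICIES, ROUTES, "port2", "vpn-siteB"):
        print(finding)
```

Running it reports the missing return policy and the missing route for the second selector, which is exactly the situation where the tunnel comes up but traffic for that subnet pair is dropped.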
