Hello, I have a couple of doubts and I would like you to help me with them.
1.- Is it possible to perform an IPsec VPN when the firewall is in V-Wires mode? Only having an IP in the administration interface?
2.- Is it possible to perform SSL decryption when the firewall is in V-Wires mode? If so, what parameters should the digital certificate have?
Thank you very much for your help in this regard.
In both situations, you can do SSL and S2S VPNs with VWire... but... you will also need to configure an L3 interface/address that is private on your network. I have configured this on my PA220, when my ISP had its DHCP public IP (residential cable modem/router/all in one) and I wanted to set up a VPN.
For S2S VPN, you need to ensure that L3 interface is connected to your downstream switch (so that the Vwire AND this L3 interface are on the same broadcast domain).
Configure the IKE Gateway using the L3 interface and traffic will be able to pass through the VWire.
Now, SSL Inbound Inspection (where you take the public/private keys from your servers and put them onto the FW) should allow you to decrypt traffic as it passes through the FW downstream to your DMZ, or vice versa.
For SSL Forward Proxy, you may want to test it out, but you can try to leverage the ability to do SNAT or DNAT on traffic.
Example: When VWire-trusted goes to VWire-Untrusted, then SNAT the traffic using a Translated Address object (vs an Interface Address). If I created an Address Object called VWire-Translate with an IP of 22.214.171.124, then it would be this Translated Address object (of 126.96.36.199) that your traffic would be using.
If this does not work, then you would need to create an L3 interface to use for SSL Forward Proxy.
Read the SSL Decryption documentation and substitute your L3 interface for the CN field and you should be fine.