The VPN service relies on several settings necessary for operation. The parameters are grouped into the following subsections:
|Listen on port 443||Deactivated|
The TCP tunnel transport usually uses TCP connections on port 691, the default.
|Maximum number of tunnels|
|This value sets the maximum number of concurrent client-to-site and site-to-site tunnels accepted by the VPN service.|
|CRL poll time [min.]||0||The time interval in minutes for fetching the Certificate Revocation List. Entering 0 results in a poll time of 15 minutes.|
|Site to Site authentication|
|Typically, a tunnel registers itself at the firewall by creating an auth.db entry with the tunnel network and the tunnel credentials. You can then create an access rule with the tunnel name or credentials as a condition. This feature is rarely used.|
|Add VPN routes to main routing table|
|Add the routes for published VPN networks to the main routing table with a metric of 10.|
|Allow concurrent user sessions|
|Add the routes for published VPN networks to the main routing table with a metric of 10. For more information, see Authentication, Encryption, Transport, IP Version and VPN Routing.|
|Use Perfect Forward Secrecy||Enforced|
Enable perfect forward secrecy and elliptic curve cryptography for TINA site-to-site VPN tunnels. For more information, see Authentication, Encryption, Transport, IP Version and VPN Routing.
|Accounting information storage time [days]||14|
Stores information on client-to-site connections and site-to-site VPN tunnels using the TINA VPN protocol in the /VPNservice/VPN log file. For client-to-site VPN connections, both the login and logout are logged. To disable this feature, set to
Example login log entry:
Session PGRP-AUTH-user1-b607769a27fdf6e: Accounting LOGIN - user=user1 IP=REMOTE_IP start="2016/05/27 15:00:00"
Example logout log entry:
Session PGRP-AUTH-user1-b607769a27fdf6e: Accounting LOGOUT - user=user1 IP=REMOTE_IP start="2016/05/27 15:00:00" duration=0:03:36 inBytes=0 outBytes=0 lastOS="Android 6.0" lastClient="Android 2.0.1"
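The accounting entries above can be paired by session ID to get per-user session durations and to spot logins that never logged out. The following is an added example, not Barracuda code: it assumes the key=value layout and the h:mm:ss duration format seen in the two sample entries, and the `user2` line is constructed.

```python
import re
from datetime import datetime, timedelta

ENTRY = re.compile(r'Session (?P<sid>\S+): Accounting (?P<event>LOGIN|LOGOUT) - (?P<kv>.*)')
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="quoted value"

def parse_entry(line):
    """Parse one accounting line into a dict; return None for unrelated lines."""
    m = ENTRY.search(line)
    if not m:
        return None
    rec = {"session": m["sid"], "event": m["event"]}
    for key, quoted, bare in FIELD.findall(m["kv"]):
        rec[key] = quoted or bare
    if "start" in rec:
        rec["start"] = datetime.strptime(rec["start"], "%Y/%m/%d %H:%M:%S")
    if "duration" in rec:  # assumed to be h:mm:ss, as in the sample entry
        h, mins, secs = (int(p) for p in rec["duration"].split(":"))
        rec["duration"] = timedelta(hours=h, minutes=mins, seconds=secs)
    for counter in ("inBytes", "outBytes"):
        if counter in rec:
            rec[counter] = int(rec[counter])
    return rec

def pair_sessions(lines):
    """Match LOGOUT to LOGIN by session ID; return (closed, still_open)."""
    still_open, closed = {}, []
    for line in lines:
        rec = parse_entry(line)
        if rec is None:
            continue
        if rec["event"] == "LOGIN":
            still_open[rec["session"]] = rec
        else:
            still_open.pop(rec["session"], None)
            closed.append(rec)
    return closed, still_open

SAMPLE = [
    # The two entries shown on the page
    'Session PGRP-AUTH-user1-b607769a27fdf6e: Accounting LOGIN - user=user1 IP=REMOTE_IP start="2016/05/27 15:00:00"',
    'Session PGRP-AUTH-user1-b607769a27fdf6e: Accounting LOGOUT - user=user1 IP=REMOTE_IP start="2016/05/27 15:00:00" duration=0:03:36 inBytes=0 outBytes=0 lastOS="Android 6.0" lastClient="Android 2.0.1"',
    # Constructed entry: a login with no matching logout
    'Session PGRP-AUTH-user2-EXAMPLE0000001: Accounting LOGIN - user=user2 IP=203.0.113.7 start="2016/05/27 15:10:00"',
]

if __name__ == "__main__":
    closed, still_open = pair_sessions(SAMPLE)
    for rec in closed:
        print(rec["user"], rec["IP"], rec["duration"], rec["lastClient"])
    print("open:", sorted(still_open))
```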
|Send SDWAN data to Control Center||Yes|
|Defines how SD-WAN data is propagated to the Control Center.|
|Log VPN user accounting|
|If set to On, this option creates a log entry for every user log-in and log-off for a client-to-site connection.|
|If set to On, the firewall stores the Min/Avg/Max value of the throughput rate every 5 minutes.|
|Default Server Certificate|
|Select the check box to use self-signed certificates.|
Click the "add" icon to create a new private key.
Click the blue "up arrow" icon to clear, import, or export the certificate.
Click the "certificate" icon to edit the current certificate.
Click the "pen" icon to clear, import, or export the certificate.
|Handshake Timeout [sec]||10||Set the time in seconds until a handshake request times out.|
|Tunnel HA Sync||During an HA takeover, the initialization of all VPN tunnels and transports requires a very CPU-intensive RSA handshake procedure. As long as less than approximately 200 tunnels and transports are terminated, this initialization happens very quickly and does not decrease overall system performance. Due to real-time synchronization to the HA partner unit, the system load during a takeover can be decreased, providing faster tunnel re-establishment.|
|Pending session limit|
|Enforces a limit of five sessions. Additional session requests are dropped.|
|Prebuild cookies on startup|
Pre-builds the cookies when the VPN service is started. This can slow the VPN service startup but increases the speed of tunnel builds.
Typically, cookies are built on demand while a VPN tunnel is initiated.
Enable this setting to prevent high system load on CloudGen Firewalls that are concentrating a large number of VPN tunnels. High system load caused by the VPN service can occur if a large number of VPN tunnels are established simultaneously after a reboot or Internet Service Provider outage.
|Global TOS copy|
|Enables the Type of Service (ToS) flag for site-to-site tunnels. By default, the ToS flag is globally disabled (setting: Off). Individual tunnel ToS policies override global policy settings.|
|Global replay window size [packets]||256|
If ToS policies assigned to VPN tunnels or transport packets are not forwarded instantly according to their sequence number, you can configure the replay window size for sequence integrity assurance to avoid IP packet "replaying." The window size specifies a maximum number of IP packets that can be on hold until it is assumed that packets have been sent repeatedly and sequence integrity has been violated. Individual window size settings are configurable per tunnel and transport, overriding global policy settings. To specify that tunnel and transport settings should be used, enter 0 (default).
To view the specified replay window size, double-click the tunnel on the VPN page to open the Transport Details window (attribute: transport_replayWindow).
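To show why the window size matters when ToS prioritization reorders traffic, the following added example implements a generic sliding-window anti-replay check. It is not the TINA implementation, and the class and function names are hypothetical. The constructed arrival order delays 20 low-priority packets behind 200 prioritized ones.

```python
class ReplayWindow:
    """Generic sliding-window anti-replay check (illustration only)."""

    def __init__(self, size):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (highest - i) was already seen

    def accept(self, seq):
        if seq > self.highest:
            # New highest: slide the window forward and mark this packet.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False   # older than the window: treated as a replay
        if (self.bitmap >> offset) & 1:
            return False   # already seen inside the window: a real duplicate
        self.bitmap |= 1 << offset
        return True


def count_dropped(arrival_order, window_size):
    """Return how many packets the window rejects for a given arrival order."""
    window = ReplayWindow(window_size)
    return sum(1 for seq in arrival_order if not window.accept(seq))


# Constructed traffic: packets 1-20 are low priority and arrive only after
# the prioritized packets 21-220 have already been delivered.
REORDERED = list(range(21, 221)) + list(range(1, 21))
# The same traffic followed by a repeated copy of packet 5.
WITH_REPLAY = REORDERED + [5]

if __name__ == "__main__":
    for size in (64, 256):
        print(size, count_dropped(REORDERED, size), count_dropped(WITH_REPLAY, size))
```

With a 64-packet window the delayed packets are rejected as if they were replays, while a 256-packet window accepts them and still rejects the repeated packet.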
|Allow Dynamic Mesh|
|Enable Dynamic Mesh for this VPN service. For more information, see Dynamic Mesh VPN Networks.|
Access Control Service
|IP Address||The IP address of the Access Control Service.|
|Sync Authentication Trust Zone|
|If activated, propagates authentication information to systems in the same Trust Zone.|