Secure Firewall Threat Defense Site-to-site VPN Guidelines and Limitations

  • Site-to-site VPN supports ECMP zone interfaces.

  • You must configure all nodes in a topology with either crypto ACL or a protected network. You cannot configure a topology with crypto ACL on one node and protected network on another.

  • You can configure a VPN connection across domains by using an extranet peer for the endpoint not in the current domain.

  • You can back up Firewall Threat Defense VPNs using the Cloud-Delivered Firewall Management Center backup.

  • IKEv1 does not support CC/UCAPL-compliant devices. We recommend that you use IKEv2 for these devices.

  • You cannot move a VPN topology between domains.

  • VPN does not support network objects with a 'range' option.

  • Firewall Threat Defense VPNs do not currently support PDF export and policy comparison.

  • There is no per-tunnel or per-device edit option for Firewall Threat Defense VPNs; you can edit only the whole topology.

  • The Cloud-Delivered Firewall Management Center does not perform device interface address verification for transport mode when you select a crypto ACL.

  • There is no support for automatic mirror ACE generation. Mirror ACE generation for the peer is a manual process on either side.

  • With crypto ACL, the Cloud-Delivered Firewall Management Center supports only point-to-point VPN and does not support tunnel health events.

  • If IKE ports 500/4500 are already in use, or if there are active PAT translations on them, you cannot configure a site-to-site VPN on those ports because the service fails to start on them.

  • Tunnel status is not updated in real time; the Cloud-Delivered Firewall Management Center refreshes it at an interval of five minutes.

  • You cannot use the character " (double quote) as part of pre-shared keys. If you have used " in a pre-shared key, ensure that you change the character.

  • In a site-to-site VPN configuration with two devices managed by the same Cloud-Delivered Firewall Management Center, you cannot configure the devices as backup peers. You must configure one of the peer devices in the topology as an extranet device.

  • Configure a unique local IKE identity for all tunnels across all your VPN topologies.
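Several of the guidelines above can be checked before a topology is pushed to the devices. The following pre-deployment lint is an added example, not Cisco code or an FMC API: it runs over a constructed topology definition (the field names mode, ike_id, psk and networks are hypothetical) and flags mixed crypto ACL/protected network nodes, double quotes in pre-shared keys, range network objects, and local IKE identities reused across tunnels.

```python
from collections import Counter

# Constructed sample topologies (not a real deployment); the field names
# "mode", "ike_id", "psk" and "networks" are hypothetical, not FMC API fields.
TOPOLOGIES = [
    {"name": "hq-branch1", "nodes": [
        {"device": "ftd-hq", "mode": "protected_network",
         "ike_id": "hq.example.com", "psk": "S3cretKey", "networks": ["host"]},
        {"device": "ftd-branch1", "mode": "crypto_acl",
         "ike_id": "branch1.example.com", "psk": 'Bad"Key', "networks": ["range"]},
    ]},
    {"name": "hq-branch2", "nodes": [
        {"device": "ftd-hq", "mode": "protected_network",
         "ike_id": "hq.example.com", "psk": "OtherKey", "networks": ["network"]},
        {"device": "ftd-branch2", "mode": "protected_network",
         "ike_id": "branch2.example.com", "psk": "OtherKey", "networks": ["network"]},
    ]},
]


def check_topologies(topologies):
    """Return a list of guideline violations found in the topology definitions."""
    problems = []
    ike_ids = Counter()
    for topo in topologies:
        # Every node must use the same mode: all crypto ACL or all protected network.
        modes = {node["mode"] for node in topo["nodes"]}
        if len(modes) > 1:
            problems.append(f"{topo['name']}: mixes crypto ACL and protected network")
        for node in topo["nodes"]:
            dev = f"{topo['name']}/{node['device']}"
            # A double quote is not allowed anywhere in a pre-shared key.
            if '"' in node["psk"]:
                problems.append(f"{dev}: pre-shared key contains a double quote")
            # Network objects with a 'range' option are not supported by VPN.
            if "range" in node["networks"]:
                problems.append(f"{dev}: uses a range network object")
            ike_ids[node["ike_id"]] += 1
    # Each tunnel endpoint needs a unique local IKE identity across all topologies.
    for ident, count in ike_ids.items():
        if count > 1:
            problems.append(f"IKE identity {ident!r} is reused in {count} tunnels")
    return problems


if __name__ == "__main__":
    for line in check_topologies(TOPOLOGIES):
        print(line)
```

Running the block prints four findings for the constructed data; a clean topology set returns an empty list.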