This configuration guide includes information needed to connect a WatchGuard firewall to the Pureport platform via a routed IPSEC VPN using BGP for routing.

Note: This guide was created using WatchGuard version 12.5. Depending on your specific firmware version, there may be minor differences between this guide and your actual configuration. Be aware that each WatchGuard platform may have slightly different options in the user interface. Additionally, if you already have a routing topology in place, you must change some of these configuration items based on your specific setup.

In this example, we show the configuration for:

  • One Firebox external device (virtual shown)
  • Two Firebox BOVPN virtual interfaces
  • Redundant Pureport VPN gateways
  • Dynamic routing using BGP


In order to complete the VPN connection process, you will need to create the VPN gateway on the Pureport side in advance. Instructions for deploying are found in the Connecting to a Site VPN - Route-Based with BGP article. 

You will need the three variables highlighted below to complete this configuration, or you may alternately use placeholder values during creation and replace them with actual values once the WatchGuard is configured.

Variables Needed

You will need the following information from various sources in order to configure your VPN tunnels and BGP peering on your WatchGuard firewall.

Customer Gateway IPWatchGuard ConfigurationThe public IP address of the WAN interface of your firewall.
If there are multiple outside / public interfaces, select the one or two that are bound to the IP address you will use as your VPN peer address.
(also needed to create the VPN in the Pureport Console)
Encryption Settings for the VPN
Pureport consolePureport defaults are used in the example configuration - you may configure as desired however be sure the settings chosen match on both the WatchGuard and the Pureport sides.
(also needed to create the VPN in the Pureport Console)
Pureport Primary Gateway IP AddressPureport console
Pureport Primary Gateway Pre-Shared KeyPureport console
Pureport Secondary Gateway IP AddressPureport console
Pureport Secondary Gateway Pre-Shared KeyPureport console
Customer VTI IP for Primary GatewayPureport console
Customer VTI IP for Primary GatewayPureport console
Pureport BGP ASNPureport consoleNormally 394351
Customer BGP ASNWatchGuard Configuration / User-createdIf you do not already have an ASN for BGP peering, we recommend using 65501. Review the "ASN selection" article for details.
(also needed to create the VPN in the Pureport Console)
Customer Site Internal Network Number and MaskWatchGuard ConfigurationThe trusted network of the Firebox in CIDR notation. These will be the networks that are advertised via BGP

Configuration Guide

When using this configuration script, use the variables, as listed in the table above.

Add the BOVPN Virtual Interfaces

You will create two BOVPN Virtual Interfaces to correspond to each of the Primary and Secondary gateways on the Pureport side. To create the Branch Office VPN Virtual Interfaces, in the Web GUI:

  1. Select VPN > BOVPN Virtual Interfaces

  2. Click Add.

  3. In the Interface Name text box, type a name that describes the virtual interface. In our example, we use Pureport-primary for the primary and Pureport-secondary for the secondary.

  4. From the Remote Endpoint Type drop-down list, select Cloud VPN or Third-Party Gateway.

  5. From the Gateway Address Family drop-down list, select IPv4 Addresses.

  6. For the credential method, select Use Pre-Shared Key.

  7. Copy and paste the Pre-Shared Key from the Pureport console. Be sure to copy the primary key for the primary VPN and the secondary key for the secondary VPN.

  8. In the Gateway Endpoint section, click Add.

  9. The Gateway Endpoint Settings dialog box appears.

  10. From the Physical drop-down list, select External.

  11. From the Interface IP Address drop-down list, select Primary IPv4 Interface Address.

  12. Select By IP Address.

  13. In the adjacent text box, type the Public IP address for the Firebox external interface.

  14. Select the Remote Gateway tab.

  15. Select Static IP Address.

  16. In the adjacent text box, paste the IP address of the Pureport gateway.
  17. Click OK

  18. You will be returned to the BOVPN Virtual Interfaces / Add screen.

  19. Click the VPN Routes tab

  20. Check the box to Assign virtual interface IP addresses

  21. In the Local IP address box, paste the Customer VTI IP value from the Pureport console (note: you do not need the "/30" mask notation for the IP address

  22. In the Peer IP address or netmask box, enter 

  23. Click the Phase 1 Settings tab. Ensure all settings match the VPN settings in the Pureport Console. Pay particular attention to the Version and Transform settings, and ensure Dead Peer Detection is enabled. You may adjust the WatchGuard or the Pureport configuration to achieve a match.

  24. Click the Phase 2 Settings tab. Again, ensure the settings match those from the Pureport console. You may adjust the WatchGuard or the Pureport configuration to achieve a match.

  25. Click Save.

  26. Repeat this process for the Secondary gateway

Configure BGP Peering on the WatchGuard

Next you will configure BGP peering on the Watchguard to achieve dynamic routing and full high availability with the Pureport network. You will need the BGP settings form the Pureport console. For the example we will use the following:

In the WatchGuard Web UI:

  1. Select Network > Dynamic Routing.
  2. Select Enable Dynamic Routing.

  3. Select the BGP tab.

  4. Specify the BGP commands. Be sure to replace the IP addresses and ASN information with your own. The "maximum-paths 2" command is critical to enable functional routing over both tunnels, otherwise the anti-spoofing feature of the Watchguard may cause loss of connectivity.
router bgp 65501
maximum-paths 2
neighbor remote-as 394351
neighbor activate
neighbor timers 10 30
neighbor remote-as 394351
neighbor activate
neighbor timers 10 30

Validate Connectivity

You should now see both IPSEC and BGP up in the Pureport Console:

You can also validate the VPN tunnel is up in the Watchguard interface by clicking System Status > VPN Statistics. Here you can see if a tunnel is down and also see statistics on VPN traffic, etc. In the screen shot below we see that the Primary tunnel is up and the secondary tunnel is down:

Finally, you can check to ensure that BGP is functioning by looking at the routing table, by clicking System Status > Routes and filtering for Dynamic routes: