On hk-screen1

1. Define an address object for the other Screen in the configuration (bos-screen in this example).

   The address of this object is the tunnel address.

2. Define the networks behind both Screens as address objects (that is, bos-net and hk-net).

3. Add the certificate name for bos-screen1.

   Use Certificate --> Associate MKID to generate a certificate object called bos-screen1.cert.

4. Add a rule to the configuration to encrypt the traffic between bos-net and hk-net.

   The following figure, Figure 6-7, and Figure 6-8 show the parameters used. The example uses Common Services, but the actual service you use reflects the security policy that you are implementing.

   Figure 6-6 Encryption Configuration

   
   

   Figure 6-7 Rule Definition Window

   
   

   Figure 6-8 Rule Index, Action Details Window

   
   

5. Add a rule to pass CDP in the clear before the encryption rules.

6. Save and activate the policy.