Define an address object for the other Screen in the configuration (bos-screen in this example).
The address of this object is the tunnel address.
Define the networks behind both Screens as address objects (that is, bos-net and hk-net).
Add the certificate name for bos-screen1.
Use Certificate --> Associate MKID to generate a certificate object called bos-screen1.cert.
Add a rule to the configuration to encrypt the traffic between bos-net and hk-net.
The following figure, Figure 6-7, and Figure 6-8 show the parameters used. The example uses Common Services, but the service you actually use should reflect the security policy that you are implementing.
Add a rule, placed before the encryption rules, that passes CDP in the clear.
Save and activate the policy.