Edit common properties of several NGFW Engines at the same time

You can select several NGFW Engines and change the properties that are common to all of them.

The following limitations apply when you change the properties of several engines at once:
  • Properties specific to one individual NGFW Engines element, such as IP address definitions, are never available in the common properties.
  • If you select both single and clustered NGFW Engines elements, the cluster-specific options are not available.
  • If you select NGFW Engines of different types, you can only change properties that are supported for all of the selected types of elements.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration.
  2. Shift-select or Ctrl-select the NGFW Engines that you want to edit.
    Tip: To have the maximum number of properties available, select NGFW Engines of the same type.
  3. Right-click one of the selected NGFW Engines, then select Common Properties.
  4. Configure the settings, then click OK.
    The properties that you can configure depend on how similar in type the selected NGFW Engines are.

Common Engine Properties dialog box

Use this dialog box to define common properties for two or more engines.

Option Definition
General tab
Log Server

(Not Virtual NGFW Engines)

 Specifies the log server to which the engines send event data.
Location

(Not Virtual NGFW Engines)

 Specifies the location for the engines or clusters if there is a NAT device between the engine and other SMC components.
Tools Profile

(Not Virtual NGFW Engines)

 Adds commands to the right-click menu for the element. Click Select to select an element.
Comment

(Optional)

 A comment for your own reference.
   
General tab Clustering section

(Clusters only)
Clustering Mode

(Not Layer 2 Firewalls)
  • Balancing — All nodes are simultaneously online providing enhanced performance and high availability if there is node failure. Balancing mode is the default mode.
  • Standby — Only one node can be online at a time. We recommend having at least one other node on standby to allow automatic takeover if there is failure. Several nodes can be on standby at a time. A randomly selected standby node is turned online when the online node fails.
Note: Only standby clustering mode is supported for Layer 2 Firewall Clusters.
Filter Mode Defines how traffic is balanced between the nodes.
  • Static — Packet ownership (the node to which the connection or packet belongs) can change only when nodes are added or removed from the cluster, or when they switch from one state to another.
  • Dynamic — Traffic is balanced to avoid node overloads and existing connections are moved between nodes whenever overload is detected.
Heartbeat Message Period Specifies how often clustered NGFW Engines send heartbeat messages to each other (notifying that they are up and running). Enter the value in milliseconds. The default value is 1000 milliseconds (one second).
CAUTION:
Setting this option too low can result in unnecessary heartbeat failures. Setting this option too high can cause unnecessary service outages when a failure occurs.
Heartbeat Failover Time Defines the time from the previous heartbeat message after which a node is treated as failed. Enter the value in milliseconds. The failover time must be at least twice as long as the Heartbeat Message Period. The default value is 5000 milliseconds.
CAUTION:
Setting this option too low can result in unnecessary heartbeat failures. Setting this option too high can cause unnecessary service outages when a failure occurs.
Load-Balancing Filter Uses Ports

(Firewalls only)

When selected, includes a port value for selecting between all nodes.

This setting decreases the granularity of VPN load balancing, and increases the granularity of other traffic load balancing. In typical networks, traffic is balanced based on IP address information only. If there is a dominating pair of communication IP addresses, apply the Use Ports option in the load-balancing filter entry only to their traffic and not globally.

Note: Enabling this option is not compatible with some features, such as mobile VPNs.
Option Definition
General tab Tester Global Settings section

(Not Virtual NGFW Engines)
Alert Interval Specify the time in minutes the NGFW Engine waits before sending a new alert when the same test keeps failing repeatedly. The default value is 60 minutes. If the interval is too short, the alerts can overload the system or the alert recipient.
Delay After Boot Specify the time in seconds that the NGFW Engine waits before it resumes running the tests after the listed events.
Delay After Reconfiguration
Delay After Status Change
Auto Recovery

(Clusters and Master NGFW Engines only)

When selected, the NGFW Engine automatically goes back online when a previously failed test completes successfully. Run the test in both online and offline states if you activate this option.
Boot Recovery When selected, the NGFW Engine automatically goes back online after restarting if all offline tests report a success.
Option Definition
General tab SNMP section

(Not Virtual NGFW Engines)
SNMP Agent Enables the NGFW Engine to send SNMP traps.
  • Select — Select an existing SNMP Agent element.
  • None — Disables the sending of SNMP traps.
  • New — Create an SNMP Agent element.
SNMP Location Specifies the SNMP location string that is returned on queries to the SNMPv2-MIB or SNMPv2-MIB-sysLocation object.
Option Definition
General tab LLDP section

(Not Virtual NGFW Engines)
LLDP Profile

(NGFW Engines and Master NGFW Engines in the Firewall/VPN role only)

 The LLDP Profile element that specifies settings for LLDP announcements that the NGFW Engine announces. Click Select to select an element.
Option Definition
General tab Layer 2 Settings section

(Firewalls only)
Policy for Layer 2 Interfaces

The Layer 2 Interface Policy that contains rules for traffic detected by layer 2 physical interfaces.

All layer 2 physical interfaces on the NGFW Engine use the same Layer 2 Interface Policy. If there are no layer 2 physical interfaces, this setting is ignored.
Layer 2 Connection Tracking Mode

When connection tracking is enabled, reply packets are allowed as part of the allowed connection without an explicit Access rule.

You can override this engine-specific setting and configure connection tracking for TCP, UDP, and ICMP traffic in Access rules.

  • Normal — The engine drops ICMP error messages related to connections that are not currently active in connection tracking. A valid, complete TCP handshake is required for TCP traffic. The engine checks the traffic direction and the port parameters of UDP traffic.
  • Strict — The engine does not permit TCP traffic to pass through before a complete, valid TCP handshake is performed.
  • Loose — The engine allows some connection patterns and address translation operations that are not allowed in the Normal mode. This mode can be used, for example, if routing is asymmetric and cannot be corrected or if the use of dynamic routing protocols causes the engine to receive non-standard traffic patterns.
Bypass Traffic on Overload

When selected, the NGFW Engine dynamically reduces the number of inspected connections if the load is too high.

Some traffic might pass through without any access control or inspection if this option is selected. Bypassed traffic is not counted when a possible license throughput limit is enforced. The bypass does not affect traffic subject to TLS Inspection.

If this option is not selected, the NGFW Engine inspects all connections. Some connections might not get through if the engine gets overloaded.

Option Definition
Routing tab

(Firewalls only)
Link Usage Profile To enable dynamic link selection for the NGFW Engine, select a Link Usage Profile element.
Option Definition
Add-Ons tab TLS Inspection section

(Not Master NGFW Engines)
Client Protection Certificate Authority Select the Client Protection Certificate Authority element to use for client protection.
Check Certificate Revocation When selected, the NGFW Engine uses CRL or OCSP to check whether certificates have been revoked.
Decrypt All Traffic When selected, the NGFW Engine forces all traffic to be decrypted. When the checkbox is not selected, the NGFW Engine either decrypts or does not decrypt traffic according to the settings in TLS Match elements.
Cryptography Suite Set Specifies the TLS Cryptography Suite Set element that defines which cryptographic algorithms are allowed for TLS traffic that is decrypted for TLS Client Protection. Click Select to select an element.
Option Definition
Add-Ons tab User Authentication section

(Firewall/VPN role only)
Authentication Time-Out Defines the length of time after which authentication expires and users must re-authenticate.
Authentication Idle Time-Out Defines an idle timeout for user authentication. If there have been no new connections within the specified time limit after the closing of a user's previous connection, the user is removed from the list of authenticated users.
HTTP When selected, allows authentication using plain HTTP connections. Change the Port number if you want to use a different port for the authentication interface. The default port is 80.
HTTPS When selected, allows authentication using encrypted HTTPS connections. Change the Port number if you want to use a different port for the authentication interface. The default port is 443.

This option is required for client certificate authentication.
User Authentication Page Select the User Authentication Page element that defines the look of the logon, challenge, re-authentication, and status page shown to end users when they authenticate.
Enable Session Handling

(Optional)

 When selected, enables cookie-based strict session handling.
Note: When Enable Session Handling is selected, the Authentication Idle Time-Out option is not available. The Refresh Status Page Every option defines the authentication timeout.
Refresh Status Page Every

(Optional)

 Defines how often the status page is automatically refreshed. When Enable Session Handling is selected, defines the authentication timeout.
Option Definition
Add-Ons tab User Identification section

(Not Master NGFW Engines or Virtual NGFW Engines)
User Identification Service The Forcepoint User ID Service, McAfee Logon Collector, and Integrated User ID Service provide user, group, and IP address information that can be used in transparent user identification.

The Integrated User ID Service is primarily meant for demonstration purposes and proof-of-concept testing of user identification services.

  • Select — Allows you to select an existing Forcepoint User ID Service, McAfee Logon Collector, or Integrated User ID Service element.
  • None — Disables transparent user identification.
Note: For Forcepoint NGFW version 6.4 or higher, we recommend that you use the Forcepoint User ID Service.
Option Definition
Add-Ons tab Snort section

(Not Master NGFW Engines or Virtual NGFW Engines)
Enable When selected, enables Snort inspection for the NGFW Engine.
Note: To apply Snort inspection to traffic, you must also create Access rules to select traffic for Snort inspection.
Snort Configuration

(Optional)

 The externally created Snort configuration .zip file that contains the Snort configuration files and rules for Snort inspection.
  • Click Browse to select a file.
  • Click None to remove a previously imported file.
  • Click Export to export the Snort configuration file.

All NGFW Engines for which Snort inspection is enabled use the global Snort configuration by default. If you do not want to override settings in the global Snort configuration, it is not necessary to import a Snort configuration file for an individual NGFW Engine.

Settings in the Snort configuration .zip file for an individual NGFW Engine are combined with the settings in the global Snort configuration .zip file. If any configuration files in a Snort configuration .zip file for an individual NGFW Engine have the same files name and paths as configuration files in the global Snort configuration .zip file, the overlapping files in the global Snort configuration .zip file are ignored.
Option Definition
Policies tab Element-Based NAT section

(Firewall/VPN role only)
Use Default NAT Address for Traffic from Internal Networks Select an option to define how the NGFW Engine uses the default NAT address.
  • On — The NGFW Engine always uses the default NAT address as the public IP address if there is not a more specific NAT definition that matches the traffic.
  • Off — The NGFW Engine never uses the default NAT address as the public IP address.
  • Automatic — The NGFW Engine automatically determines whether to use the default NAT address based on the routing configuration. If there are routes that use NetLinks, the NGFW Engine uses the default NAT address as the public IP address if there is not a more specific NAT definition that matches the traffic.

When you select On or Automatic, a NAT rule is generated at the end of the IPv4 or IPv6 NAT rules in the policy.
Option Definition
Policies tab Settings for Automatic Rules section
Allow Traffic to Authentication Ports

(Firewall/VPN role only)

 When selected, allows traffic to the ports that are used for user authentication.
Allow Traffic from Listening IP Addresses to DNS Relay Port

(Firewall/VPN role only)

 When selected, allows traffic from clients in the internal network to the standard DNS ports (53/TCP and 53/UDP) on the interfaces that are selected as listening interfaces for DNS relay.
Allow Connections to Domain-Specific DNS Servers

(Firewall/VPN role only)

 When selected, allows connections from the firewall to the domain-specific DNS servers specified in the DNS Relay Profile element that is selected for firewall.
Allow Connections from Local DHCP Relay to Remote DHCP Server

(Firewall/VPN role only)

 When selected, allows connections from interfaces on which DHCP relay is active to remote DHCP servers.
Note: To relay DHCP messages through a policy-based VPN, you must add specific Access rules to allow the traffic. The Access rules must refer to the correct policy-based VPN.
Log Level for Automatic Rules The log level for traffic that matches automatic rules.
  • None — Does not create any log entry.
  • Alert — Triggers an alert entry.
  • Essential — Creates a log entry that is shown in the Logs view and saved for further use.
  • Stored — Creates a log entry that is stored on the Log Server.
  • Transient — Creates a log entry that is displayed in the Current Events mode in the Logs view (if someone is viewing it) but is not stored.
Alert When the Log Level is set to Alert, specifies the Alert that is sent.
Option Definition
VPN tab

(Firewall/VPN role only)
Gateway Settings The Gateway Settings element that defines performance-related VPN options.
Option Definition
Advanced tab System Parameters section
Encrypt Configuration Data By default, the configuration of the NGFW Engine is stored in an encrypted format. Disable the encryption only if instructed to do so by Forcepoint Customer Hub.
Contact Node Timeout

(Not Virtual NGFW Engines)

The maximum amount of time the Management Server tries to connect to an NGFW Engine.

A consistently slow network connection might require increasing this value. The default value is 120 seconds.

Note: Setting the timeout value too short or too long can delay or prevent contact between the Management Server and the NGFW Engines.
Auto Reboot Timeout

(Not Virtual NGFW Engines)

 Specifies the length of time after which an error situation is considered non-recoverable and the NGFW Engine automatically reboots. The default value is 10 seconds. Set to 0 to disable.
Policy Handshake

(Not Virtual NGFW Engines)

 When selected, the nodes automatically roll back to using the previously installed policy if connectivity is lost after installing a new policy.

Without this feature, you must switch to the previous configuration manually through the boot menu of the NGFW Engine.

Note: We recommend adjusting the timeout (next setting) rather than disabling this feature completely if there is a need to make changes.
Rollback Timeout

(Not Virtual NGFW Engines)

 The length of time the NGFW Engine waits for a management connection before it rolls back to the previously installed policy when the Policy Handshake option is active. The default value is 60 seconds.
Automated Node Certificate Renewal

(Not Virtual NGFW Engines)

 When selected, the NGFW Engine's certificate for system communications is automatically renewed before it expires. Otherwise, the certificate must be renewed manually.

Each certificate for system communications is valid for three years. If the certificate expires, other components refuse to communicate with the NGFW Engine.

Note: Does not renew VPN certificates. Automatic certificate renewal for internally signed VPN certificates is set separately in the NGFW Engine's VPN settings.
FIPS-Compatible Operating Mode

(Firewalls only)

(Not Virtual NGFW Engines)

 When selected, activates a mode that is compliant with the Federal Information Processing Standards (FIPS).
Note: You must also select FIPS-specific settings in the NGFW Configuration Wizard on the command line of the NGFW Engine. For more information, see How to install Forcepoint NGFW in FIPS mode.
Number of CPUs Reserved for Control Plane

(Firewalls only)

(Not Virtual NGFW Engines)

 Select how many CPUs to reserve for control plane operations. In situations where there is exceptionally high traffic, in a denial of service attack, for example, this ensures that you can still monitor and control the NGFW Engine operation.
Note: The reserved CPUs cannot be used for traffic processing. Using fewer CPUs for traffic processing degrades performance.
Isolate Also Interfaces for System Communications

(Firewalls only)

When selected, the reserved CPUs handle the system communications traffic that pass through the Control Interfaces and dedicated primary Heartbeat Interfaces. We recommend that you only use this option when the Physical Interfaces used for system communications do not handle any other traffic.
Option Definition
Advanced tab Traffic Handling section
Layer 3 Connection Tracking Mode

(Firewalls only)

Connection Tracking Mode

(IPS engines and Layer 2 Firewalls only)

When connection tracking is enabled, reply packets are allowed as part of the allowed connection without an explicit Access rule.

You can override this NGFW Engine-specific setting and configure connection tracking for TCP, UDP, and ICMP traffic in Access rules.

  • Normal — The NGFW Engine drops ICMP error messages related to connections that are not currently active in connection tracking. A valid, complete TCP handshake is required for TCP traffic. The NGFW Engine checks the traffic direction and the port parameters of UDP traffic.
  • Strict — The NGFW Engine does not permit TCP traffic to pass through before a complete, valid TCP handshake is performed.
  • Loose — The NGFW Engine allows some connection patterns and address translation operations that are not allowed in the Normal mode. This mode can be used, for example, if routing is asymmetric and cannot be corrected or if the use of dynamic routing protocols causes the NGFW Engine to receive non-standard traffic patterns.
On Firewalls and Layer 2 Firewalls, Normal is the default setting. On IPS engines, Loose is the default setting.
Virtual Defragmenting

(Firewalls only)

(Not Virtual NGFW Engines)

When selected, fragmented packets are sent onwards using the same fragmentation as when they arrived at the NGFW Engine.

When the NGFW Engine receives fragmented packets, it defragments the packets for inspection. The original fragments are queued until the inspection is finished. If the option is not selected, the packets are sent onwards as if they had arrived unfragmented.

Strict TCP Mode for Deep Inspection

(Not Virtual NGFW Engines)

This option is included for backward compatibility with legacy NGFW software versions.
Concurrent Connection Limit

(Not Virtual NGFW Engines)

A global limit for the number of open connections. When the set number of connections is reached, the NGFW Engine stops the next connection attempts until a previously open connection is closed.
Inspection CPU Balancing Mode

(Not Virtual NGFW Engines)

Specifies how inspected connections are allocated between the CPUs. Select from the following options:
  • Default — The connection is allocated to the CPU that received the first packet of the connection. If the utilization on the CPU is high, a different CPU is dynamically selected. Incoming and outgoing packets might be handled by different CPUs.
  • Round Robin — Connections are allocated evenly between all CPUs in order. This option can improve CPU balancing when there are a large number of CPUs.
  • NUMA local Round Robin — Connections are balanced within the CPU that received the first packet of the connection. Incoming and outgoing packets are handled by the same CPU.
Active Wait Time Between Inspected Packets

(Not Virtual NGFW Engines)

Defines how long the inspection process stays active waiting for packets after it has inspected a packet.
  • Short — The inspection process stays active for the minimum amount of time. This setting provides the best CPU performance, but can increase latency in inspection. This is the default setting.
  • Medium — The inspection process stays longer for a moderate amount of time. This setting provides a balance between CPU performance and latency in inspection.
  • Long — The inspection process stays active for the maximum amount of time. This setting provides the lowest latency in inspection, but decreases CPU performance.
Default Connection Termination in Access Policy

(IPS engines and Layer 2 Firewalls only)

Defines how connections that match Access rules with the Discard action are handled.
  • Terminate and Log Connection — Stops the matching connections. This option is the default setting.
  • Only Log Connection — Does not stop the matching connections. Creates a Terminate (passive) log entry for the matching connections. This option is useful for testing which types of connections are stopped.
Default Connection Termination in Inspection Policy Defines how connections that match rules with the Terminate action in the Inspection Policy are handled.
  • Terminate and Log Connection — Stops the matching connections. This option is the default setting.
  • Only Log Connection — Does not stop the matching connections. Creates a Terminate (passive) log entry for the matching connections. This option is useful for testing which types of connections are stopped.
Action When TCP Connection Does Not Start With a SYN Packet

(Not Master NGFW Engines)

The NGFW Engine refuses TCP connections if the TCP connection does not start with a SYN packet, even if the TCP connection matches an Access rule with the Allow action. The NGFW Engine does not send a TCP reset if the TCP connection begins with a TCP reset packet.
  • Discard Silently — The connection is silently dropped.
  • Refuse With TCP Reset — The connection is refused, and a TCP reset packet is returned.
Option Definition
Advanced tab Certificate Validation section

(Not Virtual NGFW Engines)
HTTP Proxy

(Optional)

 When specified, OCSP and CRL lookups are sent through an HTTP proxy instead of the engine accessing the external network directly.
Timeout for OCSP and CRL Lookups The maximum amount of time that the engine tries to connect to the CRL or OCSP server if the connection has failed. The default is 120 seconds.
Option Definition
Advanced tab SYN Rate Limits section
SYN Rate Limits Limits for SYN packets sent to the NGFW Engine.
  • None — SYN rate limits are disabled.
  • Automatic — The NGFW Engine automatically calculates the Allowed SYNs per Second and Burst Size values for the interface based on the NGFW Engine capacity and memory size.
  • Custom — Enter custom values for Allowed SYNs per Second and Burst Size.
Allowed SYNs per Second

(When SYN Rate Limits is Custom)

The number of allowed SYN packets per second.
Burst Size

(When SYN Rate Limits is Custom)

The number of allowed SYNs before the NGFW Engine starts limiting the SYN rate.
CAUTION:
We recommend setting the Burst Size value to at least one tenth of the Allowed SYNs per Second value. If the burst size is too small, SYN rate limits do not work. For example, if the value for Allowed SYNs per Second is 10000, the Burst Size value must be at least 1000.
Option Definition
Advanced tab Log Handling section

(Not Virtual NGFW Engines)
Log Spooling Policy

(Not Virtual NGFW Engines)

Defines what happens when the log spool becomes full.
  • Stop Traffic — The NGFW Engine stops processing traffic and goes offline.
  • Discard Log — Log entries are discarded in four stages, according to available space. Monitoring data is discarded first, followed by log entries marked as Transient and Stored, and finally log entries marked as Essential. The NGFW Engine continues to process traffic.
Store a Copy of Recent Log Files on the NGFW Engine When selected, the NGFW Engine stores copies of logs according to the specified settings.
Maximum Time The maximum length of time for which to store copies of logs. Values can be 1–720 hours (the maximum is 30 days), or not specified. If a value is not specified, the NGFW Engine stores copies of logs until the limits specified in the Guaranteed Free Spool Partition or Guaranteed Free Spool Partition Size options are reached.
Guaranteed Free Spool Partition The minimum percentage of the spool partition that must be kept free. When the amount of free space reaches the limit, the NGFW Engine starts deleting the oldest stored copies of log and alert entries when a new log or alert entry is saved. Values can be 5–80 %, or not specified.
Note: You must enter a value for at least one of the guarantee options. If you enter a value for both options, both limits are enforced.
Guaranteed Free Spool Partition Size The minimum amount of file space, in MB, on the spool partition that must be kept free. When the amount of free space reaches the limit, the NGFW Engine starts deleting the oldest stored copies of log and alert entries when a new log or alert entry is saved. Values can be 50–1000 MB, or not specified.
Note: You must enter a value for at least one of the guarantee options. If you enter a value for both options, both limits are enforced.
Option Definition
Advanced tab Scan Detection section
Scan Detection Mode When you enable scan detection, the number of connections or connection attempts within a time window is counted.
  • Disabled — Scan detection is not enabled.
  • Off (Can Be Overridden in Policy) — Scan detection is not enabled, but you can override this setting in individual Access rules. This option is the default setting.
  • On (Can Be Overridden in Policy) — Scan detection is enabled. You can override this setting in individual Access rules if scan detection is not needed or to avoid false positives.
Create a log entry when the system detects section

Allows you to set thresholds for creating log entries. When the specified number of events for the specified time period is exceeded, log entries are created.

The following options are available for each protocol:

  • events in — Specifies the maximum number of events. The default value is 220.
  • Time period field — Specifies the time period. The default value is 1.
  • Time unit drop-down list — Specifies the unit of time. The default value is Minutes.
Log Level Specifies the log level for the log entries.
  • Transient — Creates a log entry that is displayed in the Current Events mode in the Logs view, but is not stored.
  • Stored — Creates a log entry that is stored on the Log Server.
  • Essential — Creates a log entry that is shown in the Logs view and saved for further use.
  • Alert — Triggers the alert you select.
Alert When the Log Level is set to Alert, specifies the Alert that is sent.
Severity When the Log Level is set to Alert, allows you to override the severity defined in the Alert element.
Option Definition
Advanced tab Rate-Based DoS Protection section

(Not Master NGFW Engines)
Rate-Based DoS Protection Mode Enables or disables DoS protection, which can help prevent Denial of Service (DoS) attacks.
  • Disabled — DoS protection is not enabled.
  • Off (Can Be Overridden in Policy) — DoS protection is not enabled, but you can override this setting in individual Access rules. This option is the default setting.
  • On (Can Be Overridden in Policy) — DoS protection is enabled. You can override this setting in individual Access rules.
SYN Flood Sensitivity When SYN flood protection is activated, the NGFW Engine acts as a SYN proxy. The engine completes the TCP handshake with the client, and only initiates the connection with the server after the client has completed the TCP handshake.
  • Off — SYN flood protection is not enabled.
  • Low — Allows the most SYN-ACK timeouts before the NGFW Engine requires a full TCP handshake with the client before it communicates with a server.
  • Medium — Allows a medium number of SYN-ACK timeouts before the NGFW Engine requires a full TCP handshake with the client before it communicates with a server. This option is the default setting.
  • High — Allows the fewest SYN-ACK timeouts before the NGFW Engine requires a full TCP handshake with the client before it communicates with a server.
Limit for Half-Open TCP Connections

(Optional)

 Set the maximum number of half-open TCP connections per destination IP address. The minimum is 125, the maximum is 100 000. When the limit is exceeded, the SYN flood protection is activated, and log data is generated.
Slow HTTP Request Sensitivity The NGFW Engine analyzes the data transfer rate and length of time it takes to read the header fields of the HTTP request. If the sender of the request tries to keep the connection open for an unreasonable length of time, the NGFW Engine blacklists the sender’s IP address for a specified length of time.
  • Off — Slow HTTP Request Protection is not enabled.
  • Low — Allows the slowest data transfer rate before the blacklist timeout is applied. This option is the default setting.
  • Medium — Allows a moderately slow data transfer rate before the blacklist timeout is applied.
  • High — Allows the least slow data transfer rate before the blacklist timeout is applied.
Slow HTTP Request Blacklist Timeout The length of time for blacklisting IP addresses that are suspected of sending malicious traffic. Enter the time in seconds (the default is 300).
Option Definition
Advanced tab TCP Reset section

(Not Master NGFW Engines)
TCP Reset Sensitivity When enabled, the NGFW Engine detects the sequence numbers of the TCP RST segments to determine whether it is under a TCP Reset attack. You cannot override this setting in individual Access rules
  • Off — TCP reset protection is not enabled. This option is the default setting.
  • Low — Allows the most TCP reset requests before the NGFW Engine considers itself to be under attack.
  • Medium — Allows a medium number of TCP reset requests before the NGFW Engine considers itself to be under attack.
  • High — Allows the fewest TCP reset requests before the NGFW Engine considers itself to be under attack.
Option Definition
Advanced tab General Authentication Settings section

(Firewall/VPN role only)
Default User Domain The default LDAP domain from which the NGFW Engine looks up users.
Note: This setting applies to all user authentication, including browser-based user authentication, VPN clients, and the SSL VPN Portal.
Allow user lookup from known User Domain matching to client certificate email domain or UPN suffix When selected, the NGFW Engine looks up the user from the domain specified in the email address or user principal name before looking up the user in the default domain.
Note: This option is ignored when the value of the Client Certificate Identity Field for TLS option is Distinguished Name.
Client Certificate Identity Field for TLS The attribute that is used to look up the user entry from the user domain when using TLS. The NGFW Engine only uses values from the Active Directory or LDAP server that is associated with the global default LDAP domain or the engine-specific default user domain.
  • User Principal Name — The User Principal Name attribute on the Attributes tab of the Active Directory Server or LDAP Server element is used.
  • Email — The E-mail attribute on the Attributes tab of the Active Directory Server or LDAP Server element is used.
  • Distinguished Name — The specified value in the distinguished name is used.
    Note: If you select Distinguished Name, you must specify the identity search value on the Client Certificate tab of the Active Directory Server or the LDAP Server Properties dialog box.