Start the wizard
Start the wizard to create multiple Firewalls at the same time. Define the general settings for the new Firewalls.
For more details about the product and how to configure features, click Help or press F1.
Steps
Create multiple Firewalls wizard
Use this wizard to create multiple Firewall elements with similar configurations.
Firewall Creation Method page
Option | Definition |
---|---|
Proof-of-Serial Codes (Single Firewall only) | If you have POS codes for Single Firewalls, enter the codes here. |
Number of Firewalls | If you do not have POS codes, specifies the number of Firewalls to create. |
Base Configuration on (Optional for Single Firewalls) | Specifies the Firewall on which you want to base the configuration. |
Proof-of-Serial Code Information page
Option | Definition |
---|---|
(Single Firewalls only) Review the information to confirm that the appliance information is correct. |
Basic Firewall Information page
Option | Definition |
---|---|
Name Prefix | Specifies the common name prefix. The system adds either a running number or the serial number of the appliance to the name prefix to generate a unique name for each individual NGFW Engine. We recommend giving each NGFW Engine a unique, descriptive name after the common Name Prefix, such as the geographical location where the particular NGFW Engine is used. |
Log Server | Specifies the Log Server to which the NGFW Engine sends event data. If the NGFW Engine is a Master NGFW Engine, the hosted Virtual NGFW Engines send log data to the same Log Server. |
DNS IP Addresses (Optional) | Specifies the IP addresses of the DNS servers that the NGFW Engine uses. DNS IP addresses are IP addresses of external DNS servers. NGFW Engines use these DNS servers to resolve domain names to IP addresses. NGFW Engines need DNS resolution to contact services that are defined using URLs or domain names, and to resolve fully qualified domain names (FQDNs) used in policies. (Firewall/VPN role only) For DNS relay, specifies the IP addresses of external DNS servers to which the NGFW Engine forwards DNS requests from clients in the internal network. When DNS relay is configured, these DNS servers are used unless domain-specific DNS servers are specified in a DNS Relay Profile element. If you have configured at least one Physical Interface with a dynamic IP address or one static NetLink with a DNS IP address, the default value of the DNS IP Addresses field is The engine uses NetLink-specific DNS IP addresses. Note: If you have defined NetLink-specific DNS IP addresses, adding DNS IP addresses overrides the NetLink-specific DNS IP addresses. Click Add to add an element to the table, or Remove to remove the selected element. Select one of the following options: |
Location | Specifies the location for the NGFW Engine if there is a NAT device between the NGFW Engine and other SMC components. |
Proof-of-Serial (Appliances only) | Shows the Proof-of-Serial code of the Forcepoint NGFW appliance. Not editable. |
Category (Optional) | Includes the element in predefined categories. Click Select to select a category. |
Tools Profile | Adds commands to the right-click menu for the element. Click Select to select an element. |
Comment (Optional) | A comment for your own reference. |
Nodes table (Clusters only) | |
Node ID (Not editable) | Shows the ID number of the node. |
Name | Specifies the name of the node. Double-click the cell to edit the name. |
Comment (Optional) | A comment for your own reference. |
Disabled | Disables the node. You can enable the node later. |
Add Node | Adds a node to the cluster. Opens the Engine Node Properties dialog box. |
Edit Node | Allows you to change the properties of the selected node. Opens the Engine Node Properties dialog box. |
Remove Node | Deletes the selected node. The deleted node cannot be restored. |
Interfaces page
Option | Definition |
---|---|
Add | Adds an interface or IP address of the specified type: CAUTION: Physical Interfaces for Virtual NGFW Engines are automatically created based on the interface configuration in the Master NGFW Engine properties. The number of Physical Interfaces depends on the number of interfaces allocated to the Virtual NGFW Engine in the Master NGFW Engine. Physical Interfaces that you add to Virtual NGFW Engines might not be valid. |
Edit | Allows you to change the properties of the interface or IP address. |
Remove | Removes the selected interface or IP address. |
Options (Optional) | Allows you to set advanced options for the interfaces. |
ARP Entries | Allows you to add ARP entries. |
Multicast Routing | Allows you to configure multicast routing. |
Option | Definition |
---|---|
Interface Options dialog box — General tab | |
Control Interface (Not Virtual Firewalls) | Note: We recommend that you do not use the IP address of an Aggregated Link interface as the primary or secondary control IP address of the NGFW Engine. |
Node-Initiated Contact to Management Server | When selected, the NGFW Engine opens a connection to the Management Server and maintains connectivity. This option is always used with a dynamic control IP address, so it is always selected if the control IP address is dynamic. If the connection is not open when you command the NGFW Engine through the Management Client, the command is left pending until the NGFW Engine opens the connection again. Note: This option is not supported for IPS Clusters, Layer 2 Firewall Clusters, or Virtual NGFW Engines. |
Heartbeat Interface (Clusters and Master NGFW Engines only) | On Master NGFW Engines, you cannot use shared interfaces as a heartbeat interface. |
IPv4 Identity for Authentication Requests or IPv6 Identity for Authentication Requests | The IPv4 address or IPv6 address of the selected interface is used when an NGFW Engine contacts an external authentication server. This option does not affect the routing of the connection with the authentication server. The IP address is used only as a parameter inside the authentication request payload to give a name to the request sender. |
IPv4 Source for Authentication Requests or IPv6 Source for Authentication Requests | By default, specifies the source IPv4 address or IPv6 address for authentication requests according to routing. If the authentication requests are sent to an external authentication server over VPN, select an interface with a Node Dedicated IP address that you want to use for the authentication requests. |
Default IP Address for Outgoing Traffic | Specifies the IP address that the NGFW Engine uses to initiate connections (such as for system communications and ping) through an interface that has no Node Dedicated IP Address. In clusters, you must select an interface that has an IP address defined for all nodes. |
Bypass Default IP Address | Specifies how the source IP address for traffic sent from the NGFW Engine node is selected for tunnel interfaces that do not have IP addresses. |
Option | Definition |
---|---|
Interface Options dialog box — Loopback tab | |
Loopback addresses table | Click Add Row to add a row to the table, or Remove Row to remove the selected row. Click Up or Down to move the selected item up or down. |
Loopback Address | Enter the loopback IP address. |
CVI Address (Clusters only) | Enter the loopback IP address for the cluster. |
Node NDI Address (Clusters only) | Enter the node-specific loopback IP address. |
OSPFv2 Area | To advertise the loopback IP address as an OSPFv2 internal route, double-click the cell, then select an OSPFv2 Area element. |
Comment (Optional) | A comment for your own reference. |
Option | Definition |
---|---|
ARP Entries dialog box | |
Type | |
Interface ID | The interface on which you want to apply this ARP entry. |
IP Addresses | Enter an IPv4 or IPv6 address. |
MAC Address | Enter a MAC Address. |
Add ARP Entry | Adds an ARP entry. |
Remove ARP Entry | Removes the selected ARP entry. |
Option | Definition |
---|---|
Multicast Routing dialog box | |
Multicast Routing Mode | Specifies how the NGFW Engine routes multicast traffic. |
Option | Definition |
---|---|
When Multicast Routing Mode is Static | Click Add to add a row to the table, or Remove to remove the selected row. |
Source Interface | Select the interface to use for multicast routing. |
Source IP Address | Enter the unicast IP address of the multicast source. |
Destination IP Address | Enter the multicast destination IP address. The destination address must be within the multicast range of 224.0.0.0 to 239.255.255.255. |
Destination Interface | Right-click Destination Interface, then select Edit Destination Interface to select the interfaces where you want this multicast traffic forwarded. |
Comment (Optional) | A comment for your own reference. |
Option | Definition |
---|---|
When Multicast Routing Mode is IGMP Proxy | |
Upstream Interface | Select the interface to use as the upstream interface. If the multicast servers and the hosts are in the local networks, or if you want to limit the multicast to the local networks, it is not necessary to define the upstream interface. In that case, leave Not Set selected. |
Upstream IGMP Version | Select the IGMP version according to the upstream network environment. The default IGMP version is version 3. |
Downstream Interfaces table | Click Add to add a row to the table, or Remove to remove the selected row. |
Interface | Select the downstream interfaces. |
IGMP Querier Settings | Select an IGMP Querier Settings element according to the downstream network environment. The element defines the IGMP version and query parameters. |
Option | Definition |
---|---|
When Multicast Routing Mode is PIM | |
PIM Profile | Select a PIM Profile to use. The profile contains the multicast groups and determines the PIM mode that is used. |
Multicast Routing Preference | Note: This option is not supported in this version of Forcepoint NGFW. The routing table is used to specify reverse path forwarding (RPF) information whenever multicast traffic from source addresses uses a different path than unicast traffic from the same source address. |
Bootstrap Settings — see RFC 5059 for more information. | |
RP Candidate | If you want to use the firewall as a rendezvous point (RP) candidate, select an IP address. Otherwise, select Not a Candidate. |
RP Priority | Enter a value for the RP priority. |
Multicast Groups | Add the multicast IPv4 networks for which the firewall acts as an RP candidate. Click Add to add a row to the table, or Remove to remove the selected row. |
BSR Candidate | If you want to use the firewall as a bootstrap router (BSR) candidate, select an IP address. Otherwise, select Not a Candidate. |
BSR Priority | Enter a value for the BSR priority. |
Routing page
Option | Definition |
---|---|
You can see the routing of the NGFW Engine that you are basing your new NGFW Engines on. Changes that you make are reflected in all NGFW Engines. On the Review and Edit Routing page, select an NGFW Engine from the Routing for drop-down list to make changes to an individual NGFW Engine. You can drag and drop elements from the Resources pane on the left. Routes to directly connected networks are automatically added. You must add a default route and any routes through next-hop gateways to networks that are not directly connected to the NGFW Engine. |
NAT Definitions page
Option | Definition |
---|---|
NAT rules are automatically created and organized in the Firewall Policy based on the NAT definitions in the properties of the NGFW Engine. |
Use Default NAT Address for Traffic from Internal Networks | Select an option to define how the NGFW Engine uses the default NAT address. When you select On or Automatic, a NAT rule is generated at the end of the IPv4 or IPv6 NAT rules in the policy. |
Show Details | Opens the Default NAT Address Properties dialog box. |
Add NAT Definition | Creates a NAT Definition element and opens the element properties. |
Edit NAT Definition | Opens the properties of an existing NAT Definition element. |
Remove NAT Definition | Removes the selected row from the table. |
Option | Definition |
---|---|
Default NAT Address Properties dialog box | |
Default NAT Address | Used to automatically translate traffic from internal networks to the public IP address of the external interface. Note: When several IP addresses from the same network are available, the SMC automatically selects the smallest IPv4 address as the default NAT address. |
Internal Networks | Shows the internal networks that are translated to the public IP address of the external interface. |
Option | Definition |
---|---|
NAT Definition Properties dialog box | |
Translation Type | Select the translation type. |
Private IP Address | The element that represents the private IP address. Click Select to select an element. Note: Only Host, Server, or Network elements are allowed with static NAT. |
Public IP Address | Select the source of the public IP address. |
Port Filter (Optional) | To limit NAT only to traffic that goes to selected destination ports, select a Service or Service Group element to act as a port filter. The Service or Service Group element includes the destination port information (a single destination port or a range of ports). Click Add to add an element to the list, or Remove to remove the selected element. |
Comment (Optional) | A comment for your own reference. |
Additional Configuration Options page
Option | Definition |
---|---|
Define Additional Firewall Properties | When selected, you can specify advanced properties for the NGFW Engine. If you do not select this option, when you click Next you go to the Summary page. |
Tester Settings page
Option | Definition |
---|---|
Global Settings section | |
Alert Interval | Specify the time in minutes the NGFW Engine waits before sending a new alert when the same test keeps failing repeatedly. The default value is 60 minutes. If the interval is too short, the alerts can overload the system or the alert recipient. |
Delay After | Specify the time in seconds that the NGFW Engine waits before it resumes running the tests after the listed events. The delay prevents false test failures that can occur due to variations in how quickly different processes and subsystems can start and stop. The maximum value is 1800. |
Auto Recovery (Clusters and Master NGFW Engines only) | When selected, the NGFW Engine automatically goes back online when a previously failed test completes successfully. Run the test in both online and offline states if you activate this option. |
Boot Recovery | When selected, the NGFW Engine automatically goes back online after restarting if all offline tests report a success. |
Global Node Selection for Engine Tests | |
Filter | Allows you to filter the elements shown. |
A menu that contains various options, such as for creating new elements or showing elements that have been moved to the Trash. | |
Active | Shows whether the node is included in the tests that have been configured for the engine. Deselect to exclude a node from all NGFW Engine tests. Tip: If you select ALL for the Node setting in the test properties, you can use the Global Node Selection for Engine Tests table to exclude a specific node from the test. |
Name | Specifies the name of the node. |
Node | Specifies the node ID. |
Set to Default | Returns tester changes to the default settings. |
Option | Definition |
---|---|
Engine Tests section | |
Filter | Allows you to filter the elements shown. |
A menu that contains various options, such as for creating new elements or showing elements that have been moved to the Trash. | |
Name | The name of the test. If you want to run more than one instance of the same test type with different parameters, give each test a unique name. |
Active | Shows whether the test is active. Deselect to deactivate a test. |
Node | Specifies whether the test applies to all nodes or a selected node. |
Interval | Specifies how often the test is run. The minimum interval is one second and the maximum is 86400 (one day). Note: We recommend a minimum interval of four seconds. Running a test too frequently can increase overhead. |
States | Shows the NGFW Engine states on which the test is run. |
Action | Specifies which action is taken if the test fails, and which type of notification is sent. |
Parameters | Shows some test details. |
Add | Adds a test to the table: |
Edit | Allows you to change the test properties. |
Remove | Removes the test from the table. |
Option | Definition |
---|---|
External Test Properties dialog box | |
Name | The name of the test. If you want to run more than one instance of the same test type with different parameters, give each test a unique name. |
Node (Clusters only) | Select whether to run the test on ALL nodes or only on a specific node. |
States to Test | Select one or more NGFW Engine states in which to run the test. |
Test Interval | Specify how frequently the test is run. The minimum interval is one second and the maximum is 86400 (one day). We recommend a minimum interval of four seconds. Running a test too frequently can increase overhead. |
Retry Count | Enter the number of times the tester tries to execute the test. We recommend always setting the retry count to more than 1 to avoid creating overly sensitive tests that burden the system unnecessarily. |
Test Timeout | Enter the timeout in milliseconds. If the test being run does not return a response in the specified time, the test has failed. Avoid overly short timeout values. We recommend a timeout of 500–1000 ms, depending on the test. |
Command Line | Enter the command or script path. The result must return an exit code of 0 (zero) if it succeeds. Any non-zero return value is a failure. CAUTION: This test allows administrators who have permissions to edit the properties of NGFW Engines to run arbitrary commands in the NGFW Engine operating system. |
Failure section | |
Action | Select the action taken if a test fails. |
Send Alert | When selected, sends an alert to notify administrators that a test has failed. |
Send SNMP Trap | When selected, sends an SNMP Trap. |
Option | Definition |
---|---|
File System Space Test Properties dialog box | |
Name | The name of the test. If you want to run more than one instance of the same test type with different parameters, give each test a unique name. |
Node (Clusters only) | Select whether to run the test on ALL nodes or only on a specific node. |
States to Test | Select one or more NGFW Engine states in which to run the test. |
Test Interval | Specify how frequently the test is run. The minimum interval is one second and the maximum is 86400 (one day). We recommend a minimum interval of four seconds. Running a test too frequently can increase overhead. |
Partition | Specify the partition to test. |
Free Space | Enter the minimum amount of free space in kilobytes. When the amount of free space drops below this amount, the NGFW Engine executes the chosen action. |
Failure section | |
Action | Select the action taken if a test fails. |
Send Alert | When selected, sends an alert to notify administrators that a test has failed. |
Send SNMP Trap | When selected, sends an SNMP Trap. |
Option | Definition |
---|---|
Free Swap Space Test Properties dialog box | |
Name | The name of the test. If you want to run more than one instance of the same test type with different parameters, give each test a unique name. |
Node (Clusters only) | Select whether to run the test on ALL nodes or only on a specific node. |
States to Test | Select one or more NGFW Engine states in which to run the test. |
Test Interval | Specify how frequently the test is run. The minimum interval is one second and the maximum is 86400 (one day). We recommend a minimum interval of four seconds. Running a test too frequently can increase overhead. |
Free Space | Enter the minimum amount of free space in kilobytes. When the amount of free space drops below this amount, the NGFW Engine executes the chosen action. |
Failure section | |
Action | Select the action taken if a test fails. |
Send Alert | When selected, sends an alert to notify administrators that a test has failed. |
Send SNMP Trap | When selected, sends an SNMP Trap. |
Option | Definition |
---|---|
Inline Pair Link Speed Test Properties dialog box | |
Name | The name of the test. If you want to run more than one instance of the same test type with different parameters, give each test a unique name. |
Node (Clusters only) | Select whether to run the test on ALL nodes or only on a specific node. |
States to Test | Select one or more NGFW Engine states in which to run the test. |
Test Interval | Specify how frequently the test is run. The minimum interval is one second and the maximum is 86400 (one day). We recommend a minimum interval of four seconds. Running a test too frequently can increase overhead. |
Test Timeout | Enter the timeout in milliseconds. If the test being run does not return a response in the specified time, the test has failed. Avoid overly short timeout values. We recommend a timeout of 500–1000 ms, depending on the test. |
Failure section | |
Action | Select the action taken if a test fails. |
Send Alert | When selected, sends an alert to notify administrators that a test has failed. |
Send SNMP Trap | When selected, sends an SNMP Trap. |
Option | Definition |
---|---|
Link Status Test Properties dialog box | |
Name | The name of the test. If you want to run more than one instance of the same test type with different parameters, give each test a unique name. |
Node (Clusters only) | Select whether to run the test on ALL nodes or only on a specific node. |
States to Test | Select one or more NGFW Engine states in which to run the test. |
Test Interval | Specify how frequently the test is run. The minimum interval is one second and the maximum is 86400 (one day). We recommend a minimum interval of four seconds. Running a test too frequently can increase overhead. |
Interface | Select the interface on which the test is run. |
Aggregated Links in Load-Balancing Mode | From the Test Fails if More Than drop-down list, select the percentage of aggregated links that must be down for the test to be considered failed. |
Failure section | |
Action | Select the action taken if a test fails. |
Send Alert | When selected, sends an alert to notify administrators that a test has failed. |
Send SNMP Trap | When selected, sends an SNMP Trap. |
Option | Definition |
---|---|
Multiping Test Properties dialog box | |
Name | The name of the test. If you want to run more than one instance of the same test type with different parameters, give each test a unique name. |
Node (Clusters only) | Select whether to run the test on ALL nodes or only on a specific node. |
States to Test | Select one or more NGFW Engine states in which to run the test. |
Test Interval | Specify how frequently the test is run. The minimum interval is one second and the maximum is 86400 (one day). We recommend a minimum interval of four seconds. Running a test too frequently can increase overhead. |
Retry Count | Enter the number of times the tester tries to execute the test. We recommend always setting the retry count to more than 1 to avoid creating overly sensitive tests that burden the system unnecessarily. |
Test Timeout | Enter the timeout in milliseconds. If the test being run does not return a response in the specified time, the test has failed. Avoid overly short timeout values. We recommend a timeout of 500–1000 ms, depending on the test. |
Source Address | Select the source address for the test. |
Target Addresses | Specify the target addresses of ICMP echo requests. Click Add to add an element to the list, or Remove to remove the selected element. |
Failure section | |
Action | Select the action taken if a test fails. |
Send Alert | When selected, sends an alert to notify administrators that a test has failed. |
Send SNMP Trap | When selected, sends an SNMP Trap. |
NTP page
Option | Definition |
---|---|
Enable time synchronization from NTP server | When selected, the NGFW Engine uses an external NTP server for time synchronization. |
Preferred (Optional) | When selected, the NGFW Engine uses the specified NTP server by default. |
NTP Server | Lists the available NTP servers. Double-click the cell to select an NTP server. Click Add to add a row to the table, or Remove to remove the selected row. |
Option | Definition |
---|---|
NTP Server Properties dialog box — General tab | |
Name | The name of the element. |
Resolve (Optional) | Automatically resolves the domain name in the Name field. |
Host Name (Optional) | The host name of the NTP server. If you do not enter a host name, you must enter an IPv4 address or an IPv6 address. |
IP Address (Optional) | The IPv4 address of the NTP server. If you do not enter an IPv4 address, you must enter a host name or an IPv6 address. |
IPv6 Address (Optional) | The IPv6 address of the NTP server. If you do not enter an IPv6 address, you must enter a host name or an IPv4 address. |
Key Type | The type of authentication key that the NTP server uses. |
Key ID | Specifies a unique identifier for the key. Enter a value between 1 and 65534. |
Key | Specifies the hash of the key. The maximum lengths for the key are 32 hexadecimal characters for MD5, 40 hexadecimal characters for SHA-1, and 64 hexadecimal characters for SHA-256. If ASCII characters are used, the maximum length is 20 characters for all key types. |
Category (Optional) | Includes the element in predefined categories. Click Select to select a category. |
Tools Profile | Adds commands to the right-click menu for the element. Click Select to select an element. |
Comment (Optional) | A comment for your own reference. |
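The Key Type, Key ID and Key rules above are easy to get wrong when keys are prepared outside the Management Client. The following added example (not Forcepoint's code) checks a table of key entries against exactly those rules; the explicit 'hex'/'ascii' encoding flag and the cross-row Key ID uniqueness check are assumptions, since the page does not say how the UI tells hex from ASCII keys or the scope within which the ID must be unique.

```python
"""Added example (not Forcepoint's code): checks NTP server authentication
key entries against the field rules stated on this page."""
import re

# Maximum hexadecimal key length per key type, as stated on the page.
HEX_MAX_LEN = {"MD5": 32, "SHA-1": 40, "SHA-256": 64}
ASCII_MAX_LEN = 20              # applies to every key type
KEY_ID_MIN, KEY_ID_MAX = 1, 65534

_HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def validate_ntp_key(key_type: str, key_id: int, key: str, encoding: str) -> list:
    """Return a list of problems with one Key Type / Key ID / Key entry.

    `encoding` is 'hex' or 'ascii' and is passed explicitly because the page
    does not say how the UI decides which form a key is in (assumption).
    An empty list means the entry satisfies every rule on the page.
    """
    problems = []
    if key_type not in HEX_MAX_LEN:
        return [f"unknown key type {key_type!r}; expected one of {sorted(HEX_MAX_LEN)}"]
    if not KEY_ID_MIN <= key_id <= KEY_ID_MAX:
        problems.append(f"key ID {key_id} is outside {KEY_ID_MIN}-{KEY_ID_MAX}")
    if not key:
        problems.append("key is empty")
    elif encoding == "hex":
        if not _HEX_RE.match(key):
            problems.append("hex key contains characters outside 0-9, a-f")
        if len(key) > HEX_MAX_LEN[key_type]:
            problems.append(
                f"hex key has {len(key)} characters; {key_type} allows at most "
                f"{HEX_MAX_LEN[key_type]}"
            )
    elif encoding == "ascii":
        if not (key.isascii() and key.isprintable()):
            problems.append("ASCII key contains non-printable or non-ASCII characters")
        if len(key) > ASCII_MAX_LEN:
            problems.append(
                f"ASCII key has {len(key)} characters; at most {ASCII_MAX_LEN} allowed"
            )
    else:
        problems.append(f"unknown encoding {encoding!r}; expected 'hex' or 'ascii'")
    return problems


def validate_key_table(entries):
    """Validate a list of (key_type, key_id, key, encoding) tuples and also
    flag Key IDs reused across rows, since the page calls the Key ID a unique
    identifier (assumption: uniqueness is checked across this list).
    Returns {row_index: [problems]} holding only the rows that have problems."""
    report = {}
    seen = {}
    for idx, (key_type, key_id, key, encoding) in enumerate(entries):
        problems = validate_ntp_key(key_type, key_id, key, encoding)
        if key_id in seen:
            problems.append(f"key ID {key_id} already used by row {seen[key_id]}")
        else:
            seen[key_id] = idx
        if problems:
            report[idx] = problems
    return report


# Constructed sample rows; the key values are placeholders, not real secrets.
SAMPLE_ENTRIES = [
    ("SHA-256", 10, "a" * 64, "hex"),                 # valid: 64 hex characters
    ("MD5", 11, "b" * 40, "hex"),                     # too long for MD5 (max 32)
    ("SHA-1", 0, "ntp-shared-secret-xyz", "ascii"),   # bad ID and 21 ASCII characters
    ("SHA-1", 10, "c" * 40, "hex"),                   # reuses key ID 10
]

if __name__ == "__main__":
    for row, problems in validate_key_table(SAMPLE_ENTRIES).items():
        print(f"row {row}:")
        for problem in problems:
            print(f"  - {problem}")
```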
Option | Definition |
---|---|
NTP Server Properties dialog box — Monitoring tab | |
Log Server | The Log Server that monitors the status of the element. |
Status Monitoring | When selected, activates status monitoring for the device. You must also select the Probing Profile that contains the definitions for the monitoring. When you select Status Monitoring, the element is added to the tree in the Home view. |
Probing Profile | Shows the name of the selected Probing Profile. Click Select to select a Probing Profile element. |
Log Reception | Activates syslog reception from this device. You must select the Logging Profile that contains the definitions for converting the syslog entries to SMC log entries. You must also select the Time Zone in which the device is located. By default, the local time zone of the computer you are using is selected. |
Logging Profile | Shows the name of the selected Logging Profile. Click Select to select a Logging Profile element. |
Time Zone | Selects the time zone for the logs. |
Encoding | Selects the character set for log files. |
SNMP Trap Reception | Enables the reception of SNMP traps from the third-party device. |
NetFlow Reception | Enables the reception of NetFlow data from the third-party device. The supported versions are NetFlow v5, NetFlow v9, and IPFIX (NetFlow v10). |
Option | Definition |
---|---|
NTP Server Properties dialog box — NAT tab | |
Firewall | Shows the selected firewall. |
NAT Type | Shows the NAT translation type: Static or Dynamic. |
Private IP Address | Shows the Private IP Address. |
Public IP Address | Shows the defined Public IP Address. |
Port Filter | Shows the selected Port Filters. |
Comment | An optional comment for your own reference. |
Add NAT Definition | Opens the NAT Definition Properties dialog box. |
Edit NAT Definition | Opens the NAT Definition Properties dialog box for the selected definition. |
Remove NAT Definition | Removes the selected NAT definition from the list. |
Permissions page
Option | Definition |
---|---|
Administrator Permissions section | |
Access Control Lists | Shows the Access Control Lists that have been selected. Click Add to add an element to the list, or Remove to remove the selected element. |
Permissions | Shows the administrators that have permissions. Click Add Permission to add a row to the list, or Remove Permission to remove the selected row. Click the Administrator cell to select the administrator. |
Option | Definition |
---|---|
Local Administrators section | |
Administrator | If local administrators have been defined, shows the names. |
Info | Shows whether the local administrator can execute root-level commands with the sudo tool. |
Option | Definition |
---|---|
Policies section | |
Allowed Policies | Shows the policies that are allowed to be installed. Click Add to add an element to the list, or Remove to remove the selected element. To allow the installation of any policy, select Set to ANY. |
Add-Ons page
Option | Definition |
---|---|
Client Protection Certificate Authority | Select the Client Protection Certificate Authority element to use for client protection. |
TLS Credentials | Specifies the Server Protection Credentials elements that are used for server protection. Click Add to add an element to the list, or Remove to remove the selected element. |
User Identification Service | The Forcepoint User ID Service, McAfee Logon Collector, and Integrated User ID Service provide user, group, and IP address information that can be used in transparent user identification. The Integrated User ID Service is primarily meant for demonstration purposes and proof-of-concept testing of user identification services. Note: For Forcepoint NGFW version 6.4 or higher, we recommend that you use the Forcepoint User ID Service. |
User Authentication | Opens the Browser-Based User Authentication dialog box. |
Anti-Malware | Opens the Anti-Malware Settings dialog box. |
Anti-Spam Settings | The Anti-Spam feature is no longer supported in NGFW version 6.2.0 and higher. |
Sandbox | Opens the Sandbox Settings dialog box. Note: McAfee Advanced Threat Defense is no longer supported in NGFW version 6.4.0 and higher. We recommend that you use Forcepoint Advanced Malware Detection instead. |
File Reputation | Opens the GTI File Reputation Settings dialog box. |
Option | Definition |
---|---|
Browser-Based User Authentication dialog box — General tab | |
HTTP | When selected, allows authentication using plain HTTP connections. Change the Port number if you want to use a different port for the authentication interface. The default port is 80. |
HTTPS | When selected, allows authentication using encrypted HTTPS connections. Change the Port number if you want to use a different port for the authentication interface. The default port is 443. This option is required for client certificate authentication. |
TLS Profile | The TLS Profile element that defines TLS settings for HTTPS connections for authentication, and the trusted certificate authority for client certificate authentication. Click Select to select an element. This option is required for client certificate authentication. |
Use Client Certificates for Authentication | When selected, the NGFW Engine allows users to authenticate using X.509 certificates. Client certificate authentication is supported for browser-based user authentication. |
Always Use HTTPS | When selected, redirects connections to the HTTPS port and enforces the use of HTTPS if the NGFW Engine also listens on other ports. |
Authentication Time-Out | Defines the length of time after which authentication expires and users must re-authenticate. |
Listen on Interfaces | Restricts the interfaces that users can authenticate through.
|
User Authentication Page | Select the User Authentication Page element that defines the look of the logon, challenge, re-authentication, and status page shown to end users when they authenticate. |
Enable Session Handling
(Optional) |
When selected, enables cookie-based strict session handling. Note: When Enable Session Handling is selected, the
Authentication Idle Time-Out option is not available. The Refresh Status Page Every option defines the authentication
timeout.
|
Authentication Idle Time-Out | Defines an idle timeout for user authentication. If there have been no new connections within the specified time limit after the closing of a user's previous connection, the user is removed from the list of authenticated users. |
Refresh Status Page Every (Optional) | Defines how often the status page is automatically refreshed. When Enable Session Handling is selected, defines the authentication timeout. |
Option | Definition |
---|---|
Browser-Based User Authentication dialog box — HTTPS Certificate tab | |
Organization (O) (Optional) | The name of your organization as it appears in the certificate. |
Organization Unit (OU) (Optional) | The name of your department or division as it appears in the certificate. |
State/Province (ST) (Optional) | The name of the state or province as it appears in the certificate. |
Locality (L) (Optional) | The name of the city as it appears in the certificate. |
Common Name (CN) | The value for the Common Name field in the certificate request. For server certificates, the value is typically the fully qualified domain name (FQDN). |
Key Length | The length of the key in bits. |
Sign | |
With External Certificate Authority | Select this option if you want to create a certificate request that another certificate authority signs. |
Internally with | Select this option to sign the certificate using an internal CA. If more than one valid internal CA is available, select the internal CA that signs the certificate request. There can be multiple valid internal CAs in the following cases: |
Generate Request | Generates the request. The certificate request is shown in the same dialog box. |
Option | Definition |
---|---|
Sidewinder Proxy Settings dialog box | |
Enable | When selected, enables Sidewinder Proxy. |
Sidewinder Logging Profile | The selected Sidewinder Logging Profile element for the engine. Click Select to open the Select Element dialog box, where you can select a Sidewinder Logging Profile. |
SSH Proxy | Settings specific to the SSM SSH Proxy. |
SSH Known Hosts Lists | The selected SSH Known Hosts List elements for the engine. Click Add to add an element to the list, or Remove to remove the selected element. |
Host Keys | The SSH host keys used by the firewall when it acts as the SSH server in a connection that uses the SSM SSH Proxy. Click Add to add a row to the table, or Remove to remove the selected row. To import an existing host key, click Import. |
Key Type | Shows the signature algorithm used for the host key. |
Key Length | Shows the length of the host key. |
SHA256 Fingerprint | Shows the SHA256 fingerprint of the host key. |
SSH Proxy Services | The SSH Proxy Service element with which the host key is used. Double-click the field to open the Select Element dialog box, where you can select a Service element. |
Comment (Optional) | A comment for your own reference. |
Advanced Settings | Opens the Advanced Sidewinder Proxy Settings dialog box. |
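The Host Keys table above shows the Key Type, Key Length and SHA256 Fingerprint of each host key. The following added example (not Forcepoint's code) computes the same three values from an OpenSSH public key line, so a key can be compared against what the dialog shows before or after it is imported; it assumes the dialog uses the OpenSSH fingerprint representation (SHA256 over the raw key blob, base64 without padding), and the sample keys are constructed in the block rather than real keys.

```python
from __future__ import annotations

import base64
import hashlib
import struct


def _read_ssh_string(blob: bytes, offset: int) -> tuple[bytes, int]:
    """Read one SSH wire-format string (uint32 big-endian length, then bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated SSH key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated SSH key blob")
    return blob[start:end], end


def describe_host_key(public_key_line: str) -> dict:
    """Report key type, key length (bits) and OpenSSH-style SHA256 fingerprint
    for a public key line in the usual '<type> <base64 blob> [comment]' format."""
    fields = public_key_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)

    # The first wire string inside the blob repeats the key type; a mismatch means
    # the line was edited or mangled in transit, so refuse it rather than guess.
    blob_type, offset = _read_ssh_string(blob, 0)
    if blob_type != key_type.encode("ascii"):
        raise ValueError(f"key type mismatch: {key_type!r} vs {blob_type!r}")

    if key_type == "ssh-ed25519":
        pub, _ = _read_ssh_string(blob, offset)
        bits = len(pub) * 8                           # fixed 32-byte public key
    elif key_type == "ssh-rsa":
        _e, offset = _read_ssh_string(blob, offset)   # public exponent (mpint)
        n, _ = _read_ssh_string(blob, offset)         # modulus (mpint)
        bits = int.from_bytes(n, "big").bit_length()  # leading 0x00 pad does not count
    elif key_type.startswith("ecdsa-sha2-nistp"):
        bits = int(key_type[len("ecdsa-sha2-nistp"):])  # curve name carries the size
    else:
        raise ValueError(f"unsupported key type {key_type!r}")

    # OpenSSH prints SHA256 over the raw blob, base64-encoded without '=' padding.
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")
    return {"type": key_type, "bits": bits, "fingerprint": fingerprint}


# --- constructed sample keys (not real keys; for demonstration only) ----------

def _mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (leading 0x00 if high bit set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return b"\x00" + raw if raw and raw[0] & 0x80 else raw


def build_public_key_line(key_type: str, *wire_strings: bytes, comment: str = "constructed") -> str:
    """Assemble a public key line from wire strings; used here only to build samples."""
    parts = (key_type.encode("ascii"),) + wire_strings
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return f"{key_type} {base64.b64encode(blob).decode('ascii')} {comment}"


SAMPLE_ED25519 = build_public_key_line("ssh-ed25519", bytes(range(32)))
SAMPLE_RSA = build_public_key_line("ssh-rsa", _mpint(65537), _mpint((1 << 2047) | 1))


if __name__ == "__main__":
    for line in (SAMPLE_ED25519, SAMPLE_RSA):
        info = describe_host_key(line)
        print(f"{info['type']:<12} {info['bits']:>5} bits  {info['fingerprint']}")
```

To check a real key, pass the single line from the server's public host key file (for example `ssh_host_ed25519_key.pub`) to `describe_host_key` and compare the result with the Host Keys table.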
Option | Definition |
---|---|
Advanced Sidewinder Proxy Settings dialog box — Shared tab | |
Use this tab to define advanced Sidewinder Proxy settings that are shared by all SSM Proxies. Click Add to add a row to the table, or Remove to remove the selected row. | |
Shared Proxy Property | The name of the shared advanced Sidewinder Proxy setting. |
Value | The value of the advanced Sidewinder Proxy setting. |
Option | Definition |
---|---|
Advanced Sidewinder Proxy Settings dialog box — HTTP tab | |
Use this tab to define advanced Sidewinder Proxy settings for the SSM HTTP Proxy. Click Add to add a row to the table, or Remove to remove the selected row. | |
HTTP Proxy Property | The name of the advanced HTTP Sidewinder Proxy setting. |
Value | The value of the advanced Sidewinder Proxy setting. |
Option | Definition |
---|---|
Advanced Sidewinder Proxy Settings dialog box — SSH tab | |
Use this tab to define advanced Sidewinder Proxy settings for the SSM SSH Proxy. Click Add to add a row to the table, or Remove to remove the selected row. | |
SSH Proxy Property | The name of the advanced SSH Sidewinder Proxy setting. |
Value | The value of the advanced Sidewinder Proxy setting. |
Option | Definition |
---|---|
Advanced Sidewinder Proxy Settings dialog box — TCP tab | |
Use this tab to define advanced TCP Sidewinder Proxy settings for the SSM TCP Proxy. Click Add to add a row to the table, or Remove to remove the selected row. | |
TCP Proxy Property | The name of the advanced Sidewinder Proxy setting. |
Value | The value of the advanced Sidewinder Proxy setting. |
Option | Definition |
---|---|
Advanced Sidewinder Proxy Settings dialog box — UDP tab | |
Use this tab to define advanced Sidewinder Proxy settings for the SSM UDP Proxy. Click Add to add a row to the table, or Remove to remove the selected row. | |
UDP Proxy Property | The name of the advanced UDP Sidewinder Proxy setting. |
Value | The value of the advanced Sidewinder Proxy setting. |
Option | Definition |
---|---|
Anti-Malware Settings dialog box | |
Enable | Enables anti-malware checks. |
Malware Log Level | The log level for anti-malware events. |
Alert | When the Log Level is set to Alert, specifies the Alert that is sent. |
Malware Signature Update Settings section | |
Update Frequency | Defines how often the NGFW Engine checks for updates to the anti-malware database. |
Malware Signature Mirror Settings section | |
Mirror(s) | Enter the URL of the anti-malware database mirror that the NGFW Engine contacts to update the anti-malware database. Separate multiple addresses with commas. |
Use HTTP Proxy (Optional) | Specifies that the NGFW Engine uses an HTTP proxy to connect to the anti-malware database mirrors. |
Host | The IP address or DNS name of the HTTP proxy. |
Port | The listening port of the HTTP proxy. |
Username | The user name for authenticating to the HTTP proxy. |
Password | The password for authenticating to the HTTP proxy. By default, passwords and keys are not shown in plain text. To show the password or key, deselect the Hide option. |
Option | Definition |
---|---|
Sandbox Settings dialog box | |
Sandbox Type | Specifies which type of sandbox the NGFW Engine uses for sandbox file reputation scans. |
Option | Definition |
---|---|
When Sandbox Type is Cloud Sandbox - Forcepoint Advanced Malware Detection | |
License Key (Optional) | The license key for the connection to the sandbox server. Note: The license defines the home data center where files are analyzed. Enter the key and license token for the data center that you want to use as the home data center. CAUTION: The license keys and license tokens allow access to confidential analysis reports. Handle the license key and license token securely. |
License Token (Optional) | The license token for the connection to the sandbox server. |
Sandbox Service | Specifies the sandbox service that the firewall contacts to request file reputation scans. Click Select to select an element. |
HTTP Proxies (Optional) | When specified, requests are sent through an HTTP proxy instead of the engine accessing the external network directly. Add — Allows you to add an HTTP Proxy to the list. Remove — Removes the selected HTTP Proxy from the list. |
Option | Definition |
---|---|
When Sandbox Type is Local Sandbox - Forcepoint Advanced Malware Detection | |
License Key (Optional) | The license key for the connection to the sandbox server. |
License Token (Optional) | The license token for the connection to the sandbox server. |
Sandbox Service | Specifies the sandbox service that the firewall contacts to request file reputation scans. Click Select to select an element. |
HTTP Proxies (Optional) | When specified, requests are sent through an HTTP proxy instead of the engine accessing the external network directly. Add — Allows you to add an HTTP Proxy to the list. Remove — Removes the selected HTTP Proxy from the list. |
Option | Definition |
---|---|
File Reputation Settings dialog box | |
File Reputation Service | Select the file reputation service to use. |
Option | Definition |
---|---|
When File Reputation Service is Global Threat Intelligence (GTI) | |
HTTP Proxies (Optional) | When specified, requests are sent through an HTTP proxy instead of the engine accessing the external network directly. Click Add to add an element to the list, or Remove to remove the selected element. Note: You can only use one HTTP proxy for the connection to the McAfee Global Threat Intelligence file reputation service. If you select more than one HTTP proxy, the additional HTTP proxies are ignored. |
Advanced Settings page
Option | Definition |
---|---|
Encrypt Configuration Data | By default, the configuration of the NGFW Engine is stored in an encrypted format. Disable the encryption only if instructed to do so by Forcepoint Technical Support. |
Contact Node Timeout (Not Virtual NGFW Engines) | The maximum amount of time the Management Server tries to connect to an NGFW Engine. A consistently slow network connection might require increasing this value. The default value is 120 seconds. Note: Setting the timeout value too short or too long can delay or prevent contact between the Management Server and the NGFW Engines. |
Auto Reboot Timeout (Not Virtual NGFW Engines) | Specifies the length of time after which an error situation is considered non-recoverable and the NGFW Engine automatically reboots. The default value is 10 seconds. Set to 0 to disable. |
Policy Handshake (Not Virtual NGFW Engines) | When selected, the nodes automatically roll back to using the previously installed policy if connectivity is lost after installing a new policy. Without this feature, you must switch to the previous configuration manually through the boot menu of the NGFW Engine. Note: We recommend adjusting the timeout (next setting) rather than disabling this feature completely if there is a need to make changes. |
Rollback Timeout (Not Virtual NGFW Engines) | The length of time the NGFW Engine waits for a management connection before it rolls back to the previously installed policy when the Policy Handshake option is active. The default value is 60 seconds. |
Automated Node Certificate Renewal (Not Virtual NGFW Engines) | When selected, the NGFW Engine's certificate for system communications is automatically renewed before it expires. Otherwise, the certificate must be renewed manually. Each certificate for system communications is valid for three years. If the certificate expires, other components refuse to communicate with the NGFW Engine. Note: Does not renew VPN certificates. Automatic certificate renewal for internally signed VPN certificates is set separately in the NGFW Engine's VPN settings. |
FIPS-Compatible Operating Mode (Firewalls only) (Not Virtual NGFW Engines) | When selected, activates a mode that is compliant with the Federal Information Processing Standards (FIPS). Note: You must also select FIPS-specific settings in the NGFW Configuration Wizard on the command line of the NGFW Engine. For more information, see How to install Forcepoint NGFW in FIPS mode. |
Number of CPUs Reserved for Control Plane (Firewalls only) (Not Virtual NGFW Engines) | Select how many CPUs to reserve for control plane operations. In situations where there is exceptionally high traffic, for example during a denial of service attack, this ensures that you can still monitor and control the NGFW Engine operation. Note: The reserved CPUs cannot be used for traffic processing. Using fewer CPUs for traffic processing degrades performance. |
Isolate Also Interfaces for System Communications (Firewalls only) | When selected, the reserved CPUs handle the system communications traffic that passes through the Control Interfaces and dedicated primary Heartbeat Interfaces. We recommend that you only use this option when the Physical Interfaces used for system communications do not handle any other traffic. |
Log Handling | Opens the Log Handling Settings dialog box. |
Clustering | Opens the Clustering Properties dialog box. |
Traffic Handling | Opens the Traffic Handling Settings dialog box. |
VPN Settings | Opens the VPN Settings dialog box. |
Policy Routing | Opens the Policy Routing dialog box. |
Idle Timeouts | Opens the Idle Timeouts dialog box. |
SYN Rate Limits | Opens the Default SYN Rate Limits dialog box. |
Scan Detection | Opens the Scan Detection Settings dialog box. |
DoS Protection | Opens the DoS Protection Settings dialog box. |
Option | Definition |
---|---|
Log Handling Settings dialog box | |
Log Spooling Policy (Not Virtual NGFW Engines) | Defines what happens when the log spool becomes full. |
Log Compression (Antispoofing Log Event Type for Firewalls only) | The maximum number of separately logged entries. When the defined limit is reached, a single Antispoofing log entry or Discard log entry is logged. The single entry contains information about the total number of the generated Antispoofing log entries or Discard log entries. The individual log entries are deleted. After the single log entry is created, logging returns to normal and all entries are logged and shown separately. Double-click a cell to edit the value. Note: Do not enable Log Compression if you want all Antispoofing and Discard entries to be logged as separate log entries (for example, for reporting or statistics). |
Set to Default | Returns Log Compression settings to the default settings. |
Option | Definition |
---|---|
Clustering Properties dialog box — Cluster tab | |
Clustering Mode (Not Layer 2 Firewalls) | Note: Only standby clustering mode is supported for Layer 2 Firewall Clusters. |
Heartbeat Message Period | Specifies how often clustered NGFW Engines send heartbeat messages to each other (notifying that they are up and running). Enter the value in milliseconds. The default value is 1000 milliseconds (one second). CAUTION: Setting this option too low can result in unnecessary heartbeat failures. Setting this option too high can cause unnecessary service outages when a failure occurs. |
Heartbeat Failover Time | Defines the time from the previous heartbeat message after which a node is treated as failed. Enter the value in milliseconds. The failover time must be at least twice as long as the Heartbeat Message Period. The default value is 5000 milliseconds. CAUTION: Setting this option too low can result in unnecessary heartbeat failures. Setting this option too high can cause unnecessary service outages when a failure occurs. |
Node Synchronization table | Click or double-click the cells to edit the values. |
Interface ID | Shows the assigned interface ID. |
State Sync | Defines how the nodes exchange information about the traffic that they process. Note: We strongly recommend using Access rule options to disable state synchronization for specific traffic rather than adjusting the State Sync settings for the cluster. |
Full Sync Interval or Incr Sync Interval | Define how frequently the full synchronizations and incremental synchronizations are done. Do not set the values much higher or lower than their defaults (5000 ms for full, 50 ms for incremental). CAUTION: Adjusting the Sync Intervals has a significant impact on the cluster's performance. Inappropriate settings seriously degrade the firewall's performance. |
Sync Security Level | CAUTION: If the Firewall Cluster's primary and secondary Heartbeat Interfaces are not connected to dedicated networks and you use None or Sign as the Sync Security Level, VPN traffic is transferred unencrypted between engine nodes when VPN traffic balancing requires that traffic is forwarded between the nodes. |
Heartbeat IP | Enter an IP address between 224.0.0.0 and 239.255.255.255 if you want to change the multicast IP addresses used for node-to-node communications. The default is 225.1.1.1. This multicast IP address must not be used for other purposes on any of the network interfaces. |
Synchronization IP | Enter an IP address between 224.0.0.0 and 239.255.255.255 if you want to change the multicast IP addresses used for node-to-node communications. The default is 225.1.1.2. This multicast IP address must not be used for other purposes on any of the network interfaces. |
Option | Definition |
---|---|
Clustering Properties dialog box — Manual LB Filters tab | |
This tab contains advanced settings for fine-tuning load-balancing filters. CAUTION: Do not manually tune the load-balancing filter unless you are certain it is necessary. Normally, there is no need to tune the filter, because the configuration generates all required entries automatically. Unnecessary tuning can adversely affect the operation of the filter. | |
Filter Mode | Defines how traffic is balanced between the nodes. |
Load-Balancing Filter Uses Ports (Firewalls only) | When selected, includes a port value for selecting between all nodes. This setting decreases the granularity of VPN load balancing, and increases the granularity of other traffic load balancing. In typical networks, traffic is balanced based on IP address information only. If there is a dominating pair of communication IP addresses, apply the Use Ports option in the load-balancing filter entry only to their traffic and not globally. Note: Enabling this option is not compatible with some features, such as mobile VPNs. |
Filter Entries table | Click Add Row to add a row to the table, or Remove Row to remove the selected row. |
IP Address | Double-click the cell to open the Load Balancing Filter IP Entry dialog box. |
Action | Select one of the following actions:
|
Replacement IP | Enter the replacement IP address. |
Use Ports | Overrides the global Load-Balancing Filter Uses Ports option. For example, if two hosts send most traffic through the engine, you can set the Use Ports option for one of them to divide the traffic between the cluster nodes, improving granularity. Using this option for IP addresses in a VPN site can reduce the granularity of VPN load balancing and prevent VPN client connections involving those IP addresses. |
NAT Enforce | Enables a specific NAT-related process in the load-balancing filter. CAUTION: Do not enable this option unless instructed to do so by Forcepoint Customer Hub. |
Use IPsec | Specifies addresses receiving IPsec traffic on the node itself. The option enables a specific load-balancing process for all IPsec traffic directed to the IP address specified in the filter entry. CAUTION: Do not enable this option unless instructed to do so by Forcepoint Customer Hub. |
Ignore Other | Forces the handling of packets to and from the specified IP addresses one node at a time. |
Option | Definition |
---|---|
Load Balancing Filter IP Entry dialog box | |
IPv4 Network | Enter the IP address in the IPv4 Address field and the netmask in the Netmask field. |
IPv6 Network | Enter the IP address in the IPv6 Address field and the prefix in the Prefix field. |
Range | Enter the IP addresses in the first and second fields. |
Option | Definition |
---|---|
Traffic Handling Settings dialog box | |
Layer 3 Connection Tracking Mode (Firewalls only) or Connection Tracking Mode (IPS engines and Layer 2 Firewalls only) | When connection tracking is enabled, reply packets are allowed as part of the allowed connection without an explicit Access rule. You can override this NGFW Engine-specific setting and configure connection tracking for TCP, UDP, and ICMP traffic in Access rules. |
Virtual Defragmenting (Not Virtual NGFW Engines) (Not editable on IPS engines) | When selected, fragmented packets are sent onwards using the same fragmentation as when they arrived at the NGFW Engine. When the NGFW Engine receives fragmented packets, it defragments the packets for inspection. The original fragments are queued until the inspection is finished. If the option is not selected, the packets are sent onwards as if they had arrived unfragmented. |
Strict TCP Mode for Deep Inspection (Not Virtual NGFW Engines) | This option is included for backward compatibility with legacy NGFW software versions. |
Concurrent Connection Limit (Not Virtual NGFW Engines) | A global limit for the number of open connections. When the set number of connections is reached, the NGFW Engine stops the next connection attempts until a previously open connection is closed. |
Inspection CPU Balancing Mode (Not Virtual NGFW Engines) | Specifies how inspected connections are allocated between the CPUs. Select from the following options: |
Default Connection Termination in Inspection Policy | Defines how connections that match rules with the Terminate action in the Inspection Policy are handled. |
Action When TCP Connection Does Not Start With a SYN Packet (Not Master NGFW Engines) | The NGFW Engine refuses TCP connections if the TCP connection does not start with a SYN packet, even if the TCP connection matches an Access rule with the Allow action. The NGFW Engine does not send a TCP reset if the TCP connection begins with a TCP reset packet. |
Option | Definition |
---|---|
VPN Settings dialog box | |
Gateway Settings | The Gateway Settings element that defines performance-related VPN options. |
Gateway Profile | The Gateway Profile in use. |
Translate IP Addresses Using NAT Pool | When selected, the specified IP address range and port range are used for translating IP addresses of incoming Forcepoint VPN Client connections to internal networks. Enter the ranges in the IP Address Range and Port Range fields. Note: This option is an alternative to using virtual IP addresses for VPN Clients. |
Option | Definition |
---|---|
Policy Routing dialog box | |
IPv4 Policy Routes or IPv6 Policy Routes | Enter the routing information in the appropriate table. Click Add to add a row to the table, or Remove to remove the selected row. Click Up or Down to move the selected element up or down. |
Source IP Address | Enter the source IP address. This IP address is always something other than the default 0.0.0.0 that matches any IP address. Such configurations can be handled more easily with the normal routing tools in the Routing pane. |
Source Netmask (IPv4 only) | Enter the netmask for the source IP address. |
Source Prefix (IPv6 only) | Enter the network prefix for the source IP address. |
Destination IP Address | Enter the destination IP address. |
Destination Netmask (IPv4 only) | Enter the netmask for the destination IP address. |
Destination Prefix (IPv6 only) | Enter the network prefix for the destination IP address. |
Gateway IP Address | Enter the IP address of the device to which packets that match the source/destination pair are forwarded. |
Comment (Optional) | A comment for your own reference. |
Option | Definition |
---|---|
Idle Timeouts dialog box | |
Timeouts table | Double-click the Timeout(s) cell to change the value. Click Add to add an element to the table, or Remove to remove the selected element. To set the selected protocols and values back to default settings, click Set to Default. |
Option | Definition |
---|---|
Default SYN Rate Limits dialog box | |
SYN Rate Limits | Limits for SYN packets sent to the NGFW Engine. |
Allowed SYNs per Second | (When SYN Rate Limits is Custom) The number of allowed SYN packets per second. |
Burst Size | (When SYN Rate Limits is Custom) The number of allowed SYNs before the NGFW Engine starts limiting the SYN rate. CAUTION: We recommend setting the Burst Size value to at least one tenth of the Allowed SYNs per Second value. If the burst size is too small, SYN rate limits do not work. For example, if the value for Allowed SYNs per Second is 10000, the Burst Size value must be at least 1000. |
Option | Definition |
---|---|
Scan Detection Settings dialog box | |
Scan Detection Mode | When you enable scan detection, the number of connections or connection attempts within a time window is counted. |
Create a log entry when the system detects section | Allows you to set thresholds for creating log entries. When the specified number of events for the specified time period is exceeded, log entries are created. The following options are available for each protocol: |
Log Level | Specifies the log level for the log entries. |
Alert | When the Log Level is set to Alert, specifies the Alert that is sent. |
Severity | When the Log Level is set to Alert, allows you to override the severity defined in the Alert element. |
Set to Default | Returns Scan Detection changes to the default settings. |
Option | Definition |
---|---|
DoS Protection Settings dialog box | |
Rate-Based DoS Protection Mode | Enables or disables DoS protection, which can help prevent Denial of Service (DoS) attacks. |
SYN Flood Sensitivity | When SYN flood protection is activated, the NGFW Engine acts as a SYN proxy. The engine completes the TCP handshake with the client, and only initiates the connection with the server after the client has completed the TCP handshake. |
Limit for Half-Open TCP Connections (Optional) | Set the maximum number of half-open TCP connections per destination IP address. The minimum is 125, the maximum is 100 000. When the limit is exceeded, the SYN flood protection is activated, and log data is generated. |
Slow HTTP Request Sensitivity | The NGFW Engine analyzes the data transfer rate and the length of time it takes to read the header fields of the HTTP request. If the sender of the request tries to keep the connection open for an unreasonable length of time, the NGFW Engine blacklists the sender’s IP address for a specified length of time. |
Slow HTTP Request Blacklist Timeout | The length of time for blacklisting IP addresses that are suspected of sending malicious traffic. Enter the time in seconds (the default is 300). |
TCP Reset Sensitivity | When enabled, the NGFW Engine detects the sequence numbers of the TCP RST segments to determine whether it is under a TCP Reset attack. You cannot override this setting in individual Access rules. |
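The Clustering Properties, Default SYN Rate Limits and DoS Protection Settings dialog boxes above each state numeric constraints (failover time at least twice the heartbeat period, multicast range for the node-to-node addresses, Burst Size at least one tenth of Allowed SYNs per Second, half-open connection limit between 125 and 100 000, 0 disabling the auto reboot). The following added example, which is not part of the original documentation or of the product, checks those constraints over a settings record so an engine's configuration can be reviewed before the policy is installed; the EngineSettings class and its field names are assumptions for this example, and the defaults are the values given in the tables.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class EngineSettings:
    """Subset of the engine settings checked here. Field names are assumptions for
    this example; default values are the ones given in the tables above."""
    heartbeat_message_period_ms: int = 1000    # Clustering Properties, Cluster tab
    heartbeat_failover_time_ms: int = 5000
    heartbeat_ip: str = "225.1.1.1"
    synchronization_ip: str = "225.1.1.2"
    syn_rate_limits_custom: bool = False       # Default SYN Rate Limits set to Custom?
    allowed_syns_per_second: int | None = None
    burst_size: int | None = None
    half_open_tcp_limit: int | None = None     # DoS Protection; None = option not set
    auto_reboot_timeout_s: int = 10            # Advanced Settings page; 0 disables


MULTICAST = ipaddress.ip_network("224.0.0.0/4")   # 224.0.0.0 - 239.255.255.255


def _check_multicast(name: str, value: str, findings: list[str]) -> None:
    """Heartbeat IP and Synchronization IP must be IPv4 multicast addresses."""
    try:
        addr = ipaddress.IPv4Address(value)
    except ValueError:
        findings.append(f"ERROR: {name} {value!r} is not a valid IPv4 address")
        return
    if addr not in MULTICAST:
        findings.append(f"ERROR: {name} {value} is outside 224.0.0.0-239.255.255.255")


def validate_engine_settings(s: EngineSettings) -> list[str]:
    """Return findings as 'LEVEL: message' strings; empty when every constraint holds."""
    findings: list[str] = []

    # Cluster tab: failover time must be at least twice the heartbeat message period.
    if s.heartbeat_message_period_ms <= 0:
        findings.append("ERROR: Heartbeat Message Period must be a positive number of ms")
    elif s.heartbeat_failover_time_ms < 2 * s.heartbeat_message_period_ms:
        findings.append(
            f"ERROR: Heartbeat Failover Time {s.heartbeat_failover_time_ms} ms is less than "
            f"twice the Heartbeat Message Period ({s.heartbeat_message_period_ms} ms)")

    # Cluster tab: node-to-node multicast addresses must lie in the multicast range.
    _check_multicast("Heartbeat IP", s.heartbeat_ip, findings)
    _check_multicast("Synchronization IP", s.synchronization_ip, findings)

    # Default SYN Rate Limits: with Custom limits, Burst Size >= Allowed SYNs per Second / 10,
    # otherwise the rate limit does not work (page example: 10000/s needs a burst of 1000).
    if s.syn_rate_limits_custom:
        if s.allowed_syns_per_second is None or s.burst_size is None:
            findings.append("ERROR: Custom SYN Rate Limits need both Allowed SYNs per Second "
                            "and Burst Size")
        elif s.burst_size * 10 < s.allowed_syns_per_second:
            findings.append(
                f"ERROR: Burst Size {s.burst_size} is below one tenth of Allowed SYNs per "
                f"Second ({s.allowed_syns_per_second}); SYN rate limiting will not work")

    # DoS Protection: half-open TCP connection limit is 125..100000 per destination IP.
    if s.half_open_tcp_limit is not None and not 125 <= s.half_open_tcp_limit <= 100_000:
        findings.append(f"ERROR: Limit for Half-Open TCP Connections {s.half_open_tcp_limit} "
                        "is outside 125..100000")

    # Advanced Settings page: 0 disables the automatic reboot; worth surfacing in a review.
    if s.auto_reboot_timeout_s == 0:
        findings.append("INFO: Auto Reboot Timeout is 0; automatic reboot on non-recoverable "
                        "errors is disabled")
    elif s.auto_reboot_timeout_s < 0:
        findings.append("ERROR: Auto Reboot Timeout cannot be negative")
    return findings


if __name__ == "__main__":
    # Constructed review input that violates several of the constraints at once.
    review = EngineSettings(heartbeat_failover_time_ms=1500, syn_rate_limits_custom=True,
                            allowed_syns_per_second=10000, burst_size=500,
                            half_open_tcp_limit=100)
    for finding in validate_engine_settings(review):
        print(finding)
```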
Upload the Initial Configuration to the Installation Server page
This page is only shown for specific Forcepoint NGFW appliances that support plug-and-play configuration. Only Single Firewalls with a dynamic control IP address are supported.
Option | Definition |
---|---|
Upload Initial Configuration | When selected, the initial configuration is uploaded to the Installation Server, making the configuration available for use in plug-and-play installations. When you turn on the NGFW appliance, it automatically downloads and installs the initial configuration and makes initial contact with the Management Server. Note: There are special considerations when using plug-and-play configuration. For example, both the SMC and the NGFW Engines must be registered for plug-and-play configuration before you configure the engines. See Knowledge Base article 9662. |
Enable SSH Daemon (Optional) | When selected, allows remote access to the NGFW Engine command line for troubleshooting purposes. CAUTION: If you enable SSH, set the password for command-line access after the initial configuration either through the Management Client or by logging on to the command line. When the password is not set, anyone with SSH access to the NGFW Engine can set the password. |
Local Time Zone | Select a local time zone for commands you enter on the command line. Note: This setting only applies to the local console. NGFW Engines always use UTC (GMT) time internally. The clock on the local console is automatically synchronized with the Management Server time. |
Keyboard Layout | Select a language to specify the layout of the keyboard used with the local console. |
Endpoints for the Internal VPN Gateways page
Option | Definition |
---|---|
Enabled | When selected, the endpoint IP address is active. |
Name | Shows the name of the endpoint. If the endpoint does not have a descriptive name, the IP address of the endpoint is shown. |
IP Address | Shows the IP address of the endpoint. |
Connection Type | Defines how the endpoint is used in a Multi-Link configuration. |
Options | Shows the optional settings that have been selected for the endpoint. |
Phase-1 ID | Shows the value of the phase-1 ID that identifies the gateway during the IKE phase-1 negotiations. |
VPN Type | Shows the types of VPNs that the endpoint can be used in. |
Edit | Allows you to change the properties of the selected endpoint. |
Option | Definition |
---|---|
VPN Endpoint Properties dialog box | |
Name | The name of the endpoint. If no name is entered, the IP address is used. |
IP Address | The IP address of the endpoint. |
Dynamic | Automatically selected if the endpoint has a dynamic IP address. |
Connection Type | Defines how the endpoint is used in a Multi-Link configuration. |
NAT-T | Detects when an IPsec VPN tunnel goes through a NAT device. If NAT is detected, the VPN automatically uses UDP port 4500 for IKE negotiation messages, and encapsulates ESP packets in UDP packets that use port 4500. |
Contact Addresses section | This section cannot be edited. The contact addresses for endpoints are defined in the Interface properties. |
Default | Used by default whenever a component that belongs to another Location connects to this interface. |
Dynamic | Used when the endpoint has a dynamic IP address. Note: Dynamic contact addresses are not supported on SSID Interfaces. |
Exceptions | Opens the Exceptions dialog box. |
Phase-1 ID section | |
ID Type | Identifies the Gateways during the IKE phase-1 negotiations. |
ID Value | Specifies the details of the ID Type. |
VPN Type section | |
All types | Restricts the types of VPNs that the endpoint can be used in. |
Selected types only | Select one or more options. Note: The endpoint must have an IPv4 address if you want to use it in SSL VPN tunnels or to access the SSL VPN Portal. |
Policy to Install page
Option | Definition |
---|---|
Policy | Click Select to select the policy to install on the Firewalls. |