Define Add-Ons for multiple Single Firewalls

On the Define Add-Ons for the Firewalls page, you can define settings for TLS inspection, transparent user identification, browser-based user authentication, and anti-malware for the Firewalls.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. (Optional) On the Define Add-Ons for the Firewalls page of the Create Multiple Single Firewalls wizard, select the appropriate Client Protection Certificate Authority element for TLS Inspection.
  2. (Optional) Click Add and select the TLS Credentials element. The selected elements are added to the list.
  3. (Optional) Select the User Identification Service element that represents the service with which the Firewall communicates for transparent user identification.
  4. (Optional) Click User Authentication to enable browser-based user authentication.
  5. (Optional) Select Anti-Malware to configure the anti-malware settings.
  6. Click Next.
    The Define Advanced Settings for the Firewalls page opens.

Browser-Based User Authentication dialog box

Use this dialog box to change browser-based user authentication settings for a Firewall.

General tab

HTTP: Allows authentication using plain HTTP connections.
Port (Optional): Change the port settings if you want to use a different port for the authentication interface. The default ports are:
  • HTTP — 80
  • HTTPS — 443
HTTPS: Allows authentication using encrypted HTTPS connections.
Always Use HTTPS: Redirects connections to the HTTPS port and enforces the use of HTTPS if the engine also listens on other ports.
Listen on Interfaces: Restricts the interfaces that users can authenticate through.
  • All — Users can authenticate through all interfaces.
  • Selected — Users can only authenticate through the selected interfaces.
User Authentication Page: Select the User Authentication Page element that defines the look of the logon page, challenge page, and status page shown to end users when they authenticate.
Enable Session Handling: Enables cookie-based strict session handling.
Refresh Status Page Every: Defines how often the status page is automatically refreshed.
HTTPS Certificate tab

Common Name (CN): The fully qualified domain name (FQDN) of the authentication page as it appears in the certificate.
Organization (O) (Optional): The name of your organization as it appears in the certificate.
Organizational Unit (OU) (Optional): The name of your department or division as it appears in the certificate.
Country/Region (C) (Optional): Standard two-character country code for the country of your organization.
State/Province (ST) (Optional): The name of the state or province as it appears in the certificate.
City/Locality (L) (Optional): The name of the city as it appears in the certificate.
Key Length: Length of the key for the generated public-private key pair. The default is 1024 bits.
Sign
  With External Certificate Authority: Select this option if you want to create a certificate request that another certificate authority signs.
  Internally with: Select this option to sign the certificate using an Internal CA for Gateways. If more than one valid internal certificate authority is available, select the internal CA that signs the certificate request. There can be multiple valid internal CAs for Gateways in the following cases:
    • There is both an internal RSA CA for gateways and an internal ECDSA CA for gateways.
    • The internal CA for gateways is in the process of being renewed and both the previous CA and the new CA are temporarily available. Select the new CA in this case.
Generate Request: Generates the request or the internal certificate details.

Certificate Request section (External certificate authority)

Subject Name: The identifier of the certified entity.
Export: Opens the Export Certificate Request dialog box.
Import Certificate: Opens the Import Certificate dialog box.
Delete: Deletes the certificate request.
Sign Internally: Signs the certificate with the chosen Internal CA. The Certificate Request details are displayed.

Certificate section (Internal certificate authority)

Subject Name: The identifier of the certified entity.
Valid From: Shows the start date of certificate validity.
Valid To: Shows the end date of certificate validity.
Fingerprint (SHA-1): Shows the certificate fingerprint using the SHA-1 algorithm.
Fingerprint (MD5): Shows the certificate fingerprint using the MD5 algorithm.
Fingerprint (SHA-512): Shows the certificate fingerprint using the SHA-512 algorithm.
Export: Opens the Export Certificate dialog box.
Delete: Deletes the certificate.
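Added example (not from the Forcepoint documentation): a stdlib-only Python check for a certificate exported from the Certificate section above, reporting the RSA key length next to the MD5, SHA-1 and SHA-512 fingerprints the dialog shows (plus SHA-256) and flagging anything below 2048 bits, since the 1024-bit default is below current minimums. The DER walker only handles RSA keys (other key types such as ECDSA return None); the sample certificate is a constructed skeleton, not a real certificate, and `min_bits` is an assumed policy value.

```python
import hashlib
import ssl
RSA_OID = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1 rsaEncryption

def _tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_key_bits(der):  # modulus size of an RSA cert, None for other key types (e.g. ECDSA)
    _, p, _ = _tlv(der, 0)                           # Certificate
    _, p, _ = _tlv(der, p)                           # tbsCertificate
    tag, _, end = _tlv(der, p)
    p = end if tag == 0xA0 else p                    # optional [0] EXPLICIT version
    for _ in range(5):                               # serial, sigAlg, issuer, validity, subject
        p = _tlv(der, p)[2]
    _, p, _ = _tlv(der, p)                           # subjectPublicKeyInfo
    _, alg, p = _tlv(der, p)                         # AlgorithmIdentifier
    if der[alg:alg + len(RSA_OID)] != RSA_OID:
        return None
    _, p, _ = _tlv(der, p)                           # subjectPublicKey BIT STRING
    _, p, _ = _tlv(der, p + 1)                       # RSAPublicKey (after unused-bits octet)
    _, start, end = _tlv(der, p)                     # modulus INTEGER
    return int.from_bytes(der[start:end], "big").bit_length()

def fingerprints(der):  # colon-separated hex digests, the form the dialog displays
    return {alg: ":".join(f"{b:02X}" for b in hashlib.new(alg, der).digest())
            for alg in ("md5", "sha1", "sha256", "sha512")}

def check_pem(pem, min_bits=2048):  # min_bits is an assumed local policy value
    der = ssl.PEM_cert_to_DER_cert(pem)              # strips the PEM armour, base64-decodes
    bits = rsa_key_bits(der)
    return {"key_bits": bits, "weak_key": bits is not None and bits < min_bits,
            "fingerprints": fingerprints(der)}

# Constructed sample input: a certificate-shaped DER skeleton (empty names, no real signature); NOT a valid certificate.
def _der(tag, body):
    lb = len(body).to_bytes(4, "big").lstrip(b"\x00")
    return bytes([tag, len(body)]) + body if len(body) < 0x80 else bytes([tag, 0x80 | len(lb)]) + lb + body

def sample_pem(bits=1024):  # skeleton carrying an RSA modulus of exactly `bits` bits
    modulus = (1 << (bits - 1)) | 1
    rsa_pub = _der(0x30, _der(0x02, b"\x00" + modulus.to_bytes(bits // 8, "big"))
                   + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, _der(0x30, RSA_OID + _der(0x05, b"")) + _der(0x03, b"\x00" + rsa_pub))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, b"") * 4 + spki)
    return ssl.DER_cert_to_PEM_cert(_der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00")))
```

Run `check_pem(open("exported.pem").read())` on a certificate saved from the Export Certificate dialog and compare the returned fingerprints with those shown in the Certificate section.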

Sidewinder Proxy Settings dialog box

Use this dialog box to enable and configure Sidewinder Proxies on the engine.

Enable: When selected, enables Sidewinder Proxy.
Sidewinder Logging Profile: The selected Sidewinder Logging Profile element for the engine. Click Select to open the Select Element dialog box, where you can select a Sidewinder Logging Profile.
SSH Proxy: Settings specific to the SSM SSH Proxy.
  SSH Known Hosts Lists: The selected SSH Known Hosts List elements for the engine.
    Add: Opens the SSH Known Hosts Lists dialog box, where you can select an SSH Known Hosts List.
    Remove: Removes the selected element from the list.
  Host Keys: The SSH host keys used by the firewall when it acts as the SSH server in a connection that uses the SSM SSH Proxy.
    Key Type: Shows the signature algorithm used for the host key.
    Key Length: Shows the length of the host key.
    SHA256 Fingerprint: Shows the SHA256 fingerprint of the host key.
    SSH Proxy Services: The SSH Proxy Service element with which the host key is used. Double-click the field to open the Select Element dialog box, where you can select a Service element.
    Comment (Optional): A comment for your own reference.
    Add: Opens the Generate New Host Key dialog box.
    Remove: Removes the selected host key from the list.
    Import: Opens the Import Host Key dialog box, where you can import an existing host key.
Advanced Settings: Opens the Advanced Sidewinder Proxy Settings dialog box.

Anti-Malware Settings dialog box

Use this dialog box to change the anti-malware settings.

Enable: Enables anti-malware checks.
Malware Log Level: The log level for anti-malware events.
  • None — Does not create any log entry.
  • Transient — Creates a log entry that is displayed in the Current Events mode in the Logs view (if someone is viewing it) but is not stored.
  • Stored — Creates a log entry that is stored on the Log Server.
  • Essential — Creates a log entry that is shown in the Logs view and saved for further use.
  • Alert — Triggers an alert entry.
Alert: When Alert is selected, specifies the Alert element that is sent.

Malware Signature Update Settings section

Update Frequency: Defines how often the engine checks for updates to the anti-malware database.
  • Never — The engine does not check for updates. You must update the anti-malware database manually.
  • When Anti-Malware Daemon Starts — The anti-malware daemon starts, for example, when the anti-malware feature is enabled or when the engine restarts.
  • Every Hour — The engine checks for updates once an hour.
  • Daily — The engine checks for updates once a day. Set the Time of day that the engine checks for updates.
  • Weekly — The engine checks for updates once a week. Set the Day and Time of day that the engine checks for updates.

Malware Signature Mirror Settings section

Mirror(s): Enter the URL of the anti-malware database mirror that the engine contacts to update the anti-malware database. Separate multiple addresses with commas.
Use HTTP Proxy (Optional): Specifies that the Firewall uses an HTTP proxy to connect to the anti-malware database mirrors.
  Host: The IP address or DNS name of the HTTP proxy.
  Port: The listening port of the HTTP proxy.
  Username: The user name for authenticating to the HTTP proxy.
  Password: The password for authenticating to the HTTP proxy.
  Hide: Prevents the password from being shown as plain text. Deselect this option to show the password. Selected by default.

Sandbox Settings dialog box

Use this dialog box to select and configure sandbox servers.

Sandbox Type: Specifies which type of sandbox the engine uses for sandbox file reputation scans.
  • Cloud Sandbox - Forcepoint Advanced Malware Detection — The engine uses the cloud sandbox for Forcepoint Advanced Malware Detection.
  • Local Sandbox - Forcepoint Advanced Malware Detection (ATD) — The engine uses the local sandbox for Forcepoint Advanced Malware Detection.
    Note: To use the local sandbox for Forcepoint Advanced Malware Detection, you must have a Forcepoint Advanced Malware Detection appliance.
  • Local Sandbox - McAfee Advanced Threat Defense (ATD) — The engine uses McAfee Advanced Threat Defense.
    Note: McAfee Advanced Threat Defense is no longer supported in NGFW version 6.4.0 and later. We recommend that you use Forcepoint Advanced Malware Detection instead.
  • None — The engine does not use a sandbox.

When Sandbox Type is Cloud Sandbox - Forcepoint Advanced Malware Detection

License Key: The license key for the connection to the cloud sandbox server.
  Note: The license defines the home data center where files are analyzed. Enter the key and license token for the data center that you want to use as the home data center.
  CAUTION: The license key and license token allow access to confidential analysis reports. Handle the license key and license token securely.
License Token: The license token for the connection to the cloud sandbox server.
Sandbox Service: Click Select to select a Sandbox Service element. Specifies the cloud sandbox data center that the firewall contacts to request file reputation scans.
  • Automatic — The firewall contacts the data center that is geographically closest.
  • EU Data Centers — The firewall contacts the EMEA data center in the Netherlands.
  • US Data Centers — The firewall contacts the data center in the USA.
  Note: If the data center that the firewall contacts does not match the home data center that is specified in the license, files are forwarded to the home data center for analysis and stored in the home data center.
HTTP Proxies (Optional): When specified, file reputation requests are sent through an HTTP proxy instead of the engine accessing the external network directly.
  • Add — Allows you to add an HTTP Proxy to the list.
  • Remove — Removes the selected HTTP Proxy from the list.
  Note: You can only use one HTTP proxy for the connection to the sandbox service. If you select more than one HTTP proxy, the additional HTTP proxies are ignored.

When Sandbox Type is Local Sandbox - Forcepoint Advanced Malware Detection

License Key: The license key for the connection to the local sandbox server.
License Token: The license token for the connection to the local sandbox server.
Sandbox Service: Click Select to select a Sandbox Service element.
HTTP Proxies (Optional): When specified, file reputation requests are sent through an HTTP proxy instead of the engine accessing the external network directly.
  • Add — Allows you to add an HTTP Proxy to the list.
  • Remove — Removes the selected HTTP Proxy from the list.
  Note: You can only use one HTTP proxy for the connection to the sandbox service. If you select more than one HTTP proxy, the additional HTTP proxies are ignored.

File Reputation Settings dialog box

Use this dialog box to enable file reputation services for file filtering.

File Reputation Service: Select the file reputation service to use.
  • None — Disables file reputation services.
  • Threat Intelligence Exchange (TIE) — Enables the use of McAfee TIE file reputation services for file filtering.
  • Global Threat Intelligence (GTI) — Enables the use of McAfee GTI file reputation services for file filtering.

When File Reputation Service is Threat Intelligence Exchange (TIE)

ePO Server: Shows the selected McAfee ePO Server element. The McAfee ePO server handles the request for DXL credentials initiated by the SMC.
Select: Opens the Select Element dialog box, where you can select an ePO Server element.
DXL Certificates: Shows the currently valid DXL certificates.
Generate DXL Certificates: Generates new certificates.

When File Reputation Service is Global Threat Intelligence (GTI)

HTTP Proxies: When specified, the engine uses an HTTP proxy to connect to the McAfee Global Threat Intelligence file reputation service.
  • Add — Allows you to add an HTTP Proxy to the list.
  • Remove — Removes the selected HTTP Proxy from the list.
  Note: You can only use one HTTP proxy for the connection to the McAfee Global Threat Intelligence file reputation service. If you select more than one proxy, the additional HTTP proxies are ignored.