Management connections for engines and how they work

When you connect the engines to the SMC, the engines make initial contact with the Management Server and receive a certificate.

The certificate allows the engine to authenticate itself to other components in all further communications. When components contact each other, each one checks whether the other component's certificate is signed by the same internal certificate authority as its own certificate. The certificate authority runs on the Management Server, but is separate from the Management Server itself. The initial contact procedure is secured using a one-time password.

If the engines are Forcepoint NGFW appliances, you can connect them to the SMC using the plug-and-play configuration method. In plug-and-play configuration, you upload the initial configuration to the Installation Server. When the engines are turned on with all cables connected, they download the initial configuration from the Installation Server. After this, the engines automatically install the initial configuration and make initial contact with the Management Server. You can also specify a predefined policy to be installed on the engines when they make initial contact with the Management Server.

Note: There are special considerations when using plug-and-play configuration. For example, both the SMC and the NGFW Engines must be registered for plug-and-play configuration before you configure the engines. See Knowledge Base article 9662.


  • The plug-and-play configuration method is only available for Forcepoint NGFW appliances. You must have a valid proof-of-serial (POS) code for each appliance you want to configure using the plug-and-play configuration method.
  • Virtual NGFW Engines do not communicate directly with the SMC. All communication between Virtual NGFW Engines and the SMC is proxied by the Master NGFW Engine.

What should I know before I begin?

  • Engine certificates expire three years after the date that they are issued. If the automatic certificate renewal option is active for the engine, the certificate is renewed automatically before it expires.
  • If the certificate of the engine is lost or expires, the initial contact procedure must be repeated to reconnect the engine to the other components.
  • The internal certificate authority that signs the engine certificates is valid for ten years. The internal certificate authority is automatically renewed six months before the expiration date, and new certificates signed by the new internal certificate authority are automatically created for the engines. If the automatic certificate renewal fails, you must make initial contact with the Management Server again so that the engine receives a new certificate.
  • When a new internal certificate authority is created, its initial status is Ready to Use and it is not yet Active. A new internal certificate authority in a Ready to Use state only signs Management Server certificates. Certificates for other SMC components are signed by the internal certificate authority that is used by the Management Server. In an environment with multiple Management Servers, the new internal certificate authority reaches Active status when all the Management Servers are using the new internal certificate authority.
  • You must install a policy using the Management Client to transfer the complete configuration to the engine.
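
The following added example shows the same-CA check described at the top of this page, and why engines need new certificates once the internal certificate authority is renewed. It uses generic OpenSSL commands and is not the SMC's own implementation; the names ca-old, ca-new and engine-1 and the helper functions are constructed for illustration.

```shell
#!/usr/bin/env bash
# Illustration only: generic OpenSSL PKI, not the SMC's own implementation.
# All names (ca-old, ca-new, engine-1) are constructed for this example.
set -u
WORK=$(mktemp -d)

# Create a self-signed internal CA valid for ten years.
make_ca() {  # $1 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a three-year certificate for a component, signed by the given CA.
issue_cert() {  # $1 = CA name, $2 = component name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$2.csr" -days 1095 \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.crt" 2>/dev/null
}

# The peer check: does the presented certificate chain to the CA I trust?
trusts() {  # $1 = CA name the verifier trusts, $2 = peer component name
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

make_ca ca-old                    # internal CA before renewal
make_ca ca-new                    # renewed internal CA
issue_cert ca-old engine-1        # engine certificate issued before the renewal

trusts ca-old engine-1 && echo "engine-1 accepted by a peer that trusts ca-old"
trusts ca-new engine-1 || echo "engine-1 rejected by a peer that trusts ca-new"

# Once the engine certificate is reissued under the renewed CA, the check passes.
issue_cert ca-new engine-1
trusts ca-new engine-1 && echo "reissued engine-1 accepted by a peer that trusts ca-new"
```

The rejected case is what an engine runs into when its certificate was not reissued after the certificate authority changed, which is when the initial contact procedure has to be repeated.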