Start the Create Multiple Single Firewalls wizard

Start the Create Multiple Single Firewalls wizard to create multiple Single Firewall elements at the same time. Define general settings for the Single Firewall elements.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration.
  2. Right-click NGFW Engines and select New > Firewall > Multiple Single Firewalls.
    The Create Multiple Single Firewalls wizard opens.
  3. To create multiple Single Firewall elements based on POS codes, follow these steps to start the configuration.
    1. In the Proof-of-Serial Codes field, enter the POS codes.
    2. (Optional) From the Base Configuration On list, select the Firewall on which to base the configuration of the new Firewalls.
    3. Click Next.
      The Proof-of-Serial Code Information page opens.
    4. Make sure that the details on the Proof-of-Serial Code Information page are correct and click Next.
      The Define Basic Firewall Information page opens.
  4. If you do not have POS codes, follow these steps to start the configuration.
    1. Enter the Number of Single Firewalls (1-1000).
    2. (Optional) From the Base Configuration On list, select the Firewall on which to base the configuration of the new Firewalls.
    3. Click Next.
      The Define Basic Firewall Information page opens.
  5. Enter a common Name Prefix. The system adds either a running number or the serial number of the appliance to the name prefix to generate a unique name for each individual Firewall.
  6. Select the Log Server to which the Firewall sends its event data.
    Note: Name Prefix and Log Server are the only mandatory properties you must define at this stage. Review the other properties carefully to see which ones to define as the shared properties for all Firewalls created with the wizard.
  7. (Optional) In the DNS IP Addresses field, add one or more DNS IP addresses.
    DNS IP addresses are the IP addresses of external DNS servers. Firewalls use these DNS servers to resolve domain names to IP addresses. Firewalls need DNS resolution to contact services that are defined using URLs or domain names, and to resolve fully qualified domain names (FQDNs) used in policies. When DNS relay is configured, these DNS servers are used unless domain-specific DNS servers are specified in a DNS Relay Profile element.
    Note: If you have defined NetLink-specific DNS IP addresses, adding DNS IP addresses overrides the NetLink-specific DNS IP addresses.
    • To enter a single IP address manually, click Add and select IP Address. Enter the IP address in the dialog box that opens.
    • To define an IP address using a network element, click Add and select Network Element. Select an existing element, or click New and add an element.
  8. Select the Location for the Firewalls if there is a NAT device between these Firewalls and other SMC components.
    Note: Select a Location only if all Firewalls you create with the wizard belong to the same Location element.
  9. Define other settings according to your environment:
    • If you have a Forcepoint NGFW appliance, enter the Proof-of-Serial (POS) code delivered with the appliance.
    • If you want to include the Firewalls in predefined categories, select the appropriate Categories.
    • If you want to add custom commands to the Firewalls’ right-click menu, add a Tools Profile.
  10. Click Next.
    The Review and Edit Names and Comments page opens.
  11. Review the names of the Firewalls. If necessary, right-click the name and select Edit Name.
    Note: We recommend giving each Firewall a unique, descriptive name after the common Name Prefix, such as the geographical location where the particular Firewall engine will be used.
  12. Click Next.
    The Define Interfaces for the Firewalls page opens.

Create Multiple Single Firewalls wizard

Use this wizard to create multiple Single Firewall elements with similar configurations.

Select Firewall Creation Method page

  Proof-of-Serial Codes: When selected, specifies the Proof-of-Serial codes you received to create the Single Firewall elements.
  Number of Single Firewalls: If you do not have POS codes, specifies the number of Single Firewall elements to create.
  Base Configuration On: Specifies the Firewall on which you want to base the configuration.
  Previous: Navigates back to the previous wizard page.
  Next: Navigates to the following wizard page.
Define Basic Firewall Information page

  Name Prefix: Specifies the common name prefix.
  Log Server: Specifies the Log Server to which the engine sends event data.
  DNS IP Addresses (Optional): Specifies the IP addresses of the DNS servers that the engine uses to resolve:
    • Malware signature mirror
    • Domain names
    • URL filtering categorization services
    For DNS relay, specifies the IP addresses of external DNS servers to which the engine forwards DNS requests from clients in the internal network.
  Add: Adds one or more IP addresses using the following options:
    • IP Address — Adds an IP Address element that represents a single IP address.
    • Network Element — Adds a Network element that represents an IP network space.
  Remove: Removes the selected IP address from the DNS IP Addresses list.
  Location: Specifies the location for the engine if there is a NAT device between the engine and other SMC components.
  Proof-of-Serial (Appliances only): Shows the Proof-of-Serial code of the Forcepoint NGFW appliance. Not editable.
  Category (Optional): Includes the element in predefined categories. Click Select to select a category.
  Tools Profile: Adds custom commands to the element's right-click menu.
    • Select — Select an existing Tools Profile element.
    • None — Removes all previously selected Tools Profile elements.
    • New — Create a Tools Profile element.
  Comment (Optional): A comment for your own reference.
  Review and Edit Names and Comments: Shows a summary of the information you entered on the previous page.
Define Interfaces for the Firewalls page

  Add: Adds an interface or IP address of the specified type:
    • Physical Interface
    • VLAN Interface
    • IPv4 Address
    • IPv6 Address
    • ADSL Interface
    • Modem Interface
    • Tunnel Interface
    • Wireless Interface
    • Switch
    • Port Group Interface
    • SSID Interface
  Edit: Allows you to change the properties of the interface or IP address.
  Remove: Removes the selected interface or IP address from the table.
  Options (Optional): Opens the Interface Options dialog box.
  ARP Entries: Allows you to add ARP entries for the engine elements.
  Multicast Routing: Allows you to configure the multicast routing properties.
  Review and Edit Firewall Interfaces: Shows a summary of the information you entered on the previous page.
Define Routing for the Multiple Single Firewall Elements page

  On this page, you can see the routing of the original engine that you are basing your engines on. Changes that you make are reflected in all engines that you are creating.

Review and Edit Routing View for the Multiple Single Firewall Elements

  On this page, you can make changes to the individual engines that you are creating.
  Routing for: Select the engine that you want to edit.
Define NAT Definitions for the Firewalls page

  Use Default NAT Address for Traffic from Internal Networks (Optional): When selected, the engine uses the default NAT address as the Public IP Address if there is not a more specific NAT definition that matches the traffic. When you select this option, a NAT rule is generated at the end of the NAT rules in the Firewall Policy. If no NAT rule matches the traffic, no NAT is applied unless you enable the Default NAT Address.
  Show Details (Optional): Opens the Default NAT Address Properties dialog box.
  Add NAT Definition: Creates a NAT Definition element and opens the NAT Definition Properties dialog box.
  Edit NAT Definition: Opens the NAT Definition Properties dialog box for an existing NAT Definition element.
  Remove NAT Definition: Removes the selected row from the table.
Select Additional Configuration Options page

  Define Additional Firewall Properties: When selected, you can specify advanced properties for the engine. If you do not select this option, clicking Next takes you to the Summary page.

Define Tester Settings for the Firewalls page

  Alert Interval: Specifies the time in minutes the system waits before sending a new alert when the same test keeps failing repeatedly. The default value is 60 minutes.
    Note: If the interval is too short, the alerts can overload the system or the alert recipient.
  Delay After: Specifies the time in seconds that the engine waits before it resumes running the tests after the listed events. The delays prevent false test failures that can occur due to variations in how quickly different processes and subsystems can start and stop.
    • Boot — The default is 30 seconds.
    • Reconfiguration — The default is 5 seconds.
    • Status Change — The default is 5 seconds.
    Note: The maximum value for all options is 1800.
  Boot Recovery: When selected, the engine automatically goes back online after a reboot, or after an event such as a power failure or system crash, if all offline tests report a success.
  Set to Default: Returns tester changes to the default settings.
  Add: Adds the test to the test entry table:
    • External — Runs a custom script stored on the engine. If the script returns the code zero (0), the test is considered successful; otherwise the test is considered failed.
    • File System Space — Checks the free disk space on a hard disk partition.
    • Free Swap Space — Checks the available swap space on the hard disk.
    • Inline Pair Link Speed — Checks whether the network settings (speed/duplex) match on the two ports that form the inline pair and can force ports to use the same settings. Not available in the Firewall/VPN role.
    • Link Status — Checks whether a network port reports the link as up or down.
    • Multiping — Sends out a series of ping requests to determine whether there is connectivity through a network link.
    • Policy — Checks whether a new policy is activated on the engine. This option is intended for sending SNMP notifications.
  Edit: Allows you to change the test properties.
  Remove: Removes the test from the test entry table.
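The External test described above runs an administrator-supplied script and treats exit status 0 as success and any other status as failure. The following POSIX shell script is an added example of such a script; it is not code from Forcepoint or from this page. It fails the test when inode usage on a partition exceeds a threshold, a condition that the built-in File System Space test (which measures free space) does not cover. The mount point, the threshold, the EXTERNAL_TEST_RUN variable and the reliance on the column layout of Linux "df -Pi" output are all assumptions of this example; how and where the engine stores and invokes the script is not described on this page.

```shell
#!/bin/sh
# Added example of an External test script for the engine tester (not Forcepoint code).
# Contract from the page: exit status 0 = test passed, anything else = test failed.
# Everything else here (mount point, threshold, variable names) is an assumption.

MOUNT_POINT="${MOUNT_POINT:-/var}"      # assumed partition to watch
MAX_INODE_USE="${MAX_INODE_USE:-90}"    # assumed limit, in percent of inodes used

# inode_use_pct DF_LINE
#   Prints the inode usage percentage taken from one data line of "df -Pi",
#   whose columns (Linux) are: Filesystem Inodes IUsed IFree IUse% Mounted-on.
inode_use_pct() {
    printf '%s\n' "$1" | awk '{ sub("%", "", $5); print $5 }'
}

# is_number VALUE -> status 0 if VALUE is a non-empty string of digits
is_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# within_limit PCT MAX -> status 0 when PCT <= MAX, 1 otherwise (non-numbers fail)
within_limit() {
    is_number "$1" && is_number "$2" && [ "$1" -le "$2" ]
}

# run_check MOUNT MAX
#   Probes the live system and returns the status the tester will act on.
#   Anything that prevents a reliable measurement counts as a failure, so a
#   broken probe shows up as a failed test instead of a silent pass.
run_check() {
    line=$(df -Pi "$1" 2>/dev/null | awk 'NR == 2')
    if [ -z "$line" ]; then
        echo "inode check: no df output for $1" >&2
        return 1
    fi
    pct=$(inode_use_pct "$line")
    if ! is_number "$pct"; then
        echo "inode check: unexpected df line: $line" >&2
        return 1
    fi
    if within_limit "$pct" "$2"; then
        echo "inode check: $1 at ${pct}% of limit ${2}%: OK"
        return 0
    fi
    echo "inode check: $1 at ${pct}% exceeds limit ${2}%: FAILED" >&2
    return 1
}

# Run the probe and exit with its status only when invoked by the tester
# (assumed here to be signalled with EXTERNAL_TEST_RUN=1); otherwise only
# define the functions so they can be sourced and exercised on their own.
if [ "${EXTERNAL_TEST_RUN:-0}" = "1" ]; then
    run_check "$MOUNT_POINT" "$MAX_INODE_USE"
    exit $?
fi
```

Invoked as `EXTERNAL_TEST_RUN=1 MOUNT_POINT=/var MAX_INODE_USE=90 ./inode_check.sh`, the script exits 0 while usage stays at or below the limit and 1 otherwise, which is the only signal the tester reads. A filesystem that reports no inode figures (a "-" in the IUse% column) or a missing mount point also produces exit status 1, so a misconfigured check cannot mask a real problem by passing by accident.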
Define Permissions for the Firewalls page

  Add: Adds the element to the Access Control Lists table.
  Remove: Removes the elements from the Access Control Lists table.
  Add Permission: Adds the permission to the Permissions table.
  Remove Permission: Removes the permission from the Permissions table.
  Local Administrators
    Administrator: Specifies the name of the local administrator, if local administrators have been defined for the engine.
    Info: Specifies whether executing root-level commands with the sudo tool is allowed for the Local Administrator.
    Add: Adds an element to the Allowed Policies list.
    Set to Any: Allows the installation of any policy.
    Remove: Removes the elements from the Allowed Policies list.
Define Add-Ons for the Firewalls page

  Client Protection Certificate Authority: Select the Client Protection Certificate Authority element for client protection.
  Add: Allows you to add a Server Protection Credentials element for server protection.
  Remove: Removes the selected item.
  User Identification Service: Specifies the Forcepoint User ID Service, McAfee Logon Collector, or Integrated User ID Service that associates IP addresses with users for transparent user identification. The Integrated User ID Service is primarily meant for demonstration purposes and proof-of-concept testing of user identification services.
    • Select — Allows you to select an existing Forcepoint User ID Service, McAfee Logon Collector, or Integrated User ID Service element.
    • None — Disables transparent user identification.
    Note: McAfee Logon Collector is only supported in Forcepoint NGFW version 5.8 or higher. For Forcepoint NGFW version 6.4 or higher, we recommend that you use the Forcepoint User ID Service.
  User Authentication: Opens the Browser-Based User Authentication dialog box.
  Anti-Malware: Opens the Anti-Malware Settings dialog box.
  Anti-Spam Settings: The Anti-Spam feature is no longer supported in NGFW version 6.2.0 and later.
  Sandbox: Opens the Sandbox Settings dialog box.
    Note: McAfee Advanced Threat Defense is no longer supported in NGFW version 6.4.0 and later. We recommend that you use Forcepoint Advanced Malware Detection instead.
  File Reputation: Opens the GTI File Reputation Settings dialog box.
Define Advanced Settings for the Firewalls page

  Encrypt Configuration Data: By default, the configuration of the engine is stored in an encrypted format. Disable the encryption only if instructed to do so by Forcepoint support.
  Contact Node Timeout: The maximum amount of time the Management Server tries to connect to an engine. If the engine has a dynamic IP address, the Contact Node Timeout is the maximum amount of time that the engine tries to contact the Management Server. If the connection to the Management Server fails, the engine automatically tries to reconnect to the Management Server. A consistently slow network connection might require increasing this value. The default value is 60 seconds.
    Note: Setting the timeout value too short or too long can delay or prevent contact between the Management Server and the engines.
  Auto Reboot Timeout: Specifies the length of time after which an error situation is non-recoverable and the engine automatically restarts. The default value is 10 seconds.
    Note: Set to 0 to disable.
  Policy Handshake: When selected, the nodes automatically roll back to using the previously installed policy if connectivity is lost after installing a new policy. Without this feature, you must switch to the previous configuration manually through the engine's boot menu.
    Note: We recommend adjusting the timeout rather than disabling this feature completely.
  Rollback Timeout: The time the engine waits for a management connection before it rolls back to the previously installed policy when the Policy Handshake option is active. The default value is 60 seconds.
  Automated Node Certificate Renewal: When selected, the engine's certificate for system communications is automatically renewed before it expires. Otherwise, the certificate must be renewed manually. Each certificate for system communications is valid for 3 years. If the certificate expires, other components refuse to communicate with the engine.
    Note: Does not renew VPN certificates. Automatic certificate renewal for internally signed VPN certificates is set separately in the engine's VPN settings.
  FIPS-Compatible Operating Mode: When selected, activates a mode that is compliant with FIPS (Federal Information Processing Standard) 140-2.
    Note: You must also select FIPS-specific settings in the NGFW Initial Configuration Wizard on the command line of the NGFW Engine. For more information, see How to install Forcepoint NGFW in FIPS mode.
  Log Handling: Opens the Log Handling Settings dialog box.
  Connection Tracking Mode: When connection tracking is enabled, reply packets are allowed as part of the allowed connection without an explicit Access rule. You can override this engine-specific setting and configure connection tracking for TCP, UDP, and ICMP traffic in Access rules.
    • Normal — The engine drops ICMP error messages related to connections that are not currently active in connection tracking. A valid, complete TCP handshake is required for TCP traffic. The engine checks the traffic direction and the port parameters of UDP traffic. On Firewalls, Normal is the default setting.
    • Strict — The engine does not permit TCP traffic to pass through before a complete, valid TCP handshake is performed.
    • Loose — The engine allows some connection patterns and address translation operations that are not allowed in the Normal mode. This mode can be used, for example, if routing is asymmetric and cannot be corrected, or if the use of dynamic routing protocols causes the Firewall to receive non-standard traffic patterns.
  Virtual Defragmenting: When selected, fragmented packets are sent onwards using the same fragmentation as when they arrived at the engine. When the engine receives fragmented packets, it defragments the packets for inspection. The original fragments are queued on the engine until the inspection is finished. If the option is not selected, the packets are sent onwards as if they had arrived unfragmented.
  Strict TCP Mode for Deep Inspection: This option is included for backward compatibility with legacy Forcepoint NGFW software versions. Selecting this option has no effect on Forcepoint NGFW version 5.8.0 or later.
  Concurrent Connection Limit: A global limit for the number of open connections. When the set number of connections is reached, the engine blocks new connection attempts until a previously open connection is closed.
  Default Connection Termination in Inspection Policy: Defines how connections that match rules with the Terminate action in the Inspection Policy are handled.
    • Terminate and Log Connection — Stops the matching connections. This option is the default setting.
    • Only Log Connection — Does not stop the matching connections. Creates a Terminate (passive) log entry for the matching connections. This option is useful for testing which types of connections are stopped.
  VPN Settings: Opens the VPN Settings dialog box.
  Policy Routing: Opens the Policy Routing dialog box.
  Idle Timeouts: Opens the Idle Timeouts dialog box.
  SYN Rate Limits: Opens the Default SYN Rate Limits dialog box.
  Scan Detection: Opens the Scan Detection Settings dialog box.
  DoS Protection: Opens the DoS Protection Settings dialog box.
Define Endpoints for the Internal VPN Gateways page

  Enabled: When selected, the endpoint is enabled.
  Edit: Opens the Properties dialog box for the selected endpoint.
  Review and Edit Internal VPN Gateway Endpoints: Shows a summary of the information you entered on the previous page.
Select a Policy to Install on the Firewalls page

  Policy: Click Select to select the policy to install on the Firewalls.
  Summary: Shows you a summary of the options that you have selected.
  Finish: Completes the creation of multiple Single Firewalls.