Create Master NGFW Engine elements

A Master NGFW Engine is a physical engine device that provides the resources for Virtual NGFW Engines. One physical Master NGFW Engine can support multiple Virtual NGFW Engines.

Before you begin

Before creating Master NGFW Engine elements, generate and install NGFW Engine licenses for the Master NGFW Engines.

By default, a Master NGFW Engine element has placeholders for two nodes when the element is created. A Master NGFW Engine can have 1–16 nodes. If you do not need to use clustering on the Master NGFW Engine, you can remove one of the automatically created nodes.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration.
  2. Right-click NGFW Engines and select New > Master NGFW Engine.
    You are prompted to select the role for the Virtual NGFW Engines that this Master NGFW Engine hosts.
    Note: You cannot change the role of the Virtual NGFW Engines that the Master NGFW Engine hosts after you create the Master NGFW Engine element.
  3. Select the role for the Virtual NGFW Engines that this Master NGFW Engine will host and click OK.
    The Engine Editor opens.
  4. Give the element a unique Name.
  5. Select the Log Server to which the Master NGFW Engine sends its log data.
    The Master NGFW Engine also sends log data from the Virtual NGFW Engines to the same Log Server.
  6. (Optional) In the DNS IP Addresses field, add one or more DNS IP addresses.
    DNS IP addresses are the IP addresses of external DNS servers. Master NGFW Engines use these DNS servers to resolve domain names to IP addresses. Master NGFW Engines need DNS resolution to contact services that are defined using URLs or domain names, and to resolve fully qualified domain names (FQDNs) used in policies.
    • To enter a single IP address manually, click Add and select IP Address. Enter the IP address.
    • To define an IP address using a network element, click Add and select Network Element.
  7. Select the Location for this Master NGFW Engine if there is a NAT device between this Master NGFW Engine and other SMC components.
  8. (Optional) If you want to include the Master NGFW Engine in predefined categories, select the appropriate Categories.
  9. (Optional) If you want to add custom commands to the Master NGFW Engine’s right-click menu, add a Tools Profile.
  10. (Optional) If you do not need to use clustering on the Master NGFW Engine, select one of the nodes and click Remove Node.
    You are prompted to confirm that you want to delete the selected node. Click Yes.

Next steps

You are now ready to create Virtual Resource elements.

Engine Editor – common elements

Use the Engine Editor toolbar options to save changes to the engine configuration and refresh a policy on the engine. These options are shown no matter which branch of the Engine Editor you have open.

Option Definition
Save Validates and saves the changes. The Engine Editor tab stays open.
Save and Refresh Validates and saves the changes, and refreshes the policy on the engine. The Engine Editor tab stays open.
Tools Validate — Validates the changes without saving them. The Engine Editor tab stays open.

Engine Editor – General

Use this branch to change general engine settings for clustering, engine tester configuration, and administrator permissions.

Option Definition
Name The name of the element.
Log Server Specifies the Log Server to which the engine sends the event data.
Version

(Not available for clusters)

The version of the Forcepoint Next Generation Firewall software. Not editable.
Status

(Not available for clusters)

Shows the configuration status of the engine. Not editable.
DNS IP Addresses

(Optional)

Specifies the IP addresses of the DNS servers that the engine uses to resolve:
  • Malware signature mirror
  • Domain names
  • URL filtering categorization services

(Firewall/VPN role only) For DNS relay, specifies the IP addresses of external DNS servers to which the engine forwards DNS requests from clients in the internal network.

If you have configured at least one Physical Interface with a dynamic IP address or one static NetLink with a DNS IP address, the default value of the DNS IP Addresses field is The engine uses NetLink-specific DNS IP addresses.

Note: Specifying a value for the DNS IP Addresses field overrides NetLink-specific DNS IP addresses defined in the NetLink properties.
Add Adds one or more IP addresses using the following options:
  • IP Address — Adds an IP Address element that represents a single IP address.
  • Network Element — Adds a Network element that represents a network space.
Remove Removes one or more selected IP addresses from the DNS IP Addresses list.
Location Specifies the location for the engine if there is a NAT device between the engine and other SMC components.
Category

(Optional)

Includes the element in predefined categories. Click Select to select a category.
Tools Profile Adds custom commands to the engine's right-click menu.
  • Select — Select an existing Tools Profile element.
  • None — Removes all previously selected Tools Profile elements.
  • New — Create a Tools Profile element.
Comment

(Optional)

A comment for your own reference.

Add IP Address dialog box

Use this dialog box to manually add DNS IP addresses to the engine.

Option Definition
Enter a Manual IP Address Adds the IP address of the DNS server.

Engine Editor – General – Clustering

Use this branch to view nodes and add new nodes to the NGFW Engine cluster.

Option Definition
Node ID

(Not editable)

Shows the ID number of the node.
Name Specifies the name of the node. Double-click the cell to edit the name.
Configuration Status

(Not editable)

Shows the configuration status of the node.
Version

(Not editable)

Shows the version of the NGFW Engine software that is installed on the engine.
Comment

(Optional)

A comment for your own reference.
SNMP Location Specifies the SNMP location string that is returned on queries to the SNMPv2-MIB or SNMPv2-MIB-sysLocation object.
SNMP Engine ID

(SNMPv3 only)

A unique identifier for each NGFW Engine node that is used by the SNMP agent.

The engine ID is used with a hash function to generate keys for authentication and encryption of SNMPv3 messages. If you do not specify the SNMP engine ID, an SNMP engine ID is automatically generated.

Disabled Temporarily disables the node. You can enable the node later.
Add Node Adds a node to the cluster. Opens the Engine Node Properties dialog box.
Edit Node Allows you to change the properties of the selected node. Opens the Engine Node Properties dialog box.
Remove Node Deletes the selected node. The deleted node cannot be restored.
Clustering Mode
  • Balancing — All nodes are simultaneously online, providing enhanced performance and high availability if there is a node failure. Balancing mode is the default mode.
  • Standby — Only one node can be online at a time. We recommend having at least one other node on standby to allow automatic takeover if there is a failure. Several nodes can be on standby at a time. A randomly selected standby node is turned online when the online node fails.
Clustering Allows you to change advanced settings for the cluster. Opens the Advanced Cluster Settings dialog box.

Engine Editor – General – Tester

Use this branch to configure the tester to run various checks on the engines and initiate responses based on the success or failure of these tests.

Option Definition
Global Settings section
Alert Interval Specifies the time in minutes the system waits before sending a new alert when the same test keeps failing repeatedly. The default value is 60 minutes.
Note: If the interval is too short, the alerts can overload the system or the alert recipient.
Delay After Specifies the time in seconds that the engine waits before it resumes running the tests after the listed events. The delays prevent false test failures that can occur due to variations in how quickly different processes and subsystems can start and stop.
  • Boot — The default is 30 seconds.
  • Reconfiguration — The default is 5 seconds.
  • Status Change — The default is 5 seconds.
Note: The maximum value for all options is 1800.
Auto Recovery

(Clusters and Master NGFW Engines only)

When selected, the engine automatically goes back online when a previously failed test completes successfully.
Note: Run the test in both online and offline states if you activate this option.
Boot Recovery When selected, the engine automatically goes back online after a reboot if all offline tests report a success.
Global Node Selection for Engine Tests
Search Opens a search field for the selected element list.
Tools Refresh View — Refreshes the list of elements.
Active Shows whether the node is included in the tests that have been configured for the engine. Deselect to exclude a node from all engine tests.
Tip: If you select ALL for the Node setting in the test properties, you can use the Global Node Selection for Engine Tests table to exclude a specific node from the test.
Name Specifies the name of the node.
Node Specifies the node ID.
Set to Default Returns tester changes to the default settings.
Option Definition
Engine Tests section
Search Opens a search field for the selected element list.
Tools Refresh View — Refreshes the list of elements.
Name Specifies the name of the test.
Active Shows whether the test is active. Deselect to deactivate a test.
Node Specifies whether the test applies to all nodes or a selected node.
Interval Specifies how often the test is run. The minimum interval is one second and the maximum is 86400 (one day).
Note: We recommend a minimum interval of four seconds. Running a test too frequently can increase overhead.
States Shows the engine states on which the test is run.
Action Specifies which action is taken if the test fails, and which type of notification is sent.
Parameters Specifies more parameters for the test.
Add Adds the test to the test entry table:
  • External — Runs a custom script stored on the engine. If the script returns the exit code zero (0), the test is considered successful; otherwise, the test is considered failed.
  • File System Space — Checks the free disk space on a hard disk partition.
  • Free Swap Space — Checks the available swap space on the hard disk.
  • Inline Pair Link Speed — Checks whether the network settings (speed/duplex) match on the two ports that form the inline pair and can force ports to use the same settings. Not available in the Firewall/VPN role.
  • Link Status — Checks whether a network port reports the link as up or down.
  • Multiping — Sends out a series of ping requests to determine whether there is connectivity through a network link.
  • Policy — Checks whether a new policy is activated on the engine. This option is intended for sending SNMP notifications.
Edit Allows you to change the test properties.
Remove Removes the test from the test entry table.

Engine Editor – General – Permissions

Use this branch to change permissions settings to control the administration of the engines.

Option Definition
Administrator Permissions section
Add Adds an Access Control List.
Remove Removes the selected Access Control List.
Add Permission Adds a permission to the Administrator Permissions table.
Remove Permission Removes the selected permission from the Administrator Permissions table.
Option Definition
Local Administrators section
Administrator Specifies the name of the local administrator, if local administrators have been defined for the engine.
Info Specifies whether executing root-level commands with the sudo tool is allowed for the Local Administrator.
Option Definition
Policies section
Allowed Policies Shows the policies that are allowed to be installed on the engine.
Add Adds the element to the Allowed Policies list.
Set to Any Allows the installation of any policy.
Remove Removes the selected element from the Allowed Policies list.

Engine Editor – General – SNMP

Use this branch to enable the NGFW Engine to send SNMP traps.

Option Definition
SNMP Agent Enables the NGFW Engine to send SNMP traps.
  • Select — Select an existing SNMP Agent element.
  • None — Disables the sending of SNMP traps.
  • New — Create an SNMP Agent element.
SNMP Location Specifies the SNMP location string that is returned on queries to the SNMPv2-MIB or SNMPv2-MIB-sysLocation object.
SNMP Engine ID

(Single NGFW Engines and SNMPv3 only)

A unique identifier for the NGFW Engine that is used by the SNMP agent.

The engine ID is used with a hash function to generate keys for authentication and encryption of SNMPv3 messages. If you do not specify the SNMP engine ID, an SNMP engine ID is automatically generated.

Listening IP Addresses The IPv4 or IPv6 addresses from which SNMP traps are sent.
Add Adds an interface and its IP addresses to the list. Opens the Select dialog box.
Remove Removes the selected interface and its IP addresses from the list.
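The SNMP Engine ID rows in the Clustering branch and in this SNMP branch both state that the engine ID is fed into a hash function to derive the SNMPv3 keys. The following added example (not Forcepoint code) shows the standard SNMPv3 USM procedure from RFC 3414 that does this: the password is expanded to 1 MB and hashed (Ku), and the result is then "localized" with the engine ID (Kul = H(Ku || engineID || Ku)). It uses the RFC's own test vector plus two constructed engine IDs to show why each node needs a unique engine ID: the same password yields a different key per engine.

```python
"""SNMPv3 USM key derivation (RFC 3414, section 2.6 and Appendix A).

Added illustration only; not code from Forcepoint NGFW. The engine IDs
for node1/node2 below are constructed sample values.
"""
import hashlib

ONE_MB = 1048576  # RFC 3414 expands the password to exactly 1,048,576 bytes


def password_to_key(password: bytes, algo: str = "md5") -> bytes:
    """Ku: hash of the password repeated cyclically until 1 MB (RFC 3414 A.2)."""
    if not password:
        raise ValueError("empty password")
    reps = ONE_MB // len(password) + 1
    stream = (password * reps)[:ONE_MB]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to one SNMP engine."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Full derivation from a user password to the per-engine localized key."""
    return localize_key(password_to_key(password, algo), engine_id, algo)


def keys_collide(password: bytes, engine_id_a: bytes, engine_id_b: bytes,
                 algo: str = "md5") -> bool:
    """True when two engines sharing a password end up with the same localized
    key, which is exactly what a duplicated SNMP engine ID causes."""
    return (localized_key(password, engine_id_a, algo)
            == localized_key(password, engine_id_b, algo))


if __name__ == "__main__":
    # RFC 3414 Appendix A.3.1 test vector: password "maplesyrup", engine ID ...02
    pw = b"maplesyrup"
    rfc_engine_id = bytes.fromhex("000000000000000000000002")
    print("Ku  (MD5):", password_to_key(pw, "md5").hex())
    print("Kul (MD5):", localized_key(pw, rfc_engine_id, "md5").hex())

    # Two cluster nodes with the same SNMP password but distinct engine IDs
    # (constructed values) derive distinct keys; a duplicated ID would not.
    node1 = bytes.fromhex("80001f8880a1b2c3d4")
    node2 = bytes.fromhex("80001f8880a1b2c3d5")
    print("same key across nodes:", keys_collide(pw, node1, node2))
```

The MD5 and SHA-1 values for the RFC vector can be checked against RFC 3414 Appendix A.3; the constructed node IDs only demonstrate the uniqueness property.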

Engine Editor – General – NTP

Use this branch to enable NTP time synchronization and select NTP servers for the NGFW Engine.

Option Definition
Enable time synchronization from NTP server When selected, the NGFW Engine uses an external NTP server for time synchronization.
Preferred

(Optional)

When selected, the NGFW Engine uses the specified NTP server by default.

NTP Server

Lists the available NTP servers. The following right-click actions are available:

  • Select — Allows you to add an NTP Server element to the cell. Opens the Select Element dialog box.
  • Remove — Removes the row from the table.
  • Clear — Removes the NTP Server element from the cell.
Click Add to add a row to the table, or Remove to remove the selected row.

Engine Editor – Interfaces

Use this branch to configure the necessary interfaces and IP addresses for the engine.

Option Definition
Add Adds an interface or IP address of the specified type:
  • Layer 3 Physical Interface

    (Available for Single Firewalls, Firewall Clusters, Virtual Firewalls, and Master NGFW Engines in the Firewall/VPN role)

  • Layer 2 Physical Interface

    (Available for Single Firewalls, Firewall Clusters, Virtual Firewalls, and Master NGFW Engines in the Firewall/VPN role)

  • Physical Interface

    (Available for all engine types except Single Firewalls, Firewall Clusters, Virtual Firewalls, and Master NGFW Engines in the Firewall/VPN role)

  • VLAN Interface

    (Available for all engine types)

  • IPv4 Address

    (Not available for Virtual IPS engines or Virtual Layer 2 Firewalls)

  • IPv6 Address

    (Not available for Virtual IPS engines or Virtual Layer 2 Firewalls)

  • ADSL Interface

    (Available for Single Firewalls and Firewall Clusters)

  • Tunnel Interface

    (Available for Single Firewalls, Firewall Clusters, and Virtual Firewalls)

  • Modem Interface

    (Available for Single Firewalls)

  • Wireless Interface

    (Available for Single Firewalls)

  • SSID Interface

    (Available for Single Firewalls)

  • Switch

    (Available for Single Firewalls)

  • Port Group Interface

    (Available for Single Firewalls)

CAUTION:
Physical Interfaces for Virtual NGFW Engines are automatically created based on the interface configuration in the Master NGFW Engine properties. The number of Physical Interfaces depends on the number of interfaces allocated to the Virtual NGFW Engine in the Master NGFW Engine. Physical Interfaces that you add to Virtual NGFW Engines might not be valid.
Edit Allows you to change the properties of the interface or IP address.
Remove Removes the selected interface or IP address from the table.

Engine Editor – Interfaces – Interface Options

Use this branch to define which IP addresses are used in particular roles in the engine's system communications.

Option Definition
Control Interface

(Not Virtual Firewalls)

  • Primary — Specifies the Primary Control IP address for Management Server contact.
  • Backup (Optional) — Specifies the Backup Control IP address that is used if the Primary Control IP address is not available.
Note: We recommend that you do not use the IP address of an Aggregated Link interface as the primary or secondary control IP address of the engine.
Heartbeat Interface

(Clusters and Master NGFW Engines only)

  • Primary — Specifies communications between the nodes. We recommend that you use a Physical Interface, not a VLAN Interface. We strongly recommend that you do not direct any other traffic through this interface. A dedicated network helps guarantee reliable and secure operation.
    CAUTION:
    Primary and Backup Heartbeat networks exchange confidential information. If dedicated networks are not possible, configure the cluster to encrypt the exchanged information.
  • Backup — Used if the Primary Heartbeat Interface is unavailable. It is not mandatory to configure a backup Heartbeat Interface, but we strongly recommend it. If heartbeat traffic is not delivered, the cluster cannot operate and traffic is disturbed. We strongly recommend that you use a dedicated interface for the backup heartbeat as well.
Node-Initiated Contact to Management Server

When selected, the NGFW Engine opens a connection to the Management Server and maintains connectivity. This option is always used with a dynamic control IP address, so it is always selected if the control IP address is dynamic.

If the connection is not open when you command the engine through the Management Client, the command is left pending until the engine opens the connection again.

Note: This option is not supported for IPS Clusters, Layer 2 Firewall Clusters, or Virtual NGFW Engines.

Identity for Authentication Requests

The IP address of the selected interface is used when an engine contacts an external authentication server.

This option does not affect the routing of the connection with the authentication server. The IP address is used only as a parameter inside the authentication request payload to give a name to the request sender.

Source for Authentication Requests By default, specifies the source IP address for authentication requests according to routing. If the authentication requests are sent to an external authentication server over VPN, select an interface with a Node Dedicated IP address that you want to use for the authentication requests.
Default IP Address for Outgoing Traffic Specifies the IP address that the engine uses to initiate connections (such as for system communications and ping) through an interface that has no Node Dedicated IP Address. In clusters, you must select an interface that has an IP address defined for all nodes.

Engine Editor – Interfaces – Virtual Resources

Use this branch to add Virtual Resources to the Master NGFW Engine.

Option Definition
Add Adds a Virtual Resource to the Master NGFW Engine. Opens the Virtual Resource Properties dialog box.
Edit Allows you to change the properties of the selected Virtual Resource. Opens the Virtual Resource Properties dialog box.
Remove Deletes the selected Virtual Resource.

Engine Editor – Interfaces – ARP Entries

Use this branch to manually add ARP entries for IPv4 or neighbor discovery entries for IPv6.

Option Definition
Add ARP Entry Adds an ARP entry.
Remove ARP Entry Removes the selected ARP entry.

Engine Editor – Routing

Use this branch to view and change the engine's routing configuration.

Option Definition
Refresh View Updates the view.
Expand All Expands all levels of the routing tree.
Collapse All Collapses all levels of the routing tree.
Display Mode Changes how the routing configuration is displayed.
  • Tree View — Displays the routing configuration as a tree of interfaces, Router elements, NetLink elements, and destination networks.
  • Table View — Displays the routing configuration as a table of destination networks, routing gateways, interfaces, and NetLink elements.
Default Route Allows you to view and create default routes that are used when there is no more specific route defined.
Note: If the Automatic Default Route setting is selected in the properties of the interface, default routes are created automatically for interfaces with dynamic IP addresses on single engines.
  • Gateway — The IP address of the gateway device. You can also double-click the field and select a gateway device for the route.
  • Add — Adds the default route to the routing configuration.
  • Show Default Route — Highlights the default route in the Tree View or the Table View.
Add Route Allows you to add routes to specific destination networks.
  • Destination — The destination IP address or network.
  • Gateway — The IP address of the gateway device. You can also double-click the field and select a gateway device for the route.
  • Add — Adds the route to the routing configuration.
Query Route Allows you to search for routes.
  • Source — The source IP address.
  • Destination — The destination IP address.
  • Query — Highlights the route in the Tree View or the Table View.

Engine Editor – Routing – Antispoofing

Use this branch to view and change the engine's antispoofing configuration.

Option Definition
Refresh View Updates the view.
Expand All Expands all levels of the routing tree.
Collapse All Collapses all levels of the routing tree.

Engine Editor – Routing – Multicast Routing

Use this branch to define static multicast, IGMP-based multicast forwarding, or PIM dynamic routing. Only IPv4 addresses are supported.

Option Definition
Multicast Routing Mode Specifies how the engine routes multicast traffic.
  • None — Disables multicast routing.
  • Static — Enables options that allow you to add static routes for multicast traffic.
  • IGMP Proxy — Enables options that allow you to use the engine for IGMP-based multicast forwarding.
  • PIM — Enables options that allow you to use the engine for dynamic routing using PIM.
Option Definition
When Multicast Routing Mode is Static
Source Interface Select the interface to use for multicast routing.
Source IP Address Enter the unicast IP address of the multicast source.
Destination IP Address Enter the multicast destination IP address. The destination address must be within the multicast range of 224.0.0.0 to 239.255.255.255.
Destination Interface Right-click Destination Interface, then select Edit Destination Interface to select the interfaces where you want this multicast traffic forwarded.
Comment

(Optional)

A comment for your own reference.
Add Adds a row to the table.
Remove Removes the selected row from the table.
Option Definition
When Multicast Routing Mode is IGMP Proxy
Upstream Interface Select the interface to use as the upstream interface. If the multicast servers and the hosts are in the local networks, or if you want to limit the multicast to the local networks, it is not necessary to define the upstream interface. In that case, leave Not Set selected.
Upstream IGMP Version Select the IGMP version according to the upstream network environment. The default IGMP version is version 3.
Interface Select the downstream interfaces.
IGMP Querier Settings Select an IGMP Querier Settings element according to the downstream network environment. The element defines the IGMP version and query parameters.
Add Adds a downstream interface to the Downstream Interfaces table.
Remove Removes the selected downstream interface from the Downstream Interfaces table.
Option Definition
When Multicast Routing Mode is PIM
PIM Profile Select a PIM Profile to use. The profile contains the multicast groups and determines the PIM mode that is used.
MRoute Preference
Note: This option is not supported in this version of Forcepoint NGFW.
The routing table is used to specify reverse path forwarding (RPF) information whenever multicast traffic from source addresses uses a different path than unicast traffic from the same source address.
  • Best Match Preferred — The RPF lookup prefers the best match based on both the default routing table and the Multicast routing (mroute) table.
  • MRoute Preferred — The RPF lookup uses the mroute table. If the mroute table cannot be used, the default routing table is used.
Bootstrap Settings — see RFC 5059 for more information.
RP Candidate If you want to use the firewall as a rendezvous point (RP) candidate, select an IP address. Otherwise, select Not a Candidate.
RP Priority Enter a value for the RP priority.
Multicast Groups Add the multicast IPv4 networks for which the firewall acts as an RP candidate.
Add Adds a row to the table.
Remove Removes the selected row from the table.
BSR Candidate If you want to use the firewall as a bootstrap router (BSR) candidate, select an IP address. Otherwise, select Not a Candidate.
BSR Priority Enter a value for the BSR priority.

Engine Editor – Routing – Policy Routing

Use this branch to define policy routing for the engine.

Option Definition
IPv4 Policy Routes or IPv6 Policy Routes Enter the routing information in the appropriate table. Click Add to add a row to the table, or Remove to remove the selected row. Click Up or Down to move the selected element up or down.
Source IP Address Enter the source IP address. Use a specific address rather than the default 0.0.0.0, which matches any IP address; configurations that match any source are handled more easily with the normal routing tools in the Routing pane.
Source Netmask

(IPv4 only)

Enter the netmask for the source IP address.
Source Prefix

(IPv6 only)

Enter the network prefix for the source IP address.
Destination IP Address Enter the destination IP address.
Destination Netmask

(IPv4 only)

Enter the netmask for the destination IP address.
Destination Prefix

(IPv6 only)

Enter the network prefix for the destination IP address.
Gateway IP Address Enter the IP address of the device to which packets that match the source/destination pair are forwarded.
Comment

(Optional)

A comment for your own reference.

Engine Editor – Add-Ons

Use this branch to view a summary of the add-on features and the status of each feature.

Engine Editor – Add-Ons – Anti-Malware

Use this branch to enable and change settings for anti-malware checks on the engine.

Option Definition
Enable Enables anti-malware checks.
Malware Log Level The log level for anti-malware events.
  • None — Does not create any log entry.
  • Transient — Creates a log entry that is displayed in the Current Events mode in the Logs view (if someone is viewing it) but is not stored.
  • Stored — Creates a log entry that is stored on the Log Server.
  • Essential — Creates a log entry that is shown in the Logs view and saved for further use.
  • Alert — Triggers an alert entry.
Alert When Alert is selected as the log level, specifies the Alert element that is sent.
Option Definition
Malware Signature Update Settings section
Update Frequency Defines how often the engine checks for updates to the anti-malware database.
  • Never — The engine does not check for updates. You must update the anti-malware database manually.
  • When Anti-Malware Daemon Starts — The anti-malware daemon starts, for example, when the anti-malware feature is enabled or when the engine restarts.
  • Every Hour — The engine checks for updates once an hour.
  • Daily — The engine checks for updates once a day. Set the Time of day that the engine checks for updates.
  • Weekly — The engine checks for updates once a week. Set the Day and Time of day that the engine checks for updates.
Option Definition
Malware Signature Mirror Settings section
Mirror(s) Enter the URL of the anti-malware database mirror that the engine contacts to update the anti-malware database. Separate multiple addresses with commas.
Use HTTP Proxy

(Optional)

Specifies that the engine uses an HTTP proxy to connect to the anti-malware database mirrors.
Host The IP address or DNS name of the HTTP proxy.
Port The listening port of the HTTP proxy.
Username The user name for authenticating to the HTTP proxy.
Password The password for authenticating to the HTTP proxy.
Hide Prevents the password from being shown as plain text. Deselect this option to show the password. Selected by default.

Engine Editor – Add-Ons – Sandbox

Use this branch to select and configure sandbox servers for engines.

Option Definition
Sandbox Type Specifies which type of sandbox the engine uses for sandbox file reputation scans.
  • Cloud Sandbox - Forcepoint Advanced Malware Detection — The engine uses the cloud sandbox for Forcepoint Advanced Malware Detection.
  • Local Sandbox - Forcepoint Advanced Malware Detection — The engine uses the local sandbox for Forcepoint Advanced Malware Detection.
    Note: To use the local sandbox for Forcepoint Advanced Malware Detection, you must have a Forcepoint Advanced Malware Detection appliance.
  • Local Sandbox - McAfee Advanced Threat Defense (ATD) — The engine uses McAfee Advanced Threat Defense.
    Note: McAfee Advanced Threat Defense is no longer supported in NGFW version 6.4.0 and later. We recommend that you use Forcepoint Advanced Malware Detection instead.
  • None — The engine does not use a sandbox.
Option Definition
When Sandbox Type is Cloud Sandbox - Forcepoint Advanced Malware Detection
License Key The license key for the connection to the cloud sandbox server.
Note: The license defines the home data center where files are analyzed. Enter the key and license token for the data center that you want to use as the home data center.
CAUTION:
The license key and license token allow access to confidential analysis reports. Handle the license key and license token securely.
License Token The license token for the connection to the cloud sandbox server.
Sandbox Service Specifies the sandbox service that the firewall contacts to request file reputation scans. Click Select to select a Sandbox Service element.
HTTP Proxies

(Optional)

When specified, requests are sent through an HTTP proxy instead of the engine accessing the external network directly.

Add — Allows you to add an HTTP Proxy to the list.

Remove — Removes the selected HTTP Proxy from the list.

Option Definition
When Sandbox Type is Local Sandbox - Forcepoint Advanced Malware Detection
License Key The license key for the connection to the local sandbox server.
License Token The license token for the connection to the local sandbox server.
Sandbox Service Click Select to select a Sandbox Service element.
HTTP Proxies

(Optional)

When specified, requests are sent through an HTTP proxy instead of the engine accessing the external network directly.

Add — Allows you to add an HTTP Proxy to the list.

Remove — Removes the selected HTTP Proxy from the list.

Engine Editor – Add-Ons – File Reputation

Use this branch to enable file reputation services for file filtering.

Option Definition
File Reputation Service Select the file reputation service to use.
  • None — Disables file reputation services.
  • Threat Intelligence Exchange (TIE) — Enables the use of McAfee TIE file reputation services for file filtering.
  • Global Threat Intelligence (GTI) — Enables the use of McAfee GTI file reputation services for file filtering.
Option Definition
When File Reputation Service is Threat Intelligence Exchange (TIE)
ePO Server Shows the selected McAfee ePO Server element. The McAfee ePO server handles the request for DXL credentials initiated by the SMC.
Select Opens the Select Element dialog box, where you can select an ePO Server element.
DXL Certificates Shows the currently valid DXL certificates.
Generate DXL Certificates Generates new certificates.
Option Definition
When File Reputation Service is Global Threat Intelligence (GTI)
HTTP Proxies

(Optional)

When specified, requests are sent through an HTTP proxy instead of the engine accessing the external network directly.

Add — Allows you to add an HTTP Proxy to the list.

Remove — Removes the selected HTTP Proxy from the list.

Note: You can only use one HTTP proxy for the connection to the McAfee Global Threat Intelligence file reputation service. If you select more than one HTTP proxy, the additional HTTP proxies are ignored.

Engine Editor – Add-Ons – Sidewinder Proxy (Master NGFW Engines)

These settings are intended for advanced users. We do not recommend changing these settings unless you are instructed to do so by Forcepoint support.

Option Definition
Shared tab — Use this tab to define advanced Sidewinder Proxy settings that are shared by all SSM Proxies.
Shared Proxy Property The name of the shared advanced Sidewinder Proxy setting.
Value The value of the advanced Sidewinder Proxy setting.
Add Adds a row.
Remove Removes the selected row.
Option Definition
HTTP tab — Use this tab to define advanced Sidewinder Proxy settings for the SSM HTTP Proxy.
HTTP Proxy Property The name of the advanced HTTP Sidewinder Proxy setting.
Value The value of the advanced Sidewinder Proxy setting.
Add Adds a row.
Remove Removes the selected row.
Option Definition
SSH tab — Use this tab to define advanced Sidewinder Proxy settings for the SSM SSH Proxy.
SSH Proxy Property The name of the advanced SSH Sidewinder Proxy setting.
Value The value of the advanced Sidewinder Proxy setting.
Add Adds a row.
Remove Removes the selected row.
Option Definition
TCP tab — Use this tab to define advanced TCP Sidewinder Proxy settings for the SSM TCP Proxy.
TCP Proxy Property The name of the advanced Sidewinder Proxy setting.
Value The value of the advanced Sidewinder Proxy setting.
Add Adds a row.
Remove Removes the selected row.
Option Definition
UDP tab — Use this tab to define advanced Sidewinder Proxy settings for the SSM UDP Proxy.
UDP Proxy Property The name of the advanced UDP Sidewinder Proxy setting.
Value The value of the advanced Sidewinder Proxy setting.
Add Adds a row.
Remove Removes the selected row.

Engine Editor – Policies

Use this branch to view information about the policy that is installed on the engine.

Engine Editor – Policies – Automatic Rules

Use this branch to view a summary of currently used Automatic rules and change general settings for Automatic rules.

Option Definition
Allow Traffic to Authentication Ports

(Firewall/VPN role only)

When Yes is selected, allows traffic to the ports that are used for user authentication.
Allow Traffic from Listening IP Addresses to DNS Relay Port

(Firewall/VPN role only)

When Yes is selected, allows traffic from clients in the internal network to the standard DNS ports (53/TCP and 53/UDP) on the interfaces that are selected as listening interfaces for DNS relay.
Allow Connections to Domain-Specific DNS Servers

(Firewall/VPN role only)

When Yes is selected, allows connections from the firewall to the domain-specific DNS servers specified in the DNS Relay Profile element that is selected for the firewall.
Allow Connections from Local DHCP Relay to Remote DHCP Server

(Firewall/VPN role only)

When Yes is selected, allows connections from interfaces on which DHCP relay is active to remote DHCP servers.
Log Level for Automatic Rules The log level for traffic that matches automatic rules.
  • None — Does not create any log entry.
  • Alert — Triggers an alert entry.
  • Essential — Creates a log entry that is shown in the Logs view and saved for further use.
  • Stored — Creates a log entry that is stored on the Log Server.
  • Transient — Creates a log entry that is displayed in the Current Events mode in the Logs view (if someone is viewing it) but is not stored.
Alert When Alert is selected, specifies the Alert element that is sent.
Reset to Default Settings Returns Automatic Rule changes to the default settings.

Engine Editor – Policies – Aliases

Use this branch to view and change alias translation values.

Option Definition
Alias Shows the name of the Alias element.
Value Right-click the Value cell and select one of the following options:
  • Edit Value — Opens the Alias Value Properties dialog box.
  • Set to Any — The Alias element matches any value.
  • Set to None — Disables translation for the Alias element.

Engine Editor – Advanced Settings

Use this branch to change system parameters for the NGFW Engine. These parameters control how the NGFW Engine behaves under certain traffic conditions.

Option Definition
Encrypt Configuration Data By default, the configuration of the NGFW Engine is stored in an encrypted format. Disable the encryption only if instructed to do so by Forcepoint support.
Bypass Traffic on Overload

(IPS only)

When selected, the NGFW Engine dynamically reduces the number of inspected connections if the load is too high.

Some traffic might pass through without any access control or inspection if this option is selected. Bypassed traffic is not counted when a possible license throughput limit is enforced. The bypass does not affect traffic subject to TLS Inspection.

If this option is not selected, the NGFW Engine inspects all connections. Some connections might not get through if the IPS engine gets overloaded.

Contact Node Timeout

The maximum amount of time the Management Server tries to connect to an NGFW Engine.

A consistently slow network connection might require increasing this value. The default value is 120 seconds.

Note: Setting the timeout value too short or too long can delay or prevent contact between the Management Server and the NGFW Engines.
Auto Reboot Timeout Specifies the length of time after which an error situation is considered non-recoverable and the NGFW Engine automatically reboots. The default value is 10 seconds. Set to 0 to disable.
Policy Handshake When selected, the nodes automatically roll back to using the previously installed policy if connectivity is lost after installing a new policy.

Without this feature, you must switch to the previous configuration manually through the engine's boot menu.

Note: We recommend adjusting the timeout (next setting) rather than disabling this feature completely if there is a need to make changes.
Rollback Timeout The length of time the NGFW Engine waits for a management connection before it rolls back to the previously installed policy when the Policy Handshake option is active. The default value is 60 seconds.
Automated Node Certificate Renewal When selected, the NGFW Engine's certificate for system communications is automatically renewed before it expires. Otherwise, the certificate must be renewed manually.

Each certificate for system communications is valid for three years. If the certificate expires, other components refuse to communicate with the NGFW Engine.

Note: Does not renew VPN certificates. Automatic certificate renewal for internally signed VPN certificates is set separately in the NGFW Engine's VPN settings.
FIPS-Compatible Operating Mode

(Firewalls only)

When selected, activates a mode that is compliant with the FIPS (Federal Information Processing Standard) 140-2.
Note: You must also select FIPS-specific settings in the NGFW Initial Configuration Wizard on the command line of the NGFW Engine. For more information, see How to install Forcepoint NGFW in FIPS mode.
Number of CPUs Reserved for Control Plane Select how many CPUs to reserve for control plane operations. In situations where there is exceptionally high traffic, in a denial of service attack, for example, this ensures that you can still monitor and control the NGFW Engine operation.
Note: The reserved CPUs cannot be used for traffic processing. Using fewer CPUs for traffic processing degrades performance.
Isolate Also Interfaces for System Communications When selected, the reserved CPUs handle the system communications traffic that passes through the Control Interfaces and dedicated primary Heartbeat Interfaces. We recommend that you only use this option when the Physical Interfaces used for system communications do not handle any other traffic.

Engine Editor – Advanced Settings – Traffic Handling

Use this branch to change advanced parameters that control how the engine handles traffic.

Option Definition
Connection Tracking Mode

(IPS engines and Layer 2 Firewalls only)

Layer 3 Connection Tracking Mode

(Firewalls only)

When connection tracking is enabled, reply packets are allowed as part of the allowed connection without an explicit Access rule.

You can override this engine-specific setting and configure connection tracking for TCP, UDP, and ICMP traffic in Access rules.

  • Normal — The engine drops ICMP error messages related to connections that are not currently active in connection tracking. A valid, complete TCP handshake is required for TCP traffic. The engine checks the traffic direction and the port parameters of UDP traffic.
  • Strict — The engine does not permit TCP traffic to pass through before a complete, valid TCP handshake is performed.
  • Loose — The engine allows some connection patterns and address translation operations that are not allowed in the Normal mode. This mode can be used, for example, if routing is asymmetric and cannot be corrected or if the use of dynamic routing protocols causes the engine to receive non-standard traffic patterns.
On Firewalls and Layer 2 Firewalls, Normal is the default setting. On IPS engines, Loose is the default setting.
Virtual Defragmenting

(Not Virtual NGFW Engines)

(Not editable on IPS engines)

When selected, fragmented packets are sent onwards using the same fragmentation as when they arrived at the engine.

When the engine receives fragmented packets, it defragments the packets for inspection. The original fragments are queued on the engine until the inspection is finished. If the option is not selected, the packets are sent onwards as if they had arrived unfragmented.

Strict TCP Mode for Deep Inspection

(Not Virtual NGFW Engines)

This option is included for backward compatibility with legacy Forcepoint NGFW software versions. Selecting this option has no effect on Forcepoint NGFW version 5.8.0 or later.
Concurrent Connection Limit

(Not Virtual NGFW Engines)

A global limit for the number of open connections. When the set number of connections is reached, the engine stops the next connection attempts until a previously open connection is closed.
Default Connection Termination in Access Policy

(IPS engines and Layer 2 Firewalls only)

Defines how connections that match Access rules with the Discard action are handled.
  • Terminate and Log Connection — Stops the matching connections. This option is the default setting.
  • Only Log Connection — Does not stop the matching connections. Creates a Terminate (passive) log entry for the matching connections. This option is useful for testing which types of connections are stopped.
Default Connection Termination in Inspection Policy Defines how connections that match rules with the Terminate action in the Inspection Policy are handled.
  • Terminate and Log Connection — Stops the matching connections. This option is the default setting.
  • Only Log Connection — Does not stop the matching connections. Creates a Terminate (passive) log entry for the matching connections. This option is useful for testing which types of connections are stopped.
Action When TCP Connection Does Not Start With a SYN Packet

(Firewalls only)

The engine refuses TCP connections that do not start with a SYN packet, even if the connection matches an Access rule with the Allow action. If the first packet of the connection is a TCP reset, the engine never answers it with a TCP reset of its own.
  • Discard Silently — The connection is silently dropped.
  • Refuse With TCP Reset — The connection is refused, and a TCP reset packet is returned.
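The following is an added example that models the behaviour described in the Connection Tracking Mode row (Normal mode: replies of tracked connections pass without an explicit rule, new TCP flows must start with a SYN, ICMP errors must relate to a tracked connection) together with the two choices for a TCP connection that does not start with a SYN. It is not Forcepoint code; the Packet fields, the class and function names, the verdict strings and the sample addresses are assumptions made for illustration.

```python
"""Simplified connection tracker (Normal mode) with the non-SYN action.

Added example, not Forcepoint code. Packet fields, names, verdict strings
and sample addresses are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""                 # TCP flags: "S" SYN, "A" ACK, "R" RST
    related: Optional[FlowKey] = None   # ICMP error: the connection it refers to


class ConnectionTracker:
    def __init__(self, non_syn_action: str = "Discard Silently"):
        assert non_syn_action in ("Discard Silently", "Refuse With TCP Reset")
        self.non_syn_action = non_syn_action
        self.table: Dict[FlowKey, str] = {}   # tracked connections and their state

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.src, p.sport, p.dst, p.dport)

    def _tracked(self, k: FlowKey) -> Optional[FlowKey]:
        """Return the table key matching k in either direction, or None."""
        if k in self.table:
            return k
        r = (k[2], k[3], k[0], k[1])
        return r if r in self.table else None

    def handle(self, p: Packet) -> str:
        if p.proto == "tcp":
            return self._tcp(p)
        if p.proto == "icmp":
            return self._icmp(p)
        return "allow"   # other protocols are left to Access rules, not modelled here

    def _tcp(self, p: Packet) -> str:
        k = self._key(p)
        tracked = self._tracked(k)
        if tracked is not None:
            # Reply or continuation of a tracked connection: no explicit rule needed.
            state = self.table[tracked]
            is_reply = tracked != k
            if state == "SYN_SENT" and is_reply and "S" in p.flags and "A" in p.flags:
                self.table[tracked] = "SYN_RECEIVED"
            elif state == "SYN_RECEIVED" and not is_reply and "A" in p.flags:
                self.table[tracked] = "ESTABLISHED"   # handshake complete
            if "R" in p.flags:
                del self.table[tracked]               # reset tears the connection down
            return "allow"
        if "S" in p.flags and "A" not in p.flags:
            self.table[k] = "SYN_SENT"   # fresh SYN (an Allow rule is assumed to match)
            return "allow"
        # A new TCP flow that does not start with SYN.
        if "R" in p.flags or self.non_syn_action == "Discard Silently":
            return "drop"        # never answer a reset with a reset
        return "drop+rst"        # Refuse With TCP Reset

    def _icmp(self, p: Packet) -> str:
        if p.related is None:
            return "allow"       # plain ICMP is left to Access rules, not modelled here
        # ICMP error messages pass only if they refer to a tracked connection.
        return "allow" if self._tracked(p.related) is not None else "drop"


def demo() -> List[str]:
    """Constructed packet sequence; returns the verdict for each packet."""
    fw = ConnectionTracker()
    refuse = ConnectionTracker("Refuse With TCP Reset")
    client, server = "10.0.0.5", "192.0.2.10"
    flow = (client, 40000, server, 443)
    return [
        fw.handle(Packet("tcp", client, server, 40000, 443, "S")),       # SYN opens entry
        fw.handle(Packet("tcp", server, client, 443, 40000, "SA")),      # SYN/ACK reply
        fw.handle(Packet("tcp", client, server, 40000, 443, "A")),       # handshake done
        fw.handle(Packet("tcp", "10.0.0.9", server, 40001, 443, "A")),   # no SYN: drop
        refuse.handle(Packet("tcp", "10.0.0.9", server, 40001, 443, "A")),  # drop+rst
        refuse.handle(Packet("tcp", "10.0.0.9", server, 40001, 443, "R")),  # RST first: drop
        fw.handle(Packet("icmp", "198.51.100.1", client, related=flow)),    # related: allow
        fw.handle(Packet("icmp", "198.51.100.1", "10.0.0.9",
                         related=("10.0.0.9", 40001, server, 443))),        # unrelated: drop
    ]
```

The verdict strings are only labels for the two outcomes the page names (silent discard versus a returned TCP reset); a real engine would also consult its Access rules before creating the SYN entry.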

Engine Editor – Advanced Settings – Certificate Validation

Use this branch to specify settings for certificate validation and revocation status checks on the engine. The settings are used for features that have certificate validation and certificate revocation checks enabled.

Option Definition
HTTP Proxy

(Optional)

When specified, OCSP and CRL lookups are sent through an HTTP proxy instead of the engine accessing the external network directly.
Timeout for OCSP and CRL Lookups The maximum amount of time that the engine tries to connect to the CRL or OCSP server if the connection has failed. The default is 120 seconds.

Engine Editor – Advanced Settings – SYN Rate Limits

Use this branch to change global SYN rate limits for the engine. SYN rate limits reduce the risk of SYN flood attacks against the engine.

Option Definition
SYN Rate Limits Limits for SYN packets sent to the engine.
  • None — SYN rate limits are disabled.
  • Automatic — The engine automatically calculates the Allowed SYNs per Second and Burst Size values for the interface based on the engine’s capacity and memory size.
  • Custom — Enter custom values for Allowed SYNs per Second and Burst Size.
Allowed SYNs per Second

(Custom only)

The number of allowed SYN packets per second.
Burst Size

(Custom only)

The number of allowed SYNs before the engine starts limiting the SYN rate.
CAUTION:
We recommend setting the Burst Size value to at least one tenth of the Allowed SYNs per Second value. If the burst size is too small, SYN rate limits do not work. For example, if the value for Allowed SYNs per Second is 10000, the Burst Size value must be at least 1000.
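The following is an added example, not Forcepoint code, that models the SYN rate limit as a token bucket to show why a Burst Size below one tenth of Allowed SYNs per Second breaks the limit. The 100 ms replenishment tick is an assumption of this model (it is the simplest mechanism that yields the one-tenth rule of thumb) and is not a documented engine internal; the function names and the offered rates are constructed.

```python
"""Token-bucket model of the SYN rate limit and the Burst Size caution.

Added example, not Forcepoint code. The 100 ms refill tick is an assumption
of this model; the page documents only the one-tenth rule of thumb.
"""

TICK_US = 100_000           # assumed replenishment interval: 100 ms, in microseconds
ONE_SECOND_US = 1_000_000


class SynRateLimiter:
    def __init__(self, allowed_syns_per_second: int, burst_size: int):
        self.rate = allowed_syns_per_second
        self.burst = burst_size
        self.tokens = burst_size      # the bucket starts full
        self.last_refill_us = 0

    def _refill(self, now_us: int) -> None:
        ticks = (now_us - self.last_refill_us) // TICK_US
        if ticks:
            # Each tick adds rate/10 tokens; tokens above the bucket capacity are lost,
            # which is exactly what happens when Burst Size < rate/10.
            added = ticks * self.rate * TICK_US // ONE_SECOND_US
            self.tokens = min(self.burst, self.tokens + added)
            self.last_refill_us += ticks * TICK_US

    def accept(self, now_us: int) -> bool:
        """Return True if a SYN arriving at now_us (microseconds) is admitted."""
        self._refill(now_us)
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def accepted_in_second(rate: int, burst: int, offered_per_second: int,
                       second: int = 1) -> int:
    """Offer SYNs uniformly at offered_per_second and count how many are
    admitted during the given one-second slot (after the bucket has settled)."""
    limiter = SynRateLimiter(rate, burst)
    accepted = 0
    for i in range(offered_per_second * (second + 1)):
        now_us = i * ONE_SECOND_US // offered_per_second   # integer time, no float drift
        if limiter.accept(now_us) and now_us // ONE_SECOND_US == second:
            accepted += 1
    return accepted


def burst_size_ok(allowed_syns_per_second: int, burst_size: int) -> bool:
    """The check from the caution: Burst Size must be at least rate/10."""
    return burst_size * 10 >= allowed_syns_per_second


if __name__ == "__main__":
    # With the page's example values a 2x overload is trimmed to the configured rate;
    # with a burst of 100 the same limiter admits only a tenth of what was intended.
    print(accepted_in_second(10000, 1000, 20000))   # 10000
    print(accepted_in_second(10000, 100, 20000))    # 1000
```

Under the model, a bucket that cannot hold one tick's worth of tokens discards most of each refill, so the effective limit collapses to ten times the burst size instead of the configured Allowed SYNs per Second: legitimate connections are throttled far below the intended rate.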

Engine Editor – Advanced Settings – Log Handling

Use this branch to change log handling settings for the engine. You can use log handling settings to adjust logging when the log spool on the engine fills up.

Option Definition
Log Spooling Policy

(Not Virtual NGFW Engines)

Defines what happens when the engine’s log spool becomes full.
  • Stop Traffic — The engine stops processing traffic and goes offline.
  • Discard Log — Log entries are discarded in four stages, according to available space. Monitoring data is discarded first, followed by log entries marked as Transient and Stored, and finally log entries marked as Essential. The engine keeps processing traffic.
Log Compression

(Antispoofing Log Event Type for Firewalls only)

The maximum number of separately logged entries. When the defined limit is reached, a single Antispoofing log entry or Discard log entry is logged. The single entry contains information about the total number of the generated Antispoofing log entries or Discard log entries. After this, logging returns to normal and all generated entries are logged and displayed separately.
Note: Do not enable Log Compression if you want all Antispoofing and Discard entries to be logged as separate log entries (for example, for reporting or statistics).
Set to Default Returns Log Compression changes to the default settings.
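The following is an added example, not Forcepoint code, that models the Log Spooling Policy row above: how an engine treats new log entries as its log spool fills under each policy. The spool capacity, the free-space percentages at which each discard stage starts, the flush helper and the class and method names are constructed assumptions; the page gives only the two policies and the order in which data is discarded.

```python
"""Model of the Log Spooling Policy (Stop Traffic / Discard Log).

Added example, not Forcepoint code. Capacity, stage thresholds and names are
constructed; the discard order is the one given on the page.
"""
from typing import List, Tuple

# Discard stages in the page's order, with the assumed free-space percentage
# at or below which that class of entry is discarded.
DISCARD_STAGES = [
    ("monitoring", 25),   # stage 1: monitoring data
    ("Transient", 15),    # stage 2: Transient log entries
    ("Stored", 5),        # stage 3: Stored log entries
    ("Essential", 0),     # stage 4: Essential log entries (spool completely full)
]


class LogSpool:
    def __init__(self, capacity: int, policy: str = "Discard Log"):
        assert policy in ("Stop Traffic", "Discard Log")
        self.capacity = capacity
        self.policy = policy
        self.entries: List[Tuple[str, str]] = []   # (kind, message) held in the spool
        self.online = True   # becomes False when a Stop Traffic engine goes offline

    def free_space(self) -> int:
        return self.capacity - len(self.entries)

    def stage(self) -> int:
        """0 = normal logging, 1..4 = the discard stage currently in effect."""
        free = self.free_space()
        stage = 0
        for n, (_kind, pct) in enumerate(DISCARD_STAGES, start=1):
            if free * 100 <= pct * self.capacity:   # integer compare, no float rounding
                stage = n
        return stage

    def offer(self, kind: str, message: str) -> str:
        """Present a new entry; returns "spooled", "discarded" or "engine offline"."""
        if not self.online:
            return "engine offline"
        if self.policy == "Stop Traffic":
            if self.free_space() == 0:
                self.online = False   # engine stops processing traffic and goes offline
                return "engine offline"
            self.entries.append((kind, message))
            return "spooled"
        # Discard Log: lowest-value classes are dropped first as space runs out,
        # and the engine keeps processing traffic.
        discarded_kinds = {k for k, _ in DISCARD_STAGES[: self.stage()]}
        if kind in discarded_kinds:
            return "discarded"
        self.entries.append((kind, message))
        return "spooled"

    def flush(self, count: int) -> List[Tuple[str, str]]:
        """Hand the oldest entries to the Log Server, freeing spool space."""
        sent, self.entries = self.entries[:count], self.entries[count:]
        return sent


def demo() -> List[str]:
    """Constructed scenario on a 100-entry spool; returns the notable verdicts."""
    spool = LogSpool(capacity=100)
    out = []
    for _ in range(80):
        spool.offer("Essential", "e")          # 80 used, 20 free: stage 1
    out.append(spool.offer("monitoring", "m"))  # discarded
    out.append(spool.offer("Transient", "t"))   # spooled (81 used)
    for _ in range(5):
        spool.offer("Stored", "s")             # 86 used, 14 free: stage 2
    out.append(spool.offer("Transient", "t"))   # discarded
    out.append(spool.offer("Stored", "s"))      # spooled (87 used)
    for _ in range(8):
        spool.offer("Essential", "e")          # 95 used, 5 free: stage 3
    out.append(spool.offer("Stored", "s"))      # discarded
    for _ in range(5):
        spool.offer("Essential", "e")          # 100 used: stage 4
    out.append(spool.offer("Essential", "e"))   # discarded
    spool.flush(30)                             # Log Server drains 30 entries
    out.append(spool.offer("monitoring", "m"))  # spooled again
    return out
```

The thresholds here are illustrative; the useful property to keep from the page is the ordering: a Discard Log engine never stops forwarding traffic, but under sustained spool pressure the first data to disappear is monitoring, and Essential entries go only when nothing else is left to drop.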

Engine Editor – Advanced Settings – Scan Detection

Use this branch to change scan detection settings for the engine. You can use scan detection to count the number of connections or connection attempts within a time window and set a threshold after which an alert is generated.

Option Definition
Scan Detection Mode When you enable scan detection, the number of connections or connection attempts within a time window is counted.
  • Disabled — Scan detection is not enabled.
  • Off (Can Be Overridden in Policy) — Scan detection is not enabled, but you can override this setting in individual Access rules. This option is the default setting.
  • On (Can Be Overridden in Policy) — Scan detection is enabled. You can override this setting in individual Access rules if scan detection is not needed or to avoid false positives.
Create a log entry when the system detects section

Allows you to set thresholds for creating log entries. When the specified number of events for the specified time period is exceeded, log entries are created.

The following options are available for each protocol:

  • events in — Specifies the maximum number of events. The default value is 220.
  • Time period field — Specifies the time period. The default value is 1.
  • Time unit drop-down list — Specifies the unit of time. The default value is Minutes.
Log Level Specifies the log level for the log entries.
  • Transient — Creates a log entry that is displayed in the Current Events mode in the Logs view, but is not stored.
  • Stored — Creates a log entry that is stored on the Log Server.
  • Essential — Creates a log entry that is shown in the Logs view and saved for further use.
  • Alert — Triggers the alert you select.
Alert When the Log Level is set to Alert, specifies the Alert that is sent.
Severity When the Log Level is set to Alert, allows you to override the severity defined in the Alert element.
Set to Default Returns Scan Detection changes to the default settings.
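The following is an added example, not Forcepoint code, showing the detection logic described in this branch run over constructed log lines: connection attempts are counted per source address inside a sliding time window and a log entry at the configured Log Level is created when the threshold is exceeded. The defaults (220 events in 1 Minutes) come from the page; the log line format, the sample lines, the hosts, and the decision to start counting afresh for a source after an entry is created are assumptions.

```python
"""Scan detection: sliding-window count of connection attempts per source.

Added example, not Forcepoint code. Line format, sample data and the
per-source reset after an entry are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

UNIT_SECONDS = {"Seconds": 1, "Minutes": 60, "Hours": 3600}

# Constructed connection-log format: ISO timestamp, then key=value fields.
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=\S+ dport=\d+ action=\S+$")


def constructed_log_lines() -> List[str]:
    """Constructed sample: one host probing 230 ports within ~35 s, and one host
    opening a connection every 6 s for five minutes (never more than 11 per minute)."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    for i in range(230):
        t = base + timedelta(milliseconds=150 * i)
        lines.append(f"{t.isoformat(timespec='milliseconds')} src=203.0.113.7 "
                     f"dst=10.0.0.10 dport={1000 + i} action=discard")
    for i in range(50):
        t = base + timedelta(seconds=6 * i)
        lines.append(f"{t.isoformat(timespec='milliseconds')} src=198.51.100.9 "
                     f"dst=10.0.0.10 dport=443 action=allow")
    return sorted(lines)   # fixed-width ISO timestamps sort chronologically as text


def parse_line(line: str) -> Optional[Tuple[datetime, str]]:
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("src")


class ScanDetector:
    def __init__(self, events: int = 220, period: int = 1, unit: str = "Minutes",
                 log_level: str = "Alert"):
        self.events = events
        self.window = timedelta(seconds=period * UNIT_SECONDS[unit])
        self.window_label = f"{period} {unit}"
        self.log_level = log_level
        self._seen: Dict[str, Deque[datetime]] = defaultdict(deque)

    def observe(self, ts: datetime, src: str) -> Optional[dict]:
        """Record one event; return a log entry when the threshold is exceeded."""
        q = self._seen[src]
        while q and ts - q[0] > self.window:
            q.popleft()                      # slide the window forward
        q.append(ts)
        if len(q) > self.events:             # "exceeded": strictly more than the limit
            count = len(q)
            q.clear()                        # assumption: restart the count for this source
            return {"time": ts, "src": src, "level": self.log_level,
                    "count": count, "window": self.window_label}
        return None


def detect(lines: List[str], **settings) -> List[dict]:
    """Run the detector over log lines and return the entries it creates."""
    detector = ScanDetector(**settings)
    entries = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                         # malformed line: skip, do not crash
        entry = detector.observe(*parsed)
        if entry is not None:
            entries.append(entry)
    return entries
```

With the page's defaults only the probing host produces an entry, on its 221st attempt; lowering the threshold to 40 events produces several entries for that host and still none for the slow one, which is the kind of tuning the Access rule override is meant for.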

Engine Editor – Advanced Settings – Idle Timeouts

Use this branch to view and change the timeouts for removing idle connections from the state table, including non-TCP communications that are handled like connections.

Option Definition
Set to Default Returns idle timeout changes to the default settings.
The default values (in seconds) for the predefined protocols are:
  • ICMP — 5
  • Other — 180
  • TCP — 1800
  • UDP — 50
Add Adds the selected protocol to the table. Opens the Select timeout dialog box.
Remove Removes the selected row from the table.
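The following is an added example, not Forcepoint code, of a state table that removes idle connections per protocol the way this branch describes, including non-TCP traffic that is tracked like a connection under the Other timeout. The default values are the ones listed above (seconds assumed as the unit); the class and method names, the custom GRE timeout and the sample flows are constructed.

```python
"""State table with per-protocol idle timeouts.

Added example, not Forcepoint code. Defaults are the page's values (seconds
assumed); names, the GRE example and sample flows are constructed.
"""
from typing import Dict, List, Optional, Tuple

# Defaults listed on the page. "Other" covers any protocol without its own row.
DEFAULT_IDLE_TIMEOUTS: Dict[str, int] = {"ICMP": 5, "Other": 180, "TCP": 1800, "UDP": 50}

FlowKey = Tuple[str, str, str, int, int]   # (proto, src, dst, sport, dport)


class StateTable:
    def __init__(self, timeouts: Optional[Dict[str, int]] = None):
        self.timeouts = dict(DEFAULT_IDLE_TIMEOUTS)
        if timeouts:
            self.timeouts.update(timeouts)   # rows added with Add, or edited defaults
        self.last_seen: Dict[FlowKey, float] = {}

    def timeout_for(self, proto: str) -> int:
        return self.timeouts.get(proto, self.timeouts["Other"])

    def packet(self, now: float, key: FlowKey) -> str:
        """Record a packet: creates the entry or refreshes its idle timer."""
        verdict = "existing" if key in self.last_seen else "new"
        self.last_seen[key] = now
        return verdict

    def expire(self, now: float) -> List[FlowKey]:
        """Remove every entry idle for at least its protocol's timeout; return them."""
        expired = [k for k, seen in self.last_seen.items()
                   if now - seen >= self.timeout_for(k[0])]
        for k in expired:
            del self.last_seen[k]
        return expired

    def __len__(self) -> int:
        return len(self.last_seen)


ICMP = ("ICMP", "10.0.0.5", "192.0.2.1", 0, 0)
UDP = ("UDP", "10.0.0.5", "192.0.2.53", 53000, 53)
TCP = ("TCP", "10.0.0.5", "192.0.2.10", 40000, 443)
GRE = ("GRE", "10.0.0.5", "192.0.2.7", 0, 0)   # no own row: falls under "Other"


def demo() -> Dict[float, List[FlowKey]]:
    """Constructed timeline; returns which entries expire at each check time."""
    table = StateTable()
    for key in (ICMP, UDP, TCP, GRE):
        table.packet(0, key)
    table_events = {}
    table_events[4] = table.expire(4)       # nothing yet
    table_events[5] = table.expire(5)       # ICMP gone after 5 s idle
    table.packet(40, UDP)                   # UDP reply refreshes its timer
    table_events[51] = table.expire(51)     # UDP survives: idle only 11 s
    table_events[90] = table.expire(90)     # UDP gone: 50 s idle
    table_events[180] = table.expire(180)   # GRE gone under the Other timeout
    table_events[1800] = table.expire(1800) # TCP gone after 30 minutes idle
    return table_events
```

A custom row added through Add simply overrides the lookup: `StateTable({"GRE": 30})` expires the same GRE flow after 30 seconds instead of 180. Note that a refreshed entry restarts its timer from the last packet, which is why tightening UDP timeouts does not cut off a DNS resolver that keeps answering.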