Start the Create Multiple Firewall Clusters wizard

Start the Create Multiple Firewall Clusters wizard and define general settings for the Firewall Cluster elements.

Before you begin

You must have an existing Firewall Cluster element on which to base the configuration.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration.
  2. Right-click NGFW Engines and select New Firewall > Multiple Firewall Clusters.
    The Create Multiple Firewall Clusters wizard opens.
  3. Enter the Number of Firewall Cluster elements (1-1000).
  4. Select a Firewall Cluster on which you want to base the Firewall Clusters’ configuration from the Base Configuration on list and click Next.
    The Define Basic Firewall Information page opens.
  5. Enter a common Name Prefix.
    The SMC adds a running number to the name prefix to generate a unique name for each Firewall Cluster.
  6. Select a Log Server to which the Firewall Clusters send their event data.
    Note: Name Prefix and Log Server are the only mandatory properties you must define at this stage. Review the other properties carefully to see which ones to define as shared properties for all Firewall Clusters created with the wizard.
  7. (Optional) In DNS IP Addresses field, add one or more DNS IP addresses.
    DNS IP addresses are IP addresses of external DNS servers. Firewall Clusters use these DNS servers to resolve Domain names to IP addresses. Firewall Clusters need DNS resolution to contact services that are defined using URLs or domain names, and to resolve fully qualified domain names (FQDNs) used in policies. When DNS relay is configured, these DNS servers are used unless domain-specific DNS servers are specified in a DNS Relay Profile element.
    Note: If you have defined NetLink-specific DNS IP addresses, adding DNS IP addresses overrides the NetLink-specific DNS IP addresses.
    • To enter a single IP address manually, click Add and select IP Address. Enter the IP address in the dialog box that opens.
    • To define an IP address using a network element, click Add and select Network Element.
  8. Select the Location for this Firewall Cluster if there is a NAT device between this Firewall Cluster and other SMC components.
    Note: Select a Location only if all Firewall Clusters you create with the wizard belong to the same Location element.
  9. Define other settings according to your environment:
    • If you want to include the Firewall Clusters in predefined categories, select the appropriate Categories.
    • If you want to add custom commands to the Firewall Clusters’ right-click menu, add a Tools Profile.
    • Add, change, or remove nodes as needed.
  10. Click Next.
    The Review and Edit Names and Comments page opens.
  11. Review the names of the Firewall Clusters. If necessary, right-click the name or comment and select Edit Name or Edit Comment.
  12. Click Next.
    The Define Interfaces for the Multiple Firewall Elements page opens.

Create Multiple Firewall Clusters wizard

Use this wizard to create multiple Firewall Cluster elements at the same time.

Option Definition
Number of Firewall Clusters Specifies the number of Firewall Cluster elements.
Base Configuration on Specifies the Firewall Cluster on which you want to base the configuration.
Previous Navigates back to the previous wizard page.
Next Navigates to the following wizard page.
Option Definition
Define Basic Firewall Information page
Name Prefix Specifies the common name prefix.
Log Server Specifies the log server to which the engine sends event data.
DNS IP Addresses

(Optional)

Specifies the IP addresses of the DNS servers that the engine uses to resolve:
  • Malware signature mirror
  • Domain names
  • URL filtering categorization services

For DNS relay, specifies the IP addresses of external DNS servers to which the engine forwards DNS requests from clients in the internal network.
Add Adds one or more IP addresses using the following options:
  • IP Address — Adds an IP Address element that represents a single IP address.
  • Network Element — Adds a Network element that represents an IP network space.
Remove Removes the selected IP address from the DNS IP Addresses list.
Location Specifies the location for the engine if there is a NAT device between the engine and other SMC components.
Category

(Optional)

 Includes the element in predefined categories. Click Select to select a category.
Tools Profile Adds custom commands to the element's right-click menu.
  • Select — Select an existing Tools Profile element.
  • None — Removes all previously selected Tools Profile elements.
  • New — Create a Tools Profile element.
Comment

(Optional)

 A comment for your own reference.
Nodes
Disabled When selected, disables the node.
Add Node Adds an engine node to the Nodes list.
Edit Node Opens the Engine Node Properties dialog box.
Remove Node Removes the selected engine node from the Nodes list.
Review and Edit Names and Comments Shows a summary of the information you entered on the previous page.
Option Definition
Define Interfaces for the Multiple Firewall Elements page
Add Specifies the interface type:
  • Physical Interface
  • VLAN Interface
  • IPv4 Address
  • IPv6 Address
  • Tunnel Interface
Edit Allows you to change the properties of the interface or IP address.
Remove Removes the selected interface or IP address from the table.
Options

(Optional)

Opens the Interface Options dialog box.
ARP Entries Allows you to add ARP entries for the engine elements.
Multicast Routing Allows you to configure the multicast routing properties.
Review and Edit Firewall Interfaces Shows a summary of the information you entered on the previous page.
Option Definition
Define Routing for the Multiple Firewall Elements page — On this page, you can see the routing of the original engine that you are basing your engines on. Changes that you make are reflected in all engines that you are creating.
Review and Edit Routing View for the Multiple Firewall Elements On this page, you can make changes to the individual engines that you are creating.
Routing for Select the engine that you want to edit.
Option Definition
Define NAT Definitions for the Firewalls page
Use Default NAT Address for Traffic from Internal Networks

(Optional)

When selected, the engine uses the default NAT address as the Public IP Address if there is not a more specific NAT definition that matches the traffic. When you select this option, a NAT rule is generated at the end of the NAT rules in the Firewall Policy. If no NAT rule matches the traffic, no NAT is applied unless you enable the Default NAT Address.
Show Details

(Optional)

Opens the Default NAT Address Properties dialog box.
Add NAT Definition Creates a NAT Definition element and opens the NAT Definition Properties dialog box.
Edit NAT Definition Opens the NAT Definition Properties dialog box for an existing NAT Definition element.
Remove NAT Definition Removes the selected row from the table.
Option Definition
Select Additional Configuration Options page
Define Additional Firewall Properties When selected, you can specify advanced properties for the engine.

If you do not select this option, clicking Next takes you to the Summary page.

Option Definition
Define Tester Settings for the Firewalls page
Alert Interval Specifies the time in minutes the system waits before sending a new alert when the same test keeps failing repeatedly. The default value is 60 minutes.
Note: If the interval is too short, the alerts can overload the system or the alert recipient.
Delay After Specifies the time in seconds that the engine waits before it resumes running the tests after the listed events. The delays prevent false test failures that can occur due to variations in how quickly different processes and subsystems can start and stop.
  • Boot — The default is 30 seconds.
  • Reconfiguration — The default is 5 seconds.
  • Status Change — The default is 5 seconds.
Note: The maximum value for all options is 1800.
Auto Recovery When selected, the engine automatically goes back online when a previously failed test completes successfully.
Note: Make sure to run the test in both online and offline states.
Boot Recovery When selected, the engine automatically goes back online after a restart, or after an event such as a power failure or system crash, if all offline tests report a success.
Set to Default Returns tester changes to the default settings.
Add Adds the test to the test entry table:
  • External — Runs a custom script stored on the engine. If the script returns the code zero (0), the test is successful, otherwise the test is failed.
  • File System Space — Checks the free disk space on a hard disk partition.
  • Free Swap Space — Checks the available swap space on the hard disk.
  • Inline Pair Link Speed — Checks whether the network settings (speed/duplex) match on the two ports that form the inline pair and can force ports to use the same settings. Not available in the Firewall/VPN role.
  • Link Status — Checks whether a network port reports the link as up or down.
  • Multiping — Sends out a series of ping requests to determine whether there is connectivity through a network link.
  • Policy — Checks whether a new policy is activated on the engine. This option is intended for sending SNMP notifications.
Edit Allows you to change the test properties.
Remove Removes the test from the test entry table.
Option Definition
Define Permissions for the Firewalls page
Add Adds the element to the Access Control Lists table.
Remove Removes the elements from the Access Control Lists table.
Add Permission Adds the permission to the Permissions table.
Remove Permission Removes the permission from the Permissions table.
Add Adds an element to the Allowed Policies list.
Set to Any Allows the installation of any policy.
Remove Removes the elements from the Allowed Policies list.
Option Definition
Define Add-Ons for the Firewalls page
Client Protection Certificate Authority Select the Client Protection Certificate Authority element for client protection.
Add Allows you to add a Server Protection Credentials element for server protection.
Remove Removes the selected item.
User Identification Service Specifies the Forcepoint User ID Service, McAfee Logon Collector, or Integrated User ID Service that associates IP addresses with users for transparent user identification.

The Integrated User ID Service is primarily meant for demonstration purposes and proof-of-concept testing of user identification services.

  • Select — Allows you to select an existing Forcepoint User ID Service, McAfee Logon Collector, or Integrated User ID Service element.
  • None — Disables transparent user identification.
Note: McAfee Logon Collector is only supported in Forcepoint NGFW version 5.8 or higher. For Forcepoint NGFW version 6.4 or higher, we recommend that you use the Forcepoint User ID Service.
User Authentication Opens the Browser-Based User Authentication dialog box.
Anti-Malware Opens the Anti-Malware Settings dialog box.
Anti-Spam Settings The Anti-Spam feature is no longer supported in NGFW version 6.2.0 and later.
Sandbox Opens the Sandbox Settings dialog box.
Note: McAfee Advanced Threat Defense is no longer supported in NGFW version 6.4.0 and later. We recommend that you use Forcepoint Advanced Malware Detection instead.
File Reputation Opens the GTI File Reputation Settings dialog box.
Option Definition
Define Advanced Settings for the Firewalls page
Encrypt Configuration Data By default, the configuration of the engine is stored in an encrypted format. Disable the encryption only if instructed to do so by Forcepoint support.
Contact Node Timeout The maximum amount of time the Management Server tries to connect to an engine.

A consistently slow network connection might require increasing this value. The default value is 60 seconds.

Note: Setting the timeout value too short or too long can delay or prevent contact between the Management Server and the engines.
Auto Reboot Timeout Specifies the length of time after which an error situation is non-recoverable and the engine automatically restarts. The default value is 10 seconds.
Note: Set to 0 to disable.
Policy Handshake When selected, the nodes automatically roll back to using the previously installed policy if connectivity is lost after installing a new policy.
Without this feature, you must switch to the previous configuration manually through the engine's boot menu.
Note: We recommend adjusting the timeout rather than disabling this feature completely.
Rollback Timeout The time the engine waits for a management connection before it rolls back to the previously installed policy when the Policy Handshake option is active. The default value is 60 seconds.
Automated Node Certificate Renewal When selected, the engine's certificate for system communications is automatically renewed before it expires. Otherwise, the certificate must be renewed manually.
Each certificate for system communications is valid for 3 years. If the certificate expires, other components refuse to communicate with the engine.
Note: Does not renew VPN certificates. Automatic certificate renewal for internally signed VPN certificates is set separately in the engine's VPN settings.
FIPS-Compatible Operating Mode When selected, activates a mode that is compliant with the FIPS (Federal Information Processing Standard) 140-2.
Note: You must also select FIPS-specific settings in the NGFW Initial Configuration Wizard on the command line of the NGFW Engine. For more information, see How to install Forcepoint NGFW in FIPS mode.
Log Handling Specifies the settings related to adjusting logging when the log spool on the engines fills up or when the number of Antispoofing and Discard logs grows too high.
Note: You can adjust the logging of Antispoofing and Discard logs also for specific interfaces.
Clustering Specifies the settings related to the communications between cluster members and load-balancing between the nodes.
Connection Tracking Mode When connection tracking is enabled, reply packets are allowed as part of the allowed connection without an explicit Access rule.

You can override this engine-specific setting and configure connection tracking for TCP, UDP, and ICMP traffic in Access rules.

  • Normal — The engine drops ICMP error messages related to connections that are not currently active in connection tracking. A valid, complete TCP handshake is required for TCP traffic. The engine checks the traffic direction and the port parameters of UDP traffic. On Firewalls, Normal is the default setting.
  • Strict — The engine does not permit TCP traffic to pass through before a complete, valid TCP handshake is performed.
  • Loose — The engine allows some connection patterns and address translation operations that are not allowed in the Normal mode. This mode can be used, for example, if routing is asymmetric and cannot be corrected or if the use of dynamic routing protocols causes the Firewall to receive non-standard traffic patterns.
Virtual Defragmenting When selected, fragmented packets are sent onwards using the same fragmentation as when they arrived at the engine.

When the engine receives fragmented packets, it defragments the packets for inspection. The original fragments are queued on the engine until the inspection is finished. If the option is not selected, the packets are sent onwards as if they had arrived unfragmented.

Strict TCP Mode for Deep Inspection This option is included for backward compatibility with legacy Forcepoint NGFW software versions. Selecting this option has no effect on Forcepoint NGFW version 5.8.0 or later.
Concurrent Connection Limit A global limit for the number of open connections. When the set number of connections is reached, the engine stops the next connection attempts until a previously open connection is closed.
Default Connection Termination in Inspection Policy Defines how connections that match rules with the Terminate action in the Inspection Policy are handled.
  • Terminate and Log Connection — Stops the matching connections. This option is the default setting.
  • Only Log Connection — Does not stop the matching connections. Creates a Terminate (passive) log entry for the matching connections. This option is useful for testing which types of connections are stopped.
VPN Settings Opens the VPN Settings dialog box.
Policy Routing Opens the Policy Routing dialog box.
Idle Timeouts Opens the Idle Timeouts dialog box.
SYN Rate Limits Opens the Default SYN Rate Limits dialog box.
Scan Detection Opens the Scan Detection Settings dialog box.
DoS Protection Opens the DoS Protection Settings dialog box.
Summary Shows you a summary of the options that you have selected.
Finish Completes the creation of multiple Firewall Clusters.