Add Virtual Firewall elements

Virtual Firewall elements store the configuration information related to the Virtual Firewalls.

Selecting a Virtual Resource for the Virtual Firewall automatically adds the Virtual Firewall to the Master NGFW Engine where the Virtual Resource is used.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration.
  2. Right-click NGFW Engines and select New > Firewall > Virtual Firewall.
  3. In the Name field, enter a unique name.
  4. Next to the Virtual Resource field, click Select and select a Virtual Resource on the Master NGFW Engine to which you want to add the Virtual Firewall.
  5. (Optional) In the DNS IP Addresses field, add one or more IP addresses.
    DNS IP addresses are the IP addresses of external DNS servers. Virtual Firewalls use these DNS servers to resolve domain names to IP addresses. Virtual Firewalls need DNS resolution to contact services that are defined using URLs or domain names, and to resolve fully qualified domain names (FQDNs) used in policies. When DNS relay is configured, these DNS servers are used unless domain-specific DNS servers are specified in a DNS Relay Profile element.
    Note: If you have defined NetLink-specific DNS IP addresses, adding DNS IP addresses overrides the NetLink-specific DNS IP addresses.
    • To enter a single IP address manually, click Add and select IP Address. Enter the IP address in the dialog box that opens.
    • To define an IP address using a network element, click Add and select Network Element.
  6. (Optional) Next to the Category field, click Select and select one or more categories.
  7. Click Save.
    Do not close the Engine Editor.

Next steps

Configure interfaces for the Virtual Firewall.

Engine Editor – common elements

Use the Engine Editor toolbar options to save changes to the engine configuration and refresh a policy on the engine. These options are shown no matter which branch of the Engine Editor you have open.

Save: Validates and saves the changes. The Engine Editor tab stays open.
Save and Refresh: Validates and saves the changes, and refreshes the policy on the engine. The Engine Editor tab stays open.
Tools: Validate — Validates the changes without saving them. The Engine Editor tab stays open.

Engine Editor – General

Use this branch to change general engine settings for clustering, engine tester configuration, and administrator permissions.

Name: The name of the element.
Log Server: Specifies the Log Server to which the engine sends the event data.
Version (Not available for clusters): The version of the Forcepoint Next Generation Firewall software. Not editable.
Status (Not available for clusters): Shows the configuration status of the engine. Not editable.
DNS IP Addresses (Optional): Specifies the IP addresses of the DNS servers that the engine uses to resolve:
  • Malware signature mirror
  • Domain names
  • URL filtering categorization services
  (Firewall/VPN role only) For DNS relay, specifies the IP addresses of external DNS servers to which the engine forwards DNS requests from clients in the internal network.
  If you have configured at least one Physical Interface with a dynamic IP address or one static NetLink with a DNS IP address, the default value of the DNS IP Addresses field is "The engine uses NetLink-specific DNS IP addresses".
  Note: Specifying a value for the DNS IP Addresses field overrides NetLink-specific DNS IP addresses defined in the NetLink properties.
Add: Adds one or more IP addresses using the following options:
  • IP Address — Adds an IP Address element that represents a single IP address.
  • Network Element — Adds a Network element that represents a network space.
Remove: Removes one or more selected IP addresses from the DNS IP Addresses list.
Location: Specifies the location for the engine if there is a NAT device between the engine and other SMC components.
Category (Optional): Includes the element in predefined categories. Click Select to select a category.
Tools Profile: Adds custom commands to the engine's right-click menu.
  • Select — Select an existing Tools Profile element.
  • None — Removes all previously selected Tools Profile elements.
  • New — Create a Tools Profile element.
Comment (Optional): A comment for your own reference.

Add IP Address dialog box

Use this dialog box to manually add DNS IP addresses to the engine.

Enter a Manual IP Address: Adds the IP address of the DNS server.

Engine Editor – General – Permissions

Use this branch to change permissions settings to control the administration of the engines.

Administrator Permissions section
Add: Adds an Access Control List.
Remove: Removes the selected Access Control List.
Add Permission: Adds a permission to the Administrator Permissions table.
Remove Permission: Removes the selected permission from the Administrator Permissions table.

Local Administrators section
Administrator: Specifies the name of the local administrator, if local administrators have been defined for the engine.
Info: Specifies whether executing root-level commands with the sudo tool is allowed for the Local Administrator.

Policies section
Allowed Policies: Shows the policies that are allowed to be installed on the engine.
Add: Adds the element to the Allowed Policies list.
Set to Any: Allows the installation of any policy.
Remove: Removes the selected element from the Allowed Policies list.

Engine Editor – General – DNS Relay

Use this branch to enable and configure DNS relay for firewalls.

DNS Relay Profile: Allows you to select a DNS Relay Profile element.
  • Select — Opens a dialog box where you can select an existing DNS Relay Profile element.
  • None — Removes the previously selected DNS Relay Profile element. Selecting None deactivates DNS Relay.
  • New — Allows you to create a new DNS Relay Profile element. Opens the DNS Relay Profile Properties dialog box.
Listening IP Addresses: The IP addresses to which clients in the internal network send DNS requests.
Add: Adds an interface and its IP address to the list. Opens the Select dialog box.
Remove: Removes the selected interface and its IP address from the list.
Source for Domain-Specific DNS Queries: The IP addresses that are used as source IP addresses when the firewall makes domain-specific DNS queries.
  When According to Routing is selected, the source IP address is automatically selected based on the route to the external DNS server.

Engine Editor – General – SNMP

Use this branch to enable the NGFW Engine to send SNMP traps.

SNMP Agent: Enables the NGFW Engine to send SNMP traps.
  • Select — Select an existing SNMP Agent element.
  • None — Disables the sending of SNMP traps.
  • New — Create an SNMP Agent element.
SNMP Location: Specifies the SNMP location string that is returned on queries to the SNMPv2-MIB or SNMPv2-MIB-sysLocation object.
SNMP Engine ID (Single NGFW Engines and SNMPv3 only): A unique identifier for the NGFW Engine that is used by the SNMP agent.
  The engine ID is used with a hash function to generate keys for authentication and encryption of SNMPv3 messages. If you do not specify the SNMP engine ID, an SNMP engine ID is automatically generated.
Listening IP Addresses: The IPv4 or IPv6 addresses from which SNMP traps are sent.
Add: Adds an interface and its IP addresses to the list. Opens the Select dialog box.
Remove: Removes the selected interface and its IP addresses from the list.
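The way the engine ID enters SNMPv3 key generation, as an added example that is not part of this documentation or of the product: the RFC 3414 password-to-key and key-localization steps in Python. The password "maplesyrup" and the 12-byte engine ID are the test vectors from RFC 3414 appendix A, not values from any Forcepoint engine; the second engine ID in the usage section is constructed.

```python
import hashlib

# RFC 3414 section A.2: the password is repeated until 1,048,576 bytes have
# been fed to the hash; the digest is the user key Ku.
PASSWORD_EXPANSION = 1048576

# Added example, not Forcepoint code. Engine ID from the RFC 3414 A.3 test vectors.
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """Ku = H(password repeated cyclically to 1 MiB), per RFC 3414 A.2."""
    if not password:
        raise ValueError("password must not be empty")
    full, rem = divmod(PASSWORD_EXPANSION, len(password))
    h = hashlib.new(hash_name)
    h.update(password * full + password[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): binds the user key to one engine."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID must be 5..32 bytes (RFC 3411)")
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def snmpv3_localized_key(password: str, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Convenience wrapper: password -> Ku -> Kul for the given engine."""
    return localize_key(password_to_key(password.encode(), hash_name), engine_id, hash_name)


if __name__ == "__main__":
    for name in ("md5", "sha1"):
        kul = snmpv3_localized_key("maplesyrup", RFC3414_ENGINE_ID, name)
        print(f"{name}: localized key {kul.hex()}")
    # The same password on a different engine ID (constructed value) yields a different key.
    other = snmpv3_localized_key("maplesyrup", bytes.fromhex("800000090300aabbccddeeff"), "sha1")
    print("different engine ID:", other.hex())
```

Because the localized key depends on the engine ID, a manager that holds the right password but a stale engine ID (for example after the ID was regenerated) fails SNMPv3 authentication; recording the ID whenever you set it explicitly avoids that failure mode.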

Engine Editor – Interfaces

Use this branch to configure the necessary interfaces and IP addresses for the engine.

Add: Adds an interface or IP address of the specified type:
  • Layer 3 Physical Interface (Available for Single Firewalls, Firewall Clusters, Virtual Firewalls, and Master NGFW Engines in the Firewall/VPN role)
  • Layer 2 Physical Interface (Available for Single Firewalls, Firewall Clusters, Virtual Firewalls, and Master NGFW Engines in the Firewall/VPN role)
  • Physical Interface (Available for all engine types except Single Firewalls, Firewall Clusters, Virtual Firewalls, and Master NGFW Engines in the Firewall/VPN role)
  • VLAN Interface (Available for all engine types)
  • IPv4 Address (Not available for Virtual IPS engines or Virtual Layer 2 Firewalls)
  • IPv6 Address (Not available for Virtual IPS engines or Virtual Layer 2 Firewalls)
  • ADSL Interface (Available for Single Firewalls and Firewall Clusters)
  • Tunnel Interface (Available for Single Firewalls, Firewall Clusters, and Virtual Firewalls)
  • Modem Interface (Available for Single Firewalls)
  • Wireless Interface (Available for Single Firewalls)
  • SSID Interface (Available for Single Firewalls)
  • Switch (Available for Single Firewalls)
  • Port Group Interface (Available for Single Firewalls)
  CAUTION: Physical Interfaces for Virtual NGFW Engines are automatically created based on the interface configuration in the Master NGFW Engine properties. The number of Physical Interfaces depends on the number of interfaces allocated to the Virtual NGFW Engine in the Master NGFW Engine. Physical Interfaces that you add to Virtual NGFW Engines might not be valid.
Edit: Allows you to change the properties of the interface or IP address.
Remove: Removes the selected interface or IP address from the table.

Engine Editor – Interfaces – Interface Options

Use this branch to define which IP addresses are used in particular roles in the engine's system communications.

Control Interface (Not Virtual Firewalls):
  • Primary — Specifies the Primary Control IP address for Management Server contact.
  • Backup (Optional) — Specifies the Backup Control IP address that is used if the Primary Control IP address is not available.
  Note: We recommend that you do not use the IP address of an Aggregated Link interface as the primary or secondary control IP address of the engine.
Heartbeat Interface (Clusters and Master NGFW Engines only):
  • Primary — Specifies the interface used for communications between the nodes. We recommend that you use a Physical Interface, not a VLAN Interface. We strongly recommend that you do not direct any other traffic through this interface. A dedicated network helps guarantee reliable and secure operation.
    CAUTION: Primary and Backup Heartbeat networks exchange confidential information. If dedicated networks are not possible, configure the cluster to encrypt the exchanged information.
  • Backup — Used if the Primary Heartbeat Interface is unavailable. It is not mandatory to configure a backup Heartbeat Interface, but we strongly recommend it. If heartbeat traffic is not delivered, the cluster cannot operate and traffic is disturbed. We strongly recommend that you use a dedicated interface for the backup heartbeat as well.
Node-Initiated Contact to Management Server: When selected, the NGFW Engine opens a connection to the Management Server and maintains connectivity. This option is always used with a dynamic control IP address, so it is always selected if the control IP address is dynamic.
  If the connection is not open when you command the engine through the Management Client, the command is left pending until the engine opens the connection again.
  Note: This option is not supported for IPS Clusters, Layer 2 Firewall Clusters, or Virtual NGFW Engines.
Identity for Authentication Requests: The IP address of the selected interface is used when an engine contacts an external authentication server.
  This option does not affect the routing of the connection with the authentication server. The IP address is used only as a parameter inside the authentication request payload to give a name to the request sender.
Source for Authentication Requests: By default, specifies the source IP address for authentication requests according to routing. If the authentication requests are sent to an external authentication server over VPN, select an interface with a Node Dedicated IP address that you want to use for the authentication requests.
Default IP Address for Outgoing Traffic: Specifies the IP address that the engine uses to initiate connections (such as for system communications and ping) through an interface that has no Node Dedicated IP Address. In clusters, you must select an interface that has an IP address defined for all nodes.

Engine Editor – Interfaces – Loopback

Use this branch to define loopback IP addresses for Firewalls. Loopback IP addresses allow you to assign IP addresses that do not belong to any directly connected networks to the Firewall.

Bypass Default IP Address: Specifies how the source IP address for traffic sent from the engine node is selected for tunnel interfaces that do not have IP addresses.
  • Use Loopback IP Address in Unnumbered Tunnel Interface — Uses an IP address listed in the table as the source IP address of traffic sent from the engine node.
  • Use Default Outgoing IP Address in Unnumbered Tunnel Interface — Uses the default outgoing IP address defined in the Interface Options pane as the source IP address of traffic sent from the engine node.
Click Add Row to add a row to the table, or Remove Row to remove the selected row.

Engine Editor – Interfaces – ARP Entries

Use this branch to manually add ARP entries for IPv4 or neighbor discovery entries for IPv6.

Add ARP Entry: Adds an ARP entry.
Remove ARP Entry: Removes the selected ARP entry.

Engine Editor – Routing

Use this branch to view and change the engine's routing configuration.

Refresh View: Updates the view.
Expand All: Expands all levels of the routing tree.
Collapse All: Collapses all levels of the routing tree.
Display Mode: Changes how the routing configuration is displayed.
  • Tree View — Displays the routing configuration as a tree of interfaces, Router elements, NetLink elements, and destination networks.
  • Table View — Displays the routing configuration as a table of destination networks, routing gateways, interfaces, and NetLink elements.
Default Route: Allows you to view and create default routes that are used when there is no more specific route defined.
  Note: If the Automatic Default Route setting is selected in the properties of the interface, default routes are created automatically for interfaces with dynamic IP addresses on single engines.
  • Gateway — The IP address of the gateway device. You can also double-click the field and select a gateway device for the route.
  • Add — Adds the default route to the routing configuration.
  • Show Default Route — Highlights the default route in the Tree View or the Table View.
Add Route: Allows you to add routes to specific destination networks.
  • Destination — The destination IP address or network.
  • Gateway — The IP address of the gateway device. You can also double-click the field and select a gateway device for the route.
  • Add — Adds the route to the routing configuration.
Query Route: Allows you to search for routes.
  • Source — The source IP address.
  • Destination — The destination IP address.
  • Query — Highlights the route in the Tree View or the Table View.

Engine Editor – Routing – Dynamic Routing

Use this branch to configure dynamic routing for the engine. Dynamic routing enables firewalls to automatically change their routing when the network topology changes.

BGP section
Enabled: When selected, the BGP protocol for dynamic routing is enabled.
Router ID: Enter an ID for the Firewall.
  The ID must be unique. Often, the global IPv4 address is the ID.
  By default, the Router ID is automatically the loopback CVI address or the highest CVI address available on the Firewall Cluster.
BGP Profile: Select the BGP Profile to use.
  The element contains distance, redistribution, and aggregation settings.
Autonomous System: Select the Autonomous System (AS) to use.
  An AS represents a whole network or a series of networks.
Announced Networks: You can add hosts, networks, or groups that contain both hosts and networks.
Add: Adds an announced network.
Remove: Removes the selected announced network.

OSPFv2 section
Enabled: When selected, the OSPFv2 protocol for dynamic routing is enabled.
Router ID: Enter an ID for the Firewall.
OSPFv2 Profile: Select the OSPFv2 Profile to use.
  The element contains distance, redistribution, and aggregation settings.
Additional Networks to Automatically Add to Antispoofing: Elements that you add are automatically added under all interfaces (that have dynamic routing elements configured) on the Antispoofing branch in the Engine Editor. You can add hosts, networks, or groups that contain both hosts and networks.
Add: Adds a host, network, or group to the Additional Networks to Automatically Add to Antispoofing list.
Remove: Removes the selected host, network, or group from the Additional Networks to Automatically Add to Antispoofing list.

Engine Editor – Routing – Antispoofing

Use this branch to view and change the engine's antispoofing configuration.

Refresh View: Updates the view.
Expand All: Expands all levels of the routing tree.
Collapse All: Collapses all levels of the routing tree.

Engine Editor – Routing – Multicast Routing

Use this branch to define static multicast, IGMP-based multicast forwarding, or PIM dynamic routing. Only IPv4 addresses are supported.

Multicast Routing Mode: Specifies how the engine routes multicast traffic.
  • None — Disables multicast routing.
  • Static — Enables options that allow you to add static routes for multicast traffic.
  • IGMP Proxy — Enables options that allow you to use the engine for IGMP-based multicast forwarding.
  • PIM — Enables options that allow you to use the engine for dynamic routing using PIM.

When Multicast Routing Mode is Static
Source Interface: Select the interface to use for multicast routing.
Source IP Address: Enter the unicast IP address of the multicast source.
Destination IP Address: Enter the multicast destination IP address. The destination address must be within the multicast range of 224.0.0.0 to 239.255.255.255.
Destination Interface: Right-click Destination Interface, then select Edit Destination Interface to select the interfaces where you want this multicast traffic forwarded.
Comment (Optional): A comment for your own reference.
Add: Adds a row to the table.
Remove: Removes the selected row from the table.

When Multicast Routing Mode is IGMP Proxy
Upstream Interface: Select the interface to use as the upstream interface. If the multicast servers and the hosts are in the local networks, or if you want to limit the multicast to the local networks, it is not necessary to define the upstream interface. In that case, leave Not Set selected.
Upstream IGMP Version: Select the IGMP version according to the upstream network environment. The default IGMP version is version 3.
Interface: Select the downstream interfaces.
IGMP Querier Settings: Select an IGMP Querier Settings element according to the downstream network environment. The element defines the IGMP version and query parameters.
Add: Adds a downstream interface to the Downstream Interfaces table.
Remove: Removes the selected downstream interface from the Downstream Interfaces table.

When Multicast Routing Mode is PIM
PIM Profile: Select a PIM Profile to use. The profile contains the multicast groups and determines the PIM mode that is used.
MRoute Preference:
  Note: This option is not supported in this version of Forcepoint NGFW.
  The routing table is used to specify reverse path forwarding (RPF) information whenever multicast traffic from source addresses uses a different path than unicast traffic from the same source address.
  • Best Match Preferred — The RPF lookup prefers the best match based on both the default routing table and the Multicast routing (mroute) table.
  • MRoute Preferred — The RPF lookup uses the mroute table. If the mroute table cannot be used, the default routing table is used.
Bootstrap Settings: See RFC 5059 for more information.
RP Candidate: If you want to use the firewall as a rendezvous point (RP) candidate, select an IP address. Otherwise, select Not a Candidate.
RP Priority: Enter a value for the RP priority.
Multicast Groups: Add the multicast IPv4 networks for which the firewall acts as an RP candidate.
Add: Adds a row to the table.
Remove: Removes the selected row from the table.
BSR Candidate: If you want to use the firewall as a bootstrap router (BSR) candidate, select an IP address. Otherwise, select Not a Candidate.
BSR Priority: Enter a value for the BSR priority.

Engine Editor – Routing – Policy Routing

Use this branch to define policy routing for the engine.

IPv4 Policy Routes or IPv6 Policy Routes: Enter the routing information in the appropriate table. Click Add to add a row to the table, or Remove to remove the selected row. Click Up or Down to move the selected element up or down.
Source IP Address: Enter the source IP address. This IP address is always something other than the default 0.0.0.0, which matches any IP address; routes that apply to any source are handled more easily with the normal routing tools in the Routing pane.
Source Netmask (IPv4 only): Enter the netmask for the source IP address.
Source Prefix (IPv6 only): Enter the network prefix for the source IP address.
Destination IP Address: Enter the destination IP address.
Destination Netmask (IPv4 only): Enter the netmask for the destination IP address.
Destination Prefix (IPv6 only): Enter the network prefix for the destination IP address.
Gateway IP Address: Enter the IP address of the device to which packets that match the source/destination pair are forwarded.
Comment (Optional): A comment for your own reference.
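A first-match policy-route lookup, written here as an added example that is not Forcepoint code and not the engine's implementation: it models the IPv4/IPv6 Policy Routes table with Python's ipaddress module, rejects the any-address source the text warns about, and evaluates rows in table order, which is what Up and Down control. The route entries are constructed sample values using documentation address ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class PolicyRoute:
    """One row of the Policy Routes table (assumed model, not the product's)."""
    source: IPNetwork        # Source IP Address + Source Netmask/Prefix
    destination: IPNetwork   # Destination IP Address + Destination Netmask/Prefix
    gateway: str             # Gateway IP Address
    comment: str = ""


def make_route(source: str, destination: str, gateway: str, comment: str = "") -> PolicyRoute:
    """Build a row from 'address/netmask' (IPv4) or 'address/prefix' strings.

    Rejects a 0.0.0.0 or :: source: a route that matches any source belongs in
    the normal Routing pane rather than in policy routing.
    """
    src = ipaddress.ip_network(source, strict=False)
    dst = ipaddress.ip_network(destination, strict=False)
    gw = ipaddress.ip_address(gateway)
    if not (src.version == dst.version == gw.version):
        raise ValueError("source, destination and gateway must share an IP version")
    if src.prefixlen == 0:
        raise ValueError("source must be more specific than the any-address")
    return PolicyRoute(src, dst, str(gw), comment)


def lookup(routes: List[PolicyRoute], source_ip: str, destination_ip: str) -> Optional[PolicyRoute]:
    """Return the first row whose source/destination pair matches, or None.

    Rows are evaluated in table order; a more general row placed above a more
    specific one shadows it, so row order is part of the configuration.
    """
    src = ipaddress.ip_address(source_ip)
    dst = ipaddress.ip_address(destination_ip)
    for route in routes:
        if route.source.version != src.version:
            continue
        if src in route.source and dst in route.destination:
            return route
    return None


# Constructed sample table (documentation address ranges, not real routes).
SAMPLE_ROUTES = [
    make_route("10.1.0.0/255.255.255.0", "0.0.0.0/0", "192.0.2.1", "guest subnet via ISP B"),
    make_route("10.0.0.0/255.0.0.0", "203.0.113.0/255.255.255.0", "192.0.2.254", "partner via VPN hub"),
    make_route("2001:db8:1::/64", "::/0", "2001:db8:ffff::1", "lab IPv6 via transit"),
]

if __name__ == "__main__":
    for s, d in [("10.1.0.7", "198.51.100.9"), ("10.1.0.7", "203.0.113.9"),
                 ("10.2.0.7", "203.0.113.9"), ("10.2.0.7", "198.51.100.9")]:
        hit = lookup(SAMPLE_ROUTES, s, d)
        print(f"{s} -> {d}: {hit.gateway if hit else 'no policy route; normal routing applies'}")
```

Note the second sample query: traffic from 10.1.0.7 to the partner network is sent to 192.0.2.1 because the guest row sits above the partner row, which is the kind of ordering mistake a quick lookup like this catches before the policy is refreshed.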

Engine Editor – Add-Ons

Use this branch to view a summary of the add-on features and the status of each feature.

Engine Editor – Add-Ons – TLS Inspection

Use this branch to activate TLS inspection on the engine. You can configure TLS inspection for client or server protection.

Client Protection Certificate Authority: Select the Client Protection Certificate Authority element for client protection.
TLS Credentials: Specifies the Server Protection Credentials elements that are used for server protection. Click Add to add an element to the list, or Remove to remove the selected element.
Check Certificate Revocation: When selected, the NGFW Engine uses CRL or OCSP to check whether certificates have been revoked.
Decrypt All Traffic: When selected, the NGFW Engine forces all traffic to be decrypted. When the checkbox is not selected, the NGFW Engine either decrypts or does not decrypt traffic according to the settings in TLS Match elements.
Cryptography Suite Set: Specifies the TLS Cryptography Suite Set element that defines which cryptographic algorithms are allowed for TLS traffic. Click Select to select an element.

Engine Editor – Add-Ons – Endpoint Integration

Use this branch to enable endpoint integration on the engine and change the settings for the endpoint client communication.

When Endpoint Service is Forcepoint Endpoint Context Agent
ECA Listener Certificate: The internal certificate for the NGFW Engine that listens for ECA traffic. The certificate is generated automatically when you save the ECA configuration.
Signing CA: The internal CA that signed the certificate.
ECA Configuration: The selected ECA Configuration element. Click Select to select an element.
Source Networks: Add the networks or zones that contain the clients. The clients located in these networks or zones send endpoint information to this Firewall. Click Add to add an element to the table, or Remove to remove the selected element.
Destination Networks: Add the networks or zones where outbound connections are going. The clients send endpoint information only if the destination address is located in these networks or zones. If filtering is based on both the source address and the destination address, both conditions must be met. Click Add to add an element to the table, or Remove to remove the selected element.
Listening Interfaces: The interfaces or zones the NGFW Engine uses to listen for ECA traffic. Click Add to add an element to the table, or Remove to remove the selected element.
Listening Port: The port on which the NGFW Engine listens for ECA traffic.
Export Configuration for Endpoint Clients: Opens the Export ECA Configuration dialog box, where you can export an XML file that contains the ECA configuration and details of all the NGFW Engines that use the same ECA Configuration element. You must first save the NGFW Engine configuration.

When Endpoint Service is McAfee Endpoint Intelligence Agent (McAfee EIA)
Note: McAfee Endpoint Intelligence Agent (McAfee EIA) is no longer supported in NGFW version 6.3.0 and later. We recommend that you use Forcepoint Endpoint Context Agent instead.
ePO Server: The McAfee ePO server that you want the NGFW Engine to communicate with. Click Select to select an element.
Endpoint Client Zones or Networks: The networks or zones in which the endpoint clients are located. Click Add to add an element to the table, or Remove to remove the selected element.
Listen on Interfaces: The interfaces or zones the engine uses to listen for EIA traffic. Click Add to add an element to the table, or Remove to remove the selected element.
Listening Port: The port on which the NGFW Engine listens for EIA traffic.

Engine Editor – Add-Ons – User Authentication

Use this branch to enable user authentication on the engine. You can configure authentication using HTTP connections or encrypted HTTPS connections.

HTTP: When selected, allows authentication using plain HTTP connections.
  Change the Port settings if you want to use a different port for the authentication interface. The default port is 80.
HTTPS (Required for client certificate authentication): When selected, allows authentication using encrypted HTTPS connections.
  Change the Port settings if you want to use a different port for the authentication interface. The default port is 443.
HTTPS Settings: Opens the Browser-Based User Authentication HTTPS Configuration dialog box.
TLS Profile (Required for client certificate authentication): The TLS Profile element that defines TLS settings for HTTPS connections for authentication, and the trusted certificate authority for client certificate authentication. Click Select to select a TLS Profile element.
Use Client Certificates for Authentication: When selected, the NGFW Engine allows users to authenticate using X.509 certificates. Client certificate authentication is supported for browser-based user authentication.
Always Use HTTPS: When selected, redirects connections to the HTTPS port and enforces the use of HTTPS if the engine also listens on other ports.
Authentication Time-Out: Defines the length of time after which authentication expires and users must reauthenticate.
Listen on Interfaces: Restricts the interfaces that users can authenticate through.
  • All — Users can authenticate through all interfaces.
  • Selected — Users can only authenticate through the selected interfaces.
User Authentication Page: Select the User Authentication Page element that defines the look of the logon page, challenge page, and status page shown to end users when they authenticate.
Enable Session Handling (Optional): When selected, enables cookie-based strict session handling.
  Note: When Enable Session Handling is selected, the Authentication Idle Time-Out option is not available. The Refresh Status Page Every option defines the authentication timeout.
Authentication Idle Time-Out: Defines an idle timeout for user authentication.
  If there have been no new connections within the specified time limit after the closing of a user's previous connection, the user is removed from the list of authenticated users.
Refresh Status Page Every (Optional): Defines how often the status page is automatically refreshed.
  When Enable Session Handling is selected, defines the authentication timeout.

Engine Editor – Add-Ons – User Identification

Use this branch to select a User Identification Service element for the engine. The Forcepoint User ID Service, McAfee Logon Collector, and Integrated User ID Service provide user, group, and IP address information that can be used in transparent user identification.

User Identification Service: Specifies the Forcepoint User ID Service, the McAfee Logon Collector, or the Integrated User ID Service that associates IP addresses with users for transparent user identification.
  The Integrated User ID Service is primarily meant for demonstration purposes and proof-of-concept testing of user identification services.
  • Select — Allows you to select an existing Forcepoint User ID Service, McAfee Logon Collector, or Integrated User ID Service element.
  • None — Disables transparent user identification.
  Note: McAfee Logon Collector is only supported in Forcepoint NGFW version 5.8 or higher. For Forcepoint NGFW version 6.4 or higher, we recommend that you use the Forcepoint User ID Service.

Engine Editor – Add-Ons – Sidewinder Proxy

Use this branch to enable and configure Sidewinder Proxies on the engine.

Enable: When selected, enables Sidewinder Proxy.
Sidewinder Logging Profile: The selected Sidewinder Logging Profile element for the engine. Click Select to open the Select Element dialog box, where you can select a Sidewinder Logging Profile.
SSH Proxy: Settings specific to the SSM SSH Proxy.
SSH Known Hosts Lists: The selected SSH Known Hosts List elements for the engine.
Add: Opens the SSH Known Hosts Lists dialog box, where you can select an SSH Known Hosts List.
Remove: Removes the selected element from the list.
Host Keys: The SSH host keys used by the firewall when it acts as the SSH server in a connection that uses the SSM SSH Proxy.
Key Type: Shows the signature algorithm used for the host key.
Key Length: Shows the length of the host key.
SHA256 Fingerprint: Shows the SHA256 fingerprint of the host key.
SSH Proxy Services: The SSH Proxy Service element with which the host key is used. Double-click the field to open the Select Element dialog box, where you can select a Service element.
Comment (Optional): A comment for your own reference.
Add: Opens the Generate New Host Key dialog box.
Remove: Removes the selected host key from the list.
Import: Opens the Import Host Key dialog box, where you can import an existing host key.
Advanced Settings: Opens the Advanced Sidewinder Proxy Settings dialog box.
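How the SHA256 Fingerprint column relates to a host key, as an added example that is not part of this documentation or of the product: the OpenSSH-style fingerprint is the SHA-256 digest of the wire-format public key blob, base64-encoded without padding. The code below parses a public key line, checks that the blob's embedded type matches the declared type, and computes the fingerprint so that the value shown in the Host Keys table can be compared against what an SSH client has recorded. The ssh-ed25519 key bytes are constructed, not a real key.

```python
import base64
import hashlib
import struct
from typing import Tuple


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_blob(raw_public_key: bytes) -> bytes:
    """Wire-format ssh-ed25519 public key blob (RFC 8709): string type, string key."""
    if len(raw_public_key) != 32:
        raise ValueError("ed25519 public key must be exactly 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_public_key)


def parse_public_key_line(line: str) -> Tuple[str, bytes]:
    """Parse '<type> <base64 blob> [comment]' and return (type, decoded blob).

    The blob's leading string must repeat the type field; a mismatch means the
    line was edited or corrupted and must not be trusted.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type field does not match the blob")
    return key_type, blob


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(SHA-256(blob)) without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_matches(line: str, expected: str) -> bool:
    """True when the fingerprint of the key on `line` equals the displayed value."""
    _, blob = parse_public_key_line(line)
    return sha256_fingerprint(blob) == expected


# Constructed sample: the bytes 0x01..0x20 stand in for an ed25519 public key.
SAMPLE_RAW_KEY = bytes(range(1, 33))
SAMPLE_LINE = (
    "ssh-ed25519 "
    + base64.b64encode(build_ed25519_blob(SAMPLE_RAW_KEY)).decode("ascii")
    + " sample-host"
)

if __name__ == "__main__":
    key_type, blob = parse_public_key_line(SAMPLE_LINE)
    print(key_type, sha256_fingerprint(blob))
```

The fingerprint covers the whole blob, including the type string, so two keys that share raw key bytes but differ in algorithm name produce different fingerprints; comparing the full "SHA256:" string, not a prefix of it, is the check that matters.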

Engine Editor – Add-Ons – OPC UA Inspection

Use this branch to change inspection settings for open platform communications unified architecture (OPC UA). For information about OPC UA, see Knowledge Base article 12491.

Engine Editor – Policies

Use this branch to view information about the policy that is installed on the engine.

Engine Editor – Policies – Element-based NAT

Use this branch to add NAT definitions for element-based NAT. The NAT definition is also added to the elements that are included in the engine’s NAT configuration.

Use Default NAT Address for Traffic from Internal Networks: The engine uses the default NAT address as the Public IP Address if there is not a more specific NAT definition that matches the traffic. When you select this option, a NAT rule is generated at the end of the NAT rules in the policy. If no NAT rule matches the traffic, no NAT is applied unless you enable the Default NAT Address.
Show Details: Opens the Default NAT Address Properties dialog box.
Add NAT Definition: Creates a NAT Definition element and opens the NAT Definition Properties dialog box.
Edit NAT Definition: Opens the NAT Definition Properties dialog box for an existing NAT Definition element.
Remove NAT Definition: Removes the selected row from the table.

Engine Editor – Policies – Automatic Rules

Use this branch to view a summary of currently used Automatic rules and change general settings for Automatic rules.

Option Definition
Allow Traffic to Authentication Ports

(Firewall/VPN role only)

When Yes is selected, allows traffic to the ports that are used for user authentication.
Allow Traffic from Listening IP Addresses to DNS Relay Port

(Firewall/VPN role only)

When Yes is selected, allows traffic from clients in the internal network to the standard DNS ports (53/TCP and 53/UDP) on the interfaces that are selected as listening interfaces for DNS relay.
Allow Connections to Domain-Specific DNS Servers

(Firewall/VPN role only)

When Yes is selected, allows connections from the firewall to the domain-specific DNS servers specified in the DNS Relay Profile element that is selected for the firewall.
Allow Connections from Local DHCP Relay to Remote DHCP Server

(Firewall/VPN role only)

When Yes is selected, allows connections from interfaces on which DHCP relay is active to remote DHCP servers.
Log Level for Automatic Rules The log level for traffic that matches automatic rules.
  • None — Does not create any log entry.
  • Alert — Triggers an alert entry.
  • Essential — Creates a log entry that is shown in the Logs view and saved for further use.
  • Stored — Creates a log entry that is stored on the Log Server.
  • Transient — Creates a log entry that is displayed in the Current Events mode in the Logs view (if someone is viewing it) but is not stored.
Alert When Alert is selected, specifies the Alert element that is sent.
Reset to Default Settings Returns Automatic Rule changes to the default settings.

Engine Editor – Policies – Aliases

Use this branch to view and change alias translation values.

Option Definition
Alias Shows the name of the Alias element.
Value Right-click the Value cell and select one of the following options:
  • Edit Value — Opens the Alias Value Properties dialog box.
  • Set to Any — The Alias element matches any value.
  • Set to None — Disables translation for the Alias element.

Engine Editor – VPN

Use this branch to view the VPN Gateway elements associated with the engine, and the VPNs where the VPN Gateway elements are used. You can optionally add more VPN Gateway elements to the engine.

Option Definition
Add

(Optional)

Adds a VPN Gateway element to the engine. One VPN Gateway element is automatically created for each engine. You can use the same VPN Gateway element in multiple VPNs. You might need to add VPN Gateway elements if you want to use different endpoint IP addresses in different types of VPNs.
Remove Removes the selected item from the table.
Endpoints
Enabled When selected, the endpoint IP address is active.
Edit Opens the Properties dialog box for the endpoint.

Engine Editor – VPN – End-Points

Use this branch to change the endpoint settings that are used when the engine acts as a VPN gateway.

Option Definition
Enabled When selected, the endpoint IP address is active.
Name Shows the name of the endpoint. If the endpoint does not have a descriptive name, the IP address of the endpoint is shown.
IP Address Shows the IP address of the endpoint.
Mode The Connection Type element that defines how the endpoint is used in a Multi-Link configuration.
Options Shows the optional settings that have been selected for the endpoint.
Phase-1 ID Shows the value of the phase-1 ID that identifies the gateway during the IKE phase-1 negotiations.
VPN Type Shows the types of VPNs that the endpoint can be used in.
Edit Allows you to change the properties of the selected endpoint. Opens the Properties dialog box.

Engine Editor – VPN – SSL VPN Portal

Use this branch to change settings for the SSL VPN portal on the engine.

Option Definition
SSL VPN Portal Shows the SSL VPN Portal element that is selected for the engine. Click Select to select an SSL VPN Portal element for the engine.
Port (Optional) The port for client connections to the SSL VPN Portal. The default port is 443.
Allowed SSL/TLS Versions The versions of SSL and TLS that are allowed for connections to the SSL VPN Portal.
  • SSL 3.0
  • TLS 1.0
  • TLS 1.1
  • TLS 1.2
TLS Cryptography Suite Set The cryptographic suite for TLS connections to the SSL VPN Portal. Click Select to select a cryptographic suite for TLS connections to the SSL VPN Portal. Do not change the default setting unless you have a specific reason to do so.

Engine Editor – VPN – Sites

Use this branch to select the protected IP addresses that are behind the gateway.

Option Definition
Add and update IP addresses based on routing When selected, the site content updates automatically according to changes made in the routing configuration for the engine (for interfaces that are not disabled).
Note: When the option is not selected, you must manually define the addresses that you want to be routable through the VPN.
Search Opens a search field for the selected list.
Up Navigates up one level in the navigation hierarchy. Not available at the top level of the navigation hierarchy.
Tools
  • New — Creates an element of the specified type.
  • Show Deleted Elements — Shows elements that have been moved to the Trash.
Left pane Shows elements that you can add to the site definition.
Add Adds the selected element to the site content.
Remove Removes the selected element from the site content.
Search Opens a search field for the selected element list.
Up Navigates up one level in the navigation hierarchy. Not available at the top level of the navigation hierarchy.
New Creates an element of the specified type.
Tools
  • Expand All — Expands all levels of the status tree.
  • Collapse All — Collapses all levels of the status tree.
  • Refresh View — Updates the view.
Right pane Allows you to change the IP addresses that are included in the site definition.

Engine Editor – VPN – VPN Client

Use this branch to change settings that are used when the engine acts as a VPN Gateway in a mobile VPN.

Option Definition
Gateway Display Name If you want to display a different name for the Gateway to Mobile VPN users, enter the name for the VPN Gateway element.
VPN Type Defines the type of tunnels the mobile VPN supports.
  • IPsec VPN — The mobile VPN only supports IPsec tunnels.
  • SSL VPN — The mobile VPN only supports SSL VPN tunnels.
  • Both IPsec & SSL VPN — The mobile VPN supports IPsec and SSL VPN tunnels.
SSL Port

(SSL VPN only)

The port for SSL VPN tunnels.
TLS Cryptography Suite Set

(SSL VPN only)

The cryptographic suite for SSL VPN tunnels. Click Select to select an element.
Note: Do not change the default setting unless you have a specific reason to do so.
Authentication Timeout

(SSL VPN only)

The timeout for Stonesoft VPN Client user authentication.
Option Definition
Local Security Checks section Defines whether the Stonesoft VPN Client checks for the presence of basic security software to stop connections from risky computers.
  • Anti-Virus is enabled — Requires anti-virus software to be enabled on the computers of mobile VPN users.
  • Firewall is enabled — Requires firewall software to be enabled on the computers of mobile VPN users.
  • Windows Update is enabled — Requires the Windows Update service to be enabled on the computers of mobile VPN users.
Option Definition
Virtual Address section Options for configuring the Stonesoft VPN Client with virtual IP addresses assigned by a DHCP server for connections inside the VPN.
DHCP Mode Specifies how DHCP requests from VPN clients are sent.
  • Disabled (IPsec VPN type only) — DHCP is not enabled.
  • Direct — When selected, the engine sends a normal DHCP client broadcast message to a DHCP server located in a directly connected network.
    Note: This option is intended for backward compatibility with Forcepoint NGFW versions earlier than version 5.9.
  • Relay — When selected, the engine sends unicast DHCP relay messages for VPN clients’ DHCP requests.
Note: If SSL VPN or Both IPsec & SSL VPN is selected from the VPN Type drop-down list, only the Direct and Relay options are shown.
Interface

(Direct DHCP mode only)

The source address for the DHCP packets when querying the DHCP server (the interface toward the DHCP server).
Interface for DHCP Relay

(Relay DHCP mode only)

The source address for the DHCP packets when querying the DHCP server (the interface toward the DHCP server).
DHCP Server (NGFW < 5.9)

(Direct DHCP mode only)

The DHCP server that assigns IP addresses for the VPN clients.
Note: This option is intended for backward compatibility with Forcepoint NGFW versions earlier than version 5.9.
DHCP Servers

(Relay DHCP mode only)

The DHCP server that assigns IP addresses for the VPN clients. Click Add to add an element to the table, or Remove to remove the selected element.
Add Information (Optional) Specifies what VPN Client user information is added to the Remote ID option field in the DHCP Request packets.
  • Add User Information — When selected, VPN Client user information (in the form user@domain) is automatically added to the Remote ID option field in the DHCP Request packets.
  • Add Group Information — When selected, VPN Client user information (in the form group@domain) is automatically added to the Remote ID option field in the DHCP Request packets.
  • None — When selected, no user or user group information is added to the Remote ID option field in the DHCP Request packets.
Restrict Virtual Address Ranges When selected, the VPN gateway restricts the VPN clients’ addresses to the specified range, even if the DHCP server tries to assign some other IP address. Enter the IP address range in the field on the right.
Proxy ARP When selected, the engine acts as a proxy for the VPN clients’ ARP requests. Enter the IP address range for proxy ARP in the field on the right.
Option Definition
Secondary IPsec VPN Gateways section

(Optional)

(IPsec VPN type only)

Other IPsec VPN gateways to contact in case there is a disruption at the IPsec VPN gateway end (in the order of contact). Click Add to add a row to the table, or Remove to remove the selected row. Click Up or Down to move the selected element up or down.

Engine Editor – VPN – Certificates

Use this branch to change settings for automatic certificate management and trusted certificate authorities for VPNs.

Option Definition
Automated RSA Certificate Management When selected, RSA certificates are automatically created and renewed.
Note: Only the default certificate authority is used in automated RSA certificate management.
Trusted VPN Certificate Authorities Restricts which certificate authorities the VPN gateway trusts.
  • Trust all — The VPN gateway trusts all certificate authorities. This option is the default setting.
  • Trust only selected — The VPN gateway trusts only the certificate authorities that you select in the table.

Engine Editor – VPN – Advanced

Use this branch to change advanced VPN settings.

Option Definition
Gateway Settings The Gateway Settings element that defines performance-related VPN options.
TCP Tunneling Port Port used for tunneling Stonesoft VPN Client connections inside TCP connections to bypass intermediary traffic filters and NAT devices.
Translate IP Addresses Using NAT Pool When selected, the specified IP address range and port range are used for translating IP addresses of incoming Stonesoft VPN Client connections to internal networks.
IP Address Range IP address range for translating IP addresses of incoming Stonesoft VPN Client connections to internal networks.
Port Range Port range for translating IP addresses of incoming Stonesoft VPN Client connections to internal networks.

Engine Editor – Advanced Settings (Virtual NGFW Engines)

Use this branch to change system parameters for the Virtual NGFW Engine. These parameters control how the engine behaves under certain traffic conditions.

Option Definition
Encrypt Configuration Data By default, the configuration of the engine is stored in an encrypted format. Disable the encryption only if instructed to do so by Forcepoint support.
Bypass Traffic on Overload

(IPS only)

When selected, the engine dynamically reduces the number of inspected connections if the load is too high.

Some traffic might pass through without any access control or inspection if this option is selected. Bypassed traffic is not counted when a possible license throughput limit is enforced. The bypass does not affect traffic subject to TLS Inspection.

If this option is not selected, the engine inspects all connections. Some connections might not get through if the IPS engine gets overloaded.

Engine Editor – Advanced Settings – Traffic Handling

Use this branch to change advanced parameters that control how the engine handles traffic.

Option Definition
Connection Tracking Mode

(IPS engines and Layer 2 Firewalls only)

Layer 3 Connection Tracking Mode

(Firewalls only)

When connection tracking is enabled, reply packets are allowed as part of the allowed connection without an explicit Access rule.

You can override this engine-specific setting and configure connection tracking for TCP, UDP, and ICMP traffic in Access rules.

  • Normal — The engine drops ICMP error messages related to connections that are not currently active in connection tracking. A valid, complete TCP handshake is required for TCP traffic. The engine checks the traffic direction and the port parameters of UDP traffic.
  • Strict — The engine does not permit TCP traffic to pass through before a complete, valid TCP handshake is performed.
  • Loose — The engine allows some connection patterns and address translation operations that are not allowed in the Normal mode. This mode can be used, for example, if routing is asymmetric and cannot be corrected or if the use of dynamic routing protocols causes the engine to receive non-standard traffic patterns.
On Firewalls and Layer 2 Firewalls, Normal is the default setting. On IPS engines, Loose is the default setting.
Virtual Defragmenting

(Not Virtual NGFW Engines)

(Not editable on IPS engines)

When selected, fragmented packets are sent onwards using the same fragmentation as when they arrived at the engine.

When the engine receives fragmented packets, it defragments the packets for inspection. The original fragments are queued on the engine until the inspection is finished. If the option is not selected, the packets are sent onwards as if they had arrived unfragmented.

Strict TCP Mode for Deep Inspection

(Not Virtual NGFW Engines)

This option is included for backward compatibility with legacy Forcepoint NGFW software versions. Selecting this option has no effect on Forcepoint NGFW version 5.8.0 or later.
Concurrent Connection Limit

(Not Virtual NGFW Engines)

A global limit for the number of open connections. When the set number of connections is reached, the engine stops the next connection attempts until a previously open connection is closed.
Default Connection Termination in Access Policy

(IPS engines and Layer 2 Firewalls only)

Defines how connections that match Access rules with the Discard action are handled.
  • Terminate and Log Connection — Stops the matching connections. This option is the default setting.
  • Only Log Connection — Does not stop the matching connections. Creates a Terminate (passive) log entry for the matching connections. This option is useful for testing which types of connections are stopped.
Default Connection Termination in Inspection Policy Defines how connections that match rules with the Terminate action in the Inspection Policy are handled.
  • Terminate and Log Connection — Stops the matching connections. This option is the default setting.
  • Only Log Connection — Does not stop the matching connections. Creates a Terminate (passive) log entry for the matching connections. This option is useful for testing which types of connections are stopped.
Action When TCP Connection Does Not Start With a SYN Packet

(Firewalls only)

The engine refuses TCP connections if the TCP connection does not start with a SYN packet, even if the TCP connection matches an Access rule with the Allow action. The engine does not send a TCP reset if the TCP connection begins with a TCP reset packet.
  • Discard Silently — The connection is silently dropped.
  • Refuse With TCP Reset — The connection is refused, and a TCP reset packet is returned.

Engine Editor – Advanced Settings – SYN Rate Limits

Use this branch to change global SYN rate limits for the engine. SYN rate limits reduce the risk of SYN flood attacks against the engine.

Option Definition
SYN Rate Limits Limits for SYN packets sent to the engine.
  • None — SYN rate limits are disabled.
  • Automatic — The engine automatically calculates the Allowed SYNs per Second and Burst Size values for the interface based on the engine’s capacity and memory size.
  • Custom — Enter custom values for Allowed SYNs per Second and Burst Size.
Allowed SYNs per Second

(Custom only)

The number of allowed SYN packets per second.
Burst Size

(Custom only)

The number of allowed SYNs before the engine starts limiting the SYN rate.
CAUTION:
We recommend setting the Burst Size value to at least one tenth of the Allowed SYNs per Second value. If the burst size is too small, SYN rate limits do not work. For example, if the value for Allowed SYNs per Second is 10000, the Burst Size value must be at least 1000.
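The Allowed SYNs per Second and Burst Size pair behaves like a token bucket. The following added example (not Forcepoint code; the token-bucket model, the assumption that the engine uses one, and the constructed traffic patterns are all assumptions) shows why a Burst Size below one tenth of the rate over-limits legitimate clients whose SYNs arrive in clumps, while a Burst Size that follows the CAUTION above passes that load and still caps a flood.

```python
"""Token-bucket model of the engine's SYN rate limit (added example, not Forcepoint code).

Assumption: the engine's internal algorithm is not documented here; a token bucket
with rate = Allowed SYNs per Second and depth = Burst Size is the model used below.
"""
from dataclasses import dataclass, field
from fractions import Fraction

US_PER_SEC = 1_000_000  # timestamps are integer microseconds


@dataclass
class SynRateLimit:
    allowed_per_second: int          # "Allowed SYNs per Second"
    burst_size: int                  # "Burst Size"
    tokens: Fraction = field(init=False)
    last_us: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.tokens = Fraction(self.burst_size)   # bucket starts full

    def admit(self, now_us: int) -> bool:
        """Return True if a SYN arriving at now_us is let through, False if it is rate-limited."""
        refill = Fraction((now_us - self.last_us) * self.allowed_per_second, US_PER_SEC)
        self.tokens = min(Fraction(self.burst_size), self.tokens + refill)
        self.last_us = now_us
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def burst_size_ok(allowed_per_second: int, burst_size: int) -> bool:
    """The CAUTION above: Burst Size should be at least one tenth of Allowed SYNs per Second."""
    return burst_size * 10 >= allowed_per_second


def clumped_stream(rate_per_second: int, clump_us: int, seconds: int) -> list[int]:
    """Constructed legitimate traffic: SYNs reach the engine in clumps every clump_us
    (for example 100 ms timer granularity) while averaging exactly rate_per_second."""
    per_clump = rate_per_second * clump_us // US_PER_SEC
    clumps = seconds * US_PER_SEC // clump_us
    return [k * clump_us for k in range(clumps) for _ in range(per_clump)]


def even_stream(rate_per_second: int, seconds: int) -> list[int]:
    """Constructed flood: SYNs evenly spaced at rate_per_second."""
    gap = US_PER_SEC // rate_per_second
    return [i * gap for i in range(rate_per_second * seconds)]


def simulate(limit: SynRateLimit, arrivals: list[int]) -> tuple[int, int]:
    """Feed sorted arrival times (microseconds) through the limit; return (accepted, dropped)."""
    accepted = 0
    for t in arrivals:
        if limit.admit(t):
            accepted += 1
    return accepted, len(arrivals) - accepted


if __name__ == "__main__":
    legit = clumped_stream(10_000, 100_000, 1)          # 10 000 SYN/s in 100 ms clumps
    flood = even_stream(50_000, 1)                       # 50 000 SYN/s constructed flood

    # Documented sizing: 10 000 SYN/s with Burst Size 1 000 passes the legitimate load untouched...
    print(simulate(SynRateLimit(10_000, 1_000), legit))  # (10000, 0)
    # ...and still caps the flood at roughly Burst Size + rate * 1 s.
    print(simulate(SynRateLimit(10_000, 1_000), flood))  # (10999, 39001)
    # Burst Size too small (100 < 10 000 / 10): nine tenths of the legitimate SYNs are dropped.
    print(burst_size_ok(10_000, 100))                    # False
    print(simulate(SynRateLimit(10_000, 100), legit))    # (1000, 9000)
```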

Engine Editor – Advanced Settings – Log Handling

Use this branch to change log handling settings for the engine. You can use log handling settings to adjust logging when the log spool on the engine fills up.

Option Definition
Log Spooling Policy

(Not Virtual NGFW Engines)

Defines what happens when the engine’s log spool becomes full.
  • Stop Traffic — The engine stops processing traffic and goes offline.
  • Discard Log — Log entries are discarded in four stages, according to available space. Monitoring data is discarded first, followed by log entries marked as Transient and Stored, and finally log entries marked as Essential. The engine keeps processing traffic.
Log Compression

(Antispoofing Log Event Type for Firewalls only)

The maximum number of separately logged entries. When the defined limit is reached, a single Antispoofing log entry or Discard log entry is logged. The single entry contains information about the total number of the generated Antispoofing log entries or Discard log entries. After this, logging returns to normal and all generated entries are logged and displayed separately.
Note: Do not enable Log Compression if you want all Antispoofing and Discard entries to be logged as separate log entries (for example, for reporting or statistics).
Set to Default Returns Log Compression changes to the default settings.

Engine Editor – Advanced Settings – Scan Detection

Use this branch to change scan detection settings for the engine. You can use scan detection to count the number of connections or connection attempts within a time window and set a threshold after which an alert is generated.

Option Definition
Scan Detection Mode When you enable scan detection, the number of connections or connection attempts within a time window is counted.
  • Disabled — Scan detection is not enabled.
  • Off (Can Be Overridden in Policy) — Scan detection is not enabled, but you can override this setting in individual Access rules. This option is the default setting.
  • On (Can Be Overridden in Policy) — Scan detection is enabled. You can override this setting in individual Access rules if scan detection is not needed or to avoid false positives.
Create a log entry when the system detects section

Allows you to set thresholds for creating log entries. When the specified number of events for the specified time period is exceeded, log entries are created.

The following options are available for each protocol:

  • events in — Specifies the maximum number of events. The default value is 220.
  • Time period field — Specifies the time period. The default value is 1.
  • Time unit drop-down list — Specifies the unit of time. The default value is Minutes.
Log Level Specifies the log level for the log entries.
  • Transient — Creates a log entry that is displayed in the Current Events mode in the Logs view, but is not stored.
  • Stored — Creates a log entry that is stored on the Log Server.
  • Essential — Creates a log entry that is shown in the Logs view and saved for further use.
  • Alert — Triggers the alert you select.
Alert When the Log Level is set to Alert, specifies the Alert that is sent.
Severity When the Log Level is set to Alert, allows you to override the severity defined in the Alert element.
Set to Default Returns Scan Detection changes to the default settings.
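The threshold described above (a number of events within a time period, 220 events in 1 Minutes by default) is a sliding-window count per source. The following added example (not Forcepoint code; the per-source sliding window, the reset after each entry and the constructed connection records are assumptions) runs such a detector over sample records and produces log entries at the configured Log Level.

```python
"""Sliding-window scan detection modelled on the "Create a log entry when the system
detects ... events in ... Minutes" thresholds (added example, not Forcepoint code).

Assumption: the engine's counting and reset behaviour is not documented here; this
model counts connection attempts per source IP address in a sliding window and
emits one log entry each time the threshold is exceeded.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

UNIT_SECONDS = {"Seconds": 1, "Minutes": 60, "Hours": 3600}


@dataclass(frozen=True)
class ScanThreshold:
    events: int = 220        # "events in" default
    period: int = 1          # "Time period" default
    unit: str = "Minutes"    # "Time unit" default

    @property
    def window_seconds(self) -> int:
        return self.period * UNIT_SECONDS[self.unit]


def parse_record(line: str) -> tuple[int, str, str, int]:
    """Parse a constructed connection record 't=<seconds> src=<ip> dst=<ip> dport=<port>'."""
    kv = dict(part.split("=", 1) for part in line.split())
    return int(kv["t"]), kv["src"], kv["dst"], int(kv["dport"])


def detect_scans(lines, threshold=ScanThreshold(), log_level="Stored", alert=None):
    """Return the log entries a scan detector would create for the given records (oldest first)."""
    recent = defaultdict(deque)   # src -> timestamps of attempts inside the current window
    entries = []
    for line in lines:
        ts, src, dst, dport = parse_record(line)
        window = recent[src]
        window.append(ts)
        while ts - window[0] >= threshold.window_seconds:   # evict attempts that fell out of the window
            window.popleft()
        if len(window) > threshold.events:                  # threshold "exceeded", not merely reached
            entries.append({
                "time": ts, "src": src, "last_dst": dst, "last_dport": dport,
                "events": len(window), "window_s": threshold.window_seconds,
                "log_level": log_level,
                "alert": alert if log_level == "Alert" else None,   # Alert element only applies at that level
            })
            window.clear()   # start a new count so one scan yields one entry per window
    return entries


def constructed_records() -> list[str]:
    """Constructed sample: one host probes 230 ports in 46 s, another makes 50 normal connections over 5 min."""
    scanner = [f"t={i // 5} src=198.51.100.7 dst=203.0.113.10 dport={1 + i}" for i in range(230)]
    normal = [f"t={i * 6} src=198.51.100.20 dst=203.0.113.10 dport=443" for i in range(50)]
    return sorted(scanner + normal, key=lambda rec: parse_record(rec)[0])


if __name__ == "__main__":
    for entry in detect_scans(constructed_records(), log_level="Alert", alert="Scan Alert"):
        print(entry)   # one entry for 198.51.100.7 at t=44 with 221 events; none for the normal host
```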

Engine Editor – Advanced Settings – DoS Protection

Use this branch to configure protection that can help prevent Denial of Service (DoS) attacks.

Option Definition
Rate-Based DoS Protection Mode Enables or disables DoS protection, which can help prevent Denial of Service (DoS) attacks.
  • Disabled — DoS protection is not enabled.
  • Off (Can Be Overridden in Policy) — DoS protection is not enabled, but you can override this setting in individual Access rules. This option is the default setting.
  • On (Can Be Overridden in Policy) — DoS protection is enabled. You can override this setting in individual Access rules.
SYN Flood Sensitivity When SYN flood protection is activated, the NGFW Engine acts as a SYN proxy. The engine completes the TCP handshake with the client, and only initiates the connection with the server after the client has completed the TCP handshake.
  • Off — SYN flood protection is not enabled.
  • Low — Allows the most SYN-ACK timeouts before the engine requires a full TCP handshake with the client before it communicates with a server.
  • Medium — Allows a medium number of SYN-ACK timeouts before the engine requires a full TCP handshake with the client before it communicates with a server. This option is the default setting.
  • High — Allows the fewest SYN-ACK timeouts before the engine requires a full TCP handshake with the client before it communicates with a server.
Limit for Half-Open TCP Connections

(Optional)

Set the maximum number of half-open TCP connections per destination IP address. The minimum is 125, the maximum is 100 000. When the limit is exceeded, the SYN flood protection is activated, and log data is generated.
Slow HTTP Request Sensitivity The NGFW Engine analyzes the data transfer rate and length of time it takes to read the header fields of the HTTP request. If the sender of the request tries to keep the connection open for an unreasonable length of time, the NGFW Engine blacklists the sender’s IP address for a specified length of time.
  • Off — Slow HTTP Request Protection is not enabled.
  • Low — Allows the slowest data transfer rate before the blacklist timeout is applied. This option is the default setting.
  • Medium — Allows a moderately slow data transfer rate before the blacklist timeout is applied.
  • High — Allows the least slow data transfer rate before the blacklist timeout is applied.
Slow HTTP Request Blacklist Timeout The length of time for blacklisting IP addresses that are suspected of sending malicious traffic. Enter the time in seconds (the default is 300).
TCP Reset Sensitivity When enabled, the NGFW Engine detects the sequence numbers of the TCP RST segments to determine whether it is under a TCP Reset attack. You cannot override this setting in individual Access rules.
  • Off — TCP reset protection is not enabled. This option is the default setting.
  • Low — Allows the most TCP reset requests before the engine considers itself to be under attack.
  • Medium — Allows a medium number of TCP reset requests before the engine considers itself to be under attack.
  • High — Allows the fewest TCP reset requests before the engine considers itself to be under attack.
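The Limit for Half-Open TCP Connections option above counts connections per destination IP address that have been opened with a SYN but not completed. The following added example (not Forcepoint code; how the engine ages half-open entries and when it deactivates the SYN proxy are not documented here and are assumptions, as is the constructed traffic) tracks that count from client-side TCP segments, enforces the documented 125 to 100 000 bounds, and records when SYN flood protection switches on and off.

```python
"""Half-open TCP connection counter per destination IP address, modelled on the
"Limit for Half-Open TCP Connections" option (added example, not Forcepoint code).

Assumption: the engine's counting and ageing are not documented here; this model
counts a connection as half-open from the client's SYN until the client's ACK,
RST or FIN, or until an assumed timeout removes it. Only client-to-server
segments are fed in.
"""
from collections import defaultdict
from dataclasses import dataclass, field

MIN_LIMIT, MAX_LIMIT = 125, 100_000   # documented bounds for the option


@dataclass
class HalfOpenTracker:
    limit: int
    timeout_s: int = 30                     # assumed time before an unanswered SYN is forgotten
    pending: dict = field(default_factory=lambda: defaultdict(dict))   # dst -> {(src, sport, dport): syn_time}
    syn_proxy_active: set = field(default_factory=set)                 # destinations under protection
    log: list = field(default_factory=list)                            # constructed log lines

    def __post_init__(self) -> None:
        if not MIN_LIMIT <= self.limit <= MAX_LIMIT:
            raise ValueError(f"limit must be between {MIN_LIMIT} and {MAX_LIMIT}")

    def _expire(self, now: int) -> None:
        for conns in self.pending.values():
            for key, syn_time in list(conns.items()):
                if now - syn_time >= self.timeout_s:
                    del conns[key]

    def half_open(self, dst: str) -> int:
        return len(self.pending[dst])

    def on_segment(self, now: int, src: str, dst: str, sport: int, dport: int, flags: str) -> bool:
        """Feed one client-side TCP segment; return True if SYN flood protection is active for dst."""
        self._expire(now)
        key = (src, sport, dport)
        conns = self.pending[dst]
        if flags == "SYN":                       # client opens: half-open until its ACK arrives
            conns[key] = now
        elif flags in ("ACK", "RST", "FIN"):     # handshake completed or connection torn down
            conns.pop(key, None)
        count = len(conns)
        if count > self.limit and dst not in self.syn_proxy_active:
            self.syn_proxy_active.add(dst)       # engine now completes handshakes itself (SYN proxy)
            self.log.append(f"t={now} dst={dst} half_open={count} limit={self.limit} action=syn_proxy_on")
        elif count <= self.limit and dst in self.syn_proxy_active:
            self.syn_proxy_active.discard(dst)   # assumed: protection is released once under the limit
            self.log.append(f"t={now} dst={dst} half_open={count} limit={self.limit} action=syn_proxy_off")
        return dst in self.syn_proxy_active


def constructed_flood(tracker: HalfOpenTracker, dst: str = "203.0.113.10", syns: int = 130) -> bool:
    """Constructed scenario: SYNs from many sources that never complete the handshake."""
    active = False
    for i in range(syns):
        active = tracker.on_segment(0, f"192.0.2.{i % 200 + 1}", dst, 40_000 + i, 80, "SYN")
    return active
```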

Engine Editor – Advanced Settings – Idle Timeouts

Use this branch to view and change the timeouts for removing idle connections from the state table, including non-TCP communications that are handled like connections.

Option Definition
Set to Default Returns idle timeout changes to the default settings.
The default values for the predefined protocols are:
  • ICMP — 5
  • Other — 180
  • TCP — 1800
  • UDP — 50
Add Adds the selected protocol to the table. Opens the Select timeout dialog box.
Remove Removes the selected row from the table.

Engine Editor – Advanced Settings – Authentication

Use this branch to configure advanced settings for user authentication.

Option Definition
Default User Domain The default LDAP domain from which the NGFW Engine looks up users.
Note: This setting applies to all user authentication, including browser-based user authentication, VPN clients, and the SSL VPN Portal.
Allow user lookup from known User Domain matching to client certificate email domain or UPN suffix When selected, the NGFW Engine looks up the user from the domain specified in the email address or user principal name before looking up the user in the default domain.
Note: This option is ignored when the value of the Client Certificate Identity Field for TLS option is Distinguished Name.
Client Certificate Identity Field for TLS The attribute that is used to look up the user entry from the user domain when using TLS. The NGFW Engine only uses values from the Active Directory or LDAP server that is associated with the global default LDAP domain or the engine-specific default user domain.
  • User Principal Name — The User Principal Name attribute on the Attributes tab of the Active Directory Server or LDAP Server element is used.
  • Email — The E-mail attribute on the Attributes tab of the Active Directory Server or LDAP Server element is used.
  • Distinguished Name — The specified value in the distinguished name is used.
    Note: If you select Distinguished Name, you must specify the identity search value on the Client Certificate tab of the Active Directory Server or the LDAP Server Properties dialog box.