Add Virtual IPS elements

Virtual IPS elements store the configuration information related to the Virtual IPS engines.

Selecting a Virtual Resource for the Virtual IPS element automatically adds the Virtual IPS element to the Master NGFW Engine where the Virtual Resource is used.

For more details about the product and how to configure features, click Help or press F1.

Steps

Select Configuration.
Right-click NGFW Engines and select New > IPS > Virtual IPS.
In the Name field, enter a unique name.
Next to the Virtual Resource field, click Select and select a Virtual Resource on the Master NGFW Engine to which you want to add the Virtual IPS.
(Optional) In the DNS IP Addresses field, add one or more IP addresses.
DNS IP addresses are IP addresses of external DNS servers. Virtual IPS engines use these DNS servers to resolve Domain names to IP addresses. Virtual IPS engines need DNS resolution to contact services that are defined using URLs or domain names, and to resolve fully qualified domain names (FQDNs) used in policies.
- To enter a single IP address manually, click Add and select IP Address. Enter the IP address in the dialog box that opens.
- To define an IP address using a network element, click Add and select Network Element.
(Optional) Next to the Category field, click Select and select one or more categories.
Click Save.
Do not close the Engine Editor.

Next steps

Configure interfaces for the Virtual IPS engine.

Engine Editor – common elements

Use the Engine Editor toolbar options to save changes to the engine configuration and refresh a policy on the engine. These options are shown no matter which branch of the Engine Editor you have open.

Option	Definition
Save	Validates and saves the changes. The Engine Editor tab stays open.
Save and Refresh	Validates and saves the changes, and refreshes the policy on the engine. The Engine Editor tab stays open.
Tools	Validate — Validates the changes without saving them. The Engine Editor tab stays open.

Engine Editor – General

Use this branch to change general engine settings for clustering, engine tester configuration, and administrator permissions.

Option	Definition
Name	The name of the element.
Log Server	Specifies the Log Server to which the engine sends the event data.
Version (Not available for clusters)	The version of the Forcepoint Next Generation Firewall software. Not editable.
Status (Not available for clusters)	Shows the configuration status of the engine. Not editable.
DNS IP Addresses (Optional)	Specifies the IP addresses of the DNS servers that the engine uses to resolve: Malware signature mirror Domain names URL filtering categorization services (Firewall/VPN role only) For DNS relay, specifies the IP addresses of external DNS servers to which the engine forwards DNS requests from clients in the internal network. If you have configured at least one Physical Interface with a dynamic IP address or one static NetLink with a DNS IP address, the default value of the DNS IP Addresses field is The engine uses NetLink-specific DNS IP addresses. Note: Specifying a value for the DNS IP Addresses field overrides NetLink-specific DNS IP addresses defined in the NetLink properties.
Add	Adds one or more IP addresses using the following options: IP Address — Adds an IP Address element that represents a single IP address. Network Element — Adds a Network element that represents a network space.
Remove	Removes one or more selected IP addresses from the DNS IP Addresses list.
Location	Specifies the location for the engine if there is a NAT device between the engine and other SMC components.
Category (Optional)	Includes the element in predefined categories. Click Select to select a category.
Tools Profile	Adds custom commands to the engine's right-click menu. Select — Select an existing Tools Profile element. None — Removes all previously selected Tools Profile elements. New — Create a Tools Profile element.
Comment (Optional)	A comment for your own reference.

Add IP Address dialog box

Use this dialog box to manually add DNS IP addresses to the engine.

Option	Definition
Enter a Manual IP Address	Adds the IP address of the DNS server.

Engine Editor – General – Permissions

Use this branch to change permissions settings to control the administration of the engines.

Option	Definition
Administrator Permissions section
Add	Adds an Access Control List.
Remove	Removes the selected Access Control List.
Add Permission	Adds a permission to the Administrator Permissions table.
Remove Permission	Removes the selected permission from the Administrator Permissions table.

Option	Definition
Local Administrators section
Administrator	Specifies the name of the local administrator, if local administrators have been defined for the engine.
Info	Specifies whether executing root-level commands with the sudo tool is allowed for the Local Administrator.

Option	Definition
Policies section
Allowed Policies	Shows the policies that are allowed to be installed on the engine.
Add	Adds the element to the Allowed Policies list.
Set to Any	Allows the installation of any policy.
Remove	Removes the selected element from the Allowed Policies list..

Engine Editor – General – SNMP

Use this branch to enable the NGFW Engine to send SNMP traps.

Option	Definition
SNMP Agent	Enables the NGFW Engine to send SNMP traps. Select — Select an existing SNMP Agent element. None — Disables the sending of SNMP traps. New — Create an SNMP Agent element.
SNMP Location	Specifies the SNMP location string that is returned on queries to the SNMPv2-MIB or SNMPv2-MIB-sysLocation object.
SNMP Engine ID (Single NGFW Engines and SNMPv3 only)	A unique identifier for the NGFW Engine that is used by the SNMP agent. The engine ID is used with a hash function to generate keys for authentication and encryption of SNMPv3 messages. If you do not specify the SNMP engine ID, an SNMP engine ID is automatically generated.
Listening IP Addresses	The IPv4 or IPv6 addresses from which SNMP traps are sent.
Add	Adds an interface and its IP addresses to the list. Opens the Select dialog box.
Remove	Removes the selected interface and its IP addresses from the list.

Engine Editor – Interfaces

Use this branch to configure the necessary interfaces and IP addresses for the engine.

Option	Definition
Add	Adds an interface or IP address of the specified type: Layer 3 Physical Interface (Available for Single Firewalls, Firewall Clusters, Virtual Firewalls, and Master NGFW Engines in the Firewall/VPN role) Layer 2 Physical Interface (Available for Single Firewalls, Firewall Clusters, Virtual Firewalls, and Master NGFW Engines in the Firewall/VPN role) Physical Interface (Available for all engine types except Single Firewalls, Firewall Clusters, Virtual Firewalls, and Master NGFW Engines in the Firewall/VPN role) VLAN Interface (Available for all engine types) IPv4 Address (Not available for Virtual IPS engines or Virtual Layer 2 Firewalls) IPv6 Address (Not available for Virtual IPS engines or Virtual Layer 2 Firewalls) ADSL Interface (Available for Single Firewalls and Firewall Clusters) Tunnel Interface (Available for Single Firewalls, Firewall Clusters, and Virtual Firewalls) Modem Interface (Available for Single Firewalls) Wireless Interface (Available for Single Firewalls) SSID Interface (Available for Single Firewalls) Switch (Available for Single Firewalls) Port Group Interface (Available for Single Firewalls) CAUTION: Physical Interfaces for Virtual NGFW Engines are automatically created based on the interface configuration in the Master NGFW Engine properties. The number of Physical Interfaces depends on the number of interfaces allocated to the Virtual NGFW Engine in the Master NGFW Engine. Physical Interfaces that you add to Virtual NGFW Engines might not be valid.
Edit	Allows you to change the properties of the interface or IP address.
Remove	Removes the selected interface or IP address from the table.

Engine Editor – Add-Ons

Use this branch to view a summary of the add-on features and the status of each feature.

Engine Editor – Add-Ons – TLS Inspection

Use this branch to activate TLS inspection on the engine. You can configure TLS inspection for client or server protection.

Option	Definition
Client Protection Certificate Authority	Select the Client Protection Certificate Authority element for client protection.
TLS Credentials	Specifies the Server Protection Credentials elements that are used for server protection. Click Add to add an element to the list, or Remove to remove the selected element.
Check Certificate Revocation	When selected, the NGFW Engine uses CRL or OCSP to check whether certificates have been revoked.
Decrypt All Traffic	When selected, the NGFW Engine forces all traffic to be decrypted. When the checkbox is not selected, the NGFW Engine either decrypts or does not decrypt traffic according to the settings in TLS Match elements.
Cryptography Suite Set	Specifies the TLS Cryptography Suite Set element that defines which cryptographic algorithms are allowed for TLS traffic. Click Select to select an element.

Engine Editor – Add-Ons – OPC UA Inspection

Use this branch to change inspection settings for open platform communications unified architecture (OPC UA). For information about OPC UA, see Knowledge Base article 12491.

Engine Editor – Policies

Use this branch to view information about the policy that is installed on the engine.

Engine Editor – Policies – Automatic Rules

Use this branch to view a summary of currently used Automatic rules and change general settings for Automatic rules.

Option	Definition
Allow Traffic to Authentication Ports (Firewall/VPN role only)	When Yes is selected, allows traffic to the ports that are used for user authentication.
Allow Traffic from Listening IP Addresses to DNS Relay Port (Firewall/VPN role only)	When Yes is selected, allows traffic from clients in the internal network to the standard DNS ports (53/TCP and 53/UDP) on the interfaces that are selected as listening interfaces for DNS relay.
Allow Connections to Domain-Specific DNS Servers (Firewall/VPN role only)	When Yes is selected, allows connections from the firewall to the domain-specific DNS servers specified in the DNS Relay Profile element that is selected for firewall.
Allow Connections from Local DHCP Relay to Remote DHCP Server (Firewall/VPN role only)	When Yes is selected, allows connections from interfaces on which DHCP relay is active to remote DHCP servers.
Log Level for Automatic Rules	The log level for traffic that matches automatic rules. None — Does not create any log entry. Alert — Triggers an alert entry. Essential — Creates a log entry that is shown in the Logs view and saved for further use. Stored — Creates a log entry that is stored on the Log Server. Transient — Creates a log entry that is displayed in the Current Events mode in the Logs view (if someone is viewing it) but is not stored.
Alert	When Alert is selected, specifies the Alert element that is sent.
Reset to Default Settings	Returns Automatic Rule changes to the default settings.

Engine Editor – Policies – Aliases

Use this branch to view and change alias translation values.

Option	Definition
Alias	Shows the name of the Alias element.
Value	Right-click the Value cell and select one of the following options: Edit Value — Opens the Alias Value Properties dialog box. Set to Any — The Alias element matches any value. Set to None — Disables translation for the Alias element.

Engine Editor – Advanced Settings (Virtual NGFW Engines)

Use this branch to change system parameters for the Virtual NGFW Engine. These parameters control how the engine behaves under certain traffic conditions.

Option	Definition
Encrypt Configuration Data	By default, the configuration of the engine is stored in an encrypted format. Disable the encryption only if instructed to do so by Forcepoint support.
Bypass Traffic on Overload (IPS only)	When selected, the engine dynamically reduces the number of inspected connections if the load is too high. Some traffic might pass through without any access control or inspection if this option is selected. Bypassed traffic is not counted when a possible license throughput limit is enforced. The bypass does not affect traffic subject to TLS Inspection. If this option is not selected, the engine inspects all connections. Some connections might not get through if the IPS engine gets overloaded.

Option

Definition

Encrypt Configuration Data

By default, the configuration of the engine is stored in an encrypted format. Disable the encryption only if instructed to do so by Forcepoint support.

Bypass Traffic on Overload

(IPS only)

When selected, the engine dynamically reduces the number of inspected connections if the load is too high.

Some traffic might pass through without any access control or inspection if this option is selected. Bypassed traffic is not counted when a possible license throughput limit is enforced. The bypass does not affect traffic subject to TLS Inspection.

If this option is not selected, the engine inspects all connections. Some connections might not get through if the IPS engine gets overloaded.

Engine Editor – Advanced Settings – Traffic Handling

Use this branch to change advanced parameters that control how the engine handles traffic.

Option	Definition
Connection Tracking Mode (IPS engines and Layer 2 Firewalls only) Layer 3 Connection Tracking Mode (Firewalls only)	When connection tracking is enabled, reply packets are allowed as part of the allowed connection without an explicit Access rule. You can override this engine-specific setting and configure connection tracking for TCP, UDP, and ICMP traffic in Access rules. Normal — The engine drops ICMP error messages related to connections that are not currently active in connection tracking. A valid, complete TCP handshake is required for TCP traffic. The engine checks the traffic direction and the port parameters of UDP traffic. Strict — The engine does not permit TCP traffic to pass through before a complete, valid TCP handshake is performed. Loose — The engine allows some connection patterns and address translation operations that are not allowed in the Normal mode. This mode can be used, for example, if routing is asymmetric and cannot be corrected or if the use of dynamic routing protocols causes the engine to receive non-standard traffic patterns. On Firewalls and Layer 2 Firewalls, Normal is the default setting. On IPS engines, Loose is the default setting.
Virtual Defragmenting (Not Virtual NGFW Engines) (Not editable on IPS engines)	When selected, fragmented packets are sent onwards using the same fragmentation as when they arrived at the engine. When the engine receives fragmented packets, it defragments the packets for inspection. The original fragments are queued on the engine until the inspection is finished. If the option is not selected, the packets are sent onwards as if they had arrived unfragmented.
Strict TCP Mode for Deep Inspection (Not Virtual NGFW Engines)	This option is included for backward compatibility with legacy Forcepoint NGFW software versions. Selecting this option has no effect on Forcepoint NGFW version 5.8.0 or later.
Concurrent Connection Limit (Not Virtual NGFW Engines)	A global limit for the number of open connections. When the set number of connections is reached, the engine stops the next connection attempts until a previously open connection is closed.
Default Connection Termination in Access Policy (IPS engines and Layer 2 Firewalls only)	Defines how connections that match Access rules with the Discard action are handled. Terminate and Log Connection — Stops the matching connections. This option is the default setting. Only Log Connection — Does not stop the matching connections. Creates a Terminate (passive) log entry for the matching connections. This option is useful for testing which types of connections are stopped.
Default Connection Termination in Inspection Policy	Defines how connections that match rules with the Terminate action in the Inspection Policy are handled. Terminate and Log Connection — Stops the matching connections. This option is the default setting. Only Log Connection — Does not stop the matching connections. Creates a Terminate (passive) log entry for the matching connections. This option is useful for testing which types of connections are stopped.
Action When TCP Connection Does Not Start With a SYN Packet (Firewalls only)	The engine refuses TCP connections if the TCP connection does not start with a SYN packet, even if the TCP connection matches an Access rule with the Allow action. The engine does not send a TCP reset if the TCP connection begins with a TCP reset packet. Discard Silently — The connection is silently dropped. Refuse With TCP Reset — The connection is refused, and a TCP reset packet is returned.

Engine Editor – Advanced Settings – SYN Rate Limits

Use this branch to change global SYN rate limits for the engine. SYN rate limits reduce the risk of SYN flood attacks against the engine.

Option	Definition
SYN Rate Limits	Limits for SYN packets sent to the engine. None — SYN rate limits are disabled. Automatic — The engine automatically calculates the Allowed SYNs per Second and Burst Size values for the interface based on the engine’s capacity and memory size. Custom — Enter custom values for Allowed SYNs per Second and Burst Size.
Allowed SYNs per Second (Custom only)	The number of allowed SYN packets per second.
Burst Size (Custom only)	The number of allowed SYNs before the engine starts limiting the SYN rate. CAUTION: We recommend setting the Burst Size value to at least one tenth of the Allowed SYNs per Second value. If the burst size is too small, SYN rate limits do not work. For example, if the value for Allowed SYNs per Second is 10000, the Burst Size value must be at least 1000.

Engine Editor – Advanced Settings – Log Handling

Use this branch to change log handling settings for the engine. You can use log handling settings to adjust logging when the log spool on the engine fills up.

Option	Definition
Log Spooling Policy (Not Virtual NGFW Engines)	Defines what happens when the engine’s log spool becomes full. Stop Traffic — The engine stops processing traffic and goes offline. Discard Log — Log entries are discarded in four stages, according to available space. Monitoring data is discarded first, followed by log entries marked as Transient and Stored, and finally log entries marked as Essential. The engine keeps processing traffic.
Log Compression (Antispoofing Log Event Type for Firewalls only)	The maximum number of separately logged entries. When the defined limit is reached, a single Antispoofing log entry or Discard log entry is logged. The single entry contains information about the total number of the generated Antispoofing log entries or Discard log entries. After this, logging returns to normal and all generated entries are logged and displayed separately. Note: Do not enable Log Compression if you want all Antispoofing and Discard entries to be logged as separate log entries (for example, for reporting or statistics).
Set to Default	Returns Log Compression changes to the default settings.

Engine Editor – Advanced Settings – Scan Detection

Use this branch to change scan detection settings for the engine. You can use scan detection to count the number of connections or connection attempts within a time window and set a threshold after which an alert is generated.

Option	Definition
Scan Detection Mode	When you enable scan detection, the number of connections or connection attempts within a time window is counted. Disabled — Scan detection is not enabled. Off (Can Be Overridden in Policy) — Scan detection is not enabled, but you can override this setting in individual Access rules. This option is the default setting. On (Can Be Overridden in Policy) — Scan detection is enabled. You can override this setting in individual Access rules if scan detection is not needed or to avoid false positives.
Create a log entry when the system detects section	Allows you to set thresholds for creating log entries. When the specified number of events for the specified time period is exceeded, log entries are created. The following options are available for each protocol: events in — Specifies the maximum number of events. The default value is 220. Time period field — Specifies the time period. The default value is 1. Time unit drop-down list — Specifies the unit of time. The default value is Minutes.
Log Level	Specifies the log level for the log entries. Transient — Creates a log entry that is displayed in the Current Events mode in the Logs view, but is not stored. Stored — Creates a log entry that is stored on the Log Server. Essential — Creates a log entry that is shown in the Logs view and saved for further use. Alert — Triggers the alert you select.
Alert	When the Log Level is set to Alert, specifies the Alert that is sent.
Severity	When the Log Level is set to Alert, allows you to override the severity defined in the Alert element.
Set to Default	Returns Scan Detection changes to the default settings.

Engine Editor – Advanced Settings – DoS Protection

Use this branch to configure protection that can help prevent Denial of Service (DoS) attacks.

Option	Definition
Rate-Based DoS Protection Mode	Enables or disables DoS protection, which can help prevent Denial of Service (DoS) attacks. Disabled — DoS protection is not enabled. Off (Can Be Overridden in Policy) — DoS protection is not enabled, but you can override this setting in individual Access rules. This option is the default setting. On (Can Be Overridden in Policy) — DoS protection is enabled. You can override this setting in individual Access rules.
SYN Flood Sensitivity	When SYN flood protection is activated, the NGFW Engine acts as a SYN proxy. The engine completes the TCP handshake with the client, and only initiates the connection with the server after the client has completed the TCP handshake. Off — SYN flood protection is not enabled. Low — Allows the most SYN-ACK timeouts before the engine requires a full TCP handshake with the client before it communicates with a server. Medium — Allows a medium number of SYN-ACK timeouts before the engine requires a full TCP handshake with the client before it communicates with a server. This option is the default setting. High — Allows the fewest SYN-ACK timeouts before the engine requires a full TCP handshake with the client before it communicates with a server.
Limit for Half-Open TCP Connections (Optional)	Set the maximum number of half-open TCP connections per destination IP address. The minimum is 125, the maximum is 100 000. When the limit is exceeded, the SYN flood protection is activated, and log data is generated.
Slow HTTP Request Sensitivity	The NGFW Engine analyzes the data transfer rate and length of time it takes to read the header fields of the HTTP request. If the sender of the request tries to keep the connection open for an unreasonable length of time, the NGFW Engine blacklists the sender’s IP address for a specified length of time. Off — Slow HTTP Request Protection is not enabled. Low — Allows the slowest data transfer rate before the blacklist timeout is applied. This option is the default setting. Medium — Allows a moderately slow data transfer rate before the blacklist timeout is applied. High — Allows the least slow data transfer rate before the blacklist timeout is applied.
Slow HTTP Request Blacklist Timeout	The length of time for blacklisting IP addresses that are suspected of sending malicious traffic. Enter the time in seconds (the default is 300).
TCP Reset Sensitivity	When enabled, the NGFW Engine detects the sequence numbers of the TCP RST segments to determine whether it is under a TCP Reset attack. You cannot override this setting in individual Access rules Off — TCP reset protection is not enabled. This option is the default setting. Low — Allows the most TCP reset requests before the engine considers itself to be under attack. Medium — Allows a medium number of TCP reset requests before the engine considers itself to be under attack. High — Allows the fewest TCP reset requests before the engine considers itself to be under attack.

Engine Editor – Advanced Settings – Idle Timeouts

Use this branch to view and change the timeouts for removing idle connections from the state table, including non-TCP communications that are handled like connections.

Option	Definition
Set to Default	Returns idle timeout changes to the default settings. The default values for the predefined protocols are: ICMP — 5 Other — 180 TCP — 1800 UDP — 50
Add	Adds the selected protocol to the table. Opens the Select timeout dialog box.
Remove	Removes the selected row from the table.

Engine Editor – Advanced Settings – Tunneling

Use this branch to change the packet tunneling settings for the engine.

Option	Definition
Limit for Rematching Tunneled Traffic	Specifies how many times the contents of tunneled packets can be rematched against the IPv6 Access rules or IPv4 Access rules when several layers of tunneling are encountered. The default is 1. When the limit is reached, the action defined in the Action if Limit is Exceeded setting is taken.
Action if Limit is Exceeded	Specifies whether remaining encapsulated packets inside the tunneling packet are allowed without further inspection or discarded. The default is to discard the remaining packets. When this action is triggered, you are notified according to the Log Level setting.
Log Level	Specifies whether you are notified through a normal (stored) log entry or an Alert when the limit for rematching tunneled traffic is reached.
Alert	If you selected Alert as the Log Level, select the Alert element that is used when an event triggers an alert. The Alert elements can be used for matching in Alert Policies.
Select	When Alert is selected, allows you to select the Alert element that is sent. Opens the Select Custom Alert dialog box.
Set to Default	Returns Tunneling changes to the default settings.