Open the advanced settings

To adjust advanced settings for an NGFW Engine, you must open the Engine Editor.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click an NGFW Engine, then select Edit <element type>.
  2. Browse to Advanced Settings.
  3. Adjust the settings.
  4. Click Save.

Engine Editor > Advanced Settings

Use this branch to change system parameters for the NGFW Engine. These parameters control how the NGFW Engine behaves under certain traffic conditions.

Option Definition
Encrypt Configuration Data By default, the configuration of the NGFW Engine is stored in an encrypted format. Disable the encryption only if instructed to do so by Forcepoint support.
Bypass Traffic on Overload

(IPS only)

When selected, the NGFW Engine dynamically reduces the number of inspected connections if the load is too high.

Some traffic might pass through without any access control or inspection if this option is selected. Bypassed traffic is not counted when a possible license throughput limit is enforced. The bypass does not affect traffic subject to TLS Inspection.

If this option is not selected, the NGFW Engine inspects all connections. Some connections might not get through if the IPS engine gets overloaded.

Contact Node Timeout

The maximum amount of time the Management Server tries to connect to an NGFW Engine.

A consistently slow network connection might require increasing this value. The default value is 120 seconds.

Note: Setting the timeout value too short or too long can delay or prevent contact between the Management Server and the NGFW Engines.
Auto Reboot Timeout Specifies the length of time after which an error situation is considered non-recoverable and the NGFW Engine automatically reboots. The default value is 10 seconds. Set to 0 to disable.
Policy Handshake When selected, the nodes automatically roll back to using the previously installed policy if connectivity is lost after installing a new policy.

Without this feature, you must switch to the previous configuration manually through the boot menu of the NGFW Engine.

Note: We recommend adjusting the timeout (next setting) rather than disabling this feature completely if there is a need to make changes.
Rollback Timeout The length of time the NGFW Engine waits for a management connection before it rolls back to the previously installed policy when the Policy Handshake option is active. The default value is 60 seconds.
Automated Node Certificate Renewal When selected, the NGFW Engine's certificate for system communications is automatically renewed before it expires. Otherwise, the certificate must be renewed manually.

Each certificate for system communications is valid for three years. If the certificate expires, other components refuse to communicate with the NGFW Engine.

Note: Does not renew VPN certificates. Automatic certificate renewal for internally signed VPN certificates is set separately in the NGFW Engine's VPN settings.
FIPS-Compatible Operating Mode

(Firewalls only)

When selected, activates a mode that is compliant with the FIPS (Federal Information Processing Standard) 140-2.
Note: You must also select FIPS-specific settings in the NGFW Configuration Wizard on the command line of the NGFW Engine. For more information, see How to install Forcepoint NGFW in FIPS mode.
Number of CPUs Reserved for Control Plane Select how many CPUs to reserve for control plane operations. In situations where there is exceptionally high traffic, in a denial of service attack, for example, this ensures that you can still monitor and control the NGFW Engine operation.
Note: The reserved CPUs cannot be used for traffic processing. Using fewer CPUs for traffic processing degrades performance.
Isolate Also Interfaces for System Communications When selected, the reserved CPUs handle the system communications traffic that pass through the Control Interfaces and dedicated primary Heartbeat Interfaces. We recommend that you only use this option when the Physical Interfaces used for system communications do not handle any other traffic.

Engine Editor > Advanced Settings > Traffic Handling

Use this branch to change advanced parameters that control how the NGFW Engine handles traffic.

Option Definition
Layer 3 Connection Tracking Mode

(Firewalls only)

Connection Tracking Mode

(IPS engines and Layer 2 Firewalls only)

When connection tracking is enabled, reply packets are allowed as part of the allowed connection without an explicit Access rule.

You can override this NGFW Engine-specific setting and configure connection tracking for TCP, UDP, and ICMP traffic in Access rules.

  • Normal — The NGFW Engine drops ICMP error messages related to connections that are not currently active in connection tracking. A valid, complete TCP handshake is required for TCP traffic. The NGFW Engine checks the traffic direction and the port parameters of UDP traffic.
  • Strict — The NGFW Engine does not permit TCP traffic to pass through before a complete, valid TCP handshake is performed.
  • Loose — The NGFW Engine allows some connection patterns and address translation operations that are not allowed in the Normal mode. This mode can be used, for example, if routing is asymmetric and cannot be corrected or if the use of dynamic routing protocols causes the NGFW Engine to receive non-standard traffic patterns.
On Firewalls and Layer 2 Firewalls, Normal is the default setting. On IPS engines, Loose is the default setting.
Virtual Defragmenting

(Not Virtual NGFW Engines)

(Not editable on IPS engines)

When selected, fragmented packets are sent onwards using the same fragmentation as when they arrived at the NGFW Engine.

When the NGFW Engine receives fragmented packets, it defragments the packets for inspection. The original fragments are queued until the inspection is finished. If the option is not selected, the packets are sent onwards as if they had arrived unfragmented.

Strict TCP Mode for Deep Inspection

(Not Virtual NGFW Engines)

This option is included for backward compatibility with legacy NGFW software versions.
Concurrent Connection Limit

(Not Virtual NGFW Engines)

A global limit for the number of open connections. When the set number of connections is reached, the NGFW Engine stops the next connection attempts until a previously open connection is closed.
Inspection CPU Balancing Mode Specifies how inspected connections are allocated between the CPUs. Select from the following options:
  • Default — The connection is allocated to the CPU that received the first packet of the connection. If the utilization on the CPU is high, a different CPU is dynamically selected. Incoming and outgoing packets might be handled by different CPUs.
  • Round Robin — Connections are allocated evenly between all CPUs in order. This option can improve CPU balancing when there are a large number of CPUs.
  • NUMA local Round Robin — Connections are balanced within the CPU that received the first packet of the connection. Incoming and outgoing packets are handled by the same CPU.
Active Wait Time Between Inspected Packets Defines how long the inspection process stays active waiting for packets after it has inspected a packet.
  • Short — The inspection process stays active for the minimum amount of time. This setting provides the best CPU performance, but can increase latency in inspection. This is the default setting.
  • Medium — The inspection process stays longer for a moderate amount of time. This setting provides a balance between CPU performance and latency in inspection.
  • Long — The inspection process stays active for the maximum amount of time. This setting provides the lowest latency in inspection, but decreases CPU performance.
Default Connection Termination in Access Policy

(IPS engines and Layer 2 Firewalls only)

Defines how connections that match Access rules with the Discard action are handled.
  • Terminate and Log Connection — Stops the matching connections. This option is the default setting.
  • Only Log Connection — Does not stop the matching connections. Creates a Terminate (passive) log entry for the matching connections. This option is useful for testing which types of connections are stopped.
Default Connection Termination in Inspection Policy Defines how connections that match rules with the Terminate action in the Inspection Policy are handled.
  • Terminate and Log Connection — Stops the matching connections. This option is the default setting.
  • Only Log Connection — Does not stop the matching connections. Creates a Terminate (passive) log entry for the matching connections. This option is useful for testing which types of connections are stopped.
Action When TCP Connection Does Not Start With a SYN Packet

(Firewalls only)

The NGFW Engine refuses TCP connections if the TCP connection does not start with a SYN packet, even if the TCP connection matches an Access rule with the Allow action. The NGFW Engine does not send a TCP reset if the TCP connection begins with a TCP reset packet.
  • Discard Silently — The connection is silently dropped.
  • Refuse With TCP Reset — The connection is refused, and a TCP reset packet is returned.