Create Master NGFW Engines or Virtual NGFW Engines
A Master NGFW Engine is a physical engine device that provides the resources for Virtual NGFW Engines. One physical Master NGFW Engine can support multiple Virtual NGFW Engines.
Selecting a Virtual Resource for the Virtual NGFW Engine automatically adds the Virtual NGFW Engine to the Master NGFW Engine where the Virtual Resource is used.
For more details about the product and how to configure features, click Help or press F1.
Steps
Engine Editor > Common elements
Use the Engine Editor toolbar options to save changes to the configuration and refresh the policy on the NGFW Engine.
Option | Definition |
---|---|
Save | Validates and saves the changes. |
Save and Refresh | Validates and saves the changes, and refreshes the policy on the NGFW Eengine. |
Tools menu | Validate — Validates the changes without saving them. |
Engine Editor > General
Use this branch to change general NGFW Engine settings.
Option | Definition |
---|---|
Name | The name of the element. |
Log Server | Specifies the Log Server to which the NGFW Engine sends event data. If the NGFW Engine is a Master NGFW Engine, the hosted Virtual NGFW Engines send log data to the same Log Server. |
Version
(Not available for clusters) |
The version of the Forcepoint Next Generation Firewall software. Not editable. |
Status
(Not available for clusters) |
Shows the configuration status of the NGFW Engine. Not editable. |
DNS IP Addresses
(Optional) |
Specifies the IP addresses of the DNS servers that the NGFW Engine uses. DNS IP addresses are IP addresses of external DNS servers. NGFW Engines use these DNS servers to resolve Domain names to IP addresses. NGFW Engines need DNS resolution to contact services that are defined using URLs or domain names, and to resolve fully qualified domain names (FQDNs) used in policies. (Firewall/VPN role only) For DNS relay, specifies the IP addresses of external DNS servers to which the NGFW Engine forwards DNS requests from clients in the internal network. When DNS relay is configured, these DNS servers are used unless domain-specific DNS servers are specified in a DNS Relay Profile element. If you have configured at least one Physical Interface with a dynamic IP address or one static NetLink with a DNS IP address, the default value of the DNS IP Addresses field is The engine uses NetLink-specific DNS IP addresses. Note: If you have defined NetLink-specific DNS IP addresses, adding DNS IP addresses overrides the
NetLink-specific DNS IP addresses.
Click Add to add an element to the table, or Remove to remove the selected element. Select one of the following options:
|
Geolocation | Specifies the geographical location of the NGFW Engine. |
Location | Specifies the location for the NGFW Engine if there is a NAT device between the NGFW Engine and other SMC components. |
Proof-of-Serial
(Appliances only) |
Shows the Proof-of-Serial code of the Forcepoint NGFW appliance. Not editable. |
Category (Optional) |
Includes the element in predefined categories. Click Select to select a category. |
Tools Profile | Adds commands to the right-click menu for the element. Click Select to select an element. |
Comment (Optional) |
A comment for your own reference. |
Engine Editor > General > Clustering
Use this branch to view nodes and add new nodes to the NGFW Engine cluster.
Option | Definition |
---|---|
Node ID (Not editable) |
Shows the ID number of the node. |
Name | Specifies the name of the node. Double-click the cell to edit the name. |
Configuration Status (Not editable) |
Shows the configuration status of the node. |
Version (Not editable) |
Shows the version of the NGFW Engine software that is installed on the engine. |
Comment (Optional) |
A comment for your own reference. |
SNMP Location | Specifies the SNMP location string that is returned on queries to the SNMPv2-MIB or SNMPv2-MIB-sysLocation object. |
SNMP Engine ID (SNMPv3 only) |
A unique identifier for each NGFW Engine node that is used by the SNMP agent. The engine ID is used with a hash function to generate keys for authentication and encryption of SNMPv3 messages. If you do not specify the SNMP engine ID, an SNMP engine ID is automatically generated. |
Disabled | Disables the node. You can enable the node later. |
Add Node | Adds a node to the cluster. Opens the Engine Node Properties dialog box. |
Edit Node | Allows you to change the properties of the selected node. Opens the Engine Node Properties dialog box. |
Remove Node | Deletes the selected node. The deleted node cannot be restored. |
Clustering Mode |
Note: Only standby clustering mode is supported for Layer 2 Firewall Clusters.
|
Clustering | Allows you to change advanced settings for the cluster. Opens the Advanced Cluster Settings dialog box. |
Engine Editor > General > Tester
Use this branch to configure the tester to run various checks on the NGFW Engines and initiate responses based on the success or failure of these tests.
Option | Definition |
---|---|
Global Settings section | |
Alert Interval | Specifies the time in minutes the system waits before sending a new alert when the same test keeps failing repeatedly. The default value is 60 minutes.
Note: If the interval is too short, the alerts can overload the system or the alert recipient.
|
Delay After | Specifies the time in seconds that the engine waits before it resumes running the tests after the listed events. The delays prevent false test failures
that can occur due to variations in how quickly different processes and subsystems can start and stop.
Note: The maximum value for all options is 1800.
|
Auto Recovery
(Clusters and Master NGFW Engines only) |
When selected, the engine automatically goes back online when a previously failed test completes successfully. Note: Run the test in both online and
offline states if you activate this option.
|
Boot Recovery | When selected, the engine automatically goes back online after a reboot if all offline tests report a success. |
Global Node Selection for Engine Tests | |
Filter | Allows you to filter the elements shown. |
A menu that contains various options, such as for creating new elements or showing elements that have been moved to the Trash. | |
Active | Shows whether the node is included in the tests that have been configured for the engine. Deselect to exclude a node from all engine tests. Tip: If you select ALL for the Node setting in the test properties, you can use the Global Node Selection
for Engine Tests table to exclude a specific node from the test.
|
Name | Specifies the name of the node. |
Node | Specifies the node ID. |
Set to Default | Returns tester changes to the default settings. |
Option | Definition |
---|---|
Engine Tests section | |
Filter | Allows you to filter the elements shown. |
A menu that contains various options, such as for creating new elements or showing elements that have been moved to the Trash. | |
Name | The name of the test. If you want to run more than one instance of the same test type with different parameters, give each test a unique name. |
Active | Shows whether the test is active. Deselect to deactivate a test. |
Node | Specifies whether the test applies to all nodes or a selected node. |
Interval | Specifies how often the test is run. The minimum interval is one second and the maximum is 86400 (one day). Note: We recommend a minimum interval of four
seconds. Running a test too frequently can increase overhead.
|
States | Shows the NGFW Engine states on which the test is run. |
Action | Specifies which action is taken if the test fails, and which type of notification is sent. |
Parameters | Shows some test details. |
Add | Adds a test to the table:
|
Edit | Allows you to change the test properties. |
Remove | Removes the test from the table. |
Engine Editor > General > Permissions
Use this branch to change permissions settings to control the administration of NGFW Engines.
Option | Definition |
---|---|
Administrator Permissions section | |
Access Control Lists | Shows the Access Control Lists that have been selected. Click Add to add an element to the list, or Remove to remove the selected element. |
Permissions | Shows the administrators that have permissions. Click Add Permission to add a row to the list, or Remove Permission to remove the selected row. Click the Administrator cell to select the administrator. |
Option | Definition |
---|---|
Local Administrators section | |
Administrator | If local administrators have been defined, shows the names. |
Info | Shows whether the local administrator can execute root-level commands with the sudo tool. |
Option | Definition |
---|---|
Policies section | |
Allowed Policies | Shows the policies that are allowed to be installed. Click Add to add an element to the list, or Remove to remove the selected element. To allow the installation of any policy, select Set to ANY. |
Engine Editor > General > DNS Relay
Use this branch to enable and configure DNS relay for firewalls.
Option | Definition |
---|---|
DNS Relay Profile | Allows you to select a DNS Relay Profile element.
|
Listening IP Addresses | The IP addresses to which clients in the internal network send DNS requests. Click Add to add an element to the list, or Remove to remove the selected element. |
Source for Domain-Specific DNS Queries | The IP addresses that are used as source IP addresses when the firewall makes domain-specific DNS queries. When According to Routing is selected, the source IP address is automatically selected based on the route to the external DNS server. |
Engine Editor > General > NTP
Use this branch to enable NTP time synchronization and select NTP servers for the NGFW Engine.
Option | Definition |
---|---|
Enable time synchronization from NTP server | When selected, the NGFW Engine uses an external NTP server for time synchronization. |
Preferred (Optional) |
When selected, the NGFW Engine uses the specified NTP server by default. |
NTP Server | Lists the available NTP servers. Double-click the cell to select an NTP server. Click Add to add a row to the table, or Remove to remove the selected row. |
Engine Editor > General > SNMP and LLDP
Use this branch to enable the NGFW Engine to send SNMP traps and to select the LLDP Profile for the NGFW Engine.
Option | Definition |
---|---|
SNMP section | |
SNMP Agent | Enables the NGFW Engine to send SNMP traps.
|
SNMP Location | Specifies the SNMP location string that is returned on queries to the SNMPv2-MIB or SNMPv2-MIB-sysLocation object. |
SNMP Engine ID (Single NGFW Engines and SNMPv3 only) |
A unique identifier for the NGFW Engine that is used by the SNMP agent. The engine ID is used with a hash function to generate keys for authentication and encryption of SNMPv3 messages. If you do not specify the SNMP engine ID, an SNMP engine ID is automatically generated. |
Listening IP Addresses | The IPv4 or IPv6 addresses from which SNMP traps are sent. Click Add to add an element to the list, or Remove to remove the selected element. |
LLDP section | |
LLDP Profile (NGFW Engines and Master NGFW Engines in the Firewall/VPN role only) |
The LLDP Profile element that specifies settings for LLDP announcements that the NGFW Engine announces. Click Select to select an element. |
Engine Editor > General > Layer 2 Settings
Use this branch to configure settings for layer 2 physical interfaces on Single Firewalls, Firewall Clusters, and Virtual Firewalls.
Option | Definition |
---|---|
Policy for Layer 2 Interfaces |
The Layer 2 Interface Policy that contains rules for traffic detected by layer 2 physical interfaces. All layer 2 physical interfaces on the NGFW Engine use the same Layer 2 Interface Policy. If there are no layer 2 physical interfaces, this setting is ignored. |
Layer 2 Interface Settings section | Defines settings for connection tracking on layer 2 physical interfaces. |
Layer 2 Connection Tracking Mode |
When connection tracking is enabled, reply packets are allowed as part of the allowed connection without an explicit Access rule. You can override this engine-specific setting and configure connection tracking for TCP, UDP, and ICMP traffic in Access rules.
|
Inline IPS and Capture Interface Settings section | Defines advanced settings for Inline IPS Interfaces and Capture Interfaces. |
Bypass Traffic on Overload |
When selected, the NGFW Engine dynamically reduces the number of inspected connections if the load is too high. Some traffic might pass through without any access control or inspection if this option is selected. Bypassed traffic is not counted when a possible license throughput limit is enforced. The bypass does not affect traffic subject to TLS Inspection. If this option is not selected, the NGFW Engine inspects all connections. Some connections might not get through if the engine gets overloaded. |
Engine Editor > Interfaces
Use this branch to configure the necessary interfaces and IP addresses for the NGFW Engine.
Option | Definition |
---|---|
Add | Adds an interface or IP address of the specified type:
CAUTION: Physical Interfaces for Virtual NGFW Engines are automatically created based on the interface
configuration in the Master NGFW Engine properties. The number of Physical Interfaces depends on the number of interfaces
allocated to the Virtual NGFW Engine in the Master NGFW Engine. Physical
Interfaces that you add to Virtual NGFW Engines might not be valid.
|
Edit | Allows you to change the properties of the interface or IP address. |
Remove | Removes the selected interface or IP address. |
Engine Editor > Interfaces > Interface Options
Use this branch to define which IP addresses are used in particular roles in the NGFW Engine's system communications.
Option | Definition |
---|---|
Control Interface
(Not Virtual Firewalls) |
Note: We recommend that you do not use the IP address of an Aggregated Link interface as the primary or secondary control IP address of the NGFW Engine.
|
Node-Initiated Contact to Management Server | When selected, the NGFW Engine opens a connection to the Management Server and maintains connectivity. This option is always
used with a dynamic control IP address, so it is always selected if the control IP address is dynamic. If the connection is not open when you command the NGFW Engine through the Management Client, the command is left pending until the NGFW
Engine opens the connection again. Note: This option is not supported for IPS Clusters, Layer 2 Firewall Clusters, or Virtual NGFW Engines.
|
Heartbeat Interface
(Clusters and Master NGFW Engines only) |
On Master NGFW Engines, you cannot use shared interfaces as a heartbeat interface. |
IPv4 Identity for Authentication Requests or IPv6 Identity for Authentication Requests |
The IPv4 address or IPv6 address of the selected interface is used when an NGFW Engine contacts an external authentication server. This option does not affect the routing of the connection with the authentication server. The IP address is used only as a parameter inside the authentication request payload to give a name to the request sender. |
IPv4 Source for Authentication Requests or IPv6 Source for Authentication Requests | By default, specifies the source IPv4 address or IPv6 address for authentication requests according to routing. If the authentication requests are sent to an external authentication server over VPN, select an interface with a Node Dedicated IP address that you want to use for the authentication requests. |
Default IP Address for Outgoing Traffic | Specifies the IP address that the NGFW Engine uses to initiate connections (such as for system communications and ping) through an interface that has no Node Dedicated IP Address. In clusters, you must select an interface that has an IP address defined for all nodes. |
Engine Editor > Interfaces > Virtual Resources
Use this branch to add Virtual Resources to the Master NGFW Engine.
Option | Definition |
---|---|
Add | Adds a Virtual Resource to the Master NGFW Engine. Opens the Virtual Resource Properties dialog box. |
Edit | Allows you to change the properties of the selected Virtual Resource. Opens the Virtual Resource Properties dialog box. |
Remove | Deletes the selected Virtual Resource. |
Engine Editor > Interfaces > Loopback
Use this branch to define loopback IP addresses for Firewalls. Loopback IP addresses allow you to assign IP addresses that do not belong to any directly connected networks to the Firewall.
Option | Definition |
---|---|
Bypass Default IP Address | Specifies how the source IP address for traffic sent from the NGFW Engine node is selected for tunnel interfaces that do not
have IP addresses.
|
Loopback addresses table | Click Add Row to add a row to the table, or Remove Row to remove the selected row. Click Up or Down to move the selected item up or down. |
Loopback Address | Enter the loopback IP address. |
CVI Address (Clusters only) |
Enter the loopback IP address for the cluster. |
Node NDI Address (Clusters only) |
Enter the node-specific loopback IP address. |
OSPFv2 Area | To advertise the loopback IP address as an OSPFv2 internal route, double-click the cell, then select an OSPFv2 Area element. |
Comment (Optional) |
A comment for your own reference. |
Engine Editor > Interfaces > ARP Entries
Use this branch to manually add ARP entries for IPv4 or neighbor discover entries for IPv6.
Option | Definition |
---|---|
Type |
|
Interface ID | The interface on which you want to apply this ARP entry |
IP Addresses | Enter an IPv4 or IPv6 address. |
MAC Address | Enter a MAC Address. |
Add ARP Entry | Adds an ARP entry. |
Remove ARP Entry | Removes the selected ARP entry. |
Engine Editor > Routing
Use this branch to view and change the routing configuration of the NGFW Engine.
Option | Definition |
---|---|
Filter | Allows you to view only the elements that match what you enter in the Filter field. |
Refresh View | Updates the view. |
Expand All | Expands all levels of the routing tree. |
Collapse All | Collapses all levels of the routing tree. |
Display Mode | Changes how the routing configuration is displayed.
|
Default Route | Allows you to view and create default routes that are used when there is no more specific route defined. Note: If the Automatic Default Route
setting is selected in the properties of the interface, default routes are created automatically for interfaces with dynamic IP addresses on single NGFW Engines.
|
Add Route | Allows you to add routes to specific destination networks.
|
Query Route | Allows you to search for routes.
|
Engine Editor > Routing > Dynamic Routing
Use this branch to configure dynamic routing for the engine. Dynamic routing enables firewalls to automatically change their routing when the network topology changes.
Option | Definition |
---|---|
BGP section | |
Enabled | When selected, the BGP protocol for dynamic routing is enabled. |
Router ID | Enter an ID for the Firewall. The ID must be unique. Often, the global IPv4 address is the ID. By default, the Router ID is automatically the loopback CVI address or the highest CVI address available on the Firewall Cluster. |
BGP Profile | Select the BGP Profile to use. The element contains distance, redistribution, and aggregation settings. |
Autonomous System | Select the Autonomous System (AS) to use. An AS represents a whole network or a series of networks. |
Announced Networks table | You can add hosts, networks, or groups that contain both hosts and networks. Click Add to add an element to the table, or Remove to remove the selected element. |
Option | Definition |
---|---|
OSPFv2 section | |
Enabled | When selected, the OSPFv2 protocol for dynamic routing is enabled. |
Router ID | Enter an ID for the Firewall. |
OSPFv2 Profile | Select the OSPFv2 Profile to use. The element contains distance, redistribution, and aggregation settings. |
Additional Networks to Automatically Add to Antispoofing | Elements that you add are automatically added under all interfaces (that have dynamic routing elements configured) on the Antispoofing branch in the Engine Editor. You can add hosts, networks, or groups that contain both hosts and networks. Click Add to add an element to the table, or Remove to remove the selected element. |
Engine Editor > Routing > Antispoofing
Use this branch to view and change the antispoofing configuration.
Option | Definition |
---|---|
Refresh View | Updates the view. |
Expand All | Expands all levels of the routing tree. |
Collapse All | Collapses all levels of the routing tree. |
Engine Editor > Routing > Multicast Routing
Use this branch to define static multicast, IGMP-based multicast forwarding, or PIM dynamic routing. Only IPv4 addresses are supported.
Option | Definition |
---|---|
Multicast Routing Mode | Specifies how the NGFW Engine routes multicast traffic.
|
Option | Definition |
---|---|
When Multicast Routing Mode is Static Click Add to add a row to the table, or Remove to remove the selected row. |
|
Source Interface | Select the interface to use for multicast routing. |
Source IP Address | Enter the unicast IP address of the multicast source. |
Destination IP Address | Enter the multicast destination IP address. The destination address must be within the multicast range of 224.0.0.0 to 239.255.255.255. |
Destination Interface | Right-click Destination Interface, then select Edit Destination Interface to select the interfaces where you want this multicast traffic forwarded. |
Comment (Optional) |
A comment for your own reference. |
Option | Definition |
---|---|
When Multicast Routing Mode is IGMP Proxy | |
Upstream Interface | Select the interface to use as the upstream interface. If the multicast servers and the hosts are in the local networks, or if you want to limit the multicast to the local networks, it is not necessary to define the upstream interface. In that case, leave Not Set selected. |
Upstream IGMP Version | Select the IGMP version according to the upstream network environment. The default IGMP version is version 3. |
Downstream Interfaces table Click Add to add a row to the table, or Remove to remove the selected row. |
|
Interface | Select the downstream interfaces. |
IGMP Querier Settings | Select an IGMP Querier Settings element according to the downstream network environment. The element defines the IGMP version and query parameters. |
Option | Definition |
---|---|
When Multicast Routing Mode is PIM | |
PIM Profile | Select a PIM Profile to use. The profile contains the multicast groups and determines the PIM mode that is used. |
MRoute Preference | Note: This option is not supported in this version of Forcepoint NGFW.
The routing table is used to specify reverse path forwarding (RPF)
information whenever multicast traffic from source addresses uses a different path than unicast traffic from the same source address.
|
Bootstrap Settings — see RFC 5059 for more information. | |
RP Candidate | If you want to use the firewall as a rendezvous point (RP) candidate, select an IP address. Otherwise, select Not a Candidate. |
RP Priority | Enter a value for the RP priority. |
Multicast Groups | Add the multicast IPv4 networks for which the firewall acts as an RP candidate. Click Add to add a row to the table, or Remove to remove the selected row. |
BSR Candidate | If you want to use the firewall as a bootstrap router (BSR) candidate, select an IP address. Otherwise, select Not a Candidate. |
BSR Priority | Enter a value for the BSR priority. |
Engine Editor > Routing > Policy Routing
Use this branch to define policy routing for the NGFW Engine.
Option | Definition |
---|---|
IPv4 Policy Routes or IPv6 Policy Routes | Enter the routing information in the appropriate table. Click Add to add a row to the table, or Remove to remove the selected row. Click Up or Down to move the selected element up or down. |
Source IP Address | Enter the source IP address. This IP address is always something other than the default 0.0.0.0 that matches any IP address. Such configurations can be handled more easily with the normal routing tools in the Routing pane. |
Source Netmask
(IPv4 only) |
Enter the netmask for the source IP address. |
Source Prefix
(IPv6 only) |
Enter the network prefix for the source IP address. |
Destination IP Address | Enter the destination IP address. |
Destination Netmask
(IPv4 only) |
Enter the netmask for the destination IP address. |
Destination Prefix
(IPv6 only) |
Enter the network prefix for the destination IP address. |
Gateway IP Address | Enter the IP address of the device to which packets that match the source/destination pair are forwarded. |
Comment (Optional) |
A comment for your own reference. |
Engine Editor > Add-Ons
Use this branch to view a summary of the add-on features and the status of each feature.
Engine Editor > Add-Ons > TLS Inspection
Use this branch to activate TLS inspection. You can configure TLS inspection for client or server protection.
Option | Definition |
---|---|
Client Protection Certificate Authority | Select the Client Protection Certificate Authority element to use for client protection. |
TLS Credentials | Specifies the Server Protection Credentials elements that are used for server protection. Click Add to add an element to the list, or Remove to remove the selected element. |
Check Certificate Revocation | When selected, the NGFW Engine uses CRL or OCSP to check whether certificates have been revoked. |
Decrypt All Traffic | When selected, the NGFW Engine forces all traffic to be decrypted. When the checkbox is not selected, the NGFW Engine either decrypts or does not decrypt traffic according to the settings in TLS Match elements. |
Cryptography Suite Set | Specifies the TLS Cryptography Suite Set element that defines which cryptographic algorithms are allowed for TLS traffic. Click Select to select an element. |
Engine Editor > Add-Ons > Endpoint Integration
Use this branch to enable endpoint integration on the engine and change the settings for the endpoint client communication.
Option | Definition |
---|---|
When Endpoint Service is Forcepoint Endpoint Context Agent | |
ECA Listener Certificate | The internal certificate for the NGFW Engine that listens for ECA traffic. The certificate is generated automatically when you save the ECA configuration. |
Signing CA | The internal CA that signed the certificate. |
ECA Configuration | The selected ECA Configuration element. Click Select to select an element. |
Source Networks | Add the networks or zones that contain the clients. The clients located in these networks or zones send endpoint information to this Firewall. Click Add to add an element to the table, or Remove to remove the selected element. |
Destination Networks | Add the networks or zones where outbound connections are going. The clients send endpoint information only if the destination address is located in these networks or zones.
If filtering based on both source address and destination address, both conditions must be met. Click Add to add an element to the table, or Remove to remove the selected element. |
Listening Interfaces | The interfaces or zones the NGFW Engine uses to listen for ECA traffic. Click Add to add an element to the table, or Remove to remove the selected element. |
Listening Port | The port on which the NGFW Engine listens for ECA traffic. |
Export Configuration for Endpoint Clients | Opens the Export ECA Configuration dialog box, where you can export an XML file that contains the ECA configuration and details of all the NGFW Engines that use the same ECA Configuration element. You must first save the NGFW Engine configuration. |
Option | Definition |
---|---|
When Endpoint Service is McAfee Endpoint Intelligence Agent (McAfee EIA) Note: McAfee Endpoint Intelligence Agent (McAfee EIA) is no longer supported in NGFW version 6.3.0 and later. We recommend
that you use Forcepoint Endpoint Context Agent instead.
|
|
ePO Server | The McAfee ePO server that you want the NGFW Engine to communicate with. Click Select to select an element. |
Endpoint Client Zones or Networks | The networks or zones in which the endpoint clients are located. Click Add to add an element to the table, or Remove to remove the selected element. |
Listen on Interfaces | The interfaces or zones the engine uses to listen for EIA traffic. Click Add to add an element to the table, or Remove to remove the selected element. |
Listening Port | The port on which the NGFW Engine listens for EIA traffic. |
Engine Editor > Add-Ons > User Authentication
Use this branch to enable user authentication. You can configure authentication using HTTP connections or encrypted HTTPS connections.
Option | Definition |
---|---|
Authentication Time-Out | Defines the length of time after which authentication expires and users must reauthenticate. |
Authentication Idle Time-Out | Defines an idle timeout for user authentication. If there have been no new connections within the specified time limit after the closing of a user's previous connection, the user is removed from the list of authenticated users. |
HTTP | When selected, allows authentication using plain HTTP connections. Change the Port number if you want to use a different port for the authentication interface. The default port is 80. |
HTTPS | When selected, allows authentication using encrypted HTTPS connections. Change the Port number if you want to use a different port for the
authentication interface. The default port is 443. This option is required for client certificate authentication. |
HTTPS Settings | Opens the Browser-Based User Authentication HTTPS Configuration dialog box. |
TLS Profile | The TLS Profile element that defines TLS settings for HTTPS connections for authentication, and the trusted certificate authority for client certificate authentication. Click Select to select an element. This option is required for client certificate authentication. |
Use Client Certificates for Authentication | When selected, the NGFW Engine allows users to authenticate using X.509 certificates. Client certificate authentication is supported for browser-based user authentication. |
Always Use HTTPS | When selected, redirects connections to the HTTPS port and enforces the use of HTTPS if the engine also listens on other ports. |
Listen on Interfaces | Restricts the interfaces that users can authenticate through.
|
User Authentication Page | Select the User Authentication Page element that defines the look of the logon page, challenge page, and status page shown to end users when they authenticate. |
Enable Session Handling
(Optional) |
When selected, enables cookie-based strict session handling. Note: When Enable Session Handling is selected, the
Authentication Idle Time-Out option is not available. The Refresh Status Page Every option defines the authentication
timeout.
|
Refresh Status Page Every
(Optional) |
Defines how often the status page is automatically refreshed. When Enable Session Handling is selected, defines the authentication timeout. |
Browser-Based User Authentication HTTPS Configuration dialog box
Use this dialog box to change the properties of an HTTPS certificate for browser-based user authentication.
Option | Definition |
---|---|
Organization (O) (Optional) |
The name of your organization as it appears in the certificate. |
Organization Unit (OU)
(Optional) |
The name of your department or division as it appears in the certificate. |
State/Province (ST)
(Optional) |
The name of state or province as it appears in the certificate. |
Locality (L)
(Optional) |
The name of the city as it appears in the certificate. |
Common Name (CN) | The value for the Common Name field in the certificate request. For server certificates, the value is typically the fully qualified domain name (FQDN). |
Key Length | The length of the key in bits. |
Sign | |
With External Certificate Authority | Select this option if you want to create a certificate request that another certificate authority signs. |
Internally with | Select this option to sign the certificate using an internal CA. If more than one valid internal CA is available, select the internal CA that signs the
certificate request. There can be multiple valid internal CAs in the following cases:
|
Generate Request | Generates the request. The certificate request is shown in the same dialog box. |
Option | Definition |
---|---|
Certificate Request — if signing with an external certificate authority | |
Subject Name | The identifier of the certified entity. |
Export | Opens the Export Certificate Request dialog box. |
Import Certificate | Opens the Import Certificate dialog box. |
Delete | Deletes the certificate request. |
Sign Internally | Signs the certificate with the Internal CA. If more than one valid internal CA is available, opens the Sign Certificate Request dialog box. |
Option | Definition |
---|---|
Certificate Request — if signing with an internal certificate authority | |
Subject Name | The identifier of the certified entity. |
Public Key Algorithm | The algorithm used for the public key. |
Key Length | The length of the key in bits. |
Serial Number | The sequence number of the certificate. The number is issued by the CA. |
Signature Algorithm | The signature algorithm that was used to sign the certificate. |
Signed By | The CA that signed the certificate. |
SubjectAltName | The subject alternative name fields of the certificate. |
Valid From | The start date of certificate validity. |
Valid To | The end date of certificate validity. |
Fingerprint (SHA-1) | The certificate fingerprint using the SHA-1 algorithm. |
Fingerprint (SHA-256) | The certificate fingerprint using the SHA-256 algorithm. |
Fingerprint (SHA-512) | The certificate fingerprint using the SHA-512 algorithm. |
Export | Opens the Export Certificate dialog box. |
Delete | Deletes the certificate request. |
Export Certificate Request dialog box
Use this dialog box to export a certificate request to sign using an external certificate authority.
Option | Definition |
---|---|
Certificate request field | Shows the certificate request as text. You can copy and paste the certificate request into an external application to sign the certificate. |
Export | Exports the certificate request so that you can sign it using an external certificate authority. Opens the Export Certificate Request dialog box. |
Engine Editor > Add-Ons > User Identification
Use this branch to select a User Identification Service element.
Option | Definition |
---|---|
User Identification Service | The Forcepoint User ID Service, McAfee Logon Collector, and Integrated User ID Service provide user, group, and IP
address information that can be used in transparent user identification. The Integrated User ID Service is primarily meant for demonstration purposes and proof-of-concept testing of user identification services.
Note: For Forcepoint NGFW version 6.4 or higher, we recommend that you use the Forcepoint User ID Service.
|
Engine Editor > Add-Ons > Anti-Malware
Use this branch to enable and change settings for anti-malware checks on the NGFW Engine.
Option | Definition |
---|---|
Enable | Enables anti-malware checks. |
Malware Log Level | The log level for anti-malware events.
|
Alert | When the Log Level is set to Alert, specifies the Alert that is sent. |
Option | Definition |
---|---|
Malware Signature Update Settings section | |
Update Frequency | Defines how often the NGFW Engine checks for updates to the anti-malware database.
|
Option | Definition |
---|---|
Malware Signature Mirror Settings section | |
Mirror(s) | Enter the URL of the anti-malware database mirror that the NGFW Engine contacts to update the anti-malware database. Separate multiple addresses with commas. |
Use HTTP Proxy
(Optional) |
Specifies that the NGFW Engine uses an HTTP proxy to connect to the anti-malware database mirrors. |
Host | The IP address or DNS name of the HTTP proxy. |
Port | The listening port of the HTTP proxy. |
Username | The user name for authenticating to the HTTP proxy. |
Password | The password for authenticating to the HTTP proxy. By default, passwords and keys are not shown in plain text. To show the password or key, deselect the Hide option. |
Engine Editor > Add-Ons > Sandbox
Use this branch to select and configure sandbox servers for NGFW Engines.
Option | Definition |
---|---|
Sandbox Type | Specifies which type of sandbox the NGFW Engine uses for sandbox file reputation scans.
|
Option | Definition |
---|---|
When Sandbox Type is Cloud Sandbox - Forcepoint Advanced Malware Detection | |
License Key | The license key for the connection to the sandbox server. Note: The license defines the home data center where files are analyzed. Enter the key and
license token for the data center that you want to use as the home data center.
CAUTION: The license key and license token allow access to
confidential analysis reports. Handle the license key and license token securely.
|
License Token | The license token for the connection to the sandbox server. |
Sandbox Service | Specifies the sandbox service that the firewall contacts to request file reputation scans. Click Select to select an element. |
HTTP Proxies (Optional) |
When specified, requests are sent through an HTTP proxy instead of the engine accessing the external network directly. Add — Allows you to add an HTTP Proxy to the list. Remove — Removes the selected HTTP Proxy from the list. |
Option | Definition |
---|---|
When Sandbox Type is Local Sandbox - Forcepoint Advanced Malware Detection | |
License Key | The license key for the connection to the sandbox server. |
License Token | The license token for the connection to the sandbox server. |
Sandbox Service | Specifies the sandbox service that the firewall contacts to request file reputation scans. Click Select to select an element. |
HTTP Proxies (Optional) |
When specified, requests are sent through an HTTP proxy instead of the engine accessing the external network directly. Add — Allows you to add an HTTP Proxy to the list. Remove — Removes the selected HTTP Proxy from the list. |
Engine Editor > Add-Ons > File Reputation
Use this branch to enable file reputation services for file filtering.
Option | Definition |
---|---|
File Reputation Service | Select the file reputation service to use.
|
Option | Definition |
---|---|
When File Reputation Service is Threat Intelligence Exchange (TIE) | |
ePO Server | Shows the selected McAfee ePO Server element. The McAfee ePO server handles the request for DXL credentials initiated by the SMC. Click Select to select an element. |
DXL Certificates | Shows the currently valid DXL certificates. |
Generate DXL Certificates | Generates new certificates. |
Option | Definition |
---|---|
When File Reputation Service is Global Threat Intelligence (GTI) | |
HTTP Proxies
(Optional) |
When specified, requests are sent through an HTTP proxy instead of the engine accessing the external network directly. Click Add to add an element to the list, or Remove to remove the selected element. Note: You can only use one HTTP proxy for the connection to the McAfee Global Threat Intelligence file reputation service. If you select more than
one HTTP proxy, the additional HTTP proxies are ignored.
|
Engine Editor > Add-Ons > Anti-Spam
The Anti-Spam feature is no longer supported in NGFW version 6.2.0 and later..
Engine Editor > Add-Ons > Sidewinder Proxy
Use this branch to enable and configure Sidewinder Proxies.
Option | Definition |
---|---|
Enable | When selected, enables Sidewinder Proxy. |
Sidewinder Logging Profile | The selected Sidewinder Logging Profile element for the engine. Click Select to open the Select Element dialog box, where you can select a Sidewinder Logging Profile. |
SSH Proxy | Settings specific to the SSM SSH Proxy. |
SSH Known Hosts Lists | The selected SSH Known Hosts List elements for the engine. Click Add to add an element to the list, or Remove to remove the selected element. |
Host Keys | The SSH host keys used by the firewall when it acts as the SSH server in a connection that uses the SSM SSH Proxy. Click Add to add a row to the table, or Remove to remove the selected row. To import an existing host key, click Import. |
Key Type | Shows the signature algorithm used for the host key. |
Key Length | Shows the length of the host key. |
SHA256 Fingerprint | Shows the SHA256 fingerprint of the host key. |
SSH Proxy Services | The SSH Proxy Service element with which the host key is used. Double-click the field to open the Select Element dialog box, where you can select a Service element. |
Comment (Optional) |
A comment for your own reference. |
Advanced Settings | Opens the Advanced Sidewinder Proxy Settings dialog box. |
Advanced Sidewinder Proxy Settings dialog box
These settings are intended for advanced users. We do not recommend changing these settings unless you are instructed to do so by Forcepoint support.
Option | Definition |
---|---|
Shared tab | |
Use this tab to define advanced Sidewinder Proxy settings that are shared by all SSM Proxies. Click Add to add a row to the table, or Remove to remove the selected row. | |
Shared Proxy Property | The name of the shared advanced Sidewinder Proxy setting. |
Value | The value of the advanced Sidewinder Proxy setting. |
Option | Definition |
---|---|
HTTP tab | |
Use this tab to define advanced Sidewinder Proxy settings for the SSM HTTP Proxy. Click Add to add a row to the table, or Remove to remove the selected row. | |
HTTP Proxy Property | The name of the advanced HTTP Sidewinder Proxy setting. |
Value | The value of the advanced Sidewinder Proxy setting. |
Option | Definition |
---|---|
SSH tab | |
Use this tab to define advanced Sidewinder Proxy settings for the SSM SSH Proxy. Click Add to add a row to the table, or Remove to remove the selected row. | |
SSH Proxy Property | The name of the advanced SSH Sidewinder Proxy setting. |
Value | The value of the advanced Sidewinder Proxy setting. |
Option | Definition |
---|---|
TCP tab | |
Use this tab to define advanced TCP Sidewinder Proxy settings for the SSM TCP Proxy. Click Add to add a row to the table, or Remove to remove the selected row. | |
TCP Proxy Property | The name of the advanced Sidewinder Proxy setting. |
Value | The value of the advanced Sidewinder Proxy setting. |
Option | Definition |
---|---|
UDP tab | |
Use this tab to define advanced Sidewinder Proxy settings for the SSM UDP Proxy. Click Add to add a row to the table, or Remove to remove the selected row. | |
UDP Proxy Property | The name of the advanced UDP Sidewinder Proxy setting. |
Value | The value of the advanced Sidewinder Proxy setting. |
Engine Editor > Add-Ons > ThreatSeeker
Use this branch to select HTTP Proxy elements for the connection to the ThreatSeeker Intelligence Cloud.
Option | Definition |
---|---|
Enable | When selected, enables ThreatSeeker URL filtering for the engine. |
HTTP Proxies (Optional) |
When specified, requests are sent through an HTTP proxy instead of the engine accessing the external network directly. Add — Allows you to add an HTTP Proxy to the list. Remove — Removes the selected HTTP Proxy from the list. |
Engine Editor > Add-Ons > OPC UA Inspection
Use this branch to change inspection settings for open platform communications unified architecture (OPC UA). For information about OPC UA, see Knowledge Base article 12491.
Engine Editor > Policies
Use this branch to view information about the policy that is installed.
Engine Editor > Policies > Element-based NAT
Use this branch to add NAT definitions for element-based NAT. The NAT definition is also added to the elements that are included in the NAT configuration.
Option | Definition |
---|---|
Use Default NAT Address for Traffic from Internal Networks (Optional) |
The NGFW Engine uses the default NAT address as the public IP address if there is not a more specific NAT definition that matches the traffic. When you select this option, a NAT rule is generated at the end of the NAT rules in the policy. If no NAT rule matches the traffic, no NAT is applied unless you enable the Default NAT Address. |
Show Details | Opens the Default NAT Address Properties dialog box. |
Add NAT Definition | Creates a NAT Definition element and opens the element properties. |
Edit NAT Definition | Opens the properties of an existing NAT Definition element. |
Remove NAT Definition | Removes the selected row from the table. |
Engine Editor > Policies > Automatic Rules
Use this branch to view a summary of currently used Automatic rules and change general settings for Automatic rules.
Option | Definition |
---|---|
To Firewall section (Firewall/VPN role only) |
|
Allow Traffic to Authentication Ports | When Yes is selected, allows traffic to the ports that are used for user authentication. |
Allow Traffic from Listening IP Addresses to DNS Relay Port | When Yes is selected, allows traffic from clients in the internal network to the standard DNS ports (53/TCP and 53/UDP) on the interfaces that are selected as listening interfaces for DNS relay. |
From Firewall section (Firewall/VPN role only) |
|
Allow Connections to Domain-Specific DNS Servers | When Yes is selected, allows connections from the firewall to the domain-specific DNS servers specified in the DNS Relay Profile element that is selected for firewall. |
Allow Connections from Local DHCP Relay to Remote DHCP Server | When Yes is selected, allows connections from interfaces on which DHCP relay is active to remote DHCP servers. |
Log Level for Automatic Rules | The log level for traffic that matches automatic rules.
|
Alert | When Alert is selected, specifies the Alert element that is sent. |
Reset to Default Settings | Returns Automatic Rule changes to the default settings. |
Engine Editor > Policies > Aliases
Use this branch to view and change alias translation values.
Option | Definition |
---|---|
Alias | Shows the name of the Alias element. |
Value | Right-click the
Value cell and select one of the following options:
|
Engine Editor > VPN
Use this branch to view the VPN Gateway elements associated with the NGFW Engine, and the VPNs where the VPN Gateway elements are used. You can optionally add more VPN Gateway elements.
Option | Definition |
---|---|
Add
(Optional) |
Adds a VPN Gateway element to the NGFW Engine. One VPN Gateway element is
automatically created for each NGFW Engine. You can use the same VPN Gateway element in multiple VPNs.
You might need to add VPN Gateway elements if you want to use different endpoint IP addresses in different types of VPNs. Click Remove to remove the selected element. |
Endpoints | |
Enabled | When selected, the endpoint IP address is active. |
Edit | Opens the Properties dialog box for the endpoint. |
Engine Editor > VPN > Endpoints
Use this branch to change the endpoint settings that are used when the NGFW Engine acts as a VPN gateway.
Option | Definition |
---|---|
Enabled | When selected, the endpoint IP address is active. |
Name | Shows the name of the endpoint. If the endpoint does not have a descriptive name, the IP address of the endpoint is shown. |
IP Address | Shows the IP address of the endpoint. |
Connection Type | Defines how the endpoint is used in a Multi-Link configuration. |
Options | Shows the optional settings that have been selected for the endpoint. |
Phase-1 ID | Shows the value of the phase-1 ID that identifies the gateway during the IKE phase-1 negotiations. |
VPN Type | Shows the types of VPNs that the endpoint can be used in. |
Edit | Allows you to change the properties of the selected endpoint. |
Engine Editor > VPN > SSL VPN Portal
Use this branch to change settings for the SSL VPN portal on the NGFW Engine.
Option | Definition |
---|---|
SSL VPN Portal | Shows the SSL VPN Portal element that is selected for the NGFW Engine. Click Select to select an element. |
Port (Optional) |
The port for client connections to the SSL VPN Portal. The default port is 443. |
Allowed SSL/TLS Versions | The versions of SSL and TLS that are allowed for connections to the SSL VPN Portal.
|
TLS Cryptography Suite Set | The cryptographic suite for TLS connections to the SSL VPN Portal. Click Select to select an element. Do not change the default setting unless you have a specific reason to do so. |
Engine Editor > VPN > Sites
Use this branch to select the protected IP addresses that are behind the gateway.
Option | Definition |
---|---|
Add and update IP addresses based on routing | When selected, the site content updates automatically according to changes made in the routing configuration for the NGFW
Engine (for interfaces that are not disabled). Note: When the option is not selected, you must manually define the addresses that you want to be routable through the VPN.
|
Search | Opens a search field for the selected list. |
Up | Navigates up one level in the navigation hierarchy. Not available at the top level of the navigation hierarchy. |
Tools |
|
Left pane | Shows elements that you can add to the site definition. |
Add | Adds the selected element to the site content. |
Remove | Removes the selected element from the site content. |
Search | Opens a search field for the selected element list. |
Up | Navigates up one level in the navigation hierarchy. Not available at the top level of the navigation hierarchy. |
New | Creates an element of the specified type. |
Tools |
|
Right pane | Allows you to change the IP addresses that are included in the site definition. |
Engine Editor > VPN > VPN Client
Use this branch to change settings that are used when the NGFW Engine acts as a VPN Gateway in a mobile VPN.
Option | Definition |
---|---|
Gateway Display Name | If you want to show a different name for the Gateway to Mobile VPN users, enter the name for the VPN Gateway element. |
VPN Type | Defines the type of tunnels the mobile VPN supports.
|
SSL Port | (When VPN Type is SSL VPN) The port for SSL VPN tunnels. |
TLS Cryptography Suite Set | (When VPN Type is SSL VPN) The cryptographic suite for SSL VPN tunnels. Click Select to select an element.Note: Do not change the default setting unless you have a specific reason to do so.
|
Authentication Timeout | (When VPN Type is SSL VPN) The timeout for Forcepoint VPN Client user authentication. |
Option | Definition |
---|---|
Local Security Checks section | Defines whether the Forcepoint VPN Client checks for the presence of basic security software to stop connections from risky computers.
|
Option | Definition |
---|---|
Virtual Address section | Options for configuring the Forcepoint VPN Client with virtual IP addresses assigned by a DHCP server for connections inside the VPN. |
DHCP Mode | Specifies how DHCP requests from VPN clients are sent.
Note: If
SSL VPN or
Both IPsec & SSL VPN is selected from the
VPN Type drop-down list, only the
Direct and
DHCP Relay are shown.
|
Interface | (When DHCP Mode is Direct) The source address for the DHCP packets when querying the DHCP server (the interface toward the DHCP server). |
Interface for DHCP Relay | (When DHCP Mode is Relay) The source address for the DHCP packets when querying the DHCP server (the interface toward the DHCP server). |
DHCP Server (NGFW < 5.9) | (When DHCP Mode is Direct) The DHCP server that assigns IP addresses for the VPN clients.Note: This option is included for backward compatibility with legacy NGFW software versions.
|
DHCP Servers | (When DHCP Mode is Relay) The DHCP server that assigns IP addresses for the VPN clients. Click Add to add an element to the table, or Remove to remove the selected element. |
Add Information
(Optional) |
Specifies what VPN Client user information is added to the Remote ID option field in the DHCP Request packets.
|
Restrict Virtual Address Ranges | When selected, the VPN gateway restricts the VPN clients’ addresses to the specified range, even if the DHCP server tries to assign some other IP address. Enter the IP address range in the field on the right. |
Proxy ARP | When selected, the engine acts as a proxy for the VPN clients’ ARP requests. Enter the IP address range for proxy ARP in the field on the right. |
Option | Definition |
---|---|
Secondary IPsec VPN Gateways section (Optional) |
(When VPN Type is IPsec VPN) Other IPsec VPN gateways to contact in case there is a disruption at the IPsec VPN gateway end (in the order of contact). Click Add to add a row to the table, or Remove to remove the selected row. Click Up or Down to move the selected element up or down. |
Engine Editor > VPN > Certificates
Use this branch to change settings for automatic certificate management and trusted certificate authorities for VPNs.
Option | Definition |
---|---|
Automated RSA Certificate Management | When selected, RSA certificates are automatically created and renewed.
Note: Only the default certificate authority is used in automated RSA certificate management.
|
Trusted VPN Certificate Authorities | Restricts which certificate authorities the VPN gateway trusts.
|
Engine Editor > VPN > Advanced
Use this branch to change advanced VPN settings.
Option | Definition |
---|---|
Gateway Settings | The Gateway Settings element that defines performance-related VPN options. |
Gateway Profile | The Gateway Profile in use. |
Translate IP Addresses Using NAT Pool | When selected, the specified IP address range and port range are used for translating IP addresses of incoming Forcepoint VPN Client connections to internal networks. Enter the ranges in the IP Address Range and Port Range fields. |
Engine Editor > Advanced Settings
Use this branch to change system parameters for the NGFW Engine. These parameters control how the NGFW Engine behaves under certain traffic conditions.
Option | Definition |
---|---|
Encrypt Configuration Data | By default, the configuration of the NGFW Engine is stored in an encrypted format. Disable the encryption only if instructed to do so by Forcepoint support. |
Bypass Traffic on Overload
(IPS only) |
When selected, the NGFW Engine dynamically reduces the number of inspected connections if the load is too high. Some traffic might pass through without any access control or inspection if this option is selected. Bypassed traffic is not counted when a possible license throughput limit is enforced. The bypass does not affect traffic subject to TLS Inspection. If this option is not selected, the NGFW Engine inspects all connections. Some connections might not get through if the IPS engine gets overloaded. |
Contact Node Timeout |
The maximum amount of time the Management Server tries to connect to an NGFW Engine. A consistently slow network connection might require increasing this value. The default value is 120 seconds. Note: Setting the timeout value too short or too long can delay or prevent contact between the Management Server and the NGFW Engines.
|
Auto Reboot Timeout | Specifies the length of time after which an error situation is considered non-recoverable and the NGFW Engine automatically reboots. The default value is 10 seconds. Set to 0 to disable. |
Policy Handshake | When selected, the nodes automatically roll back to using the previously installed policy if connectivity is lost after installing a new policy. Without this feature, you must switch to the previous configuration manually through the boot menu of the NGFW Engine. Note: We recommend
adjusting the timeout (next setting) rather than disabling this feature completely if there is a need to make changes.
|
Rollback Timeout | The length of time the NGFW Engine waits for a management connection before it rolls back to the previously installed policy when the Policy Handshake option is active. The default value is 60 seconds. |
Automated Node Certificate Renewal | When selected, the NGFW Engine's certificate for system communications is automatically renewed before it expires. Otherwise,
the certificate must be renewed manually. Each certificate for system communications is valid for three years. If the certificate expires, other components refuse to communicate with the NGFW Engine. Note: Does not renew VPN certificates. Automatic certificate renewal for internally
signed VPN certificates is set separately in the NGFW Engine's VPN settings.
|
FIPS-Compatible Operating Mode
(Firewalls only) |
When selected, activates a mode that is compliant with the FIPS (Federal Information Processing Standard) 140-2. Note: You must also select FIPS-specific settings
in the NGFW Configuration Wizard on the command line of the NGFW Engine. For more information,
see How to install Forcepoint NGFW in FIPS mode.
|
Number of CPUs Reserved for Control Plane | Select how many CPUs to reserve for control plane operations. In situations where there is exceptionally high traffic, in a denial of service attack, for example, this
ensures that you can still monitor and control the NGFW Engine operation. Note: The reserved CPUs cannot be used for traffic
processing. Using fewer CPUs for traffic processing degrades performance.
|
Isolate Also Interfaces for System Communications | When selected, the reserved CPUs handle the system communications traffic that pass through the Control Interfaces and dedicated primary Heartbeat Interfaces. We recommend that you only use this option when the Physical Interfaces used for system communications do not handle any other traffic. |
Engine Editor > Advanced Settings > Traffic Handling
Use this branch to change advanced parameters that control how the NGFW Engine handles traffic.
Option | Definition |
---|---|
Layer 3 Connection Tracking Mode (Firewalls only) Connection Tracking Mode(IPS engines and Layer 2 Firewalls only) |
When connection tracking is enabled, reply packets are allowed as part of the allowed connection without an explicit Access rule. You can override this NGFW Engine-specific setting and configure connection tracking for TCP, UDP, and ICMP traffic in Access rules.
|
Virtual Defragmenting
(Not Virtual NGFW Engines) (Not editable on IPS engines) |
When selected, fragmented packets are sent onwards using the same fragmentation as when they arrived at the NGFW Engine. When the NGFW Engine receives fragmented packets, it defragments the packets for inspection. The original fragments are queued until the inspection is finished. If the option is not selected, the packets are sent onwards as if they had arrived unfragmented. |
Strict TCP Mode for Deep Inspection
(Not Virtual NGFW Engines) |
This option is included for backward compatibility with legacy NGFW software versions. |
Concurrent Connection Limit
(Not Virtual NGFW Engines) |
A global limit for the number of open connections. When the set number of connections is reached, the NGFW Engine stops the next connection attempts until a previously open connection is closed. |
Inspection CPU Balancing Mode | Specifies how inspected
connections are allocated between the CPUs. Select from the following options:
|
Active Wait Time Between Inspected Packets | Defines how long the inspection process stays active waiting for packets after it has inspected a packet.
|
Default Connection Termination in Access Policy
(IPS engines and Layer 2 Firewalls only) |
Defines how connections that match Access rules with the Discard action are handled.
|
Default Connection Termination in Inspection Policy | Defines how connections that match rules with the Terminate action in the Inspection Policy are handled.
|
Action When TCP Connection Does Not Start With a SYN Packet
(Firewalls only) |
The NGFW Engine refuses TCP connections if the TCP connection does not start with a SYN packet, even if the TCP connection
matches an Access rule with the Allow action. The NGFW Engine does not send a TCP reset if the TCP connection begins with a
TCP reset packet.
|
Engine Editor > Advanced Settings > Certificate Validation
Use this branch to specify settings for certificate validation and revocation status checks on the engine. The settings are used for features that have certificate validation and certificate revocation checks enabled.
Option | Definition |
---|---|
HTTP Proxy (Optional) |
When specified, OCSP and CRL lookups are sent through an HTTP proxy instead of the engine accessing the external network directly. |
Timeout for OCSP and CRL Lookups | The maximum amount of time that the engine tries to connect to the CRL or OCSP server if the connection has failed. The default is 120 seconds. |
Engine Editor > Advanced Settings > SYN Rate Limits
Use this branch to change global SYN rate limits. SYN rate limits reduce the risk of SYN flood attacks.
Option | Definition |
---|---|
SYN Rate Limits | Limits for SYN packets sent to the NGFW Engine.
|
Allowed SYNs per Second | (When SYN Rate Limits is Custom) The number of allowed SYN packets per second. |
Burst Size | (When SYN Rate Limits is Custom) The number of allowed SYNs before the NGFW Engine starts limiting the SYN rate.CAUTION: We recommend setting the Burst Size value to
at least one tenth of the Allowed SYNs per Second value. If the burst size is too small, SYN rate limits do not work. For example, if the value
for Allowed SYNs per Second is 10000, the Burst Size value must be at least 1000.
|
Engine Editor > Advanced Settings > Log Handling
Use this branch to change log handling settings for the NGFW Engine. You can use log handling settings to adjust logging when the log spool fills up.
Option | Definition |
---|---|
Log Spooling Policy
(Not Virtual NGFW Engines) |
Defines what happens when the log spool becomes full.
|
Log Compression
(Antispoofing Log Event Type for Firewalls only) |
The maximum number of separately logged entries. When the defined limit is reached, a single Antispoofing log entry or Discard log entry is logged. The
single entry contains information about the total number of the generated Antispoofing log entries or Discard log entries. After this, logging returns to normal and all
generated entries are logged and displayed separately. Double-click a cell to edit the value. Note: Do not enable Log Compression if you want all Antispoofing and Discard
entries to be logged as separate log entries (for example, for reporting or statistics).
|
Set to Default | Returns Log Compression settings to the default settings. |
Store a Copy of Recent Log Files on the NGFW Engine | When selected, the NGFW Engine stores copies of logs according to the specified settings. |
Maximum Time | The maximum length of time for which to store copies of logs. Values can be 1–720 hours (the maximum is 30 days), or not specified. If a value is not specified, the NGFW Engine stores copies of logs until the limits specified in the Guaranteed Free Spool Partition or Guaranteed Free Spool Partition Size options are reached. |
Guaranteed Free Spool Partition | The minimum percentage of the spool partition that must be kept free. When the amount of free space reaches the limit, the NGFW Engine starts deleting the oldest stored copies of log and alert entries when a new log or alert entry is saved. Values can be
5–80 %, or not specified. Note: You must enter a value for at least one of the guarantee options. If you enter a value for both options, both limits
are enforced.
|
Guaranteed Free Spool Partition Size | The minimum amount of file space, in MB, on the spool partition that must be kept free. When the amount of free space reaches the limit, the NGFW Engine starts deleting the oldest stored copies of log and alert entries when a new log or alert entry is saved. Values can be
50–1000 MB, or not specified. Note: You must enter a value for at least one of the guarantee options. If you enter a value for both options, both limits
are enforced.
|
Engine Editor > Advanced Settings > Scan Detection
Use this branch to change scan detection settings. You can use scan detection to count the number of connections or connection attempts within a time window and set a threshold after which an alert is generated.
Option | Definition |
---|---|
Scan Detection Mode | When you enable scan detection, the number of connections or connection attempts within a time window is counted.
|
Create a log entry when the system detects section |
Allows you to set thresholds for creating log entries. When the specified number of events for the specified time period is exceeded, log entries are created. The following options are available for each protocol:
|
Log Level | Specifies the log level for the log entries.
|
Alert | When the Log Level is set to Alert, specifies the Alert that is sent. |
Severity | When the Log Level is set to Alert, allows you to override the severity defined in the Alert element. |
Set to Default | Returns Scan Detection changes to the default settings. |
Engine Editor > Advanced Settings > DoS Protection
Use this branch to configure protection that can help prevent Denial of Service (DoS) attacks.
Option | Definition |
---|---|
Rate-Based DoS Protection Mode | Enables or disables DoS protection, which can help prevent Denial of Service (DoS) attacks.
|
SYN Flood Sensitivity | When SYN flood protection is activated, the NGFW Engine acts as a SYN proxy. The engine completes the TCP handshake with the
client, and only initiates the connection with the server after the client has completed the TCP handshake.
|
Limit for Half-Open TCP Connections (Optional) |
Set the maximum number of half-open TCP connections per destination IP address. The minimum is 125, the maximum is 100 000. When the limit is exceeded, the SYN flood protection is activated, and log data is generated. |
Slow HTTP Request Sensitivity | The NGFW Engine analyzes the data transfer rate and length of time it takes to read the header fields of the HTTP request. If
the sender of the request tries to keep the connection open for an unreasonable length of time, the NGFW Engine blacklists the
sender’s IP address for a specified length of time.
|
Slow HTTP Request Blacklist Timeout | The length of time for blacklisting IP addresses that are suspected of sending malicious traffic. Enter the time in seconds (the default is 300). |
TCP Reset Sensitivity | When enabled, the NGFW Engine detects the sequence numbers of the TCP RST segments to determine whether it is under a TCP
Reset attack. You cannot override this setting in individual Access rules
|
Engine Editor > Advanced Settings > Idle Timeouts
Use this branch to view and change the timeouts for removing idle connections from the state table, including non-TCP communications that are handled like connections.
Option | Definition |
---|---|
Timeouts table Double-click the Timeout(s) cell to change the value. Click Add to add an element to the table, or Remove to remove the selected element. To set the selected protocols and values back to default settings, click Set to Default. |
Engine Editor > Advanced Settings > Authentication
Use this branch to configure advanced settings for user authentication.
Option | Definition |
---|---|
Default User Domain | The default LDAP domain from which the NGFW Engine looks up users. Note: This setting applies to all user authentication,
including browser-based user authentication, VPN clients, and the SSL VPN Portal.
|
Allow user lookup from known User Domain matching to client certificate email domain or UPN suffix | When selected, the NGFW Engine looks up the user from the domain specified in the email address or user principal name before
looking up the user in the default domain. Note: This option is ignored when the value of the Client Certificate Identity Field for TLS option is
Distinguished Name.
|
Client Certificate Identity Field for TLS | The attribute that is used to look up the user entry from the user domain when using TLS. The NGFW Engine only uses values
from the Active Directory or LDAP server that is associated with the global default LDAP domain or the engine-specific default user domain.
|
Engine Editor > Advanced Settings > Tunneling
Use this branch to change the packet tunneling settings for the engine.
Option | Definition |
---|---|
Limit for Rematching Tunneled Traffic | Specifies how many times the contents of tunneled packets can be rematched against the IPv6 Access rules or IPv4 Access rules when several layers of tunneling are encountered. The default is 1. When the limit is reached, the action defined in the Action if Limit is Exceeded setting is taken. |
Action if Limit is Exceeded | Specifies whether remaining encapsulated packets inside the tunneling packet are allowed without further inspection or discarded. The default is to discard the remaining packets. When this action is triggered, you are notified according to the Log Level setting. |
Log Level | Specifies whether you are notified through a normal (stored) log entry or an Alert when the limit for rematching tunneled traffic is reached. |
Alert | If you selected Alert as the Log Level, select the Alert element that is used when an event triggers an alert. The Alert elements can be used for matching in Alert Policies. Click Select to select an element. |
Set to Default | Returns Tunneling changes to the default settings. |
Engine Editor > Advanced Settings > Custom Properties Profiles
Use this branch to select a Custom Properties Profile to use with custom scripts.