Edit add-on settings for NGFW Engines
You can edit add-on settings in the Engine Editor.
For more details about the product and how to configure features, click Help or press F1.
Steps
Engine Editor > Add-Ons
Use this branch to view a summary of the add-on features and the status of each feature.
Engine Editor > Add-Ons > TLS Inspection
Use this branch to activate TLS inspection. You can configure TLS inspection for client or server protection.
Option | Definition |
---|---|
Client Protection Certificate Authority | Select the Client Protection Certificate Authority element to use for client protection. |
TLS Credentials | Specifies the Server Protection Credentials elements that are used for server protection. Click Add to add an element to the list, or Remove to remove the selected element. |
Check Certificate Revocation | When selected, the NGFW Engine uses CRL or OCSP to check whether certificates have been revoked. |
Decrypt All Traffic | When selected, the NGFW Engine forces all traffic to be decrypted. When the checkbox is not selected, the NGFW Engine either decrypts or does not decrypt traffic according to the settings in TLS Match elements. |
Cryptography Suite Set | Specifies the TLS Cryptography Suite Set element that defines which cryptographic algorithms are allowed for TLS traffic. Click Select to select an element. |
Engine Editor > Add-Ons > Endpoint Integration
Use this branch to enable endpoint integration on the engine and change the settings for the endpoint client communication.
Option | Definition |
---|---|
When Endpoint Service is Forcepoint Endpoint Context Agent | |
ECA Listener Certificate | The internal certificate for the NGFW Engine that listens for ECA traffic. The certificate is generated automatically when you save the ECA configuration. |
Signing CA | The internal CA that signed the certificate. |
ECA Configuration | The selected ECA Configuration element. Click Select to select an element. |
Source Networks | Add the networks or zones that contain the clients. The clients located in these networks or zones send endpoint information to this Firewall. Click Add to add an element to the table, or Remove to remove the selected element. |
Destination Networks | Add the networks or zones where outbound connections are going. The clients send endpoint information only if the destination address is located in these networks or zones.
If filtering based on both source address and destination address, both conditions must be met. Click Add to add an element to the table, or Remove to remove the selected element. |
Listening Interfaces | The interfaces or zones the NGFW Engine uses to listen for ECA traffic. Click Add to add an element to the table, or Remove to remove the selected element. |
Listening Port | The port on which the NGFW Engine listens for ECA traffic. |
Export Configuration for Endpoint Clients | Opens the Export ECA Configuration dialog box, where you can export an XML file that contains the ECA configuration and details of all the NGFW Engines that use the same ECA Configuration element. You must first save the NGFW Engine configuration. |
Option | Definition |
---|---|
When Endpoint Service is McAfee Endpoint Intelligence Agent (McAfee EIA) Note: McAfee Endpoint Intelligence Agent (McAfee EIA) is no longer supported in NGFW version 6.3.0 and later. We recommend
that you use Forcepoint Endpoint Context Agent instead.
|
|
ePO Server | The McAfee ePO server that you want the NGFW Engine to communicate with. Click Select to select an element. |
Endpoint Client Zones or Networks | The networks or zones in which the endpoint clients are located. Click Add to add an element to the table, or Remove to remove the selected element. |
Listen on Interfaces | The interfaces or zones the engine uses to listen for EIA traffic. Click Add to add an element to the table, or Remove to remove the selected element. |
Listening Port | The port on which the NGFW Engine listens for EIA traffic. |
Engine Editor > Add-Ons > User Authentication
Use this branch to enable user authentication. You can configure authentication using HTTP connections or encrypted HTTPS connections.
Option | Definition |
---|---|
Authentication Time-Out | Defines the length of time after which authentication expires and users must re-authenticate. |
Authentication Idle Time-Out | Defines an idle timeout for user authentication. If there have been no new connections within the specified time limit after the closing of a user's previous connection, the user is removed from the list of authenticated users. |
HTTP | When selected, allows authentication using plain HTTP connections. Change the Port number if you want to use a different port for the authentication interface. The default port is 80. |
HTTPS | When selected, allows authentication using encrypted HTTPS connections. Change the Port number if you want to use a different port for the
authentication interface. The default port is 443. This option is required for client certificate authentication. |
HTTPS Settings | Opens the Browser-Based User Authentication HTTPS Configuration dialog box. |
TLS Profile | The TLS Profile element that defines TLS settings for HTTPS connections for authentication, and the trusted certificate authority for client certificate authentication. Click Select to select an element. This option is required for client certificate authentication. |
Use Client Certificates for Authentication | When selected, the NGFW Engine allows users to authenticate using X.509 certificates. Client certificate authentication is supported for browser-based user authentication. |
Always Use HTTPS | When selected, redirects connections to the HTTPS port and enforces the use of HTTPS if the NGFW Engine also listens on other ports. |
Listen on Interfaces | Restricts the interfaces that users can authenticate through.
|
User Authentication Page | Select the User Authentication Page element that defines the look of the logon, challenge, re-authentication, and status page shown to end users when they authenticate. |
Enable Session Handling
(Optional) |
When selected, enables cookie-based strict session handling. Note: When Enable Session Handling is selected, the
Authentication Idle Time-Out option is not available. The Refresh Status Page Every option defines the authentication
timeout.
|
Refresh Status Page Every
(Optional) |
Defines how often the status page is automatically refreshed. When Enable Session Handling is selected, defines the authentication timeout. |
Engine Editor > Add-Ons > User Identification
Use this branch to select a User Identification Service element.
Option | Definition |
---|---|
User Identification Service | The Forcepoint User ID Service, McAfee Logon Collector, and Integrated User ID Service provide user, group, and IP
address information that can be used in transparent user identification. The Integrated User ID Service is primarily meant for demonstration purposes and proof-of-concept testing of user identification services.
Note: For Forcepoint NGFW version 6.4 or higher, we recommend that you use the Forcepoint User ID Service.
|
Network Filters section (When a Forcepoint User ID Service element is selected) | |
IP Ranges (Optional) |
To prevent the NGFW Engine from receiving too many logon events, specify the IP address
ranges of networks from which to receive logon events. Click Add to add an element to the list, or Remove to remove the selected element. We recommend adding the IP address ranges of networks for which the NGFW Engine routes traffic. Note: Network filters do not exclude
other IP addresses outside of the specified IP address range if a user has at least one logon in the specified IP address range. The NGFW Engine might still receive logon events from other IP address ranges.
|
Engine Editor > Add-Ons > Anti-Malware
Use this branch to enable and change settings for anti-malware checks on the NGFW Engine.
Option | Definition |
---|---|
Enable | Enables anti-malware checks. |
Malware Log Level | The log level for anti-malware events.
|
Alert | When the Log Level is set to Alert, specifies the Alert that is sent. |
Option | Definition |
---|---|
Malware Signature Update Settings section | |
Update Frequency | Defines how often the NGFW Engine checks for updates to the anti-malware database.
|
Option | Definition |
---|---|
Malware Signature Mirror Settings section | |
Mirror(s) | Enter the URL of the anti-malware database mirror that the NGFW Engine contacts to update the anti-malware database. Separate multiple addresses with commas. |
Use HTTP Proxy
(Optional) |
Specifies that the NGFW Engine uses an HTTP proxy to connect to the anti-malware database mirrors. |
Host | The IP address or DNS name of the HTTP proxy. |
Port | The listening port of the HTTP proxy. |
Username | The user name for authenticating to the HTTP proxy. |
Password | The password for authenticating to the HTTP proxy. By default, passwords and keys are not shown in plain text. To show the password or key, deselect the Hide option. |
Engine Editor > Add-Ons > Data Protection
Use this branch to enable ICAP for data protection on the NGFW Engine.
Option | Definition |
---|---|
Enable ICAP for data protection | When selected, the NGFW Engine sends files to the specified ICAP servers for DLP scanning. |
ICAP Servers list Click Add to add an element to the list, or Remove to remove the selected element. If you add multiple ICAP servers, traffic is balanced between the ICAP servers. |
Engine Editor > Add-Ons > Sandbox
Use this branch to select and configure sandbox servers for NGFW Engines.
Option | Definition |
---|---|
Sandbox Type | Specifies which type of sandbox the NGFW Engine uses for sandbox file reputation scans.
|
Option | Definition |
---|---|
When Sandbox Type is Cloud Sandbox - Forcepoint Advanced Malware Detection | |
License Key | The license key for the connection to the sandbox server. Note: The license defines the home data center where files are analyzed. Enter the key and
license token for the data center that you want to use as the home data center.
CAUTION: The license key and license token allow access to
confidential analysis reports. Handle the license key and license token securely.
|
License Token | The license token for the connection to the sandbox server. |
Sandbox Service | Specifies the sandbox service that the firewall contacts to request file reputation scans. Click Select to select an element. |
HTTP Proxies (Optional) |
When specified, requests are sent through an HTTP proxy instead of the engine accessing the external network directly. Add — Allows you to add an HTTP Proxy to the list. Remove — Removes the selected HTTP Proxy from the list. |
Option | Definition |
---|---|
When Sandbox Type is Local Sandbox - Forcepoint Advanced Malware Detection | |
License Key | The license key for the connection to the sandbox server. |
License Token | The license token for the connection to the sandbox server. |
Sandbox Service | Specifies the sandbox service that the firewall contacts to request file reputation scans. Click Select to select an element. |
HTTP Proxies (Optional) |
When specified, requests are sent through an HTTP proxy instead of the engine accessing the external network directly. Add — Allows you to add an HTTP Proxy to the list. Remove — Removes the selected HTTP Proxy from the list. |
Engine Editor > Add-Ons > File Reputation
Use this branch to enable file reputation services for file filtering.
Option | Definition |
---|---|
File Reputation Service | Select the file reputation service to use.
|
Option | Definition |
---|---|
When File Reputation Service is Threat Intelligence Exchange (TIE) | |
ePO Server | Shows the selected McAfee ePO Server element. The McAfee ePO server handles the request for DXL credentials initiated by the SMC. Click Select to select an element. |
DXL Certificates | Shows the currently valid DXL certificates. |
Generate DXL Certificates | Generates new certificates. |
Option | Definition |
---|---|
When File Reputation Service is Global Threat Intelligence (GTI) | |
HTTP Proxies
(Optional) |
When specified, requests are sent through an HTTP proxy instead of the engine accessing the external network directly. Click Add to add an element to the list, or Remove to remove the selected element. Note: You can only use one HTTP proxy for the connection to the McAfee Global Threat Intelligence file reputation service. If you select more than
one HTTP proxy, the additional HTTP proxies are ignored.
|
Engine Editor > Add-Ons > Anti-Spam
The Anti-Spam feature is no longer supported in NGFW version 6.2.0 and later..
Engine Editor > Add-Ons > Sidewinder Proxy
Use this branch to enable and configure Sidewinder Proxies.
Option | Definition |
---|---|
Enable | When selected, enables Sidewinder Proxy. |
Sidewinder Logging Profile | The selected Sidewinder Logging Profile element for the engine. Click Select to open the Select Element dialog box, where you can select a Sidewinder Logging Profile. |
SSH Proxy | Settings specific to the SSM SSH Proxy. |
SSH Known Hosts Lists | The selected SSH Known Hosts List elements for the engine. Click Add to add an element to the list, or Remove to remove the selected element. |
Host Keys | The SSH host keys used by the firewall when it acts as the SSH server in a connection that uses the SSM SSH Proxy. Click Add to add a row to the table, or Remove to remove the selected row. To import an existing host key, click Import. |
Key Type | Shows the signature algorithm used for the host key. |
Key Length | Shows the length of the host key. |
SHA256 Fingerprint | Shows the SHA256 fingerprint of the host key. |
SSH Proxy Services | The SSH Proxy Service element with which the host key is used. Double-click the field to open the Select Element dialog box, where you can select a Service element. |
Comment (Optional) |
A comment for your own reference. |
Advanced Settings | Opens the Advanced Sidewinder Proxy Settings dialog box. |
Engine Editor > Add-Ons > ThreatSeeker
Use this branch to select HTTP Proxy elements for the connection to the ThreatSeeker Intelligence Cloud.
Option | Definition |
---|---|
Enable | When selected, enables ThreatSeeker URL filtering for the engine. |
HTTP Proxies (Optional) |
When specified, requests are sent through an HTTP proxy instead of the engine accessing the external network directly. Add — Allows you to add an HTTP Proxy to the list. Remove — Removes the selected HTTP Proxy from the list. |
Engine Editor > Add-Ons > OPC UA Inspection
Use this branch to change inspection settings for open platform communications unified architecture (OPC UA). For information about OPC UA, see Knowledge Base article 12491.