Start the Convert Engine to Master NGFW Engine and Virtual NGFW Engines wizard

Start the conversion tool and define general properties for the Master NGFW Engine and Virtual NGFW Engines.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration.
  2. Right-click a Single Firewall or Firewall Cluster and select Configuration > Convert to Master NGFW Engine and Virtual NGFW Engine(s).
    The Convert Engine to Master NGFW Engine and Virtual NGFW Engines wizard starts.
  3. (Optional) Select a Firewall on which to base the configuration from the Base Configuration On list.
  4. Enter the Number of Virtual Engines to create.
    The specified number of Virtual Resources are added to the table, and a Virtual Engine is associated with each Virtual Resource.
  5. (Recommended) Double-click the Virtual Resource Name field and edit the automatically generated Virtual Resource Name for each Virtual NGFW Engine.
  6. (Recommended) Double-click the Virtual NGFW Engine Name field and edit the automatically generated Virtual NGFW Engine Name for each Virtual NGFW Engine.
  7. Click Next.
    The Define Basic Information for the Master NGFW Engine page opens.
  8. Enter a Name for the Master NGFW Engine.
    The name is also used to automatically generate the names of the nodes.
  9. Select the Log Server to which the Master NGFW Engine sends its log data.
  10. (Optional) In the DNS IP Addresses field, add one or more DNS IP addresses.
    DNS IP addresses are the IP addresses of external DNS servers. The Master NGFW Engine uses these servers to resolve domain names to IP addresses. It needs DNS resolution to contact services that are defined using URLs or domain names, and to resolve fully qualified domain names (FQDNs) used in policies.
    • To enter a single IP address manually, click Add and select IP Address. Enter the IP address.
    • To define an IP address using a network element, click Add and select Network Element.
  11. Select the Location for this Master NGFW Engine if there is a NAT device between this Master NGFW Engine and other SMC components.
  12. Define other settings according to your environment:
    • To include the Master NGFW Engine in predefined categories, select the appropriate Categories.
    • To add custom commands to the Master NGFW Engine’s right-click menu, add a Tools Profile.
    • Add, edit, or remove nodes.
  13. Click Next.
    The Define Interfaces for the Master NGFW Engine page opens.

Convert Engine to Master NGFW Engine and Virtual NGFW Engines wizard

Use this wizard to convert a Single Firewall or a Firewall Cluster element to a Master NGFW Engine and Virtual Firewall elements.

Option Definition
Base Configuration on Specifies the engine on which you want to base the configuration.
Number of Virtual Engines Specifies the number of Virtual NGFW Engines to create.
ID Shows the ID number of the Virtual NGFW Engine. Not editable.
Virtual Resource Name Shows the automatically generated Virtual Resource Name for each Virtual NGFW Engine.

Change the name by double-clicking the cell.

Virtual NGFW Engine Name Shows the automatically generated Virtual NGFW Engine Name for each Virtual NGFW Engine.

Change the name by double-clicking the cell.

Comment

(Optional)

A comment for your own reference.
Option Definition
Define Basic Information for the Master NGFW Engine page
Virtual Engine Type Shows the role of the Virtual NGFW Engine. Not editable.
Name Specifies the name of the engine.

The name is also used to automatically generate the names of the nodes.

Log Server Specifies the log server to which the engines send their event data.
DNS IP Addresses

(Optional)

The IP addresses of the DNS servers that the Master NGFW Engine uses to resolve domain names. DNS resolution is needed, for example, for:
  • The malware signature mirror
  • Domain names used in policies
  • URL filtering categorization services
Add Adds a single IP address or network element to the DNS IP Addresses list.
Remove Removes a single IP address from the DNS IP Addresses list.
Location Specifies the location for the engine if there is a NAT device between the engine and other SMC components.
SNMP Agent Enables the engine to send SNMP traps.
SNMP Location Specifies the SNMP location string that is returned on queries to the sysLocation object (SNMPv2-MIB::sysLocation).
Category

(Optional)

Includes the element in predefined categories. Click Select to select a category.
Tools Profile Adds custom commands to the engine right-click menu.
Comment

(Optional)

A comment for your own reference.
Nodes table
Node ID Shows the ID number of the node. Not editable.
Name Shows the name of the node.

Change the name by double-clicking the cell.

Configuration Status Shows the configuration status of the node.
Version Shows the version of the node.
Comment

(Optional)

A comment for your own reference.
Disabled When selected, disables the node.
Add Node Opens the Engine Node Properties dialog box that allows you to add an engine node to the Nodes list.
Edit Node Opens the Engine Node Properties dialog box.
Remove Node Removes the engine node from the Nodes list.
Option Definition
Define Interfaces for the Master NGFW Engine page
Search Activates the type-ahead search field.
New Creates an interface of the specified type:
  • Physical Interface
  • VLAN Interface
  • IPv4 Address
  • IPv6 Address
  • Tunnel Interface
Tools
  • Expand All — Expands all levels of the interface tree.
  • Collapse All — Collapses all levels of the interface tree.
  • Refresh View — Updates the interface tree.
Add Creates an interface of the specified type:
  • Physical Interface
  • VLAN Interface
  • IPv4 Address
  • IPv6 Address
  • Tunnel Interface
Edit Allows you to change the interface properties.
Remove Removes the selected interfaces from the table.
Options

(Optional)

Opens the Interface Options dialog box that specifies the system communication roles of the interfaces, and the Loopback IP addresses.
ARP Entries Opens the ARP Entry Properties dialog box that allows you to add ARP entries for the engine elements.
Virtual Resources Opens the Virtual Resources dialog box.
Option Definition
Distribute Tunnel Interfaces to Virtual NGFW Engines page
Name Shows the name of the Tunnel Interface.

Double-clicking the cell opens the Tunnel Interface Properties dialog box.

IP Address Shows the IP address of the Tunnel Interface if an IP address has been defined.
Zone Shows the network zone of the Tunnel Interface if the zone has been defined.
Comment

(Optional)

A comment for your own reference.
Internal Gateway Shows the VPN Gateway element associated with the Tunnel Interface if a VPN Gateway has been defined.
Virtual Engine Adds the Tunnel Interface to the selected Virtual NGFW Engine.
Option Definition
Review Distribution of Internal Gateways to Virtual NGFW Engines page
Gateway Shows the VPN Gateway element associated with the Single Firewall or Firewall Cluster on which the configuration is based. Not editable.
Endpoint 1 IP Address Shows the endpoint IP address associated with the Virtual NGFW Engine.

Double-clicking the cell opens the Properties dialog box for the endpoint.

Endpoint 1 Phase-1 ID Shows the value of the ID Value field defined in the Properties dialog box for the endpoint. No value is shown if IP Address is selected in the ID Type list.

Double-clicking the cell opens the Properties dialog box for the endpoint.

Virtual Resource Shows the Virtual Resource element that is associated with the interface that has the endpoint IP address.
Virtual Engine Adds the endpoint IP address to the selected Virtual NGFW Engine.
Option Definition
Define Routing for the Master NGFW Engine page
Navigation pane The navigation pane on the left shows types of elements that can be added to the routing tree.
Search Activates the type-ahead search field.
Up Navigates up one level in the navigation hierarchy. Not available at the top level of the navigation hierarchy.
New Creates an element of the specified type.
Tools Show Deleted Elements — Shows elements that have been moved to the Trash.
Routing tree pane The routing tree pane on the right shows the routing configuration for each interface.
Search Activates the type-ahead search field.
New Creates an element of the specified type.
Tools
  • Expand All — Expands all levels of the routing tree.
  • Collapse All — Collapses all levels of the routing tree.
  • Refresh View — Updates the routing tree.
Option Definition
Select Additional Configuration Options page
Define Additional Master NGFW Engine Properties Enables more configuration options.
Option Definition
Define Tester Settings for the Master NGFW Engine page
Alert Interval Specifies the time in minutes the system waits before sending a new alert when the same test keeps failing repeatedly. The default value is 60 minutes.
Note: If the interval is too short, the alerts can overload the system or the alert recipient.
Delay After Specifies the time in seconds that the engine waits before it resumes running the tests after the listed events. The delays prevent false test failures that can occur due to variations in how quickly different processes and subsystems can start and stop.
  • Boot — The default is 30 seconds.
  • Reconfiguration — The default is 5 seconds.
  • Status Change — The default is 5 seconds.
Note: The maximum value for all three delays is 1800 seconds (30 minutes).
Auto Recovery When selected, the engine automatically goes back online when a previously failed test completes successfully.
Note: For Auto Recovery to work, the test must run in both the online and offline states. A test that runs only in the online state is not repeated after it has taken the node offline, so the node can never recover automatically.
Boot Recovery When selected, the engine automatically goes back online after a reboot, or after an event such as a power failure or system crash, if all offline tests report a success.
Global Node Selection for Engine Tests
Search Opens a search field for the selected element list.
Tools Refresh View — Refreshes the list of elements.
Active Shows whether the node is included in the tests that have been configured for the engine. Deselect to exclude a node from all engine tests.
Tip: If you select ALL for the Node setting in the test properties, you can use the Global Node Selection for Engine Tests table to exclude a specific node from the test.
Name Specifies the name of the node.
Node Specifies the node ID.
Set to Default Returns tester changes to the default settings.
Engine Tests
Search Opens a search field for the selected element list.
Tools Refresh View — Refreshes the list of elements.
Name Specifies the name of the test.
Active Shows whether the test is active. Deselect to deactivate a test.
Node Specifies whether the test applies to all nodes or a selected node.
Interval Specifies how often the test is run. The minimum interval is one second and the maximum is 86400 (one day).
Note: We recommend a minimum interval of four seconds. Running a test too frequently can increase overhead.
States Shows the engine states on which the test is run.
Action Specifies which action is taken if the test fails, and which type of notification is sent.
Parameters Specifies more parameters for the test.
Add Adds the test to the Engine Tests table:
  • External — Runs a custom script stored on the engine. An exit status of zero (0) means the test passed; any other exit status means the test failed.
  • File System Space — Checks the free disk space on a hard disk partition.
  • Free Swap Space — Checks the available swap space on the hard disk.
  • Inline Pair Link Speed — Checks whether the network settings (speed/duplex) match on the two ports that form the inline pair and can force ports to use the same settings. Not available in the Firewall/VPN role.
  • Link Status — Checks whether a network port reports the link as up or down.
  • Multiping — Sends out a series of ping requests to determine whether there is connectivity through a network link.
  • Policy — Checks whether a new policy is activated on the engine. This option is intended for sending SNMP notifications.
Edit Allows you to change the test properties.
Remove Removes the test from the test entry table.
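The External test type above only sees the script's exit status, so everything the check decides must be folded into that one value. The following POSIX sh script is an added example of such a script; it is not Forcepoint's code. The file name ngfw_external_test.sh, the interface name eth0, the load threshold and the location the tester expects the script in are all assumptions, and the two checks (link carrier on the upstream interface, 1-minute load average below a ceiling) stand in for whatever condition you want the tester to act on. Each check is a separate function so it can be exercised against constructed files instead of the live /sys and /proc:

```shell
#!/bin/sh
# ngfw_external_test.sh (added example, not part of the Forcepoint NGFW product).
# The engine tester runs this script and treats exit status 0 as "test passed"
# and any other status as "test failed". Every check below therefore reports
# through its return code; the echo lines are only for a human reading the log.
#
# Assumptions (not from the product documentation): the script is invoked with
# no arguments, the upstream interface is eth0, and a 1-minute load average of
# 8.00 or more is considered unhealthy. All of these can be overridden through
# the environment so the functions can be tested against constructed files.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"
LOADAVG="${LOADAVG:-/proc/loadavg}"
UPSTREAM_IF="${UPSTREAM_IF:-eth0}"
MAX_LOAD="${MAX_LOAD:-8.00}"

# check_carrier IFACE: returns 0 if the kernel reports link carrier up for
# IFACE, 1 if carrier is down or the interface does not exist. A missing
# interface is treated as a failure on purpose: a test that cannot observe
# the condition it is meant to watch must not report success.
check_carrier() {
    carrier_file="$SYSFS_NET/$1/carrier"
    [ -r "$carrier_file" ] || return 1
    read -r state < "$carrier_file" 2>/dev/null || return 1
    [ "$state" = "1" ]
}

# check_load MAX: returns 0 if the 1-minute load average is strictly below MAX,
# 1 otherwise (or if the load average cannot be read). awk does the float
# comparison because sh itself only handles integers.
check_load() {
    [ -r "$LOADAVG" ] || return 1
    read -r one _rest < "$LOADAVG" || return 1
    awk -v load="$one" -v max="$1" 'BEGIN { if (load+0 < max+0) exit 0; exit 1 }'
}

# run_tests: runs every check and stops at the first failure, so the exit
# status the tester sees is 0 only when all checks passed.
run_tests() {
    check_carrier "$UPSTREAM_IF" || { echo "FAIL: carrier down on $UPSTREAM_IF"; return 1; }
    check_load "$MAX_LOAD"       || { echo "FAIL: load average at or above $MAX_LOAD"; return 1; }
    echo "OK: all checks passed"
    return 0
}

# Entry point. Only run when executed under the script's own file name, so
# sourcing the file (". ngfw_external_test.sh") defines the functions without
# running the checks.
case "$0" in
    *ngfw_external_test.sh) run_tests; exit $? ;;
esac
```

Keep such a script fast relative to the test Interval (the documentation recommends at least four seconds): a check that blocks on the network for longer than the interval, for example an unbounded ping, can pile up instances and produce failures that have nothing to do with the condition being tested. Put timeouts on anything that talks to the network, and make the script executable wherever the tester expects to find it (an assumption of this example; the location is not given on this page).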
Option Definition
Define Permissions for the Master NGFW Engine page
Add Opens the Select Element dialog box that allows you to add an element to the Access Control Lists.
Remove Removes the elements from the Access Control Lists.
Permissions
Add Permission Adds the permission to the Permissions table.
Remove Permission Removes the permission from the Permissions table.
Local Administrators
Administrator Specifies the name of the local administrator, if local administrators have been defined for the engine.
Info Specifies whether executing root-level commands with the sudo tool is allowed for the Local Administrator.
Policies
Allowed Policies Shows the allowed policies for the Master NGFW Engine.
Add Adds the element to the Allowed Policies list.
Set to Any Allows the installation of any policy.
Remove Removes the elements from the Allowed Policies list.
Option Definition
Define Advanced Settings for the Master NGFW Engine page
System Parameters
Encrypt Configuration Data Selected by default: the configuration of the engine is stored in an encrypted format.

Deselect this option only if instructed to do so by Forcepoint support.

Contact Node Timeout

The maximum amount of time the Management Server tries to connect to an engine.

If the engine has a dynamic IP address, the Contact Node Timeout is the maximum amount of time that the engine tries to contact the Management Server. If the connection to the Management Server fails, the engine automatically tries to reconnect to the Management Server.

A consistently slow network connection might require increasing this value. The default value is 60 seconds.

Note: Setting the timeout value too short or too long can delay or prevent contact between the Management Server and the engines.
Auto Reboot Timeout Specifies the length of time after which an error situation is considered non-recoverable and the engine automatically reboots.

The default value is 10 seconds.

Note: Set to 0 to disable.
Policy Handshake

When selected, the nodes automatically roll back to using the previously installed policy if connectivity is lost after installing a new policy.

Without this feature, you must switch to the previous configuration manually through the engine's boot menu.

Note: We recommend adjusting the timeout (next setting) rather than disabling this feature completely if there is a need to make changes.
Rollback Timeout Specifies the time the engine waits for a management connection before it rolls back to the previously installed policy when the Policy Handshake option is active.

The default value is 60 seconds.

Automated Node Certificate Renewal

When selected, the engine's certificate for system communications is automatically renewed before it expires. Otherwise, the certificate must be renewed manually.

Each certificate for system communications is valid for three years. If the certificate expires, other components refuse to communicate with the engine.

Note: Does not renew VPN certificates for Virtual Firewalls. Automatic certificate renewal for internally signed VPN certificates is set separately in the VPN settings for the Virtual Firewalls.
FIPS-Compatible Operating Mode

(Firewalls only)

When selected, activates a mode that is compliant with the FIPS (Federal Information Processing Standard) 140-2.
Note: You must also select FIPS-specific settings in the NGFW Configuration Wizard on the command line of the NGFW Engine. For more information, see How to install Forcepoint NGFW in FIPS mode.
Log Handling Specifies the settings related to adjusting logging when the log spool on the engines fills up or when the number of Antispoofing and Discard logs grows too high.
Note: You can adjust the logging of Antispoofing and Discard logs also for specific interfaces.
Clustering

(Firewall Clusters only)

Specifies the settings related to the communications between cluster members and load-balancing between the nodes.
Traffic Handling
Connection Tracking Mode
When enabled, reply packets are allowed as part of the allowed connection without an explicit Access rule.
  • Normal — Default connection tracking mode for firewalls.

    The engine drops ICMP error messages related to connections that are not currently active in connection tracking. A valid, complete TCP handshake is required for TCP traffic. The engine checks the traffic direction and the port parameters of UDP traffic.

  • Loose — The engine allows some connection patterns and address translation operations that are not allowed in the Normal mode. This mode can be used, for example, if routing is asymmetric and cannot be corrected or if the use of dynamic routing protocols causes the Firewall to receive non-standard traffic patterns.
  • Strict — The engine does not permit TCP traffic to pass through before a complete, valid TCP handshake is performed.

You can override this engine-specific setting and configure connection tracking for TCP, UDP, and ICMP traffic in Access rules.

Virtual Defragmenting When selected, fragmented packets are sent onwards using the same fragmentation as when they arrived at the engine.

When the engine receives fragmented packets, it defragments the packets for inspection. The original fragments are queued on the engine until the inspection is finished. If the option is not selected, the packets are sent onwards as if they had arrived unfragmented.

Strict TCP Mode for Deep Inspection This option is included for backward compatibility with legacy NGFW software versions.
Default Connection Termination in Inspection Policy Defines how connections that match rules with the Terminate action in the Inspection Policy are handled.
  • Terminate and Log Connection — Stops the matching connections. This option is the default setting.
  • Only Log Connection — Does not stop the matching connections. Creates a Terminate (passive) log entry for the matching connections. This option is useful for testing which connections would be stopped before you enforce the Terminate action.

You can override this engine-specific setting in the Inspection Policy.

Policy Routing Specifies the policy routing settings.
Idle Timeouts Specifies the settings for general connection timeouts.
SYN Rate Limits Specifies the settings for configuring limits for SYN packets sent to the engine.

You can also configure SYN Rate Limits for specific interfaces.

Scan Detection Specifies the scan detection settings.

You can override the engine-specific settings in Access rules.

Option Definition
Review Basic Information for Virtual NGFW Engines page
Basic Information for Shows the name of the Virtual NGFW Engine. Not editable.
Name Shows the automatically generated Virtual NGFW Engine Name for the Virtual NGFW Engine.
Virtual Resource Shows the Virtual Resource element associated with the Virtual NGFW Engine. Not editable.
Master NGFW Engine Shows the Master NGFW Engine that hosts the Virtual NGFW Engine. Not editable.
DNS IP Addresses Shows the DNS servers that the Master NGFW Engine uses to resolve domain names.
Add Adds a single IP address or network element to the DNS IP Addresses list.
Remove Removes a single IP address or network element from the DNS IP Addresses list.
Category

(Optional)

Includes the element in predefined categories. Click Select to select a category.
Comment

(Optional)

A comment for your own reference.
Option Definition
Review Interfaces for Virtual NGFW Engines page
Interface Information for Shows the name of the Virtual NGFW Engine. Not editable.
Search Activates the type-ahead search field.
New Not available.
Tools
  • Expand All — Expands all levels of the interface tree.
  • Collapse All — Collapses all levels of the interface tree.
  • Refresh View — Updates the interface tree.
Options

(Optional)

Opens the Interface Options dialog box that specifies the roles of the interfaces, and the Loopback IP addresses.
ARP Entries Opens the ARP Entry Properties dialog box that allows you to add ARP entries for the engine elements.
Multicast Routing Opens the Multicast Routing Properties dialog box, where you can configure multicast routing.
Option Definition
Review and Edit Routing for Virtual NGFW Engines page
Routing for Select the Virtual NGFW Engine for which you want to view or edit routing.
Navigation pane The navigation pane on the left shows types of elements that can be added to the routing tree.
Search Activates the type-ahead search field.
Up Navigates up one level in the navigation hierarchy. Not available at the top level of the navigation hierarchy.
New Creates an element of the specified type.
Tools Show Deleted Elements — Shows elements that have been moved to the trash.
Routing tree pane The routing tree pane on the right shows the routing configuration for each interface.
Search Activates the type-ahead search field.
New Creates an element of the specified type.
Tools
  • Expand All — Expands all levels of the routing tree.
  • Collapse All — Collapses all levels of the routing tree.
  • Refresh View — Updates the routing tree.
Option Definition
Review NAT Definitions for Virtual NGFW Engines page
NAT Definitions for Specifies the Virtual NGFW Engine for which NAT definitions are shown.
Use Default NAT Address for Traffic from Internal Networks When selected, a NAT rule is generated at the end of the NAT rules in the Firewall Policy, and the Firewall uses the default NAT address as the public IP address for traffic from internal networks that no more specific NAT definition matches. If this option is not selected, no NAT is applied to traffic that no NAT rule matches.
Show Details Opens the Default NAT Address Properties dialog box.
Add NAT Definition Creates a NAT Definition element and opens the NAT Definition Properties dialog box.
Edit NAT Definition Opens the NAT Definition Properties dialog box for an existing NAT Definition element.
Remove NAT Definition Removes the selected row from the table.
Previous Navigates back to the previous wizard page.
Next Navigates to the following wizard page.