Policies are key elements that contain rules for allowing or blocking network traffic and inspecting the content of traffic.
Read the following examples of NAT rules.
This online help was created for Forcepoint FlexEdge Secure SD-WAN, version 7.1.x.
Before setting up Forcepoint FlexEdge Secure SD-WAN, it is useful to know what the different components do and what engine roles are available.
Before you can set up the system and start configuring elements, you must consider how the different SMC components should be positioned and deployed.
After deploying the SMC components, you are ready to start using the Management Client and carrying out some of the first configuration tasks.
You can use the SMC to monitor system components and third-party devices. You can also view and filter logs, and create Reports from them.
You can command and set options for engines through the Management Client or on the engine command line. You can also stop traffic manually.
SD-WAN Manager configuration allows you to customize how the SMC components work.
You can create and modify Engines, IPS engines, Layer 2 Engines, Master Engines and Virtual Secure SD-WAN Engines. You can configure the Secure SD-WAN Engine properties, activate optional features, and configure advanced Secure SD-WAN Engine settings.
Use the Management Client to configure static or dynamic routing, and use a Multi-Link configuration to manage and distribute inbound and outbound connections.
Policy elements are containers for the rules that determine how Secure SD-WAN Engines, Master Engines, and Virtual Engines examine traffic. The policy elements for the engines include Template Policies, Policies, and Sub-Policies.
Access rules are lists of matching criteria and actions that define how the engine treats different types of network traffic. They are your main configuration tool for defining which traffic is stopped and which traffic is allowed.
Network address translation (NAT) replaces the source or destination IP addresses in packets with other IP addresses. NAT rules define how NAT is applied to traffic.
Address translation is configured as part of the Engine Policy using NAT rules.
If NAT is needed between SMC components, you must define Contact Addresses for the communications so that the components use the correct address for contact when needed.
You can use NAT for outbound load-balancing.
Automatic proxy ARP requires an explicit route to the host or network to be configured in the Routing pane of the Engine Editor.
Protocols of the Protocol Agent type help with problems related to certain complex protocols and NAT.
These examples illustrate some common uses for NAT rules and the general steps for configuring each example.
This example shows a static address translation that translates the addresses in one network to IP addresses in another network.
This example shows a dynamic address translation that translates the addresses in one internal network to a single external address for general web browsing.
This example shows a static address translation that translates the external IP address of a web server to the server’s internal address.
In this example, hairpin NAT is configured.
Inspection Policy elements define how the engines look for patterns in traffic allowed through the Access rules and what happens when a certain type of pattern is found.
The Snort open source intrusion prevention system is integrated into Forcepoint Secure SD-WAN. You can import externally created Snort configurations into Forcepoint Secure SD-WAN to use Snort rule sets for inspection.
The rules in Engine, IPS, Layer 2 Engine, and Layer 2 Interface Policies allow you to control how the engines inspect and filter network traffic, and how NAT (network address translation) is applied on Engines, Master Secure SD-WAN Engines, and Virtual Engines.
When you define IP addresses as elements, you can use the same definitions in multiple configurations for multiple components.
Service elements match traffic based on protocol or port and set options for advanced inspection of traffic. Service elements are used in Engine Policies, IPS Policies, Layer 2 Engine Policies, and Layer 2 Interface Policies.
Situation elements contain the context information that defines the pattern that the Secure SD-WAN Engine looks for in the inspected traffic. Situation elements also define the patterns that match events in the traffic.
Network Application elements collect combinations of identified characteristics and detected events in traffic to dynamically identify traffic related to the use of a particular network application.
With the User Response element, you can send customized replies to users, instead of just closing an HTTP or HTTPS connection.
The Quality of Service (QoS) features allow you to manage bandwidth and prioritize connections on the Secure SD-WAN Engines. QoS features are available on Engines, IPS Secure SD-WAN Engines, Layer 2 Engines, Master Engines, Virtual Engines, Virtual IPS Secure SD-WAN Engines, and Virtual Layer 2 Engines.
An anti-malware scanner compares network traffic against an anti-malware database to search for viruses and other malware. If malware is found, the traffic is stopped or content is stripped out.
Monitoring and restricting what data is sent out is an important part of data loss prevention (DLP). File filtering allows you to restrict the file types that are allowed in and out through the engine, and to apply malware detection to files.
If you have installed Forcepoint One Endpoint clients on the endpoints in your network, you can collect information about endpoint clients, and use the information for access control in the SMC.
URL filtering allows you to filter URLs based on categories of content or lists of individual URLs.
Protocol elements of the Protocol Agent type are special modules for some protocols and services that require advanced processing. Protocol Agents can enforce policies on the application layer.
Sidewinder Proxies are software modules that provide network level proxies, protocol validation, and configurable application level protocol filtering and translation on Forcepoint FlexEdge Secure SD-WAN.
The TLS inspection feature decrypts TLS connections so that they can be inspected for malicious traffic and then re-encrypts the traffic before sending it to its destination.
QUIC is a secure general-purpose transport protocol. QUIC combines encryption and transport layer data stream processing into one protocol, thereby reducing latency and improving security.
In addition to inspecting traffic on the Secure SD-WAN Engine, you can transparently forward traffic to a proxy service in the cloud or on premises. For example, you can forward all HTTP and HTTPS traffic to the Forcepoint Web Security Cloud service.
Block listing is a way to temporarily block unwanted network traffic either manually or automatically with block list requests from a Secure SD-WAN Engine or Log Server. Engines, IPS engines, Layer 2 Engines, and Virtual Engines can use a block list for blocking traffic.
User accounts are stored in internal databases or external directory servers. You can use Secure SD-WAN in the Engine/VPN role or external authentication servers to authenticate users.
Secure SD-WAN supports both policy-based and route-based VPN tunnels between VPN gateways. For full remote access, Secure SD-WAN supports both IPsec and SSL VPN tunnels for VPN clients.
Maintenance includes procedures that you do not typically need to do frequently.
Troubleshooting helps you resolve common problems in the Secure SD-WAN and SMC.