Edit common properties of several Secure SD-WAN Engines at the same time
You can select several Secure SD-WAN Engines and change the properties that are common to all of them.
- Properties specific to one individual Secure SD-WAN Engine element, such as IP address definitions, are never available in the common properties.
- If you select both single and clustered Secure SD-WAN Engines elements, the cluster-specific options are not available.
- If you select Secure SD-WAN Engines of different types, you can only change properties that are supported for all of the selected types of elements.
For more details about the product and how to configure features, click Help or press F1.
Steps
Common Engine Properties dialog box
Use this dialog box to define common properties for two or more engines.
Option | Definition |
---|---|
General tab | |
Log Server (Not Virtual Secure SD-WAN Engines) | Specifies the log server to which the engines send event data. |
Location (Not Virtual Secure SD-WAN Engines) | Specifies the location for the engines or clusters if there is a NAT device between the engine and other SMC components. |
Tools Profile (Not Virtual Secure SD-WAN Engines) | Adds commands to the right-click menu for the element. Click Select to select an element. |
Comment (Optional) | A comment for your own reference. |
General tab Clustering section (Clusters only) | |
Clustering Mode (Not Layer 2 Engines) | Note: Only standby clustering mode is supported for Layer 2 Engine Clusters. |
Filter Mode | Defines how traffic is balanced between the nodes. |
Heartbeat Message Period | Specifies how often clustered Secure SD-WAN Engines send heartbeat messages to each other (notifying that they are up and running). Enter the value in milliseconds. The default value is 1000 milliseconds (one second). CAUTION: Setting this option too low can result in unnecessary heartbeat failures. Setting this option too high can cause unnecessary service outages when a failure occurs. |
Heartbeat Failover Time | Defines the time from the previous heartbeat message after which a node is treated as failed. Enter the value in milliseconds. The failover time must be at least twice as long as the Heartbeat Message Period. The default value is 5000 milliseconds. CAUTION: Setting this option too low can result in unnecessary heartbeat failures. Setting this option too high can cause unnecessary service outages when a failure occurs. |
Load-Balancing Filter Uses Ports (Engines only) | When selected, includes a port value for selecting between all nodes. This setting decreases the granularity of VPN load balancing, and increases the granularity of other traffic load balancing. In typical networks, traffic is balanced based on IP address information only. If there is a dominating pair of communication IP addresses, apply the Use Ports option in the load-balancing filter entry only to their traffic and not globally. Note: Enabling this option is not compatible with some features, such as mobile VPNs. |
Option | Definition |
---|---|
General tab Tester Global Settings section (Not Virtual Secure SD-WAN Engines) | |
Alert Interval | Specify the time in minutes the Secure SD-WAN Engine waits before sending a new alert when the same test keeps failing repeatedly. The default value is 60 minutes. If the interval is too short, the alerts can overload the system or the alert recipient. |
Delay After Boot / Delay After Reconfiguration / Delay After Status Change | Specify the time in seconds that the Secure SD-WAN Engine waits before it resumes running the tests after the named event (boot, reconfiguration, or status change). |
Auto Recovery (Clusters and Master Engines only) | When selected, the Secure SD-WAN Engine automatically goes back online when a previously failed test completes successfully. Run the test in both online and offline states if you activate this option. |
Boot Recovery | When selected, the Secure SD-WAN Engine automatically goes back online after restarting if all offline tests report a success. |
Option | Definition |
---|---|
General tab SNMP section (Not Virtual Secure SD-WAN Engines) | |
SNMP Agent | Enables the Secure SD-WAN Engine to send SNMP traps. |
SNMP Location | Specifies the SNMP location string that is returned on queries to the SNMPv2-MIB or SNMPv2-MIB-sysLocation object. |
Option | Definition |
---|---|
General tab LLDP section (Not Virtual Secure SD-WAN Engines) | |
LLDP Profile (Secure SD-WAN Engines and Master Engines in the Engine/VPN role only) | The LLDP Profile element that specifies settings for the LLDP announcements that the Secure SD-WAN Engine sends. Click Select to select an element. |
Option | Definition |
---|---|
General tab Layer 2 Settings section (Engines only) | |
Policy for Layer 2 Interfaces | The Layer 2 Interface Policy that contains rules for traffic detected by layer 2 physical interfaces. All layer 2 physical interfaces on the Secure SD-WAN Engine use the same Layer 2 Interface Policy. If there are no layer 2 physical interfaces, this setting is ignored. |
Layer 2 Connection Tracking Mode | When connection tracking is enabled, reply packets are allowed as part of the allowed connection without an explicit Access rule. You can override this engine-specific setting and configure connection tracking for TCP, UDP, and ICMP traffic in Access rules. |
Bypass Traffic on Overload | When selected, the Secure SD-WAN Engine dynamically reduces the number of inspected connections if the load is too high. Some traffic might pass through without any access control or inspection if this option is selected. Bypassed traffic is not counted when a possible license throughput limit is enforced. The bypass does not affect traffic subject to TLS Inspection. If this option is not selected, the Secure SD-WAN Engine inspects all connections. Some connections might not get through if the engine gets overloaded. |
Option | Definition |
---|---|
Routing tab (Engines only) | |
Link Usage Profile | To enable dynamic link selection for the Secure SD-WAN Engine, select a Link Usage Profile element. |
Option | Definition |
---|---|
Add-Ons tab TLS Inspection section (Not Master Secure SD-WAN Engines) | |
Client Protection Certificate Authority | Select the Client Protection Certificate Authority element to use for client protection. |
Check Certificate Revocation | When selected, the Secure SD-WAN Engine uses CRL or OCSP to check whether certificates have been revoked. |
Decrypt All Traffic | When selected, the Secure SD-WAN Engine forces all traffic to be decrypted. When the checkbox is not selected, the Secure SD-WAN Engine either decrypts or does not decrypt traffic according to the settings in TLS Match elements. |
Cryptography Suite Set (TLS 1.2 and lower) | Specifies the TLS Cryptography Suite Set element that defines which cryptographic algorithms are allowed for TLS traffic that is decrypted for TLS Client Protection. Click Select to select an element. Note: If you use TLS 1.3 with Secure SD-WAN Engine version 6.11 or higher, the Secure SD-WAN Engine decrypts all supported TLS 1.3 cryptographic algorithms. |
Option | Definition |
---|---|
Add-Ons tab User Authentication section (Engine/VPN role only) | |
Authentication Time-Out | Defines the length of time after which authentication expires and users must re-authenticate. |
Authentication Idle Time-Out | Defines an idle timeout for user authentication. If there have been no new connections within the specified time limit after the closing of a user's previous connection, the user is removed from the list of authenticated users. |
HTTP | When selected, allows authentication using plain HTTP connections. Change the Port number if you want to use a different port for the authentication interface. The default port is 80. |
HTTPS | When selected, allows authentication using encrypted HTTPS connections. Change the Port number if you want to use a different port for the authentication interface. The default port is 443. This option is required for client certificate authentication. |
User Authentication Page | Select the User Authentication Page element that defines the look of the logon, challenge, re-authentication, and status page shown to end users when they authenticate. |
Enable Session Handling (Optional) | When selected, enables cookie-based strict session handling. Note: When Enable Session Handling is selected, the Authentication Idle Time-Out option is not available. The Refresh Status Page Every option defines the authentication timeout. |
Refresh Status Page Every (Optional) | Defines how often the status page is automatically refreshed. When Enable Session Handling is selected, defines the authentication timeout. |
Option | Definition |
---|---|
Add-Ons tab User Identification section (Not Master Secure SD-WAN Engines or Virtual Engines) | |
User Identification Service | The Forcepoint User ID Service and Integrated User ID Service provide user, group, and IP address information that can be used in transparent user identification. The Integrated User ID Service is primarily meant for demonstration purposes and proof-of-concept testing of user identification services. Note: For Secure SD-WAN version 6.4 or higher, we recommend that you use the Forcepoint User ID Service. |
Option | Definition |
---|---|
Add-Ons tab Snort section (Not Master Secure SD-WAN Engines or Virtual Engines) | |
Enable | When selected, enables Snort inspection for the Secure SD-WAN Engine. Note: To apply Snort inspection to traffic, you must also create Access rules to select traffic for Snort inspection. |
Snort Configuration (Optional) | The externally created Snort configuration .zip file that contains the Snort configuration files and rules for Snort inspection. All Secure SD-WAN Engines for which Snort inspection is enabled use the global Snort configuration by default. If you do not want to override settings in the global Snort configuration, it is not necessary to import a Snort configuration file for an individual Secure SD-WAN Engine. Settings in the Snort configuration .zip file for an individual Secure SD-WAN Engine are combined with the settings in the global Snort configuration .zip file. If any configuration files in a Snort configuration .zip file for an individual Secure SD-WAN Engine have the same file names and paths as configuration files in the global Snort configuration .zip file, the overlapping files in the global Snort configuration .zip file are ignored. |
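The precedence rule for the Snort Configuration option above, modelled as an added example that is not Forcepoint's own code: the engine-specific .zip is layered over the global .zip, and any path present in both is taken from the engine-specific archive. Both archives and their contents are constructed inline for the example; exact path comparison is an assumption, since the text only says "the same file names and paths".

```python
import io
import zipfile
from typing import Dict, Optional, Set


def build_zip(files: Dict[str, str]) -> bytes:
    """Build an in-memory .zip from {path: text}. Used only to construct sample archives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, text in files.items():
            zf.writestr(path, text)
    return buf.getvalue()


def read_zip(data: bytes) -> Dict[str, str]:
    """Return {path: text} for every regular file entry in the archive (directories skipped)."""
    out: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                out[info.filename] = zf.read(info).decode("utf-8")
    return out


def overridden_paths(global_zip: bytes, engine_zip: bytes) -> Set[str]:
    """Paths that exist in both archives: these global files will be ignored for this engine."""
    return set(read_zip(global_zip)) & set(read_zip(engine_zip))


def effective_snort_config(global_zip: bytes, engine_zip: Optional[bytes]) -> Dict[str, str]:
    """Combine the global configuration with an engine-specific one.

    With no engine-specific archive imported, the global configuration applies as-is.
    Otherwise the engine-specific files are added, and where a path also exists in the
    global archive the engine-specific copy wins (the global copy is ignored).
    """
    merged = read_zip(global_zip)
    if engine_zip is None:
        return merged
    merged.update(read_zip(engine_zip))  # same path: engine-specific file replaces global
    return merged


# Constructed sample archives (not real Snort configuration content).
GLOBAL_FILES = {
    "snort.lua": "-- global base configuration\n",
    "rules/shared.rules": "# shared rules\n",
    "rules/local.rules": "# global local rules\n",
}
ENGINE_FILES = {
    "rules/local.rules": "# engine-specific local rules\n",  # overlaps with global
    "rules/engine-only.rules": "# only on this engine\n",
}
GLOBAL_ZIP = build_zip(GLOBAL_FILES)
ENGINE_ZIP = build_zip(ENGINE_FILES)

if __name__ == "__main__":
    for path in sorted(overridden_paths(GLOBAL_ZIP, ENGINE_ZIP)):
        print(f"global file ignored for this engine: {path}")
    for path, text in sorted(effective_snort_config(GLOBAL_ZIP, ENGINE_ZIP).items()):
        print(f"{path}: {text.strip()}")
```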
Option | Definition |
---|---|
Policies tab Element-Based NAT section (Engine/VPN role only) | |
Use Default NAT Address for Traffic from Internal Networks | Select an option to define how the Secure SD-WAN Engine uses the default NAT address. When you select On or Automatic, a NAT rule is generated at the end of the IPv4 or IPv6 NAT rules in the policy. |
Option | Definition |
---|---|
Policies tab Settings for Automatic Rules section | |
Allow Traffic to Authentication Ports (Engine/VPN role only) | When selected, allows traffic to the ports that are used for user authentication. |
Allow Traffic from Listening IP Addresses to DNS Relay Port (Engine/VPN role only) | When selected, allows traffic from clients in the internal network to the standard DNS ports (53/TCP and 53/UDP) on the interfaces that are selected as listening interfaces for DNS relay. |
Allow Connections to Domain-Specific DNS Servers (Engine/VPN role only) | When selected, allows connections from the engine to the domain-specific DNS servers specified in the DNS Relay Profile element that is selected for the engine. |
Allow Connections from Local DHCP Relay to Remote DHCP Server (Engine/VPN role only) | When selected, allows connections from interfaces on which DHCP relay is active to remote DHCP servers. Note: To relay DHCP messages through a policy-based VPN, you must add specific Access rules to allow the traffic. The Access rules must refer to the correct policy-based VPN. |
Log Level for Automatic Rules | The log level for traffic that matches automatic rules. |
Alert | When the Log Level is set to Alert, specifies the Alert that is sent. |
Option | Definition |
---|---|
SD-WAN tab (Engine/VPN role only) | |
Gateway Settings | The Gateway Settings element that defines performance-related VPN options. |
Option | Definition |
---|---|
Advanced tab System Parameters section | |
Encrypt Configuration Data | By default, the configuration of the Secure SD-WAN Engine is stored in an encrypted format. Disable the encryption only if instructed to do so by Forcepoint Customer Hub. |
Contact Node Timeout (Not Virtual Engines) | The maximum amount of time the Management Server tries to connect to a Secure SD-WAN Engine. A consistently slow network connection might require increasing this value. The default value is 120 seconds. Note: Setting the timeout value too short or too long can delay or prevent contact between the Management Server and the Secure SD-WAN Engines. |
Auto Reboot Timeout (Not Virtual Engines) | Specifies the length of time after which an error situation is considered non-recoverable and the Secure SD-WAN Engine automatically reboots. The default value is 10 seconds. Set to 0 to disable. |
Policy Handshake (Not Virtual Engines) | When selected, the nodes automatically roll back to using the previously installed policy if connectivity is lost after installing a new policy. Without this feature, you must switch to the previous configuration manually through the boot menu of the Secure SD-WAN Engine. Note: We recommend adjusting the timeout (next setting) rather than disabling this feature completely if there is a need to make changes. |
Rollback Timeout (Not Virtual Engines) | The length of time the Secure SD-WAN Engine waits for a management connection before it rolls back to the previously installed policy when the Policy Handshake option is active. The default value is 60 seconds. |
Automated Node Certificate Renewal (Not Virtual Engines) | When selected, the Secure SD-WAN Engine's certificate for system communications is automatically renewed before it expires. Otherwise, the certificate must be renewed manually. Each certificate for system communications is valid for three years. If the certificate expires, other components refuse to communicate with the Secure SD-WAN Engine. Note: Does not renew SD-WAN certificates. Automatic certificate renewal for internally signed SD-WAN certificates is set separately in the Secure SD-WAN Engine's SD-WAN settings. |
FIPS-Compatible Operating Mode (Engines only) (Not Virtual Engines) | When selected, activates a mode that is compliant with the Federal Information Processing Standards (FIPS). Note: You must also select FIPS-specific settings in the Secure SD-WAN Configuration Wizard on the command line of the Secure SD-WAN Engine. For more information, see How to install Forcepoint FlexEdge Secure SD-WAN in FIPS mode. |
Number of CPUs Reserved for Control Plane (Engines only) (Not Virtual Engines) | Select how many CPUs to reserve for control plane operations. In situations where there is exceptionally high traffic, in a denial of service attack, for example, this ensures that you can still monitor and control the Secure SD-WAN Engine operation. Note: The reserved CPUs cannot be used for traffic processing. Using fewer CPUs for traffic processing degrades performance. |
Isolate Also Interfaces for System Communications (Engines only) | When selected, the reserved CPUs handle the system communications traffic that passes through the Control Interfaces and dedicated primary Heartbeat Interfaces. We recommend that you only use this option when the Physical Interfaces used for system communications do not handle any other traffic. |
Option | Definition |
---|---|
Advanced tab Traffic Handling section | |
Layer 3 Connection Tracking Mode (Engines only) / Connection Tracking Mode (IPS engines and Layer 2 Engines only) | When connection tracking is enabled, reply packets are allowed as part of the allowed connection without an explicit Access rule. You can override this Secure SD-WAN Engine-specific setting and configure connection tracking for TCP, UDP, and ICMP traffic in Access rules. |
Virtual Defragmenting (Engines only) (Not Virtual Secure SD-WAN Engines) | When selected, fragmented packets are sent onwards using the same fragmentation as when they arrived at the Secure SD-WAN Engine. When the Secure SD-WAN Engine receives fragmented packets, it defragments the packets for inspection. The original fragments are queued until the inspection is finished. If the option is not selected, the packets are sent onwards as if they had arrived unfragmented. |
Strict TCP Mode for Deep Inspection (Not Virtual Engines) | This option is included for backward compatibility with legacy software versions. |
Concurrent Connection Limit (Not Virtual Engines) | A global limit for the number of open connections. When the set number of connections is reached, the Secure SD-WAN Engine stops the next connection attempts until a previously open connection is closed. |
Inspection CPU Balancing Mode (Not Virtual Engines) | Specifies how inspected connections are allocated between the CPUs. Select from the following options: |
Active Wait Time Between Inspected Packets (Not Virtual Engines) | Defines how long the inspection process stays active waiting for packets after it has inspected a packet. |
Default Connection Termination in Access Policy (IPS engines and Layer 2 Engines only) | Defines how connections that match Access rules with the Discard action are handled. |
Default Connection Termination in Inspection Policy | Defines how connections that match rules with the Terminate action in the Inspection Policy are handled. |
Action When TCP Connection Does Not Start With a SYN Packet (Not Master Engines) | The Secure SD-WAN Engine refuses TCP connections if the TCP connection does not start with a SYN packet, even if the TCP connection matches an Access rule with the Allow action. The Secure SD-WAN Engine does not send a TCP reset if the TCP connection begins with a TCP reset packet. |
Option | Definition |
---|---|
Advanced tab Certificate Validation section (Not Virtual Secure SD-WAN Engines) | |
HTTP Proxy (Optional) | When specified, OCSP and CRL lookups are sent through an HTTP proxy instead of the engine accessing the external network directly. |
Timeout for OCSP and CRL Lookups | The maximum amount of time that the engine tries to connect to the CRL or OCSP server if the connection has failed. The default is 120 seconds. |
Option | Definition |
---|---|
Advanced tab SYN Rate Limits section | |
SYN Rate Limits | Limits for SYN packets sent to the Secure SD-WAN Engine. |
Allowed SYNs per Second | (When SYN Rate Limits is Custom) The number of allowed SYN packets per second. |
Burst Size | (When SYN Rate Limits is Custom) The number of allowed SYNs before the Secure SD-WAN Engine starts limiting the SYN rate. CAUTION: We recommend setting the Burst Size value to at least one tenth of the Allowed SYNs per Second value. If the burst size is too small, SYN rate limits do not work. For example, if the value for Allowed SYNs per Second is 10000, the Burst Size value must be at least 1000. |
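A pre-check for the two numeric rules this page states, the Heartbeat Message Period / Heartbeat Failover Time relationship in the Clustering section and the Burst Size / Allowed SYNs per Second relationship above, written as an added example and not as Forcepoint's own code. The property key names and the heartbeat arrival timeline are assumptions constructed for the example; it is meant to be run over a proposed set of common values before they are applied to several engines at once.

```python
from typing import Dict, List, Optional

DEFAULT_HEARTBEAT_PERIOD_MS = 1000   # page default: 1000 ms
DEFAULT_HEARTBEAT_FAILOVER_MS = 5000  # page default: 5000 ms


def check_heartbeat(period_ms: int, failover_ms: int) -> List[str]:
    """Failover time must be at least twice the message period (both in milliseconds)."""
    if period_ms <= 0 or failover_ms <= 0:
        return ["Heartbeat Message Period and Heartbeat Failover Time must be positive"]
    if failover_ms < 2 * period_ms:
        return [f"Heartbeat Failover Time {failover_ms} ms is less than twice the "
                f"Heartbeat Message Period {period_ms} ms (minimum {2 * period_ms} ms)"]
    return []


def node_declared_failed_at(heartbeat_times_ms: List[int], failover_ms: int,
                            now_ms: int) -> Optional[int]:
    """Given constructed heartbeat arrival times from one node, return the instant the
    peer treats it as failed: failover_ms after the last heartbeat that was not followed
    by another one within failover_ms. None if every gap (including up to now) is short."""
    times = sorted(heartbeat_times_ms)
    for prev, nxt in zip(times, times[1:] + [now_ms]):
        if nxt - prev > failover_ms:
            return prev + failover_ms
    return None


def check_syn_rate_limits(mode: str, allowed_per_second: int = 0,
                          burst_size: int = 0) -> List[str]:
    """Custom mode only: Burst Size must be at least one tenth of Allowed SYNs per Second."""
    if mode != "Custom":
        return []  # the two numeric fields are not used in the other modes
    if allowed_per_second <= 0 or burst_size <= 0:
        return ["Allowed SYNs per Second and Burst Size must be positive in Custom mode"]
    minimum_burst = -(-allowed_per_second // 10)  # ceiling of one tenth
    if burst_size < minimum_burst:
        return [f"Burst Size {burst_size} is below one tenth of Allowed SYNs per Second "
                f"{allowed_per_second}; use at least {minimum_burst}"]
    return []


def check_common_properties(props: Dict[str, object]) -> List[str]:
    """Run both checks over one dict of proposed common properties (keys are assumed)."""
    problems = check_heartbeat(int(props.get("heartbeat_message_period_ms", DEFAULT_HEARTBEAT_PERIOD_MS)),
                               int(props.get("heartbeat_failover_time_ms", DEFAULT_HEARTBEAT_FAILOVER_MS)))
    problems += check_syn_rate_limits(str(props.get("syn_rate_limits", "")),
                                      int(props.get("allowed_syns_per_second", 0)),
                                      int(props.get("burst_size", 0)))
    return problems


# Constructed proposal: failover too short for the period, burst below one tenth of the rate.
PROPOSED = {
    "heartbeat_message_period_ms": 1000,
    "heartbeat_failover_time_ms": 1500,
    "syn_rate_limits": "Custom",
    "allowed_syns_per_second": 10000,
    "burst_size": 500,
}

if __name__ == "__main__":
    for problem in check_common_properties(PROPOSED):
        print("problem:", problem)
    # One delayed heartbeat (gap of 1700 ms) triggers a failover at 1500 ms but not at 5000 ms.
    beats = [0, 1000, 2700, 3700]
    print(node_declared_failed_at(beats, 1500, now_ms=4500))  # 2500
    print(node_declared_failed_at(beats, 5000, now_ms=4500))  # None
```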
Option | Definition |
---|---|
Advanced tab Log Handling section (Not Virtual Secure SD-WAN Engines) | |
Log Spooling Policy (Not Virtual Engines) | Defines what happens when the log spool becomes full. |
Store a Copy of Recent Log Files on the Secure SD-WAN Engine | When selected, the Secure SD-WAN Engine stores copies of logs according to the specified settings. |
Maximum Time | The maximum length of time for which to store copies of logs. Values can be 1–720 hours (the maximum is 30 days), or not specified. If a value is not specified, the Secure SD-WAN Engine stores copies of logs until the limits specified in the Guaranteed Free Spool Partition or Guaranteed Free Spool Partition Size options are reached. |
Guaranteed Free Spool Partition | The minimum percentage of the spool partition that must be kept free. When the amount of free space reaches the limit, the Secure SD-WAN Engine starts deleting the oldest stored copies of log and alert entries when a new log or alert entry is saved. Values can be 5–80 %, or not specified. Note: You must enter a value for at least one of the guarantee options. If you enter a value for both options, both limits are enforced. |
Guaranteed Free Spool Partition Size | The minimum amount of file space, in MB, on the spool partition that must be kept free. When the amount of free space reaches the limit, the Secure SD-WAN Engine starts deleting the oldest stored copies of log and alert entries when a new log or alert entry is saved. Values can be 50–1000 MB, or not specified. Note: You must enter a value for at least one of the guarantee options. If you enter a value for both options, both limits are enforced. |
Option | Definition |
---|---|
Advanced tab Scan Detection section | |
Scan Detection Mode | When you enable scan detection, the number of connections or connection attempts within a time window is counted. |
Create a log entry when the system detects section | Allows you to set thresholds for creating log entries. When the specified number of events for the specified time period is exceeded, log entries are created. The following options are available for each protocol: |
Log Level | Specifies the log level for the log entries. |
Alert | When the Log Level is set to Alert, specifies the Alert that is sent. |
Severity | When the Log Level is set to Alert, allows you to override the severity defined in the Alert element. |
Option | Definition |
---|---|
Advanced tab Rate-Based DoS Protection section (Not Master Secure SD-WAN Engines) | |
Rate-Based DoS Protection Mode | Enables or disables DoS protection, which can help prevent Denial of Service (DoS) attacks. |
SYN Flood Sensitivity | When SYN flood protection is activated, the Secure SD-WAN Engine acts as a SYN proxy. The engine completes the TCP handshake with the client, and only initiates the connection with the server after the client has completed the TCP handshake. |
Limit for Half-Open TCP Connections (Optional) | Set the maximum number of half-open TCP connections per destination IP address. The minimum is 125, the maximum is 100 000. When the limit is exceeded, the SYN flood protection is activated, and log data is generated. |
Slow HTTP Request Sensitivity | The Secure SD-WAN Engine analyzes the data transfer rate and the length of time it takes to read the header fields of the HTTP request. If the sender of the request tries to keep the connection open for an unreasonable length of time, the Secure SD-WAN Engine block lists the sender's IP address for a specified length of time. |
Slow HTTP Request Block list Timeout | The length of time for block listing IP addresses that are suspected of sending malicious traffic. Enter the time in seconds (the default is 300). |
Option | Definition |
---|---|
Advanced tab TCP Reset section (Not Master Secure SD-WAN Engines) | |
TCP Reset Sensitivity | When enabled, the Secure SD-WAN Engine checks the sequence numbers of TCP RST segments to determine whether it is under a TCP Reset attack. You cannot override this setting in individual Access rules. |
Option | Definition |
---|---|
Advanced tab General Authentication Settings section (Engine/VPN role only) | |
Default User Domain | The default LDAP domain from which the Secure SD-WAN Engine looks up users. Note: This setting applies to all user authentication, including browser-based user authentication, VPN clients, and the SSL VPN Portal. |
Allow user lookup from known User Domain matching to client certificate email domain or UPN suffix | When selected, the Secure SD-WAN Engine looks up the user from the domain specified in the email address or user principal name before looking up the user in the default domain. Note: This option is ignored when the value of the Client Certificate Identity Field for TLS option is Distinguished Name. |
Client Certificate Identity Field for TLS | The attribute that is used to look up the user entry from the user domain when using TLS. The Secure SD-WAN Engine only uses values from the Active Directory or LDAP server that is associated with the global default LDAP domain or the engine-specific default user domain. |
Option | Definition |
---|---|
Advanced tab Root and Administrator Authentication section | |
Root Password Login | Select one of the following options: |
Authentication Method | Select an authentication method element from the available options: |
SSH Passwordless Login | Select one of the following options: Note: This applies only to administrators replicated on the engine. For more details on administrator account replication, refer to the Add administrator accounts topic. |