Centralized management of global system settings

Use the Global System Properties dialog box to centrally manage global system settings and configure password policy settings.

Note: You can only change the settings when you are logged on to the Shared Domain.

Global System Properties dialog box — Updates tab

Use this tab to define settings for dynamic updates, engine upgrades, and licenses.

Note: Telemetry data is collected when SMC version 6.5 or higher connects to the Secure SD-WAN Updates and Upgrades service at https://autoupdate.ngfw.forcepoint.com/dynup.rss. For more information, see Knowledge Base article 19213.
Option Definition
Allow Sending License and Installation Telemetry Data to Forcepoint Servers When selected, allows the Management Server to send information about the installed components and licenses to the Secure SD-WAN Updates and Upgrades service. You must select this option to configure settings for dynamic updates, and engine and license upgrades.
View Telemetry Data Shows the telemetry data that is collected when SMC version 6.5 or higher connects to the Secure SD-WAN Updates and Upgrades service.
Dynamic Updates Specifies the dynamic updates options:
  • Do Not Check for Updates. You are not notified of new dynamic updates.
  • Notify When Updates Become Available. You receive an alert when a new dynamic update becomes available. You must manually download and activate the update.
  • Notify and Automatically Download Updates. You receive an alert when a new dynamic update becomes available. The SMC also automatically downloads the update. You must manually activate the update.
  • Automatically Download and Activate Updates. The SMC automatically downloads and activates the new dynamic updates.
Update Service

(Optional)

Specifies the update service that is used for automatic dynamic updates. Click Select to select an element.
Notify When Updates Have Been Activated

(Optional)

You receive an alert when the dynamic updates have been activated. This option becomes available when you select Automatically Download and Activate Updates.

You must refresh the policies before the updates take effect. If Refresh Policies After Update Activation is selected, the policies are refreshed automatically. Otherwise, you must refresh the policies manually.

Refresh Policies After Update Activation

(Optional)

The SMC automatically refreshes the policies after activating the dynamic updates. This option becomes available when you select Automatically Download and Activate Updates.
Remote Upgrades for Engines Specifies new engine upgrade options:
  • Do Not Check for Engine Upgrades. You are not notified of new engine upgrades.
  • Notify When Engine Upgrades Become Available. You receive an alert when a new engine upgrade becomes available. You must manually download and install the update.
  • Notify and Automatically Download Engine Upgrades. You receive an alert when a new engine upgrade becomes available. The SMC automatically downloads the new engine upgrade. You must manually install the update.
Upgrade Service

(Optional)

Specifies the upgrade service that is used for automatic engine upgrades. Click Select to select an element.
Generate and Install New Licenses Automatically

(Optional)

When selected, the SMC automatically generates and installs licenses for all components for new major releases.
Check for Updates Specifies how often to check for updates.

Global System Properties dialog box — Change Management tab

Use this tab to enforce an approval workflow for all engines.

Option Definition
Require Approval for Changes in Secure SD-WAN Engine Configuration When selected, all changes to engine configurations and policies must be approved before the changes are committed and transferred to the engines. Administrators with permissions to approve changes and administrators with unrestricted permissions (superusers) can approve changes.
Allow Administrators to Approve Their Own Changes When selected, the same administrator who made the changes can approve the changes.

Global System Properties dialog box — Password Policy tab

Use this tab to change settings for password strength, password expiration, failed logons, and actions related to temporary and long-term inactivity in the administrator password policy.

Option Definition
Enforce Password Settings for All the Administrators and Web Portal Users When selected, enforces the password settings for all administrators and Web Portal users.
Option Definition
Logon Options section
Only one Logon Session for Each User When selected, an administrator or Web Portal user can open only a single session at a time to the Management Client or to the Web Portal.
Administrator User Name is Case Sensitive When selected, uppercase and lowercase letters in the administrator user name are considered to be different from each other.
Disable Account After Failed Logon Attempts When selected, administrator accounts are disabled when the maximum number of failed logon attempts in the specified length of time is reached.
Maximum Number of Failed Logon Attempts The maximum number of failed logon attempts.

The default is 8 attempts.

Attempts Within The length of time for counting the number of failed logon attempts. Select the time unit from the drop-down list.

The default is 30 minutes.

Temporarily Ban for Multiple Failed Logon Attempts When selected, the source IP address from which the maximum number of failed logon attempts is reached is temporarily banned.
Maximum Number of Failed Logon Attempts

The maximum number of failed logon attempts.

The default is 4 attempts. This option is selected by default.

Block Source IP Address for

The length of time for which the source IP address is blocked. Select the time unit from the drop-down list.

The default is 30 minutes.

Temporarily Lock Account After Failed Logon Attempts When selected, administrators or Web Portal users are temporarily locked when the maximum number of failed logon attempts is reached.
Maximum Number of Failed Logon Attempts The maximum number of failed logon attempts.

The default is 6 attempts. This option is selected by default.

Lock Account for The length of time for which the account is locked. Select the time unit from the drop-down list.

The default is 30 minutes.

Disable Accounts That Have Been Inactive For When selected, administrator or Web Portal user accounts that have not been used for the specified length of time are automatically disabled. Select the time unit from the drop-down list.

The default is 3 months.

Lock the Management Client Window After the User Session is Idle for When selected, the Management Client window is locked when an administrator has been idle for the specified length of time. Select the time unit from the drop-down list.

The default is 15 minutes.

Hide the Management Client Window Content When selected, the content of the Management Client window is hidden when the screen is locked.
Close the Management Client When selected, the Management Client is automatically closed when the screen is locked.
Allow Logon Only From Listed IP Addresses When selected, administrators or Web Portal users can only log on from hosts that have the listed IP addresses. You can enter up to 170 IP addresses.
Add Adds an IP address to the list.
Remove Removes the selected IP address from the list.
Option Definition
Password Age and Expiration section
Require Password Change After First Logon When selected, the administrator or Web Portal user must change the password after the first time they log on.
Minimum Time Before Next Password Change When selected, the administrator or Web Portal user password cannot be changed again before the specified length of time. Select the time unit from the drop-down list.

The default is 3 days.

Password Expires After When selected, specifies the length of time after which administrator or Web Portal user passwords expire and must be changed. Select the time unit from the drop-down list.

The default is 3 months.

Notify User When Password Expires in When selected, the administrator or Web Portal user is notified that the password is about to expire the specified length of time before expiration. Select the time unit from the drop-down list.

The default is 7 days.

Disable Account Automatically After Password Expiration When selected, the administrator or Web Portal user account is automatically disabled when the password expires.
Limit Reuse of Previous Passwords (Number of Previous Passwords) When selected, the administrator or Web Portal user cannot reuse any of the specified number of previous passwords.

The default is 8.

Option Definition
Password Complexity Requirements section
Minimum Number of Characters in Password When selected, administrator or Web Portal user passwords must contain the specified minimum number of characters.

The default is 10 characters. This option is selected by default.

Minimum Number of Required Characters When selected, administrator or Web Portal user passwords must contain the specified minimum number of required characters.
Note: The total number of required characters must not be larger than the value of the Minimum Number of Characters in Password option.

This option is selected by default.

Uppercase The minimum number of required uppercase letters.

The default is 0.

Lowercase The minimum number of required lowercase letters.

The default is 1.

Special Characters The minimum number of special characters. Special characters include the following characters: !@#$%^&*()

The default is 0.

Numbers The minimum number of required numeric characters.

The default is 1.

Maximum of Same Characters Between Previous and New Password When selected, administrator or Web Portal user passwords must not have more than the specified number of characters in common with the previous password.

The default is 4 characters.

Reset to Default Discards the changes and reverts to the default settings.
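
The following added example (not Forcepoint code) models the Password Complexity Requirements options with the defaults listed above, checks the rule from the note that the required characters must fit within the minimum length, and reports which options a candidate password fails. The class and function names are hypothetical, and matching character classes as ASCII sets is an assumption.

```python
import string
from dataclasses import dataclass

# Special characters as listed on the page.
SPECIAL_CHARACTERS = "!@#$%^&*()"


@dataclass
class ComplexityPolicy:
    """Hypothetical model of the complexity options, using the page defaults."""
    min_length: int = 10
    uppercase: int = 0
    lowercase: int = 1
    special: int = 0
    numbers: int = 1

    def required_by_class(self):
        # Assumption: character classes are matched as ASCII sets.
        return {
            "uppercase": (self.uppercase, string.ascii_uppercase),
            "lowercase": (self.lowercase, string.ascii_lowercase),
            "special": (self.special, SPECIAL_CHARACTERS),
            "numbers": (self.numbers, string.digits),
        }

    def is_consistent(self):
        """Rule from the note: required characters must fit in the minimum length."""
        total = sum(need for need, _ in self.required_by_class().values())
        return total <= self.min_length

    def violations(self, password):
        """Return the names of the options a candidate password fails."""
        failed = []
        if len(password) < self.min_length:
            failed.append("min_length")
        for name, (need, charset) in self.required_by_class().items():
            if sum(ch in charset for ch in password) < need:
                failed.append(name)
        return failed


if __name__ == "__main__":
    defaults = ComplexityPolicy()
    # Constructed sample passwords, not taken from any real system.
    for candidate in ("aaaaaaaaa1", "Short1!", "NoDigitsHere"):
        print(candidate, defaults.violations(candidate))
    strict = ComplexityPolicy(uppercase=4, lowercase=4, special=2, numbers=2)
    print("strict policy consistent:", strict.is_consistent())
```

With the defaults, a password such as `aaaaaaaaa1` satisfies every complexity option, which is worth knowing when deciding whether to raise the uppercase and special character minimums.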

Global System Properties dialog box — Global Options tab

Use this tab to configure general settings for the SMC and Secure SD-WAN Engines.

You can also use this tab to:

  • Authorize McAfee® Global Threat Intelligence™ (McAfee GTI). Only administrators with unrestricted permissions (superusers) can enable McAfee GTI.
  • Set the expiration time for one-time passwords that are generated when you save the initial configuration for a Secure SD-WAN Engine.
  • Import Snort configuration files globally to configure default settings for Snort inspection for all Secure SD-WAN Engines.

All settings are optional.

Option Definition
Enable McAfee Global Threat Intelligence (GTI) and McAfee Threat Intelligence Exchange (TIE) usage When selected, enables McAfee GTI usage.
Note: McAfee Threat Intelligence Exchange (TIE) is no longer supported in Secure SD-WAN 6.10 and higher.
One-Time Passwords Expire After Defines the expiration time for one-time passwords that are generated when you save the initial configuration for a Secure SD-WAN Engine. If the one-time password is not used, it automatically expires after the expiration time has elapsed.

By default, one-time passwords expire after 30 days.

Snort Configuration The externally created Snort configuration .zip file that contains the Snort configuration files and rules for Snort inspection.
  • Click Browse to select a file.
  • Click None to remove a previously imported file.
  • Click Export to export the Snort configuration file.

All Secure SD-WAN Engines for which Snort inspection is enabled use the global Snort configuration by default.

Settings in the Snort configuration .zip file for an individual Secure SD-WAN Engine are combined with the settings in the global Snort configuration .zip file. If any configuration files in a Snort configuration .zip file for an individual Secure SD-WAN Engine have the same file names and paths as configuration files in the global Snort configuration .zip file, the overlapping files in the global Snort configuration .zip file are ignored.
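
The following added example (not part of the SMC or Forcepoint tooling) previews the combination rule described above so that you can see which global files an engine-specific .zip file would shadow before you import it. The function names and the sample file names are hypothetical, and treating "same file names and paths" as an exact, case-sensitive match on archive member names is an assumption.

```python
import io
import zipfile


def build_zip(files):
    """Build an in-memory .zip from {path: text} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, text in files.items():
            zf.writestr(path, text)
    return buf.getvalue()


def effective_snort_files(global_zip, engine_zip):
    """Return ({path: (origin, content)}, sorted list of shadowed global paths).

    Assumption: overlap means an exact, case-sensitive match on member names.
    """
    effective = {}
    with zipfile.ZipFile(io.BytesIO(global_zip)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                effective[info.filename] = ("global", zf.read(info))
    shadowed = []
    with zipfile.ZipFile(io.BytesIO(engine_zip)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.filename in effective:
                # The global copy of this file is ignored for this engine.
                shadowed.append(info.filename)
            effective[info.filename] = ("engine", zf.read(info))
    return effective, sorted(shadowed)


if __name__ == "__main__":
    # Constructed archives with hypothetical file names.
    global_zip = build_zip({"snort.lua": "global settings",
                            "rules/base.rules": "global rules"})
    engine_zip = build_zip({"rules/base.rules": "engine rules",
                            "rules/site.rules": "site rules"})
    effective, shadowed = effective_snort_files(global_zip, engine_zip)
    for path in sorted(effective):
        print(f"{path}: from {effective[path][0]} .zip file")
    print("global files ignored for this engine:", shadowed)
```

A non-empty shadowed list means that later changes to those files in the global .zip file do not reach that engine.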

Global System Properties dialog box — Monitoring tab

Use this tab to configure the monitoring settings for network application health, active users, and SD-WAN.

All settings are optional.

Option Definition
Health Monitoring Specifies whether Top Network Applications or individual Network Applications are selected for monitoring. This section includes the following fields:
  • Network Applications – Specifies the applications you need to individually select for monitoring. You can add or remove an application.
  • Top Network Applications – Specifies the applications that SMC automatically selects for monitoring, based on the accounting traffic. This is the default setting. You can also select the Top Network Applications based on application usage.
  • Top Limit – Specifies the maximum number of network applications displayed on the Application Health Monitoring dashboard for monitoring. This is applicable only for Top Network Applications. The default value of Top Limit is 10; however, you can configure this value.
  • Application Usages – Specifies the application usage category. Based on the selected category, the SMC automatically selects top network applications for monitoring.
Monitor Users in the Active Users Dashboard When selected, users that have been recently active are shown in the Dashboard view.
Retrieve Information for Users Active A user is considered active if they have generated log data. Select the time period to retrieve the information. The longer the time period, the greater the performance impact.
Show Users From These Networks (Only if Display Users as is Source IP Addresses) If you want to show users as source IP addresses, select the networks where your users are located.
Monitoring Frequency

Specifies the time interval after which the engine sends the monitoring data about all the SD-WAN links to the SMC. You can specify the value in the range 5 to 600 seconds. By default, the value is set to 5 seconds.

Note: If you do not want the engine to send SD-WAN monitoring data to the SMC, clear this checkbox to disable SD-WAN monitoring.

Global System Properties dialog box — Banners tab

Use this tab to create logon banners and export banners.

Note: The text from the banner also appears in the logon window of the SMC Appliance console and Web Portal.
Option Definition
Show Logon Banner When selected, the specified banner is shown to all administrators before they log on to the Management Client.
Banner text box Specifies the text for the logon banner. You can use HTML to format the text.
Include Export Banner When selected, the specified banner is added at the beginning of each exported XML file or HTML file to indicate that the export contains sensitive or classified data.
Banner text box Specifies the text for the export banner. Only plain text is supported.