Open the advanced settings

To adjust advanced settings for an Secure SD-WAN Engine, you must open the Engine Editor.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click an Secure SD-WAN Engine, then select Edit <element type>.
  2. Browse to Advanced Settings.
  3. Adjust the settings.
  4. Click Save.

Engine Editor > Advanced Settings

Use this branch to change system parameters for the Secure SD-WAN Engine. These parameters control how the Secure SD-WAN Engine behaves under certain traffic conditions.

Option Definition
Encrypt Configuration Data By default, the configuration of the Secure SD-WAN Engine is stored in an encrypted format. Disable the encryption only if instructed to do so by Forcepoint Customer Hub.
Disable Application Health Monitoring When selected, the Application Health Monitoring feature is disabled.
Bypass Traffic on Overload

(IPS only)

When selected, the Secure SD-WAN Engine dynamically reduces the number of inspected connections if the load is too high.

Some traffic might pass through without any access control or inspection if this option is selected. Bypassed traffic is not counted when a possible license throughput limit is enforced. The bypass does not affect traffic subject to TLS Inspection.

If this option is not selected, the Secure SD-WAN Engine inspects all connections. Some connections might not get through if the IPS engine gets overloaded.

Contact Node Timeout

(Not Virtual Engines)

The maximum amount of time the Management Server tries to connect to an Secure SD-WAN Engine.

A consistently slow network connection might require increasing this value. The default value is 120 seconds.

Note: Setting the timeout value too short or too long can delay or prevent contact between the Management Server and the Secure SD-WAN Engines.
Auto Reboot Timeout

(Not Virtual Engines)

Specifies the length of time after which an error situation is considered non-recoverable and the Secure SD-WAN Engine automatically reboots. The default value is 10 seconds. Set to 0 to disable.
Policy Handshake

(Not Virtual Engines)

When selected, the nodes automatically roll back to using the previously installed policy if connectivity is lost after installing a new policy.

Without this feature, you must switch to the previous configuration manually through the boot menu of the Secure SD-WAN Engine.

Note: We recommend adjusting the timeout (next setting) rather than disabling this feature completely if there is a need to make changes.
Rollback Timeout

(Not Virtual Engines)

The length of time the Secure SD-WAN Engine waits for a management connection before it rolls back to the previously installed policy when the Policy Handshake option is active. The default value is 60 seconds.
Automated Node Certificate Renewal

(Not Virtual Engines)

When selected, the Secure SD-WAN Engine's certificate for system communications is automatically renewed before it expires. Otherwise, the certificate must be renewed manually.

Each certificate for system communications is valid for three years. If the certificate expires, other components refuse to communicate with the Secure SD-WAN Engine.

Note: Does not renew SD-WAN certificates. Automatic certificate renewal for internally signed SD-WAN certificates is set separately in the Secure SD-WAN Engine's SD-WAN settings.
FIPS-Compatible Operating Mode

(Engines only)

(Not Virtual Engines)

When selected, activates a mode that is compliant with the Federal Information Processing Standards (FIPS).
Note: You must also select FIPS-specific settings in the Secure SD-WAN Configuration Wizard on the command line of the Secure SD-WAN Engine. For more information, see How to install Forcepoint FlexEdge Secure SD-WAN in FIPS mode.
Disable Remote Engine Upgrades

(FIPS-Compatible Operating Mode only)

When selected, remote upgrades for Secure SD-WAN Engines are disabled in FIPS-compatible operating mode.
Disable sgInfo Creation

(FIPS-Compatible Operating Mode only)

When selected, creating sgInfo files for Secure SD-WAN Engines is disabled in FIPS-compatible operating mode.
Number of CPUs Reserved for Control Plane

(Engines only)

(Not Virtual Engines)

Select how many CPUs to reserve for control plane operations. In situations where there is exceptionally high traffic, in a denial of service attack, for example, this ensures that you can still monitor and control the Secure SD-WAN Engine operation.
Note: The reserved CPUs cannot be used for traffic processing. Using fewer CPUs for traffic processing degrades performance.
Isolate Also Interfaces for System Communications

(Engines only)

When selected, the reserved CPUs handle the system communications traffic that pass through the Control Interfaces and dedicated primary Heartbeat Interfaces. We recommend that you only use this option when the Physical Interfaces used for system communications do not handle any other traffic.

Engine Editor > Advanced Settings > Traffic Handling

Use this branch to change advanced parameters that control how the Secure SD-WAN Engine handles traffic.

Option Definition
Layer 3 Connection Tracking Mode

(Engines only)

Connection Tracking Mode

(IPS engines and Layer 2 Engines only)

When connection tracking is enabled, reply packets are allowed as part of the allowed connection without an explicit Access rule.

You can override this Secure SD-WAN Engine-specific setting and configure connection tracking for TCP, UDP, and ICMP traffic in Access rules.

  • Normal — The Secure SD-WAN Engine drops ICMP error messages related to connections that are not currently active in connection tracking. A valid, complete TCP handshake is required for TCP traffic. The Secure SD-WAN Engine checks the traffic direction and the port parameters of UDP traffic.
  • Strict — The Secure SD-WAN Engine does not permit TCP traffic to pass through before a complete, valid TCP handshake is performed.
  • Loose — The Secure SD-WAN Engine allows some connection patterns and address translation operations that are not allowed in the Normal mode. This mode can be used, for example, if routing is asymmetric and cannot be corrected or if the use of dynamic routing protocols causes the Secure SD-WAN Engine to receive non-standard traffic patterns.
On Engines and Layer 2 Engines, Normal is the default setting. On IPS engines, Loose is the default setting.
Virtual Defragmenting

(Not Virtual Engines)

(Not editable on IPS engines)

When selected, fragmented packets are sent onwards using the same fragmentation as when they arrived at the Secure SD-WAN Engine.

When the Secure SD-WAN Engine receives fragmented packets, it defragments the packets for inspection. The original fragments are queued until the inspection is finished. If the option is not selected, the packets are sent onwards as if they had arrived unfragmented.

Strict TCP Mode for Deep Inspection

(Not Virtual Engines)

This option is included for backward compatibility with legacy software versions.
Concurrent Connection Limit

(Not Virtual Engines)

A global limit for the number of open connections. When the set number of connections is reached, the Secure SD-WAN Engine stops the next connection attempts until a previously open connection is closed.
Inspection CPU Balancing Mode

(Not Virtual Engines)

Specifies how inspected connections are allocated between the CPUs. Select from the following options:
  • Default — The connection is allocated to the CPU that received the first packet of the connection. If the utilization on the CPU is high, a different CPU is dynamically selected. Incoming and outgoing packets might be handled by different CPUs.
  • Round Robin — Connections are allocated evenly between all CPUs in order. This option can improve CPU balancing when there are a large number of CPUs.
  • NUMA local Round Robin — Connections are balanced within the CPU that received the first packet of the connection. Incoming and outgoing packets are handled by the same CPU.
Active Wait Time Between Inspected Packets

(Not Virtual Engines)

Defines how long the inspection process stays active waiting for packets after it has inspected a packet.
  • Short — The inspection process stays active for the minimum amount of time. This setting provides the best CPU performance, but can increase latency in inspection. This is the default setting.
  • Medium — The inspection process stays longer for a moderate amount of time. This setting provides a balance between CPU performance and latency in inspection.
  • Long — The inspection process stays active for the maximum amount of time. This setting provides the lowest latency in inspection, but decreases CPU performance.
Default Connection Termination in Access Policy

(IPS engines and Layer 2 Engines only)

Defines how connections that match Access rules with the Discard action are handled.
  • Terminate and Log Connection — Stops the matching connections. This option is the default setting.
  • Only Log Connection — Does not stop the matching connections. Creates a Terminate (passive) log entry for the matching connections. This option is useful for testing which types of connections are stopped.
Default Connection Termination in Inspection Policy Defines how connections that match rules with the Terminate action in the Inspection Policy are handled.
  • Terminate and Log Connection — Stops the matching connections. This option is the default setting.
  • Only Log Connection — Does not stop the matching connections. Creates a Terminate (passive) log entry for the matching connections. This option is useful for testing which types of connections are stopped.
Action When TCP Connection Does Not Start With a SYN Packet

(Not Master Engines)

The Secure SD-WAN Engine refuses TCP connections if the TCP connection does not start with a SYN packet, even if the TCP connection matches an Access rule with the Allow action. The Secure SD-WAN Engine does not send a TCP reset if the TCP connection begins with a TCP reset packet.
  • Discard Silently — The connection is silently dropped.
  • Refuse With TCP Reset — The connection is refused, and a TCP reset packet is returned.