Open the advanced settings
To adjust advanced settings for a Secure SD-WAN Engine, you must open the Engine Editor.
For more details about the product and how to configure features, click Help or press F1.
Steps
- Right-click a Secure SD-WAN Engine, then select Edit <element type>.
- Browse to Advanced Settings.
- Adjust the settings.
- Click Save.
Engine Editor > Advanced Settings
Use this branch to change system parameters for the Secure SD-WAN Engine. These parameters control how the Secure SD-WAN Engine behaves under certain traffic conditions.
Option | Definition |
---|---|
Encrypt Configuration Data | By default, the configuration of the Secure SD-WAN Engine is stored in an encrypted format. Disable the encryption only if instructed to do so by Forcepoint Customer Hub. |
Disable Application Health Monitoring | When selected, the Application Health Monitoring feature is disabled. |
Bypass Traffic on Overload (IPS only) | When selected, the Secure SD-WAN Engine dynamically reduces the number of inspected connections if the load is too high. Some traffic might pass through without any access control or inspection if this option is selected. Bypassed traffic is not counted when a possible license throughput limit is enforced. The bypass does not affect traffic subject to TLS Inspection. If this option is not selected, the Secure SD-WAN Engine inspects all connections. Some connections might not get through if the IPS engine gets overloaded. |
Contact Node Timeout (Not Virtual Engines) | The maximum amount of time the Management Server tries to connect to a Secure SD-WAN Engine. A consistently slow network connection might require increasing this value. The default value is 120 seconds. Note: Setting the timeout value too short or too long can delay or prevent contact between the Management Server and the Secure SD-WAN Engines. |
Auto Reboot Timeout (Not Virtual Engines) | Specifies the length of time after which an error situation is considered non-recoverable and the Secure SD-WAN Engine automatically reboots. The default value is 10 seconds. Set to 0 to disable. |
Policy Handshake (Not Virtual Engines) | When selected, the nodes automatically roll back to using the previously installed policy if connectivity is lost after installing a new policy. Without this feature, you must switch to the previous configuration manually through the boot menu of the Secure SD-WAN Engine. Note: If changes are needed, we recommend adjusting the timeout (the Rollback Timeout setting that follows) rather than disabling this feature completely. |
Rollback Timeout (Not Virtual Engines) | The length of time the Secure SD-WAN Engine waits for a management connection before it rolls back to the previously installed policy when the Policy Handshake option is active. The default value is 60 seconds. |
Automated Node Certificate Renewal (Not Virtual Engines) | When selected, the Secure SD-WAN Engine's certificate for system communications is automatically renewed before it expires. Otherwise, the certificate must be renewed manually. Each certificate for system communications is valid for three years. If the certificate expires, other components refuse to communicate with the Secure SD-WAN Engine. Note: This option does not renew SD-WAN certificates. Automatic certificate renewal for internally signed SD-WAN certificates is set separately in the Secure SD-WAN Engine's SD-WAN settings. |
FIPS-Compatible Operating Mode (Engines only) (Not Virtual Engines) | When selected, activates a mode that is compliant with the Federal Information Processing Standards (FIPS). Note: You must also select FIPS-specific settings in the Secure SD-WAN Configuration Wizard on the command line of the Secure SD-WAN Engine. For more information, see How to install Forcepoint FlexEdge Secure SD-WAN in FIPS mode. |
Disable Remote Engine Upgrades (FIPS-Compatible Operating Mode only) | When selected, remote upgrades for Secure SD-WAN Engines are disabled in FIPS-compatible operating mode. |
Disable sgInfo Creation (FIPS-Compatible Operating Mode only) | When selected, creating sgInfo files for Secure SD-WAN Engines is disabled in FIPS-compatible operating mode. |
Number of CPUs Reserved for Control Plane (Engines only) (Not Virtual Engines) | Select how many CPUs to reserve for control plane operations. In situations of exceptionally high traffic, for example during a denial of service attack, this ensures that you can still monitor and control the Secure SD-WAN Engine operation. Note: The reserved CPUs cannot be used for traffic processing. Using fewer CPUs for traffic processing degrades performance. |
Isolate Also Interfaces for System Communications (Engines only) | When selected, the reserved CPUs also handle the system communications traffic that passes through the Control Interfaces and dedicated primary Heartbeat Interfaces. We recommend that you only use this option when the Physical Interfaces used for system communications do not handle any other traffic. |
Engine Editor > Advanced Settings > Traffic Handling
Use this branch to change advanced parameters that control how the Secure SD-WAN Engine handles traffic.
Option | Definition |
---|---|
Layer 3 Connection Tracking Mode (Engines only); Connection Tracking Mode (IPS engines and Layer 2 Engines only) | When connection tracking is enabled, reply packets are allowed as part of the allowed connection without an explicit Access rule. You can override this Secure SD-WAN Engine-specific setting and configure connection tracking for TCP, UDP, and ICMP traffic in Access rules. |
Virtual Defragmenting (Not Virtual Engines) (Not editable on IPS engines) | When selected, fragmented packets are sent onwards using the same fragmentation as when they arrived at the Secure SD-WAN Engine. When the Secure SD-WAN Engine receives fragmented packets, it defragments the packets for inspection. The original fragments are queued until the inspection is finished. If the option is not selected, the packets are sent onwards as if they had arrived unfragmented. |
Strict TCP Mode for Deep Inspection (Not Virtual Engines) | This option is included for backward compatibility with legacy software versions. |
Concurrent Connection Limit (Not Virtual Engines) | A global limit for the number of open connections. When the set number of connections is reached, the Secure SD-WAN Engine stops the next connection attempts until a previously open connection is closed. |
Inspection CPU Balancing Mode (Not Virtual Engines) | Specifies how inspected connections are allocated between the CPUs. Select from the following options: |
Active Wait Time Between Inspected Packets (Not Virtual Engines) | Defines how long the inspection process stays active waiting for packets after it has inspected a packet. |
Default Connection Termination in Access Policy (IPS engines and Layer 2 Engines only) | Defines how connections that match Access rules with the Discard action are handled. |
Default Connection Termination in Inspection Policy | Defines how connections that match rules with the Terminate action in the Inspection Policy are handled. |
Action When TCP Connection Does Not Start With a SYN Packet (Not Master Engines) | The Secure SD-WAN Engine refuses TCP connections if the TCP connection does not start with a SYN packet, even if the TCP connection matches an Access rule with the Allow action. The Secure SD-WAN Engine does not send a TCP reset if the TCP connection begins with a TCP reset packet. |
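As an added illustration (not Forcepoint's code) of two behaviours described in this table, connection tracking that admits reply packets without their own rule, and refusal of a TCP connection that does not begin with a SYN, here is a minimal stateful tracker run over constructed sample packets. The `Packet` and `ConnTracker` names and the `allow_rule` callback, which stands in for an Access rule lookup, are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]  # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"RST"}

FourTuple = Tuple[str, int, str, int]

@dataclass
class ConnTracker:
    """Keeps the 4-tuples of connections that opened with a permitted SYN."""
    allow_rule: Callable[[Packet], bool]      # hypothetical stand-in for the Access rule lookup
    table: Set[FourTuple] = field(default_factory=set)

    def process(self, pkt: Packet) -> str:
        """Verdict: 'allow', 'discard', 'refuse' or 'refuse+rst'."""
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Reply or continuation of a tracked connection: allowed without its own rule.
        if fwd in self.table or rev in self.table:
            if "RST" in pkt.flags:            # a reset tears the tracked state down
                self.table.discard(fwd)
                self.table.discard(rev)
            return "allow"
        # Only a bare SYN may open state; SYN+ACK is a reply and needs prior state.
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            if self.allow_rule(pkt):
                self.table.add(fwd)
                return "allow"
            return "discard"                  # no Access rule allows the connection
        # Mid-stream packet with no tracked state: refused even if a rule would
        # allow it; a connection that begins with RST is not answered with a reset.
        return "refuse" if "RST" in pkt.flags else "refuse+rst"

def demo() -> list:
    """Run constructed sample packets through a tracker that allows only dport 443."""
    t = ConnTracker(allow_rule=lambda p: p.dport == 443)
    samples = [
        Packet("10.0.0.5", 40000, "10.0.0.9", 443, frozenset({"SYN"})),         # allow
        Packet("10.0.0.9", 443, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),  # allow (reply)
        Packet("10.0.0.7", 50000, "10.0.0.9", 443, frozenset({"ACK"})),         # refuse+rst
        Packet("10.0.0.7", 50001, "10.0.0.9", 443, frozenset({"RST"})),         # refuse
        Packet("10.0.0.5", 40001, "10.0.0.9", 22, frozenset({"SYN"})),          # discard
    ]
    return [t.process(p) for p in samples]
```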