Enhancements

This release of the product includes these enhancements.

Enhancements in Security Engine version 7.3.3

Enhancement Description
New Explicit Proxy Follow-up Network Application

The Explicit Proxy Follow-up Network Application enables NAT rules to identify Explicit Proxy traffic and handle it differently from regular connections.

VPN Broker Members with IPv6 endpoints when Broker Gateway uses only IPv4

The VPN Broker Gateway can provide IPv6 endpoints to other members within the same domain, even if the Gateway itself does not support IPv6 endpoints.

Automatic deployment on Oracle Cloud Infrastructure (OCI)

When deploying a single engine on Oracle Cloud Infrastructure, elements can be automatically created in SMC through the SMC API.

Enhancements in Security Engine version 7.3.1

Enhancement Description
Log Server per Virtual Engine

You can now assign a dedicated log server to a virtual engine. Previously, the log data from a virtual engine was sent to the same log server as the master engine.

Enhancements in Security Engine version 7.3.0

Enhancement Description
AES-GCM-256 support in IKEv2

IPsec VPNs can now be configured to use the AES-GCM cipher mode in IKE negotiations as well. This mode is used in three new predefined VPN profiles: CNSA-GCM-256-ECDH-384, CNSA-GCM-256-DH-3072 and CNSA-GCM-256-DH-4096.

Wi-Fi 6 (802.11ax) support

WLAN interface configuration now supports the new 802.11ax wireless mode and WPA3 security, which can be used with compatible appliance revisions.

CRL prefetching

Administrator-configured certificate revocation lists (CRLs) can now be fetched and cached before they are needed for certificate validation.

Dynamic routing suite upgrade

The FRRouting protocol suite for dynamic routing support has been upgraded to version 9.1.

Security Engine kernel update

The Security Engine kernel has been updated to version 6.6.

Security Engine OS updates

  • Security Engine operating system has been refreshed to a newer version
  • FIPS mode utilizes FIPS 140-3 cryptographic modules:
    • #4835 for IPsec
    • #4898 for IKE
    • #4985 for TLS and other purposes

SHA-256 and AES-256 algorithms support added for SNMPv3 agent

The SNMPv3 agent has been enhanced to support the SHA-256 and AES-256 algorithms.

SNMP trap from disconnected log server

When the SNMP Agent is configured for Security Engine and the Hardware Alerts SNMP trap is activated, Security Engine now sends an SNMP trap with MIB OID forcepointNGFWEngineMib.engineObjects.netNodeObjects.nodeHwmonEvent if the log server connection has been unavailable for more than 5 minutes.

Extending Layer 2 networks across Layer 3 boundaries (Experimental)

Security Engine with Layer 2 Interfaces using VXLAN (Virtual Extensible LAN) and VTEP (Virtual Tunnel End Point) provides a solution for extending Layer 2 Interfaces across Layer 3 boundaries.

For detailed instructions, see Knowledge Base article 11858.