Start the wizard

Start the wizard to create multiple Firewalls at the same time. Define the general settings for the new Firewalls.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration.
  2. Select New > Firewall > Multiple Single Firewalls or Multiple Firewall Clusters.
  3. (Single Firewalls only) To create multiple Single Firewall elements based on POS codes, enter the POS codes in the Proof-of-Serial Codes Codes field.
  4. If you do not have POS codes, enter the number of Firewalls to create.
    You can create up to 1000 Firewalls.
  5. Select the Firewall on which you want to base the configuration from the Base Configuration On drop-down list.
    This step is optional when creating Single Firewalls.
  6. To progress through the Wizard, click Next. To go back a page, click Previous.
    After most configuration pages there is a page where you can review and edit the configuration. Double-click the fields to directly edit the details.
  7. When you have completed the wizard and reviewed the summary page, click Finish.

Create multiple Firewalls wizard

Use this wizard to create multiple Firewall elements with similar configurations.

Firewall Creation Method page

Option Definition
Proof-of-Serial Codes

(Single Firewall only)

 If you have POS codes for Single Firewalls, enter the codes here.
Number of Firewalls If you do not have POS codes, specifies the number of Firewalls to create.
Base Configuration on

(Optional for Single Firewalls

 Specifies the Firewall on which you want to base the configuration.

Proof-of-Serial Code Information page

Option Definition
(Single Firewalls only)

Review the information to confirm that the appliance information is correct.

Basic Firewall Information page

Option Definition
Name Prefix Specifies the common name prefix. The system adds either a running number or the serial number of the appliance to the name prefix to generate a unique name for each individual Engine Engine. We recommend giving each Engine a unique, descriptive name after the common Name Prefix, such as the geographical location where the particular Engine is used.
Log Server Specifies the Log Server to which the Engine sends event data. If the Engine is a Master Engine, the hosted Virtual Engines send log data to the same Log Server.
DNS IP Addresses

(Optional)

Specifies the IP addresses of the DNS servers that the Engine uses. DNS IP addresses are IP addresses of external DNS servers. Engines use these DNS servers to resolve Domain names to IP addresses. Engines need DNS resolution to contact services that are defined using URLs or domain names, and to resolve fully qualified domain names (FQDNs) used in policies.

(Firewall/VPN role only) For DNS relay, specifies the IP addresses of external DNS servers to which the Engine forwards DNS requests from clients in the internal network. When DNS relay is configured, these DNS servers are used unless domain-specific DNS servers are specified in a DNS Relay Profile element.

If you have configured at least one Physical Interface with a dynamic IP address or one static NetLink with a DNS IP address, the default value of the DNS IP Addresses field is The engine uses NetLink-specific DNS IP addresses.

Note: If you have defined NetLink-specific DNS IP addresses, adding DNS IP addresses overrides the NetLink-specific DNS IP addresses.
Click Add to add an element to the table, or Remove to remove the selected element. Select one of the following options:
  • IP Address — Adds an IP Address element that represents a single IP address.
  • Network Element — Adds a Network element that represents a network space.
Location Specifies the location for the Engine if there is a NAT device between the Engine and other Secure SD-WAN Manager components.
Proof-of-Serial

(Appliances only)

Shows the Proof-of-Serial code of the Engine appliance. Not editable.
Category

(Optional)

 Includes the element in predefined categories. Click Select to select a category.
Tools Profile Adds commands to the right-click menu for the element. Click Select to select an element.
Comment

(Optional)

 A comment for your own reference.
Nodes table (Clusters only)
Node ID

(Not editable)

 Shows the ID number of the node.
Name Specifies the name of the node. Double-click the cell to edit the name.
Comment

(Optional)

 A comment for your own reference.
Disabled Disables the node. You can enable the node later.
Add Node Adds a node to the cluster. Opens the Engine Node Properties dialog box.
Edit Node Allows you to change the properties of the selected node. Opens the Engine Node Properties dialog box.
Remove Node Deletes the selected node. The deleted node cannot be restored.

Interfaces page

Option Definition
Add Adds an interface or IP address of the specified type:
  • Layer 3 Physical Interface

    (Available for Single Firewalls, Firewall Clusters, Virtual Firewalls, and Master Engines in the Firewall/VPN role)

  • Layer 2 Physical Interface

    (Available for Single Firewalls, Firewall Clusters, Virtual Firewalls, and Master Engines in the Firewall/VPN role)

  • Physical Interface

    (Available for all engine types except Single Firewalls, Firewall Clusters, Virtual Firewalls, and Master Engines in the Firewall/VPN role)

  • VLAN Interface

    (Available for all engine types)

  • IPv4 Address

    (Not available for Virtual IPS engines or Virtual Layer 2 Firewalls)

  • IPv6 Address

    (Not available for Virtual IPS engines or Virtual Layer 2 Firewalls)

  • ADSL Interface

    (Available for Single Firewalls and Firewall Clusters)

  • Tunnel Interface

    (Available for Single Firewalls, Firewall Clusters, and Virtual Firewalls)

  • Modem Interface

    (Available for Single Firewalls)

  • Wireless Interface

    (Available for Single Firewalls)

  • SSID Interface

    (Available for Single Firewalls)

  • Switch

    (Available for Single Firewalls)

  • Port Group Interface

    (Available for Single Firewalls)

CAUTION:
Physical Interfaces for Virtual Engines are automatically created based on the interface configuration in the Master Engine properties. The number of Physical Interfaces depends on the number of interfaces allocated to the Virtual Engine in the Master Engine. Physical Interfaces that you add to Virtual Engines might not be valid.
Edit Allows you to change the properties of the interface or IP address.
Remove Removes the selected interface or IP address.
Options

(Optional)

Allows you to set advanced options for the interfaces.
ARP Entries Allows you to add ARP entries.
Multicast Routing Allows you to configure multicast routing.
Option Definition
Interface Options dialog box — General tab
Control Interface

(Not Virtual Firewalls)

  • Primary — Specifies the Primary Control IP address for Management Server contact.
  • Backup (Optional) — Specifies the Backup Control IP address that is used if the Primary Control IP address is not available.
Note: We recommend that you do not use the IP address of an Aggregated Link interface as the primary or secondary control IP address of the Engine.
Node-Initiated Contact to Management Server When selected, the Engine opens a connection to the Management Server and maintains connectivity. This option is always used with a dynamic control IP address, so it is always selected if the control IP address is dynamic. If the connection is not open when you command the Engine through the Management Client, the command is left pending until the Engine opens the connection again.
Note: This option is not supported for IPS Clusters, Layer 2 Firewall Clusters, or Virtual Engines.
Heartbeat Interface

(Clusters and Master Engines only)

  • Primary — Specifies communications between the nodes. We recommend that you use a Physical Interface, not a VLAN Interface. We strongly recommend that you do not direct any other traffic through this interface. A dedicated network helps guarantee reliable and secure operation.
    CAUTION:
    Primary and Backup Heartbeat networks exchange confidential information. If dedicated networks are not possible, configure the cluster to encrypt the exchanged information.
  • Backup — Used if the Primary Heartbeat Interface is unavailable. It is not mandatory to configure a backup Heartbeat Interface, but we strongly recommend it. If heartbeat traffic is not delivered, the cluster cannot operate and traffic is interrupted. We strongly recommend that you use a dedicated interface for the backup heartbeat as well.

On Master Engines, you cannot use shared interfaces as a heartbeat interface.
IPv4 Identity for Authentication Requests or IPv6 Identity for Authentication Requests

The IPv4 address or IPv6 address of the selected interface is used when an Engine contacts an external authentication server.

This option does not affect the routing of the connection with the authentication server. The IP address is used only as a parameter inside the authentication request payload to give a name to the request sender.

IPv4 Source for Authentication Requests or IPv6 Source for Authentication Requests By default, specifies the source IPv4 address or IPv6 address for authentication requests according to routing. If the authentication requests are sent to an external authentication server over VPN, select an interface with a Node Dedicated IP address that you want to use for the authentication requests.
Default IP Address for Outgoing Traffic Specifies the IP address that the Engine uses to initiate connections (such as for system communications and ping) through an interface that has no Node Dedicated IP Address. In clusters, you must select an interface that has an IP address defined for all nodes.
Bypass Default IP Address Specifies how the source IP address for traffic sent from the Engine node is selected for tunnel interfaces that do not have IP addresses.
  • Use Loopback IP Address in Unnumbered Tunnel Interface — Uses an IP address listed in the table as the source IP address of traffic sent from the Engine node.
  • Use Default Outgoing IP Address in Unnumbered Tunnel Interface — Uses the default outgoing IP address defined in the Interface Options pane as the source IP address of traffic sent from the Engine node.
Option Definition
Interface Options dialog box — Loopback tab
Loopback addresses table Click Add Row to add a row to the table, or Remove Row to remove the selected row. Click Up or Down to move the selected item up or down.
Loopback Address Enter the loopback IP address.
CVI Address

(Clusters only)

 Enter the loopback IP address for the cluster.
Node NDI Address

(Clusters only)

 Enter the node-specific loopback IP address.
OSPFv2 Area To advertise the loopback IP address as an OSPFv2 internal route, double-click the cell, then select an OSPFv2 Area element.
Comment

(Optional)

 A comment for your own reference.
Option Definition
ARP Entries dialog box
Type
  • Static — The ARP entry gives the Engine a permanent reference to an IP address/MAC address pair.
  • Proxy — The ARP entry gives the Engine a reference to an IP address/MAC address pair for which the Engine provides proxy ARP. Proxy ARP is possible only for hosts located in networks directly connected to the Engine.
Interface ID The interface on which you want to apply this ARP entry
IP Addresses Enter an IPv4 or IPv6 address.
MAC Address Enter a MAC Address.
Add ARP Entry Adds an ARP entry.
Remove ARP Entry Removes the selected ARP entry.
Option Definition
Multicast Routing dialog box
Multicast Routing Mode Specifies how the Engine routes multicast traffic.
  • None — Disables multicast routing.
  • Static — Enables options that allow you to add static routes for multicast traffic.
  • IGMP Proxy — Enables options that allow you to use the Engine for IGMP-based multicast forwarding.
  • PIM — Enables options that allow you to use the Engine for dynamic routing using PIM.
Option Definition
When Multicast Routing Mode is Static

Click Add to add a row to the table, or Remove to remove the selected row.
Source Interface Select the interface to use for multicast routing.
Source IP Address Enter the unicast IP address of the multicast source.
Destination IP Address Enter the multicast destination IP address. The destination address must be within the multicast range of 224.0.0.0 to 239.255.255.255.
Destination Interface Right-click Destination Interface, then select Edit Destination Interface to select the interfaces where you want this multicast traffic forwarded.
Comment

(Optional)

 A comment for your own reference.
Option Definition
When Multicast Routing Mode is IGMP Proxy
Upstream Interface Select the interface to use as the upstream interface. If the multicast servers and the hosts are in the local networks, or if you want to limit the multicast to the local networks, it is not necessary to define the upstream interface. In that case, leave Not Set selected.
Upstream IGMP Version Select the IGMP version according to the upstream network environment. The default IGMP version is version 3.
Downstream Interfaces table

Click Add to add a row to the table, or Remove to remove the selected row.
Interface Select the downstream interfaces.
IGMP Querier Settings Select an IGMP Querier Settings element according to the downstream network environment. The element defines the IGMP version and query parameters.
Option Definition
When Multicast Routing Mode is PIM
PIM Profile Select a PIM Profile to use. The profile contains the multicast groups and determines the PIM mode that is used.
Multicast Routing Preference
Note: This option is not supported in this version of Engine.
The routing table is used to specify reverse path forwarding (RPF) information whenever multicast traffic from source addresses uses a different path than unicast traffic from the same source address.
  • Prefer Best Match — The RPF lookup prefers the best match based on both the default routing table and the Multicast routing (mroute) table.
  • Prefer mroute — The RPF lookup uses the mroute table. If the mroute table cannot be used, the default routing table is used.
Bootstrap Settings — see RFC 5059 for more information.
RP Candidate If you want to use the firewall as a rendezvous point (RP) candidate, select an IP address. Otherwise, select Not a Candidate.
RP Priority Enter a value for the RP priority.
Multicast Groups Add the multicast IPv4 networks for which the firewall acts as an RP candidate. Click Add to add a row to the table, or Remove to remove the selected row.
BSR Candidate If you want to use the firewall as a bootstrap router (BSR) candidate, select an IP address. Otherwise, select Not a Candidate.
BSR Priority Enter a value for the BSR priority.

Routing page

Option Definition

You can see the routing of the Engine Engine that you are basing your new Engine Engines on. Changes that you make are reflected in all Engines.

On the Review and Edit Routing page, select an Engine from the Routing for drop-down list to make changes to an individual Engine. You can drag and drop elements from the Resources pane on the left.

Routes to directly connected networks are automatically added. You must add a default route and any routes through next-hop gateways to networks that are not directly connected to the Engine.

NAT Definitions page

Option Definition

NAT rules are automatically created and organized in the Firewall Policy based on the NAT definitions in the properties of the Engine.

Use Default NAT Address for Traffic from Internal Networks Select an option to define how the Engine uses the default NAT address.
  • On — The Engine always uses the default NAT address as the public IP address if there is not a more specific NAT definition that matches the traffic.
  • Off — The Engine never uses the default NAT address as the public IP address.
  • Automatic — The Engine automatically determines whether to use the default NAT address based on the routing configuration. If there are routes that use NetLinks, the Engine uses the default NAT address as the public IP address if there is not a more specific NAT definition that matches the traffic.

When you select On or Automatic, a NAT rule is generated at the end of the IPv4 or IPv6 NAT rules in the policy.
Show Details Opens the Default NAT Address Properties dialog box.
Add NAT Definition Creates a NAT Definition element and opens the element properties.
Edit NAT Definition Opens the properties of an existing NAT Definition element.
Remove NAT Definition Removes the selected row from the table.
Option Definition
Default NAT Address Properties dialog box
Default NAT Address Used to automatically translate traffic from internal networks to the public IP address of the external interface.
Note: When several IP addresses from the same network are available, the Secure SD-WAN Manager automatically selects the smallest IPv4 address as the default NAT address.
Internal Networks Shows the internal networks that are translated to the public IP address of the external interface.
Option Definition
NAT Definition Properties dialog box
Translation Type Select the translation type.
  • Static — Static network address translation is used. For each original address there is a single, predefined translated address.
  • Dynamic — Dynamic network address translation is used. Dynamic NAT uses ports to track connections using the same IP address.
Private IP Address The element that represents the private IP address. Click Select to select an element.
Note: Only Host, Server, or Network elements are allowed with static NAT.
Public IP Address Select the source of the public IP address.
  • Default NAT Address — The default address is used as the public IP Address.
  • Element — Click Select to select an element that represents the IP address.
  • Interface — Select an interface.
  • IP Address — Manually enter an IP Address.
Port Filter

(Optional)

To limit NAT only to traffic that goes to selected destination ports, select a Service or Service Group element to act as a port filter. The Service or Service Group element includes the destination port information (a single destination port or a range of ports). Click Add to add an element to the list, or Remove to remove the selected element.
Comment

(Optional)

 A comment for your own reference.

Additional Configuration Options page

Option Definition
Define Additional Firewall Properties

When selected, you can specify advanced properties for the Engine.

If you do not select this option, when you click Next you go to the Summary page.

Tester Settings page

Option Definition
Global Settings section
Alert Interval Specify the time in minutes the Engine waits before sending a new alert when the same test keeps failing repeatedly. The default value is 60 minutes. If the interval is too short, the alerts can overload the system or the alert recipient.
Delay After Specify the time in seconds that the Engine waits before it resumes running the tests after the listed events. The delay prevents false test failures that can occur due to variations in how quickly different processes and subsystems can start and stop. The maximum value is 1800.
  • Boot — The default is 30 seconds.
  • Reconfiguration — The default is 5 seconds.
  • Status Change — The default is 5 seconds.
Auto Recovery

(Clusters and Master Engines only)

When selected, the Engine automatically goes back online when a previously failed test completes successfully. Run the test in both online and offline states if you activate this option.
Boot Recovery When selected, the Engine automatically goes back online after restarting if all offline tests report a success.
Global Node Selection for Engine Tests
Filter Allows you to filter the elements shown.
Tools A menu that contains various options, such as for creating new elements or showing elements that have been moved to the Trash.
Active Shows whether the node is included in the tests that have been configured for the engine. Deselect to exclude a node from all Engine tests.
Tip: If you select ALL for the Node setting in the test properties, you can use the Global Node Selection for Engine Tests table to exclude a specific node from the test.
Name Specifies the name of the node.
Node Specifies the node ID.
Set to Default Returns tester changes to the default settings.
Option Definition
Engine Tests section
Filter Allows you to filter the elements shown.
Tools A menu that contains various options, such as for creating new elements or showing elements that have been moved to the Trash.
Name The name of the test. If you want to run more than one instance of the same test type with different parameters, give each test a unique name.
Active Shows whether the test is active. Deselect to deactivate a test.
Node Specifies whether the test applies to all nodes or a selected node.
Interval Specifies how often the test is run. The minimum interval is one second and the maximum is 86400 (one day).
Note: We recommend a minimum interval of four seconds. Running a test too frequently can increase overhead.
States Shows the Engine states on which the test is run.
Action Specifies which action is taken if the test fails, and which type of notification is sent.
Parameters Shows some test details.
Add Adds a test to the table:
  • External — Runs a custom script stored on the Engine. If the script returns the code zero (0), the test is considered successful, otherwise the test is considered failed.
  • File System Space — Checks the free disk space on a hard disk partition.
  • Free Swap Space — Checks the available swap space on the hard disk.
  • Inline Pair Link Speed — Checks whether the network settings (speed/duplex) match on the two ports that form the inline pair and can force ports to use the same settings. Not available in the Firewall/VPN role.
  • Link Status — Checks whether a network port reports the link as up or down.
  • Multiping — Sends out a series of ping requests to determine whether there is connectivity through a network link.
  • PolicyThis option is included for backward compatibility with legacy software versions.
Edit Allows you to change the test properties.
Remove Removes the test from the table.
Option Definition
External Test Properties dialog box
Name The name of the test. If you want to run more than one instance of the same test type with different parameters, give each test a unique name.
Node

(Clusters only)

Select whether to run the test on ALL nodes or only on a specific node.
States to Test Select one or more Engine states in which to run the test.
  • OnlineWhen selected, the test is run when the Engine Engine node is online.
  • Offline When selected, the test is run when the Engine Engine node is offline.
  • Standby(Clusters only) When selected, the test is run when the Engine Engine node is in the Standby state.
Test Interval Specify how frequently the test is run. The minimum interval is one second and the maximum is 86400 (one day). We recommend a minimum interval of four seconds. Running a test too frequently can increase overhead.
Retry Count Enter the number of times the tester tries to execute the test. We recommend always setting the retry count to more than 1 to avoid creating overly sensitive tests that burden the system unnecessarily.
Test Timeout Enter the timeout in milliseconds. If the test being run does not return a response in the specified time, the test has failed. Avoid overly short timeout values. We recommend a timeout of 500–1000 ms, depending on the test.
Command Line Enter the command or script path. The result must return an exit code of 0 (zero) if it succeeds. Any non-zero return value is a failure.
CAUTION:
This test allows administrators who have permissions to edit the properties of Engines to run arbitrary commands in the Engine operating system.
Failure section
Action Select the action taken if a test fails.
  • NoneNo action is taken.
  • Offline(Clusters only) The Engine node goes offline, unless it is the last active node in a cluster or the node is in the Locked Online state.
  • Force Offline The Engine node goes offline, even if it is the last node active node in a cluster or the node is in the Locked Online state. Use in cases in which a complete cut in traffic is a better option than a partially working Engine.
  • Force Speed (Inline Pair Link Speed test only) — If the test finds that the pair of inline ports has different speed/duplex settings, the speed/duplex on the higher speed/full duplex link is set to match the lower speed/half duplex setting on the other port. Correct and reliable operation requires identical settings.
Send Alert When selected, sends an alert to notify administrators that a test has failed.
Send SNMP Trap When selected, sends an SNMP Trap.
Option Definition
File System Space Test Properties dialog box
Name The name of the test. If you want to run more than one instance of the same test type with different parameters, give each test a unique name.
Node

(Clusters only)

Select whether to run the test on ALL nodes or only on a specific node.
States to Test Select one or more Engine states in which to run the test.
  • OnlineWhen selected, the test is run when the Engine Engine node is online.
  • Offline When selected, the test is run when the Engine Engine node is offline.
  • Standby(Clusters only) When selected, the test is run when the Engine Engine node is in the Standby state.
Test Interval Specify how frequently the test is run. The minimum interval is one second and the maximum is 86400 (one day). We recommend a minimum interval of four seconds. Running a test too frequently can increase overhead.
Partition Specify the partition to test.
Free Space Enter the minimum amount of free space in kilobytes. When the amount of free space drops below this amount, the Engine executes the chosen action.
Failure section
Action Select the action taken if a test fails.
  • NoneNo action is taken.
  • Offline(Clusters only) The Engine node goes offline, unless it is the last active node in a cluster or the node is in the Locked Online state.
  • Force Offline The Engine node goes offline, even if it is the last node active node in a cluster or the node is in the Locked Online state. Use in cases in which a complete cut in traffic is a better option than a partially working Engine.
  • Force Speed (Inline Pair Link Speed test only) — If the test finds that the pair of inline ports has different speed/duplex settings, the speed/duplex on the higher speed/full duplex link is set to match the lower speed/half duplex setting on the other port. Correct and reliable operation requires identical settings.
Send Alert When selected, sends an alert to notify administrators that a test has failed.
Send SNMP Trap When selected, sends an SNMP Trap.
Option Definition
Free Swap Space Test Properties dialog box
Name The name of the test. If you want to run more than one instance of the same test type with different parameters, give each test a unique name.
Node

(Clusters only)

Select whether to run the test on ALL nodes or only on a specific node.
States to Test Select one or more Engine states in which to run the test.
  • OnlineWhen selected, the test is run when the Engine Engine node is online.
  • Offline When selected, the test is run when the Engine Engine node is offline.
  • Standby(Clusters only) When selected, the test is run when the Engine Engine node is in the Standby state.
Test Interval Specify how frequently the test is run. The minimum interval is one second and the maximum is 86400 (one day). We recommend a minimum interval of four seconds. Running a test too frequently can increase overhead.
Free Space Enter the minimum amount of free space in kilobytes. When the amount of free space drops below this amount, the Engine executes the chosen action.
Failure section
Action Select the action taken if a test fails.
  • NoneNo action is taken.
  • Offline(Clusters only) The Engine node goes offline, unless it is the last active node in a cluster or the node is in the Locked Online state.
  • Force Offline The Engine node goes offline, even if it is the last node active node in a cluster or the node is in the Locked Online state. Use in cases in which a complete cut in traffic is a better option than a partially working Engine.
  • Force Speed (Inline Pair Link Speed test only) — If the test finds that the pair of inline ports has different speed/duplex settings, the speed/duplex on the higher speed/full duplex link is set to match the lower speed/half duplex setting on the other port. Correct and reliable operation requires identical settings.
Send Alert When selected, sends an alert to notify administrators that a test has failed.
Send SNMP Trap When selected, sends an SNMP Trap.
Option Definition
Inline Pair Link Speed Test Properties dialog box
Name The name of the test. If you want to run more than one instance of the same test type with different parameters, give each test a unique name.
Node

(Clusters only)

Select whether to run the test on ALL nodes or only on a specific node.
States to Test Select one or more Engine states in which to run the test.
  • OnlineWhen selected, the test is run when the Engine Engine node is online.
  • Offline When selected, the test is run when the Engine Engine node is offline.
  • Standby(Clusters only) When selected, the test is run when the Engine Engine node is in the Standby state.
Test Interval Specify how frequently the test is run. The minimum interval is one second and the maximum is 86400 (one day). We recommend a minimum interval of four seconds. Running a test too frequently can increase overhead.
Test Timeout Enter the timeout in milliseconds. If the test being run does not return a response in the specified time, the test has failed. Avoid overly short timeout values. We recommend a timeout of 500–1000 ms, depending on the test.
Failure section
Action Select the action taken if a test fails.
  • NoneNo action is taken.
  • Offline(Clusters only) The Engine node goes offline, unless it is the last active node in a cluster or the node is in the Locked Online state.
  • Force Offline The Engine node goes offline, even if it is the last node active node in a cluster or the node is in the Locked Online state. Use in cases in which a complete cut in traffic is a better option than a partially working Engine.
  • Force Speed (Inline Pair Link Speed test only) — If the test finds that the pair of inline ports has different speed/duplex settings, the speed/duplex on the higher speed/full duplex link is set to match the lower speed/half duplex setting on the other port. Correct and reliable operation requires identical settings.
Send Alert When selected, sends an alert to notify administrators that a test has failed.
Send SNMP Trap When selected, sends an SNMP Trap.
Option Definition
Link Status Test Properties dialog box
Name The name of the test. If you want to run more than one instance of the same test type with different parameters, give each test a unique name.
Node

(Clusters only)

Select whether to run the test on ALL nodes or only on a specific node.
States to Test Select one or more Engine states in which to run the test.
  • OnlineWhen selected, the test is run when the Engine Engine node is online.
  • Offline When selected, the test is run when the Engine Engine node is offline.
  • Standby(Clusters only) When selected, the test is run when the Engine Engine node is in the Standby state.
Test Interval Specify how frequently the test is run. The minimum interval is one second and the maximum is 86400 (one day). We recommend a minimum interval of four seconds. Running a test too frequently can increase overhead.
Interface Select the interface on which the test is run.
  • ALLAll physical, modem, ADSL, and wireless interfaces.
  • ALL with CVI(Clusters only) All interfaces that have a cluster virtual IP address (CVI)
  • Specific interfaces
Aggregated Links in Load-Balancing Mode From the Test Fails if More Than drop-down list, select the percentage of aggregated links that must be down for the test to be considered failed.
Failure section
Action Select the action taken if a test fails.
  • NoneNo action is taken.
  • Offline(Clusters only) The Engine node goes offline, unless it is the last active node in a cluster or the node is in the Locked Online state.
  • Force Offline The Engine node goes offline, even if it is the last node active node in a cluster or the node is in the Locked Online state. Use in cases in which a complete cut in traffic is a better option than a partially working Engine.
  • Force Speed (Inline Pair Link Speed test only) — If the test finds that the pair of inline ports has different speed/duplex settings, the speed/duplex on the higher speed/full duplex link is set to match the lower speed/half duplex setting on the other port. Correct and reliable operation requires identical settings.
Send Alert When selected, sends an alert to notify administrators that a test has failed.
Send SNMP Trap When selected, sends an SNMP Trap.
Option Definition
Multiping Test Properties dialog box
Name The name of the test. If you want to run more than one instance of the same test type with different parameters, give each test a unique name.
Node

(Clusters only)

Select whether to run the test on ALL nodes or only on a specific node.
States to Test Select one or more Engine states in which to run the test.
  • OnlineWhen selected, the test is run when the Engine Engine node is online.
  • Offline When selected, the test is run when the Engine Engine node is offline.
  • Standby(Clusters only) When selected, the test is run when the Engine Engine node is in the Standby state.
Test Interval Specify how frequently the test is run. The minimum interval is one second and the maximum is 86400 (one day). We recommend a minimum interval of four seconds. Running a test too frequently can increase overhead.
Retry Count Enter the number of times the tester tries to execute the test. We recommend always setting the retry count to more than 1 to avoid creating overly sensitive tests that burden the system unnecessarily.
Test Timeout Enter the timeout in milliseconds. If the test being run does not return a response in the specified time, the test has failed. Avoid overly short timeout values. We recommend a timeout of 500–1000 ms, depending on the test.
Source Address Select the source address for the test.
  • DEFAULT — No source address is forced on the test. The source IP address is selected automatically based on the standard routing rules. In a cluster, if the Physical Interface that routes the ping packet out has an NDI (Node Dedicated IP Address), this address is used as the source address. Otherwise, the NDI selected as Default IP for Outgoing Traffic is used.
  • A single Physical Interface, a VLAN Interface, a Modem Interface (Single Firewalls only), an ADSL Interface (Single Firewalls only), or an SSID Interface (Single Firewalls only). If the Node ID selection is ALL, each node uses the IP address of the selected interface as the source IP address for the test. If a single node is selected in Node ID in a cluster, the source address and the test itself apply to that node only.
Target Addresses Specify the target addresses of ICMP echo requests. Click Add to add an element to the list, or Remove to remove the selected element.
Failure section
Action Select the action taken if a test fails.
  • NoneNo action is taken.
  • Offline(Clusters only) The Engine node goes offline, unless it is the last active node in a cluster or the node is in the Locked Online state.
  • Force Offline The Engine node goes offline, even if it is the last node active node in a cluster or the node is in the Locked Online state. Use in cases in which a complete cut in traffic is a better option than a partially working Engine.
  • Force Speed (Inline Pair Link Speed test only) — If the test finds that the pair of inline ports has different speed/duplex settings, the speed/duplex on the higher speed/full duplex link is set to match the lower speed/half duplex setting on the other port. Correct and reliable operation requires identical settings.
Send Alert When selected, sends an alert to notify administrators that a test has failed.
Send SNMP Trap When selected, sends an SNMP Trap.

NTP page

Option Definition
Enable time synchronization from NTP server When selected, the Engine uses an external NTP server for time synchronization.
Preferred

(Optional)

 When selected, the Engine uses the specified NTP server by default.
NTP Server

Lists the available NTP servers. Double-click the cell to select an NTP server.

Click Add to add a row to the table, or Remove to remove the selected row.
Option Definition
NTP Server Properties dialog box — General tab
Name The name of the element.
Resolve

(Optional)

 Automatically resolves the domain name in the Name field.
Host Name

(Optional)

The host name of the NTP server.

If you do not enter a host name, you must enter an IPv4 address or an IPv6 address.
IP Address

(Optional)

The IPv4 address of the NTP server.

If you do not enter an IPv4 address, you must enter a host name or an IPv6 address.
IPv6 Address

(Optional)

The IPv6 address of the NTP server.

If you do not enter an IPv6 address, you must enter a host name or an IPv4 address.
Key Type

The type of authentication key that the NTP server uses.

  • None — The NTP server does not use a key.
  • MD5 — The NTP server uses an MD5 hash.
    Note: You cannot use MD5 in FIPS mode.
  • SHA1 — The NTP server uses a SHA-1 hash.
  • SHA2 — The NTP server uses a SHA-256 hash.
Key ID

Specifies a unique identifier for the key.

Enter a value between 1—65534.
Key Specifies the hash of the key.

The maximum lengths for the key are 32 hexadecimal characters for MD5, 40 hexadecimal characters for SHA-1, and 64 hexadecimal characters for SHA-256. If ASCII characters are used, the maximum length is 20 characters for all key types.
Category

(Optional)

 Includes the element in predefined categories. Click Select to select a category.
Tools Profile Adds commands to the right-click menu for the element. Click Select to select an element.
Comment

(Optional)

 A comment for your own reference.
Option Definition
NTP Server Properties dialog box — Monitoring tab
Log Server The Log Server that monitors the status of the element.
Status Monitoring When selected, activates status monitoring for the device. You must also select the Probing Profile that contains the definitions for the monitoring. When you select Status Monitoring, the element is added to the tree in the Home view.
Probing Profile Shows the name of the selected Probing Profile. Click Select to select a Probing Profile element.
Log Reception Activates syslog reception from this device. You must select the Logging Profile that contains the definitions for converting the syslog entries to Secure SD-WAN Manager log entries. You must also select the Time Zone in which the device is located. By default, the local time zone of the computer you are using is selected.
Logging Profile Shows the name of the selected Logging Profile. Click Select to select a Logging Profile element.
Time Zone Selects the time zone for the logs.
Encoding Selects the character set for log files.
SNMP Trap Reception Enables the reception of SNMP traps from the third-party device.
NetFlow Reception Enables the reception of NetFlow data from the third-party device. The supported versions are NetFlow v5, NetFlow v9, and IPFIX (NetFlow v10).
Option Definition
NTP Server Properties dialog box — NAT tab
Firewall Shows the selected firewall.
NAT Type Shows the NAT translation type: Static or Dynamic.
Private IP Address Shows the Private IP Address.
Public IP Address Shows the defined Public IP Address.
Port Filter Shows the selected Port Filters.
Comment An optional comment for your own reference.
Add NAT Definition Opens the NAT Definition Properties dialog box.
Edit NAT Definition Opens the NAT Definition Properties dialog box for the selected definition.
Remove NAT Definition Removes the selected NAT definition from the list.

Permissions page

Option Definition
Administrator Permissions section
Access Control Lists Shows the Access Control Lists that have been selected. Click Add to add an element to the list, or Remove to remove the selected element.
Permissions Shows the administrators that have permissions. Click Add Permission to add a row to the list, or Remove Permission to remove the selected row. Click the Administrator cell to select the administrator.
Option Definition
Local Administrators section
Administrator If local administrators have been defined, shows the names.
Info Shows whether the local administrator can execute root-level commands with the sudo tool.
Option Definition
Policies section
Allowed Policies Shows the policies that are allowed to be installed. Click Add to add an element to the list, or Remove to remove the selected element. To allow the installation of any policy, select Set to ANY.

Add-Ons page

Option Definition
Client Protection Certificate Authority Select the Client Protection Certificate Authority element to use for client protection.
TLS Credentials Specifies the Server Protection Credentials elements that are used for server protection. Click Add to add an element to the list, or Remove to remove the selected element.
User Identification Service The Forcepoint User ID Service, McAfee Logon Collector, and Integrated User ID Service provide user, group, and IP address information that can be used in transparent user identification.

The Integrated User ID Service is primarily meant for demonstration purposes and proof-of-concept testing of user identification services.

  • Select — Allows you to select an existing Forcepoint User ID Service, McAfee Logon Collector, or Integrated User ID Service element.
  • None — Disables transparent user identification.
Note: For Engine version 6.4 or higher, we recommend that you use the Forcepoint User ID Service.
User Authentication Opens the Browser-Based User Authentication dialog box.
Anti-Malware Opens the Anti-Malware Settings dialog box.
Anti-Spam Settings The Anti-Spam feature is no longer supported in Engine version 6.2.0 and higher.
Sandbox Opens the Sandbox Settings dialog box.
Note: McAfee Advanced Threat Defense is no longer supported in Engine version 6.4.0 and higher. We recommend that you use Forcepoint Advanced Malware Detection instead.
File Reputation Opens the GTI File Reputation Settings dialog box.
Option Definition
Browser-Based User Authentication dialog box — General tab
HTTP When selected, allows authentication using plain HTTP connections. Change the Port number if you want to use a different port for the authentication interface. The default port is 80.
HTTPS When selected, allows authentication using encrypted HTTPS connections. Change the Port number if you want to use a different port for the authentication interface. The default port is 443.

This option is required for client certificate authentication.
TLS Profile The TLS Profile element that defines TLS settings for HTTPS connections for authentication, and the trusted certificate authority for client certificate authentication. Click Select to select an element.

This option is required for client certificate authentication.
Use Client Certificates for Authentication When selected, the Engine allows users to authenticate using X.509 certificates. Client certificate authentication is supported for browser-based user authentication.
Always Use HTTPS When selected, redirects connections to the HTTPS port and enforces the use of HTTPS if the Engine also listens on other ports.
Authentication Time-Out Defines the length of time after which authentication expires and users must re-authenticate.
Listen on Interfaces Restricts the interfaces that users can authenticate through.
  • All — Users can authenticate through all interfaces.
  • Selected — Users can only authenticate through the selected interfaces.
User Authentication Page Select the User Authentication Page element that defines the look of the logon, challenge, re-authentication, and status page shown to end users when they authenticate.
Enable Session Handling

(Optional)

 When selected, enables cookie-based strict session handling.
Note: When Enable Session Handling is selected, the Authentication Idle Time-Out option is not available. The Refresh Status Page Every option defines the authentication timeout.
Authentication Idle Time-Out Defines an idle timeout for user authentication. If there have been no new connections within the specified time limit after the closing of a user's previous connection, the user is removed from the list of authenticated users.
Refresh Status Page Every

(Optional)

 Defines how often the status page is automatically refreshed. When Enable Session Handling is selected, defines the authentication timeout.
Option Definition
Browser-Based User Authentication dialog box — HTTPS Certificate tab
Organization (O)

(Optional)

 The name of your organization as it appears in the certificate.
Organization Unit (OU)

(Optional)

 The name of your department or division as it appears in the certificate.
State/Province (ST)

(Optional)

 The name of state or province as it appears in the certificate.
Locality (L)

(Optional)

 The name of the city as it appears in the certificate.
Common Name (CN) The value for the Common Name field in the certificate request. For server certificates, the value is typically the fully qualified domain name (FQDN).
Key Length The length of the key in bits.
Sign
With External Certificate Authority Select this option if you want to create a certificate request that another certificate authority signs.
Internally with Select this option to sign the certificate using an internal CA. If more than one valid internal CA is available, select the internal CA that signs the certificate request. There can be multiple valid internal CAs in the following cases:
  • There is both an Internal RSA CA for Gateways and an Internal ECDSA CA for Gateways.
  • The Internal CA for Gateways is in the process of being renewed and both the previous CA and the new CA are temporarily available.
Generate Request Generates the request. The certificate request is shown in the same dialog box.
Option Definition
Sidewinder Proxy Settings dialog box
Enable When selected, enables Sidewinder Proxy.
Sidewinder Logging Profile The selected Sidewinder Logging Profile element for the engine. Click Select to open the Select Element dialog box, where you can select a Sidewinder Logging Profile.
SSH Proxy Settings specific to the SSM SSH Proxy.
SSH Known Hosts Lists The selected SSH Known Hosts List elements for the engine. Click Add to add an element to the list, or Remove to remove the selected element.
Host Keys The SSH host keys used by the firewall when it acts as the SSH server in a connection that uses the SSM SSH Proxy. Click Add to add a row to the table, or Remove to remove the selected row. To import an existing host key, click Import.
Key Type Shows the signature algorithm used for the host key.
Key Length Shows the length of the host key.
SHA256 Fingerprint Shows the SHA256 fingerprint of the host key.
SSH Proxy Services The SSH Proxy Service element with which the host key is used. Double-click the field to open the Select Element dialog box, where you can select a Service element.
Comment

(Optional)

 A comment for your own reference.
Advanced Settings Opens the Advanced Sidewinder Proxy Settings dialog box.
Option Definition
Advanced Sidewinder Proxy Settings dialog box — Shared tab
Use this tab to define advanced Sidewinder Proxy settings that are shared by all SSM Proxies. Click Add to add a row to the table, or Remove to remove the selected row.
Shared Proxy Property The name of the shared advanced Sidewinder Proxy setting.
Value The value of the advanced Sidewinder Proxy setting.
Option Definition
Advanced Sidewinder Proxy Settings dialog box — HTTP tab
Use this tab to define advanced Sidewinder Proxy settings for the SSM HTTP Proxy. Click Add to add a row to the table, or Remove to remove the selected row.
HTTP Proxy Property The name of the advanced HTTP Sidewinder Proxy setting.
Value The value of the advanced Sidewinder Proxy setting.
Option Definition
Advanced Sidewinder Proxy Settings dialog box — SSH tab
Use this tab to define advanced Sidewinder Proxy settings for the SSM SSH Proxy. Click Add to add a row to the table, or Remove to remove the selected row.
SSH Proxy Property The name of the advanced SSH Sidewinder Proxy setting.
Value The value of the advanced Sidewinder Proxy setting.
Option Definition
Advanced Sidewinder Proxy Settings dialog box — TCP tab
Use this tab to define advanced TCP Sidewinder Proxy settings for the SSM TCP Proxy. Click Add to add a row to the table, or Remove to remove the selected row.
TCP Proxy Property The name of the advanced Sidewinder Proxy setting.
Value The value of the advanced Sidewinder Proxy setting.
Option Definition
Advanced Sidewinder Proxy Settings dialog box — UDP tab
Use this tab to define advanced Sidewinder Proxy settings for the SSM UDP Proxy. Click Add to add a row to the table, or Remove to remove the selected row.
UDP Proxy Property The name of the advanced UDP Sidewinder Proxy setting.
Value The value of the advanced Sidewinder Proxy setting.
Option Definition
Anti-Malware Settings dialog box
Enable Enables anti-malware checks.
Malware Log Level The log level for anti-malware events.
  • None — Does not create any log entry.
  • Transient — Creates a log entry that is displayed in the Current Events mode in the Logs view, but is not stored.
  • Stored — Creates a log entry that is stored on the Log Server.
  • Essential — Creates a log entry that is shown in the Logs view and saved for further use.
  • Alert — Triggers the alert you select.
Alert When the Log Level is set to Alert, specifies the Alert that is sent.
Malware Signature Update Settings section
Update Frequency Defines how often the Engine checks for updates to the anti-malware database.
  • Never — The Engine does not check for updates. You must update the anti-malware database manually.
  • When Anti-Malware Daemon Starts — Checks when the anti-malware daemon starts. The daemon starts, for example, when the anti-malware feature is enabled or when the Engine restarts.
  • Every Hour — Checks for updates once an hour.
  • Daily — Checks for updates once a day. Set the time of day.
  • Weekly — Checks for updates once a week. Set the day and time of day.
Malware Signature Mirror Settings section
Mirror(s) Enter the URL of the anti-malware database mirror that the Engine contacts to update the anti-malware database. Separate multiple addresses with commas.
Use HTTP Proxy

(Optional)

Specifies that the Engine uses an HTTP proxy to connect to the anti-malware database mirrors.
Host The IP address or DNS name of the HTTP proxy.
Port The listening port of the HTTP proxy.
Username The user name for authenticating to the HTTP proxy.
Password The password for authenticating to the HTTP proxy. By default, passwords and keys are not shown in plain text. To show the password or key, deselect the Hide option.
Option Definition
Sandbox Settings dialog box
Sandbox Type Specifies which type of sandbox the Engine uses for sandbox file reputation scans.
  • None — The Engine does not use a sandbox.
  • Cloud Sandbox - Forcepoint Advanced Malware Detection — The engine uses the cloud sandbox for Forcepoint Advanced Malware Detection.
  • Local Sandbox - Forcepoint Advanced Malware Detection — The engine uses the local sandbox for Forcepoint Advanced Malware Detection.
    Note: To use the local sandbox for Forcepoint Advanced Malware Detection, you must have a Forcepoint Advanced Malware Detection appliance.
  • Local Sandbox - McAfee Advanced Threat Defense (ATD) — The engine uses McAfee Advanced Threat Defense.
    Note: McAfee Advanced Threat Defense is no longer supported in Engine version 6.4.0 and higher. We recommend that you use Forcepoint Advanced Malware Detection instead.
Option Definition
When Sandbox Type is Cloud Sandbox - Forcepoint Advanced Malware Detection
License Key

(Optional)

The license key for the connection to the sandbox server.

  • If you have not entered a license key in the properties of the Sandbox Service element, you must enter a license key here.
  • If you have entered a license key in the properties of the Sandbox Service element, you can optionally enter a license key here to override the global setting.
Note: The license defines the home data center where files are analyzed. Enter the key and license token for the data center that you want to use as the home data center.
CAUTION:
The license keys and license tokens allow access to confidential analysis reports. Handle the license key and license token securely.
License Token

(Optional)

The license token for the connection to the sandbox server.

  • If you have not entered a license token in the properties of the Sandbox Service element, you must enter a license key here.
  • If you have entered a license token in the properties of the Sandbox Service element, you can optionally enter a license token here to override the global setting.
Sandbox Service Specifies the sandbox service that the firewall contacts to request file reputation scans. Click Select to select an element.
HTTP Proxies

(Optional)

 When specified, requests are sent through an HTTP proxy instead of the engine accessing the external network directly.

Add — Allows you to add an HTTP Proxy to the list.

Remove — Removes the selected HTTP Proxy from the list.
Option Definition
When Sandbox Type is Local Sandbox - Forcepoint Advanced Malware Detection
License Key

(Optional)

The license key for the connection to the sandbox server.

  • If you have not entered a license key in the properties of the Sandbox Service element, you must enter a license key here.
  • If you have entered a license key in the properties of the Sandbox Service element, you can optionally enter a license key here to override the global setting.
License Token

(Optional)

The license token for the connection to the sandbox server.

  • If you have not entered a license token in the properties of the Sandbox Service element, you must enter a license key here.
  • If you have entered a license token in the properties of the Sandbox Service element, you can optionally enter a license token here to override the global setting.
Sandbox Service Specifies the sandbox service that the firewall contacts to request file reputation scans. Click Select to select an element.
HTTP Proxies

(Optional)

 When specified, requests are sent through an HTTP proxy instead of the engine accessing the external network directly.

Add — Allows you to add an HTTP Proxy to the list.

Remove — Removes the selected HTTP Proxy from the list.
Option Definition
File Reputation Settings dialog box
File Reputation Service Select the file reputation service to use.
  • None — Disables file reputation services.
  • Threat Intelligence Exchange (TIE)This option is included for backward compatibility with legacy software versions. McAfee Threat Intelligence Exchange (TIE) is no longer supported in Engine 6.10 and higher.
  • Global Threat Intelligence (GTI) — Enables the use of McAfee GTI file reputation services for file filtering.
Option Definition
When File Reputation Service is Global Threat Intelligence (GTI)
HTTP Proxies

(Optional)

 When specified, requests are sent through an HTTP proxy instead of the engine accessing the external network directly. Click Add to add an element to the list, or Remove to remove the selected element.
Note: You can only use one HTTP proxy for the connection to the McAfee Global Threat Intelligence file reputation service. If you select more than one HTTP proxy, the additional HTTP proxies are ignored.

Advanced Settings page

Option Definition
Encrypt Configuration Data By default, the configuration of the Engine is stored in an encrypted format. Disable the encryption only if instructed to do so by Forcepoint Customer Hub.
Contact Node Timeout

(Not Virtual Engines)

The maximum amount of time the Management Server tries to connect to an Engine.

A consistently slow network connection might require increasing this value. The default value is 120 seconds.

Note: Setting the timeout value too short or too long can delay or prevent contact between the Management Server and the Engines.
Auto Reboot Timeout

(Not Virtual Engines)

 Specifies the length of time after which an error situation is considered non-recoverable and the Engine automatically reboots. The default value is 10 seconds. Set to 0 to disable.
Policy Handshake

(Not Virtual Engines)

 When selected, the nodes automatically roll back to using the previously installed policy if connectivity is lost after installing a new policy.

Without this feature, you must switch to the previous configuration manually through the boot menu of the Engine.

Note: We recommend adjusting the timeout (next setting) rather than disabling this feature completely if there is a need to make changes.
Rollback Timeout

(Not Virtual Engines)

 The length of time the Engine waits for a management connection before it rolls back to the previously installed policy when the Policy Handshake option is active. The default value is 60 seconds.
Automated Node Certificate Renewal

(Not Virtual Engines)

 When selected, the Engine's certificate for system communications is automatically renewed before it expires. Otherwise, the certificate must be renewed manually.

Each certificate for system communications is valid for three years. If the certificate expires, other components refuse to communicate with the Engine.

Note: Does not renew VPN certificates. Automatic certificate renewal for internally signed VPN certificates is set separately in the Engine's VPN settings.
FIPS-Compatible Operating Mode

(Firewalls only)

(Not Virtual Engines)

 When selected, activates a mode that is compliant with the Federal Information Processing Standards (FIPS).
Note: You must also select FIPS-specific settings in the Engine Configuration Wizard on the command line of the Engine. For more information, see How to install Forcepoint FlexEdge Secure SD-WAN in FIPS mode.
Number of CPUs Reserved for Control Plane

(Firewalls only)

(Not Virtual Engines)

 Select how many CPUs to reserve for control plane operations. In situations where there is exceptionally high traffic, in a denial of service attack, for example, this ensures that you can still monitor and control the Engine operation.
Note: The reserved CPUs cannot be used for traffic processing. Using fewer CPUs for traffic processing degrades performance.
Isolate Also Interfaces for System Communications

(Firewalls only)

When selected, the reserved CPUs handle the system communications traffic that pass through the Control Interfaces and dedicated primary Heartbeat Interfaces. We recommend that you only use this option when the Physical Interfaces used for system communications do not handle any other traffic.
Log Handling Opens the Log Handling Settings dialog box.
Clustering Opens the Clustering Properties dialog box.
Traffic Handling Opens the Traffic Handling Settings dialog box.
VPN Settings Opens the VPN Settings dialog box.
Policy Routing Opens the Policy Routing dialog box.
Idle Timeouts Opens the Idle Timeouts dialog box.
SYN Rate Limits Opens the Default SYN Rate Limits dialog box.
Scan Detection Opens the Scan Detection Settings dialog box.
DoS Protection Opens the DoS Protection Settings dialog box.
Option Definition
Log Handling Settings dialog box
Log Spooling Policy

(Not Virtual Engines)

Defines what happens when the log spool becomes full.
  • Stop Traffic — The Engine stops processing traffic and goes offline.
  • Discard Log — Log entries are discarded in four stages, according to available space. Monitoring data is discarded first, followed by log entries marked as Transient and Stored, and finally log entries marked as Essential. The Engine continues to process traffic.
Log Compression

(Antispoofing Log Event Type for Firewalls only)

The maximum number of separately logged entries. When the defined limit is reached, a single Antispoofing log entry or Discard log entry is logged. The single entry contains information about the total number of the generated Antispoofing log entries or Discard log entries. The individual log entries are deleted. After the single log entry is created, logging returns to normal and all entries are logged and shown separately. Double-click a cell to edit the value.
Note: Do not enable Log Compression if you want all Antispoofing and Discard entries to be logged as separate log entries (for example, for reporting or statistics).
Set to Default Returns Log Compression settings to the default settings.
Option Definition
Clustering Properties dialog box — Cluster tab
Clustering Mode

(Not Layer 2 Firewalls)
  • Balancing — All nodes are simultaneously online providing enhanced performance and high availability if there is node failure. Balancing mode is the default mode.
  • Standby — Only one node can be online at a time. We recommend having at least one other node on standby to allow automatic takeover if there is failure. Several nodes can be on standby at a time. A randomly selected standby node is turned online when the online node fails.
Note: Only standby clustering mode is supported for Layer 2 Firewall Clusters.
Heartbeat Message Period Specifies how often clustered Engines send heartbeat messages to each other (notifying that they are up and running). Enter the value in milliseconds. The default value is 1000 milliseconds (one second).
CAUTION:
Setting this option too low can result in unnecessary heartbeat failures. Setting this option too high can cause unnecessary service outages when a failure occurs.
Heartbeat Failover Time Defines the time from the previous heartbeat message after which a node is treated as failed. Enter the value in milliseconds. The failover time must be at least twice as long as the Heartbeat Message Period. The default value is 5000 milliseconds.
CAUTION:
Setting this option too low can result in unnecessary heartbeat failures. Setting this option too high can cause unnecessary service outages when a failure occurs.
Node Synchronization table Click or double-click the cells to edit the values.
Interface ID Shows the assigned interface ID.
State Sync Defines how the nodes exchange information about the traffic that they process.
  • All (recommended) — Both full and incremental synchronization messages are sent. This option allows frequent updates without consuming resources excessively. Regular full synchronization guarantees that all nodes stay synchronized even if some incremental messages are not delivered.
  • Full Only (not recommended) — Only full synchronization messages are sent. Incremental updates are not sent in between, so nodes might not have the same information about connections unless the full sync interval is reduced.
Note: We strongly recommend using Access rule options to disable state synchronization for specific traffic rather than adjusting the State Sync settings for the cluster.
Full Sync Interval or Incr Sync Interval Define how frequently the full synchronizations and incremental synchronizations are done. Do not set the values much higher or lower than their defaults (5000 ms for full, 50 ms for incremental)
CAUTION:
Adjusting the Sync Intervals has significant impact on the cluster's performance. Inappropriate settings seriously degrade the firewall's performance.
Sync Security Level
  • None — No security features. Do not select this option unless the heartbeat traffic uses a dedicated, secure network that does not handle other traffic.
  • Sign — (default) Transmissions are authenticated to prevent outside injections of connection state information.
  • Encrypt and Sign — Transmissions are authenticated and encrypted. This option increases the overhead compared to the default option. However, it is recommended if node-to-node communications are relayed through insecure networks (for example, if the backup heartbeat is configured on an interface that handles other traffic).
CAUTION:
If the Firewall Cluster's primary and secondary Heartbeat Interfaces are not connected to dedicated networks and you use None or Sign as the Sync Security Level, VPN traffic is transferred unencrypted between engine nodes when VPN traffic balancing requires that traffic is forwarded between the nodes.
Heartbeat IP Enter an IP address between 224.0.0.0 and 239.255.255.255 if you want to change the multicast IP addresses used for node-to-node communications. The default is 225.1.1.1. This multicast IP address must not be used for other purposes on any of the network interfaces.
Synchronization IP Enter an IP address between 224.0.0.0 and 239.255.255.255 if you want to change the multicast IP addresses used for node-to-node communications. The default is 225.1.1.2. This multicast IP address must not be used for other purposes on any of the network interfaces.
Option Definition
Clustering Properties dialog box — Manual LB Filters tab

This tab contains advanced settings for fine-tuning load-balancing filters.

CAUTION:
Do not manually tune the load-balancing filter unless you are certain it is necessary. Normally, there is no need to tune the filter, because the configuration generates all required entries automatically. Unnecessary tuning can adversely affect the operation of the filter.
Filter Mode Defines how traffic is balanced between the nodes.
  • Static — Packet ownership (the node to which the connection or packet belongs) can change only when nodes are added or removed from the cluster, or when they switch from one state to another.
  • Dynamic — Traffic is balanced to avoid node overloads and existing connections are moved between nodes whenever overload is detected.
Load-Balancing Filter Uses Ports

(Firewalls only)

When selected, includes a port value for selecting between all nodes.

This setting decreases the granularity of VPN load balancing, and increases the granularity of other traffic load balancing. In typical networks, traffic is balanced based on IP address information only. If there is a dominating pair of communication IP addresses, apply the Use Ports option in the load-balancing filter entry only to their traffic and not globally.

Note: Enabling this option is not compatible with some features, such as mobile VPNs.
Filter Entries table Click Add Row to add a row to the table, or Remove Row to remove the selected row.
IP Address Double-click the cell to open the Load Balancing Filter IP Entry dialog box.
Action Select one of the following actions:
  • None — No action is performed for the IP address specified in this entry. Used with the Replacement IP, Use Ports, NAT Enforce, Use IPsec, or Ignore Other options.
  • Replace by — The IP address in the Replacement IP cell replaces the original IP address. This option is the default action.
  • Pass on All Nodes — The filter entry allows packets to all nodes.
  • Block on All Nodes — The filter entry blocks packets to all nodes.
  • Pass on Node <number> — The filter entry forces the selected node to handle all packets belonging to the connection specified in this entry.
Replacement IP Enter the replacement IP address.
Use Ports Overrides the global Load-Balancing Filter Uses Ports option. For example, if two hosts send most traffic through the engine, you can set the Use Ports option for one of them to divide the traffic between the cluster nodes, improving granularity. Using this option for IP addresses in a VPN site can reduce the granularity of VPN load balancing and prevent VPN client connections involving those IP addresses.
NAT Enforce Enables a specific NAT-related process in the load-balancing filter.
CAUTION:
Do not enable this option unless instructed to do so by Forcepoint Customer Hub.
Use IPsec Specifies addresses receiving IPsec traffic on the node itself. The option enables a specific load-balancing process for all IPsec traffic directed to the IP address specified in the filter entry.
CAUTION:
Do not enable this option unless instructed to do so by Forcepoint Customer Hub.
Ignore Other Forces the handling of packets to and from the specified IP addresses one node at a time.
Option Definition
Load Balancing Filter IP Entry dialog box
IPv4 Network Enter the IP address in the IPv4 Address field and the netmask in the Netmask field.
IPv6 Network Enter the IP address in the IPv6 Address field and the prefix in the Prefix field.
Range Enter the IP addresses in the first and second fields.
Option Definition
Traffic Handling Settings dialog box
Layer 3 Connection Tracking Mode

(Firewalls only)

Connection Tracking Mode

(IPS engines and Layer 2 Firewalls only)

When connection tracking is enabled, reply packets are allowed as part of the allowed connection without an explicit Access rule.

You can override this Engine-specific setting and configure connection tracking for TCP, UDP, and ICMP traffic in Access rules.

  • Normal — The Engine drops ICMP error messages related to connections that are not currently active in connection tracking. A valid, complete TCP handshake is required for TCP traffic. The Engine checks the traffic direction and the port parameters of UDP traffic.
  • Strict — The Engine does not permit TCP traffic to pass through before a complete, valid TCP handshake is performed.
  • Loose — The Engine allows some connection patterns and address translation operations that are not allowed in the Normal mode. This mode can be used, for example, if routing is asymmetric and cannot be corrected or if the use of dynamic routing protocols causes the Engine to receive non-standard traffic patterns.
On Firewalls and Layer 2 Firewalls, Normal is the default setting. On IPS engines, Loose is the default setting.
Virtual Defragmenting

(Not Virtual)

(Not editable on IPS engines)

When selected, fragmented packets are sent onwards using the same fragmentation as when they arrived at the Engine.

When the Engine receives fragmented packets, it defragments the packets for inspection. The original fragments are queued until the inspection is finished. If the option is not selected, the packets are sent onwards as if they had arrived unfragmented.

Strict TCP Mode for Deep Inspection

(Not Virtual)

This option is included for backward compatibility with legacy software versions.
Concurrent Connection Limit

(Not Virtual)

A global limit for the number of open connections. When the set number of connections is reached, the Engine stops the next connection attempts until a previously open connection is closed.
Inspection CPU Balancing Mode

(Not Virtual)

Specifies how inspected connections are allocated between the CPUs. Select from the following options:
  • Default — The connection is allocated to the CPU that received the first packet of the connection. If the utilization on the CPU is high, a different CPU is dynamically selected. Incoming and outgoing packets might be handled by different CPUs.
  • Round Robin — Connections are allocated evenly between all CPUs in order. This option can improve CPU balancing when there are a large number of CPUs.
  • NUMA local Round Robin — Connections are balanced within the CPU that received the first packet of the connection. Incoming and outgoing packets are handled by the same CPU.
Default Connection Termination in Inspection Policy Defines how connections that match rules with the Terminate action in the Inspection Policy are handled.
  • Terminate and Log Connection — Stops the matching connections. This option is the default setting.
  • Only Log Connection — Does not stop the matching connections. Creates a Terminate (passive) log entry for the matching connections. This option is useful for testing which types of connections are stopped.
Action When TCP Connection Does Not Start With a SYN Packet

(Not Master Engine)

The Engine refuses TCP connections if the TCP connection does not start with a SYN packet, even if the TCP connection matches an Access rule with the Allow action. The Engine does not send a TCP reset if the TCP connection begins with a TCP reset packet.
  • Discard Silently — The connection is silently dropped.
  • Refuse With TCP Reset — The connection is refused, and a TCP reset packet is returned.
Option Definition
VPN Settings dialog box
Gateway Settings The Gateway Settings element that defines performance-related VPN options.
Gateway Profile The Gateway Profile in use.
Translate IP Addresses Using NAT Pool When selected, the specified IP address range and port range are used for translating IP addresses of incoming Forcepoint VPN Client connections to internal networks. Enter the ranges in the IP Address Range and Port Range fields.
Note: This option is an alternative to using virtual IP addresses for VPN Clients.
Option Definition
Policy Routing dialog box
IPv4 Policy Routes or IPv6 Policy Routes Enter the routing information in the appropriate table. Click Add to add a row to the table, or Remove to remove the selected row. Click Up or Down to move the selected element up or down.
Source IP Address Enter the source IP address. This IP address is always something other than the default 0.0.0.0 that matches any IP address. Such configurations can be handled more easily with the normal routing tools in the Routing pane.
Source Netmask

(IPv4 only)

Enter the netmask for the source IP address.
Source Prefix

(IPv6 only)

Enter the network prefix for the source IP address.
Destination IP Address Enter the destination IP address.
Destination Netmask

(IPv4 only)

Enter the netmask for the destination IP address.
Destination Prefix

(IPv6 only)

Enter the network prefix for the destination IP address.
Gateway IP Address Enter the IP address of the device to which packets that match the source/destination pair are forwarded.
Comment

(Optional)

 A comment for your own reference.
Option Definition
Idle Timeouts dialog box
Timeouts table

Double-click the Timeout(s) cell to change the value. Click Add to add an element to the table, or Remove to remove the selected element. To set the selected protocols and values back to default settings, click Set to Default.
Option Definition
Default SYN Rate Limits dialog box
SYN Rate Limits Limits for SYN packets sent to the Engine.
  • None — SYN rate limits are disabled.
  • Automatic — The Engine automatically calculates the Allowed SYNs per Second and Burst Size values for the interface based on the Engine capacity and memory size.
  • Custom — Enter custom values for Allowed SYNs per Second and Burst Size.
Allowed SYNs per Second

(When SYN Rate Limits is Custom)

The number of allowed SYN packets per second.
Burst Size

(When SYN Rate Limits is Custom)

The number of allowed SYNs before the Engine Engine starts limiting the SYN rate.
CAUTION:
We recommend setting the Burst Size value to at least one tenth of the Allowed SYNs per Second value. If the burst size is too small, SYN rate limits do not work. For example, if the value for Allowed SYNs per Second is 10000, the Burst Size value must be at least 1000.
Option Definition
Scan Detection Settings dialog box
Scan Detection Mode When you enable scan detection, the number of connections or connection attempts within a time window is counted.
  • Disabled — Scan detection is not enabled.
  • Off (Can Be Overridden in Policy) — Scan detection is not enabled, but you can override this setting in individual Access rules. This option is the default setting.
  • On (Can Be Overridden in Policy) — Scan detection is enabled. You can override this setting in individual Access rules if scan detection is not needed or to avoid false positives.
Create a log entry when the system detects section

Allows you to set thresholds for creating log entries. When the specified number of events for the specified time period is exceeded, log entries are created.

The following options are available for each protocol:

  • events in — Specifies the maximum number of events. The default value is 220.
  • Time period field — Specifies the time period. The default value is 1.
  • Time unit drop-down list — Specifies the unit of time. The default value is Minutes.
Log Level Specifies the log level for the log entries.
  • Transient — Creates a log entry that is displayed in the Current Events mode in the Logs view, but is not stored.
  • Stored — Creates a log entry that is stored on the Log Server.
  • Essential — Creates a log entry that is shown in the Logs view and saved for further use.
  • Alert — Triggers the alert you select.
Alert When the Log Level is set to Alert, specifies the Alert that is sent.
Severity When the Log Level is set to Alert, allows you to override the severity defined in the Alert element.
Set to Default Returns Scan Detection changes to the default settings.
Option Definition
DoS Protection Settings dialog box
Rate-Based DoS Protection Mode Enables or disables DoS protection, which can help prevent Denial of Service (DoS) attacks.
  • Disabled — DoS protection is not enabled.
  • Off (Can Be Overridden in Policy) — DoS protection is not enabled, but you can override this setting in individual Access rules. This option is the default setting.
  • On (Can Be Overridden in Policy) — DoS protection is enabled. You can override this setting in individual Access rules.
SYN Flood Sensitivity When SYN flood protection is activated, the Engine acts as a SYN proxy. The engine completes the TCP handshake with the client, and only initiates the connection with the server after the client has completed the TCP handshake.
  • Off — SYN flood protection is not enabled.
  • Low — Allows the most SYN-ACK timeouts before the Engine requires a full TCP handshake with the client before it communicates with a server.
  • Medium — Allows a medium number of SYN-ACK timeouts before the Engine requires a full TCP handshake with the client before it communicates with a server. This option is the default setting.
  • High — Allows the fewest SYN-ACK timeouts before the Engine requires a full TCP handshake with the client before it communicates with a server.
Limit for Half-Open TCP Connections

(Optional)

 Set the maximum number of half-open TCP connections per destination IP address. The minimum is 125, the maximum is 100 000. When the limit is exceeded, the SYN flood protection is activated, and log data is generated.
Slow HTTP Request Sensitivity The Engine analyzes the data transfer rate and length of time it takes to read the header fields of the HTTP request. If the sender of the request tries to keep the connection open for an unreasonable length of time, the Engine blacklists the sender’s IP address for a specified length of time.
  • Off — Slow HTTP Request Protection is not enabled.
  • Low — Allows the slowest data transfer rate before the blacklist timeout is applied. This option is the default setting.
  • Medium — Allows a moderately slow data transfer rate before the blacklist timeout is applied.
  • High — Allows the least slow data transfer rate before the blacklist timeout is applied.
Slow HTTP Request Blacklist Timeout The length of time for blacklisting IP addresses that are suspected of sending malicious traffic. Enter the time in seconds (the default is 300).
TCP Reset Sensitivity When enabled, the Engine detects the sequence numbers of the TCP RST segments to determine whether it is under a TCP Reset attack. You cannot override this setting in individual Access rules
  • Off — TCP reset protection is not enabled. This option is the default setting.
  • Low — Allows the most TCP reset requests before the Engine considers itself to be under attack.
  • Medium — Allows a medium number of TCP reset requests before the Engine considers itself to be under attack.
  • High — Allows the fewest TCP reset requests before the Engine considers itself to be under attack.

Upload the Initial Configuration to the Installation Server page

This page is only shown for specific Engine appliances that support plug-and-play configuration. Only Single Firewalls with a dynamic control IP address are supported.

Option Definition
Upload Initial Configuration When selected, the initial configuration is uploaded to the Installation Server, making the configuration available for use in plug-and-play installations. When you turn on the Engine appliance, it automatically downloads and installs the initial configuration and makes initial contact with the Management Server.
Note: There are special considerations when using plug-and-play configuration. For example, both the Secure SD-WAN Manager and the Engines must be registered for plug-and-play configuration before you configure the engines. See Knowledge Base article 9662.
Enable SSH Daemon

(Optional)

 When selected, allows remote access to the Engine command line for troubleshooting purposes.
  • You can enable and disable remote command-line access at any time after management contact is established through the right-click menu of the Engine. We recommend that you disable SSH access whenever it is not needed. Make sure that your Access rules allow SSH access to the Engines from the administrators’ IP addresses only.
  • The Template policies do not allow these connections. However, the temporary policy activated immediately after the Engine’s initial configuration (active until you install the working policy) allows SSH access from the Management Server’s IP address. Alternatively, you can upload a working policy to be automatically installed after it has contacted the Management Server.
CAUTION:
If you enable SSH, set the password for command-line access after the initial configuration either through the Management Client or by logging on to the command line. When the password is not set, anyone with SSH access to the Engine can set the password.
Local Time Zone Select a local time zone for commands you enter on the command line.
Note: This setting only applies to the local console. Engines always use UTC (GMT) time internally. The clock on the local console is automatically synchronized with the Management Server time.
Keyboard Layout Select a language to specify the layout of the keyboard used with the local console.

Endpoints for the Internal VPN Gateways page

Option Definition
Enabled When selected, the endpoint IP address is active.
Name Shows the name of the endpoint. If the endpoint does not have a descriptive name, the IP address of the endpoint is shown.
IP Address Shows the IP address of the endpoint.
Connection Type Defines how the endpoint is used in a Multi-Link configuration.
Options Shows the optional settings that have been selected for the endpoint.
Phase-1 ID Shows the value of the phase-1 ID that identifies the gateway during the IKE phase-1 negotiations.
VPN Type Shows the types of VPNs that the endpoint can be used in.
Edit Allows you to change the properties of the selected endpoint.
Option Definition
VPN Endpoint Properties dialog box
Name The name of the endpoint. If no name is entered, the IP address is used.
IP Address The IP address of the endpoint.
Dynamic Automatically selected if the endpoint has a dynamic IP address.
Connection Type Defines how the endpoint is used in a Multi-Link configuration.
NAT-T

Detects when an IPsec VPN tunnel goes through a NAT device. If NAT is detected, the VPN automatically uses UDP port 4500 for IKE negotiation messages, and encapsulates ESP packets in UDP packets that use port 4500.

  • Disabled — NAT traversal is disabled.
  • Enabled — Select this option to allow encapsulating the IPsec communications in standard NAT-T UDP packets in site-to-site VPNs when the gateways detect that a NAT operation is applied to the communications. If both gateways do not support this option, the option is ignored.
  • Forced — Select this option to force NAT-T even when the gateways do not detect a NAT operation being applied to the communications. If both gateways do not support this option, the VPN fails to establish.
Contact Addresses section This section cannot be edited. The contact addresses for endpoints are defined in the Interface properties.
Default Used by default whenever a component that belongs to another Location connects to this interface.
Dynamic Used when the endpoint has a dynamic IP address.
Note: Dynamic contact addresses are not supported on SSID Interfaces.
Exceptions Opens the Exceptions dialog box.
Phase-1 ID section
ID Type Identifies the Gateways during the IKE phase-1 negotiations.
  • DNS Name — A DNS name identifies the gateway.
  • E-mail — An email address identifies the gateway.
  • Distinguished Name — The Distinguished Name (DN) field in the gateway's certificate identifies the gateway. You can only add one DN value for each VPN Gateway.
  • IP Address — An IP address identifies the gateway. If the endpoint has a static IP address, the value is filled in automatically. If the endpoint has a dynamic IP address, you must manually enter an IP address.
To add VPN-specific exceptions for the Phase-1 ID, click Exceptions.
ID Value Specifies the details of the ID Type.
VPN Type section
All types Restricts the types of VPNs that the endpoint can be used in.
Selected types only Select one or more options.
  • IPsec VPN — The endpoint can be used in IPsec tunnels.
  • SSL VPN Tunnel — The endpoint can be used in SSL VPN tunnels.
  • SSL VPN Portal — The endpoint can be used to access the SSL VPN Portal.
Note: The endpoint must have an IPv4 address if you want to use it in SSL VPN tunnels or to access the SSL VPN Portal.

Policy to Install page

Option Definition
Policy Click Select to select the policy to install on the Firewalls.