Create additional Management Server elements
Any new Management Server elements you add to an existing Secure SD-WAN Manager are considered to be additional Management Servers. You can set up several additional Management Servers.
The number of additional Management Servers you can create depends on the Management Server license.
For more details about the product and how to configure features, click Help or press F1.
Steps
Management Server Properties dialog box
Use this dialog box to define Management Server properties.
Option | Definition |
---|---|
General tab | |
Name | The name of the element. |
Installation ID | Shows the unique installation identifier (UIID) for the Secure SD-WAN Manager. |
IPv4 Address | Specifies the IPv4 address of the server. The server can have both an IPv4 and an IPv6 address. |
IPv6 Address | Specifies the IPv6 address of the server. The server can have both an IPv4 and an IPv6 address. |
Resolve | Automatically resolves the IP address of the server. |
Location
(Optional) |
Specifies the location to which the server belongs if there is a NAT device between the server and other Secure SD-WAN Manager components. |
Contact Addresses section (All optional settings) |
|
Default | Used by default when a component that belongs to another Location connects to this server. |
Exceptions | Allows you to define exceptions to the default contact address. Opens the Exceptions dialog box. |
Log Server | Specifies the Log Server to which the server sends its logs. |
RADIUS Method
(Optional) |
Specifies a RADIUS authentication method for authenticating administrators.
|
TACACS Method
(Optional) |
Specifies a TACACS+ authentication method for authenticating administrators.
|
TLS Credentials (Optional) |
Specifies the TLS Credentials element that is used for certificate-based authentication of administrators. |
TLS Profile (Optional) |
Specifies the TLS Profile element that is used for certificate-based authentication of administrators. |
Include in Database Replication
(Multiple Management Servers only) |
When selected, the Management Server is included in database replication between Management Servers for high availability. CAUTION: Leave
this option selected unless you have a specific reason to deselect it. Deselecting this option makes the Management Server's database incompatible with the databases of
the other Management Servers.
|
Audit Storage Full | Specifies the action when the Management Server detects that the audit storage is full.
|
Category (Optional) |
Includes the element in predefined categories. Click Select to select a category. |
Tools Profile | Adds commands to the right-click menu for the element. Click Select to select an element. |
Comment (Optional) |
A comment for your own reference. |
Option | Definition |
---|---|
Notifications tab | |
E-mail section — Specifies email notification details. | |
SMTP Server | Select the SMTP Server that is used to send the alert notifications as email. Click Select to select an element. |
Sender Name | Enter the name to be used in the From field of the email. If this setting is left blank, the Default Sender Name defined in the SMTP Server Properties is used. |
Sender Address | Enter the email address to be used in the From field of the email. If this setting is left blank, the Default Sender Address defined in the SMTP Server Properties is used. |
SMS section Click Add to add an element to the table, or Remove to remove the selected element. Click Up or Down to move the selected item up or down. |
|
Name | Shows the name of the channel. |
Channel Type | Shows the type of the channel.
You can add multiple SMS Channels Types. If the first SMS Channel fails, the subsequent SMS channels are used in the order in which they are listed. Use the Up and Down buttons to change the order of the channels if necessary. |
Host/URL/Script | Shows the server, URL, or script used for SMS notification. |
Edit | Opens the Channel Properties dialog box for the selected entry. |
SNMP section | |
Gateways | Enter the host name or IP address of the SNMP Gateways to which the alert notifications are sent as SNMP traps. You can specify a list of gateways separated by semicolons. If your SNMP gateway port is not the default port 162, specify the port number by typing a colon and the port after the host name (for example, snmp-gw:4390). |
Custom Alert Scripts section | |
Root Path | Enter the root path on the Management Server where custom alert scripts are executed. The default location is Do not define the script name here. Add the script name in the Alert Chain at each place you want to call a particular script. You can use multiple scripts. |
Option | Definition |
---|---|
Secure SD-WAN Manager Web Access tab | |
Enable | Enables the feature. |
Host Name
(Optional) |
Enter the host name that the service uses. Leave the field blank to allow requests to any of the server’s host names. |
Port Number |
Enter the TCP port number that the service listens to. By default, port 8085 is used when Secure SD-WAN Manager Web Access is enabled on the Management Server and port 8083 when enabled on the Web Portal Server. Note: Make sure that the listening port is not in use on the server.
|
Listen Only on Address
(Optional) |
If the server has several addresses and you want to restrict access to one address, specify the IP address to use. |
Session Timeout | Enter the timeout in seconds after which the session expires. While the session is still active, the administrator does not need to log on again if they close the web browser. |
Server Credentials | You must select the TLS Credentials element that is used for HTTPS connections. Click Select to select an element. |
Generate Server Logs
(Optional) |
Select if you want to log all file load events for further analysis with external web statistics software. |
Use SSL for session ID
(Optional) |
Track sessions in your web application. Do not select this option if your network requires you to use cookies or URIs for session tracking. |
Option | Definition |
---|---|
Secure SD-WAN Manager API tab | |
Enable | Enables the feature. |
Host Name | Enter the host name that the service uses. Leave the field blank to allow requests to any of the server’s host names. Note: API requests are served only if the API request is made to this host name. To allow API
requests to any host name, leave this field blank.
|
Port Number
(Optional) |
Enter the TCP port number that the service listens to. By default, port 8082 is used. In Linux, the value of this parameter must always be higher than 1024. |
Listen Only on Address
(Optional) |
If the server has several addresses and you want to restrict access to one address, specify the IP address to use. |
Server Credentials | You must select the TLS Credentials element that is used for HTTPS connections. Click Select to select an element. |
Generate Server Logs
(Optional) |
Select if you want to log all file load events for further analysis with external web statistics software. |
Use SSL for session ID
(Optional) |
Track sessions in your web application. Do not select this option if your network requires you to use cookies or URIs for session tracking. |
Option | Definition |
---|---|
Secure SD-WAN Manager Downloads tab | |
Enable | Enables the feature. |
ECA Evaluation | To easily deploy Forcepoint One Endpoint to a limited set of users for evaluation purposes, enable the ECA Evaluation feature. For more information, see Knowledge Base article 16193. |
Management Client Download | When selected, the Management Server provides the Management Client for download on the Secure SD-WAN Manager Downloads page. |
Host Name
(Optional) |
Enter the host name that the service uses. Leave the field blank to allow requests to any of the server’s host names. |
Port Number |
Enter the TCP port number that the service listens to. By default, port 8080 is used for new Secure SD-WAN Manager installations, and port 8084 is used when you upgrade the Secure SD-WAN Manager. Note: Make sure that the listening port is not in use on the server.
|
Listen Only on Address
(Optional) |
If the server has several addresses and you want to restrict access to one address, specify the IP address to use. |
Server Credentials | You must select the TLS Credentials element that is used for HTTPS connections. Click Select to select an element. |
Generate Server Logs
(Optional) |
Select if you want to log all file load events for further analysis with external web statistics software. |
Option | Definition |
---|---|
Announcement tab | |
Display announcement to Web Portal Users | Enables you to display announcements to the administrators who log on to the Web Portal. Enter the announcement in the field. The length is limited to 160 characters. You can add formatting to the announcement with standard HTML tags (which are also included in the character count). |
Option | Definition |
---|---|
Connection tab | |
Proxy Settings | |
Use proxy server for HTTPS connection | Select if the connection from the Management Server to the Forcepoint servers requires a proxy server. |
Proxy address | Defines the address of the HTTP proxy. |
Proxy port | Defines the port of the HTTP proxy. |
Authenticate to the proxy server | Select if the proxy server requires user authentication. |
Proxy user name | Enter the user name for the proxy user. |
Proxy user password | Enter the password for the proxy user. By default, passwords and keys are not shown in plain text. To show the password or key, deselect the Hide option. |
Option | Definition |
---|---|
Elasticsearch tab The Elasticsearch tab is only visible after you have created an Elasticsearch Cluster element. Important: Forwarding log data to an Elasticsearch cluster is an advanced feature that requires knowledge of how to configure Elasticsearch. You must already have an Elasticsearch cluster deployed and configured in your environment.
|
|
Elasticsearch Cluster | Shows the Elasticsearch cluster that receives log data from the SMC server. |
Client Authentication Settings |
Defines how the connection between the server and the Elasticsearch cluster is secured.
|
TLS Certificate |
(When Override is selected.) Specifies the TLS certificate that is used to secure the connection between the SD-WAN Manager server and the Elasticsearch cluster.
|
Option | Definition |
---|---|
Audit Forwarding or Log Forwarding tab Click Add to add a row to the table, or Remove to remove the selected row. |
|
Target Host | The Host element that represents the target host to which data is forwarded. Double-click to open the Select Host dialog box. |
Service | Click the cell, then select the network protocol for forwarding data from the drop-down list. For log data in IPFIX or NetFlow v9 format, UDP is the only available network
protocol. Note: You might have to define an Access rule that allows traffic to the target host. In this case, make sure that the Service you select is also used as the
Service in the Access rule.
|
Port | The Port that is used for forwarding data. Double-click to edit the cell. The default port is 2055. For log data, the default port used by IPFIX/NetFlow data collectors is
2055. Note: You might have to define an Access rule that allows traffic to the target host. In this case, make sure that the Port you select is also used as the Port in the
Access rule.
|
Format | Click the cell, then select the data forwarding format from the drop-down list.
|
Filter
(Optional) |
An optional local filter that defines which data is forwarded. The local filter is only applied to the data that matches the Audit Forwarding or Log Forwarding rule. Double-click to open the Local Filter Properties dialog box. |
TLS Profile | Allows you to select a TLS Profile element that contains settings for cryptography, trusted certificate authorities, and the TLS version used in TLS-protected traffic. Double-click to open the Select Element dialog box. The TLS Profile is only available if you have selected TCP with TLS as the Service. |
TLS Server Identity
(Optional) |
(When a TLS Profile is selected) Select the identity of a TLS server to secure the TLS-protected traffic from the Management Server or Log Server to an external syslog server. Double-click to open the TLS Server Identity dialog box. |
TLS Certificate Used for Forwarding Logs | Select the certificate for TLS-protected data forwarding.
|
Option | Definition |
---|---|
NAT tab (All optional settings) |
|
Firewall | Shows the selected firewall. |
NAT Type | Shows the NAT translation type: Static or Dynamic. |
Private IP Address | Shows the Private IP Address. |
Public IP Address | Shows the defined Public IP Address. |
Port Filter | Shows the selected Port Filters. |
Comment | An optional comment for your own reference. |
Add NAT Definition | Opens the NAT Definition Properties dialog box. |
Edit NAT Definition | Opens the NAT Definition Properties dialog box for the selected definition. |
Remove NAT Definition | Removes the selected NAT definition from the list. |