About this Help
This online help was created for Secure SD-WAN Manager, version 6.10.100.0.
Open the online help
The Management Client provides context-sensitive online help.
Find product documentation
In the Forcepoint Customer Hub, you can find information about a released product, including product documentation, technical articles, and more.
Links to downloads
Engine upgrades and dynamic update packages are available at these websites.
Conventions
The following typographical conventions and icons are used.
Introduction to the FlexEdge Secure SD-WAN
Before setting up FlexEdge Secure SD-WAN, it is useful to know what the different components do and what engine roles are available.
The FlexEdge Secure SD-WAN
The FlexEdge Secure SD-WAN solution consists of one or more Engines and the Secure SD-WAN Manager. The Secure SD-WAN Manager is the management component of the FlexEdge Secure SD-WAN solution.
Introduction to FlexEdge Secure SD-WAN in the Firewall/VPN role
The FlexEdge Secure SD-WAN in the Firewall/VPN role provides access control and VPN connectivity.
Introduction to FlexEdge Secure SD-WAN in the IPS and Layer 2 Firewall roles
The Engine in the IPS and Layer 2 Firewall roles are part of the FlexEdge Secure SD-WAN solution. The IPS component provides intrusion detection and prevention, and the Layer 2 Firewalls provide access control and deep inspection of traffic.
Deployment
Before you can set up the system and start configuring elements, you must consider how the different Secure SD-WAN Manager components should be positioned and deployed.
Deploying the Secure SD-WAN Manager
When deploying the Secure SD-WAN Manager, there are some general guidelines for positioning components to guarantee the security of the system.
Deploying FlexEdge Secure SD-WAN in the Firewall/VPN role
The positioning of a firewall depends on the network environment and the function of the firewall.
Deploying FlexEdge Secure SD-WAN in IPS and Layer 2 Firewall roles
The positioning of an IPS engine or Layer 2 Firewall depends on the network environment and the function of the IPS engine or Layer 2 Firewall.
Setting up
After deploying the Secure SD-WAN Manager components, you are ready to start using the Management Client and carrying out some of the first configuration tasks.
Using the Management Client
The Management Client provides the user interface for setting up, managing, and monitoring all features in the Secure SD-WAN Manager.
Network address translation (NAT) and how it works
Network address translation (NAT) means changing the IP address or port information in packets. Most often, NAT is used to allow internal hosts to communicate via networks where their actual address is not routable and to conceal the internal network structure from outsiders.
Configuring system communications
System communications involve traffic between Secure SD-WAN Manager components, traffic between Secure SD-WAN Manager components and external components that are a part of the system configuration, and external access into the system.
Managing certificates for system communications
Certificates are proof of identity that Secure SD-WAN Manager components and Engines use to authenticate themselves in communications.
Managing elements
Certain tasks are common to most elements. Some of these tasks are not mandatory for defining an element, but are still helpful as you get your Secure SD-WAN Manager up and running.
Monitoring
You can use the Secure SD-WAN Manager to monitor system components and third-party devices. You can also view and filter logs, and create Reports from them.
Monitoring Engine components
You can monitor Engine components and view system summaries in the Management Client.
Monitoring third-party devices
The Secure SD-WAN Manager can be configured to log and monitor other manufacturers’ devices in much the same way as Secure SD-WAN Manager components are monitored.
Viewing and exporting logged data
You can view log, alert, and audit entries through the log browsing views. You can view data from Secure SD-WAN Manager servers, all types of engines, and from third-party components that are configured to send data to the Secure SD-WAN Manager.
Reports
Reports are summaries of logs and statistics that allow you to combine large amounts of data into an easily viewable form.
Filtering data
Filters allow you to select data based on values that it contains. Most frequently, you use filters when viewing logs, but filters can also be used for other tasks, such as exporting logs and selecting data for reports.
Working with Diagram elements
Diagrams allow you to visualize your network security environment.
Incident Case elements
When suspicious activity is detected, it is important to collect information about the incident and act quickly. The Incident Case element is a tool for investigating incidents of suspicious activity.
Controlling Engines
You can command and set options for engines through the Management Client or on the engine command line. You can also stop traffic manually.
Controlling Engine operation
You can command and set options for Firewall engines, Layer 2 Firewall engines, IPS engines, Master Engines, Virtual Firewalls, Virtual IPS engines, and Virtual Layer 2 Firewalls through the Management Client.
Working on the Engine command line
Although the engines are managed remotely, some operations on the Linux command line on the engines are useful for troubleshooting and local maintenance operations.
Secure SD-WAN Manager configuration
Secure SD-WAN Manager configuration allows you to customize how the Secure SD-WAN Manager components work.
Administrator accounts
Administrator accounts define administrator rights and permissions in the Secure SD-WAN Manager.
Alert escalation
The Secure SD-WAN Manager can escalate the alerts generated so that notifications are sent to the administrators through multiple channels.
Domain elements
Domain elements allow you to restrict which elements are displayed to the administrators in the Management Client and in the optional Web Portal. They also allow you to define in which administrative Domains an administrator has permissions. Configuring Domains requires a special license.
Setting up the Web Portal
The Web Portal provides browser-based access to logs, reports, and Policy Snapshots for specific authorized users. The Web Portal is provided by the Web Portal Server, which is an optional component that you can purchase for your Secure SD-WAN Manager.
Using the Management Client in a web browser
To avoid installing the full Java-based Management Client on each workstation that an administrator uses, you can run the Management Client in a web browser.
Management Client downloads from the Management Server
When the Management Server provides the Management Client for download, administrators can download and install the Management Client from the Secure SD-WAN Manager Downloads page.
Configuring the Log Server
You can modify a Log Server element, configure settings for Log Servers, and recertify Log Servers.
Configuring Secure SD-WAN Manager servers for high availability
You can install several Management Servers and Log Servers to provide high availability for the Secure SD-WAN Manager.
Reconfiguring the Secure SD-WAN Manager and Engines
You can modify settings for Management Servers, change hardware platforms or the IP addresses used in system communications, change the type of certificate authority, and change the role of Engines.
Engine configuration
You can create and modify Firewalls, IPS engines, Layer 2 Firewalls, Master Engines and Virtual Engines. You can configure the Engine properties, activate optional features, and configure advanced Engine settings.
Creating and modifying Engines
Engine elements contain the configuration information that is directly related to the Firewalls, IPS engines, and Layer 2 Firewalls. The configuration information includes interface definitions, cluster mode selection, tester settings, and other options specific to the Engine.
Creating and modifying Master Engine and Virtual Engine elements
Virtual Engines are logically separate Engines that run as virtual instances on a physical appliance. A Master Engine is a physical appliance that provides resources for Virtual Engines.
Network interface configuration
The network interface configuration for Engines is stored on the Management Server in the properties of Single Firewall, Firewall Cluster, Single IPS, IPS Cluster, Single Layer 2 Firewall, Layer 2 Firewall Cluster, Master Engine, and Virtual Engine elements.
Connecting Engines to the Secure SD-WAN Manager
To maintain the security of your system, the Engines establish an authenticated and encrypted connection with Log Servers and Management Servers.
Element-based network address translation (NAT)
Element-based NAT allows you to define NAT addresses in the properties of an element. The NAT definitions define how firewalls translate network IP addresses.
Configuring the Engine tester
The Engine tester runs various checks on the Engine and initiates responses based on the success or failure of these tests.
Engine permissions
You can set permissions to control the administration of the engines.
DNS Relay
DNS relay allows the firewall to provide DNS services for clients in internal networks.
Setting up SNMP for Engines
SNMP is a standard protocol that different equipment can use to send network management-related information to each other. You can configure Engines to send SNMP traps to external equipment.
Setting up LLDP for Engines
Network devices can use the Link Layer Discovery Protocol (LLDP) to advertise their identity, capabilities, and neighbors on a local area network.
Alias element translations for Engines
Alias elements can be used to represent other network elements in configurations. The value an Alias takes in a configuration can be different on each Engine where the Alias is used.
Add-on features for Engines
There are several add-on features that you can use on Firewalls, IPS engines, Layer 2 Firewalls, Virtual Firewalls, Virtual IPS engines, and Virtual Layer 2 Firewalls.
Advanced Engine settings
Advanced settings cover various system parameters related to different features.
Routing
Use the Management Client to configure static or dynamic routing, and use a Multi-Link configuration to manage and distribute inbound and outbound connections.
Configuring routing and antispoofing
Routing defines through which next hop router the Engine forwards traffic from a source address to a destination address. Antispoofing defines which addresses are considered valid source addresses for the networks connected to each interface.
Configuring dynamic routing
With dynamic routing, Engines automatically change their routing when the network topology changes. The Engines can also exchange information about appropriate routing paths.
Outbound traffic management
You can use Multi-Link to distribute outbound traffic between multiple network connections and to provide high availability and load balancing for outbound traffic.
Inbound traffic management
Inbound traffic management ensures that services remain available even when one or more servers or NetLinks fail, and balances the load of incoming traffic more efficiently between a group of servers. Inbound traffic management is not supported on Layer 2 Firewalls or on layer 2 physical interfaces on Firewalls.
Dynamic link selection
When you use Multi-Link for outbound traffic management or Multi-Link VPNs, Engine in the Firewall/VPN role can dynamically select the NetLink or VPN link that best matches the quality requirements of traffic.
Traffic inspection policies
Policies are key elements that contain rules for allowing or blocking network traffic and inspecting the content of traffic.
Creating and managing policy elements
Policy elements are containers for the rules that determine how Engines, Master Engines, and Virtual Engines examine traffic. The policy elements for the engines include Template Policies, Policies, and Sub-Policies.
Ethernet rules
Access rules
Access rules are lists of matching criteria and actions that define how the engine treats different types of network traffic. They are your main configuration tool for defining which traffic is stopped and which traffic is allowed.
NAT rules
Inspection Policy elements
Inspection Policy elements define how the engines look for patterns in traffic allowed through the Access rules and what happens when a certain type of pattern is found.
Snort inspection on Engines
The Snort open source intrusion prevention system is integrated into FlexEdge Secure SD-WAN. You can import externally created Snort configurations into FlexEdge Secure SD-WAN to use Snort rule sets for inspection.
Editing policies
The rules in Firewall, IPS, Layer 2 Firewall, and Layer 2 Interface Policies allow you to control how the engines inspect and filter network traffic, and how NAT (network address translation) is applied on Firewalls, Master Engines, and Virtual Firewalls.
Defining IP addresses
When you define IP addresses as elements, you can use the same definitions in multiple configurations for multiple components.
Working with Service elements
Service elements match traffic based on protocol or port and set options for advanced inspection of traffic. Service elements are used in Firewall Policies, IPS Policies, Layer 2 Firewall Policies, and Layer 2 Interface Policies.
Defining Situation elements
Situation elements contain the context information that defines the pattern that the Engine looks for in the inspected traffic. Situation elements also define the patterns that match events in the traffic.
Using Network Application elements
Network Application elements collect combinations of identified characteristics and detected events in traffic to dynamically identify traffic related to the use of a particular network application.
Defining User Response elements
With the User Response element, you can send customized replies to users, instead of just closing an HTTP or HTTPS connection.
Quality of Service
The Quality of Service (QoS) features allow you to manage bandwidth and prioritize connections on the Engines. QoS features are available on Firewalls, IPS Engines, Layer 2 Firewalls, Master Engines, Virtual Firewalls, Virtual IPS Engines, and Virtual Layer 2 Firewalls.
File filtering
Monitoring and restricting what data is sent out is an important part of data loss prevention (DLP). File filtering allows you to restrict the file types that are allowed in and out through the firewall, and to apply malware detection to files.
Integrating Forcepoint F1E with Engine
If you have installed Forcepoint F1E clients on the endpoints in your network, you can collect information about endpoint clients, and use the information for access control in the Secure SD-WAN Manager.
Filtering URLs
URL filtering allows you to filter URLs based on categories of content or lists of individual URLs.
Anti-malware scanning
An anti-malware scanner compares network traffic against an anti-malware database to search for malware. If malware is found, the traffic is stopped or content is stripped out.
Protocol Agents on Engines
Protocol elements of the Protocol Agent type are special modules for some protocols and services that require advanced processing. Protocol Agents can enforce policies on the application layer.
Sidewinder Proxies
Sidewinder Proxies are software modules that provide network level proxies, protocol validation, and configurable application level protocol filtering and translation on Secure SD-WAN Manager.
Setting up TLS inspection
The TLS inspection feature decrypts TLS connections so that they can be inspected for malicious traffic and then re-encrypts the traffic before sending it to its destination.
Forward traffic to a proxy service for external inspection
In addition to inspecting traffic on the Engine, you can transparently forward traffic to a proxy service in the cloud or on premises. For example, you can forward all HTTP and HTTPS traffic to the Forcepoint Web Security Cloud service.
Blacklisting IP addresses
Blacklisting is a way to temporarily block unwanted network traffic either manually or automatically with blacklist requests from an Engine or Log Server. Firewalls, IPS engines, Layer 2 Firewalls, and Virtual Engines can use a blacklist for blocking traffic.
Users and authentication
User accounts are stored in internal databases or external directory servers. You can use Engine in the Firewall/VPN role or external authentication servers to authenticate users.
Setting up directory servers
A directory server provides access to information about user accounts in a user database. Both internal and external directory servers can be used. Directory servers can be used for user authentication with Engine in the Firewall/VPN role.
Setting up user authentication
You can implement user authentication to control which resources different end users can access. You can use authentication as an access requirement in IPv4 Access and IPv6 Access rules in Firewall Policies. You can use both internal and external user authentication servers.
Virtual private networks
Engine supports both policy-based and route-based VPN (virtual private network) tunnels between VPN gateways. For full remote access, Engine supports both IPsec and SSL VPN tunnels for VPN clients.
VPNs in Engine
A VPN extends a secured private network over public networks by encrypting connections so that they can be transported over insecure links without compromising confidential data.
Configuring VPNs
VPNs allow creating secure, private connections through networks that are not otherwise secure.
Example VPN configurations
The following example configurations outline common VPN use cases.
Managing VPN certificates
A digital certificate is a proof of identity. Engine in the Firewall/VPN role supports using certificates for authenticating gateways and the Forcepoint VPN Client.
Reconfiguring existing VPNs
You can reconfigure and tune existing VPNs.
VPN client settings
Forcepoint VPN Client does not have controls for many settings that are needed for establishing a VPN. These settings are defined in the Secure SD-WAN Manager. Forcepoint VPN Client downloads the settings from the gateways it connects to. VPN clients are only supported in policy-based VPNs.
Configuring the SSL VPN Portal
The SSL VPN Portal uses secure sockets layer (SSL) encryption to allow authenticated users to establish secure connections to internal HTTP and HTTPS services through a standard web browser or through a client application that allows direct network access.
Maintenance and upgrades
Maintenance includes procedures that you do not typically need to do frequently.
Configuration of automatic updates and upgrades
You can configure the Management Server to automatically download and install dynamic update packages, remote upgrades for engines, and licenses.
Backing up and restoring system configurations
Backups contain the necessary configuration information to restore the Secure SD-WAN Manager to the state it was in when the backup was taken.
Managing log data
Log management consists of configuring when log data produced, which log entries are stored, and when stored log entries are deleted or archived. To prevent the Log Server storage from filling up, log data management tools help you manage log entries automatically.
Managing and scheduling Tasks
Tasks define parameters of system maintenance operations. You can run maintenance operations manually or automatically according to a schedule you set.
Managing licenses
All Secure SD-WAN Manager components and Engines must be licensed as a proof of purchase. In addition, some additional features can be activated by installing a feature license.
Upgrading the Secure SD-WAN Manager
You can upgrade the Management Servers, Management Clients, Log Servers, and Web Portal Servers in your Secure SD-WAN Manager.
Upgrading Engines
You can upgrade Firewalls, IPS engines, Layer 2 Firewalls, and Master Engines.
Manual dynamic updates
Dynamic Update packages include changes and additions to the system Policies, Situations, and other elements of the Secure SD-WAN Manager.
Troubleshooting
Troubleshooting helps you resolve common problems in the Engine and Secure SD-WAN Manager.
General troubleshooting tips
General troubleshooting tips help you troubleshoot situations that are not covered by more specific troubleshooting topics.
Troubleshooting accounts and passwords
There are several common problems and solutions related to accounts and passwords.
Messages for troubleshooting
Some common alert and log messages that you might see in the Logs view are useful for troubleshooting.
Troubleshooting Engine operation
There are several common errors and problems that are directly related to the operation of Firewalls, IPS engines, and Layer 2 Firewalls.
Troubleshooting licenses
Licenses are a proof of purchase used for ensuring that your organization is a legal license holder of the software.
Troubleshooting logging
There are some common problems you might encounter when viewing logs or performing tasks related to the log files.
Troubleshooting the Management Client
There are several general problems that you might encounter when using the Management Client.
Troubleshooting NAT
There are some common problems you might encounter with NAT.
Troubleshooting policies
There are some common problems you might encounter when working with policies and the rules that they contain.
Troubleshooting reporting
There are some common problems that you might encounter when generating reports from raw statistical and log data stored on the Log Server.
Troubleshooting upgrades
There are some common problems that you might encounter when upgrading Secure SD-WAN Manager components.
Troubleshooting VPNs
There are some common problems that you might encounter when creating and managing VPNs.
Command line tools
There are command line tools for the Secure SD-WAN Manager and the Engines.
Default communication ports
There are default ports used in connections between Secure SD-WAN Manager components and default ports that Secure SD-WAN Manager components use with external components.
Working with expressions
Expressions are elements that allow you to create simple definitions for representing complex sets of IP addresses by using logical operands.
Predefined Aliases
Predefined Aliases are used in the default policies. Some of them might be useful when you create your own rules.
Situation Context parameters
There are parameters you can define for Situation Contexts.
Regular expression syntax
The Secure SD-WAN Manager has its own regular expression syntax. Regular expressions are used in Situations for matching network traffic. Situations are used in the Inspection rules on Engines.
Schema updates for external LDAP servers
There are Secure SD-WAN Manager-specific LDAP classes and attributes that you add to the schema of external LDAP servers.
Log fields
For descriptions of all log fields, see the following reference.
Keyboard shortcuts
For a list of available shortcut keys in the Management Client, see Knowledge Base article 38538.
Multicasting
The multicasting reference describes the general principles of multicasting and how it can be used with CVIs (cluster virtual IP addresses) in Firewall Clusters.