Edit common properties of several NGFW Engines at the same time
You can select several NGFW Engines and change the properties that are common to all of them.
- Properties specific to one individual NGFW Engine element, such as IP address definitions, are never available in the common properties.
- If you select both single and clustered NGFW Engine elements, the cluster-specific options are not available.
- If you select NGFW Engines of different types, you can only change the properties that are supported for all of the selected element types.
For more details about the product and how to configure features, click Help or press F1.
Common Engine Properties dialog box
Use this dialog box to define common properties for two or more engines.
Option | Definition |
---|---|
General tab | |
Log Server (Not Virtual NGFW Engines) | Specifies the Log Server to which the engines send event data. |
Location (Not Virtual NGFW Engines) | Specifies the location for the engines or clusters if there is a NAT device between the engine and other SMC components. |
Tools Profile (Not Virtual NGFW Engines) | Adds commands to the right-click menu for the element. Click Select to select an element. |
Comment (Optional) | A comment for your own reference. |
General tab Clustering section (Clusters only) | |
Clustering Mode (Not Layer 2 Firewalls) | Note: Only standby clustering mode is supported for Layer 2 Firewall Clusters. |
Filter Mode | Defines how traffic is balanced between the nodes. |
Heartbeat Message Period | Specifies how often clustered NGFW Engines send heartbeat messages to each other (notifying that they are up and running). Enter the value in milliseconds. The default value is 1000 milliseconds (one second). CAUTION: Setting this option too low can result in unnecessary heartbeat failures. Setting this option too high can cause unnecessary service outages when a failure occurs. |
Heartbeat Failover Time | Defines the time from the previous heartbeat message after which a node is treated as failed. Enter the value in milliseconds. The failover time must be at least twice as long as the Heartbeat Message Period. The default value is 5000 milliseconds. CAUTION: Setting this option too low can result in unnecessary heartbeat failures. Setting this option too high can cause unnecessary service outages when a failure occurs. |
Load-Balancing Filter Uses Ports (Firewalls only) | When selected, includes a port value for selecting between all nodes. This setting decreases the granularity of VPN load balancing, and increases the granularity of other traffic load balancing. In typical networks, traffic is balanced based on IP address information only. If there is a dominating pair of communication IP addresses, apply the Use Ports option in the load-balancing filter entry only to their traffic and not globally. Note: Enabling this option is not compatible with some features, such as mobile VPNs. |
Option | Definition |
---|---|
General tab Tester Global Settings section (Not Virtual NGFW Engines) | |
Alert Interval | Specify the time in minutes the NGFW Engine waits before sending a new alert when the same test keeps failing repeatedly. The default value is 60 minutes. If the interval is too short, the alerts can overload the system or the alert recipient. |
Delay After Boot | Specify the time in seconds that the NGFW Engine waits before it resumes running the tests after the NGFW Engine boots. |
Delay After Reconfiguration | Specify the time in seconds that the NGFW Engine waits before it resumes running the tests after a reconfiguration. |
Delay After Status Change | Specify the time in seconds that the NGFW Engine waits before it resumes running the tests after a status change. |
Auto Recovery (Clusters and Master NGFW Engines only) | When selected, the NGFW Engine automatically goes back online when a previously failed test completes successfully. Run the test in both online and offline states if you activate this option. |
Boot Recovery | When selected, the NGFW Engine automatically goes back online after restarting if all offline tests report a success. |
Option | Definition |
---|---|
General tab SNMP section (Not Virtual NGFW Engines) | |
SNMP Agent | Enables the NGFW Engine to send SNMP traps. |
SNMP Location | Specifies the SNMP location string that is returned on queries to the SNMPv2-MIB or SNMPv2-MIB-sysLocation object. |
Option | Definition |
---|---|
General tab LLDP section (Not Virtual NGFW Engines) | |
LLDP Profile (NGFW Engines and Master NGFW Engines in the Firewall/VPN role only) | The LLDP Profile element that specifies the settings for the LLDP announcements that the NGFW Engine sends. Click Select to select an element. |
Option | Definition |
---|---|
General tab Layer 2 Settings section (Firewalls only) | |
Policy for Layer 2 Interfaces | The Layer 2 Interface Policy that contains rules for traffic detected by layer 2 physical interfaces. All layer 2 physical interfaces on the NGFW Engine use the same Layer 2 Interface Policy. If there are no layer 2 physical interfaces, this setting is ignored. |
Layer 2 Connection Tracking Mode | When connection tracking is enabled, reply packets are allowed as part of the allowed connection without an explicit Access rule. You can override this engine-specific setting and configure connection tracking for TCP, UDP, and ICMP traffic in Access rules. |
Bypass Traffic on Overload | When selected, the NGFW Engine dynamically reduces the number of inspected connections if the load is too high. Some traffic might pass through without any access control or inspection if this option is selected. Bypassed traffic is not counted when a possible license throughput limit is enforced. The bypass does not affect traffic subject to TLS Inspection. If this option is not selected, the NGFW Engine inspects all connections. Some connections might not get through if the engine gets overloaded. |
Option | Definition |
---|---|
Routing tab (Firewalls only) | |
Link Usage Profile | To enable dynamic link selection for the NGFW Engine, select a Link Usage Profile element. |
Option | Definition |
---|---|
Add-Ons tab TLS Inspection section (Not Master NGFW Engines) | |
Client Protection Certificate Authority | Select the Client Protection Certificate Authority element to use for client protection. |
Check Certificate Revocation | When selected, the NGFW Engine uses CRL or OCSP to check whether certificates have been revoked. |
Decrypt All Traffic | When selected, the NGFW Engine forces all traffic to be decrypted. When the checkbox is not selected, the NGFW Engine either decrypts or does not decrypt traffic according to the settings in TLS Match elements. |
Cryptography Suite Set (TLS 1.2 and lower) | Specifies the TLS Cryptography Suite Set element that defines which cryptographic algorithms are allowed for TLS traffic that is decrypted for TLS Client Protection. Click Select to select an element. Note: If you use TLS 1.3 with NGFW Engine version 6.11 or higher, the NGFW Engine decrypts all supported TLS 1.3 cryptographic algorithms. |
Option | Definition |
---|---|
Add-Ons tab User Authentication section (Firewall/VPN role only) | |
Authentication Time-Out | Defines the length of time after which authentication expires and users must re-authenticate. |
Authentication Idle Time-Out | Defines an idle timeout for user authentication. If there have been no new connections within the specified time limit after the closing of a user's previous connection, the user is removed from the list of authenticated users. |
HTTP | When selected, allows authentication using plain HTTP connections. Change the Port number if you want to use a different port for the authentication interface. The default port is 80. |
HTTPS | When selected, allows authentication using encrypted HTTPS connections. Change the Port number if you want to use a different port for the authentication interface. The default port is 443. This option is required for client certificate authentication. |
User Authentication Page | Select the User Authentication Page element that defines the look of the logon, challenge, re-authentication, and status page shown to end users when they authenticate. |
Enable Session Handling (Optional) | When selected, enables cookie-based strict session handling. Note: When Enable Session Handling is selected, the Authentication Idle Time-Out option is not available. The Refresh Status Page Every option defines the authentication timeout. |
Refresh Status Page Every (Optional) | Defines how often the status page is automatically refreshed. When Enable Session Handling is selected, defines the authentication timeout. |
Option | Definition |
---|---|
Add-Ons tab User Identification section (Not Master NGFW Engines or Virtual NGFW Engines) | |
User Identification Service | The Forcepoint User ID Service and Integrated User ID Service provide user, group, and IP address information that can be used in transparent user identification. The Integrated User ID Service is primarily meant for demonstration purposes and proof-of-concept testing of user identification services. Note: For Forcepoint NGFW version 6.4 or higher, we recommend that you use the Forcepoint User ID Service. |
Option | Definition |
---|---|
Add-Ons tab Snort section (Not Master NGFW Engines or Virtual NGFW Engines) | |
Enable | When selected, enables Snort inspection for the NGFW Engine. Note: To apply Snort inspection to traffic, you must also create Access rules to select traffic for Snort inspection. |
Snort Configuration (Optional) | The externally created Snort configuration .zip file that contains the Snort configuration files and rules for Snort inspection. All NGFW Engines for which Snort inspection is enabled use the global Snort configuration by default. If you do not want to override settings in the global Snort configuration, it is not necessary to import a Snort configuration file for an individual NGFW Engine. Settings in the Snort configuration .zip file for an individual NGFW Engine are combined with the settings in the global Snort configuration .zip file. If any configuration files in the Snort configuration .zip file for an individual NGFW Engine have the same file names and paths as configuration files in the global Snort configuration .zip file, the overlapping files in the global Snort configuration .zip file are ignored. |
Option | Definition |
---|---|
Policies tab Element-Based NAT section (Firewall/VPN role only) | |
Use Default NAT Address for Traffic from Internal Networks | Select an option to define how the NGFW Engine uses the default NAT address. When you select On or Automatic, a NAT rule is generated at the end of the IPv4 or IPv6 NAT rules in the policy. |
Option | Definition |
---|---|
Policies tab Settings for Automatic Rules section | |
Allow Traffic to Authentication Ports (Firewall/VPN role only) | When selected, allows traffic to the ports that are used for user authentication. |
Allow Traffic from Listening IP Addresses to DNS Relay Port (Firewall/VPN role only) | When selected, allows traffic from clients in the internal network to the standard DNS ports (53/TCP and 53/UDP) on the interfaces that are selected as listening interfaces for DNS relay. |
Allow Connections to Domain-Specific DNS Servers (Firewall/VPN role only) | When selected, allows connections from the firewall to the domain-specific DNS servers specified in the DNS Relay Profile element that is selected for the firewall. |
Allow Connections from Local DHCP Relay to Remote DHCP Server (Firewall/VPN role only) | When selected, allows connections from interfaces on which DHCP relay is active to remote DHCP servers. Note: To relay DHCP messages through a policy-based VPN, you must add specific Access rules to allow the traffic. The Access rules must refer to the correct policy-based VPN. |
Log Level for Automatic Rules | The log level for traffic that matches automatic rules. |
Alert | When the Log Level is set to Alert, specifies the Alert that is sent. |
Option | Definition |
---|---|
VPN tab (Firewall/VPN role only) | |
Gateway Settings | The Gateway Settings element that defines performance-related VPN options. |
Option | Definition |
---|---|
Advanced tab System Parameters section | |
Encrypt Configuration Data | By default, the configuration of the NGFW Engine is stored in an encrypted format. Disable the encryption only if instructed to do so by Forcepoint Customer Hub. |
Contact Node Timeout (Not Virtual NGFW Engines) | The maximum amount of time the Management Server tries to connect to an NGFW Engine. A consistently slow network connection might require increasing this value. The default value is 120 seconds. Note: Setting the timeout value too short or too long can delay or prevent contact between the Management Server and the NGFW Engines. |
Auto Reboot Timeout (Not Virtual NGFW Engines) | Specifies the length of time after which an error situation is considered non-recoverable and the NGFW Engine automatically reboots. The default value is 10 seconds. Set to 0 to disable. |
Policy Handshake (Not Virtual NGFW Engines) | When selected, the nodes automatically roll back to using the previously installed policy if connectivity is lost after installing a new policy. Without this feature, you must switch to the previous configuration manually through the boot menu of the NGFW Engine. Note: We recommend adjusting the timeout (next setting) rather than disabling this feature completely if there is a need to make changes. |
Rollback Timeout (Not Virtual NGFW Engines) | The length of time the NGFW Engine waits for a management connection before it rolls back to the previously installed policy when the Policy Handshake option is active. The default value is 60 seconds. |
Automated Node Certificate Renewal (Not Virtual NGFW Engines) | When selected, the NGFW Engine's certificate for system communications is automatically renewed before it expires. Otherwise, the certificate must be renewed manually. Each certificate for system communications is valid for three years. If the certificate expires, other components refuse to communicate with the NGFW Engine. Note: Does not renew VPN certificates. Automatic certificate renewal for internally signed VPN certificates is set separately in the NGFW Engine's VPN settings. |
FIPS-Compatible Operating Mode (Firewalls only) (Not Virtual NGFW Engines) | When selected, activates a mode that is compliant with the Federal Information Processing Standards (FIPS). Note: You must also select FIPS-specific settings in the NGFW Configuration Wizard on the command line of the NGFW Engine. For more information, see How to install Forcepoint NGFW in FIPS mode. |
Number of CPUs Reserved for Control Plane (Firewalls only) (Not Virtual NGFW Engines) | Select how many CPUs to reserve for control plane operations. In situations where there is exceptionally high traffic, for example during a denial of service attack, this ensures that you can still monitor and control the NGFW Engine operation. Note: The reserved CPUs cannot be used for traffic processing. Using fewer CPUs for traffic processing degrades performance. |
Isolate Also Interfaces for System Communications (Firewalls only) | When selected, the reserved CPUs also handle the system communications traffic that passes through the Control Interfaces and dedicated primary Heartbeat Interfaces. We recommend that you only use this option when the Physical Interfaces used for system communications do not handle any other traffic. |
Option | Definition |
---|---|
Advanced tab Traffic Handling section | |
Layer 3 Connection Tracking Mode (Firewalls only) / Connection Tracking Mode (IPS engines and Layer 2 Firewalls only) | When connection tracking is enabled, reply packets are allowed as part of the allowed connection without an explicit Access rule. You can override this NGFW Engine-specific setting and configure connection tracking for TCP, UDP, and ICMP traffic in Access rules. |
Virtual Defragmenting (Firewalls only) (Not Virtual NGFW Engines) | When selected, fragmented packets are sent onwards using the same fragmentation as when they arrived at the NGFW Engine. When the NGFW Engine receives fragmented packets, it defragments the packets for inspection. The original fragments are queued until the inspection is finished. If the option is not selected, the packets are sent onwards as if they had arrived unfragmented. |
Strict TCP Mode for Deep Inspection (Not Virtual NGFW Engines) | This option is included for backward compatibility with legacy NGFW software versions. |
Concurrent Connection Limit (Not Virtual NGFW Engines) | A global limit for the number of open connections. When the set number of connections is reached, the NGFW Engine stops the next connection attempts until a previously open connection is closed. |
Inspection CPU Balancing Mode (Not Virtual NGFW Engines) | Specifies how inspected connections are allocated between the CPUs. Select from the following options: |
Active Wait Time Between Inspected Packets (Not Virtual NGFW Engines) | Defines how long the inspection process stays active waiting for packets after it has inspected a packet. |
Default Connection Termination in Access Policy (IPS engines and Layer 2 Firewalls only) | Defines how connections that match Access rules with the Discard action are handled. |
Default Connection Termination in Inspection Policy | Defines how connections that match rules with the Terminate action in the Inspection Policy are handled. |
Action When TCP Connection Does Not Start With a SYN Packet (Not Master NGFW Engines) | The NGFW Engine refuses TCP connections if the TCP connection does not start with a SYN packet, even if the TCP connection matches an Access rule with the Allow action. The NGFW Engine does not send a TCP reset if the TCP connection begins with a TCP reset packet. |
Option | Definition |
---|---|
Advanced tab Certificate Validation section (Not Virtual NGFW Engines) | |
HTTP Proxy (Optional) | When specified, OCSP and CRL lookups are sent through an HTTP proxy instead of the engine accessing the external network directly. |
Timeout for OCSP and CRL Lookups | The maximum amount of time that the engine tries to connect to the CRL or OCSP server if the connection has failed. The default is 120 seconds. |
Option | Definition |
---|---|
Advanced tab SYN Rate Limits section | |
SYN Rate Limits | Limits for SYN packets sent to the NGFW Engine. |
Allowed SYNs per Second | (When SYN Rate Limits is Custom) The number of allowed SYN packets per second. |
Burst Size | (When SYN Rate Limits is Custom) The number of allowed SYNs before the NGFW Engine starts limiting the SYN rate. CAUTION: We recommend setting the Burst Size value to at least one tenth of the Allowed SYNs per Second value. If the burst size is too small, SYN rate limits do not work. For example, if the value for Allowed SYNs per Second is 10000, the Burst Size value must be at least 1000. |
Option | Definition |
---|---|
Advanced tab Log Handling section (Not Virtual NGFW Engines) | |
Log Spooling Policy (Not Virtual NGFW Engines) | Defines what happens when the log spool becomes full. |
Store a Copy of Recent Log Files on the NGFW Engine | When selected, the NGFW Engine stores copies of logs according to the specified settings. |
Maximum Time | The maximum length of time for which to store copies of logs. Values can be 1–720 hours (the maximum is 30 days), or not specified. If a value is not specified, the NGFW Engine stores copies of logs until the limits specified in the Guaranteed Free Spool Partition or Guaranteed Free Spool Partition Size options are reached. |
Guaranteed Free Spool Partition | The minimum percentage of the spool partition that must be kept free. When the amount of free space reaches the limit, the NGFW Engine starts deleting the oldest stored copies of log and alert entries when a new log or alert entry is saved. Values can be 5–80 %, or not specified. Note: You must enter a value for at least one of the guarantee options. If you enter a value for both options, both limits are enforced. |
Guaranteed Free Spool Partition Size | The minimum amount of file space, in MB, on the spool partition that must be kept free. When the amount of free space reaches the limit, the NGFW Engine starts deleting the oldest stored copies of log and alert entries when a new log or alert entry is saved. Values can be 50–1000 MB, or not specified. Note: You must enter a value for at least one of the guarantee options. If you enter a value for both options, both limits are enforced. |
Option | Definition |
---|---|
Advanced tab Scan Detection section | |
Scan Detection Mode | When you enable scan detection, the number of connections or connection attempts within a time window is counted. |
Create a log entry when the system detects section | Allows you to set thresholds for creating log entries. When the specified number of events for the specified time period is exceeded, log entries are created. The following options are available for each protocol: |
Log Level | Specifies the log level for the log entries. |
Alert | When the Log Level is set to Alert, specifies the Alert that is sent. |
Severity | When the Log Level is set to Alert, allows you to override the severity defined in the Alert element. |
Option | Definition |
---|---|
Advanced tab Rate-Based DoS Protection section (Not Master NGFW Engines) | |
Rate-Based DoS Protection Mode | Enables or disables DoS protection, which can help prevent Denial of Service (DoS) attacks. |
SYN Flood Sensitivity | When SYN flood protection is activated, the NGFW Engine acts as a SYN proxy. The engine completes the TCP handshake with the client, and only initiates the connection with the server after the client has completed the TCP handshake. |
Limit for Half-Open TCP Connections (Optional) | Set the maximum number of half-open TCP connections per destination IP address. The minimum is 125, the maximum is 100 000. When the limit is exceeded, the SYN flood protection is activated, and log data is generated. |
Slow HTTP Request Sensitivity | The NGFW Engine analyzes the data transfer rate and the length of time it takes to read the header fields of the HTTP request. If the sender of the request tries to keep the connection open for an unreasonable length of time, the NGFW Engine adds the sender's IP address to the block list for a specified length of time. |
Slow HTTP Request Block List Timeout | The length of time for which IP addresses that are suspected of sending malicious traffic are kept on the block list. Enter the time in seconds (the default is 300). |
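Several of the constraints in the Clustering, SYN Rate Limits, Log Handling, and Rate-Based DoS Protection sections above are easy to violate when the same values are pushed to many engines at once: the Heartbeat Failover Time must be at least twice the Heartbeat Message Period, the Burst Size must be at least one tenth of the Allowed SYNs per Second, the half-open connection limit and spool values have fixed ranges, and at least one spool guarantee must be set. The pre-flight check below is an added example, not Forcepoint documentation or SMC code; its field names are assumptions for illustration and do not map to any SMC API.

```python
"""Pre-flight check for values entered in the Common Engine Properties dialog.

Added example: not Forcepoint documentation or SMC code. The field names are
assumptions for illustration and do not correspond to any SMC API. The checks
encode the constraints stated in the dialog box reference.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CommonEngineProps:
    # Clustering section (milliseconds; defaults as documented)
    heartbeat_message_period_ms: int = 1000
    heartbeat_failover_time_ms: int = 5000
    # SYN Rate Limits section; the per-second and burst values apply only in Custom mode
    syn_rate_limits_custom: bool = False
    allowed_syns_per_second: Optional[int] = None
    burst_size: Optional[int] = None
    # Rate-Based DoS Protection section (optional limit per destination IP address)
    half_open_tcp_limit: Optional[int] = None
    # Log Handling section (only checked when copies of recent logs are stored)
    store_recent_logs: bool = False
    maximum_time_hours: Optional[int] = None
    free_spool_percent: Optional[int] = None
    free_spool_mb: Optional[int] = None


def validate(p: CommonEngineProps) -> List[str]:
    """Return the constraint violations found; an empty list means the values are consistent."""
    problems: List[str] = []

    # Heartbeat Failover Time must be at least twice the Heartbeat Message Period.
    if p.heartbeat_failover_time_ms < 2 * p.heartbeat_message_period_ms:
        problems.append(
            f"Heartbeat Failover Time {p.heartbeat_failover_time_ms} ms is less than twice "
            f"the Heartbeat Message Period {p.heartbeat_message_period_ms} ms"
        )

    # Custom SYN rate limits: Burst Size must be at least one tenth of Allowed SYNs per Second.
    if p.syn_rate_limits_custom:
        if p.allowed_syns_per_second is None or p.burst_size is None:
            problems.append("Custom SYN Rate Limits need both Allowed SYNs per Second and Burst Size")
        elif p.burst_size * 10 < p.allowed_syns_per_second:
            problems.append(
                f"Burst Size {p.burst_size} is below one tenth of Allowed SYNs per Second "
                f"{p.allowed_syns_per_second}; SYN rate limiting would not work"
            )

    # Limit for Half-Open TCP Connections: 125 to 100 000 when set.
    if p.half_open_tcp_limit is not None and not 125 <= p.half_open_tcp_limit <= 100_000:
        problems.append(f"Limit for Half-Open TCP Connections {p.half_open_tcp_limit} is outside 125-100000")

    # Log Handling: ranges and the at-least-one-guarantee rule apply when copies are stored.
    if p.store_recent_logs:
        if p.maximum_time_hours is not None and not 1 <= p.maximum_time_hours <= 720:
            problems.append(f"Maximum Time {p.maximum_time_hours} h is outside 1-720")
        if p.free_spool_percent is None and p.free_spool_mb is None:
            problems.append("At least one Guaranteed Free Spool Partition option must be set")
        if p.free_spool_percent is not None and not 5 <= p.free_spool_percent <= 80:
            problems.append(f"Guaranteed Free Spool Partition {p.free_spool_percent} % is outside 5-80")
        if p.free_spool_mb is not None and not 50 <= p.free_spool_mb <= 1000:
            problems.append(f"Guaranteed Free Spool Partition Size {p.free_spool_mb} MB is outside 50-1000")

    return problems


if __name__ == "__main__":
    # Constructed sample: the page's own SYN example with a burst size one below the minimum.
    sample = CommonEngineProps(syn_rate_limits_custom=True, allowed_syns_per_second=10000, burst_size=999)
    for problem in validate(sample):
        print(problem)
```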
Option | Definition |
---|---|
Advanced tab TCP Reset section (Not Master NGFW Engines) | |
TCP Reset Sensitivity | When enabled, the NGFW Engine checks the sequence numbers of TCP RST segments to determine whether it is under a TCP Reset attack. You cannot override this setting in individual Access rules. |
Option | Definition |
---|---|
Advanced tab General Authentication Settings section (Firewall/VPN role only) | |
Default User Domain | The default LDAP domain from which the NGFW Engine looks up users. Note: This setting applies to all user authentication, including browser-based user authentication, VPN clients, and the SSL VPN Portal. |
Allow user lookup from known User Domain matching to client certificate email domain or UPN suffix | When selected, the NGFW Engine looks up the user from the domain specified in the email address or user principal name before looking up the user in the default domain. Note: This option is ignored when the value of the Client Certificate Identity Field for TLS option is Distinguished Name. |
Client Certificate Identity Field for TLS | The attribute that is used to look up the user entry from the user domain when using TLS. The NGFW Engine only uses values from the Active Directory or LDAP server that is associated with the global default LDAP domain or the engine-specific default user domain. |