Edit add-on settings for NGFW Engines

You can edit add-on settings in the Engine Editor.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click an engine element, then select Edit <element type>.
  2. In the navigation pane on the left, expand the Add-Ons branch.
  3. Browse to the add-on settings that you want to edit, then adjust the settings.
  4. Click Save and Refresh to save the changes to the configuration and refresh the policy on the engine.

Engine Editor > Add-Ons

Use this branch to view a summary of the add-on features and the status of each feature.

Engine Editor > Add-Ons > Anti-Malware

Use this branch to enable and change settings for anti-malware checks on the NGFW Engine.

Option Definition
Enable Enables anti-malware checks.
Malware Log Level The log level for anti-malware events.
  • None — Does not create any log entry.
  • Transient — Creates a log entry that is displayed in the Current Events mode in the Logs view, but is not stored.
  • Stored — Creates a log entry that is stored on the Log Server.
  • Essential — Creates a log entry that is shown in the Logs view and saved for further use.
  • Alert — Triggers the alert you select.
Alert When the Log Level is set to Alert, specifies the Alert that is sent.
Option Definition
Malware Signature Update Settings section
Update Frequency Defines how often the NGFW Engine checks for updates to the anti-malware database.
  • Never — The NGFW Engine does not check for updates. You must update the anti-malware database manually.
  • When Anti-Malware Daemon Starts — Checks when the anti-malware daemon starts. The daemon starts, for example, when the anti-malware feature is enabled or when the NGFW Engine restarts.
  • Every Hour — Checks for updates once an hour.
  • Daily — Checks for updates once a day. Set the time of day.
  • Weekly — Checks for updates once a week. Set the day and time of day.
Option Definition
Malware Signature Mirror Settings section
Mirror(s) Enter the URL of the anti-malware database mirror that the NGFW Engine contacts to update the anti-malware database. Separate multiple addresses with commas.
Use HTTP Proxy

(Optional)

Specifies that the NGFW Engine uses an HTTP proxy to connect to the anti-malware database mirrors.
Host The IP address or DNS name of the HTTP proxy.
Port The listening port of the HTTP proxy.
Username The user name for authenticating to the HTTP proxy.
Password The password for authenticating to the HTTP proxy. By default, passwords and keys are not shown in plain text. To show the password or key, deselect the Hide option.

Engine Editor > Add-Ons > Data Protection

Use this branch to enable ICAP for data protection on the NGFW Engine.

Option Definition
Enable ICAP for data protection When selected, the NGFW Engine sends files to the specified ICAP servers for DLP scanning.
ICAP Servers list

Click Add to add an element to the list, or Remove to remove the selected element.

If you add multiple ICAP servers, traffic is balanced between the ICAP servers.

Engine Editor > Add-Ons > File Reputation

Use this branch to enable file reputation services for file filtering.

Option Definition
File Reputation Service Select the file reputation service to use.
  • None — Disables file reputation services.
  • Threat Intelligence Exchange (TIE)This option is included for backward compatibility with legacy NGFW software versions. McAfee Threat Intelligence Exchange (TIE) is no longer supported in NGFW 6.10 and higher.
  • Global Threat Intelligence (GTI) — Enables the use of McAfee GTI file reputation services for file filtering.
Option Definition
When File Reputation Service is Global Threat Intelligence (GTI)
HTTP Proxies

(Optional)

When specified, requests are sent through an HTTP proxy instead of the engine accessing the external network directly. Click Add to add an element to the list, or Remove to remove the selected element.
Note: You can only use one HTTP proxy for the connection to the McAfee Global Threat Intelligence file reputation service. If you select more than one HTTP proxy, the additional HTTP proxies are ignored.

Engine Editor > Add-Ons > IPv6 Transition Mechanism

Use this dialog to enable IPv6 transition mechanisms that enable communication between devices that have only IPv4 addresses and devices that have only IPv6 address.

Option Definition
Type Select one of the following translation modes:
  • NAT64: Allows only IPv6 connectivity to customers while still enabling access to servers that have only IPv4 address. Following fields need to be set:
    • Local IPv4 pools: IPv4 addresses used in translation.
    • NAT64 IPv6 prefix: 32,40,48,56,64 or 96 bit IPv6 prefix. IPv6 addresses matching this prefix will be translated to IPv4 addresses. (96 bit prefix recommended).
    • Static mappings (Optional): Can be used to ensure that specific IPv6 address & port combination will be always translated to specific IPv4 address & port combination. IPv4 address must be from the local IPv4 pool.
  • 464XLAT CLAT: Enables IPv4-only applications to work on IPv6-only networks. Following fields need to be set:
    • Local IPv6 Prefix: 32,40,48,56,64, or 96 bit IPv6 prefix (96 bit prefix recommended) which will be used when translating local IPv4 addresses. Surrounding network must route traffic matching this prefix to NGFW.
    • Remote IPv6 Prefix: 32,40,48,56,64 or 96 bit IPv6 prefix (96 bit prefix recommended) which will be used when translating non-local IPv4 addresses. This prefix must match the NAT64 prefix configured to the remote 464XLAT PLAT.
  • SIIT EAM: Allows any IPv4 address to be converted to an IPv6 address by way of one simple configurable IPv6 prefix. Following fields need to be set:
    • Default IPv6 Address pool: 32,40,48,56,64 or 96 bit IPv6 prefix (96 bit prefix recommended) which will be used when translating between IPv4 and IPv6 addresses. This prefix will be used when explicit mapping entries are not matching.
    • SIIT EAM Mappings (Optional): Combination of IPv4 network prefix and IPv6 prefix definition. IPv4 prefix value must have identical or smaller number of suffix bits than its corresponding IPv6 prefix value.

Engine Editor > Add-Ons > OPC UA Inspection

Use this branch to change inspection settings for open platform communications unified architecture (OPC UA). For information about OPC UA, see Knowledge Base article 12491.

Engine Editor > Add-Ons > QUIC Inspection

Use this dialog box to activate QUIC inspection.

Option Definition
Include QUIC ports for Web Traffic This option is enabled by default and activates QUIC inspection to the application traffic.
Discard QUIC if inspection not possible
  • If you select the option and enable TLS inspection, the access rule which allows the traffic enables decryption, then the Engine discards the QUIC traffic. As a result, the client application reverts to using TLS, which can be decrypted.
  • If you select the option and enable TLS inspection, however; the access rule which allows the traffic disables decryption, then QUIC traffic is allowed.
  • If you select the option but has not enabled TLS inspection, then QUIC traffic will be allowed.
  • If you do not select the option, then QUIC will always be allowed if it is included in an allowing access rule, no matter if TLS inspection is enabled, or if the allowing access rule enables decryption.

Engine Editor > Add-Ons > Sandbox

Use this branch to select and configure sandbox servers for NGFW Engines.

Option Definition
Sandbox Type Specifies which type of sandbox the NGFW Engine uses for sandbox file reputation scans.
  • None — The NGFW Engine does not use a sandbox.
  • Advanced Malware Detection & Protection — The engine uses the Advanced Malware Detection & Protection cloud service for sandbox analysis and file reputation scan.
    Note: This is a licensed service which requires a subscription to use.
  • Cloud Sandbox - Forcepoint Advanced Malware Detection — The engine uses the cloud sandbox for Forcepoint Advanced Malware Detection.
  • Local Sandbox - Forcepoint Advanced Malware Detection — The engine uses the local sandbox for Forcepoint Advanced Malware Detection.
    Note: To use the local sandbox for Forcepoint Advanced Malware Detection, you must have a Forcepoint Advanced Malware Detection appliance.
  • Local Sandbox - McAfee Advanced Threat Defense (ATD) — The engine uses McAfee Advanced Threat Defense.
    Note: McAfee Advanced Threat Defense is no longer supported in NGFW version 6.4.0 and higher. We recommend that you use Forcepoint Advanced Malware Detection instead.
Option Definition
When Sandbox Type is Advanced Malware Detection & Protection
Sandbox Service Specifies the sandbox service that the firewall contacts to request a file reputation with the file hash (SHA256), and if not found, sends the file for sandbox analysis. Click Select to select an element.
HTTP Proxies

(Optional)

When specified, requests are sent through an HTTP proxy instead of the engine accessing the external network directly.

Add — Allows you to add an HTTP Proxy to the list.

Remove — Removes the selected HTTP Proxy from the list.

Option Definition
When Sandbox Type is Cloud Sandbox - Forcepoint Advanced Malware Detection
License Key

(Optional)

The license key for the connection to the sandbox server.

  • If you have not entered a license key in the properties of the Sandbox Service element, you must enter a license key here.
  • If you have entered a license key in the properties of the Sandbox Service element, you can optionally enter a license key here to override the global setting.
Note: The license defines the home data center where files are analyzed. Enter the key and license token for the data center that you want to use as the home data center.
CAUTION:
The license keys and license tokens allow access to confidential analysis reports. Handle the license key and license token securely.
License Token

(Optional)

The license token for the connection to the sandbox server.

  • If you have not entered a license token in the properties of the Sandbox Service element, you must enter a license key here.
  • If you have entered a license token in the properties of the Sandbox Service element, you can optionally enter a license token here to override the global setting.
Sandbox Service Specifies the sandbox service that the firewall contacts to request file reputation scans. Click Select to select an element.
HTTP Proxies

(Optional)

When specified, requests are sent through an HTTP proxy instead of the engine accessing the external network directly.

Add — Allows you to add an HTTP Proxy to the list.

Remove — Removes the selected HTTP Proxy from the list.

Option Definition
When Sandbox Type is Local Sandbox - Forcepoint Advanced Malware Detection
License Key

(Optional)

The license key for the connection to the sandbox server.

  • If you have not entered a license key in the properties of the Sandbox Service element, you must enter a license key here.
  • If you have entered a license key in the properties of the Sandbox Service element, you can optionally enter a license key here to override the global setting.
License Token

(Optional)

The license token for the connection to the sandbox server.

  • If you have not entered a license token in the properties of the Sandbox Service element, you must enter a license key here.
  • If you have entered a license token in the properties of the Sandbox Service element, you can optionally enter a license token here to override the global setting.
Sandbox Service Specifies the sandbox service that the firewall contacts to request file reputation scans. Click Select to select an element.
HTTP Proxies

(Optional)

When specified, requests are sent through an HTTP proxy instead of the engine accessing the external network directly.

Add — Allows you to add an HTTP Proxy to the list.

Remove — Removes the selected HTTP Proxy from the list.

Engine Editor > Add-Ons > Sidewinder Proxy

Use this branch to enable and configure Sidewinder Proxies.

Option Definition
Enable When selected, enables Sidewinder Proxy.
Sidewinder Logging Profile The selected Sidewinder Logging Profile element for the engine. Click Select to open the Select Element dialog box, where you can select a Sidewinder Logging Profile.
SSH Proxy Settings specific to the SSM SSH Proxy.
SSH Known Hosts Lists The selected SSH Known Hosts List elements for the engine. Click Add to add an element to the list, or Remove to remove the selected element.
Host Keys The SSH host keys used by the firewall when it acts as the SSH server in a connection that uses the SSM SSH Proxy. Click Add to add a row to the table, or Remove to remove the selected row. To import an existing host key, click Import.
Key Type Shows the signature algorithm used for the host key.
Key Length Shows the length of the host key.
SHA256 Fingerprint Shows the SHA256 fingerprint of the host key.
SSH Proxy Services The SSH Proxy Service element with which the host key is used. Double-click the field to open the Select Element dialog box, where you can select a Service element.
Comment

(Optional)

A comment for your own reference.
Advanced Settings Opens the Advanced Sidewinder Proxy Settings dialog box.

Engine Editor > Add-Ons > Snort

Use this branch to override settings in the global Snort configuration for specific NGFW Engines.

Note: These settings are not supported for Master NGFW Engines or Virtual NGFW Engines.
Option Definition
Enable When selected, enables Snort inspection for the NGFW Engine.
Note: To apply Snort inspection to traffic, you must also create Access rules to select traffic for Snort inspection.
Snort Configuration

(Optional)

The externally created Snort configuration .zip file that contains the Snort configuration files and rules for Snort inspection.
  • Click Browse to select a file.
  • Click None to remove a previously imported file.
  • Click Export to export the Snort configuration file.

All NGFW Engines for which Snort inspection is enabled use the global Snort configuration by default. If you do not want to override settings in the global Snort configuration, it is not necessary to import a Snort configuration file for an individual NGFW Engine.

Settings in the Snort configuration .zip file for an individual NGFW Engine are combined with the settings in the global Snort configuration .zip file. If any configuration files in a Snort configuration .zip file for an individual NGFW Engine have the same files name and paths as configuration files in the global Snort configuration .zip file, the overlapping files in the global Snort configuration .zip file are ignored.

Engine Editor > Add-Ons > TLS Inspection

Use this branch to activate TLS inspection. You can configure TLS inspection for client or server protection.

Note: These settings are not supported for Master NGFW Engines.
Option Definition
Client Protection Certificate Authority Select the Client Protection Certificate Authority element to use for client protection.
TLS Credentials Specifies the Server Protection Credentials elements that are used for server protection. Click Add to add an element to the list, or Remove to remove the selected element.
Check Certificate Revocation When selected, the NGFW Engine uses CRL or OCSP to check whether certificates have been revoked.
Decrypt All Traffic When selected, the NGFW Engine forces all traffic to be decrypted. When the checkbox is not selected, the NGFW Engine either decrypts or does not decrypt traffic according to the settings in TLS Match elements.
Cryptography Suite Set

(TLS 1.2 and lower)

Specifies the TLS Cryptography Suite Set element that defines which cryptographic algorithms are allowed for TLS traffic that is decrypted for TLS Client Protection. Click Select to select an element.
Note: If you use TLS 1.3 with NGFW Engine version 6.11 or higher, the NGFW Engine decrypts all supported TLS 1.3 cryptographic algorithms.
Do not decrypt destinations signed with these certificates The NGFW Engine does not decrypt the TLS connection where the server certificate is signed by one of the issuer certificates listed in this field.
Active destination server certificate probing When selected, it enables the NGFW Engine to fetch the server certificate over a separate TLS connection before establishing the original connection.
Server certificate cache timeout The set value for this field determines how long the previously fetched certificates are to be retained.

Engine Editor > Add-Ons > ThreatSeeker

Use this branch to select HTTP Proxy elements for the connection to the ThreatSeeker Intelligence Cloud.

Option Definition
Enable When selected, enables ThreatSeeker URL filtering for the engine.
HTTP Proxies

(Optional)

When specified, requests are sent through an HTTP proxy instead of the engine accessing the external network directly.

Add — Allows you to add an HTTP Proxy to the list.

Remove — Removes the selected HTTP Proxy from the list.

Engine Editor > Add-Ons > Endpoint Integration

Use this branch to enable endpoint integration on the engine and change the settings for the endpoint client communication.

Option Definition
When Endpoint Service is Forcepoint Endpoint Context Agent
ECA Listener Certificate The internal certificate for the NGFW Engine that listens for Forcepoint One Endpoint traffic. The certificate is generated automatically when you save the Forcepoint One Endpoint configuration.
Signing CA The internal CA that signed the certificate.
ECA Configuration The selected ECA Configuration element. Click Select to select an element.
Source Networks Add the networks or zones that contain the Forcepoint One Endpoint clients. The Forcepoint One Endpoint clients located in these networks or zones send endpoint information to this Firewall. Click Add to add an element to the table, or Remove to remove the selected element.
Destination Networks Add the networks or zones where outbound connections are going. The Forcepoint One Endpoint clients send endpoint information only if the destination address is located in these networks or zones. If filtering based on both source address and destination address, both conditions must be met.

Click Add to add an element to the table, or Remove to remove the selected element.

Listening Interfaces The interfaces or zones the NGFW Engine uses to listen for Forcepoint One Endpoint traffic. Click Add to add an element to the table, or Remove to remove the selected element.
Listening Port The port on which the NGFW Engine listens for Forcepoint One Endpoint traffic.
Export Configuration for Endpoint Clients Opens the Export ECA Configuration dialog box, where you can export an XML file that contains the Forcepoint One Endpoint configuration and details of all the NGFW Engines that use the same ECA Configuration element. You must first save the NGFW Engine configuration.

Engine Editor > Add-Ons > User Authentication

Use this branch to enable user authentication. You can configure authentication using HTTP connections or encrypted HTTPS connections.

Option Definition
Authentication Time-Out Defines the length of time after which authentication expires and users must re-authenticate.
Authentication Idle Time-Out Defines an idle timeout for user authentication. If there have been no new connections within the specified time limit after the closing of a user's previous connection, the user is removed from the list of authenticated users.
HTTP When selected, allows authentication using plain HTTP connections. Change the Port number if you want to use a different port for the authentication interface. The default port is 80.
HTTPS When selected, allows authentication using encrypted HTTPS connections. Change the Port number if you want to use a different port for the authentication interface. The default port is 443.

This option is required for client certificate authentication.

HTTPS Settings Opens the Browser-Based User Authentication HTTPS Configuration dialog box.
TLS Profile The TLS Profile element that defines TLS settings for HTTPS connections for authentication, and the trusted certificate authority for client certificate authentication. Click Select to select an element.

This option is required for client certificate authentication.

Use Client Certificates for Authentication When selected, the NGFW Engine allows users to authenticate using X.509 certificates. Client certificate authentication is supported for browser-based user authentication.
Always Use HTTPS When selected, redirects connections to the HTTPS port and enforces the use of HTTPS if the NGFW Engine also listens on other ports.
Listen on Interfaces Restricts the interfaces that users can authenticate through.
  • All — Users can authenticate through all interfaces.
  • Selected — Users can only authenticate through the selected interfaces.
User Authentication Page Select the User Authentication Page element that defines the look of the logon, challenge, re-authentication, and status page shown to end users when they authenticate.
Enable Session Handling

(Optional)

When selected, enables cookie-based strict session handling.
Note: When Enable Session Handling is selected, the Authentication Idle Time-Out option is not available. The Refresh Status Page Every option defines the authentication timeout.
Refresh Status Page Every

(Optional)

Defines how often the status page is automatically refreshed. When Enable Session Handling is selected, defines the authentication timeout.

Engine Editor > Add-Ons > User Identification

Use this branch to select a User Identification Service element.

Note: These settings are not supported for Master NGFW Engines or Virtual NGFW Engines.
Option Definition
User Identification Service The Forcepoint User ID Service and Integrated User ID Service provide user, group, and IP address information that can be used in transparent user identification.

The Integrated User ID Service is primarily meant for demonstration purposes and proof-of-concept testing of user identification services.

  • Select — Allows you to select an existing Forcepoint User ID Service or Integrated User ID Service element.
  • None — Disables transparent user identification.
Note: For Forcepoint NGFW version 6.4 or higher, we recommend that you use the Forcepoint User ID Service.
Network Filters section (When a Forcepoint User ID Service element is selected)
IP Ranges

(Optional)

To prevent the NGFW Engine from receiving too many logon events, specify the IP address ranges of networks from which to receive logon events.

Click Add to add an element to the list, or Remove to remove the selected element.

We recommend adding the IP address ranges of networks for which the NGFW Engine routes traffic.

Note: Network filters do not exclude other IP addresses outside of the specified IP address range if a user has at least one logon in the specified IP address range. The NGFW Engine might still receive logon events from other IP address ranges.

Engine Editor > Add-Ons > Anti-Spam

The Anti-Spam feature is no longer supported in NGFW version 6.2.0 and higher..

Engine Editor > Add-Ons > ZTNA Connector

From 7.0 version onwards, ZTNA Connector is integrated with NGFW Engine.

This dialog box is used to enable the ZTNA connector so that, the connector is downloaded and installed automatically to the Engine. The Engine can be used as a connection point for applications that you might want to publish through FONE portal by using NGFW as ZTNA connector. For more information about the ZTNA connector, see Zero Trust Network Access section in Forcepoint ONE Admin Guide.

Option Definition
Enable When selected this option, the ZTNA Connector is downloaded and installed automatically to the Engine.
ZTNA Installer Key This installer key is required to fetch the ZTNA connector image from Forcepoint ONE. You can generate installer key in the Forcepoint ONE management portal.
Data Center This is the site name given for the ZTNA connector in Forcepoint ONE.
Auto-update When selected this option, the Engine checks if there is a newer version of ZTNA connector available during policy refresh.

Note: Make sure to modify the access rules to allow connections from the Engine to applications.