Start the Convert Engine to Master NGFW Engine and Virtual NGFW Engines wizard
Start the conversion tool and define general properties for the Master NGFW Engine and Virtual NGFW Engines.
For more details about the product and how to configure features, click Help or press F1.
Steps
Convert Engine to Master NGFW Engine and Virtual NGFW Engines wizard
Use this wizard to convert a Single Firewall or a Firewall Cluster element to a Master NGFW Engine and Virtual Firewall elements.
Option | Definition |
---|---|
Base Configuration on | Specifies the engine on which you want to base the configuration. |
Number of Virtual Engines | Specifies the number of Virtual NGFW Engines to create. |
ID | Shows the ID number of the Virtual NGFW Engine. Not editable. |
Virtual Resource Name | Shows the automatically generated Virtual Resource Name for each Virtual NGFW Engine. Change the name by double-clicking the cell. |
Virtual NGFW Engine Name | Shows the automatically generated Virtual NGFW Engine Name for each Virtual NGFW Engine. Change the name by double-clicking the cell. |
Comment (Optional) | A comment for your own reference. |
Option | Definition |
---|---|
Define Basic Information for the Master NGFW Engine page | |
Virtual Engine Type | Shows the role of the Virtual NGFW Engine. Not editable. |
Name | Adds a name to the engine. The name is also used to automatically generate the names of the nodes. |
Log Server | Specifies the log server to which the engines send their event data. |
DNS IP Addresses (Optional) | The IP addresses of the DNS servers that the Master NGFW Engine uses to resolve domain names. |
Add | Adds a single IP address or network element to the DNS IP Addresses list. |
Remove | Removes a single IP address from the DNS IP Addresses list. |
Location | Specifies the location for the engine if there is a NAT device between the engine and other SMC components. |
SNMP Agent | Enables the engine to send SNMP traps. |
SNMP Location | Specifies the SNMP location string that is returned on queries to the SNMPv2-MIB or SNMPv2-MIB-sysLocation object. |
Category (Optional) | Includes the element in predefined categories. Click Select to select a category. |
Tools Profile | Adds custom commands to the engine right-click menu. |
Comment (Optional) | A comment for your own reference. |
Nodes table | |
Node ID | Shows the ID number of the node. Not editable. |
Name | Shows the name of the node. Change the name by double-clicking the cell. |
Configuration Status | Shows the configuration status of the node. |
Version | Shows the version of the node. |
Comment (Optional) | A comment for your own reference. |
Disabled | When selected, disables the node. |
Add Node | Opens the Engine Node Properties dialog box that allows you to add an engine node to the Nodes list. |
Edit Node | Opens the Engine Node Properties dialog box. |
Remove Node | Removes the engine node from the Nodes list. |
Option | Definition |
---|---|
Define Interfaces for the Master NGFW Engine page | |
Search | Activates the type-ahead search field. |
New | Creates an interface of the specified type: |
Tools | |
Add | Creates an interface of the specified type: |
Edit | Allows you to change the interface properties. |
Remove | Removes the selected interfaces from the table. |
Options (Optional) | Opens the Interface Options dialog box that specifies the system communication roles of the interfaces, and the Loopback IP addresses. |
ARP Entries | Opens the ARP Entry Properties dialog box that allows you to add ARP entries for the engine elements. |
Virtual Resources | Opens the Virtual Resources dialog box. |
Option | Definition |
---|---|
Distribute Tunnel Interfaces to Virtual NGFW Engines page | |
Name | Shows the name of the Tunnel Interface. Double-clicking the cell opens the Tunnel Interface Properties dialog box. |
IP Address | Shows the IP address of the Tunnel Interface if an IP address has been defined. |
Zone | Shows the network zone of the Tunnel Interface if the zone has been defined. |
Comment (Optional) | A comment for your own reference. |
Internal Gateway | Shows the VPN Gateway element associated with the Tunnel Interface if a VPN Gateway has been defined. |
Virtual Engine | Adds the Tunnel Interface to the selected Virtual NGFW Engine. |
Option | Definition |
---|---|
Review Distribution of Internal Gateways to Virtual NGFW Engines page | |
Gateway | Shows the VPN Gateway element associated with the Single Firewall or Firewall Cluster on which the configuration is based. Not editable. |
Endpoint 1 IP Address | Shows the endpoint IP address associated with the Virtual NGFW Engine. Double-clicking the cell opens the Properties dialog box for the endpoint. |
Endpoint 1 Phase-1 ID | Shows the value of the ID Value field defined in the Properties dialog box for the endpoint. No value is shown if IP Address is selected in the ID Type list. Double-clicking the cell opens the Properties dialog box for the endpoint. |
Virtual Resource | Shows the Virtual Resource element that is associated with the interface that has the endpoint IP address. |
Virtual Engine | Adds the endpoint IP address to the selected Virtual NGFW Engine. |
Option | Definition |
---|---|
Define Routing for the Master NGFW Engine page | |
Navigation pane | The navigation pane on the left shows types of elements that can be added to the routing tree. |
Search | Activates the type-ahead search field. |
Up | Navigates up one level in the navigation hierarchy. Not available at the top level of the navigation hierarchy. |
New | Creates an element of the specified type. |
Tools | Show Deleted Elements — Shows elements that have been moved to the Trash. |
Routing tree pane | The routing tree pane on the right shows the routing configuration for each interface. |
Search | Activates the type-ahead search field. |
New | Creates an element of the specified type. |
Tools | |
Option | Definition |
---|---|
Select Additional Configuration Options page | |
Define Additional Master NGFW Engine Properties | Enables more configuration options. |
Option | Definition |
---|---|
Define Tester Settings for the Master NGFW Engine page | |
Alert Interval | Specifies the time in minutes the system waits before sending a new alert when the same test keeps failing repeatedly. The default value is 60 minutes. Note: If the interval is too short, the alerts can overload the system or the alert recipient. |
Delay After | Specifies the time in seconds that the engine waits before it resumes running the tests after the listed events. The delays prevent false test failures that can occur due to variations in how quickly different processes and subsystems can start and stop. Note: The maximum value for all options is 1800. |
Auto Recovery | When selected, the engine automatically goes back online when a previously failed test completes successfully. Note: Make sure to run the test in both online and offline states. |
Boot Recovery | When selected, the engine automatically goes back online after a reboot, or after an event such as a power failure or system crash, if all offline tests report a success. |
Global Node Selection for Engine Tests | |
Search | Opens a search field for the selected element list. |
Tools | Refresh View — Refreshes the list of elements. |
Active | Shows whether the node is included in the tests that have been configured for the engine. Deselect to exclude a node from all engine tests. Tip: If you select ALL for the Node setting in the test properties, you can use the Global Node Selection for Engine Tests table to exclude a specific node from the test. |
Name | Specifies the name of the node. |
Node | Specifies the node ID. |
Set to Default | Returns tester changes to the default settings. |
Engine Tests | |
Search | Opens a search field for the selected element list. |
Tools | Refresh View — Refreshes the list of elements. |
Name | Specifies the name of the test. |
Active | Shows whether the test is active. Deselect to deactivate a test. |
Node | Specifies whether the test applies to all nodes or a selected node. |
Interval | Specifies how often the test is run. The minimum interval is one second and the maximum is 86400 (one day). Note: We recommend a minimum interval of four seconds. Running a test too frequently can increase overhead. |
States | Shows the engine states on which the test is run. |
Action | Specifies which action is taken if the test fails, and which type of notification is sent. |
Parameters | Specifies more parameters for the test. |
Add | Adds the test to the Engine Tests table: |
Edit | Allows you to change the test properties. |
Remove | Removes the test from the test entry table. |
Option | Definition |
---|---|
Define Permissions for the Master NGFW Engine page | |
Add | Opens the Select Element dialog box that allows you to add an element to the Access Control Lists. |
Remove | Removes the elements from the Access Control Lists. |
Permissions | |
Add Permission | Adds the permission to the Permissions table. |
Remove Permission | Removes the permission from the Permissions table. |
Local Administrators | |
Administrator | Specifies the name of the local administrator, if local administrators have been defined for the engine. |
Info | Specifies whether executing root-level commands with the sudo tool is allowed for the Local Administrator. |
Policies | |
Allowed Policies | Shows the allowed policies for the Master NGFW Engine. |
Add | Adds the element to the Allowed Policies list. |
Set to Any | Allows the installation of any policy. |
Remove | Removes the elements from the Allowed Policies list. |
Option | Definition |
---|---|
Define Advanced Settings for the Master NGFW Engine page | |
System Parameters | |
Encrypt Configuration Data | By default, the configuration of the engine is stored in an encrypted format. Deselect this option to disable the encryption only if instructed to do so by Forcepoint Customer Hub. |
Contact Node Timeout | The maximum amount of time the Management Server tries to connect to an engine. If the engine has a dynamic IP address, the Contact Node Timeout is the maximum amount of time that the engine tries to contact the Management Server. If the connection to the Management Server fails, the engine automatically tries to reconnect to the Management Server. A consistently slow network connection might require increasing this value. The default value is 60 seconds. Note: Setting the timeout value too short or too long can delay or prevent contact between the Management Server and the engines. |
Auto Reboot Timeout | Specifies the length of time after which an error situation is considered non-recoverable and the engine automatically reboots. The default value is 10 seconds. Note: Set to 0 to disable. |
Policy Handshake | When selected, the nodes automatically roll back to using the previously installed policy if connectivity is lost after installing a new policy. Without this feature, you must switch to the previous configuration manually through the engine's boot menu. Note: We recommend adjusting the timeout (next setting) rather than disabling this feature completely if there is a need to make changes. |
Rollback Timeout | Specifies the time the engine waits for a management connection before it rolls back to the previously installed policy when the Policy Handshake option is active. The default value is 60 seconds. |
Automated Node Certificate Renewal | When selected, the engine's certificate for system communications is automatically renewed before it expires. Otherwise, the certificate must be renewed manually. Each certificate for system communications is valid for three years. If the certificate expires, other components refuse to communicate with the engine. Note: Does not renew VPN certificates for Virtual Firewalls. Automatic certificate renewal for internally signed VPN certificates is set separately in the VPN settings for the Virtual Firewalls. |
FIPS-Compatible Operating Mode (Firewalls only) (Not Virtual NGFW Engines) | When selected, activates a mode that is compliant with the Federal Information Processing Standards (FIPS). Note: You must also select FIPS-specific settings in the NGFW Configuration Wizard on the command line of the NGFW Engine. For more information, see How to install Forcepoint NGFW in FIPS mode. |
Log Handling | Specifies the settings related to adjusting logging when the log spool on the engines fills up or when the number of Antispoofing and Discard logs grows too high. Note: You can also adjust the logging of Antispoofing and Discard logs for specific interfaces. |
Clustering (Firewall Clusters only) | Specifies the settings related to the communications between cluster members and load-balancing between the nodes. |
Traffic Handling | |
Connection Tracking Mode | When enabled, reply packets are allowed as part of the allowed connection without an explicit Access rule. You can override this engine-specific setting and configure connection tracking for TCP, UDP, and ICMP traffic in Access rules. |
Virtual Defragmenting | When selected, fragmented packets are sent onwards using the same fragmentation as when they arrived at the engine. When the engine receives fragmented packets, it defragments the packets for inspection. The original fragments are queued on the engine until the inspection is finished. If the option is not selected, the packets are sent onwards as if they had arrived unfragmented. |
Strict TCP Mode for Deep Inspection | This option is included for backward compatibility with legacy NGFW software versions. |
Default Connection Termination in Inspection Policy | Defines how connections that match rules with the Terminate action in the Inspection Policy are handled. You can override this engine-specific setting in the Inspection Policy. |
Policy Routing | Specifies the policy routing settings. |
Idle Timeouts | Specifies the settings for general connection timeouts. |
SYN Rate Limits | Specifies the settings for configuring limits for SYN packets sent to the engine. You can also configure SYN Rate Limits for specific interfaces. |
Scan Detection | Specifies the scan detection settings. You can override the engine-specific settings in Access rules. |
Option | Definition |
---|---|
Review Basic Information for Virtual NGFW Engines page | |
Basic Information for | Shows the name of the Virtual NGFW Engine. Not editable. |
Name | Shows the automatically generated Virtual NGFW Engine Name for the Virtual NGFW Engine. |
Virtual Resource | Shows the Virtual Resource element associated with the Virtual NGFW Engine. Not editable. |
Master NGFW Engine | Shows the Master NGFW Engine that hosts the Virtual NGFW Engine. Not editable. |
DNS IP Addresses | Shows the DNS servers that the Master NGFW Engine uses to resolve domain names. |
Add | Adds a single IP address or network element to the DNS IP Addresses list. |
Remove | Removes a single IP address or network element from the DNS IP Addresses list. |
Category (Optional) | Includes the element in predefined categories. Click Select to select a category. |
Comment (Optional) | A comment for your own reference. |
Option | Definition |
---|---|
Review Interfaces for Virtual NGFW Engines page | |
Interface Information for | Shows the name of the Virtual NGFW Engine. Not editable. |
Search | Activates the type-ahead search field. |
New | Not available. |
Tools | |
Options (Optional) | Opens the Interface Options dialog box that specifies the roles of the interfaces, and the Loopback IP addresses. |
ARP Entries | Opens the ARP Entry Properties dialog box that allows you to add ARP entries for the engine elements. |
Multicast Routing | Opens the Multicast Routing Properties dialog box, where you can configure multicast routing. |
Option | Definition |
---|---|
Review and Edit Routing for Virtual NGFW Engines page | |
Routing for | Select the Virtual NGFW Engine for which you want to view or edit routing. |
Navigation pane | The navigation pane on the left shows types of elements that can be added to the routing tree. |
Search | Activates the type-ahead search field. |
Up | Navigates up one level in the navigation hierarchy. Not available at the top level of the navigation hierarchy. |
New | Creates an element of the specified type. |
Tools | Show Deleted Elements — Shows elements that have been moved to the trash. |
Routing tree pane | The routing tree pane on the right shows the routing configuration for each interface. |
Search | Activates the type-ahead search field. |
New | Creates an element of the specified type. |
Tools | |
Option | Definition |
---|---|
Review NAT Definitions for Virtual NGFW Engines page | |
NAT Definitions for | Specifies the Virtual NGFW Engine for which NAT definitions are shown. |
Use Default NAT Address for Traffic from Internal Networks | The Firewall uses the default NAT address as the Public IP Address if there is not a more specific NAT definition that matches the traffic. When you select this option, a NAT rule is generated at the end of the NAT rules in the Firewall Policy. If no NAT rule matches the traffic, no NAT is applied unless you enable the Default NAT Address. |
Show Details | Opens the Default NAT Address Properties dialog box. |
Add NAT Definition | Creates a NAT Definition element and opens the NAT Definition Properties dialog box. |
Edit NAT Definition | Opens the NAT Definition Properties dialog box for an existing NAT Definition element. |
Remove NAT Definition | Removes the selected row from the table. |
Previous | Navigates back to the previous wizard page. |
Next | Navigates to the following wizard page. |