Create a Forcepoint NGFW instance using Manual Launch

Configure and launch an instance of the Forcepoint NGFW AMI using Manual Launch.

CAUTION:
If required for regulatory compliance, or in environments with stricter security requirements, we recommend using dedicated instances when you deploy Forcepoint NGFW in AWS.

We recommend using the following instance types depending on the Forcepoint NGFW product:

Forcepoint NGFW product EC2 instance type
NGFW 2 CPU M4.large
NGFW 4 CPU M4.xlarge or C4.xlarge
NGFW 8 CPU M4.2xlarge or C4.2xlarge
NGFW 16 CPU C4.4xlarge

For information about VM size and network performance, see the Amazon documentation at https://aws.amazon.com/ec2/instance-types/. Enabling some Forcepoint NGFW features, such as inspection, might decrease the network throughput.

Forcepoint NGFW is designed to receive and manage all traffic on all ports. Use a security group that allows connections on all ports for inbound and outbound for the instance in which Forcepoint NGFW is running.

Steps

  1. In the AWS Marketplace, start the launch for the Forcepoint NGFW AMI.
  2. Click the Manual Launch tab.
  3. Select an instance type that meets your performance needs.
    The AMI automatically restricts the instance types so that only compatible instance types are available.
  4. Add one or more interfaces and map ENIs to the interfaces.
    1. To add an interface, click Add Device.
      Note: The wizard only allows you to add two interfaces. If you need to add more interfaces, use the command line tools.
      Add all required interfaces while creating the instance. If you add interfaces later, a reboot is required before the interfaces become available.
    2. From the Network Interface drop-down list for eth0, select the ENI for the control interface.
    3. From the Network Interface drop-down list for the other interfaces, select the ENI to connect to each interface.
  5. If you want to transfer the initial configuration file to the instance, add the initial configuration as user data.

    We recommend transferring the engine's initial configuration as user data when you launch the Forcepoint NGFW instance. When you provide user data, the engine automatically makes initial contact with the Management Server when it starts. After it is launched, the Forcepoint NGFW instance automatically appears in the Management Client.



    1. In the User Data options, select As Text.
    2. In the Save or Upload Initial Configuration dialog box in the Management Client, click Copy to Clipboard.
    3. In the EC2 Management Console, paste the text that you copied from the Save or Upload Initial Configuration dialog box into the User Data field.
  6. Click Review and Launch.
  7. On the Review Instance Launch page, select an existing key pair or create a new key pair for SSH connections to the NGFW engine.
    Note: The key is the only allowed authentication method for SSH connections to the engine command line.

    If the default security group is too limited for your environment, you can select a different security group or change the rules. You can also configure the NGFW Engine to restrict access.

Result

When the NGFW Engine installation is complete and the engine is ready to process traffic, the status of the NGFW Engine element changes in the Management Client to Online. The connection state is Connected, indicating that the Management Server can connect to the node.

You can also check the status of the NGFW Engine in the AWS console. To check the status, select Actions > Instance Settings > Get system log. The system log shows the following information:
Management server contact successful
Sg-auto-contact done