Deploy the SMC

When the NGFW Engine launch is complete, deploy the SMC.

Before you begin

Create a Forcepoint NGFW instance in AWS.

Note: If you already have an existing SMC installation, it is not necessary to install an additional SMC for controlling NGFW Engines deployed in AWS.

All configuration information for the NGFW Engines is stored on the Management Server component of the SMC. The NGFW Engines continue to operate normally even when the Management Server is unreachable, so there is no interruption to any network services.

To deploy the SMC on your own hardware, you must have a computer with a 64-bit Linux operating system, such as Ubuntu 16.04 LTS. For compatible operating systems, see the Forcepoint NGFW Security Management Center Release Notes.

If you deploy the SMC in an instance on AWS, we recommend using the M4.xlarge instance type. If the SMC manages a large number of NGFW Engines, the M4.2xlarge or M4.4xlarge instance types might provide improved performance. Use a 64-bit Linux operating system, such as Ubuntu 16.04 LTS, and a 64-bit JRE. For compatible operating systems, see the Forcepoint NGFW Security Management Center Release Notes.

CAUTION:
Do not deploy the SMC in the same instance as the Forcepoint NGFW Engine. The Forcepoint NGFW Engine image includes a custom operating system that is dedicated to running the Forcepoint NGFW Engine. The custom operating system is not suitable for general-purpose computing.

Steps

  1. If you deploy the SMC in an instance on AWS, implement security groups for the instance to allow traffic only on the ports that the SMC uses.
    Note: If the SMC is already behind a firewall that restricts access, it is not necessary to implement security groups for the instance in which the SMC runs.
    1. To allow traffic on the necessary ports for system communication, add the following rules to the security group:
       TCP ports | UDP ports | Direction | Purpose
       ----------|-----------|-----------|--------
       53        | 53        | Outbound  | DNS queries
       443       | -         | Outbound  | HTTPS connections to the Forcepoint NGFW update service for downloading dynamic update packages, engine upgrades, and licenses
       3020      | -         | Inbound   | Alert sending from the Log Server and optional Web Portal Server. Log and alert messages from NGFW Engines. Monitoring of blacklists, connections, status, and statistics for NGFW Engines.
       3021      | -         | Inbound   | Certificate requests or certificate renewal for system communications
       3023      | -         | Inbound   | Status monitoring for the Log Server and the optional Web Portal Server
       8914-8918 | -         | Inbound   | Log browsing connections from the Management Client to the Log Server. Database replication (push) to the Log Server, log browsing on the optional Web Portal Server.
    2. To allow traffic on ports for optional features, add the following rules for the optional features that you use:
       TCP ports | UDP ports | Direction            | Purpose
       ----------|-----------|----------------------|--------
       389       | -         | Outbound             | External LDAP queries for displaying/editing users from external LDAP domains in the Management Client. Only needed if you store user information in external LDAP domains.
       1812      | -         | Outbound             | RADIUS. Only needed if you use RADIUS to authenticate administrator logons to the Management Client.
       514, 5514 | 514, 5514 | Outbound             | Log data forwarding to syslog servers. Only needed if you forward data from the Log Server or Management Server to external syslog servers.
       514, 5514 | 514, 5514 | Inbound              | Syslog reception from third-party components. Only needed if you have configured monitoring of third-party devices.
       8082      | -         | Inbound              | SMC API. Only needed if you have enabled the SMC API.
       8083      | -         | Inbound              | Communication from SMC Web Access clients to the optional Web Portal Server. Only needed if you use the optional Web Portal Server and have enabled SMC Web Access.
       8085      | -         | Inbound              | Communication from SMC Web Access clients to the Management Server. Only needed if you have enabled SMC Web Access.
       8902-8913 | -         | Inbound and Outbound | Database replication from the active Management Server to additional Management Servers for high availability. Only needed if you have configured multiple Management Servers for high availability.
       8931      | -         | Outbound             | Connections from the Log Server to the Web Portal Server. Only needed if you have installed the optional Web Portal Server component of the SMC.
       -         | 161       | Outbound             | SNMP status probing to external IP addresses. Only needed if you have configured monitoring of third-party devices.
       -         | 2055      | Inbound              | NetFlow or IPFIX forwarding to third-party components. Only needed if you have configured monitoring of third-party devices.
       -         | 162, 5162 | Inbound              | SNMPv1 trap reception from third-party components. Only needed if you have configured monitoring of third-party devices.
  2. On the computer or instance where you want to deploy the SMC, open a terminal program, then enter the following command to copy the SMC installation files from the NGFW Engine EC2 instance to the local computer:
    scp -p -i <your ssh private key>.pem aws@<aws instance public ip address>:/spool/<smc installation files>.zip .

    The SMC installation files are included in the NGFW Engine instance.

  3. Decompress the SMC installation files using compression utilities in your operating system.
    For example:
    unzip <smc installation files>.zip
  4. Navigate to the <smc installation files>/Forcepoint_SMC_Installer/Linux-x64 directory.
  5. To start the SMC installation, enter the following command:
    sudo ./setup.sh
  6. Install the SMC components.
    For detailed instructions, see the Forcepoint Next Generation Firewall Installation Guide.
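The security-group step above lists exactly which inbound TCP ports an SMC instance needs. The following script, an added example that is not Forcepoint or AWS code, builds an inbound rule set from those tables in the IpPermissions shape that boto3 uses and audits an existing rule set for ports that were opened but are not in the tables (the source CIDR and the sample rules are constructed assumptions; nothing contacts AWS).

```python
"""Build and audit AWS security-group inbound rules for an SMC instance.
Added example (not Forcepoint or AWS code); rules use the boto3 IpPermissions
shape, the sample data is constructed and nothing contacts AWS."""

# Inbound TCP ports from the system-communication table.
SMC_INBOUND_TCP = {3020, 3021, 3023, *range(8914, 8919)}
# Optional inbound TCP ports from the optional-features table, by feature.
OPTIONAL_INBOUND_TCP = {"smc_api": {8082}, "web_access": {8083, 8085},
                        "mgmt_ha": set(range(8902, 8914))}


def smc_inbound_rules(source_cidr, features=()):
    """Return boto3-style IpPermissions granting only the SMC inbound ports.

    source_cidr is the network the NGFW Engines and Management Clients come
    from (an assumption; use the narrowest range that fits your deployment).
    """
    ports = set(SMC_INBOUND_TCP)
    for feature in features:
        ports |= OPTIONAL_INBOUND_TCP[feature]
    return [{"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
             "IpRanges": [{"CidrIp": source_cidr}]} for p in sorted(ports)]


def _expand(rule):
    """Expand one IpPermissions entry into (protocol, port) pairs."""
    proto = rule["IpProtocol"]
    if proto == "-1":                      # all traffic: no port range present
        return {("any", "all")}
    return {(proto, p) for p in range(rule["FromPort"], rule["ToPort"] + 1)}


def audit_inbound(ip_permissions, features=()):
    """Return the (protocol, port) pairs opened beyond what the SMC needs."""
    allowed = {("tcp", p) for p in SMC_INBOUND_TCP}
    for feature in features:
        allowed |= {("tcp", p) for p in OPTIONAL_INBOUND_TCP[feature]}
    excess = set()
    for rule in ip_permissions:
        excess |= _expand(rule) - allowed
    return excess


# Constructed sample: a hand-written rule set whose 3020-3023 range over-grants
# (3022 is not in the table) and which leaves SSH open to the world.
SAMPLE_INBOUND = [
    {"IpProtocol": "tcp", "FromPort": 3020, "ToPort": 3023, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 8914, "ToPort": 8918, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]
```

Feeding `audit_inbound` the `IpPermissions` list from a real `describe_security_groups()` response reports every inbound port that the SMC tables do not call for; pass the optional features you actually enabled so their ports are not flagged.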

Next steps

Configure the network connections and contact addresses for the SMC.