Create a Forcepoint NGFW instance using 1-Click Launch

Configure and launch an instance of the Forcepoint NGFW AMI using 1-Click Launch.

CAUTION:
If required for regulatory compliance, or in environments with stricter security requirements, we recommend using dedicated instances when you deploy Forcepoint NGFW in AWS.

We recommend using the following instance types depending on the Forcepoint NGFW product:

Forcepoint NGFW product    EC2 instance type
NGFW 2 CPU                 M4.large
NGFW 4 CPU                 M4.xlarge or C4.xlarge
NGFW 8 CPU                 M4.2xlarge or C4.2xlarge
NGFW 16 CPU                C4.4xlarge

For information about VM size and network performance, see the Amazon documentation at https://aws.amazon.com/ec2/instance-types/. Enabling some Forcepoint NGFW features, such as inspection, might decrease the network throughput.

Forcepoint NGFW is designed to receive and manage all traffic on all ports. Use a security group that allows connections on all ports for inbound and outbound for the instance in which Forcepoint NGFW is running.

Steps

  1. In the AWS Marketplace, start the launch for the Forcepoint NGFW AMI.
  2. On the 1-Click Launch tab, configure the following settings:
    Version: Select the most recent version.
    Region: Select the region that is the best match for your existing infrastructure and geographic location.
    EC2 Instance Type: Select an instance type that meets your performance needs.
      The AMI automatically restricts the instance types so that only compatible instance types are available.
      Note: If you want to change the instance type later, you must create a new instance.
    VPC Settings: Select a VPC and a subnet that correspond to the management interface of the NGFW Engine.
    Security Group: Select a security group based on the seller settings.
      If the default security group is too limited for your environment, you can use a different security group or change the rules. You can also configure the NGFW Engine to restrict access.
    Key Pair: Select a key pair for SSH connections to the NGFW Engine.
      Note: The key is the only allowed authentication method for SSH connections to the engine command line.
  3. Click Launch with 1-click.
  4. When the instance is running, connect to the command line of the NGFW Engine and verify the SSH server identity.
    1. In the AWS web management console, select the NGFW Engine instance, then select Actions > Instance Settings > Get system log to show the SSH server fingerprints.
      The SSH server fingerprints are shown at the end of the NGFW Engine boot messages.
    2. On your computer, open a terminal program, then enter the following command to open an SSH connection to the command line of the NGFW Engine using the aws user account:
      ssh -i <your ssh private key>.pem aws@<aws instance public ip address>
      The SSH key fingerprints are shown when you connect.
    3. Compare the SSH key fingerprints to the SSH server fingerprints from the system log.
    4. To confirm that you want to continue connecting, type yes.
      The IP address of the NGFW Engine is added to the SSH known hosts list.
  5. If the AMI does not support the use of sudo without a password, enter the following command to set a sudo password for the aws user:
    sudo passwd
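The fingerprint comparison in step 4 is the only protection against connecting to an impostor host on the first SSH connection, so it is worth scripting rather than eyeballing. The following is an added example, not Forcepoint's code or part of this guide: a small POSIX shell check that extracts the SHA256 fingerprint tokens from the instance system log and confirms that the fingerprint observed for the host key is among them. It assumes the log can be retrieved with `aws ec2 get-console-output` and the observed fingerprint produced with `ssh-keyscan` and `ssh-keygen -lf` (shown in comments); the sample log excerpt and the fingerprints in it are constructed placeholders, and the exact wording of the NGFW Engine boot messages is not taken from this page.

```shell
#!/bin/sh
# Added example (not Forcepoint's code): check the SSH host-key fingerprint observed
# on connection against the fingerprints printed in the instance system log.
#
# In real use the two inputs would come from:
#   aws ec2 get-console-output --instance-id <instance-id> --output text  > system.log
#   ssh-keyscan -t ed25519 <public-ip> > host.pub && ssh-keygen -lf host.pub
# Here both are plain strings so that the check runs offline.

# Print every "SHA256:<base64>" token found in the given text, one per line, deduplicated.
extract_fingerprints() {
    printf '%s\n' "$1" | grep -o 'SHA256:[A-Za-z0-9+/]*' | sort -u
}

# Exit 0 if the observed fingerprint appears in the system log, 1 otherwise.
# The second argument may be a bare token or a full "ssh-keygen -l" line such as
# "256 SHA256:... host (ED25519)".
fingerprint_matches() {
    log="$1"
    observed="$2"
    observed_token=$(printf '%s\n' "$observed" | grep -o 'SHA256:[A-Za-z0-9+/]*' | head -n 1)
    [ -n "$observed_token" ] || return 1
    extract_fingerprints "$log" | grep -qxF "$observed_token"
}

# Constructed sample of the tail of a system log (placeholder fingerprints, not real keys).
SAMPLE_LOG='... boot messages ...
SSH host key fingerprints:
256 SHA256:CONSTRUCTEDed25519fingerprintPLACEHOLDER0001 root@ip-10-0-0-10 (ED25519)
3072 SHA256:CONSTRUCTEDrsaFingerprintPLACEHOLDER00000002 root@ip-10-0-0-10 (RSA)
... end of boot messages ...'

# Constructed line as "ssh-keygen -lf host.pub" would print it for the scanned key.
OBSERVED='256 SHA256:CONSTRUCTEDed25519fingerprintPLACEHOLDER0001 203.0.113.10 (ED25519)'

if fingerprint_matches "$SAMPLE_LOG" "$OBSERVED"; then
    echo "host key fingerprint matches the system log: safe to answer 'yes'"
else
    echo "MISMATCH: do not continue connecting; investigate before trusting this host" >&2
fi
```

Run the check before answering `yes` to the ssh prompt; if it reports a mismatch, the key ssh presented is not the one the engine printed at boot, and the connection should not be accepted. Comparing the full token with `grep -xF` avoids partial-prefix matches, and collecting every token from the log (rather than the first one) handles the engine having more than one host key type.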

Next steps

If you do not have an existing SMC installation, deploy the SMC.