
forcepoint.com
Forcepoint
Next Generation Firewall 7.0
Administrator Course
Student Guide
20221205
Public

© 2022 Forcepoint. Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint. All other trademarks used in this document are the property of their respective owners.

This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent in writing from Forcepoint. Every effort has been made to ensure the accuracy of this manual. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose.

Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.

2 | Forcepoint NGFW 7.0 Administrator Course © 2022 Forcepoint

NGFW Overview
Forcepoint
Next Generation Firewall 6.7

Course roadmap

This course contains the following modules:

1. NGFW Overview
2. SMC Overview
3. Getting Started with the SMC
4. NGFW Policies and Templates
5. Access Control and NAT
6. Traffic Inspection
7. Inspection Policy
8. Malware Detection and File Filtering Policy
9. Alerts and Notifications
10. Users and Authentication
11. Mobile VPN and SSL VPN Portal
12. Site-to-Site VPN
13. Advanced Logging
14. Policy Tools
15. Monitoring and Reporting
16. Troubleshooting

Module Objectives

After successfully completing this module, you will be able to:

▪ List the Forcepoint NGFW benefits and differentiators.
▪ Explain the differences between the operating roles.
▪ Describe the Forcepoint NGFW engine and appliances.
▪ Explain basic concepts of virtualization.
▪ Describe at least one of the installation methods.
▪ List the four common NGFW deployments.

Objective: List the Forcepoint NGFW benefits and differentiators.

Forcepoint NGFW solution

[Figure: Forcepoint NGFW solution. Labels: Cloud-Assisted Security (industry-leading advanced protection): Threat Intelligence, Install Cloud, File Reputation, URL Filtering, Web Security, Advanced Malware Detection, CASB w/ DLP; Endpoint Context (ECA), Insider Threat, Data Loss Prevention, FBA, DLP, IT; Centralized NGFW Management (self-administered or via MSP): Centralized Management, High Availability; NGFW Appliance with Deep Security Built-in: AWS, Azure, Google, IBM, Oracle Cloud, KVM, VMware ESXi, Hyper-V; Virtual NGFW Appliances (unified operation and performance across all deployments); Endpoint Integration, Customizable Interfaces, SIEM Integration, DLP Integration.]

• NGFW Appliances provide unified operation and performance across all physical, virtual, and cloud deployments.
• The Security Management Center (SMC) provides unified network security management for all NGFW security devices.
• The NGFW uses cloud services to augment the connectivity and security of every location:
  - File reputation, URL categorization
  - Advanced Malware detection with sandboxing
  - Installation cloud, etc.
  - Web Gateway, CASB cloud service with Data Loss Protection (DLP)
• In addition, the NGFW can collect information about endpoint clients and use that information for access control.
• NGFW engines integrate with the Forcepoint Behavior Analytics (FBA) system, which collects information from all Forcepoint products (DLP, Insider Threat) to perform user behavior analytics.
• NGFW engines integrate with the Forcepoint DLP system to provide DLP scanning, typically used for outbound file transfers to prevent sensitive data from being sent out.

Key benefits and differentiators

[Figure: Key benefits and differentiators: Unified Software Design, Advanced Evasion Prevention, Centralized Management, High Availability, SD-WAN Capabilities, Integration. Footnote: *UDP 1518 bytes.]

Forcepoint Integration
▪ Web Filtering with ThreatSeeker Intelligence
▪ Web Gateway and CASB
▪ Data Loss Protection
▪ Malware detection
  • Forcepoint Advanced Malware Detection (Sandbox)
  • File reputation (McAfee GTI)
▪ SIEM and UEBA Systems

High Availability Capabilities
▪ Up to 16 nodes natively in active-active mode
▪ Different HW models
▪ Different software versions supported for upgrades

One software
▪ Various platforms (Virtual, Software, Appliances)
▪ 3 Roles (Firewall, IPS, L2FW) under 1 NGFW license
▪ Evolving software

SD-WAN Capabilities
▪ Load balancing of links (ISP/MPLS)
▪ Multi-Link VPN provides HA and load balancing over all active tunnels.
▪ QoS on Multi-Links
▪ Application Health Monitoring

Deep Security and AET prevention
▪ Built-in deep inspection
▪ Full-stack normalization
▪ Detection of advanced evasions

Centralized Management
▪ Scalable and user-friendly
▪ Hierarchical Policies
▪ Log Analysis and Reporting
▪ Plug-and-play deployment

The Forcepoint approach offers you the security today's businesses must have:

Advanced Evasion Prevention:
Communication on the Internet is based on TCP/IP protocols, where traffic is split up into packets and sent along multiple paths. There is no guarantee that the pieces arrive in order, but the destination system can reorder and reassemble these pieces to recreate the original contents.

An attacker using advanced evasion techniques might, for example, generate traffic containing a known exploit but send the pieces (IP datagrams, TCP segments) out of order.

If the firewalls or intrusion prevention systems only look at each packet as it comes along, the exploit will not be seen. When the packets reach the destination, they reconstitute the original exploit, which can then do its dirty work.

You can stop the most sophisticated, evasive threats. AETs work by hiding exploits through manipulation of data streams so that they can slip past network security devices.
Only the Forcepoint NGFW can spot these and stop them.
− Decodes and normalizes traffic for inspection on all protocol layers
− Vulnerability-centric fingerprints detect exploits in the normalized data streams
− Successfully tested against over 800 million Advanced Evasion Techniques

One software:
• A single software core runs all the inspections for high-performance processing of the entire data stream (this is the key to the anti-evasion protection).
• The NGFW can operate in 3 different Roles (Firewall, IPS, L2FW) under the same NGFW license.
• A multi-layer deployment of NGFW Engines in the Firewall role allows having both layer 2 physical interfaces and layer 3 physical interfaces. The same NGFW Engine can then provide the features of the Firewall role as well as the features of the IPS and Layer 2 Firewall roles.
• This unified software design allows:
  ▪ Adaptability
    You can adapt the NGFW to any environment and situation dynamically. You just need to enable the features that best fit your new needs.
    For example, if you want to prevent attacks on your host servers in the DMZ, you can enable deep inspection on the Firewall to deep-inspect the traffic to these servers. Or, if you want to turn the layer 3 firewall that is protecting your remote office into a UTM firewall, you can activate Anti-virus and URL Filtering on the firewall.
Note that URL filtering requires an additional license.

• High Availability capabilities: Active-active, mixed clustering: Up to 16 nodes, of different models, can be clustered together,
traffic.

Management server high availability
▪ Only one server is active at a time.
▪ Data is synchronized from the active Management Server to the standby servers.
▪ Data replication is incremental.
▪ Control Management Servers through the Management Client.
▪ Requires special licensing.

[Figure: one ACTIVE Management Server and two STANDBY Management Servers.]

Additional Log Servers can be used to allow continued monitoring of the system if one Log Server fails.

There can be several backup Log Servers per managed FW engine. Any Log Server can simultaneously act as the active Log Server for multiple firewalls while also acting as a backup Log Server for other firewalls.

There is no data replication between the backup Log Servers, but the logs are sent to the backup Log Server if the connection to the active Log Server fails. Browsing logs is exactly the same as if there were only one Log Server, since the management clients are connected to all Log Servers at the same time.
The logs are sorted by timestamp, so it does not make a difference which server is sorting and sending the logs for browsing.

Log server high availability
▪ Works with a normal Log Server license.
▪ No data replication between the servers.
▪ Transparent for management clients.

[Figure: LOG SERVER 1 is primary for NGFW ENGINE 1 and backup for NGFW ENGINE 2; LOG SERVER 2 is primary for NGFW ENGINE 2 and backup for NGFW ENGINE 1.]

Objective: Configure the SMC administrator access.

You can define administrator rights in fine detail for each administrator according to the administrator's duties:
• You can select the basic rights for the administrator and then select the elements to which these rights apply.
• You can also grant administrators access to whole groups of elements instead of granting access only to individual elements.
• You can lock elements to prevent conflicting changes.

SMC Administrators with Role-Based Access Control (RBAC)

[Figure: administrator roles and scopes. Legend: predefined roles cannot be modified. Labels: UNRESTRICTED, OWNER, OPERATOR, EDITOR, VIEWER, CUSTOM ROLE; scopes ALL ELEMENTS, IPS, FW/VPN.]

Administrator Roles are used with Administrator elements to define the actions that an administrator is allowed to take. Each administrator can have one or several Administrator Roles.
You can either use predefined Administrator Roles or create new ones.

There are four predefined Administrator Roles:
• Operator: Can view the properties of selected elements. Can also send commands to selected engines, refresh and upload policies, and browse logs and alerts from selected elements.
• Editor: Can create, edit, and delete selected elements. Can send commands to engines, refresh and upload policies, and browse logs and alerts from selected elements.
• Owner: Can view the properties of selected elements, and edit and delete the selected elements.
• Viewer: Can view the properties of selected elements.

Predefined Administrator Roles cannot be modified, but custom Administrator Roles can be created.

Configure SMC administrator access
1. Create a new Administrator Role
2. Create an Access Control List
3. Define an Administrator

Access Control Lists represent lists of elements that you can use to select the granted elements to which the administrator rights apply.

You can grant whole groups of elements to administrators instead of selecting the elements one by one.

You can also select individual policy and engine elements instead of using Access Control Lists.

You can either use the predefined Access Control Lists or create new ones.

The Access Control Lists that you create can include Firewall, IPS, Firewall Policy, IPS Policy, Layer 2 Firewall, and Layer 2 Firewall Policy elements.

All the elements in the system belong to one or more of the predefined Access Control Lists according to element type. When you create a new element, it is automatically added to the relevant Access Control List(s).

Administrator Elements

There are two levels of permissions:
• Unrestricted permissions (Superuser)
• Restricted permissions: used with Administrator Roles and Access Control Lists

A Superuser account is created during installation.

An administrator with unrestricted permissions can create and modify administrator accounts and can also grant other administrators the right to manage administrator accounts.

It is recommended to create a customized account for each administrator.

Restricted permissions:
If you selected Restricted permissions as the general permissions level, you must then define the rights for the administrator accounts by associating the Administrator Roles with elements or Access Control Lists.

If an administrator is allowed to view logs and alerts, you can optionally create local filters that are applied to the log data before it is displayed to the administrator.

Objective: Apply configuration to NGFW engines.

Installing a policy using the Management Client transfers the complete configuration (policy configuration, routing information, VPN configuration, engine configuration, etc.) from the Management Server to an engine.

After the installation, the engine is ready to start processing traffic.
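The administrator access model described above (predefined roles whose capabilities are listed in the text, Access Control Lists that group elements by type, restricted versus unrestricted administrators, and local log filters applied after the permission check) can be exercised as a small permission evaluator. The following is an added example written for this guide; it is not Forcepoint's SMC API or code. The ACL names ("All Firewalls" and so on), element names, administrator names, the custom "Policy Installer" role and the sample log entries are constructed for the example, and the Editor role's "view" capability is an assumption, since the page lists create, edit and delete for it without naming view.

```python
from types import MappingProxyType

# Capabilities of the four predefined Administrator Roles, taken from the role
# descriptions in the course text. "view" for Editor is an assumption.
PREDEFINED_ROLES = MappingProxyType({
    "Operator": frozenset({"view", "send_commands", "refresh_policy",
                           "upload_policy", "browse_logs"}),
    "Editor":   frozenset({"view", "create", "edit", "delete", "send_commands",
                           "refresh_policy", "upload_policy", "browse_logs"}),
    "Owner":    frozenset({"view", "edit", "delete"}),
    "Viewer":   frozenset({"view"}),
})

# Constructed names for the predefined per-type ACLs: the page says every
# element belongs to a predefined ACL according to its type but does not name them.
PREDEFINED_ACL_FOR_TYPE = {
    "Firewall": "All Firewalls",
    "IPS": "All IPS Engines",
    "Layer 2 Firewall": "All Layer 2 Firewalls",
    "Firewall Policy": "All Firewall Policies",
    "IPS Policy": "All IPS Policies",
    "Layer 2 Firewall Policy": "All Layer 2 Firewall Policies",
}

# Constructed log entries used by browse_logs(); "engine" is the element that produced them.
SAMPLE_LOG_ENTRIES = [
    {"engine": "HQ-FW", "action": "Allow", "service": "HTTPS"},
    {"engine": "Branch-FW", "action": "Discard", "service": "Telnet"},
    {"engine": "DC-IPS", "action": "Permit", "service": "DNS"},
]


class SMC:
    """Toy model of roles, ACLs and administrators (not Forcepoint's implementation)."""

    def __init__(self):
        self.roles = dict(PREDEFINED_ROLES)            # role name -> frozenset(actions)
        self.acls = {a: set() for a in PREDEFINED_ACL_FOR_TYPE.values()}
        self.elements = {}                             # element name -> type
        self.admins = {}

    def create_role(self, name, actions):
        # predefined roles cannot be modified; custom ones can be created
        if name in PREDEFINED_ROLES:
            raise ValueError(f"predefined role {name!r} cannot be modified")
        self.roles[name] = frozenset(actions)

    def create_element(self, name, etype):
        self.elements[name] = etype
        # a new element is automatically added to the predefined ACL for its type
        self.acls[PREDEFINED_ACL_FOR_TYPE[etype]].add(name)

    def create_acl(self, name, element_names):
        self.acls[name] = set(element_names)

    def define_admin(self, name, unrestricted=False, grants=()):
        """grants: (role_name, target) pairs; target is an ACL name or a single element name."""
        self.admins[name] = {"unrestricted": unrestricted, "grants": list(grants)}

    def _targets(self, target):
        if target in self.acls:
            return self.acls[target]
        return {target} if target in self.elements else set()

    def is_allowed(self, admin_name, action, element_name):
        admin = self.admins[admin_name]
        if admin["unrestricted"]:                      # Superuser: everything, everywhere
            return True
        return any(action in self.roles[role] and element_name in self._targets(target)
                   for role, target in admin["grants"])

    def browse_logs(self, admin_name, entries, local_filter=None):
        """Entries the administrator may browse; an optional local filter is applied
        to the permitted data before display, as the text describes."""
        visible = [e for e in entries if self.is_allowed(admin_name, "browse_logs", e["engine"])]
        return [e for e in visible if local_filter is None or local_filter(e)]


def demo():
    """Steps 1-3 from the slide: create a role, create an ACL, define administrators."""
    smc = SMC()
    for name, etype in [("HQ-FW", "Firewall"), ("Branch-FW", "Firewall"),
                        ("DC-IPS", "IPS"), ("HQ Policy", "Firewall Policy")]:
        smc.create_element(name, etype)
    smc.create_role("Policy Installer", {"view", "refresh_policy", "upload_policy"})
    smc.create_acl("Branch Firewalls", ["Branch-FW"])
    smc.define_admin("root", unrestricted=True)
    smc.define_admin("noc", grants=[("Operator", "All Firewalls"), ("Viewer", "All IPS Engines")])
    smc.define_admin("branch-admin", grants=[("Editor", "Branch Firewalls"),
                                             ("Policy Installer", "HQ Policy")])
    return smc


if __name__ == "__main__":
    s = demo()
    print("noc may edit HQ-FW:", s.is_allowed("noc", "edit", "HQ-FW"))
    print("noc log view:", [e["engine"] for e in s.browse_logs("noc", SAMPLE_LOG_ENTRIES)])
```

The point to check in a real deployment is the same as in the model: a restricted administrator's effective rights are the union over all (role, target) pairs, so a generous role bound to a broad predefined ACL silently covers every element of that type, including ones created later.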
The engines do not have a working configuration until the first time you install a policy on them and the working configuration is received from the Management Server.

You can view the configuration changes that you and other administrators have made before the new configurations and policies are transferred to the NGFW Engines.

Policy installation can be triggered by multiple but equivalent actions in the Management Client:
• Commit Changes
• Install Policy
• Policy Refresh
• Upload Policy
• Install Engine Configuration
• Refresh Engine Configuration
• Policy Refresh task
• Policy Upload task

Applying configuration to NGFW engines
▪ Policy Installation transfers the NGFW configuration from the Management Server to the engines.
▪ Pending changes are visible in the Home view.
▪ Policy Installation can be triggered by multiple but equivalent actions in the Management Client.

[Figure: the Management Client triggers Policy Installation on the Management Server, which sends the NGFW configuration files to the NGFW Engine. Triggers shown: Commit Changes, Install Policy, Policy Refresh, Upload Policy, Install Engine Configuration.]

You can now view configuration changes that you and other administrators have made before the new configurations are transferred to the engines. The pending changes are shown in the Home view and on the selected engine's home page. You can optionally also enforce an approval workflow.
When an approval workflow is enforced, administrators with unrestricted permissions must approve all pending changes before the changes can be committed.

Policy change management and approval process
Supports approval workflows for all policy changes before they are uploaded to the engine.

[Figure: approval flow: 1 REQUEST Policy Change; 2 PENDING Changes Visible on SMC; 3 COMMIT Changes; decision "Need Approval?" (Y/N); 4 APPROVE One-by-One or All Together; 4a VIEW Detailed Changes. Actors: Editor, Superusers.]

Objective: Describe how logs work.

Logs generated by the Firewall record the type and volume of inbound and outbound traffic as well as certain configuration and diagnostic information. Accordingly, they are the fundamental resource for checking and proving your system.

Purpose of logs
▪ Logs record the type and volume of inbound and outbound traffic. Logs also record some configuration and diagnostic information.
▪ Used to troubleshoot network issues.
▪ Provide evidence for necessary network upgrades.
▪ Provide evidence of network attacks.
▪ Track actions and connections.
▪ Provide data on network utilization.
▪ Record admin actions.

The log level is defined in the Logging options of the Access rules and the Inspection Policy. The following log levels are available:
• Alert: An alert entry is generated every time traffic matches the rule. Alerts are always stored.
You can optionally specify which Alert is triggered (System Alert or a custom Alert).
• Stored: A log entry is generated and stored on the Log Server.
• Essential: When the Log Server is unavailable, log entries are temporarily stored on the NGFW engine. When the NGFW engine is running out of space to store the log entries, it begins discarding log data in order of importance. Essential and Alert logs are kept the longest. When the firewall is not running out of disk space, the Essential setting behaves just like the Stored setting.
• Transient: A log entry is only available for immediate display in the Logs view and is not stored.
• None: Rules with the None setting do not generate any log entry at all.

In Access rules, User, Application, and Payload information can be logged.

Logging user information requires that access control by user is enabled or that the users are authenticated against the NGFW.

When Application Information Logging is enforced or Payload information is enabled, the engine may send matching connections to deep inspection.

Enabling Additional Payload stores packet payload extracted from the traffic in additional log fields.

NGFW logging: log generation
▪ Logging criteria are specified in the Access Rules and Inspection Rules.
▪ Logging level options:
  • None
  • Transient
  • Stored
  • Essential
  • Alert
▪ Logs are stored using UTC (GMT) timestamps.
▪ The time zone for browsing is selected in the Management Client.

Log entries are most often triggered by access rules. Other types of rules can be set to create log entries as well.
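Two passages in this guide describe what happens to log data when the delivery path degrades: the Log Server high availability pages (an engine sends to a backup Log Server when the active one is unreachable, and the client browses all servers as one timestamp-ordered stream) and the Essential log level above (entries are spooled on the engine when no Log Server is available and discarded in order of importance when space runs out). The following added example, written for this guide and not Forcepoint's engine or Log Server code, simulates both behaviours with constructed engine and server names, a constructed spool capacity of three entries, and a constructed importance order (Alert above Essential above Stored, oldest discarded first within a level), which is an assumption consistent with the text's statement that Essential and Alert logs are kept the longest.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed importance order for discarding spooled entries (higher is kept longer).
LEVEL_IMPORTANCE = {"Alert": 3, "Essential": 2, "Stored": 1}


@dataclass(order=True)
class LogEntry:
    timestamp: int          # the page says logs are stored with UTC timestamps
    level: str              # None, Transient, Stored, Essential or Alert
    rule: str
    message: str


@dataclass
class LogServer:
    name: str
    up: bool = True
    stored: List[LogEntry] = field(default_factory=list)     # persisted entries
    live_view: List[LogEntry] = field(default_factory=list)  # relayed for display only

    def receive(self, entry: LogEntry) -> None:
        # Transient entries are only relayed to the Logs view, never stored.
        (self.live_view if entry.level == "Transient" else self.stored).append(entry)


@dataclass
class Engine:
    name: str
    primary: LogServer
    backups: List[LogServer]
    spool_capacity: int = 3
    spool: List[LogEntry] = field(default_factory=list)
    discarded: List[LogEntry] = field(default_factory=list)

    def _reachable(self) -> Optional[LogServer]:
        # active Log Server first, then the backups in configured order
        return next((s for s in [self.primary, *self.backups] if s.up), None)

    def log(self, entry: LogEntry) -> None:
        if entry.level == "None":
            return                                   # rule generates no entry at all
        server = self._reachable()
        if server is None:
            self._spool(entry)
        else:
            self.flush(server)                       # deliver anything spooled earlier first
            server.receive(entry)

    def _spool(self, entry: LogEntry) -> None:
        if entry.level == "Transient":
            return                                   # nothing to keep: display-only entry
        self.spool.append(entry)
        if len(self.spool) > self.spool_capacity:
            # out of space: discard least important, then oldest
            victim = min(self.spool, key=lambda e: (LEVEL_IMPORTANCE[e.level], e.timestamp))
            self.spool.remove(victim)
            self.discarded.append(victim)

    def flush(self, server: Optional[LogServer] = None) -> int:
        server = server or self._reachable()
        if server is None:
            return 0
        for e in self.spool:
            server.receive(e)
        sent, self.spool = len(self.spool), []
        return sent


def browse_logs(servers: List[LogServer]) -> List[LogEntry]:
    """Management Client view: connected to every Log Server, merged by timestamp."""
    return sorted(e for s in servers for e in s.stored)


def scenario():
    """Constructed outage sequence: primary fails, then both servers, then primary recovers."""
    ls1, ls2 = LogServer("LS1"), LogServer("LS2")
    fw = Engine("HQ-FW", primary=ls1, backups=[ls2], spool_capacity=3)
    fw.log(LogEntry(1, "Stored", "Allow-Web", "10.0.0.5 -> 93.184.216.34:443"))
    ls1.up = False                                              # connection to active server lost
    fw.log(LogEntry(2, "Alert", "Block-SSH", "203.0.113.9 -> 10.0.0.22:22"))   # lands on LS2
    ls2.up = False                                              # no Log Server reachable
    fw.log(LogEntry(3, "Transient", "Allow-DNS", "10.0.0.5 -> 10.0.0.2:53"))
    fw.log(LogEntry(4, "Stored", "Allow-Web", "10.0.0.7 -> 198.51.100.10:443"))
    fw.log(LogEntry(5, "Essential", "Allow-VPN", "10.0.0.9 -> 192.0.2.1:500"))
    fw.log(LogEntry(6, "Stored", "Allow-Web", "10.0.0.8 -> 198.51.100.11:80"))
    fw.log(LogEntry(7, "Alert", "Block-Scan", "203.0.113.9 -> 10.0.0.0/24"))  # spool full: ts 4 dropped
    ls1.up = True                                               # primary recovers
    fw.log(LogEntry(8, "Stored", "Allow-Web", "10.0.0.5 -> 93.184.216.34:443"))  # spool flushed first
    return fw, ls1, ls2


if __name__ == "__main__":
    fw, ls1, ls2 = scenario()
    print("browse:", [(e.timestamp, e.level) for e in browse_logs([ls1, ls2])])
    print("discarded on engine:", [e.timestamp for e in fw.discarded])
```

Running the scenario shows why the level matters beyond "is it stored": during the double outage the only entry lost is the oldest Stored one, while the Essential and Alert entries survive the spool pressure and are delivered once the primary returns, and the merged view hides which server holds which entry.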
The system can also produce detailed diagnostics logs, and always produces some other internal log entries (such as entries related to policy installation).

Firewalls, IPS engines, and Layer 2 Firewalls send their log entries directly to the Log Server. The Log Server either stores the entries or just relays them to be viewed in the Logs view.

If administrative Domains are configured, all log, alert, and audit entries are Domain-specific. When you log in to a Domain, only the entries related to that specific Domain can be viewed or managed. However, audit entries from all Domains are displayed to administrators that are logged in to the Shared Domain.

Log entry type: log messages
▪ Records of connections triggered by matching rules, sent by NGFW Engines.
▪ Audit log messages sent by Management Center servers.
▪ Log messages sent by third-party devices.

The Logs view can show entries generated by any system components and third-party components that send data to the SMC. The logged data includes alert and audit entries (depending on administrator rights). You can filter the display by any combination of details that exist in the records. By default, log browsing uses the local time zone set in the operating system of the computer on which the Management Client runs.

The log entry table in the default Records arrangement is the primary way to view logs. You can freely select which details are shown and change the order of the columns. Different types of entries include different types of information, so each log entry does not necessarily use all columns.

The time range and other criteria for filtering the log display are set in the Query panel.

By default, log entries are sorted according to their creation time.
You can alternatively sort log entries according to any other column heading.

The Timeline is a visual navigation tool. It provides you with a reference point for how the current view relates to the Query you are browsing. It also allows you to quickly move within the time range.

The Fields panel provides alternative views of the log entry that is currently selected. The Watchlist item in the Fields panel allows you to create a customized list of fields for your own use.

Logs view
One common view for all log entry types.

[Figure: Logs view layout: Logs icon, Logs toolbar, Query panel, Log entry table, Timeline for browsing, Watchlist for fields.]

The Logs view has two operating modes:
• In Normal mode, you can browse stored log entries freely from any time period.
• In Current Events mode, the view automatically updates to show the most recently received log entries until you select an entry or deactivate Current Events mode. Both Stored and Transient log entries appear in Current Events mode.

Column selection: You can customize the columns shown in the Logs view. You can always drag a column header to a different location to change the order of the columns.

You can visualize log data in four different arrangements:
• Records arrangement.
It allows you to view selected details of many entries at a time. The columns in the table are fully customizable.
• Statistics arrangement allows you to generate basic summaries of the log data currently displayed in the Logs view, with the possibility to drill into the logs through individual chart items.
• Details arrangement gives an overview of an individual log entry.
• Log Analysis arrangement provides various tools with which to analyze and visualize log data. You can, for example, combine logs by Service or Situation, sort logs by column type, or view the data as charts or diagrams. This makes it easier to notice patterns and anomalies in traffic.

Logs view: Logs toolbar

[Figure: Logs toolbar controls: Current Events / Normal mode, Go to first / last stored entry, Log visualization, Column selection, Logs view customizations.]

Log Data Contexts specify which type of log data is displayed in the Logs view and in the Reports view. You can select a predefined Log Data Context or create a new Log Data Context. You can also define the selection of columns for each Log Data Context.
You can also save user-specific settings, save the modified column selection as the default settings, or reset the columns to the default settings for each Log Data Context.

Log data contexts
▪ Log data contexts allow for even smoother log browsing.
▪ Many predefined log data contexts, for example:
  • Firewall
  • VPN
  • Inspection
▪ Customized log data contexts for defining:
  • Column sets
  • Combinations of different log data

You can use Filters to select data for many operations, such as viewing log entries in the Logs view or generating statistical reports. Filters allow you to efficiently manage the large amount of data that the system generates. Filters select entries by comparing the values defined in the Filter to each data entry included in the filtering operation. The operation can use the filter to either include or exclude matching data.

There are two types of filters used in the Management Client:
• Local filters that are specific to a view or an element. They are temporary filters in the sense that they disappear when you close the view.
• Permanent Filter elements that you can use anywhere in the Management Client.
There are predefined permanent Filters, and you can also create new permanent Filters.

You can create filters in four basic ways:
• Based on criteria you define: you can create a new local filter or Filter element and define any combination of filtering criteria in the Filter properties, constructing the filter completely yourself.
• Based on other Filters: you can duplicate a Filter element or copy/paste parts of filter contents to other Filters to create a variation of previously defined filtering criteria.
• Based on existing log entries: you can create local filters in views where you view logs and save them as permanent Filter elements.
• Based on element configuration: some local filters are created automatically by your selections in specific views or elements.

Local filters: log filtering
▪ Drag & drop log fields to create local filters.
▪ Local and permanent filters can be combined.

Knowledge check
1. What is an Access Control List?
2. How can you restrict administrator access?
3. Why should you take Management Server backups?
4. When would you use Management Server high availability?

Answers:
1. A list of elements to which an SMC Administrator has access.
2. Through use of ACLs and Roles.
3. For disaster recovery purposes and troubleshooting.
4. For disaster recovery and availability.

Knowledge check
5. What does the Pending Changes pane show?
6. What are the different log entry types in the NGFW system?

Answers:
5. It shows configuration and policy changes that have not yet been transferred to the engines.
6. Audit logs, logs triggered by rule match in NGFW, and third-party logs.

NGFW Policies and Templates

Module objectives

After successfully completing this module, you will be able to:
▪ Describe the types of NGFW policies.
▪ Define firewall policy templates.
▪ Create a firewall policy hierarchy.
▪ Describe the benefits of aliases and continue rules.

Objective: Describe the types of NGFW policies.

A policy is a set of rules that determines how traffic is filtered and inspected.
There is a corresponding policy for each NGFW role: Firewall, Layer 2 Firewall, and IPS policy.

NGFW policy types
One policy for each NGFW role (diagram: Firewall Role uses a Firewall Policy, Layer 2 Firewall Role uses a Layer 2 Firewall Policy, IPS Role uses an IPS Policy).

The Firewall Policies contain Access rules according to which the Engines deployed in the Firewall role allow or block traffic.

• IPv4/IPv6 Access rules filter traffic based on IP addresses and IP-based protocols. These rules control access to resources. There are separate Access rules for IPv4 and IPv6 traffic.
• Firewall Policies reference an Inspection Policy that contains the rules according to which the Engines inspect the traffic, based on patterns in any of the traffic that goes through them.
• Firewall Policies reference a File Filtering Policy that restricts the file types that are allowed in and out through the firewall and applies malware detection to files.
• Firewall Policies contain NAT rules that change source and/or destination IP addresses in traffic that is allowed to pass through the firewall.

The same Firewall Policy can be shared by several Firewall engines. The same Inspection Policy and File Filtering Policy can be referenced by several Firewall Policies, IPS Policies, and Layer 2 Firewall Policies.

Rule types in a firewall policy
(Diagram labels for the Firewall Policy of the Firewall role: IPv4/IPv6 Access Rules, NAT Rules, Inspection Policy with Inspection Rules, File Filtering Policy with File Filtering Rules, Layer 2 Interface Policy with Ethernet Access Rules, Routing.)

The NGFW Policy is the element that gathers all the rules from the different policy elements. It contains the rules added directly to the policy, the rules inherited from the Template Policy used as the basis of the policy, the rules from Sub-Policies, and the rules from the Inspection Policy and File Filtering Policy.

NGFW policy
The NGFW policy gathers all the rules from the different policy elements:
▪ Template policy
▪ Inspection policy
▪ Sub policy
▪ File Filtering policy
(Diagram labels: NGFW Policy, Firewall Template, Custom Template, Access Control and NAT Rules, Sub Policy, Inspection Policy, File Filtering Policy.)

Traffic processing rules are organized hierarchically to make administration easier and to optimize traffic inspection performance.

Each policy must always be based on a Template Policy. Template Policies contain rules that are inherited by any template or policy below them in the policy hierarchy. Template Policies are very similar to regular policies and are usually based on predefined Template Policies. None of the default Template Policies can be modified.

You can create a customized template to enforce company rules that cannot be overwritten in the regular policy, or to define the traffic to be inspected.
By inheriting Firewall Policies from your customized template, these company rules are applied to each Firewall. After covering the Firewall policy templates provided by the system, we will see in more detail an example of a customized template.

Using Template Policies has several advantages:
• Reduces the need for creating the same rule or a similar rule in several policies.
• Can enforce administrative boundaries.
• Reduces the likelihood of mistakes affecting important communications.

NGFW policy templates
▪ Each NGFW Policy must always be based on a template policy.
▪ Template Policies reduce the need for creating the same rule in several policies.
▪ Template Policies can enforce administrative boundaries.
(Diagram: an NGFW Policy built on a Custom Template, itself built on the Firewall Template. The Firewall Template rules come first; the Custom Template rules are inserted at the Firewall Template Insert Point, and the NGFW Policy rules at the Custom Template Insert Point.)

Objective: Define firewall policy templates.

NGFW firewall templates
(Diagram: the Firewall Templates are the Firewall Template and the Firewall Inspection Template.)

There are predefined Template Policies for each of the NGFW roles. None of the predefined Template Policies can be modified. However, you can make a copy of a predefined Template Policy if you need to create a modified version.

The SMC provides two usable Firewall Template Policies for the Firewall role: the Firewall Template and the Firewall Inspection Template. The Firewall Template contains the predefined access rules necessary for the Firewall engine to communicate with the Management Center and some external components. The Firewall Template does not enforce any inspection policy, while the Firewall Inspection Template enforces the High-Security Inspection Policy.

For the Layer 2 Firewall role, the system provides the Layer 2 Firewall Template and the Layer 2 Firewall Inspection Template.

For the IPS role, there are also two predefined templates. Both IPS Templates contain the predefined Access rules necessary for the IPS engine to communicate with the Management Center and some external components. The high-security IPS Template Policy uses Inspection rules from the High-Security Inspection Policy. It is the recommended template for the IPS role and provides an easy starting point for determining what kinds of rules your system needs.

The Firewall Template is available for the Firewall role and provides access control without enforcing any Inspection Policy. It uses the No Inspection Policy, which does not contain any inspection rule.

Firewall Template
By default, the Firewall Template provides access control without enforcing any inspection policy.
(Diagram: NGFW Policy on the Firewall Template with the No Inspection Policy: access control only.)

The Firewall Inspection Template is based on the Firewall Template.
It uses the Inspection rules defined in the High-Security Inspection Policy. The Firewall Inspection Template enables deep inspection for all traffic.

The Firewall Inspection Template provides an easy starting point if you want to use the IPS capability of the Next Generation Firewall and send all the traffic allowed by the Firewall to be deep inspected.

Using the Firewall Template or the Firewall Inspection Template for your firewall policy allows you to easily configure your Firewall to enforce or deactivate traffic inspection. Using your own templates, you can fine-tune which parts of the permitted traffic you want to inspect and which inspection policy you want to enforce.

Firewall Inspection Template
The Firewall Inspection Template enables deep inspection for all traffic and enforces the High-Security Inspection Policy.
(Diagram: NGFW Policy on the Firewall Inspection Template with the High-Security Inspection Policy: access control plus deep packet inspection.)

Let's now look at the rules defined in the Firewall Policy Template.

In the IPv4 tab, we notice the IPv4 Insert Point. It marks the place where rules are inserted in Policies or custom Template Policies that use the Firewall Template.

The last rule before the end of the policy is a rule that discards all traffic and creates a log entry that is stored. This rule's purpose is to ensure that the dropped connection is logged, since the firewall silently drops connections without creating a log entry if the matching process reaches the end of the policy.

Above the IPv4 Insert Point, we see the Automatic Rules Insertion Point. Default automatic rules are created for traffic to and from the engine, never for traffic that passes through the engine. When you enable a feature that requires communication between certain components to be allowed, rules allowing the traffic are automatically created and inserted at the Automatic Rules Insert Point. For example, Automatic Rules allow various kinds of system communications.

If we look at the Inspection Policy tab of the Firewall Policy Template, we see that it uses the Inspection rules defined in the No Inspection Policy, which does not enforce any inspection.

The Firewall Template uses the Default File Filtering Policy, which applies the advanced malware sandbox, Anti-Malware scan, and File Reputation settings defined in the engine editor to some traffic by default.

Firewall Template
IPv4 Rule tab (screenshot labels: Automatic Rules Insertion Point, IPv4 Insert Point, Deny All and Log Connection, No Inspection and File Filtering Policy).

When you enable a feature that requires communication between certain components to be allowed, rules allowing the traffic are automatically created. Automatic rules are created for traffic to and from the engine, never for traffic that passes through the engine. Some features require more specific control over what traffic is allowed between specific components, and in those cases you still have to configure Access rules manually. Automatic rules are detailed in the engine editor.
Logging for automatic rules is not enabled by default, but you can modify the log level.

Firewall automatic rules
▪ Automatic rules
▪ System communications
▪ Add-on component communications
(Screenshot labels: Log Level and Alerts, Summary of Rules.)

Objective: Create a firewall policy hierarchy.

Each policy must always be based on a Template Policy. A Template Policy provides many advantages. It reduces the need for creating the same or a similar rule in several policies. It can also enforce administrative boundaries and prevent modifications from unintentionally changing the main design of your rules. As such, it reduces the likelihood of mistakes affecting important communications.

This example illustrates a hierarchy of Firewall Templates and Policies. The main policy inherits rules from the Firewall Template and from a customized template. The Firewall Template contains the access rules necessary for system component communication, like Firewall to Security Management Center connections. The customized template enforces logging for all traffic and prevents the usage of social applications. This template is shared by all company Firewalls. The main policy contains rules that are specific to the Firewall on which the policy will be uploaded. For example, the Atlanta policy allows inbound traffic to the web server in the Atlanta DMZ and outbound traffic originating from the Atlanta internal site.

Hierarchical policies: policy templates
(Diagram: the Firewall Template; a Custom Template with the rules Log All Traffic, Facebook, LinkedIn, Twitter; and the Atlanta Policy, Helsinki Policy and Paris Policy, each with the rules Inbound Traffic to Web Server and Outbound Traffic.)

Hierarchical policies: policy templates
(Screenshot of the Atlanta Policy, showing in order: Firewall Template Rules, Custom Template Rules, Atlanta Policy rules, Firewall Template Rules.)

This screenshot shows the configuration of the Atlanta Policy with the rules inherited from the Firewall Template and the custom template. Because rules are processed from the top down, rules inherited from the templates match first. The local administrator can be given rights to edit the policy without being able to override the rules inherited from higher-level templates.

In the custom template rules, we notice a rule with a special action, the Continue action. This rule allows you to define options for the traffic matching the rule without performing any access control. After matching the Continue rule, the traffic is sent to the next rule. In this example, the Continue rule is used to set the logging option.
You will see other usage in an upcoming slide.

Objective: Describe the benefits of aliases and continue rules.

In shared rules, Alias elements can mark IP addresses that depend on the environment, so that the actual values are defined separately for each component. The values that the Aliases receive depend on the translation value you set for each Alias in each engine element's properties. This way, the same Policy, Policy Templates, or Sub-Policies can be used on several engines, and the IP address information is filled in correctly according to the translation values for each engine.

Predefined Alias elements provided by the system start with two $$ symbols. System Aliases cannot be modified. User-modifiable and user-created Alias elements start with one $ symbol.

Hierarchical policies: alias elements
Share your policies using alias elements.
▪ These make it easy to use the same policy on several engines.
▪ The alias represents one or several IP addresses.
▪ The values of the alias are defined separately for each component.
▪ These are most useful in template policies and sub-policies.

A rule with the Continue action does not perform any access control but sets default options for the traffic matching process. Options set in Continue rules are used for subsequent rules that match the same criteria as the Continue rule, unless those rules are specifically set to override the options. This way, you do not have to define the settings for each rule separately. A Continue rule can be used to set a logging option, assign a Quality of Service (QoS) class, or tag specific traffic for deep inspection.

Continue rules are also very useful in the hierarchical structure of the policies. Firewall Template Policies are particularly convenient for setting options with a Continue rule, because all the Firewall Policies and Firewall Template Policies that use the Firewall Template Policy inherit the option settings you have specified.

Hierarchical policies: continue rules
▪ The Continue action can be used for:
• Logging options
• Deep inspection
• Protocol agents
• QoS classes
▪ Commonly used in templates

Hierarchical policies: sub-policies
▪ Easier policy management with shorter main policies
▪ Faster rule traversal
▪ Option to limit administrator rights to sub-policies only
(Diagram: Main Policy with Rule 1, Rule 2 (Jump), Rule 3; the Jump enters the Sub-Policy, which then returns to process the next rule or drops the packet.)

Firewall Sub-Policies are sections of Access rules that you can insert into Policies, Template Policies, and even other Sub-Policies to make the engine process traffic more efficiently. Sub-Policies are not based on any Template Policy.
You cannot insert NAT rules or Inspection rules into Sub-Policies.

Sub-Policies may make it easier to read the policies and to assign editing rights to administrators. For example, you can give some administrators the rights to edit only certain Sub-Policies without giving them rights to edit Policies.

You can also use Sub-Policies to organize rules. A Sub-Policy is inserted into another policy element by adding a Jump rule to that policy element. The Jump rule directs connections that match the Jump rule to be matched against the rules in the Firewall Sub-Policy.

1. Packet processing is handled top down. Each rule is checked, and if a match is found, the actions are taken. If the rule is a Jump rule, the Sub-Policy is checked.
2. If a Jump rule does not match, the engine can skip all of the sub-rules at once and continue traversing the main policy.
3. If the Jump rule matches, the Sub-Policy is traversed as if it were part of the main policy.
4. At the end of the Sub-Policy, processing returns to the main policy and continues.

Note: Sub-Sub-Policies do not return to the previous Sub-Policy. This is to prevent continuous looping within the Sub-Policies.

Knowledge check
1. What are the four main types of rules in a Firewall Policy?
2. What is the benefit of using Policy Templates?
3. What is a Continue rule?
4. What is an alias?
5. What types of rules are included in the Firewall automatic rules?

1. Firewall rule types are Access, Inspection, File Filtering, and NAT.
2. Policy Templates allow you to have common rules for multiple firewall policies, thereby enforcing administrative boundaries and reducing the likelihood of mistakes.
3. A Continue rule sets default options for traffic matching.
4. An alias represents one or several IP addresses that will translate differently for each engine.
5. The firewall automatic rules include management rules and other settings used in common services and tasks.

Access Control and NAT

Module objectives
After successfully completing this module, you will be able to:
▪ Explain how traffic is matched in access rules.
▪ Explain the different types of access rules.
▪ Describe the actions for processing traffic in access rules.
▪ Explain the different types of NAT.
▪ Configure NAT rules.

Objective: Explain how traffic is matched in access rules.

A Firewall Policy is an element that gathers together all the rules from the different policy elements: the rules inherited from the Template Policy, the rules from the Inspection Policy, and the rules from the File Filtering Policy.

Let's focus on the access control rules in the Firewall Policy.

Access rules are traditionally used to match traffic based on information contained in the IP header. Other criteria that can provide additional security can also be used, such as matching by interface to restrict traffic, or restricting traffic to specific users or to certain times of the day. The matched traffic can be allowed, allowed on condition, or stopped.

IMPORTANT: Rule order is crucial.

The most important thing to keep in mind when editing Template Policies, Firewall Policies, and Firewall Sub-Policies is that the access control rules are processed from top to bottom. The Allow, Refuse, and Discard actions, and the action Use IPsec VPN with the Enforce option, stop the processing from continuing down the rule table for any connection that matches the rule.
Therefore, rules with any of these actions must be placed so that the more limited a rule is in scope, the higher up in the rule table it is.

Matching traffic in Access Rules
▪ Access rules are configured in the Firewall Policy.
▪ Rules are processed in order, from top to bottom.
▪ More specific rules should be placed above more general rules.
▪ A match stops processing traffic for most actions.
Standard traffic matching criteria:
▪ Source and destination, such as IP address
▪ Protocol-specific information, such as ports
Additional matching criteria (IPv4):
▪ Engine on which VPN traffic terminates
▪ User authentication
▪ Date and time
(Diagram labels: Access control rules, Processing, Action.)

Ethernet rules are used by IPS Policies, Layer 2 Firewall Policies, and Layer 2 Policies for the Firewall role. Ethernet rules are lists of matching criteria and actions that define whether Ethernet protocol traffic is allowed or discarded.
• The traffic matching in Ethernet rules is based on the source and destination MAC addresses in the packets. Any Ethernet network traffic can be checked against the Ethernet rules.
• When some traffic is found to match an Ethernet rule, the traffic can be allowed or discarded. Regardless of the action taken, a matching rule can also create a log or alert entry.
• The Logical Interface cell is also matched against traffic, but it is not mandatory to change it if you want the rule to apply regardless of the interface. The same logical interface may be assigned to one or several interfaces, as configured in the properties of the layer 2 interfaces.
• The traffic allowed by Ethernet rules is then sent to the IPv4 and IPv6 access control rules for further inspection.

Ethernet access rules
▪ Defined in Firewall Layer 2 Interface Policies, IPS Policies, and Layer 2 FW Policies.
▪ Requires configuration of Layer 2 Interfaces for the Firewall role.
(Screenshot labels: the logical interface the traffic is picked from; the order of the rules in the policy; source/destination MAC addresses; Ethernet frame type; action allow/discard; logging options; unique identifier for the rule; number of connections that have matched the rule; mandatory fields for matching traffic.)

Objective: List the different types of access rules.

IPv4/IPv6 Access rules are lists of matching criteria and actions that define how the engine treats different types of network traffic. They are your main configuration tool for defining which traffic is stopped and which traffic is allowed.

The traffic matching is based on the information contained in the packets:
• The source and destination IP addresses, and protocol-specific information, such as the port information for protocols that use ports.
• You can also match traffic based on Network Applications, Users or User Groups, interface Zones, Countries, or Domain Names. Elements such as Users, Domain Names, and URL Categories are dynamically resolved by the security engine.

Additional matching criteria that are not based on information in the packets can also be configured.
This includes:
• The VPN the traffic is coming from.
• User Authentication, which allows the creation of rules that define the end users who are allowed to make connections and the Authentication Methods for those end users.
• The day of the week and the time of day, allowing rules to be enforced only during certain times, such as working hours. It is also possible to specify when a rule starts being enforced and when each rule automatically expires. The rule validity time can refer to the NGFW engine's local time.

Access Rules (IPv4/IPv6)
Defined in:
▪ Firewall Policy
▪ L2 Interface Policy
▪ L2 FW Policy
▪ IPS Policy
(Diagram labels: Source, Destination and Services are the mandatory fields for matching traffic; Network Elements, Zones, Users and User Groups, Domain Names, Countries, URL Lists, Network Applications, Protocol Agents, URL Categories; additional matching criteria: Source VPN, Authentication Services, Users and User Groups, Validity Time.)

The Access rules in policies provide several different ways to react when some traffic is found to match a rule. Each action provides specific options for VPN, connection tracking, deep inspection, anti-malware, user responses, and blocklisting. These options will be reviewed in detail in the coming slides.

If the Allow action is used, the connection is let through the Firewall. If the Discard action is used, the connection is silently dropped. It is important to note the difference between the Discard and Refuse actions. When the Refuse action is used, traffic is dropped and an ICMP error message or a TCP reset (for TCP connections) is sent in response to the source.

The Blocklist action checks the packet against the blocklist requests received by the engines. If the packet matches a blocklist entry, the connection is discarded.

If the Jump action is used, matching continues in the specified Sub-Policy until a match is found. If there is no matching rule in the Sub-Policy, the process resumes in the main policy. If the Jump rule itself does not match, the matching process continues to the next rule.

To avoid defining the same settings for several rules individually, remember to use Continue rules to set default values like logging or deep inspection.

Access Rules (IPv4/IPv6)
Defined in:
▪ Firewall Policy
▪ L2 Interface Policy
▪ L2 FW Policy
▪ IPS Policy
(Diagram: Action, what is done when traffic matches: Discard, Allow, Refuse, Jump, Blocklist, Continue; a label marks the actions that stop packet processing.)

By default, a rule's Logging options are undefined, which means that the rule uses the logging options set in the previous Continue rule above it. If there is no previous Continue rule, a Stored-type log entry is created. Logging for the closing of the connection can be turned on or off, or on with accounting information.
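The matching semantics described in this module and in the policy hierarchy section above (top-down processing of template and policy rules, Continue rules supplying defaults that a later rule's own options override, Jump rules entering a Sub-Policy and returning to the main policy on no match, Alias values translated per engine, and the terminating Allow, Discard and Refuse actions) are modelled in the following added Python example. It is not Forcepoint code or the SMC API; every rule, alias name ($ INTERNAL, $ DMZ_WEB, $ SMC, $ ENGINE) and address in it is constructed for the illustration.

```python
"""Toy model of the hierarchical access-rule processing this module describes.
Added illustration, not Forcepoint code or the SMC API; all rules, aliases and
addresses are constructed for the example."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

TERMINATING = {"allow", "discard", "refuse"}  # these actions stop processing

@dataclass
class Rule:
    src: str                  # CIDR, "any", or an alias such as "$ INTERNAL"
    dst: str
    service: str              # e.g. "tcp/80", "app/facebook", or "any"
    action: str               # allow | discard | refuse | continue | jump
    options: dict = field(default_factory=dict)  # own options beat Continue defaults
    sub_policy: Optional[list] = None            # rules entered by a Jump rule

@dataclass
class Packet:
    src: str
    dst: str
    service: str

def resolve(value: str, aliases: dict) -> str:
    """Translate a $-alias into the value set for this engine; others pass through."""
    return aliases.get(value, value) if value.startswith("$") else value

def matches(rule: Rule, pkt: Packet, aliases: dict) -> bool:
    for want, got in ((rule.src, pkt.src), (rule.dst, pkt.dst)):
        want = resolve(want, aliases)
        if want != "any" and ip_address(got) not in ip_network(want, strict=False):
            return False
    return rule.service in ("any", pkt.service)

def process(rules, pkt, aliases, defaults=None, in_sub=False):
    """Walk rules top-down; return (action, effective options), or None when
    the end of the list is reached without a terminating match."""
    opts = dict(defaults) if defaults else {"log": "stored"}  # no Continue rule yet
    for rule in rules:
        if not matches(rule, pkt, aliases):
            continue
        if rule.action == "continue":       # set defaults for later matching rules
            opts.update(rule.options)
        elif rule.action == "jump":         # divert into the Sub-Policy
            hit = process(rule.sub_policy, pkt, aliases, opts, in_sub=True)
            if hit is not None:
                return hit
            if in_sub:                      # a Sub-Sub-Policy returns to the main
                return None                 # policy, not to the previous Sub-Policy
        elif rule.action in TERMINATING:    # the rule's own options override Continue
            return rule.action, {**opts, **rule.options}
    return None

def assemble(templates, policy_rules):
    """Flatten a template chain (outermost first). A template is a pair of rule
    lists (above its Insert Point, below it); the level beneath is spliced in."""
    rules = list(policy_rules)
    for above, below in reversed(templates):
        rules = list(above) + rules + list(below)
    return rules

def decide(policy, pkt, aliases):
    """Final verdict: reaching the end of the policy is a silent, unlogged drop."""
    return process(policy, pkt, aliases) or ("discard", {"log": "none"})

# Constructed hierarchy in the spirit of the Atlanta example in the text.
FIREWALL_TEMPLATE = (
    [Rule("$ SMC", "$ ENGINE", "any", "allow")],               # system communication (simplified)
    [Rule("any", "any", "any", "discard", {"log": "stored"})],  # closing "deny all and log" rule
)
CUSTOM_TEMPLATE = (
    [Rule("any", "any", "any", "continue", {"log": "stored", "accounting": True}),
     Rule("$ INTERNAL", "any", "app/facebook", "discard")],    # social application blocked
    [],
)
OUTBOUND_SUB_POLICY = [
    Rule("$ INTERNAL", "any", "tcp/443", "allow"),
    Rule("$ INTERNAL", "any", "udp/53", "allow", {"log": "none"}),  # overrides inherited logging
    Rule("$ INTERNAL", "any", "tcp/22", "refuse"),
]
ATLANTA_RULES = [
    Rule("any", "$ DMZ_WEB", "tcp/80", "allow"),                # inbound to the DMZ web server
    Rule("$ INTERNAL", "any", "any", "jump", sub_policy=OUTBOUND_SUB_POLICY),
]
ATLANTA_POLICY = assemble([FIREWALL_TEMPLATE, CUSTOM_TEMPLATE], ATLANTA_RULES)

# The same policy on two engines: only the alias translation values differ.
ATLANTA = {"$ SMC": "192.0.2.5/32", "$ ENGINE": "192.0.2.1/32",
           "$ INTERNAL": "10.1.0.0/16", "$ DMZ_WEB": "203.0.113.10/32"}
HELSINKI = {**ATLANTA, "$ INTERNAL": "10.2.0.0/16", "$ DMZ_WEB": "203.0.113.20/32"}

if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "203.0.113.10", "tcp/80"),
                Packet("10.1.4.4", "198.51.100.7", "udp/53"),
                Packet("10.1.4.4", "198.51.100.7", "tcp/25")):
        print(pkt, "->", decide(ATLANTA_POLICY, pkt, ATLANTA))
```

Running the same ATLANTA_POLICY with the HELSINKI aliases shows why the web-server rule is shareable: the rule text is identical, only the translated addresses change.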
You must collect accounting information if you want to create reports that are based on traffic volumes.

You can assign a specific QoS Class to any traffic that you can match with an Access rule. The QoS Class and the associated traffic may be interpreted differently depending on whether it is used in a QoS Policy, a VPN tunnel, or an outbound multilink element.

Each rule has a unique identifier that is automatically created and updated. You can optionally specify a name for each rule.

Access Rules (IPv4/IPv6)
Defined in:
▪ Firewall Policy
▪ L2 Interface Policy
▪ L2 FW Policy
▪ IPS Policy
(Screenshot labels: unique identifier for the rule; options for logging; QoS class assigned to matching connections.)

Objective: List the actions for processing traffic in access rules.

The Allow action options define the various aspects of firewall traffic handling. If no options are specified, the settings defined in Continue rules higher up in the policy are used. The following options can be configured in the Allow action options:
• Forward traffic to a Proxy: you can configure traffic forwarding to a proxy directly in the Access rules with this option, rather than in the NAT rules.
• Send traffic to a VPN: the VPN actions are used to send traffic to the VPN tunnel. The traffic selected for VPN in the access rule must match the VPN tunnels in the VPN configuration.
• Deep Inspection: this option selects traffic that matches this rule for checking against the Inspection Policy referenced by this policy. Traffic is inspected as the Protocol that is attached to the Service element in this rule.
• Network Application Latency Monitoring: collects application health-related information, which is then visible in the Application Health Monitoring dashboard.
• File Filtering: this option selects traffic that matches this rule for checking against the File Filtering Policy referenced by this policy.
• Decryption: defines whether traffic that matches the rule is decrypted for TLS inspection or by the SSM HTTP Proxy.

Allow Action options
▪ Action options contain additional settings for the selected action:
▪ Allow options
• Forward traffic to a proxy
• Send traffic into a VPN
• Deep inspection
• Network application latency monitoring
• File filtering
• Decryption

Advanced Allow Action Options

Connection Options
• You can control stateful connection handling by setting options for connection tracking, including idle timeouts and TCP segment size enforcement. Connection tracking is on by default in the NGFW, and this feature keeps track of all currently open connections. It supports TCP, and even though UDP and ICMP are stateless protocols, information about these connections can be obtained from the packets and used to build virtual connections. Connection tracking is required if using Network Address Translation. The recommended mode is the default Normal mode. It ensures that a TCP handshake is completed for TCP traffic, maintains a connection entry for other protocols, and allows reply packets without explicit rules. If the Service in the rule has a Protocol Agent, additional checks are done based on the Protocol Agent configuration.
If a protocol violation occurs, the connection is dropped.

• The Idle timeout is meant for clearing the firewall's records of old connections that the communicating hosts have left hanging. Make sure you don't set excessively long timeouts, so that firewall resources are not over-consumed.

• The Synchronize connections option defines whether connections matching this rule are synchronized to the other nodes in the cluster.

• Enforce TCP maximum segment size (MSS) defines whether the NGFW enforces a minimum or maximum size for the TCP MSS. Headers are not included in the MSS value; the MSS concerns only the payload of the packet.

Allow Action options
▪ Action options contain additional settings for the selected action:
▪ Advanced allow options
  • Connection tracking
  • Idle timeout
  • Connection synchronization in clusters
  • Enforce TCP MSS
  • DoS protection

DoS protection Options
• Connection Limiting is an efficient way to prevent denial of service attacks, and because the limit can also be set per destination IP address, it provides protection against distributed denial of service attacks as well.
• You can enable or disable rate-based DoS protection and scan detection at the rule level if they have not been disabled in the properties of the individual Security Engines.

User Responses allow you to send a customized reply to the user instead of just ending the connection when an HTTP or HTTPS connection is not allowed to continue. This makes it possible to explain to the user why the connection was stopped, instead of simply closing the connection with no notification.

User Responses can be used in Access Rules and in Inspection Policies.

You can define a different User Response entry for each of the following cases in which an HTTP or HTTPS connection is not allowed to continue:
• Connection Blocklisted: (HTTP only) The connection was discarded according to a rule with the Apply Blocklist action.
• Connection Discarded by Access Rule: The connection was dropped according to an Access rule with the Discard action.
• Connection Terminated by Inspection Rule: The connection was terminated according to the Inspection Policy.
• URL Not Allowed: The connection was terminated by one of the special URL filtering situations.
• Virus Found: The Anti-Virus feature found a virus on the web page.

Action options: user response
▪ When the FW detects a pattern to be blocked in HTTP(S) connections, users can be notified by:
  • HTTP(S) redirect
  • HTML-based responses for HTTP(S)
▪ HTML-based responses apply to:
  • Connection blocked by access rule
  • Connection blocked by inspection
  • URL not allowed
  • Virus found
  • Blocklisting

Objective: Explain the different types of NAT.

Static source NAT typically translates the internal ("real") IP address of an internal host to a different IP address in the external network.

With Static Source Address Translation, the IP address of a certain host is always translated using the same specific IP address.

The original source address is the actual assigned IP address of a device on an internal network or DMZ. The address is translated to a public IP address belonging to the public IP address range assigned by the Internet service provider (ISP).

You can also define static translation for whole same-size networks at once if needed.

In the illustration:
• Step 1: the packet starts out with the internal source (SRC) and external destination (DEST) addresses.
• Step 2: the firewall replaces the internal source address of the packets with a new source address.
• Step 3: the server responds using the host's new source address.
• Step 4: connection tracking information is used to automatically translate any reply packets. So as the server responds, the destination address in the server's response is replaced with the original address of the internal host, ensuring that the responses find their way back to the host.

NAT – Static Source Address Translation
▪ The source IP address of a certain host is always translated using the same specific IP address.
▪ One-to-one relationship.

Illustration (protected network host 192.168.1.101; firewall public IP addresses 212.20.1.100, 212.20.1.101, …; Internet server 129.40.1.22):
1. Host → firewall: SRC 192.168.1.101, DEST 129.40.1.22
2. Firewall → server: SRC 212.20.1.100, DEST 129.40.1.22
3. Server → firewall: SRC 129.40.1.22, DEST 212.20.1.100
4. Firewall → host: SRC 129.40.1.22, DEST 192.168.1.101

Dynamic source NAT typically translates the internal IP addresses of several internal hosts to one or a few external IP addresses.
It is used to hide the internal network structure from outsiders and to avoid acquiring a separate public IP address for each of the hosts.

Dynamic source translation allows translating many original IP addresses to a much smaller pool of translated addresses, even a single IP address.

Dynamic source translation is often used to mask the internal networks of a company behind one or a few public, routable IP addresses provided by an ISP.

The illustration shows the process for dynamic source translation.

Since dynamic source translation involves multiple hosts using the same IP address, the firewall needs some additional information to differentiate the connections when the reply packets arrive. So, the host forwards a packet, and the firewall not only translates the source IP address but also translates the source port. This is forwarded to the server, and when the server replies, it is the port that is used to locate the internal host. The firewall translates the destination address and port back to the original source address and port of the host.

Note: It is quite important not to mix the same NAT address in dynamic and static NAT. The cluster NDI address must never be used as a NAT address: if the NDI address of a node is used as the NAT address and that node is switched off, the translated address is no longer available.

NAT – Dynamic Source Address Translation
▪ IP addresses of one or more networks or address ranges are translated to a single IP address or a pool of addresses in another network.
▪ Many-to-one/many-to-some relationship.

Illustration (protected network host 192.168.1.101; firewall public IP address 212.20.1.100; Internet server 129.40.1.22):
1. Host → firewall: SRC 192.168.1.101:9057, DEST 129.40.1.22:80
2. Firewall → server: SRC 212.20.1.100:9345, DEST 129.40.1.22:80
3. Server → firewall: SRC 129.40.1.22:80, DEST 212.20.1.100:9345
4. Firewall → host: SRC 129.40.1.22:80, DEST 192.168.1.101:9057

Static destination NAT typically translates the public IP address of an internal host to its private IP address, so that the host (server) can receive new connections from external hosts.
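The three translation types this section describes, worked through in one added example (a constructed model, not Forcepoint code): an ordered NAT rule table matched top-down with first-match semantics, including a rule with no NAT cell; static source, dynamic source (with the source port rewritten) and static destination translation; reverse translation of reply packets from the connection tracking entry; the check for the same NAT address being used by both dynamic and static rules that the note above warns against; and the Proxy ARP decision for translated addresses, which the Proxy ARP section later in this module explains. The rule set, the port allocator starting at 9345 and the addresses 212.20.1.102 and 192.168.1.50 are assumptions for the example; the other addresses come from the illustrations.

```python
"""NAT rule table with connection tracking (constructed example, not Forcepoint code)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
import itertools


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    src_net: str                 # matching criteria (CIDR)
    dst_net: str
    kind: str = "none"           # "static_src", "dynamic_src", "static_dst" or "none" (no NAT cell)
    translated: str = ""         # new source (static_src/dynamic_src) or new destination (static_dst)
    proxy_arp: bool = True       # Proxy ARP is on by default in the NAT cell

    def matches(self, pkt):
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net))

    def nat_address(self):
        """The address the firewall presents on the outside for this rule, if any."""
        if self.kind in ("static_src", "dynamic_src"):
            return self.translated
        if self.kind == "static_dst":
            return self.dst_net.split("/")[0]   # the public address that is matched
        return None


class NatEngine:
    def __init__(self, rules, interface_ips):
        self.rules = list(rules)               # ordered: more specific rules first
        self.interface_ips = set(interface_ips)
        self.conntrack = {}                    # translated 4-tuple -> original packet
        self._ports = itertools.count(9345)    # dynamic NAT source-port allocator (assumed)

    def translate_new(self, pkt):
        """Apply the first matching NAT rule to the first packet of a connection."""
        rule = next((r for r in self.rules if r.matches(pkt)), None)
        if rule is None or rule.kind == "none":
            out = pkt                           # no NAT cell: traffic passes untranslated
        elif rule.kind == "static_src":         # one-to-one, ports unchanged
            out = replace(pkt, src=rule.translated)
        elif rule.kind == "dynamic_src":        # many-to-one: source port rewritten too
            out = replace(pkt, src=rule.translated, sport=next(self._ports))
        elif rule.kind == "static_dst":         # public address -> private server address
            out = replace(pkt, dst=rule.translated)
        else:
            raise ValueError(rule.kind)
        # Remember the mapping so the reply can be translated back (step 4).
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out, rule

    def translate_reply(self, reply):
        """Undo the translation for a reply packet using the connection tracking entry."""
        orig = self.conntrack.get((reply.src, reply.sport, reply.dst, reply.dport))
        if orig is None:
            return None                         # unknown connection: nothing to translate
        return Packet(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)

    def answers_arp_for(self, ip):
        """Proxy ARP: answer for interface addresses and for NAT addresses of rules with Proxy ARP on."""
        if ip in self.interface_ips:
            return True
        return any(r.proxy_arp and r.nat_address() == ip for r in self.rules)

    def mixed_nat_addresses(self):
        """NAT addresses used by both dynamic and static rules (a configuration to avoid)."""
        dyn = {r.nat_address() for r in self.rules if r.kind == "dynamic_src"}
        stat = {r.nat_address() for r in self.rules if r.kind in ("static_src", "static_dst")}
        return dyn & stat
```

Ordering matters exactly as the text says: if the /24 dynamic rule is placed above the /32 static rule for host .101, that host is translated dynamically and the static rule never matches.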
You can use static destination translation for both IP addresses and ports.

You can also define static translation for whole same-size networks at once.

In the example, a host on the Internet connects to a server on the internal network.
• The host connects to the external, public IP address (1).
• The firewall then translates the destination address to the private IP address of the server on the internal network (2).
• The server sends its response back (3), and the firewall automatically translates the source address back to the external IP address (4).

NAT – Static Destination Address Translation
▪ For destination IP addresses and ports
▪ One-to-one relation

Illustration (Internet host 129.40.1.22; firewall public IP address 212.20.1.100; protected network server 192.168.1.101):
1. Host → firewall: SRC 129.40.1.22, DEST 212.20.1.100
2. Firewall → server: SRC 129.40.1.22, DEST 192.168.1.101
3. Server → firewall: SRC 192.168.1.101, DEST 129.40.1.22
4. Firewall → host: SRC 212.20.1.100, DEST 129.40.1.22

Proxy Address Resolution Protocol (ARP) allows a device to respond to ARP requests on behalf of some other device on the network.

When network address translation is used on a firewall, the firewall is by default configured to use proxy ARP so that it can answer ARP requests for the NAT pool addresses.

Proxy ARP is enabled by default in the NAT cell of NAT rules for each translation type, although you have the option to uncheck it if necessary.

The example shows how Proxy ARP is used when a host on the Internet connects to a server on the internal network:
1. A host on the Internet sends a TCP SYN to the destination IP address 212.20.1.100, which is the public translated address of the web server in the DMZ.
2. The real address of the server is 192.168.1.101. When the HTTP packet reaches the router, the router sends out an ARP request to find out the MAC address for the IP address 212.20.1.100.
3. The firewall replies to the ARP request because Proxy ARP has been enabled for this address on the firewall.
4. The packet is then sent to the firewall, which translates the destination address to 192.168.1.101 based on the NAT rules and sends the packet to the server.

Proxy ARP and NAT

Illustration: the firewall interface eth1 has IP address 212.20.1.111 and MAC 00:00:5e:00:aa:01; the DMZ server has IP address 192.168.1.101 and public IP address 212.20.1.100. The Internet host requests http://212.20.1.100 (1); the router sends "ARP Request: Who is 212.20.1.100?" (2); the firewall answers "ARP Reply: 212.20.1.100 is at 00:00:5e:00:aa:01" (3); the packet is sent to the firewall, which performs the address translation (4).

Objective: Configure NAT rules.

NAT rules in Firewall Policy

An NGFW in the Firewall role can perform NAT (network address translation). NAT replaces the source and/or destination IP addresses in packets with other IP addresses. NAT rules are matched to allowed connections after Access rule matching.
Therefore, for a NAT rule to match, an Access rule must already have allowed the connection.

The order of NAT rules should proceed from more specific to less specific, as matching is done from top to bottom.

Defining a NAT rule with no NAT cell is valid and useful: it means no NAT is done for the matching traffic.

Note that element-based NAT rules can be defined in the properties of a Firewall. The NAT rules generated from element-based NAT definitions are not visible in the Firewall Policy and are applied after the NAT rules that you have manually added to the policy. Therefore, keep in mind that a more specific NAT rule created in the Firewall Policy may prevent traffic from matching the element-based NAT rules.

Note also that by default, NAT is disabled for connections traversing a VPN (NAT rules are completely ignored for VPN traffic). If you want the NAT rules to apply to connections traversing a VPN, enable NAT in the properties of the VPN element.

NAT Rule Configuration
▪ NAT rules in Firewall Policy
▪ Element-based NAT rules in firewall properties

The matching cells of a NAT rule define how NAT rules are matched to traffic; the NAT cell defines how the translation is done.

Knowledge check
1. Why is the order of access rules important?
2. What are the matching fields in the access rules?
3. What actions can be used in the action field of an access rule?

Answers:
1. The order of the access rules is important for efficiency, proper matching of connections, and security.
2. Matching fields include source, destination, service, time and authentication.
3. Actions in an access rule can be Allow, Discard, Refuse, Blacklist, Continue and Jump.

Knowledge check
4. What is connection tracking?
5. What types of NAT are supported by the NGFW?
6. Why would you enable proxy ARP for NAT?
7. What configuration is required to send traffic to a VPN or Proxy in an access rule?

Answers:
4. Connection tracking allows the firewall to track the state of each connection, allowing for better security and efficiency.
5. Dynamic Source NAT, Static Source NAT, and Static Destination are supported.
6. Proxy Address Resolution Protocol (ARP) allows the FW to respond to ARP requests for NAT IP addresses not assigned to FW interfaces.
7. Select the Allow action and specify the Policy-based VPN or the Proxy Server in the Allow action options.

Traffic Inspection

Course roadmap
This course contains the following modules:
1. NGFW Overview
2. SMC Overview
3. Getting Started with the SMC
4. NGFW Policies and Templates
5. Access Control and NAT
6. Traffic Inspection
7. Inspection Policy
8. Malware Detection and File Filtering
9. Alerts and Notifications
10. Users and Authentication
11. Mobile VPN and SSL VPN Portal
12. Site-to-Site VPN
13. Advanced Logging
14. Policy Tools
15. Monitoring and Reporting
16. Troubleshooting

Module objectives
After successfully completing this module, you will be able to:
▪ Explain the difference between a service, service with protocol, and proxy.
▪ Explain the enhanced access control methods.
▪ Explain different ways to control applications.
▪ List the detection methods used in the Forcepoint NGFW Inspection.
▪ Describe advanced evasion techniques (AETs) and normalization.
▪ Describe TLS Inspection.
▪ Configure Snort inspection on NGFW.
▪ List the Forcepoint and third-party products that integrate with Forcepoint NGFW.

Objective: Explain the difference between a service, service with protocol, and proxy.

This diagram gives an overview of the different means of controlling the connections handled by the NGFW engine.

The NGFW policy chapter detailed the matching criteria that the administrator can define in an Access rule. Zone matching, user identification, IP lists, Countries and DNS names allow fine granularity in the source and destination matching. The NGFW engine can work in stateful mode or proxy mode to control the connection. The default mode is the stateful mode.
The stateful mode can control the connection based on protocol-specific information, network application usage or the requested URL. The proxy mode allows additional levels of security and control.

For vulnerability and malware inspection, the traffic allowed by the Access rule must be tagged for deep inspection and matched against the Inspection Policy and the File Filtering Policy.

Connection control
▪ NGFW provides granular access control
▪ Two connection tracking modes for connection usage control:
  ▪ Stateful mode (default)
  ▪ Proxy mode

Diagram: Access Control covers geo-protection, anti-spoofing and granular access control, user identification, and connection tracking in stateful or proxy mode; Deep Inspection covers vulnerability inspection and malware inspection.
Stateful: usage control based on protocol information, application and URL filtering; protocol control and validation.
Proxy: high-assurance protocol control; no direct connections; protocol validation.

The Service elements match traffic based on protocol and port.

The Protocol elements set options for advanced inspection of traffic, and provide application-layer validation and handling of related connections.

When a Service is associated with a Protocol element, it is listed in the system as a Service with Protocol (or Protocol Agent). A Service with Protocol allows further inspection checks and advanced traffic handling. Some Protocol elements have additional options that you can set in the Service element's properties. Most of the time, you can use the default Service elements to represent standard protocols and ports. You can duplicate a predefined Protocol Agent and adjust the parameters.

Related Connection Handling
• Only for protocols that use related connections:
  • FTP with the related active and passive data connections.
  • H.323 conferencing protocol communications.
  • Microsoft RPC for Microsoft Exchange and Outlook communications.
  • NetBIOS for the Windows NetBIOS datagram services.
  • Oracle TNS protocol communications.
  • Remote Shell protocol communications.
  • SunRPC Portmapper communications.
  • TFTP file transfers.
  • SCCP.

Connection control: Service with protocol
Service with protocol:
▪ Opens related connections
▪ Validates the protocol used
▪ Modifies application data when required (NAT)
▪ Tags protocols for deep inspection

Diagram: the seven OSI layers (application, presentation, session, transport, network, data link, physical) with the Protocol Agent shown against them; Service with protocol (Protocol Agent) = Service + Protocol.

Protocol Validation

The FTP Protocol Agent can be set to strictly limit the allowed commands within the control connection to the standard commands listed in the FTP standards. If other commands are sent in the control connection, the connection is dropped.

The Oracle Protocol Agent can control the size of the Oracle TNS packets, or the location of the Listener service with respect to the database services.

The SSH Protocol Agent can ensure that the SSH handshake is performed at the beginning of an SSH connection.
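What a Service with Protocol does for FTP, shown in one added example (a constructed model, not Forcepoint code) covering the three behaviours described above: validating the commands on the control connection against a standard list and dropping the connection on a violation, opening the related data connection announced by PORT (active mode) or by the 227 reply to PASV (passive mode), and rewriting the address carried in the payload when the announcing host is behind static NAT (the NAT-related payload modification). The command list is a subset of RFC 959 plus the RFC 2428 commands, and the static NAT mapping is an assumption for the example.

```python
"""FTP Protocol Agent model (constructed example, not Forcepoint code)."""
import re

# Standard RFC 959 commands plus the RFC 2428 extensions (constructed subset).
STANDARD_COMMANDS = {
    "USER", "PASS", "ACCT", "CWD", "CDUP", "SMNT", "QUIT", "REIN", "PORT", "PASV",
    "TYPE", "STRU", "MODE", "RETR", "STOR", "STOU", "APPE", "ALLO", "REST", "RNFR",
    "RNTO", "ABOR", "DELE", "RMD", "MKD", "PWD", "LIST", "NLST", "SITE", "SYST",
    "STAT", "HELP", "NOOP", "EPRT", "EPSV",
}
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT " + _HOSTPORT + r"$")          # client, active mode
PASV_RE = re.compile(r"^227 .*\(" + _HOSTPORT + r"\)")       # server reply, passive mode


def _decode(m):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256+p2)."""
    ip = ".".join(m.group(i) for i in range(1, 5))
    return ip, int(m.group(5)) * 256 + int(m.group(6))


def _encode(ip, port):
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


class FtpProtocolAgent:
    def __init__(self, allowed=STANDARD_COMMANDS, nat=None):
        self.allowed = allowed
        self.nat = nat or {}      # private IP -> public IP (static NAT mappings, assumed)
        self.related = []         # related data connections the firewall must allow

    def client_line(self, line):
        """Validate one client command. Returns ('forward', text) or ('drop', reason)."""
        cmd = line.split(" ", 1)[0].upper()
        if cmd not in self.allowed:
            return "drop", f"non-standard command {cmd!r} on control connection"
        m = PORT_RE.match(line)
        if m:
            ip, port = _decode(m)
            public = self.nat.get(ip)
            # Active mode: the server will connect back to this address and port.
            self.related.append(("server->client", public or ip, port))
            if public:
                # The client announced its private address: rewrite the payload.
                return "forward", "PORT " + _encode(public, port)
        return "forward", line

    def server_line(self, line):
        """Inspect one server reply; return the text to forward to the client."""
        m = PASV_RE.match(line)
        if m:
            ip, port = _decode(m)
            public = self.nat.get(ip)
            # Passive mode: the client will connect to this address and port.
            self.related.append(("client->server", public or ip, port))
            if public:
                return line[:m.start(1)] + _encode(public, port) + line[m.end(6):]
        return line
```

The related-connection list is what lets the data connection through without an explicit Access rule, and the rewritten PORT/227 line is why the peer connects to the translated address rather than to an unreachable private one.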
SIP connections need to follow RFC 3261.

NAT-Related Payload Modifications

This operation is tightly associated with the related connection handling, cannot be separated from it as such, and is applied to the same protocols specified above.

In many protocols, the negotiation of related connections uses the IP addresses inside the payload. In the case of NAT, payload modifications may be needed (for example, NAT in the H.323 payload).

Tag Protocol for Deep Inspection

For all protocols.

Some types of traffic always require the use of the correct Protocol Agent to pass the firewall when the traffic is handled using stateful inspection.

Redirects connections to Content Inspection Servers (see Anti-Virus slides).

Connection control: Sidewinder proxies
▪ Proxy technologies provide an extra level of security for mission-critical services and applications
▪ Supported protocols are UDP, TCP, HTTP, HTTPS, FTP, TFTP, SSH, and DNS

Diagram: Service with proxy = Service + SSM Proxy. A customer (10.1.1.20) completes a TCP handshake (SYN, SYN/ACK, ACK) with the firewall's public interface (10.1.1.30), and the Forcepoint NGFW completes a separate TCP handshake from its private interface (192.168.10.1) to the app and web servers (true address 192.168.10.100, public alias 10.1.1.50).

You can use Sidewinder Proxies on NGFW to enforce protocol validation and to restrict the allowed parameters for each protocol. Sidewinder Proxies are primarily intended for users in high-assurance environments, such as government or financial institutions. In environments that limit access to external networks or access between networks with different security requirements, you can use Sidewinder Proxies for Data Loss Prevention.

The following Sidewinder Proxies are supported: HTTP, HTTPS, FTP, TFTP, SSH, DNS, TCP, and UDP. Sidewinder Proxies are also supported on Virtual NGFW Engines in the Firewall/VPN role.

Objective: Explain enhanced access control methods.

A Domain Name element represents all the IP addresses that belong to a particular domain name. Domain Name elements can be used in the Source and Destination cells in Access rules.

If you have entered the IP addresses of one or more DNS servers in the Firewall properties, the engine periodically queries the DNS server to automatically resolve domain names to IP addresses.

Domain Names allow you to create rules that match even when the IP address of the server changes. If the DNS server returns multiple IP addresses for the same domain name, the engine associates all the IP addresses with the domain name.

Once the DNS name is resolved to an IP address, the information is cached in the engine. The cache is updated at regular intervals.
The default update interval is six minutes. It can be customized if necessary.

Enhanced access control: domain names
▪ DNS domain names are dynamically resolved to IP addresses
▪ No need to modify the policy each time a server's IP address changes
▪ Multiple domain names can be defined per element.

Diagram: the policy upload puts the Domain Name element into the engine; the engine performs a DNS lookup against the DNS server and caches the result (video.example.com resolves to 212.100.32.101 and 212.100.32.201).

A Zone is an interface tag that can be assigned to a physical or VLAN interface, allowing you to group several firewall interfaces into one logical interface. You can use Zones to specify the receiving or sending interfaces in policies. The Zone element represents all the interfaces that belong to the Zone. All the rules that include a Zone element also apply to any new interfaces that you associate with the same Zone.

Enhanced access control: zones
▪ Match interfaces instead of IP addresses
▪ Simplify the policy structure and improve security
▪ Zones are also visible in the logs, statistics, and reports

Diagram: interfaces Eth0, Eth1 and Eth2 grouped into an Internal Zone and an External Zone, with a Remote Site connected.

Enhanced access control: geo-protection
▪ Geo-protection allows you to control network traffic based on the source or destination country.
▪ Country elements are IP address lists based on country-level geolocation information.

Country elements are IP address lists based on country-level geolocation information. They are grouped within continents.

Country elements can be used to filter traffic in Access rules, based on the source or destination country or an entire continent. They can also be used in NAT rules, Inspection rules, and File Filtering rules.

You cannot edit or create Country elements or continents. Country elements are system elements that are imported and updated when you activate new dynamic update packages.

URL filtering compares the URLs that end users attempt to access to URL categories or lists of URLs. You can use URL filtering to prevent users from accessing websites that provide content that is objectionable, potentially harmful, or not work-related. This kind of content filtering can increase network security and enforce an organization's policy on acceptable use of resources.

There are two ways to define the URLs:
• URL Category Group elements provided by Forcepoint ThreatSeeker (requires a license for the feature).
• URL List elements that you configure manually to filter specific URLs.

You can use both methods together. You can define allowed URLs manually if a URL that you want to allow is included in a category of URLs that you otherwise want to block.

Enhanced access control: URL filtering
▪ Category-based URL filtering provided by Forcepoint ThreatSeeker
  • Always the latest category information
  • Minimal memory footprint in NGFW
▪ Manual white-listing capability
▪ Custom URL lists
▪ Customizable user responses
▪ Forcepoint ThreatSeeker URL filtering is available with an add-on feature license

Diagram: the NGFW sends Web/URL categorization requests to the ThreatSeeker Cloud; example categories include Adult Materials, Bandwidth, Business and Economy, Drugs, Education, Entertainment, Government, Information Technology, News and Media, Productivity, and Religion.

The URL categorizations are provided by the external Forcepoint™ ThreatSeeker® Intelligence Cloud service. ThreatSeeker Intelligence Cloud (ThreatSeeker) provides categories for malicious websites and several categories for different types of non-malicious content you might want to filter or log. The NGFW Engine sends categorization requests to ThreatSeeker using HTTPS. URL Category Group elements contain several related URL Categories. When you use URL Category Group elements in the Access rules, the rule matches if the URL the end user is accessing is included in the group.

The engine can use the Server Name Indication (SNI) in HTTPS traffic for URL categorization without decrypting the HTTPS connection. When a web browser contacts a server to request a page using HTTPS, the browser sends the server name in an unencrypted SNI field.
However, the requested URL is not known when HTTPS connections</p><p>are not decrypted.</p><p>158 | Forcepoint NGFW 7.0 Administrator Course © 2022 Forcepoint</p><p>Endpoint Context Agent (ECA) is a Windows client application that provides endpoint</p><p>information to the Forcepoint NGFW. The endpoint information can be used to identify</p><p>users, log their actions, and control access. Forcepoint NGFW can enforce security policies</p><p>based on the information that is sent by the endpoints. The information can also be viewed</p><p>in log data and used in reports.</p><p>The main elements to use in Access Rules are the Endpoint Application elements that are</p><p>delivered through dynamic update packages. Applications can be identified by hash,</p><p>certificate, or signer, for example. You can also create custom elements.</p><p>An example use case is a point of sale (PoS) terminal. For example, you can:</p><p>• Allow a certain browser version to access the corporate intranet, only if the anti-virus</p><p>software on the endpoint is enabled and up-to-date</p><p>• Allow the PoS application to access corporate servers</p><p>• Allow the Windows Update service</p><p>• Block all other applications</p><p>Public © 2022 Forcepoint 15</p><p>Enhanced access control: Endpoint Context Agent (ECA)</p><p>▪ Endpoint Context Agent (ECA) collects the endpoint metadata and sends it to the NGFW.</p><p>▪ Provides access control and/or logging based on:</p><p>• The executable running at the endpoint</p><p>• Logged-in Windows user</p><p>• Platform attributes like OS version, anti-malware</p><p>Network</p><p>Attributes</p><p>Application</p><p>Attributes</p><p>User</p><p>Attributes</p><p>Platform</p><p>Attributes</p><p>Metadata</p><p>Endpoint Context Agent Listener</p><p>▪ NGFW receives ECA metadata on TCP port 9111</p><p>▪ Enforce ECA access policy</p><p>▪ Log ECA information</p><p>Endpoint Context Agent Client</p><p>Able to send Metadata to 1-8 NGFWs</p><p>© 2022 Forcepoint Forcepoint 
NGFW 7.0 Administrator Course | 159</p><p>Objective</p><p>Explain different ways to</p><p>control applications.</p><p>160 | Forcepoint NGFW 7.0 Administrator Course © 2022 Forcepoint</p><p>Public © 2022 Forcepoint 17</p><p>Application control: Network applications</p><p>▪ More than 7,600 predefined applications in SMC.</p><p>▪ Applications are matched against the payload in</p><p>the packets.</p><p>▪ Standard ports are used by default.</p><p>▪ Applications are classified by tag.</p><p>▪ TLS match is supported.</p><p>TLS Match</p><p>Standard</p><p>ports</p><p>Tags for classification</p><p>Network Application element</p><p>• There are many predefined Application elements available that define the criteria for</p><p>matching commonly-used applications. Applications are maintained continuously through</p><p>dynamic update packages. The standard ports are already configured in the application</p><p>element. To override the settings of a predefined Network Application, like the application</p><p>default ports, you can edit the Service Definition of the rule in which you use the Network</p><p>Application.</p><p>• The application is matched against the payload in the packets.</p><p>• Predefined TLS Match elements are used in the properties of some predefined Network</p><p>Application elements to allow the Network Application to match without decrypting the</p><p>TLS traffic.</p><p>• Tags help you to create simpler policies with less effort. Tag elements represent all</p><p>Network Application elements that are associated with that Tag. For example, the Media</p><p>Tag includes several web-based image, music, and video applications. Several Tags can</p><p>be associated with each Network Application element.</p><p>• TLS Match is supported. 
TLS Match elements can match traffic based on the following criteria:
• Whether certificate validation succeeded, failed, or was not performed.
• The server domain name in a valid certificate.
• Specific reasons a certificate is regarded as invalid if certificate validation failed.
• The domain name in the Server Name Indication (SNI) field of the TLS Client Hello packet.

Application control: IP address list
▪ Contains large lists of IP addresses
▪ Used as matching criteria in rules
▪ Custom IP address lists can be created

IP Address List elements contain large lists of IP addresses, IP address ranges, or networks that can be used to filter traffic. You can use IP Address List elements in Access rules to allow the IP addresses used by specific services such as Office 365, or to block the IPs used by Tor or other anonymous proxies. The system IP Address List elements are imported and updated when you activate new dynamic update packages. You can also create your own IP Address List elements.

Objective: List the detection methods used in the NGFW inspection.

The following general techniques are employed in the NGFW Inspection:

Misuse detection
Based on signatures of well-known attacks.
• Compares traffic to signatures and whenever a matching pattern is found, a response is triggered.
• Limitation: Any attack that does not have a specific fingerprint goes unnoticed. Also, the traffic stream may have been altered so that it cannot be compared directly with the signatures.

NGFW overview (Module 1)
providing superior performance and resiliency for demanding security applications, such as deep packet inspection and VPNs.
Note: running different versions in the cluster is not intended to be a normal operating configuration but only to allow online upgrades of a cluster.
• SD-WAN Capabilities: Multi-Link network clustering: Extends high availability coverage to network and VPN connections. Provides the confidence of consistent security that can take advantage of local broadband connections to complement or replace expensive leased lines like MPLS.

The product is built from the ground up to make protection, and the people who manage it, efficient and easy to use. We've built in flexibility and low total cost of ownership in several ways.
• Centralized Management: Configuration, real-time monitoring, logging, status information, alerts, reports, updates, and upgrades: everything you need to do to hundreds of firewalls, regardless of their physical location, happens within a central, single console. We've worked to make you efficient: automate routine tasks, reuse elements, and use shortcuts and drill-downs.
• Flexible Delivery: Forcepoint NGFW adapts to customer needs with a variety of deployment types, giving customers the ability to optimize delivery for different contexts, such as:
• Preconfigured physical appliances in branch offices where there is little expertise.
• Physical appliances at the network edge, and a virtual appliance to protect an internal data center.
• We even support MSSPs with a way to logically split an NGFW engine or cluster into up to 250 virtual firewalls with separate configurations.

Objective: Explain the differences between the operating roles.

Three operating roles
NGFW has a unified software design with 3 deployment options.
Firewall
• Layer 3 Firewall with access control, deep inspection, NAT, routing, authentication, and VPN gateway.
• Can also operate at layer 2 level with layer 2 interfaces
IPS
• Layer 2 deployed network security device which by default deep inspects traffic. Capable of L2 access control and network segmentation.
Layer 2 Firewall
• Layer 2 firewall for L2 access control and network segmentation, deep inspection

NGFW overview
Forcepoint NGFW can run in three operating modes:
• Firewall role
• IPS role
• Layer 2 Firewall role
The 3 product roles are installed from a single software component: the NGFW engine.
• The same hardware can be reinitialized and used for different product roles. The licensing includes a combined NGFW license valid for all products. All NGFW engines are managed through the SMC.
• All NGFW roles provide full packet inspection capability, application identification, and user access control.
• All NGFW roles include anti-evasion technologies that decode and normalize network traffic for inspection on all protocol layers, making traffic evasion-free and exploits detectable. Vulnerability-based fingerprints block exploits in the normalized data stream.

Forcepoint NGFW in Firewall role:
• Layer 3 access control
• Full clustering capabilities
• Routing, NAT capabilities
• Site-to-site and client-to-gateway VPN support
• Multi-Link
• Server load balancer
• Authentication
• Full inspection capability
• SSL VPN portal
• Can also operate at layer 2 level and run Layer 2 Firewall and IPS roles on dedicated Layer 2 Interfaces

Forcepoint NGFW in IPS role:
• Layer 2 and Layer 3 access control
• Full inspection
• Serial clustering support
• IDS monitoring
• Transparent mode and easy deployment (layer 2 device)

Forcepoint NGFW in Layer 2 Firewall role:
• Layer 2 and Layer 3 access control
• Limited clustering support (active/standby)
• Full inspection
• Transparent mode and easy deployment (layer 2 device)

Changing the role of an NGFW Engine requires configuring a new Firewall, IPS, or Layer 2 Firewall element in the Management Server, factory resetting the NGFW engine, and doing a new initial configuration on the engine to change its role.

IPS appliances can be equipped with fail-open network interfaces to allow the IPS to work in bypass mode.
When switching from the IPS role to the Firewall role or the Layer 2 Firewall role, the fail-open interface automatically changes to work in normal (fail-closed) mode. However, we recommend replacing the fail-open interfaces of the appliance with normal NICs in this configuration.

Objective: Describe the Forcepoint NGFW engine and appliances.

NGFW engines
▪ Engines run on an integrated, secure Linux-based operating system.
▪ Security patches are included in engine upgrades.
▪ Engines are remotely upgradeable from the SMC.
▪ Upgrades can also be performed from a USB drive.

NGFW Engine
The NGFW Engine refers to the combination of the physical device and the NGFW Engine software, including the integrated operating system, a version of Linux. It only includes the modules needed by the NGFW, and the file systems are read-only for all binaries. Unlike other systems, it is not a standard distribution that was stripped down, but instead was built from the kernel up to be nothing but the most secure platform possible.
No additional security patches are needed, as patches are included in engine upgrades. The NGFW engines are remotely upgradeable from the SMC.

NGFW appliance
Slide diagram: the appliance families placed along SOHO, Branch Office, Campus, Edge, and Data Center deployments.
• 60 (desktop): 4 interfaces; FW 2 Gbps, IPS & NGFW 350 Mbps
• 120 Series (desktop): 8 interfaces (2 POE ports) + WLAN, LTE on N120WL; FW 4 Gbps, IPS & NGFW 450 Mbps
• 300 Series (desktop): 8 interfaces + opt. 2 modules and WLAN on N335W; FW 4-7 Gbps, IPS & NGFW 350 Mbps-1 Gbps
• 1100 Series: 10 fixed interfaces, 1 interface slot; FW 50-60 Gbps, IPS & NGFW 1.5-3 Gbps
• 2100 Series: 12 fixed interfaces, 2 interface slots; FW 60-80 Gbps, IPS & NGFW 5-7.5 Gbps
• 2200 Series: 12 fixed interfaces, 1 interface slot; FW 80-120 Gbps, IPS & NGFW 5.5-13.5 Gbps
• 3400 Series: 4 fixed interfaces, 8 interface slots; FW 200-300 Gbps, IPS & NGFW 15-35 Gbps
• FW rating based on UDP 1518 throughput
• IPS / NGFW rating based on HTTP inspection with a 64 KB payload

NGFW Hardware Platforms data:
• Maximum Firewall Throughput (UDP 1518 byte): up to 300 Gbps
• NGFW Inspection Throughput (HTTP 64 kB payload): up to 35 Gbps
• VPN throughput: up to 150 Gbps with AES-GCM-256 encryption
• Virtual engines: up to 250
Visit the Forcepoint website and the Forcepoint NGFW Appliance Specifications page for further information.

Forcepoint Next Generation Firewall is available through a wide range of appliances, from home office firewalls to multi-layer NGFW-powered data center security architecture. These appliances may also be run either as NGFW, IPS, or Layer 2 Firewall engines.

The Forcepoint NGFW 60 is the most compact Forcepoint NGFW appliance. It is a full Forcepoint NGFW with full SD-WAN connectivity, advanced high-availability clustering, and strong security (IPS, anti-malware). It is ideal for stores, branches, and remote offices.

The NGFW has a Mobile VPN Client available for Windows platforms that supports both IPsec and SSL VPNs. VPN clients for macOS, Android, and Linux support SSL VPNs.
Additionally, web-based services can be remotely accessed via an SSL VPN portal. The Security Management Center is also available as an appliance. The NGFW products support native virtualization and can be deployed as virtual appliances.

Misuse detection (continued)
Traffic normalization is done by default to remove the ambiguities from the traffic before it is compared against the signatures.

Malware detection
NGFW can identify and extract files from the traffic stream for further security checks, e.g.:
• Check the file reputation by querying the Global Threat Intelligence cloud
• Do the anti-virus check by utilizing the antivirus engine
• Send the file to the Forcepoint cloud sandbox for further malware analysis against zero-day threats through dynamic sandboxing of malware and static inspection of suspect code.

NGFW inspection detection methods overview
Slide diagram (an "ATTACK" pattern hidden in a stream of bits) summarizing the detection methods:
• Misuse Detection: detecting the patterns of known attacks
• Protocol Validation: enforcing protocol standards (RFC); protection against zero-day exploits
• Traffic Anomaly Detection: deviating from "normal" traffic, e.g., statistical triggers
• Protocol Anomaly Detection: normalizing the traffic for AET prevention; stateful inspection
• Malware Detection: file reputation, antivirus, malware analysis

Protocol validation
• Checks whether traffic conforms to the protocol standards defined in the relevant Request for Comments (RFC).
• Capable of detecting new types of attacks, also known as zero-day attacks. Unfortunately, sometimes there are also legitimate products that have been designed to violate the relevant standards, either due to misinterpretation or purposely to circumvent a limitation.
• Protocol Enforcement: Prevent unwanted tunneling using, for example, the DNS port (Deny DDNS update, Deny DNS zone transfers) on open ports. Currently implemented for DNS only.

Protocol anomaly detection
• Takes into account the fact that often attacks do not actually violate the protocol specifications as such but take advantage of inaccuracies in standards.
• When IP fragmentation occurs, fragment collection, reordering, and validation must be performed to drop malformed IP fragments or overlapping data. This is done with traffic normalization.
• Reassemble TCP segments into a data stream, dropping out-of-order or overlapping TCP segments with conflicting content. This is done with traffic normalization.
• Protocol validation can also take the different states of connections into account, adding the principle of stateful inspection to the Inspection.

Objective: Describe advanced evasion techniques (AETs) and normalization.

AETs
• One of the simplest evasions is to slice the network traffic containing the exploit into pieces that are sent out of order. This takes advantage of one of the Internet's most important design elements: the ability for traffic to get split up and sent along multiple paths that could have pieces arrive out of order. The destination reassembles these pieces to recreate the original contents.
• IP fragmentation, TCP segment duplication, and compressed HTTP are evasion techniques operating at different layer levels.
• When they are combined, they become Advanced Evasion Techniques (AETs).
• Virtual patching is the process of addressing a known security vulnerability by blocking an attack vector that could exploit it. Applying a virtual patch by using NGFW or IPS inspection buys the organization time to develop, test, and install the fix to the underlying vulnerability. AETs are a problem because these attacks will bypass the "virtual patching" that NGFW or IPS inspection should provide.
• The key to being able to detect AETs is to reassemble the data stream before the inspection. This is called traffic normalization.

Advanced Evasion Techniques examples:

IP fragmentation
When IP datagrams are transmitted over a link where the maximum transfer unit is smaller than the datagram, the datagram must be split into several IP fragments. A well-known evasion method used in the IP layer is to fragment the IP datagram and send the fragments out of order.

Advanced evasion techniques (AETs)
▪ Any technique used to hide an attack and bypass security detection
▪ An attack against a vulnerability hidden in fragmented IP packets is an example
▪ AETs are a problem because of "virtual patching"
Slide diagram: the payload A1 T2 T3 A4 C5 K6 is sent from the Internet as out-of-order TCP segments (T3 A4 A1 T2 C5 K6); traditional packet-based inspection sees only scattered bytes, while the destination server reassembles the TCP segments and the malware is recreated.

Imagine that you break the Conficker worm into two fragments and send them through the network security device, waiting ten seconds between the fragments. Amazingly, if this is done, many network security devices do not detect the Conficker worm. What happened?
Well, network security devices must be able to handle millions of connections every second. This leads to the limitation that they can only keep some of those connections in memory. The inspected traffic is normally kept in memory for about seven seconds. In the Conficker example, two fragments are sent ten seconds apart. So, between one and seven seconds the network security device knows that it has seen the first part of the Conficker worm and it is waiting to see the second part. The whole Conficker worm will then be matched against the detection fingerprint and the device will stop the traffic. But after seven seconds, the memory section for this connection is renewed and the network security device does not remember seeing the first part of Conficker anymore. So, the second part of Conficker enters the network security device and the device allows it to pass. Now both parts of the Conficker worm are through and can exploit the target device.

Out-of-order or overlapping TCP segments
Once a TCP connection is established, each endpoint may write data to the stream, and the other endpoint will receive it. TCP wraps the stream data into TCP segments, which are transmitted as IP datagrams. TCP segments may arrive at the endpoint out of order, and duplicates are also possible. TCP evasions are based on sending TCP segments out of order or on overlapping TCP segments with conflicting content.

Compressed HTTP
Attacks can be hidden in compressed HTTP data if the data are not decompressed before inspection.

The NGFW analyzes data as a normalized stream rather than as single or combined packets. The data stream is passed on for inspection, in which the vulnerability-based fingerprints detect exploits.
In the lower protocol layers, the NGFW makes sure that there is a unique way to reconstruct the data stream. The NGFW passes well-formed IP fragments and TCP segments with minimum or no modification. However, fragments or segments with conflicting and overlapping data are dropped. This normalization ensures that there is a unique way to interpret the network traffic passing through the NGFW.
The actual data stream can now be reassembled for inspection in the upper layers.
Using the Advanced Evasion Techniques examples, we will now explain how the NGFW, through traffic normalization, manages to block these attacks:

IP fragmentation
The NGFW collects the fragments, reorders them, and forms a complete IP datagram to validate before performing inspection. No fragments are passed through without successful IP datagram reassembly. Malformed IP fragments and overlapping IP fragments with conflicting data are detected and dropped.

Traffic normalization and advanced evasion prevention
▪ NGFW inspection process for advanced evasion prevention
Slide diagram: the evasion (T3 A4 A1 T2 C5 K6) enters from the Internet; (1) multilayer normalization of handshake, headers, and data restores A1 T2 T3 A4 C5 K6; (2) data stream-based inspection; (3) vulnerability/exploit detection, before the stream reaches the server.

Compressed HTTP
If the HTTP data is compressed in the client stream, the NGFW decompresses it before fingerprinting.

TCP stream reassembly
• NGFW inspects the actual data stream transmitted within a TCP connection instead of the TCP packets or segments. Therefore, NGFW assembles the TCP segments into a data stream before inspecting data content.
• TCP segments are buffered until the destination endpoint has acknowledged them.
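The following added example, not Forcepoint code, contrasts packet-based matching with matching on a normalized stream for the slide's A1 T2 T3 A4 C5 K6 payload, a consistent retransmission, an overlap with conflicting content, and a gzip-compressed HTTP body; the segments, the signature, and the payload are constructed for illustration:

```python
"""Packet-based vs stream-based matching of out-of-order, overlapping and
compressed TCP/HTTP data.  Added example, not Forcepoint code: the segments,
the 'ATTACK' payload and the signature are constructed for illustration."""
import gzip
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SIGNATURE = b"ATTACK"  # constructed stand-in for a vulnerability fingerprint


@dataclass
class Segment:
    seq: int     # relative sequence number of the first byte
    data: bytes


def packet_based_match(segments: List[Segment]) -> bool:
    """Traditional inspection: each segment is compared to the signature alone."""
    return any(SIGNATURE in s.data for s in segments)


@dataclass
class StreamNormalizer:
    """Reassembles a TCP stream the way the text describes: segments are held
    until they are contiguous, a duplicate that repeats known bytes is ignored,
    and an overlap whose bytes conflict with what was already seen is dropped,
    so there is exactly one way to interpret the stream."""
    next_seq: int = 0
    pending: Dict[int, bytes] = field(default_factory=dict)
    stream: bytearray = field(default_factory=bytearray)
    dropped: List[Tuple[int, str]] = field(default_factory=list)

    def _conflicts(self, seg: Segment) -> bool:
        end = seg.seq + len(seg.data)
        # ...against bytes already handed to inspection
        lo, hi = max(seg.seq, 0), min(end, self.next_seq)
        if lo < hi and self.stream[lo:hi] != seg.data[lo - seg.seq:hi - seg.seq]:
            return True
        # ...against segments still waiting in the buffer
        for bseq, bdata in self.pending.items():
            lo, hi = max(seg.seq, bseq), min(end, bseq + len(bdata))
            if lo < hi and bdata[lo - bseq:hi - bseq] != seg.data[lo - seg.seq:hi - seg.seq]:
                return True
        return False

    def feed(self, seg: Segment) -> None:
        if self._conflicts(seg):
            self.dropped.append((seg.seq, "overlap with conflicting content"))
            return
        if seg.seq + len(seg.data) <= self.next_seq:
            return  # repeats bytes already delivered: harmless duplicate
        if len(seg.data) > len(self.pending.get(seg.seq, b"")):
            self.pending[seg.seq] = seg.data  # keep the longest consistent copy
        self._deliver()

    def _deliver(self) -> None:
        """Move every byte that is now contiguous into the inspected stream."""
        while True:
            ready = [s for s in self.pending if s <= self.next_seq]
            if not ready:
                return
            bseq = min(ready)
            bdata = self.pending.pop(bseq)
            if bseq + len(bdata) > self.next_seq:
                self.stream += bdata[self.next_seq - bseq:]
                self.next_seq = bseq + len(bdata)


def stream_based_match(segments: List[Segment]) -> Tuple[bool, List[Tuple[int, str]]]:
    """Normalize first, then match the signature on the reassembled stream."""
    norm = StreamNormalizer()
    for seg in segments:
        norm.feed(seg)
    return SIGNATURE in bytes(norm.stream), norm.dropped


def http_body_for_inspection(body: bytes, content_encoding: Optional[str]) -> bytes:
    """Compressed HTTP: decompress before fingerprinting; matching the raw
    compressed bytes would miss the signature."""
    return gzip.decompress(body) if content_encoding == "gzip" else body


# Constructed traffic.  Slide example: "ATTACK" in six one-byte segments sent
# as T3 A4 A1 T2 C5 K6 (relative seq 2, 3, 0, 1, 4, 5).
IN_ORDER = [Segment(i, bytes([c])) for i, c in enumerate(SIGNATURE)]
OUT_OF_ORDER = [IN_ORDER[i] for i in (2, 3, 0, 1, 4, 5)]
# A genuine retransmission repeats the same bytes: passes.
CONSISTENT_OVERLAP = [Segment(0, b"ATT"), Segment(1, b"TTA"), Segment(4, b"CK")]
# An overlap that re-sends seq 2 with different content: dropped.
CONFLICTING_OVERLAP = [Segment(0, b"AT"), Segment(2, b"X"), Segment(2, b"TACK")]
COMPRESSED_BODY = gzip.compress(b"name=ATTACK&submit=1")

if __name__ == "__main__":
    print("packet-based, out of order:", packet_based_match(OUT_OF_ORDER))
    print("stream-based, out of order:", stream_based_match(OUT_OF_ORDER))
    print("conflicting overlap:", stream_based_match(CONFLICTING_OVERLAP))
    print("gzip body:", SIGNATURE in http_body_for_inspection(COMPRESSED_BODY, "gzip"))
```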
Buffering until acknowledgement protects the network against evasions that are based on sending TCP segments out of order or on overlapping TCP segments with conflicting content.

Objective: Describe TLS inspection.

TLS inspection allows you to decrypt TLS connections so that they can be inspected for malicious traffic. The TLS inspection feature decrypts TLS traffic so that it can be inspected in the same way as unencrypted traffic, and then re-encrypts the traffic before sending it to its destination. The TLS inspection feature can be used in the following ways:
• Client protection allows you to inspect outgoing TLS connections initiated by users in the protected network.
• Server protection allows you to inspect incoming TLS connections to servers in the protected network.
You can use client protection alone, server protection alone, or client and server protection together.

Benefits of Client Protection
• Protects internal workstations from malicious web servers.
• Data loss prevention: confidential data disclosure, intellectual property data breaches
• Regulatory requirements
• Apply web filtering to HTTPS when combined with category-based web filtering

Benefits of Server-side Protection
• Protects web services from being compromised by unauthorized users.
• Data loss prevention.
• Meet the PCI DSS requirements to ensure the safe handling of cardholder information
• Non-regulatory drivers (contractual obligations, customer perception of bad publicity).

TLS inspection
Inspects SSL/TLS-based traffic to detect and react to any unwanted content
▪ TLS Inspection for Client-side protection
• Protect internal workstations from malicious Web servers
▪ TLS Inspection for Server-side protection
• Protect internal servers from malicious external clients
▪ Specific traffic can be excluded from decryption
Slide diagram: for client-side protection, SSL decryption and inspection at the organization boundary sits between an internal client and an infected server on the Internet; for server-side protection, it sits between an infected client on the Internet and the servers in the DMZ and internal network.

Objective: Configure Snort Inspection on Forcepoint NGFW.

Snort Integration
Overview
▪ Snort is a long-established and well-respected open-source intrusion detection system (IDS)
▪ It utilizes a ruleset format that has been widely adopted for the distribution of attack signatures from public and private sources.
▪ The Snort ruleset format is different from, and not directly compatible with, the format of Forcepoint NGFW Deep Inspection signatures.
▪ A Snort engine running in NGFW will inspect the traffic based on rules.
▪ Since the 6.10 release, it is possible to integrate Snort inspection in the NGFW so that either or both types of inspection can be performed.
Slide diagram of NGFW packet processing with the stages Access Control, Snort Inspection, NGFW Inspection, File Filtering, and NAT; Snort and NGFW Inspection can be activated separately.

There is a large number of available Snort signatures. The NGFW engine includes a Snort engine so that administrators can take advantage of these with their NGFWs.

In the zip file, there must be a file named "snort.conf" in the root directory of the zip file.
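The zip-layout rules for the Snort configuration (snort.conf at the zip root, includes relative to the root, "/etc/snort" resolving to the root, and the engine-properties zip overriding the global one for the same path) are modelled in the following added example. It is not Forcepoint code; the zip contents, the variable names, and the rule files are constructed:

```python
"""Merge the global and engine-specific Snort configuration zips and check
that every include resolves inside them.

Added example, not Forcepoint code: the zip contents, the variable names and
the rule files are constructed; the rules modelled are the ones the course
states (snort.conf at the zip root, includes relative to the root, "/etc/snort"
mapped to the root, engine zip overriding the global zip on the same path)."""
import io
import posixpath
import zipfile
from typing import Dict, List, Optional, Tuple


def make_zip(files: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {path: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()


def read_zip(blob: bytes) -> Dict[str, bytes]:
    """{zip-root-relative path: content}, directory entries skipped."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {n: zf.read(n) for n in zf.namelist() if not n.endswith("/")}


def merge_configs(global_zip: Optional[bytes], engine_zip: Optional[bytes]) -> Dict[str, bytes]:
    """Union of both zips; on the same path the engine-properties (local) copy
    overrides the global one.  Rejects a configuration without snort.conf at
    the root, which the course states is required."""
    merged: Dict[str, bytes] = {}
    if global_zip is not None:
        merged.update(read_zip(global_zip))
    if engine_zip is not None:
        merged.update(read_zip(engine_zip))  # local wins on conflict
    if "snort.conf" not in merged:
        raise ValueError('no "snort.conf" in the root directory of the zip')
    return merged


def resolve_path(ref: str, base_dir: str = "") -> str:
    """Map a path as written in a config file to a zip-root-relative path:
    "/etc/snort/..." resolves to the zip root, anything else resolves against
    the directory of the file that references it."""
    if ref == "/etc/snort" or ref.startswith("/etc/snort/"):
        ref, base_dir = ref[len("/etc/snort/"):], ""
    path = posixpath.normpath(posixpath.join(base_dir, ref)).lstrip("/")
    return "" if path == "." else path


def check_includes(files: Dict[str, bytes], conf: str = "snort.conf") -> Tuple[List[str], List[str]]:
    """Follow the 'var'/'ipvar'/'portvar' and 'include' lines of a Snort config
    (nested includes too) and report which include targets exist in the merged
    zip and which are missing: a check worth running before importing the zip."""
    found: List[str] = []
    missing: List[str] = []
    variables: Dict[str, str] = {}
    seen = set()

    def walk(path: str) -> None:
        if path in seen:
            return
        seen.add(path)
        base_dir = posixpath.dirname(path)
        for line in files[path].decode("utf-8", "replace").splitlines():
            parts = line.split()
            if len(parts) >= 3 and parts[0] in ("var", "ipvar", "portvar"):
                variables[parts[1]] = parts[2]
            elif len(parts) >= 2 and parts[0] == "include":
                ref = parts[1]
                for name, value in variables.items():
                    ref = ref.replace("$" + name, value)
                target = resolve_path(ref, base_dir)
                if target in files:
                    found.append(target)
                    walk(target)
                else:
                    missing.append(target)

    walk(conf)
    return found, missing


# Constructed zips: the global zip carries the shared configuration and a
# placeholder local.rules; the engine zip overrides only local.rules.
GLOBAL_ZIP = make_zip({
    "snort.conf": b"var RULE_PATH /etc/snort/rules\n"
                  b"include $RULE_PATH/shared.rules\n"
                  b"include $RULE_PATH/local.rules\n"
                  b"include classification.config\n",
    "rules/shared.rules": b"# shared rules (global)\n",
    "rules/local.rules": b"# placeholder, overridden per engine\n",
    "classification.config": b"# classification config\n",
})
ENGINE_ZIP = make_zip({"rules/local.rules": b"# engine-specific local rules\n"})
# An engine-only zip whose snort.conf includes a file nobody packaged.
ENGINE_ONLY_ZIP = make_zip({"snort.conf": b"var RULE_PATH rules\ninclude $RULE_PATH/extra.rules\n"})

if __name__ == "__main__":
    merged = merge_configs(GLOBAL_ZIP, ENGINE_ZIP)
    print(merged["rules/local.rules"])                           # the engine copy
    print(check_includes(merged))                                # nothing missing
    print(check_includes(merge_configs(None, ENGINE_ONLY_ZIP)))  # extra.rules missing
```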
This</p><p>file may reference other config files with paths relative to the zip root.</p><p>For convenience, when a location “/etc/snort” occurs in a config file, it is automatically</p><p>resolved to the zip root.</p><p>A snort zip file can be uploaded to either location, or both. When present, both will be</p><p>uploaded to an engine. When there is a file with the same path in both zip files, the one</p><p>from the engine properties (the local configuration) will be used.</p><p>Put shared resources in the global properties and engine specific files in the engine</p><p>properties zip.</p><p>If all the engines can use the same snort configuration, you can just use the one zip file and</p><p>configure it in the global properties.</p><p>Public © 2022 Forcepoint 31</p><p>Configuring Snort</p><p>1. Enable Snort in Add-ons in engine properties</p><p>2. Zip your Snort Configuration</p><p>3. Import the zip file to the SMC</p><p>• Option 1: In Engine properties add-on section</p><p>• Option 2: in Global properties</p><p>4. Create access rules to match the traffic you want to inspect</p><p>• Enable Snort in the action options</p><p>5. Verify successful configuration through log messages during policy load and upon successful rule</p><p>matching</p><p>© 2022 Forcepoint Forcepoint NGFW 7.0 Administrator Course | 175</p><p>Limitations of Snort Inspection</p><p>Snort inspection is not supported on Master NGFW engines and Virtual NGFW Engines.</p><p>Snort inspection is not supported on capture interfaces.</p><p>Snort inspection is supported on VLAN interfaces, but the rules are applied to the traffic</p><p>regardless of the VLAN tag. 
It is not possible to differentiate traffic from different VLANs.
If you use Logical Interfaces that have overlapping IP address spaces as matching criteria in IPS or L2FW Access rules that select traffic for Snort inspection, traffic might not match Snort rules as intended.
We do not recommend using services that match based on the payload of connections, such as Network Applications, URL Categories, or URL List Applications, in Access rules that select traffic for Snort inspection.
Snort inspection cannot be applied to traffic that has been decrypted for TLS inspection.
If Snort inspection fails, the traffic is allowed by default.
NGFW Engines do not receive automatic updates for Snort rule sets. When new Snort rule sets are available, you must import new Snort configuration files and refresh the policy on the NGFW Engine to start using the new Snort rule sets.

Objective: List the Forcepoint and third-party products that integrate with Forcepoint NGFW.

NGFW integrates with other Forcepoint security products and third-party products:
• Forcepoint Cloud Security Gateway: The Forcepoint Cloud Security Gateway is a cloud-based web security proxy service. The NGFW can redirect web traffic to the Cloud for inspection.
The traffic is inspected in the cloud and transparently forwarded to the destination.
• Advanced Malware Detection: The NGFW can use the file reputation scans in a cloud sandbox to detect advanced threats.
• Forcepoint URL Filtering: The NGFW's category-based web filtering now uses URL categories provided by the Forcepoint ThreatSeeker Intelligence Cloud.
• McAfee Anti-Malware: The NGFW uses McAfee Anti-Malware to compare network traffic against an anti-malware database to search for malware. If malware is found, the traffic is stopped, or the content is stripped out.
• McAfee Global Threat Intelligence (GTI): The Forcepoint NGFW integrates with McAfee Global Threat Intelligence file reputation services and allows access control based on the file reputation.
• SIEM Integration: SMC provides predefined log forwarding formats to facilitate the integration with FBA (Forcepoint Behavioral Analytics) and third-party SIEM systems supporting the following formats: McAfee ESM, ArcSight (CEF), Q1Labs (LEEF), RSA enVision, NetFlow, IPFIX, Kafka (Splunk).
• Data Loss Prevention: Forcepoint NGFW integrates with ICAP servers to provide DLP scanning in the File Filtering Policy for outbound file transfers.

Forcepoint integration
▪ Out-of-the-box integrations with other Forcepoint security products and third-party products
▪ Advanced malware detection capabilities
▪ Better use of network security resources
▪ Easy extension of NGFW to zero-day malware protection
Slide diagram: the NGFW surrounded by its integrations: File Reputation (McAfee GTI), SIEM, Forcepoint Cloud Security Gateway, Forcepoint URL Filtering (ThreatSeeker), Forcepoint Endpoint Context Agent, Anti-Malware, Advanced Malware Detection, Forcepoint FBA, and Data Loss Prevention.
Supported third-party SIEM systems/formats:
• McAfee ESM
• ArcSight (CEF)
• Q1Labs (LEEF)
• RSA enVision
• NetFlow
• IPFIX
• Splunk Kafka

• Forcepoint Cloud Security Gateway is a cloud-based web security proxy service.
• Forcepoint NGFW can redirect web traffic to the Forcepoint Cloud Security Gateway for inspection. The traffic is inspected in the Forcepoint Cloud Security Gateway and forwarded to the destination.
• Redirection of web traffic is done transparently and configured in the access rule. The "forward to proxy" allow action option must be selected and the proxy server configured with Forcepoint Cloud Security Gateway settings.
• Forcepoint NGFW redirects web traffic to the Cloud Security Gateway using the "Easy Connect" proxy redirection features or using a predefined policy-based VPN.
• To use the Forcepoint Cloud Security Gateway to inspect web traffic, you must have a subscription to the Forcepoint Cloud Security Gateway service.

Forcepoint Cloud Security Gateway integration
NGFW transparently redirects HTTP and HTTPS traffic to Forcepoint Cloud Security Gateway
▪ Easy to deploy SaaS security anywhere workers are
▪ URL filtering, integrated DLP, file sandbox, and threat intelligence from Forcepoint Cloud Security Gateway
▪ Signature-less, behavior analysis detection for advanced threats
▪ Connection established to the geographically closest entry point in the cloud
▪ High availability
▪ Simple setup with the "Easy Connect" deployment
▪ Subscription to the Forcepoint Cloud Security Gateway service is required
Slide diagram: headquarters, remote office, and mobile users send web traffic to the Cloud Security Gateway, while other traffic goes directly to the Internet.

Knowledge check
1. Give an example of when you would use a Service with Protocol.
2. What settings are included in the Application element?
Answers:
1. An example of Service with Protocol use would be for MSRPC to allow for opening dynamic TCP high ports.
2. Default ports, protocols, and TLS matches can be specified in Application elements.

Knowledge check
3. What are the benefits of TLS Inspection for server protection and client protection?
4. List the Forcepoint products that integrate with the NGFW.
Answers:
3. Server protection allows you to inspect incoming TLS connections to internal servers in the protected network. Client protection allows you to inspect outgoing TLS connections initiated by users in the protected network.
4. Cloud Security Gateway, URL Filtering, Advanced Malware Detection, Forcepoint Behavior Analysis, Data Loss Prevention

Inspection Policies

Course roadmap
This course contains the following modules:
1. NGFW overview
2. SMC overview
3. Getting started with the SMC
4. NGFW policies and templates
5. Access control and NAT
6. Traffic inspection
7. Inspection policies
8. Malware detection and file filtering
9. Alerts and notifications
10. Users and authentication
11. Mobile VPN and SSL VPN portal
12. Site-to-site VPN
13. Advanced logging
14. Policy tools
15. Monitoring and reporting
16. Troubleshooting

Module objectives
After successfully completing this module, you will be able to:
▪ Explain how to send traffic for deep packet inspection.
▪ Describe Situations and how to use them.
▪ Define the different types of rules in the inspection policy.
▪ Tune an inspection policy.

Objective: Send traffic for deep packet inspection.

The diagram on the left-hand side gives an overview of the different means of controlling and inspecting the connections handled by the NGFW engine. It is important to keep in mind that activating protection levels on the NGFW engine to perform deeper packet inspection in the IP packet will have consequences on the resource consumption and the throughput of the NGFW engine. Therefore, it is important to determine the traffic you want to send to deep inspection for vulnerability and malware inspection. Performing file reputation and malware analysis on external dedicated components like the cloud sandbox will also save resources on the NGFW engine and preserve performance.

After the traffic is filtered and connections are controlled at the access control level, the allowed traffic can be sent for deep inspection for vulnerability inspection and malware detection. Before the inspection is performed, this traffic is normalized to prevent attacks using advanced evasion techniques (AETs). Attacks that exploit known vulnerabilities and botnet activity are detected by the rules of the inspection policy.
Malware detection is managed by the file filtering policy, and several scan options can be activated: file filtering, file reputation, anti-malware scanning and sandbox analysis.</p>
<p>Inspection architecture</p>
<p>Slide diagram: dynamic stream inspection (per-connection analysis, policy-driven, high performance) with protocol normalization (packet reassembly, decryption, evasion disruption) in front of five stages. Stages 1 to 3 are access control and stages 4 and 5 are deep inspection; the slide labels high-volume threats and targeted, advanced threats.</p>
<p>1. Usage controls: by user, URL, application (network & endpoint)</p>
<p>2. Connection controls: anti-spoofing, IP reputation, geo-protection, invalid connections</p>
<p>3. Command controls: whitelists for app versions & commands; proxies to prevent direct connections</p>
<p>4. Vulnerability inspection: exploit & anomaly detection, anti-botnet</p>
<p>5. Malware inspection: file filtering & reputation, antimalware scanning, sandboxing</p>
<p>Access control on the NGFW was configured to allow traffic from the external network to a web server in our DMZ. In this example, only access control (and not deep inspection) is being used.</p>
<p>Without any inspection enabled, the Firewall only looks at the IP addresses and ports and sees that a connection is opened to the HTTP port (TCP/80). This traffic is permitted to accomplish the goal of allowing external access to the web server.</p>
<p>As a malicious client interacts with our web server, they submit a string (perhaps in a comment form or similar posting) like the one on the slide. If the server is not properly patched, the malicious string would cause a command shell to be opened, giving the attacker a way to run commands on the server. This compromises the server and could be used to gain access to other resources on our internal network.</p>
<p>Deep packet inspection</p>
<p>Slide diagram: firewall allowing HTTP traffic (TCP/80) to a web server in the DMZ.</p>
<p>▪ TCP connection to port 80</p>
<p>▪ GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ (Attack)</p>
<p>▪ Opens a shell on the web server.</p>
<p>With deep packet inspection activated, Forcepoint NGFW examines the content of the traffic (the data and the header part of a packet as it passes through the NGFW). The HTTP traffic is matched against the inspection policy, which detects the transfer of the malicious string and drops the connection.</p>
<p>In the next slide, based on this example, we will review how to configure deep packet inspection on the NGFW.</p>
<p>Deep packet inspection</p>
<p>Slide diagram: the same connection passing through NGFW deep packet inspection before reaching the web server in the DMZ.</p>
<p>Forcepoint NGFW provides full deep inspection functionality, and this is included in the NGFW license.
System fingerprint situations correspond to known exploits.</p>
<p>• They are provided through dynamic updates.</p>
<p>• Detailed information is provided for each fingerprint match.</p>
<p>• A situation and vulnerability description is attached to each system fingerprint situation.</p>
<p>System fingerprints are regular expression-based fingerprints, and custom fingerprints can be created.</p>
<p>NGFW deep packet inspection</p>
<p>▪ NGFW provides full deep inspection functionality in all roles</p>
<p>• Protocol validation</p>
<p>• System fingerprints for known exploits</p>
<p>▪ Included in the NGFW license</p>
<p>▪ Support for custom fingerprints</p>
<p>• Regular expression-based fingerprints</p>
<p>Slide diagram: Internet, Intranet, Data Services.</p>
<p>Access control rules control what network traffic goes to deep inspection; the inspection itself is done according to the inspection policy referenced by the firewall policy. Traffic is inspected as the protocol that is attached to the service element in the rule. You enable deep inspection for a specific rule in the options available in the action cell.</p>
<p>Inspection policies examine the packet payload throughout whole connections and act at the point when something threatening is discovered.</p>
<p>
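To make the normalization step concrete, here is an added example (not Forcepoint code and not the engine's implementation) that canonicalizes the request path from the deep packet inspection slide above: it percent-decodes the path, replaces overlong UTF-8 forms such as %c0%af with the ASCII byte they denote and resolves the path, and only then applies a regular-expression fingerprint and a traversal check. The situation names and request lines are constructed, and the decoding is deliberately simplified (one percent-decoding pass, two- and three-byte overlong forms only).

```python
"""Normalization before fingerprint matching, modelled on the DPI example above.
Added example, not Forcepoint code: situation names are constructed and the
decoding is simplified (one percent-decoding pass; 2- and 3-byte overlong
UTF-8 forms only)."""
from __future__ import annotations
import re

# Constructed names in the style of system fingerprint situations; the regular
# expression is applied to the resolved request path, not to the raw bytes.
REGEX_FINGERPRINTS = [
    ("HTTP_CS-Cmd-Exe-Request (constructed)", re.compile(rb"/cmd\.exe$", re.IGNORECASE)),
]
TRAVERSAL_SITUATION = "HTTP_CS-Path-Above-Web-Root (constructed)"


def percent_decode(raw: bytes) -> bytes:
    """Decode %XX escapes once; malformed escapes are kept literally."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == 0x25 and i + 2 < len(raw):
            try:
                out.append(int(raw[i + 1:i + 3], 16))
                i += 3
                continue
            except ValueError:
                pass
        out.append(raw[i])
        i += 1
    return bytes(out)


def decode_overlong_utf8(b: bytes) -> bytes:
    """Replace overlong UTF-8 encodings of ASCII (e.g. C0 AF for '/') by the
    ASCII byte they denote. Well-formed multi-byte sequences are left alone."""
    out, i = bytearray(), 0
    while i < len(b):
        lead = b[i]
        n = 2 if 0xC0 <= lead <= 0xDF else 3 if 0xE0 <= lead <= 0xEF else 0
        tail = b[i + 1:i + n] if n else b""
        if n and len(tail) == n - 1 and all(0x80 <= x <= 0xBF for x in tail):
            cp = lead & (0x1F if n == 2 else 0x0F)
            for x in tail:
                cp = (cp << 6) | (x & 0x3F)
            if cp < 0x80:          # overlong: the canonical form is the single ASCII byte
                out.append(cp)
                i += n
                continue
        out.append(lead)
        i += 1
    return bytes(out)


def resolve_path(path: bytes) -> tuple[bytes, int]:
    """Resolve '.' and '..' segments. Returns the resolved path and the lowest
    depth reached relative to the web root (negative: the request climbed
    above the root)."""
    segments, depth, lowest = [], 0, 0
    for seg in path.split(b"/"):
        if seg in (b"", b"."):
            continue
        if seg == b"..":
            depth -= 1
            lowest = min(lowest, depth)
            if segments:
                segments.pop()
        else:
            depth += 1
            segments.append(seg)
    return b"/" + b"/".join(segments), lowest


def canonicalize(target: bytes) -> bytes:
    """Path part of a request target after percent and overlong decoding."""
    path = target.split(b"?", 1)[0]
    return decode_overlong_utf8(percent_decode(path))


def inspect_request_line(line: bytes) -> list[str]:
    """Return the (constructed) situations matching an HTTP request line."""
    parts = line.split()
    if len(parts) < 2:
        return []
    resolved, lowest = resolve_path(canonicalize(parts[1]))
    hits = [TRAVERSAL_SITUATION] if lowest < 0 else []
    hits += [name for name, rx in REGEX_FINGERPRINTS if rx.search(resolved)]
    return hits
```

Resolving the raw, undecoded path never goes above the root, because `..%c0%af..` is a single opaque segment; only the canonical form reveals the traversal.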
</p>
<p>Patterns may trigger immediate responses or just be recorded.</p>
<p>The SMC contains predefined inspection policies that provide an easy starting point for determining what kinds of rules your system needs.</p>
<p>Deep packet inspection configuration</p>
<p>▪ Access rules control what network traffic goes to deep inspection.</p>
<p>▪ Inspection is enabled in the options of an allow or continue action.</p>
<p>▪ Inspection-specific configuration is done in the inspection policy.</p>
<p>The Firewall Inspection Template for the Firewall role is based on the Firewall Template. It uses the inspection rules defined in the High-Security Inspection Policy. The Firewall Inspection Template enables deep inspection for all traffic.</p>
<p>The Firewall Inspection Template provides an easy starting point if you want to use the deep inspection capability of the Next Generation Firewall.</p>
<p>Using the Firewall Inspection Template for your firewall policy allows you to easily configure your Firewall to enforce or deactivate traffic inspection. Using your own templates or policy, you can fine-tune which parts of the permitted traffic you want to inspect and which inspection policy you want to enforce.</p>
<p>Firewall inspection template</p>
<p>▪ The Firewall Inspection Template enables deep inspection for all traffic and defaults to the High-Security Inspection Policy.</p>
<p>Slide diagram: access control + deep packet inspection. NGFW policy, based on the Firewall Inspection Template, which references the High-Security Inspection Policy.</p>
<p>In order to highlight the difference between a Firewall Template and the NGFW inspection templates, we will use the Firewall Inspection Template as an example.</p>
<p>For the IPS role, the IPS Template enables deep inspection by default for all supported protocols (with continue rules), and it can be disabled for a specific rule if necessary.</p>
<p>IPv4 access rules</p>
<p>A Firewall Template contains the automatic access rules necessary for the firewall to communicate with the SMC, and it denies all other traffic.</p>
<p>In the Firewall Inspection Template, deep inspection is enabled by default for all supported protocols with continue rules.
The inspected traffic is matched against the High-Security Inspection Policy.</p>
<p>If your policy inherits from the Firewall Inspection Template, you can disable deep inspection for specific traffic, if necessary, by creating a rule that overrides the continue rule settings.</p>
<p>In a similar way, the IPv6 access rules enable deep inspection for all supported IPv6 protocols with continue rules. The protocols to be deep inspected are matched against the High-Security Inspection Policy.</p>
<p>NGFW inspection templates</p>
<p>Slide diagram: rules inherited from the Firewall Template, with deep inspection on; the inspection policy directs traffic to the inspection rules.</p>
<p>The most common way to introduce inspection is to start with a predefined inspection policy. Tuning the policy is important, since a general policy that is meant to work in all environments is not necessarily suited to your network. A tuning period is needed to activate and deactivate inspection checks based on the findings and your needs.</p>
<p>There are three predefined inspection policies:</p>
<p>1. Highest-Security Inspection Policy: An inspection policy with a set of inspection rules for detecting all identified threats. The Highest-Security Inspection Policy terminates all suspected threats. The Highest-Security Inspection Policy is suitable for firewall deployments in which maximum inspection coverage and evasion protection are required. The risk of false positives is significant in production use. The Highest-Security Inspection Policy terminates a connection if the security engine cannot see the whole connection.</p>
<p>2. High-Security Inspection Policy: An inspection policy with a set of inspection rules for detecting common threats. The High-Security Inspection Policy is suitable for firewall deployments in which extended inspection coverage and strong evasion protection are required. The risk of false positives is moderate in production use. The High-Security Inspection Policy terminates a connection if the security engine cannot see the whole connection. You should use the High-Security Inspection Policy as the starting point for your inspection policies.</p>
<p>Predefined inspection policies</p>
<p>Slide diagram: Highest-Security, High-Security and Medium-Security Inspection Templates.</p>
<p>3. Medium-Security Inspection Policy: An inspection policy with a set of inspection rules for detecting common threats. The risk of false positives is low in production use. The Medium-Security Inspection Policy is also designed to work in networks where asymmetric routing exists and cannot immediately be corrected.</p>
<p>If you want to deactivate inspection, you can select the predefined No Inspection Policy in your firewall policy.</p>
<p>Objective: Describe Forcepoint NGFW situations and how to use them.</p>
<p>Situations are the central element in inspection policies.</p>
<p>Situations are elements that provide a way to define which traffic patterns and events you want to detect in your system with the inspection policy.</p>
<p>The patterns and events are defined by selecting a context for the situation.</p>
<p>• Context: The context binds the situation to a certain type of traffic (protocol, direction of stream) and gives you a set of options or a field for entering a regular expression. The context provides a framework for defining the parameters of each situation. The parameters are entered as a regular expression or through a set of fields and options that you can adjust, depending on the context element selected.</p>
<p>• Tags: Situations have their own grouping system called tags. Tag elements can be used in policies to represent all situations that are associated with that tag. For example, using the tag “Windows” in a rule means that the rule matches all the situations that concern Windows systems. Tags help you create simpler policies with less effort.</p>
<p>• Vulnerability: Associates the situation with a commonly known vulnerability reference from public vulnerability databases (shown in the Logs view if a match is found).</p>
<p>• Type: Based on the situation type, the matching situation can be either terminated, permitted with a stored log entry, or not inspected (Traffic Identification) by the default system template rules.</p>
<p>Situation concept</p>
<p>Situations: a way of defining traffic patterns and events to be matched in the Inspection Policy.</p>
<p>Tags: allow grouping of Situations.</p>
<p>Context: binds the Situation to a certain type of traffic (protocol, server or client stream, and so on).</p>
<p>Vulnerability: reference to a public vulnerability database.</p>
<p>Type: defines how the matching Situation is handled by the Inspection policy template.</p>
<p>Objective: Define rules in the inspection policy.</p>
<p>
</p>
<p>The rules tree is the main tool for controlling deep packet inspection.</p>
<p>The main rules tree contains a tree of situations, which are organized under situation types and sub-types.</p>
<p>This tree allows you to define what kind of action the NGFW takes when situation matches are found in traffic, and how the match is logged.</p>
<p>The rules tree defines general checks that are applied to all patterns that are not handled by a more specific definition. It is not possible to limit the scope of the checks by IP addresses or logical interfaces in the rules tree.</p>
<p>To edit these rules, click the action cell or the logging cell of a rule and select the suitable option.</p>
<p>All levels of the rules tree are editable. By default, sub-items inherit the action and logging options from their parent item. If a sub-item has any setting that differs from the parent item's settings, this is considered an override and appears in bold.</p>
<p>You can have the default action changed for a whole situation type but have a different action for just one situation within that type. For example, if BitTorrent usage is allowed within your company network, you can override the Peer-to-Peer rule setting to allow BitTorrent file exchanges.</p>
<p>Inspection rules - rules tree</p>
<p>▪ Situation handling is determined based on situation types.</p>
<p>▪ Rules define general checks for all patterns.</p>
<p>▪ Overrides can make exceptions for specific situations, but there is no ability to limit the scope of the action.</p>
<p>▪ Situation types include botnet detection.</p>
<p>Slide table: for each situation type, an Action (Terminate or Permit) and Logging options (recording option, log level). The default action and logging options can be changed.</p>
<p>Botnet detection</p>
<p>All botnet detection-related techniques are grouped into the Botnet situation type in the inspection policy. Botnet detection includes fingerprint-based detection, decryption-based detection, and message-length sequence analysis.</p>
<p>Inspection rules and exception rules can create a log or alert entry each time they match. The log level options are the same as in the access rules. However, additional recording options are available in the inspection policy.</p>
<p>Excerpt: Stores an excerpt of the packet that matched. The maximum recorded excerpt size is 4 KB. This allows you to quickly view the payload in the Logs view.</p>
<p>Record: Records the traffic up to the limit you set in the Record Length field. This allows for storing more data than the Excerpt option. Record Length sets the length of the recording for the Record option, in bytes.</p>
<p>Inspection rules logging options</p>
<p>▪ Using the same log levels as in access rules</p>
<p>▪ Additional recording options:</p>
<p>• Excerpt</p>
<p>• Record</p>
<p>The NGFW inspection policy should provide the best possible accuracy.</p>
<p>• Inspection should let legitimate traffic through with as little added latency or bandwidth limitation as possible.</p>
<p>• Clearly bad traffic should be terminated.</p>
<p>• Most of the time, suspicious traffic must be let through. A log entry should be generated for possible later analysis.</p>
<p>Predefined inspection policies are provided by the system, but there is no one set of traffic inspection policies that would work ideally in every environment. What is a serious threat to a crucial system in one environment may not be considered an event at all in another network.</p>
<p>An inspection policy not properly tuned to your network environment will trigger:</p>
<p>False positives</p>
<p>The NGFW inspection policy can be an efficient tool that allows you to quickly receive notifications of events and even automatically block malicious traffic.
If the patterns that the NGFW is looking for are not accurate enough, legitimate traffic may also trigger alarms or be stopped.</p>
<p>Detection accuracy</p>
<p>Legitimate traffic: allowed, with no latency and no bandwidth limitation.</p>
<p>Suspicious traffic: allowed most of the time, and logged.</p>
<p>Bad traffic: terminated.</p>
<p>True positive: NGFW correctly identified harmful traffic.</p>
<p>True negative: NGFW correctly did not react to legitimate traffic.</p>
<p>False positive: NGFW incorrectly identified legitimate traffic as harmful.</p>
<p>False negative: NGFW failed to react to harmful traffic.</p>
<p>False negatives</p>
<p>False negatives occur when the NGFW fails to react to malicious traffic. This can happen for many different reasons, for example:</p>
<p>• Skillful attackers may use techniques specifically designed to confuse the NGFW traffic inspection.</p>
<p>• The inspection policies may be configured too permissively when trying to eliminate false positives.</p>
<p>• The NGFW may not receive the same traffic as the hosts on the monitored network due to network configuration issues.</p>
<p>• The lack of frequent updates may leave the NGFW without the attack signatures that detect the latest publicly known exploits.</p>
<p>Objective: Tune an inspection policy.</p>
<p>Verifying and tuning inspection</p>
<p>The most common way to introduce deep inspection in your network is to start with a predefined inspection policy.</p>
<p>Your next task is gathering information about the events detected in your networks during a “tuning period”. Once you have enough information on what kind of traffic (malicious and harmless) can be seen in your network, you can modify your policies to improve the detection accuracy and to get rid of false alarms.</p>
<p>To assist in policy tuning, you can use:</p>
<p>• Passive termination. When passive termination is used (defined in the Advanced tab of the NGFW element properties or in exception rules), the NGFW creates a special log entry noting that a certain connection was selected for termination, but the engine does not actually terminate the connection. This allows you to check the logs and adjust your policy without the risk of cutting important business communications.</p>
<p>• Inspection rule overrides. As previously discussed, overrides are used in an inspection rule to either permit or terminate a specific situation or situation sub-type, in contradiction to what is done for the larger situation type. This determination, though, is applied wherever the given situation or situation type is identified. When more specificity is needed, an exception rule should be used instead.</p>
<p>• Exception rules in the inspection policy. The Exceptions tab allows you to create detailed rules, which are processed before the rules tree definitions on the Inspection tab. An easy way to create new exception rules to fine-tune your policy is to use an existing log entry as the basis: you can create exceptions through the right-click menu of log entries.</p>
<p>Verifying and tuning inspection</p>
<p>Slide diagram: passive termination; inspection exception rules.</p>
<p>The exceptions are matched before the main rules, which is reflected in the location of the Exceptions panel above the main rules tree.</p>
<p>
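The evaluation order described in the tuning notes above and in the earlier rules tree discussion, as an added example in Python (not Forcepoint code): exception rules first, top down, then the rules tree with inherited actions and overrides, and passive termination that logs instead of enforcing. Situation names, tags, networks and log wording are constructed; the constructed policy mirrors the BitTorrent override and the new-signature and false-positive exceptions from the notes.

```python
"""Inspection policy evaluation as described in the notes above: exception rules
are read top down before the rules tree, a situation inherits its parent type's
action and log level unless overridden, and passive termination only logs.
Added example, not Forcepoint code: names, tags, networks and log wording are
constructed."""
from __future__ import annotations
from dataclasses import dataclass
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Situation:
    name: str
    type_path: tuple[str, ...]          # situation type and sub-types, as in the rules tree
    severity: int                       # constructed 1..10 scale
    tags: frozenset[str] = frozenset()

@dataclass(frozen=True)
class Match:                            # one situation match seen in a connection
    situation: Situation
    src: str
    dst: str

class RulesTree:
    """Action and log level per node; a node without its own setting inherits
    its parent's, so an explicit setting on a sub-item is an override."""
    def __init__(self, root_action="permit", root_log="stored"):
        self.settings = {(): (root_action, root_log)}

    def set(self, path, action, log_level):
        self.settings[tuple(path)] = (action, log_level)

    def resolve(self, s):
        node = s.type_path + (s.name,)
        while node not in self.settings:    # walk up to the nearest explicit setting
            node = node[:-1]
        return self.settings[node]

@dataclass
class ExceptionRule:
    action: str                             # permit | terminate | blocklist | continue
    situation: str | None = None            # match one situation by name ...
    tag: str | None = None                  # ... and/or every situation carrying a tag
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    severity: tuple[int, int] = (1, 10)     # inclusive severity range
    log_level: str | None = None            # None: inherit from an earlier continue rule
    passive: bool = False                   # rule-level passive termination

    def matches(self, m):
        s = m.situation
        if self.situation is not None and s.name != self.situation:
            return False
        if self.tag is not None and self.tag not in s.tags:
            return False
        return (self.severity[0] <= s.severity <= self.severity[1]
                and ipaddress.ip_address(m.src) in self.src
                and ipaddress.ip_address(m.dst) in self.dst)

def _decide(where, action, log_level, passive, m, log):
    s = m.situation.name
    if action in ("terminate", "blocklist") and passive:
        log.append(f"{where}: {s} {m.src}->{m.dst} selected for termination (passive, not enforced)")
        return "permit", log
    if log_level != "none":
        log.append(f"{where}: {s} {m.src}->{m.dst} {action} [{log_level}]")
    return action, log

def evaluate(exceptions, tree, m, engine_passive=False):
    """Return (verdict, log lines) for one situation match."""
    log, inherited_log = [], "stored"
    for i, rule in enumerate(exceptions, 1):
        if not rule.matches(m):
            continue
        if rule.action == "continue":       # continue: sets defaults, matching goes on
            inherited_log = rule.log_level or inherited_log
            continue
        return _decide(f"exception {i}", rule.action, rule.log_level or inherited_log,
                       rule.passive or engine_passive, m, log)
    action, log_level = tree.resolve(m.situation)
    return _decide("rules tree", action, log_level, engine_passive, m, log)

# Constructed policy in the spirit of the examples in the notes.
TREE = RulesTree()
TREE.set(("Peer-to-Peer",), "terminate", "stored")
TREE.set(("Peer-to-Peer", "BitTorrent"), "permit", "stored")   # override: BitTorrent allowed
TREE.set(("Attacks",), "terminate", "alert")
EXCEPTIONS = [   # 1: test new signatures passively with a specific alert; 2: false-positive fix; 3: noise
    ExceptionRule("terminate", tag="Recent-Updates", log_level="alert", passive=True),
    ExceptionRule("permit", situation="HTTP_Example-False-Positive",
                  src=ipaddress.ip_network("10.0.0.0/8"), dst=ipaddress.ip_network("192.0.2.10/32")),
    ExceptionRule("permit", tag="Anomalies", severity=(1, 2), log_level="none"),
]
BITTORRENT = Situation("P2P_BitTorrent-Handshake", ("Peer-to-Peer", "BitTorrent"), 2)
EDONKEY = Situation("P2P_eDonkey-Hello", ("Peer-to-Peer", "eDonkey"), 2)
NEW_SIG = Situation("HTTP_Example-New-Exploit", ("Attacks", "HTTP"), 8, frozenset({"Recent-Updates"}))
FP_SIG = Situation("HTTP_Example-False-Positive", ("Attacks", "HTTP"), 5)
FTP_ANON = Situation("FTP_Anonymous-Login", ("Anomalies", "FTP"), 1, frozenset({"Anomalies"}))
```

Note that the false-positive exception only applies to the matching source and destination; the same situation seen elsewhere still falls through to the Attacks type in the tree and is terminated.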
</p>
<p>The most frequent use of exceptions is to eliminate false positives, which typically requires permitting a pattern for some part of the traffic while it still triggers a reaction when encountered in any other traffic.</p>
<p>The exceptions have additional features compared to the rules tree:</p>
<p>• You can make exceptions to the general rules tree definitions based on source, destination, and protocol information. For example, an exception is needed to eliminate a false positive in traffic between two internal hosts without disabling inspection completely.</p>
<p>• You can set additional responses to matches that are found. You can blocklist connections on an NGFW, and you can add user responses as notifications for some types of events.</p>
<p>• You can create rules that are applied only on certain days and/or at certain times of day.</p>
<p>The basic design principle of exception rules is the same as in access rules, meaning that the rules are read from the top down, and more specific rules must be placed above more general rules that match the same traffic. But in inspection rules, matching is mainly done based on the information included in the situation elements. Because each situation matches only a particular pattern in traffic, the rules match the same traffic only when they match the same situation, even if they have identical source, destination, severity and protocol definitions.</p>
<p>Inspection policy exceptions rules</p>
<p>Slide diagram of an exception rule: protocols that match the rule; matching based on source/destination (zones, users and user groups, domain names, network elements); patterns of traffic the rule detects (Situation, Correlation Situation, Situation Tag, Vulnerability); Action: Terminate, Permit, Blocklist, Continue.</p>
<p>In the example, the Exceptions part of the policy contains the following rules:</p>
<p>• 1.1.1: Eliminating excessive logs (noise) for FTP anonymous login.</p>
<p>• 1.1.2: Detecting forbidden web browser versions: first terminating the connections and then sending a response to the user (for example, telling them to update the browser version before reconnecting). User response is also available in the Exceptions table.</p>
<p>• 1.1.3: Detecting recent updates: you can test newly added situations that are introduced in the system by the dynamic update package by setting individual exception rules to passive termination mode (just logging the traffic).</p>
<p>• 1.1.4: Permitting Information-severity situations in the Anomalies tag.</p>
<p>Inspection policy exceptions rules</p>
<p>Slide: matching situations within a severity range; matching situations based on logical interface.</p>
<p>Inspection exception example</p>
<p>▪ Example of inspection exception rules to reduce false positive events</p>
<p>Slide labels: test new signatures; permit a situation which caused false positives from the internal network to a specific server; log a specific alert so that matches to new situations are easily detected.</p>
<p>In this example, inspection exception rules are used to reduce the number of false positive events.</p>
<p>In rule 1.1.1, the new signatures from the last 3 update packages are temporarily allowed for testing purposes, to ensure that they don’t generate any false positives. A specific alert is raised when they are matched, to easily identify these signatures.</p>
<p>In rule 1.1.2, the situation which generated a false positive is allowed from a specific internal network to a specific server. If this situation is seen in any other traffic, the rule in the inspection rules tree will terminate the connection.</p>
<p>New exploit signatures are provided by dynamic updates.</p>
<p>You can configure the Management Server to periodically check for new dynamic update packages.
Once the dynamic update packages are downloaded, they need to be activated in the SMC before they can be installed on the engine. Updating the signatures on the engine requires a policy installation. This is configured in the Global System Properties dialog box, and the full process can be automated.</p>
<p>Signatures update process</p>
<p>▪ New exploit signatures are provided by dynamic updates.</p>
<p>• Policy installation is required to install new signatures on NGFWs.</p>
<p>• The signature update process can be automated.</p>
<p>Slide diagram: Forcepoint Cloud delivers the exploit signatures in an update package to the SMC, which installs them on the engines through a policy upload.</p>
<p>Knowledge check</p>
<p>1. How do you direct traffic to the Inspection Policy?</p>
<p>2. What is a situation?</p>
<p>3. What is the situation type used for?</p>
<p>4. What are the two types of rules in an inspection policy?</p>
<p>Answers:</p>
<p>1. In the access rules, by enabling deep inspection in the action options.</p>
<p>2. A situation is an event of interest, like a signature, used in inspection policies and system operation.</p>
<p>3. A situation type defines how the situation is handled according to the inspection policy, e.g., permit or terminate. Examples include suspicious traffic or botnet traffic.</p>
<p>4. The two rule types are exceptions and inspection rules.</p>
<p>Knowledge check</p>
<p>5. What are the differences between the exception rules and the inspection rules defined in the rules tree?</p>
<p>6. What is a false positive? How do you prevent false positives?</p>
<p>Answers:</p>
<p>5. Exceptions are processed before inspection rules and are user defined.
Inspection rules are defined by Forcepoint but can be modified by administrators.</p>
<p>6. A false positive is when legitimate traffic triggers alarms or is stopped. This can be prevented in several ways, including only sending relevant traffic for deep inspection and using exception rules in the inspection policy.</p>
<p>Malware Detection and File Filtering Policies</p>
<p>Module objectives</p>
<p>After successfully completing this module, you will be able to:</p>
<p>▪ List the different options for detecting malware.</p>
<p>▪ Explain how to send traffic for malware detection.</p>
<p>▪ Configure a file filtering policy.</p>
<p>▪ Integrate Forcepoint NGFW with a Forcepoint Data Loss Prevention (DLP) system.</p>
<p>Objective: List the different options for detecting malware.</p>
<p>This illustration gives an overview of the process and the order in which scanning is done.</p>
<p>1. When a file is passed through the firewall using a supported protocol, a hash of the file is sent to McAfee Global Threat Intelligence (GTI). If the file exists in the McAfee database, a score is returned classifying the relative risk of the file. If the file does not exist in the database, it is identified as “unknown”. Based on the score returned, the file can be immediately allowed or immediately blocked. But if the file is unknown, the next malware detection scan starts: anti-virus.</p>
<p>2. If Anti-Malware is activated, the NGFW scans the file for viruses. If the file is infected, it is discarded. If the file is not infected, the file can be passed to the next malware detection: Advanced Malware Detection.</p>
<p>3. First, the file hash is sent to Forcepoint Advanced Malware Detection. If the file is known, the file reputation is returned in the answer. If the file is unknown, the NGFW sends it to the AMD, which performs an in-depth sandbox analysis of the file. After the analysis is complete, the file reputation score is returned to the NGFW.</p>
<p>This process is managed by the file filtering policy used by the NGFW.</p>
<p>Malware detection process</p>
<p>Slide diagram: a new file enters the Next Generation Firewall and passes, in order, 1. McAfee GTI Global Threat Intelligence (cloud service included in NGFW licenses; known bad file hash?), 2. Anti-Malware Scan (embedded; infected?), and 3. Advanced Malware Detection (cloud service and on-premises sandbox; extra analysis for unknown files), with an OK result at each stage letting the file continue.</p>
<p>▪ NGFW sends hashes of the files to the AMD. If the file is known to the AMD, it will reply with a reputation score.
The unknown files are sent to AMD, which analyzes the behavior of the files in a restricted operating system environment and returns a reputation score for them.</p><p>▪ From the Logs view of the Management Client, you can access an external portal where you can view detailed reports for files that have been analyzed in the Cloud Sandbox, and use the analysis and reporting tools in that portal.</p><p>Advanced Malware Detection (AMD)</p><p>▪ Detects Advanced Persistent Threats, zero-day threats, and advanced malware.</p><p>▪ Provides deep content analysis of unknown objects.</p><p>▪ Has minimal impact on network traffic performance.</p><p>▪ Is available as a cloud sandbox service or as a sandbox appliance.</p><p>▪ Requires an additional license.</p><p>Figure: The NGFW queries the sandbox by hash (Query Sandbox), requests analysis of unknown files (Request Analysis), and receives the report (Send Report). Sandbox reputations: Legitimate, Low Risk, Medium Risk, High Risk, Malicious, Unknown.</p><p>Objective: Explain how to send traffic for malware detection.</p><p>▪ Access control rules control which network traffic goes for malware detection in the File Filtering Policy referenced by the access policy.</p><p>▪ You enable file filtering in the action options of individual access rules, or add a rule with the Continue action to set defaults for file filtering.</p><p>▪ The traffic enabled for file filtering in the access rules is sent to the File Filtering Policy. The protocol to which file filtering applies is determined by the Service allowed by the access rule.</p><p>▪ File filtering is only available for FTP, HTTP, HTTPS, IMAP, IMAPS, POP3, and POP3S. 
Note that for the encrypted protocols (HTTPS, IMAPS, POP3S) the engine must first decrypt the traffic: without TLS inspection it cannot see the file transfer, so file filtering cannot be applied to it.</p><p>▪ The Firewall Template and the Firewall Inspection Template use by default the file filtering rules defined in the Default File Filtering Policy. Default file filtering applies specific scanning methods and options depending on the file source, file destination, and file type. It enforces anti-malware scanning for all traffic on all file types if anti-malware is enabled in the Engine Editor and file filtering is activated in the access rules. The Default File Filtering Policy also applies the sandbox scan settings defined for the engine to some traffic by default.</p><p>Malware detection: configuration for file filtering</p><p>Access rules control what network traffic goes to File Filtering (File filtering: On). Malware detection is done in the File Filtering Policy.</p><p>Objective: Configure a file filtering policy.</p><p>Policy-based file type filtering</p><p>▪ The File Filtering Policy allows you to restrict the file types that are allowed in and out through the NGFW, and to apply malware detection to files.</p><p>▪ Whenever a file transfer operation is detected, the traffic is checked against the rules in the File Filtering Policy. The first rule that matches the file transfer operation is applied. If no matching rule is found, the file transfer is allowed. Because this implicit default is allow, add a final catch-all rule if unmatched file types should be scanned or blocked rather than let through.</p><p>▪ In a file filtering rule, messages and file transfers are matched on the following criteria: Source, Destination, and File Type.</p><p>Note: Source and Destination are the source and destination of the file, not the source and destination of the connection. 
For example, if a client in the internal network downloads a file from a web server on the Internet, the Source is the web server that served the file, and the Destination is the client's computer.</p><p>▪ The rules in the File Filtering Policy allow you to define rule-specific options for malware detection. The methods are listed here in the order in which scanning is done:</p><p>• File reputation</p><p>• Anti-malware</p><p>• Sandbox scan</p><p>File filtering policy</p><p>▪ File content analysis</p><p>▪ Policy-based file type filtering</p><p>Matching based on: Source, Destination, File Type.</p><p>Action: Allow After, Allow, Discard.</p><p>Malware detection: GTI file reputation, Anti-malware, Sandbox scan.</p><p>The Action defines how the engine handles the file:</p><p>▪ Allow: The file transfer is allowed without malware detection scanning. By default, compressed files are decompressed, and the contents are matched against the File Filtering Policy again.</p><p>▪ Discard: The file transfer is discarded without sending an ICMP error message or TCP reset to the source.</p><p>▪ Allow After: The file transfer is allowed only after the malware detection scans selected in the action options have been applied to the file.</p><p>File Content Analysis</p><p>▪ The Allow After action allows you to select options for malware detection by specifying which malware detection scans are applied to the file. If the file meets the requirements specified in the rule action options, the file transfer is allowed. 
Otherwise, the file is discarded.</p><p>Each scan method has its own requirements.</p><p>▪ File Reputation Scan</p><p>When selected, a checksum of the file is sent to the McAfee Global Threat Intelligence cloud or to McAfee TIE to be looked up, depending on which file reputation service is enabled in the engine properties. If available, a file reputation score is returned, and the rule compares it against the two thresholds you specify:</p><p>• The file is allowed without further malware detection scans if the reputation score is higher than the allow threshold.</p><p>• The file is discarded if the reputation score is lower than the discard threshold.</p><p>• Otherwise (the score is between the two thresholds, or the file is unknown to the service), the file is sent to the next malware detection scan.</p><p>▪ NGFW Anti-Malware</p><p>If the inspected file is infected, it is discarded. If the file is not infected, it is sent to Advanced Malware Detection if that scan is configured.</p><p>File filtering policy: binding file reputation, anti-malware, and cloud sandboxing into one process for malware detection (Allow After: GTI File Reputation, then Anti-Malware, then Advanced Malware Detection).</p><p>Advanced Malware Sandbox Scan</p><p>When selected, a checksum of the file is sent to a Forcepoint Advanced Malware Detection sandbox server. If available, a file reputation is returned. If the file is unknown, and one of the Forcepoint Advanced Malware Detection sandbox types is selected, the file itself is sent to the Forcepoint Advanced Malware Detection server to be scanned. 
When the scan is complete, a file reputation is returned and compared with the slider position in the action options:</p><p>▪ If the file reputation is to the left of the slider (the riskier reputations), the file is discarded.</p><p>▪ If the file reputation is to the right of the slider, the file is allowed.</p><p>The option "Delay file transfer until the analysis results are received" applies to the Advanced Malware Sandbox Scan. When selected, processing of the file transfer stops until the NGFW engine receives the analysis result from the Forcepoint Advanced Malware Detection sandbox server; it then allows or discards the file based on the file reputation. Without it, a file the sandbox has not seen before can reach its destination before the verdict arrives.</p><p>File Buffering Level defines how the engine handles the file while it is being scanned by the malware scans.</p><p>▪ None: Traffic is not buffered. Traffic is allowed through before malware detection scans are completed. This minimizes the delay to traffic, but it does not block unknown malware.</p><p>▪ Low: Only the last packet of the streaming connection is buffered until the malware scans are completed. The other packets of the connection are allowed through before the scans are completed. For SMTP traffic, selecting this option has the same effect as High.</p><p>▪ Medium: Part of the streaming connection is buffered until the malware scans are completed. For SMTP traffic, selecting this option has the same effect as High.</p><p>▪ High: Traffic is buffered until all malware scans are completed. 
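</p><p>The following Python script is an added example, not code from the Forcepoint course or product. It simulates how a File Filtering Policy decides on a file using the rules described above: the first rule matching the file's Source, Destination and File Type wins, no match means allow, and an Allow After action runs file reputation, anti-malware and the sandbox scan in that order, with the two reputation thresholds, the sandbox slider and the delay option. The GTI, anti-malware and sandbox lookups, the placeholder hashes, the threshold values and the addresses are constructed stand-ins, and the numeric reputation scale is an assumption; only the ordering and the allow/discard logic come from the module.</p><p>
```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Union

# Sandbox reputations from the AMD slide, ordered from worst to best.
SANDBOX_SCALE = ["Malicious", "High Risk", "Medium Risk", "Low Risk", "Legitimate"]


@dataclass
class FileEvent:
    source: str        # host that served the file (not the connection source)
    destination: str   # host that receives the file
    file_type: str
    sha256: str        # constructed placeholder hashes are used below


@dataclass
class AllowAfter:
    """Scan options of an Allow After action. Threshold values are assumptions."""
    reputation: bool = True
    allow_above: int = 70        # GTI score above this: allow, skip the other scans
    discard_below: int = 30      # GTI score below this: discard
    anti_malware: bool = True
    sandbox: bool = True
    slider: str = "Medium Risk"  # this reputation and anything worse (left of slider): discard
    delay_until_result: bool = True


@dataclass
class Rule:
    source: str                      # CIDR of the file source
    destination: str                 # CIDR of the file destination
    file_types: set
    action: Union[str, AllowAfter]   # "allow", "discard" or Allow After options

    def matches(self, ev: FileEvent) -> bool:
        return (ip_address(ev.source) in ip_network(self.source)
                and ip_address(ev.destination) in ip_network(self.destination)
                and ("any" in self.file_types or ev.file_type in self.file_types))


# Constructed stand-ins for GTI, the embedded anti-malware engine and AMD.
def gti_score(sha256: str) -> Optional[int]:
    return {"aaaa": 95, "bbbb": 5, "cccc": 50}.get(sha256)   # None: unknown to GTI

def av_infected(sha256: str) -> bool:
    return sha256 == "cccc"

def sandbox_known(sha256: str) -> Optional[str]:
    return {"dddd": "Legitimate"}.get(sha256)                 # reputation by hash query

def sandbox_analyze(sha256: str) -> str:
    return "High Risk"                                        # verdict of a full analysis


def evaluate(policy: List[Rule], ev: FileEvent) -> Tuple[str, List[str]]:
    """Apply the first matching rule; return (verdict, trail of decisions)."""
    rule = next((r for r in policy if r.matches(ev)), None)
    if rule is None:
        return "allow", ["no matching rule: file transfer allowed"]
    if isinstance(rule.action, str):
        return rule.action, [f"rule action: {rule.action}"]
    opt, trail = rule.action, []
    if opt.reputation:                                        # 1. file reputation
        score = gti_score(ev.sha256)
        trail.append(f"reputation score: {score}")
        if score is not None and score > opt.allow_above:
            return "allow", trail + ["above allow threshold, no further scans"]
        if score is not None and score < opt.discard_below:
            return "discard", trail + ["below discard threshold"]
    if opt.anti_malware:                                      # 2. anti-malware
        infected = av_infected(ev.sha256)
        trail.append(f"anti-malware infected: {infected}")
        if infected:
            return "discard", trail
    if opt.sandbox:                                           # 3. sandbox scan
        rep = sandbox_known(ev.sha256)
        if rep is None and not opt.delay_until_result:
            return "allow", trail + ["unknown to sandbox, transfer not delayed"]
        rep = rep or sandbox_analyze(ev.sha256)
        trail.append(f"sandbox reputation: {rep}")
        if SANDBOX_SCALE.index(rep) <= SANDBOX_SCALE.index(opt.slider):
            return "discard", trail + ["reputation left of slider"]
    return "allow", trail + ["all selected scans passed"]


# Constructed policy: executables from anywhere into the LAN are scanned,
# archives are discarded outright, anything else falls through to allow.
POLICY = [
    Rule("0.0.0.0/0", "10.0.0.0/8", {"executable"}, AllowAfter()),
    Rule("0.0.0.0/0", "0.0.0.0/0", {"archive"}, "discard"),
]

def download(sha256: str, file_type: str = "executable", policy=POLICY) -> str:
    """Internal client 10.1.1.7 fetching a file served by 203.0.113.5."""
    ev = FileEvent("203.0.113.5", "10.1.1.7", file_type, sha256)
    return evaluate(policy, ev)[0]

if __name__ == "__main__":
    for h in ("aaaa", "bbbb", "cccc", "dddd", "eeee"):
        print(h, *evaluate(POLICY, FileEvent("203.0.113.5", "10.1.1.7", "executable", h)))
```
</p><p>Run it to see the decision trail for each sample hash. The property worth noticing is the last branch of the sandbox stage: with the delay option off, a file the sandbox has never seen is allowed through before any verdict exists, which is the same gap the None buffering level opens for the other scans.</p><p>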
This provides the highest level of security, but it can delay traffic.</p><p>Objective: Integrate Forcepoint NGFW with Forcepoint Data Loss Prevention (DLP).</p><p>You can integrate on-premises DLP servers, such as Forcepoint DLP, with Forcepoint NGFW and use them as a scanning method in the File Filtering Policy.</p><p>▪ DLP scanning is typically used for outbound file transfers to prevent sensitive data from being sent out. DLP scanning is supported for the following protocols: FTP, HTTP, HTTPS, IMAP, IMAPS, POP3, POP3S, and SMTP.</p><p>▪ NGFW Engines communicate with the integrated DLP servers using the ICAP protocol.</p><p>▪ The DLP scanning method is enabled in the File Filtering Policy: the file filtering rule defines the content to scan, and DLP scanning is selected in the Allow After action.</p><p>▪ DLP scans can be used together with the anti-malware scanners.</p><p>Data Loss Prevention scanning</p><p>▪ Data Loss Prevention scanning is used for outbound file transfers to prevent sensitive data from being sent out.</p><p>▪ Forcepoint NGFW provides DLP scanning and uses the ICAP protocol to integrate with Forcepoint and third-party DLP solutions.</p><p>▪ Configured in the File Filtering Policy.</p><p>Figure: The NGFW passes the file to the DLP ICAP server, which answers whether the file transfer is allowed (OK).</p><p>Knowledge check</p><p>1. What is the purpose of the File Filtering Policy?</p><p>2. How do you direct traffic to the File Filtering Policy?</p><p>3. What are the different options for detecting malware?</p><p>4. What is the purpose of Data Loss Prevention scanning?</p><p>Answers:</p><p>1. File filtering allows administrators to restrict the file types allowed through the firewall, to apply malware detection to files, and to scan files for Data Loss Prevention.</p><p>2. In the access rules, enable file filtering in the action options of an Allow or Continue action.</p><p>3. Anti-malware, file reputation, and sandbox (Advanced Malware Detection).</p><p>4. Data Loss Prevention scanning prevents sensitive data from being sent out during file transfers.</p><p>Module summary</p><p>You should now be able to:</p><p>▪ List the different options for detecting malware.</p><p>▪ Explain how to send traffic for malware detection.</p><p>▪ Configure a file filtering policy.</p><p>▪ Integrate Forcepoint NGFW with a Forcepoint Data Loss Prevention system.</p><p>Alerts and Notifications</p><p>Module objectives</p><p>After successfully completing this module, you will be able to:</p><p>▪ Explain the alert escalation process in Forcepoint NGFW.</p><p>▪ Create an alert policy and alert chain to escalate an alert.</p><p>Objective: Explain the alert escalation process in Forcepoint NGFW.</p><p>Alerts are notifications of important events that require the administrator's attention. Alerts are generated by:</p><p>▪ Matching rules that have the alert logging option set.</p><p>▪ Tests failing.</p><p>▪ A threshold being exceeded (User Alert, Overviews).</p><p>▪ Monitored elements becoming unreachable.</p><p>▪ Problems related to the functioning of the system.</p><p>▪ Failures in communication between the system components.</p><p>The practical difference between alerts and normal log entries (where the log level is Stored or Essential) is that alerts are highlighted in the Management Client in the Active Alerts view (until acknowledged by an administrator) and can be escalated through various external notification channels. Each alert also exists as a log entry and persists in that form even after being acknowledged. Normal log entries do not produce the same kind of notification or escalation. 
In addition to rule matches, alerts can be generated when an automatic test fails, a monitored element becomes unreachable, or there is a system error.</p><p>Alerts</p><p>▪ Can be generated by matching rules.</p><p>▪ Can be created when a statistical threshold is exceeded.</p><p>▪ Can be created when there is a problem related to the functioning of the system.</p><p>▪ Can be escalated through a sequence of actions to notify administrators of the problem.</p><p>Alert escalation means defining when and how the system notifies the administrators when an alert entry is created. Alert entries inform the administrators if there is a problem with the SMC servers or NGFW Engines, when a test or a task has failed, or when a rule has matched.</p><p>Alert process</p><p>▪ The engine nodes send alert entries when a matching rule includes an alert element in its logging options, or when a failure is detected when running a test. The SMC servers also send alerts on critical system events.</p><p>▪ The Log Server receives the alerts, stores them, and forwards them to the Management Server.</p><p>▪ When an alert is received by the Management Server, it becomes visible in the Active Alerts view. The Management Server matches the alert against the Alert Policy installed on it. The Alert Policy rules define which alerts are escalated through which Alert Chains, based on the component that sent the alert entry and the related alert element.</p><p>▪ The Alert Chains define which administrators receive notifications, and in which order and in which ways those notifications are sent.</p><p>▪ The administrator acknowledges alert entries in the Active Alerts view. 
The alert is removed from Active Alerts, and all Alert Chain processing for that alert entry is stopped.</p><p>Figure: Alert process. 1. An alert entry is created by an NGFW engine or an SMC server; 2. the Log Server saves it to disk; 3. the Management Server displays it in the Active Alerts view of the SMC client; 4. the Alert Policy and Alert Chain send notifications to administrators; 5. an administrator acknowledges it.</p><p>Alerts are displayed on the NGFW Engines Dashboard page, in the Active Alerts view, and in the Logs view with other types of log entries.</p><p>Active Alerts in the NGFW Engines Dashboard: alerts are clearly visible from the NGFW Engines Dashboard page.</p><p>When a component generates an alert, the alert entry is displayed in the Active Alerts view and in the Logs view with other types of log entries.</p><p>▪ The administrator acknowledges the alert in the Active Alerts view, where alerts are aggregated by type and severity.</p><p>▪ The active alerts are stored on the Management Server until they are acknowledged.</p><p>▪ The Active Alerts view can be reached through the Monitoring menu or by clicking the user notification icon that appears in the bottom right corner of the Management Client.</p><p>Objective: Create an alert policy and alert chain to escalate an alert.</p><p>Alert escalation</p><p>1. Define the Alert or Situation to escalate (optional).</p><p>2. Define the rule triggering the Alert (optional).</p><p>3. Define an Alert Chain.</p><p>4. Define an Alert Policy.</p><p>5. Configure Alert Notifications.</p><p>Task 1: Define the Alert or Situation to escalate (optional).</p><p>This step is optional because System Alerts are already defined for many of the alerts you might want to receive. System Alerts are always based on matching a situation that is already defined; the situation can be a warning or error in the operation of the SMC (like the Log Server: disk full situation).</p><p>If you want to create a custom alert, first name and describe it in a Custom Alert element. In the next step, you use a rule to identify the traffic or situation that should trigger the alert: select Alert as the logging level and then specify the name of the custom (or system) alert. The resulting log entries are identifiable by the name of the alert.</p><p>Task 2: Define the rule triggering the Alert (optional).</p><p>This step is optional because system alerts are already defined and may be all you need in some circumstances.</p><p>Alerts are sent when there is a problem with the system, when a test or task fails, or when a rule that is configured to trigger an alert matches (traffic match). Alerts can also be sent when a set threshold for a monitored item in Overviews is exceeded (threshold exceeded).</p><p>Task 3: Define Alert Chains.</p><p>Alert Chains define how, in which order, and to whom the notifications on alert entries are sent. Alert Chains include a list of actions that are executed from top to bottom. Each row in an Alert Chain defines a Channel and a Destination address for the notification:</p><p>▪ The Custom Script channel executes a script stored on the Management Server. The Destination cell must contain the name of the script.</p><p>▪ The DELAY channel allows you to add a delay without taking any action. Because any of the other rows can also set a delay, the DELAY channel is most useful if you want to add a delay at the top of the Alert Chain before any action.</p><p>▪ The SMS channel sends a text message using a GSM mobile phone that you attach to the Management Server. The Destination cell must contain the mobile phone number the text message is sent to.</p><p>▪ The SMTP channel sends an e-mail. The Destination cell must contain e-mail address(es) in a form that your SMTP server is able to use.</p><p>▪ The SNMP channel sends an SNMP trap. The Destination cell is not used with this channel.</p><p>▪ The USER NOTIFICATION channel adds a blinking icon in the bottom right corner of the Management Client. The Destination cell may be set to ANY or it may contain particular Administrator elements.</p><p>Each Alert Chain row also includes three optional fields. The Threshold to Block field limits the maximum number of notifications sent within a defined time period. The Delay field defines the number of minutes to wait before processing the next row in the Alert Chain. You can add a free-form comment to the row in the Comment field.</p><p>Task 4: Define Alert Policies.</p><p>Alert Policies determine the criteria for selecting which alerts, generated by various sources, are escalated to certain Alert Chains.</p><p>▪ The Alert Policy includes rules for matching incoming alert and situation entries.</p><p>▪ Security engines and SMC servers are possible sources for alerts.</p><p>▪ Changes made to Alert Policies take effect when you install the Alert Policy on a Domain (or on the Shared Domain, if no domain has been defined).</p><p>▪ You must install the Alert Policy whenever you change the Alert Policy rules or the Alert Chains used by those rules.</p><p>▪ If the Management Server has no Alert Policy installed, alert entries are escalated according to the Default Alert Policy.</p><p>Note that only situations with Data Type: Alerts work in the Alert Policy; see https://support.forcepoint.com/s/article/Alert-policy-does-not-apply-for-all-situations</p><p>Task 5: Configure Alert Notification Methods.</p><p>To use the Alert Channels in the chains, you may first need to configure the corresponding notification parameters in the properties of the Management Server element. The amount of information the alert notification gives about the situation depends on the Alert Channel used. 
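</p><p>As an added example (not the SMC's own code), the Python script below models the escalation path of Tasks 3 and 4: an Alert Policy picks the Alert Chain from the sender and the alert element, the chain is walked top to bottom honouring each row's Delay and Threshold to Block, and acknowledgement stops the remaining rows. The chain rows, the policy rules, the "disk full" alert and the destinations are constructed; the time unit is minutes, as in the Delay field, and the semantics of Threshold to Block as "at most N notifications from this row per window" is an assumption. Notifications are recorded instead of being sent.</p><p>
```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Alert:
    sender: str                            # component that created the alert entry
    element: str                           # Alert element (System Alert or custom alert)
    acknowledged_at: Optional[int] = None  # minute at which an administrator acknowledges it


@dataclass
class ChainRow:
    channel: str                  # SMTP, SMS, SNMP, USER NOTIFICATION, CUSTOM SCRIPT or DELAY
    destination: str = ""         # address, number, script name or administrator; unused for SNMP
    delay: int = 0                # Delay field: minutes before the next row is processed
    threshold_to_block: Optional[Tuple[int, int]] = None  # (max notifications, minutes)


@dataclass
class PolicyRule:
    sender: str             # "ANY" or the component that sent the alert
    element: str            # "ANY" or an alert element name
    chain: Optional[str]    # Alert Chain to escalate to; None means not escalated (assumption)


class Escalator:
    def __init__(self, policy: List[PolicyRule], chains: Dict[str, List[ChainRow]]):
        self.policy, self.chains = policy, chains
        self.history: Dict[tuple, List[int]] = {}   # (chain, row index) -> minutes notified

    def select_chain(self, alert: Alert) -> Optional[str]:
        """The first Alert Policy rule matching sender and alert element wins."""
        for rule in self.policy:
            if rule.sender in ("ANY", alert.sender) and rule.element in ("ANY", alert.element):
                return rule.chain
        return None

    def escalate(self, alert: Alert, now: int) -> List[Tuple[int, str, str]]:
        """Walk the chain top to bottom; return the (minute, channel, destination) sent."""
        sent: List[Tuple[int, str, str]] = []
        chain = self.select_chain(alert)
        if chain is None:
            return sent
        for index, row in enumerate(self.chains[chain]):
            if alert.acknowledged_at is not None and now >= alert.acknowledged_at:
                break                                        # acknowledgement stops the chain
            if row.channel != "DELAY":
                key, blocked = (chain, index), False
                if row.threshold_to_block:
                    limit, window = row.threshold_to_block
                    recent = [t for t in self.history.get(key, []) if now - t < window]
                    blocked = len(recent) >= limit          # Threshold to Block reached
                if not blocked:
                    sent.append((now, row.channel, row.destination))
                    self.history.setdefault(key, []).append(now)
            now += row.delay                                 # wait before the next row
        return sent


# Constructed configuration: a chain that escalates from a blinking icon to
# e-mail, SMS and an SNMP trap, and a policy that routes the Log Server's
# "disk full" System Alert to it and escalates nothing else.
CHAINS = {
    "NOC chain": [
        ChainRow("USER NOTIFICATION", "ANY", delay=10),
        ChainRow("SMTP", "noc@example.com", delay=30, threshold_to_block=(1, 60)),
        ChainRow("SMS", "+15550100"),
        ChainRow("SNMP"),
    ]
}
POLICY = [
    PolicyRule("Log Server", "Log Server: disk full", "NOC chain"),
    PolicyRule("ANY", "ANY", None),
]


def disk_full(ack: Optional[int] = None) -> Alert:
    return Alert("Log Server", "Log Server: disk full", ack)


def demo() -> Dict[str, int]:
    """Number of notifications sent in four scenarios against a fresh escalator."""
    esc = Escalator(POLICY, CHAINS)
    return {
        "quick_ack": len(esc.escalate(disk_full(ack=15), now=0)),   # acked before the SMS row
        "ignored": len(esc.escalate(disk_full(), now=100)),         # all four rows fire
        "repeated": len(esc.escalate(disk_full(), now=120)),        # SMTP row blocked, SMS still sent
        "unmatched": len(esc.escalate(Alert("Node 1", "Test failed"), now=0)),
    }


if __name__ == "__main__":
    print(demo())
```
</p><p>Two behaviours are worth checking against your own configuration: a Threshold to Block on one row silences only that row, so the later, noisier channels still fire, and an alert that nobody acknowledges runs the whole chain, which is the intended pressure on the on-call administrator.</p><p>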
For example, SMS may have limits to the number of characters that can be sent.</p><p>Knowledge check</p><p>1. What is the difference between Active Alerts and alert logs?</p><p>2. What are Alert Policies?</p><p>3. What are Alert Chains?</p><p>4. What alert notification channels can be configured in the SMC?</p><p>5. How do you stop the alert escalation process?</p><p>Answers:</p><p>1. Active Alerts can be acknowledged and disappear from the Active Alerts view after acknowledgement, whereas alert logs are stored on the Log Server.</p><p>2. Alert Policies determine the criteria for selecting which alerts are escalated to certain Alert Chains.</p><p>3. Alert Chains define the notification channels used to send alert notifications to administrators.</p><p>4. The SMC supports e-mail (SMTP), SMS, SNMP, user notification, and custom alert script notification channels.</p><p>5. To stop alert escalation, acknowledge the active alert that triggered it.</p><p>Users and Authentication</p><p>Module objectives</p><p>After successfully completing this module, you will be able to:</p><p>▪ Identify supported directory servers and authentication methods.</p><p>▪ Explain the browser-based user authentication mechanism.</p><p>▪ Configure user authentication.</p><p>▪ Differentiate between user authentication and user identification.</p><p>▪ Explain the difference between the Forcepoint UID and ECA.</p><p>▪ Configure user behavior monitoring.</p><p>Objective: Identify supported directory servers and authentication methods.</p><p>Managing users and authentication</p><p>▪ Identification is claiming to be someone or something.</p><p>▪ Authentication is the verification that someone or something is who or what they claim to be.</p><p>▪ Authorization determines whether someone or something is permitted to perform an action or allowed access, after they have passed authentication.</p><p>To make authentication possible, information about the users must be defined and stored. A directory server is a server that contains a user database that is queried during the user authentication process. You can store the user accounts in the Management Server's internal user database or on an external directory server. Different users can be stored in different directories and can use different authentication methods.</p><p>▪ Authentication means requiring users to prove their identity before giving access to a network resource. Authentication is mandatory with client-to-gateway VPNs. You can require authentication for any non-VPN connections as well.</p><p>▪ Authentication is based on the user information, but is a separate operation and is not necessarily done on the same server that stores the user information.</p><p>▪ Authentication can be performed in several ways. Combining several methods strengthens the verification of the user. 
With authentication, a person can prove their identity using one or more of the following:</p><p>• Something they are.</p><p>• Something they know.</p><p>• Something they have.</p><p>The most common types of authentication are something the user knows, such as a password, and something they have, such as an authorization card or token.</p><p>Managing users and authentication</p><p>▪ A directory server provides access to information about user accounts in a user database.</p><p>▪ NGFW can query user accounts stored in either the Management Server's internal LDAP directory service or an external Active Directory (AD) or LDAP directory server.</p><p>▪ The authentication method defines how the user can authenticate. The NGFW supports:</p><p>• Internal authentication methods: the NGFW has all the user information and does not need to contact external servers when authenticating users.</p><p>• External authentication methods: external servers store user and authentication data, and the NGFW must communicate with them during the authentication process.</p><p>There are predefined authentication method elements for user authentication on the firewall and for external user authentication.</p><p>▪ Client Certificate is for certificate-based authentication.</p><p>▪ LDAP Authentication is for simple password authentication against LDAP databases on external LDAP or Active Directory servers.</p><p>▪ Pre-Shared Key Method is for use with some third-party VPN clients.</p><p>▪ User Password is for simple password authentication against the internal LDAP database, including user authentication in Forcepoint VPN Client hybrid authentication.</p><p>You can authenticate end-user access through firewalls and administrator logins to the SMC against external authentication servers that support either the RADIUS or the TACACS+ protocol. There are three predefined external authentication methods for use with RADIUS or TACACS+:</p><p>▪ Network Policy Server authentication method (Internet Authentication Service (IAS) in previous Windows Server versions) provides support for authentication against Active Directory using the Network Policy Server authentication service.</p><p>▪ Terminal Access Controller Access Control System (TACACS+) authentication method.</p><p>▪ Remote Authentication Dial-In User Service (RADIUS) authentication method.</p><p>If you use an external authentication server, multiple authentication methods are available, such as one-time passwords and token cards.</p><p>Supported authentication methods (internal / external):</p><p>▪ User Password: internal.</p><p>▪ Client Certificate: internal and external.</p><p>▪ LDAP Authentication: AD / external LDAP.</p><p>▪ Pre-Shared Key Method: third-party VPN clients.</p><p>▪ Network Policy Server: AD.</p><p>▪ RADIUS: external.</p><p>▪ TACACS+: external.</p><p>Internal LDAP User Database</p><p>The Management Server includes an integrated LDAP directory for storing user information. The Management Server's internal user database can be used for authenticating users with passwords or certificates. Using the internal LDAP directory is the simplest choice when there is no specific need for an external LDAP server.</p><p>When the Management Server's internal LDAP directory is used, the user and user group information is stored on the Management Server. Each firewall node stores a replica of the user database, and any changes to the main database are replicated immediately to the firewalls. 
This way, the firewalls can access their local directories instead of constantly communicating user information over the network. Users are managed directly through the Management

Objective
Explain basic concepts of virtualization.

Virtual firewall
▪ A physical NGFW appliance is split into logical Virtual NGFWs.
▪ Each Virtual NGFW has its own configuration (such as policy or routing).
▪ Useful in MSSP environments.
[Slide diagram: Virtual FW 1 and Virtual FW 2 on one NGFW Appliance]

Virtual Firewall
Virtual Firewalls offer a way to logically divide up to 250 security gateway configurations into separately manageable instances on a single physical Next Generation Firewall appliance. This approach is ideal for managed security service providers (MSSPs), who offer and manage security services for multiple customers using the same physical elements.

Forcepoint NGFW offers a comprehensive virtualization solution with Virtual Appliance.
Virtual Appliances
A virtual appliance is an NGFW engine that runs as a virtual machine inside a virtualization hypervisor, such as VMware ESX. With virtual appliances, you can easily and independently deploy a comprehensive security infrastructure using virtual machines. Each virtual appliance can serve an independent role, and even run its own software version and operating system. NGFW supports the following virtualization systems:
• VMware, VMware NSX integration. NSX-V coordinates services between a software-defined data center (SDDC) and Forcepoint Next Generation Firewall (Forcepoint NGFW). Integrating NSX-V with Forcepoint NGFW makes it possible to quickly deploy security services throughout the SDDC.
• KVM
• Hyper-V
Virtual Appliances for Cloud Platforms
Forcepoint NGFW can be installed on the following public clouds:
• Amazon Web Services (AWS)
• Microsoft Azure
• Google Cloud Platform (GCP)
• IBM Cloud
• Oracle Cloud Infrastructure (OCI)

▪ An NGFW virtual appliance is an NGFW engine installed on a virtualization platform or cloud platform.
[Slide diagram: NGFW Software running as a Virtual appliance in a Virtual Environment, with Google Cloud Platform as the example]

Objective
Describe the NGFW installation methods.

The primary way of installing the NGFW appliances is to perform a USB drive installation. There is no need for technical onsite personnel during the installation: just plug in power and network cables, and the USB drive with the initial configuration information. The smallest available USB thumb drive is more than sufficient, as the configuration files are only about 1 KB each.
You can define a policy to be installed on the NGFW engine after it has made initial contact with the Management Server. Together with the policy, the whole NGFW configuration, such as the interface configuration, routing and anti-spoofing, and the VPN configuration, is sent to the engine.
The appliance can still be configured using manual configuration and the Engine Configuration Wizard.
We will cover the configuration process in detail in Lab 1.
USB drive installation detailed process:
• The appliance has a pre-loaded NGFW engine.
• Based upon licensing, it can be configured into any of the roles previously discussed in the features table of this module.
• Save the engine configuration to a configuration file on a USB drive.
• Insert the USB drive into the USB port of the appliance prior to power-on.
• An actual connection to the appliance via monitor or serial connection is not required.

Installation of NGFW
[Slide diagram: USB drive installation with automatic policy push (Client, SMC, Initial Configuration File, USB drive) and manual configuration via the configuration wizard (Serial Connection, Client)]

Cloud-based Plug and Play installation can reduce the workload for installation, especially at remote sites. You only need to configure the Firewall elements in the Management Client and upload the configurations to the Installation Cloud. In this scenario, the appliance automatically connects to the Installation Cloud and retrieves its configuration information. To make the Plug and Play deployment even more convenient, you can use the Multiple Firewalls wizard, which allows you to create hundreds of Firewall elements at once.
This short animation demonstrates the process:
1. The administrator creates elements for the remote Firewalls and specifies the appliance POS (Proof of Serial code) in the Firewall properties. The Firewalls must have a valid license bound to their POS code. In the Firewall initial configuration settings, you must select the Upload to Installation Server option and the Firewall policy to apply. The Management Server sends the Firewall’s initial configuration to the Forcepoint Installation Cloud. The Installation Cloud stores the configurations and waits for appliance contact.
2. The appliances are shipped to the remote site and cables are connected.
3. After boot-up, the appliance automatically contacts the Installation Cloud and asks if its initial configuration is available.
4. If the configuration is available, the Installation Cloud sends it to the appliance.
5. The appliance makes initial contact with the Management Server specified in the initial configuration.
6. The Management Server returns the predefined policy and configuration to the appliance.
In case of connection problems, Forcepoint support can check the status of each appliance installation from the Installation Cloud.

Cloud based plug and play installation
[Slide diagram: SMC, Installation Cloud and NGFW Engine; 1. Initial configuration upload to cloud; 2. Call cloud for initial configuration; 3. Connect home; 4. Security policy]

Objective
List the four common NGFW deployments.

The positioning of a firewall depends on the network environment and the function of the firewall.
In a typical Firewall deployment, the Firewall is a perimeter defense, positioned between networks with different security levels. In this setup, Firewalls generally control traffic between:
• External networks (the Internet) and your internal networks.
• External networks (the Internet) and DMZ (demilitarized zone) networks.
• Internal networks (including DMZs).
In a Firewall deployment, Layer 3 interfaces provide Layer 3 features such as IPv4/IPv6 network boundaries, NAT, authentication, routing, VPN, and deep packet inspection. Layer 2 physical interfaces can also be configured in the Forcepoint NGFW. The following slides explain deployments requiring the use of Layer 2 interfaces.

Layer 3 Firewall role deployment
▪ Controls access on the network perimeter and between internal networks.
▪ Has a routing-capable firewall with full deep inspection (IPS) capabilities.
▪ Features integrated IPsec VPN with SD-WAN capabilities.
▪ Is configured with Layer 3 interfaces (and optionally, Layer 2 interfaces as seen on the next slide).
[Slide diagram: NGFW in Firewall role with Layer 3 interfaces between the Internal Network, the DMZ and the Internet]

With an IPS or Layer 2 Firewall inline deployment, the traffic is switched directly through the engine. The engine has full control over the traffic flow and can be used to block any traffic. The
The</p><p>inline engine can also enforce block listing commands received from other components.</p><p>In an IPS deployment (but not a L2FW) fail-open network cards can be used to ensure that</p><p>traffic flow is not disrupted when the engine is offline.</p><p>Inline IPS and Layer 2 Firewall deployment require the configuration of inline Layer 2</p><p>interface pair.</p><p>Layer 2 interfaces provide transparent access control and logging for any traffic at Layer 2</p><p>and above.</p><p>Layer 2 interfaces</p><p>Client and user information is stored on the</p><p>Management Server.</p><p>By default, the SMC’s internal user database is not replicated automatically to firewall nodes. To enable the</p><p>user replication, enable “User DB Replication” on the firewall node. Use the “Reset User Database”</p><p>command to enforce the synchronization between the SMC and the firewall user database.</p><p>It is not possible to give external components (such as external authentication servers) access to the</p><p>internal LDAP database.</p><p>Users can be authenticated using authentication methods provided by the firewall.</p><p>Public © 2022 Forcepoint 8</p><p>Internal user database</p><p>The management server includes an integrated LDAP directory.</p><p>▪ Internal users are stored in the “InternalDomain”.</p><p>▪ Internal user account information and authentication settings are replicated to the firewalls.</p><p>Internal users & authentication</p><p>settings</p><p>Management</p><p>Server</p><p>Replica of internal user</p><p>authentication settings</p><p>Synchronization</p><p>252 | Forcepoint NGFW 7.0 Administrator Course © 2022 Forcepoint</p><p>In the internal user accounts, you can define all the information necessary for authenticating with the</p><p>authentication methods provided by the firewall. 
The user authentication settings (such as the user</p><p>credentials for the User Password method) are replicated to all the firewalls.</p><p>This illustration shows the authentication process for internal users.</p><p>1. Firewalls store their own replica of the Management Server’s internal LDAP database. Any changes to</p><p>the user database in SMC are automatically replicated to the firewalls.</p><p>2. If the user authentication succeeds, the firewall lists the user as an authenticated user, taking note of</p><p>both username and authentication method. When the user opens new connections, access rules that</p><p>contain an authentication requirement, now match. The username and authentication method are both</p><p>considered separately as matching criteria. When the configured timeout is reached, the authentication</p><p>expires, and the user is removed from the list of authenticated users. Access rules that require</p><p>authentication no longer match the user’s connections.</p><p>Public © 2022 Forcepoint 9</p><p>Authentication process for internal users</p><p>Internal user information and authentication settings are replicated to the firewalls.</p><p>1. Firewall queries local user information when users try to authenticate.</p><p>2. Access is granted to authorized services as defined in access rule.</p><p>Replica of internal users’</p><p>authentication settings</p><p>Authentication requestAccess granted to authorized</p><p>services</p><p>12</p><p>© 2022 Forcepoint Forcepoint NGFW 7.0 Administrator Course | 253</p><p>Integration with External Directory Servers</p><p>You can use an external directory server to store user group and user information instead of, or in addition</p><p>to, the internal user database.</p><p>The Management Server and the firewall engines both have an integrated LDAP client that can query the</p><p>external directory server. 
When the external directory server is integrated with the SMC, there is no need to manually duplicate user account information. User and user group elements are automatically added to the SMC from the external directory. This also allows you to make different authentication rules for different users.
The external directory server is not replicated into the internal directory on the Management Server or into the local directory of the firewalls. Instead, the external directory server is queried directly by the Management Server when you view the user elements and by the firewalls when a user attempts to authenticate.
Microsoft Active Directory servers can be used as external directory servers. Any authentication method supported by the external directory server can be used. There is a dedicated element in the SMC to ease the integration of Active Directory servers. In the illustration:
1. Users and groups stored in Active Directory are browsed through the Management Client. User information is available for firewall policy configuration.
2. Policies with authenticated user rules and the external directory server settings are transferred to the firewall by policy installation.
3. The NGFW firewalls query the external LDAP server for the user information. The LDAP server can either authenticate the user, or the authentication can be redirected to a third-party authentication server.

Integration with external directory servers
The external directory server stores user group and user information.
1. An external directory is browsed through the management server.
2. A policy with user authentication and the AD settings are transferred to the firewalls by policy installation.
3. A firewall queries user information on AD when users try to authenticate.
[Slide diagram: Management Server, policy upload to the firewall, Active Directory Server; the Management Server and NGFW are LDAP clients for AD]

This example illustrates how authentication is done when Active Directory is used as the directory server and authentication is also done on Active Directory using LDAP Authentication. Other authentication methods can be used with Active Directory, including NPS authentication, and the authentication can be redirected to a third-party authentication server.
1. A user authenticates either when establishing a Client-to-Gateway VPN or via browser-based authentication.
2. The firewall checks whether the user exists in the LDAP domain.
3. In this example, the default authentication method defined for the LDAP domain is LDAP Authentication. The firewall verifies the user credentials on the directory server by performing an LDAP Bind.
4. If authentication succeeds, the firewall lists the user as an authenticated user, taking note of both username and authentication method. When the user opens new connections, access rules that contain an authentication requirement now match.

Authentication process for external users
[Slide diagram: 1. Authentication request using LDAP Authentication (User = Bill, Password = ********); 2. Fetch user information on “Bill” from AD (USER FOUND); 3. Perform authentication based on the method associated with the user or the user’s domain (Authentication method: LDAP Authentication; MATCHING PASSWORD); 4. Access granted to authorized services (ACCESS GRANTED); Active Directory Server]

Objective
Explain the browser-based user authentication mechanism.

Users can authenticate using a compatible VPN client or a web browser.
Browser-Based User Authentication allows end users to authenticate to an NGFW using any standard web browser. Alternatively, you can use browser-based user authentication with external RADIUS or TACACS+ compatible authentication servers, or enable Client Certificate Authentication.
You can change the look and feel of the HTML pages (login page, challenge page, and status page) shown to end users who authenticate to reflect your company’s identity.
Users can authenticate using plain HTTP connections or using encrypted HTTPS connections (over plain HTTP the credentials cross the network unencrypted, so HTTPS is the appropriate choice).
The interfaces of the firewall through which users can authenticate to the firewall can be restricted.
IPv4 and IPv6 are supported for user authentication.
Users can manually redirect, or be automatically redirected to, the URL originally requested after authentication.
To do this, you need to turn deep inspection on and utilize Inspection Exceptions.
The VPN client will be discussed in the next module.

Authenticate to firewalls
▪ Users can authenticate using a compatible VPN client or a web browser.
▪ Browser-based user authentication supports:
• Portal customization
• HTTP and HTTPS communication
• Client certificate authentication
• Password authentication
[Slide diagram: HQ reached either through VPN client software or through Browser-Based User Authentication]

Objective
Configure user authentication.

This example shows the configuration of an Active Directory server together with LDAP authentication. Configuration varies depending on the selected user database and authentication server. Users are not created in this example, as they are stored in the Active Directory.
In this example:
▪ No LDAP schema changes are needed on the Active Directory server.
▪ Active Directory security groups can be used directly in firewall access rules.
▪ Windows passwords can be used to authenticate end users through the LDAP Bind on Windows Server 2012 and later.
Configuration Overview:
Create an Active Directory Server element to represent the external Active Directory server. This allows you to use the Active Directory user database as an external user database. In addition, NPS authentication can be configured in the same element. However, this is not mandatory, and other authentication methods can be used as well. The Active Directory Server element includes both the LDAP user database (AD) and the authentication configuration, so only one element is needed for user authentication purposes. If using other external servers providing authentication, you must create separate server elements for each of the two features.
Define the LDAP settings:
The settings include user account information (Bind User ID) and other settings (like Base DN, the LDAP tree under which the authenticating users’ accounts are stored) that the firewalls and the Management Server use to connect to the Active Directory server. You can also select LDAPS or Start TLS to enable Transport Layer Security (TLS) for connections to the server; because an LDAP simple bind carries the user’s password to the server, one of these should be enabled in production.

User authentication configuration
1. Create an Active Directory Server element.
2. Define authentication server settings.
3. Add an LDAP Domain.
4. Define user authentication in access rules.

Define Authentication Server settings
You define the allowed authentication methods for the users stored on the Active Directory server.
You can optionally use LDAP authentication for simple password authentication against the LDAP database on the external directory server where user accounts are stored. When users authenticate to the NGFW Engine, the NGFW Engine sends the username and password to the Active Directory server for authentication. The external directory server checks the username and password against the user’s credentials in the directory, then responds to the firewall whether authentication succeeds or fails.
You can also optionally use the Internet Authentication Service (IAS) in previous Windows Server versions or the Network Policy Server (NPS) in Windows Server to authenticate end users. You must configure the NPS as a RADIUS server and define each firewall engine that authenticates users as a separate RADIUS client for NPS.
The authentication can be redirected to a RADIUS or TACACS+ authentication server.

Add an LDAP domain
Each LDAP server has its own LDAP domain in the SMC. One LDAP domain can be selected as the default LDAP domain. Users who belong to the default LDAP domain do not need to specify the domain (for example, “username@domain”) when they are authenticating. A default LDAP domain can be selected per NGFW. Select the default Authentication Methods for all accounts in this LDAP domain. In this example, LDAP Authentication is selected.
When the LDAP domain is defined, the Management Server connects to the external domain, and users and groups can be browsed from the Management Client.

Define user authentication in the access rules.
In Firewall Access Rules, the users/groups and authentication methods defined in the Authentication cell are used as matching criteria for accessing a particular service. Connections from users that have not successfully authenticated, or whose authentication has expired, do not match rules with an authentication requirement (the connections are matched to rules further down in the policy). To configure the authentication matching parameters, you can drag and drop users and the associated authentication methods. Alternatively, you can double-click the Authentication cell to open the Authentication Parameters dialog.
▪ In the Users tab of the Authentication Parameters dialog, you select the users or user groups that this rule applies to.
▪ In the Authentication tab, you select the Authentication Method(s) for the selected users or user groups. You can set the authentication method to ANY to allow any authentication method.
This rule allows Jennifer and users in the Mobile VPN users group who have authenticated using LDAP Authentication to establish connections to the HQ network through a VPN tunnel. Jennifer and users in the Mobile VPN group are stored in the Active Directory, and Windows account credentials will be used for authentication, as LDAP Authentication is selected.

Objective
Differentiate between User Authentication and User Identification.

Access control by user lets you use user and user group elements as the source or destination of rules to create user-specific rules without user authentication.
Access control by user requires Forcepoint User ID Service (FUID) or Endpoint Context Agent (ECA) for transparent user identification. Both Forcepoint components allow the NGFW to associate users with IP addresses. This makes it possible to use user and user group elements as the source or destination of a rule to create user-specific rules without requiring user authentication.
User-specific rules do not replace user authentication; they are a tool to simplify the configuration of access control and improve the end-user experience by allowing transparent access to services.
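As an added example that is not part of the course material or the product, the following Python simulates the rule matching described above: the firewall's authenticated-user list keyed by username and authentication method with timeout expiry, the Authentication cell (users or groups plus methods, or ANY) as matching criteria, fall-through to later rules for unauthenticated or expired connections, and a user-specific rule whose source user comes from transparent identification. The usernames, groups, IP addresses, rule layout and the discard default are constructed; treating a still-valid authentication as a source of identity for user-specific rules is an assumption.

```python
# Added example, not Forcepoint code: users, groups, IPs and rules are constructed.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

ANY = "ANY"  # method wildcard, as in the Authentication Parameters dialog

# Constructed group membership (in the product: from AD or the internal LDAP database).
GROUPS: Dict[str, FrozenSet[str]] = {
    "jennifer": frozenset({"Mobile VPN users"}),
    "bill": frozenset({"Mobile VPN users"}),
    "mary": frozenset({"Sales"}),
}

@dataclass(frozen=True)
class Rule:
    name: str
    service: str
    users: FrozenSet[str] = frozenset()    # users or groups; empty = any source
    methods: FrozenSet[str] = frozenset()  # Authentication cell; empty = no auth required
    action: str = "allow"

def user_in_rule(user: str, rule: Rule) -> bool:
    """Username and group membership are matched separately from the method."""
    return not rule.users or user in rule.users or bool(GROUPS.get(user, frozenset()) & rule.users)

@dataclass
class Engine:
    """Per-firewall state: the authenticated-user list and the identified-user map."""
    auth_timeout: int = 3600  # seconds; the configured authentication timeout
    # ip -> (username, authentication method, expiry time)
    authenticated: Dict[str, Tuple[str, str, int]] = field(default_factory=dict)
    identified: Dict[str, str] = field(default_factory=dict)  # ip -> user, from FUID/ECA

    def authenticate(self, ip: str, user: str, method: str, now: int) -> None:
        """Record a successful authentication (the credential check happened upstream)."""
        self.authenticated[ip] = (user, method, now + self.auth_timeout)

    def identify(self, ip: str, user: str) -> None:
        self.identified[ip] = user  # a logon event mapped this IP to a user

    def _authenticated_user(self, ip: str, now: int) -> Optional[Tuple[str, str]]:
        entry = self.authenticated.get(ip)
        if entry is None:
            return None
        user, method, expires = entry
        if now >= expires:  # timeout reached: remove from the authenticated list
            del self.authenticated[ip]
            return None
        return user, method

    def match(self, policy: List[Rule], ip: str, service: str,
              now: int) -> Tuple[str, Optional[str]]:
        """First-match evaluation, top to bottom. A connection that does not satisfy a
        rule's authentication requirement falls through to the rules further down."""
        for rule in policy:
            if rule.service != service:
                continue
            if rule.methods:  # rule has an authentication requirement
                auth = self._authenticated_user(ip, now)
                if auth is None:
                    continue
                user, method = auth
                if (ANY not in rule.methods and method not in rule.methods) \
                        or not user_in_rule(user, rule):
                    continue
                return rule.action, rule.name
            # User-specific rule: the source user comes from identification or
            # (assumption) from a still-valid authentication, if there is one.
            auth = self._authenticated_user(ip, now)
            user = self.identified.get(ip) or (auth[0] if auth else None)
            if rule.users and (user is None or not user_in_rule(user, rule)):
                continue
            return rule.action, rule.name
        return "discard", None  # constructed default: nothing matched

# Constructed policy: the course's VPN-to-HQ rule, a user-specific web rule for the
# Sales group, and a web rule that accepts any authentication method.
POLICY = [
    Rule("VPN to HQ", "HQ-VPN", frozenset({"jennifer", "Mobile VPN users"}),
         frozenset({"LDAP Authentication"})),
    Rule("Sales web", "HTTP", frozenset({"Sales"})),
    Rule("Web after any authentication", "HTTP", methods=frozenset({ANY})),
]

def scenario() -> Dict[str, Tuple[str, Optional[str]]]:
    fw = Engine(auth_timeout=3600)
    fw.authenticate("10.0.0.5", "jennifer", "LDAP Authentication", now=1000)
    fw.authenticate("10.0.0.6", "bill", "User Password", now=1000)
    fw.identify("10.0.0.7", "mary")  # identified transparently, never authenticated
    return {
        "jennifer_vpn": fw.match(POLICY, "10.0.0.5", "HQ-VPN", 1500),
        "bill_vpn_wrong_method": fw.match(POLICY, "10.0.0.6", "HQ-VPN", 1500),
        "bill_web_any_method": fw.match(POLICY, "10.0.0.6", "HTTP", 1500),
        "mary_web_identified": fw.match(POLICY, "10.0.0.7", "HTTP", 1500),
        "unknown_web": fw.match(POLICY, "10.0.0.9", "HTTP", 1500),
        "jennifer_vpn_expired": fw.match(POLICY, "10.0.0.5", "HQ-VPN", 1000 + 3600),
    }
```

Bill's VPN attempt falls through because he authenticated with User Password while the rule requires LDAP Authentication, and Jennifer's expired entry is dropped from the authenticated list on the next connection.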
User-specific rules are intended to be used for trusted users in a trusted environment where strong authentication is not required. User-specific rules can be used together with user authentication rules to allow some user groups to access a service, while otherwise requiring authentication for the same service.

User identification
▪ Transparent access control by user and user group without requiring firewall authentication.
▪ Usernames are mapped to IP addresses from Active Directory.
▪ Two integration options:
• Forcepoint User ID (FUID) collects user info from Active Directory or Exchange server.
• Endpoint Context Agent (ECA) collects user info from Windows endpoints.
[Slide diagram: users Mary and Bill in the Sales group accessing www.example.com]

Objective
Explain the difference between the Forcepoint UID and ECA.

Forcepoint User Identification
The Forcepoint User ID Service collects information about users, groups, and IP addresses from Windows Active Directory (AD) servers and Windows Exchange servers.
You can use the User ID Service in a high-availability (HA) configuration. In an HA configuration, you install the User ID Service on additional servers, and the CockroachDB is synchronized between the cluster members. You can also install more than one instance of the DC Agent.
Forcepoint User ID supports multiple AD domains and multiple AD forests.

Forcepoint User ID
▪ The Forcepoint User ID (FUID) monitors:
• Login events to associate users with IP addresses.
• Information about groups.
▪ Login information is fetched from:
• Domain Controllers
• Exchange Servers
▪ Supports high availability configuration.
▪ Supports multiple AD domains.
[Slide diagram: FUID Services and Active Directory Server; “172.10.10.1 is Mike”; Mike accessing video.example.com]

Forcepoint User ID Service 2.0 consists of the following components:
▪ DC Agent: monitors user logins to the domain and reports users and their IP addresses to the UID Service. You can install one or more DC Agents in the same AD domain. Each DC Agent can handle up to 30 domain controllers and 30 000 users.
▪ User ID Service: receives domain, group, and user definitions, and associated IP address data from the DC Agent and Active Directory servers. The UID Server and the CockroachDB components are part of the User ID Service. You can use the Forcepoint User ID Service Configuration Utility (Configuration Utility) to perform the initial setup and modify the User ID Service configuration.
System requirements:
▪ UID Service supports CentOS versions 7 and 8 and Red Hat Enterprise Linux versions 7 and 8.
▪ DC Agent supports Windows Server 2012, 2012 R2, 2016 and 2019.
Alternatively, you can now use the Integrated User ID Service directly on the NGFW Engines to provide transparent user identification for access control by user. The Integrated User ID Service is primarily meant for demonstration purposes and proof-of-concept testing of user identification services.

Forcepoint User ID 2.0 deployment
[Slide diagram: Active Directory Server, DC Agent (Windows), User ID Service (Linux), SMC and NGFW. The DC Agent monitors AD security logs for user logins. The User ID Service receives user-associated IP address data from the DC Agent and collects users and groups information from AD. The SMC queries users and groups to use in policy and uploads the policy using users/groups to the engine. The NGFW queries the User ID Service for user group and IP information; NGFW is the User ID Service client product. DAS queries users and groups. Label: Port 5000]

Forcepoint Endpoint Context Agent (ECA)
Endpoint Context Agent (ECA) is a Windows client application that provides endpoint information to the Forcepoint NGFW. The endpoint information can be used to identify users, log their actions, and control access. Forcepoint NGFW can enforce security policies based on the information that is sent by the endpoints. The information can also be viewed in log data and used in reports.
In addition to user information, integrating ECA enables you to collect information about the applications running on the Windows endpoint and OS-related information such as OS version, anti-malware and local firewall status.

Forcepoint Endpoint Context Agent
▪ Endpoint Context Agent (ECA) collects the Windows endpoint metadata.
▪ Provides endpoint information to the NGFW:
• Logged-in Windows user to associate users with IP addresses.
• Executables initiating network connections.
• Platform attributes like OS version and anti-malware.
[Slide diagram: ECA on a Windows Endpoint sending Endpoint Information (Network, Application, User and Platform Attributes) to the NGFW; Mike accessing video.example.com]

Objective
Configure user behavior monitoring.

User Monitoring
Firewalls track active users identified by various components: FUID, the ECA service, and also the users directly authenticated against the firewall. The User ID Service status is monitored in the firewall info view.

User monitoring
▪ Track active users identified by system components (FUID, ECA) and authenticated users.
[Slide screenshot: User Monitoring (FUID, ECA)]

User Dashboard
It is possible to access user-specific information.
In this dashboard, information from AD and Endpoint are</p><p>collected and made available to the administrators.</p><p>In the Home view of the Management Client, there are user dashboards where you can see an overview of</p><p>user activity.</p><p>For example, you can see if there is any activity that indicates suspicious behavior, such as the use of</p><p>certain network applications, attempts to access specific networks, or if a user has been associated with an</p><p>attack situation.</p><p>When users have been active and have caused log data to be generated, they are shown in the users list.</p><p>You can configure the time period within which a user must have been active. If there are no usernames</p><p>stored in log data, or in regions where privacy laws require that users must not be easily identified, you can</p><p>show the IP addresses of users instead of their names.</p><p>The Statistics panes contain charts and general statistics of user activities, and if you select an individual</p><p>user, you can see more detailed information about the user and their activities. If user information from</p><p>Active Directory (AD) and the Endpoint Context Agent (ECA) service is available, the information is shown</p><p>in separate panes in the Home view.</p><p>Note: To be able to monitor users by name, you must enable the logging of user information in the Firewall</p><p>IPv4 and IPv6 Access rules.</p><p>Public © 2022 Forcepoint 28</p><p>User dashboard</p><p>▪ Monitor user activities</p><p>272 | Forcepoint NGFW 7.0 Administrator Course © 2022 Forcepoint</p><p>The User Behavior Events pane shows alerts related to User Alert Checks.</p><p>There are a set of system User Alert Checks, and you can add your own custom alerts.</p><p>▪ Bandwidth Check - Checks based on the amount of bandwidth consumed by the user. 
For example,</p><p>using non-business-related applications to consume large amounts of bandwidth.</p><p>▪ Web Content Check - Checks based on websites that the user visits. For example, uses URL</p><p>Category and Network Application elements.</p><p>▪ Access Check - Checks based on accessing a particular network. For example, users connecting to</p><p>resources in a particular region.</p><p>▪ File Transfer Check - Checks based on file types that are handled by the user.</p><p>▪ Attack Situations Check - Checks that are triggered if an attack situation is associated with a user.</p><p>▪ Endpoint Check - Checks based on information from ECA. For example, the applications that a user</p><p>is using.</p><p>The threshold options depend on the type of User Alert Check.</p><p>▪ Single Event - The User Alert is generated the first time that the threshold is exceeded.</p><p>▪ Event Count - The User Alert is generated after the specified number of times that the threshold is</p><p>exceeded within the specified time period.</p><p>▪ Bandwidth Count - The User Alert is generated when the specified volume of data is used within the</p><p>specified time period.</p><p>Public © 2022 Forcepoint 29</p><p>▪ User alerts are generated when users exceed a threshold.</p><p>User behavior events</p><p>© 2022 Forcepoint Forcepoint NGFW 7.0 Administrator Course | 273</p><p>Public © 2022 Forcepoint 30</p><p>Knowledge check</p><p>1. What is the difference between identification,</p><p>authentication, and authorization.</p><p>2. Where is information</p><p>about users defined and</p><p>stored?</p><p>3. When would you use an external Directory</p><p>Server?</p><p>1. Identification is the process of saying who or</p><p>what you are. Authentication is providing</p><p>the information necessary to validate your</p><p>identity. Authorization is being granted access to</p><p>a resource.</p><p>2. 
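The three threshold options above determine when a User Alert fires. The following Python is an added illustration, not Forcepoint code and not the engine's actual alert logic: it runs one check of each threshold type over a handful of constructed log records (the users, applications, URL categories and byte counts are invented) so that the difference between a single-event, an event-count and a bandwidth-count threshold inside a sliding time window can be seen on concrete input.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable

# Constructed sample log records (not real Forcepoint log data):
# timestamp, user, network application, URL category, bytes transferred
SAMPLE_LOGS = [
    ("2022-05-10T09:00:00", "mike", "YouTube", "Streaming Media", 40_000_000),
    ("2022-05-10T09:05:00", "mike", "YouTube", "Streaming Media", 45_000_000),
    ("2022-05-10T09:07:00", "mike", "HTTPS",   "Gambling",        20_000),
    ("2022-05-10T09:20:00", "mike", "YouTube", "Streaming Media", 30_000_000),
    ("2022-05-10T09:30:00", "anna", "HTTPS",   "Business",        5_000),
    ("2022-05-10T09:31:00", "anna", "HTTPS",   "Gambling",        8_000),
    ("2022-05-10T09:45:00", "anna", "HTTPS",   "Gambling",        3_000),
    ("2022-05-10T11:00:00", "anna", "HTTPS",   "Gambling",        2_000),
]


@dataclass
class LogEvent:
    ts: datetime
    user: str
    app: str
    category: str
    size: int


@dataclass
class UserAlertCheck:
    """Hypothetical check definition mirroring the three threshold options:
    'single_event', 'event_count' (threshold = events per window) and
    'bandwidth_count' (threshold = bytes per window)."""
    name: str
    matches: Callable[[LogEvent], bool]
    mode: str
    threshold: int = 1
    window: timedelta = timedelta(hours=1)


def parse_logs(rows):
    return [LogEvent(datetime.fromisoformat(t), u, a, c, b) for t, u, a, c, b in rows]


def evaluate(check, events):
    """Return (user, ISO timestamp) for each user the check fires on.
    Only the first alert per user is reported; a sliding window keeps the
    matching events that are still inside check.window."""
    alerts, alerted, history = [], set(), {}
    for ev in sorted(events, key=lambda e: e.ts):
        if not check.matches(ev) or ev.user in alerted:
            continue
        recent = [e for e in history.get(ev.user, []) if ev.ts - e.ts <= check.window]
        recent.append(ev)
        history[ev.user] = recent
        if check.mode == "single_event":
            fired = True
        elif check.mode == "event_count":
            fired = len(recent) >= check.threshold
        elif check.mode == "bandwidth_count":
            fired = sum(e.size for e in recent) >= check.threshold
        else:
            raise ValueError(f"unknown threshold mode: {check.mode}")
        if fired:
            alerts.append((ev.user, ev.ts.isoformat()))
            alerted.add(ev.user)
    return alerts


# Constructed checks: one of each threshold type
CHECKS = [
    UserAlertCheck("web content: gambling site visited",
                   lambda e: e.category == "Gambling", "single_event"),
    UserAlertCheck("web content: 3 gambling visits within an hour",
                   lambda e: e.category == "Gambling", "event_count", threshold=3),
    UserAlertCheck("bandwidth: 100 MB of streaming within an hour",
                   lambda e: e.app == "YouTube", "bandwidth_count", threshold=100_000_000),
]


def run_checks(rows=SAMPLE_LOGS):
    events = parse_logs(rows)
    return {c.name: evaluate(c, events) for c in CHECKS}


if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(f"{name}: {hits}")
```

On the sample data the single-event check fires for both users on their first gambling visit, the event-count check never fires because anna's third visit falls outside the one-hour window, and the bandwidth-count check fires for mike once his streaming volume inside the window passes 100 MB.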
2. User information is stored in a directory server, for example, in Active Directory or an LDAP Server.
3. An external directory server is used in cases where user information is already stored in another location or where defining users in the SMC isn't scalable.

Knowledge check

4. What external authentication services are supported by the NGFW?
5. What is the benefit of browser-based user authentication?

4. The supported external authentication mechanisms are NPS, LDAP Authentication, TACACS+, and RADIUS.
5. Browser-based authentication allows end users to authenticate using any standard web browser.

Mobile VPN and SSL VPN Portal

Course roadmap

This course contains the following modules:

1. NGFW Overview
2. SMC Overview
3. Getting Started with the SMC
4. NGFW Policies and Templates
5. Access Control and NAT
6. Traffic Inspection
7. Inspection Policy
8. Malware Detection and File Filtering
9. Alerts and Notifications
10. Users and Authentication
11. Mobile VPN and SSL VPN Portal
12. Site-to-Site VPN
13. Advanced Logging
14. Policy Tools
15. Monitoring and Reporting
16. Troubleshooting

Module objectives

After successfully completing this module, you will be able to:

▪ List NGFW Mobile VPN Access options.
▪ Describe the SSL VPN Portal and the URL Rewrite translation method.
▪ Configure an SSL VPN Portal.

Objective: List NGFW Mobile VPN Access options.

IPsec and SSL VPN are built into Forcepoint NGFW and provide secure remote access to the enterprise network and services.

We distinguish:

▪ Client-based IPsec and SSL VPN remote access: If you need to provide secure remote access to both HTTP-based services and non-HTTP-based services in the protected network, you need to install the Forcepoint VPN Client software. Forcepoint VPN Client settings are configured centrally in the SMC. The settings are automatically updated to the Forcepoint VPN Client from the engines when the clients connect.
▪ Clientless remote access with the SSL VPN Portal: The SSL VPN Portal provides secure remote access to HTTP-based services in the protected network from standard web browsers. There is no need to install new software.

Mobile VPN access

Client-based and clientless remote access.

▪ Client-based IPsec and SSL VPN client:
• Need to install software to enable secure access to the enterprise network and services.
• Forcepoint VPN Client settings are defined in the SMC.
▪ Clientless SSL VPN Portal:
• No need to install new software to enable a secure connection to web services.

[Figure: two remote workers reach the HQ across the Internet, one with VPN client software and one with clientless SSL VPN using the Portal.]

You can use both SSL VPN and IPsec VPN tunnels together in the same NGFW.

There are different types of Mobile VPNs for different platforms:

▪ Forcepoint VPN Clients run on Microsoft Windows, Android, Mac OS, and Linux platforms.
▪ The Forcepoint VPN Clients for the Android, Mac OS, and Linux platforms are limited to SSL VPN client tunneling.

VPN client IP address management

▪ Forcepoint VPN Client address management using Virtual IP is mandatory for the SSL VPN Client and recommended for the IPsec VPN Client.
▪ For the IPsec VPN Client, you can alternatively use the NAT Pool feature to translate the IP addresses in communications to give the VPN Clients an "internal" IP address in the internal network without the need for a DHCP server.

NAT devices between the client and the VPN gateway

▪ NAT devices frequently break IPsec tunneling because they modify the packet header.
▪ The Forcepoint IPsec Mobile VPN has VPN NAT Traversal enabled by default to allow the IPsec packets to pass through a NAT device. NAT-T encapsulates the IPsec communications in standard NAT-T UDP packets so that they can pass through a NAT device.

Client vs. clientless

IPsec VPN Client / SSL VPN Client / SSL VPN Portal:
▪ Type: Client-based / Client-based / Clientless
▪ Supported environment: Windows* / Windows, Mac, Android, Linux / Any web browser
▪ Tunnel: Full tunnel / Full tunnel / Web App
▪ Connectivity: Remote hosts to entire networks / Remote hosts to entire networks / Remote browser to Web App
▪ Application: All IP-based applications / All IP-based applications / Web Apps like MS OWA
▪ Scalability: Heavy user / Heavy user / Large number of random users
▪ Network layer: Layer 3 / Layer 3 / Layer 4-7
▪ Protocol: IPsec uses IP protocol 50/51 (ESP/AH) and UDP port 500 (IKE), or UDP port 4500 with NAT-T. SSL VPN uses port 443 (default), is NAT compatible, and traverses firewalls easily.

* Third-party solutions available for Linux and OS X. Apple native iOS VPN supported.

Firewall devices between the client and the VPN gateway

To make IPsec work through a firewall, you should open UDP port 500 and allow IP protocol numbers 50 and 51 on both inbound and outbound traffic. UDP port 500 should be opened to allow Internet Security Association and Key Management Protocol (ISAKMP) traffic to be forwarded through the firewall. IP protocol ID 50 should be set to allow IPsec Encapsulating Security Payload (ESP) traffic to be forwarded. IP protocol ID 51 should be set to allow Authentication Header (AH) traffic to be forwarded.

Additionally, if NAT-T is used by the client and the VPN Gateway, you should open UDP port 4500 on both inbound and outbound traffic.

SSL VPN tunneling can easily traverse firewalls. It uses a single port, 443, which is usually allowed through firewalls.
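The port and protocol list above is what any firewall between the client and the VPN gateway must allow. As an added example (not part of the course and not Forcepoint code), the following Python encodes those requirements and checks a constructed rule base for the flows that are still blocked, for IPsec with and without NAT-T and for SSL VPN on TCP 443. The Rule model, the first-match default-deny semantics and the rule base itself are assumptions made for the example.

```python
from dataclasses import dataclass

# Traversal requirements as stated in the course: IPsec needs IKE (UDP 500),
# ESP (IP protocol 50) and AH (IP protocol 51), plus UDP 4500 when NAT-T is in
# use; SSL VPN needs only its single TCP port, 443 by default.
IPSEC_REQUIRED = [("udp", 500, "IKE/ISAKMP"), ("ip", 50, "ESP"), ("ip", 51, "AH")]
NAT_T_REQUIRED = [("udp", 4500, "NAT-T")]
SSL_VPN_REQUIRED = [("tcp", 443, "SSL VPN")]


@dataclass(frozen=True)
class Rule:
    """One line of a hypothetical intermediate firewall's rule base."""
    direction: str  # "inbound" or "outbound"
    proto: str      # "tcp", "udp", or "ip" for a raw IP protocol
    number: int     # TCP/UDP port, or IP protocol number when proto == "ip"
    action: str     # "allow" or "deny"


def decide(rules, direction, proto, number):
    """Assumed semantics: first matching rule wins; anything unmatched is denied."""
    for r in rules:
        if (r.direction, r.proto, r.number) == (direction, proto, number):
            return r.action
    return "deny"


def missing_rules(rules, vpn_type, nat_t=False):
    """List the flows a VPN of the given type still needs opened, in both directions."""
    if vpn_type == "ipsec":
        required = IPSEC_REQUIRED + (NAT_T_REQUIRED if nat_t else [])
    elif vpn_type == "ssl":
        required = SSL_VPN_REQUIRED
    else:
        raise ValueError(f"unknown VPN type: {vpn_type}")
    missing = []
    for direction in ("inbound", "outbound"):
        for proto, number, label in required:
            if decide(rules, direction, proto, number) != "allow":
                missing.append(f"{direction} {proto}/{number} ({label})")
    return missing


# Constructed rule base: IKE and HTTPS are open, ESP is explicitly blocked
# inbound, AH and NAT-T were never added at all.
EXAMPLE_RULES = [
    Rule("inbound", "udp", 500, "allow"), Rule("outbound", "udp", 500, "allow"),
    Rule("inbound", "tcp", 443, "allow"), Rule("outbound", "tcp", 443, "allow"),
    Rule("inbound", "ip", 50, "deny"),
]

if __name__ == "__main__":
    print("IPsec with NAT-T still needs:", missing_rules(EXAMPLE_RULES, "ipsec", nat_t=True))
    print("SSL VPN still needs:", missing_rules(EXAMPLE_RULES, "ssl"))
```

Against this rule base the SSL VPN needs nothing further, while IPsec is blocked on ESP and AH in both directions (and on UDP 4500 if NAT-T is in use), which is the usual reason an IPsec client fails to connect through a third-party firewall that only opened IKE.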
Objective: Describe the SSL VPN Portal and the URL Rewrite translation method.

The SSL VPN Portal is an integrated feature of the Forcepoint NGFW. It provides remote access to HTTP-based services in the protected network from standard web browsers. End users must authenticate to access the SSL VPN Portal web page. The SSL VPN Portal proxies end-user connections to HTTP-based services in the protected network.

The end user is never directly connected to the back-end services.

End users can access SSL VPN Portal Services through the SSL VPN Portal by directly entering the external URL of the service in their web browser (in this example https://ssl.example.com/intranet). They are prompted for authentication and redirected to the service after they are successfully authenticated.

Alternatively, end users can connect to the SSL VPN Portal hostname (in this example https://ssl.example.com). Once they are authenticated on the SSL VPN Portal, they can see and access all the services they are authorized to use.

SSL VPN portal services

▪ Clientless secure access for corporate web-based services (Microsoft OWA, Intranet).

[Figure: clientless SSL VPN using the Portal, from the Internet to web-based services (HTTP/HTTPS) such as the Intranet in the Internal Network.]

SSL VPN Portal Services map external URLs to HTTP-based services in the protected network.

The SSL VPN Portal translation method defines how the internal URLs of the HTTP-based services are translated to external URLs. URL translation ensures that all traffic to registered web resource hosts is routed through the SSL VPN. The external URLs represent the URL where end users access the service. The internal URLs represent the URL of the service in the protected network.

The SSL VPN Portal Services support the following translation methods:

▪ URL Rewrite
▪ DNS Mapping
▪ Freeform URL

SSL VPN portal services

▪ SSL VPN Portal Services map external URLs to HTTP-based services in the protected network.
▪ Supported translation methods:
• URL Rewrite
• DNS Mapping
• Freeform URL

[Figure: URL Rewrite link translation. The SSL VPN Portal at ssl.example.com (Login: _____) maps the external URL https://ssl.example.com/intranet to the internal URL http://192.168.2.201:80 of the Intranet service in the Internal Network.]

URL Rewrite link translation

The URL Rewrite link translation method is simple to set up.

▪ The name of the web service is added to the URL link.
▪ Incoming connections are routed to the service in the protected network based on the URL prefix. HTTP responses from the servers in the protected network are rewritten to change the outgoing URLs.

In URL Rewrite link translation, the name of the web resource is added to the URL link, so no additional DNS entries are needed.
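The URL Rewrite method above has two halves: inbound routing by URL prefix, and rewriting of links in the back-end's responses so that they keep pointing through the portal. The following Python is an added example of that translation, not Forcepoint's implementation. It uses the course's ssl.example.com hostname and the intranet mapping to http://192.168.2.201:80; the second "owa" service, its internal host mail.internal.example.com, and the sample response body are constructed for the example. The inbound side refuses any prefix that is not a registered service, which is what keeps the portal from forwarding to arbitrary back-end hosts.

```python
import re
from urllib.parse import urlsplit

# Constructed portal configuration. ssl.example.com and the intranet mapping
# come from the course example; the "owa" service and its host are assumed.
PORTAL_HOST = "https://ssl.example.com"
SERVICES = {
    # external URL prefix -> internal URL of the service in the protected network
    "intranet": "http://192.168.2.201:80",
    "owa": "https://mail.internal.example.com",
}


def route_inbound(external_path):
    """Route an incoming request by its URL prefix.

    Returns (service, internal URL), or None when no registered prefix
    matches, so the portal never proxies to an arbitrary back-end host.
    """
    prefix, _, rest = external_path.lstrip("/").partition("/")
    if prefix not in SERVICES:
        return None
    return prefix, f"{SERVICES[prefix].rstrip('/')}/{rest}"


_LINK_ATTR = re.compile(r'(href|src|action)=(["\'])([^"\']*)\2', re.IGNORECASE)


def _external_for(url, service):
    """Translate one link found in a response from `service`."""
    u = urlsplit(url)
    if u.scheme and u.netloc:
        # absolute link: rewrite only if it points at a registered internal service
        for prefix, internal in SERVICES.items():
            i = urlsplit(internal)
            if (u.scheme, u.netloc) == (i.scheme, i.netloc):
                query = f"?{u.query}" if u.query else ""
                return f"{PORTAL_HOST}/{prefix}{u.path or '/'}{query}"
        return url  # unregistered host: left untouched, it will not traverse the portal
    if url.startswith("/"):
        return f"/{service}{url}"  # root-relative link: prepend the service prefix
    return url  # relative link: already resolves under the service prefix


def rewrite_outbound(html, service):
    """Rewrite link attributes in an HTTP response body so that every link to a
    registered service keeps going through the portal."""
    return _LINK_ATTR.sub(
        lambda m: f"{m.group(1)}={m.group(2)}{_external_for(m.group(3), service)}{m.group(2)}",
        html,
    )


# Constructed response body as the intranet server might return it
SAMPLE_RESPONSE = (
    '<a href="/docs/policy.html">Docs</a>'
    '<img src="http://192.168.2.201:80/logo.png">'
    '<a href="https://mail.internal.example.com/?cmd=inbox">Mail</a>'
    '<a href="https://www.example.com/public">Public</a>'
    '<a href="news.html">News</a>'
)

if __name__ == "__main__":
    print(route_inbound("/intranet/docs/policy.html"))
    print(rewrite_outbound(SAMPLE_RESPONSE, "intranet"))
```

The rewrite turns the intranet's root-relative link into /intranet/docs/policy.html, the absolute link to 192.168.2.201 into https://ssl.example.com/intranet/logo.png, and the cross-service link to the mail host into https://ssl.example.com/owa/?cmd=inbox, while a link to an unregistered public host is left as it is. Real pages also carry links inside JavaScript and CSS, which is the case the text refers to when it says DNS Mapping "works better with some applications".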
In DNS Mapping, each service has its own DNS name. Using DNS Mapping requires more effort but works better with some applications.

In Freeform URL, users can manually type the URL they want to access.

Objective: Configure an SSL VPN Portal.

The SSL VPN Portal configuration involves several other components.

▪ SSL VPN Portal Policy: The SSL VPN Portal Policy contains rules that define which users can use each SSL VPN Portal Service and the authentication requirements for accessing the SSL VPN Portal Services.
▪ Cryptographic Algorithms: The SSL cryptographic algorithms that are supported by the SSL VPN Portal.
▪ NGFW: The list of firewalls hosting the SSL VPN Portal.
▪ Server Credential: The Server Credentials element associated with the SSL VPN Portal contains the certificate used to secure the SSL VPN Portal's connections using HTTPS. The CN value of the certificate should match the SSL VPN Portal hostname.

You can sign the certificate using an external certificate authority that the clients already trust (such as one of the large commercial certificate authorities or a company-internal certificate authority that all clients are configured to trust).

SSL VPN portal

Configuration overview.

[Figure: the SSL VPN Portal (ssl.example.com, Login: _____) references NGFWs, a Server Credential, Cryptographic Algorithms, and an SSL VPN Policy, which in turn references Services, Users, and Authentication.]

The SSL VPN Portal provides secure browser-based access to services in the protected network. It is recommended to first create the services you want to make available in the SSL VPN Portal.

SSL VPN portal configuration

1. Define the SSL VPN Portal Service.
2. Define users and authentication.
3. Create the SSL VPN Portal Policy.
4. Define the SSL VPN Portal.
5. Fine-tune the SSL cryptographic algorithms (optional).

Task 1: Define the SSL VPN Portal Service

SSL VPN Portal Services map external URLs to HTTP-based services in the protected network.

▪ For the Link Translation method, you can select URL Rewrite, DNS Mapping, or Freeform URL.
▪ The External URL Prefix specifies the prefix of the URL that is used to access this service.
▪ The Internal URL represents the URL of the service in the protected network.
▪ The SSO Domain lets users use single sign-on for all services that share credentials as part of the same SSO domain.
▪ Client Trust specifies which certificate authorities (CAs) are trusted by the engine when connecting to the internal URL using HTTPS.

Alternative Hosts can contain one or more additional host names or IP addresses at which the services in the protected network can be contacted.

Additionally, you can configure the appearance of the service in the SSL VPN Portal on the Look & Feel tab.

▪ Configure the title that is displayed for the service on the SSL VPN Portal web page and the icon associated with the service.
▪ The Start page allows you to define a path to the page to open when the user connects to the service.

Optionally, you can deselect the Visible in Portal option if you do not want a link to the service to appear on the SSL VPN Portal web page.

Task 2: Define users and authentication

The users allowed to connect to the SSL VPN Portal must be defined.

They can be created in the internal user database or integrated from an external directory server. In this example, an Internal User with the User Password authentication method provided by the firewall is defined.

The user credentials chosen for the User Password authentication method are defined in the user properties.

Task 3: Create the SSL VPN Portal Policy

The SSL VPN Portal Policy contains rules that define which users can use each SSL VPN Portal Service and the authentication requirements for accessing the SSL VPN Portal Services.

Task 4: Define the SSL VPN Portal

The SSL VPN Portal element stores the configuration information related to your SSL VPN Portal.

▪ SSL VPN Portal Policy: defines which services are available in the SSL VPN Portal and which users can access the services.
▪ Hostnames: defines the domain names and IPs of the SSL VPN Portal.
▪ Server Credentials: references a Server Credentials element that contains the private key and the certificate associated with your portal.
▪ Target Engine: to enable the SSL VPN Portal on a firewall, you must add the firewall to the list of Target Engines. It is also possible to specify the SSL VPN Portal used in the Engine Editor.
▪ Look and Feel: defines the look and feel of the SSL VPN Portal.

Optionally, you can customize the look and feel of the SSL VPN Portal web page to match the look and feel of your organization. You can customize graphics, styles, and fonts. You can also change the layout of the content and edit the text that is shown on the SSL VPN Portal web page. Customizing the SSL VPN Portal web pages requires you to manually edit HTML and CSS files. Familiarity with HTML and CSS is required.

In the Advanced tab, settings such as the session timeout and the log level for SSL VPN Portal Services can be configured.

Task 5: Select the SSL cryptographic algorithms (optional)

If you need to change the SSL cryptographic algorithms that are supported by the SSL VPN Portal, you can create a TLS Cryptography Suite Set element to define which cryptographic algorithms are allowed.

The default NIST (SP 800-52) Compatible SSL Cryptographic Algorithms element allows SSL cryptographic algorithms that are compatible with the following standard: "NIST SP 800-52 Rev.1 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS)". These settings are found in the engine properties.

If the default SSL cryptographic algorithms meet your needs, there is no need to create a custom TLS Cryptography Suite Set element.

Knowledge check

1. What is the difference between SSL VPN client-based and clientless?
2. What applications can be tunneled using the SSL VPN Portal?
3. What elements should be configured when defining an SSL VPN portal?
4. How do you secure the use of a non-web-based application?

1. Client-based SSL VPN access allows for full network access. Clientless access allows for access to specific resources through a portal.
2. Web-based applications can be accessed through the portal in clientless mode.
3. SSL VPN Policy, SSL VPN Services, and the hostname should be configured when defining the SSL VPN portal.
4. To use non-web-based services, a client-based VPN should be used.

Site-to-Site VPN

Module objectives

After successfully completing this module, you will be able to:

▪ Define the terms used by the Forcepoint NGFW VPN feature.
▪ Explain how site-to-site VPNs work.
▪ Describe Full Mesh, Star, and Hub VPN topologies.
▪ List the SD-WAN features that Forcepoint NGFW supports.
▪ Configure a policy-based VPN.
▪ Describe how route-based VPNs work.

Objective: Define the terms used by the Forcepoint NGFW VPN feature.

Virtual Private Networks (VPNs) allow secure communications over insecure networks. VPNs secure communications through authentication, encryption, and integrity-checking mechanisms.

Typically, VPNs are used to secure connections between the corporate LAN and a branch office, a supplier or partner office, telecommuters, or mobile workers.

The gateway devices handling a VPN are called VPN Gateways. The VPN feature is restricted to NGFW in the Firewall role.

The Next Generation Firewall supports IPsec VPNs and additionally SSL VPNs for Mobile VPNs. There are two types of VPNs you can configure: policy-based VPNs and route-based VPNs. The main difference between the two is how traffic is selected to be sent into the VPN.

For policy-based VPNs, the firewall Access rules define which traffic is sent to the VPN and which traffic is allowed out of the VPN.

Policy-based VPN includes:

• Site-to-Site VPNs are created between two gateway devices that provide transparent secure access for other devices. Site-to-Site VPNs are supported for IPv4 and IPv6 traffic.
• Mobile VPNs are created between a gateway device and a VPN client installed on a user's computer.

For route-based VPNs, the routing of the firewall defines the traffic that is sent into the VPN tunnel.

NGFW VPN overview

The NGFW supports IPsec and SSL VPNs.

▪ Site-to-Site VPN (IPsec)
▪ Mobile VPNs (IPsec and SSL VPN)

[Figure: Headquarters connected over the Internet to remote offices by IPsec Site-to-Site VPN tunnels and to a remote user by an IPsec or SSL Mobile VPN tunnel (secured connections).]

Objective: Explain how site-to-site VPNs work.

The NGFW supports two types of site-to-site VPNs: policy-based VPNs and route-based VPNs. The main difference between the two is how traffic is selected to be sent into the VPN.

• For policy-based VPNs, the firewall Access rules define which traffic is sent to the VPN and which traffic is allowed out of the VPN.
• For route-based VPNs, the routing of the firewall defines the traffic that is sent into the VPN tunnel.

Site-to-site VPN overview

The NGFW supports policy-based VPNs and route-based VPNs.

▪ Policy-based VPNs: Access rules define which traffic is sent to the VPN and which traffic is allowed out of the VPN.
▪ Route-based VPNs: Routing defines the traffic that is sent into the VPN tunnel.

The purpose of the next slides is to familiarize you with the VPN-related terminology used by the Next Generation Firewall.

A site-to-site VPN is created between two or more gateway devices that provide VPN access to several hosts in their internal networks. The NGFW Site-to-Site VPN follows the IPsec standards.

When there is traffic that needs to be sent through a VPN, the gateway at the communication source contacts the gateway at the communication destination to establish a VPN tunnel. The original packets are encapsulated when they enter the tunnel and de-encapsulated when they exit the tunnel at their destination. In between, only the encrypted packets can be detected in the traffic. The hosts that communicate through the tunnel are not aware of the VPN.

VPN Terminology

Site-to-site VPN: A VPN between two VPN Gateways that provide access to the VPN for other devices. The other devices are not aware of the VPN.
Tunnel: A descriptive term for how the traffic is encapsulated.
VPN Profile: Contains the tunnel settings (IKE and IPsec) related to authentication, integrity checking, and encryption.

[Figure: a VPN Gateway and an External VPN Gateway, each with its Endpoint and Sites (protected networks), joined across the Internet by a Tunnel governed by a VPN Profile.]

Devices that provide VPN access are called VPN Gateways. There are three types of gateways in the system.

• VPN Gateway elements are Forcepoint NGFW engines that are managed by the Management Server.
• All other gateway devices are External VPN Gateway elements. For example, third-party firewalls or NGFW devices managed by a different Management Server or administrative Domain are also External VPN Gateway elements.
• The Mobile Client Gateway represents all NGFW and third-party Mobile VPN clients.

VPN Terminology

VPN Gateway: A device that provides VPN access.
VPN Gateway (element): VPN Gateways managed by the same Management Server.
External VPN Gateway: Any other VPN Gateways, third-party firewalls, or NGFW devices managed by a different Management Server.
VPN Client Gateway: All Forcepoint NGFW and third-party VPN clients are represented by the default VPN Client Gateway element.

In the VPN terminology, the Endpoints represent the IP addresses of the firewall through which the VPN Gateway is contacted by the other VPN Gateways. The Site represents the IP addresses and networks accessible through the VPN behind a VPN Gateway.

VPN Terminology

Endpoint: One or several, typically public, IP addresses of the firewall (the CVI address in Firewall Clusters) through which the VPN Gateway is contacted by other VPN Gateways.
Site: Represents the IP addresses / networks accessible through the VPN behind a VPN Gateway. The VPN is negotiated based on Site definitions, and negotiation is started only after a VPN rule has matched.

Objective: Describe Full Mesh, Star, and Hub VPN topologies.

Next Generation Firewall supports Full Mesh, Star, and VPN Hub topologies.

The general VPN topology is defined by classifying Gateways as Central or Satellite. This classification defines which tunnels are generated. You can then further disable any unnecessary tunnels that may be generated.

In a Full Mesh topology, VPNs are established between all endpoints in all VPN Gateways, allowing communication from any site to any other site. You create a Full Mesh topology by configuring all the Gateways as Central Gateways in a VPN configuration.

Full mesh VPN

▪ VPN topology is defined by classifying gateways as Central Gateways or Satellite Gateways.
▪ Configure Central Gateways only for a full mesh VPN.

In a Star topology, we generally see one Central Gateway and several Satellite Gateways. VPNs are established between Central Gateways and Satellite Gateways, not between Satellite Gateways. Satellite Gateways must be configured as such in the VPN.

Topologies can be combined. For example, you can have several Central Gateways in a Star topology. In this case, the Central Gateways have a full mesh topology with each other, and Satellite Gateways have tunnels only to all Central Gateways.

Star VPN

▪ One Central Gateway and several Satellite Gateways create a Star VPN.

In a VPN Hub topology, a gateway is configured to forward VPN traffic between different VPN tunnels.
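To make the Central/Satellite classification concrete, the following Python is an added example, not Forcepoint code: it generates the tunnel list from a gateway classification the way the text describes (tunnels between Central Gateways and from each Satellite to every Central, never Satellite to Satellite, which also covers the combined case of several Central Gateways in a Star), then checks site-to-site reachability with and without a gateway forwarding traffic between its tunnels, which is what separates a plain Star from a Hub VPN. The site names are constructed.

```python
from collections import deque
from itertools import combinations


def generate_tunnels(gateways):
    """gateways: {name: "central" | "satellite"}.
    Tunnels are generated between every pair of Central Gateways and between
    each Satellite Gateway and every Central Gateway, never between two
    satellites (the rule the course states for Full Mesh and Star)."""
    tunnels = []
    for a, b in combinations(sorted(gateways), 2):
        if gateways[a] == "satellite" and gateways[b] == "satellite":
            continue
        tunnels.append((a, b))
    return tunnels


def reachable(tunnels, forwarders, src, dst):
    """Can traffic from src's site reach dst's site over these tunnels?
    A packet may leave a gateway through a second tunnel only if that gateway
    forwards VPN traffic between tunnels (a hub gateway); at any other gateway
    the tunnel simply terminates."""
    adj = {}
    for a, b in tunnels:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        if node != src and node not in forwarders:
            continue
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


# Constructed example: one headquarters and four branch offices
SITES = ["HQ", "Branch-A", "Branch-B", "Branch-C", "Branch-D"]


def compare_topologies(sites=SITES, hub="HQ"):
    full_mesh = generate_tunnels({s: "central" for s in sites})
    star = generate_tunnels({s: "central" if s == hub else "satellite" for s in sites})
    return {
        "full_mesh_tunnels": len(full_mesh),   # n(n-1)/2 tunnels
        "star_tunnels": len(star),             # n-1 tunnels
        # star without forwarding: branches only reach the central gateway's sites
        "star_branch_to_branch": reachable(star, set(), "Branch-A", "Branch-B"),
        # same tunnels, hub gateway forwarding enabled: branch-to-branch works
        "hub_branch_to_branch": reachable(star, {hub}, "Branch-A", "Branch-B"),
        "full_mesh_branch_to_branch": reachable(full_mesh, set(), "Branch-A", "Branch-B"),
    }


if __name__ == "__main__":
    for key, value in compare_topologies().items():
        print(f"{key}: {value}")
```

With five gateways the Full Mesh needs 10 tunnels and the Star only 4; the Star alone leaves the branches unable to talk to each other, and enabling forwarding on HQ restores that connectivity over the same 4 tunnels, at the cost of HQ carrying all branch-to-branch traffic.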
The gateway that does this forwarding in a Hub topology is called the hub gateway. Forwarding is not restricted to hub gateways; it can be configured on any NGFW VPN gateway.</p>
<p>A Full Mesh VPN between a large number of gateways creates a very high number of tunnels. A Hub VPN provides the same connectivity with far fewer tunnels, because every gateway reaches every other gateway through the hub gateway that forwards the traffic.</p>
<p>Deploying a new gateway in a Hub VPN is easier than in a Full Mesh (one tunnel to the hub instead of one tunnel to every peer), but resource consumption on the hub gateway increases: the hub terminates both tunnels of every spoke-to-spoke flow, so it decrypts and re-encrypts that traffic, and it becomes a single point of failure for spoke-to-spoke communication unless it is clustered (see Gateway clustering below).</p>
<p>[Figure: a Hub Gateway with its Hub Sites, and several Spoke Gateways; the hub gateway can route traffic from one spoke gateway's site to another spoke gateway's site.]</p>
<p>Objective: List the SD-WAN features that Forcepoint NGFW supports.</p>
<p>Clustering firewalls and deploying Multi-Link VPN together provide VPN high availability.</p>
<p>SD-WAN capability: Gateway clustering</p>
<p>A VPN Gateway can be associated with a Firewall Cluster. The Firewall Cluster provides redundancy and load balancing for the VPN Gateway, with no additional configuration step compared to configuring a gateway on a Single Firewall.</p>
<p>To other gateways, the Firewall Cluster presents itself as a single device: the Cluster Virtual Interface (CVI) address is the single endpoint IP address to contact. If one of the nodes goes offline or fails, the remaining nodes in the cluster take over the VPN traffic that node was handling. A Firewall Cluster in load-balancing mode also provides more processing power for encryption and decryption.</p>
<p>[Figure: a Gateway Cluster with a single CVI facing the Internet.]</p>
<p>SD-WAN capability: Multi-Link VPN</p>
<p>• Multi-Link distributes outbound traffic across multiple network connections (ISP links) to provide high availability and load balancing for outbound traffic. Using Multi-Link reduces the risk of link congestion and of VPN failures when an ISP connection breaks.</p>
<p>• Multi-Link VPN combines Multi-Link with VPN deployment. In a Multi-Link configuration, traffic can use one or several alternative tunnels to reach the same destination, so the VPN service continues as long as any tunnel is available, even if one or more tunnels fail. Fail-over is transparent to end users, and Multi-Link VPN also load-balances between the links.</p>
<p>• This gives enterprises a cost-effective way to secure communications between offices and keep them available when individual connections are unreliable.</p>
<p>• Multi-Link VPN is an NGFW-specific feature supported only with NGFW gateways at both ends. If a third-party gateway allows several VPN tunnels between the same two devices, you may get some of the benefits Multi-Link offers, but not all Multi-Link features will be available.</p>
<p>• Clustering and Multi-Link VPN can be combined for further resilience of the VPN architecture.</p>
<p>In summary: Multi-Link provides dynamic load balancing across multiple ISPs; Multi-Link VPN adds fault-tolerant VPN tunnels; it requires NGFW gateways at both ends. With a VPN Gateway that has 3 endpoints and a peer gateway that has 2 endpoints, the single site-to-site tunnel is carried by 3 × 2 = 6 endpoint-to-endpoint (Multi-Link) tunnels.</p>
<p>SD-WAN capability: Application Routing</p>
<p>Application routing lets you select the VPN tunnel, ISP link, or proxy server depending on the network applications detected in the traffic.</p>
<p>In the slide's example, the NGFW forwards certain web applications (Office 365 and YouTube) directly to the Internet over the ISP links, sends FTP connections through a VPN tunnel, and sends voice traffic over MPLS.</p>
<p>Application detection works best on protocols where the client sends data first, because the application must be identified from the first packets before the routing decision can be made; web-based protocols usually work this way. 
To ensure that a Network Application element can be used for matching in application routing, use only elements that carry the Application Routing tag.</p>
<p>Some use cases for application routing:</p>
<p>• Route traffic from specific network applications through the local Internet connection, and route other business traffic to a data center over another connection, such as MPLS.</p>
<p>• Exclude specific network applications from being redirected to proxies.</p>
<p>• Direct some network applications to one proxy and the rest of the web traffic to another proxy.</p>
<p>• Direct all traffic of a specific network application to one ISP connection and reserve the other ISP connection for more important traffic. For example, send YouTube traffic over a low-cost ISP connection and business-critical traffic over a faster but more expensive one.</p>
<p>[Figure: Video, Email, Voice, and FTP flows leaving the NGFW; Video and Email to the Internet over ISP-1 and ISP-2, Voice over MPLS, FTP through a VPN.]</p>
<p>Objective: Configure a policy-based VPN.</p>
<p>This configuration scenario walks you through creating a policy-based VPN between one NGFW Engine under your management and one external VPN gateway that is not managed through the same Management Center and is therefore represented by an External VPN Gateway (third-party gateway) element.</p>
<p>This scenario involves more configuration steps than a VPN between two NGFW Engines, where the system derives some VPN settings automatically, for example from the NGFW routing configuration.</p>
<p>VPN configuration steps</p>
<p>1. Create an External VPN Gateway and, optionally, a Gateway Profile.</p>
<p>2. Define the endpoints.</p>
<p>3. Define the Site content.</p>
<p>4. Create a Policy-Based VPN element.</p>
<p>5. Define the VPN topology.</p>
<p>6. Create the Access rules.</p>
<p>Task 1: Define the Gateways</p>
<p>VPN Gateway and External VPN Gateway elements represent the physical devices that establish the VPN.</p>
<p>VPN Gateway elements represent NGFW Engines managed by the Management Server (and administrative Domain) you are currently connected to with the Management Client. One VPN Gateway element is created automatically for each Forcepoint NGFW in the Firewall role, so in this scenario you only need to define the External VPN Gateway. External VPN Gateway elements represent third-party VPN devices or NGFW Engines managed by a different Management Server (or administrative Domain).</p>
<p>VPN Gateway elements are visible in the VPN configuration view under the VPN Gateways branch. They represent firewalls in VPNs and are used to build the VPN topology.</p>
<p>Gateway Profile</p>
<p>The Gateway Profile describes the features and options a gateway supports, so that the VPN configuration can be validated automatically. The authentication and encryption settings in the Gateway Profile do not themselves determine which settings a VPN uses; they are a configuration aid and a reference the system uses to check that the settings defined for the VPN correspond to the options the gateway devices involved actually support.</p>
<p>For VPN Gateways (internal gateways), the system selects the Gateway Profile automatically based on the version of the engine software installed, and you cannot change the selection. For External VPN Gateways, set the Gateway Profile according to the features and options the third-party VPN gateway really supports; an inaccurate profile defeats the validation.</p>
<p>Task 2: Define the Endpoints</p>
<p>The next step is to select the endpoints of your VPN gateways.</p>
<p>For a VPN Gateway, the endpoints are configured in the Engine Editor. The End-Points list shows the IP addresses that are used as VPN endpoints when the firewall acts as a gateway in a VPN. The endpoint IP addresses are defined automatically from the firewall's interface configuration; both IPv4 and IPv6 addresses can be used as endpoints.</p>
<p>The endpoints are selected automatically based on the firewall's routing: firewall IP addresses on interfaces towards the Internet are selected according to the firewall's default routing table. 
In the Phase-1 settings, you can change the identification type of your endpoint to suit your environment. IP Address is the default identification type, and it must be changed when the endpoint has a dynamic IP address.</p>
<p>You can enable NAT-T (NAT traversal) in the endpoint properties. NAT-T encapsulates the encrypted VPN traffic (ESP) in UDP packets so that address translation on the path does not break the VPN. Enable NAT-T on your endpoints when the gateway-to-gateway VPN traverses a NAT device.</p>
<p>If the automatically defined settings meet your needs, there is no need to edit the endpoint settings.</p>
<p>For an External VPN Gateway, the endpoints are configured manually in the External VPN Gateway properties: define the IP address of each endpoint and its Phase-1 identification settings.</p>
<p>Task 3: Define the Site content</p>
<p>The Site element defines the internal IP addresses that send or receive traffic through the VPN. IP addresses that are not included in a Site cannot communicate through the VPN.</p>
<p>With VPN Gateway elements, you can include a Site that is populated and updated automatically from the routing configuration. For an External VPN Gateway, you must define the protected IP addresses in the Site associated with that gateway.</p>
<p>Note that an IP address must be included in a Site to be valid in the VPN, but the Access rules define which connections are allowed to enter and exit a VPN tunnel. Keep each Site limited to the networks that actually need the VPN: the peer's Site determines which addresses are accepted out of that peer's tunnel, your own Site determines which local addresses can be sent into it, and the Access rules are the second, finer control on top of that.</p>
<p>Task 4: Define the Policy-Based VPN element</p>
<p>The Policy-Based VPN element collects the gateways and the VPN Profile and provides the settings for defining the topology and the tunnels of the VPN.</p>
<p>Configuring a new VPN element has two stages: first you define the Policy-Based VPN element with the basic properties of the VPN, then you populate the VPN topology with gateways and adjust the tunnels in the VPN editing view. VPN topology configuration is covered in the next slide.</p>
<p>The Policy-Based VPN element properties refer to a default VPN Profile that is used for all tunnels configured in the VPN.</p>
<p>Task 4 (continued): Define the VPN Profile (optional)</p>
<p>Each VPN refers to a VPN Profile. The VPN Profile is the main point of configuration for the IKE and IPsec settings: integrity checking, authentication, and encryption.</p>
<p>You are free to choose any combination of settings as long as all gateways involved support them and are configured to accept them. Choose the strongest combination both ends support rather than the lowest common denominator.</p>
<p>The same VPN Profile can be shared by several VPNs if the settings fit. The system provides predefined VPN Profiles that contain the settings specified for standard cryptographic suites.</p>
<p>In the VPN Profile you select the IKE authentication method: pre-shared key or certificates.</p>
<p>• If you choose pre-shared key authentication, the pre-shared key is defined in the gateway-to-gateway tunnel properties. Because a pre-shared key is a single secret known to both peers, use a long random key and a different key for each tunnel.</p>
<p>• If you choose a certificate-based authentication method, certificates are required to authenticate the gateways.</p>
<p>The SMC provides an internal VPN certificate authority. For internal VPN Gateways, all steps can be completely automatic if the internal certificate authority signs the certificates.</p>
<p>Other certificate authorities (CAs) can be added to the list of CAs trusted by the gateway. 
If some other certificate authority is used, the gateway's certificate request can be exported from the system and the signed certificate imported back.</p>
<p>Task 5: Define the VPN Topology</p>
<p>The topology is determined by selecting whether each gateway is Central or Satellite in this particular VPN. You do this by dragging and dropping the gateways into either the Central or the Satellite panel in the VPN topology.</p>
<p>The Sites and networks of each gateway element can be adjusted in the VPN, but for the most part they are not VPN-specific. The only VPN-specific change is to disable some Site elements in the VPN, which excludes those IP addresses from that VPN only.</p>
<p>Tunnels are generated based on the overall topology. You can further adjust the generated tunnels to limit which gateways and endpoints form tunnels with each other, and change some properties of the tunnels between two particular gateways or endpoints, such as the VPN Profile used. In a Multi-Link VPN configuration, you can also define which tunnels are active and which are standby.</p>
<p>If you use pre-shared keys for authentication with external gateways, either set the key agreed with your partner or export the keys the system generated automatically and hand them to your partner over a secure channel.</p>
<p>[Figure: the VPN topology view, showing the site-to-site tunnels generated by the topology with their VPN Profile and pre-shared key, and the endpoint-to-endpoint tunnels beneath them.]</p>
<p>Task 6: Create the Access Rules</p>
<p>No traffic is sent through the VPN until you direct traffic to the VPN in the Access rules.</p>
<p>The firewall Access rules define which traffic is sent into the VPN and which traffic is allowed out of the VPN. These checks are made in addition to the enforcement of the gateways' Site definitions, which define the allowed source and destination addresses for each VPN.</p>
<p>VPN Access rules behave like all other Access rules: you define matching criteria, and all traffic that matches is handled according to the rule's Action. Apply VPN and Enforce VPN are options of the Allow action. Both direct traffic from the protected local networks into the VPN tunnel and allow traffic that arrives through the VPN. They differ in how they treat traffic from external networks to the local network that did not arrive through the VPN:</p>
<p>• Enforce VPN drops such non-VPN traffic if it matches the rule.</p>
<p>• Apply VPN does not match such non-VPN traffic, which is then processed by the following rules of the policy. If a later rule allows it, the traffic enters in the clear. Use Enforce VPN for traffic that must never be accepted outside the tunnel.</p>
<p>The main use of the Forward action is to direct traffic from one VPN tunnel into another VPN tunnel in a Hub topology.</p>
<p>In the slide's example, two rules are created to allow the two directions of VPN traffic separately.</p>
<p>Note that by default, packets going through VPN tunnels are not sent to the NAT rules. To change this, you must specifically enable NAT for the VPN and define Private Sites using the translated addresses.</p>
<p>The VPN configuration takes effect once the policy is installed on the firewall. 
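</p>
<p>The difference between Apply VPN and Enforce VPN, and the Site check that sits underneath both, as an added Python model. This is not Forcepoint code and does not reproduce the engine's exact processing order: it keeps only the behaviour the text describes (first matching rule decides; VPN traffic must fall within the Sites; Enforce VPN discards non-VPN traffic while Apply VPN lets it fall through to later rules). The RFC 1918 addresses, the rule names, and the deliberately too-broad VPN rule are constructed; the one assumption beyond the text is that a flow matching a VPN rule but lying outside the Site definitions is discarded.</p>

```python
"""Added example (not Forcepoint code): a minimal first-match model of how the
Apply VPN and Enforce VPN options and the Site check decide the fate of a packet.
Addresses are constructed (RFC 1918). Assumption: a flow that matches a VPN rule
but lies outside the Site definitions is discarded."""
import ipaddress
from dataclasses import dataclass
from typing import NamedTuple, Sequence


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    via_vpn: bool = False  # True if the packet was decrypted out of a VPN tunnel


@dataclass(frozen=True)
class Rule:
    name: str
    sources: Sequence[str]
    destinations: Sequence[str]
    action: str  # "allow" | "discard" | "apply_vpn" | "enforce_vpn"


@dataclass(frozen=True)
class PolicyVPN:
    local_site: Sequence[str]   # Site of our VPN Gateway
    remote_site: Sequence[str]  # Site of the External VPN Gateway


class Verdict(NamedTuple):
    action: str
    rule: str
    reason: str


def in_any(ip: str, nets: Sequence[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in nets)


def site_match(vpn: PolicyVPN, pkt: Packet) -> bool:
    """Both ends of the flow must be inside the Sites for the VPN to carry it."""
    return (in_any(pkt.src, vpn.local_site) and in_any(pkt.dst, vpn.remote_site)) or (
        in_any(pkt.src, vpn.remote_site) and in_any(pkt.dst, vpn.local_site))


def evaluate(rules: Sequence[Rule], vpn: PolicyVPN, pkt: Packet) -> Verdict:
    """The first matching rule decides, with the Apply/Enforce VPN semantics from the text."""
    for rule in rules:
        if not (in_any(pkt.src, rule.sources) and in_any(pkt.dst, rule.destinations)):
            continue
        if rule.action in ("allow", "discard"):
            return Verdict(rule.action, rule.name, "plain rule match")
        # apply_vpn / enforce_vpn: traffic out of the tunnel is allowed, local traffic
        # towards the remote Site is directed into the tunnel; the Site check applies to both
        if pkt.via_vpn or in_any(pkt.dst, vpn.remote_site):
            if site_match(vpn, pkt):
                return Verdict("allow_from_vpn" if pkt.via_vpn else "send_to_vpn",
                               rule.name, "VPN traffic within Site definitions")
            return Verdict("discard", rule.name, "outside Site definitions (assumption)")
        # Cleartext traffic from outside that did NOT arrive through the tunnel:
        if rule.action == "enforce_vpn":
            return Verdict("discard", rule.name, "non-VPN traffic dropped by Enforce VPN")
        # apply_vpn: this rule does not match; evaluation continues with the next rule
    return Verdict("discard", "<implicit>", "no rule matched")


# Constructed scenario: our Site is 10.1.0.0/16, the partner's Site is 10.2.0.0/16, the
# VPN rule is written too broadly (10.0.0.0/8 on both sides), and a later rule allows
# HTTP to a local web server from anywhere.
VPN = PolicyVPN(local_site=("10.1.0.0/16",), remote_site=("10.2.0.0/16",))
WEB_SERVER = "10.1.10.80"


def policy(vpn_action: str) -> list:
    return [
        Rule("partner-vpn", ("10.0.0.0/8",), ("10.0.0.0/8",), vpn_action),
        Rule("web-from-anywhere", ("0.0.0.0/0",), (WEB_SERVER + "/32",), "allow"),
        Rule("default-deny", ("0.0.0.0/0",), ("0.0.0.0/0",), "discard"),
    ]


# A packet carrying a partner source address that arrives in the clear, not out of the tunnel
CLEARTEXT_FROM_PARTNER_RANGE = Packet("10.2.7.7", WEB_SERVER)

if __name__ == "__main__":
    for action in ("apply_vpn", "enforce_vpn"):
        print(action, "->", evaluate(policy(action), VPN, CLEARTEXT_FROM_PARTNER_RANGE))
```

<p>With Apply VPN, the cleartext packet from the partner's address range is not matched by the VPN rule and falls through to the web rule, which accepts it unencrypted; with Enforce VPN the same packet is discarded by the VPN rule itself. The Site check is what stops a host outside 10.1.0.0/16 from being sent into the tunnel even though the rule's 10.0.0.0/8 would match it, which is the interplay of Sites and Access rules described in Task 3 and Task 6.</p>
<p>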
</p>
<p>VPN tools: Link Summary</p>
<p>You can review the IP addresses and settings used in an individual tunnel by right-clicking the tunnel in the Endpoint-to-Endpoint list and selecting View Link Summary. This is especially useful in complex configurations involving external components, to check the IP address details and other settings that must match the external configuration.</p>
<p>VPN tools: VPN SA Monitoring</p>
<p>The VPN SA Monitoring view lists all VPN Security Associations (SAs) currently negotiated on the firewall. You can filter the VPN SAs, create statistics, aggregate the table by any field, and save VPN SA monitoring snapshots for later analysis. You can also delete VPN SAs, which resets the corresponding VPN tunnels by forcing the SAs to be renegotiated. This is especially useful for resetting tunnels to external third-party gateways that have stopped working.</p>
<p>Objective: Describe how route-based VPNs work.</p>
<p>Route-based VPN</p>
<p>In a route-based VPN, the firewall's routing defines which traffic is sent into the VPN tunnel.</p>
<p>A Route-Based VPN creates tunnels between firewall interfaces called Tunnel Interfaces, which are designated as the tunnel endpoints. Any traffic that is routed to a Tunnel Interface and allowed by the Access rules is sent into the Route-Based VPN.</p>
<p>A Route-Based VPN can use Tunnel mode or Transport mode when an additional GRE, IP-in-IP, or SIT tunnel type is used:</p>
<p>• In Tunnel mode, the encryption is provided by an existing, separately configured policy-based VPN that carries the encapsulated traffic.</p>
<p>• In Transport mode, only a VPN Profile is configured in the route-based VPN, and it is used to negotiate the IPsec tunnel that secures the route-based tunnel.</p>
<p>With the plain VPN tunnel type, no additional encapsulation is used and the traffic is sent directly over the IPsec tunnel.</p>
<p>Route-based VPNs can protect and route multicast communications between remote sites, for example dynamic routing protocol exchanges (RIP, OSPF) and multicast streams. Traffic is forwarded to the Tunnel Interfaces, and the IP payload can be encrypted and, depending on the configuration, encapsulated (GRE, IP-in-IP, or SIT) in the route-based VPN tunnel.</p>
<p>[Figure: two internal networks, each behind a router, exchanging dynamic routing protocol updates and multicast traffic through a route-based VPN tunnel across the Internet.]</p>
<p>Knowledge check</p>
<p>Q1. What are the different types of VPNs you can configure on Forcepoint NGFW?</p>
<p>A1. Route-based, policy-based, and client VPNs can be configured on the NGFW.</p>
<p>Q2. What are the VPN standards used for?</p>
<p>A2. The VPN standards provide interoperability between different solutions.</p>
<p>Q3. Which VPN topologies does Forcepoint NGFW support?</p>
<p>A3. The NGFW supports Full Mesh, Star, and Hub VPN topologies.</p>
<p>Q4. What are the benefits of SD-WAN technology?</p>
<p>A4. 
The main benefits of SD-WAN technology are to ensure the availability of ISP connections and to provide resilience for VPN connections.</p>
<p>Q5. Is NAT enabled for policy-based VPNs?</p>
<p>A5. NAT is disabled for policy-based VPNs by default. You must enable it in the VPN properties.</p>
<p>Q6. How is traffic selected to be sent into the route-based VPN tunnel?</p>
<p>A6. Traffic in a route-based VPN is selected according to the routing table.</p>
<p>Advanced Logging</p>
<p>Course roadmap</p>
<p>This course contains the following modules:</p>
<p>1. NGFW Overview</p>
<p>2. SMC Overview</p>
<p>3. Getting Started with the SMC</p>
<p>4. NGFW Policies and Templates</p>
<p>5. Access Control and NAT</p>
<p>6. Traffic Inspection</p>
<p>7. Inspection Policy</p>
<p>8. Malware Detection and File Filtering</p>
<p>9. Alerts and Notifications</p>
<p>10. Users and Authentication</p>
<p>11. Mobile VPN and SSL VPN Portal</p>
<p>12. Site-to-Site VPN</p>
<p>13. Advanced Logging</p>
<p>14. Policy Tools</p>
<p>15. Monitoring and Reporting</p>
<p>16. Troubleshooting</p>
<p>Module objectives</p>
<p>After successfully completing this module, you will be able to:</p>
<p>▪ Describe the log entry types available in Forcepoint NGFW.</p>
<p>▪ Use the available interface to interpret and analyze logs.</p>
<p>▪ Configure and manage logs.</p>
<p>▪ Create permanent filters.</p>
<p>▪ Analyze how pruning filters affect log data.</p>
<p>▪ Configure the Log Server to forward logs to third-party SIEM systems.</p>
<p>▪ Describe the methods available for managing the space consumed by log data.</p>
<p>Objective: Describe the log entry types available in Forcepoint NGFW.</p>
<p>• Log entries are most often triggered by Access rules. Other types of rules can also be set to create log entries. The system can additionally produce detailed Diagnostics logs, and it always produces some internal log entries (such as entries related to policy installation).</p>
<p>• Firewalls, IPS engines, and Layer 2 Firewalls send their log entries directly to the Log Server. The Log Server either stores the entries or just relays them to be viewed in the Logs view.</p>
<p>• If administrative Domains are configured, all log, alert, and audit entries are Domain-specific. When you log in to a Domain, only the entries related to that Domain can be viewed or managed. 
However, audit entries from all Domains are displayed to administrators who are logged in to the Shared Domain.</p>
<p>Log entry type: NGFW Engine logs</p>
<p>▪ Records of connections triggered by a matching Access, Inspection, or File Filtering rule, sent by the NGFW Engines.</p>
<p>Log entry type: audit entries</p>
<p>Auditing logs administrator actions and allows administrators with unrestricted privileges to view and manage these logs in order to keep track of system changes.</p>
<p>Audit logs are a special type of log that records actions performed on the system through the Management Center:</p>
<p>• Actions concerning element configuration</p>
<p>• Actions performed on the engine nodes</p>
<p>• Use of command line tools</p>
<p>• Actions related to certificates</p>
<p>• Actions related to administrator login authentication</p>
<p>• Some system-generated events</p>
<p>This data answers what was changed, who changed it, and when, and is useful, for example, when troubleshooting malfunctions caused by undocumented configuration changes.</p>
<p>Audit entries can be browsed in the Logs view like any other logs, and printed, copied, and archived by administrators with unrestricted privileges. Unlike other logs, audit logs are not stored centrally on the Log Servers: each audit entry is stored on the Management Server or on the Log Server that originally created it. Include those locations in your backup and archiving plan if the audit trail must survive the loss of a server.</p>
<p>Third-party monitoring</p>
<p>You can view logs sent by third-party devices directly in the Logs view.</p>
<p>• The Logging Profile editor defines how the Syslog data the device sends is converted into fields in the Logs view.</p>
<p>• The validation tool can be used to check that your definitions are correct.</p>
<p>• IPFIX/NetFlow reception requires log accounting to be set at the log level.</p>
<p>Objective: Use the available interface to interpret and analyze logs.</p>
<p>Troubleshooting: Diagnostic logs</p>
<p>• Provide more verbose logging for troubleshooting purposes and should only be enabled while troubleshooting.</p>
<p>• Display additional diagnostic information for the selected options (IPsec, Authentication, Cluster Protocol, Protocol Agents, State synchronization, and so on).</p>
<p>• The diagnostics settings take effect immediately, and the Logs view begins to display additional entries for the chosen options.</p>
<p>• You can create a filtering profile for the diagnostic messages, for example to export them for later analysis.</p>
<p>Caution: Diagnostics significantly increase the quantity of log data generated. Disable diagnostics when the analysis is complete.</p>
<p>Note: Some error messages are expected. 
For example, the state synchronization error message indicates that synchronization between clustered nodes cannot be performed. On a single-node firewall this error is expected, because the firewall is not a node in a cluster.</p>
<p>To enable diagnostics:</p>
<p>1. In the Home view, right-click a firewall or cluster to open its menu.</p>
<p>2. Select Options > Diagnostics.</p>
<p>3. Locate the relevant diagnostics items in the tree.</p>
<p>Log details</p>
<p>The Details arrangement of the Logs view summarizes all relevant information on an individual event. It is particularly useful for browsing alerts and records generated by Inspection rule matches. Double-click an entry to see its details; entries can then be browsed one by one with the back and forward toolbar icons.</p>
<p>Log statistics</p>
<p>In the Statistics arrangement of the Logs view, you can view charts of multiple events interactively, as an instant report on the logs that match the active Query.</p>
<p>• Many predefined statistical items are available, and 500 statistical items can be used to build custom statistics.</p>
<p>• The chart area can show a pie chart, a bar chart, a line chart, a stacked line chart, or a map chart based on the SMC's internal geolocation database.</p>
<p>Log analysis</p>
<p>The Log Analysis arrangement provides tools for analyzing logs, alerts, and audit entries. The analysis is performed on the logs that match the active Query.</p>
<p>• Aggregate the events based on one or more fields: the log data is grouped by the selected criteria without duplicated rows.</p>
<p>• View the data as a chart by selecting one of the predefined statistical items.</p>
<p>• Visualize the data on a diagram, according to the option chosen:</p>
<p>• Audit Map: a map of how administrators manipulate elements.</p>
<p>• Network Application Usage: a map of users and the applications they access, also indicating allowed and disallowed connections between users and applications.</p>
<p>• Service Map: access to services in the network.</p>
<p>• Attack Analysis: hosts, targets, and detected attack patterns.</p>
<p>• Network Application and Client Executable Usage: a map of users, applications, and executables reported by the Endpoint Context Agent (ECA), also indicating allowed and disallowed connections.</p>
<p>You can zoom in on the data presented in the visualization diagrams and select elements to create filters, which makes the visualizations a practical starting point for anomaly detection.</p>
<p>Objective: Navigate between related policies and logs.</p>
<p>From the policy editor, you can see the logs generated by a rule. 
Right-click a Rule and</p><p>select ‘Show Related Logs’.</p><p>Similarly, in the Logs view, the ‘View Rule’ action allows you to display the rule that</p><p>generated the selected log entry.</p><p>You can add rules to policies based on log entries that have been generated from rules</p><p>(entries that include a rule tag). This allows you to create exceptions by changing the rule’s</p><p>action or logging options for a particular source, destination, and service.</p><p>perform transparent Layer 2 operations without the need of defining IPs</p><p>or MAC addresses.</p><p>Inline deployment is good for blocking attacks if you can identify a clear threat path</p><p>• From the Internet to the DMZ segment</p><p>• from anywhere to an important application server</p><p>• from internal networks to the Internet.</p><p>Public © 2022 Forcepoint 25</p><p>Layer 2 Inline IPS/Layer 2 Firewall deployment</p><p>▪ Inline deployment within the network traffic path</p><p>▪ Active responses (Terminate, Block list, HTTP redirect, HTML response)</p><p>▪ VLAN (802.1q) traffic inspection and re-tagging</p><p>▪ Aggregated links (802.3ax) inspection</p><p>▪ Configured using Inline Layer 2 Interfaces allowing transparent operations</p><p>NGFW in IPS or</p><p>Layer 2 Firewall role</p><p>Inline Layer 2 Interfaces</p><p>Internal</p><p>Servers</p><p>Internal</p><p>Network</p><p>© 2022 Forcepoint Forcepoint NGFW 7.0 Administrator Course | 27</p><p>In an IDS (intrusion detection system) installation or a Layer 2 Firewall in Passive mode,</p><p>external equipment duplicates the traffic flow for inspection, and the engine just “listens in”.</p><p>The engine does not have direct control over the traffic flow, but it can respond to selected</p><p>threats by sending packets that reset the connections. 
IDS or a Layer 2 Firewall in Passive mode can send block listing requests to other NGFWs, but they cannot enforce block listing requests from other components.</p>
<p>IDS / Passive Firewall mode requires the configuration of Capture Layer 2 interfaces. TCP reset requires the configuration of reset interfaces.</p>
<p>IDS / Passive Firewall mode is good for monitoring the traffic within network segments:</p>
<p>• Complements the “radar scope” of other NGFWs.</p>
<p>• Detects worm propagation within a single segment.</p>
<p>• IDS can request an NGFW or Inline IPS to isolate the segment from other networks.</p>
<p>IDS / Passive Firewall mode cannot make any modifications to the data stream (SSL decryption and other similar functions are not possible).</p>
<p>Layer 2 IDS/Passive Firewall deployment</p>
<p>▪ Passively monitoring network traffic coming from a wiretap or a switch mirror port (SPAN)</p>
<p>▪ Active responses (TCP reset, Block list)</p>
<p>▪ Aggregated traffic inspection from multiple SPAN or wiretap ports</p>
<p>▪ VLAN (802.1q) traffic inspection</p>
<p>▪ Configured using Capture Layer 2 Interfaces, invisible from the monitored network</p>
<p>Diagram: NGFW in the IDS or Passive Firewall role attached through a Layer 2 Capture Interface to the segment between the Internal Network and the Internal Servers.</p>
<p>In multi-layer deployment, a Firewall role NGFW can have both layer 2 physical interfaces and layer 3 physical interfaces.</p>
<p>Layer 2 interfaces on Firewalls allow the engine to be deployed on the network in the same way as IPS engines and Layer 2 Firewalls.</p>
<p>Layer 2 interfaces on NGFW Engines in the Firewall role provide the following benefits:</p>
<p>• When the same engine has both layer 2 and layer 3 interfaces, the administration is easier because there are fewer NGFW Engine elements to manage in the SMC.</p>
<p>• It is more efficient and economical to use one NGFW hardware 
device that has both layer 2 and layer 3 interfaces because a smaller number of NGFW appliances can provide the same traffic inspection.</p>
<p>• When you use layer 2 interfaces on NGFW Engines in the Firewall role, the NGFW Engine can use options and features that are not available on NGFW Engines in the IPS or Layer 2 Firewall roles.</p>
<p>For example, an NGFW Engine in the Firewall role can use Forcepoint Endpoint Context Agent (ECA), the Forcepoint User ID service, NetLinks for communication with the SMC, and dynamic control IP addresses, while also being capable of being deployed on the network in the same way as the IPS and Layer 2 Firewall roles.</p>
<p>Multi-layer deployment</p>
<p>▪ Layer 3 Firewall and L2FW/IDS/IPS in one physical appliance</p>
<p>▪ Layer 3 interfaces for traffic inspection, NAT, routing, and VPN</p>
<p>▪ Inline Layer 2 interfaces for network segmentation and content inspection</p>
<p>▪ Layer 2 Capture interface for traffic monitoring</p>
<p>Diagram: one NGFW FW/VPN appliance with Layer 3 Interfaces towards the Internet, the DMZ, and an Internal Network, and a Layer 2 Interface towards another Internal Network.</p>
<p>Knowledge check</p>
<p>What are the three roles that Forcepoint NGFW can be deployed in?</p>
<p>The three modes of operation are:</p>
<p>1. Firewall</p>
<p>2. IPS</p>
<p>3. 
Layer 2 firewall</p>
<p>Module summary</p>
<p>You should now be able to:</p>
<p>▪ List the Forcepoint NGFW benefits and differentiators.</p>
<p>▪ Explain the differences between the operating roles.</p>
<p>▪ Describe the Forcepoint NGFW engine and appliances.</p>
<p>▪ Explain basic concepts of virtualization.</p>
<p>▪ Describe at least one of the installation methods.</p>
<p>▪ List the four common NGFW deployments.</p>
<p>SMC Overview</p>
<p>Forcepoint Next Generation Firewall 6.7</p>
<p>Course roadmap</p>
<p>This course contains the following modules:</p>
<p>1. NGFW Overview</p>
<p>2. SMC Overview</p>
<p>3. Getting Started with the SMC</p>
<p>4. NGFW Policies and Templates</p>
<p>5. Access Control and NAT</p>
<p>6. Traffic Inspection</p>
<p>7. Inspection Policy</p>
<p>8. Malware Detection and File Filtering Policy</p>
<p>9. Alerts and Notifications</p>
<p>10. Users and Authentication</p>
<p>11. Mobile VPN and SSL VPN Portal</p>
<p>12. Site-to-Site VPN</p>
<p>13. Advanced Logging</p>
<p>14. Policy Tools</p>
<p>15. Monitoring and Reporting</p>
<p>16. 
Troubleshooting</p>
<p>Module objectives</p>
<p>After successfully completing this module, you will be able to:</p>
<p>▪ Describe the Security Management Center and its key features.</p>
<p>▪ Describe the NGFW system architecture.</p>
<p>▪ Identify the ports used for communication between SMC components.</p>
<p>▪ Explain the use of locations and contact addresses.</p>
<p>▪ Explain the use of SMC Domains.</p>
<p>Objective: Describe the Security Management Center and its key features.</p>
<p>The Security Management Center (SMC) provides unified network security management for all NGFW security devices (Firewall, IPS, and Layer 2 FW roles), whether physical or virtual.</p>
<p>The unified management platform provides the following benefits:</p>
<p>• Enhanced network visibility with centralized monitoring, logging, reporting, auditing, and other tools</p>
<p>• Configuration using flexible re-usable elements, reducing the need for repetitive configuration tasks and the likelihood of simple mistakes</p>
<p>• The current configuration is stored on the Management Server, facilitating recovery in case of equipment failures</p>
<p>• All configuration is done via secure and authenticated channels by default</p>
<p>Security Management Center</p>
<p>▪ Unified, centralized management of all modes of Forcepoint Next Generation Firewall – physical, virtual, or cloud</p>
<p>Diagram: the Security Management Center (SMC) and its connectivity to Forcepoint NGFW single and cluster physical appliances, Forcepoint NGIPS physical/virtual appliances, and a Forcepoint NGFW single cloud appliance in Azure, across sites such as Web Services, Data Center, 
Public / Private Cloud, Regional Office, Branch Location, Home Office, and Headquarters.</p>
<p>SMC key features</p>
<p>Diagram: SMC key feature areas: Role-Based Administration, MSSP, Centralized Management, High Availability, Smart Policies, and Monitoring.</p>
<p>Monitoring</p>
<p>▪ Real-time monitoring</p>
<p>▪ High-performance logging system</p>
<p>▪ Log analysis and reporting</p>
<p>▪ User and endpoint context awareness</p>
<p>▪ Third-party device monitoring</p>
<p>High availability option</p>
<p>▪ Management Server high availability</p>
<p>▪ Log Server high availability</p>
<p>Smart policies</p>
<p>▪ Policy templates</p>
<p>▪ Hierarchical policies</p>
<p>▪ Deployment workflow automation</p>
<p>MSSP</p>
<p>▪ Intelligent and</p>
<p>You have the option to edit the rule that is generated.</p>
<p>Policy Editor / Logs View</p>
<p>Drill-down into policies and logs</p>
<p>Screenshot: create a new rule related to the selected event; view the rule that caused the log entry to appear; view the logs generated by a rule.</p>
<p>• From log statistics or a Reports chart, you can view logs that correspond to a chart segment.</p>
<p>• The Timeline statistics plot the number of matching Log entries over time. 
You can filter the logs based on the segment you selected in the chart.</p>
<p>Drill-down into statistics and logs</p>
<p>Screenshot: drill in to log records from log statistics or stored reports; filter logs from timeline statistics.</p>
<p>Objective: Create permanent filters.</p>
<p>Filter elements are defined using a flexible syntax that is capable of precise matching. A Filter consists of one or more fields of event data (source IP address, time of the event, etc.) and one or more operations that define how to filter the data using the selected event data fields.</p>
<p>There are three operation types:</p>
<p>1. Calculation operations perform mathematical calculations.</p>
<p>2. Comparison operations check values against other values.</p>
<p>3. Logical operations combine the different filtering criteria.</p>
<p>When you need to construct a detailed, complex filter, it is usually more effective to start by creating a Filter element by dragging and dropping. 
Even in this case you can create the Filter element based on some filtering criteria and then edit the Filter, rather than start from a completely empty, new Filter element.</p>
<p>You can also save a local filter as a permanent Filter element that can be used anywhere in the Management Client.</p>
<p>Filter editor for permanent filters</p>
<p>▪ Create permanent filters using:</p>
<p>• Logical operators (AND, OR, NOT)</p>
<p>• Variables</p>
<p>• Comparisons (such as less than, equal to, between)</p>
<p>▪ Complex filters can be created by combining filters.</p>
<p>Objective: Analyze how pruning filters affect log data.</p>
<p>The primary method for coping with capacity limitations is to configure the logging options to store only the necessary events. It is preferable to adjust log generation options instead of letting log entries be generated and then pruning them, as this wastes system resources in creating and transferring the unnecessary logs.</p>
<p>Log pruning consists of two filters: Immediate Discard Filters and Discard Before Storing Filters.</p>
<p>If a log matches the Immediate Discard Filters, it is discarded by the Log Server. If it does not, it is processed further: the log is displayed in the Management Client and, if the log has been set for storage, it is matched against the Discard Before Storing Filters. If there is a match, the log is not stored on the Log Server.</p>
<p>Log pruning is needed, for example, when a rule generates both useful and unnecessary logs. Log pruning gives you the ability to discard newly generated irrelevant log entries on the Log Server. Only logs can be pruned: alerts and audit entries are never pruned.</p>
<p>Enable Log Pruning with caution! 
For example, selecting the Match All filter for log pruning irreversibly destroys all new logs that are created.</p>
<p>Log pruning</p>
<p>Allows you to discard some of the generated logs according to filtering criteria.</p>
<p>Diagram (log pruning flow): a log entry arriving at the Log Servers is first matched against the Immediate discard filters (Yes: discard; No: shown as current logs in the Management Client). If its logging option is stored, essential, or alert, it is then matched against the Discard before storing filter (Yes: not stored; No: store entries, shown as stored logs in the Management Client).</p>
<p>Objective: Configure the Log Server to forward logs to third-party SIEM systems.</p>
<p>Log Servers can be configured to forward log data to external hosts. You can define which type of log data you want to forward and in which format. You can also use Filters to specify in detail which log data is forwarded. 
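</p>
<p>The two-stage pruning order described above (Immediate Discard first, then Discard Before Storing for entries whose logging option sends them to storage, with alerts and audit entries exempt) together with the comparison and logical operations from the permanent-filter section, as an added example. This is illustrative Python written for this page, not Forcepoint code: the field names, the logging option values, the sample entries, and the two filter sets are constructed for the demo, and forwardable() models the rule that only entries surviving Immediate Discard can be forwarded to an external server.</p>

```python
"""Two-stage log pruning on a Log Server, modelled with filter elements.

Added example, not Forcepoint code. Filters are predicates built from
comparison and logical operations; prune() applies them in the order the
course describes. Field names, logging option values and the sample
entries are constructed for the demo.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Sequence

LogEntry = Dict[str, Any]
Filter = Callable[[LogEntry], bool]


# --- comparison operations: predicates on one event-data field ---
def equals(name: str, value: Any) -> Filter:
    return lambda e: e.get(name) == value


def less_than(name: str, value: Any) -> Filter:
    return lambda e: name in e and e[name] < value


def between(name: str, low: Any, high: Any) -> Filter:
    return lambda e: name in e and low <= e[name] <= high


# --- logical operations: combine filtering criteria ---
def all_of(*filters: Filter) -> Filter:          # AND
    return lambda e: all(f(e) for f in filters)


def any_of(*filters: Filter) -> Filter:          # OR
    return lambda e: any(f(e) for f in filters)


def negate(f: Filter) -> Filter:                 # NOT
    return lambda e: not f(e)


def match_all(e: LogEntry) -> bool:              # the "Match All" filter
    return True


STORED_OPTIONS = {"stored", "essential", "alert"}   # options that send an entry towards storage
PRUNABLE_TYPES = {"log"}                           # alerts and audit entries are never pruned


@dataclass
class PruneResult:
    discarded: List[LogEntry] = field(default_factory=list)  # dropped by Immediate Discard
    current: List[LogEntry] = field(default_factory=list)    # shown in the Management Client
    stored: List[LogEntry] = field(default_factory=list)     # written to the Log Server


def prune(entries: Sequence[LogEntry], immediate_discard: Sequence[Filter],
          discard_before_storing: Sequence[Filter]) -> PruneResult:
    result = PruneResult()
    for e in entries:
        prunable = e.get("type") in PRUNABLE_TYPES
        if prunable and any(f(e) for f in immediate_discard):
            result.discarded.append(e)       # never displayed, never forwarded
            continue
        result.current.append(e)
        if e.get("logging") not in STORED_OPTIONS:
            continue                         # transient: a current log only
        if prunable and any(f(e) for f in discard_before_storing):
            continue                         # displayed (and forwardable) but not stored
        result.stored.append(e)
    return result


def forwardable(result: PruneResult) -> List[LogEntry]:
    """Entries a Log Server may forward to a SIEM: everything that passed Immediate Discard."""
    return list(result.current)


def destroys_all_logs(immediate_discard: Sequence[Filter], sample: Sequence[LogEntry]) -> bool:
    """Pre-flight check for the 'Match All' mistake: True if every sampled log would be discarded."""
    logs = [e for e in sample if e.get("type") == "log"]
    return bool(logs) and all(any(f(e) for f in immediate_discard) for e in logs)


# Constructed sample entries and filters for the demo.
SAMPLE_ENTRIES: List[LogEntry] = [
    {"id": 1, "type": "log", "logging": "stored", "service": "HTTP", "action": "allow", "src": "10.0.0.5"},
    {"id": 2, "type": "log", "logging": "stored", "service": "DNS", "action": "allow", "src": "10.0.0.5"},
    {"id": 3, "type": "log", "logging": "transient", "service": "SSH", "action": "allow", "src": "10.0.0.9"},
    {"id": 4, "type": "log", "logging": "essential", "service": "DNS", "action": "discard", "src": "10.0.0.9"},
    {"id": 5, "type": "alert", "logging": "alert", "service": "DNS", "action": "allow", "src": "10.0.0.5"},
    {"id": 6, "type": "audit", "logging": "stored", "service": "DNS", "action": "allow", "admin": "admin1"},
]
# Drop allowed DNS noise before anyone sees it; keep allowed HTTP visible but do not store it.
IMMEDIATE_DISCARD = [all_of(equals("service", "DNS"), equals("action", "allow"))]
DISCARD_BEFORE_STORING = [all_of(equals("service", "HTTP"), negate(equals("action", "discard")))]


def ids(entries: Sequence[LogEntry]) -> List[int]:
    return [e["id"] for e in entries]


if __name__ == "__main__":
    r = prune(SAMPLE_ENTRIES, IMMEDIATE_DISCARD, DISCARD_BEFORE_STORING)
    print("discarded:", ids(r.discarded), "current:", ids(r.current), "stored:", ids(r.stored))
    print("Match All would destroy all new logs:", destroys_all_logs([match_all], SAMPLE_ENTRIES))
```

<p>On the sample, entry 2 (allowed DNS) is discarded outright, entries 1, 3, 4, 5, and 6 remain visible as current logs, and only 4, 5, and 6 are stored: the allowed HTTP log 1 is displayed but dropped before storing, the transient SSH log 3 is never a candidate for storage, and the alert and audit entries pass both stages untouched. destroys_all_logs() is the check to run against a sample of recent entries before enabling pruning, since a Match All Immediate Discard filter returns True for any sample.</p>
<p>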
SMC provides predefined log forwarding formats to facilitate the integration with SIEM systems.</p>
<p>If log pruning is used, log entries must pass the Immediate Discard filter to be forwarded from a Log Server to external servers.</p>
<p>Note that if you want to forward log data in the NetFlow or IPFIX format from the Log Server to a third-party device, you must select Connection Closing with Log Accounting Information as the logging option in the rule that creates the log data.</p>
<p>Syslog forwarding</p>
<p>▪ Easy integration with SIEMs</p>
<p>▪ Fully configurable log data syslog redirection from the Management Client</p>
<p>▪ Out-of-box templates for SIEM integration</p>
<p>• McAfee ESM</p>
<p>• ArcSight (CEF)</p>
<p>• Q1Labs (LEEF)</p>
<p>• RSA enVision</p>
<p>• NetFlow</p>
<p>• IPFIX</p>
<p>• Forcepoint FBA</p>
<p>• Kafka (Splunk)</p>
<p>Diagram: NGFW → Log Server → syslog.</p>
<p>Objective: Describe the methods available for managing the space consumed by log data.</p>
<p>Log management is the process of configuring when logs are generated, which of the generated logs are stored, and when stored logs can be deleted or archived.</p>
<p>Log management is needed to keep the number of logs to a reasonable level and to prevent logs from filling the Log Servers (when the disk is full, the Log Server stops working until the log data is cleared).</p>
<p>You can configure log pruning to reduce the number of logs stored on the Log Server.</p>
<p>You can also create Log Tasks to archive, export, and delete logs, and schedule the Log Tasks to be performed automatically at regular intervals.</p>
<p>Since log data is stored in the directory tree by hour and by device (see Log Files below), log deletion and archiving can also be done with 
operating system tools, if no filtering other than by sender and creation time is required.</p>
<p>An alert notification is sent at maximum disk capacity. Events are buffered on the engines until the Log Server becomes available. If the engines’ buffers run out as well, some log entries are deleted, starting with the oldest entries (essential and alert logs are deleted last).</p>
<p>Log Tasks</p>
<p>Predefined Log Tasks are used for exporting, archiving, and deleting logs. Only administrators who have the right to manage logs can create and run Log Tasks.</p>
<p>You can define Log Tasks and run them manually as necessary or automatically according to a schedule.</p>
<p>You can specify a script in the Script to Execute After the Task field. The Log Server triggers this script after completing the task.</p>
<p>Log data management</p>
<p>▪ Tasks can be created to:</p>
<p>• Export logs</p>
<p>• Archive logs</p>
<p>• Delete logs</p>
<p>▪ Filters can be applied.</p>
<p>▪ Tasks can be scheduled.</p>
<p>The task properties define what each task does when executed:</p>
<p>Export Log Tasks: The Operation Type defines the format for the exported data:</p>
<p>• Export XML: logs are exported in XML format.</p>
<p>• Export CSV: logs are exported in comma-separated (CSV) format.</p>
<p>• Export CEF: logs are exported in CEF format.</p>
<p>• Export LEEF: logs are exported in LEEF format.</p>
<p>• Export ESM</p>
<p>• Export IPS Recordings as PCAP/Snoop: copies IPS traffic recordings to be viewed in “sniffer” tools such as tcpdump, WinDump, or Wireshark.</p>
<p>Archive Log Task: Copies the selected log data to separate files in the NGFW log file format. The Archive Log Task can also optionally delete the original data after it has been copied. 
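</p>
<p>The operating-system-level selection mentioned above (archiving or deleting hourly log files by sender and time without a Log Task), as an added Python example that is not Forcepoint code. It parses the file name format given under Log Files below, YYYYMMDD_hh_C_MMDDhhmmsssss.arch, with the dates in UTC. Two assumptions are made for the demo: that each sender's files sit in their own sub-directory under data/storage (the text only says the tree is organized by hour and by device), and that the creation stamp after _C_ splits as month, day, hour, minute, second, and a three-digit millisecond field. The sample paths are constructed.</p>

```python
"""Select hourly Log Server files by sender and event time, as an OS-level
archive or cleanup job would.

Added example, not Forcepoint code. Uses the course's file name format
YYYYMMDD_hh_C_MMDDhhmmsssss.arch (UTC). Assumptions: the sender is the
parent directory name, and the creation stamp is MM DD hh mm ss + sss ms.
"""
import re
from datetime import datetime, timezone
from pathlib import PurePosixPath
from typing import Iterable, List, NamedTuple, Optional

LOG_FILE_RE = re.compile(r"^(?P<date>\d{8})_(?P<hour>\d{2})_C_(?P<created>\d{13})\.arch$")


def utc(iso: str) -> datetime:
    """Parse an ISO 8601 timestamp; a value without an offset is taken as UTC."""
    d = datetime.fromisoformat(iso)
    return d if d.tzinfo else d.replace(tzinfo=timezone.utc)


class LogFile(NamedTuple):
    path: str
    sender: str            # assumption: the parent directory names the sending engine
    event_hour: datetime   # UTC start of the hour the logged events belong to
    created: datetime      # UTC time at which the Log Server created the file


def parse_log_file(path: str) -> Optional[LogFile]:
    """Return the parsed name, or None for a file that does not follow the convention."""
    p = PurePosixPath(path)
    m = LOG_FILE_RE.match(p.name)
    if m is None:
        return None
    try:
        event_hour = datetime.strptime(m["date"] + m["hour"], "%Y%m%d%H").replace(tzinfo=timezone.utc)
        c = m["created"]   # assumption: MM DD hh mm ss followed by three millisecond digits
        created = datetime(event_hour.year, int(c[0:2]), int(c[2:4]), int(c[4:6]),
                           int(c[6:8]), int(c[8:10]), int(c[10:13]) * 1000, tzinfo=timezone.utc)
    except ValueError:     # digits that are not a real time, e.g. hour 25 or month 13
        return None
    if created < event_hour:   # the stamp carries no year: December events written in January
        created = created.replace(year=created.year + 1)
    return LogFile(path, p.parent.name, event_hour, created)


def select_for_archiving(paths: Iterable[str], sender: str, older_than: datetime) -> List[str]:
    """Files of `sender` whose event hour starts before `older_than`; other names are skipped."""
    if older_than.tzinfo is None:
        raise ValueError("older_than must be timezone-aware: the file names are in UTC")
    selected = []
    for path in paths:
        lf = parse_log_file(path)
        if lf is not None and lf.sender == sender and lf.event_hour < older_than:
            selected.append(path)
    return sorted(selected)


# Constructed sample directory listing (not real Log Server data).
SAMPLE_FILES = [
    "/data/storage/fw-hq-node1/20220314_09_C_0314100012345.arch",
    "/data/storage/fw-hq-node1/20220314_10_C_0314110007120.arch",
    "/data/storage/fw-hq-node1/20220320_23_C_0321000005001.arch",
    "/data/storage/fw-branch-1/20220314_09_C_0314100030999.arch",
    "/data/storage/fw-hq-node1/notes.txt",
]

if __name__ == "__main__":
    cutoff = utc("2022-03-15T00:00:00")
    for path in select_for_archiving(SAMPLE_FILES, "fw-hq-node1", cutoff):
        lf = parse_log_file(path)
        print(f"{path}: events {lf.event_hour.isoformat()}, written {lf.created.isoformat()}")
```

<p>The function only selects; the caller decides whether to move the files to an archive directory or delete them. Selecting on the event hour encoded in the name rather than on the file system's modification time keeps the choice consistent with what the Log Server itself treats as the log's time, and the explicit UTC handling avoids off-by-one-hour mistakes on a server whose local time zone differs.</p>
<p>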
The task can also delete some other set of selected data.</p>
<p>The Log Server’s default archive directory is data/archive. You can define up to 32 alternative or additional directories to archive some or all of the logs, for example on a network drive.</p>
<p>Delete Log Task: Deletes the selected data from the current log files on the Log Server.</p>
<p>Log Files</p>
<p>A separate log file is created for the logged events each hour. The logs from different engines are stored in separate files.</p>
<p>The log files are stored by default in the /data/storage/ directory on the Log Server.</p>
<p>The log files have the name YYYYMMDD_hh_C_MMDDhhmmsssss.arch.</p>
<p>• The date YYYYMMDD_hh refers to the date and hour of the logged events.</p>
<p>• The rest of the file name, starting with “_C”, refers to the file creation date and to the originator of the logged events.</p>
<p>• The dates in the file name use UTC (GMT) time.</p>
<p>Knowledge check</p>
<p>1. What are the different log entry types in Forcepoint NGFW?</p>
<p>2. How can you prevent excessive log entries from being generated?</p>
<p>3. How would you configure the logging options for a rule that generates both useful and unnecessary logs?</p>
<p>1. Audit, Security Engine, Alert, Inspection, and other log types are available in the log browser.</p>
<p>2. Excessive log entries can be avoided by setting up the correct log level in the rules.</p>
<p>3. The logging would be set to stored or transient, and log data pruning would be used to filter out unnecessary log entries.</p>
<p>Knowledge check</p>
<p>4. 
What is an example of how logs can be filtered in the Logs view?</p>
<p>5. When should diagnostic logs be used?</p>
<p>4. Drag-and-drop filtering is an easy way to filter logs and create local filters. For permanent filters, the filtering criteria must be saved in the filter editor.</p>
<p>5. Diagnostic logs are used for additional information about a firewall facility, usually in troubleshooting and support.</p>
<p>Policy Tools</p>
<p>Course roadmap</p>
<p>This course contains the following modules:</p>
<p>1. NGFW Overview</p>
<p>2. SMC Overview</p>
<p>3. Getting Started with the SMC</p>
<p>4. NGFW Policies and Templates</p>
<p>5. Access Control and NAT</p>
<p>6. Traffic Inspection</p>
<p>7. Inspection Policy</p>
<p>8. Malware Detection and File Filtering</p>
<p>9. Alerts and Notifications</p>
<p>10. Users and Authentication</p>
<p>11. Mobile VPN and SSL VPN Portal</p>
<p>12. Site-to-Site VPN</p>
<p>13. Advanced Logging</p>
<p>14. Policy Tools</p>
<p>15. Monitoring and Reporting</p>
<p>16. 
Troubleshooting</p>
<p>Module objectives</p>
<p>After successfully completing this module, you will be able to:</p>
<p>▪ Describe the benefits of Policy Snapshots.</p>
<p>▪ Search rules in a Forcepoint NGFW policy.</p>
<p>▪ Analyze policy structure and apply tools to optimize access rules.</p>
<p>Objective: Describe the benefits of Policy Snapshots.</p>
<p>A Policy Snapshot is created each time a policy is successfully uploaded to the engine. The Management Server stores the 100 latest Policy Snapshots for each engine. You can compare the edited version of the policy with the one currently on the engine. The policy comparison tool is convenient for checking the changes (made by other administrators) before uploading the policy. You can also restore a policy from a Policy Snapshot.</p>
<p>Policy snapshots</p>
<p>▪ A policy snapshot is a stored record of an NGFW configuration.</p>
<p>▪ Policy installation always creates a new policy snapshot element.</p>
<p>▪ Compare different policy snapshots with each other to see the differences.</p>
<p>Objective: Search rules in a Forcepoint NGFW policy.</p>
<p>The rule search tool is available for Access rules, NAT rules, and Exceptions in Inspection Policies. It allows you to search rules by typing an IP address or dragging and dropping elements into the cells. 
Inherited rules and rules in Sub-Policies are also highlighted.</p>
<p>In the Rules tree in the Inspection Policy, you can use the type-ahead search to find a specific Situation.</p>
<p>Rule search</p>
<p>▪ Rule search tool: find matching rules in access rules</p>
<p>▪ Type-ahead search to find the matching Situation in the inspection rule tree</p>
<p>Objective: Analyze policy structure and apply tools to optimize access rules.</p>
<p>The policy validation tool allows you to run various types of validation checks in the policy views and at policy installation. The checks include, for example, searches for duplicate rules and rules that can never match because of the policy structure. This helps you to find logical mistakes and unreachable rules. You can also disable the validation for individual rules.</p>
<p>Policy validation</p>
<p>Policy validation helps to find mistakes and unreachable rules.</p>
<p>The Rule Counter Analysis provides information on which Access rules and Network Address Translation (NAT) rules have matched the actual network traffic. The analysis can help you find, for example, unnecessary Access rules. The Rule Counter Analysis is based on statistical information stored on the Log Server. The number of connections that match an Access rule is shown in the Hit cell of each Access rule. If the Rule Counter Analysis has not been run, the Hit cell is empty. 
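</p>
<p>The structural checks the validation tool performs (duplicate rules and rules that can never match) together with the Hit cell values of the Rule Counter Analysis, as an added Python example that is not SMC code. It assumes first-match evaluation of an ordered Access rule list and treats a rule as unreachable when an earlier terminal rule covers all of its sources, destinations, and services; the rule list, the service and action names, and the per-rule hit counts are constructed for the demo.</p>

```python
"""Policy checks of the kind the validation tool and Rule Counter Analysis perform.

Added example, not SMC code. A policy is an ordered list of Access rules
evaluated first-match. validate_policy() reports duplicate rules and rules
that an earlier terminal rule fully covers; rule_counter() renders the Hit
cell from per-rule match counts. All sample data is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple, Union

ANY = "ANY"
Nets = Union[str, FrozenSet[str]]        # ANY or a set of CIDR strings
Services = Union[str, FrozenSet[str]]    # ANY or a set of service names


@dataclass(frozen=True)
class AccessRule:
    rule_id: str
    src: Nets
    dst: Nets
    services: Services
    action: str   # "allow", "discard", "refuse", or the non-terminal "continue"


def _covers_nets(outer: Nets, inner: Nets) -> bool:
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    outer_nets = [ipaddress.ip_network(n) for n in outer]
    return all(
        any(i.version == o.version and i.subnet_of(o) for o in outer_nets)
        for i in (ipaddress.ip_network(n) for n in inner)
    )


def _covers_set(outer: Services, inner: Services) -> bool:
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return set(inner) <= set(outer)


def covers(earlier: AccessRule, later: AccessRule) -> bool:
    """A terminal earlier rule shadows `later` if it matches everything `later` matches."""
    return (earlier.action != "continue"
            and _covers_nets(earlier.src, later.src)
            and _covers_nets(earlier.dst, later.dst)
            and _covers_set(earlier.services, later.services))


def validate_policy(rules: List[AccessRule]) -> Dict[str, List[str]]:
    """Rule ids that are exact duplicates of an earlier rule, or unreachable behind one."""
    findings: Dict[str, List[str]] = {"duplicate": [], "unreachable": []}
    key = lambda r: (r.src, r.dst, r.services, r.action)
    for i, rule in enumerate(rules):
        earlier = rules[:i]
        if any(key(r) == key(rule) for r in earlier):
            findings["duplicate"].append(rule.rule_id)
        elif any(covers(r, rule) for r in earlier):
            findings["unreachable"].append(rule.rule_id)
    return findings


def rule_counter(rules: List[AccessRule],
                 hits: Optional[Dict[str, int]]) -> Tuple[Dict[str, str], List[str]]:
    """Hit cell per rule: "" if the analysis was never run, "N/A" if the rule has no
    statistics yet, otherwise the count. Also returns rules with statistics but zero hits."""
    cells: Dict[str, str] = {}
    unused: List[str] = []
    for rule in rules:
        if hits is None:
            cells[rule.rule_id] = ""
        elif rule.rule_id not in hits:
            cells[rule.rule_id] = "N/A"
        else:
            cells[rule.rule_id] = str(hits[rule.rule_id])
            if hits[rule.rule_id] == 0:
                unused.append(rule.rule_id)
    return cells, unused


# Constructed sample policy and Log Server statistics.
SAMPLE_POLICY = [
    AccessRule("R1", ANY, frozenset({"10.1.0.0/16"}), frozenset({"HTTP", "HTTPS"}), "allow"),
    AccessRule("R2", frozenset({"10.0.0.0/8"}), frozenset({"10.1.10.0/24"}), frozenset({"HTTP"}), "allow"),
    AccessRule("R3", frozenset({"192.168.1.0/24"}), ANY, frozenset({"SSH"}), "discard"),
    AccessRule("R4", frozenset({"192.168.1.0/24"}), ANY, frozenset({"SSH"}), "discard"),
    AccessRule("R5", frozenset({"192.168.2.0/24"}), frozenset({"10.2.0.0/16"}), frozenset({"SSH"}), "allow"),
    AccessRule("R6", ANY, ANY, ANY, "discard"),
]
SAMPLE_HITS = {"R1": 1200, "R2": 0, "R3": 15, "R4": 0, "R6": 340}   # R5 just added: no statistics yet

if __name__ == "__main__":
    print(validate_policy(SAMPLE_POLICY))
    print(rule_counter(SAMPLE_POLICY, SAMPLE_HITS))
```

<p>On the sample policy, R4 is reported as a duplicate of R3 and R2 as unreachable, because R1 already allows HTTP from anywhere to the whole 10.1.0.0/16. The counter side flags R2 and R4 as rules with statistics but no matches, while R5, which has no statistics yet, gets "N/A". Cover checks on mixed IPv4 and IPv6 networks are answered as "not covered" rather than raising, which is the safe direction for a validation tool.</p>
<p>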
If an Access rule has just been added and there is no statistical information about the rule, the Hit cell shows “N/A”.</p>
<p>Rule counter analysis</p>
<p>Rule counter analysis provides information on which access rules have matched the actual network traffic.</p>
<p>All changes made to the configuration, including changes in routing information, VPN configuration, and engine configuration, are transferred to NGFW engines during policy installation. The entire configuration (not just the changes made since the previous installation) is transferred to the engines.</p>
<p>Fail-safe policy installation with automatic rollback prevents the installation of policies that would prevent management connections.</p>
<p>NGFW policy activation</p>
<p>▪ Entire configuration transferred to engines during policy installation</p>
<p>▪ Fail-safe policy installation with automatic rollback</p>
<p>▪ Check for un-transferred configuration changes</p>
<p>Diagram: the Management Server sends the NGFW policy and configuration files to the NGFW engine (Policy Installation); the engine checks for management connectivity and, when the check is OK, the policy is applied.</p>
<p>Knowledge check</p>
<p>1. What is a Policy Snapshot?</p>
<p>2. What is the benefit of Policy Snapshots?</p>
<p>3. What rule validation checks are available in an NGFW Policy?</p>
<p>4. What information is transferred to the engine during policy installation?</p>
<p>1. A Policy Snapshot is a copy of the NGFW configuration at the time it was installed.</p>
<p>2. Policy Snapshots can be compared and restored if needed.</p>
<p>3. Policy validation includes invalid rules, duplicated rules, and unreachable rules. 
Rules that are never matched by traffic can also be identified by rule counters.</p>
<p>4. The entire configuration is transferred to engines during policy installation.</p>
<p>Monitoring and Reporting</p>
<p>Course roadmap</p>
<p>This course contains the following modules:</p>
<p>1. NGFW Overview</p>
<p>2. SMC Overview</p>
<p>3. Getting Started with the SMC</p>
<p>4. NGFW Policies and Templates</p>
<p>5. Access Control and NAT</p>
<p>6. Traffic Inspection</p>
<p>7. Inspection Policy</p>
<p>8. Malware Detection and File Filtering</p>
<p>9. Alerts and Notifications</p>
<p>10. Users and Authentication</p>
<p>11. Mobile VPN and SSL VPN Portal</p>
<p>12. Site-to-Site VPN</p>
<p>13. Advanced Logging</p>
<p>14. Policy Tools</p>
<p>15. Monitoring and Reporting</p>
<p>16. Troubleshooting</p>
<p>Module objectives</p>
<p>After successfully completing this module, you will be able to:</p>
<p>▪ Monitor the system and firewall activity.</p>
<p>▪ Describe the use of overviews in the SMC user interface.</p>
<p>▪ Configure and generate reports.</p>
<p>▪ Monitor third-party components.</p>
<p>▪ Monitor Application Health.</p>
<p>Objective: Monitor the system and firewall activity.</p>
<p>Monitoring is done in the Management Client.</p>
<p>The Dashboards views provide the operating and connectivity status of SMC components and third-party components that are set up to be monitored through the SMC. You can view more details by clicking the displayed status information. 
The alert summary displayed here refers to active alerts (alerts that have not yet been acknowledged).</p>
<p>The status information is stored on Log Servers. The Management Server compiles the Dashboard views based on data from all Log Servers.</p>
<p>The Status Tree displays all components in your system that can be monitored and those diagrams and groups that include monitored elements. Selecting an element in the Status Tree switches the main view to graphical monitoring.</p>
<p>The automatic graphical monitoring diagram shows the selected component’s status and the status of its connections with other system components.</p>
<p>When you select an individual engine node in the Status tree, the main view switches to hardware monitoring with details on the status of network ports.</p>
<p>Selecting an element also shows detailed information about that component in the Info panel.</p>
<p>The information panes and diagrams displayed in the home view can be customized.</p>
<p>Status monitoring</p>
<p>The SMC Dashboards view allows you to see the system status at a glance.</p>
<p>Screenshots: NGFW Engines dashboard; Connectivity Diagrams.</p>
<p>System Connections Monitoring</p>
<p>When you select an individual engine node in the Status tree, the System Connections pane shows all the connections established between the engine node and other system components.</p>
<p>Appliance Status Monitoring</p>
<p>• When you select an individual engine node in the Status tree, the main view switches to hardware status monitoring with details on the status of network ports. The node’s Info panel provides more details on the appliance’s device status and its interfaces. 
This allows you to monitor the hardware status (such as fan speed, temperature, and NIC status) of compatible NGFW appliances directly through the Management Client. Appliance status monitoring helps you to better identify problems with hardware and spot issues earlier.</p>
<p>• You can also create your own diagrams to view and monitor the status of the elements in your system.</p>
<p>Status monitoring</p>
<p>NGFW status monitoring.</p>
<p>Screenshots: System Connections; Appliance Status.</p>
<p>In the session monitoring views, you can see currently open connections, active VPN SAs, active users, routing on the NGFW, as well as the enforced blacklist entries and directly connected neighbors in the network.</p>
<p>• The Connections view shows you the currently active connections.</p>
<p>• The Blacklist view shows you the current blacklist entries.</p>
<p>• The VPN SAs view shows you all active VPN tunnels.</p>
<p>• The Users view shows you all currently active users.</p>
<p>• The Routing view shows you current static and dynamic routes.</p>
<p>• The Neighbors Monitoring view shows directly connected neighbors in the network.</p>
<p>Note: To monitor LLDP neighbors, LLDP must be enabled for the NGFW Engine. If LLDP is not enabled, the Neighbor Monitoring view only shows ARP and IPv6 Neighbor Discovery Protocol (NDP) entries.</p>
<p>Tools to better visualize the data, such as log aggregation and statistics, are available in some of the views. 
You can also save snapshots of session monitoring.</p>
<p>You can terminate connections, delete VPN SAs, and close user sessions directly from the relevant view.</p>
<p>Session monitoring</p>
<p>▪ There are multiple views for session monitoring:</p>
<p>• Connection monitoring</p>
<p>• VPN SA monitoring</p>
<p>• Neighbors monitoring</p>
<p>• User monitoring</p>
<p>• Route monitoring</p>
<p>▪ Features include:</p>
<p>• Statistics</p>
<p>• Filtering</p>
<p>• Aggregations</p>
<p>• Snapshots</p>
<p>SD-WAN dashboard</p>
<p>The SD-WAN dashboard allows you to monitor SD-WAN features, such as Multi-Link and VPNs, and to view statistics and reports related to SD-WAN features.</p>
<p>Branches represent the VPN gateways and NetLink elements associated with each NGFW Engine. The SD-WAN dashboard summarizes status information for all branches and VPNs.</p>
<p>When you select a branch in the Status tree, detailed monitoring information about the NetLinks, VPN tunnels, and traffic associated with the branch is displayed. When you select a VPN in the Status tree, information about the configuration status of the VPN is displayed.</p>
<p>Various statistics items related to SD-WAN monitoring are available when you customize the SD-WAN dashboard. You can also use these statistics items in Reports and Overviews.</p>
<p>SD-WAN Dashboard</p>
<p>Monitor ISP links and VPNs.</p>
<p>User Dashboard</p>
<p>In the Management Client, there is a user dashboard where you can see an overview of user activity.</p>
<p>For example, you can see if any activity indicates suspicious behavior, such as using certain network applications, attempts to access specific networks, or if a user has been associated with an attack Situation. 
The diagrams displayed in the User dashboard view can be customized.</p><p>When users have been active and have caused log data to be generated, they are shown in the Users list. You can configure the period within which a user must have been active. If there are no usernames stored in the log data, or in regions where privacy laws require that users must not be easily identified, you can show the IP addresses of users instead of their names.</p><p>The Statistics panes contain charts and general statistics of user activities, and if you select an individual user, you can see more detailed information about the user and their activities. If user information from Active Directory (AD) and the Endpoint Context Agent (ECA) service is available, the information is shown in separate panes in the Home view.</p><p>Note: To monitor users in the User Dashboard, you must enable the option in the global system properties. To be able to monitor users by name, you must enable the logging of user information in the Firewall IPv4 and IPv6 Access rules.</p><p>User dashboard</p><p>Monitor user activities.</p><p>Objective: Describe the use of overviews in the SMC user interface.</p><p>Overviews are monitoring views that provide real-time information on the traffic and the operating state of the SMC components.</p><p>Predefined overviews are available, such as the Access overview, Inspection overview, Application usage overview, VPN overview, and others.</p><p>The administrator can customize these overviews by selecting statistics from the hundreds of statistics sent by the NGFW Engines.</p><p>Overviews consist of one or more Sections that can include a wide variety of system information, such as:</p><p>• Element status
information</p><p>• Tables consisting of traffic and counter data</p><p>• Reports</p><p>• Geolocation maps</p><p>• Different types of charts (pie, curve, stacked bar, stacked curves)</p><p>Section types can be Counters Statistics or System Summary. Statistics types can be selected from:</p><p>• Progress (curve/bars)</p><p>• Top rate (pie/bars)</p><p>• Period total summary table</p><p>Overviews</p><p>Real-time statistics monitoring:</p><p>▪ Used for monitoring a variety of statistics in one window.</p><p>▪ Hundreds of statistics available.</p><p>▪ Predefined overviews for different purposes.</p><p>▪ Can be customized.</p><p>It is possible to define a threshold for automatic tracking of monitored items in Overviews. The values of the monitored items are checked at a configurable interval, and an alert is sent if the threshold is exceeded. You can escalate those alerts like any other alerts.</p><p>Alert thresholds</p><p>Automatic status surveillance:</p><p>▪ Graphical way to define thresholds for any overview statistic.</p><p>▪ An alert is created whenever the threshold line is exceeded.</p><p>Objective: Configure and generate reports.</p><p>• Reports are summaries of log data and statistical monitoring information that allow you to combine large amounts of data into an easily viewable form.</p><p>• With Reports, you can process log data and engine statistics into easily digestible diagrams, charts, and tables. Reports allow you to identify specific information from a large amount of data.
Reports can be automated and scheduled for different purposes:</p><p>• Customers of Service Providers</p><p>• Supervision purposes</p><p>• Troubleshooting</p><p>• Intrusion investigation, etc.</p><p>• You can create reports on NGFW engine log, alert, and audit entries as well as statistical monitoring information.</p><p>• You can view the generated reports on the screen, print them, or export them as PDF files or in tab-delimited text format. When you create PDF reports, you can customize the output using customer-specific templates.</p><p>• When you view the reports on the screen, you can interactively highlight and select for display the different items in the charts.</p><p>• You can also e-mail the generated reports automatically from the SMC to a selected address.</p><p>• Reports are also available in the Web Portal.</p><p>Reports</p><p>Fully configurable reports:</p><p>▪ Summaries of logged NGFW engine events and monitoring statistics.</p><p>▪ Report content and appearance can be customized.</p><p>▪ Reports can be scheduled.</p><p>▪ Reports can be delivered via email or the Web Portal in PDF format.</p><p>Reports consist of Report Items, Report Sections, and Report Designs.</p><p>The Report Design defines what the Report includes and how the Report should be generated. The Report Design specifies, for example, the length of the reporting period and the time resolution for the Report. There are several predefined Report Designs available for NGFW Engines and system components.</p><p>The Report Design consists of one or more Report Sections. A Report Section defines how the information is displayed graphically. Report Sections can be shared between Report Designs.
The SMC provides a large variety of predefined Report Sections, and you can create thousands of different types of statistics sections.</p><p>The statistics that you have generated from the logs can be saved and added as a new section in a Report.</p><p>Each Report Section includes one or more Report Items, which represent different types of items in the log data and statistical monitoring information (for example, traffic load values or the number of allowed connections). Report Items most often correspond to values in the log fields. The generated Report shows the Report Items as defined in the properties of the Report Sections.</p><p>Define reports</p><p>▪ Report design, sections, and items</p><p>[Diagram: Report design, Report sections, Report items]</p><p>Progress Summary: a bar or a curve chart</p><p>• Illustrates how events are spread out within the reporting period.</p><p>• Useful for finding trends in the data. For example, a summary of the amount of traffic in a network during a 24-hour period.</p><p>Top Rate Summary: a bar or a pie chart</p><p>• Illustrates events with the highest occurrences.</p><p>• Useful for highlighting the most common values in the data.
For example, a summary of the IP addresses that have received the most connections in a network yesterday.</p><p>• The first report item in a Top Rate Summary section must have a sorting criterion (for example, Allowed connections by source IP address), because the sorting criterion is applied to all the items of the section for ranking the top rates.</p><p>Period Total Summary: a table</p><p>• A simple table for displaying the exact event counts.</p><p>• Useful for providing data for further processing, for example, in a spreadsheet application.</p><p>System Information: a table</p><p>• The current value for the item in the database.</p><p>Summary types in Overviews and Reports</p><p>[Figure: Progress Summary, Top Rate Summary, and Period Total Summary examples]</p><p>Geolocations enable you to see where attackers are located.</p><p>• Map diagrams are available in all Reports, Statistics, and Overviews.</p><p>• You can view Top Rate diagrams as a map.</p><p>• The information is retrieved from the database that is included in the SMC. The database is updated during SMC upgrades.</p><p>• Geolocations are also available in the log records table, with country flags shown next to IP addresses.</p><p>• Country flags are useful information for anomaly detection. They help you to visually identify which log entries are related.</p><p>• To get more information on the source of the traffic that triggered a log entry, you can look up the Whois record of IP addresses in log entries. The Whois information is queried from the relevant Regional Internet Registry (RIR).
These include but are not limited to ARIN (American Registry for Internet Numbers), the RIPE NCC (Réseaux IP Européens Network Coordination Centre), and APNIC (Asia Pacific Network Information Centre).</p><p>Geolocations</p><p>Track anomalies in your network with geolocations.</p><p>[Figures: Country flags in the log records table; Geolocation map in statistics, reports, and overviews]</p><p>Objective: Monitor third-party components.</p><p>Status monitoring:</p><p>The SMC can probe the status of third-party devices by using:</p><p>• Ping</p><p>• TCP</p><p>• SNMP v1</p><p>• SNMP v2</p><p>• SNMP v3</p><p>When you specify the probing profile for the third-party device, you see its status in the SMC. When one of the SNMP status probing methods is used, you can also query statistics from the monitored device.</p><p>The SMC supports statistical monitoring of the following details:</p><p>• Amount of free and used memory.</p><p>• CPU load.</p><p>• Interface statistics.</p><p>Third-party monitoring</p><p>▪ SMC can probe status from third-party devices using:</p><p>• Ping</p><p>• TCP</p><p>• SNMP v1</p><p>• SNMP v2</p><p>• SNMP v3</p><p>▪ When SNMP is used for probing, SMC can also probe:</p><p>• Statistics related to memory</p><p>• CPU usage and interface statistics</p><p>Objective: Monitor Application Health.</p><p>Application Health Monitoring</p><p>▪ Application Health Monitoring visualizes application connection quality metrics monitored by NGFW engines.</p><p>▪ This data is visible via the Application Health Monitoring dashboard or per
NGFW in the NGFW Engines dashboard.</p><p>Application health monitoring collects the connection quality metrics of monitored network applications.</p><p>NGFW engines monitor network and application layer latency, packet loss, and retransmission rate by application.</p><p>This data is sent to the Log Server and used for displaying the application’s health status.</p><p>All application health information is available via the Application Health Monitoring dashboards. Application Health information can be viewed per NGFW via the NGFW Engines dashboard.</p><p>Application Health Monitoring Configuration</p><p>▪ Application Health Monitoring must be enabled in Global System Properties.</p><p>▪ If the For Top Network Applications option is selected, the NGFWs select the monitored applications.</p><p>▪ If the For Network Applications option is selected, the admin defines the monitored applications manually.</p><p>The For Top Network Applications option discovers monitored applications automatically. Applications are ranked based on the amount of traffic observed by the NGFWs. When this option is selected, accounting logging must be enabled so that the NGFWs log traffic rates for each connection.</p><p>The admin can configure how many applications are monitored. By default, 10 applications are monitored.</p><p>The For Network Applications option requires that the admin defines the monitored applications manually.
When using this option, it is recommended to enable accounting logging for better application visibility.</p><p>Application Health Monitoring Configuration</p><p>▪ Access rules define what traffic is monitored for application health.</p><p>▪ Allow and Continue actions have the option to configure Network Application Latency Monitoring.</p><p>▪ You can disable application health monitoring in the NGFW engine properties.</p><p>Access rules define what traffic is monitored for application health. This enables you to monitor only the interesting part of the traffic going through the engine. For example, you can monitor only internet traffic and exclude internal traffic from application monitoring.</p><p>You can enable Network Application Latency Monitoring in either a Continue or an Allow rule.</p><p>You can disable application health monitoring in the NGFW engine properties. This allows you to use the same policy in multiple NGFWs even when you want to monitor applications on only some of them.</p><p>Knowledge check</p><p>1. What can you see in Overviews?</p><p>2. How are Overviews different from Reports?</p><p>3. What information can you get from hardware monitoring?</p><p>Answers:</p><p>1. Overviews show almost real-time statistics of hundreds of items.</p><p>2. Overviews are based on statistics counters, whereas reports are based on statistics counters and log data.</p><p>3. Hardware monitoring provides many types of information, including interface status, CPU temperature, fan speed, and file system usage.</p><p>Knowledge check</p><p>4.
What summary types would you use for each of the following cases?</p><p>a) The top 20 attacks in the reporting period.</p><p>b) The amount of traffic handled by each engine in a 24-hour period.</p><p>c) The total number of connections inspected, attacks detected, and alerts sent during the reporting period.</p><p>Answers:</p><p>a) Top Rate</p><p>b) Progress</p><p>c) Period total</p><p>Troubleshooting</p><p>Course roadmap</p><p>This course contains the following modules:</p><p>1. NGFW Overview</p><p>2. SMC Overview</p><p>3. Getting Started with the SMC</p><p>4. NGFW Policies and Templates</p><p>5. Access Control and NAT</p><p>6. Traffic Inspection</p><p>7. Inspection Policy</p><p>8. Malware Detection and File Filtering</p><p>9. Alerts and Notifications</p><p>10. Users and Authentication</p><p>11. Mobile VPN and SSL VPN Portal</p><p>12. Site-to-Site VPN</p><p>13. Advanced Logging</p><p>14. Policy Tools</p><p>15. Monitoring and Reporting</p><p>16.
Troubleshooting</p><p>Module objectives</p><p>After successfully completing this module, you will be able to:</p><p>▪ Explain the troubleshooting process.</p><p>▪ Use the SMC for troubleshooting.</p><p>▪ Explain how to collect diagnostics for Technical Support.</p><p>▪ Resolve common SMC issues.</p><p>▪ Explain how NGFW packet processing works.</p><p>Objective: Explain the troubleshooting process.</p><p>Many problems reported by users can be due to a network failure that requires troubleshooting. They could also be related to an NGFW malfunction. For example, when deploying an NGFW in your network, you may unintentionally misconfigure or misconnect your firewall. Knowing how to troubleshoot the NGFW will help you identify and efficiently fix issues in the NGFW system.</p><p>Troubleshooting process</p><p>When to troubleshoot?</p><p>▪ Connectivity issues:</p><p>• “I can’t send e-mail.”</p><p>• “My Internet is down.”</p><p>▪ Performance issues:</p><p>• “Web browsing is slow.”</p><p>• “FTP transfers take forever.”</p><p>▪ Firewall management issues:</p><p>• “My firewall status is red.”</p><p>• “I can’t push policy.”</p><p>▪ Administrative issues:</p><p>• “My license is invalid.”</p><p>• “Certificates have expired.”</p><p>▪ VPN issues:</p><p>• “The tunnel won’t come up.”</p><p>• “Tunnel is up but no traffic is going to the tunnel.”</p><p>• “IPsec VPN Client can’t connect.”</p><p>Troubleshooting process</p><p>What to do when troubleshooting</p><p>▪ Accurate problem descriptions</p><p>▪ Network diagrams</p><p>▪ System monitoring information</p><p>▪ System
snapshots taken at the time when a problem occurs</p><p>▪ Notes</p><p>▪ Data collection</p><p>▪ Logs</p><p>▪ Traffic captures</p><p>It is important to be able to describe the problem accurately. You can draw network diagrams and use the monitoring information obtained from the management platform to understand where the issue is. The product offers different ways to collect data from the system and relies on logs and traffic captures during the troubleshooting phase.</p><p>Objective: Use the SMC for troubleshooting.</p><p>Troubleshooting with the SMC</p><p>The SMC provides a wide range of tools for easy and extensive data collection.</p><p>▪ Logs and alerts</p><p>▪ Diagnostic logs</p><p>▪ Component connectivity monitoring</p><p>▪ View Configuration Snapshots remotely from the Management Client</p><p>▪ Integrated Traffic Capture feature for engines</p><p>▪ SgInfo from SMC servers and NGFW engines</p><p>▪ Backup of the Management Server</p><p>[Diagram: Diagnostics, TCP Dump, Logs, Alerts, Snapshots, Monitoring]</p><p>The SMC offers a wide range of tools to perform troubleshooting. You can rely on different kinds of logs and monitoring information from your NGFWs. Collecting a traffic capture from each separate engine interface is an easy operation, and if you think that you will need help from Forcepoint support, it is important to get sgInfos as soon as possible, before making any changes, installing policies, rebooting, or even considering rebooting the SMC server or the NGFW.</p><p>The sgInfo command gathers system information often required by Forcepoint support. The NGFW Engine and the SMC have separate sgInfos.
The information in sgInfos and tcpdump captures is much more useful if it is collected while the problem is present. Forcepoint Support may also require a Management Server backup in order to find the cause of the problem more quickly. Sometimes a backup including a fix can be provided to the customer in return. Optionally, you can take a backup of the Management Server and provide it to Support.</p><p>Troubleshooting with logs</p><p>▪ Access logs: coming from FW, IPS, and L2FW IPv4/IPv6 access control</p><p>▪ Inspection logs: coming from FW, IPS, and L2FW IPv4/IPv6 inspection</p><p>▪ Diagnostics: coming from other engine modules, like VPN (IPsec), authentication, DHCP, etc., to perform troubleshooting</p><p>In the NGFW engine, different modules such as the packet filter, inspection, IPsec, or authentication modules can create log events. The module at the origin of the log event is specified in the facility field of the log.</p><p>There are different kinds of logs that the SMC provides to perform troubleshooting:</p><p>• Packet filter logs are generated when an IPv4 or IPv6 access rule of the NGFW policy matches the traffic. For the NGFW to generate packet filter logs, the logging settings must be explicitly configured in the access rule, or they can be globally defined using a Continue rule. An important field in the NGFW logs is the Situation field. The Situations define the patterns that recognize the events in the traffic. When the traffic matches an access rule, the related actions are Connection Allowed or Connection Discarded, depending on whether the traffic is allowed to pass or not.
A Connection Closed log can also be generated at the end of the TCP connection.</p><p>• Inspection logs are generated when the packets contain interesting content that the system looks for. Inspection logs are created when an inspection rule in the NGFW inspection policy matches the traffic, for example, when an attack pattern has been detected or when a banned URL is found in the payload. Inspection logs can also be generated by an access rule when traffic matches the usage of an application. Inspection policies usually use predefined inspection rules where the logging level is configured according to the threat represented by the pattern to match. The logging level must be specified if you create your own inspection rules. Inspection rules can match any pattern in the traffic payload, so the related Situations you can find in the logs are countless. When the traffic matches an inspection rule, the related actions are Connection Permit or Connection Terminate, depending on whether the traffic is allowed to pass or not.</p><p>• Other log facilities exist, and they correspond to log events generated by other NGFW modules like IPsec, authentication, DHCP, the cluster protocol, etc. Sometimes you need to enable diagnostics on the NGFW to see more verbose logs from a module. Diagnostics mode provides more detailed log data for troubleshooting purposes. The diagnostics settings take effect immediately, and the Logs view begins to display additional entries for the options chosen. Be careful: diagnostics significantly increase the quantity of log data generated.
Diagnostics should be disabled when the troubleshooting is complete.</p><p>Troubleshooting with logs</p><p>▪ Connection closed: expected event at the end of a standard TCP connection. The logging settings in the Access rules determine whether the connection closing is logged.</p><p>▪ Connection reset: the connection was removed from the state table because a TCP RST packet was seen in the connection.</p><p>Connection closed logs are expected at the end of a standard TCP connection. By default, the connection closing is not logged. It can be enabled in the logging settings of the access rules.</p><p>Note that if you want to collect traffic volume information, for example to use in reports, connection closing must be logged with the Log Accounting Information option.</p><p>If a connection was closed because of a TCP Reset, a connection closed log is generated. The information message in the log indicates the origin of the reset. If the connection closing does not occur in the expected order of a normal TCP connection, the message may state “connection closed abnormally”. Frequent abnormal connection closings or resets may indicate problems in the network, such as an overloaded server.</p><p>Troubleshooting with logs</p><p>▪ Connection timeout</p><p>• Connection timeout log messages are generated for inactive connections that the firewall clears out from its connection tracking table.</p><p>• For some reason, the hosts that were communicating within this allowed connection have stopped transmitting packets to each other.</p><p>A connection closed log is also generated when a Connection Timeout occurs. You will see a “connection timeout” clarification in the information message.
Most connection timeouts are normal and necessary to ensure that the firewall cleans up inactive connections from its records, freeing up resources.</p><p>However, sometimes the timeout may prevent communications from continuing. If there is some application in your network that leaves connections inactive for long periods of time before continuing again, you can increase the timeout for those connections in the Action options of the Access rule that allows the connection.</p><p>Troubleshooting with logs</p><p>Incomplete connection closed</p><p>▪ The TCP connection was closed before the three-way handshake was finished.</p><p>▪ Possibly the SYN was seen but the server never responded with SYN+ACK.</p><p>▪ Alternatively, the SYN packet and the SYN+ACK were seen but the client never completed the handshake with the ACK packet.</p><p>Possible reasons:</p><p>▪ Server does not exist or is unavailable</p><p>▪ Asymmetric routing (SYN goes through the FW but SYN+ACK is routed elsewhere): “Connection timeout in state TCP_SYN_SEEN”</p><p>▪ Connection attempt to a closed port (SYN, RST)</p><p>A “connection closed abnormally” log event with an additional “incomplete connection closed” message is generated when the NGFW determines that a connection was unsuccessful because the three-way handshake was not completed properly. The firewall then removes the connection from its connection tracking table.</p><p>There can be several reasons for an uncompleted TCP handshake between two hosts. The destination server is simply not available, or the destination port on the server is closed.
In the case of asymmetric routing, the firewall can close the connection when it is not able to see the full TCP handshake.</p><p>A high number of “incomplete connection closed” messages may indicate problems in your network or in the communicating applications. You can take a Traffic Capture to find out where the packets are lost.</p><p>In some cases, SYN packets may be sent maliciously to random hosts in an attempt to find out your network structure. These attempts may sometimes be seen as SYN packets to hosts that do not exist, which may trigger the Incomplete Connection Closed messages if access to those addresses is allowed and routable.</p><p>Troubleshooting with logs</p><p>Not a valid SYN packet</p><p>▪ There is no connection in the state table to which this packet belongs.</p><p>▪ This packet is not a valid packet to open a new TCP connection.</p><p>Possible reasons:</p><p>▪ The connection was never opened</p><p>• Asymmetric routing (SYN+ACK is the first packet seen by the FW)</p><p>• Stealth port scan (FIN scan, for example)</p><p>▪ The connection used to exist but has been closed</p><p>• Normal FIN closure from one endpoint, the other FIN was delayed</p><p>• Idle timeout</p><p>The message indicates the flags set in the discarded packet (A=Ack, F=FIN, R=RST, P=Push, S=SYN).</p><p>A “Not a Valid SYN Packet” message can appear in the logs in conjunction with entries on discarded packets. “Not a Valid SYN Packet” means that there is a TCP packet that is not the first packet of a TCP connection with the SYN flag set, but is not part of an existing connection either.
However, this packet would be allowed by the policy if it were part of an existing tracked connection.</p><p>This can happen in different situations:</p><p>Asymmetric routing, meaning that the opening packet does not go through the firewall, but the reply (the SYN/ACK) does. If this is the case, there is a configuration error in the routing of the surrounding network that must be fixed.</p><p>Network scans or attacks that use ACK or FIN packets can also generate this type of log.</p><p>If a heavily loaded server or client sends a packet after the host at the other end of the connection has already timed out and closed the connection, the “Not a Valid SYN Packet” message will be seen.</p><p>The idle timeout can also be at the origin of the log. When a connection is idle for longer than the connection timeout defined in the access rule, the connection is erased from the firewall records. If the connection resumes, the packets will be discarded with the “Not a Valid SYN Packet” log. In this case, the timeout value for the access rule that allows the specific traffic can be increased.</p><p>You can capture network traffic data for network troubleshooting purposes. This data helps you to analyze network traffic to and from the engines.</p><p>Traffic capture creates a .zip file that contains a tcpdump CAP file, which is compatible with standard “sniffer” tools such as tcpdump, WinDump, or Wireshark. You can select whether to include full packet information or only IP address headers in the tcpdump. You can also include a free-form description and information about your configuration and trace files in the traffic capture .zip file.</p><p>The engine Traffic Capture tool is available directly in the SMC.
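</p><p>The connection log messages described above (connection closed, connection timeout, incomplete connection closed, not a valid SYN packet) can be sorted into triage categories before you decide whether a traffic capture is needed. The script below is an added example and not Forcepoint code: its key=value record layout, category names and sample addresses are constructed for illustration, while the message texts and flag letters follow the ones quoted on the slides.</p>

```python
"""Triage of NGFW TCP state-tracking log messages (added example).

The key=value line layout is constructed for illustration and is not the
SMC log export format; message texts follow the ones quoted on the slides.
"""
import re
from collections import Counter, defaultdict

# Constructed sample records; addresses come from documentation ranges.
SAMPLE_LOGS = """\
src=10.0.0.5 dst=192.0.2.10 dport=443 action=Allow info="Connection closed"
src=10.0.0.9 dst=192.0.2.10 dport=443 action=Allow info="Connection timeout"
src=10.0.0.7 dst=192.0.2.12 dport=80 action=Allow info="Connection timeout in state TCP_SYN_SEEN"
src=10.0.0.5 dst=192.0.2.11 dport=22 action=Allow info="Connection closed abnormally, incomplete connection closed"
src=10.0.0.5 dst=192.0.2.12 dport=22 action=Allow info="Connection closed abnormally, incomplete connection closed"
src=10.0.0.5 dst=192.0.2.13 dport=22 action=Allow info="Connection closed abnormally, incomplete connection closed"
src=10.0.0.5 dst=192.0.2.14 dport=22 action=Allow info="Connection closed abnormally, incomplete connection closed"
src=192.0.2.50 dst=10.0.0.20 dport=34001 action=Discard info="Not a valid SYN packet" flags=SA
src=198.51.100.3 dst=10.0.0.21 dport=445 action=Discard info="Not a valid SYN packet" flags=F
src=10.0.0.30 dst=192.0.2.60 dport=443 action=Discard info="Not a valid SYN packet" flags=A
src=10.0.0.30 dst=192.0.2.60 dport=443 action=Discard info="Not a valid SYN packet" flags=PA
src=10.0.0.31 dst=192.0.2.61 dport=443 action=Allow info="Connection reset"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value record into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def classify(rec):
    """Map one record to a triage category, using the message texts and the
    flag letters listed on the slide (A=ACK, F=FIN, R=RST, P=PSH, S=SYN)."""
    info = rec.get("info", "").lower()
    flags = set(rec.get("flags", ""))
    if "incomplete connection closed" in info:
        return "handshake_incomplete"        # three-way handshake never finished
    if "tcp_syn_seen" in info:
        return "syn_unanswered"              # SYN seen, no SYN+ACK came back through the FW
    if "connection timeout" in info:
        return "idle_timeout"                # routine cleanup of an inactive connection
    if "connection reset" in info:
        return "reset"                       # TCP RST removed the state table entry
    if "not a valid syn packet" in info:
        if {"S", "A"} <= flags:
            return "asymmetric_routing"      # SYN+ACK was the first packet the FW saw
        if "A" not in flags:
            return "stealth_scan_candidate"  # e.g. bare FIN with no tracked connection
        return "late_packet"                 # ACK/PSH after the tracked state expired
    if "connection closed" in info:
        return "normal_close"
    return "other"


def triage(log_text, scan_threshold=3):
    """Return (category counts, findings). A source with incomplete handshakes
    to at least scan_threshold distinct hosts is reported for a closer look."""
    counts = Counter()
    incomplete_by_src = defaultdict(set)
    late_by_dport = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        cat = classify(rec)
        counts[cat] += 1
        if cat == "handshake_incomplete":
            incomplete_by_src[rec["src"]].add(rec["dst"])
        elif cat == "late_packet":
            late_by_dport[rec["dport"]] += 1

    findings = []
    for src, dsts in sorted(incomplete_by_src.items()):
        if len(dsts) >= scan_threshold:
            findings.append(f"{src}: incomplete handshakes to {len(dsts)} hosts; "
                            "check server availability and routing, or unexpected probing")
    if counts["asymmetric_routing"] or counts["syn_unanswered"]:
        findings.append("SYN+ACK seen without its SYN, or SYN never answered: "
                        "verify symmetric routing around the firewall and server reachability")
    if counts["stealth_scan_candidate"]:
        findings.append(f"{counts['stealth_scan_candidate']} packet(s) with neither SYN nor ACK "
                        "outside any tracked connection: review the source in the Logs view")
    for dport, n in sorted(late_by_dport.items()):
        findings.append(f"port {dport}: {n} packet(s) arrived after the tracked connection "
                        "expired; consider a longer idle timeout in the Access rule that allows it")
    return counts, findings


if __name__ == "__main__":
    counts, findings = triage(SAMPLE_LOGS)
    for cat, n in sorted(counts.items()):
        print(f"{cat:24} {n}")
    for finding in findings:
        print("!", finding)
```

<p>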
The data can be archived and analyzed later, as the traffic capture .zip file is saved on the Management Server or in a directory on your local workstation.</p><p>Capturing traffic</p><p>The engine traffic capture tool is available in the SMC.</p><p>Objective: Explain how to collect diagnostics for Support.</p><p>SgInfo collects information about your system for NGFW technical support personnel.</p><p>SMC sgInfo file</p><p>• Configuration files for the Management Server, Log Server, and Management Client.</p><p>• Program trace files with logs of problem situations.</p><p>NOTE! SMC sgInfo files do not include any information on engine configuration, the traffic going through the engines, or engine status.</p><p>Engine sgInfo file</p><p>• Engine configuration files (can be read only if the files have been decrypted)</p><p>• Latest traffic logs</p><p>• Network information</p><p>• Snapshot of the current system and network status (load, ARP cache, connections, routing table, etc.)</p><p>NOTE! Engine sgInfo files do not include any information on the SMC’s configuration or status.</p><p>SgInfo can be run from the Management Client and retrieved on the client machine.</p><p>SgInfo should always be collected when the problem is present (if possible).
Old sgInfo files do not include any information on the current situation.</p><p>Diagnostics for Support - sgInfo</p><p>Gather system information for Support with sgInfo.</p><p>SMC sgInfo:</p><p>▪ Configuration files for SMC servers</p><p>▪ Trace files with logs of problem situations</p><p>NGFW sgInfo:</p><p>▪ Engine configuration files</p><p>▪ Traffic logs</p><p>▪ Snapshot of current system and network status</p><p>Management Client sgInfo:</p><p>▪ Operating system information</p><p>▪ Client trace files</p><p>The sgInfo script is a tool which gathers information from the NGFW environment into a compressed file. This information is needed for troubleshooting when requested by Forcepoint support. The sgInfo script is included by default in all NGFW engines and in the Management/Log Server distribution. The data collected is a snapshot of the current situation, and thus the problematic configuration should be active when sgInfo is collected.</p><p>Collecting sgInfos</p><p>[Figure: SMC sgInfo, NGFW sgInfo, and Management Client sgInfo]</p><p>Always collect sgInfo and take tcpdump traffic captures while you are experiencing the problem. Rebooting before collecting sgInfo files and tcpdump traffic captures should be avoided if possible. The reboot may sometimes fix a problem, but it may then be impossible to find out what caused the problem.</p><p>Supporting Forcepoint Technical Support</p><p>1. Define the problem as accurately as you can: Which component or components are affected? When did the problem occur? What changes were made before the problem started?</p><p>2. Provide sgInfo files: Always collect sgInfo and take tcpdump traffic captures while you are experiencing the problem.
Avoid rebooting before collecting the sgInfo file or taking a traffic capture.</p><p>3. Provide network diagrams. A visualization of the network environment makes the troubleshooting process easier.</p><p>Objective</p><p>Resolve common SMC issues.</p><p>Case #1: Client cannot connect to the Management Server</p><p>User/password is incorrect</p><p>Let’s now focus on general problems you may encounter when using the Management Client.</p><p>1. If you use an incorrect user password to log in to the Management Client, the error message displayed is explicit. An administrator who has unrestricted permissions can change any password in the Management Center. In an emergency, it is possible to create a new account with unrestricted permissions on the Management Server.</p><p>Case #1: Client cannot connect to the Management Server</p><p>Server local FW / FW in the path is blocking the connection</p><p>Service is not running</p><p>1. If the Management Client reports a connection problem, make sure you entered the Management Server address correctly on the login screen. If NAT is performed between the Management Client and the Management Server, the IP address used must be the NAT address. Locations and Contact Addresses are not used for selecting the correct address when you are just logging in.</p><p>Verify that the network between the Management Client and the Management Server is working and routing the traffic correctly. It could be that the server’s local firewall or an external firewall is blocking the connection (8902-8913/TCP).</p><p>2.
If the Management Server is not running, try to start the Management Server manually from the command line to gain more information. You can also check the tmp directory of your SMC installation: open the latest file with a name starting with MGTSRV and look for errors in the trace logs.</p><p>If the problem cannot be solved, collect an SMC sgInfo and, if possible, get the Management Backup.</p><p>Case #2: Logs are not shown</p><p>Logging is not enabled</p><p>These slides cover some common problems you may have with viewing logs.</p><p>Logs are fundamental resources for troubleshooting your NGFW system. There are various reasons why logs are not shown. Let’s review the various issues that can occur in this basic setup, where the Log Server is in a private network behind a firewall and the administrator connects to it from the internet.</p><p>1. Rules can create a log or alert entry each time they match. By default, the logging options set in a previous Continue rule are used. If no such rule exists, Firewalls and Layer 2 Firewalls log the connections by default. IPS engines do not log the connections by default. Each individual rule can be set to override the default values.</p><p>If you are using log pruning and you think that log entries are missing, check that the logs you want to see are not being pruned.</p><p>Case #2: Logs are not shown</p><p>Logging is blocked between NGFW and SMC (default TCP 3020)</p><p>(Diagram: Log Server IP 192.168.0.10, public IP 172.29.100.10)</p><p>2. The NGFW connects to the Log Server on port 3020 to send the logged data. If there is a firewall between the engine and the Log Server, you must allow the connection through the firewall.
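</p><p>The two connectivity cases above (Management Client to Management Server on 8902-8913/TCP, NGFW Engine to Log Server on 3020/TCP) can be narrowed down with a plain TCP probe before collecting an sgInfo. The script below is an added example, not part of the course or the product: the port numbers come from the text, while the host names, the result classification and the local listener used for the offline demonstration are constructed for illustration.</p>
<p>
```python
"""Probe the TCP ports that the SMC components use to talk to each other.

Added example, not part of the Forcepoint course or product. The port numbers
are the ones named in the course text: a Management Client reaches the
Management Server on 8902-8913/TCP and an NGFW Engine sends logs to the Log
Server on 3020/TCP (default). Host names in the __main__ block are placeholders.
"""
import socket
from typing import Dict, Iterable, List, Tuple

MGT_SERVER_PORTS = range(8902, 8914)   # 8902-8913/TCP, from the course text
LOG_SERVER_PORT = 3020                  # default engine -> Log Server port

ProbeResult = Tuple[bool, str]


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> ProbeResult:
    """Try a plain TCP connect and classify the outcome.

    A completed handshake only proves that something listens on the port;
    certificate, license and Location problems are separate troubleshooting cases.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        # SYN silently discarded: typically a server-local or in-path firewall.
        return False, "timeout"
    except ConnectionRefusedError:
        # RST came back: the host answers but no service listens on the port.
        return False, "refused"
    except OSError as exc:
        # DNS failure, no route, etc.: address or routing problem.
        return False, f"error: {exc}"


def check_ports(host: str, ports: Iterable[int], timeout: float = 2.0) -> Dict[int, ProbeResult]:
    """Probe every port in `ports` on `host`; keys are port numbers."""
    return {port: tcp_reachable(host, port, timeout) for port in ports}


def diagnose(results: Dict[int, ProbeResult]) -> List[str]:
    """Map probe outcomes onto the cases covered in the course."""
    hints = []
    for port, (ok, reason) in sorted(results.items()):
        if ok:
            continue
        if reason == "timeout":
            hints.append(f"{port}/tcp: no answer; check the server's local firewall "
                         f"and any firewall in the path for this port")
        elif reason == "refused":
            hints.append(f"{port}/tcp: connection refused; the service is not listening, "
                         f"start it manually from the command line and read its trace file")
        else:
            hints.append(f"{port}/tcp: {reason}; verify the address (use the NAT address "
                         f"if NAT is in the path) and the routing")
    return hints


def open_local_listener() -> Tuple[socket.socket, int]:
    """Start a throwaway listener on 127.0.0.1 (used to demonstrate the probe offline)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Offline demonstration: the same port first answers, then refuses.
    srv, port = open_local_listener()
    print(check_ports("127.0.0.1", [port]))
    srv.close()
    print(diagnose(check_ports("127.0.0.1", [port])))
    # Against a real deployment, replace the placeholder host names:
    # diagnose(check_ports("mgt-server.example", MGT_SERVER_PORTS))
    # diagnose(check_ports("log-server.example", [LOG_SERVER_PORT]))
```
</p>
<p>Run it from the machine that reports the problem (the Management Client host for the 8902-8913 range, the engine side for 3020): a timeout and a refusal point to different cases in the text, a firewall in the path versus a service that is not running, and the hint strings say which to check first.</p><p>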
The log entries are spooled on the engines if they cannot be sent to the Log Server.</p><p>Case #2: Logs are not shown</p><p>Log Server is not up and running</p><p>3. If the Log Server is not up and running, you should identify the reason. Try to start the Log Server manually from the command line to gain more information. If there is not enough space for logs on the hard disk, you will be notified of the situation by the related alerts before the Log Server stops working.</p><p>Case #2: Logs are not shown</p><p>Problem with Locations</p><p>4. The Log Server must be reachable from the computer used for running the Management Client in order to see logs. If there is a NAT device between the Management Client and the Log Server, administrators must select the correct Location for the Management Client in the status bar at the bottom right corner of the Management Client window.</p><p>Case #2: Logs are not shown</p><p>Certificate issue</p><p>(Diagram: Management Client, Log Server, NGFW Engine)</p><p>The Log Server’s certificate for system communications may have expired, been deleted, or become otherwise invalid. In that case you should certify your Log Server again.</p><p>On a more general level, all SMC components must have a valid license, and if the license is bound to an IP address, this IP address must be an active one on the server.
All SMC servers are Java based and must have the exact same software version for the system to work.</p><p>If the log issue cannot be solved, you should get a cleartext sgInfo from the NGFW node and an SMC sgInfo.</p><p>Notes about NGFW system certificates:</p><p>• SMC servers and NGFW Engines use certificates to identify each other and to secure system communications. The certificates used in system communications are always generated by the internal certificate authority (CA) that runs on the Management Server.</p><p>• SMC and NGFW certificates are valid for three years from their creation. You must renew SMC server certificates when the certificates are about to expire or have expired. You can certify your Log Server or your Management Server again by launching the sgCertifyLogServer or the sgCertifyMgtServer script, respectively. The NGFW Engine certificates are renewed automatically by default.</p><p>• The SMC’s internal Certificate Authorities are valid for 10 years.</p><p>Case #3: Policy installation fails</p><p>Engine configuration is invalid</p><p>▪ An error message clearly reports the configuration issue in the upload status.</p><p>▪ SMC aborts the policy installation. The engine rolls back to the previously installed policy.</p><p>Another reason for a policy failure could be an error in the firewall configuration. SMC performs validation when generating the policy, and if the firewall configuration happens to be invalid, the policy installation will stop.
In this case, an error message will clearly report the configuration issue.</p><p>Case #3: Policy installation fails</p><p>Connectivity problem between SMC and the engine</p><p>▪ Policy installation fails at an early stage.</p><p>▪ Connection time-out message</p><p>▪ Various reasons:</p><p>• No network-level connectivity</p><p>• Wrong IP addresses configured for the engine or the Management Server</p><p>• Invalid certificates</p><p>If the policy installation fails at an early stage, this is a case of a connectivity problem between SMC and the Firewall. If there is no network-level connectivity, it could be that the engine or the Management Server uses the wrong IP address, or that the engine and the Management Server reject each other’s certificates.</p><p>If you cannot solve the policy installation problem and feel there is an issue with the system, you should get an sgInfo of the nodes refusing the configuration.</p><p>Case #3: Policy installation fails</p><p>New policy prevents connectivity between SMC and engine</p><p>▪ SMC cannot connect to the engine after the new policy is applied.</p><p>▪ The engine rolls back to the previously installed policy.</p><p>Once you have made the initial contact with the Management Server, you define the policy to be installed on the firewall engine. Keep in mind that together with the policy, the whole firewall configuration, such as the interface configuration, routing and anti-spoofing, and the VPN configuration, is sent to the engine.</p><p>The policy rollback is a safety mechanism that prevents changing the engines’ policy in ways that cut the connectivity between the engines and the Management Server.
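</p><p>The rollback mechanism is a commit-and-confirm pattern: the engine applies the new configuration, waits for the Management Server to contact it, and reverts if that contact does not arrive in time. The simulation below is an added example, not Forcepoint code; the time-out value, the Policy fields and the rule that decides whether SMC can reach the engine are constructed placeholders (the course does not state the real time-out), and the scenario replayed is the course’s own, a policy that omits the default gateway.</p>
<p>
```python
"""Simulation of the policy rollback safety mechanism described above.

Added example, not Forcepoint code. It models what the course describes: the
engine applies the new configuration, waits to be contacted by SMC, and reverts
to the previous policy if the contact does not happen within the time-out.
ROLLBACK_TIMEOUT_S, the Policy fields and the reachability rule are
constructed placeholders; the real engine time-out is not stated in the text.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, List, Optional

ROLLBACK_TIMEOUT_S = 30.0   # placeholder value, not the product's setting
POLL_INTERVAL_S = 1.0


@dataclass(frozen=True)
class Policy:
    version: int
    default_gateway: Optional[str]      # the setting left out in the course's example
    rules: tuple = ()


@dataclass
class Engine:
    running: Policy
    history: List[str] = field(default_factory=list)

    def install(self, new: Policy,
                smc_contact: Callable[[Policy], bool],
                clock: Callable[[], float] = time.monotonic,
                sleep: Callable[[float], None] = time.sleep) -> Policy:
        """Apply `new`, then wait for SMC contact; roll back to the old policy on time-out.

        `smc_contact(policy)` stands for "the Management Server managed to reach the
        engine under this configuration". `clock` and `sleep` are injectable so the
        behaviour can be driven with a fake clock instead of real waiting.
        """
        previous = self.running
        self.running = new
        self.history.append(f"applied v{new.version}")
        deadline = clock() + ROLLBACK_TIMEOUT_S
        while clock() < deadline:
            if smc_contact(self.running):
                self.history.append(f"contact from SMC, v{new.version} confirmed")
                return self.running
            sleep(POLL_INTERVAL_S)
        # Time-out: the new policy cut the management connection, so revert.
        self.running = previous
        self.history.append(f"time-out, rolled back to v{previous.version}")
        return self.running


def smc_can_reach_engine(policy: Policy) -> bool:
    """Constructed reachability rule: SMC sits behind a router, so the engine can
    only answer it if a default gateway is configured."""
    return policy.default_gateway is not None


class FakeClock:
    """Advances by `step` seconds every time it is read (drives the simulation)."""

    def __init__(self, step: float = 5.0) -> None:
        self.now = 0.0
        self.step = step

    def __call__(self) -> float:
        self.now += self.step
        return self.now


def run_course_example() -> Engine:
    """Replay the course's scenario: the new policy omits the default gateway."""
    engine = Engine(running=Policy(version=1, default_gateway="10.0.0.1"))
    engine.install(Policy(version=2, default_gateway=None),
                   smc_can_reach_engine, clock=FakeClock(), sleep=lambda s: None)
    return engine


if __name__ == "__main__":
    e = run_course_example()
    print("\n".join(e.history))
    print("running policy: v%d" % e.running.version)
```
</p>
<p>Because the installation is only confirmed by a contact initiated from the Management Server, a policy that breaks the return path (no default gateway, an Access rule that drops the management traffic, a wrong Contact Address) is undone automatically; the confirmation is what makes remote, unattended policy pushes safe.</p><p>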
After each policy installation, the engine applies its new configuration and waits to be contacted by SMC. If the contact fails within a defined time-out period, the engine automatically reverts to its previous policy. In this example, we omitted to specify a default gateway in the firewall routing configuration. Therefore, the firewall was able to apply the policy but was then not able to reply to SMC. The firewall rolled back to the previously installed policy version.</p><p>Objective</p><p>Explain how NGFW packet processing works.</p><p>Ethernet rules</p><p>The NGFW Engine checks Ethernet frames against the Ethernet rules in the policy. The packet is processed until it matches an Ethernet rule that tells whether to allow or discard the packet.</p><p>Packet sanity checks</p><p>Packets dropped in this phase produce log entries with specific situations, such as TCP Segment-SYN-No-Options. Not all invalid packet drops are logged unless Packet Filter diagnostics are enabled.</p><p>Anti-spoofing</p><p>The firewall checks that the traffic is coming in through the correct interface as defined in the routing and anti-spoofing configuration.</p><p>NGFW packet inspection procedure (diagram): Incoming packet, then Ethernet Rules (Allowed? NO: packet dropped), then Packet Sanity Checks (Valid packet? NO: packet dropped), then Antispoofing (Spoofed? YES: packet dropped).</p><p>Connection tracking</p><p>The firewall checks the current connection tracking information to see if the packet is part of an established connection (for example, a reply packet to a request that has been allowed). If TCP SYN rate limits or other DoS protection features are enabled, they are enforced at this stage.</p><p>Access Rules Matching</p><p>If the packet is not part of an existing connection, the packet is compared against the Access rules in the installed Firewall Policy. The processing continues until the packet matches a rule that tells the firewall to allow or stop the packet. If there is no rule match anywhere else in the policy, the packet is discarded when the firewall reaches the end of the Firewall Policy.</p><p>Protocol Validation</p><p>If the packet is allowed as part of an existing connection or by an Access rule, the engine checks that the packet is valid for the state of the connection. If not, the packet is dropped.
For example, a TCP connection must always begin with a SYN packet (as defined in the protocol standards). The NGFW Engine checks that the first packet of a new connection is a valid SYN packet.</p><p>NGFW packet inspection procedure (diagram): Connection Tracking (Existing connection? NO: Access Rules Matching, Allowed? NO: packet dropped), then Protocol Validation (Valid for connection state? NO: packet dropped).</p><p>Inspection and File Filtering Rules</p><p>The NGFW applies Inspection rules to connections that are selected for deep packet inspection or file filtering in the Access rules. Inspection applies to all packets in a connection, so the Inspection rules are applied even if the packet is part of an existing connection.</p><p>The Inspection rules are used to look for patterns of interest in allowed connections. The patterns can indicate potential attacks, exploits, or other possible threats. They can also be any other patterns of interest, such as multiple login attempts, peer-to-peer or instant messaging software use, or protocol violations in traffic. If a pattern in traffic matches a pattern defined in a rule, the actions defined in the rule are taken.</p><p>NAT Modifications</p><p>The NGFW applies Network Address Translation (NAT) rules to IPv4 and IPv6 connections. The source and destination addresses are translated according to the first matching NAT rule (or left untranslated if the matching NAT rule so defines). The packet continues with the original addresses if none of the NAT rules match.
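</p><p>The order of the stages above decides which checks a given packet ever reaches, and that is easiest to see by running packets through a model of it. The following is an added example, not Forcepoint code: a toy engine that applies the stages described so far (Ethernet rules, sanity checks, anti-spoofing, connection tracking, Access rules, protocol validation, Inspection rules, NAT) in the course’s order to constructed packets. The rule formats, addresses, the single sanity-check invariant and the inspection pattern are invented for illustration and are not NGFW syntax.</p>
<p>
```python
"""Toy model of the NGFW packet inspection order described above.

Added example, not Forcepoint code: it replays the stage order the course gives
(Ethernet rules, packet sanity checks, anti-spoofing, connection tracking, Access
rules, protocol validation, Inspection rules, NAT) on a constructed packet
representation, so the effect of that order is visible: a packet of an existing
connection skips the Access rules but still goes through protocol validation and
inspection, and a new TCP connection that does not start with a SYN is dropped
even if an Access rule allows it. Rule formats, addresses and the single
inspection pattern are invented for the example; they are not NGFW syntax.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple


@dataclass
class Packet:
    in_iface: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: Set[str] = field(default_factory=set)   # TCP flags, e.g. {"SYN"}
    payload: bytes = b""
    ethertype: str = "ipv4"


@dataclass
class Verdict:
    stage: str      # stage that decided the packet's fate
    action: str     # "allow" or "drop"
    detail: str = ""


ConnKey = Tuple[str, FrozenSet[Tuple[str, int]]]


class Engine:
    def __init__(self) -> None:
        self.ethernet_allowed = {"ipv4", "arp"}
        # Anti-spoofing: address prefix expected to arrive on each interface (constructed).
        self.expected_prefix = {"eth0": "10.0.0.", "eth1": "203.0.113."}
        # Access rules: (source prefix, destination port, action, deep inspection?).
        self.access_rules = [
            ("10.0.0.", 80, "allow", True),
            ("10.0.0.", 22, "allow", False),
        ]
        self.inspection_patterns = [b"<script>"]
        # NAT rules: (source prefix, translated source address); first match wins.
        self.nat_rules = [("10.0.0.", "203.0.113.1")]
        self.connections: Dict[ConnKey, bool] = {}   # key -> inspection selected?

    @staticmethod
    def conn_key(p: Packet) -> ConnKey:
        # Direction-independent key so replies match the established connection.
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def process(self, p: Packet) -> Verdict:
        # 1. Ethernet rules
        if p.ethertype not in self.ethernet_allowed:
            return Verdict("ethernet_rules", "drop", f"ethertype {p.ethertype}")
        # 2. Packet sanity checks (one constructed invariant: SYN and FIN together is invalid)
        if p.proto == "tcp" and {"SYN", "FIN"} <= p.flags:
            return Verdict("sanity_checks", "drop", "SYN+FIN")
        # 3. Anti-spoofing: the source must be expected on the ingress interface
        prefix = self.expected_prefix.get(p.in_iface)
        if prefix is None or not p.src.startswith(prefix):
            return Verdict("anti_spoofing", "drop", f"{p.src} on {p.in_iface}")
        # 4. Connection tracking
        key = self.conn_key(p)
        existing = key in self.connections
        if existing:
            inspect = self.connections[key]
        else:
            # 5. Access rules: first match wins; end of policy without a match = drop
            match = next((r for r in self.access_rules
                          if p.src.startswith(r[0]) and p.dport == r[1]), None)
            if match is None:
                return Verdict("access_rules", "drop", "no matching rule")
            if match[2] != "allow":
                return Verdict("access_rules", "drop", "rule action")
            inspect = match[3]
        # 6. Protocol validation: a new TCP connection must begin with a pure SYN
        if p.proto == "tcp" and not existing and p.flags != {"SYN"}:
            return Verdict("protocol_validation", "drop", "first packet is not SYN")
        if not existing:
            self.connections[key] = inspect
        # 7. Inspection rules: applied to every packet of a selected connection
        if inspect:
            for pattern in self.inspection_patterns:
                if pattern in p.payload:
                    return Verdict("inspection_rules", "drop", "action defined in rule")
        # 8. NAT: the first matching rule translates the source address
        nat = next((r for r in self.nat_rules if p.src.startswith(r[0])), None)
        detail = f"src {p.src} -> {nat[1]}" if nat else "no NAT rule matched"
        return Verdict("nat", "allow", detail)
```
</p>
<p>Feeding the model a SYN, its reply, and then a data segment carrying the inspection pattern shows the two points the text makes: the reply is accepted by connection tracking without consulting the Access rules, and the later data segment is still terminated by the Inspection rules because inspection applies to the whole connection. A stray ACK without a tracked connection never gets past protocol validation, which is why a stateful engine cannot simply be "probed through" by sending mid-stream segments.</p><p>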
By default, NAT is not applied to traffic to or from policy-based VPNs.</p><p>VPN</p><p>Policy-based VPN processing includes finding the correct tunnel from the VPN configuration. If a VPN configuration does not match the Access rules correctly, packets might be discarded with the message “VPN tunnel selection failed”.</p><p>NGFW packet inspection procedure (diagram): Inspection and File Filtering Rules (Harmful pattern or file? YES: action defined in rule), then NAT Rules (Address Translation), then Policy Based VPN (VPN Processing).</p><p>Routing / Route-based VPN</p><p>If a Zone is used as the Destination in an Access rule, the packet is matched against the Access rules after selecting the final route. It is dropped if the packet does not match a rule due to the applied NAT. If the packet is routed to a tunnel interface, the packet is encapsulated according to the route-based VPN configuration.</p><p>Note: for GRE/IP-IP packets encapsulated with policy-based VPN, the packet goes back to policy-based VPN processing.</p><p>QoS</p><p>The packet is let through the firewall according to its priority and any bandwidth limits or guarantees that may be in place.</p><p>NGFW packet inspection procedure (diagram): Routing / Route Based VPN (Route Selection), then QoS (QoS processing), then Outgoing packet.</p><p>Knowledge check</p><p>1.
Where should you look first when troubleshooting the NGFW? Answer: Key information is often available in the NGFW logs or NGFW diagnostic logs.</p><p>2. What information is expected by Support when opening a ticket? Answer: An accurate problem description and the sgInfo from the problematic component are expected by Support.</p><p>3. What happens when SMC detects that a policy is invalid during policy upload? Answer: SMC aborts the policy installation and reports an error. The previous version of the policy remains in effect.</p><p>4. What happens if a new policy prevents connectivity between the SMC and the NGFW Engine? Answer: After the rollback timeout, the NGFW rolls back to the previously installed policy.</p><p>Course contents: Cover; Forcepoint NGFW Overview; SMC Overview; Getting Started with the SMC; NGFW Policies and Templates; Access Control and NAT; Traffic Inspection; Inspection Policies; Malware Detection and File Filtering Policies; Alerting and Notifications; User and Authentication; Mobile VPN and SSL VPN Portal; Site-to-Site VPN; Advanced Logging; Policy Tools; Monitoring and Reporting; Troubleshooting</p><p>efficient group management with SMC Domains</p><p>▪ Visibility to third parties with the Web Portal Server option</p><p>▪ API service</p><p>Role-based administration</p><p>▪ Accurate definition of administrator</p><p>▪ Custom and predefined roles</p><p>▪ Audit information about admin operations</p><p>Centralized management</p><p>▪ User-friendly single-pane management</p><p>▪ Scalable (up to 2000 NGFWs)</p><p>▪ Manage all types of NGFWs installed as Firewall, IPS, or Layer 2 FW</p><p>▪ Software deployment options or appliance</p><p>Objective</p><p>Describe the
NGFW system architecture.</p><p>For more information about the NGFW components, see the Introduction to the NGFW Management Center section of the NGFW Management Center Reference Guide.</p><p>The Security Management Center is composed of two mandatory elements: the Management Server and the Log Server.</p><p>A Management Server and at least one Log Server are required to make configuration changes and to see monitoring statistics or logs, but they are not necessary for the continued operation of the NGFW Engines. If the connectivity between the NGFWs and the SMC servers is lost, the NGFWs still process traffic according to their policy.</p><p>Management Client(s):</p><p>The Management Client is the single graphical user interface for all day-to-day configuration and management tasks, including network interface configuration and remote upgrades. Either install the Management Client software on each workstation or use the SMC Web Access feature to start and run the Management Client in a web browser.</p><p>If you are going to install the Management Client locally, it can be installed from the same installation media as is used for the Management and Log Servers. Alternatively, the Management Server can be configured to make the installation files available for download through a web browser.</p><p>All commands and configuration changes are relayed through the Management Server, so the Management Clients never connect to the NGFW Engines directly. Management Clients also connect to Log Servers to fetch log entries for administrators to view.
Management Clients can be deployed anywhere in the network.</p><p>NGFW system architecture (diagram): Security Management Center (SMC) with Web Portal Server, Management Server and Log Server; Administrator using the Management Client; Customer / Helpdesk using the Web Portal; NGFW Engines; 3rd Party Device.</p><p>Management Server</p><p>• One Management Server can manage a large number of different types of NGFW Engines.</p><p>• Administration and system commands: The Management Server is the central point of all administration tasks (accessed through the Management Client).</p><p>• Configuration database: The Management Server stores all configuration information for NGFW Engines (NGFW in the Firewall role, IPS role, Layer 2 Firewall role, and other system components).</p><p>• Monitoring: The Management Server keeps track of the operating state of the system components and relays this information to the administrators.</p><p>• Alert notifications: The Management Server can notify administrators about new alerts in the system, for example, by sending out an e-mail or an SMS text message.</p><p>• Certificate authority (CA): The Management Server installation includes a basic CA that issues all certificates that system components need for system communications and that can be used to issue certificates for VPN authentication.</p><p>Log Server</p><p>• Multiple Log Servers can be deployed, which is particularly useful in geographically distributed systems.</p><p>• Log data: Log Servers receive and store logs from other system components and make the data available for viewing and generating reports.</p><p>• Statistics and status data: Log Servers receive, relay, and store information about the operation of other system components and keep a record available for
generating reports.</p><p>• Third-party support: Log Servers can be configured to store logs from third-party devices in syslog format and also to forward log data to external hosts.</p><p>• Correlation: Log Servers can conduct further analysis of detected events and correlate events originating from different NGFW Engines.</p><p>NGFW Engines</p><p>• Core components that control network traffic</p><p>• Run on an integrated, secured, Linux-based operating system</p><p>• Control traffic flow</p><p>• Each engine node communicates with the Management Server and Log Server</p><p>• Engine clustering:</p><p>• Functions for all intents and purposes as a single system</p><p>• Provides high availability and load balancing for the NGFW</p><p>Web Portal Server (optional)</p><p>• It is an optional component (separate license required) that can be used to provide restricted access to log data, reports, and policy snapshots.</p><p>• It provides a web-based interface that users with Web Portal user accounts can access with their web browsers.</p><p>• The Web Portal Server can also provide SMC Web Access.</p><p>System Communications</p><p>• All communications between the Security Management Center and the NGFW Engines are TLS protected, with certificate-based authentication.</p><p>• Management connection security is by default AES-256 / SHA-384.</p><p>• 256-bit encryption for the connections between NGFW Engines and the Management Server can be enabled. This requires both the engines and the Management Server to be version 5.5 or higher.
You must also use an internal ECDSA Certificate Authority to sign certificates for system communication.</p><p>The look and feel of the Management Client is designed to allow the efficient management of bigger networks, but it can also be used in a very small environment. The biggest advantage is the cross-platform availability as well as the conceptual design offering all components in a single UI (for example, this allows users to drill down from a log event into the policy without the need to open a new application).</p><p>You can install the Management Client locally on Linux or Windows operating systems. As an alternative to installing the Management Client locally (Windows and Linux OS are supported), you can enable the SMC Web Access feature to start and run the Management Client in a web browser. The Web Access feature can be enabled on the Management Server and on the Web Portal Server. Administrators log on using a web browser, and all features of the Management Client can be controlled in the web browser. You do not need to install the Java Runtime Environment to run the Management Client with the Web Access feature.</p><p>Note that Web Access can consume resources. Especially if many administrators will be using the feature, we recommend that you enable the feature on the Web Portal Server. If the Management Server or Web Portal Server is installed on a Linux platform, xvfb-run must be installed. Web Access support is limited to Google Chrome and Mozilla Firefox, and this feature is not available on the SMC Appliance.</p><p>Management Client properties</p><p>▪ Provides a user interface for configuring, controlling, and monitoring the system.
Connects to the Management Server and Log Servers.</p><p>▪ Can be run in a web browser using the Web Access feature.</p><p>▪ Management Clients can be used from any location that has network access to the Management Server and the Log Server.</p><p>The Management Server is the central part of the NGFW environment, as it stores all configuration information for NGFW Engines, relays commands to the engines, and notifies administrators of new alerts in the system. It can be run on different operating systems.</p><p>The Management Server is positioned in a central site where it is physically accessible to the administrators responsible for maintaining its operation. It can be deployed in an HA setup.</p><p>The Management Server offers a RESTful API allowing the use of HTTP requests to GET, PUT, POST and DELETE data in the system.</p><p>Management Server properties</p><p>▪ Stores all configuration data, relays commands to the engines, and notifies administrators of new alerts in the system.</p><p>▪ Is positioned in a central site where it is physically accessible to the administrators responsible for maintaining its operation.</p><p>▪ Offers a RESTful API for customized integration with other tools.</p><p>The Log Server is the component that stores all logs. If the number of events exceeds the capacity of a single Log Server (>500,000 events/s), another Log Server can be added. This ensures that logging can scale up to a high number of NGFWs.</p><p>In addition to scalability, another reason to add multiple Log Servers could be to meet a legal requirement.
For example, in Switzerland, you are not allowed to transfer any user data across the border, so you may want or need a Log Server unique to that region. Each of the Swiss cantons has a cantonal data protection act, which regulates data processing by cantonal bodies. At the federal level, the collection and use of personal data is regulated by the Federal Act on Data Protection (FADP) and its ordinance, the Ordinance to the Federal Act on Data Protection (OFADP).</p><p>Log Server properties</p><p>▪ Stores logs and correlates events detected by multiple NGFW Engines.</p><p>▪ Place Log Servers centrally and/or locally at sites as needed, based on log data volume, administrative responsibilities, etc.</p><p>The Web Portal Server provides lightweight access to the log information and can easily be split between different customers. It is an additional component that requires a separate license.</p><p>The Web Portal Server can provide SMC Web Access, and this is the recommended deployment when many administrators are using the feature. When a web browser remotely connects to the SMC server providing SMC Web Access, it is equivalent to having a Management Client running locally on the Management Server. Therefore, the amount of resources you must allocate on the server is equivalent to the sum of the resources used by each remote Management Client.</p><p>Web Portal Server properties</p><p>▪ Provides restricted viewing of configuration information, reports, and logs.</p><p>▪ The Web Portal Server can be deployed in any location that has network access to the Management Server and the Log Servers.</p><p>▪ The Web Portal can be customized and made multilingual.</p><p>▪ The Web Portal Server can provide SMC Web Access.
Centralized Remote Management</p><p>A centralized point for managing all NGFW components simplifies system administration significantly and allows combining information from different sources without having to integrate the components with an external system. The centralized management system is not an add-on in the NGFW architecture; the system has been designed right from the start to be centrally managed.</p><p>Centralized Remote Management – Benefits:</p><p>• Simplifies system administration significantly.</p><p>• Allows combining information from different sources without having to integrate the components with an external system.</p><p>• Sharing configuration data across different configurations eliminates the need for duplicate work, which reduces the complexity of configurations and the amount of work required for making changes.</p><p>• Remote upgrades can be downloaded and pushed automatically to several components.</p><p>• Fail-safe policy installation with automatic rollback prevents the installation of policies that would prevent management connections.</p><p>• The integrated backup feature allows saving all system configurations stored on the Management Server in one manually or automatically run backup.</p><p>• Central access point for administrators.</p><p>• Several administrators can be logged in at the same time and simultaneously make changes to the system.
Conflicting changes are automatically prevented.</p><p>• Administrator privileges can be easily adjusted in a highly granular way.</p><p>NGFW system architecture and deployment</p><p>Centralized management and high availability options (diagram): Administrator; Management Server; Backup Management Server; three Log Servers; Layer 3 Virtual NGFW; Layer 2 NGFW; Layer 2 IPS; Layer 3 NGFW; Third Party Device; Site A, Site B, Site C.</p><p>Distributed Architecture</p><p>In this example deployment, a company has operations in three different locations. There are some NGFW Engines and administrators who are responsible for managing the local equipment at each site.</p><p>• Site A is the main site of the company. The Management Server that manages all local and remote components is located at Site A, since the main administrators responsible for maintaining the server are stationed there. There are also two separate Log Servers at Site A, since there is a high number of NGFW Engines (Firewall Clusters and IPS) at this site, producing a high volume of logs. The Log Servers also work as backup servers for each other.</p><p>• Site B is a large branch office that is also designated as the disaster recovery site for the main site, although only the most important services are duplicated. This site has a moderate number of NGFW Engines. A separate Log Server is installed at Site B to ensure swift log browsing for the local administrators.
There is also a Management Server</p><p>installed on the same server, but it is a secondary standby server that works as a backup</p><p>for the management server at Site A; the server at Site B is only used for managing the</p><p>system if there is a major incident at Site A.</p><p>• Site C is a small branch office that has only a few NGFW Engines. There is a single local</p><p>administrator who is an infrequent user of NGFW. There are no Management Center</p><p>components at Site C; the local NGFW Engines send their data to the log servers at Site</p><p>A.</p><p>48 | Forcepoint NGFW 7.0 Administrator Course © 2022 Forcepoint</p><p>Positioning Log Servers</p><p>• Log Servers store the event data and traffic captures received from other components. As</p><p>the transferred amounts of data can be substantial, the primary concerns for Log Server</p><p>deployment are the number and throughput of the components that send data to the Log</p><p>Server. Several Log Servers can be located both at a central site and at remote sites. A</p><p>single shared Log Server can be sufficient for several remote sites with low traffic</p><p>volumes, whereas a large office with very high volumes of network traffic may require</p><p>even several log servers for efficient use.</p><p>• Log Servers also handle alerts and alert escalation to inform the administrators of critical</p><p>events. The alerts can be handled locally on each Log Server, or alternatively the alerts</p><p>can be forwarded to a different Log Server. For example, all the alerts from different</p><p>remote sites can be forwarded to a central Log Server at the corporate headquarters for</p><p>alert escalation.</p><p>Positioning the Management Server</p><p>• The Management Server is usually positioned on a central site at the corporate</p><p>headquarters or data center, from where it can reach NGFWs, and log servers. 
The</p><p>management server does not need to be located close to the administrators, as the entire</p><p>system is managed through the management clients that connect to the management</p><p>server and log servers over the network using an encrypted connection.</p><p>© 2022 Forcepoint Forcepoint NGFW 7.0 Administrator Course | 49</p><p>We recommend using the same Management Server for all managed NGFWs. This unified</p><p>approach simplifies managing wide, physically distributed network environments and allows</p><p>closer integration, for</p><p>example, sending blocklist requests from the IDS components to the</p><p>Firewalls. In addition, the configuration information and log data can then be shared and</p><p>used efficiently together. A single management server can manage a very large number of</p><p>components.</p><p>Positioning Management Clients</p><p>• The Management Client provides a graphical user interface for managing and monitoring</p><p>the entire system. Management Clients can be used at any location where they can reach</p><p>the Management Server for system administration and the Log Servers for log and alert</p><p>browsing.</p><p>• The Management Clients can be installed by running the installer program locally. As an</p><p>alternative to installing the Management Client locally (Window and Linux OS are</p><p>supported), you can enable the SMC Web Access feature to start and run the</p><p>Management Client in a web browser. With SMC version 6.7 or older another alternative</p><p>to run the Management Client is using Java Web Start. 
This option requires that the Java Runtime Environment (JRE) is installed on each workstation.</p>
<p>Support for Large-Scale Installations</p>
<p>The Security Management Center (SMC) provides management for up to 2000 engines. Several Log Servers are usually required in larger systems, but a single Management Server can still effectively manage very large installations. The features that are specifically targeted at making large-scale installations easy to manage include the possibility to separate configurations into isolated Domains and to filter configuration definitions in and out of view based on user-defined categorizations.</p>
<p>High Availability</p>
<p>Optionally, one or more additional Management Servers can be installed (depending on the type of license). An additional Management Server allows controlling the system without delays and without loss of configuration information if the active Management Server is damaged, loses power, or becomes otherwise unusable. Log Servers can also be used as backups for each other to allow continued operation when a Log Server is lost. When a Log Server becomes unavailable, engines can automatically start sending new logs and monitoring data to another pre-selected Log Server.</p>
<p>Capacity</p>
<p>▪ One Management Server can manage up to 2,000 NGFW Engines.</p>
<p>▪ A Log Server can process more than 500,000 records per second.</p>
<p>▪ Additional Log Servers can be added to increase scalability.</p>
<p>▪ High availability option for:</p>
<p>▪ Management Server</p>
<p>▪ Log Server</p>
<p>• SMC is a Java-based management system.</p>
<p>• SMC components must be the same version to communicate. SMC Web Access should be used when there is a need to connect to different SMC servers that run different versions of software. Alternatively, different client versions can be installed in different installation directories.</p>
<p>• Windows and Linux operating systems are supported; Forcepoint recommends Linux for the SMC, as the JRE implementation on Linux and the ext4 file system provide greater performance.</p>
<p>• The SMC components can be installed on the same system or distributed. Virtualization can also be leveraged, provided the VM properties meet the system requirements outlined in the release notes. A combination of physical and virtual servers can also be used.</p>
<p>• Backups are platform independent, making transition from one base OS platform to another possible.</p>
<p>The supported platforms are:</p>
<p>• Windows Server 2019</p>
<p>• Windows Server 2016</p>
<p>• Windows Server 2012 R2</p>
<p>• On Windows 10, you can install the SMC in demo mode. You can also install the Management Client.</p>
<p>• Red Hat Enterprise Linux 7 and 8</p>
<p>• SUSE Linux Enterprise 12 and 15</p>
<p>• Ubuntu 18.04 LTS and 20.04 LTS</p>
<p>Other versions of these listed operating systems might be compatible but have not been tested. Only U.S. English language versions of the listed operating systems have been tested, but other locales might also be compatible.</p>
<p>Platforms</p>
<p>▪ SMC servers can be installed on the same machine or on separate machines.</p>
<p>▪ SMC servers can be virtual or installed on physical server hardware.</p>
<p>▪ Using SMC Web Access, the Management Client can be run on any OS.</p>
<p>▪ Windows and Linux operating systems are supported (64-bit only); see the platform list above.</p>
<p>[Figure: SMC Appliance and SMC software.]</p>
<p>Basic Management System Hardware Requirements</p>
<p>• Intel Core family processor or higher recommended, or equivalent on a non-Intel platform</p>
<p>• Disk space for a Management Server: 6 GB</p>
<p>• Disk space for a Log Server: 50 GB</p>
<p>• Memory requirements for 64-bit operating systems:</p>
<p>• 16 GB RAM for Management Server, Log Server, or Web Portal Server (32 GB if all components are installed on the same server)</p>
<p>• When using the SMC Web Access feature, add 2 GB RAM per administrator session</p>
<p>• 2 GB RAM for the Management Client</p>
<p>For more information, see the Security Management Center Release Notes on the Forcepoint web site.</p>
<p>Alternative methods for accessing the Management Client</p>
<p>To avoid installing the full Java-based Management Client on each workstation that an administrator uses, you can use SMC Web Access.</p>
<p>• SMC Web Access. You can enable the feature on the Management Server or Web Portal Server. Administrators log on to the Management Client on a web page, and the Management Client runs as an HTML5 application in the web browser. 
The web browser is the only requirement on the workstation.</p>
<p>Objective: Identify the ports used for communication between SMC components.</p>
<p>This diagram presents an overview of the most important default ports used in communications between the Security Management Center components.</p>
<p>SMC communications</p>
<p>[Figure: SMC communications between the Management Client, the Log Server and the Management Server. Default listening ports shown: TCP 8914-8918 at the Log Server (from the Management Client), TCP 8902-8913 at the Management Server (from the Management Client), and TCP 3021, 3023, 8902-8913 at the Management Server (from the Log Server).]</p>
<p>This diagram shows the destination ports for basic NGFW engine communications. The listening TCP ports are indicated in the boxes next to each system component. The connections are established in the direction of the arrows.</p>
<p>SMC and engine communications</p>
<p>[Figure: NGFW Engine, Log Server and Management Server. Listening ports: Log Server TCP 3020; Management Server TCP 3021, 3023, 8906*; NGFW Engine TCP 636, 4950, 4987, 8888, or none*.]</p>
<p>*Single engines with “Node-initiated Contact to Management Server” selected</p>
<p>Objective: Explain the use of locations and contact addresses.</p>
<p>In this topology, the Management Server and the Log Server are installed in the headquarters (HQ) internal network. NAT is applied between the Management Server/Log Server and the branch office firewalls. The firewall at the headquarters provides the SMC servers with a public IP address on the Internet. For the Branch Office Firewalls to contact the SMC servers, you must configure the external addresses of the SMC servers as contact addresses.</p>
<p>The Location elements define when a contact address is used. Elements that belong to the same location (the Management Server, the Log Server and the HQ Firewall in this example) communicate with each other using their real IP addresses. Elements outside the HQ location communicate with the Management Server and the Log Server using the contact IP address.</p>
<p>The Location elements define when a contact address is used and which of the defined contact addresses is used when several contact addresses are possible. When a component does not have a specific contact address definition for the contacting component’s location, the default contact address is used. However, you can define a contact address for each contacting component’s location you have defined in the system.</p>
<p>When an administrator inside the HQ location connects to the Management Server, they use the HQ Location to be able to browse logs. When an administrator outside the HQ location connects to the Management Server, they use the HQ Firewall public address and the default location.</p>
<p>Locations &amp; contact addresses</p>
<p>Locations and contact addresses are used when handling NAT between system components.</p>
<p>[Figure: HQ Location containing the Management Server and Log Server (Real IPs 192.168.1.102 and 192.168.1.101, both with Contact IP 212.x.y.100), the HQ Firewall acting as NAT device (Public IP Address 212.x.y.100) and a Management Client in the HQ Location. On the Internet side: the BO1 Firewall (FW/VPN, Public IP Address 129.a.b.122), the BO2 Firewall (FW/VPN, Public IP Address 129.a.b.222) and a Management Client in the Default Location.]</p>
<p>Contact addresses</p>
<p>If NAT is applied between two system components, you must define the translated IP address as a contact address for the component that needs to be contacted. A single component can have several contact addresses.</p>
<p>You can define contact addresses for Firewall, IPS and Layer 2 Firewall elements, most types of Server elements, and External VPN Gateway End-Points. The contact addresses are defined directly in the element properties and can be tied to a specific location.</p>
<p>Location and contact addresses</p>
<p>Contact addresses are needed to reach system components located behind NAT devices.</p>
<p>Locations</p>
<p>Location elements define when a contact address is used. They also define which contact address is used in communications with a particular component. 
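The Location and contact-address rule described above (same location: real IP; different location: the contact address defined for the caller's location, otherwise the default contact address), combined with the default listening ports from the two SMC port diagrams, as an added worked example in Python. This is illustrative code written for these notes, not Forcepoint software or an SMC API. The topology, the 203.0.113.x and 198.51.100.x addresses standing in for the course's 212.x.y.100 and 129.a.b.x, the assignment of .101 and .102 to the two servers, the reading of each flow's direction from which component's box the ports sit beside, the fallback to the real IP when no contact address is defined at all, and the NAT-device rule format are assumptions of the example.

```python
"""Added example: which address and which TCP ports an SMC component needs
across NAT, following the course's Location / contact-address rules and its
default-port diagrams. Illustrative code, not Forcepoint software."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Element:
    name: str
    kind: str                      # "Management Server", "Log Server", "NGFW Engine", "Management Client"
    real_ip: str
    location: str = "Default"      # every element belongs to the Default location unless assigned
    default_contact: Optional[str] = None
    contact_by_location: Dict[str, str] = field(default_factory=dict)
    node_initiated_contact: bool = False   # "Node-initiated Contact to Management Server" (single engines)


def resolve_address(caller: Element, target: Element) -> str:
    """IP address the caller uses to reach the target.

    Same location: the real IP. Different location: the contact address defined
    for the caller's location, else the default contact address. Falling back to
    the real IP when no contact address exists at all is this example's assumption.
    """
    if caller.location == target.location:
        return target.real_ip
    if caller.location in target.contact_by_location:
        return target.contact_by_location[caller.location]
    if target.default_contact is not None:
        return target.default_contact
    return target.real_ip


def listening_ports(src: Element, dst: Element) -> Set[int]:
    """Destination TCP ports for the flow src -> dst.

    Port numbers come from the course's default-port diagrams; the direction of
    each flow is read from which component's box the ports sit beside (assumption).
    """
    pair = (src.kind, dst.kind)
    if pair == ("Management Client", "Management Server"):
        return set(range(8902, 8914))
    if pair == ("Management Client", "Log Server"):
        return set(range(8914, 8919))
    if pair == ("Log Server", "Management Server"):
        return {3021, 3023} | set(range(8902, 8914))
    if pair == ("NGFW Engine", "Log Server"):
        return {3020}
    if pair == ("NGFW Engine", "Management Server"):
        ports = {3021, 3023}
        if src.node_initiated_contact:
            ports.add(8906)         # marked "*" on the diagram
        return ports
    if pair == ("Management Server", "NGFW Engine"):
        # "or none*": with node-initiated contact the server opens no connection
        return set() if dst.node_initiated_contact else {636, 4950, 4987, 8888}
    raise ValueError(f"no default SMC flow defined for {pair}")


Rule = Tuple[str, int, int]          # (destination IP, first port, last port) permitted


def missing_ports(src: Element, dst: Element, rules: List[Rule]) -> List[int]:
    """Required ports of src -> dst not permitted by the (constructed) NAT-device rules."""
    address = resolve_address(src, dst)
    allowed = {p for ip, lo, hi in rules if ip == address for p in range(lo, hi + 1)}
    return sorted(listening_ports(src, dst) - allowed)


# Constructed sample topology: HQ behind a NAT device. 203.0.113.100 stands in for
# the course's "212.x.y.100"; which server has .101 / .102 is an assumption.
MGMT = Element("Management Server", "Management Server", "192.168.1.102", "HQ",
               default_contact="203.0.113.100")
LOGS = Element("Log Server", "Log Server", "192.168.1.101", "HQ",
               default_contact="203.0.113.100")
HQ_FW = Element("HQ Firewall", "NGFW Engine", "192.168.1.1", "HQ")
BO1_FW = Element("BO1 Firewall", "NGFW Engine", "198.51.100.122")      # Default location
HQ_ADMIN = Element("HQ admin", "Management Client", "192.168.1.50", "HQ")
REMOTE_ADMIN = Element("Remote admin", "Management Client", "198.51.100.7")

# Constructed rules on the HQ NAT device: only TCP 3020-3021 forwarded so far.
NAT_RULES: List[Rule] = [("203.0.113.100", 3020, 3021)]


def audit() -> Dict[str, List[int]]:
    """Ports still missing at the NAT device for each remote flow into HQ."""
    return {
        "BO1 -> Log Server": missing_ports(BO1_FW, LOGS, NAT_RULES),
        "BO1 -> Management Server": missing_ports(BO1_FW, MGMT, NAT_RULES),
        "Remote admin -> Management Server": missing_ports(REMOTE_ADMIN, MGMT, NAT_RULES),
    }


if __name__ == "__main__":
    for flow, ports in audit().items():
        print(f"{flow}: missing {ports or 'nothing'}")
```

Running the module lists, per remote flow into HQ, the required ports the constructed NAT rules do not yet forward. `resolve_address` holds the Location logic; `listening_ports` is only the port table from the diagrams keyed by the kinds of the two endpoints, so adding a component type means adding a branch there, not touching the address resolution.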
There is a default location to which all elements belong if you do not assign them to a specific location.</p>
<p>The default contact address should be the address that is most commonly used to contact the element. For example, if in most cases the Management Server is contacted by its NAT address, the default should be the NAT address, not the Management Server’s own address.</p>
<p>The SMC uses the Location element to determine which IP address needs to be used when system components connect to each other and NAT is applied between them. You can create the Location elements and add other elements to them based on how your network is set up.</p>
<p>Location and contact addresses</p>
<p>Locations define whether the component uses a private or public IP address to communicate with other system components.</p>
<p>Objective: Explain the use of SMC Domains.</p>
<p>SMC Domains for multi-tenant MSSP operations</p>
<p>▪ One Management Server for managing several independent customer environments</p>
<p>▪ Customers’ configurations are isolated in separate SMC Domains</p>
<p>▪ All Domains inherit elements from the Shared Domain</p>
<p>▪ Requires a separate license</p>
<p>[Figure: Security Management Center with a Shared Domain and Domains for Customer 1, Customer 2 and Customer 3. Admins: define administrator responsibilities as cross-Domain or Domain-specific actions. Web Portal User: read-only Web Portal access for customers or local administrators.]</p>
<p>SMC Domains allow you to manage the network security of several independent organizations with one Management Server. With SMC Domain elements, you can group together elements that belong to specific configurations (for example, elements that belong to a specific customer).</p>
<p>The configurations in different Domains are stored in the same Management Server database, but they are isolated from each other. The Shared Domain offers the ability to share elements and security policies between Domains, as all Domains inherit the content of the Shared Domain.</p>
<p>The Domains feature requires a separate management-bound license.</p>
<p>Domains are designed to divide responsibilities between administrators. They allow you to define in which administrative Domain(s) an administrator has permissions. However, SMC Domains are not designed to provide the end customers of MSSPs with viewing access to the Management Server. The Web Portal allows end customers to view policies, reports, and logs.</p>
<p>Knowledge check</p>
<p>1. Name two components of the SMC.</p>
<p>2. What is the primary task of the Management Server?</p>
<p>3. What is the primary task of the Log Server?</p>
<p>1. The Log and Management Servers.</p>
<p>2. The Management Server is the primary point of interface to the engines. It maintains policies and controls access to the environment. It also implements escalation and alert policies.</p>
<p>3. The Log Server collects logs based on policy matches, system monitoring information, and third-party log data.</p>
<p>Knowledge check</p>
<p>4. What is the primary task of the NGFW Engines?</p>
<p>5. List three benefits of centralized management.</p>
<p>6. Provide two ways to run the Management Client.</p>
<p>4. The engines enforce security policies created in the Management Server.</p>
<p>5. Centralized monitoring, auditing, and other tools; reusable elements; and up-to-date configuration stored on the Management Server.</p>
<p>6. The Management Client can be installed locally or run in a web browser using SMC Web Access.</p>
<p>Module summary</p>
<p>You should now be able to:</p>
<p>▪ Describe the Security Management Center and its key features.</p>
<p>▪ Describe the NGFW system architecture.</p>
<p>▪ Identify the ports used for communication between SMC components.</p>
<p>▪ Explain the use of locations and contact addresses.</p>
<p>▪ Explain the use of SMC Domains.</p>
<p>Getting Started with the SMC</p>
<p>Course roadmap</p>
<p>This course contains the following modules:</p>
<p>1. NGFW Overview</p>
<p>2. SMC Overview</p>
<p>3. Getting Started with the SMC</p>
<p>4. NGFW Policies and Templates</p>
<p>5. Access Control and NAT</p>
<p>6. Traffic Inspection</p>
<p>7. Inspection Policy</p>
<p>8. Malware Detection and File Filtering</p>
<p>9. Alerts and Notifications</p>
<p>10. Users and Authentication</p>
<p>11. Mobile VPN and SSL VPN Portal</p>
<p>12. Site-to-Site VPN</p>
<p>13. Advanced Logging</p>
<p>14. Policy Tools</p>
<p>15. Monitoring and Reporting</p>
<p>16. 
Troubleshooting</p>
<p>Module objectives</p>
<p>After successfully completing this module, you will be able to:</p>
<p>▪ Describe the Management Client and how it works.</p>
<p>▪ Create system backups.</p>
<p>▪ Describe the SMC high availability options.</p>
<p>▪ Configure the SMC Administrator Access.</p>
<p>▪ Apply configuration to NGFW engines.</p>
<p>▪ Describe how logs work.</p>
<p>Objective: Describe the Management Client and how it works.</p>
<p>You can easily customize the information visible on Dashboard pages. You can use drag-and-drop to re-organize the panes and select new panes from a predefined selection of panes to replace existing panes on the Dashboard page. You can now include statistics in Dashboard pages. Elements in Dashboard pages show different information depending on the type of element.</p>
<p>The NGFW Engines Dashboard default components are the following:</p>
<p>• NGFW Engines status view shows at a glance whether elements are online or offline, and whether there are any errors, warnings, or alerts.</p>
<p>• Active alerts show alerts that are not yet acknowledged by administrators.</p>
<p>• Status tree displays the Firewall, IPS, Layer 2 Firewall, and Master Engine elements and indicates their status with colors.</p>
<p>• Drill-downs panel: shortcuts to more details of the selected element.</p>
<p>• The Pending changes panel shows configuration and policy changes that have not yet been transferred to the engines.</p>
<p>• Application Health shows application statuses with color codes.</p>
<p>• VPNs status view shows VPN statuses using colors.</p>
<p>• Servers &amp; Devices shows server and third-party element statuses using colors.</p>
<p>Management client overview</p>
<p>Customizable Home page</p>
<p>[Figure: Home page layout with callouts: Tree of monitored elements, Navigation Toolbar, Details of the selected element, NGFW Engines status view, Shortcuts of the selected element, Active Alerts, Monitoring Stats or Other Elements, Pending changes, Search bar, Home page configuration, Application Health monitoring.]</p>
<p>Navigation Toolbar</p>
<p>• Back and forward buttons: The Management Client allows you to navigate backward and forward in a browser-like manner.</p>
<p>• Dashboards icon: Enables easy access to different Dashboards.</p>
<p>• Menu icon: You can select different panes, views, and configuration options through the Menu.</p>
<p>• Configuration icon: You can open a task-specific Configuration view by clicking the Configuration icon in the toolbar and selecting the configuration that you want to change (NGFW, User Authentication, SD-WAN, Administration, or Monitoring).</p>
<p>• Overview icon: Opens the Overviews, which include information on the system’s status, and statistical charts on the system’s operation (such as engine load) and the traffic flow.</p>
<p>• Logs icon: Opens the Logs view, where you can browse log, alert, and audit entries.</p>
<p>• New Tab: When you open a new tab (Ctrl+T), further items related to Configuration and Monitoring are available. Your bookmarks are also listed there.</p>
<p>• Bookmarks: The Management Client views can be bookmarked. Bookmarks in the default Shared Bookmarks folder are shown to all administrators that log in to the same Management Server. Other bookmarks are private to the Management Clients of individual administrators. A bookmark can be used as a startup view.</p>
<p>Management client overview</p>
<p>[Figure: Navigation toolbar with callouts: Back / forward buttons, Menu icon, Bookmarks, Logs icon, Dashboards icon, New tab, Overview icon, Configuration icon.]</p>
<p>Configuration views allow you to view, modify, and add configuration information in the system. There are different Configuration views for different tasks. In all views, the main level of the tree contains the elements that need to be changed most often. Supporting and less frequently changed elements can be found under the Other Elements branch.</p>
<p>You can open a task-specific Configuration view by clicking the Configuration icon in the toolbar and selecting the configuration that you want to change (Security Engine, User Authentication, SD-WAN, Administration, or Monitoring).</p>
<p>Other configuration contexts are available when you open a new tab 
(Ctrl+T).</p>
<p>Management client overview</p>
<p>Configuration Views</p>
<p>[Figure: Configuration view layout with callouts: Tree of task-specific element types, Details of the selected elements, Selected elements, Shortcuts of the selected element.]</p>
<p>The search bar is always shown at the top of the Management Client window. The search bar is the fastest way to find elements, policies, folders, and actions. The search results are grouped and ranked by relevance. You can also access related drill-down actions and drag and drop elements from the search results list to other views, such as the Policy Editing view or the Routing view for an engine.</p>
<p>The “Where Used?” search finds references to elements, to see where they are used. For example, you can find the references to elements you want to delete; referenced elements cannot be deleted until the references are removed.</p>
<p>SMC also provides a duplicate IP search and a search for unused elements.</p>
<p>Management client tools</p>
<p>Search Bar, “Where Used?” search</p>
<p>The SMC Online Help is available at https://help.forcepoint.com/ngfw/en-us/. The Online Help provides easy navigation and is compatible with Internet search engines.</p>
<p>Optionally, you can download a copy of the Online Help to deploy on an internal web server or use it locally on the Management Client computer. After you download the Online Help zip package, you can manually configure the Management Client to use the local version of the Online Help.</p>
<p>Management client tools</p>
<p>Online Help</p>
<p>▪ Available online via browser.</p>
<p>▪ Can be locally served.</p>
<p>Objective: Create a system backup.</p>
<p>The Management Server stores the configuration information for all system components. The engines contain a working copy of the configuration details that allows them to carry out traffic inspection independently. It is not possible to extract this information from the engines if the Management Server is lost.</p>
<p>Taking regular Management Server backups and keeping copies of them in a safe location is essential to be able to restore the configuration to solve various problems.</p>
<p>Backups allow you to save and restore the configurations for the Management Server and Log Server on the same physical host (for example, after a clean reinstallation) or on a different physical host (for example, after a hardware change).</p>
<p>You can configure and schedule a backup task to create backups automatically.</p>
<p>Backups are upward-version-compatible and platform-independent. There is an option for encryption. Backups can be saved on a network drive.</p>
<p>To configure a new backup location, stop the Management Service, open the file /data/SGConfiguration.txt in a text editor and add the following line to define a new backup folder path:</p>
<p>SG_BACKUP_DIR=</p>
<p>System backups</p>
<p>▪ Management Server backup includes all system configurations.</p>
<p>▪ Upward-version-compatible and platform-independent.</p>
<p>▪ Can be automated and scheduled.</p>
<p>Objective: Describe the SMC high availability options.</p>
<p>You can install several additional Management Servers and Log Servers to provide a standby system for the SMC. There is a maximum of 5 Management Servers: one active Management Server and up to four standby Management Servers.</p>
<p>The synchronization between the active Management Server and the additional Management Servers is done incrementally in real time. Only the changes to the Management Database are replicated to the additional Management Servers.</p>
<p>You can control the Management Servers through a dialog in the Management Client. You can, for example, synchronize the Management Servers, activate a Management Server, or set a Management Server to standby.</p>
<p>Management Server high availability is mainly designed for disaster recovery: when a Management Server is the active Management Server, it has full control of all Domains. When you need to switch to a different Management Server, you must manually change the active Management Server. Setting a Management Server to standby releases control of all Domains. This allows another Management Server to take full control of all Domains and become the new active Management Server.</p>
<p>The engines continue to operate normally even when no Management Server is reachable, so there is no interruption to any network</p>
