Next Generation Firewall


Next Generation Firewall Installation Guide
Version 6.5
Revision A

2018 Forcepoint. Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint. Raytheon is a registered trademark of Raytheon Company. All other trademarks used in this document are the property of their respective owners.

Published 2018

This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent in writing from Forcepoint. Every effort has been made to ensure the accuracy of this manual. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.

Forcepoint Next Generation Firewall 6.5 Installation Guide

Table of contents

Preface ... 7

Introduction to the Forcepoint Next Generation Firewall solution ... 9

1 Introduction to Forcepoint NGFW ... 11
    Components in the Forcepoint NGFW solution ... 11
    Security Management Center ... 12
    NGFW Engines ... 12

2 Preparing for installation ... 15
    Supported platforms ... 15
    Clustering ... 18
    Deployment options for Forcepoint NGFW Engines ... 19
    Cable connection guidelines ... 21
    Speed and duplex settings for NGFW Engines ... 24
    Obtain installation files ... 25
    Licensing Forcepoint NGFW components ... 27
    Installation overview ... 28

Security Management Center deployment ... 31

3 Installing the SMC ... 33
    SMC installation options ... 33
    Install SMC components ... 36
    Install the SMC in Demo Mode ... 42
    Install the SMC from the command line ... 44
    Install the SMC Appliance ... 50
    Start the SMC after installation ... 52
    Post-installation SMC configurations ... 57

4 Configuring the SMC ... 59
    Configuring NAT addresses for SMC components ... 59
    Add Management Servers for high availability ... 62
    Distribute Management Clients through Web Start ... 64

Forcepoint NGFW deployment ... 67

5 Configuring Forcepoint NGFW for the Firewall/VPN role ... 69
    Types of interfaces for NGFW Engines in the Firewall/VPN role ... 69
    Interface numbering ... 71
    Install licenses for NGFW Engines ... 72
    Configuring Single Firewalls ... 72
    Configuring Firewall Clusters ... 86

6 Configuring Forcepoint NGFW for the IPS role ... 97
    Types of interfaces for NGFW Engines in the IPS and Layer 2 Firewall roles ... 97

    Interface numbering ... 98
    Install licenses for NGFW Engines ... 99
    Configuring IPS engines ... 100
    Bind engine licenses to IPS elements ... 112

7 Configuring Forcepoint NGFW for the Layer 2 Firewall role ... 115
    Types of interfaces for NGFW Engines in the IPS and Layer 2 Firewall roles ... 115
    Install licenses for NGFW Engines ... 116
    Configuring Layer 2 Firewalls ... 116
    Bind engine licenses to Layer 2 Firewall elements ... 129

8 Configuring NGFW Engines as Master NGFW Engines and Virtual NGFW Engines ... 131
    Master NGFW Engine and Virtual NGFW Engine configuration overview ... 131
    Install licenses for NGFW Engines ... 132
    Add Master NGFW Engine elements ... 132
    Add Virtual Firewall elements ... 141
    Add Virtual IPS elements ... 146
    Add Virtual Layer 2 Firewall elements ... 148

9 Configuring routing ... 151
    Getting started with routing ... 151
    Add routers ... 152
    Add or view the default route ... 153
    Add static routes ... 153

10 Initial configuration of Forcepoint NGFW software ... 155
    Options for initial configuration ... 155
    Using plug-and-play configuration ... 156
    Using automatic configuration ... 159
    Using the NGFW Initial Configuration Wizard ... 162

11 Creating and installing policies ... 175
    Create and install a Firewall Policy ... 175
    Install a predefined policy on IPS engines and Layer 2 Firewalls ... 176

Maintenance ... 179

12 Upgrading licenses ... 181
    Getting started with upgrading licenses ... 181
    Upgrade licenses manually ... 181
    Install licenses ... 182
    Check NGFW Engine licenses ... 182

13 SMC maintenance ... 185
    Upgrading the SMC ... 185
    Uninstall the SMC ... 188

14 SMC Appliance maintenance ... 191
    Getting started with SMC Appliance maintenance ... 191
    Patching and upgrading the SMC Appliance ... 192
    Roll back the SMC Appliance to the previous version on the command line ... 196

15 Upgrading NGFW Engines ... 197
    How engine upgrades work ... 197

    Obtain NGFW Engine upgrade files ... 199
    Prepare NGFW Engine upgrade files ... 200
    Upgrade engines remotely ... 201
    Upgrade engines locally ... 203

Appendices ... 207

A Default communication ports ... 209
    Security Management Center ports ... 209
    Forcepoint NGFW Engine ports ... 212

B Command line tools ... 217
    Security Management Center commands ... 217
    Forcepoint NGFW Engine commands ... 230
    Server Pool Monitoring Agent commands ... 237

C Installing SMC Appliance software on a virtualization platform ... 239
    Hardware requirements for installing SMC Appliance software on a virtualization platform ... 239
    Install SMC Appliance software using an .iso file ... 239

D Installing Forcepoint NGFW on a virtualization platform ... 241
    Hardware requirements for installing Forcepoint NGFW software on a virtualization platform ... 241
    Install Forcepoint NGFW software using an .iso file ... 241

E Installing Forcepoint NGFW software on third-party hardware ... 243
    Hardware requirements for installing Forcepoint NGFW on third-party hardware ... 243
    Start the Forcepoint NGFW installation on third-party hardware ... 248
    Install Forcepoint NGFW in expert mode ... 249

F Example network (Firewall/VPN) ... 253
    Example Firewall Cluster ... 253
    Example Single Firewall ... 256
    Example headquarters management network ... 257

G Example network (IPS) ... 259
    Example network overview (IPS) ... 259
    Example headquarters intranet network ... 261
    HQ IPS Cluster ... 261
    Example headquarters DMZ network ... 262

H Cluster installation worksheet instructions ... 263
    Cluster installation worksheet ... 263


Preface

This guide provides the information you need to work with your Forcepoint product.

Conventions

This guide uses these typographical conventions and icons.

Book title, term, emphasis: Title of a book, chapter, or topic; a new term; emphasis.
Bold: Text that is strongly emphasized.
User input, code, message: Commands and other text that the user types; a code sample; a displayed message.
Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.
Hypertext: A link to a topic or to an external website.
Note: Additional information, like an alternate method of accessing an option.
Tip: Suggestions and recommendations.
Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
Warning: Critical advice to prevent bodily harm when using a hardware product.

Find product documentation

On the Forcepoint support website, you can find information about a released product, including product documentation, technical articles, and more.

You can get additional information and support for your product on the Forcepoint support website at https://support.forcepoint.com. There, you can access product documentation, Knowledge Base articles, downloads, cases, and contact information.


PART I
Introduction to the Forcepoint Next Generation Firewall solution

Contents
- Introduction to Forcepoint NGFW on page 11
- Preparing for installation on page 15

Before setting up Forcepoint Next Generation Firewall (Forcepoint NGFW), it is useful to know what the different components do and what engine roles are available. There are also tasks that you must complete to prepare for installation.


CHAPTER 1
Introduction to Forcepoint NGFW

Contents
- Components in the Forcepoint NGFW solution on page 11
- Security Management Center on page 12
- NGFW Engines on page 12

The Forcepoint Next Generation Firewall solution consists of Forcepoint NGFW Engines and the Forcepoint NGFW Security Management Center (SMC). The SMC is the management component of the Forcepoint NGFW solution.

Components in the Forcepoint NGFW solution

The Forcepoint NGFW solution includes NGFW Engines, SMC server components, and SMC user interface components.

Figure 1: Components in the Forcepoint NGFW solution

Number / Component / Description

1. Management Client: The Management Client is the user interface for the SMC. You use the Management Client for all configuration and monitoring tasks. You can install the Management Client locally as an application, or you can start the Management Client with a web browser using the Java Web Start feature. You can install an unlimited number of Management Clients.
2. Web Portal: The Web Portal is the browser-based user interface for the services provided by the Web Portal Server.
3. Management Server: The Management Server is the central component for system administration. One Management Server can manage many different types of NGFW Engines.
4. Log Server: Log Servers store traffic logs that can be managed and compiled into reports. Log Servers also correlate events, monitor the status of NGFW Engines, show real-time statistics, and forward logs to third-party devices.
5. Web Portal Server: The Web Portal Server is a separately licensed optional component that provides restricted access to log data, reports, and policy snapshots.
6. NGFW Engines: NGFW Engines inspect traffic. You can use NGFW Engines in the Firewall/VPN, IPS, or Layer 2 Firewall role.

Security Management Center

The basic SMC components are the Management Server, Log Server, and one or more Management Clients. The Management Client is the user interface for the SMC. You can use the same SMC installation to manage multiple NGFW Engines in different roles.

The SMC can optionally include multiple Management Servers, multiple Log Servers, and multiple Web Portal Servers. Your licenses specify the type and number of optional components and engines that your environment can include. You can install the SMC components separately on different computers or on the same computer, depending on your performance requirements. The SMC all-in-one appliance is shipped with the Management Server and a Log Server pre-installed on it.

NGFW Engines

You can use NGFW Engines in the Firewall/VPN, IPS, and Layer 2 Firewall roles. You can also use NGFW Engines as Master NGFW Engines to host Virtual NGFW Engines in these roles.

NGFW Engines are represented by different types of NGFW Engine elements in the SMC. The following elements represent NGFW Engines in the SMC:

Engine role: Firewall/VPN
- Single Firewall elements represent firewalls that consist of one physical device.
- Firewall Cluster elements consist of 2–16 physical firewall devices that work together as a single entity.
- Virtual Firewall elements are Virtual NGFW Engines in the Firewall/VPN role.

Engine role: IPS
- Single IPS elements represent IPS engines that consist of one physical IPS device.
- IPS Cluster elements combine 2–16 physical IPS devices into a single entity.
- Virtual IPS elements are Virtual NGFW Engines in the IPS role.

Engine role: Layer 2 Firewall
- Single Layer 2 Firewall elements represent Layer 2 Firewalls that consist of one physical device.
- Layer 2 Firewall Cluster elements combine 2–16 physical Layer 2 Firewall devices into a single entity.
- Virtual Layer 2 Firewall elements are Virtual NGFW Engines in the Layer 2 Firewall role.

Engine role: Master NGFW Engine
- Master NGFW Engine elements represent physical devices that host Virtual NGFW Engines.

These elements are containers for the main configuration information directly related to the NGFW Engines.

Forcepoint NGFW in the Firewall/VPN role

In addition to standard firewall features, Forcepoint NGFW in the Firewall/VPN role provides several advanced features.

The main features of Forcepoint NGFW in the Firewall/VPN role include:
- Advanced traffic inspection — Multi-Layer packet and connection verification process provides maximum security without compromising system throughput. An anti-malware scanner and web filtering complement the standard traffic inspection features when the firewall is licensed for the UTM (unified threat management) feature. Anti-malware is not supported on Virtual Firewalls. Master NGFW Engines do not directly inspect traffic.
- Built-in load balancing and high availability — The clustering of the firewall nodes is integrated. The firewall dynamically load-balances individual connections between the cluster nodes.
- Multi-Link technology — Multi-Link allows configuring redundant network connections without the more complex traditional solutions that require redundant external routers and switches. It provides high availability for inbound, outbound, and VPN connections.
- QoS and bandwidth management — You can set up the minimum and maximum bandwidth value and the priority value for different types of traffic.
- Virtual private networks — The firewall provides fast, secure, and reliable VPN connections with the added benefits of the clustering and Multi-Link technologies. These features provide load balancing and failover between ISPs and VPN gateways.
- Unified SMC and integration with other NGFW Engines — You can configure and monitor the Firewall/VPN and the other NGFW Engines through the same SMC and the same user interface. The SMC provides extensive reporting tools for generating statistical reports based on logs, alerts, and operating statistics.

Forcepoint NGFW in the IPS and Layer 2 Firewall roles

IPS engines and Layer 2 Firewalls pick up network traffic, inspect it, and create event data for further processing by the Log Server.

The main features of Forcepoint NGFW in the IPS and Layer 2 Firewall roles include:
- Multiple detection methods — Misuse detection uses fingerprints to detect known attacks. Anomaly detection uses traffic statistics to detect unusual network behavior. Protocol validation identifies violations of the defined protocol for a particular type of traffic. Event correlation processes event information to detect a pattern of events that might indicate an intrusion attempt.
- Response mechanisms — There are several response mechanisms to anomalous traffic. These include different alerting channels, traffic recording, TCP connection termination, traffic blacklisting, and traffic blocking with Inline Interfaces.
- Unified SMC and integration with other NGFW Engines — The IPS engines, Layer 2 Firewalls, Master NGFW Engines, Virtual IPS engines, and Virtual Layer 2 Firewalls are managed centrally through the SMC. The SMC provides extensive reporting tools for generating statistical reports based on logs, alerts, and operating statistics.

Master NGFW Engines and Virtual NGFW Engines

Master NGFW Engines are physical devices that provide resources for multiple Virtual NGFW Engines.

Any NGFW Engine that has a license that allows the creation of Virtual Resources can be used as a Master NGFW Engine. Virtual NGFW Engines are represented by the following elements in the SMC:
- Virtual Firewall is a Virtual NGFW Engine in the Firewall/VPN role.
- Virtual IPS engine is a Virtual NGFW Engine in the IPS role.
- Virtual Layer 2 Firewall is a Virtual NGFW Engine in the Layer 2 Firewall role.

Each Master NGFW Engine can only host one Virtual NGFW Engine role. To use more than one Virtual NGFW Engine role, you must create a separate Master NGFW Engine for each Virtual NGFW Engine role. Each Master NGFW Engine must be on a separate physical Master NGFW Engine device.

CHAPTER 2
Preparing for installation

Contents
- Supported platforms on page 15
- Clustering on page 18
- Deployment options for Forcepoint NGFW Engines on page 19
- Cable connection guidelines on page 21
- Speed and duplex settings for NGFW Engines on page 24
- Obtain installation files on page 25
- Licensing Forcepoint NGFW components on page 27
- Installation overview on page 28

Before installing Forcepoint NGFW, identify the components of your installation and how they integrate into your environment.

Supported platforms

Several platforms are supported for deploying Forcepoint NGFW and SMC components.

CAUTION: To protect the privacy of your data, we recommend using dedicated hardware for all NGFW, SMC, and SMC Appliance installations. For cloud-based virtualization platforms, use an instance type that runs on dedicated hardware. For on-premises virtualization platforms, install the NGFW Engines, SMC components, or SMC Appliance on a hypervisor that does not host any other virtual machines. For third-party hardware, do not install any other software on the computer where you install the NGFW Engines or SMC components.

Supported platforms for SMC deployment

SMC server components can be installed on third-party hardware or they are available as a dedicated Forcepoint NGFW Security Management Center Appliance (SMC Appliance).

Third-party hardware

CAUTION: Do not install the SMC components on the Forcepoint NGFW hardware.

- You can install the SMC on third-party hardware that meets the hardware requirements. For information about hardware requirements, see the Release Notes.
- You can install all SMC server components on the same computer, or install separate components on different computers.

- In a large or geographically distributed deployment, we recommend installing the Management Server, Log Server, and optional Web Portal Server on separate computers.

SMC Appliance

The Management Server and a Log Server are integrated with the hardware operating system as a dedicated server appliance.

Management Client

Although the Web Start distribution of the Management Client is certified to run only on the listed official platforms, it can run on other platforms. These platforms include Mac OS X and additional Linux distributions with JRE (Java Runtime Environment) installed.

Supported platforms for Forcepoint NGFW deployment

You can run NGFW Engines on various platforms.

The following general types of platforms are available for NGFW Engines:
- Purpose-built Forcepoint NGFW appliances
  Note: For information about supported appliance models, see Knowledge Base article 9743.
- VMware ESX and KVM virtualization platforms
- Microsoft Hyper-V virtualization platform (Firewall/VPN role only)
- Microsoft Azure cloud (Firewall/VPN role only)
- Amazon Web Services (AWS) cloud (Firewall/VPN role only)
- Third-party hardware that meets the hardware requirements

For supported versions of virtualization platforms, see the Release Notes.

The NGFW Engine software includes an integrated, hardened Linux operating system. The operating system eliminates the need for separate installation, configuration, and patching.

Deploying NGFW Engines on cloud-based virtualization platforms

You can deploy NGFW Engines on cloud-based virtualization platforms, such as the Amazon Web Services (AWS) cloud and the Microsoft Azure cloud.

NGFW Engines on cloud-based virtualization platforms provide VPN connectivity, access control, and inspection for services hosted on cloud-based virtualization platforms.

For information about deploying NGFW Engines i
