
Forcepoint

Next Generation Firewall


6.5

Appendix: What’s
new in NGFW 6.5

Copyright © 2018 Forcepoint. All rights reserved.


Features & Enhancement list

• SD-WAN dashboard
• Application routing
• Route metrics and monitoring
• ECMP routing
• Dynamic routing in load balancing cluster
• Node initiated management connection for clusters
• Locations and Contact Addresses
• UID integrated to NGFW
• Easy ECA rollout
• DHCP relay for IPv6
• Keep alive option for IPsec VPN
• Auto scale support for Azure
• Dynamically resolved DNS elements



SD-WAN Dashboard

• Provides VPN and NetLink health information together with other statistics.
• VPN health is taken from Multi-Link VPN monitoring.
• For NetLinks, link utilization is monitored.


• The Tunnels widget lists the VPN tunnels established by the NGFW.

• Traffic load, packet loss, latency and jitter are reported as observed by Multi-Link VPN monitoring.
• These values are used to calculate route health.
• All VPNs configured on the NGFW are listed, even those not referenced in the policy.
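How the per-tunnel figures above are derived from raw probe results, as an added example (not Forcepoint code): latency, packet loss and jitter are computed from a constructed series of round-trip probes, and a verdict is drawn from them. The `Probe` record, the jitter simplification (RTT differences instead of one-way transit deltas) and the "good/degraded/down" thresholds are assumptions; the dashboard's actual route health scoring is not documented on this page.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Probe:
    seq: int                  # sequence number of the probe this end sent
    rtt_ms: Optional[float]   # measured round-trip time, None if no reply came back


def latency_ms(probes: List[Probe]) -> float:
    """Mean RTT over answered probes (inf when nothing was answered)."""
    rtts = [p.rtt_ms for p in probes if p.rtt_ms is not None]
    return sum(rtts) / len(rtts) if rtts else float("inf")


def loss_pct(probes: List[Probe]) -> float:
    """Packet loss in percent. Unanswered probes and missing sequence
    numbers both count as lost."""
    if not probes:
        return 100.0
    expected = probes[-1].seq - probes[0].seq + 1
    answered = sum(1 for p in probes if p.rtt_ms is not None)
    return 100.0 * (expected - answered) / expected


def jitter_ms(probes: List[Probe]) -> float:
    """Mean absolute RTT variation between consecutive answered probes.
    Simplification (assumed): RTT probes give no one-way transit times, so
    consecutive RTT differences stand in for the RFC 3550 transit deltas."""
    rtts = [p.rtt_ms for p in probes if p.rtt_ms is not None]
    if len(rtts) < 2:
        return 0.0
    return sum(abs(b - a) for a, b in zip(rtts, rtts[1:])) / (len(rtts) - 1)


# Assumed thresholds for the verdict; the real dashboard scoring is not documented here.
MAX_LOSS_PCT, MAX_LATENCY_MS, MAX_JITTER_MS = 2.0, 150.0, 30.0


def route_health(probes: List[Probe]) -> str:
    """Verdict used for route health: 'down', 'degraded' or 'good'."""
    loss = loss_pct(probes)
    if loss >= 100.0:
        return "down"
    if (loss > MAX_LOSS_PCT or latency_ms(probes) > MAX_LATENCY_MS
            or jitter_ms(probes) > MAX_JITTER_MS):
        return "degraded"
    return "good"


# Constructed samples: one clean tunnel and one lossy, slow tunnel.
TUNNEL_A = [Probe(i + 1, rtt) for i, rtt in enumerate([20.0, 22.0, 20.0, 22.0, 20.0, 22.0])]
TUNNEL_B = [Probe(i + 1, rtt) for i, rtt in enumerate(
    [80.0, None, 90.0, 85.0, None, 95.0, 100.0, 90.0, 80.0, 110.0])]

if __name__ == "__main__":
    for name, probes in (("tunnel-A", TUNNEL_A), ("tunnel-B", TUNNEL_B)):
        print(f"{name}: latency={latency_ms(probes):.1f} ms loss={loss_pct(probes):.0f}% "
              f"jitter={jitter_ms(probes):.1f} ms health={route_health(probes)}")
```

Counting sequence gaps as loss matters: a probe series that silently drops entries would otherwise report a healthier tunnel than the one the users are experiencing.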

• Widgets can be resized, removed and added by the administrator.

• Widgets are selected with a simple drag and drop.



Application routing
The need: the NGFW must be able to select the NAT, outgoing link or VPN tunnel based on the application. This allows, for example, the following scenarios:

• The NGFW forwards certain web applications, for example O365, directly to the internet while other web traffic is sent to the datacenter over MPLS.
• All web traffic is forwarded to a cloud proxy using an IPsec tunnel or proxy forwarding, while Netflix traffic is forwarded directly to the internet.
• Multiple internal web servers are NATed to a single public address and port. NAT selection is done based on the URL.


• While sending all web traffic to a proxy, bypass the proxy for certain applications and select a different NAT for the bypassed applications.


• VPN tunnel selection based on the application in the access rules.

• Destination NAT based on a URL List element. This allows multiple servers behind the same NAT IP, each reached on a different destination port.
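The two mechanisms described on these slides, application-based egress selection and URL-based destination NAT, as an added example in Python (not Forcepoint code and not the SMC policy syntax). The rule model, the application names, the NetLink/VPN/proxy names, the addresses and the "first match wins" ordering are constructed assumptions chosen to reproduce the O365/Netflix bypass and the shared-public-IP scenarios above.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    app: str        # application identified by inspection (e.g. "O365")
    host: str = ""  # HTTP Host header or TLS SNI, used for URL-based destination NAT


@dataclass(frozen=True)
class Rule:
    apps: FrozenSet[str]          # matching applications; "*" matches anything
    egress: str                   # NetLink, VPN tunnel or proxy the flow is sent through
    snat: Optional[str] = None    # source NAT address chosen for this rule, None = no NAT


# Constructed access rules, first match wins (assumed ordering, as in most firewall policies).
RULES = (
    # Bypass the cloud proxy for selected web applications and send them straight out.
    Rule(frozenset({"O365", "Netflix"}), egress="netlink-internet", snat="198.51.100.1"),
    # All other web traffic goes to the cloud proxy over an IPsec tunnel; no NAT inside it.
    Rule(frozenset({"HTTP", "HTTPS"}), egress="vpn-cloud-proxy"),
    # Everything else (file shares, databases, ...) stays on the MPLS link to the datacenter.
    Rule(frozenset({"*"}), egress="mpls-datacenter"),
)


def select_egress(flow: Flow) -> Tuple[str, Optional[str]]:
    """Return (egress, source NAT address) from the first rule matching the flow's application."""
    for rule in RULES:
        if "*" in rule.apps or flow.app in rule.apps:
            return rule.egress, rule.snat
    raise LookupError("no matching rule")  # unreachable with the catch-all rule above


# URL-based destination NAT: several internal servers share one public IP and port 443,
# and the URL host decides which internal server and port receives the connection.
PUBLIC_ADDRESS = ("203.0.113.10", 443)
URL_DNAT: Dict[str, Tuple[str, int]] = {
    "www.example.com": ("10.0.0.10", 8080),
    "mail.example.com": ("10.0.0.20", 8443),
}


def destination_nat(flow: Flow) -> Optional[Tuple[str, int]]:
    """Translate the public destination to an internal server:port based on the URL host.
    Unknown hosts get no translation; the caller should then discard the connection
    rather than hand it to an arbitrary internal server."""
    if (flow.dst, flow.dport) != PUBLIC_ADDRESS:
        return None
    return URL_DNAT.get(flow.host)


if __name__ == "__main__":
    f = Flow("10.0.0.5", "52.96.0.1", 443, "O365", "outlook.office365.com")
    print("O365 ->", select_egress(f))
    f = Flow("198.51.100.77", "203.0.113.10", 443, "HTTPS", "mail.example.com")
    print("mail.example.com ->", destination_nat(f))
```

Two practical points the example makes explicit: the URL host for HTTPS comes from the TLS SNI unless the connection is decrypted, and a host that is not on the URL list should be dropped, not forwarded to a default server. The engine also has to see enough of a connection to identify the application before an application-based rule can match, which this flat lookup does not model.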



Route metrics and monitoring

• Customers need high availability for static routes. If the firewall routes packets out of a failed link, communication does not work.

• In 6.4 and older versions there were two ways to achieve this:
• Multi-Link: always requires NAT, which customers do not always want.
• Dynamic routing: adds complexity to the environment.


• Route metrics can be used to create active and standby routes to the same destination network using static routing, without the need for Multi-Link.
• Define a different metric on each route. The route with the smallest metric is considered better.
• Enable route monitoring on the necessary routes so that a route whose link has failed is no longer used.



ECMP Routing

• ECMP (equal-cost multi-path) routing enables packets destined to the same destination network to take multiple routes via different connections.

• The benefit is increased bandwidth, because multiple connections are used at the same time.

• The end result is similar to using Multi-Link, but it does not require NAT.

• Packets between the same pair of IP addresses are sent over the same connection in order to avoid packet reordering.


• ECMP is configured in the same route metrics editor as route metrics and monitoring.

• Route monitoring can be used to monitor ECMP route health.

• The ECMP weight must be the same on all routes. If it is not, the SMC prevents saving in the Engine Editor and shows a validation error.
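The route metrics, route monitoring and ECMP behaviour described on the preceding slides, modelled in one added Python example (not Forcepoint code; the `Route` record, the SHA-256 flow hash, the gateway addresses and the `set_link_state` helper are assumptions). Active/standby default routes are chosen by metric, a monitored route that is down is skipped, two equal-metric routes form an ECMP group in which one conversation always stays on one path, and differing ECMP weights are rejected the way the SMC rejects them at save time.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: str            # destination network, e.g. "0.0.0.0/0"
    gateway: str           # next hop
    metric: int = 0        # lower is better; routes with equal metric form an ECMP group
    ecmp_weight: int = 1   # must be identical within an ECMP group
    monitored: bool = False
    up: bool = True        # latest route-monitoring result; only meaningful when monitored

    def usable(self) -> bool:
        # An unmonitored route is always considered usable: nothing can mark it down.
        return self.up or not self.monitored


def validate(routes: List[Route]) -> None:
    """Reject differing ECMP weights inside a group, as the SMC does when saving."""
    groups: Dict[Tuple[str, int], List[Route]] = {}
    for r in routes:
        groups.setdefault((r.prefix, r.metric), []).append(r)
    for (prefix, metric), members in groups.items():
        weights = {r.ecmp_weight for r in members}
        if len(members) > 1 and len(weights) > 1:
            raise ValueError(f"ECMP weights differ for {prefix} (metric {metric}): {sorted(weights)}")


def flow_hash(src: str, dst: str) -> int:
    """Stable hash of the IP pair so one conversation always uses the same path."""
    digest = hashlib.sha256(f"{src}|{dst}".encode()).digest()
    return int.from_bytes(digest[:4], "big")


def next_hop(routes: List[Route], src: str, dst: str) -> Optional[str]:
    """Gateway for a packet src -> dst, or None when no usable route exists."""
    validate(routes)
    dst_ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes
                  if dst_ip in ipaddress.ip_network(r.prefix) and r.usable()]
    if not candidates:
        return None
    # Longest prefix first, then lowest metric.
    longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in candidates)
    candidates = [r for r in candidates if ipaddress.ip_network(r.prefix).prefixlen == longest]
    best = min(r.metric for r in candidates)
    group = sorted((r for r in candidates if r.metric == best), key=lambda r: r.gateway)
    # Equal metric means ECMP: pick a member by flow hash (weights are equal, so plain modulo).
    return group[flow_hash(src, dst) % len(group)].gateway


def set_link_state(routes: List[Route], gateway: str, up: bool) -> None:
    """Simulate a route-monitoring result for every route via the given gateway."""
    for r in routes:
        if r.gateway == gateway:
            r.up = up


# Constructed routing table: active/standby default routes by metric, plus an ECMP pair.
ROUTES = [
    Route("0.0.0.0/0", "192.0.2.1", metric=10, monitored=True),      # primary ISP
    Route("0.0.0.0/0", "198.51.100.1", metric=20, monitored=True),   # standby ISP
    Route("10.10.0.0/16", "10.1.1.1", metric=0, monitored=True),     # ECMP member 1
    Route("10.10.0.0/16", "10.1.2.1", metric=0, monitored=True),     # ECMP member 2
]

if __name__ == "__main__":
    print("default via", next_hop(ROUTES, "10.0.0.5", "8.8.8.8"))
    set_link_state(ROUTES, "192.0.2.1", False)
    print("primary down, default via", next_hop(ROUTES, "10.0.0.5", "8.8.8.8"))
    set_link_state(ROUTES, "192.0.2.1", True)
    print("10.10.3.4 via", next_hop(ROUTES, "10.0.0.5", "10.10.3.4"))
```

Note what the standby route does not give you: an unmonitored standby with a lower metric would silently take over traffic, and the per-pair hash keeps a single heavy conversation on one ECMP member, so the bandwidth gain is across conversations, not within one.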



ECA Roll-Out

• Distributing the ECA client software, configuration and required certificates is cumbersome when done manually.

• With Easy ECA Rollout, the SMC server hosts a web server from which clients download a software bundle including the client software, configuration and certificate.

• Intended for POCs and small evaluations where third-party tools for certificate management and software distribution are not available.


• The ECA client, configuration and certificate are downloaded from the SMC using a browser.



Node initiated management connection for clusters

• The supported use case is a cluster located behind device(s) doing dynamic NAT.

• Cluster interface options now have a "Node-Initiated Contact to Management Server" checkbox.

• When in use, the NGFW contacts the Management Server on TCP port 8906.



UID Integrated to NGFW

• Intended only for POC or evaluation use. Performance is much worse than with FUID.

• The software integrated in the engine does what FUID and the DC Agent do in a normal setup.



DHCP Relay for IPv6

• Enables customers to configure NGFWs to forward IPv6 DHCP messages from local LANs to a centralized DHCP server.

• Works over VPN.



Additional enhancements

• Keep-alive options for IPsec: VPN tunnels are torn down if no traffic is sent over them. The keep-alive options provide an easy, built-in way to keep VPN tunnels up all the time.
• Dynamically resolved DNS addresses: you can run a script on the NGFW Engine that resolves dynamic element names specific to a cloud platform to IP addresses.
• Auto-Scale Support for Azure: auto scale deploys new instances of the cloud-installed NGFW based, for example, on load.
• Dynamic Routing in Load Balancing Clusters: you can now use dynamic routing in Firewall Clusters that use load-balancing mode. In load-balancing mode, all nodes in the cluster are online at the same time and traffic is balanced between the nodes, increasing performance for inspection and VPN traffic.
