
What’s New in Forcepoint NGFW 6.7

Highlights of NGFW 6.7
On-premises DLP integration

Rule Validity Time

Forcepoint VPN Broker

Other Enhancements

© 2019 Forcepoint | 2
On-premises DLP integration
Data Loss Prevention (DLP) scanning is applied to outbound file transfers to prevent sensitive data from being sent out.
Forcepoint NGFW provides DLP scanning and uses the ICAP protocol to integrate with:
• Forcepoint DLP solution
• 3rd party DLP solutions

[Diagram: a client uploads a file over HTTP(S) through the NGFW; the NGFW asks the ICAP servers (DLP scanning) “Is file transfer allowed?” and forwards the file only on an OK answer]
On-premises DLP integration – Engine Configuration
1. Define an ICAP Server element representing the DLP server
• Use the REQMOD method only
• Support for ICAP X-headers
2. Enable Data Protection add-on
3. Select ICAP Server(s)

On-premises DLP integration – Configuration
DLP scanning method is configured in the File Filtering Policy
• File Filtering rules define the content to scan
• Direction is upload only
• DLP Scan is enabled in the Allow After Action
• User response can be displayed
Supported protocols: FTP, HTTP, HTTPS, IMAP, IMAPS, POP3, POP3S, SMTP
DLP scan can be used together with Anti-Malware scanners

Limitations
Integrating DLP servers with Forcepoint NGFW has the following limitations:
• Only the ICAP protocol is supported. The DLP server must support ICAP.
• Only the REQMOD method is supported for sending files to the DLP server.
• The DLP server must return the “204 - No modifications needed” response to the NGFW when the file is OK to be sent out.
• To match DLP user-based policies, the DLP server must be able to read the user from the X-Authenticated-User header using the “Local” auth-scheme.
• Cloud-based DLP services are not supported.

DLP scanning is recommended only for outbound file transfers that use the FTP, HTTP, and HTTPS protocols. The other supported protocols are IMAP, IMAPS, POP3, POP3S, and SMTP.

The default file size limit for DLP scanning is 50 MB. DLP solutions for storage and endpoints are better suited to large files.
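The REQMOD exchange described on these slides, as an added example in Python that is not Forcepoint’s code: build_reqmod builds the request the NGFW sends for an outbound HTTP upload, decide and respond play the DLP server (204 when the file may go out, an encapsulated 403 when it must be blocked), and authenticated_user accepts only the “Local” auth-scheme in X-Authenticated-User, mirroring the limitation above. The card-number regex, the EXEMPT_USERS policy, the host names and the base64 “Local://user” encoding (taken from the ICAP X-Authenticated-User extension draft) are assumptions, not something the slides state.

```python
# Added example, not Forcepoint code. Assumptions: SENSITIVE is a toy stand-in for
# DLP policy, EXEMPT_USERS is a constructed user-based policy, host names are made
# up, and the base64 "Local://user" encoding follows the ICAP X-Authenticated-User
# extension draft rather than anything stated on the slides.
import base64
import re
from typing import Dict, Optional, Tuple

SENSITIVE = re.compile(rb"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")  # toy DLP rule
EXEMPT_USERS = {"alice"}  # constructed user-based DLP policy
ISTAG = b'ISTag: "dlp-demo-1"\r\n'


def build_reqmod(user: Optional[str], upload: bytes,
                 host: str = "dlp.example.internal") -> bytes:
    """What the NGFW sends: the outbound HTTP upload wrapped in an ICAP REQMOD."""
    http_hdr = (b"POST /upload HTTP/1.1\r\nHost: files.example.com\r\n"
                b"Content-Type: application/octet-stream\r\n"
                b"Content-Length: %d\r\n\r\n" % len(upload))
    body = b"%x\r\n%s\r\n0\r\n\r\n" % (len(upload), upload)  # ICAP bodies are chunked
    lines = [b"REQMOD icap://%s/reqmod ICAP/1.0" % host.encode(),
             b"Host: %s" % host.encode(),
             b"Encapsulated: req-hdr=0, req-body=%d" % len(http_hdr)]
    if user is not None:
        # Extension header that lets the DLP server match user-based policies
        lines.append(b"X-Authenticated-User: " + base64.b64encode(b"Local://" + user.encode()))
    return b"\r\n".join(lines) + b"\r\n\r\n" + http_hdr + body


def dechunk(data: bytes) -> bytes:
    """Decode a chunked body: hex sizes, terminated by a zero-length chunk."""
    out, pos = b"", 0
    while True:
        nl = data.index(b"\r\n", pos)
        size = int(data[pos:nl].split(b";")[0], 16)
        if size == 0:
            return out
        out += data[nl + 2:nl + 2 + size]
        pos = nl + 2 + size + 2


def parse_icap(raw: bytes) -> Tuple[str, Dict[str, str], bytes, bytes]:
    """Split an ICAP request into request line, ICAP headers, HTTP headers, body."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    offsets = {}  # the Encapsulated header gives byte offsets into `rest`
    for part in headers.get("encapsulated", "").split(","):
        name, _, off = part.strip().partition("=")
        if name:
            offsets[name] = int(off)
    req_hdr = rest[offsets.get("req-hdr", 0):offsets.get("req-body", len(rest))]
    body = dechunk(rest[offsets["req-body"]:]) if "req-body" in offsets else b""
    return lines[0].decode(), headers, req_hdr, body


def authenticated_user(headers: Dict[str, str]) -> Optional[str]:
    """Return the user from X-Authenticated-User only if it uses the Local scheme."""
    token = headers.get("x-authenticated-user")
    if not token:
        return None
    try:
        uri = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    scheme, _, name = uri.partition("://")
    return name if scheme == "Local" and name else None


def decide(raw: bytes) -> Tuple[int, Optional[str], str]:
    """DLP verdict as (ICAP status, user, reason); 204 lets the upload through."""
    req_line, headers, _, body = parse_icap(raw)
    if not req_line.startswith("REQMOD "):
        return 405, None, "only REQMOD is supported"
    user = authenticated_user(headers)
    if user in EXEMPT_USERS:
        return 204, user, "user exempt by DLP policy"
    if SENSITIVE.search(body):
        return 200, user, "sensitive pattern found in upload"
    return 204, user, "no policy match"


def respond(raw: bytes) -> bytes:
    """What the DLP server sends back: 204 (send it) or an encapsulated 403 (block)."""
    status, _, reason = decide(raw)
    if status == 204:
        return b"ICAP/1.0 204 No modifications needed\r\n" + ISTAG + b"\r\n"
    if status == 405:
        return b"ICAP/1.0 405 Method not allowed\r\n\r\n"
    page = b"Upload blocked by DLP policy: " + reason.encode() + b"\r\n"
    http = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n"
            b"Content-Length: %d\r\n\r\n" % len(page))
    return (b"ICAP/1.0 200 OK\r\n" + ISTAG
            + b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(http)
            + http + b"%x\r\n%s\r\n0\r\n\r\n" % (len(page), page))
```

The 204 path is the one the NGFW needs to see for a clean file; anything else is treated as a block, which is why the RESPMOD case is refused with 405 rather than silently accepted. A user header without the Local scheme is ignored, so the upload is then judged on content alone rather than on a policy exemption it cannot prove.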

Rule Validity Time
SMC administrators can now create rules that expire on a specific day and time.
The Rule Validity Time element defines:
• When each rule starts being enforced and when it automatically expires
• When each rule is active
A Rule Validity Time element can be reused in multiple rules and policies.
Rule Validity Time can refer to the NGFW engine’s local time.

Forcepoint VPN Broker
Full Mesh and Hub/Spoke VPN topology limitations
• The scalability of Full Mesh and Hub/Spoke VPN topologies is limited
• A new architecture is necessary to scale to more than 5000 sites

Full Mesh VPN – what is the problem?
- The number of tunnels increases faster than the number of VPN GWs
- Any VPN change requires updating all VPN GWs
- No tunnels can be established between 2 dynamic GWs

Hub/Spoke VPN – what is the problem?
- The central hub GW forwarding VPN traffic is a bottleneck
- Decryption / Inspection / Encryption at the hub
- High latency, low throughput


Forcepoint VPN Broker
• Dynamic full mesh VPN
• Scales to more than 5000 GWs
• Tunnels are created on demand
• Dynamic GWs supported
• High availability system
• Separated data and control planes
• Supports all NGFW SD-WAN features
• Works with lower-powered appliances
• VPN tunnel monitoring in the Management Client

VPN Broker Architecture
[Diagram: VPN Broker architecture with numbered elements]
1 VPN Broker domain
2 VPN Broker gateway
3 VPN Broker member
4 Dynamic VPN tunnels
SMC

For more information see the NGFW Manager and VPN Broker Product Guide.
Other Enhancements
DPI Support for QinQ
• Enables deep inspection for double VLAN tagged traffic (QinQ) on Layer 2 interfaces in Inline or Capture mode.
• Allows integration with third-party solutions (Gigamon) that use QinQ for network traffic flow control.

Filtering Category change
Categories are now grouped as follows:
• Security — Group of categories known to pose a security threat
• Reputation — Group of categories that might have security implications
• Legal Liability — Group of categories that contain content related to a potential age
restriction or legal infringement
• Bandwidth — Group of categories known to consume bandwidth resources
• Baseline — Group of categories related to general web access traffic

Other Enhancements
HTTP/2
• The HTTP and HTTPS Services with Protocol now include HTTP/2 support.

FUID 2.0
• User ID Service and DC Agent application have been completely rewritten.
• Performance and scalability have been greatly improved.
• The configuration has been simplified.
• Data storage in the internal database has been improved for the User ID Service.
• Communication between components is now secured by TLS by default.
