Forcepoint 110, 115 Hardware Manual

Next Generation

Firewall

Hardware Guide

Models 110, 115

Revision A

Forcepoint Next Generation Firewall Hardware Guide | Models 110, 115

Contents

• Introduction on page 2

• Find product documentation on page 2

• Model N110 features on page 3

• Model N115 features on page 5

• Precautions on page 9

• Install the appliance on page 11

• Maintenance on page 16

• Compliance information on page 19

Introduction

Thank you for choosing a Forcepoint Next Generation Firewall (Forcepoint NGFW) appliance.

Familiarize yourself with the appliance ports and indicators and learn how to install the appliance safely.

Find product documentation

On the Forcepoint support website, you can find information about a released product, including product documentation, technical articles, and more.

You can get additional information and support for your product on the Forcepoint support website at https://support.forcepoint.com

. There, you can access product documentation, Knowledge Base articles, downloads, cases, and contact information.

2


Model N110 features

The figures and tables show the N110 (110) appliance components.

Front panel

The front panel has indicator lights.

1 2 3 4

1 Power indicator

2 Status indicator

3 Management (MGMT) indicator

4 Internet connectivity indicator

Back panel

The back panel includes the power connector and ports.

1 2 3 4 5

1 Power connector

2 USB ports

3 Console port (speed 115,200 bps)

4 Fixed Ethernet ports 0–1 (from left to right)

5 Ports 0–7 in the integrated switch (from left to right, 0–3 on the top row and 4–7 on the bottom row)

3


Note: This appliance does not support hardware flow control on the console port. If you do not disable this feature when using a terminal emulator program, you cannot enter commands into the console; you can only view the output.

Left side panel

There is a CFast Card on the left side panel of the appliance.

Indicator lights

Indicator lights show the status of the appliance.

Indicator Color

Power Green

Status Unlit

Amber

MGMT

Internet

Green

Green

Green

Description

Power is supplied to the appliance.

The initial configuration has not yet been generated.

Initial contact is established, but the NGFW Engine is offline. Flashes until initial contact is established.

The NGFW Engine is online.

Management connection is established.

Internet connection is up. This feature is not enabled by default.

Ethernet port indicators

Ethernet port indicators show the status and speed of the network ports.

1 2

1 2

Number Indicator

1 Activity/link indicator

2 Link speed indicator

Status Description

Green Link OK. Flashes on activity.

Unlit

Amber

10 Mbps link.

100 Mbps link.

4


Number Indicator Status

Green

Description

1 Gbps link.

Model N115 features

The figures and tables show the N115 (115) appliance components.

Front panel

The front panel has indicator lights.

1 2 3 4 5

1 Power indicator

2 Status indicator

3 Management (MGMT) indicator

4 Internet connectivity indicator

5 Wireless LAN (WLAN) connectivity indicator

5


Back panel

The back panel includes the power connector and ports.

1 2 3 4 5 6

1 Interface module slot

2 Power connector

3 USB ports

4 Console port (speed 115,200 bps)

5 Fixed Ethernet ports 0–1 (from left to right)

6 Ports 0–7 in the integrated switch (from left to right, 0–3 on the top row and 4–7 on the bottom row)

Note: This appliance does not support hardware flow control on the console port. If you do not disable this feature when using a terminal emulator program, you cannot enter commands into the console; you can only view the output.

Left side panel

There is a CFast Card on the left side panel of the appliance.

Indicator lights

Indicator lights show the status of the appliance.

Indicator Color

Power Green

Status Unlit

Amber

MGMT

Internet

Green

Green

Green

Description

Power is supplied to the appliance.

The initial configuration has not yet been generated.

Initial contact is established, but the NGFW Engine is offline. Flashes until initial contact is established.

The NGFW Engine is online.

Management connection is established.

Internet connection is up. This feature is not enabled by default.

6


Indicator Color

WLAN Green

Description

The access point is available for clients to connect to.

Ethernet port names

Ethernet port names are based on the slot and port numbers.

The first number in the name represents the slot on the appliance. The second number represents the port on the slot. For example, eth2_0 is located on port 0 of slot 2.

Component

Fixed Ethernet ports

Interface module ports 1

Slot number Slot location Port numbers

0 Back panel eth0_0 and eth0_1.

Back panel The port numbers start from 0 and increase from left to right. For example, the port farthest to the left in slot 1 is eth1_0.

Ethernet port indicators

Ethernet port indicators show the status and speed of the network ports.

1 2

1 2

Number Indicator

1 Activity/link indicator

2 Link speed indicator

Status Description

Green Link OK. Flashes on activity.

Unlit

Amber

Green

10 Mbps link.

100 Mbps link.

1 Gbps link.

Supported interface modules

Model 115 Forcepoint NGFW appliances support copper and small form-factor pluggable (SFP) modules.

Note: Do not remove any stickers from modules — they contain important information.

7


For a list of all available interface modules and compatibility information, see Knowledge Base article 10245 .

MMGE4 module

The MMGE4 module is a quad-port gigabit interface module.

1 2

3

Number

1

2

Component Color

Activity/link indicator Green

Link speed indicator Green

Thumbscrews

Amber

N/A 3

MMGESFP module

The MMGESFP module is a single-port gigabit interface SFP mini module.

2

Description

Link OK, flashes on activity.

1 Gbps link.

10 Mbps or 100 Mbps link.

N/A

1

Number

1

2

Component

Activity/link/link speed indicator

Thumbscrews

Color

Green

N/A

Description

1 Gbps link (other speeds not supported), flashes on activity.

N/A

8


Precautions

The precautions provide safety guidance when working with Forcepoint appliances and electrical equipment.

Safety precautions

Read the safety information and follow the procedures whenever you are working with electronic equipment.

CAUTION: Forcepoint appliances cannot be serviced by end users. Never open the appliance covers for any reason. Doing so can lead to serious injury and void the hardware warranty.

General safety

Follow these rules to ensure general safety.

• Keep the area around the appliance clean and free of clutter.

• Use a regulating uninterruptible power supply (UPS) to keep your system operating if there is a power failure and to protect the appliance from power surges and voltage spikes.

• If you need to switch off or unplug the appliance, always wait at least five seconds before turning on or plugging in the appliance again.

Operating precautions

• Power adapters — Do not open the power adapter casing. Only the manufacturer's qualified technician can access and service power adapters.

• WLAN precautions (115 appliance only) — Data traffic by a wireless connection might allow unauthorized third parties to receive data. Take the necessary steps to secure your radio network. See http://www.wi-fi.org

for information about securing your WLAN.

Restrictions and requirements might apply for authorizing wireless devices. Check with your local authorities for additional information.

For additional safety information, see the Forcepoint Product Safety and Regulatory Compliance Guide .

Electrical safety precautions

Follow basic electrical safety precautions to protect yourself from harm and the appliance from damage.

• Know the locations of the power on/off button and the emergency turn-off switch, disconnection switch, or electrical outlet for the room. If an electrical accident occurs, you can quickly turn off power to the system.

• When working with high-voltage components, do not work alone.

• When working with electrical equipment that is turned on, use only one hand. This is to avoid making a complete circuit, which causes an electric shock. Use extreme caution when using metal tools, which can easily damage any electrical components or circuit boards the tools come into contact with.

• Do not use mats designed to decrease electrostatic discharge as protection from electric shock. Instead, use rubber mats that have been designed as electrical insulators.

9


Restricted substances

The following table shows the restricted substances and their chemical symbols.

10


Install the appliance

Prepare and install the appliance in your network.

Before you begin

• Install a Security Management Center (SMC) on a separate server.

• Configure the Firewall element in the Management Client, and save the initial configuration on a

USB drive.

Note: For additional information on SMC installation and initial configuration, see the

Forcepoint Next Generation Firewall Installation Guide .

• Inspect the appliance, the delivery box, and all components included in the shipment.

Note: Do not use damaged appliances or components.

Install an interface module

If needed, install any interface modules.

Before you begin

• Read the safety precautions.

• Make sure any interface modules you install are the correct type for your appliance.

CAUTION: To avoid damaging the modules or the appliance, do not install or remove any interface modules if the appliance is turned on.

You must install an interface module or a placeholder module in each slot before making the appliance operational. If the appliance was delivered with a plate that covered the interface slot, you can cover the interface slot with the plate.

Note: We recommend fastening a grounding strap to your wrist so that it contacts your bare skin and attaching the other end of the strap to the appliance.

Steps

1) Locate the slot to install the module in.

2) If the interface slot is covered with a plate, unfasten the thumbscrew that attaches the plate to the interface module slot and remove the plate.

Store the plate and the thumbscrew for later use in case you want to use the appliance without an interface module.

11


3) Push the module into the slot.

The module is seated correctly when the front panel of the module is even with the front panel of the appliance.

Important: Do not insert the module in the wrong orientation. Inserting the modules incorrectly might damage the appliance and the modules and voids the warranty.

4) Push and hold the thumbscrews on the module, then tighten them to secure the module in place.

Mount the 110 or 115 appliance

You can mount the appliance to a wall or place the appliance on a horizontal surface such as a desk or rack shelf.

Steps

1) Locate the two screws that are included in the appliance delivery.

2) Attach the two screws to the wall.

Note: Make sure that the spacing of the screws matches the spacing of the two holes on the bottom of the appliance.

3) Align the two holes on the bottom of the appliance over the two screws and slide the appliance down to secure the appliance in place.

Connect cables

Connect the network cables and power cable.

Copper cable types

Use at least CAT5e-rated cables for gigabit networks.

Speed and duplex settings

Network interfaces at both ends of each cable must have identical speed and duplex settings.

These settings include the automatic negotiation setting. If one end of the cable uses autonegotiation, the other end must also use autonegotiation. Gigabit standards require interfaces to use autonegotiation. Fixed settings are not allowed at gigabit speeds.

12


Ethernet port mapping

For appliances that have removable interface modules, Ethernet port names are based on the slot and port numbers.

The first number in the name represents the slot on the appliance, and the second number represents the port on the slot. Example: eth2_0 is located on port 0 of slot 2.

• Slot 0 contains the fixed Ethernet ports.

• Slots 1 and higher contain the ports on the interface modules. The port numbers start at 0 and increase from left to right.

During the initial configuration of the appliance, you map the Ethernet ports to the interface IDs that you defined in the Management Client.

The NGFW Initial Configuration Wizard shows the mapping between the interface IDs and port names. In the command line version of the NGFW Initial Configuration Wizard, Interface IDs appear in the Id column and port names appear in the Name column.

This mapping can change if you replace an interface module. If the new module has more Ethernet ports, the interface IDs for the new ports start from the next free interface ID number. Example: You have thirteen interfaces numbered 0–12, which includes a four-port module installed in slot 1.

Figure 1: Original interface ID mapping

If you replace the four-port module installed in slot 1 with a two-port module, eth1_2 with ID 10 and eth1_3 with

ID 11 are removed.

13


Figure 2: Changed interface ID mapping

Connect network cables

Ethernet ports are mapped to interface IDs during the initial configuration. Determine which Ethernet ports to use for connecting to your networks.

Note: On the 115 appliance, the port number of the integrated wireless network card is 2.

Steps

1) Connect network cables to the Ethernet ports.

If you use the plug-and-play configuration method, connect a cable to Ethernet port 0 for contacting the

Installation Server. The ports are numbered 0–1 from left to right.

2) Connect the cables to the ports in the integrated switch.

The ID of the integrated switch is 0. The ports are numbered from left to right: 0–3 on the top row and 0–1 on the bottom row.

Related concepts

How the integrated switch works on page 15

Connect network cables to SFP ports

If you installed an SFP interface module on the appliance or the appliance has an integrated SFP port, insert the copper or fiber-optic SFP transceiver into the port, then connect the cables.

Steps

1) Insert the SFP transceiver in the port slot until you feel the connector on the transceiver snap into place.

Note: Make sure that the latch on the SFP transceiver is up when you insert the SFP transceiver in the port slot.

14


2) If the SFP transceiver has a rubber plug, remove the plug.

3) Connect the copper or fiber-optic cable to the SFP transceiver.

Note: Each SFP port must match the wavelength specifications at the other end of the cable.

The cable must not exceed the stipulated cable length for reliable communications.

Connect the power adapter

Use the power cable to plug in the appliance.

Note: We recommend using a UPS to ensure continuous operation and minimize the risk of damage to the appliance in case of sudden loss of power.

Steps

1) Connect the power cable to the power connector on the back of the appliance.

2) Plug the power cable into a grounded, high-quality power strip that offers protection from electrical noise and power surges.

Port settings for plug-and-play configuration method

If you use the plug-and-play configuration method, the appliance uses Ethernet port 0 to contact the Installation

Server.

Make sure that the port settings are configured correctly in the Management Client for the initial configuration.

The interface that corresponds to Ethernet port 0 in the initial configuration must have a dynamic IPv4 address.

How the integrated switch works

The integrated switch enables you to configure port groups. The Forcepoint NGFW engine does not inspect traffic between ports in the same port group.

Note: You can only use the integrated switch if the appliance has been configured as a Single

Firewall. You cannot use the integrated switch as an external switch device without Forcepoint

NGFW properly configured and running.

When the Forcepoint NGFW engine is in the initial configuration state and no configuration has been saved to the integrated switch, ports in the integrated switch are not configured into port groups and the integrated switch does not yet route traffic. After a configuration has been saved, traffic is allowed between ports in the same port group according to the configuration, even if you reboot the appliance.

If you turn off the appliance, the port group configuration is reset and traffic between the ports in the same port group is interrupted. The last saved port group configuration is automatically applied to the appliance when the appliance is turned on again.

15


Note: The ports in the integrated switch do not support VLAN tagging.

Maintenance

Some Forcepoint NGFW appliances ship with replaceable components.

Turn off the appliance

Most Forcepoint NGFW appliance hardware components are not hot-swappable. Turn off the appliance and disconnect power before replacing the CFast card or interface modules.


Steps

1) Connect to the NGFW Engine command line. Depending on your appliance type, use one of these options.

• Connect a keyboard to a USB port and a monitor to the VGA port, then press Enter .

• Connect a computer running a terminal emulator program to the appliance console port, then press

Enter .

Note: The console port is not enabled by default on some appliances.

• Connect using SSH.

Note: SSH access is not enabled by default.

2) Enter the logon credentials.

The user name is root

and the password is the one you set for the appliance.

3) Enter the command halt

.

4) Unplug all power cords from the system or the wall outlets.

Replace the CFast card

Replace the CFast card with another card that you received from Forcepoint.


16


Steps

1) Turn off the appliance and disconnect any power cables.

2) Locate the CFast card on your appliance.

3) If there is still tape covering the CFast card, remove the tape.

4) Gently push in the CFast card to release the card from the slot.

5) Position the replacement CFast card. Turn the end with the slots toward the appliance. The wider slot must be on the left.

6) Insert the new CFast card into the slot and gently push to lock the card into place.

7) Reconfigure the appliance for the replacement CFast card. See the initial configuration information in the

Forcepoint Next Generation Firewall Installation Guide .

Replace an interface module

Replace an interface module with the same type or a different type of module.

If the appliance was delivered with a plate that covered the interface slot, you can cover the interface slot with the plate.


Steps


2) To release the module, unscrew the thumbscrews, then carefully pull the module out of the slot.

3) Insert the new module.

4) Push and hold the thumbscrews on the module, then tighten them to secure the module in place.

5) Connect the cables and plug the power cables to the system and to the wall outlets.

6) Turn on the appliance.

CAUTION: To ensure proper cooling, do not turn on the appliance if you have not installed an interface module or a placeholder module in each slot.

7) Update the interface configuration.

a) On the command line of the NGFW Engine, enter the following command to start the NGFW Initial

Configuration Wizard: sg-reconfigure

17

Forcepoint Next Generation Firewall Hardware Guide | Models 110, 115 b) In the network interface configuration options, make sure that the autodetected information is correct and that all interfaces have been detected.

If autodetection fails, add network drivers manually. For detailed instructions, see the Forcepoint Next

Generation Firewall Installation Guide .

c) If the number of ports in the new module differs from the old module, adjust the mapping of interfaces to interface IDs.

CAUTION: Do not select the Clear action when modifying interface IDs in the NGFW

Initial Configuration Wizard on the command line. Selecting Clear removes all mapping information between interface IDs and Ethernet ports, and restores the default values.

d) On the Prepare for Management Contact page, highlight Finish , then press Enter .

e) If the number of ports in the new module differs from the old module, modify the interface definitions in the Management Client, then refresh the policy to transfer the interface changes to the engine.

Make sure to use the same interface IDs that you mapped to the interfaces in the NGFW Initial

Configuration Wizard for the interface definitions in the Management Client.

Reattach the cover plate to the interface module slot

Reattach the module cover plate if there is no module in the slot.

CAUTION: Do not turn on the appliance if a slot is empty or uncovered. Using the appliance without an interface module or the cover plate can damage the appliance and voids the warranty.


Steps

1) Turn off the appliance.

2) Remove the interface module from the interface module slot.

3) Locate the tab at the lower left corner of the plate.

4) Insert the tab into the hole in the lower left corner of the slot casing.

5) Push and hold the thumbscrews on the plate, then tighten them to secure the plate in place.

18


Remove SFP transceivers

Remove or replace an SFP transceiver.

CAUTION: Invisible laser radiation is emitted from the end of a fiber-optic cable and from the fiber port. Do not stare into the beam and avoid direct exposure to the beam.


Steps


2) Unplug all power cables from the system or the wall outlets.

3) Disconnect the cable from the SFP transceiver.

4) Pull down the latch on the transceiver and carefully pull the SFP transceiver out of the port slot.

5) If needed, insert a replacement SFP transceiver in the slot.

Compliance information

Forcepoint NGFW appliances that have wireless support are in compliance with certain EU directives and FCC standards for wireless devices intended for home and office use.

This information is valid for all dual band products (2.4 GHz, IEEE 802.11b/g/n, and 5 GHz, IEEE 802.11a/n/ac).

The supported channels and frequencies are listed by country in the Management Client. The wireless configuration is transferred to the appliance when you install the policy on the NGFW Engine.

EU Directives

This appliance is in compliance with:

• EMC directive 2014/30/EU

• RED directive 2014/53/EU

The frequencies and maximum transmitted power in the EU are:

• 2400–2483.5 MHz: 19.95 dBm (EIRP)

• 5150–5250 MHz: 22.95 dBm (EIRP)

Operations in the 5150–5350 MHz band are restricted to indoor usage only.

19


FCC Standards

This appliance is in compliance with FCC Part 15 .

Applied technologies

The appliance uses these technologies.

• Radio spectrum — Sub-bands 2400–2483.5 MHz and 5150–5250 MHz

• Safety — Dual band products

• Electromagnetic Compatibility (EMC) — Dual band products

National restrictions and requirements for authorization

These appliances can be operated within FCC DFS2 band or ETSI/EC DFS band, or other countries that regulate or plan to regulate mid-5 GHz band.

The usage of mid-5 GHz band is subject to the regulatory approval alone with the resided devices.

The requirements for any country or area might change. We recommend that you check with your local authorities for the latest status of national requirements for 2.4 GHz and 5 GHz wireless LANs.

20

© 2018 Forcepoint

Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

Raytheon is a registered trademark of Raytheon Company.

All other trademarks used in this document are the property of their respective owners.

Forcepoint 110, 115 Hardware Manual

Next Generation

Firewall

Hardware Guide

Introduction

Find product documentation

Model N110 features

Front panel

Back panel

Left side panel

Indicator lights

Ethernet port indicators

Model N115 features

Front panel

Back panel

Left side panel

Indicator lights

Ethernet port names

Ethernet port indicators

Supported interface modules

MMGE4 module

MMGESFP module

Precautions

Safety precautions

General safety

Operating precautions

Electrical safety precautions

Restricted substances

Install the appliance

Install an interface module

Mount the 110 or 115 appliance

Connect cables

Copper cable types

Speed and duplex settings

Ethernet port mapping

Connect network cables

Connect network cables to SFP ports

Connect the power adapter

Port settings for plug-and-play configuration method

How the integrated switch works

Maintenance

Turn off the appliance

Replace the CFast card

Replace an interface module

Reattach the cover plate to the interface module slot

Remove SFP transceivers

Compliance information

EU Directives

FCC Standards

Applied technologies

National restrictions and requirements for authorization

Related manuals

Forcepoint

115

Forcepoint

NGFW 51

Forcepoint

NGFW 51

Forcepoint

3202

Forcepoint

NGFW

Forcepoint

120W

Forcepoint

330 Series

Forcepoint

6205

Forcepoint

330 Series