advertisement
Next Generation
Firewall
Models 110, 115
Hardware Guide
Revision C
Forcepoint Next Generation Firewall Hardware Guide | Models 110, 115
Contents
■
on page 2
■
Find product documentation on page 2
■
■
■
■
on page 10
■
■
on page 19
Introduction
Thank you for choosing a Forcepoint appliance.
Familiarize yourself with the appliance ports and indicators and learn how to install the appliance safely.
Find product documentation
On the Forcepoint support website, you can find information about a released product, including product documentation, technical articles, and more.
You can get additional information and support for your product on the Forcepoint support website at https://support.forcepoint.com
. There, you can access product documentation, release notes, Knowledge Base articles, downloads, cases, and contact information.
You might need to log on to access the Forcepoint support website. If you do not yet have credentials, create a customer account. See https://support.forcepoint.com/CreateAccount .
2
Forcepoint Next Generation Firewall Hardware Guide | Models 110, 115
Model N110 features
The figures and tables show the appliance components and features.
Front panel
This panel has the following parts.
1 2 3 4
1 Power indicator
2 Status indicator
3 Management (MGMT) indicator
4 Internet connectivity indicator
Back panel
This panel has the following parts.
1 2 3 4 5
1 Power connector
2 USB ports
3 Console port (speed 115,200 bps)
4 Fixed Ethernet ports 0–1 (from left to right)
5 Ports 0–7 in the integrated switch (from left to right, 0–3 on the top row and 4–7 on the bottom row)
3
Forcepoint Next Generation Firewall Hardware Guide | Models 110, 115
Note
This appliance does not support hardware flow control on the console port. If you do not disable this feature when using a terminal emulator program, you cannot enter commands into the console; you can only view the output.
Left side panel
There is a CFast Card on the left side panel of the appliance.
Indicator lights
Indicator lights show the status of the appliance and any fixed Ethernet ports.
Indicator Color
Power Green
Status Unlit
Amber
MGMT
Internet
WLAN
(115 only)
Green
Green
Green
Green
Description
Power is supplied to the appliance.
The initial configuration has not yet been generated.
Initial contact is established, but the NGFW Engine is offline. Flashes until initial contact is established.
The NGFW Engine is online.
Management connection is established.
Internet connection is up. This feature is not enabled by default.
The access point is available for clients to connect to.
Ethernet port indicators
Ethernet port indicators show the status and speed of the network ports.
1 2
1 2
1 Activity/link indicator
2 Link speed indicator
4
Forcepoint Next Generation Firewall Hardware Guide | Models 110, 115
Indicator
Activity/link indicator
Link speed indicator
Color
Green
Unlit
Amber
Green
Description
Steady when link is present. Flashes on activity.
10 Mbps link.
100 Mbps link.
1 Gbps link.
Model N115 features
The figures and tables show the appliance components and features.
Front panel
This panel has the following parts.
1 2 3 4 5
1 Power indicator
2 Status indicator
3 Management (MGMT) indicator
4 Internet connectivity indicator
5 Wireless LAN (WLAN) connectivity indicator
5
Forcepoint Next Generation Firewall Hardware Guide | Models 110, 115
Back panel
This panel has the following parts.
1 2 3 4 5 6
1 Interface module slot
2 Power connector
3 USB ports
4 Console port (speed 115,200 bps)
5 Fixed Ethernet ports 0–1 (from left to right)
6 Ports 0–7 in the integrated switch (from left to right, 0–3 on the top row and 4–7 on the bottom row)
Note
This appliance does not support hardware flow control on the console port. If you do not disable this feature when using a terminal emulator program, you cannot enter commands into the console; you can only view the output.
Left side panel
There is a CFast Card on the left side panel of the appliance.
Indicator lights
Indicator lights show the status of the appliance and any fixed Ethernet ports.
Indicator Color
Power Green
Status Unlit
Amber
MGMT
Internet
Green
Green
Green
Description
Power is supplied to the appliance.
The initial configuration has not yet been generated.
Initial contact is established, but the NGFW Engine is offline. Flashes until initial contact is established.
The NGFW Engine is online.
Management connection is established.
Internet connection is up. This feature is not enabled by default.
6
Forcepoint Next Generation Firewall Hardware Guide | Models 110, 115
Indicator Color
WLAN
(115 only)
Green
Description
The access point is available for clients to connect to.
Ethernet port indicators
Ethernet port indicators show the status and speed of the network ports.
1 2
1 2
1 Activity/link indicator
2 Link speed indicator
Indicator
Activity/link indicator
Link speed indicator
Color
Green
Unlit
Amber
Green
Description
Steady when link is present. Flashes on activity.
10 Mbps link.
100 Mbps link.
1 Gbps link.
Ethernet port names for appliances with interface modules
Ethernet port names are based on the slot and port numbers.
The first number in the name represents the slot on the appliance. The second number represents the port on the slot. For example, eth2_0 is located on port 0 of slot 2.
Component
Fixed Ethernet ports
Interface module ports
Slot
0
1
Port numbers eth0_0 and eth0_1.
The port numbers start from 0 and increase from left to right.
For example, the port farthest to the left in slot 1 is eth1_0.
7
Forcepoint Next Generation Firewall Hardware Guide | Models 110, 115
Supported interface modules
Forcepoint NGFW appliances support the following types of interface modules. For a list of all available interface modules and compatibility information, see Knowledge Base article 10245 .
Note
Do not remove any stickers from modules — they contain important information.
MMGE4 module
The MMGE4 module is a quad-port gigabit interface module.
1 2
Number
1
2
3
3
Component
Activity/link indicator
Link speed indicator
Thumbscrews
Color
Green
Green
Amber
N/A
Description
Link OK, flashes on activity.
1 Gbps link.
10 Mbps or 100 Mbps link.
N/A
MMGESFP module
The MMGESFP module is a single-port gigabit interface SFP mini module.
2
1
Number
1
2
Component
Activity/link/link speed indicator
Thumbscrews
Color
Green
N/A
Description
1 Gbps link (other speeds not supported), flashes on activity.
N/A
8
Forcepoint Next Generation Firewall Hardware Guide | Models 110, 115
Precautions
The precautions provide safety guidance when working with Forcepoint appliances and electrical equipment.
CAUTION
Forcepoint appliances cannot be serviced by end users. Never open the appliance covers for any reason. Doing so can lead to serious injury and void the hardware warranty.
For additional safety information, see the Forcepoint Product Safety and Regulatory Compliance Guide .
General safety precautions
Read the safety information and follow these rules to ensure general safety whenever you are working with electronic equipment.
■ Keep the area around the appliance clean and free of clutter.
■ Use a regulating uninterruptible power supply (UPS) to keep your system operating during power failures and to protect the appliance from power surges and voltage spikes.
■ If you need to turn off or unplug the appliance, always wait at least five seconds before turning on or plugging in the appliance again.
Operating precautions
Follow these precautions when operating the appliance.
■ Do not open the power adapter casing. Only the manufacturer's qualified technician can access and service power adapters.
WLAN precautions
Model 115 has WLAN support. Data traffic by a wireless connection might allow unauthorized third parties to receive data. Take the necessary steps to secure your radio network.
See http://www.wi-fi.org
for information about securing your WLAN.
Restrictions and requirements might apply for authorizing wireless devices. Check with your local authorities for additional information.
Electrical safety precautions
Follow basic electrical safety precautions to protect yourself from harm and the appliance from damage.
■ Know the locations of the power on/off button and the emergency turn-off switch, disconnection switch, or electrical outlet for the room. If an electrical accident occurs, you can quickly turn off power to the system.
■ When working with high-voltage components, do not work alone.
9
Forcepoint Next Generation Firewall Hardware Guide | Models 110, 115
■ When working with electrical equipment that is turned on, use only one hand. This is to avoid making a complete circuit, which causes an electric shock. Use extreme caution when using metal tools, which can easily damage any electrical components or circuit boards the tools come into contact with.
■ Do not use mats designed to decrease electrostatic discharge as protection from electric shock. Instead, use rubber mats that have been designed as electrical insulators.
■ If the power supply cable includes a grounding plug, the plug must be plugged into a grounded electrical outlet.
■ Use only the power cable or cables supplied with the appliance.
Unit
Restricted substances
The following table shows the restricted substances and their chemical symbols.
PCB
Chassis
Wiring cable
Carton
Power adapter
Lead (Pb) Mercury (Hg) Cadmium (Cd)
—
O
O
O
—
O
O
O
O
O
O
O
O
O
O
Hexavalent chromium (CR+6)
O
O
O
O
O
Polybrominated biphenyls (PBB)
O
O
O
O
O
Polybrominated diphenyl ethers (PBDE)
O
O
O
O
O
■ Exceeding 0.1 wt % and Exceeding 0.01 wt % indicate that the percentage content of the restricted substance exceeds the reference percentage value of presence condition.
■ O indicates that the percentage content of the restricted substance does not exceed the percentage of reference value of presence.
■ — indicates that the restricted substance corresponds to the exemption.
Install the appliance
There are several tasks that must be completed before the appliance is installed.
These tasks and the installation of the appliance might be done by the same person or by different persons:
■ The Security Management Center (SMC) administrator is responsible for the tasks that are needed before the appliance is installed.
■ The on-site installer is responsible for installing the appliance.
For more information, see the Forcepoint Next Generation Firewall Installation Guide .
To prepare for the appliance installation, the SMC administrator must do the following:
1) If the SMC has not yet been installed, install the SMC.
Important
Do not install the SMC on the NGFW appliance.
The SMC can manage many NGFW appliances.
10
Forcepoint Next Generation Firewall Hardware Guide | Models 110, 115
2) In the Management Client component of the SMC, create and configure the NGFW Engine element that represents the appliance.
3) In the Management Client component of the SMC, save the initial configuration.
The SMC administrator must either:
■ Upload the initial configuration to the Installation Server for plug-and-play configuration of the appliance.
Note
There are additional requirements for plug-and play configuration. See Knowledge Base article 9662 .
■ Give the on-site installer a USB drive that contains an initial configuration file for each appliance.
The on-site installer must do the following:
1) Inspect the appliance, delivery box, and all components included in the shipment.
Important
Do not use damaged appliances or components.
2) Connect all necessary power and network cables and other components, then turn on the appliance.
If the plug-and-play configuration method is not used, the on-site installer must use the USB drive that contains the initial configuration files to configure the NGFW Engine software.
3) When you have finished installing the appliance, inform the SMC administrator so that the administrator can check the status of the appliance in the Management Client.
Install an interface module
If you have interface modules, install them in the appliance.
Before you begin
Read the safety precautions and make sure any interface modules you install are the correct type for your appliance.
CAUTION
To avoid damaging the modules or the appliance, do not install or remove any interface modules if the appliance is turned on.
Note
We recommend fastening a grounding strap to your wrist so that it contacts your bare skin and attaching the other end of the strap to the appliance.
11
Forcepoint Next Generation Firewall Hardware Guide | Models 110, 115
Steps
1) Locate the slot to install the module in.
2) If the interface slot is covered with a plate, unfasten the thumbscrews that attach the plate to the interface module slot.
3) Remove the plate.
Store the plate for later use in case you want to use the appliance without an interface module.
4) Push the module into the slot.
The module is seated correctly when the front panel of the module is even with the front panel of the appliance.
Note
If the module has a sticker, make sure that the sticker faces up.
Important
Do not insert the module in the wrong orientation. Inserting the modules incorrectly might damage the appliance and the modules and voids the warranty.
5) Push and hold the thumbscrews on the module, then tighten them to secure the module in place.
Mount the appliance on a wall
You can mount the appliance on a wall or place the appliance on a flat surface, such as a desk or shelf.
Steps
1) Locate the two screws that are included in the appliance delivery.
2) Attach the two screws to the wall.
Note
Make sure that the spacing of the screws matches the spacing of the two holes on the bottom of the appliance.
3) Align the two holes on the bottom of the appliance over the two screws and slide the appliance down to secure the appliance in place.
Connect the cables
Connect the network and power cables.
Use at least CAT5e-rated cables for gigabit networks.
12
Forcepoint Next Generation Firewall Hardware Guide | Models 110, 115
Network interfaces at both ends of each cable must have identical speed and duplex settings. These settings include the automatic negotiation setting. If one end of the cable uses autonegotiation, the other end must also use autonegotiation. Gigabit standards require interfaces to use autonegotiation. Fixed settings are not allowed at gigabit speeds.
Ethernet port mapping
For appliances that have removable interface modules, Ethernet port names are based on the slot and port numbers.
The first number in the name represents the slot on the appliance, and the second number represents the port on the slot. For example, eth2_0 is located on port 0 of slot 2.
■ Slot 0 contains the fixed Ethernet ports.
■ Slots 1 and higher contain the ports on the interface modules.
The port numbers start at 0 and increase from left to right.
During the initial configuration of the appliance, you map the Ethernet ports to the interface IDs that you defined in the Management Client.
The NGFW Configuration Wizard shows the mapping between the interface IDs and port names. In the command line version of the NGFW Configuration Wizard, Interface IDs appear in the ID column and port names appear in the Name column.
This mapping can change if you replace an interface module. If the new module has more Ethernet ports, the interface IDs for the new ports start from the next free interface ID number.
Example: You have thirteen interfaces numbered 0–12, which includes a four-port module installed in slot 1. If you replace the four-port module installed in slot 1 with a two-port module, eth1_2 with ID 10 and eth1_3 with ID
11 are removed.
Example before and after ID mapping
Connect network cables
Ethernet ports are mapped to interface IDs during the initial configuration. Determine which Ethernet ports to use for connecting to your networks.
Note
On the 115 appliance, the port number of the integrated wireless network card is 2.
13
Forcepoint Next Generation Firewall Hardware Guide | Models 110, 115
Steps
1) Connect network cables to the Ethernet ports.
If you use the plug-and-play configuration method for a single NGFW appliance, the appliance uses Ethernet port 0 to contact the Installation Server. The ports are numbered 0–1 from left to right.
2) Connect the cables to the ports in the integrated switch.
The ID of the integrated switch is 0. The ports are numbered from left to right: 0–3 on the top row and 0–1 on the bottom row.
Related concepts
How the integrated switch works
on page 15
Connect network cables to SFP ports
If you installed an SFP interface module on the appliance or the appliance has an integrated SFP port, insert the copper or fiber-optic SFP transceiver into the port, then connect the cables.
Steps
1) Insert the SFP transceiver in the port slot until you feel the connector on the transceiver snap into place.
Note
Make sure that the latch on the SFP transceiver is up when you insert the SFP transceiver in the port slot.
2) If the SFP transceiver has a rubber plug, remove the plug.
3) Connect the copper or fiber-optic cable to the SFP transceiver.
Note
Each SFP port must match the wavelength specifications at the other end of the cable. The cable must not exceed the stipulated cable length for reliable communications.
Connect the power adapter
Use the power cable to plug in the appliance.
Note
We recommend using a UPS to ensure continuous operation and minimize the risk of damage to the appliance in case of sudden loss of power.
Steps
1) Connect the power cable to the power connector on the back of the appliance.
If the power cable has a knurled locking nut, tighten the nut to secure the cable in place.
14
Forcepoint Next Generation Firewall Hardware Guide | Models 110, 115
2) Plug the power cable into a grounded, high-quality power strip that offers protection from electrical noise and power surges.
Port settings for plug-and-play configuration method
If you use the plug-and-play configuration method for a single NGFW appliance, the appliance uses Ethernet port
0 to contact the Installation Server.
Make sure that the port settings are configured correctly in the Management Client for the initial configuration.
To use the plug-and-play configuration method, the interface that corresponds to Ethernet port 0 in the initial configuration must have a dynamic IPv4 address.
How the integrated switch works
An integrated switch represents the switch functionality on purpose-built Forcepoint NGFW appliances. Integrated switches eliminate the need for an external switch device and reduce costs and clutter.
This Forcepoint NGFW appliance has a hardware integrated switch. You can configure one integrated switch.
You can configure one or more port groups on the integrated switch. The Forcepoint NGFW engine does not inspect traffic between ports in the same port group.
Note
You can only use the integrated switch if the appliance has been configured as a Single Firewall.
You cannot use the integrated switch as an external switch device without Forcepoint NGFW properly configured and running.
When the Forcepoint NGFW engine is in the initial configuration state and no configuration has been saved to the integrated switch, ports in the integrated switch are not configured into port groups and the integrated switch does not yet route traffic. After a configuration has been saved, traffic is allowed between ports in the same port group according to the configuration, even if you reboot the appliance.
If you turn off the appliance, the port group configuration is reset and traffic between the ports in the same port group is interrupted. The last saved port group configuration is automatically applied to the appliance when the appliance is turned on again.
Note
The ports in the integrated switch do not support VLAN tagging or PPPoE. You cannot use ports on the integrated switch as the control interface.
For more information, see the Forcepoint Next Generation Firewall Installation Guide and the Forcepoint Next
Generation Firewall Product Guide .
Maintenance
Some Forcepoint NGFW appliances ship with replaceable components.
15
Forcepoint Next Generation Firewall Hardware Guide | Models 110, 115
Turn off the appliance
Most Forcepoint NGFW appliance hardware components are not hot-swappable. Turn off the appliance from the
NGFW Engine command line.
Turn off the appliance and disconnect power before replacing the CFast card or interface modules.
Tip
The SMC administrator can also turn off the appliance remotely using the Management Client. For more information, see the Forcepoint Next Generation Firewall Product Guide .
Steps
1) Connect to the NGFW Engine command line.
Depending on the appliance type, use one of the following options:
■ Connect a computer running a terminal emulator program to the appliance console port, then press
Enter .
■ Connect using SSH.
Note
SSH access is not enabled by default.
■ Connect a keyboard to a USB port and a monitor to the VGA port, then press Enter .
2) Enter the logon credentials.
The user name is root and the password is the one you set for the appliance.
3) Enter the following command: halt
4) Wait until the power indicator light turns red or is unlit, then unplug all power cables from the appliance.
Replace the CFast card
Replace the CFast card with another card that you received from Forcepoint.
Note
We recommend fastening a grounding strap to your wrist so that it contacts your bare skin and attaching the other end of the strap to the appliance.
Steps
1) Turn off the appliance and disconnect any power cables.
2) Locate the CFast card on your appliance.
16
Forcepoint Next Generation Firewall Hardware Guide | Models 110, 115
3) If there is still tape covering the CFast card, remove the tape.
4) Gently push in the CFast card to release the card from the slot.
5) Position the replacement CFast card. Turn the end with the slots toward the appliance. The wider slot must be on the left.
6) Insert the new CFast card into the slot and gently push to lock the card into place.
7) Reconfigure the appliance for the replacement CFast card. See the initial configuration information in the
Forcepoint Next Generation Firewall Installation Guide .
Replace an interface module
Replace an interface module with the same type or a different type of module.
If the appliance was delivered with a plate that covered the interface slot, you can alternatively cover the interface slot with the plate instead of replacing the interface module with another module.
Note
We recommend fastening a grounding strap to your wrist so that it contacts your bare skin and attaching the other end of the strap to the appliance.
Steps
1) Turn off the appliance and disconnect any power cables.
2) To release the module, unscrew the thumbscrews.
3) Carefully pull the module out of the slot.
4) Insert the new module.
5) Push and hold the thumbscrews on the module, then tighten them to secure the module in place.
6) Connect the cables and plug the power cables to the system and to the wall outlets.
7) Turn on the appliance.
CAUTION
To ensure proper cooling, do not turn on the appliance if you have not installed an interface module or a placeholder module in each slot.
17
Forcepoint Next Generation Firewall Hardware Guide | Models 110, 115
8) Update the interface configuration.
a) On the command line of the NGFW Engine, enter the following command to start the NGFW
Configuration Wizard: sg-reconfigure b) In the network interface configuration options, make sure that the autodetected information is correct and that all interfaces have been detected.
If autodetection fails, add network drivers manually. For detailed instructions, see the Forcepoint Next
Generation Firewall Installation Guide .
c) If the number of ports in the new module differs from the old module, adjust the mapping of interfaces to interface IDs.
CAUTION
Do not select the Clear action when modifying interface IDs in the NGFW Configuration
Wizard on the command line. Selecting Clear removes all mapping information between interface IDs and Ethernet ports, and restores the default values.
d) On the Prepare for Management Contact page, highlight Finish , then press Enter .
e) If the number of ports in the new module differs from the old module, modify the interface definitions in the Management Client, then refresh the policy to transfer the interface changes to the engine.
Make sure to use the same interface IDs that you mapped to the interfaces in the NGFW Configuration
Wizard for the interface definitions in the Management Client.
Reattach the cover plate to the interface module slot
Reattach the module cover plate if there is no module in the slot.
CAUTION
Do not turn on the appliance if a slot is empty or uncovered. Using the appliance without an interface module or the cover plate can damage the appliance and voids the warranty.
Note
We recommend fastening a grounding strap to your wrist so that it contacts your bare skin and attaching the other end of the strap to the appliance.
Steps
1) Turn off the appliance.
2) Remove the interface module from the interface module slot.
18
Forcepoint Next Generation Firewall Hardware Guide | Models 110, 115
3) Locate the tab at the lower left corner of the plate.
4) Insert the tab into the hole in the lower left corner of the slot casing.
5) Slide the plate inward until it covers the slot and the thumbscrew in the plate aligns with the screw hole to the right of the slot.
6) Push and hold the thumbscrews on the plate, then tighten them to secure the plate in place.
Remove SFP transceivers
You can remove or replace SFP transceivers.
CAUTION
Invisible laser radiation is emitted from the end of a fiber-optic cable and from the fiber port. Do not stare into the beam and avoid direct exposure to the beam.
Note
We recommend fastening a grounding strap to your wrist so that it contacts your bare skin and attaching the other end of the strap to the appliance.
Steps
1) Turn off the appliance and disconnect any power cables.
2) Unplug all power cables from the system or the wall outlets.
3) Disconnect the cable from the SFP transceiver.
4) Pull down the latch on the transceiver, then carefully pull the SFP transceiver out of the port slot.
5) If needed, insert a replacement SFP transceiver in the slot.
Compliance information
Forcepoint NGFW appliances that have wireless support are in compliance with certain EU directives and FCC standards for wireless devices intended for home and office use.
This information is valid for all dual band products (2.4 GHz, IEEE 802.11b/g/n, and 5 GHz, IEEE 802.11a/n/ac).
The supported channels and frequencies are listed by country in the Management Client. The wireless configuration is transferred to the appliance when you install the policy on the NGFW Engine.
19
Forcepoint Next Generation Firewall Hardware Guide | Models 110, 115
EU Directives
This appliance is in compliance with:
■ EMC directive 2014/30/EU
■ RED directive 2014/53/EU
The frequencies and maximum transmitted power in the EU are:
■ 2.41–2.47 GHz: 16.35 dBm (EIRP)
■ 5.18–5.24 GHz: 16.58 dBm (EIRP)
■ 5.26–5.32 GHz: 16.68 dBm (EIRP)
■ 5.50–5.70 GHz: 19.96 dBm (EIRP)
Operations in the 5150–5350 MHz band are restricted to indoor usage only.
FCC Standards
This appliance is in compliance with FCC Part 15 .
Applied technologies
The appliance uses these technologies.
■ Radio spectrum — Sub-bands 2400–2483.5 MHz and 5150–5250 MHz
■ Safety — Dual band products
■ Electromagnetic Compatibility (EMC) — Dual band products
National restrictions and requirements for authorization
These appliances can be operated within FCC DFS2 band or ETSI/EC DFS band, or other countries that regulate or plan to regulate mid-5 GHz band.
The usage of mid-5 GHz band is subject to the regulatory approval alone with the resided devices.
The requirements for any country or area might change. We recommend that you check with your local authorities for the latest status of national requirements for 2.4 GHz and 5 GHz wireless LANs.
20
© 2020 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.
All other trademarks used in this document are the property of their respective owners.
Published 28 October 2020
advertisement
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Related manuals
advertisement