Some best practices are listed below:
Do not configure the NGFW management connection to go through a VPN that terminates at the managed engine.
- Configure your policy so the firewall itself does not put the management connection into a VPN. If routing it through a VPN is unavoidable, configure a backup management connection that does not use the VPN and fail over to it when the VPN to the engine goes down.
- The VPN needs a working management connection, and the management connection needs a working VPN: this is a circular dependency, so the management connection lives or dies with the VPN. If either the management connection or the VPN fails, you cannot repair the management connection without performing a new initial contact. If you have already set up your NGFW with the management connection over a VPN and run into this, perform a new initial contact and edit your policy so the management connection is no longer routed through the VPN. The Firewall Template automatic rules allow the management connection by default (TCP ports 4987 and 8906).
Do not configure the NGFW management connection to go through an aggregate interface on the NGFW itself.
- Do not use an IP address on the aggregated interface, or on a VLAN on top of it, as the control IP, and make sure packets between the Management Server and the NGFW are not routed through an aggregated interface on the NGFW itself.
- An aggregate interface cannot be configured while the NGFW is in the initial configuration. If the switch already had LACP configured while the NGFW was in the initial configuration, communication with the SMC is not possible in the first place, so no policy can be installed. If the switch has no LACP configured yet and a policy that defines the control interface as an aggregate is installed, the aggregate cannot come up, the connection to the SMC fails with the new policy in use, and the engine rolls back to the initial configuration. Even if such a policy were somehow installed successfully, the same problem would recur whenever the NGFW returns to the initial configuration for any reason or the hardware is replaced.
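As an added example (not code from this page or from the NGFW vendor), a small Python lint over a constructed interface and routing model that flags both anti-patterns above: a control IP sitting on an aggregate or on a VLAN stacked on one, and a Management Server reached through a VPN tunnel interface. The Interface and Route classes, the interface kinds and the sample addresses are assumptions for illustration, not the SMC's own data model.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Interface:
    name: str
    kind: str                    # "physical", "aggregate", "vlan" or "tunnel" (VPN)
    addresses: list = field(default_factory=list)
    parent: str = None           # for a VLAN: the interface it is tagged on
@dataclass
class Route:
    network: str                 # destination prefix, e.g. "0.0.0.0/0"
    interface: str               # egress interface name

def rides_on_aggregate(iface, by_name):
    """True if the interface is an aggregate or a VLAN stacked on one."""
    while iface is not None:
        if iface.kind == "aggregate":
            return True
        iface = by_name.get(iface.parent)
    return False

def egress_for(dst, routes):
    """Longest-prefix-match route for a destination address, or None."""
    hits = [r for r in routes if ip_address(dst) in ip_network(r.network)]
    return max(hits, key=lambda r: ip_network(r.network).prefixlen, default=None)

def check_management_path(control_ip, mgmt_server_ip, ifaces, routes):
    """Return findings as strings; an empty list means both rules hold."""
    by_name = {i.name: i for i in ifaces}
    findings = []
    ctrl = next((i for i in ifaces if control_ip in i.addresses), None)
    if ctrl is None:
        findings.append(f"control IP {control_ip} is not configured on any interface")
    elif rides_on_aggregate(ctrl, by_name):
        findings.append(f"control IP {control_ip} sits on aggregate-backed interface {ctrl.name}")
    route = egress_for(mgmt_server_ip, routes)
    if route is None:
        return findings + [f"no route to Management Server {mgmt_server_ip}"]
    egress = by_name[route.interface]
    if egress.kind == "tunnel":
        findings.append(f"management traffic to {mgmt_server_ip} egresses VPN tunnel {egress.name}")
    if rides_on_aggregate(egress, by_name):
        findings.append(f"management traffic to {mgmt_server_ip} egresses aggregate-backed {egress.name}")
    return findings

# Constructed sample: control IP on a VLAN over an aggregate, default route via a VPN tunnel.
SAMPLE_IFACES = [Interface("ae0", "aggregate"), Interface("ae0.100", "vlan", ["192.0.2.10"], parent="ae0"),
                 Interface("eth0", "physical", ["198.51.100.2"]), Interface("tun0", "tunnel")]
SAMPLE_ROUTES = [Route("0.0.0.0/0", "tun0"), Route("198.51.100.0/24", "eth0")]
```

Running the check with the sample's VLAN address as control IP and a Management Server only reachable via the default route reports both problems; moving the control IP to eth0 and the server into its subnet yields no findings.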