Ex1 NGFW Smcdemo Guide
©2018 Forcepoint. Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint. Raytheon is a registered
trademark of Raytheon Company. All other trademarks used in this document are the property of their respective owners.
This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic
medium or machine-readable form without prior consent in writing from Forcepoint. Every effort has been made to ensure
the accuracy of this manual. However, Forcepoint makes no warranties with respect to this documentation and disclaims
any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or
for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the
examples herein. The information in this documentation is subject to change without notice.
There are 2 ways to set up our SMC Demo:
1. Download any version of the standard SMC software and install it in Demo mode on any supported OS (in VMs). This
is suitable for a long-term, readily accessible environment that also works offline.
2. Contact your Forcepoint representative to spin up a demo lab in Go4Labs. This is quick to set up for a ‘look and
feel’, lasts a maximum of 2 weeks, and can be accessed from any popular web browser.
1. Once at the Landing Machine, double-click the SMC icon on the desktop to launch the client. Click on the
Management Server and you will be prompted to log in. Log in using the credentials below:
Username: demo
Password: demo
2. After a successful login, you will see this page; you may close the “Getting Started” page to begin.
Navigate it like a Web Browser and Spotlight Search Tools
The SMC console is very similar to a modern web browser, so it should be relatively easy for anyone to get the hang of
it.
1. Click on the ‘+’ sign to open a new tab, where you can select from a range of shortcuts and Bookmarks.
2. Click on NGFW to access the NGFW engines page, policies and elements.
*Tips: On the left panel, you may also access all the other components from here*
3. Like a browser, you can navigate forward and back through the pages you have browsed. Click on the back arrow in
the top left corner beside Menu to go back to the previous selection menu page.
4. Click the ‘X’ located beside the ‘Blank’ selection menu to close this tab.
5. Back on the Home page, you can easily search for anything using the Spotlight Search located in the top right
corner of the console. Type in 192.168.1.0 and you will find the following result.
6. Clicking on the “Helsinki Internal Network” result itself will open the actual element for editing. However, it is more
common that you want to know where this element is used. Click on “Where Used?”
7. There are more search tools available for housekeeping in Menu > Search. Give them a try and see what you get.
Lab 2: Preparing the SMC for a Demo
This lab exercise prepares some of the common and key functionalities of the SMC for demonstration. As it may take
time to launch each feature, it is recommended to open them first for a smooth and speedy demo. Each customer
has different requirements, so you may wish to customize your demo once you are familiar with the SMC.
1. On the top left, beside Menu, click on ‘Home’ to go back to the home page.
2. Click ‘+’ to open a new tab, go to Overviews and select ‘Network Application Usage’.
3. Click ‘+’ to open a new tab, go to Overviews and select ‘VPN Overview’.
4. Go to Overviews and click on ‘New Overview’, select ‘Engine Details’ and click ‘OK’.
Tips: You may choose to open other types of Overview Dashboards for different demonstrations.
5. Click the Save button, give it a name or use the default and click ‘OK’. This overview will be available for you to
select next time.
Tips: You may customize any of the existing Overview Dashboards to your desired outlook, which saves you the time of
creating one from scratch.
6. Click ‘+’ to open a new tab and select ‘Logs’ from the Top Menu Shortcut, then click on the Play button to make sure you
have live logs coming in.
8. On the left panel, click on ‘All Fields’, select the Filter button and type in ‘URL’. Select both URL and URL Category,
then drag and drop them in between the ‘Network Application’ and ‘User’ columns.
9. Scroll to the right and you will see those 2 columns added; click ‘Save Column Settings’.
10. On the top right of the Logs View, click on Statistics and choose “Select” from the dropdown menu. Select any item and
type “network application” (the filter will automatically appear), choose ‘Top Network Application’ and click ‘Select’.
Repeat Step 10 but select “Top Users” instead. Click on ‘Logs’ again to reset the view. Those statistics will appear
in your shortcut. *Tips: Prepare all the statistics you wish in the shortcut for quick reference during your demo*
11. Click ‘+’ to open a new tab and select NGFW. Navigate to Policies > Firewall Policies.
12. Click ‘+’ to open a new tab and select SD-WAN. Right-click and select ‘New Policy-Based VPN’.
13. Give it a name, choose ‘VPN-A Suite’ as the Default VPN Profile, and click OK.
14. On the left panel, click on Gateways, then drag and drop ‘Helsinki VPN Gateway’ into the Central Gateways, and
‘Algiers & Atlanta VPN Gateway’ into the Satellite Gateways.
Tips: To avoid setting this up again after you log out, you may choose to save the current view as the Startup
Session.
Tips: In case you close any panels or adjust your view settings and need to revert the view, you may “Reset the
Layout” or “Reset All Layouts” in the SMC from here.
Tips: Since it works like a Web Browser, almost every menu/item can be “Open in New Tab” or “Open in New Window”
for side-by-side comparison.
Tips: Global System Properties is where you can configure automatic updates & upgrades, Change Management
and Password Policies for users and administrators.
Lab 3: SMC Demo
This lab exercise showcases some of the common and key functionalities of the SMC, and how easily administrators
can accomplish their typical daily tasks. Please feel free to add, omit or modify your demo to your audience’s requirements.
*Before I start with the demo, I usually like to spend a minute showing how easy it is to navigate (Lab 1) the SMC UI.*
Typically, administrators start off their day with monitoring the health of the entire system.
1. In the Home tab, we can see the health status of all engines managed by this SMC, regardless of whether they are
physical, virtual or in the cloud.
2. This dashboard is interactive: select any engine of interest (e.g. Atlanta) and you get a drilled-down status of the
engine. You can see that this is a 2-node Active/Active cluster, with 2 ISPs for internet and a Remote Office
firewall policy assigned. It also has some alerts, and the cluster engines are at approximately 50% of their
capacity. What you have seen is the Logical information of the cluster engine.
3. On the Info Panel on the extreme right, you will get General information about the engines, like policies, versions,
interfaces & routing configurations and more.
4. Expanding the (Atlanta) engine and selecting the individual nodes will give you the Physical information
instead: you can see the physical representation of the engine, its interfaces and status.
5. You may have noticed that each dashboard has an “Edit” button on the top right of the main panel. This allows
administrators to personalize what they wish to display and monitor. Click the
“Edit” button and drag & drop ‘Link Selection’ to replace ‘Alerts’. Click the “X” button on the selection panel to
save your current view.
Tips: Also try rearranging the dashboard to fit in more widgets, and try going back to previous dashboards and
customizing those widgets too.
Home Tab Demo – SD-WAN
Since Forcepoint NGFW is also an enterprise SD-WAN solution *New in v6.5*, we have an SD-WAN dashboard to
monitor the health of all your subscribed links.
1. On the left panel, click on SD-WAN and you will see the connectivity status of all the branches.
2. Select any connection (e.g. Atlanta) to drill down into its individual SD-WAN status, like the link utilization
and link quality of each SD-WAN sub-tunnel. The decision on which links to use is fully automated based
on attributes like current traffic utilization, packet loss, latency and jitter.
*Tips: Even these dashboards can be personalized too, go try it*
Home Tab Demo – Users
As part of Forcepoint’s Human Point system, Forcepoint NGFW also provides a human-centric User Dashboard.
1. From the same Home tab, on the left panel, click on Users, and you will see all the users and their activities
traversing the NGFW engines.
2. Select any user (e.g. afischer) to drill down into his/her details. With AD integration and Endpoint Context
Agent, we are able to provide meaningful context and user activities to administrators, so they may understand
why certain breaches happen.
Overview Dashboard Tab Demo
As Forcepoint SMC consolidates all logs from the NGFWs, it can produce a real-time graphical representation of the
information collected, which is what we call Overviews or Dashboards. Overviews are useful for administrators to
understand the current situation of your environment at a given time. We have many built-in Overview templates and you
can customize your own.
1. In this tab, we have the Network Application Overview that gives you the breakdown of applications by users or
Source IP, or application traffic trends in the last 15 minutes.
2. In this VPN Overview, we can observe the traffic flow and trends passing through the different VPN tunnels.
3. In the Engine Details Overview, we see the current traffic throughput, load, concurrent connections and more.
4. Each section can be customized or removed. Click on ‘X’ on the ‘Top Source’ and ‘Top Destination’ sections to
remove them.
5. Go to New and select “Accounted Traffic Trends (Counters)” from the drop-down menu.
6. Adjust the newly added section so it displays as shown below; you have just customized your Overview.
Apart from passive monitoring, these Dashboards can also send an Alert if a certain threshold is exceeded in a
“Progress graph”. Each section can be independently adjusted to display what you desire.
7. Select the “Load” section and the right panel will show its settings. Check “Enable Alert Threshold”, enter
“80” into the “Limit” field, then change the Severity to High. This means that when the Load of the NGFW engine
exceeds 80% in the same hour, a High Severity Alert is sent to my administrators for investigation.
8. Click on the Save button to save all the modifications you made.
Tips: Do explore changing other properties of the different sections and see what you get. You may also select “Save
As…” from the settings icon to avoid changing what you had before.
Logs View Tab Demo
Logs are critical for administrators, so it is very important to provide a consolidated view of all kinds of logs received and
to have capabilities that allow quick filters, drill-downs and statistical analysis.
1. <Click on Play button in Logs View> You will notice that logs received from all NGFW engines are displayed in
real time in the Logs Viewer.
2. Filtering logs is very quick and simple. Find an “Allow” action, then drag & drop it into the filter and click “Apply”;
only Allow logs are shown now.
3. Now select the “Negate” button and click “Apply”; you will notice the results show all other actions except Allow.
4. Try building your filters to streamline the search further: drag any IP address in the Src Addr field and drop it into
the filter. Click “Apply” and only logs from that Source IP that have no “Allow” action are shown.
5. This time try dragging any IP address from the Dst Addr field and drop it onto the Source IP from the previous step.
The filters should now be combined with an “OR” statement; click “Apply”. What results do you get this time?
Tips: By default, all filters are combined with an “AND” statement so that the results become tighter. Try clicking on the “OR”
and it will change back to “AND”. You may choose to save your filters, so you can reference them easily next
time.
6. Right-click on any log with a “Discard” action and you can view which rule in the policy this log is hitting, or
create a rule on the fly.
7. Click on “Logs” again to reset the view; this time you are going to use Statistical graphs to analyze your traffic.
8. Click on “Statistics” on the top right of the Logs view and select “Top Network Application”.
The Logs will display the Top Network Applications discovered in the last 15 mins in a Bar Chart format.
9. You may easily change the view to a Pie Chart and expand the duration as you desire. On the right panel, select
the Pie Chart button, change the time range to 1 hour and click “Apply”.
Tips: Can’t see the labels on the Pie Chart? Try minimizing the table below it and remember to ‘Apply’ your changes!
10. From this view, you may choose to drill down into a specific application, e.g. YouTube. Right-click on YouTube
and select “Show Records” and you will get all the logs related to YouTube.
11. From here, we can further drill down to show which users are watching YouTube during this period. Click on
“Statistics” again and this time select “Top Users”.
12. Since the SMC works like a Browser, we can easily go “Back” to the previous pages and drill down into another
application, making analysis quick and easy. Click “Back” twice and try step 4 & 5 again with a different
application and see the results.
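The filter and statistics behaviour walked through in steps 2–5 and 10–11 above, modelled as an added example (not from the Forcepoint guide): terms are AND-ed by default, can be switched to OR, and Negate inverts a term; the log records, field names and values are constructed stand-ins for the Logs View columns.

```python
"""Added example, not from the Forcepoint guide: models the Logs View filter
semantics (AND by default, OR when toggled, Negate) and the Statistics
"Top ..." aggregation over constructed log records. Field names stand in
for the guide's columns (Src Addr, Dst Addr, Action, Network Application, User)."""
from collections import Counter
from dataclasses import dataclass
from typing import Tuple, Union

# Constructed sample records; not real SMC log output.
LOGS = [
    {"src": "10.1.1.10", "dst": "172.217.0.5",  "action": "Allow",   "app": "YouTube",    "user": "afischer"},
    {"src": "10.1.1.10", "dst": "13.107.6.1",   "action": "Discard", "app": "Office 365", "user": "afischer"},
    {"src": "10.1.1.11", "dst": "172.217.0.5",  "action": "Allow",   "app": "YouTube",    "user": "jsmith"},
    {"src": "10.1.1.12", "dst": "172.217.0.5",  "action": "Discard", "app": "YouTube",    "user": "jsmith"},
    {"src": "10.1.1.10", "dst": "198.51.100.9", "action": "Refuse",  "app": "SSH",        "user": "afischer"},
]


@dataclass(frozen=True)
class Term:
    """One value dragged into the filter; negate models the Negate button."""
    field: str
    value: str
    negate: bool = False

    def matches(self, rec: dict) -> bool:
        hit = rec.get(self.field) == self.value
        return not hit if self.negate else hit


@dataclass(frozen=True)
class Group:
    """Terms (or nested groups) joined with AND (the default) or OR."""
    items: Tuple[Union[Term, "Group"], ...]
    combine: str = "AND"

    def matches(self, rec: dict) -> bool:
        op = all if self.combine == "AND" else any
        return op(i.matches(rec) for i in self.items)


def apply_filter(logs, flt):
    """Filter > Apply: keep only the records the filter tree matches."""
    return [r for r in logs if flt.matches(r)]


def top_statistic(logs, field, n=3):
    """Statistics > Top <field>: most frequent values with their counts."""
    return Counter(r[field] for r in logs).most_common(n)


def walk_demo_steps():
    """Replays the guide's filter steps and returns how many records remain."""
    allow = Term("action", "Allow")
    not_allow = Term("action", "Allow", negate=True)
    src = Term("src", "10.1.1.10")
    dst = Term("dst", "172.217.0.5")
    return {
        "step2_allow_only": len(apply_filter(LOGS, Group((allow,)))),
        "step3_negated": len(apply_filter(LOGS, Group((not_allow,)))),
        "step4_and_src": len(apply_filter(LOGS, Group((not_allow, src)))),
        # Step 5: the Dst Addr is OR-ed with the Src Addr, still AND-ed with the negated action.
        "step5_or_dst": len(apply_filter(LOGS, Group((not_allow, Group((src, dst), "OR"))))),
        # Steps 10-11: Show Records for YouTube, then Top Users over those records.
        "top_youtube_user": top_statistic(apply_filter(LOGS, Group((Term("app", "YouTube"),))), "user", 1)[0],
    }


if __name__ == "__main__":
    print(walk_demo_steps())
    print(top_statistic(LOGS, "app"))
```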
Reporting Demo
Logging and Reporting is included as part of the SMC. There are several report templates that you can use and customize, or
you may choose to build your report from scratch. One good way of building your report is to do it from the Logs view.
1. If the statistical graph result of your Logs Analysis is desirable, you may easily “Attach to Report Design” by clicking
on the Settings icon and selecting that option. Select “Application and Web Security” and click OK.
2. The Application and Web Security report will be opened in a new tab and you can find your newly added graph at
the end of this report *Scroll down*
3. From this report, you may run a preview of the Report by clicking on the “Preview Report…” icon shown below, then click
“Current Time” and OK.
4. A report preview will open in a new tab; click on “Print”, make sure the format is “PDF” and click OK.
*Tips: In this lab, you may choose Microsoft Edge to open the PDF; otherwise you may install Adobe Reader before you
start your demo*
Scroll through the report to see what interesting information you can find. If time permits, go try other reports and see what
you get.
Policies Tab Demo
Policies are the basis of firewalling: they determine what traffic should be discarded, inspected and/or allowed into your
environment. Hence it is very important that they are easy to configure and that there is a way to manage common rules across all your
hundreds of firewalls.
Notice that there is a hierarchy to the policies; this means all policies under the “Firewall Template” will inherit common
rules from it.
1. Right-click on “Remote Office Policy – Policy Based VPN” and select to Edit the policy. From the top right, select
the “Inherited Rules” button and you will see in grey those rules that are inherited from the Firewall Template.
This means you can create your own templates and assign common rules to different groups of policies.
Creating new rules is very easy: we can Copy & Paste from another rule, drag & drop elements or simply type in
the fields to find the elements you need.
2. Unselect “Inherited Rules” and expand the Outbound Rules section by clicking the “+” button. Right-click on
rule 5.4 and select “Add Rule Before”.
3. Drag the “Sales” group from rule 5.7 and drop it into the Source column of the new rule.
4. Click on the Destination field, type “Microsoft” and select “Microsoft Office 365 ProPlus” from the dropdown
search.
5. In the Service field, type “365” and select “Microsoft-Office-365”, then right-click on the Action field and choose Allow.
You have successfully created a simple rule that allows users in the Sales AD group to use Office 365.
6. On the top right, click on the “Gear” button to access various tools like Policy Validation, Policy Comparison,
Rule Search and Rule Counters.
7. Select “Validate…” and among the options you will find checks for Duplicate, Unnecessary and Unreachable rules.
These are very useful for cleaning up your rules.
8. Click on the “Gear” button again and this time select “Rule Counters…”. Here we can define the Period of the
counter you want (e.g. 1 day) and click OK. Scroll to the right of your policy and you will see the Hits count of all the
rules in the last 1 day.
From the columns, you can see that we also have an Authentication field for Captive Portal, Logging, and Time for
time-based rules. Each rule can be granularly configured, making access very flexible and specific to reduce risk.
9. We can define the Inspection Policy and specific NAT rules to cater for different needs. Click on IPv4 NAT rules.
VPN Tab Demo
VPN is a major requirement for companies to securely connect multiple sites together across the WAN and internet, and
it is typically the underlying technology for SD-WAN. With multiple links and sites, SD-WAN configuration quickly becomes
tedious and complicated if you must do it on each gateway separately. Forcepoint SMC helps eliminate all these
complications with our easy VPN configuration.
In the VPN tab, you see a VPN policy with Helsinki VPN at the Central Gateway, and Algiers and Atlanta VPN at the
Satellite Gateways. This is a simple Hub & Spoke VPN topology with Helsinki as the Hub, and Algiers & Atlanta as
Spokes.
1. When you click on the Tunnels tab, you will see both VPN tunnels being automatically configured.
2. By default, all Forcepoint NGFW engines use the “VPN-A-Suite” VPN profile, which contains all the Phase 1 and 2
settings. Right-click on VPN-A-Suite and choose “Properties”. If you need to connect to a 3rd-party VPN gateway,
you can create your own VPN Profile.
3. Even the Pre-shared Keys are automatically generated and distributed to all the NGFW engines managed by the
same SMC. If the gateways are not managed by this SMC, including 3rd-party gateways and NGFW engines,
then you need to share or configure the pre-shared key so that it is identical at both ends. This can be easily
configured by double-clicking on the “Key” icon and changing it to your desired pre-shared key.
4. If your organization grows to more sites, e.g. you have another HQ (at Beijing) and 2 more remote
sites (at London & Madrid), you can easily provision those VPN connections. Go back to the “Site-to-Site VPN” tab,
drag “Beijing VPN Gateway” and drop it into the Central Gateways, and drag & drop “London & Madrid VPN
Gateway” into the Satellite Gateways.
5. Click on the Tunnels tab again and you will see that all the combinations of VPN tunnels to all sites have been automatically
configured for you.
6. If you select a different “Gateway <-> Gateway” VPN, you will notice that the “Endpoint <-> Endpoint” list changes. That is
our Enterprise SD-WAN technology. In the example below, Helsinki has 4 ISPs, while Algiers has 2 ISPs, and
the SMC automatically populates all 8 possible sub-tunnels, giving the Site-to-Site VPN high availability and load
balancing on all the available links.
7. Furthermore, we can granularly define which sub-tunnel combinations should be Active or Standby, and you may
even define Quality of Service (QoS) to determine which sub-tunnels will handle which QoS traffic class.
Right-click on your sub-tunnel under the “Mode” column, and select “Edit Mode”. Click ‘Add’, select the
QoS class you desire and click OK.
Summary
This lab is a good start for conducting a Standard SMC Demo for most customers you meet, covering the most common
operational challenges that firewall administrators face. Continue to explore and practice so you will be confident
presenting this demonstration and diving into other specific questions that your customer may have.
Forcepoint LLC
10900-A Stonelake Blvd.
Quarry Oaks 1, Ste. 350
Austin, TX 78759
www.forcepoint.com