diff --git a/forcepoint-solutions/local/eventtypes.conf b/forcepoint-solutions/local/eventtypes.conf
new file mode 100644
index 0000000..bd85396
--- /dev/null
+++ b/forcepoint-solutions/local/eventtypes.conf
@@ -0,0 +1,5 @@
+[forcepoint_ngfw_network_traffic]
+search = sourcetype=next-generation-firewall (SITUATION="Connection_Refused" OR SITUATION="Connection_Closed" OR SITUATION="Connection_Allowed" OR SITUATION="Connection_Discarded" OR SITUATION="Connection_Closed-Abnormally" OR SITUATION="Connection_Progress")
+
+[forcepoint_ngfw_network_vpn]
+search = sourcetype=next-generation-firewall PEERSECURITYGATEWAY="VPN Client"
\ No newline at end of file
diff --git a/forcepoint-solutions/local/props.conf b/forcepoint-solutions/local/props.conf
index 7a70b7d..ad03160 100755
--- a/forcepoint-solutions/local/props.conf
+++ b/forcepoint-solutions/local/props.conf
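Review bot: The two eventtypes overlap rather than partition the sourcetype: an event with `PEERSECURITYGATEWAY="VPN Client"` whose SITUATION is one of the listed Connection_* values satisfies both searches, so it receives both the `network communicate` and the `network session vpn` tag sets from tags.conf and is counted by two data models. If a VPN connection should be modelled only as a session, add `NOT PEERSECURITYGATEWAY="VPN Client"` to the traffic eventtype's search; if double membership is intended, a comment above the stanza saying so would stop the next reader from "fixing" it. The file also ends without a trailing newline, and shipping these stanzas under `local/` rather than `default/` means they are treated as site-local overrides, which is unusual for a packaged app if this is meant to be distributed.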
@@ -21,6 +21,43 @@
 TIME_PREFIX=
 category=Custom
 description=Forcepoint Next Generation Firewall Logs
+EVAL-action = case(ACTION=="Refuse","blocked",(ACTION=="Terminate" OR ACTION=="Discard"),"dropped",(ACTION=="Permit" OR ACTION=="Allow"), "allowed", true(), ACTION)
+
+FIELDALIAS-bytesin = ACCRXBYTES as bytes_in
+FIELDALIAS-bytesout = ACCTXBYTES as bytes_out
+EVAL-bytes = ACCRXBYTES + ACCTXBYTES
+
+FIELDALIAS-packetsin = ACCRXPACKETS as packets_in
+FIELDALIAS-bytesout = ACCTXPACKETS as packets_out
+EVAL-packets = ACCRXPACKETS + ACCTXPACKETS
+
+FIELDALIAS-dest = DST as dest
+FIELDALIAS-dest_ip = DST as dest_ip
+FIELDALIAS-dest_port = DPORT as dest_port
+FIELDALIAS-dest_translated_ip = NATDST as dest_translated_ip
+FIELDALIAS-dest_translated_port = NATDPORT as dest_translated_port
+
+FIELDALIAS-src = SRC as src
+FIELDALIAS-srcip = SRC as src_ip
+FIELDALIAS-src_translated_ip = NATSRC as src_translated_ip
+FIELDALIAS-src_translated_port = NATSPORT as src_translated_port
+
+FIELDALIAS-dvc = NODEID as dvc
+FIELDALIAS-dvc_ip = NODEID as dvc_ip
+
+FIELDALIAS-icmp_type= ICMPTYPE as icmp_type
+
+FIELDALIAS-rule = RULEID as rule
+FIELDALIAS-user = USERNAME as user
+
+EVAL-vendor = "Forcepoint"
+EVAL-product = "Forcepoint NGFW"
+FIELDALIAS-app = SERVICE as app
+EVAL-transport = case(match(app, "(TCP|HTTP)"), "tcp", match(app, "UDP"), "udp", match(PROTOCOL, "1"), "icmp", true(), "unknown")
+EVAL-protocol = "ip"
+FIELDALIAS-protocol_version = IPVERSION as protocol_version
+
+
 [cloud-security-gateway]
 SHOULD_LINEMERGE=false
 LINE_BREAKER=([\r\n]+)
diff --git a/forcepoint-solutions/local/tags.conf b/forcepoint-solutions/local/tags.conf
new file mode 100644
index 0000000..115e289
--- /dev/null
+++ b/forcepoint-solutions/local/tags.conf
@@ -0,0 +1,8 @@
+[eventtype=forcepoint_ngfw_network_traffic]
+network = enabled
+communicate = enabled
+
+[eventtype=forcepoint_ngfw_network_vpn]
+network = enabled
+session = enabled
+vpn = enabled
\ No newline at end of file
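Review bot: `FIELDALIAS-bytesout` is defined twice in this stanza, first as `ACCTXBYTES as bytes_out` and again as `ACCTXPACKETS as packets_out`; a .conf stanza keeps only one value per key, so one of the two aliases (bytes_out or packets_out) silently never exists, and the second line should read `FIELDALIAS-packetsout = ACCTXPACKETS as packets_out`. In `EVAL-transport`, `match(PROTOCOL, "1")` is an unanchored regex, so any protocol number containing the digit 1 (17 for UDP, 41, 51, …) is classified as icmp whenever the app name does not contain UDP; `match(PROTOCOL, "^1$")` or `PROTOCOL=="1"` pins it to ICMP. `EVAL-bytes` and `EVAL-packets` evaluate to null when either operand is absent, which presumably matters for one-directional or refused connections — worth confirming against sample events and wrapping the operands in `coalesce(..., 0)` if so. Minor style points: `FIELDALIAS-srcip` breaks the `dest_ip`/`src_translated_ip` naming pattern and `FIELDALIAS-icmp_type= ICMPTYPE` drops the space before `=` used everywhere else. The stanza these keys extend begins before the hunk.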