Cloud Web Help
Portal Help
Forcepoint Web Security Cloud
2021
©2021, Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint. All other trademarks used in this document are the property of their
respective owners.
Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation
and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for
incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information
in this documentation is subject to change without notice.
Cloud web protection products protect your organization against the threats of
malware, spam, and other unwanted content in web traffic.
The following web products are available in the cloud:
● Forcepoint URL Filtering offers malware protection and customizable web
content categories, enabling you to create highly granular acceptable use policies.
● Forcepoint Web Security Cloud includes the above features, plus real-time
security analysis, real-time content classification, detection of inappropriate
content in dynamic websites, granular configuration for social web controls, and
SSL decryption by category.
The cloud service offers the following add-ons for web products:
● The I Series appliance is an add-on to Forcepoint Web Security Cloud, and
provides on-premises URL analysis and application/protocol detection for web
traffic, along with centralized policy management and reporting capabilities in the
cloud. When policy indicates that a request requires additional analysis, it is
transparently routed to the cloud, where cloud analytics are applied and policy is
enforced.
● The Advanced Malware Detection for Web module enables you to send suspicious
files to a cloud-hosted sandbox for further analysis.
You configure and administer these services using the Forcepoint Cloud Security
Gateway Portal, also referred to in this Help as the Security Portal, or the cloud portal.
The portal provides a central, graphical interface to the general configuration, policy
management, and reporting functions of your web protection service, making it easy
to define and enforce web security.
To get started, see:
● Initial steps
● Logging on and portal security
● Navigating the cloud portal
Initial steps
If you have not already done so, take the following steps to get started.
1. Request a cloud portal account.
2. Select your deployment method (this may affect which of the following steps is
necessary).
3. Configure your firewall to allow connectivity to the cloud service.
4. Log on to the Security Portal.
See Logging on and portal security, page 2, for instructions.
5. Add your Internet gateway IP addresses to your policy.
See Proxied connections, page 157, for instructions.
6. Configure end-user authentication (if required).
If you have not already completed these steps, please see the Getting Started Guide
for detailed instructions.
Note
To use the Security Portal, your browser must have JavaScript enabled.
Privacy statement
The portal uses 2 cookies during logon. The first is used to identify whether the user’s
web browser is willing to accept and store cookies for the portal; it contains no
information. If the first cookie is successfully stored, a second cookie is stored
Idle timeout
For security reasons, if you are logged on to your cloud service account and are
inactive for a pre-defined period, you are automatically logged off. When you next
attempt to perform an action, you are asked to log on again. Once you have done so,
you are taken to the area of the portal that you requested. The inactivity timer is
between 30 and 60 minutes.
When you first log on to the cloud portal to configure your web protection product, a
setup wizard is displayed to guide you through the initial setup process. This initial
setup involves a combination of steps performed in your network (to allow
communication with the cloud service) and steps performed in the cloud portal (policy
configuration).
If you are not able to complete all of the in-network configuration steps immediately,
you can skip them temporarily while you perform the cloud portal configuration steps.
The wizard guides you through:
● Configuring your firewall to connect to the cloud service
● Sending end user information to the cloud service
■ Configuring the Directory Synchronization Client
■ Adding users manually
● Setting up your first policy
■ Configuring policy connections
■ Directing user traffic to the cloud service
■ Testing your policy settings
● Reviewing your configuration
Tip
To guarantee availability, Forcepoint Web Security Cloud uses global load balancing
to direct traffic across multiple geographic locations. In the event of localized
connectivity issues, data center load balancing automatically routes requests to the
next closest location. To make the most of the resilience offered by this
infrastructure, users must be allowed to connect to the entire cloud network.
For details of the IP address ranges in use by cloud service data centers, see the
article Cloud service IP addresses and port numbers in the Forcepoint Knowledge
Base.
● The proxy query page. Users can access a query page to find out whether their
browser settings are correct for accessing the proxy.
Note
Remote users should use the alternate PAC file addresses (using port 80 or 443) if
requesting access from networks that may have port 8081, 8082, or 8087 locked
down.
Click Test Connection to verify the connection between your network and the cloud
service.
When you are ready, click Next to continue the wizard. (Note that if you cannot
immediately complete the required firewall configuration, you can still move on to the
next step in the wizard.)
The next step is Sending end user information to the cloud service.
Perform the following steps on a machine that is inside the network that you defined
as a connection in the previous step. This may optionally be the same machine that
you are using to run the wizard.
When you are finished, return to the setup wizard and click Next.
The next step is Testing your policy settings.
Otherwise, use the URL shown in the wizard to run the test from a different machine.
When you are finished, click Next to review your configuration.
The next step is Reviewing your configuration.
The Security Portal interface can be divided into the following main areas:
1. Banner
2. Toolbar
3. Content pane
The banner shows:
● Any Alerts that are available for your account.
● A Cloud Service Status option that provides a link to the Cloud Operations
customer dashboard. Use this link if you are experiencing any kind of pervasive
service problem to determine what might be happening and see what steps are
being taken to correct the issues.
● Your current logon account. When you’re ready to end your administrative
session, click the arrow next to the administrator name and select Log Off.
● The Help menu, from which you can access assistance for the page you are
currently viewing, further product information, and Technical Support resources.
The Help menu also includes the Support PIN. You must authenticate yourself
with this PIN when calling Technical Support.
Each PIN is unique per portal user, and is generated when a user logs on. The PIN
is then valid for 24 hours after logon. After a 24-hour period has expired, a new
PIN is generated at the next portal logon.
Important
In order to preserve and maintain the security of your data, Support representatives
will not be able to provide customer support without an accurate, up-to-date PIN.
The toolbar indicates which part of the cloud portal is currently active:
● Dashboard provides access to the threat, productivity, and bandwidth dashboards.
See Cloud portal dashboards, page 11.
● Reporting gives access to all reporting options, including account service reports,
your saved reports, and the Report Catalog and Report Builder. See Report
Center, page 213.
● Web contains all configuration settings relating to your web protection product,
including account-wide web settings, policy management, access to endpoint and
single sign-on configuration, and management of devices in your network that
connect to the cloud service. To manage appliances, your subscription must
include the I Series appliance. See:
■ Configuring Web Settings, page 59
■ Defining Web Policies, page 149
● CASB, available when the Protected Cloud Apps feature has been purchased and
enabled, opens the Forcepoint CASB portal.
■ Users with account level Modify configuration permissions are logged in to
the portal. (See Configuring permissions, page 26.)
■ All other users are required to provide login credentials to access the portal.
See Configure protected cloud apps, page 100, for more information.
● Account provides access to configuration options that apply to all cloud services.
This includes administrator management, directory synchronization, licenses, and
groups. See Account Settings, page 21.
When you select an item in the toolbar, a navigation pane drops down, containing the
available navigation choices for that item. Click the toolbar item again to close the
navigation pane.
The content pane varies according to the selection you make in the navigation pane.
Click Dashboard in the cloud portal toolbar to see a snapshot view of how the cloud
service is performing. It includes the following tabs:
● The Threat Dashboard appears when you first access this page. It shows
information about suspicious activity that may be related to malware threats in
your network. See Threat Dashboard.
● The Bandwidth Dashboard shows information about traffic patterns in your
network, including the categories, groups, and users consuming the most
bandwidth. See Bandwidth Dashboard.
● The Productivity Dashboard shows information about blocked requests, and
activity in social media categories. See Productivity Dashboard.
● The Cloud Apps Dashboard shows information about cloud app usage, by
category and risk level. See Cloud Apps Dashboard.
● The Data Security Dashboard shows information about potential data leaks in
your organization. See Data Security Dashboard.
You can also add your own custom dashboards; see Creating custom dashboards in the cloud portal.
Drag a tab to re-order it on the page.
If you do not wish to see all of the standard dashboards, you can click the Settings icon
in the top right corner and select Hide Current Dashboard. Click Continue to
confirm. You can restore hidden dashboards at a later time by using the Settings >
Unhide Dashboard option.
Each dashboard includes the following features:
● A number of charts that provide detailed web activity information. Most
dashboard charts can be customized to change their display format (for example
stacked column, area chart, line chart, bar chart, or pie chart). On most charts, you
can click the Maximize button to see a larger version in a popup window.
You can also click columns or sections on a chart to drill down to the relevant
report in the Report Builder (see Using the Report Builder, page 220).
For more information on the available charts, see the sections for the individual
dashboard tabs.
● A summary statistic in the top left that covers web activity relevant to the current
dashboard over a defined time period (the last day by default). The selected time
period relates to both the number in the summary statistic, and the range displayed
in the dashboard charts. You can select a different time period from the drop-down
list: the alternative options are 1 hour, 4 hours, 8 hours, 12 hours, 3 days, 5 days,
and 7 days.
● One or more filters that define the range of content shown in the charts. To edit a
filter:
a. Click the filter name. On the popup that appears, use the drop-down list to
define how the filter handles the values that you specify. The options available
depend on the filter type. For example, you may be able to include or exclude
values, or state that search terms contain or do not contain your text.
b. Enter or select the search term or values that you wish to filter on. Depending
on the filter, you can:
○ Select one or more check boxes
○ Start typing text that will autocomplete based on data in the system
○ Enter the exact text that you want to use
For filters where you are including or excluding values already stored in the
system, start typing to see a list of potential matches, then select the option
you want from the list. You can add multiple values to the filter.
For filters where you enter free text, enter the terms you want separated by
commas.
c. Click OK when done.
If you change the filters and then wish to revert to the default All filter, click
Reset. Filters apply to individual dashboard tabs, so, for example, editing the
filters on the Threats tab has no effect on the Productivity tab.
The dashboard is automatically refreshed whenever you make a change, such as
editing the filters. You can also click the Refresh button in the top right corner to force
the charts to refresh.
Threat Dashboard
Use the Threats tab of the dashboard to monitor security risks and malware threats for
your organization. The summary statistic displays the number of web threats over the
time period that you specify.
The following charts are displayed:
● Security Event Summary shows a list of users who have triggered security
events, grouped by Critical, High, Medium, and Low severity. Click a figure in
the Hits column to see further details of the sites accessed in the Transaction
Viewer (see Viewing report results, page 223).
● Top Threat Types by Request provides a trend chart of the top threat types that
have been blocked in the selected time period. Click a threat type definition at the
bottom of the chart to include or exclude it in the chart.
● Top Security Risk Locations displays a map pinpointing the countries that are
considered a security risk. You can filter this map by either Source IP country or
Destination IP country. The larger the dot on the map, the greater the number of
threats; hover over a dot to see the country name and number of threats. Click a
dot to see a breakdown of the security risks by user for that country in Report
Builder.
● Top Security Threats shows a chart of the most frequently-accessed security
threats over the defined time period. Click a bar or section in the chart to see a
report of the users accessing a particular security threat.
● Top Security Risk Sites shows the domains that triggered the Security risk class
over the defined time period. Click a bar or section in the chart to see a report of
the users triggering security threats in each domain.
● X-Labs News shows an RSS feed of the latest news and blog entries from our
Security Labs.
Bandwidth Dashboard
Use the Bandwidth tab of the dashboard to see how bandwidth is being used in your
organization. The summary statistic displays the total amount of bandwidth used in
the time period that you specify.
The following charts are displayed:
● Overall Bandwidth Usage shows a trend chart of the bandwidth used during the
selected time period.
● Top Categories by Bandwidth shows a trend chart of the categories that used the
most bandwidth during the selected time period. Click a category definition at the
bottom of the chart to include or exclude it in the chart.
● Top Connection IPs by Bandwidth displays a trend chart of the connection IP
addresses that used the most bandwidth during the selected time period. Click an
IP address at the bottom of the chart to include or exclude it in the chart.
● Top Groups by Bandwidth shows the groups who have used the most bandwidth
in the selected time frame. Click a bar or section in the chart to see a report of the
users within that group who have used the most bandwidth.
● Top Sites by Bandwidth displays the domains that have used the most bandwidth
in the selected time frame. Click a bar or section in the chart to see a report of the
top 20 users who have accessed that domain.
● Top Users by Bandwidth shows the users who have used the most bandwidth in
the selected time frame. Click a bar or section in the chart to see a report of the
domains accessed by that user that have used the most bandwidth.
Productivity Dashboard
Use the Productivity tab of the dashboard to monitor how requests are being filtered,
which requests are being blocked, and how social media is being used in your
organization. The summary statistic displays the number of blocked requests over the
time period that you specify.
The following charts are displayed:
● Top Requested Categories shows a trend chart of the most requested categories
during the specified time frame. Click a category definition at the bottom of the
chart to include or exclude it in the chart.
● Top Filtering Actions by Request shows a trend chart of the actions (for
example, allowed or blocked) performed on web requests during the specified
time frame. Click an action definition at the bottom of the chart to include or
exclude it in the chart.
● Top Groups for Blocked Requests displays the groups who have most frequently
requested websites that were blocked. Click a bar or section in the chart to see a
report of the users within that group who have had requests blocked.
● Top Users for Blocked Requests displays the users who have most frequently
requested websites that were blocked. Click a bar or section in the chart to see a
report of the domains that were blocked for that user.
● Top Social Web Channels shows a trend chart of the most frequently-accessed
social media parent categories (for example, Facebook or Twitter).
● Top Social Web Activities displays a chart of the most frequently-accessed social
media parent categories, broken down into activities within each category. For
example, the Facebook category might be broken down into Facebook
Commenting and Facebook Events.
Note
Data returned to the cloud proxy by Data Protection Service does not support all of
the fields used to generate the dashboard charts.
1. From any dashboard, click the Settings icon in the top right corner
of the page.
2. Select Add Dashboard.
3. Give your dashboard a name, and click Add.
Your new dashboard appears as a blank tab. You can rename or delete the
dashboard from the Settings menu.
To add charts to a custom dashboard, click the Settings icon and select Add Chart.
Then choose whether you want to create a new chart, or a chart from an existing
report.
● Creating a new chart
● Creating a chart from a report
Once you have added charts to your dashboard, you can reorder them by dragging
them around the screen. You can also change the date range for all charts from the
drop-down at the top of the dashboard (the default is 24 hours).
To edit or delete a chart, click the arrow in the top right of any chart and select the
option you want.
Note
Choosing to view all results may mean the report takes a long time to generate.
■ To remove an attribute from the Grouping field, click the cross icon on the
attribute box.
3. To add filters to the chart, drag an attribute to the Filters field.
a. On the popup that appears, use the drop-down list to define how the filter
handles the values that you specify. The options available depend on the
attribute that you have selected. For example, you may be able to include or
exclude values, or state that search terms equal or do not equal your text.
b. Enter or select the search term or value(s) that you wish to filter on.
Depending on the filter, you can:
○ Select one or more check boxes
○ Start typing text that will autocomplete based on data in the system
○ Enter the exact text that you want to use
For filters where you are including or excluding values already stored in the
system, start typing to see a list of potential matches. Then select the option
you want from the list. You can add multiple values to the filter.
For filters where you enter free text, enter each term that you want on a new
line.
c. Click OK when done.
To edit a filter, click its attribute box. To remove an attribute from the Filters field,
click the cross icon on the attribute box.
4. Select the chart metric from the drop-down list. For more information on the
available metrics, see Report metrics: Web and Data Security, page 250.
5. Select the type of chart to display from the icons next to the Metric field. The
following are available:
■ column chart
■ bar chart
■ pie chart
■ line chart
■ area chart
All of these charts are available for a single-level grouping chart. For a chart with
2 attributes, only column and bar charts are available.
6. When you have finished defining your chart, you can click the Update button to
see how the chart results look.
7. Once you are happy with your chart, click Save, and give your chart a name and
optionally a description. Then click Save Chart.
The chart now appears on your custom dashboard. If you included a description,
you can see it by hovering your mouse over the information icon next to the chart
name.
Alerts
Click the speech bubble icon in the toolbar to see alerts for your account.
Alerts are the primary means of communicating with customers to keep you fully
informed of service issues. If you suspect that there may be a problem with the
service, log on and check for new alerts. The number of alerts for your account is
displayed with the alert icon.
You may see the following alert types:
Select an alert summary in the left pane to see more detail, if available, in the right
pane.
Administrators with account-level privileges can click Account in the cloud portal
toolbar to see the configuration options that apply to the complete account. The exact
options available on the menu depend on the services you are licensed for.
● To change the password for your cloud service administrator account, select My
Account.
● To view the configuration audit database for your account, select Audit Trails.
● Select Contacts to view and modify the contact details of people in your
organization who administer, support, and pay for services. The administrator
contacts can be given logons to the portal and their permissions restricted as
necessary. You can also use this page to modify your password settings, set two-
factor authentication, and display a terms of use page for administrators.
● Before configuring directory synchronization for your account, see Planning for
your first synchronization.
● Select End Users to search for end users so you can enable or disable their Web
access, delete them, or change their policy assignments. (This option is available
only to web accounts and accounts enabled for directory synchronization.)
● When you define Groups, they are available in all your policies in all services.
This allows you to define a consistent set of rules across the services for groups of
end users.
● Select Privacy protection if you want to prevent end-user identifying information
and/or data security incident trigger values from appearing in logs and web
reports.
● Configure Data Protection Settings to integrate with the Data Protection Service
and let that service handle your enterprise data security, including blocking or
monitoring data loss.
This chapter covers the configuration of account-level options. To configure the
majority of web service options, click Web in the toolbar and select the appropriate
setting type or policy.
My Account
Use the My Account page if you need to change your password or generate a new one.
Enter and confirm a password, then click Submit when done. The password must
conform to your password policy, as described on the screen.
Optionally, you can also change your password question. Select a question from the
drop-down list, then enter an answer to the question and click Submit.
See Changing passwords, page 31, for more information about passwords.
Use the Account > SIEM Storage page to configure the storage options for SIEM
output generated on the Reporting > Account Reports > SIEM Integration page.
(See Exporting data to a third-party SIEM tool for additional information.)
Click the radio button next to the Storage type you wish to use for SIEM output.
SIEM data can be stored by Forcepoint or you can Bring your own storage. If
Forcepoint is selected (the default selection), no further configuration is required. If
Bring your own storage is selected, follow the instructions provided to add and test
up to 5 storage devices to the Storage List: Bring Your Own table and activate a
specific device.
Note that the same storage selections are used for each data type (Web Security or
Email Security).
AWS is selected, by default, as the storage solution. To add storage options to the
Storage List:
1. Create one or more AWS S3 buckets on the AWS portal.
Note that bucket names must be globally unique.
2. Click Add to add your bucket to the table.
a. Enter the Bucket name from the AWS portal.
See this site for details on valid bucket names.
b. A Prefix is optional.
○ Add text that will be used as a prefix to each data file created when SIEM
data is exported.
○ Enter a ‘/’ to create a folder where the data files will be stored.
If no ‘/’ is included, the prefix is prepended to the file name.
Valid prefix values are SIEMData, log_files/, or traffic-logs. More
information can be found here.
c. Click Save when you have finished. The bucket information is added to the
table.
Click the bucket name in the table to open the Edit Bucket page and make
changes.
Contacts
Related topics:
● Adding a contact
● Password settings
Use the Contacts page to define the password policy for administrators in your
account, and to manage the contact list and administrator logons.
The Account Management area displays the current requirements for passwords in
your account, as well as any expiration limit. For more information, see Password
settings, page 28.
The contact information in the Contacts area is created with the details supplied
during enrollment. The initial contact assumes the role of master user, a super
administrator with the highest rights and privileges for your account.
Forcepoint Support uses the contact details defined on this page should they need to
contact you. You can specify multiple contact addresses and numbers for each contact,
plus a call order that specifies the order in which each contact method should be
attempted.
Note
If the contact also has logon privileges, you must enter an email address to enable
them to use the password reset function, if required.
It is your responsibility to administer the logon privileges for the contacts in your
account, and to ensure access to the cloud portal is maintained or protected as
appropriate. You are also responsible for any actions taken by the users of the
administrator logons that you create.
Adding a contact
To add a new contact:
1. Click Add.
2. Select the new contact’s Title, and enter the first name and surname. The Full
name field is automatically populated.
3. Select the Contact type from the drop-down list.
4. Optionally, enter further details for the contact, including the job title, department,
and address.
5. Enter a telephone number, email address, or both. It is recommended that you
provide at least one form of contact that Support can use if required.
6. Select a preference for each contact method, to inform Support of the preferred
order in which to attempt each contact method.
7. Click Submit.
Note
You can also access this screen by clicking the contact’s logon ID in the User Name
column on the main Contacts screen.
2. By default, the email address is used as the contact’s logon ID. To change this,
edit the User Name field.
3. Enter and confirm a password for the user.
You can type a password for the user and confirm it. Alternatively, if you want to
automatically generate a password that complies with the password policy, click
Create a password for me. The password, which meets the stated password
policy, populates into the Password field.
4. Define when the user’s password should expire. By default this uses the expiration
settings defined as part of your account’s password policy (see Password
expiration limit, page 30).
5. To force the user to change the password when they log on, mark Change
password next log on. This is recommended.
When the user first logs on, a screen is displayed giving them 8 days to select a
password question from the list provided and enter an answer. This password question
and answer is used if the user later forgets their password (see Forgotten passwords,
page 32). If the user does not set a password question within the 8-day limit, they are
forced to do so at their next logon.
Note
If you have enabled two-factor authentication for a user, this page can be used to
reset authentication for users who have been locked out, or who are unable to use
their authenticator app. Click Reset beside the Two-factor authentication label to
require the user to configure authentication again. See Two-factor authentication,
page 33.
This page also displays the date and time of the user’s last successful and
unsuccessful logon, if available.
Configuring permissions
By default, all rights are assigned to the master user (the initial contact established in
your account, with super administrator privileges). When the master user creates a
new user, by default only the View All Reports permission is assigned to that account.
This is the minimum permission a user needs to be able to log on; it grants
permissions over only the Reporting tab on the main menu bar.
We provide flexible user rights so you can create a hierarchy of administrators. For
example, much of the functionality accessed from the portal is useful for help desk
agents to aid with problem isolation, but they do not necessarily require control over
policy configuration.
Likewise, you should assign Directory Synchronization privileges to the contact you
set up for the Directory Synchronization Client (see Set up authentication, page 53),
but no-one else should need this privilege.
Permissions are granted at an account and policy level. This lets you create multiple
policies, and administrators can control their own policy but no one else’s.
Note
Visibility for some account and policy permissions depends upon the permission
being assigned to your administrator account. If you do not have a permission, you
cannot view or manage that permission for other users.
Note
The Advanced button does not show for contacts with Manage Users permissions,
because they are assumed to have maximum account-level permissions.
5. Use the Group Filtering for Cloud Web Reporting options to restrict reporting
access to selected groups.
■ When you select one or more groups, only the users in those groups are
visible in the reports that the selected administrator can run.
■ Group filtering can be combined with the View Filtered Reports option for a
Web policy: for example, a user can view only reports that apply to the IT and
Engineering groups in the Default policy.
Note
The Group Filtering for Cloud Web Reporting option may not be enabled in your
account.
Note
The View Filtered Reports and View Data Security Reports options may not be
enabled in your account.
Users with any of these permissions can access the web service non-policy-specific
configuration options.
Note
If users are logged on to the portal when their permissions are changed, the changes
do not take effect until they log off and then log on again.
Password settings
Related topics:
● Password policy
● Password expiration limit
● Changing passwords
● Forgotten passwords
● Two-factor authentication
● Terms of use
Click Account > Contacts > Edit to define password settings for your account. On
this screen, you can define an expiration limit for your users, set the user lockout
option, and set two-factor authentication for all users. If you have more than one
password policy (a policy that defines how “strong” your users’ passwords must be),
you can also choose which policy to use.
If available in your account, you can also use the selected password policy for your
end users. Select Apply password policy to end users authenticating with the
service to impose the same password requirements for any end users who are
registered for the service and using manual authentication, including the minimum
and maximum length and restrictions on using previous passwords. If you have also
defined a Password expiration limit, you can select Remind end users when
passwords should be changed to send an email reminder to end users when they
need to change their passwords.
Note
The password policy for end users is a limited-availability feature and may not be
enabled in your account.
Password policy
Related topics:
● Password settings
● Password expiration limit
● Changing passwords
● Forgotten passwords
● Two-factor authentication
● Terms of use
A password policy defines how “strong” your users’ passwords are required to be. (A
strong password is a secure password.) The password policy in the cloud portal sets
the minimum length, maximum length, password history, sequence rules, and unique
character rules of a user’s password.
Following are the minimum requirements:
Parameter                                                      Default policy value
Minimum length                                                 8
Maximum length                                                 30
Password history size (number of former passwords to check)    3
Maximum number of characters in sequence                       4
Minimum number of unique characters                            5
In addition, passwords:
● Cannot contain the user’s logon ID
● Cannot contain common words or keyboard sequences
● Must include uppercase letters
● Must include lowercase letters
● Must include numbers
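The rules in the table and list above, applied by an added Python checker (example code written for this page, not part of the Forcepoint portal). The default values come from the table; the common-word list, the keyboard rows, the sample passwords and the salted PBKDF2 hashing of the history are assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


# Default values taken from the password policy table above. The common-word
# and keyboard-row lists are constructed stand-ins: the service's own lists are
# not published in this help page.
@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 30
    history_size: int = 3       # number of former passwords to check
    max_sequence: int = 4       # maximum number of characters in sequence
    min_unique: int = 5         # minimum number of unique characters
    common_words: tuple = ("password", "welcome", "letmein", "forcepoint")
    keyboard_rows: tuple = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


DEFAULT_POLICY = PasswordPolicy()


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2 digest so the history list never holds plaintext passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def longest_sequence(password: str) -> int:
    """Length of the longest run of characters that each step by the same
    amount of -1, 0 or +1 in code-point order (abcd, 4321, zzzz)."""
    best = run = 1
    step = None
    for prev, cur in zip(password, password[1:]):
        d = ord(cur) - ord(prev)
        if d in (-1, 0, 1) and (step is None or d == step):
            run += 1
        else:
            run = 2 if d in (-1, 0, 1) else 1
        step = d if d in (-1, 0, 1) else None
        best = max(best, run)
    return best


def has_keyboard_sequence(password: str, rows: tuple, min_run: int = 4) -> bool:
    """True if four or more adjacent keys from one row appear, in either direction."""
    low = password.lower()
    for row in rows:
        for r in (row, row[::-1]):
            if any(r[i:i + min_run] in low for i in range(len(r) - min_run + 1)):
                return True
    return False


def validate_password(password: str, logon_id: str, history: list,
                      policy: PasswordPolicy = DEFAULT_POLICY) -> list:
    """Return every rule the candidate password breaks (empty list = accepted).

    `history` holds (salt, digest) pairs from hash_password(), oldest first;
    only the most recent policy.history_size entries are compared.
    """
    problems = []
    low = password.lower()
    if len(password) < policy.min_length:
        problems.append(f"Must be at least {policy.min_length} characters long.")
    if len(password) > policy.max_length:
        problems.append(f"Must be no more than {policy.max_length} characters long.")
    if len(set(password)) < policy.min_unique:
        problems.append(f"Must contain at least {policy.min_unique} unique characters.")
    if longest_sequence(password) > policy.max_sequence:
        problems.append(f"Must not contain more than {policy.max_sequence} characters in sequence.")
    # The logon ID may be an email address; reject the whole ID and its local part.
    ids = {logon_id.lower(), logon_id.lower().split("@")[0]} - {""}
    if any(i in low for i in ids):
        problems.append("Must not contain the logon ID.")
    if any(w in low for w in policy.common_words) or has_keyboard_sequence(password, policy.keyboard_rows):
        problems.append("Must not contain common words or keyboard sequences.")
    if not any(c.isupper() for c in password):
        problems.append("Must include uppercase letters.")
    if not any(c.islower() for c in password):
        problems.append("Must include lowercase letters.")
    if not any(c.isdigit() for c in password):
        problems.append("Must include numbers.")
    for salt, digest in history[-policy.history_size:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            problems.append("This password has been used recently. Please try another.")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample: three former passwords, then a reuse attempt.
    former = [hash_password(p) for p in ("Spring-2020x", "Summer-2020x", "Autumn-2020x")]
    for candidate in ("Summer-2020x", "abcde123", "Tr0ub4dor&3"):
        print(candidate, "->", validate_password(candidate, "jsmith@example.com", former) or "OK")
```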
Password expiration limit
Related topics:
● Password policy
● Password settings
● Changing passwords
● Forgotten passwords
● Two-factor authentication
We recommend that you require users to change their passwords on a regular basis.
Passwords can be set to automatically expire after a set number of days. You can
override this setting for individual users on their Login details screen (see Adding
logon details, page 25).
1. Navigate to Account > Contacts.
2. Select a Password expiration limit setting. If you select No, passwords will
never expire (not recommended). If you select Yes, a drop-down menu allows you
to set the number of days after which passwords will expire.
From the menu, select one of the following as the expiration period: 30, 60, 90,
120, 180 days, or Custom days. If you select Custom days, a new field appears so
you can enter any number of days you want. Periods longer than 365 days are not
supported.
3. Click Save.
User lockout
Related topics:
● Changing passwords
● Forgotten passwords
● Resetting two-factor authentication for a portal user
If a user enters an incorrect password when attempting to log on, they have a limited
number of further attempts before they are locked out for a period of time. You set up
the number of further attempts and the lockout time period on the main setup screen
for the user.
1. On the Contacts screen, click Edit.
2. From the User lockout drop-down list, select a lockout time period. The options
are 15 minutes, 1 hour, 4 hours, 24 hours, or Forever.
If you select Forever, an administrator with Manage Users permissions must
unlock the user account before the user can log on again.
3. Select the number of permitted failed attempts from the drop-down list. This can
be between 3 and 10.
4. Click Update.
Changing passwords
Related topics:
● Password policy
● Password settings
● Password expiration limit
● Forgotten passwords
● Two-factor authentication
Users are required to change passwords when they expire or when a change is forced
by an administrator. Only administrators with Manage Users permissions can force a
user to change his or her password. To force a change, select the Change Password
next logon box on the user’s contact screen. When users are required to change their
passwords, they see a Change Password screen the next time they log on.
Users can also opt to change their password from Account > My Account, which
displays the same Change Password screen.
If a user creates a password that does not meet the password policy standards, they
receive an error message and are asked to try again. For example:
This password has been used recently. Please try another.
To implement the changed password, users should click Save. They should also make
note of the password for future reference.
Forgotten passwords
Related topics:
● Password policy
● Password settings
● Password expiration limit
● Changing passwords
● Two-factor authentication
If a user forgets their password, they can click the Forgot your password? link on the
logon screen and follow the instructions to reset the password:
1. The user enters their portal user name and clicks Submit.
2. The cloud service sends an email to the email address listed in the contact details
associated with that user name.
Note
If the email address set up for the user name on the Contacts page is out of date or
invalid, the user must contact their administrator to get their password reset.
Note
If a user forgets the answer to their password question, they must contact their
administrator to get their password reset.
Should you need to generate a new password for a user, follow these steps:
1. Go to Account > Contacts.
2. In the User Name column of the contact list, click the required user name.
3. Click Edit on the User screen.
4. Click Create a password for me.
5. Make note of the password.
6. Click Submit.
Two-factor authentication
Related topics:
● Resetting two-factor authentication for a portal user
● Password policy
● Password settings
● Password expiration limit
● Changing passwords
Note
Compatible authenticator apps are available for Android, iOS, Blackberry, and
Windows Phone. Desktop and browser-based apps are also available for Microsoft
Windows, Mac OS, and Linux. This feature is validated with the Microsoft
Authenticator app, but alternative apps that use the Time-based One-time Password
Algorithm (TOTP) protocol, such as Google Authenticator, are also supported.
Terms of use
Related topics:
● Web: Configure block and notification pages
The Terms of use option allows you to display a page that requires administrators to
agree to your company’s terms of use before logging on to the portal. If enabled, this
setting applies to all portal administrators. Administrators must agree to the terms of
use each time they log on.
Your “Agree to Terms of Use” block page should be customized to include details of
(or provide a link to) your terms.
See Configure block and notification pages, page 108 for details of how to customize
block pages.
To enable the terms of use acceptance page for all portal users:
1. Go to the Account > Contacts page.
2. Toggle the Terms of use switch to ON.
3. Click Save.
The next time portal administrators log on, they will be prompted to either accept your
terms of use, or log off.
Note
By default, a generic “Agree to Terms of Use” block page is provided. Before
enabling this feature, ensure you customize this page to include details of (or a link
to) your company’s terms of use. See Configure block and notification pages, page
108 for details of how to customize block pages.
Identity Management
Related topics:
● Working with External Directories
● What is LDAP?
● How the service works with LDAP
● Basic steps
Click Account > Identity Management when you want to configure your account for
user provisioning. See Configure identity management, page 51, for details on this
screen and directory integration considerations.
End Users
Related topics:
● End Users tab
● Managing registered users
To view and manage user data, click Account > End Users. (This option is only
available if you have directory synchronization enabled or a web account.) The
resulting screen has 3 columns.
Column            Description
Criteria to use   Check the boxes on the left to indicate what search criteria to use.
Search Criteria   Narrow down the search by entering or selecting precise data in
                  the middle column. Under source, you can choose whether to
                  search synchronized users or portal-managed users.
Show in Results   Check the boxes on the right to indicate what information to
                  include in the results.
Click Search when done. Please note that the search may be slow if there are a large
number of users.
From the resulting data, you can make individual edits or bulk edits. For example, you
can:
1. Move one or more users to another web policy, performing a manual override
2. Undo the manual override (applies only to directory synchronization)
3. Enable or disable web access
4. Delete one or more users
Use the Download results option at the bottom of the screen to export the search
results to a CSV file.
Using the drop-down list between the search box and the search results, select the
action you want to perform, then select the users on which to perform the action and
click Go. All changes made on this screen override any group/policy assignments
(existing or future ones).
You can view and manage user data at the policy level as well, using the End Users
screen for the policy. The account-level page shown here is available only to users
with account-level privileges.
Groups
Related topics:
● Downloading and uploading groups
The groups functionality enables you to create policies using your organization’s
hierarchy.
Groups can contain:
● email addresses of users in your organization
● other groups
Groups are configured at the account level. To set up groups in the cloud service, click
Account > Groups.
The resulting screen shows a list of groups currently defined for your account, an
indication of whether they were added manually on the portal or automatically
through the directory synchronization feature, and the web policy to which the group
is assigned.
On this screen, you have the ability to create new groups and edit group membership.
Click a group name to edit it, or click Add to add a new group.
Important
Add or load groups only if you intend to use them for policy assignment or
exceptions. You don’t need them just because users are members of them.
If available in your account, you can select how synchronized users are assigned to
web policies if they appear in more than one group in the directory. Click the Policy
assignment method link, and select one of the following:
● Directory hierarchy means that a user in multiple groups is assigned to the
policy associated with the group that has the fewest intermediate group
memberships. For example, if a user is a member of GroupA, and is also a
member of GroupB which itself is a member of GroupC, the policy for GroupA
takes precedence.
● Group ordering means that a user in multiple groups is assigned the policy
associated with the group highest in the list on the Groups page. The list is in
alphabetical order.
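The two assignment methods worked through in an added Python example (not the service's own code). The group nesting and group-to-policy assignments are constructed; counting nested groups as memberships for Group ordering, and breaking Directory hierarchy ties alphabetically, are assumptions the page does not state.

```python
from collections import deque

# Constructed directory data (not from the page): each group maps to the groups
# it is itself a member of. "GroupB" nested in "GroupC" mirrors the example
# above; the sales and region groups are made up for the second case.
GROUP_PARENTS = {
    "GroupB": {"GroupC"},
    "NY Telesales": {"All Sales"},
}

# Constructed portal assignments: group -> web policy shown on the Groups page.
GROUP_POLICY = {
    "GroupA": "GroupA policy",
    "GroupC": "GroupC policy",
    "All Sales": "Sales policy",
    "London": "UK policy",
}

DEFAULT_POLICY = "Default"


def group_distances(direct_groups, parents=GROUP_PARENTS):
    """Breadth-first walk up the nesting: the distance of each group is the
    number of intermediate group memberships between the user and that group."""
    dist = {g: 0 for g in direct_groups}
    queue = deque(direct_groups)
    while queue:
        g = queue.popleft()
        for parent in parents.get(g, ()):
            if parent not in dist:          # also terminates on cyclic nesting
                dist[parent] = dist[g] + 1
                queue.append(parent)
    return dist


def assign_by_hierarchy(direct_groups, parents=GROUP_PARENTS, group_policy=GROUP_POLICY):
    """Directory hierarchy: the assigned group with the fewest intermediate
    memberships wins. The page gives no tie-break; alphabetical order is
    used here as an assumption."""
    dist = group_distances(direct_groups, parents)
    ranked = sorted((d, g) for g, d in dist.items() if g in group_policy)
    return group_policy[ranked[0][1]] if ranked else DEFAULT_POLICY


def assign_by_ordering(direct_groups, parents=GROUP_PARENTS, group_policy=GROUP_POLICY):
    """Group ordering: the assigned group highest in the alphabetical Groups
    list wins, however deeply nested the membership is (assumption)."""
    dist = group_distances(direct_groups, parents)
    ranked = sorted(g for g in dist if g in group_policy)
    return group_policy[ranked[0]] if ranked else DEFAULT_POLICY


if __name__ == "__main__":
    # User in GroupA and GroupB (GroupB nested in GroupC): GroupA wins under hierarchy.
    print(assign_by_hierarchy(["GroupA", "GroupB"]))         # GroupA policy
    # User in London and NY Telesales: the two methods disagree.
    print(assign_by_hierarchy(["London", "NY Telesales"]))   # UK policy
    print(assign_by_ordering(["London", "NY Telesales"]))    # Sales policy
```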
Warning
If you already have groups in place for web users and there are dependencies
between the groups and rules, selecting Replace all groups with CSV file could
void exceptions to your rules. (For example, if a rule states that no one but the
Accounting group can access www.financialnews.com, and then you upload a new
Group list, it is possible that Accounting could lose access to that website.)
To maintain existing group/rule associations, make sure that group names in the
CSV file match group names in the portal exactly. The best way to achieve this is to
download existing group configurations to a PC, manipulate them as needed, then
upload the changes to the cloud.
Licenses
Related topics:
● Licenses page
● License information
● Accepting licenses
Our subscription model operates in a similar manner to many software vendors: to use
the service, you must accept the terms of your agreement. Once you have done this,
your services are automatically enabled, renewed, or upgraded depending upon the
subscription type.
The purchase and billing systems are fully integrated with the cloud portal. Each cloud
service has a subscription associated with it, and that subscription is applied to each
customer account.
To view the subscriptions associated with your account, go to Account > Licenses.
You can use this area of the portal to view and manage your rights to use cloud
services.
Note
If an alert indicates that your account is currently unlicensed, or that a license has
been added or changed and must be accepted to place the provisions into service,
please check the Account > Licenses page for further information.
Licenses page
Related topics:
● License information
● Accepting licenses
The Licenses page provides basic information about your account, including:
● The account status
● Your enrollment key
● A summary of licenses for available products and add-on modules. A tick appears
next to the components that your account is licensed for.
● The length of time your reporting data is retained
● The location where your reporting data is stored.
Depending on the subscriptions associated with your account, you may also see up to
3 sections:
1. Pending licenses: Licenses that require accepting.
2. Current licenses: Licenses that have been accepted and are currently valid.
3. Previous licenses: Licenses that have either expired or been replaced by another
license.
License information
Subscriptions are generated automatically when you order a service. Each
subscription contains the following information:
● Users: The number of users or mailboxes for which your account is licensed.
● Started / Expires: Start and end dates of the license.
● Contract: The contract governing the license. This contains a link to a copy of the
contract.
Accepting licenses
The first time you log on to a new cloud service account, you are shown the licenses
screen and must accept the terms of the agreement to activate your account and
continue. If multiple subscriptions exist, you can accept them all at once.
Whenever a new subscription is ordered for you (for example, at renewal time or
following an upgrade), it is added to your account in a pending state. You must accept
this subscription to use the service. Each time you log on, you are taken to the licenses
screen to remind you that a subscription requires accepting.
Note
To ensure continuity of service, you should accept any pending licenses as soon as
possible. This requires Modify Configuration permissions.
If your license expires before you have a chance to renew it, you receive a grace
period. During that period, please order a new subscription as soon as possible.
Privacy protection
Use the Account > Privacy Protection page to prevent end-user identifying
information and/or data security incident trigger values from appearing in logs and
web reports. If required, you can still collect this information for security threats.
Note
If you select All policies, this applies to all existing policies and any new policies
you create in the future.
3. If you choose Only selected policies, select the policies you want from the
Available policies list. Use the Ctrl and/or Shift keys to make multiple selections.
4. Click the > button to move the policies into the Selected policies list.
5. To override all privacy protection selections in the event of a security threat, mark
Preserve end user information for security threats.
6. Define the attributes that should be anonymized in web reports.
■ By default, User name, Connection IP, Source IP, and Workstation are all
selected.
When the Connection IP option is selected, the connection name is also
anonymized.
■ You can select and clear the options most appropriate for your organization,
but at least one check box must be selected.
Note
If you have selected Preserve end user information for security threats, the
attributes that you select are not anonymized for any web traffic considered to be a
security risk.
Use the Account > Data Protection Settings page to enable and configure the
integration with Data Protection Service, part of Forcepoint DLP. With this
integration, enterprise data security, including blocking or monitoring data loss, is
handled by the Data Protection Service (DPS), rather than the cloud proxies or relays.
The cloud proxies and relays continue to handle all other aspects of processing web
and email traffic.
Note
Data Protection Service integration requires an additional license. If you would like
further information on integrating with Data Protection Service, contact your
account manager.
To monitor and prevent data loss using the Data Protection Service:
1. In the Tenant Information section, upload the configuration file provided by
Forcepoint in the fulfillment email you received. This file provides the
information needed to connect the cloud service to DPS and is the same file used
when configuring Data Protection Service in the Data module of the on-premises
Forcepoint Security Manager.
a. Click Browse, then locate and select the file.
The filename appears in the Configuration file entry.
b. Click Upload.
When the upload is successful, the remaining fields are automatically
populated.
The Browse and Upload buttons are not available for users with View
Configuration permissions.
2. Use the Web Defaults section to configure how data security is handled in new
web policies.
a. Select the option to be used, by default, when adding a policy.
○ When Use DLP Lite is selected, a Data Security tab is available for new
policies.
When a policy uses DLP Lite, basic data protection is provided by the
cloud proxy.
○ When Use Data Protection Service is selected, a Data Protection tab is
available when adding a new policy.
When a policy uses Data Protection Service, enterprise data protection is
provided and handled by Forcepoint DLP through the data protection
service. DPS is an external service that is part of the on-premises
Forcepoint DLP product.
Important
The same user information must exist in both Forcepoint Web Security Cloud and
Forcepoint DLP in order for user requests to be accurately inspected by Forcepoint
DLP.
b. Accept the default provided or enter a new value for DPS timeout. This value
determines the length of time, in seconds, that the cloud service waits for a
response from DPS after sending an inspection request.
c. Select Block or Allow as the DPS fallback behavior if a timeout or other
error occurs. If a response from DPS is not received within the time
configured in DPS timeout, the user request will be blocked or allowed based
on this setting.
d. Use the tables to change the data security selection for existing policies.
Each list contains the existing policies that currently use the data security
option indicated in the table heading. Use the arrows to move selected policies
from one list to the other. When the changes are saved, the policies are
updated to include the new data security type.
Note
Return to Web > Policy Management > Policies and edit each of the changed
policies to fully configure the new data security option. Otherwise, default values
are applied to the policy.
e. Click Export in the Export Categories to DPS section to create an XML file
containing all web categories, including Master Database categories, account-
level custom categories, and policy-level custom categories. This file can then
be uploaded to DPS and the categories can be used when defining Forcepoint
DLP policies.
The Export button is not available for users with View Configuration web
permissions.
In addition, when the timeout is exceeded, the request is blocked or allowed based on
the fallback selection but no log record is generated.
Important
Requests that include files that exceed 10MB in size are not forwarded to Data
Protection Service. These requests are allowed and no log record is generated.
● Your account can enforce multiple policies on your email and web traffic.
● It is good practice to keep the number of policies to a minimum, because if a
global change is required, you must make it across all policies.
● To prevent accidental changes, many configuration options are grayed out until
you click the appropriate edit box.
● Each service has its own configuration screen accessed by clicking the appropriate
tab on the main policy setup screen. Regardless of the services that you are
licensed to use, you see all tabs. If you click the tab for a service that you are not
licensed to use, you are informed of such.
● Where multiple email addresses, domains, or user names are entered into a screen,
they should be separated by commas.
● You can click Help at any time to access online help information.
● All changes are made in real time and usually only take a few minutes to
propagate across the cloud infrastructure.
● Cloud web products analyze inbound and outbound web traffic as well. Most
settings in the policy screens are specified separately for inbound and outbound
policy application. It is often not appropriate to set these identically for each
direction.
To access a web policy, go to the Web > Policy Management > Policies page.
On the Policies page, you are presented with a choice of service-specific policies.
Related topics:
● Maintenance
● Configure identity management
The cloud service allows you to make use of LDAP directories, such as Active
Directory, so you don’t have to re-create user accounts and groups for your email and
web services or manage users and groups in two places.
Important
The cloud service supports only one instance of the Directory Synchronization
Client for each account. Using multiple synchronization configurations, or even
using multiple installations of the Directory Synchronization Client, can cause data
on the cloud service to be overwritten.
What is LDAP?
Related topics:
● How the service works with LDAP
● Basic steps
● Cloud portal tasks
● Client tasks
● Maintenance
● Configure identity management
● Set up authentication
5. The client authenticates with the portal using a username and password that you
establish manually on the Contacts page. (Consider an appropriate password
expiration policy for that user so you don’t have to regularly update the client
application with the password changes.)
6. LDAP synchronized data is viewable but not editable through the portal.
The synchronization client resides on a computer at the customer’s site and accesses
one or more LDAP directories via the customer’s network. If more than one LDAP
directory is accessed, then this data can be merged together by the synchronization
client before it is synchronized with the cloud service.
When you are setting up user provisioning, it is important that you review the data you
are about to provision. The way that you structure user data in your LDAP-compliant
directory affects how you should structure groups and users in the portal for policies
and exceptions. You should devise a strategy before you start.
First, what data do you want to get out of your user data and what do you plan to do
with it?
Second, how is that data organized?
Third, how do you need to structure users and groups in the portal to accommodate
your security requirements?
In a typical directory, users are members of many groups. For example, users may be
members of global groups like “All Sales;” they may be members of geographical
groups like “London” or “New York;” and they may be members of a department such
as “NY Telesales” and many others. When deciding on which groups to provision,
select only groups that are going to be useful to the cloud service, typically for setting
policy or group-based exceptions. See Deciding what to synchronize, page 49 for
more guidelines on this decision.
If you already have users and groups in the portal, then you’ll need to determine how
and whether to adjust that structure to match the data that is to be provisioned (or vice
versa).
For customers using LDAP, following are the most common use cases. Follow the
links to review considerations and checklists designed just for you.
● New customers:
■ Synchronizing users/groups with a single Web policy and exceptions
■ Synchronizing users/groups with more than one policy, and planning to
manage policy assignment through an LDAP directory
● Existing customers:
■ Wanting to manage users/groups from an LDAP directory
■ Wanting to manage users/groups from an LDAP directory but Web policy
assignment from the portal
Deciding what to synchronize
Related topics:
● What is LDAP?
● How the service works with LDAP
● Basic steps
● Cloud portal tasks
● Client tasks
● Set up authentication
You do not need to provision all of the groups and users in your directory. Instead,
provision only groups that are useful to the cloud service.
Consider this Active Directory (AD) example:
If you are going to set up a policy for members of a US Telesales department that
gives them special permission to access certain websites, you should provision the
“US Telesales” group. There is no need to provision the “London” group if you are not
going to set up geographical policies in the cloud service, even if the London users are
going to be using the service.
Sometimes when users are provisioned to the cloud service, they are members of
multiple AD groups, but only a subset of those groups is provisioned. This is not a
problem: the cloud service is designed to accept users with group references that are
not on the service.
Note
If you add or change a group name in Active Directory or move a group from one
organizational unit (OU) to another, be sure to add the new name to the group
inclusion list on the Directory Synchronization Client before the next
synchronization. Otherwise, the group is deleted from the portal.
Regardless of how many groups you synchronize, user detail must be sent as part of a
separate user synchronization. When you synchronize a group, you transfer
information about the group but not about its contents. User synchronizations include
details of the group(s) to which users belong. When you apply a web policy or an
email policy to a synchronized group, that policy is applied to all synchronized users
who are members of that group.
Please refer to the Directory Synchronization Client Administrator’s Guide in the
Technical Library for more information on using the LDAP search feature to target
only those users and groups that are required.
Basic steps
Although the steps for your use case may vary, the basic steps for setting up user
provisioning follow:
In the portal
1. Configure identity management, page 51, for your account.
2. When using the Directory Synchronization Client, Set up authentication, page 53,
for the client machine. The client should have its own username and password to gain
access to the cloud service.
On the client
1. Download the Directory Synchronization Client (see Client tasks, page 53) and
install it on a network client machine. Download the client administrator’s guide
as well. This contains valuable information on helping you integrate your
directory service with the cloud service.
2. Configure the client. Use the username and password established in the Contacts
section of the portal to authenticate.
3. Test the Directory Synchronization Client to make sure it is returning the correct
data from the LDAP server to the client. If you are an existing customer switching
to directory synchronization for the first time, you should compare the data with
that which already exists in the cloud.
4. Initiate a synchronization. The service updates its groups and users, including
policy assignment where appropriate.
If a synchronization is unsuccessful, you can use the Restore feature to restore the
directory information to a previous version. (See Restore directories, page 57 for
more information.)
5. Schedule automatic synchronization. You can update the cloud service several
times a day if required.
Refer to the Directory Synchronization Client Administrator’s Guide for instructions
on items 2-5.
Cloud portal tasks
Related topics:
● Maintenance
To set up your account for directory synchronization, perform the following steps in
the portal:
1. Configure identity management, page 51, for your account.
2. Set up authentication, page 53, for the client machine.
Web
Assign users to policy
    Because you are synchronizing user and group data, you can manage policy
    membership through group membership.
    Select the web policy to which you want to assign users if they have no
    group-based policy assignment already. By default, the first policy in the
    list is chosen.
User policy assignment
    Specify whether you want the user policy assignment to be fixed after the
    first synchronization, or if you want the service to check the group policy
    membership every time users are synchronized or group policy assignments are
    changed in the cloud.
    Select “Follow group membership” if you want users’ policy assignments to
    change automatically when there are changes to their group membership. If
    you move someone to another group, he or she moves to a different policy.
    This is the default.
    Select “Fixed” if you want to manage policy assignments in the cloud. When
    you select “Fixed,” the service makes a policy assessment for an individual
    user only when that user first appears in the system (in other words, is
    synchronized for the first time). It either assigns the user a group-based
    policy or the default policy specified above. If you want to move someone to
    a new policy, you need to do so in the cloud.
Email new users
    Select one of the radio buttons to indicate whether you want email sent to
    new end users to notify them that they are now protected by the cloud
    service. You can send email to all new users, only those who do not have an
    NTLM identity, or no one.
    Be aware that sending to end users could flood your email servers with
    messages and slow down performance. You’re asked to confirm this decision.
    We recommend you do this at a quiet time.
Email notification
    Choose which email you want to use to notify end users of their enrollment
    in the cloud service. Initially, only the default message is offered, but
    you can create custom notifications if desired. See Configure block and
    notification pages for more information.
    For sender’s address, enter the address from which you want notification
    messages sent to new users.
Note
You can turn off directory synchronization any time and revert to managing all
users, groups, and email addresses in the cloud. If you plan to do this, please see
Turn off directory synchronization, page 58 for possible considerations.
Set up authentication
On the Contacts page, set up authentication for the client machine. We strongly
recommend that the client have its own username and password to gain access to the
cloud service. This keeps the synchronization process separate from your other
administration tasks and enables you to establish longer password expiration policies.
Once you establish a contact for the client machine, you configure the client to pass
these logon credentials when connecting to the service.
1. On the main menu bar, click Account.
2. Click Contacts.
3. In the Contacts section, click Add.
4. Enter identifying information for the client machine in the First name and
Surname fields. For example, “Directory Sync” and “Client.”
5. Click Submit.
6. In the User Name field, click here to add a user name.
7. Enter a password for the client machine. It must conform to the password policy
on the main Contacts page.
8. Enter a password expiration date for the client. To avoid having to regularly
update it, this should be different from the regular account settings; it should span
a longer period.
9. Under Account Permissions, check the Directory Synchronization box, and any
other permissions you want to give this “user”. You can act as an administrator
from this logon.
10. Click Submit.
Client tasks
Select a client tool to download it. If you already have a Java Runtime
Environment (JRE), download the tool without a JRE. Otherwise, download the
one that includes a JRE. A JRE is required to run the client software.
4. When the download is complete, run the executable file.
5. Navigate through the installation wizard as prompted, accepting the license
agreement and indicating where to install the application. Review the installation
instructions in the client administrator’s guide for assistance.
6. Configure the client as described in the client administrator’s guide. Provide the
logon credentials that you established as part of the configuration.
Maintenance
After directory synchronization is set up and running properly, you can perform the
following tasks in the portal:
1. View and manage user data. Note that you cannot edit data that has been synchronized
from your directory.
2. Assign a group to a different policy
3. View and print reports
4. View recent synchronizations
5. Restore directories to previous version
6. Troubleshoot synchronization failures
7. Turn off directory synchronization
All changes made on this screen override any group/policy assignments (existing
or future ones). To return to the automatic settings, manually undo your changes
here.
You can view and manage user data at the policy level as well as using the End Users
screen for the policy.
Note
Data from LDAP is read-only; you cannot change users and groups relationships
that were synchronized from the client directory. If a change is required, you must
make it in the client directory itself.
1. Open the policy to which you want to assign groups. For example, select Web >
Policy Management > Policies > DEFAULT.
2. Click the End Users tab.
3. Under Directory Synchronization, click Modify list of groups.
4. Select the groups you want assigned to this policy.
5. Click Submit.
If you set User policy assignment to Follow group membership when you
configured directory synchronization, the effect of this action is to assign all members
of the group already in the service to this policy. Users that are not members of
groups, or users in groups that are not explicitly assigned to a policy, are automatically
assigned to the default policy. All future additional users who are members of the
group are synchronized into the policy as well.
If you set User policy assignment to Fixed, the change affects only future additional
users.
● Synchronization History Log - The history log provides a connection history for the
specified period, up to 1000 rows.
● Synchronization Time Summary - The time summary provides a list of the 20 longest
synchronization times.
Column heading - Description
● Date - The date and time that the synchronization was performed in coordinated
universal time (UTC). Format YYYY-MM-DD HH:MM:SS.
● Status - An indication of whether the synchronization completed or failed.
Possible HTTP response codes include:
  ■ 200 OK - Completed successfully.
  ■ >400 - Synchronization failed:
    ■ 403 Error text - The client synchronization failed for reasons given in the
    error text. For example:
      403 Groups contain circular references
      403 Transaction failed
      403 Attempt to overwrite cloud-managed group.
      403 Email address exists in another account
  ■ 503 Service Unavailable.
● Type - The type of record that was synchronized: Users, Groups, Addresses, or
Test. Test indicates that the client connected to the cloud service to verify its
settings, but did not synchronize.
● Additions - The number of new records added during the synchronization. If the
synchronization is not yet complete, “In progress” is displayed.
● Deletions - The number of records deleted during the synchronization.
2. Click the timestamp in the date column to view details about a specific
synchronization.
In the resulting screen, you can see the time that the connection started and ended
in the local time zone of the client machine. (This lets you see how long the
synchronization took.) You can view the IP address of the source connection, the
username of the client initiating the synchronization, and the number of records
amended, added, or deleted. You can also see reporting and logging information.
Restore directories
If necessary, you can undo the last directory synchronization and restore the system to
its state before the synchronization.
Important
It is not possible to undo the restore, so changes you made in the cloud between the
last synchronization and the restore operation may be lost. You are warned of the
potential impact and asked to confirm the action.
Partially transmitted and temporarily stored data remains in the cloud service for a few
days as a possible debugging aid. This data is not used when you try to synchronize
again.
Important
Ensure that a synchronization is not under way when you disable directory
synchronization. If a synchronization is running, you may end up with an
incomplete set of data: for example, your groups might have synchronized
successfully, but your users might not.
When you turn off directory synchronization, group and user IDs on previously
synchronized items are retained, so you can easily re-enable synchronization at a later
date.
Please note that changes made manually in the cloud to data items that were
previously synchronized are lost if you later re-synchronize. When you re-enable
synchronization, you are indicating that it is now the LDAP directory that holds the
master data, and a full re-synchronization is performed.
Related topics:
● Defining Web Policies
Use the options in the Web > Settings and Web > Policy Management menus to
configure web protection settings for your account. You are presented with a number
of tools and configuration options.
Some options appear only if the corresponding feature has been enabled for your
account. Some features require the purchase of additional modules before they can be
enabled.
Related topics:
● Proxy auto-configuration (PAC)
● Proxy query page
● Web performance monitor
● Roaming home page
Use the Web > Settings > General page to access information about how traffic is
routed for your account.
By default, end user web traffic is routed to the nearest cloud data center based on the
egress IP address of your Domain Name Server (DNS). If your DNS is in a different
geographic location from some or all of your end users, this may mean that traffic is
not routed to the nearest data center to those users. To route your web traffic to data
centers based on the location of the end user, rather than your DNS, mark Route
traffic based on end users’ egress IP.
The General page also includes the following reference information:
● The proxy auto-configuration (PAC) file defines how web browsers choose an
appropriate proxy for fetching a given URL or whether it should be fetched
directly from the server of origin. For more information, see Proxy auto-
configuration (PAC), page 60.
● The proxy query page enables you to determine if a browser is correctly
configured. For more information, see Proxy query page, page 63.
● The web monitoring tool allows you to check web connectivity and speed. For
more information, see Web performance monitor, page 64.
● The roaming home page is designed for remote users, enabling them to connect to
the Internet via the cloud service from any location. For more information, see
Roaming home page, page 65.
There are a number of different URLs you can use to retrieve a service-generated PAC
file. The URL you choose determines which version of the PAC file is retrieved.
Different variants of the PAC file are suited to different network environments.
● Standard (account-wide) PAC file URL (found on the Web > General page). This
URL is an account-wide PAC file URL. This fetches a policy-specific PAC file on
connections from recognized IP addresses, and the standard, global PAC file from
unrecognized addresses.
● Policy-specific PAC file URL (found on the General tab of a policy). This URL
includes a policy identifier, which ensures that the PAC file specific to the policy
is always retrieved. This can be useful to ensure that remote users always get the
PAC file for a particular policy.
See the sections below for further information, and guidance on when to use each
option.
Note
If you have already deployed a standard cloud PAC file that uses a different URL
than the one displayed on the page, there is no need to change it unless you wish to.
PAC file URLs provided with earlier versions of your web product will continue to
work.
● A remote user requests access from a network that has port 8082 locked down (or
port 8087 for HTTPS). In this case, use the alternate PAC file address listed on the
policy’s General tab. This accesses the PAC file via port 80 (port 443 for HTTPS).
Remote users should also use the alternate policy-specific PAC file address if
requesting access from a network that has port 8081 locked down. Even if they
can access the PAC file on port 8082 or 8087, port 8081 is the standard required
port to be able to use the cloud service.
The policy-specific PAC file allows remote users to always use the correct PAC file
for their policy, although this is not always appropriate, because bypass destinations
may not be relevant for the remote users’ locations.
Important
There is a security implication related to the use of PAC files. If someone could
guess your unique policy identifier and download it, that person would know what
sites were not protected by the cloud service and could, in theory, use them as an
attack vector. To prevent this, PAC file identifiers are generated as non-sequential
alphanumeric strings. Users cannot assume that the number on either side of their
PAC file identifier is valid.
For additional security, use the HTTPS PAC file URL. Forcepoint also recommends
disabling the Automatically detect settings option in your LAN automatic
configuration settings.
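The page does not reproduce a PAC file, so the script below is an added example (not Forcepoint's file) of the structure the General page describes: each request is either fetched DIRECT or sent to the cloud proxy on the standard port 8081, and the bypass destinations are readable by anyone who can fetch the file, which is the exposure the Important note above is about. The proxy hostname, the bypass destinations, and the Node.js stand-ins for the helper functions a browser normally provides are all constructed placeholders.

```javascript
// Added example, not Forcepoint's own PAC file. Node.js stand-ins for the helper
// functions a browser supplies to PAC scripts let it run outside a browser.

// --- stand-ins for the browser-provided PAC helper functions ------------------
function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Shell-style wildcard match as used in PAC files: "*" matches any run of characters.
function shExpMatch(str, pattern) {
  const re = new RegExp("^" + pattern.split("*").map(escapeRe).join(".*") + "$");
  return re.test(str);
}

// True for a bare hostname with no dots, e.g. an internal server name.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// True when host ends with the given domain suffix, e.g. ".example.invalid".
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.endsWith(domain);
}

// Subnet membership for a dotted-quad host. No DNS resolution is done here, so a
// hostname that is not a literal IPv4 address never matches.
function isInNet(ipOrHost, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ipOrHost)) return false;
  const toInt = (s) => s.split(".").reduce((n, o) => (n << 8) + Number(o), 0) >>> 0;
  const m = toInt(mask);
  return ((toInt(ipOrHost) & m) >>> 0) === ((toInt(net) & m) >>> 0);
}

// --- the PAC script itself ------------------------------------------------------
// Placeholder cloud proxy; 8081 is the standard service port named in the text.
const CLOUD_PROXY = "PROXY cloudproxy.example.invalid:8081";

// Constructed bypass destinations. Anyone who downloads this file learns that these
// destinations are fetched directly rather than through the cloud service.
const BYPASS_DOMAINS = [".intranet.example.invalid", ".mydomain.com"];
const BYPASS_NETWORKS = [["10.0.0.0", "255.0.0.0"], ["192.168.0.0", "255.255.0.0"]];
const BYPASS_URL_PATTERNS = ["*://*.example.invalid/crl/*"];

// The browser calls this for every request; the return value is a proxy directive.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Internal names and loopback are never sent to the cloud service.
  if (isPlainHostName(host) || host === "localhost") return "DIRECT";
  for (const d of BYPASS_DOMAINS) {
    if (dnsDomainIs(host, d)) return "DIRECT";
  }
  for (const [net, mask] of BYPASS_NETWORKS) {
    if (isInNet(host, net, mask)) return "DIRECT";
  }
  for (const p of BYPASS_URL_PATTERNS) {
    if (shExpMatch(url, p)) return "DIRECT";
  }
  // Everything else goes through the cloud proxy on the standard port.
  return CLOUD_PROXY;
}

console.log(FindProxyForURL("http://www.google.com/", "www.google.com"));
console.log(FindProxyForURL("http://wiki.intranet.example.invalid/", "wiki.intranet.example.invalid"));
```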
To check which data center and policy you are currently using, as well as connection
and HTTP header information, access the query page using the following URL (note
the “with=all” query):
http://query.webdefence.global.blackspider.com/?with=all
The data center hostname is displayed under the Server Information section, in the
form: aaa##a.srv.mailcontrol.com (for example prx24lonb.srv.mailcontrol.com).
That data center name is also provided.
Optionally, check the data center identifier (e.g. “lonb”) against the knowledge article:
Cloud service data center IP addresses and port numbers.
Note
The web monitoring tool requires Microsoft Internet Explorer.
To run a test, click the Monitoring tool link on the Web > General page, then enter
the web address that you want to test.
Depending on your policy and current location, you may also be required to enter a
registered user’s email address and password (see Access Control tab, page 159, for
when and why this is required).
The test sends a request to the specified website both directly and via the proxy to
which you are connected. The results show the time to receive the first and last bytes
of the web page returned for each direct and proxied request. The median first byte
latency provides the best indication of how the cloud service feels to an end user (i.e.,
generally how quickly the page starts to display). The median last byte latency
provides an indication of how quickly the page is completely displayed, even though
the end user begins to read or even click another link before the page is displayed
completely.
The results are affected by any local network and Internet connectivity issues and
cannot be assumed to prove where a fault lies if a website is responding slowly.
However, they do provide a good indication of whether a slow website response is a
cloud-related issue or a problem with the website being accessed.
serve a non-policy specific notification page asking them to identify themselves. This
is a global page and cannot be customized.
Once a user is logged on with a unique user ID, the cloud service knows which policy
to apply to the user.
Note
Remote browser isolation is a limited-availability feature and may not be enabled
for your account.
Available at the account level, the remote browser isolation feature allows a user to
redirect a blocked request to a remote browser isolation service. A block page,
available for selection when a category is configured with Block Access, provides the
user the option to View in Remote Browser. When that option is available and
selected, the request is forwarded to the provider. See Managing categories, actions,
and SSL decryption, page 182, for information on configuring categories in a policy.
Use the Web > Settings > Remote Browser Isolation page to enable and configure
the feature.
1. By default, Disabled is selected. Click the radio button next to the appropriate
provider and continue with the configuration to enable remote browser isolation.
Important
This feature requires a subscription with a supported remote browser isolation
provider.
Note
If a user has opted to View in Remote Browser, the request is no longer handled by
the cloud service. Subsequent requests from the same browser will continue to be
handled by the remote browser isolation provider until the browser window is closed.
Related topics:
● Supported file types
● What does a file sandboxing transaction look like?
Note
You must have the Forcepoint Advanced Malware Detection for Web module to use
this feature.
Use the Web > Settings > File Sandboxing page to upload suspicious files to a cloud-
hosted sandbox for analysis. The sandbox activates the file, observes the behavior, and
compiles a report. If the file is malicious, an email alert is sent to the administrators
that you specify, containing summary information and a link to the report.
A file that qualifies for sandboxing:
■ Has been downloaded by an end user.
■ Is not classified as “malicious” in the Master Database
■ Passes all File Type Analysis checks
■ Fits the Security Labs profile for suspicious files
■ Is a supported file type. Executable files are always supported. See Supported
file types, page 69.
Note
Because the file was not detected as malicious, it was not blocked and has been
delivered to the requester.
For file sandboxing to be most effective, you should enable all of the advanced
analysis options in your policies. For more information, see Web Content & Security
tab, page 206.
1. File analysis is disabled by default. Select On to send qualified executable files to
the cloud-hosted sandbox for analysis.
2. Select Submit additional document types to send additional supported file types
to the sandbox for analysis.
3. Select Block access to files that have previously been detected as potentially
malicious to block requests made to files that were previously found to be
malicious.
4. Specify the email address of at least one person in your organization who will
receive notifications. This does not have to be a cloud service administrator. If you
specify multiple email addresses, ensure you enter one address per line.
Note
Single sign-on is a limited-availability feature and may not be enabled for your
account.
The single sign-on feature uses a third-party identity provider that authenticates user
identity, attributes, and roles using your enterprise directory. Single sign-on uses the
Security Assertion Markup Language 2.0 (SAML2.0) data format to send messages to
and receive responses from your identity provider. All communications between
components are secured.
If you already have an identity provider supported by the cloud service, you can
configure your provider to authenticate users browsing via the cloud proxy, enabling
seamless end-user login.
When single sign-on is enabled, end users connecting to the cloud proxy are redirected
to your identity provider, if specified in their policy. Once a user has been
authenticated against your directory service, they are directed back to the proxy and
the appropriate policy is applied. Clients who have authenticated once do not then
have to re-authenticate for subsequent web browsing sessions, for a specified period
of time (see Session timeout, page 162).
To configure single sign-on:
1. Go to Web > Settings > Single Sign-on.
2. Mark Use identity provider for single sign-on.
3. For customers new to single sign-on, the Identity provider entry displays SAML
2.0 Compliant Identity Provider and cannot be changed.
For customers who had configured single sign-on prior to the introduction of the
SAML 2.0 Compliant Identity Provider option, the previously selected identity
provider is displayed and a drop-down list offers the original provider and SAML
2.0 Compliant Identity Provider. The vendor-specific options remain available
strictly to support customers already using them. It is recommended that all
customers select the generic option.
4. To enable your identity provider to work with single sign-on, you must provide
metadata from your product.
■ If you select URL, locate the URL of your identity provider’s metadata and
enter it in the field provided.
■ If you select File upload, click Browse to locate the exported metadata file
from your identity provider.
If you have previously uploaded a metadata file, the file name and date and
time of upload are displayed on the page.
5. Click the Root Certificate link and save the certificate file to a location on your
network.
6. In order for the cloud proxy to talk to your identity provider, you must upload
cloud service SAML metadata to your product. Click the Metadata link to
download this data file.
7. Click Save.
When you click Save, the specified metadata source is validated. If it is found to
be invalid, the cloud portal displays an error and restores the previous
configuration. This means either reverting to the previous metadata source if one
was configured, or disabling the Use identity provider for single sign-on
checkbox if you are configuring single sign-on for the first time.
Once you have completed the setup on this page, you must do the following to
complete single sign-on activation:
● Add the downloaded SAML metadata file to your identity provider.
● Deploy the root certificate to end users’ machines, using your preferred
distribution method such as Group Policy Object (GPO).
● Enable single sign-on for your policies on the Access Control tab.
Note
For more information on the single sign-on service, including detailed configuration
guidance for supported providers, see the Single Sign-On Guide on the Support
website.
Related topics:
● Bypassing authentication settings
● Adding and importing sites that bypass the proxy
● Bypassing certificate verification
● Bypassing authentication decryption
The cloud service includes the following options for bypassing security and
authentication checks, if required for your end users:
● The Authentication Bypass tab enables you to add custom settings that bypass
authentication and content filtering for applications, user agents, and sites for
which authentication with the cloud service is problematic. If you have an I Series
appliance or a supported edge device, you can add authentication bypass rules for
internal networks behind the device. See Bypassing authentication settings, page
72.
● The Proxy Bypass tab enables you to add, and import in bulk, destinations that
bypass the cloud service for all policies. See Adding and importing sites that
bypass the proxy, page 76.
● The SSL tab enables you to specify trusted HTTPS domains that your end users
can always access even if the certificate is detected to be invalid (see Bypassing
certificate verification, page 78), and to define web categories that should never
be decrypted for end users authenticating with single sign-on or secure form-
based authentication. For I Series appliances, this applies to all authentication
methods. See Bypassing authentication decryption, page 79.
Related topics:
● Bypassing certificate verification
To bypass authentication for particular applications or sites that do not properly handle
authentication challenges, you can specify user agents, domains, URLs, or a
combination of these.
Tip
A user agent is identified by a string sent from your browser or Internet application.
This identifies which browser or application you are using, its version number, and
details about your system, such as the operating system and version. The destination
server can use this information to provide content suitable for your specific browser
or application. For example, this is the user agent information for Firefox:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6)
In this example, Windows NT 5.1 indicates that the operating system is Windows
XP, and the language setting is US English.
Note
You must have NTLM identification enabled for your account to use this option.
■ Form login: Displays the secure login form to users before they use their
cloud credentials to proceed over a secure connection. For more information,
see Access Control tab, page 159.
■ Basic: Uses the basic authentication mechanism supported by many web
browsers. No welcome page is displayed. For more information on basic
authentication, see Access Control tab, page 159.
■ Welcome page: Displays a welcome page to users before they use basic
authentication to proceed. The welcome page is configurable in each policy
on the Access Control tab. Note that the welcome page is not available for
traffic from I Series appliances. For more information, see Pre-logon welcome
page, page 161.
Warning
We strongly recommend you do not disable content filtering unless it is for
applications and sites that do not work with the cloud service and that you trust
implicitly. Disabling content filtering overrides all other filtering rules, including
web category filtering actions. This means that all content is allowed. This could
allow viruses and other malware into your network.
Note
This option will match against all applications that do not send a user agent. In this
case, we recommend you refine the rule by entering one or more URLs or domains
in the Destination sites field.
■ To apply the rule to all user agents, select All user agents. You might want to
do this if you are setting up a custom rule that applies to all browsers on all
operating systems in your organization.
■ If you want to apply the bypass rule to one or more user agents, select
Specific user agents, and enter each user agent on a separate line. Use the
asterisk wildcard to match one line to multiple user agent strings, for example
Mozilla/5.0*.
6. Define the destination sites (if any) for the rule:
■ To match against all domains and URLs, select All destinations. You might
want to do this if you are setting up a custom rule that applies to a specific
user agent that accesses multiple sites.
■ To apply the rule to one or more sites, select Specific destinations, and enter
each URL or domain on a separate line. URLs must include the protocol
portion (http://) at the beginning and a forward slash (/) at the end - for
example, http://www.google.com/. If these elements are not present, the string
is treated as a domain. Domains cannot include a forward slash at the end - for
example, mydomain.com.
Use the asterisk wildcard to match one line to multiple destinations: for
example, entering *.mydomain.com would match against all domains ending
in ‘mydomain.com.’
7. Click Save.
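The matching conventions in steps 5 and 6 (the * wildcard in user agent strings, the protocol-plus-trailing-slash test that separates a URL entry from a domain entry, and wildcard domains such as *.mydomain.com) can be applied in code. The example below is added here and is not Forcepoint's implementation; where the text leaves semantics open, it assumes that a URL entry matches any request URL it is a prefix of and that a plain domain entry matches the hostname exactly. It also carries the content filtering switch from the Warning above so that the effect of disabling it is visible in the result.

```javascript
// Added example, not Forcepoint code: interpreting authentication bypass rule
// fields using the conventions documented in the portal text.

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Portal wildcard: "*" matches any run of characters (e.g. "Mozilla/5.0*").
function globToRegExp(pattern) {
  return new RegExp("^" + pattern.split("*").map(escapeRe).join(".*") + "$", "i");
}

// A destination line is a URL only when it starts with the protocol and ends with
// "/"; anything else is treated as a domain, and a domain may not end with "/".
function classifyDestination(line) {
  const entry = line.trim();
  if (/^https?:\/\//i.test(entry) && entry.endsWith("/")) {
    return { kind: "url", pattern: entry };
  }
  if (entry.endsWith("/")) {
    throw new Error(`"${entry}" is not a valid domain: domains cannot end with "/"`);
  }
  return { kind: "domain", pattern: entry.toLowerCase() };
}

// Build a rule from the portal fields. "all" stands for the All user agents /
// All destinations options; contentFiltering=false models the Disabled setting.
function buildRule({ userAgents = "all", destinations = "all", contentFiltering = true }) {
  return {
    userAgents: userAgents === "all" ? "all" : userAgents.map(globToRegExp),
    destinations: destinations === "all" ? "all" : destinations.map(classifyDestination),
    contentFiltering,
  };
}

function destinationMatches(dest, requestUrl) {
  if (dest.kind === "url") {
    // Assumption: a URL entry matches every request URL it is a prefix of.
    return globToRegExp(dest.pattern + "*").test(requestUrl);
  }
  // Domain entry: wildcard or exact hostname match ("*.mydomain.com").
  return globToRegExp(dest.pattern).test(new URL(requestUrl).hostname);
}

// Does the rule apply to this request? request = { userAgent, url }.
function ruleMatches(rule, request) {
  const uaOk = rule.userAgents === "all" ||
    rule.userAgents.some((re) => re.test(request.userAgent || ""));
  if (!uaOk) return false;
  return rule.destinations === "all" ||
    rule.destinations.some((d) => destinationMatches(d, request.url));
}

// Evaluate a request against an ordered rule list. The result records whether
// authentication is skipped and, separately, whether content analysis still runs;
// a matching rule with contentFiltering=false lets all content through.
function evaluate(rules, request) {
  const rule = rules.find((r) => ruleMatches(r, request));
  if (!rule) return { bypassAuthentication: false, contentFiltering: true };
  return { bypassAuthentication: true, contentFiltering: rule.contentFiltering };
}

// Constructed rules: a browser rule for two destinations, and a legacy-application
// rule that disables content filtering for a single internal host.
const SAMPLE_RULES = [
  buildRule({ userAgents: ["Mozilla/5.0*"], destinations: ["*.mydomain.com", "http://www.google.com/"] }),
  buildRule({ userAgents: "all", destinations: ["legacyapp.example.invalid"], contentFiltering: false }),
];

const FIREFOX_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6)";
console.log(evaluate(SAMPLE_RULES, { userAgent: FIREFOX_UA, url: "http://app.mydomain.com/login" }));
```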
To view the user agents that have made authentication requests via the cloud service,
run the User Agents report (under Reporting > Report Catalog > Advanced). If a
user agent in this report has a high number of authentication requests, it may be
experiencing authentication problems.
Note
You must have NTLM identification enabled for your account to use this option.
■ Form login: Displays the secure login form to users before they use their
cloud credentials to proceed over a secure connection. For more information,
see Access Control tab, page 159.
■ Basic: Uses the basic authentication mechanism supported by many web
browsers. No welcome page is displayed. For more information on basic
authentication, see Access Control tab, page 159.
■ No authentication: Bypasses all authentication and identification methods in
the cloud service. Select this option for internal networks that should never
use authentication credentials.
4. Content analysis is enabled by default. Optionally, you can bypass all filtering
for the specified internal network(s) by selecting Disabled.
Warning
We strongly recommend you do not disable content filtering unless it is for
applications and sites that do not work with the cloud service and that you trust
implicitly. Disabling content filtering overrides all other filtering rules, including
web category filtering actions. This means that all content is allowed. This could
allow viruses and other malware into your network.
If your organization uses Microsoft Office 365, select the Office 365 box under Cloud
Applications and click Save to bypass the cloud service for sites and URLs associated
with Office 365.
Note
The URLs included in the bypass list for Office 365 are those domains that are
owned by Microsoft and used directly by the Office 365 application, listed here:
https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges
This list also includes third-party URLs that host Certificate Revocation Lists
(CRLs), which are not included in the bypass when you select the Office 365
checkbox. Bypassing these domains may not be appropriate for all customers.
If you have difficulty installing or using Office 365 with this option selected, you
may need to add one or more of these additional URLs as non-proxied domains. If
you need further assistance, please contact Technical Support.
You can also configure policy-specific bypass destinations on the Connections tab of
each policy. For more information, see Proxy bypass, page 158.
To add a new bypass destination:
1. Click Add.
2. Enter a Name and helpful Description for the destination.
3. Specify the destination Type, then enter the Address (single IP address), Subnet
(using CIDR notation or subnet mask), or Domain.
4. If the traffic should bypass the cloud proxy, but go through a third-party proxy in
your network, mark Send traffic to another proxy.
5. Use the optional Comment box to add helpful information, such as why the entry
was created.
6. Click Submit.
To import bypass destinations in bulk:
1. Click Import Destinations.
2. Click the CSV template link, and save the template in a location of your choice.
3. Add the bypass destination information to the template file.
The template file contains the following columns: Name, Type, Destination, and
Description. Only Description is optional; all other columns must be filled in.
Ensure the Type column contains either Address, Domain, or Subnet, and any
destinations with the Subnet type use CIDR notation. For example:
Name,Type,Destination,Description
Dest1,Domain,destination1.com,Here is a description
Dest2,Address,154.10.2.36,Another description
Dest3,Subnet,154.10.2.38/19,Yet another description
4. Save the file.
5. On the Import Destinations page, browse to your CSV file, then click Import.
Once the destinations are successfully imported, the Import Destinations page closes
and the imported destinations are listed on the Proxy Bypass tab. If the import fails,
any errors are listed on the Import Destinations page. Each error states which line of
the CSV file is affected, and explains the problem; fix any issues before trying the
import process again.
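Because a failed import reports errors line by line, it is convenient to check the template before uploading it. The script below is an added example (not Forcepoint's import logic): it validates the Name, Type, Destination, and Description columns against the rules stated above and reports each problem with its CSV line number. The sample file is constructed; its three valid rows mirror the example above, and the checks assume fields contain no embedded commas.

```javascript
// Added example, not Forcepoint code: a pre-import check for the Proxy Bypass
// CSV template, reporting problems by 1-based line number.

const EXPECTED_HEADER = ["Name", "Type", "Destination", "Description"];
const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

function isIPv4(s) {
  const m = IPV4.exec(s);
  return !!m && m.slice(1).every((octet) => Number(octet) <= 255);
}

// Subnet entries must use CIDR notation (a.b.c.d/n); a dotted subnet mask is not
// accepted in the CSV file.
function isCidr(s) {
  const parts = s.split("/");
  if (parts.length !== 2 || !/^\d{1,2}$/.test(parts[1])) return false;
  return isIPv4(parts[0]) && Number(parts[1]) <= 32;
}

// A Domain entry is a bare name: no protocol, no path, no trailing slash.
function isDomain(s) {
  return /^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$/i.test(s);
}

// Returns null when the destination is valid for its type, else a message.
function validateDestination(type, destination) {
  switch (type) {
    case "Address":
      return isIPv4(destination) ? null : "Address must be a single IPv4 address";
    case "Subnet":
      return isCidr(destination) ? null : "Subnet must use CIDR notation, e.g. 154.10.2.38/19";
    case "Domain":
      return isDomain(destination) ? null : "Domain must be a bare domain name with no protocol or trailing slash";
    default:
      return `Type must be Address, Domain, or Subnet (got "${type}")`;
  }
}

// Validate the whole file. Returns { rows, errors }, where each error carries the
// CSV line number so the offending row can be fixed before re-running the import.
function validateBypassCsv(text) {
  const lines = text.split(/\r?\n/);
  const rows = [];
  const errors = [];
  const header = (lines[0] || "").split(",").map((c) => c.trim());
  if (header.join(",") !== EXPECTED_HEADER.join(",")) {
    errors.push({ line: 1, message: `header must be ${EXPECTED_HEADER.join(",")}` });
    return { rows, errors };
  }
  lines.slice(1).forEach((raw, i) => {
    const lineNo = i + 2;
    if (raw.trim() === "") return; // ignore blank trailing lines
    const cols = raw.split(",").map((c) => c.trim());
    if (cols.length !== 4) {
      errors.push({ line: lineNo, message: `expected 4 columns, found ${cols.length}` });
      return;
    }
    const [name, type, destination, description] = cols;
    // Only Description is optional.
    const missing = ["Name", "Type", "Destination"].filter((_, j) => !cols[j]);
    if (missing.length) {
      errors.push({ line: lineNo, message: `${missing.join(", ")} must be filled in` });
      return;
    }
    const problem = validateDestination(type, destination);
    if (problem) {
      errors.push({ line: lineNo, message: problem });
      return;
    }
    rows.push({ name, type, destination, description });
  });
  return { rows, errors };
}

// Constructed sample: three rows from the documentation's example plus four bad ones.
const SAMPLE_CSV = [
  "Name,Type,Destination,Description",
  "Dest1,Domain,destination1.com,Here is a description",
  "Dest2,Address,154.10.2.36,Another description",
  "Dest3,Subnet,154.10.2.38/19,Yet another description",
  "Dest4,Network,10.0.0.0/8,wrong Type value",
  "Dest5,Subnet,154.10.2.38,subnet without CIDR prefix",
  "Dest6,Domain,http://destination6.com/,URL instead of bare domain",
  ",Address,154.10.2.40,missing Name",
].join("\n");

console.log(validateBypassCsv(SAMPLE_CSV).errors);
```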
Note
You can add a total of 1000 proxy bypass destinations per policy. Account-level
bypass destinations (added via Web > Proxy Bypass) count towards this limit for
each policy. For example, if your policy has 10 bypass destinations, and you have 10
account-level bypass destinations, this is counted as a total of 20 destinations for the
policy.
Important
We strongly recommend that you verify certificates for HTTPS sites. If you switch
this option off, there is a chance of increased security risks from malicious sites with
certificates that misrepresent their identity (for example, a site called gogle.com
pretending to be Google).
If certificate verification fails, the end user sees an error page and cannot access the
website unless you allow them to access sites with certificate errors by marking Allow
end users to bypass all certificate errors. In this case, end users see a notification
page informing them that a certificate error has been detected, and have the option to
either proceed to the site or go back. This notification page is not available for I Series
appliances.
If you choose to perform certificate verification, you can maintain a list of domains
and IP addresses for which the cloud service bypasses certificate verification errors.
This enables end users to visit a site even if the certificate is invalid. You may want to
do this for sites that you trust even if, for example, the certificate has expired, is not
yet valid, or is self-signed.
You can manage domains and IP addresses for bypass as follows:
● To add items for certificate verification bypass, enter one or more domain names
or IP addresses separated by commas, then click Add. IP addresses can also
include the port number (for example 127.0.0.1:80). You cannot add IP address
ranges.
● To delete a domain name or IP address from the bypass list, select the item and
click Delete. You can use the Ctrl and/or Shift keys to select multiple items for
deletion.
Click Save when done.
Note
The appliance does not currently support authentication decryption bypass for
custom categories.
To define a web category that is never decrypted during authentication on the SSL tab,
under Authentication Decryption Bypass, select the category in the Available
categories list, and click the > button to move it to the Selected categories list.
Note the following for the selected categories:
● The selections apply only to end users browsing from proxied connections. They
do not apply to roaming users.
● Users browsing these categories will be considered anonymous for both policy
enforcement and reporting.
Related topics:
● Policy-level domains
● Account-level domains
● Editing a domain
● Permissions implications
● Legal requirements
Email domains can be used to enable end-users to self-register with the cloud service.
Users with email addresses belonging to the domains that you add can create a
password to self-register with the service. Domains can be configured at either the
account level or policy level. Domains can be used to determine which policy users
are assigned when they register.
Before reading this section, we recommend that you read Proxied connections, page
157.
Permissions implications
Administrators who have permissions only for individual policies can access domain
configuration only from within the policy, and they cannot amend account-level
domains. They also receive a restricted set of controls when editing policy-level
domains. From this view, they can see all domains but have editing rights only to the
policy-level domains associated with their policy.
Legal requirements
Your terms and conditions for use of the service include a clause that restricts the use
of domains to those that are legally registered to your organization. Bulk registering
end users, page 170, explains the process of bulk registration, where the cloud service
sends email to a list of email addresses uploaded to the service. The legal restriction is
Policy-level domains
Policy-level domains are created in the policies themselves. Users with an email
address in this domain are registered to the policy to which the domain is assigned.
This is useful if you have users in your account with different email domains, who you
wish to manage using different policies.
To create a policy-level domain:
1. Select Web > Policy Management > Policies.
2. Click the name of the policy to open.
3. Click the End Users tab.
4. Under Self Registration, click Add.
No policy-level domain can exist in multiple policies or accounts.
When you are adding a policy-level domain, some options are grayed out, because
they are only applicable to account-level domains.
Account-level domains
Account-level domains can be added in order to allow users to self-register to any
policy in your account. The actual policy they are assigned to is determined by the IP
address from which they register (see Proxied connections, page 157).
Account-level domains must have a default policy for remote users. Users registering
with email addresses belonging to the domain, and connecting from unknown IP
addresses, will be added to this default policy. If there is no default policy, then remote
users cannot register and receive an error message when they try to do so.
Note
If all users within your account are on a single email domain and you have multiple
policies, you must configure an account-level domain assigned to all policies.
Click Web > Settings > Domains to see the end-user registration domains, and the
policy each domain is associated with. If they are account-level domains, the words
“By connection” are shown instead of a policy name.
Editing a domain
Related topics:
● Configure Domain settings
● Policy-level domains
● Account-level domains
● Permissions implications
● Legal requirements
In the list of domains, click the name of a domain you want to edit, and then click
Edit.
A domain can be associated with a specific policy or all policies. If you select
Associate this domain with all policies, you are prompted to assign a default policy
for remote users. If no account-level domains are assigned, remote users are registered
into the policy associated with the account to which their domain is assigned.
If remote users try to register using an email address that is associated with an
account-level domain and there is no default policy, they receive an error message.
Related topics:
● Endpoint overview
● Endpoint tab
● Configure General endpoint settings
● Configure endpoint End User Control settings
● Windows operating system users
● Mac operating system users
● Updating the endpoint
● Access Control tab
Use the Web > Settings > Endpoint page to configure the settings that apply to all
web endpoint clients deployed in your network.
● For information about the available web endpoint clients, see Endpoint overview,
page 83.
● Endpoint client deployment is managed within your policies. See the Endpoint tab
topic under Defining Web Policies for more information.
Note
Endpoint end user control is not supported for the Mac version of the Classic Proxy
Connect Endpoint client.
Instructions for using the End User Control tab are included in the configuration
procedures for Windows clients, linked in the previous step.
See also Configure endpoint End User Control settings, page 89, for more
information about the options on the End User Control tab.
● Use the Endpoint Bypass tab to specify applications on end user machines that
can access the Internet directly, bypassing endpoint policy enforcement.
See Endpoint bypass, page 99, for instructions.
Endpoint overview
Forcepoint Endpoint agents are lightweight software clients that run in the
background on user devices, providing a seamless browsing experience for your end
users. Endpoint agents automatically authenticate users with the service, and provide
policy enforcement and data security features. The endpoint clients have been
designed to consume minimal CPU, memory, and disk resources, and have tamper
controls to prevent users disabling the software.
Available endpoint agents are:
● Neo: this endpoint agent can be used in either proxy connect mode or direct
connect mode, and can automatically switch from one to the other when
necessary. For customers who have also purchased Forcepoint Dynamic User
Protection, Neo sends user activities there for analysis to compute the risk score.
● Proxy Connect: this classic endpoint agent redirects all traffic to the cloud proxy
for analysis. Proxy Connect is recommended for most scenarios, and supports the
widest set of security features.
● Direct Connect: this classic endpoint agent contacts the cloud service for each
request to determine whether to block or permit a website, but routes the web
traffic itself directly to the Internet. Direct Connect also routes traffic to the cloud
service to perform content analysis, if configured in your policy. Direct Connect is
recommended for scenarios in which proxy connections may be problematic.
The differences between endpoint agents are further outlined below.
Neo
The Neo endpoint agent is a single agent that installs on the endpoint machine and
includes both proxy connect and direct connect modes. Neo can automatically switch
between the two modes depending on network conditions and performance.
Once Neo is activated, full functionality of proxy connect or direct connect is
available. Neo uses the appropriate endpoint mode, based on network conditions.
When proxy connect mode is in use but cannot connect to the proxy or if performance
becomes an issue, Neo will switch to the direct connect mode.
Neo collects activity data from the endpoint and, for customers who have purchased
Forcepoint Dynamic User Protection, sends the data there where it is analyzed for the
purpose of risk score calculation.
Note
The Direct Connect endpoint is not suitable where data security features are
required, since this requires all traffic to be directed to the cloud service.
Direct Connect endpoint is designed for use in situations where the use of proxy
connections may be problematic. Direct Connect endpoint can improve the security
and usability of the service in the following scenarios:
● Off-site (roaming) users for whom proxy connections may cause issues
● In complex or changing network environments
● In areas where geographic firewalls prohibit the use of proxies
● When users need to access websites that do not work well with a proxy
● When users need to use non-browser or custom applications that do not work well
with a proxy
● When geographically localized content is critical.
Important
While the Direct Connect endpoint can provide improved security coverage in these
scenarios, administrators should check that the networking requirements and level of
feature support are acceptable for your intended deployment.
For more information on feature support, see the Release Notes for Forcepoint Web
Security Direct Connect Endpoint, available in the portal on the Web > Endpoint >
General page.
Endpoint connectivity
The following diagram illustrates the connectivity for Proxy Connect (through Neo or
the Classic Proxy Connect endpoint) and Direct Connect (through Neo or the Classic
Direct Connect endpoint).
The diagram shows the two different endpoint versions servicing a web request:
1. In the first scenario, Neo or the Classic Proxy Connect endpoint directs all web
traffic via the cloud proxy. If the request is permitted, the proxy connects to the
requested website and sends content back to the end-user client. (If the request is
blocked, the user is shown a block page.)
2. In the second scenario, a web request via Neo or the Classic Direct Connect
endpoint consists of two stages:
a. The endpoint connects to the cloud service to look up the user’s policy
settings for the requested site.
b. If the request is permitted, the client then redirects the request directly to the
Internet. (If the request is blocked, the user is redirected to a block page.)
If required, you can deploy a combination of Proxy Connect and Direct Connect
endpoints in your organization. However, only one classic endpoint instance (Classic
Proxy Connect or Classic Direct Connect) can be installed on a client machine at
any one time. The Neo endpoint agent includes both proxy connect and direct connect
modes.
Note
Neo is regarded as the default option and is recommended for most situations.
If in doubt about which version is appropriate for your deployment, please consult
the endpoint release notes, and/or contact Technical Support for advice.
Related topics:
● Configure Endpoint settings
● Configure endpoint End User Control settings
● Endpoint tab
● Updating the endpoint
● Endpoint bypass
● Access Control tab
Use the General tab of the Web > Settings > Endpoint page to configure settings
that apply to all endpoint clients deployed in your network, and to find information
needed for manual endpoint client deployment.
Manage Neo
Click the Forcepoint Neo management portal link to open that portal in a new tab.
Access to this option requires Modify Configuration permissions.
On the Neo management portal you can access the endpoint dashboard, endpoint
management, and advanced settings. Use the advanced settings to control the
auto-update mode and generate a release code to allow end users to uninstall the Neo
endpoint.
Select Dashboards, Endpoint management, or Settings in the Forcepoint Dynamic
User Protection Help for additional information.
Important
For security reasons, the cloud service does not retain a copy of your anti-tampering
password. If you forget your password, you can reset it in the portal by entering and
confirming a new password. All installed endpoints will be updated to use the new
password next time they connect to the Internet.
Related topics:
● Configure Endpoint settings
● Configure General endpoint settings
● Endpoint tab
● Updating the endpoint
● Endpoint bypass
● Access Control tab
Use the End User Control tab of the Web > Settings > Endpoint page to define
which users can enable or disable the endpoint client software on their machines.
It may be necessary to allow users to disable the endpoint client if they are working in
a location that blocks web traffic to the cloud service. This can introduce
vulnerabilities, since it permits end users to circumvent the protections offered by the
endpoint software.
To allow users to disable the endpoint client:
1. Toggle End user control to ON.
2. For Apply to:
■ Select Specified users or selections to allow those you specify to enable or
disable the endpoint on their machines.
Related topics:
● Configure Endpoint settings
● Distributing the endpoint via GPO (Classic Proxy Connect and
Direct Connect)
● Installing the endpoint on a single machine (Classic Proxy
Connect and Direct Connect)
● Updating the endpoint
The code is required during installation to associate the endpoint with your
customer account and enable your end users to log on transparently.
9. (Classic Proxy Connect and Direct Connect) On the End User Control tab, select
whether end users have the option to enable or disable endpoint software on their
machines. You may wish to enable this feature if your users are working in a
location that blocks web traffic to the cloud service. Note that this option can
introduce vulnerabilities: if enabled, it permits end users to circumvent the
protections offered by the endpoint software.
■ For Apply to, select Specified users or selections to allow those you specify
to enable or disable the endpoint on their machines. Select Everyone except
specified users or selections to prevent those you specify from enabling or
disabling the endpoint on their machines.
■ To add users to the end user control list, on the Users tab enter each user email
address on a separate line in the Users field.
■ To select groups, policies, or connections to add to the end user control list, on
the appropriate tab, click the item you want in the Available field, then click >
to move it to the Selected field. Ctrl + click to select multiple items.
■ Click Save when done.
Distributing the endpoint via GPO (Classic Proxy Connect and Direct Connect)
Related topics:
● Configure Endpoint settings
● Installing the endpoint on a single machine (Classic Proxy
Connect and Direct Connect)
● Updating the endpoint
Note
See the Neo installation section of the Forcepoint Dynamic User Protection Help
for information about distributing the Neo endpoint using Microsoft Endpoint
Configuration Manager.
Details below apply to classic Proxy Connect and Direct Connect only.
Follow the steps below to deploy endpoint clients through an Active Directory group
policy object (GPO). You need to write different installation scripts for a 32-bit versus
a 64-bit operating system. Check in your script to see if the endpoint is installed,
because your script should only install the endpoint if it is not already installed.
1. Create a shared folder (create a folder and turn on sharing in the Properties menu).
2. Create a batch file (.bat) in the shared folder, for example “installmsi.bat”. This
can be done in any text editor.
Type the following msiexec command into the batch file and save it.
msiexec /package "\\path\WebsenseEndpoint.msi" /quiet /norestart WSCONTEXT=xxxx
Here:
■ path is the path to the installer that you downloaded from the portal
■ xxxx is the unique code noted from the Endpoint Download page in the portal
3. Test your batch file manually to make sure it runs on other workstations. You can
do this by opening the server path to the file on a workstation and attempting to
run the file. If the file does not run, check your permissions.
4. Open the Group Policy Management Console (GPMC).
5. Create a new (or open an existing) GPO on the organization unit (OU) in which
your computer accounts reside. To create a new GPO:
a. In the console tree, right-click Group Policy Objects in the forest and
domain in which you want to create a Group Policy object (GPO).
b. Click New.
c. In the New GPO dialog box, specify a name for the new GPO, and then click
OK.
6. Open Computer Configuration > Windows Settings > Scripts, and double-click
Startup in the right pane of the screen.
7. Click Add.
8. In the Script Name field type the full network path and filename of the script
batch file you created in step 2.
9. Click OK.
10. Close the GPMC.
11. Run the gpupdate /force command at the command prompt to refresh the group
policy.
The application should be installed on startup. The client may not be fully functional
until a reboot occurs.
Related topics:
● Configure Endpoint settings
● Installing the endpoint on a single machine (Classic Proxy
Connect and Direct Connect)
● Updating the endpoint
Here, <path> is the path to your endpoint package, and xxxx is the anti-tampering
password you set in the cloud portal.
Important
If you uninstall the endpoint client, be sure to restart your operating system or your
web browsing experience may be affected.
To stop the endpoint client, navigate to the endpoint installation folder and run this
command:
wepsvc -stop -password <password> wspxy
Related topics:
● Configure Endpoint settings
● Identifying Mac endpoint end users
● Changing the policy of a Mac end user
● Uninstalling the endpoint from the Mac (Classic Proxy Connect
and Direct Connect)
● Updating the endpoint
5. Under Endpoint Client Download, select Mac from the Platform drop-down list
and click Download to download the endpoint zip file.
6. On the End User Control tab, enter users or select groups, policies, or
connections who are allowed to disable the endpoint on their machines. You may
wish to do this if your users are working in a location that blocks web traffic to the
cloud service. Note that this option can introduce vulnerabilities: if enabled, it
permits end users to circumvent the protections offered by the endpoint software.
■ To specify end users who can disable the endpoint client, enter each user
email address on a separate line in the Users field.
■ To select groups, policies, or connections who can disable the endpoint client,
click the item you want in the Available field, then click > to move it to the
Selected field. Use the Ctrl key to select multiple items.
■ Click Save when done.
7. (Classic Proxy Connect only) If you want the Classic Proxy Connect endpoint
client to use port 80 for proxying and PAC file retrieval, do the following before
installation:
■ Ask your endpoint support representative to add the “Send HWS endpoint to
port 80” template to your account. You can add this template globally, or to
specific policies.
■ Look at the endpoint client files, and locate the endpoint.pkg and
HWSConfig.xml files. The latter is specific to your account. The files must
reside in the same directory for the endpoint to successfully install.
■ In the HWSConfig file, make the following change:
Change this:
<PACFile URL="http://webdefence.global.blackspider.com:8082/proxy.pac" />
To this:
<PACFile URL="http://pac.webdefence.global.blackspider.com/proxy.pac" />
By applying this template, you will also move to port 80 any Proxy Connect
endpoints that are already installed.
8. Double-click the endpoint package to open an introductory screen for the installer.
Click Continue for step-by-step instructions on the installation process.
9. When you reach the “Standard install on Macintosh HD” screen, click Install to
begin the installation process.
You must install the endpoint on the local hard disk. You can change the
installation location on this screen by clicking Change Install Location...
10. Enter a user name and password for a user with administrator rights to install the
software.
If the installation process fails, check that the HWSConfig.xml file is present and
is in the correct format if you have edited it.
11. A confirmation screen informs you if the installation is successful. Click Close.
12. After installation, go to System Preferences > Other.
Related topics:
● Configure Endpoint settings
● Changing the policy of a Mac end user
● Uninstalling the endpoint from the Mac (Classic Proxy Connect
and Direct Connect)
● Updating the endpoint
When a Mac user is logged into an active directory-based domain, the endpoints
identify users in the same way as for Windows operating system users. For Mac users
not logged into a domain, however, the endpoint formats the user details in the cloud
service as mac.local.[local_username]@[local_address].
For example, if you are logged in as “Joe Bloggs,” it might appear as
mac.local.joebloggs@123-nosuchdomain.autoregistration.proxy.
To search for all locally logged-on Mac users, do the following:
1. Go to Account > Settings > End Users.
2. In the Name field, enter “mac.local*”
3. Click Search.
This brings up a list of all Mac users that are logged on locally.
Related topics:
● Configure Endpoint settings
● Identifying Mac endpoint end users
● Uninstalling the endpoint from the Mac (Classic Proxy Connect
and Direct Connect)
● Updating the endpoint
Uninstalling the endpoint from the Mac (Classic Proxy Connect and Direct Connect)
Related topics:
● Configure Endpoint settings
● Identifying Mac endpoint end users
● Changing the policy of a Mac end user
● Updating the endpoint
6. You will receive a confirmation message if the endpoint client was successfully
uninstalled.
7. Click OK to finish the process.
You can also uninstall the endpoint client through the command line:
1. After entering the Mac administrator password, run this command:
sudo wepsvc --uninstall
2. You will be asked for the anti-tampering password that you set in the portal.
To stop the endpoint client, do the following through the command line:
1. After entering the Mac administrator password, run this command:
sudo wepsvc --stop
2. You will be asked for the anti-tampering password that you set in the portal.
Note
For Neo, automatic updates are enabled by default but can be configured on the Neo
management portal, accessed from the Web > Settings > Endpoint page. For more
information, see the Settings section of the Forcepoint Dynamic User Protection
Help.
Details below apply to classic Proxy Connect and Direct Connect only.
For users with Windows operating systems, the Endpoint tab in your web policies
includes an auto-update feature which can automatically deploy newer versions to
browsers without desktop administrators getting involved. If you select this option, it
applies to all users in the policy who have installed the endpoint client, regardless of
whether it has been deployed via GPO or directly from the policy, assuming their
browser supports deployment from the cloud. For more information, see Endpoint tab,
page 166.
To deploy endpoint updates via GPO, first download the latest version from the
Web > Settings > Endpoint page. The latest version appears at the top of the list of
available downloads.
You can check which version of the endpoint client your end users have by running
the Installed Endpoint Client Statistics report.
Endpoint bypass
Related topics:
● Configure Bypass Settings
● Updating the endpoint
If you have deployed the endpoint client to your end users, occasionally some
applications do not work properly in conjunction with endpoint enforcement. This is
more likely with the Proxy Connect endpoint, and might affect, for example,
custom-designed applications for your organization.
If you are experiencing problems with applications on end users’ machines, use the
Endpoint Bypass tab of the Web > Settings > Endpoint page to add the names of
any applications that you want to bypass endpoint policy enforcement. For the Proxy
Connect endpoint, this feature does not work for applications that use system browser
settings to determine a proxy.
Note
You must update your endpoint deployments, if required, to a version that supports
this feature. See Updating the endpoint, page 98.
The Web > Settings > Protected Cloud Apps feature allows you to nominate a set of
cloud applications to use within your organization that are protected by Forcepoint
CASB. Forcepoint CASB is an integrated solution for cloud application access
discovery, activity analysis, access control, security monitoring and enforcement,
governance, policy compliance, and data loss prevention.
Note
The Protected Cloud Apps feature requires an additional license. If you would like
further information on accessing this feature, please contact your account manager.
The Protected Cloud Apps feature cannot be used with the Direct Connect endpoint
or Neo when it is in direct connect mode.
Use the Protected Cloud Apps page to connect the service to your Forcepoint CASB
account, to manage the applications that are protected, and to open the Forcepoint
CASB management portal. When an end user accesses one of your protected cloud
apps, the service forwards traffic to Forcepoint CASB for analysis, and CASB
determines whether to allow the request or apply an enforcement action, based on
your CASB configuration.
To protect cloud app usage via Forcepoint CASB:
1. Navigate to Web > Settings > Protected Cloud Apps.
2. Set the Enable connection with Forcepoint CASB toggle switch to ON.
3. In the dialog, enter the connection details provided in the fulfillment letter you
received when you purchased your Forcepoint CASB license.
If your fulfillment letter did not include these details, configure a new API access
key on the Settings > Access Management > API page of the Forcepoint CASB
portal. See Create a new API access key in the Forcepoint CASB
Administration Guide for instructions.
■ Access key ID
■ API key secret
■ Service URL
4. Click Connect.
5. From the list of cloud apps, select which apps to protect in Forcepoint CASB. You
can select up to the maximum number of apps that your CASB license covers.
Use the scrollbar, or begin typing the name of an app in the Search field. To view
only the apps that are currently selected, set the search menu drop-down menu to
Selected apps.
The contents of the list changes based on changes made in the CASB portal.
6. The list of selected apps can be used by all policies or applied to a specified subset
of policies. In the Traffic Forwarding section, Forward traffic to Forcepoint
CASB:
■ For all policies (the default) to forward all user requests to any of the selected
apps to Forcepoint CASB for enforcement.
■ Per policy to select the policies that should use the list of selected apps when
the policy is enforced.
7. When Per policy is selected, the Forward to Forcepoint CASB column provides
the complete list of existing policies. Use the arrows to move selected policies for
which protected cloud apps should not be applied to the Do Not Forward to
Forcepoint CASB column.
Use the arrows to move policies from one list to the other.
8. When you are done, click Save.
While the Enable connection with Forcepoint CASB switch is set to ON, traffic for
these cloud apps is forwarded to CASB for analysis and protection.
To stop CASB from protecting your traffic, set the switch to OFF and click Save.
Note
Setting the connection with Forcepoint CASB to OFF has no effect on the cloud app
usage and risk reporting features available in the Cloud Apps Dashboard and Cloud
App reports. Reporting information is always recorded for cloud app activity,
allowing you to discover and monitor cloud app usage in your organization.
See the Cloud Security Gateway Integration Guide for additional information.
For more information on using Forcepoint CASB, see the Forcepoint CASB
Administration Guide.
Important
The full traffic logging feature is not available by default. To make it available in
your account, contact Support.
As an alternative, consider migrating to SIEM Integration. Take advantage of Bring
your own storage or switch between Forcepoint storage and your own. See
Configuring SIEM storage.
Use the Web > Settings > Full Traffic Logging page to enable the ability to
download raw proxy request data from the cloud service for retention and analysis.
Mark the Enable full Web traffic logging checkbox to enable log retention for your
account. Note that if you enable this feature, the cloud service starts saving large
amounts of data that you must download to your own systems.
Log data is retained for 14 days. If you do not download the traffic data for a period of
14 days, log retention is disabled for your account.
For full details of how to set up and use full traffic logging, we strongly recommend
you read the “Configuring Full Traffic Logging” technical paper.
You can also retain full traffic logs for specific policies. For more information, see
General tab, page 152.
The cloud web service categorizes websites into dozens of built-in categories to help
you manage your end users’ web surfing. See Category list, page 191, for further
information about the built-in categories.
You can also create custom categories, each of which comprises a set of sites (for
example, “www.google.com”) or URLs (for example,
“http://www.yahoo.com/index.html”). Custom categories defined on the Web > Policy Management >
Custom Categories page are created at the account level and are available to all
policies.
For information on creating custom categories at the policy level, see Custom
Categories tab.
Use the Web > Policy Management > Custom Categories page to view and manage
the custom categories for your account.
Note
There is a limit to the maximum number of custom categories and sites you can add.
Based on analysis of custom category usage, this limit is designed to provide ample
capacity. If you have any questions about the custom category limit, please contact
Technical Support.
Important
When a file is uploaded, the contents of the file will replace the list of sites
previously associated with the category. It will not add to that list.
5. In the cloud portal, click Import File on the Web > Policy Management >
Custom Categories page.
6. In the Import Custom Categories dialog box, browse to your CSV file and click
Import File.
These custom categories can be used in the same way as the built-in categories; see
Category list, page 191, for further information.
Use the toggle at the bottom of the page to Enable custom categories per policy. If
this option is disabled, the Custom Categories tab is not available on the Web > Policy
Management > Policies page and policy-level custom categories cannot be added.
When this option is enabled, all policy-level custom categories display by policy.
Note
Certain characters have significance to the pattern matching mechanism, and should
be preceded with a backslash (\). These characters are: [ ] { } \ + *
Hostnames
Enter hostnames without a protocol, for example: abc.com. This will match:
● Any resource at the domain, using any protocol (for example http://abc.com,
https://abc.com, ftp://abc.com).
● Any subdomains of abc.com using any protocol, for example www.abc.com,
123.abc.com, www.123.abc.com.
You can use a wildcard (*) within a hostname or at the beginning of a hostname.
Wildcards at the beginning of a hostname match any hostname that ends with the
string you enter, for example *abc.com matches 123abc.com, and any subdomains
(for example www.123.abc.com, www.xxx.123abc.com).
A wildcard at the beginning of a hostname, followed by a dot (*.abc.com) matches
any subdomains of abc.com (for example 123.abc.com), but not the abc.com domain
itself.
Note
Wildcards placed at the end of the string are removed.
URL paths
Any address with a slash (/) following the hostname or IP address is treated as a URL
path (for example www.abc.com/, www.abc.com/mysite).
If you specify a URL path, it is treated as the start of a path, and matches anything
beginning with the string you enter (for example, www.abc.com/mysite matches
www.abc.com/mysite/folder/page.htm).
Note: URL paths will not match for HTTPS requests unless SSL decryption is being
performed. For HTTPS requests, the full path is not provided to the proxy.
IP addresses
Enter IPv4 IP addresses or ranges in one of the following formats:
● Explicit address: a single address. Example: 12.13.14.15
● Explicit range: 2 addresses separated by a dash (-). Example:
12.13.14.15-12.13.14.99 (a space before and after the dash is allowed, but not required)
● Subnet: An address followed by a slash (/) and the number of bits, which is a
number between 1 and 32. Example: 12.13.14.15/24
● Subnet with subnet mask: an address followed by a slash (/) and a netmask.
Example: 12.13.14.15/255.255.255.0
Important
If you have entered an IP address range, subnet, or subnet mask, be sure your entry
does not have unintended impact. When a policy is applied, all addresses are
handled the same way. For example, if the category is blocked, all qualifying
addresses are blocked.
IP addresses and ranges are used to match the resolved address of a requested
hostname, using any protocol and port.
Ports
If you include a port number that is the standard port number for the protocol being
used (for example port 80 for HTTP, port 443 for HTTPS), the port number is ignored
and the entry is treated as described above. If the port number is a non-standard port
for the protocol being used, the proxy will match only URLs that include the port
number.
For example, if you enter www.abc.com:8080/, then http://www.abc.com:8080/mysite
will match, but http://www.abc.com/mysite will not.
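Before adding an entry to a custom category, it helps to check which requests it would actually catch, since a wildcard or subnet that is wider than intended is applied to every qualifying address by the policy. The following Python program is an added example, not Forcepoint code and not the service's own matcher: it implements the rules described in the Hostnames, URL paths, IP addresses and Ports sections above (subdomain matching, wildcards at the start of or inside a hostname, removal of trailing wildcards, backslash escaping of special characters, path-prefix matching that cannot apply to HTTPS requests unless SSL decryption is performed, explicit address, range, subnet and netmask entries matched against the resolved address on any protocol and port, and standard ports being ignored). The `CategoryEntry` class, the `resolved_ip` and `ssl_decrypted` parameters and the sample entries are assumptions of this example.

```python
"""Added example (not Forcepoint code): a matcher for custom-category entries
following the hostname, URL path, IP address and port rules described above.
Assumed inputs: the caller supplies the resolved IP of the request, and says
whether SSL decryption lets the proxy see the path of an HTTPS request."""
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}
_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def _hostname_regex(entry: str) -> "re.Pattern[str]":
    """Compile a hostname entry. An unescaped '*' is a wildcard, '\\x' is a
    literal x, trailing wildcards are dropped, and subdomains always match."""
    while entry.endswith("*") and not entry.endswith("\\*"):
        entry = entry[:-1]
    parts, i = [], 0
    while i < len(entry):
        ch = entry[i]
        if ch == "\\" and i + 1 < len(entry):   # escaped special character
            parts.append(re.escape(entry[i + 1]))
            i += 2
        elif ch == "*":                          # wildcard at start or inside
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    # '(?:.*\.)?' lets www.abc.com match an entry of abc.com; '*.abc.com'
    # still needs a literal dot before abc.com, so abc.com itself is excluded.
    return re.compile(r"(?:.*\.)?" + "".join(parts) + r"\Z", re.IGNORECASE)


class CategoryEntry:
    """One line of a custom category: hostname, URL path, IP/range/subnet,
    optionally with a port."""

    def __init__(self, raw: str) -> None:
        self.raw = raw
        text = re.sub(r"^[a-z][a-z0-9+.-]*://", "", raw.strip(), flags=re.I)
        self.network: Optional[ipaddress.IPv4Network] = None
        self.ip_range = None
        self.host_re = None
        self.port: Optional[int] = None
        self.path: Optional[str] = None
        if self._parse_ip(text):
            return
        hostport, slash, path = text.partition("/")
        if ":" in hostport:
            hostport, _, port = hostport.rpartition(":")
            self.port = int(port)
        self.host_re = _hostname_regex(hostport.lower())
        if slash:                    # anything after the host is a path prefix
            self.path = "/" + path

    def _parse_ip(self, text: str) -> bool:
        m = re.fullmatch(rf"({_IPV4})\s*-\s*({_IPV4})", text)
        if m:                        # explicit range, spaces around '-' allowed
            self.ip_range = (ipaddress.IPv4Address(m.group(1)),
                             ipaddress.IPv4Address(m.group(2)))
            return True
        m = re.fullmatch(rf"{_IPV4}(?:/(\d{{1,2}}|{_IPV4}))?", text)
        if not m:
            return False
        bits = m.group(1)
        if bits and "." not in bits and not 1 <= int(bits) <= 32:
            raise ValueError(f"prefix length must be 1-32: {text}")
        # strict=False keeps 12.13.14.15/24 meaning the 12.13.14.0/24 subnet
        self.network = ipaddress.ip_network(text, strict=False)
        return True

    def matches(self, url: str, resolved_ip: Optional[str] = None,
                ssl_decrypted: bool = False) -> bool:
        parts = urlsplit(url if "://" in url else "http://" + url)
        scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
        req_port = parts.port or DEFAULT_PORTS.get(scheme)
        if self.network is not None or self.ip_range is not None:
            # IP entries compare the resolved address, on any protocol and port
            if resolved_ip is None:
                return False
            addr = ipaddress.ip_address(resolved_ip)
            if self.network is not None:
                return addr in self.network
            return self.ip_range[0] <= addr <= self.ip_range[1]
        if not self.host_re.match(host):
            return False
        # a standard port for the protocol is ignored; a non-standard one
        # matches only requests that carry it
        if (self.port is not None and self.port != DEFAULT_PORTS.get(scheme)
                and req_port != self.port):
            return False
        if self.path is not None:
            if scheme == "https" and not ssl_decrypted:
                return False     # the proxy never sees the HTTPS path
            return (parts.path or "/").startswith(self.path)
        return True


def matching_entries(entries, url, resolved_ip=None, ssl_decrypted=False):
    """Return the raw text of every entry that applies to the request."""
    return [e.raw for e in entries
            if e.matches(url, resolved_ip, ssl_decrypted)]
```

Running `matching_entries` over a proposed list with a handful of representative requests (including an HTTPS request with `ssl_decrypted=False`, and an address inside a planned subnet entry) shows exactly which entries a policy would apply, which is the check the Important note on subnet and range entries asks for.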
Time periods
The cloud service allows you to configure policies that restrict web surfing by time of
day for either the whole policy or for website categories, users, and groups. When an
exception rule is configured, it is applied to a time period.
Use the Web > Policy Management > Time periods page to configure time periods
for your account. These are configured at the account level so that they can be
available for use in multiple policies, if required.
Each account is provided with 4 default time periods.
Note
Daylight saving time is supported where valid on all time zones except GMT and
UTC, which are static. For example, if you select GMT, British Summer Time is not
taken into account for this time period.
To delete a period
If you want to delete a time period, make sure that it is not being used by any rules
first. If it is in use, the Delete button is grayed out.
Important
This feature requires an I Series appliance.
The Policy Management > Protocols page provides a list of the protocol groups in
the cloud service master database. Each protocol group includes similar types of
Internet protocols (like FTP or IRC) and applications (like MSN Messenger or
BitTorrent). The database of protocol groups is updated regularly. These protocols
cannot be edited or deleted.
You can also add, edit, or delete custom protocols on the Protocols page. Custom
protocols are available to all policies.
● Use the Search field to search for a particular protocol or group in the protocols
list.
● To define a new custom protocol, click Add. See Adding or editing a custom
protocol, page 107, for instructions.
● To modify a custom protocol, select it in the list and click Edit. See Adding or
editing a custom protocol, page 107, for instructions.
● To remove a custom protocol, select it in the list and click Delete.
5. Repeat steps 3 and 4 for each additional identifier that you want to define or
modify.
6. Click Save.
7. To delete a protocol identifier, select it in the list and click Delete.
Related topics:
● Editing notification pages
● Language support
Use the Web > Policy Management > Block & Notification Pages page to view or
edit block page text and notification messages for your account.
When a cloud policy denies access to a resource or needs to inform the user of an
event, it can serve any configured notification page. There is a standard set of pages
included with your web product, and you can either modify these to suit your needs, or
add your own pages. You can then refer to the notification pages from any of your
policies.
The pages are grouped for ease of navigation. Click a down arrow next to a group
name to see a list of all the pages within that group. To see all available pages, click
All.
Note
General notification pages that you create are listed under Custom. Custom AUP
pages are listed under Acceptable Use Policy (a limited-availability feature that may
not be enabled for your account).
To delete a custom page, click the delete icon next to the page name. The delete icon
is displayed only if the custom page is not used in any policies.
The Page Details page is displayed, with the name and description at the top. You
can now edit the page as required.
For information about editing the content of a new or existing notification page, see
Editing notification pages, page 110.
For additional information about AUP pages, see Acceptable use policy, page 155.
Default language
The default language for block and notification pages is English. You can change this
by selecting a different language from the Default language drop-down list.
If you select a different default language and then click Save, your changes are
immediately visible to end users. Ensure that you have saved pages in the new default
language; if a page is not available in the new default language, the English page is
displayed.
Note
The end user registration pages for secure form-based authentication are already
available in the following languages: French, German, Italian, Dutch, Spanish,
Simplified Chinese, and Japanese.
Default logo
By default, the logo displayed on the notification pages is the Forcepoint Web
Security Cloud company logo. To change the logo:
1. Click Edit. The Default Logo popup window is displayed.
2. Select Custom images, and enter the URL of the image you want.
The image must be a JPEG, GIF, or PNG file. Click Verify Image to confirm the
format and location of the image file.
3. Click OK. The new logo is displayed in the Settings area.
4. Click Save.
Note
If you choose to display a custom logo, we recommend that you host it on an
HTTPS site. This ensures that your end users do not see warnings about unsecure
elements on notification pages that use HTTPS, such as end-user registration and
secure form authentication.
HTTPS notifications
To enable the cloud proxy to serve the correct notification page to the user for HTTPS
sites - for example, a block page if the site is in a category that the end user is
prevented from accessing, or the Pre-logon welcome page for authentication - you
need a root certificate on each client machine that acts as a Certificate Authority for
secure requests to the cloud proxy.
To install the root certificate for your end users and enable notification pages for
HTTPS sites:
1. In the Settings area, click the root certificate link and download the certificate to
a location on your network. You can then deploy the certificate manually, using
your preferred distribution method.
2. Once the certificate has been deployed, return to this page and mark Use
certificate to serve notifications for HTTPS pages.
3. Click Save.
Related topics:
● Notification page variables
● Language support
Each notification is a complete HTML page. The Page Details page presents a simple
view of the page with editable sections, enabling you to customize the text and
images.
To change the content of a notification page:
1. For custom pages, click Edit to update the page Name or Description. Click Save
when done.
2. To change the page name that appears in the browser’s title bar, edit the Page title
field.
3. Hover your mouse over the page content to highlight the sections that are editable.
To edit a line of text or block of content, click its section to open a text editor
window.
4. Edit the text as required.
■ You can select all or part of the text and use the text formatting buttons to add
bold, italic, color and other formatting. Hover over each text formatting
button to see its function.
■ To add a variable to the section, click Variables/tokens, and select from the
drop-down list. See Notification page variables, page 112.
Click OK when done.
5. To edit the page footer:
a. Click the footer section to open a text editor window.
b. If you have already specified Default footer text, clear the Use default footer
text box.
c. Enter the footer text to use for this notification page. You can select all or part
of the text and use the text formatting buttons to add bold, italic, color and
other formatting.
d. Click OK when done.
6. To edit an image on the page:
a. Click on the image. The Image Properties popup window is displayed.
b. To use one of the standard images provided by the cloud service, select
Standard images and click on the image you want.
c. To use an image of your choosing, select Custom images and enter the URL
of the image you want.
The image must be a JPEG, GIF, or PNG file. Click Verify Image to confirm
the format and location of the image file.
d. Click OK.
7. To view and edit the HTML source, click HTML Editing. Any valid HTML may
be used within a notification page.
Note
If you edit a page in the HTML view and then click Basic Editing to return to the
basic editor, you will lose any changes made in the HTML view.
8. To see how the page appears to end users, click Preview. The page appears in a
separate window.
Note
Your browser may warn you that you are switching to an unsecured connection.
Note
When you edit a notification page, the Variables/tokens drop-down list contains
only the variables that are relevant to that page. From the list of valid variables, hover
over the name to see the associated HTML value.
Manually entering a variable name on the Edit Page Content panel that is not
included in the drop-down might result in the variable name displaying as part of the
notification page.
Variable: Description
Category: The web category that applies to the requested site and has triggered the block or notification page.
Client IP address: The IP address of the user attempting to authenticate, register, or access a web page. This is optional on most pages, and can be submitted for reporting purposes when a user authenticates or confirms that they want to access the URL via quota time or continue/confirm. It is mandatory on the secure form logon page.
Agree Acceptable Use Policy: Link to accept your Acceptable Use Policy and continue to the requested website. Mandatory on any Acceptable Use Policy page.
Close Acceptable Use Policy page: Link to close an Acceptable Use Policy page without agreeing to the policy. Mandatory on those pages.
Cloud app name: The cloud application that the user is trying to access.
Content category: Use to show the type of sensitive content that was detected. For example, regulations, data theft, or custom.
Content classifier: Use to show the content classifier that was matched. For example, key phrase, regular expression, or dictionary.
Custom text: Use to include your own text on an Acceptable Use Policy page.
File extension: Displays the file extension that the user has attempted to access when file extension blocking is in use.
Maximum file size: Displays the maximum file size allowed when file size blocking is in use.
Requested file size: Displays the size of the file that the user has attempted to access when file size blocking is in use.
Host name: The host name of the site that the user is trying to access.
Login host name: The host name used for transactions involved in logging on to the cloud service. For example, clicking the 'Log in' button on the Welcome page submits a form to this host.
Login URL: Link to log on to the cloud service using basic authentication or NTLM identification.
HTTP request method: The ‘method’ in the HTTP request that is being handled (for example, ‘GET’, ‘POST’).
NTLM domain name: The domain part of a user’s NTLM ID.
NTLM ID: User’s NTLM ID, in the format domain\username.
NTLM username: The user name part of a user’s NTLM ID.
Policy name: The policy that has been applied to the web request.
Protocol: Either HTTP or HTTPS. Used in embedded URLs, such as image links, so the service can use a common page for mixed HTTP and HTTPS without getting browser warnings that the page uses one protocol but image links use the other one.
Quota time disabled: Used on the quota page to disable the OK button when the user's daily quota has been used up.
Quota remaining: The number of minutes remaining in the user’s daily quota time.
Quota session length: The session length available to the user if they choose to use quota time to browse the site they have requested, as well as other sites in that category (if per-category quotas are enabled) or that are in categories set to use quota time.
Reason: The reason the request was blocked. Only valid on pages triggered by a blocked request.
Registered email address: End user’s email address as registered in the cloud service. This address is used to send emails as part of the end-user registration process and the password reset process.
Registration URL: Link included in forgotten password and end-user registration email notification templates. When clicked, the link takes the user to a page where they can reset their password or complete their registration. This is mandatory in both email notifications.
Requested URL: The URL that the user is attempting to access, and that has caused the block or notification page to be displayed. If the notification page is a request for authentication, or to use quota time or continue/confirm, the user is automatically redirected to the URL when they authenticate or confirm.
Username: End user’s user name. Can be used on an Acceptable Use Policy compliance page, or in end-user notification emails for password resets and self-registration.
Language support
You can create multiple language versions of block and notification pages to display
to end users, allowing a single corporate policy to be applied to a multi-national user
base. If you create multiple language versions of standard or custom pages, the most
appropriate version of the page is served to end users based on their browser settings.
The language version displayed to end users will be the version that matches the
primary language set in the user’s browser, if a version exists for that language. If a
version does not exist, the default language version will be used.
The default language for block and notification pages is English. You can change this
default in the Settings area of the Block & Notification Pages page (see Default
notification page settings).
To add a different language version for a notification page:
1. Click the page name to open it for editing.
2. Click Add Language.
3. Select the languages you wish to add from the Available Languages panel. You
can use the Shift and Ctrl keys to select multiple languages.
4. Click the right arrow (>) to move the languages to the Selected languages list.
5. Click OK.
The languages you selected are now available in the Languages drop-down list.
Select a language from the list to edit the page content for that language, as described
in Editing notification pages, page 110.
To delete a language version of a notification page, click Delete Language.
Note
You are responsible for translating and editing the content for different language
versions of a notification page.
Use the Web > Policy Management > Content Classifiers page to classify your data
using custom phrases, dictionaries, or regular expressions containing business-specific
terms or data. This can help to prevent the loss of intellectual property or sensitive
data over the web.
Once content classifiers are defined, select the classifiers that you want to enable for
the policy using the Data Security tab in the policy. (See Custom, page 205, for
instructions.)
You can use more than one classifier in your policies to reduce false positives.
Note
The total number of content classifiers you can create in your account is 100.
Note
You cannot delete classifiers that are being used in a policy. You must remove the
classifier from all the web policies that use it before you can delete it.
Field: Description
Name: Enter a name for this pattern, such as Visa card.
Description: Enter a description for this pattern, such as Visa credit card patterns.
Regular expression pattern: Enter the regular expression for which you want the system to search, such
as all 3-character strings followed by the sequence “123”. The expression
should be compatible with Perl syntax.
You can use alphanumeric characters and any of the following values:
. Any single character
[ ] Any one character in the set
^ Beginning of line
[^] Any one character not in the set
\s White-space character
| Or
\r?\n Line break
\ Escape special character
? Previous expression exists or not
{ } Range or frequency
() The expression in the parentheses is treated as one term
\b Word boundary
\x{hex-number} Unicode character
\d Digit character (0-9)
\D Non-digit character
\w Alphanumeric character
\W Non-alphanumeric character
To include Unicode characters in your pattern, use the format \x{hex-number}.
Do not use +, *, or {X,} without an upper limit. Instead use a limited
quantifier such as {0,500}/{1,500}/{X,500}/{X}. When using a line
break, use the exact syntax shown above.
For example: \b[a-zA-Z][347]\d{3}\b will match strings (separated with
word boundaries) starting with a letter followed by 3, 4 or 7 and then 3
digits, like “c3122”.
Test: Because a regular expression pattern can be quite complex, it is important
that you test the pattern before saving it. If improperly written, a pattern
can create many false-positive incidents and slow down the system.
Create a .txt file (less than 1 MB) that contains values that match this regex
pattern. The file must be in plain text UTF8 format.
Browse to the file and click Test to test the validity of your pattern syntax.
If the pattern you entered is invalid, you’re given an opportunity to fix it.
You cannot proceed until the test succeeds.
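The authoring rules for the Regular expression field and the Test step, as an added example (not Forcepoint code): a checker that rejects unbounded quantifiers and mis-written line breaks, then runs the page's sample pattern over a constructed test file. Python's re module stands in for the service's Perl-compatible engine; of the constructs listed above only \x{hex-number} differs (Python's re spells it \uhhhh).

```python
"""Pre-flight checks for a regular expression content classifier.

Added example, not Forcepoint code. It applies the rules the help page
gives for the Regular expression field (no +, * or open-ended {X,}
quantifiers; line breaks written exactly as \\r?\\n) and then runs the
pattern over a sample text file, mirroring the portal's Test step.
Python's re module is used in place of the service's Perl-compatible
engine; the constructs on the page's list behave the same here except
\\x{hex-number}, which Python's re spells as \\uhhhh.
"""
from __future__ import annotations

import re


def unbounded_quantifiers(pattern: str) -> list[str]:
    """Return every '+', '*' or '{X,}' found outside a character class
    and not preceded by a backslash."""
    found = []
    i, in_class = 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            i += 2              # an escaped character is never a quantifier
            continue
        if in_class:
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
        elif ch in "+*":
            found.append(ch)
        elif ch == "{":
            m = re.match(r"\{\d+,\}", pattern[i:])
            if m:
                found.append(m.group(0))
        i += 1
    return found


def validate_pattern(pattern: str) -> list[str]:
    """Collect rule violations; an empty list means the pattern may be saved."""
    problems = [
        f"unbounded quantifier {q!r}: use a limited form such as {{1,500}}"
        for q in unbounded_quantifiers(pattern)
    ]
    if "\\n" in pattern and "\\r?\\n" not in pattern:
        problems.append("write line breaks exactly as \\r?\\n")
    try:
        re.compile(pattern)
    except re.error as exc:
        problems.append(f"syntax error: {exc}")
    return problems


def find_matches(pattern: str, text: str) -> list[str]:
    """Every substring the pattern matches in the text."""
    return [m.group(0) for m in re.finditer(pattern, text)]


def unmatched_lines(pattern: str, sample_file: str) -> list[str]:
    """The Test step expects a file of values that match the pattern. Return
    the lines that do not, so the author can see where the pattern is off."""
    regex = re.compile(pattern)
    return [
        line for line in sample_file.splitlines()
        if line.strip() and not regex.search(line)
    ]


# Constructed sample file for the page's example pattern: a letter, then
# 3, 4 or 7, then three digits, all between word boundaries.
EXAMPLE_PATTERN = r"\b[a-zA-Z][347]\d{3}\b"
SAMPLE_FILE = "c3122\nK7045\nx4000\nc5122\n"   # the last value should fail

if __name__ == "__main__":
    for candidate in (EXAMPLE_PATTERN, r"\d+", r"[+*]{2,}", r"\bsecret\n"):
        print(candidate, "->", validate_pattern(candidate) or "ok")
    print("unmatched:", unmatched_lines(EXAMPLE_PATTERN, SAMPLE_FILE))
    print(find_matches(EXAMPLE_PATTERN, "ids c3122 and abc3122 and c5122"))
```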
Field: Description
Name: Enter a name for this key phrase classifier.
Description: Enter a description for this key phrase.
Key phrase: Enter the key word or phrase that might indicate classified
information, up to 255 characters. Key phrases are not case sensitive.
Leading and trailing white spaces are ignored. If you need to use
slashes, tabs, hyphens, underscores, or carriage returns, define a
regular expression classifier rather than a key word classifier.
Unlike dictionaries, key phrases also identify partial matches. For example, the key
phrase “uri” reports a match for “security”.
Field: Description
Name: Enter a name for this pattern, such as Diseases.
Description: Enter a description for this dictionary, such as Disease names.
Dictionary Content: Dictionaries can have up to 100 phrases. To add content to the
dictionary, click Add. Complete the fields on the resulting dialog box
as follows:
● Phrase: Enter a word or phrase to include. This phrase, when
found in the content, affects whether the content is considered
suspicious.
● Weight: Select a weight, from -999 to 999 (excluding 0). When
matched with a threshold, weight defines how many instances of
a phrase can be present, in relation to other phrases, before
triggering a policy.
For example, if the threshold is 100 and a phrase’s weight is 10, a
web post can have 9 instances of that phrase before a policy is
triggered, provided no other phrases are matched. If phrase A has
a weight of 10 and phrase B has a weight of 5, 5 instances of
phrase A and 10 instances of phrase B will trigger the policy.
By default, if no weight is assigned, each phrase is given a weight
of 1.
Thresholds are defined on the policy’s Data Security tab.
Click OK and the phrase appears in the content list. You can add
phrases one by one, or import them from a CSV file using the import
button described below.
Remove phrases by selecting them and clicking Remove.
Import: If you have many phrases to include, create a text file listing the
phrases, then click Import and navigate to the text file.
The text file must be of UTF8 format. In the text file:
● List each phrase on a separate line. The phrase can be up to 256
characters.
● Optionally, provide one weight per phrase on the same line.
■ Separate the phrase and weight by a comma. Enclose the
phrase in quotes (not required if there is no weight). For
example, "private information", 3
■ Valid weights are from -999 to 999, but you cannot assign a
weight of 0.
■ If a phrase has no weight, it is assigned the default weight of 1.
● Each phrase must be distinct. (Repeated values are ignored.)
● You can include up to 100 unique phrases. If you include more,
only the first 100 are added to the list. If there are already phrases
in the dictionary, fewer than 100 are imported.
● White spaces are ignored.
● Slashes, tabs, hyphens, underscores, and carriage returns are
included in the search.
● Common words are also included.
Sample file, custom_dictionary.txt:
"confidential",5
"ProjectX",8
"ProjectY",3
The phrases in this dictionary are case-sensitive: Select this check box if you want the phrases that you entered to be added to the dictionary with the same case you applied.
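The dictionary import format and the weight/threshold arithmetic above, together with the partial-match behaviour described for key phrase classifiers, as an added example in Python (not Forcepoint code). The import rules and the page's worked numbers (threshold 100, weights 10 and 5) are taken from the text; whole-word matching for dictionary phrases is an assumption, chosen because the text says partial matching is a key phrase feature.

```python
"""Dictionary classifier: importing a phrase file and scoring content
against a policy threshold.

Added example, not Forcepoint code. The import rules (one phrase per line,
optional ,weight, quotes around the phrase, weights -999..999 but never 0,
default weight 1, repeated phrases ignored, at most 100 phrases in total)
and the threshold arithmetic come from the help text; whole-word matching
for dictionary phrases is an assumption. key_phrase_matches() covers the
partial, case-insensitive matching described for key phrase classifiers.
"""
from __future__ import annotations

import csv
import io
import re

MAX_PHRASES = 100
DEFAULT_WEIGHT = 1


def parse_dictionary(file_text: str, already_present: int = 0) -> dict[str, int]:
    """Return {phrase: weight} for an import file, applying the page's rules."""
    room = MAX_PHRASES - already_present      # fewer than 100 if some exist
    phrases: dict[str, int] = {}
    for row in csv.reader(io.StringIO(file_text), skipinitialspace=True):
        if not row or not row[0].strip():
            continue                           # blank line
        phrase = row[0].strip()                # surrounding white space ignored
        if phrase in phrases:
            continue                           # repeated values are ignored
        weight = DEFAULT_WEIGHT
        if len(row) > 1 and row[1].strip():
            weight = int(row[1])
            if weight == 0 or not -999 <= weight <= 999:
                raise ValueError(f"invalid weight {weight} for {phrase!r}")
        if len(phrases) >= room:
            break                              # only the first N are added
        phrases[phrase] = weight
    return phrases


def score(content: str, dictionary: dict[str, int],
          case_sensitive: bool = False) -> int:
    """Sum of weight x occurrences over all phrases in the dictionary."""
    flags = 0 if case_sensitive else re.IGNORECASE
    total = 0
    for phrase, weight in dictionary.items():
        pattern = r"\b" + re.escape(phrase) + r"\b"   # whole phrase only
        total += weight * len(re.findall(pattern, content, flags))
    return total


def triggers(content: str, dictionary: dict[str, int], threshold: int,
             case_sensitive: bool = False) -> bool:
    """The policy triggers once the weighted score reaches the threshold:
    with threshold 100 and weight 10 the page allows 9 instances, not 10."""
    return score(content, dictionary, case_sensitive) >= threshold


def key_phrase_matches(content: str, key_phrase: str) -> bool:
    """Key phrases are case-insensitive and match inside words:
    'uri' reports a match for 'security'."""
    return key_phrase.strip().lower() in content.lower()


# Constructed import file in the format shown on the page.
SAMPLE_FILE = (
    '"confidential",5\n'
    '"ProjectX",8\n'
    '"ProjectY",3\n'
    'roadmap\n'            # no weight: gets the default weight of 1
    '"ProjectX",8\n'       # repeated: ignored
)

if __name__ == "__main__":
    words = parse_dictionary(SAMPLE_FILE)
    post = "ProjectX roadmap is confidential; share ProjectX only internally"
    print(words, score(post, words), triggers(post, words, 20))
```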
Related topics:
● Configuring Web Settings
● Defining Web Policies
● Managing edge devices
● Managing certificates for your IPsec devices
● Generating device certificates
● Managing EasyConnect services
● Managing I Series appliances
The Web > Network Devices > Device Management page lists the devices and
tunnel connections currently registered with the cloud portal. Depending on your
account, these may be edge devices, Forcepoint appliances, EasyConnect services, or
all.
Use this page to:
● Add, edit, or remove devices.
● Sort devices into folders, for ease of management.
● Investigate details for each device.
A table displays your current devices and connections. Use the left selection menu or
the drop-down list at the top of the table to filter what is shown. Above the table are
the tools that can be used to manage and review your appliances or devices.
Global options
Click , then select Add Edge Device (see Adding or editing edge device
information, page 127) or Add EasyConnect Service (see Adding or editing an
EasyConnect service, page 137).
● Add an appliance
Click , then enter a folder name and click Add. You can nest folders as
needed for ease of management.
Once you have created folders, you can use drag and drop to move devices into
folders, and to move folders.
● Delete network devices or folders from the table.
Mark the check box next to each device or folder that you want to delete, then
click the Delete button.
● For edge devices using IPsec tunneling that have a CA defined, use the
button to generate device certificates. You can generate certificates for multiple
selected devices at the same time. See Generating device certificates, page 134.
Note that the option to add an IPsec edge device is available only to customers
who had similar devices configured prior to the introduction of IPsec Advanced.
Note also that IPsec Advanced does not support certificates.
● For I Series appliances, use the Optimize performance link at the top, right of
the page to determine what traffic to send to the cloud service for analysis (see
Optimizing appliance performance, page 140, for details).
Related topics:
● Adding or editing edge device information, page 127
● Import multiple edge devices via a CSV file, page 131
● Managing certificates for your IPsec devices, page 133
● Generating device certificates, page 134
Select Edge Devices and Services in the left selection pane of the Device
Management table to view or add your edge devices for tunneling connectivity.
● GRE tunneling is used to forward traffic to the cloud service over a GRE tunnel
via a virtual point-to-point connection.
● IPsec Advanced tunneling is our next generation IPsec service, supporting wide
device interoperability, and devices with dynamic IP addresses using pre-shared
key authentication.
● IPsec tunneling is the product’s legacy VPN connectivity option. This option is
only available for customers who had IPsec tunnels configured prior to the
introduction of IPsec Advanced.
The number of tunnel connections used and available is displayed above the table. By
default, you can create 200 tunnel connections for your account. To add more
connections, contact your account manager to discuss your requirements.
The table displays the following elements for each device. Not all columns are
relevant for each tunneling type, and some columns are hidden when the right detail
pane is expanded.
Item: Description
Status: An icon indicating the current connection status of the device’s
tunnels, based on connectivity and tunnel status. (See the table
below.)
When an IPsec Advanced device is added or edited, a
Configuring icon displays. This process can take several minutes
per device to complete. Refresh the screen to confirm that the
Provisioned icon has replaced the Configuring icon.
If any tunnels for the device have a warning or error, the status
indicator for the worst condition will be shown in the status
column. Hover over the status icon to display the status for each
tunnel.
Name: Device name, specified when a device is added or edited.
Description: Optional device description, specified when an edge device is
added or edited.
Folder: The folder containing the device.
When you drill down into a folder, this column is not displayed.
Authentication: Options are PSK (pre-shared key), Certificate, or N/A. GRE
tunnels do not use authentication.
Device Type: Device model, specified when a device is added or edited.
An entry of “Not configured” indicates that the device was added
without a device type specified. You can update this property for
your devices using the Edit Edge Device page. (Device type is
a required property for newly added devices.)
Tunneling: The type of tunnel connection this device is using. Options are
IPsec Advanced, IPsec or GRE.
You can filter the list to find specific devices based on the authentication type,
tunneling type, device type, or devices that use a specific policy. Click a filter name
under Edge Devices and Services in the left-hand pane, or select a filter from the drop-
down menu above the list.
The device status icons are shown in the following table. If a device has multiple
tunnels, hovering over the status indicator in the list reveals the status for each tunnel.
When a device is selected, the right detail pane shows additional information for each
device and tunnel. The Status section displays the following connectivity information:
Item: Description
Data center: The location of the data center to which the device is connected.
Server name: The name of the server currently hosting the connection. (For
GRE devices, the server name is shown in brackets after the data
center name.)
Average speed: An indicative sample of the data transfer rate over the last few
minutes, in Mbps (IPsec and IPsec Advanced tunnels only).
Tunnel uptime: The length of time the tunnel has been established, in days,
hours, and minutes (IPsec and IPsec Advanced tunnels only).
Last activity: The date and time traffic was last received from the device via
this tunnel.
The Configuration section shows setup information for the device. The information
shown here depends upon the tunneling type your device is using. The following items
are shown for all devices:
● Device type
● Tunneling type
● Public IP
● Default policy - an entry of “N/A” indicates that the device was assigned to a
policy, but the cloud service does not recognize the policy name.
● Other policies (if any) assigned to internal networks managed by the device
For devices connecting via IPsec Advanced or IPsec tunneling, the following
additional information is shown:
● MAC address (IPsec only)
● Pre-shared key or certificate details:
■ Pre-shared key details include the egress IP address and IKE ID (IPsec
Advanced) or device ID (IPsec tunneling). Administrators also have the
option to view the key.
■ Certificate details include the certificate file name and subject (IPsec only).
● Service IP: address to which the edge device should connect. (IPsec Advanced
only)
Note that the option to add an IPsec edge device is available only to customers who
had similar devices configured prior to the introduction of IPsec Advanced.
For devices connecting via GRE tunneling, the following additional information is
shown for each tunnel:
● Data center: the name and identifier of the data center to which each tunnel
connects.
● Destination IP: address for the remote (data center) end of the GRE tunnel,
assigned by the cloud service.
● Source IP: address for the local (edge device) end of the GRE tunnel, assigned by
the cloud service.
● Service IP: address to which the edge device should connect.
Note
We recommend that you configure GRE or IPsec tunnels to connect to two data
centers for redundancy. The above information is repeated for each connection.
To import a CSV file containing edge device information, click the Add button and
select Import Edge Devices. See Import multiple edge devices via a CSV file, page
131.
To edit an existing device, select the device in the table, then click the Update button
in the detail pane. See Adding or editing edge device information, page 127.
Note
For detailed guidance on configuring your edge device, see the following guides:
● Forcepoint IPsec Advanced Guide
● Forcepoint GRE Guide
b. Select an IKE identity. The valid options are based on the IKE Version
selected.
If IKEv1 was selected as the IKE Version, the only option is Public IP
address.
c. Enter the Public IP address or DNS hostname.
d. Select a Pre-shared key option. Define whether to use your own key (keys
must be a minimum of 8 characters long) or generate a new key from the
cloud service.
e. If you select Use your own key, enter the key string. If you select Auto
generated new key, the new key is displayed.
Click the encryption settings link to view supported IKE and IPsec settings for
the device.
7. Under Data Centers, select the two most appropriate data centers for your
location. Use the arrows to move data centers from one list to the other.
If you change Data Centers, make sure your device configuration is correct.
Important
If your device supports it, configure one data center as the
primary and one as the backup. We strongly recommend
you configure your device to fail over to the backup data
center automatically.
8. Under Policy Assignment, select the Default policy to apply to traffic managed
by this device.
9. If you want to apply different policies to different internal networks whose traffic
is managed by the device, click Add under the Policy Assignment table, then:
a. Provide a unique Name for the network.
b. Use the Type list to specify how you want to define the network (as an IP
address, subnet, or IP range).
c. Enter the network information in the format that you specified.
d. Select the policy to apply to traffic from the network.
e. Click Add.
Repeat these steps for each internal network managed by the device to which you
want to assign a specific policy.
Note that networks (IP address ranges and subnets) may not overlap, and you can
assign only one policy to each network.
10. When you are finished configuring the device, click Save.
Important
If your device supports it, configure one data center as the
primary and one as the backup. We strongly recommend
you configure your device to fail over to the backup data
center automatically.
For each connection, the destination (data center) inner tunnel address and source
(edge device) inner tunnel IP address are provided. You will need these addresses
to configure the tunnel on your device.
8. Under Policy Assignment, select the Default policy to apply to traffic managed
by this device.
9. If you want to apply specific policies to different internal networks whose traffic
is managed by the device, click Add under the Policy Assignment table, then:
a. Provide a unique Name for the network.
b. Use the Type list to specify how you want to define the network (as an IP
address, subnet, or IP range).
c. Enter the network information in the format that you specified.
d. Select the policy to apply to traffic from the network.
e. Click Add.
Repeat these steps for each internal network managed by the device to which you
want to assign a specific policy.
Note that networks (IP address ranges and subnets) may not overlap, and you can
assign only one policy to each network.
10. When you are finished configuring the device, click Save.
1. To get started, click the template link for the appropriate devices, and save the
template file to your local machine. This template provides the column headings
for information that must be provided for each type of device.
2. Open the CSV template, and populate the file with the following details for each
device you want to add. Note that if an incorrect format is used in any cell of the
file, the import process fails.
For IPsec Advanced tunneling:
■ Name
■ Description
■ Device Type
■ Data Center: enter up to two data centers, identified by their ID, space
separated.
■ Pre-shared key: include this if you are using your own key. Leave the column
blank to auto-generate a key for each device
■ IKE Version
■ Egress IP address
■ Default Policy for traffic from the device
3. For IPsec tunneling: (if available with your account)
■ Name
■ Description
■ Device Type
■ MAC address
■ Egress IP address
■ Pre-shared key: include this if you are using your own key. Leave the column
blank to auto-generate a key for each device
■ Default Policy for traffic from the device
For GRE tunneling:
■ Name
■ Description
■ Device Type
■ Public IP
■ Data Centers: enter up to two data centers, identified by their ID, space
separated.
■ Default Policy for traffic from the device
Note
The Default Policy and Device Type fields must be populated with policy and
device names as listed in the portal. These fields are not case sensitive.
Supported devices are listed on the Add Device page, in the Device Type drop-down
menu (enter “Other” if using a device type that is not yet certified). For details of
supported devices for IPsec and GRE tunneling, see the Forcepoint IPsec Guide and
the Forcepoint GRE Guide.
4. When you have added your devices, save and close the file.
5. If you have defined multiple folders on the Device Management page, select the
Target folder for the devices in the CSV file. All devices must be imported into
the same folder.
6. Click Browse to select your CSV file.
7. Click Import.
Once the devices are added successfully, they are added to the list on the Device
Management page. Use the Device ID and pre-shared key information on this
page to configure your IPsec Advanced or IPsec devices.
Note
There is a different set of required columns for the IPsec Advanced, IPsec, and GRE
device import. For convenience, we recommend using the available CSV templates
and importing each device type separately.
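Because a single malformed cell fails the whole import, it is worth checking the file before uploading it. The following Python script is added here as an example; it is not part of Forcepoint's documentation or tooling. It builds one CSV per device type with the columns listed above and applies the checks the page describes (portal names matched case-insensitively, "Other" accepted as a device type, one or two space-separated data center IDs, a blank pre-shared key meaning auto-generate). The literal header strings, the data center ID format, the requirement for at least one data center and the accepted spellings of the IKE version are assumptions: take the real headings from the downloaded template.

```python
import csv
import io
import ipaddress
import re

# Required columns per device type, in the order the page lists them. The page
# does not show the literal header strings of Forcepoint's templates, so these
# names are assumptions: take the headings from the downloaded template.
COLUMNS = {
    "ipsec_advanced": ["Name", "Description", "Device Type", "Data Center",
                       "Pre-shared key", "IKE Version", "Egress IP address",
                       "Default Policy"],
    "ipsec": ["Name", "Description", "Device Type", "MAC address",
              "Egress IP address", "Pre-shared key", "Default Policy"],
    "gre": ["Name", "Description", "Device Type", "Public IP",
            "Data Centers", "Default Policy"],
}

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")
IKE_VERSIONS = {"1", "2", "ikev1", "ikev2"}  # accepted spellings: assumption


def validate_row(kind, row, portal_device_types, portal_policies):
    """Return the list of problems with one device row; [] means it should import.

    Device Type and Default Policy must match names listed in the portal, compared
    case-insensitively as the page states; "Other" is always a valid device type.
    """
    cols = COLUMNS[kind]
    missing = [c for c in cols if c not in row]
    if missing:
        return [f"missing columns {missing}"]
    problems = [f"unexpected column {c!r}" for c in row if c not in cols]
    if not row["Name"].strip():
        problems.append("Name is required")
    types = {t.lower() for t in portal_device_types} | {"other"}
    if row["Device Type"].strip().lower() not in types:
        problems.append(f"Device Type {row['Device Type']!r} is not listed in the portal")
    if row["Default Policy"].strip().lower() not in {p.lower() for p in portal_policies}:
        problems.append(f"Default Policy {row['Default Policy']!r} is not listed in the portal")
    for dc_col in ("Data Center", "Data Centers"):
        # At least one data center assumed required; the page says "up to two".
        if dc_col in cols and not 1 <= len(row[dc_col].split()) <= 2:
            problems.append("enter one or two space-separated data center IDs")
    for ip_col in ("Egress IP address", "Public IP"):
        if ip_col in cols:
            try:
                ipaddress.ip_address(row[ip_col].strip())
            except ValueError:
                problems.append(f"{ip_col} {row[ip_col]!r} is not a valid IP address")
    if "MAC address" in cols and not MAC_RE.match(row["MAC address"].strip()):
        problems.append("MAC address must be six hex octets, e.g. 00:11:22:33:44:55")
    if "IKE Version" in cols and row["IKE Version"].strip().lower() not in IKE_VERSIONS:
        problems.append("IKE Version must be 1 or 2")
    # A blank Pre-shared key is valid: the portal generates one per device.
    return problems


def build_import_csv(kind, rows, portal_device_types, portal_policies):
    """Validate every row first (one bad cell fails the whole import), then
    return the CSV text for one device type, ready to upload."""
    errors = {n: validate_row(kind, r, portal_device_types, portal_policies)
              for n, r in enumerate(rows, start=2)}   # line 1 is the header
    errors = {n: p for n, p in errors.items() if p}
    if errors:
        raise ValueError(f"import would fail: {errors}")
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS[kind], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample data (not from the page).
PORTAL_DEVICE_TYPES = ["Cisco ASA", "Fortinet FortiGate"]
PORTAL_POLICIES = ["Default", "Sales Policy"]
SAMPLE_GRE = [{
    "Name": "branch-lon-01", "Description": "London branch router",
    "Device Type": "other", "Public IP": "203.0.113.10",
    "Data Centers": "DC1 DC2", "Default Policy": "default",
}]
SAMPLE_IPSEC_ADVANCED = [{
    "Name": "branch-nyc-01", "Description": "New York firewall",
    "Device Type": "cisco asa", "Data Center": "DC3",
    "Pre-shared key": "",          # blank: let the portal generate one
    "IKE Version": "2", "Egress IP address": "198.51.100.7",
    "Default Policy": "Sales Policy",
}]
```

Run build_import_csv once per device type and upload each file separately, which matches the recommendation above to import each device type on its own.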
Related topics:
● Managing edge devices, page 124
● Generating device certificates, page 134
Note that the IPsec option for edge devices is available only to customers who had
IPsec devices configured prior to the introduction of the IPsec Advanced
option. Certificates are supported for the legacy IPsec devices but are not supported
for IPsec Advanced.
Use the Web > Network Devices > Device Certificates page to manage the
certificates used for edge devices.
The page contains a table listing each certificate that you have defined, with the
following information:
● Certificate authority file name
● Certificate expiration date
● The number of devices using the certificate
To view details for an existing certificate, click the certificate name. The details pop-
up window includes the option to download the certificate.
To view information about the devices using the certificate, click the entry in the Used
By column.
To add a certificate:
1. Click Add.
2. In the Add Edge Device Certificate dialog box, click Browse and navigate to the
location of the certificate authority file.
3. Select the file and click Open to add the file name to the Certificate authority
field.
4. Click Save.
To remove a certificate, mark the check box next to the certificate authority file name,
then click Delete. You cannot delete a certificate that is being used by one or more
devices.
The portal includes a feature that allows you to generate a certificate for your device,
using the private key and passphrase for the certificate authority. Once generated, you
can download the certificate and add it to your device.
Note
If you do not have access to this feature, contact Technical Support.
2. Click the Generate Certificate button in the toolbar above the table.
This button is disabled when no CA has been defined for the selected device.
3. In the Generate Device Certificate dialog box, click Browse to navigate to the
Private key for the certificate authority.
The private key file has a name like “cakey.pem” or “privkey.key.” It is either
provided with a purchased CA or generated with your organization’s self-signed
CA.
4. Enter the private key Passphrase.
Important
For security reasons, private key data is not saved after the certificate is generated.
As a result, you must enter the key and passphrase each time you generate a device
certificate for this CA. Note that the key and passphrase are submitted to the cloud
portal for this operation, so use a CA dedicated to your edge devices rather than
your organization’s root CA.
5. Indicate whether or not to Specify the password for the device certificate or
certificates.
If you select this option, enter and confirm the certificate password.
6. Click Generate.
7. Follow the on-screen instructions for downloading the certificates.
The following elements are displayed in the table when All Services is selected in the
left select pane of the Device Management table.
Item Description
Name Service name, specified when a service is added or edited.
Description Optional description of the service, specified when a service is
added or edited.
Folder The folder containing the service.
When you drill down into a folder, this column is not displayed.
In other views, like All or Specific version(s), if you have
created folders, the Folders column is displayed.
Authentication N/A
Device Type Forcepoint NGFW
Tunneling EasyConnect
You can filter the list to find specific services based on various properties. Click a
filter name under “EasyConnect Services” in the left-hand pane, or select a filter from
the drop-down menu above the list.
The right details pane provides additional information for each service. The
Configuration section shows the Device type, Tunneling type, and Default policy
associated with the selected EasyConnect service.
The table cannot be edited but key values can be copied, and passwords can be
regenerated by clicking Re-Generate. Passwords are protected but can be viewed
by clicking Show Passwords.
Click the Connectivity Details link to view Customer ID, port information,
Domain Name Server (DNS) and the keys that have been configured. Note that
you can copy the Customer ID, DNS name, and key values from this panel so they
can be used when configuring the service in the NGFW Security Management
Center.
Ports 8090 (HTTP) and 8011 (HTTPS) are used for communication between the
EasyConnect Service and NGFW.
6. Under Policy Assignment, select the Default policy to apply to traffic managed
by this service.
7. If you want to apply different policies to different internal networks whose traffic
is managed by the service, click Add under the Policy Assignment table, then:
a. Provide a unique Name for the network.
b. Use the Type list to specify how you want to define the network (as an
IP address, subnet, or IP range).
c. Enter the network information in the format that you specified.
d. Select the policy to apply to traffic from the network.
e. Click Add.
Repeat these steps for each internal network managed by the service to which you
want to assign a specific policy.
Note that networks (IP address ranges and subnets) may not overlap, and you can
assign only one policy to each network.
8. When you are finished configuring the service, click Save.
Related topics:
● Optimizing appliance performance, page 140
● Adding or editing appliance information, page 141
When you select I Series Appliances in the left selection pane of the Device
Management table, the table displays the following elements for each appliance. Some
of these columns are hidden when the right detail pane is expanded.
Item Description
Status An icon indicating the current status of the appliance, based on
connectivity, reported issues, version, and registration status. (A
legend explaining these icons is shown below this table.)
If an error or warning icon appears, select the appliance in the
table and check the detail pane for more information.
Name Appliance name, specified when an appliance is added or edited.
Description Optional appliance description, specified when an appliance is
added or edited.
Folder The folder containing the appliance.
When you drill down into a folder, this column is not displayed.
In other views, like All or Specific version(s), if you have
created folders, the Folders column is displayed.
Hostname Appliance host name or FQDN, specified on the appliance. If the
appliance is not registered, or this information has not been
received from the appliance, “N/A” is displayed.
Version The appliance version. If the appliance is not registered, or this
information has not been received from the appliance, “N/A” is
displayed.
You can filter the list to find specific appliances based on various properties such as
the appliance type, version, status or a specified policy. Click a filter name under “I
Series Appliances” in the left-hand pane, or select a filter from the drop-down menu
above the list.
The available status icons are:
● Information
● Error
● Filtering disabled or registration incomplete
● Critical error
The General tab of the right detail pane includes additional information, including:
Item Description
Filtering Indicates whether or not a registered appliance is enabled for
managing web traffic.
Connectivity Indicates the state of the Internet connection between the
appliance and the cloud portal.
Version In addition to the version number, a message is displayed for
versions that have expired or are nearing expiration.
Click the message to see a list of available software updates with
release notes for each available update. Select an update and
click Download to download the update to the appliance.
Issues Displays the number of issues for the appliance for the past 24
hours, along with an icon indicating the highest severity level
represented among the issues.
If the appliance has not generated issues for the past 24 hours,
“No issues reported” is displayed.
If any issues exist, click the number of issues to see a list with
details of each issue. You can review issues from the last 24
hours (default) or last 7 days.
Registration Indicates whether the appliance is registered or not
If the appliance is not registered, click the Not registered link to
get the registration key. Copy the registration key and enter it in
the Appliance manager under Configuration > Registration to
complete the registration process.
Note that it takes some time for registration status to be updated
in the cloud portal after you enter the registration key in the
appliance. This delay does not indicate a problem with the
registration.
Default policy The name of the default policy for the appliance
Other policies Lists policies other than the default policy (if any) assigned to
internal networks defined for this appliance
Last response Shows the date and time of the latest response from the
appliance.
If the appliance is not registered, or has not sent any information
to the cloud service, the display is “N/A”.
Uptime Shows the time since the last appliance restart.
The Performance tab of the right detail pane displays 4 charts showing appliance
performance over the Last 24 hours (by default). Use the drop-down list at the top of
the tab to optionally expand the performance charts to show information for the Last 7
days.
● Resource Usage
● Web Traffic (Transactions per second or Bandwidth)
● Protocol Traffic (Transactions per second or Bandwidth)
● Session Peaks
● To both Advanced Classification Engine (ACE) advanced analysis and file type
analysis
● Even when ACE advanced analysis is configured to include sites with a lower risk
profile
When appliance performance optimization is turned off:
● All traffic is sent to the cloud for true file type analysis.
● Sites with a lower risk profile may receive ACE advanced analysis, depending on
the options selected on the Web Content & Security tab.
See Web Content & Security tab, page 206, for more information about configuring
ACE and file type analysis.
To turn off performance optimization:
1. Click the icon next to Optimize performance (in the top, right corner of the Device
Management page).
2. On the popup that is displayed, select Off.
3. Click Save to confirm.
Related topics:
● Adding or editing appliance information
● Configure a certificate authority
● Define internal network settings
● Configure advanced settings (if needed)
1. Use the toggle at the top of the page to indicate whether this appliance is used for
filtering (ON, the default). When filtering is set to OFF, the appliance can
communicate with the cloud service, but allows all web traffic to pass through
unfiltered.
2. Under General, enter a unique appliance Name (1 - 512 alphanumeric characters)
and Description (up to 1024 characters).
3. Select a Default policy for this appliance, and the Time zone used to apply policy
settings.
You will have a chance to apply different policies to different internal networks
managed by this appliance later.
4. If you are using transparent NTLM identification and your appliance is not
connected to a local Active Directory instance, enter the domain that forms part of
your users’ NTLM identity. The NTLM domain is the first part of the
domain\username with which users log on to their Windows PC; for example,
MYDOMAIN\jsmith.
Important
You must configure your end users’ browsers to support transparent NTLM
identification, either manually or via GPO or similar. For more information, see
Deploying an I Series Appliance on the Forcepoint Support site.
If you have connected your appliance to a local Active Directory for NTLM
identification, this field is not required because the appliance automatically
retrieves this information from the local directory.
5. Select a time period after which a user’s login and password must be revalidated
from the Session timeout drop-down list. The default is 1 day.
6. Forward traffic to the cloud for advanced analysis is selected by default. This
means that appropriate web traffic is redirected to the nearest cloud service cluster
for additional analysis. Deselect this option if you do not want any traffic to be
forwarded to the cloud. All traffic will be analyzed through the appliance, but
without any cloud analytics.
Related topics:
● Adding or editing appliance information
● Configure general settings
● Define internal network settings
● Configure advanced settings (if needed)
Important
It is recommended that you define certificates when you add an appliance, in order
to avoid browser warnings regarding SSL termination block, authentication, or
quota/confirm operations. Some browsers, for example later versions of Chrome,
may block the transaction and display an error message.
Be sure to:
1. Generate a CA certificate. Each appliance should have a valid X.509 identity
certificate with an unencrypted key. This certificate can be generated using a
variety of tools, for example OpenSSL. For details and an example, see
Generating an appliance certificate, page 144.
2. Import this certificate to all relevant browsers.
3. Upload this certificate to each appliance as described below.
To use the cloud service SSL decryption feature, you should also install the
Forcepoint root certificate on each client machine. See Enabling SSL decryption,
page 181, for details.
If you protected the private key with a passphrase when you generated it (for
example, by giving genrsa an encryption option such as -aes256), strip the
passphrase before continuing, because the appliance requires an unencrypted key:
openssl rsa -in CA_key_password.pem -out CA_key.pem
OpenSSL prompts for the passphrase. Avoid passing it on the command line with
-passin pass:1234, because the passphrase then appears in your shell history and in
the process list. The command writes an unencrypted copy of the key to CA_key.pem;
the original CA_key_password.pem is left unchanged, so delete it if you no longer
need it.
Finally, use the following statement to create the CA certificate:
openssl req -x509 -days 11000 -new -sha256 -key CA_key.pem -out CA_cert.pem
Use -sha256 rather than -sha1: current browsers reject certificates signed with
SHA-1. Note that 11000 days is roughly 30 years; choose a validity period that
matches your certificate rotation practice.
This command prompts you to input information about different parameters,
such as country, state, locality, or your organization’s name.
Once you have created the private key (CA_key.pem) and public certificate
(CA_cert.pem), import the certificate to all relevant browsers, and upload the
certificate to each appliance using the Certificates tab.
Related topics:
● Adding or editing appliance information
● Configure general settings
● Configure a certificate authority
● Configure advanced settings (if needed)
Repeat these steps for each internal network that will use session-based
authentication.
Note
When session-based authentication is enabled, policy SSL decryption rules that
apply to sites or categories with the Confirm action are not currently supported.
Related topics:
● Adding or editing appliance information
● Configure general settings
● Configure a certificate authority
● Define internal network settings
Related topics:
● Creating a new policy
● Testing policy enforcement
● Uploading a policy assignment file
● Configure custom categories
● Configure block and notification pages
On the Web > Policy Management > Policies page, there is a list of policies
currently configured for your account. Click a policy name to view or edit a policy.
There are several tabs associated with each policy. Depending on your subscription
settings, you may not see all the tabs:
● General tab
● Connections tab
● Access Control tab
● Endpoint tab
● End Users tab
● Cloud Apps tab
● Custom Categories tab
● Web Categories tab
● Protocols tab
● Application Control tab
● File Blocking tab
● Data Protection tab
● Data Security tab (DLP Lite)
● Web Content & Security tab
Standard account-level settings are shown in Standard Web Configuration, page 269.
Note
Selecting Default from the policy template drop-down is different than selecting the
Default policy from the Existing policy drop-down. The first option applies only to
web category blocking, while the second option uses the settings across all tabs in
the Default policy for your new policy.
You can select a policy template only when creating a new policy. Once you have
saved your settings for a new policy on the General tab, you cannot select a
different template.
4. To use time-based policy enforcement, select the Time zone where your users are
located.
5. In Internet availability, define any time-based web access controls that you want
to use. The default setting is to allow Internet access at all times. For more
information, see Internet availability, page 154.
6. If required, define confirm timeouts, quota settings, and search filtering. For more
information, see General tab, page 152.
7. If available, define whether your users should see and agree to an Acceptable use
policy.
When enabled, use the drop-downs to select the AUP page to use when this policy
is enforced and how frequently the notice should display.
8. Click Save when you are finished.
Use the Filtering Test section on the Policies page to check how your policies handle a
request for a URL. You can also test particular situations that may be causing issues
for your end users, such as including a user name or user agent header.
To run the test:
1. Under Filtering Test, enter the full URL that you want to test, including the http://
or https:// prefix.
2. Optionally, enter the email address of an end user registered or synchronized with
your account.
3. Specify the Egress point for the test. By default this is the current IP address that
you have used to access the cloud portal. You can also use:
■ Other IP to specify a different IP address that is registered as a proxied
connection in one of your policies
Note
If you select Other IP and then enter an IP address that is not associated with your
account, an error message results.
You can automatically assign end users to policies by uploading a file of policy and
user information to the cloud service.
Format the CSV file as two columns, with a header row consisting of the words
“EmailAddress” and “Policy”. The two columns must contain:
● An email address belonging to an existing user in your account
● A policy name in your account.
For example:
EmailAddress,Policy
address1@domain1.com,Default
address2@domain1.com,Sales Policy
Note that you do not have to include all of your existing users in the file, only those
whose policy assignment you wish to change. If a field contains a comma, it must be
quoted.
To upload the file:
1. Under Policy Assignment, browse to the file that you wish to use.
2. Click Upload.
The email addresses in the file are checked against the existing users in the account,
and a confirmation message is displayed once the file has uploaded successfully. If
there are errors in the file—for example, incorrect formatting, a non-existent policy
name, or an invalid, unknown, or duplicate email address—the upload is canceled and
an error message is displayed to explain the problem.
You can also download a CSV file containing the current list of end users assigned to
policies by clicking Download existing policy assignments.
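The upload is all-or-nothing, so it helps to run the same checks locally first. The following Python code is added here as an example and is not Forcepoint's own validation logic. It reproduces the rejection conditions the page lists (wrong header or field count, non-existent policy name, invalid, unknown or duplicate email address) and writes a file in the required two-column format, quoting any field that contains a comma. Case-insensitive email comparison and exact matching of policy names are assumptions; the account user and policy lists are constructed sample data.

```python
import csv
import io
import re

HEADER = ["EmailAddress", "Policy"]
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_policy_assignment_csv(text, account_users, account_policies):
    """Apply the checks the page says the portal makes before accepting the file.

    Returns a list of (line_number, message); an empty list means the upload
    would be accepted. Email comparison is case-insensitive (assumption); policy
    names are matched exactly as listed in the account (assumption).
    """
    rows = list(csv.reader(io.StringIO(text)))
    if not rows or rows[0] != HEADER:
        return [(1, "header row must be exactly EmailAddress,Policy")]
    users = {u.lower() for u in account_users}
    policies = set(account_policies)
    seen = set()
    errors = []
    for n, row in enumerate(rows[1:], start=2):
        if not row:
            continue                      # tolerate a trailing blank line
        if len(row) != 2:
            errors.append((n, f"expected 2 fields, got {len(row)}"))
            continue
        email, policy = (field.strip() for field in row)
        key = email.lower()
        if not EMAIL_RE.match(email):
            errors.append((n, f"invalid email {email!r}"))
        elif key not in users:
            errors.append((n, f"unknown email {email!r}"))
        elif key in seen:
            errors.append((n, f"duplicate email {email!r}"))
        seen.add(key)
        if policy not in policies:
            errors.append((n, f"non-existent policy {policy!r}"))
    return errors


def write_policy_assignment_csv(assignments):
    """Serialize (email, policy) pairs; csv.writer quotes any field that
    contains a comma, which the portal requires."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(HEADER)
    writer.writerows(assignments)
    return buf.getvalue()


# Constructed sample account data and upload (not from the page).
ACCOUNT_USERS = ["address1@domain1.com", "address2@domain1.com"]
ACCOUNT_POLICIES = ["Default", "Sales Policy", "Finance, EMEA"]
SAMPLE_UPLOAD = write_policy_assignment_csv([
    ("address1@domain1.com", "Default"),
    ("address2@domain1.com", "Finance, EMEA"),   # comma: will be quoted
])
```

Feed the CSV downloaded with Download existing policy assignments to check_policy_assignment_csv to confirm the account's own export passes cleanly before you edit it.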
General tab
Related topics:
● User and group exceptions for time-based access control
Use the General tab to configure settings that cover basic aspects of your users’ web
browsing, for example availability at certain times of the day, quota time limits, and
agreement to your acceptable use policy.
This is also the tab that you see, with some additional options, when you create a new
policy. For more information, see Creating a new policy, page 150.
If you make any changes to this tab, click Save when done.
Policy name
The name of the policy, which you may want to rename from Default to something
more meaningful to your organization, especially if you have a requirement for
multiple policies.
Administrator email
This is the email address for the web administrator of this policy. This email address is
used as the address from which system messages are sent. Your users may
occasionally reply to these messages, so this should be an email address that is
monitored by your IT staff or administrative contact.
Note
If you have already deployed a policy-specific PAC file that uses a different URL
than the one displayed on this page, there is no need to change it unless you wish to.
PAC file URLs provided with earlier versions of your cloud web product will
continue to work.
Time zone
To use time-based web filtering, the cloud service must first determine the time zone
where users are located. The time zone you set can be used as a single zone for the
whole policy, or you can set up time zones for one or more of your proxied
connections that override the time zone on the General tab (see Proxied connections,
page 157).
Daylight saving time is supported where valid on all time zones except GMT and
UTC, which are static.
Internet availability
Use this option to configure time-based policy enforcement. The default setting is to
allow Internet access at all times, although you can apply user and group-based
exceptions (see User and group exceptions for time-based access control, page 156).
Alternatively, you can restrict all access by time and display an appropriate block page
when access is unavailable. There are 2 formats for this:
1. Block access for the duration of a defined period (for example, during working
hours).
2. Block access outside a defined period (for example, allowing users to access the
Internet only during their lunch period).
The drop-down list contains the standard time periods and any custom periods you
have set up (see Time periods).
Important
The full traffic logging feature is not available by default. To make it available in
your account, contact Support.
As an alternative, consider migrating to SIEM Integration. Take advantage of Bring
your own storage or switch between Forcepoint storage and your own. See
Configuring SIEM storage.
When you enable full traffic logging for your account, all web policies inherit the
default setting that you configure. If you want to override the default log retention for
a particular policy, change the selection in the Full traffic logging drop-down list from
Use account default to either Enabled or Disabled.
For full details of setting up and using full traffic logging, see the “Configuring Full
Traffic Logging” technical paper.
Confirm timeout
Enter the maximum time in minutes (default 10) that a user who clicks Continue can
access sites in categories governed by the Confirm action. See Policy enforcement
actions, page 184.
Quota time
Use this option to configure quota times for web categories accessed by users in this
policy. See Using quota time to limit Internet access, page 185, for more information.
Select one of the following:
● A Daily quota applies to all users accessing categories with Quota as the filtering
action or exception. Enter the daily limit in minutes (default 60) for all users of
this policy. Then define the session length in minutes (default 10) during which
users can visit sites in quota-limited categories.
● A Per-category quota allows you to specify a daily limit per category and a
session length per category that applies to all quota-limited categories by
default. You can then change the daily quota time settings for particular categories
or filtering exceptions on the Web Categories tab. See Managing categories,
actions, and SSL decryption, page 182.
A session begins when the user clicks the Use Quota Time button.
The daily quota allocation for users within a policy is refreshed at midnight in the time
zone defined for the user’s proxied connection. If no specific time zones are defined in
either the proxied connection or the policy, the quota allocation is refreshed at
midnight UTC.
If you change the total quota time or session time after a user has started to use their
daily quota or has received the quota block page from the cloud-based service, the
changes will not take effect until the next day. Similarly, if you move a user to a
different policy after they have started to use their daily quota or have received the
quota block page from the cloud-based service, the change does not take effect until
the next day.
Search filtering
Search filtering is a feature offered by some search engines that helps to limit the
number of inappropriate search results displayed to users.
To activate this option, select Enable search filtering.
Ordinarily, Internet search engine results may include thumbnail images associated
with sites matching the search criteria. If those thumbnails are associated with blocked
sites, the cloud service prevents users from accessing the full site, but does not prevent
the search engine from displaying the image.
When you enable search filtering, the cloud service activates a search engine feature
that stops thumbnail images associated with blocked sites from being displayed in
search results. Enabling search filtering affects both local and roaming users.
Note
Acceptable use policy is a limited-availability feature and may not be enabled for
your account.
You can display a notice to users informing them of your organization’s acceptable
use policy for Internet use and asking them to agree to accept its terms before they can
continue browsing.
To display the notice, mark Require users to agree with acceptable use policy
every.... In the drop-down menus, select the AUP page and how frequently you would
like to display the notice. The choices are 1, 7, and 30 days.
You can tailor the default acceptable use policy notification to meet your needs, or add
different AUP pages for different policies. See Configure block and notification pages,
page 108.
To apply exceptions to the acceptable use policy for certain domains:
1. Click Domain Exceptions. This button appears only when you have selected the
Require users to agree with acceptable use policy box.
2. Enter one or more domain names, separated by commas. When users in this policy
browse to these domain names, they will never be asked to agree to the acceptable
use policy notification page configured for the policy.
3. Click Add. The domains you have specified are listed below the Add field. To
delete a domain, select it from the list and click Delete.
4. Click Save when you are done.
Related topics:
● Time periods
● Internet availability
You can apply both user and group exceptions to any time-based access control that
you set up on the Web > Policies > Time Access Exceptions page for a given policy.
To view the list of exceptions, or to add or edit an exception, click the link next to
Internet availability on the General tab for the policy.
To edit an exception, click the exception, then click Edit.
To add an exception:
1. Click Add exception.
2. The rule State is set to ON by default, meaning the rule will be enabled for the
users and groups you select. If you want to set up a rule but not enable it
immediately, click the State switch to set it to OFF.
3. Enter a Name and Description for the rule.
4. Choose the notification page that appears to users in this exception.
5. Select the Time period during which the rule is active. If you select During or
Outside, the drop-down list contains the standard time periods and any custom
periods you have set up (see Time periods).
6. For an exception that should be applicable to roaming users only, mark Apply
only when user is roaming.
7. Do one of the following:
a. To set up an exception for specific users or groups, select For these users and
groups. You can then enter a comma-separated list of email addresses, or
select one or more groups, or both.
b. To set up an exception for everyone except those in a specific group, select
For everyone not in the group, and choose a group from the drop-down list.
8. Click Save.
Connections tab
Use the Connections tab of the Web > Policy Management > Policies page for any
policy to define:
● The source IP addresses (proxied connections) assigned to the selected policy (see
Proxied connections, page 157)
● Destination domains and IP addresses that users assigned this policy can access
without going through the cloud service (see Proxy bypass, page 158)
Proxied connections
Most organizations have at least one proxied connection configured per policy. The
proxied connection address is used to identify traffic from your organization’s egress
IP address and, by default, apply the policy to that traffic.
Proxied connections:
● Are public-facing IP addresses, IP address ranges, or IP subnets for offices in your
organization using the cloud service.
● Are often the external address of your Network Address Translation (NAT)
firewall.
● May be appliances or edge devices configured on the Web > Settings > Network
Devices page.
● Could include branch offices, remote sites, or satellite campuses.
Proxied connections are NOT:
● IP addresses of individual client machines.
● IP addresses outside your organization.
If you have several points of presence on the Internet, you can combine all of these
under one policy, or have separate policies for each public-facing IP address.
Note
If you do not add any proxied connections to the policy, all users are treated as
remote and must authenticate to use the service. In this case, the policy they use is
determined by their email domain. They see a service-wide Remote User Welcome
page that is not configurable. Once logged on, they are served configurable
notification pages from the customer account.
Proxy bypass
Proxy bypass sites are destinations that users can access either directly, or through an
alternate (third-party) proxy, without going through the cloud service. For example,
organizational webmail sites and system traffic, like Microsoft and antivirus updates,
should be added to the bypass list.
● For users with the Neo or Direct Connect endpoint, bypass destinations are not
analyzed by the cloud service.
● For users whose traffic is sent to the cloud service via PAC file, including users of
the Proxy Connect endpoint, bypass destinations are added to the policy PAC file.
■ By default, the PAC file excludes all non-routable and multicast IP address
ranges; so if you are using private IP address ranges defined in RFC 1918 or
RFC 3330, you need not enter these.
■ Browsers configured to use the policy’s PAC file automatically use the cloud
service, but bypass it for the specified destinations.
Any destinations that you add to the Proxy Bypass table apply only to the selected
policy. To add bypass destinations that apply to all policies, use Proxy Bypass tab of
the Web > Settings > Bypass Settings page.
Important
The alternate proxy specified here must not be another Forcepoint proxy.
5. Use the optional Comment box to add helpful information, such as why the entry
was created.
6. Click Continue to save your changes and return to the Connections page.
Note
You can add a total of 1000 proxy bypass destinations per policy. Account-level
bypass destinations (added via Web > Proxy Bypass) count towards this limit for
each policy. For example, if your policy has 10 bypass destinations, and you have 10
account-level bypass destinations, this is counted as a total of 20 destinations for the
policy.
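To check which destinations a policy actually bypasses, and whether the combined policy and account-level entries stay within the 1000-destination limit, the following Python model is added here as an example; it is not the PAC file the cloud service generates, which remains the authoritative logic. It applies the default exclusions the page describes (RFC 1918 private space and the non-routable and multicast blocks of RFC 3330), then the account-level and policy-level bypass entries, and returns DIRECT or the proxy string. The proxy string, the subset of RFC 3330 blocks listed, subdomain matching for domain entries and the sample bypass lists are assumptions.

```python
import ipaddress

# Ranges the page says a policy PAC file bypasses by default: RFC 1918 private
# space plus the non-routable and multicast blocks of RFC 3330. Which RFC 3330
# blocks the generated PAC includes is not shown on the page; this is a subset.
DEFAULT_BYPASS_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",      # "this" net, loopback, link-local
    "224.0.0.0/4", "240.0.0.0/4",                       # multicast, reserved
)]

# Page: at most 1000 bypass destinations per policy, with account-level
# entries (Web > Proxy Bypass) counted once for every policy.
MAX_BYPASS_PER_POLICY = 1000

# Assumed proxy string; the real one comes from the policy's generated PAC file.
CLOUD_PROXY = "PROXY webproxy.example:8081"


def bypass_total(policy_entries, account_entries):
    """Number of destinations the portal counts against the per-policy limit."""
    return len(policy_entries) + len(account_entries)


def entry_matches(entry, host):
    """True if a bypass entry (domain, IP, or CIDR) covers the destination host.

    A domain entry covers itself and its subdomains (assumption: the page does
    not spell out subdomain handling). No DNS lookup is done, so an IP entry
    never matches a hostname.
    """
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        h = host.lower().rstrip(".")
        d = entry.lower().rstrip(".").lstrip("*").lstrip(".")
        return h == d or h.endswith("." + d)
    try:
        return ipaddress.ip_address(host) in net
    except ValueError:
        return False


def find_proxy_for_url(host, policy_entries, account_entries):
    """Decide, as the policy PAC file would, whether a request goes DIRECT or
    to the cloud proxy. Account-level entries apply to every policy."""
    try:
        ip = ipaddress.ip_address(host)
        if any(ip in net for net in DEFAULT_BYPASS_NETS):
            return "DIRECT"
    except ValueError:
        pass  # hostname, not a literal IP
    if any(entry_matches(e, host) for e in list(account_entries) + list(policy_entries)):
        return "DIRECT"
    return CLOUD_PROXY


# Constructed sample bypass lists (not from the page).
ACCOUNT_BYPASS = ["update.microsoft.com", "192.0.2.0/24"]
POLICY_BYPASS = ["webmail.example.com"]
```

Run bypass_total over the real lists before adding entries: once the sum exceeds 1000 for any policy, that policy's additions are refused, even though the account-level list itself may look short.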
Related topics:
● NTLM identification
● Setting authentication options for specific users
Use the Access Control tab to configure how your end users are identified by the
cloud service. You can configure multiple authentication or identification options for
your users if required.
The cloud service works “out of the box” for many organizations. A single policy
applied to an organization’s web traffic provides protection from malware and
inappropriate content. However, most customers want to tailor the service to align it
with their Internet acceptable use policy, which may require granular configuration on
a per-user and per-group basis, with different users or groups assigned to specific
policies. Often, organizations want to report on the surfing habits of their employees.
These use cases require the service to identify specific users in order to apply the
correct policy, and to log user actions for reporting purposes.
There are a number of events that can lead to an end user being asked to authenticate:
● The user is connecting from an IP address configured as a proxied connection in
one of your policies, and the policy has the Always authenticate users option
enabled on the Access Control tab.
● The user is accessing a website within a category that has an action of Require
user authentication. You configure this within the category itself.
● The user is attempting to access a website for which there is a group or user
exception. At this point, the cloud service needs to find out who the user is in
order to determine whether the exception applies.
● The end user connects from an unknown IP address, so is considered a remote
user.
When a request is made from an unknown IP address, users are served a
notification page asking them to authenticate. Because the cloud service does not
know who the users are at this time, the notification page is a generic service-wide
page. See Roaming home page for further information.
Note
If user authentication is required by a connection-based policy, the service checks
whether the user is assigned to a specific policy, and applies the user’s policy. The
user’s “home” policy overrides the IP-based policy for enforcement actions.
Note
NTLM transparent identification is not valid for remote users (connecting from
unknown IP addresses). Such users must always authenticate with the web endpoint,
single sign-on, or a valid email address and password.
● Log in: To continue, users click Log in and are presented with the basic
authentication dialogue.
● Register: If the users have not previously registered to use the service, they can
do so by clicking Register. This takes them into the registration process. See End
Users tab, page 168 for further details.
● Forgotten your password?: If users cannot remember their password, they can
click Forgotten your password? They are redirected to a web page where they
enter their email address. An email is sent containing a link to the cloud service,
where they must create a new password before being allowed to continue to
authenticate.
As with all notification pages, you can tailor the default to meet your needs and use it
to remind your users that they are using company resources that are governed by an
acceptable use policy. In addition, you can select the option to display a notice to your
users that asks them to agree to accept the terms of your acceptable use policy if they
wish to continue browsing. See Acceptable use policy, page 155.
Session timeout
Note
The session timeout option of this page does not apply to traffic from an I Series
appliance. For information on configuring session timeout for appliances, see
Adding or editing appliance information, page 141.
Users’ credentials for single sign-on and secure form-based authentication are not sent
every browser session. However, the credentials must be revalidated periodically for
security reasons, and you define the time period for that revalidation under Session
timeout. The options are 1 day, 7 days, 14 days, 30 days, 3 months, 6 months, or 12
months.
Once the selected period has elapsed after a user’s credentials were last validated, the
user is either re-authenticated transparently through your identity provider, or asked to
supply their logon credentials again for form-based authentication.
NTLM identification
Related topics:
● NTLM registration page
● Further information about NTLM
● Access Control tab
Firefox on Linux. Non-supported user agents are presented with the pre-login
welcome page, and users can log on using the basic authentication mechanism.
Note
NTLM transparent identification is not valid for remote users (connecting from
unknown IP addresses). Such users must always authenticate with the web endpoint,
single sign-on, or a valid email address and password.
Related topics:
● Further information about NTLM
● Access Control tab
Users of policies where NTLM is selected must undergo an additional, once only,
registration task to associate their NTLM credentials with their registered cloud
credentials. See NTLM transparent identification, page 173 for further information.
As with all notification pages, you can use the default page, customize it, or create
your own.
NTLM identity
The NTLM identity is the domain\username with which users log on to their Windows
PC; for example, MYDOMAIN\jsmith.
NTLM credentials
NTLM credentials include the NTLM identity (as defined above), the PC’s identity,
and a non-reversible encryption of the user’s password. These are sent by the browser
when a server (in this case a cloud service proxy) sends an NTLM challenge.
hash, a network service must know the user’s password. The cloud service is outside
of the company network, and so does not know the user’s network password. For this
reason, the cloud service can use NTLM only to identify users, not to authenticate
them. This limitation helps to preserve the security of the user’s network passwords.
Limitations
1. Transparent identification does not authenticate; for example, it does not do
password checking. It relies on the customer site having secure NT or Active
Directory domains set up, along with physical security to stop unauthorized
access to the company network or the users’ computers.
Note
Although NTLM Identification works with Windows workgroups, it is not a
recommended solution if you are concerned about security and correctly identifying
end users.
2. You cannot use transparent identification for remote users. Remote users must be
registered and must log on using their email addresses.
3. Users of non-Windows systems in a transparent identification policy still have to
log on manually.
4. Many proxies do not pass NTLM challenges, so if you have a chained proxy
deployment, you should check this. Microsoft ISA/TMG Server and Blue Coat
ProxySG do support NTLM pass-through.
5. A browser that supports NTLM but is operating in a non-Windows environment
(e.g., Firefox on a Linux platform), may exhibit strange behavior and may not
work with a cloud policy that is configured to use NTLM. Where possible, we
attempt to identify such browsers by user agent type and send an authentication
request rather than an NTLM challenge.
6. The existing Welcome page is not shown to users of NTLM-capable browsers in a
transparent identification policy.
The a= parameter controls the authentication option used; its value can be one of
the following:
● a=n: NTLM identification is used. If NTLM is not supported by the browser or
application, basic authentication is used.
● a=t: Authentication is performed using single sign-on. If the application or user
agent cannot use single sign-on, NTLM identification or basic authentication is
used. If a remote user cannot log on using single sign-on, they are given the option
to try again or log on using other credentials.
● a=f: Authentication is performed using secure form-based authentication.
For further details about PAC files, see Proxy auto-configuration (PAC).
Endpoint tab
Related topics:
● Configure Endpoint settings
Use the Endpoint tab to enable secure transparent authentication with the web
endpoint for end users whose requests are managed by this policy.
From this tab you can deploy the Proxy Connect endpoint to either the roaming users
or all users in the policy directly from the cloud. (The Direct Connect endpoint and
Neo must be installed manually; automatic installation from this tab is not supported.)
● Proxy Connect users in your network will be asked to install the endpoint software
on their machine when they start a browsing session.
● Roaming users must first authenticate themselves via the Roaming home page
before being asked to install the endpoint software.
See this Knowledge Base article for a list of browsers that support Proxy Connect
endpoint deployment directly from the cloud.
For Neo, Proxy Connect, and Direct Connect endpoint software, you can push the
endpoint manually to selected client machines using your preferred distribution
method. For more information, see Configure Endpoint settings.
Note
You must set an anti-tampering password for Proxy Connect or Direct Connect
endpoint installations before you can deploy the endpoint software. Set this
password on the Web > Settings > Endpoint page.
For both classic Direct Connect and Proxy Connect endpoint clients, you can choose
to automatically update endpoint whenever a new version is released. Note that if you
select an automatic update option, it applies to all users in the policy who have
installed the endpoint on the selected operating system, regardless of how the endpoint
software was originally deployed.
For Neo, automatic updates are enabled by default but can be configured on the Neo
management portal, accessed from the Web > Settings > Endpoint page. For more
information, see Settings section of the Forcepoint Dynamic User Protection Help.
Neo
Use this section to select the Neo mode to use. Select:
● Intelligent auto-switching to automatically switch between proxy connect and
direct connect modes based on performance and network conditions. This is the
recommended option.
Neo uses the appropriate endpoint mode based on network conditions. When
proxy connect mode is in use but cannot connect to the proxy, or if performance
becomes an issue, Neo switches to direct connect mode.
● Proxy Connect to use only the Proxy Connect endpoint mode. This Neo mode
corresponds to the functionality available in the standalone classic Proxy Connect
agent.
● Direct Connect to use only the Direct Connect endpoint mode. This Neo mode
corresponds to the functionality available in the standalone classic Direct Connect
agent.
From the Fallback mode drop-down, select the fallback behavior that should be
applied to a user request if the network connection to Neo is interrupted.
● Open to allow the user request.
● Closed to block the user request.
● Safe (not available with Proxy Connect) uses local cache to apply policy.
Note
These settings only apply to the Proxy Connect endpoint. The Retrieve PAC file
over HTTPS option requires build 2826 or later. Earlier versions of the Proxy
Connect endpoint will always download the PAC file over HTTP, and are not
affected by this setting. Ensure that your Endpoint clients have connectivity to a
Forcepoint data center on TCP ports 8087 or 443, as appropriate, before enabling
this option.
Related topics:
● NTLM transparent identification
● Editing end-user registration pages
● Managing registered users
● Rules for policy association during end-user registration
The End Users tab is where all end-user registration configuration is performed.
Registration is the method of getting user credentials into your cloud service account.
There are currently 3 methods of registering end users:
1. Registering by invitation
Registering by invitation
There may be users that you want to use your policy who do not have an email address
within your email domains; for example consultants or contractors working at your
location that you want to be bound by your Internet usage policy. You can invite these
users to use the policy by selecting Invite an End User from the End Users tab.
Once you have added the end users’ names, email addresses, and, if available, NTLM
identities, the cloud service sends them the registration email in the same way as if
they had self-registered. They click the link and are asked to enter their password.
Field Description
Name Name of the user you want to invite to use the policy.
Email address Email address of the user to invite.
NTLM Identity The NTLM identity of the user, if available.
State Enabled or disabled. If enabled, you can choose which block
page to display for this user.
Field Description
Upload File: Browse to the text file to upload. See Bulk upload file format below.
Character Set: The character set of the file; this is normally either iso-8859-1 or
Unicode.
Add New Users to Groups: You can add new users to a single or multiple groups by
selecting them on this page. Alternatively you can specify group membership in the
upload file.
File Contains NTLM Identities: Click if the file contains NTLM identities.
Replace details of existing users: Click if you want to replace a current record with
this one.
Notification Email Address: Notification email address is the sender address of the
registration email.
Invitation Email Language: The language variant of the registration email. To
include language variants of this email, edit the End User Registration Email
notification page. See Editing notification pages, page 110.
Batch the Invitation Emails: Registration emails are batched to prevent your email
servers being flooded by thousands of messages at once. You can specify the
frequency.
For example:
Fred Bloggs,fred.bloggs@acme.com,"Corporate Finance,All in Reading,"
Note
You can specify multiple groups, but because the field itself contains commas, you
must enclose them in quotes.
If you are including NTLM identities, they may appear at the beginning or end of the
line.
Name,EmailAddress,Groups,NTLMIdentity
NTLMIdentity,Name,EmailAddress,Groups
For example:
Anita Rao,arao@acme.com,QAGroup,testdomain\anita
The end of each line can be either a line feed, carriage return or both but you cannot
mix them. For example, you cannot end one line with a carriage return and another
with a line feed.
Note
If you are saving a file from Excel, do not Save As CSV (comma delimited) (*.csv),
because this does not end lines consistently. Save As CSV (MS-DOS) (*.csv)
instead.
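The bulk upload format described above (comma-separated name, email address and
groups, a quoted group field when it holds several groups, an optional NTLM
identity at the start or end of each line, and a single line-ending style per
file) can be checked before the file is uploaded. The following validator is an
added example and not Forcepoint code; the sample files are constructed from the
page’s examples, and the rule that the NTLM identity is recognised by which field
holds the email address is this example’s own assumption.

```python
import csv
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
NTLM_RE = re.compile(r"^[^\\]+\\[^\\]+$")  # DOMAIN\username


def detect_line_ending(data):
    """Return the single line-ending style used (b'\\r\\n', b'\\r' or b'\\n').

    The page requires one style per file, so a mix is reported as an error.
    """
    crlf = data.count(b"\r\n")
    cr = data.count(b"\r") - crlf
    lf = data.count(b"\n") - crlf
    styles = [s for s, n in ((b"\r\n", crlf), (b"\r", cr), (b"\n", lf)) if n]
    if len(styles) > 1:
        raise ValueError("file mixes line endings: %r" % styles)
    return styles[0] if styles else b"\n"


def parse_bulk_upload(data, encoding="iso-8859-1", has_ntlm=False):
    """Parse a bulk registration file.

    Returns (records, errors). Each record is a dict with name, email, groups
    (a list) and ntlm (or None). Errors are (line number, message) pairs.
    """
    ending = detect_line_ending(data)
    lines = [ln for ln in data.decode(encoding).split(ending.decode("ascii")) if ln.strip()]
    records, errors = [], []
    expected = 4 if has_ntlm else 3
    for lineno, row in enumerate(csv.reader(lines), start=1):
        if len(row) != expected:
            errors.append((lineno, "expected %d fields, found %d" % (expected, len(row))))
            continue
        ntlm = None
        if has_ntlm:
            # Assumption: the identity may be first or last on a line, and the
            # position of the email address tells the two layouts apart.
            if EMAIL_RE.match(row[1]):
                name, email, groups, ntlm = row
            else:
                ntlm, name, email, groups = row
            if not NTLM_RE.match(ntlm):
                errors.append((lineno, "NTLM identity %r is not DOMAIN\\user" % ntlm))
                continue
        else:
            name, email, groups = row
        if not name.strip():
            errors.append((lineno, "missing name"))
            continue
        if not EMAIL_RE.match(email):
            errors.append((lineno, "invalid email address %r" % email))
            continue
        records.append({
            "name": name.strip(),
            "email": email.strip(),
            # A quoted group field may hold several comma-separated groups.
            "groups": [g.strip() for g in groups.split(",") if g.strip()],
            "ntlm": ntlm,
        })
    return records, errors


# Constructed sample files based on the page's examples: one per layout, plus
# a file that mixes CR LF and LF endings, which the page says is not allowed.
SAMPLE_PLAIN = (
    b'Fred Bloggs,fred.bloggs@acme.com,"Corporate Finance,All in Reading,"\r\n'
    b"Anita Rao,arao@acme.com,QAGroup\r\n"
    b"Bad Entry,not-an-address,QAGroup\r\n"
)
SAMPLE_NTLM = (
    b"Anita Rao,arao@acme.com,QAGroup,testdomain\\anita\n"
    b"testdomain\\bob,Bob Lee,blee@acme.com,\n"
)
SAMPLE_MIXED = b"A,a@acme.com,G\r\nB,b@acme.com,G\n"

if __name__ == "__main__":
    print(parse_bulk_upload(SAMPLE_PLAIN))
    print(parse_bulk_upload(SAMPLE_NTLM, has_ntlm=True))
```

Running the check locally before upload catches the two problems the page warns
about (a mixed line-ending file, typically produced by the wrong Excel Save As
option, and group lists that were not quoted) without sending anything to the
service.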
Stage 1
End users visit https://www.mailcontrol.com/enduser/reg/index.mhtml and enter
their name and unique email address.
They can also access this page by clicking Register on the default logon page. Once
they have submitted their name and email addresses, the cloud service sends them an
email with a link, asking them to click it to confirm their registration.
Stage 2
Users click the link and are prompted for a password. From then on, if challenged by
the proxy service, they can enter their email address and password to gain access to
authenticated resources.
Directory synchronization
Related topics:
● NTLM transparent identification
● End Users tab
● Set up authentication
When you enable directory synchronization for your account, you can specify how
users are assigned to policies. If you have multiple web policies, you can use group
membership to assign users to policies. The assignment can be static (assigning a user
to a policy only when that user is initially registered) or dynamic (changing policy
assignment as group membership changes). This is all configured on the Manage
Directory Synchronization page: see Configure identity management.
The End Users tab enables you to assign the current policy to a group or groups of
synchronized users, overriding the default assignment:
1. Choose the End Users tab.
2. Under Directory Synchronization, click Modify list of groups.
3. Select the group(s) you want assigned to this policy.
4. Click Submit.
The effect of this action is to assign all members of the group to this policy.
Related topics:
● NTLM registration page
● Further information about NTLM
● Access Control tab
In order to access the cloud service using NTLM transparent identification, some
users are prompted to associate their NTLM credentials with their registration details
the first time they access the service (or the first time transparent identification is
enabled on their policy). This includes users who register themselves, are invited to
register, or are bulk registered.
Note
If you are using directory synchronization and have synchronized NTLM IDs, users
are not prompted for this information.
The cloud service includes a database of cloud applications that can be used to allow
or block user access to selected applications.
Click the Cloud Apps tab to configure a list of cloud apps to be blocked and a
separate list of cloud apps to be allowed by this policy.
Note that customers who have licensed and use the Protected Cloud Apps feature will
see slight differences when using the Cloud Apps tab for policies for which protected
cloud apps should be applied. See Using the Cloud Apps tab with Protected Cloud
Apps below.
1. Enable Always allow access to cloud apps on the Allow Access list to always
permit user access to cloud apps that have been added to the Allow Access list.
User requests to these applications are allowed regardless of how the corresponding
category is configured on the Web Categories tab.
See Filtering action order for details on how the cloud service applies filtering
actions.
2. Select Block all high risk level applications to block access to any cloud app that
is considered high risk.
The number of high risk applications is provided in a link that can be used to open
a scrollable list of the qualifying apps. When the list is open, use your browser
search feature to locate specific apps.
3. Click the link to the Cloud Apps block page to navigate to Web > Block &
Notification Pages > Page Details and customize the block page created
specifically for blocking user access to cloud apps.
4. In the Block Access list, select specific cloud apps that should always be blocked,
regardless of their risk level.
a. Enter all or part of a cloud app name in the search box.
b. A drop-down list appears, containing cloud app names that qualify for the
search. As text is entered, the list of qualifying apps changes to match the
search criteria. Search results are listed alphabetically within each risk level.
Note that, if Block all high risk level applications has been selected, the
selection list is limited to medium and low risk apps. Search results provide
only the total number of high risk apps.
c. Select the app or apps you wish to add to the blocked list by marking the
check box next to the app name.
Apps that have already been included in the Allow Access list cannot be
selected. They must first be removed from that list.
Click Done when you have finished making your selections. Each selected
cloud app is added to the blocked list.
d. Remove an app from the list by removing the check mark.
The number of selected apps included in each risk level is provided next to the
risk level name. Cloud apps in the list are sorted alphabetically within each risk
level.
If Block all high risk level applications was enabled, the risk level and total is
automatically included in the list. The actual apps are not listed. If one of the high
risk apps is specifically selected in the Allow Access list, the count is reduced by
the number of high risk apps allowed.
Important
The Block Access list takes precedence over actions assigned on the Web
Categories tab. If a blocked cloud app is requested using a URL categorized in a
category that is set to allow, access to it is blocked.
5. In the Allow Access list, select cloud apps that should always be permitted.
a. Enter all or part of a cloud app name in the search box.
b. A drop-down list appears, containing cloud app names that qualify for the
search. As text is entered, the list of qualifying apps changes to match the
search criteria. Search results are listed alphabetically within each risk level.
c. Select the app or apps you wish to add to the allowed list by marking the
check box next to the app name.
Apps that have been included on the Block Access list cannot be selected.
They must first be removed from that list.
Click Done when you have finished making your selections. Each selected
cloud app is added to the permitted list.
Important
The Allow Access list takes precedence over the Block all high risk level
applications option. Access to a high risk app that is on the permitted list is allowed
even if Block all high risk level applications is enabled.
Important
Block actions assigned on the Web Categories tab take precedence over the Allow
Access list. If a permitted cloud app is requested using a URL categorized in a
category that is set to block, access to it is blocked.
A count of the number of selected apps is provided above each selection pane. Each
list is limited to 100 selections. When the limit is reached, search results no longer
allow selection of additional apps. An app that was previously selected must first be
removed from the list.
Use the Custom Categories tab to view and add custom categories used for this policy
only. Unlike the custom categories defined on the Web > Policy Management >
Custom Categories page, which are available for use in all policies, the categories
defined here can be applied only to the policy being edited.
Note that this tab is not available unless Enable custom categories per policy has
been enabled on the Web > Policy Management > Custom Categories page.
Note
There is a limit to the maximum number of custom categories and sites you can add.
The number of used and available category entries is displayed on the page.
Based on analysis of custom category usage, this limit is designed to provide ample
capacity. If you have any questions about the custom category limit, please contact
Technical Support.
Important
When a file is uploaded, the contents of the file will replace the list of sites
previously associated with the category. It will not add to that list.
Note
Certain characters have significance to the pattern matching mechanism, and should
be preceded with a backslash (\). These characters are: [ ] { } \ + *
Hostnames
Enter hostnames without a protocol, for example: abc.com. This will match:
● Any resource at the domain, using any protocol (for example http://abc.com,
https://abc.com, ftp://abc.com).
● Any subdomains of abc.com using any protocol, for example www.abc.com,
123.abc.com, www.123.abc.com.
You can use a wildcard (*) within a hostname or at the beginning of a hostname.
Wildcards at the beginning of a hostname match any hostname that ends with the
string you enter, for example *abc.com matches 123abc.com, and any subdomains
(for example www.123.abc.com, www.xxx.123abc.com).
A wildcard at the beginning of a hostname, followed by a dot (*.abc.com) matches
any subdomains of abc.com (for example 123.abc.com), but not the abc.com domain
itself.
Note
Wildcards placed at the end of the string are removed.
URL paths
Any address with a slash (/) following the hostname or IP address is treated as a URL
path (for example www.abc.com/, www.abc.com/mysite).
If you specify a URL path, it is treated as the start of a path, and matches anything
beginning with the string you enter (for example, www.abc.com/mysite matches
www.abc.com/mysite/folder/page.htm).
Note: URL paths will not match for HTTPS requests unless SSL decryption is being
performed. For HTTPS requests, the full path is not provided to the proxy.
IP addresses
Enter IPv4 IP addresses or ranges in one of the following formats:
● Explicit address: a single address. Example: 12.13.14.15
● Explicit range: 2 addresses separated by a dash (-). Example: 12.13.14.15-12.13.14.99
(a space before and after the dash is allowed, but not required)
● Subnet: An address followed by a slash (/) and the number of bits, which is a
number between 1 and 32. Example: 12.13.14.15/24
● Subnet with subnet mask: an address followed by a slash (/) and a netmask.
Example: 12.13.14.15/255.255.255.0
IP addresses and ranges are used to match the resolved address of a requested
hostname, using any protocol and port.
Ports
If you include a port number that is the standard port number for the protocol being
used (for example port 80 for HTTP, port 443 for HTTPS), the port number is ignored
and the entry is treated as described above. If the port number is a non-standard port
for the protocol being used, the proxy will match only URLs that include the port
number.
For example, if you enter www.abc.com:8080/, then http://www.abc.com:8080/mysite
will match, but http://www.abc.com/mysite will not.
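The hostname, wildcard, URL path, IP address and port rules above determine which
requests a custom category entry matches. The matcher below is an added example
that implements those rules as the page states them, so that a list can be tested
against sample requests before it is uploaded; it is not Forcepoint’s matching
code. It assumes the resolved IP address of the hostname is supplied by the caller
(standing in for the proxy’s DNS lookup) and that a `decrypted` flag models
whether SSL decryption makes an HTTPS path visible; the treatment of a
backslash-escaped character as literal follows the page’s note on special
characters.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Standard port per protocol: an entry port equal to the request protocol's
# standard port is ignored, so "www.abc.com:443" behaves like "www.abc.com".
STANDARD_PORTS = {"http": 80, "https": 443, "ftp": 21}


def _host_regex(pattern):
    """Compile a hostname pattern into a regex.

    An unescaped '*' is a wildcard and a backslash makes the next character
    literal (the page lists [ ] { } \\ + * as characters needing a backslash).
    Trailing wildcards are dropped, as the page notes. The (^|\\.) prefix makes a
    plain name match itself and any subdomain (abc.com matches www.abc.com),
    while *.abc.com matches subdomains only.
    """
    pattern = re.sub(r"(?<!\\)\*+$", "", pattern)
    parts, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            parts.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        parts.append(".*" if ch == "*" else re.escape(ch))
        i += 1
    return re.compile(r"(^|\.)" + "".join(parts) + "$", re.IGNORECASE)


def _parse_ip_entry(text):
    """Return an ip_network, a (low, high) address pair, or None if not an IP entry."""
    text = text.replace(" ", "")  # a range may have spaces around the dash
    try:
        if "-" in text:
            low, high = text.split("-", 1)
            return (ipaddress.ip_address(low), ipaddress.ip_address(high))
        if "/" in text:
            # Accepts both "/24" and "/255.255.255.0"; strict=False keeps host bits.
            return ipaddress.ip_network(text, strict=False)
        return ipaddress.ip_network(text + "/32")
    except ValueError:
        return None


class CategoryEntry:
    """One line of a custom category site list, classified as on the page."""

    def __init__(self, text):
        self.text = text
        self.ip = _parse_ip_entry(text)
        self.host_re = self.port = self.path = None
        if self.ip is None:
            hostport, slash, path = text.partition("/")
            self.path = "/" + path if slash else None  # a slash makes it a URL-path entry
            host, _, port = hostport.partition(":")
            self.port = int(port) if port else None
            self.host_re = _host_regex(host)

    def matches(self, url, resolved_ip, decrypted=False):
        """True if the request (URL plus resolved IP) is matched by this entry."""
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if self.ip is not None:
            addr = ipaddress.ip_address(resolved_ip)
            if isinstance(self.ip, tuple):
                return self.ip[0] <= addr <= self.ip[1]
            return addr in self.ip
        if not self.host_re.search(parts.hostname or ""):
            return False
        if self.port is not None and self.port != STANDARD_PORTS.get(scheme):
            if parts.port != self.port:  # non-standard port: URL must carry it
                return False
        if self.path is not None:
            if scheme == "https" and not decrypted:
                return False  # the path is not sent to the proxy for undecrypted HTTPS
            return (parts.path or "/").startswith(self.path)
        return True


def first_match(entries, url, resolved_ip, decrypted=False):
    """Return the text of the first entry matching the request, or None."""
    for entry in entries:
        if entry.matches(url, resolved_ip, decrypted):
            return entry.text
    return None
```

A practical use is to run a proposed site list through `first_match` with the
URLs you expect to be caught and a few you expect to pass, which makes the
difference between `*abc.com` and `*.abc.com`, and the HTTPS path limitation,
visible before the category is saved.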
Related topics:
● Enabling SSL decryption
● Policy enforcement actions
● Exceptions
● Filtering action order
● Category list
The cloud service includes dozens of website categories (see Category list, page 191,
for more details). These categories are designed to help you apply policy to your
organization’s Web surfing. If a website has not previously been categorized, we
assign it the “Unknown” category.
Note
Websites can exist in one standard category, but multiple custom categories.
enables the cloud proxy to serve the correct notification page to the user. For example,
a block page if the SSL site is in a category that the end user is prevented from
accessing, or the Pre-logon welcome page, page 161, for authentication.
To implement SSL decryption for your end users, you need a root certificate on each
client machine that acts as a Certificate Authority for SSL requests to the cloud proxy.
To install the root certificate for your end users and enable notification pages for SSL
sites:
1. On the Web Categories tab, click the root certificate link and download the
certificate to a location on your network. You can then deploy the certificate
manually, using your preferred distribution method.
2. Once the certificate has been deployed, return to this page and toggle the SSL
decryption switch to ON.
3. Click Save.
Note
You should also define a certificate when you add an appliance and install that
certificate on users’ machines, in order to avoid browser warnings regarding SSL
termination block, authentication, or quota/confirm operations. See Generating
device certificates, page 134.
do not enable any of these options on the Web Content & Security tab, the
categories you select are decrypted to enable correct notification pages, but
not analyzed.
Note
If you enable Analysis exceptions, page 210, on the Web Content & Security tab and
a site defined as an exception is also in a category selected for SSL decryption, the
exception defines whether or not the HTTPS version of the site is analyzed. For
example, if “google.com” is set to Never Analyze and the Search Engines and
Portals category is selected for SSL analysis, https://www.google.com would be
decrypted but not analyzed.
In the Standard Categories section, child categories are indented under their parent
categories. Expand the parent category to see its child categories.
Parent categories allow specific categories to be grouped by a more generic
description—for example, Internet Communication is the parent category for
General Email, Organizational Email, Text and Media Messaging, and Web
Chat. However, there is no hierarchical relationship between parent categories and the
child categories within them: you can set a filtering action for a parent category
without it affecting the child category, and vice versa.
Privacy categories are marked with a padlock icon. This predefined group includes
the following categories that may be subject to regulatory requirements:
● Financial Data and Services
● Prescribed Medications
● Education
● Government
● Health
Websites in these categories may include personal identification information that
should not be decrypted, and you may want to avoid specifying these sites for
decryption.
To edit the action applied to a category, or the SSL decryption behavior for a category:
1. Select a web category from the category list.
You can select a category directly from the list, or enter text in the search box to
locate the category you want.
To select multiple categories, use the Shift and/or Ctrl keys. You can also use the
drop-down menu above the category list to select Web 2.0 categories or privacy
categories, or to select or deselect all categories.
2. Select an Action for the category. See Policy enforcement actions, page 184.
3. If SSL decryption is enabled, select whether or not to decrypt sites in the category.
4. If you have made changes to one or more parent categories, optionally click
Apply to Subcategories to use the same settings for both parent and child
categories.
5. Click Save.
If you have selected the Decrypt option for a privacy category, a warning message
appears.
Important
The Block Access list configured on the Cloud Apps tab (see Cloud Apps tab) takes
precedence over actions assigned on the Web Categories tab. If a blocked cloud app
is requested using a URL categorized in a category that is set to allow, access to it is
blocked.
Related topics:
● Exceptions
● Filtering action order
● Category list
Each category has an action assigned to it. This is the action that the cloud service
takes in response to a user’s Internet request. The action applies to all users of this
policy unless exceptions are configured.
The available actions are:
● Allow access
Allow access means that any website within the category is always accessible,
regardless of whether it exists in another category that has the Block access
action.
● Do not block
If you do not want websites to be blocked, select Do not block. This ensures that
the site is not blocked under this rule, but if it also exists in another category that
has an action of Block access, it is blocked under that category.
● Require user authentication
This action allows you to monitor who is accessing sites in this category. If you
are forcing users to be identified or authenticate themselves, it has the same
impact as Do not block. If the users are not already identified or authenticated,
they are forced to do so to access the site. If the site also exists in a category that
has the action Allow access, the users are not forced to identify or authenticate
themselves.
● Confirm
Users receive a block page, asking them to confirm that the site is being accessed
for business purposes. Clicking Continue enables the user to view the site.
Clicking Continue starts a timer. During the time period that you configure (10
minutes by default), the user can visit other sites in the confirmed category
without receiving another block page. Once the time period ends, browsing to any
other Confirm site results in another block page.
The default time can be changed on the General tab for the policy.
● Use Quota
Users receive a block page, asking them whether to use quota time to view the
site. If a user clicks Use Quota Time, he can view the site.
Clicking Use Quota Time starts two timers: a quota session timer and a total quota
allocation timer.
■ If the user requests additional quota sites during a default session period (10
minutes by default), he can visit those sites without receiving another block
page. If you are using per-category quotas, the user can visit only other sites in
the same category without receiving another block page.
■ Total quota time is allocated on a daily basis. Once it is used up, each user
must wait until the next day to access sites in quota categories. The default
daily quota allocation is set on the General tab for the policy. If you are using
per-category quotas, the total quota time applies to each category and once it
is used up for a particular category, a user can still use quota time in another
category, if available.
The session length and total quota time available for each category depend on the
options selected on the General tab. If you have defined per-category quotas, you
can select Use Quota for a category on the Web Categories tab to change the
total quota time and session length available to users in the policy for that
category.
See Using quota time to limit Internet access, page 185, for more information.
● Block access
This blocks access to websites in this category unless they exist in another
category that is assigned the Allow access action. If the website exists in
another category with the action Do not block, it is blocked under this category.
When a site is blocked, you can choose a notification page to be displayed.
Note that the block page that allows a user to View in Remote Browser is
available for selection only if the remote browser isolation feature is enabled. See
Configure Remote Browser Isolation for details.
This is because such applets are downloaded completely to a client machine and run
just like applications, without communicating back to the original host server. If the
user clicks the browser’s Refresh button, however, the cloud service detects the
communication to the host server, and then blocks the request according to applicable
quota restrictions.
Note
YouTube Restricted mode replaces the YouTube for Schools feature, which has
been withdrawn by YouTube.
End users can determine whether traffic to the website they are viewing is being
decrypted by checking who issued the certificate for that site. If the certificate was
issued by Websense, Inc., or Forcepoint LLC, traffic to the site has been decrypted.
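The certificate check just described, as an added Python example that is not code from this documentation or from Forcepoint: it reads the issuer of the certificate presented to the client and reports whether it is one of the two issuers named above. The two sample certificate dictionaries are constructed in the shape returned by the standard library's getpeercert().

```python
import socket
import ssl
from typing import Optional

# Issuer organizations that, per the documentation, indicate the cloud service decrypted the session.
DECRYPTING_ISSUERS = {"Websense, Inc.", "Forcepoint LLC"}


def issuer_org(cert: dict) -> Optional[str]:
    """Pull organizationName out of the issuer field of an ssl.SSLSocket.getpeercert() dict."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "organizationName":
                return value
    return None


def is_decrypted_by_cloud(cert: dict) -> bool:
    return issuer_org(cert) in DECRYPTING_ISSUERS


def peer_certificate(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the certificate the client sees for host (needs network access).

    If the decrypting CA is not in the local trust store, wrap_socket() raises
    ssl.SSLCertVerificationError; that failure is itself a sign that the session is being
    re-signed by something the client does not trust.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() layout: a tuple of RDNs, each a tuple of (name, value).
SAMPLE_DECRYPTED_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Forcepoint LLC"),),
               (("commonName", "constructed-example decrypting CA"),)),
}
SAMPLE_PUBLIC_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "constructed-example public CA"),)),
}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    cert = peer_certificate(target)
    print(target, "issuer:", issuer_org(cert), "decrypted:", is_decrypted_by_cloud(cert))
```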
Note
Single sign-on uses SSL decryption to handle encrypted traffic and redirect SSL
sites for authentication. If you have enabled single sign-on in a policy, you can
maintain a list of hostnames for which SSL decryption is not performed on the Web
Categories tab.
An end user accessing one of the specified hostnames using HTTPS will not be able
to use single sign-on. End users can still access these sites using HTTP and
authenticate successfully.
Exceptions
Related topics:
● Policy enforcement actions
● Filtering action order
● Category list
Exceptions allow the default action for a category to be overridden for specified users,
groups, and roaming users, and for defined time periods.
Note that Require user authentication is not available for category exceptions,
because for an exception to be applied, the cloud service must be aware of the users -
they must already be authenticated. If a user has not been authenticated, but wants to
access a category that has an exception for a user or a group, the cloud service
automatically asks the user to authenticate.
Note
If you set up an Allow exception, note that this overrides only the Block action on
URL categories. It does not bypass any other actions, including user authentication
and antivirus analysis.
When you select a category, the Category Exceptions section at the bottom of the page
shows the number of exceptions applied to that category. If no category is selected, the
list shows all category exceptions that have been defined.
On occasion you may want to add users to exceptions for policies they are not yet
using or leave users in an exception list for a policy they no longer use. This allows
you to set rules for users before they are moved between policies—for example, when
policy assignment has been changed in an LDAP directory. If you add an unknown
user or if the user belongs to another policy, you receive a message to this effect. You
can save rules that include users in other policies as well. These users are shown in the
exception list with a red asterisk.
The exceptions table provides the following summary information about each rule:
● The name assigned to the rule.
● The category or categories to which the rule applies. If there are multiple
categories in the exception, click the link to see the category list.
● The users and groups to which the rule applies. If none are shown, it applies to all
users of the policy.
● The time period to which the rule applies.
● The action for the rule, and whether it applies only to roaming users.
● The state of the exception rule - on or off. You can change the rule’s state in this
table by clicking the State switch.
To create an exception rule:
1. On the Web Categories tab, click a category name.
2. Click Add exception.
3. The rule State is set to ON by default, meaning the rule will be enabled for the
users and groups you select. If you want to set up a rule but not enable it
immediately, click the State switch to set it to OFF.
4. Enter a Name and Description for the rule.
5. Select the Action to apply from the drop-down list.
■ For the Confirm action, enter the time period for which a user who clicks
Continue can access sites in the selected category or categories.
■ For Use Quota, any further options depend on the quota time configured on
the policy’s General tab. If the policy has an overall daily quota set, that
quota applies to the exception and cannot be changed. If the policy is using
the per-category daily quota, enter the total quota time and session length
available to users and groups in the rule.
6. Select the Time period during which the rule is active.
7. For an exception that should be applicable to roaming users only, mark Apply
only when user is roaming.
8. Select the category or categories to which the rule applies. To select multiple
categories, use the Shift and/or Ctrl keys.
9. Enter or select the users and groups that will use the rule. You can also specify that
the rule applies to all users and groups in the policy except the group you select.
10. Click Submit.
Related topics:
● Policy enforcement actions
● Exceptions
● Category list
When a user requests access to a site, the cloud service determines whether to block or
permit access based on the details in the policy associated with the user. See Creating
a new policy for information.
By default, the cloud service applies the appropriate policy enforcement action to a
user request using these steps. If, at any step, the appropriate action is to block the
request, the user receives the appropriate block page.
1. Security category
2. Application control, File extension, File type, File Size
3. Cloud Apps
4. Standard or custom web categories:
a. Allow access
b. Require user authentication
c. Confirm
d. Quota
e. Block
f. Do not block
If the Always allow access to cloud apps on the Allow Access list option is selected
on the Cloud Apps tab of the policy, then requests to any cloud app listed on the Allow
Access list are allowed, regardless of the action assigned to the associated web
category or its security status. Requests to the apps listed on the Protected Cloud Apps
list are always forwarded to CASB for further enforcement.
Note
If you do not see the Always allow access to cloud apps on the Allow Access list
option on the Cloud Apps tab, contact Technical Support.
When this option is enabled, the cloud service applies the appropriate policy
enforcement action to requests using these steps.
1. File extension, File type, File Size
2. Cloud apps (This includes protected cloud apps. Requests to those apps are
forwarded to Forcepoint CASB for enforcement.)
3. Security category
4. Application control
5. Standard or custom web categories
a. Allow
b. Require user authentication
c. Confirm
d. Quota
e. Block
f. Do not block
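The two step orders above can be written down as an evaluator, which makes the effect of the Always allow access to cloud apps on the Allow Access list option concrete: with the option selected, an allow-listed cloud app is permitted even when the request matched a security category, but a file extension, file type or file size rule still runs first. This Python is an added example, not code from this documentation or from Forcepoint. The Request fields are a constructed model, and the behaviour of the cloud apps step (Protected Cloud Apps forwarded to CASB, Allow Access list allowed, identical in both orders) is an assumption.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Precedence among actions when a site belongs to several web categories (sub-steps a to f).
CATEGORY_ACTION_ORDER = [
    "Allow access", "Require user authentication", "Confirm", "Quota", "Block", "Do not block",
]


@dataclass
class Request:
    """The facts about one request that the ordered steps look at (constructed model)."""
    url: str
    security_hit: bool = False            # matched a security category
    app_control_blocked: bool = False     # an Application Control rule blocks it
    file_rule_blocked: bool = False       # a file extension / file type / file size rule blocks it
    on_allow_list: bool = False           # cloud app on the Allow Access list
    protected_app: bool = False           # cloud app on the Protected Cloud Apps list
    category_actions: List[str] = field(default_factory=list)  # actions of all matching categories


Step = Tuple[str, Callable[[Request], Optional[str]]]


def _security(r: Request) -> Optional[str]:
    return "Block" if r.security_hit else None


def _app_control(r: Request) -> Optional[str]:
    return "Block" if r.app_control_blocked else None


def _file_rules(r: Request) -> Optional[str]:
    return "Block" if r.file_rule_blocked else None


def _cloud_apps(r: Request) -> Optional[str]:
    # Assumption: the step behaves the same in both orders; only its position changes.
    if r.protected_app:
        return "Forward to CASB"
    if r.on_allow_list:
        return "Allow access"
    return None


def _web_categories(r: Request) -> Optional[str]:
    for action in CATEGORY_ACTION_ORDER:
        if action in r.category_actions:
            return action
    return "Do not block"   # no category matched: nothing to block


DEFAULT_ORDER: List[Step] = [
    ("Security category", _security),
    ("Application control / file rules", lambda r: _app_control(r) or _file_rules(r)),
    ("Cloud apps", _cloud_apps),
    ("Web categories", _web_categories),
]

# Order used when "Always allow access to cloud apps on the Allow Access list" is selected.
ALLOW_LIST_ORDER: List[Step] = [
    ("File rules", _file_rules),
    ("Cloud apps", _cloud_apps),
    ("Security category", _security),
    ("Application control", _app_control),
    ("Web categories", _web_categories),
]


def evaluate(r: Request, allow_list_option: bool = False) -> Tuple[str, str]:
    """Walk the steps in order; the first step that yields an action decides the request."""
    for name, step in (ALLOW_LIST_ORDER if allow_list_option else DEFAULT_ORDER):
        action = step(r)
        if action is not None:
            return name, action
    return "Web categories", "Do not block"


if __name__ == "__main__":
    risky_app = Request("https://app.example.net/upload", security_hit=True, on_allow_list=True)
    print(evaluate(risky_app))                           # ('Security category', 'Block')
    print(evaluate(risky_app, allow_list_option=True))   # ('Cloud apps', 'Allow access')
```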
When a category exception specifies a time period, several factors affect whether the
exception is applied:
● If the time period includes a timezone, the timezone is used.
● If a time period does not include a timezone, but the user request originates from a
proxied connection that has an associated timezone, the connection’s timezone is
used.
● If the time period does not include a timezone, and the user is either roaming or at
a proxied connection that has no timezone, the policy timezone is used.
● If no timezone is available for a time period, any exceptions based on that time
period are ineffective.
Given the considerations above, when a per-time, per-user, or per-group exception
also exists, it applies actions in this order:
● users with a time period defined
● users with no time period defined
● groups with a time period defined
● groups with no time period defined
● default with a time period defined
● default without a time period defined
In other words, rules with a usable time period defined take precedence over
equivalent rules with no time period.
Within each of these, the cloud service uses the same order as the default.
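Timezone resolution for a time period and the precedence list above, as an added Python example that is not code from this documentation or from Forcepoint. It uses fixed UTC offsets rather than named zones, treats a "default" exception as one defined with no users or groups, and the sample exceptions, contexts and clock are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone, tzinfo
from typing import List, Optional, Set


@dataclass
class TimePeriod:
    start: time
    end: time
    tz: Optional[tzinfo] = None   # None: the period was defined without a timezone


@dataclass
class CategoryException:
    name: str
    action: str
    scope: str                          # "user", "group", or "default" (no users/groups)
    subject: Optional[str] = None       # user name or group name; None for "default"
    period: Optional[TimePeriod] = None
    enabled: bool = True                # the rule's State switch


@dataclass
class RequestContext:
    user: str
    groups: Set[str] = field(default_factory=set)
    roaming: bool = False
    connection_tz: Optional[tzinfo] = None   # timezone of the proxied connection, if configured
    policy_tz: Optional[tzinfo] = None       # the policy's timezone, if configured


def effective_tz(period: TimePeriod, ctx: RequestContext) -> Optional[tzinfo]:
    """Resolve the timezone for a time period in the order the documentation gives."""
    if period.tz is not None:
        return period.tz
    if not ctx.roaming and ctx.connection_tz is not None:
        return ctx.connection_tz
    return ctx.policy_tz          # may be None: the exception is then ineffective


def period_active(period: TimePeriod, ctx: RequestContext, now: datetime) -> bool:
    tz = effective_tz(period, ctx)
    if tz is None:
        return False
    local = now.astimezone(tz).time()
    return period.start <= local < period.end


# Precedence: (scope, has a time period), highest first.
PRECEDENCE = [("user", True), ("user", False), ("group", True),
              ("group", False), ("default", True), ("default", False)]


def _applies_to(ex: CategoryException, ctx: RequestContext) -> bool:
    if ex.scope == "user":
        return ex.subject == ctx.user
    if ex.scope == "group":
        return ex.subject in ctx.groups
    return True


def select_exception(exceptions: List[CategoryException], ctx: RequestContext,
                     now: datetime) -> Optional[CategoryException]:
    """Return the exception that decides the request, or None to use the category default."""
    for scope, timed in PRECEDENCE:
        for ex in exceptions:
            if not ex.enabled or ex.scope != scope or (ex.period is not None) != timed:
                continue
            if not _applies_to(ex, ctx):
                continue
            if timed and not period_active(ex.period, ctx, now):
                continue   # period unusable or not active right now: rule is ineffective
            return ex
    return None


def fixed_tz(hours: Optional[int]) -> Optional[tzinfo]:
    """Fixed-offset zone from hours east of UTC; None means no timezone is configured."""
    return None if hours is None else timezone(timedelta(hours=hours))


# Constructed sample data: 12:00 UTC on a weekday, three exceptions on one category.
SAMPLE_NOW = datetime(2021, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EXCEPTIONS = [
    CategoryException("everyone-quota", "Quota", scope="default"),
    CategoryException("staff-confirm", "Confirm", scope="group", subject="staff"),
    CategoryException("alice-block", "Block", scope="user", subject="alice"),
    CategoryException("alice-office-hours", "Allow access", scope="user", subject="alice",
                      period=TimePeriod(time(9, 0), time(17, 0))),   # no timezone given
]
SAMPLE_TOKYO_HOURS = TimePeriod(time(9, 0), time(17, 0), tz=fixed_tz(9))


def sample_context(user: str, roaming: bool, connection_offset: Optional[int],
                   policy_offset: Optional[int], groups: Optional[Set[str]] = None) -> RequestContext:
    return RequestContext(user, {"staff"} if groups is None else groups, roaming,
                          fixed_tz(connection_offset), fixed_tz(policy_offset))
```

The period without a timezone is active for alice when she is behind a UTC-offset-0 proxied connection, inactive when her connection is at UTC+9 (21:00 local), evaluated against the policy timezone when she is roaming, and ineffective (so the untimed user rule wins) when neither connection nor policy has a timezone.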
Category list
Related topics:
● Policy enforcement actions
● Exceptions
● Filtering action order
The cloud service uses the Master Database, which organizes similar websites
(identified by URLs and IP addresses) into categories. Each category has a
descriptive name, like Adult Material, Gambling, or Peer-to-Peer File Sharing.
The categories include the following:
● Advanced Malware Command and Control focuses on outbound network
transmissions from a compromised machine to a malicious command and control
center
● Advanced Malware Payloads focuses on inbound network transmissions of
payloads intended to exploit a machine
● Mobile Malware focuses on malicious websites and applications that are
designed to run on mobile devices
● Unauthorized Mobile Marketplaces focuses on websites that potentially
distribute applications that are unauthorized by the mobile operating system
manufacturer, the handheld device manufacturer, or the network provider. (Traffic
to websites in this category may be a sign of a jailbroken or rooted device.)
You can also create your own, custom categories or import a custom category file (in
CSV format) to group sites of particular interest to your organization (see Configure
custom categories). Together, the Master Database categories and user-defined
categories form the basis for Internet filtering.
Note
Categories are designed to create useful groupings of the sites of concern to
subscribing customers. They are not intended to characterize any site or group of
sites or the persons or interests who publish them, and they should not be construed
as such. Likewise, the labels attached to categories are convenient shorthand and are
not intended to convey, nor should they be construed as conveying, any opinion or
attitude, approving or otherwise, toward the subject matter or the sites so classified.
Go to the Web > Settings > Master URL Database Categories link in the cloud
portal to see an up-to-date list of Master Database categories.
To suggest that a site be added to the Master Database, use the Forcepoint Site Lookup
Tool. To access the tool:
1. Log in to your support account at https://support.forcepoint.com/Login
2. From the Tools & Links menu, click Site Lookup Tool.
Protocols tab
Click the Protocols tab to manage how protocols, or non-HTTP Internet traffic, are
handled by a policy.
Important
This feature requires an I Series appliance.
The list of protocols appears in a 2-level tree display similar to that in the Categories
tab. Protocol groups can be expanded to show the individual protocols within each
group.
The list on the Protocols tab includes both standard protocols and any custom
protocols that you have defined on the Policy Management > Protocols page. The
standard protocol groups are updated regularly.
Configure how a protocol is filtered by selecting it in the protocols tree and specifying
an action (Allow or Block) from the box on the right. You can select a protocol
directly from the list, or enter text in the search box to locate the protocol you want.
Use the Shift and/or Ctrl keys to select multiple protocols.
Protocol exceptions
Protocol exceptions allow the default action for a protocol to be overridden for
specified users and groups of users. The number of exceptions to the default filtering
action is shown at the bottom of the Protocols tab. Click a protocol to view exception
rules that may apply to it.
The exceptions table provides the following information about each rule:
● The name assigned to the rule
● The protocol or protocols to which the rule applies.
● The users and groups to which the rule applies. If none are shown, the rule applies
to all users of the policy.
● The action for the rule (Allow or Block)
● The status of the exception rule (Active or Inactive)
To create an exception rule:
Click the Application Control tab in the policy to configure social web controls for
your end users. This tab is available for Forcepoint Web Security Cloud only.
To use the options on the Application Control tab, you must enable Real-time Security
Classification on the Web Content & Security tab. See the Web Content & Security
tab, page 206.
Social web controls enable you to safely fine-tune access to popular sites within social
media such as Facebook, Twitter, and YouTube. For each available site, you can
specify whether users can access particular functions within the site, such as posting a
comment or joining a group. For example, you may want to allow users to access their
Facebook page, but not to upload photos or videos to the site.
The following filtering actions are available for social web controls:
● Do not block. This ensures that the function is not blocked, unless the category to
which the parent site belongs has the action Block access. If you select Do not
block for a function and the parent site is blocked on the Web Categories tab, a
popup warning appears when you save your changes.
● Block access. This blocks the function and depending on the nature of the
function, either displays the block page that you select, stops the function from
working, or displays an error message.
The functions specific to each site are grouped together. If you set a particular filtering
action for the parent application (for example, Twitter), it is also applied to all child
functions for that application. You can subsequently change the action for individual
functions.
Top-level sites related to the social web controls remain classified and filtered under
their existing categories on the Web Categories tab, page 181. For example, Facebook
Chat is classified as Web Chat. You can only apply social web controls to a site if its
corresponding web or custom category allows access or does not block the site.
If the top-level site is part of a category that has quota time applied to it, application
controls are applied according to your configuration when the user is in a quota
period. Similarly, if the site is in a category that has the Confirm action applied to it,
application controls are applied according to your configuration once the user has
clicked Continue.
To configure application controls:
1. Select an application from the Applications list.
You can select an application directly from the list, or enter text in the search box
to locate the application you want.
To select multiple applications, use the Shift and/or Ctrl keys. You can also use
the drop-down menu above the Applications list to select or deselect all
applications.
2. Select an Action for the category. Note that if you have selected a parent
application (for example Facebook or Twitter), the action you select also applies
to all the controls within that application by default.
3. If you have selected Block access, select a block page to display.
4. Click Save.
Related topics:
● Application Control tab
Exceptions allow the configured action for an application control to be overridden for
specified users, groups of users, and roaming users.
On the Application Control tab, the exceptions to the default configuration are listed at
the bottom of the page. Click an application to view exception rules that may apply.
On occasion you may want to add users to exceptions for policies they are not yet
using or leave users in an exception list for a policy they no longer use. This allows
you to set rules for users before they are moved between policies—for example, when
policy assignment has been changed in an LDAP directory. If you add an unknown
user or if the user belongs to another policy, you receive a message to this effect. You
can save rules that include users in other policies as well. These users are shown in the
exception list with a red asterisk.
The exceptions table provides the following summary information about each rule:
● The name assigned to the rule.
● The application to which the rule applies. It always applies to the application you
are viewing, but this indicates whether it applies to other applications. If there are
multiple applications in the exception, click the link to see the application list.
Note that if this is the case, the exception is also listed when you select the other
application(s).
● The users and groups to which the rule applies. If none are shown, it applies to all
users of the policy.
● The action for the rule, and whether it applies only to roaming users.
● The state of the exception rule - on or off. You can change the rule’s state in this
table by clicking the State switch.
To create an exception rule:
1. On the Application Control tab, click a web application.
2. Click Add exception.
3. The rule State is set to ON by default, meaning the rule will be enabled for the
users and groups you select. If you want to set up a rule but not enable it
immediately, click the State switch to set it to OFF.
4. Enter a Name and Description for the rule.
5. Select the Action to apply from the drop-down list.
6. For an exception that should be applicable to roaming users only, mark Apply
only when user is roaming.
7. Select the application to which the rule applies. To select multiple applications,
use the Shift and/or Ctrl keys.
8. Enter or select the users and groups that will use the rule. You can also specify that
the rule applies to all users and groups in the policy except the group you select.
9. Click Submit.
Related topics:
● Blocking by file type
● Blocking by file extension
● Blocking executable file uploads
● Block file downloads based on size, or size and category
Click the File Blocking tab in the policy to configure file download blocking for
categories that users are allowed to access according to your settings in the Web
Categories tab. This capability allows your organization to restrict access to particular
files from websites in some or all permitted categories, based on true file type, file
extension, or size. For example, you could permit the category Sports, but block
multimedia (audio and video) files from sites in the Sports category.
Under Advanced Options, you can block the upload of executable files, or define file
download size limits, or size limits per category.
The following file blocking options are available:
● True file type blocking. True file types are detected during security analysis.
Several predefined groups of file types (for example, common image files) are
included on the File Blocking tab for ease of selection.
For example:
1. The General Email category has the Allow access action, but file type
blocking is enabled for multimedia files in the category.
2. An end user attempts to download a file with a known extension (for example,
“movie.mpeg”) or unknown extension (for example, “myfile.111”).
3. If analysis determines that the file is classified as multimedia, the user
receives a block page indicating that the download was blocked.
4. If analysis determines that the file is not a multimedia file, the download
request is permitted as long as the file is not categorized as another blocked
file type.
For more details, see Blocking by file type, page 197.
● File extension blocking. This blocks files based solely on file extensions that you
specify.
For example:
1. The General Email category has the Allow access action, but the file
extensions “.zip” and “.rar” are blocked for the category.
2. An end user attempts to download a file with a .zip extension (for example,
“myfile.zip”).
3. The user receives a block page indicating that the download was blocked by
file extension, because the “.zip” file extension is specifically blocked for this
category.
For more details, see Blocking by file extension, page 198.
Important
Archived/compressed files are not extracted to determine if the contents contain a
file that should be blocked based on the type or extension. However, they are
inspected for malware. Archived and compressed files can be blocked, if needed, in
which case, all files contained in those archived files are blocked.
● Executable file upload blocking. This blocks the upload of any file identified as
an executable. For more details, see Blocking executable file uploads, page 200.
● File size blocking. This blocks files based on the maximum size that you specify.
You can block all files based on the following:
■ The file type and size.
■ The file type and size in a specific category or categories.
■ The file extension and size.
■ The file extension and size in a specific category or categories.
■ File size alone.
■ File size and category. See Block file downloads based on size, or size and
category, page 200.
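The three ways of blocking a download (true file type, file extension, file size, each optionally limited to certain categories) and the archive caveat above, as one added Python example that is not code from this documentation or from Forcepoint. The signature table is a constructed stand-in for the service's own file type analysis, the BlockRule fields are an assumed representation of the portal settings, and the sample files are constructed in memory.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Leading-byte signatures for the file type groups used below. Constructed for the example;
# the cloud service's true file type detection is not documented at this level.
_SIGNATURES = [
    (b"\x00\x00\x01\xba", "multimedia"),   # MPEG program stream
    (b"\x00\x00\x01\xb3", "multimedia"),   # MPEG video elementary stream
    (b"ID3", "multimedia"),                # MP3 with ID3 tag
    (b"\xff\xd8\xff", "image"),            # JPEG
    (b"\x89PNG\r\n\x1a\n", "image"),       # PNG
    (b"PK\x03\x04", "archive"),            # ZIP
    (b"Rar!\x1a\x07", "archive"),          # RAR
    (b"MZ", "executable"),                 # Windows PE
    (b"\x7fELF", "executable"),            # ELF
    (b"%PDF", "document"),                 # PDF
]


def true_file_type(data: bytes) -> str:
    """Classify by content, not by name: 'myfile.111' with an MPEG header is multimedia."""
    for signature, kind in _SIGNATURES:
        if data.startswith(signature):
            return kind
    return "unknown"


@dataclass
class BlockRule:
    kind: str                              # "type", "extension", or "size"
    value: Optional[str] = None            # file type group or extension; None for size-only rules
    categories: Optional[Set[str]] = None  # None: applies in every permitted category
    over_kb: Optional[int] = None          # None: block regardless of size

    def __post_init__(self) -> None:
        if self.kind == "extension" and self.value:
            # The portal strips a leading period from an extension and supports no wildcards.
            self.value = self.value.lstrip(".").lower()


def _matches(rule: BlockRule, ext: str, ftype: str, category: str, size_kb: float) -> bool:
    if rule.kind == "type" and rule.value != ftype:
        return False
    if rule.kind == "extension" and rule.value != ext:
        return False
    if rule.categories is not None and category not in rule.categories:
        return False
    if rule.over_kb is not None and size_kb <= rule.over_kb:
        return False
    return True


def evaluate_download(filename: str, data: bytes, category: str,
                      rules: List[BlockRule]) -> Tuple[str, str, str]:
    """Return (decision, reason, response) for a download from an already-permitted category.

    Archives are classified as 'archive' and are not opened, mirroring the documented
    behaviour: a blocked type inside a .zip is not seen unless archives themselves are blocked.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ftype = true_file_type(data)
    size_kb = len(data) / 1024
    for rule in rules:
        if _matches(rule, ext, ftype, category, size_kb):
            # Image downloads get a 1x1 transparent pixel instead of a block page.
            response = "1x1 transparent image" if ftype == "image" else "block page"
            return "block", f"{rule.kind}={rule.value or 'any'}", response
    return "allow", ftype, "content"


def zip_containing(name: str, content: bytes) -> bytes:
    """Build an in-memory ZIP archive (constructed sample input for the example)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    mpeg = b"\x00\x00\x01\xba" + b"\x00" * 60          # constructed MPEG-like sample
    rules = [BlockRule("type", "multimedia")]
    print(evaluate_download("myfile.111", mpeg, "General Email", rules))      # blocked by type
    print(evaluate_download("myfile.zip", zip_containing("movie.mpeg", mpeg),
                            "General Email", rules))                          # allowed: not extracted
```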
Related topics:
● File Blocking tab
● Blocking by file extension
● Blocking executable file uploads
● Block file downloads based on size, or size and category
Note that this option is available for Forcepoint Web Security Cloud only.
1. On the File Blocking tab, click the file type that you want to configure for
blocking.
2. On the File Block Details page, set the file blocking Rule State to Enabled.
3. To configure blocking by file size:
a. Under Blocking Options, select Block all files over... KB.
b. Define whether you want to block all files of this type over a particular size
that you enter, or block files over a particular size for this type but only in
specific categories. You also have the option to block files in specific
categories without regard to size.
4. To block files in specific categories:
a. Select Category specific blocking.
b. Optionally, to block files by size, select Block files in certain categories
over... KB, then fill in the size in kilobytes.
Only files of the selected type that are over this size will be blocked in the
categories you choose.
c. By default, the selected file type is blocked for all categories. To change this,
use the category and action lists.
You can select a category directly from the list, or enter text in the search box
to locate the category you want. Click on the plus sign to the left of each
category to view subcategories to which you can also apply blocking actions.
If the parent and subcategory actions differ, an asterisk appears next to the
parent category.
To select multiple categories, use the Shift and/or Ctrl keys. You can also use
the drop-down menu above the category list to select all Web 2.0 categories or
privacy categories, or to select or deselect all categories.
5. Optionally, enter or select the users and groups to whom the file blocking applies.
You can also specify that the file blocking applies to all users and groups in the
policy except the group you select.
6. Select the block page that will be displayed when this file type is detected and
blocked. Block pages are not displayed for image files; instead images are
replaced by a 1x1 pixel transparent image.
7. Click Save.
Important
Archived/compressed files are inspected for malware but are not extracted to
determine if the contents contain a file that should be blocked based on file type.
Archived and compressed files can be blocked, if needed, and access to all files
contained in those archived files is blocked.
Related topics:
● File Blocking tab
● Blocking by file type
● Blocking executable file uploads
● Block file downloads based on size, or size and category
Note
If you include the period in the extension (for example, .jpg) it will be removed.
Wildcards are not supported.
Note
Blocking by file size is not available for web traffic that has been handled by an
appliance.
c. By default, files with the selected extensions are blocked for all categories. To
change this, use the category and action lists.
You can select a category directly from the list, or enter text in the search box
to locate the category you want. Click on the plus sign to the left of each
category to view subcategories to which you can also apply blocking actions.
If the parent and subcategory actions differ, an asterisk appears next to the
parent category.
To select multiple categories, use the Shift and/or Ctrl keys. You can also use
the drop-down menu above the category list to select all Web 2.0 categories or
privacy categories, or to select or deselect all categories.
6. Optionally, enter or select the users and groups to whom the file blocking applies.
You can also specify that the file blocking applies to all users and groups in the
policy except the group you select.
7. Select the block page that will be displayed when this file extension is detected
and blocked.
8. Click Save.
Important
Archived/compressed files are inspected for malware but are not extracted to
determine if the contents contain a file that should be blocked based on file
extension. Archived and compressed files can be blocked, if needed, and access to
all files contained in those archived files is blocked.
Advanced options
Related topics:
● File Blocking tab
● Blocking by file extension
● Blocking by file type
Important
Executable files included in archived/compressed files are not blocked. Archived/
compressed files are inspected for malware but are not extracted to determine if the
contents contain an executable file that should be blocked. Archived and
compressed files can be blocked, if needed, to avoid uploading an unwanted
executable file.
Click the Data Protection tab in the policy to configure options for handling potential
data issues using Data Protection Service (DPS).
This tab is available when adding a policy if Use Data Protection Service is selected
on the Web > Settings > Data Protection Settings page.
Note
Data Protection Service integration requires an additional license. If you would like
further information on integrating with Data Protection Service, please contact your
account manager.
To enable this tab for an existing policy, navigate to Web > Settings > Data
Protection Settings and use the table at the bottom to reset the data security selection
for the policy. See Data Protection Settings for details.
When Data Protection Service is enabled, the cloud proxy sends user requests that
may include sensitive data or files being posted to HTTP, HTTPS, and FTP sites to
Data Protection Service for inspection. Sensitive data may include intellectual
property, data that is protected by national legislation or industry regulation, and data
suspected to be stolen by malware or malicious activities. Such requests are then
blocked or allowed based on information provided to the cloud service by DPS, using
the policies defined in the on-premises Forcepoint DLP product.
Important
Data Protection is not compatible with the I Series appliance.
Important
The same user information must exist in both Forcepoint Web Security Cloud and
Forcepoint DLP in order for user requests to be accurately inspected by Forcepoint
DLP.
Users blocked for data security incidents receive a special block page. The block page
can be configured by doing one of the following:
● Click the Data Protection block page link at the top of the Data Protection tab in
a policy.
● Go to the Web > Policy Management > Block & Notification Pages page,
expand the General section, and then select Data Protection.
Note
Requests that include files that exceed 10Mb in size are not forwarded to Data
Protection Service. These requests are allowed and no log record is generated.
Click the Data Security tab in the policy to configure options for blocking or
monitoring data loss over web channels.
This tab is available when adding a policy if Use DLP Lite is selected on the Web >
Settings > Data Protection Settings page or if the Data Protection Service is not
licensed.
To enable this tab for an existing policy, navigate to Web > Settings > Data
Protection Settings and use the table at the bottom to reset the data security selection
for the policy. See Data Protection Settings for details.
Important
Data security features are not compatible with the I Series appliance.
When data security features are enabled, the cloud service searches for sensitive data
or files being posted to HTTP, HTTPS, and FTP sites, and reports on any incidents
that it discovers. Sensitive data may include intellectual property, data that is protected
by national legislation or industry regulation, and data suspected to be stolen by
malware or malicious activities. You can configure whether such incidents are blocked
or just monitored.
To search for data over HTTPS, be sure SSL decryption is enabled by following the
instructions provided in Enabling SSL decryption, page 181.
When blocking is enabled for data security incidents, users receive a special block
page. To configure this block page, do one of the following:
● Click the Data Security block page link at the top of the Data Security tab in a
policy.
● Go to the Web > Policy Management > Block & Notification Pages page,
expand the General section, and then select Data Security.
Regulations
Most countries and certain industries have laws and regulations that protect
customers, patients, or staff from the loss of personal information such as credit card
numbers, social security numbers, and health information.
To set up rules for the regulations that pertain to you:
1. Click No region selected. (To edit regions, click the link, “n regions selected.”)
2. Select the regions in which you operate. Forcepoint Security Labs provides a set
of predefined policies to cover regions all over the world and maintains those
policies as regulations change.
3. Select the regulations of interest.
Regulations (Regulation: Description):
● Personally Identifiable Information (PII): Detects Personally Identifiable
Information (for example, names, birth dates, driver license numbers, and
identification numbers). This option is tailored to specific countries.
● Protected Health Information (PHI): Detects Protected Health Information (for
example, terms related to medical conditions and drugs) together with identifiable
information.
● Payment Card Industry (PCI DSS): Conforms to the Payment Card Industry (PCI)
Data Security Standard, a common industry standard that is accepted internationally
by all major credit card issuers. The standard is enforced on companies that accept
credit card payments, as well as other companies and organizations that process,
store, or transmit cardholder data.
4. Select an action to take when matching data is detected. Select Block to prevent
the data from being sent through the web channel. Select Monitor to allow it.
(Incidents are created either way.)
The Action column now appears in the Incident Manager by default, showing
whether each incident was monitored or blocked.
5. Select a sensitivity to indicate how narrowly or widely to conduct the search.
Select Wide for the strictest security. Wide has a looser set of detection criteria
than Default or Narrow, so false positives may result. Select Narrow for tighter
detection criteria. This can result in false negatives or undetected matches.
Default is a balance between the two.
Severity is automatically calculated for these regulations.
For more information on the detection rules for these regulations, see Data Security
Content Classifiers (DLP Lite only), page 281.
Data Theft
Use this section to detect when data is being leaked due to malware or malicious
transactions. When you select these options, the cloud service searches for and reports
on outbound passwords, encrypted files, network data, and other types of information
that could be indicative of a malicious act.
To see if your organization is at risk for data theft:
1. Select the types of data to look for.
2. Select an action to take when matching data is detected. Select Block to prevent
the data from being sent through the web channel. Select Monitor to allow it.
(Incidents are created either way.) You can filter by action in the Data Security
Incident Manager.
3. Select a sensitivity to indicate how narrowly or widely to conduct the search.
Select Wide for the strictest security. Wide has a looser set of detection criteria
than Default or Narrow, so false positives may result and performance may be
affected. Select Narrow for tighter detection criteria. This can result in false
negatives or undetected matches. Default is a balance between the two.
Some data theft classifiers cannot be changed from their default setting.
Severity is automatically calculated for these types.
Custom
Use this section if you want to detect intellectual property or sensitive data using
custom phrases, dictionaries, or regular expressions containing business-specific
terms or data.
1. Define new classifiers on the Web > Policy Management > Content Classifiers
page. See Configure Content Classifiers for Data Security (DLP Lite) for
instructions.
2. On the Data Security tab, select the classifiers that you want to enable for the
policy. If none are listed, none have been created yet.
3. Select a severity for each classifier to indicate how severe a breach would be.
Select High for the most severe breaches. Severity is used for reporting purposes.
It allows you to easily locate High, Medium, or Low severity breaches when
viewing reports.
4. Where applicable, configure a threshold for each classifier. To do so, click a link
in the Threshold column, and then indicate how many times this classifier should
be matched to trigger an incident. You can indicate a range if desired, such as
between 3 and 10. By default, the threshold is 1.
Also indicate if you want the system to count only unique matches when
calculating the threshold or all matches, even duplicates. Example: your classifier
has the key phrase “top secret” and a threshold of 5. If the key phrase is found 6
times in a single web post, the system would count that as one match if you select
Count only unique matches or 6 matches if you select Count all matches even
duplicates. In the first case, the threshold is not triggered. In the second case, it is.
Trusted Content
1. In Trusted domains, enter the domains you do not want to be monitored, one
entry per line. For example:
forcepoint.com
cnn.com
The system does not analyze trusted domains. This means users can send them
any type of sensitive information via HTTP, HTTPS, or other web channels from
your network.
Duplicate domains are not permitted. Wildcards are supported.
You can add up to 100 trusted domains per policy. Each one can have up to 256
characters.
2. Click Select Categories to select website categories that do not require DLP
analysis—for example, office collaboration sites.
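The Custom classifier threshold rules (including the "top secret" counting example) and the Trusted domains exemption above, modelled together in Python as an added example. This is not Forcepoint code: the wildcard matching rule, the subdomain handling, the classifier patterns and the sample post are assumptions made for illustration.

```python
"""Added example: a toy model of the DLP Lite checks described above (custom
classifier thresholds with unique-vs-all counting, and Trusted domains that are
never analyzed). Not Forcepoint code."""
from __future__ import annotations
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

MAX_TRUSTED_DOMAINS = 100   # documented limit per policy
MAX_DOMAIN_LENGTH = 256     # documented limit per entry


def parse_trusted_domains(text: str) -> list[str]:
    """Parse the Trusted domains box: one entry per line, no duplicates,
    at most 100 entries of at most 256 characters each."""
    domains: list[str] = []
    for line in text.splitlines():
        entry = line.strip().lower()
        if not entry:
            continue
        if len(entry) > MAX_DOMAIN_LENGTH:
            raise ValueError(f"entry longer than {MAX_DOMAIN_LENGTH} characters")
        if entry in domains:
            raise ValueError(f"duplicate domain: {entry}")
        domains.append(entry)
    if len(domains) > MAX_TRUSTED_DOMAINS:
        raise ValueError(f"more than {MAX_TRUSTED_DOMAINS} trusted domains")
    return domains


def is_trusted(host: str, trusted: list[str]) -> bool:
    """ASSUMPTION: the page says wildcards are supported but not how they match.
    Here '*' is a shell-style wildcard, and a plain entry covers the host
    itself and its subdomains."""
    host = host.lower().rstrip(".")
    for entry in trusted:
        if "*" in entry:
            if fnmatchcase(host, entry):
                return True
        elif host == entry or host.endswith("." + entry):
            return True
    return False


@dataclass
class Classifier:
    name: str
    pattern: str                        # regex; a key phrase is an escaped literal
    severity: str                       # High, Medium or Low (used for reporting only)
    min_matches: int = 1                # threshold lower bound (default 1)
    max_matches: Optional[int] = None   # upper bound when a range such as 3-10 is set
    unique_only: bool = False           # "Count only unique matches"


def count_matches(clf: Classifier, text: str) -> int:
    """Count matches the way the threshold setting asks: every occurrence,
    or only distinct matched strings."""
    hits = [m.group(0).lower() for m in re.finditer(clf.pattern, text, re.IGNORECASE)]
    return len(set(hits)) if clf.unique_only else len(hits)


def threshold_met(clf: Classifier, n: int) -> bool:
    if n < clf.min_matches:
        return False
    return clf.max_matches is None or n <= clf.max_matches


def evaluate_post(host: str, body: str, trusted: list[str],
                  classifiers: list[Classifier]) -> list[dict]:
    """Incidents a web post to `host` would raise. Posts to trusted domains are
    not analyzed at all, which is exactly why that list deserves care."""
    if is_trusted(host, trusted):
        return []
    incidents = []
    for clf in classifiers:
        n = count_matches(clf, body)
        if threshold_met(clf, n):
            incidents.append({"classifier": clf.name, "severity": clf.severity, "matches": n})
    return incidents


# Constructed sample configuration and post (not real data).
TRUSTED = parse_trusted_domains("forcepoint.com\ncnn.com\n*.sharepoint.example")
TOP_SECRET_UNIQUE = Classifier("Top secret (unique)", re.escape("top secret"), "High",
                               min_matches=5, unique_only=True)
TOP_SECRET_ALL = Classifier("Top secret (all)", re.escape("top secret"), "High", min_matches=5)
ACCOUNT_IDS = Classifier("Account IDs", r"\bACME-\d{6}\b", "Medium",
                         min_matches=3, max_matches=10, unique_only=True)
SAMPLE_POST = "top secret " * 6 + "see ACME-000123 ACME-000124 ACME-000123 ACME-000125"

if __name__ == "__main__":
    print(evaluate_post("paste.example", SAMPLE_POST, TRUSTED,
                        [TOP_SECRET_UNIQUE, TOP_SECRET_ALL, ACCOUNT_IDS]))
    print(evaluate_post("docs.forcepoint.com", SAMPLE_POST, TRUSTED, [TOP_SECRET_ALL]))
```

With the sample post, the "top secret" classifier with a threshold of 5 fires only when all matches are counted (6) and stays silent when only unique matches are counted (1), and the same post to a trusted domain raises nothing at all.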
Related topics:
● Advanced Classification Engine (ACE) analysis overview
● Configuring ACE analysis settings
● Configuring file analysis
● Analysis exceptions
Use the Web Content & Security tab of the Web > Policies page for a selected
policy to configure advanced analysis options, including exceptions. This tab is
available for Forcepoint Web Security Cloud only.
Note
For an I Series appliance deployment, when performance optimization is selected
the cloud service analyzes only sites with elevated risk profiles.
You must enable Real-Time Security Classification to use the options on the
Application Controls tab. See Application Control tab, page 193.
● Antivirus File Analysis - Inbound analyzes files using traditional antivirus (AV)
definitions to find virus-infected files that users are attempting to download.
● Advanced Detection File Analysis - Inbound analyzes files using advanced
detection techniques to discover malicious content, such as viruses, Trojan horses,
and worms, returning a threat category for policy enforcement.
You can configure the specific types of files to analyze under File Type Analysis
Options. Note that executable file analysis is configured separately (see
Configuring file analysis, page 209).
Note
If file analysis is configured to include multimedia files, when the streaming media
is buffered and analyzed, the connection to the server may time out. In such cases,
the best remedy is to create an analysis exception for that site. See Analysis
exceptions, page 210.
● Rich Internet Application Analysis is applied to active content like Flash and
Silverlight to detect and block malicious content.
There are also two ACE outbound traffic analysis options that are enabled by default
and cannot be turned off. This ensures that viruses and other malicious content cannot
be sent from your network.
● Antivirus and Advanced Detection File Analysis - Outbound parallels the
inbound file analysis applied by the Antivirus File Analysis and Advanced
Detection File Analysis.
● Bot and Spyware “phone home” Traffic Analysis detects phone-home
communication attempts from malware in your network and ensures that they are
categorized and blocked.
The cloud service must analyze and block outbound malicious traffic in order to
protect itself from being perceived as a malicious actor. Some origin servers blacklist
client IP addresses if they detect malicious communications or hack attempts. If
malicious communications were permitted to go through cloud proxies, the proxies
would be blacklisted. This could mean that a single infected client could cause all
clients browsing via the same cluster to be blacklisted.
This traffic is also logged, so you can run a report to obtain a list of the infected
computers in your network.
Note
For an I Series appliance deployment, when performance optimization is selected,
the cloud service analyzes only sites with elevated risk profiles.
Related topics:
● Advanced Classification Engine (ACE) analysis overview
● Configuring ACE analysis settings
● Analysis exceptions
Executable Files
Mark Analyze executable downloads on the Web Content & Security tab for a policy
to protect your organization from inbound executables.
If you choose to analyze executable file downloads, you can block executable files by
category on the File Blocking tab. Also use the File Blocking tab to:
● Configure the notification page presented to the user when an executable
download is blocked.
● Optionally block users from uploading executable files. See Blocking executable
file uploads.
Note
For an I Series appliance deployment, when performance optimization is selected,
the cloud service performs file type analysis only for sites with elevated risk
profiles.
2. To always analyze files having a specific extension, under Analyze these file
extensions, enter the extension in the entry field and click Add or press Enter.
You can enter multiple extensions, separated by commas. For example, enter gz,
cad, or js.
■ To edit an existing file extension, you must delete it, and add it again with the
changes that you want.
■ To remove an extension from the list, select the extension or extensions from
the list, and click Delete. To select multiple extensions, select each extension
while pressing the Ctrl or Shift key.
3. Next to Maximum file size to analyze, enter a size in megabytes. Files larger
than the specified size are not analyzed.
4. When you’re finished, click Save.
To configure exceptions to advanced analysis, see Analysis exceptions.
Analysis exceptions
Related topics:
● Advanced Classification Engine (ACE) analysis overview
● Configuring ACE analysis settings
● Configuring file analysis
Analysis exceptions are lists of trusted or untrusted sites (hostnames) that are never
analyzed or always analyzed. The type of analysis to never or always perform is
specified per hostname or group of hostnames.
Use the Always Analyze and Never Analyze lists to refine the advanced analysis
offered by the cloud service. When real-time content classification, real-time security
classification, or antivirus file analysis options are enabled, sites on the Always
Analyze list are always analyzed, and sites on the Never Analyze list are never
analyzed.
Use the Never Analyze list with caution. If a site on the list is compromised, the cloud
service does not analyze the site and cannot detect the security problem.
To add sites to the Always Analyze or Never Analyze lists:
3. Click the Add icon to add the host name to the list.
A site can appear in only 1 of the 2 lists.
4. When you are finished making changes to both lists, click Save.
To delete a site from a list, click the red “X” (delete) icon to the right of the hostname.
To edit a hostname in either list, click the pencil (edit) icon.
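The file-analysis settings (executable downloads, extension list, maximum file size) and the Always Analyze and Never Analyze lists above, combined into one decision routine as an added example. This is not Forcepoint code: the set of executable extensions, the precedence between the lists and the size limit, and the sample URLs are assumptions made for illustration.

```python
"""Added example: a toy version of the inbound file-analysis decision described
above (Analyze executable downloads, Analyze these file extensions, Maximum
file size to analyze, Always Analyze and Never Analyze lists). Not Forcepoint code."""
from __future__ import annotations
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# ASSUMPTION: the page does not list which extensions count as executables.
EXECUTABLE_EXTENSIONS = {"exe", "dll", "msi", "scr", "com"}


def parse_extension_field(text: str) -> set[str]:
    """The entry field accepts several comma-separated extensions, e.g. 'gz, cad, js'."""
    return {e.strip().lower().lstrip(".") for e in text.split(",") if e.strip()}


@dataclass
class FilePolicy:
    analyze_executables: bool = True
    extensions: set[str] = field(default_factory=set)     # Analyze these file extensions
    max_size_mb: int = 10                                   # Maximum file size to analyze
    always_analyze: set[str] = field(default_factory=set)  # hostnames
    never_analyze: set[str] = field(default_factory=set)   # hostnames

    def __post_init__(self) -> None:
        self.always_analyze = {h.lower() for h in self.always_analyze}
        self.never_analyze = {h.lower() for h in self.never_analyze}
        both = self.always_analyze & self.never_analyze
        if both:  # a site can appear in only one of the two lists
            raise ValueError(f"host in both lists: {sorted(both)}")


def _extension(url: str) -> str:
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def decide(policy: FilePolicy, url: str, size_mb: float) -> tuple[str, str]:
    """Return ('analyze' or 'skip', reason) for a download of `url` of `size_mb` MB.
    ASSUMPTION: precedence is Never Analyze, then the size limit, then
    Always Analyze, then file type; the page does not state the order."""
    host = (urlsplit(url).hostname or "").lower()
    ext = _extension(url)
    if host in policy.never_analyze:
        return "skip", "host on Never Analyze list (not inspected even if compromised)"
    if size_mb > policy.max_size_mb:
        return "skip", f"{size_mb} MB exceeds the {policy.max_size_mb} MB limit"
    if host in policy.always_analyze:
        return "analyze", "host on Always Analyze list"
    if ext in EXECUTABLE_EXTENSIONS:
        if policy.analyze_executables:
            return "analyze", "executable download"
        return "skip", "executable analysis disabled"
    if ext in policy.extensions:
        return "analyze", f"extension '{ext}' is on the analyze list"
    return "skip", "no file-type rule matched"


# Constructed sample policy (hostnames and values are illustrative).
POLICY = FilePolicy(
    extensions=parse_extension_field("gz, cad, js"),
    max_size_mb=50,
    always_analyze={"downloads.untrusted.example"},
    never_analyze={"cdn.partner.example"},
)

if __name__ == "__main__":
    for url, size in [
        ("https://files.example/setup.exe", 12),
        ("https://files.example/archive.gz", 80),
        ("https://cdn.partner.example/app.js", 1),
        ("https://downloads.untrusted.example/readme.txt", 1),
    ]:
        print(url, decide(POLICY, url, size))
```

The third sample URL is the caveat from the text made concrete: a script served from a host on the Never Analyze list is passed through without inspection, so that list should hold only sites whose compromise you are prepared to miss.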
Related topics:
● Using the Report Catalog
● Using the Report Builder
● Scheduling reports
● Exporting data to a third-party SIEM tool
● Web: Using the Transaction Viewer
● Web: Using the Incident Manager
● Email: Using Message Details
● Report attributes: Web and Data Security
● Report metrics: Web and Data Security
● Web: Web predefined reports
● Service reports
● Account Reports
Web and email cloud protection solutions include many tools for reporting on service
activity and security events. For information specific to web and data reporting, see
Web Reporting Tools, page 235. The following sections describe the Report Center.
Report Center features include:
● Report Catalog offers predefined reports. You can copy a predefined report to
apply your own filters to create a custom report. See Using the Report Catalog,
page 214.
● Report Builder supports the definition and creation of custom reports. See Using
the Report Builder, page 220.
● Scheduler allows reports to be generated on a schedule that you define.
Optionally, reports are sent to recipients that you specify. See Scheduling reports,
page 225.
● The Transaction Viewer supports flexible, detailed display of web transactions
and requests. See Using the Transaction Viewer, page 236.
● The email Message Center supports flexible, detailed display of email
transactions. See Viewing detailed reports, page 374.
Related topics:
● Managing reports
● Managing folders
● Web predefined reports
● Email predefined reports
Use the Reporting > Report Center > Report Catalog page to access predefined
reports for common scenarios.
The Report Catalog includes the following elements:
● The Toolbar, at the top, contains buttons for returning to the previous page,
creating new reports and folders, copying, sharing, and deleting items. Hover the
mouse over a button to see a description of its function.
● The folder list, in the left-hand pane, contains the following top-level folders:
■ The Favorites folder enables you to easily locate your most frequently-used
reports. You can mark a report or report folder as a favorite in the following
ways:
○ Click the star to the left of the report or folder name in the Report Catalog.
The star turns yellow when selected.
○ Click the star to the right of the report name in the Report Builder or
Transaction View. You do not need to save your changes.
To remove a report from Favorites, click the star again to turn it gray.
When viewing the Favorites folder, note that you are essentially viewing a list
of shortcuts to the reports. Choose View in folder from a favorite report’s
drop-down menu to see the report in its original folder.
■ My Reports contains all of the reports and folders that you create.
■ Standard Reports contains the predefined reports provided in the cloud
service. If you have more than one service, separate subfolders contain the
predefined reports for each service.
For information about web and data security predefined reports, see Web
predefined reports, page 252.
■ Shared by Others contains items that have been shared for use by all
administrators in your account. Each folder has the user name of another
administrator, and contains the reports shared by that administrator.
If a folder contains one or more subfolders, click the arrow to see those subfolders
in the left-hand pane. Click a folder name to see its contents in the right-hand
pane.
● The table in the right-hand pane displays the contents of the folder you select in
the folder list. This can be one or more subfolders, or a list of reports. To see a
description of a particular report, hover the mouse over the report name.
From this pane, you can perform actions on one or more reports and folders, such
as copying, renaming, and deleting folders, or editing, running, or sharing a
report. The actions available to you depend on the permissions configured. For
example, you cannot delete reports in the Standard Reports folder. See Managing
reports, page 215, and Managing folders, page 218.
● The Search field, in the top right corner, enables you to search for specific words
or phrases in report titles. Search results list the report name, its location, and if
applicable, the report owner and the last time it was edited. You can manage a
report directly from the search results list. For example you can run it, or if you
have suitable permissions, share or delete it.
Managing reports
The Report Catalog offers the options to run, edit, share, copy, schedule, and delete
reports. You can also access the Report Builder to create and save new reports.
The actions available to you depend on the permissions configured – for example, you
cannot delete reports in the Standard Reports folder.
Select a link below for further instructions.
● Run a report
● Add a new report
● Copy a report
● Edit an existing report
● Share a report
● Schedule a report
● Delete a report
Run a report
1. In the left-hand pane, navigate through the folder structure and select the
subfolder containing the report you want. The reports appear in the table on the
right of the screen.
2. Click the report you want to run. Alternatively, click the down arrow next to the
report, and select Run from the menu.
3. The results are displayed in the Report Builder. See Viewing report results and
Viewing detailed reports.
2. Define attributes (for a grouped report), filters, and date ranges for your report as
described in Creating a report.
3. To save your new report to the Report Catalog, click the Save button in the
toolbar.
4. Enter a name and optionally a description for the report. The name can be a
maximum of 200 characters, and the description a maximum of 400 characters.
5. Select the folder to store the report in. By default this is the My Reports folder; if
you have created subfolders, you can use the Folder drop-down to choose one of
those.
6. Click Save Report.
Copy a report
1. Navigate through the Report Catalog to find the report you want to copy. This can
be a standard report, one created by you, or a report shared by someone else.
2. Click the down arrow next to the report you want, and select Copy from the menu.
Note
To copy multiple reports, mark the check box to the left of each report, then click the
Copy button in the toolbar.
3. If you are copying a standard or shared report, select the folder where you want to
store the copied report. By default this is the My Reports folder; if you have
created subfolders, you can use the Folder drop-down to choose one of those.
If you are copying one of your own reports, it is automatically saved to the same
folder as the original. You can move it to a different location later if required; see
Move items between folders.
4. Click Copy.
The report is saved to the selected location. If you are copying a report that you
own, “Copy” is appended to the report name. You can now rename the report by
clicking its down arrow and selecting Rename from the menu. You can also edit it
as required.
4. If you are editing a report that you created, or a shared report for which you have
editing permissions, you can save your changes by clicking the Save button in the
toolbar. The report is saved with the same name and in the same location,
overwriting the previous version.
If you are editing a standard report, or a shared report for which you do not have
editing permissions, click the Save As button in the toolbar to save the edited
report to one of your folders.
Share a report
1. In My Reports, click the down arrow next to the report you want, and select
Sharing from the menu. Alternatively, mark the check box next to one or more
reports, and click the Share button in the toolbar.
Note
You can also share a report after running it in the Report Builder.
Note
If a shared report is set to automatically detect the time zone, a user accessing the
report will always get the report in their local time zone.
Schedule a report
In My Reports, click the down arrow next to the report you want, and select Schedule
from the menu. Alternatively, mark the check box next to one or more reports, and
click the Schedule button in the toolbar. You can select a maximum of 5 reports for
each scheduling job.
Note
You can also schedule a report after running it in the Report Builder.
The Add Job scheduler window opens. For more information, see Scheduling reports.
Delete a report
1. In My Reports, click the down arrow next to the report you want to delete, and
select Delete from the menu. Alternatively, mark the check box next to one or
more reports, and click the Delete button in the toolbar.
2. In the popup window, click Delete to confirm.
Managing folders
The Report Catalog offers the options to create, copy, share, delete, and move items
between folders. The actions available to you depend on the permissions configured.
For example, you can only move and share your own folders.
Select a link below for further instructions.
● Create a new folder
● Copy a folder
● Move items between folders
● Share a folder
● Delete a folder
Copy a folder
When you copy a folder, you also copy all of the contents in that folder, including
subfolders and their contents.
To copy a folder:
1. Navigate through the Report Catalog to find the folder you want to copy. This can
be a folder containing standard reports, one created by you, or a folder shared by
someone else.
2. Click the down arrow next to the folder you want, and select Copy from the menu.
Note
To copy multiple folders, mark the check box to the left of each folder, then click the
Copy button in the toolbar.
3. If you are copying a standard or shared folder, select the location where you want
to store the copied folder. By default this is the My Reports folder; if you have
created further subfolders, you can use the Folder drop-down to choose one of
those.
If you are copying one of your own folders, it is automatically saved to the same
location as the original.
4. Click Copy.
The folder is saved to the selected location. If you are copying a folder that you
own, “Copy” is appended to the folder name. You can now rename the folder by
clicking its down arrow and selecting Rename from the menu. You can also edit
the reports in the folder as required.
Note
If a report is shared, moving it to a folder that is not shared does not change the
sharing permission assigned to the report. If you move a report to a shared folder, the
report inherits the folder’s sharing permissions.
Share a folder
When you share a folder, you also share the reports in that folder with the same
permissions. You can then edit the sharing permissions for individual reports within
the folder, but note that doing so removes the sharing permission from the folder
itself. See Share a report for more information.
To share a folder:
1. Navigate through My Reports until the folder you want to share is shown in the
right-hand pane.
2. Click the down arrow next to the folder, and select Sharing from the menu.
Alternatively, mark the check box next to one or more folders, and click the Share
button in the toolbar.
3. In the popup window, select one of these options:
■ Not shared means you are the only person who can access the folder. Select it
if you want to remove sharing from a folder.
■ View only allows others to run the reports in this folder, but not save any
changes to them.
■ Allow editing enables others to both run and save changes to the reports in
this folder.
4. Click OK.
The folder now has the sharing icon next to it in the list. Hover the mouse over the
icon to see the sharing permissions allocated to the folder.
Delete a folder
Deleting a folder also deletes all reports and subfolders contained within it.
To delete a folder:
1. Navigate through My Reports until the folder you want to delete is shown in the
right-hand pane.
2. Click the down arrow next to the folder you want to delete, and select Delete from
the menu. Alternatively, mark the check box next to one or more folders, and click
the Delete button in the toolbar.
3. In the popup window, click Delete to confirm.
Related topics:
● Creating a report
● Viewing report results
● Viewing detailed reports
● Report attributes: Web and Data Security
● Email report attributes
The Reporting > Report Center > Report Builder page offers an enhanced model
for creating multi-level, flexible reports that allow you to analyze information from
different perspectives. If a high-level summary shows areas of potential concern, you
can drill down to find more details.
When you select the Report Builder, you may be asked which type of report you want
to create: web, data, or email.
The Report Builder has the following elements:
● The Toolbar contains buttons for starting a new report, saving, scheduling,
sharing, and updating the current report. There are also buttons for exporting
reports in PDF or CSV format.
● The Attributes list, in the left pane, contains the data types that you can use to
create reports.
■ For information about web and data report attributes, see Report attributes:
Web and Data Security, page 239.
Use the Search box at the top of the list to filter the Attribute list further.
● The Metrics list, in the left pane, contains options that you can add as columns to
the report. Drag metrics into and out of the report results area to add them to or
remove them from the report. The available metrics change depending on the
attributes that are selected.
■ For information about web and data security metrics, see Report metrics: Web
and Data Security, page 250.
All web reports contain Hits as the primary metric, as signified by a star in the
column name. To change the primary metric, drag a second metric to the report
and then sort by that new metric to make it the primary. For more information, see
Report Builder metrics.
Note
If you add the Browse Time metric to your report, note that the browse time totals
may not be accurate for second-level grouping data.
For example, if you create a report with the first attribute as User and the second as
Domain, and a user goes to 2 different sites within the same minute the browse time
totals are correct at the first level for the user, but at the second level the 2 sites are
each allocated 1 minute of browse time. Therefore you cannot accurately add up the
browse time totals at the second level.
● In the right pane, the Grouping field can contain up to 2 attributes to define the
data grouping that appears in the report. For example, in a web report, if you drag
the Category attribute followed by the Action attribute into this field, this creates a
summary report on hits by category, and also displays the data broken down by
action within those categories. In an email report, if you drag the Policy attribute
followed by the Recipient Address attribute into this field, this creates a summary
report on messages by policy, and also displays the data broken down by recipient
addresses within those policies. For more information about defining grouping
data, see Creating a report.
● The Filters field can contain attributes to filter the report results further. For more
information about defining filters, see Creating a report.
● The Date range defines the time period covered by the report. This can be a
standard period (between 1 hour and 8 months) or a specific date and time range.
You can also choose whether to automatically detect the time zone for the report,
or choose a specific time zone from the drop-down list.
● Next to the date range, the display options enable you to select how many rows
appear in your report. Once a report has been generated, this section also includes
options to page through longer reports, and to display the report results in different
table and graph formats. For more information, see Viewing report results.
● The report results appear in the right pane when you click Update Report, and
by default are in a table format. You can choose to display the results in different
formats as described above, and to select report elements to drill down further. For
more information, see Viewing detailed reports.
Creating a report
To create a report:
1. Drag up to 2 attributes from the Attributes list to the Grouping field.
■ The Report Builder does not allow you to add more than 2 attributes, nor can
you add the same attribute more than once.
■ By default, the report shows the top 10 matches by number of hits. Click an
attribute box in the Grouping field to change the grouping data to show a
specified number of top results, a specified number of bottom results, or all
results.
Note
Choosing to view all results may mean the report takes a long time to generate.
■ To remove an attribute from the Grouping field, click the “x” icon on the
attribute box.
2. To add filters to the report, drag an attribute to the Filters field.
a. On the popup that appears, use the drop-down list to define how the filter
handles the values that you specify. The options available depend on the
attribute that you have selected. For example, you may be able to include or
exclude values, or state that search terms equal or do not equal your text.
b. Enter or select the search terms or values that you want to filter on. Depending
on the filter, you can:
○ Select one or more check boxes
○ Start typing text that will autocomplete based on data in the system
○ Enter the exact text that you want to use
For filters where you are including or excluding values already stored in the
system, start typing to see a list of potential matches. Then select the option
you want from the list. You can add multiple values to the filter.
Note
A Use free text entry check box is available for filters that use autocompleted text.
Selecting this allows you to copy and paste multiple values into the text box rather
than entering each one individually. Any autocompleted values already added are
converted to free text when the check box is selected, and if the check box is cleared,
any free text values are converted to autocompleted values.
For filters where you enter free text, enter the terms you want separated by
commas.
c. Click OK when done.
To edit a filter, click its attribute box. To remove an attribute from the Filters field,
click the “x” icon on the attribute box.
3. Click in the Date range field to define the report period.
■ To specify a set period in hours, days, or months, select an option from the
Last drop-down list.
■ To specify a particular date range, select the From radio button and use the
calendars to choose the required dates. Date ranges include the whole 24-hour
period, unless you mark Specify start and end time to enable and edit the
times for the report as well as the dates.
Note that reports are run using your local time zone unless you specify otherwise.
Click Done when you are finished.
4. Click the Update Report button to generate the report.
Note
The Update Report button turns yellow when you enter or change valid report
content, signifying that you can generate a report with the selected criteria.
Use the options in the toolbar to define how you display and navigate through report
results:
Each item in the report has a check box. Select one or more check boxes to open a
popup window that enables you to:
● Drill down into more detailed information. See Drilling into report items.
● Show only the report items you have selected
● Filter out the report items you have selected
● View individual transactions for the items you have selected.
● Cancel any selections you have made.
2. In the popup window, select an available attribute from the Drill Into By the drop-
down list.
3. The new report loads. Note that as you have moved down a level in the report, the
items you selected in step 1 are now in the Filters field, while the Grouping field
contains the other report attributes, including the one you selected in step 2.
You can edit the content of the Grouping and Filters fields, and view the report in
different formats, in exactly the same way as for the previous report.
4. To drill down a further level, repeat steps 1-3 above.
Exporting a report
You can export your report results as either a PDF or CSV file.
To export a CSV file, click the Export to CSV button in the top right corner.
To export a PDF:
1. Click the Export to PDF button in the top right corner.
2. On the popup window that appears, enter a name, and optionally a description, for
the report.
3. Choose a page size and orientation for the PDF.
4. Click Export.
Scheduling reports
The Reporting > Report Center > Scheduler page lists the scheduled jobs created
for reports. The list gives basic information about the job, such as how frequently it
runs and which administrator owns it. From this page, you can add and delete
scheduled jobs, and edit the content and frequency of jobs.
The list provides the following information for each job.
Column       Description
Job Name     The name assigned when the job was created.
Recurrence   The recurrence pattern (Once, Daily, Weekly, Monthly) set for this job. For daily, weekly, and monthly reports, the recurrence includes further options for the days the report is run.
Starting     The defined start date for the job.
Ending       The end date for the job. If no end date is set, the column displays Never.
Owner        The user name of the administrator who scheduled the job.
● Click the job name link to edit the job definition. See Adding and editing
scheduled jobs, page 226.
● Click Add Job to define a new job. See Adding and editing scheduled jobs, page
226.
● Select a job and then click Delete to delete a scheduled job. After a job has been
deleted, it cannot be restored.
The Allowance in the top right corner shows you how many jobs are currently
scheduled, and the maximum number of jobs available to you.
Note
Reports saved with a static date range (for example, from 1 May to 1 June) cannot be
scheduled. If you move a report with a static date range to the Selected reports list,
a warning appears, and you can change the date range for the scheduled version of
the report using the drop-down in the Date Range column.
4. Repeat steps 1 and 2 until all reports for this job appear in the Selected reports
list, to a maximum of 5 reports.
5. Click Next to open the Scheduling Options tab.
Frequency   Options
Once        No additional recurrence options are available.
Daily       Select whether the job is run every weekday, or on a certain number of days in the month (for example, every 3 days).
Weekly      Click each day of the week the job is to run.
Monthly     Either select how frequently the job should run (every month to every 12 months) and then click each date the job is to run; or select how frequently the job should run (every month to every 12 months) and then select a frequency and a day of the week. For example, you could run the report every 2 months on the 2nd Tuesday of the month.
2. Under Starting, set the start date for running the job.
Option   Description
Never    The job continues to run according to the established schedule, indefinitely. To discontinue the job at some time in the future, either edit or delete the job.
On       Set the date when the job stops running. It does not run on or after this date.
After    Select the number of times to run the job. After that number of occurrences, the job does not run again, but it stays in the Job Queue until you delete it.
4. Select a Timezone for the report. The reports in the scheduled job will be
delivered by 6am in the selected time zone on the days you define.
5. Click Next to open the Recipients tab.
Format   Description
PDF      Portable Document Format. Recipients must have Adobe Reader v7.0 or later to view the PDF reports.
CSV      Comma-Separated Values file. This can be opened in Microsoft Excel or another spreadsheet program.
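The monthly recurrence, ending and time zone options above, worked through in Python as an added example that computes when a job such as "every 2 months on the 2nd Tuesday" actually runs and by when each report is due. This is not Forcepoint code: counting the cycle from the month of the start date, the 1 January 2021 start and the sample time zone are assumptions made for illustration.

```python
"""Added example: compute the run dates and delivery deadlines of a scheduled
report job configured as described above. Not Forcepoint code."""
from __future__ import annotations
import calendar
from datetime import date, datetime, time
from zoneinfo import ZoneInfo

DELIVERY_TIME = time(6, 0)  # reports are delivered by 6am in the selected time zone


def _as_date(d) -> date:
    return date.fromisoformat(d) if isinstance(d, str) else d


def nth_weekday(year: int, month: int, weekday: int, n: int):
    """Date of the n-th occurrence of `weekday` (Mon=0 .. Sun=6) in the month,
    or None when the month has no such day (for example a 5th Friday)."""
    first = date(year, month, 1)
    day = 1 + (weekday - first.weekday()) % 7 + 7 * (n - 1)
    if day > calendar.monthrange(year, month)[1]:
        return None
    return date(year, month, day)


def _add_months(d: date, months: int) -> date:
    m = d.month - 1 + months
    return date(d.year + m // 12, m % 12 + 1, 1)


def monthly_nth_weekday_runs(start, every_months: int, weekday: int, n: int,
                             end_on=None, after: int | None = None,
                             limit: int = 36) -> list[date]:
    """Run dates for a Monthly job set to 'every `every_months` months on the
    `n`-th `weekday`', starting on or after `start` (a date or ISO string).
    Ending options: `end_on` (the job does not run on or after that date) or
    `after` (stop after that many occurrences); `limit` caps open-ended jobs.
    ASSUMPTION: the cycle is counted from the month of the start date."""
    start = _as_date(start)
    end_on = _as_date(end_on) if end_on else None
    runs: list[date] = []
    month = date(start.year, start.month, 1)
    while len(runs) < limit:
        d = nth_weekday(month.year, month.month, weekday, n)
        if d is not None and d >= start:
            if end_on is not None and d >= end_on:
                break
            runs.append(d)
            if after is not None and len(runs) >= after:
                break
        month = _add_months(month, every_months)
    return runs


def delivery_deadlines(run_dates: list[date], tz_name: str) -> list[datetime]:
    """Latest delivery time for each run: 06:00 in the job's selected time zone."""
    tz = ZoneInfo(tz_name)
    return [datetime.combine(d, DELIVERY_TIME, tzinfo=tz) for d in run_dates]


def example_job() -> list[str]:
    """The page's example: every 2 months on the 2nd Tuesday, here starting
    1 January 2021 and ending after 3 occurrences."""
    runs = monthly_nth_weekday_runs("2021-01-01", 2, weekday=1, n=2, after=3)
    return [d.isoformat() for d in runs]


if __name__ == "__main__":
    runs = monthly_nth_weekday_runs("2021-01-01", 2, weekday=1, n=2, after=3)
    for deadline in delivery_deadlines(runs, "Europe/London"):
        print(deadline.isoformat())
```

Running it lists 12 January, 9 March and 11 May 2021, each due by 06:00 in the selected zone; the `end_on` path shows why an "On" end date is exclusive (a run falling on that date is dropped), and `nth_weekday` returns None for a month that has no 5th occurrence of the chosen weekday.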
Use the Reporting > Account Reports > SIEM Integration page to format reporting
data for use by a third-party SIEM tool. Select data columns and apply filters to the
data, just as you do in other areas of the Report Center (for Web, see Using the
Transaction Viewer, for Email, see Using Message Details).
Before data can be exported, you need to configure SIEM Storage details. Navigate
to Account > SIEM Storage to select a storage type and configure your own storage
if you do not wish to use Forcepoint storage (the default). See Configuring SIEM
storage for details.
After selecting the type of data that you want to export to your SIEM tool, define the
data format, and enable SIEM data export.
To configure and enable SIEM integration:
1. Select a data type (Web Security or Email Security) from the drop-down list. Note
that:
■ You can select one or both options.
■ Only options appropriate to your account are displayed.
2. Use the Columns drop-down list, or drag items into the report panel from the
Attributes or Metrics lists to customize the information that will appear in the
exported data. You can drag columns in the report panel to re-order them.
The default columns vary, depending on which data type you have selected.
The number of columns allowed also varies, depending on the data type. For Web
Security, the limit is 35. For Email Security, the limit is 25.
See Report attributes: Web and Data Security or Email report attributes for
additional information.
3. Drag items from the Attributes or Metrics lists to the Filters field to define any
filters you want to apply to your reporting data before it is exported. On the popup
that appears, use the drop-down list to define how the filter handles the value that
you specify.
The attributes available for use as Filters are a subset of those available to add as a
column. Customers exporting Web data can select filters for the following:
■ Action
■ Category
■ Parent Category
■ Risk Class
■ Severity
■ Policy
■ Cloud App Risk level
Customers exporting Email data can select filters for:
■ Action
■ Direction
■ Emb. URL Category
Only data that matches the selected filters will be included in the downloadable
files.
Note
You can click a column heading to sort the data by the entries in that column. This
may be useful to check that the export will include the data that you want. However,
note that this sort will not be applied to the data that is exported.
4. When you are satisfied with the columns and filters that you have selected, toggle
the Enable data export switch to ON.
Note
Enable data export cannot be set to ON unless a valid storage option has been
configured on Account > SIEM Storage.
The option is automatically set to OFF if:
● Forcepoint storage is enabled but no logs have been downloaded for 30 days.
● Bring your own storage is enabled but no SIEM data could be forwarded to the active
bucket for 14 days.
Multiple emails are sent prior to disabling the export option.
Note
If you give this contact only the Log Export permission and nothing else, the user
name and password cannot be used to log on to the cloud portal. Although log on
permissions are not needed to run the script, the View Reports permission is the
minimum permission a user needs to be able to log on.
Minimum permissions should be given to this user. The user password is needed to
run the script and is viewable in plain text. For that reason, it is recommended that
this user not be one with permissions to modify reports or account policies.
Warning
Forcepoint provides the sample log download script as a convenience to its
customers, but does not provide support for customization and will not be
responsible for any problems that may arise from editing the script.
The script can be run on Windows or Linux, and does the following:
● Connects to the cloud service using the URL specified in the script
● Optionally reports the log files available for download
● Downloads the available log files to a location of your choice, or by default to the
directory where the script is located
● Optionally checks the MD5 hash of each downloaded file to verify the file’s
integrity before deletion from the server
● Uses the HTTP DELETE method to exclude downloaded files from the list of
files to be processed.
Whether they have been downloaded or not, files that are 14 days old are deleted.
Note
Running the script on Windows requires a Perl distribution, which you can
download from http://www.perl.org/get.html.
The script (par file) contains all of the necessary modules, but, should you need to
install them manually, a list of the required modules is included in the ReadMe that
is part of the zip file.
If you customize the sample script or choose to write your own script, you must
always include the DELETE method to avoid listing the same files again and to
remove the downloaded files from the server. This is because files are only retained
for 14 days.
Optionally, you can use the Windows Scheduler or Linux cron and crontab
commands to schedule the script to run at regular intervals. Use the infinite_loop
option (see Running the SIEM log file download script for Forcepoint storage) to run
the script as a background process.
For information about using the sample script, see Running the SIEM log file
download script for Forcepoint storage, page 232.
Running the SIEM log file download script for Forcepoint storage
You can use the parameters described below to customize the sample download script
used to download reporting logs from the cloud service for use by your SIEM tool.
Some parameters have a short form (for example, -v) and a long form (for example,
--verbose). For these parameters, both options are listed.
-u <username>, --username: Mandatory. Defines the logon user name for connecting to the cloud service. This must be an administrator contact with Log Export permissions. For example: -u siem_user@example.com
-p <password>, --password: Mandatory. This is the password for the specified user name. For example: -p Ft2016Logs
--stream: Mandatory. This is used to determine the type of files to be downloaded. Valid values are web, email, or all. If “all” is specified, /web and /email folders are created under the destination directory and files are downloaded to the corresponding folder.
-v, --verbose: Optional. Runs the script in verbose mode, which displays progress messages. Verbose mode provides feedback on the script’s progress, for example:
● Downloading filelist from <host name> as <user name>
● No files available to download
● Downloading <file> to <file name location>
-h <hostname>, --host: Optional. Defines the host name to connect to. This is specified in the script by default, so you would only need this option if you have edited the script to remove it, or if you have been given a different URL to connect to. For example: -h https://sync-web.mailcontrol.com
-d <file path>, --destination: Optional. Defines the destination directory for the downloaded log files. If not specified, the files are downloaded into your current working directory. For example: -d /cloudweb/logs
-m, --md5sum: Optional. Checks the md5sum of each downloaded file. The MD5 hash is commonly used to verify the integrity of files and can be used to check the files before they are deleted from the server.
-l, --list-only: Optional. Displays a list of available log files without downloading them.
--proxy <proxy details>: Optional. Specifies an HTTP proxy to use if you are having difficulty connecting to the cloud service. The proxy must be in the form http://username:password@host:port. For example: --proxy http://jsmith:Abc123@proxy_server:80
--max_download_children: Optional. Specifies the number of downloading processes to run in parallel. If not set, a single process is used. The maximum number of processes that can run in parallel is 10. If the list-only parameter returns a large number of files not yet downloaded, set this value to 10 to allow the downloads to process those files.
--infinite_loop: Optional. When configured, the download and reformat processes are run in an infinite loop. If not set, files that become available while the script is running are not downloaded.
--man: Optional. Displays the list of parameters with their descriptions.
--help: Optional. Displays a brief description of the program’s purpose.
--cfgfile: Optional. Specifies the location of a configuration file which can include values for the other parameters.
See Getting started with SIEM integration for additional details on setting up SIEM
integration and scheduling the download.
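The download loop described above (list, download, check the MD5 with -m, then DELETE so the file is not listed again, repeated under --infinite_loop), as an added Python example that is not Forcepoint's Perl script. The service's list, download and DELETE operations are replaced by a constructed in-memory stand-in because their URL layout is not documented on this page; the point shown is why a file is removed from the server only after its MD5 matches.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class FakeLogServer:
    """Constructed in-memory stand-in for the cloud service's log store.
    Assumption: the real service offers a file list with checksums, a
    download per file, and HTTP DELETE to drop a file from that list; its
    URL layout is not documented here, so it is not modelled."""
    files: Dict[str, bytes]
    corrupt_once: Set[str] = field(default_factory=set)

    def list_files(self) -> List[Tuple[str, str]]:
        """(name, expected MD5 hex) for every file still listed."""
        return [(n, hashlib.md5(b).hexdigest())
                for n, b in sorted(self.files.items())]

    def download(self, name: str) -> bytes:
        data = self.files[name]
        if name in self.corrupt_once:       # simulate one damaged transfer
            self.corrupt_once.discard(name)
            return data[:-1] + b"\x00"
        return data

    def delete(self, name: str) -> None:
        """Stand-in for the DELETE method that excludes a file from the list."""
        del self.files[name]


def collect_logs(server: FakeLogServer, store: Dict[str, bytes],
                 check_md5: bool = True) -> Tuple[List[str], List[str]]:
    """One pass of the download loop; returns (saved, failed) file names.

    A file is DELETEd on the server only after the downloaded bytes hash to
    the advertised MD5, so a damaged transfer leaves it listed for the next
    pass instead of being lost. Without check_md5 the damaged copy would be
    stored locally and the server copy removed."""
    saved: List[str] = []
    failed: List[str] = []
    for name, expected_md5 in server.list_files():
        data = server.download(name)
        if check_md5 and hashlib.md5(data).hexdigest() != expected_md5:
            failed.append(name)             # keep it on the server, retry later
            continue
        store[name] = data
        server.delete(name)
        saved.append(name)
    return saved, failed


def run_until_drained(server: FakeLogServer,
                      max_passes: int = 5) -> Dict[str, bytes]:
    """Repeat passes (the --infinite_loop idea, bounded here for the
    example) until the server lists nothing or max_passes is reached."""
    store: Dict[str, bytes] = {}
    for _ in range(max_passes):
        if not server.list_files():
            break
        collect_logs(server, store)
    return store


if __name__ == "__main__":
    # Constructed sample log files; the second one is damaged on first download.
    srv = FakeLogServer({"web-0001.log.gz": b"GET example.test 200\n" * 4,
                         "web-0002.log.gz": b"GET example.test 403\n" * 4},
                        corrupt_once={"web-0002.log.gz"})
    print(collect_logs(srv, {}))   # second file fails its MD5 and stays listed
```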
Related topics:
● Using the Report Builder
● Using the Report Catalog
● Using the Transaction Viewer
● Using the Incident Manager
● Scheduling reports
● Service reports
Your web protection product provides several reporting tools that can help you
evaluate the effectiveness of your Internet access policies.
● Web Dashboard charts provide threat, risk, usage, and system information to
help you review Internet activity in your network at a glance. For most charts, the
time period, chart style, and set of results shown can be customized, and you can
also click columns or sections on a chart to drill down to the relevant report in the
Report Builder. See Web dashboards, page 13.
● Use the Report Builder to create Web Security and Data Security reports from
scratch.
■ See Using the Report Builder, page 220, for details about building reports.
■ See Report attributes: Web and Data Security, page 239, for explanations of
the attribute options in reports.
■ See Report metrics: Web and Data Security, page 250, for information about
the metrics available in reports.
● The Report Catalog offers a list of predefined Web Security and Data Security
reports. Copy any predefined report to apply your own filters to create a custom
report.
■ See Using the Report Catalog, page 214, for more information.
■ See Web predefined reports, page 252, for information about the available
reports.
● The Transaction Viewer provides detailed information about web transactions
and requests. You can drill into the Transaction Viewer from Web Security
reports, or access it directly from the Reporting menu. See Using the Transaction
Related topics:
● Using the Report Builder
● Report attributes: Web and Data Security
● Report metrics: Web and Data Security
● Scheduling reports
Use the Reporting > Report Center > Transaction Viewer page to find full details
of individual web transactions and requests. Where Report Builder shows you high-
level analysis from the perspective you select, Transaction Viewer gives you an
additional layer of granular information for each transaction. You can manipulate the
data further by adding extra filters and columns.
Access Transaction Viewer directly from the Reporting tab to build your own
transaction-level reports, or drill down from the Report Builder:
1. Mark the check box next to each item you wish to view.
You can select multiple items and change your selections, even after the popup
window appears.
2. In the popup window, select View Transactions.
You can also click an entry in any metrics column to view that entry as individual
transactions.
The Transaction Viewer loads, listing the date, time, and URL of each transaction
within the report item or items you selected.
In the Transaction Viewer, you can:
● Edit the filters and date range for the transactions you wish to see.
● Select the columns to display from the Columns drop-down. Click Close when
you have made your selections.
● Click a column heading to make it the active column for sorting transactions.
Click again to switch between ascending and descending order.
Note
To sort transactions by timestamp, click the Date column, not the Time column.
Sorting by the Date column automatically orders transactions by both date and time.
● Delete columns by clicking the X icon in a column heading. Note that you cannot
delete the current active column.
● Drag attributes and metrics from the left-hand pane into the Filters field.
● Drag attributes and metrics from the left-hand pane into the main report pane to
add them as new columns.
● Enable Detail View to see more detail for the selected transaction. You can also
double-click a row to open Detail View.
The Transaction Details pane opens at the bottom of the page, showing additional
information. Depending on the content of the transaction, you may see the
following tabs:
■ General lists information such as the user who performed the transaction, the
policy, the action, the Web category and risk class. When the risk class is
Security, Detail View also displays threat details.
■ Request Details shows the full URL, source and destination IP addresses, the
referrer URL, the full MIME type, and the request method.
■ Threat Details is displayed for transactions that involve a security risk. The
tab shows the category, severity level, threat name, and threat type, as well as
the direction of the transaction.
■ File Sandbox is displayed when the transaction is associated with a file that
was sent for advanced sandboxing analysis. The tab lists all files associated
with the transaction and the result returned by the File Sandbox, as well as a
link to the File Sandbox report.
■ Cloud App Details shows further information about the cloud app associated
with the transaction. The tab lists details for the cloud app, such as its name,
description, risk level, provider details, and URL, along with a detailed risk
profile.
■ Advanced lists HTTP status code, total bandwidth used, filtering time, server
response time, authentication method, and user agent.
● Export selected transactions in PDF or CSV format.
In PDF format you have the option to export the Detail View for the transactions
you select. This export is limited to 20 transactions.
Related topics:
● Using the Report Builder
● Report attributes: Web and Data Security
● Scheduling reports
Use the Reporting > Report Center > Incident Manager page to find full details
about data security incidents. Where Report Builder shows you high-level analysis of
data security results, Incident Manager gives you an additional layer of granular
information for each incident. You can manipulate the data further by adding extra
filters and columns.
In the Incident Manager, you can:
● Edit the filters and date range for the incidents you want to review.
● Select the columns to display from the Columns drop-down. Click Close when
you have made your selections.
● Use the Rows drop-down to configure the maximum number of rows displayed in
the table. The default is 100, and up to 200 rows may be shown.
● Click a column heading to make it the active column for sorting incidents.
Click again to switch between ascending and descending order.
Note
To sort incidents by timestamp, click the Date column, not the Time column. Sorting
by the Date column automatically orders incidents by both date and time.
● Delete columns by clicking the X icon in a column heading. Note that you cannot
delete the current active column.
● Drag attributes from the left-hand pane into the Filters field.
● Drag attributes from the left-hand pane into the main report pane to add them as
new columns.
● Enable Detail View to see more detail for the selected incident. You can also
double-click a row to open Detail View. The Incident Details pane opens at the
bottom of the page, and contains 3 tabs:
■ Matches shows the policies and classifiers that were matched, as well as the
number of matches, for the incident. Administrators with appropriate
permissions can also see the content that matched the classifiers.
■ Source & Destination shows name, IP address, and group information for the
end user who made the request (source), and IP address, URL, and
geographical location for the target of the request (destination).
■ Properties shows the severity, incident time, top matches, file name (if
applicable), and policy for the selected incident, as well as any other available
attributes from the incident table.
When you have configured the Incident Manager, you can save or export the report as
follows:
● To save the report to run again, click the Save icon in the button bar above the
table.
When prompted, provide a name and description for the report, then select a
folder. When you are finished, click Save Report.
■ To schedule a saved report, click the Schedule icon in the button bar above
the table.
■ To share a saved report, click the Share icon in the button bar above the table.
● To export selected incidents in PDF or CSV format, click the PDF or Excel
icon at the top right of the page.
In PDF format you have the option to export the Detail View for the incidents you
select. This export is limited to 20 incidents.
If you are working in a saved report and want to create a new report, click the New
icon in the button bar above the table.
The tables below list the report attributes that are available in the Report Builder,
Transaction Viewer (for Web Security transactions), and Incident Manager (for data
security incidents). Attributes are listed in the order they appear on the page.
● Web Security reports
● Data Security reports
For many attributes, you have the option to choose “is”, “is not”, “contains”, “does not
contain”, “starts with”, and “does not start with”. Use these qualifiers to narrow your
results. For example, you may select Destination Country is not United States to
filter out U.S. events.
For information about report metrics, see Report metrics: Web and Data Security,
page 250.
Authentication attributes
Protocol attributes
The tables below list the report metrics that can be added to Report Builder and
Transaction Viewer reports. Incident Manager reports do not include metrics options.
The tables below list the predefined reports available in the report catalog.
● Advanced reports
● Bandwidth reports
● Cloud App reports
● Misconduct reports
● Productivity reports
● Risk Activity reports
● Security reports
● Social Media reports
● Web Activity reports
● Data Security reports
Advanced reports
Bandwidth reports
Note
A summary is displayed for each cloud application that appears in a report when you
hover your mouse over the “i” symbol next to its name. This summary text displays
the current risk level for that application. Risk levels may change over time as
applications are re-evaluated, so the risk level recorded for a particular transaction
may not be the same as the current risk level for that application.
Click the “i” symbol beside the cloud app name for more information about the app,
including a detailed risk profile.
Misconduct reports
Productivity reports
Security reports
Content Type
Compliance Summary: Which compliance rules are most often violated in your organization, with a breakdown of the incident count for each policy or rule.
Custom Classifier Summary: Which custom classifiers triggered the most incidents during the designated period.
Data Theft Summary: A list of all data theft incidents that were detected during the designated period, along with incident details.
Incidents
Incident List: List or chart of all data loss incidents that were detected during the designated period, along with incident details such as the destination, severity, and transaction size.
Sources and Destinations
Destination Summary: Destination URLs or IP addresses involved with the most violations, broken down by severity.
Users Summary: Users, machines, or IP addresses most frequently violating data security policies and the severity of their breaches.
Related topics:
● Endpoint Auditing Report (Classic Proxy Connect and Direct
Connect)
● Service reports
● Downloading report results
● Saving reports
● Scheduling reports
Go to Reporting > Account Reports to see the account-level reports available to you.
● For cloud web products, the Endpoint Auditing report, used for the classic
endpoint agents, lists the current status of all endpoints deployed to users and
workstations in your organization.
● If you have directory synchronization enabled for your account, you can generate
synchronization statistics for the service.
All reports are generated in real time using the cloud manager. Most include charts
and tables that are presented in an easy-to-read, printable format.
Note
For larger accounts, where a lot of data is to be retrieved, the reports may take some
time to generate. As soon as the relevant data has been retrieved it is displayed
while the remainder of the report is being compiled.
Commonly-used report criteria can be saved for easy access. For more information,
see Saving reports, page 264. Saved reports can be scheduled for regular delivery to
one or more recipients as described in Scheduling reports, page 264.
Use the Reporting > Account Reports > Endpoint Auditing page to see the current
status of all users and client machines with the endpoint installed.
By default the report displays the status of all endpoint users updated in the last 7
days, listing user names, workstation names, and the current endpoint status.
● To filter the report for one or more user names, enter the names in the search field
and click Search.
● To change the report to list a particular endpoint status, select one of the following
from the Endpoint status drop-down:
■ Enabled – all endpoints that are currently enabled
■ Enabled (manually) – endpoints that have been manually enabled by the end
user
■ Enabled (auto-recovery) – endpoints that have automatically returned to an
enabled state following a period of fallback due to a lack of connection with
the cloud service
■ Enabled (system restart) – endpoints that have been automatically re-enabled on machine restart
■ Disabled (manually) – endpoints that have been manually disabled by the
end user
■ Fallback mode – endpoints that cannot connect with the cloud service fall
back to one of two modes. For Proxy Connect endpoints, the system allows
requests to go directly to the local network/Internet. For Direct Connect
endpoints, the system applies filters that have been cached for previously
blocked sites before sending requests to the Internet.
The Fallback mode for Neo is configurable and can be set to allow the user
request, block the user request, or use local cache to apply policy.
● To edit the time period, select an option from the Status updated drop-down.
● To see further details for a particular user or workstation, click the user or
workstation name. The User Details and Workstation Details pages show the
following additional information:
■ When the endpoint status was last updated
■ The endpoint version
■ The operating system on which the endpoint is installed
■ The endpoint status change history for that user or workstation
● To export the report results to a CSV file, click the CSV icon in the top right of the
page.
Service reports
The Service reports provide data that relates to directory synchronization and to end
user message report subscriptions.
Synchronization History Log: The history log provides a connection history for the specified period, up to 1000 rows.
Synchronization Time Summary: The time summary provides a list of the 20 longest synchronization times.
3. From the during drop-down list, select the time period for the report. Click more
to select a specific date or time.
Note
The ‘last 6 full hours’ period does not include a synchronization just performed. You
must wait for the hour to pass for it to appear in this report. You can view the very
latest synchronization history in the Manage Directory Synchronization page on the
Setup tab.
On each report, you have the option to download the data as a PDF or CSV file.
Note
You can also download charts as image files or in PDF format. To download a chart,
right-click the chart and select the format to download (PDF, PNG, or JPEG).
Saving reports
Related topics:
● Scheduling reports
You can choose to save any Services report. Use this option to identify the reports you
generate most frequently and want to be able to locate quickly.
To see the list of reports that you have saved, select Reporting > Account Reports >
Saved Reports.
To save a report:
1. Under Reporting > Account Reports > Services, select the report you want.
2. Use the Selection screen to enter your report criteria.
3. Click Save Report.
4. Enter a name for the report, and click Save.
The Saved Reports list is displayed, and the report you entered is now listed.
As well as accessing the report from this screen, you now have the option to delete the
saved report or schedule it for regular delivery.
Scheduling reports
Related topics:
● Saving reports
You can run reports as they are needed, or you can define a schedule for running one
or more saved reports.
Reports generated by scheduled jobs are distributed to one or more recipients via
email. The reports can be in HTML, PDF, or CSV format. There is a limit on the
number of reports you can schedule for delivery: the Saved Reports list displays the
remaining number you can schedule in addition to any existing deliveries.
Note
You cannot schedule reports that have defined start and end dates, or that span
periods of less than 24 hours.
To schedule a report:
1. Select Reporting > Account Reports > Saved Reports.
2. You can schedule an existing saved report by clicking the report you want to
schedule on the Saved Reports list. If you do this, skip to step 5 below.
Otherwise, to create a new report for scheduling, click the Generate a new report
link. The page that appears includes only reports that are eligible for scheduling.
3. Create and save your report as described in Saving reports, page 264.
4. On the Saved Reports list, click the name of your new report.
5. Click Schedule email report.
6. Enter the email address of the report recipient. Multiple email addresses should be
separated by commas or spaces.
If you enter an address with a domain not registered to the account, a warning
appears when you save the schedule. Click OK on the warning to accept the
address.
7. Enter a subject for the report email, and the text you want to appear in the body of
the email.
8. Select the report format.
9. Set one of the following delivery periods for your reports:
■ daily
■ weekdays
■ weekly
■ every other week (biweekly)
■ monthly (the default option)
If you want to stop a scheduled report temporarily, select suspend delivery.
10. Click Save.
You are returned to the Saved Reports list. Reports that have been scheduled display
the recipient list in the Email to column. Click an item in this column to open the
schedule, where you have the option to edit or delete the report delivery.
Use the Account > Settings > Audit Trail page to find information about
administrator actions and configuration changes.
To run the default search, which shows results for all users, actions, descriptions, and
SQL queries that have occurred so far today, click View Results without making any
changes on the page.
To perform a more targeted search, use the fields and selectors on the screen to specify
the type or range of data that you want to see. You can enter:
● All or part of an administrative User name, or * (default) to specify any user
● An Action type, like “Login” or “Delete,” or All (default) to specify all actions
● All or part of a Description of the action that occurred, like an IP address or
policy number, or * (default) to specify any description text
● All or part of the specific SQL query used to perform the action, or * (default) to
specify any SQL query
● A Date range (today’s date, by default) for the query
By default, when you enter a string in any field, the search looks for an exact match.
To configure the search to look for any string that contains the value you specify,
precede your entry with an asterisk (*) character (for example, *DELETE or *admin).
When you click View Results, any audit trail information that matches your search
parameters is displayed in a table. All results include the date and time that the action
occurred, a description of the action, the action type, and the user who performed the
action. If the action resulted in a change to the configuration database, the SQL query
used to make the change is also displayed.
Paging controls are displayed just above the results table. Use the controls to
configure how many results to display on the page, and to move through the results.
Click the back arrow above the table to return to the Audit Trail page where you can
enter new search parameters.
Click Export to CSV on either the Audit Trail page or the Search Results page to
export the results of your audit trail search to a file named audit_trail.csv. You can
open the file, save the file with the default name, or save the file with a new name.
The cloud service provides a standard configuration for all web accounts. These are
described below. To customize your settings, follow the instructions in Configuring
Web Settings, page 59.
Web > Settings > General page, Proxy auto-configuration (PAC) file settings:
Web > Policy Management > Block & Notification Pages page:
By default, all time periods use the Time Zone indicated when registering for the
service. Change the time zone if your end users are located in a different time zone
or multiple time zones.
Web > Settings > Domains page:
General tab:
Connections tab:
Endpoint tab:
Whether you are a new or existing customer, you should plan your approach before
performing your first synchronization. This section provides checklists for setting up
directory synchronization in various use cases. Find yours to determine the best course
of action.
● New Web and/or email customers
● Existing Web and/or email customers
● Considerations for existing customers
For existing cloud web and/or email customers, see the following:
● Wanting to manage users/groups from an LDAP directory, page 277
● Wanting to manage users/groups from an LDAP directory but Web policy
assignment from the portal, page 279
If you have already set up users, groups, passwords, policies, and exceptions in the
cloud manager and you want to switch to LDAP synchronization, consider the
following:
● You can minimize the impact by carefully matching your LDAP group names and
membership to the existing setup. Matching LDAP group names and membership
to those already in the cloud service allows existing policy selections and settings
to be maintained, as well as existing usernames/passwords where applicable.
● You are responsible for avoiding ambiguous configurations, for example, users
belonging to multiple groups which are assigned to different policies. It is up to
you to set up groups in the LDAP directories in such a way that ambiguities don't
occur. (When there are ambiguities, the service selects the closest group-to-policy
assignment for each individual user, taking the first group in alphabetical order
where there are multiple assignments at the same hierarchical level.)
● Existing users can retain their passwords and whether you manage users through
the portal, LDAP synchronization, or both is completely transparent to them.
For your convenience, Forcepoint Web Security Cloud includes predefined data
security content classifiers to detect and report on data loss in your organization and
help you conform to industry regulations in your geo-location.
Predefined classifiers enable you to quickly and easily define what type of content is
considered a security breach on your network.
Many policies are disabled by default, but you can enable them in the cloud portal by
navigating to the Data Security tab of your web policy.
You can also create custom data security classifiers on the Policy Management >
Content Classifiers page.
The predefined classifiers included in the cloud service are constantly being updated
and improved. There are several types of policies:
Personally Identifiable Information (PII): Policies for detecting personally identifiable information such as social security, passport, and drivers’ license numbers. The rules that are enforced depend on the region you selected.
Protected Health Information (PHI): Policies for detecting personal health information such as disease names and medications. The rules that are enforced depend on the region you selected.
Payment Card Industry (PCI): Policies for detecting credit card numbers and cardholder data. The rules that are enforced depend on the region you selected.
Data Theft: Policies for detecting various attempts to steal sensitive data.
The following predefined policies are available for the detection of private
information:
● Australia PII
● Australian PHI
Policy for detection of protected health information for Australian citizens. The
rules for this policy are:
■ Australia PHI: Australia Medicare and Sensitive Disease or drug
■ Australia PHI: Australia Medicare and Common Disease
■ Australia PHI: SPSS Text files
● Health Data
Policy for detection of data types pertaining to medical conditions, drugs etc. The
rules for this policy are:
■ Health Data: Credit cards and Common Diseases
■ Health Data: Credit cards and Sensitive Disease or drug
■ Health Data: DNA profile (Default)
Policy for promoting compliance with the Payment Card Industry Data Security
Standard (PCI DSS). PCI DSS is an industry standard, accepted internationally by all
major credit card issuers and is enforced on companies and organizations that accept
credit card payments or process, store, or transmit cardholder data. The standard
includes the mandate that credit card numbers and cardholder data should be highly
secured and that transactions comprising PCI data should be encrypted.
The rules for this policy are:
■ Credit card magnetic strips
■ Valid credit card numbers (Wide)
■ Valid credit card numbers, with proximity (Default)
■ Valid credit card numbers, with proximity (Narrow)
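One way a "valid credit card numbers, with proximity" rule can work, as an added Python illustration that is not Forcepoint's classifier: candidate digit runs are validated with the Luhn checksum, and the proximity variants additionally require a card-related term within a window of characters around the number. The context term list and the Wide/Default/Narrow window sizes are constructed assumptions, not the product's real thresholds.

```python
import re
from typing import List, Optional

# Constructed context terms; the product's real proximity term list is not
# published on this page, so this is an assumption for illustration only.
CARD_CONTEXT_TERMS = ("credit card", "card number", "visa", "mastercard",
                      "amex", "expiry", "cvv")

# Proximity windows in characters either side of a candidate number.
# Assumption: Wide = Luhn check only, Default/Narrow = increasingly tight
# context requirement. The product's real thresholds are not given here.
RULE_WINDOWS = {"Wide": None, "Default": 60, "Narrow": 20}

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str, window: Optional[int] = None) -> List[str]:
    """Return Luhn-valid card numbers (digits only) found in text.
    With a window, a context term must appear within that many characters
    before or after the number; otherwise the candidate is dropped, which
    is what cuts false positives on invoice or tracking numbers."""
    lower = text.lower()
    hits: List[str] = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            continue            # e.g. an order reference that merely looks numeric
        if window is not None:
            start = max(0, m.start() - window)
            end = min(len(text), m.end() + window)
            if not any(term in lower[start:end] for term in CARD_CONTEXT_TERMS):
                continue
        hits.append(digits)
    return hits


def apply_rule(text: str, rule: str) -> List[str]:
    """Run one of the Wide/Default/Narrow variants modelled above."""
    return find_card_numbers(text, RULE_WINDOWS[rule])


# Constructed sample message; the card numbers are well-known test numbers.
SAMPLE = ("Please charge my credit card 4111 1111 1111 1111 for the renewal. "
          "Unrelated: the shipment tracking code is 5500000000000004 "
          "and the order ref is 1234567890123.")

if __name__ == "__main__":
    for rule in RULE_WINDOWS:
        print(rule, apply_rule(SAMPLE, rule))
```

The Wide variant flags both Luhn-valid numbers, while the proximity variants keep only the one that sits next to "credit card"; the 13-digit order reference fails Luhn under every variant.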
Data Theft
The cloud service includes the following data theft policies. The rules for these
policies are:
● Common password information
Searches for outbound passwords in plain text.
■ Common passwords information
■ Common passwords information (Wide)
■ Common passwords information (Narrow)
● Encrypted files - known format
Searches for outbound transactions comprising common encrypted file formats.
The rule for this policy is:
■ Encrypted files (known format)
● Encrypted file: encrypted data of unknown format
Policy for detection of encrypted files of unknown format. The rule in this policy
is:
■ Encrypted file: encrypted data of unknown format
● IT asset information