Highlights of NGFW 6.7
On-premises DLP integration
Other Enhancements
© 2019 Forcepoint | 2
On-premises DLP integration
Data Loss Protection scanning is used for outbound file transfers to prevent sensitive data from being sent out.
Forcepoint NGFW provides DLP scanning and uses the ICAP protocol to integrate with:
• Forcepoint DLP solution
• 3rd party DLP solutions
[Diagram: outbound HTTP(S) file transfer passes through the NGFW, which asks the ICAP servers (DLP scanning) "Is file transfer allowed?" and receives OK]
On-premises DLP integration – Engine Configuration
1. Define ICAP Server representing the DLP Server
• Use REQMOD method only
• Support for ICAP X-headers
2. Enable Data Protection add-on
3. Select ICAP Server(s)
On-premises DLP integration – Configuration
The DLP scanning method is configured in the File Filtering Policy
• File Filtering rules define the content to scan
• Direction is upload only
• DLP Scan is enabled in the Allow After Action
• User response can be displayed
Supported protocols: FTP, HTTP, HTTPS, IMAP, IMAPS, POP3, POP3S, SMTP
DLP scan can be used together with Anti-Malware scanners
Limitations
Integrating DLP servers with Forcepoint NGFW has the following limitations:
• Only the ICAP protocol is supported. The DLP server must support ICAP.
• Only the REQMOD method is supported for sending files to the DLP server.
• The DLP server must return a “204 - No modifications needed” response to the NGFW when the file is OK to be sent out.
• To match DLP user-based policies, the DLP server must be able to read the user from the X-Authenticated-User header using the “Local” auth-scheme method.
• Cloud-based DLP services are not supported.
DLP scanning is recommended only for outbound file transfers that use the FTP, HTTP, and HTTPS protocols. Other supported protocols are IMAP, IMAPS, POP3, POP3S, and SMTP.
The default file size limit for DLP scanning is 50 Mbytes. DLP solutions for storage and endpoints are better suited for large files.
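As an added illustration (not Forcepoint's code) of the ICAP exchange the limitations above describe, the following Python builds a REQMOD request that wraps the HTTP upload and carries the user in X-Authenticated-User with the "Local" auth-scheme, then maps the DLP server's ICAP status to a verdict, with 204 meaning the file may leave. Assumptions: the base64 encoding of the X-Authenticated-User value follows the ICAP extension-headers draft, and treating every non-204 reply as a block (fail closed) is this example's choice, not something the slides state.

```python
import base64

# Constructed sample HTTP upload as the NGFW would see it on the client side.
SAMPLE_HTTP_HEADERS = b"PUT /upload HTTP/1.1\r\nHost: example.com\r\n\r\n"
SAMPLE_FILE = b"customer list: alice, bob"  # constructed payload


def build_reqmod(icap_host, http_request_headers, file_bytes, username):
    """Assemble an ICAP REQMOD request (RFC 3507) around an HTTP upload.

    Encapsulated gives the byte offset of each encapsulated section, and the
    body is chunk-encoded like HTTP/1.1. The X-Authenticated-User value is
    "<scheme>://<user>" base64-encoded (assumption: per the ICAP X-headers
    draft), using the "Local" scheme the limitations slide names.
    """
    req_hdr = http_request_headers  # must already end with CRLF CRLF
    body = b"%x\r\n" % len(file_bytes) + file_bytes + b"\r\n0\r\n\r\n"
    user = base64.b64encode(f"Local://{username}".encode()).decode()
    icap_hdr = (
        f"REQMOD icap://{icap_host}/reqmod ICAP/1.0\r\n"
        f"Host: {icap_host}\r\n"
        f"X-Authenticated-User: {user}\r\n"
        f"Encapsulated: req-hdr=0, req-body={len(req_hdr)}\r\n\r\n"
    ).encode()
    return icap_hdr + req_hdr + body


def dlp_verdict(icap_response):
    """Map the DLP server's ICAP status line to "allow" or "block".

    Per the slide, "204 No modifications needed" means the file may be sent
    out. Any other status (200 with a rewritten request, 4xx/5xx, or a
    malformed reply) is treated as a block so the check fails closed.
    """
    status_line = icap_response.split(b"\r\n", 1)[0]
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"ICAP/"):
        return "block"
    return "allow" if parts[1] == b"204" else "block"


if __name__ == "__main__":
    req = build_reqmod("dlp.example.internal", SAMPLE_HTTP_HEADERS,
                       SAMPLE_FILE, "alice")
    print(req.decode(errors="replace"))
    print(dlp_verdict(b"ICAP/1.0 204 No modifications needed\r\n\r\n"))
```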
Rule Validity Time
SMC administrators can now create rules that expire on a specific day and time.
A Rule Validity Time element defines:
• When each rule starts being enforced and automatically expires
• When each rule is active
A Rule Validity Time can be reused in multiple rules and policies.
A Rule Validity Time can refer to the NGFW engine’s local time.
Forcepoint VPN Broker
Limitations of Full Mesh and Hub/Spoke VPN topologies
• The scalability of Full Mesh and Hub/Spoke VPN topologies is limited
• A new architecture is necessary to scale to more than 5000 sites
VPN Broker Architecture
[Diagram: VPN Broker architecture; only the label "SMC" and step numbers survive extraction]
For more information, see the NGFW Manager and VPN Broker Product Guide.
Other Enhancements
DPI Support for QinQ
• Enables deep inspection for double VLAN tagged traffic (QinQ) on Layer 2 interfaces in Inline or Capture mode.
• Allows integration with third-party solutions (Gigamon) that use QinQ for network traffic flow control.
Other Enhancements
HTTP/2
• HTTP and HTTPS Services with Protocol now include HTTP/2 support.
FUID 2.0
• User ID Service and DC Agent application have been completely rewritten.
• Performance and scalability have been greatly improved.
• The configuration has been simplified.
• Data storage in the internal database has been improved for the User ID Service.
• Communication between components is now secured by TLS by default.