
Web Security 8.5
Administrator Course

© 2020 Forcepoint. Forcepoint Proprietary.


Module 1 Objectives

• Describe features, components, and key integrations that enable Web Security functionalities
• Compare the advantages and disadvantages of various deployment methodologies
• Discover the available user interfaces and key settings, including delegated administration

Copyright © 2018 Forcepoint. All rights reserved.


Module 1 Agenda

• Web Security Overview
• Components and Architecture
• Appliance Overview
• Deployment Overview
• Web Security Administration
• Delegated Administration


Web Security Overview


Web Security Capabilities

• ThreatSeeker and AMD: real-time protection against advanced threats and data theft
• Integration with Forcepoint DLP, Forcepoint CASB, and supported third-party products
• Forcepoint Mobile Security and Forcepoint Cloud platform: extended protection to roaming users
• Multiple deployment options


Enhanced Protection Modules

Add-on: Capability
• Web Hybrid Platform: Web protection and policy enforcement to remote users
• Web DLP: Powerful, contextually aware DLP engine for added outbound protection against data theft
• Cloud Sandbox / Advanced Malware Detection: Behavioural sandboxing for automatic and manual analysis of malware files
• Mobile Security: Policies and protection to iOS and Android users
• Cloud Access Security Broker (CASB): Full CASB functionalities and complements existing ability to gain visibility into what cloud applications are being used


What’s New in Version 8.5


New Functionalities in 8.5

• Protected cloud apps
• Report Center
• Office 365 bypass


New Functionality: Protected Cloud Apps

• Must purchase the new Forcepoint Web Security Cloud App Control module or licenses for Forcepoint CASB to enable the integration
• Add a list of all locations, a.k.a. Filtered Locations, where Internet traffic is managed by an instance of Content Gateway
• Policy enforcement for managed sanctioned apps


New Functionality: Office 365 Bypass

• New bypass options allow requests to Office 365 to bypass either Content Gateway user authentication, the Content Gateway proxy, or both


New Functionality: Report Center

• Allows the creation of multi-level, flexible reports that can be used for analysis of logging data, including cloud apps data


Other Changes in 8.5

Features enhanced:
• Authentication caching exceptions, TLS v1.1 and TLS v1.2, and WebSocket protocol traffic tunneling support for Content Gateway
• New SIEM health alerts and attributes
• Advanced Detection scanning option
• Improved functionality for logging and reporting
• haveged is now required for the Web Security Linux installer
• SMBv2
• Secure HTTPS connection to download all databases
• Test Filtering tool results pane now includes information about cloud apps
• Stricter requirements for Password Override
• New platform support

Features removed/discontinued:
• SMBv1
• Windows Active Directory (Mixed Mode)
• Support for Red Hat Enterprise Linux 6.5, 6.6, 6.7, 7.0, and 7.1


Components and Architecture


Web Security Components

[Diagram: components grouped as Web Filter and Security, Management, Logging / Reporting, and Integration. Components shown: User Service, Transparent ID (XID) Agent, Filtering Service, Policy Server, Policy Broker, Real-Time Monitor, Usage Monitor, Sync Service, Policy Database, Directory Agent, Network Agent, Log Server, Log Database, Content Gateway, TRITON Manager (Apache Tomcat Web Server), and Third-party Products.]
Web Filter and Security Components

• Policy enforcement and filtering function
• User identification
• Reporting of web activity
• Integration with Content Gateway and/or Network Agent


Web Filter and Security Components Architecture

[Diagram: Usage Monitor (tracking); User Service with Directory Services, Logon Agent, DC Agent, eDirectory Agent, and RADIUS Agent (user identification); Filtering Service (policy enforcement); Policy Server (broker request); Policy Broker and Policy DB (PostgreSQL) (policy repository); Forcepoint Manager (Apache Tomcat) (management); and logging / integration.]
Policy Determination/Enforcement

[Diagram: Filtering Service performs URL, RegEx, and policy determination/enforcement and serves the Blocked Page, with Transparent ID clients and networking/integration feeding requests to it. Numbered elements as shown: 1 Master DB (downloaded from http://download.forcepoint.com), 2 Transparent ID Agent, 3 Policy Server, 4 User Service, 5 Usage Monitor, 6 Reporting/Alerting.]
Considerations when Using Multiple Policy Servers

• Policy and most global configuration settings are shared between Policy Servers that share a Policy Database, for example:
  • Risk class definitions
  • Alerting options
• Because policy information is managed by Policy Broker, policy changes are made available to all Policy Server instances when you click Save and Deploy.
• Configuration settings that are specific to a single Policy Server (like its Filtering Service and Network Agent connections) are stored locally by each Policy Server and not distributed.
• In order to apply time-based actions correctly, one or more instances of Forcepoint State Server are required.


Limits and Best Practices

Policy Server limits. Each Policy Server instance can support:
• Up to 10 Filtering Service instances
• Caches policy data up to 14 days
• 1 User Service
• 1 Usage Monitor
• 1 Web Security Log Server
• 1 State Server
• 1 Multiplexer
• 1 Directory Agent

Filtering Service best practices. The number of Filtering Service instances for a Policy Server depends on:
• The number of users per Filtering Service
• The configuration of the Policy Server and Filtering Service machines
• The volume of Internet requests
• The quality of the network connection between the components

Log Server limits:
• One instance of the Log Server per Policy Server
• Multiple Log Server instances can send data to a central Log Server, which sends the data to the Log Database


Authentication Components

[Diagram: User Service and XID Agents within the Web module, alongside the user, networking, origin web server, configuration, authentication management, filtering, and reporting / alerting.]

• User Service provides user information via a directory service
• XID Agents allow transparent identification
User Authentication

[Diagram: the user, User Service, Filtering Service, XID Agents, and Security Manager, with user authentication flowing through numbered steps 1 to 5; the identified user is shown as xyz\j_doe.]


On-prem and Off-site Users

Transparent identification:
• On-prem users: DC Agent, Logon Agent, eDirectory Agent, RADIUS Agent
• Off-site/Remote users: RADIUS Agent, Remote Filter


User Traffic Management

• On-prem users: Filtering Service
• Off-site/Remote users: Hybrid Service


KNOWLEDGE CHECK

QUESTION
Which of the following are new features in version 8.5 (pick two)?
A. Report Center
B. Windows Active Directory (Mixed Mode)
C. Forcepoint Security Account Manager 1.0
D. Office 365 Bypass
Logging and Reporting Components

• Store logs from Filtering Service
• Encapsulate and provide tools to display reports in useful forms


Logging / Reporting Components Architecture

[Diagram: Log Server, Multiplexer, Log DB (Microsoft SQL), TRITON Manager, and Reporting Tools.]


Log Database

• Records Internet activity and the associated Forcepoint filtering actions
• Installation creates the Log Database with a catalog database and one database partition

[Diagram: incoming Web transactions are inserted into the active partition (wslogdb_1, wslogdb_2, ...); the catalog DB is wslogdb; data from all added partitions is crawled by the Web Security Reporting Tools.]


Log Database SQL Jobs

• Five SQL jobs, each with its own functionality inside the Log Database
• ETL: runs continuously, receiving data and then inserting it into the partition database
• Database Maintenance: performs database maintenance tasks and preserves optimal performance
• IBT: analyzes the data and calculates browse time; runs nightly by default
• AMT ETL: the data processed by this job shows on the Threats Dashboard of Web Security Manager
• Trend Job: responsible for processing trend data available in Security Manager


Log Server Cache Files

• Cache files are the physical form of incoming Web transactions/requests
• Requests are in a text format
• Repository: \bin\Cache

Fields recorded:
• Who: User FQDN; Source IP; Source Server IP (EIMServer IP)
• What: Protocol; Category; Action Code; Reason Codes; Analytics; HTTP headers
• Where: Source, Destination IP; Ports; URL
• When: Time; Transaction Duration


Log Server Cache Files: Web Security Manager Configuration

• Always confirm the default Cache location is the optimal one to use


Real-Time Monitor

• Gathers information from Usage Monitor, which is typically installed with Policy Server
• Shows activity for one Policy Server at a time
  • Click in order to see data from a specific Policy Server


Integration Components

• Content Gateway: a proxy through which clients connect to Web content
• Network Agent: monitors the network to identify non-web protocol traffic
• Third-party Integration: a supported third-party firewall, proxy server, cache, or network appliance (integration product) responsible for monitoring Internet requests and sending them to Filtering Service for evaluation


Content Gateway

• Integrates with Forcepoint Web Security
• Runs on a Forcepoint appliance or as a software install (Linux server)
• Is a forward proxy that performs advanced content analysis, traffic management, and user authentication
• Has its own GUI, Content Gateway Manager, to allow admins to configure settings

[Diagram: Content Gateway (appliance) between clients and HTTP/s sites, providing traffic management, advanced analysis, and user authentication.]


Content Gateway Interaction

[Diagram: Content Gateway, Proxy Plug-in Interface, and Third-party Integration in front of the Web Filter components Policy Server, Policy Broker, Policy DB (PostgreSQL), Logging / Report, and Forcepoint Manager (Apache Tomcat).]


Network Agent

• Requires bi-directional visibility into traffic
• Runs on a dedicated version of these operating systems:
  • Linux
  • Windows
• Supports multiple instances for large networks
  • Each Network Agent instance monitors a specific IP address range or network segment


Third-Party Support

• Cisco ASA or routers
• Citrix
• ICAP Service
• Microsoft Forefront TMG
• Other supported integration (as a "universal" integration)


KNOWLEDGE CHECK

QUESTION
Which three of the following statements are true about web protection components?
A. All components, except Content Gateway, can reside on Windows servers.
B. Most components can reside on Linux servers.
C. In Web Security 8.5, most components can support Mac OS releases.
D. Most components can reside on Forcepoint appliances.


Let’s Take a Break


Appliance Overview


Appliance Offerings

• Forcepoint V5000 G2 / G3
• Forcepoint V10000 G4
• Forcepoint V10000 G4R2
• Forcepoint V20000 G1
• Forcepoint X10G


Appliance Deployment > Web Mode

Content Gateway

Available policy modes:
• Full policy source
• User directory and filtering
• Filtering only (not supported in virtual appliances)

Most organizations install the policy source off-appliance, on a Windows server.


Appliance Web Security Modes

• Full Policy Source
• User Directory and Filtering
• Filtering only


CLI

• Allows you to monitor, configure, and troubleshoot a Forcepoint appliance
• Can be accessed via SSH and a terminal emulator (after firstboot)
• Uses a REST API
  NOTE: Portions of the API will be published in the future.
• Provides the following navigation options:
  • Up and down arrow keys to cycle through previous commands
  • Tab key to complete commands or show available parameters/values
• Has three modes: view, config, and diagnose


CLI: ‘view’ Mode

• Is the active mode when you log on for the first time
• Provides access to config and diagnose modes
• Allows the following commands:
  • clear session: ends a config session, allowing another admin to enter config mode
  • exit: closes the ssh session
  • help: lists the commands available in view mode
  • help <command>: lists information about the full syntax of a command
  • show: lists 25+ commands to display current configurations; these commands are detailed on the following slides


CLI: ‘config’ Mode


‘config’ Mode Sample Commands

To restart or shutdown an appliance:
# restart appliance
# shutdown appliance

To configure time and date:
# show system timezone
# show system timezone-list
# set system timezone
# show system ntp
# set system ntp
# sync system ntp
# show system clock
# set system clock


CLI: ‘diagnose’ Mode

Network and system tools:
• arp, ethtool, ifconfig, nc, netstat, nslookup, ping, ping6, route, route6
• tcpdump, top, traceroute, traceroute6, wget, wget-proxy

Diagnostic get commands:
• get debugging
• get proxy content_line
• get proxy network_check
• get proxy policy_engine
• get proxy print_bypass
• get web cache_users
• get web policy_broker
• get web usr_grp_ip_prec


Deployment Overview


Network without Forcepoint Security

[Diagram: a Branch LAN with branch users and a Branch DMZ connected over the Internet to the Corporate Network, which has a DMZ, an Active Directory server, a mail server, and VLANs (management / services-layer, local users, database) hosting Active Directory, mail, and ArcSight Logger servers.]


Network with Forcepoint Web Security

[Diagram: the same network with Forcepoint Manager and Web Filter and Security Components added in the corporate network and at the branch, receiving updates from Forcepoint ACE, ThreatSeeker, Security Labs, and the Forcepoint update servers.]


Required Components: Policy Source on an Appliance

On the appliance:
• Content Gateway
• Policy Broker
• Policy Server
• Filtering Service
• Network Agent
• User Service

Off-box components:
• XID agents
• Additional policy enforcement components
• Log Server
• Security Manager
• Reporting Tools
• Real-Time Monitor


Required Components: Policy Source on a Server

• Policy Broker
• Policy Server
• Filtering Service
• Network Agent
• User Service
• XID agents
• Content Gateway
• Log Server
• Security Manager
• Reporting Tools
• Real-Time Monitor


Typical Network Agent Deployment

[Diagram: Network Agent attached to the core switch with port span/mirror configured (1), monitoring traffic between the LAN and the Internet (numbered points 2 to 4).]


Content Gateway Deployments

Explicit Proxy
• User’s client software is configured to send requests directly to Content Gateway
• Manual browser configuration
• Supports GPO, WPAD or PAC file

Transparent Proxy
• User requests are transparently redirected to a Content Gateway proxy, typically by a switch or router, on the way to their eventual destination
• Supports WCCP, PBR, Layer 4 switch


Content Gateway: Explicit Proxy vs Transparent Proxy

Client HTTP request
• Explicit proxy: direct connection to proxy by browser to port 8080 (default)
• Transparent proxy: redirected to proxy by network device using GRE encapsulation or by rewriting the L2 destination MAC address to the proxy's address
• Proxy chain: direct connection to parent proxy from child proxy

Exception management
• Explicit proxy: exclude site, CIDR, etc., using browser configuration settings and PAC file settings
• Transparent proxy: static or dynamic bypass rules
• Proxy chain: child/parent proxy configuration and rules

Proxy user authentication
• Explicit proxy: proxy challenge using 407 Proxy Authentication Required code
• Transparent proxy: challenge using server-based authentication scheme (client is not aware of proxy)
• Proxy chain: proxies in a chain may share credential information, or a single proxy in the chain can perform authentication

Redundancy
• Explicit proxy: proxy virtual IP pool shared across multiple proxies
• Transparent proxy: WCCP pool with multiple proxies
• Proxy chain: parent/child configuration points to proxy virtual IP addresses

Proxy management
• Management clustering for explicit proxy, transparent proxy, and proxy chain

Load balancers
• Explicit proxy: supported
• Transparent proxy: N/A
• Proxy chain: supported
Explicit Proxy: Pros and Cons

Pros:
• Best-practice configuration
• Fewer interoperability issues
• Routing issues are simpler
• Proxy can be located ‘anywhere’
• DNS lookups consolidated
• Easy to troubleshoot
• Easy, accurate authentication

Cons:
• Requires mature IT
• Management of end users
• Proxy can be bypassed by knowledgeable users if firewall not correctly configured

[Diagram: users (1, 2) connecting through the explicit proxy (3, 4) to the Internet.]
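The explicit-proxy exception handling from the comparison table, as an added example that is not part of the course or of Forcepoint's own software: a PAC file that steers Internet requests to Content Gateway on its default explicit port 8080, keeps internal destinations direct, and fails closed so that an unreachable proxy does not turn into the bypass listed under Cons. The proxy address 10.1.1.20, the internal DNS suffix .corp.example and the 10.0.0.0/8 range are assumed placeholders.

```javascript
// Added example: a PAC file for an explicit-proxy Content Gateway deployment.
// Assumed placeholders (not from the course): proxy 10.1.1.20, internal DNS
// suffix .corp.example, and the 10.0.0.0/8 internal address range.
var CONTENT_GATEWAY = "PROXY 10.1.1.20:8080"; // 8080 is the default explicit port

// Browsers inject the standard PAC helpers into the script's global scope.
// These guarded definitions keep the browser's versions when they exist and
// only supply minimal equivalents when the file runs outside a browser
// (for example in a unit test).
var isPlainHostName = (typeof isPlainHostName === "function") ? isPlainHostName :
  function (host) { return host.indexOf(".") === -1; };
var dnsDomainIs = (typeof dnsDomainIs === "function") ? dnsDomainIs :
  function (host, domain) {
    return host.length >= domain.length &&
      host.substring(host.length - domain.length) === domain;
  };
var isInNet = (typeof isInNet === "function") ? isInNet :
  function (ip, pattern, mask) {
    var a = ip.split("."), p = pattern.split("."), m = mask.split(".");
    if (a.length !== 4 || p.length !== 4 || m.length !== 4) return false;
    for (var i = 0; i < 4; i++) {
      if ((Number(a[i]) & Number(m[i])) !== (Number(p[i]) & Number(m[i]))) return false;
    }
    return true;
  };

// Exception management: destinations that must not be sent to the proxy.
// Only IP literals are matched against the internal range; dnsResolve() is
// deliberately avoided so the PAC never triggers a DNS lookup for every URL.
function isInternalDestination(host) {
  host = host.toLowerCase();
  if (isPlainHostName(host)) return true;               // e.g. "intranet"
  if (dnsDomainIs(host, ".corp.example")) return true;  // internal DNS suffix
  if (host === "127.0.0.1" || host === "::1") return true;
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) && isInNet(host, "10.0.0.0", "255.0.0.0");
}

function FindProxyForURL(url, host) {
  if (isInternalDestination(host)) return "DIRECT";
  // No "; DIRECT" fallback: if Content Gateway is unreachable the browser fails
  // closed instead of silently bypassing policy enforcement. The PAC only
  // steers cooperating clients; the egress firewall must still allow outbound
  // web traffic from the proxy alone, otherwise the bypass listed under Cons applies.
  return CONTENT_GATEWAY;
}
```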
Web Security Administration


Available User Interfaces

Security Manager
Console address: https://<IP address or hostname>:9443/manager/
For example: https://172.31.0.155:9443/manager/

Content Gateway Manager
Console address: https://<Appliance C interface IP address>:<adminport>
For example: https://172.31.152:8081

Appliance CLI
Access the appliance C interface via ssh

Forcepoint Security Appliance Manager
Console address: https://<IP address>:9443/cm/
For example: https://172.31.0.155:9443/cm/


Security Manager


Content Gateway Manager

records.config


Appliance CLI


Forcepoint Security Appliance Manager

• View, add, or delete supported appliances
• Monitor appliance status and resource utilization
• Configure some appliance settings


CLI vs Forcepoint Security Appliance Manager

CLI:
• Does not require installation
• Allows you to do all tasks

Forcepoint Security Appliance Manager:
• Requires installation
• Allows you to do quick configuration changes and a centralized health check
Forcepoint Security Appliance Manager 1.x

In AP-WEB 8.2 and below vs. in Web Security 8.5 (started in AP-WEB 8.3)

Not yet possible to do:
• Viewing statistics and remote access history
• Changing passwords
• Changing proxy settings for hotfixes
• Changing the policy source
• Create backups


Licensing: Subscription Key

Required to use Web Security features
• Consists of a text string
• Controls which features are available

Specified in Security Manager
• Policy domain must be configured correctly
• Automatically applied to Content Gateway (shared subscription)

Subscription data appears only after the Master Database is downloaded and processed

Deployment type / Subscription status / Effect:
• Web Security, Forcepoint URL Filtering / Subscription is consistently exceeded / You may be asked to increase your subscription limit
• All deployments / Subscription expires / Permitted or blocked based on the "Block users when subscription expires" setting


Shared Subscription Information


1.1.2: Download the Latest Database Updates and Verify Subscription

1. Initiate database download from the Dashboard.
2. Verify that the subscription information matches the following:
Delegated Administration


Delegated Administration Overview

[Diagram: a Global Security Administrator above Security Manager instances run by Super Administrators, who delegate to Delegated Administrators responsible for managed clients.]


Role Types

Delegated administration roles = clients + administrators
• Managed clients are clients in a delegated administration role
• A role can include multiple administrators

Role types:
• Super Administrator (Unconditional / Conditional)
• Delegated administration role: Policy management and reporting
• Delegated administration role: Investigative reporting


Permissions

[Three permission columns; the column headings are part of the graphic.]

• Policy management (Full policy, Exceptions only); Reporting; Deployment status; Real-Time Monitor; Content Gateway direct access; Auditor
• Conditional: Policy management (Full policy, Exceptions only); Real-Time Monitor; Auditor
• Create investigative reports; Use tools: URL Category, URL Access, Investigative User; View Dashboard charts; Auditor


Filters and Policies Administration

• Delegated administrators with the Policy and reporting role type can create as many new filters and policies as needed; they can also edit inherited policies and filters.
• Changes the Super Administrator makes to file types and protocols automatically affect the filters and policies in a delegated role.
• When editing filter components, there are limitations.
• If Filter Lock restrictions are in effect, there are additional categories or protocols that are blocked automatically.
• Only one administrator at a time can log on with Full policy or Exceptions-only permissions in the shared role.


Reporting Administration

• Administrators limited to reporting on managed clients can only access the investigative reports features
• Administrators with the Policy and reporting role have access to these permissions:


RECAP / Q&A

• Product functionalities
• Product components
• Sample deployments and best practices
• Product administration


Thank you!
(End of Module 1)
HOMEWORK

Complete all seven (7) lab activities belonging to 1.4: Perform Delegated Administration. Collect questions and/or key takeaways when performing the lab activities.

• 1.4.1: Configure User Directory Service Settings
• 1.4.2: Become Familiar with the Default Policy as a Super Admin
• 1.4.3: Become Familiar with the Categories and Protocols Blocked and Locked by Default
• 1.4.4: Configure Directory Service Settings for Administrator Accounts
• 1.4.5: Create Administrator Accounts
• 1.4.6: Create Delegated Administration Roles
• 1.4.7: Access Security Manager using Delegated Administration
HANDS-ON LAB
1.4: Perform Delegated Administration
1.4.1: Configure User Directory Service Settings
1. Navigate to Web > Settings > General > Directory Services.
2. Configure settings for Active Directory (Native Mode®).
3. Test the connection.
4. Save and deploy the changes.
1.4.2: Become Familiar with the Default Policy as a Super Admin
1. Go to Main > Policy Management > Policies to view the Default policy details.
2. Take note of the clients and schedule.
3. Examine the Category Filter column.
1.4.3: Become Familiar with the Categories and Protocols Blocked and Locked by Default
1. Go to the Filter Lock > Categories page. Notice the categories that are blocked and locked by default:
2. Go to the Filter Lock > Protocols page. Notice that P2P File Sharing and related apps are blocked and locked by default:
1.4.4: Configure Directory Service Settings for Administrator Accounts
1. Click to go to Global Settings > General > User Directory and set the Active Directory server.
2. Set the connection parameters.
3. Test the connection, and then click OK.
1.4.5: Create Administrator Accounts
1. Go to Global Settings > General > Administrators.
2. Create the infosec_admin local account.
3. Grant administrator access to AD users David Villa and Chad Smith.
1.4.6: Create Delegated Administration Roles
1. Go to Web > Main > Policy Management > Delegated Administration to create three roles with the following settings:

Role Name: Global executives
Role Type: Policy management and reporting
Administrator Account(s): David Villa
Clients: Executives; IT
Permission: Policy management > Full policy

Role Name: Intern (auditor)
Role Type: Policy management and reporting
Administrator Account(s): Chad Smith
Clients: Engineering
Permission: Policy management > Auditor

Role Name: IT reporting and auditing
Role Type: Investigative reporting
Administrator Account(s): infosec_admin
Clients: Accounting; Engineering; Executives; HR; IT
Permission: Reporting

2. Add administrator accounts to the role.
3. Add managed clients to the role.
4. Save and deploy the new roles.

(cont.) 1.4.6: Create Delegated Administration Roles
The role settings should match the following:
1.4.7: Access Security Manager using Delegated Administration
1. Log on to Security Manager using the following accounts (in the following order):
• csmith
• dvilla
• infosec_admin
Make sure to log off before using the next account.
2. Examine the options available.

Logged on as csmith (Intern role), having Auditor permission.
Logged on as dvilla (Global executives role), having Policy management permission (no reporting).
Logged on as infosec_admin (IT reporting and auditing role), having Limited reporting permission (Investigative Reports only).
Module 2:
Policy Enforcement and Filtering

Understanding filtering and analysis capabilities to meet an organization’s security needs


Module 2 Objectives

• Learn about the Default policy and components that manage requests from specific users or machines
• Discover the various filtering capabilities of Web Security, including Content Gateway advanced analysis and bypass features
• Understand what happens when a request is blocked


Module 2 Agenda

• Policy Management
• Advanced Analysis and Bypass Features
• Policy Enforcement


Policy Management


What are policies?

[Diagram: category filters, protocol filters, limited access filters, and a schedule together govern Internet access.]

Best Practice:
• Edit the Default policy first, to set the baseline for Internet access at your organization.
• Create custom policies as needed to provide the levels of access needed for different groups in your organization.


Filter Types

• Category Filters: define which website categories to apply filter actions to
• Protocol Filters: define which non-HTTP protocols to apply filter actions to
• Cloud App Filters: define which cloud applications to block or permit


Filter Actions

Category Filter Actions:
Protocol Filter Actions:
Cloud App Filter Actions:


Policy Planning

IT Security Team needs to work with HR to define appropriate access

How will policies be applied?
• Which ones are the target clients? Users, groups, IP addresses, networks, OUs
• Should most or least restrictive group settings be used?
• What should be included in the Default policy?

Define policy elements
• Filter(s) + schedule


Policy Creation: Policy Name/Description

[Steps: Policy Name and Description > Clients > Policy Definition]


Policy Creation: Clients

[Steps: Policy Name and Description > Clients > Policy Definition]
Client types: Computers, Networks, Directory


Policy Definition: Schedule and Filter Type

[Steps: Policy Name and Description > Clients > Policy Definition]


Predefined Filters vs Filter Templates

Category filter
• Predefined filters (seven): Basic, Basic Security, Block All, Default, Monitor Only, Permit All, Strict Security
• Filter templates (seven): Monitor Only, Permit All, Block All, Default, Strict Security, Basic Security, Basic

Protocol filter
• Predefined filters (four): Basic Security, Default, Monitor Only, Permit All
• Filter templates (four): Monitor Only, Permit All, Basic Security, Default

Cloud app filter
• Predefined filters (two): Basic Security, Monitor Only
• Filter templates: n/a

Can be deleted or modified? Predefined filters: yes, some of them. Filter templates: no.
Create new? Predefined filters: yes. Filter templates: no.


Advanced Analysis and Bypass Features with Content Gateway


SSL/TLS Support


SSL Encryption

(Diagram: a client browser connects to the secure site https://www.companyABC.com; the site presents its digital certificate, which the browser checks against its trusted CAs.)


Intercepting SSL Traffic with Content Gateway

(Diagram: Content Gateway placed between the client browser and the secure site https://www.companyABC.com; the site's digital certificate and the browser's trusted CAs are shown.)


Intercepting SSL: Trusted Man-in-the-Middle (MITM)

(Diagram: Content Gateway acting as a trusted man-in-the-middle between the client browser and https://www.companyABC.com.)


Content Gateway Data Flow

(Diagram: ARM → Proxy → HTTP/s sites)


KNOWLEDGE CHECK

QUESTION: Which two of the following descriptions best describe Content Gateway?
A. Like Network Agent, Content Gateway is a proxy through which clients connect to Web content.
B. Content Gateway provides the same functionalities as Network Agent.
C. Content Gateway is a proxy through which clients connect to Web content.
D. Content Gateway provides visibility into SSL encrypted Web traffic.

ANSWER: Answers are C and D.
Let’s Take a Break


Advanced Analysis and Bypass Features


Content Gateway Advanced Analysis and Bypass Features

Analyzes web traffic that is not blocked and is passing through the on-premises proxy

Uses a set of data files to perform the following advanced analysis features, in this order:
• Tunneled protocol detection
• Content categorization
• Content security
• File analysis
• Outbound security analysis
• Other options: Content Categorization and Scanning Sensitivity Level, Content Delay Handling, Scanning Timeout, Scan Size Limit, and Content Stripping

Supports bypass options:
• SSL decryption bypass
• Authentication bypass
• Content Gateway bypass

Allows exceptions


Content Categorization

Content Gateway classifies requests based on content, images, multimedia, and links.

Link Analysis extracts resources from a web page and performs individual filtering lookups for each link.


Tunneled Protocol Detection

Content Gateway analyzes traffic to discover protocols tunneled over HTTP, HTTPS, or traffic allowed to tunnel over specific ports.


Content Security and File Analysis

Content Gateway offers dynamic defense assessment focused on emerging web-based threats.


Outbound Scanning

Performs specialized data theft protection, analyzing for threats like bot and spyware phone-home traffic and blocking outbound custom encrypted files, password files, and other forms of sensitive data.


Content Gateway Analysis Exceptions

Hostname exceptions
• List of trusted or untrusted sites
• Always scanned or never scanned
• Content Gateway allows exceptions for tunneled protocol detection

Client exceptions
• List of trusted users that are never scanned
• Exception precedence


SSL Decryption Bypass

Bypass decryption and analysis of trusted clients, websites, and website categories


SSL Decryption Bypass using Content Gateway Manager

For sites requiring client certificates, configure Content Gateway to tunnel a specific URL
• Bypass traffic without decryption (default setting)

Add the client certificate and private key to Content Gateway
• Allows the proxy to provide the client certificate to the server


Authentication Bypass

Bypass Content Gateway user authentication for requests to selected cloud applications


Content Gateway Bypass

Bypass Content Gateway for all requests to any Office 365 product


HANDS-ON LAB 2.3: Test Advanced Filtering and Analysis

2.3.1: Configure Content Gateway for Windows Authentication and HTTPS Inspection
1. Access Content Gateway Manager from Security Manager.
2. Enable Integrated Windows Authentication and join the fpcert.com domain.
3. Enable HTTPS inspection.

2.3.2: Test Proxy File Scanning
1. In Client-W10, configure the Internet browser to use an explicit proxy.
2. Download test virus files via HTTP.
3. Check the Threats Dashboard for incidents.

2.3.3: Enable and Test Link Analysis
1. Enable link analysis.
2. In Client-W10, attempt to go to the following sites:
• http://testdatabasewebsense.com/realtime/mwos2.html
• http://testdatabasewebsense.com/realtime/MWSLA.html
• http://testdatabasewebsense.com/realtime/GamblingLA.html
3. Check the Threats Dashboard for incidents.

2.3.4: Test Search Filtering
1. On Security Manager, verify that search filtering is disabled (Web > Settings > General > Filtering > Search Filtering).
2. In Client-W10, launch a web browser, and then search for a word that will trigger the Adult content policy.
Result: Real-time Monitor > Link Analysis categorizes the request as Sex.

2.3.5: Configure Outbound Scanning
1. On Security Manager, ensure that Security Threats: Content Scanning is enabled.
2. Enable aggressive analysis.
3. On Client-W10, go to http://testdatabasewebsense.com/realtime/mwos.html and then click Submit Query.
Result: A block page should appear.

2.3.6: Adjust Content Scanning Sensitivity Level
Modify the sensitivity level, re-run some of the earlier tests, and see if the results differ.
Web > Settings > Scanning > Scanning Options > Advanced Options
Policy Enforcement


Policy Enforcement

(Diagram: client requests reach the Filtering Service; using user authentication and user identity, the Master DB and ACE, the Filtering Service selects the policy and applies the filter action.)


User Identification

(Diagram: User Identification → Web Security Policy → Enforcement)

User identification methods:
• XID agent
• Manual authentication using network credentials
• Content Gateway user authentication


Manual Authentication



Content Gateway User Authentication

(Diagram: the authentication methods IWA, Legacy NTLM, LDAP, RADIUS and rule-based authentication feed Content Gateway User Authentication, which feeds Policy Enforcement.)


Enforcement Process

i. Verify subscription compliance.
ii. Determine which exception or policy applies.
iii. Filter the request based on the exception or policy action.

Policy lookup order: 1. User, 2. IP address, 3. Groups, 4. Domain (OU), 5. The Default policy


Filtering Order

(Flowchart)
Cloud App Filtering: policy matches? Yes → Filtering Result (for example: Block Page)
No → Category Filtering: policy matches? Yes/No → Filtering Result


URL Filtering: Step 1

(Flowchart)
Permit All? Yes → Permit/Display URL
No → Block All? Yes → Block URL
No → Limited Access Filter? Yes → Permitted Sites? Yes → Permit/Display URL; No → Block URL
No → continue with step 2


URL Filtering: Steps 2-5

(Flowchart)
Non-HTTP data requested? Yes → Permitted Protocol? Yes → Permit/Display URL; No → Block URL
No → Unfiltered URLs? Yes → Permitted Sites → Permit/Display URL
No → Re-classified URLs? Yes → Determine Action
No → Master DB → Determine Action
Determine Action → Permit/Display URL or Block URL


URL Filtering: Steps 6-9

(Flowchart)
Permitted Category? No → Block URL
Yes → Restricted File Type? Yes → Block URL
No → Restricted Keyword? Yes → Block URL
No → Blocked Bandwidth? Yes → Block URL
No → Permit/Display URL


URL Filtering: Step 10

(Flowchart)
Permitted? Yes → Permit/Display URL
No → Confirm? Yes → Click Continue? Yes → Permit/Display URL; No → Block URL
No → Quota Time? Yes → Use Quota Time? Yes → Permit for a limited time; No → Block URL
No → Block URL


Category Filtering Enforcement Order

1. User
2. Computer (IP address)
3. Network (IP address / range)
4. Group
5. Organizational Unit (OU)
6. Default Policy
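The client precedence above and the URL filtering steps of the preceding slides, modelled as an added example in Python (this is not Forcepoint code; the Policy and Client types, the assignment layout and every sample user, host and category are constructed for illustration, and step 2 (non-HTTP protocols) and step 9 (bandwidth) are left out):

```python
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse
Client = namedtuple("Client", "user ip groups ou", defaults=((), ""))

@dataclass
class Policy:
    name: str
    mode: str = "filter"  # "permit_all", "block_all", "limited_access" or "filter"
    permitted_sites: set = field(default_factory=set)  # Limited Access filter sites
    blocked_categories: set = field(default_factory=set)
    quota_categories: set = field(default_factory=set)
    blocked_file_types: set = field(default_factory=set)
    blocked_keywords: set = field(default_factory=set)

def resolve_policy(client, assignments, default):
    """Client precedence from the slides: user, computer IP, network, group, OU, Default."""
    if client.user in assignments.get("user", {}):
        return assignments["user"][client.user]
    if client.ip in assignments.get("computer", {}):
        return assignments["computer"][client.ip]
    for net, policy in assignments.get("network", {}).items():
        if ip_address(client.ip) in ip_network(net):
            return policy
    for group in client.groups:
        if group in assignments.get("group", {}):
            return assignments["group"][group]
    if client.ou in assignments.get("ou", {}):
        return assignments["ou"][client.ou]
    return default

def filter_url(policy, url, master_db, unfiltered, recategorized, quota_remaining=0):
    """Walk the URL filtering steps; returns "permit", "block" or "permit_limited".
    Step 2 (non-HTTP protocols) and step 9 (bandwidth) are not modelled."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if policy.mode == "permit_all":  # step 1: Permit All / Block All / Limited Access
        return "permit"
    if policy.mode == "block_all":
        return "block"
    if policy.mode == "limited_access":
        return "permit" if host in policy.permitted_sites else "block"
    if host in unfiltered:  # step 3: unfiltered URLs skip all further checks
        return "permit"
    # Steps 4-5: a recategorized URL wins over the Master Database category.
    category = recategorized.get(host) or master_db.get(host, "Uncategorized")
    if category in policy.blocked_categories:  # step 6: category action
        return "block"
    name = parsed.path.rsplit("/", 1)[-1]  # step 7: restricted file type
    if "." in name and name.rsplit(".", 1)[-1].lower() in policy.blocked_file_types:
        return "block"
    if any(word in url.lower() for word in policy.blocked_keywords):  # step 8
        return "block"
    if category in policy.quota_categories:  # step 10: quota time
        return "permit_limited" if quota_remaining > 0 else "block"
    return "permit"

# Constructed sample data, not a real deployment.
DEFAULT = Policy("Default", blocked_categories={"Gambling"}, quota_categories={"Social Networking"},
                 blocked_file_types={"exe"}, blocked_keywords={"casino"})
ASSIGNMENTS = {
    "user": {"alice": Policy("Execs", mode="permit_all")},
    "network": {"10.20.0.0/16": Policy("Kiosk", mode="limited_access",
                                        permitted_sites={"intranet.example"})},
    "group": {"Finance": Policy("Finance", blocked_categories={"Gambling", "Social Networking"})},
}
MASTER_DB = {"bet.example": "Gambling", "chat.example": "Social Networking", "social.example": "Social Networking"}
UNFILTERED = {"updates.example"}
RECATEGORIZED = {"social.example": "Business"}  # an admin-recategorized host

def decide(client, url, quota_remaining=0):
    policy = resolve_policy(client, ASSIGNMENTS, DEFAULT)  # returns (policy name, action)
    return policy.name, filter_url(policy, url, MASTER_DB, UNFILTERED, RECATEGORIZED, quota_remaining)
```

Note that carol's Finance policy blocks Social Networking, yet social.example is permitted for her because the recategorized entry (step 4) replaces the Master Database category before step 6 runs.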


RECAP / Q&A
 Policy management
 Advanced analysis
 Policy enforcement

Thank you!
(End of Module 2)


Module 3: Monitoring Web Security Activities


Maximizing the available reporting options to gain actionable insights about your environment


Module 3 Objectives

Be informed about various activities through notifications and alerts

Use the various reporting options appropriately to gain important insights about your environment


Module 3 Agenda

 Notifications and Alerts

 Reports


Notifications and Alerts


Web Security Alerts

Three main types:
• System alerts
• Usage alerts
• Suspicious activity alerts

To ensure that administrators are notified of significant events, configure alerts to be distributed by email or via SNMP trap.

By default, the alert limit is 100 alert messages per type, per day.


Health Alerts


Suspicious Activity Alerts


Usage Alerts


Category Usage Alerts


Protocol Usage Alerts


Audit Log


Appliance Alerts and Notifications

Sent via SNMP (Configuration > Alerting)

Use a monitoring server to monitor standard SNMP counters on the appliance
Send traps from the appliance to the SNMP server using the Appliance MIB file (included)


Let’s Take a Break


Reports


Reporting Overview

 Review Internet activity and gain insights
 Evaluate the effectiveness of web policies
 Investigate activity associated with specific conditions in an interactive way
 Identify areas for potential future investment in other communication technologies

Reporting tools:
Legacy Report: Presentation Report, Investigative Report, Application, Advanced File Analysis Report
Report Center: Report Catalogue, Report Builder, Transaction Viewer, Scheduler


Prerequisites

 Log Server must be deployed to enable reporting features (except Real-Time Monitor)

 Internet filtering activity logs must be enabled

 Adequate and capable computing resources (processor, available memory, some network resources)


Considerations

 Use a custom port to connect to the Log Database

 Use SSL to connect to the Log Database

 Configure distributed logging


Log Server

 A Windows-only service that logs data about internet requests
 Is typically installed on the management server
 Stores its configuration information in the LogServer.ini file
 Main purpose is to take Filtering Service log records and insert them into a SQL Server database

(Diagram: Filtering Service → Log Server → SQL Server; Log Server also talks to Policy Server and User Service)
• Filtering Service initiates a TCP/IP connection to the Log Server and establishes a logging session with it.
• Log Server maintains a pool of shared ODBC database connections.
• Log Server shuts down if either Policy Server or the Log Database is unreachable during initialization.
• For detailed reporting, Log Server contacts User Service to obtain an end user’s full name and group assignments.
Log Server Cache Files

CSV format, one log record per line (configurable via Settings > Reporting > Log Server)

Default fields:
Version, Source Server IP, Time, Disposition, Source Address, Destination Address, Protocol, Full URL, Port, Category, Application Type, Bytes Sent, Bytes Received, Duration, Keyword, User Path
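An added example (not Forcepoint code) that parses cache records in the default field order above and runs two checks over them: blocked requests per category, and users whose permitted outbound bytes exceed a threshold. The sample lines, disposition values, addresses and the user-path layout are constructed for illustration, not real Log Server output.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO

# Field order as listed on the "Log Server Cache Files" slide.
FIELDS = ["version", "source_server_ip", "time", "disposition", "source_address",
          "destination_address", "protocol", "full_url", "port", "category",
          "application_type", "bytes_sent", "bytes_received", "duration",
          "keyword", "user_path"]

# Constructed sample records. Disposition values, categories, addresses and the
# user path format are invented for illustration.
SAMPLE_CACHE = """\
1,10.0.0.5,2020-03-02 09:15:01,Permitted,10.0.1.20,192.0.2.10,HTTP,http://news.example/,80,News and Media,Browser,512,48120,2,,LDAP://fpcert.com/CN=alice
1,10.0.0.5,2020-03-02 09:16:40,Blocked,10.0.1.21,198.51.100.7,HTTPS,https://bet.example/,443,Gambling,Browser,300,0,0,casino,LDAP://fpcert.com/CN=bob
1,10.0.0.5,2020-03-02 09:17:02,Permitted,10.0.1.21,203.0.113.9,HTTPS,https://share.example/upload,443,File Download Servers,Browser,7340032,1024,45,,LDAP://fpcert.com/CN=bob
1,10.0.0.5,2020-03-02 09:18:11,Blocked,10.0.1.22,198.51.100.7,HTTP,http://bet.example/,80,Gambling,Browser,280,0,0,,LDAP://fpcert.com/CN=carol
1,10.0.0.5,2020-03-02 09:19:55,Permitted,10.0.1.21,203.0.113.9,HTTPS,https://share.example/upload,443,File Download Servers,Browser,9437184,1100,60,,LDAP://fpcert.com/CN=bob
"""


def parse_cache(text):
    """Parse cache-file text (one CSV record per line) into dicts keyed by FIELDS."""
    records = []
    for row in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        if row["user_path"] is None:  # short or malformed line: skip it
            continue
        for key in ("port", "bytes_sent", "bytes_received", "duration"):
            row[key] = int(row[key])
        row["user"] = row["user_path"].rsplit("CN=", 1)[-1]  # assumed path layout
        records.append(row)
    return records


def blocked_by_category(records):
    """Count blocked requests per category: a quick view of what the policies stop."""
    return Counter(r["category"] for r in records if r["disposition"] == "Blocked")


def heavy_uploaders(records, threshold_bytes):
    """Users whose permitted outbound bytes exceed the threshold; a simple
    data-theft tripwire built from the Bytes Sent field."""
    totals = defaultdict(int)
    for r in records:
        if r["disposition"] == "Permitted":
            totals[r["user"]] += r["bytes_sent"]
    return {user: total for user, total in totals.items() if total > threshold_bytes}


def summarize(text, threshold_bytes=1_000_000):
    """Run both checks over one cache file's text."""
    records = parse_cache(text)
    return {
        "records": len(records),
        "blocked": dict(blocked_by_category(records)),
        "heavy_uploaders": heavy_uploaders(records, threshold_bytes),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_CACHE))
```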


Log Database

Stores the records of Internet activity and the associated filtering actions

Includes one catalog database and one standard logging partition database, by default

Multiple standard logging partition databases are created as Internet activity is recorded

Has a collection of five jobs each with its own functionality inside the Log Database



Presentation Reports

Provide bar charts, trend charts, and tabular reports in HTML, PDF, or Microsoft Excel (XLS) format

Report Catalog organizes reports and templates into related report categories

Subscription determines the report categories.


Investigative Reports

Allow admins to perform analysis on the web traffic via summary and drill-down reporting

Based on a Perl CGI application deployed on an Apache HTTPD web server (AKA "httpd")

Allows analysis of Internet activity in an interactive way

Initial view shows a summary report of activity by risk class

Supports IPv6 for source and destination IP addresses.


Applications (Browsers and OS) Report

Review client apps, operating systems, and cloud applications used in your network


Advanced File Analysis Reporting

(Diagram: Web Security → Web Sandbox module → Threat Protection Appliance (a.k.a. Forcepoint Advanced Malware Detection Appliance for Web))


Report Center

Allows admins to create flexible reports with up to two levels of grouping that can be used for analysis of logging data, including cloud apps data

Features these reporting tools:
• Report Catalog
• Report Builder
• Transaction Viewer
• Scheduler


Thank you!
(End of Module 3)


Module 4: Disaster Response and Recovery


Understanding incidents and leveraging Web Security to respond to incidents such as minor disasters


Module 4 Objectives

Use appropriately the ideas and guidelines related to incident management and disaster recovery

Identify system health monitoring capabilities


Module 4 Agenda

 Incident Response

 System Health

 Disaster Recovery


System Health


Web Security Alerts

Active Alerts
Shows the status of monitored Web Security components

Real-Time Security Updates
Provides information about emergency updates to the Forcepoint Master Database


Active Health Alerts

Shows component alert and status messages

If an error or warning appears in the summary, click the alert message to open the Alerts page, where more detailed information is available

Information in Health Alerts is updated every 30 seconds


Appliance Health

Appliance CLI commands:
# show appliance status
# show email
# show networkagent
# show proxy
# show web
# show cpu
# show mem
# show diskio
# show diskspace
# show bandwidth


Updates


Web Security Updates

Forcepoint.com
• Product Installers
• Patches & Hotfixes
• Upgrades

 What version is my installation on?
• Security Manager
• Content Gateway Manager
• Appliance CLI


Web Security Upgrades

 Download each from https://support.forcepoint.com/Downloads

 Always check for additional notes

 The MD5 of the executable is always provided; make sure to verify the integrity of the downloaded file against it

 Installers for other OSs are also found in this section, along with any additional file not included in the compiled (full) installer


Web Security Hotfixes

 Download and install product hotfixes from https://support.forcepoint.com/Downloads

 These updates come in a single package
• Download them onto the applicable server and extract to a temporary location
• There is no automated way to track them; keep your own log
• Always read the included Read Me file: special instructions as well as specific service restarts are included in this text file
• Run a backup before any file change!


Disaster Recovery


Disasters

• Major disasters: the outage is widespread; they occur mostly without warning, some with little warning
• Minor disasters: impact a server or an app; many minor disasters provide a sense of warning
• Natural disaster
• Can damage reputation


Planning, Implementing and Testing

Planning
 Do a self-assessment to identify mission- and business-critical apps/servers and channels that need protection.

Implementing
 Consider all areas: protection, cloud services, communication servers and others.

Testing
 Is backup and recovery sufficient?


Will traffic still flow if Web Security components go down?

(Diagram: traffic path through the Web Security components to the Internet)


Web Security Disaster Recovery Options

Recover from a disaster with successful backups
• Knowing what to back up is critical

Backup locations:
• Appliance backups
• Security Manager backups
• Web Security backups
• Content Gateway Manager snapshots


Appliance Backup: Backup Options

Two backup options in V Series Appliances

Option 1: Remote Backup
• Full Backup
• Web Security
• Can be scheduled

Option 2: Local Backup
• Full Backup
• Web Security
• Can be scheduled

Appliance CLI: # create backup schedule


Security Manager Backup

 Disabled by default
Needs extra configuration: backup directory, credentials, etc.
 Part of the Windows task scheduler
 Backs up all Web Security configuration
Located in C:\Program Files (x86)\Websense\EIP Infra\
 Task executes EIPBackup.vbs

IMPORTANT: This backup does NOT save any Web Security settings.


Security Manager Backup Example

An EIPBackup directory is created the first time the Windows backup task runs
• Inside this folder are the different backups sorted by time stamps

The backup files include certificates, databases and other Apache/Tomcat configuration files

IMPORTANT: This backup does NOT save any Web Security settings.


Web Security: Backup Mechanism

PGSetup
• Saves a copy of the Policy Database and client objects
• Only runs on Policy Broker machines
• Runs from the command line:
PgSetup --save FileName.db
PgSetup --save \\Server\Directory\File_Path\

WSBackup
• Saves a copy of all configuration files and folders needed to restore a Web Security installation
• Can be scheduled
• Exports two files:
 Backup configuration parameters
 Compressed file with all files backed up in .tar.gz format


Web Security: Backup using WSBackup

Windows syntax:
wsbackup -b -d <directory>
• To schedule a backup:
wsbackup -s -t "<m> <h> <day_of_month> <month> <day_of_week>" -d <directory>

Linux syntax:
./wsbackup -b -d <directory>
• Make sure to export the libraries first:
export LD_LIBRARY_PATH=
• To schedule a backup:
./wsbackup -b -s -t "<m> <h> <day_of_month> <month> <day_of_week>" -d <directory>


Content Gateway Backup: Snapshots

Save and restore proxy configurations

IMPORTANT: A restart is required for restored snapshots to take full effect.


Appliance Restore

Two restore options available in V-Series appliances:

Option 1: Restore from Remote Server
• Full Appliance
• Web Security configuration

Option 2: Restore from Local Backup
• Full Appliance
• Web Security

Appliance CLI: # restore backup


Security Manager Restore

 Use the Forcepoint Security Setup > Use Backup data option

 Running this tool will overwrite any existing configuration


Web Security Restore

WsBackup
• Restores configuration of previously installed components
• Cross-platform restore is not supported
• Syntax:
wsbackup -r -f <restore_file>
(-r is the restore flag; -f takes the directory and file name of the restore file)

PgSetup
• PgSetup --restore FileName.db


Content Gateway Restore

Easily restores previously saved Proxy configuration



RECAP / Q&A

- End of the Course -