<p>forcepoint.com</p><p>Forcepoint Web Security</p><p>Administrator - Module 2</p><p>Student Guide</p><p>Rev: CA0300</p><p>Public</p><p>© 2020 Forcepoint. Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.</p><p>All other trademarks used in this document are the property of their respective owners.</p><p>This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or</p><p>reduced to any electronic medium or machine-readable form without prior consent in writing</p><p>from Forcepoint. Every effort has been made to ensure the accuracy of this manual. However,</p><p>Forcepoint makes no warranties with respect to this documentation and disclaims any implied</p><p>warranties of merchantability and fitness for a particular purpose.</p><p>Forcepoint shall not be liable for any error or for incidental or consequential damages in</p><p>connection with the furnishing, performance, or use of this manual or the examples herein. The</p><p>information in this documentation is subject to change without notice.</p><p>2 > 3</p><p>© 2020 Forcepoint Public</p><p>Module 2:</p><p>Policy Enforcement</p><p>and Filtering</p><p>4 > 5</p><p>Public © 2020 Forcepoint 137</p><p>Module agenda</p><p>This module contains the following topics:</p><p> Policy Management</p><p> Advanced Analysis and Bypass Features with Content Gateway</p><p> Policy Enforcement</p><p>The way we are going to meet this module’s objectives is through these topics.</p><p>6 > 7</p><p>A policy is a culmination of rules that determine how and when users, groups of users, or IP</p><p>addresses in your network access websites and Internet applications. 
At their simplest,</p><p>policies are made up of:</p><p>• Category filters, used to apply actions to URL categories</p><p>• Protocol filters, used to apply actions to Internet protocols</p><p>• Cloud app filters, used to apply actions to cloud applications</p><p>• A schedule used to determine when each filter is enforced</p><p>Public © 2020 Forcepoint 139</p><p>Clients</p><p>Schedule</p><p>Filters</p><p>Policy</p><p>What are policies?</p><p>Best Practice:</p><p>• Edit the Default policy first, to set the baseline</p><p>for Internet access at your organization.</p><p>• Create custom policies as needed to provide the</p><p>levels of access needed for different groups in</p><p>your organization.</p><p>8 > 9</p><p>• Begins monitoring Internet usage as soon as soon as a valid subscription key is</p><p>applied</p><p>• Controls Internet access for all clients not governed by another policy</p><p>• Permits all requests initially</p><p>The Web Security Master Database organizes similar Web sites (identified by URLs and IP</p><p>addresses) into categories. Each category has a descriptive name, like Adult Material,</p><p>Gambling, or Peer-to-Peer File Sharing. You can also create your own, custom categories</p><p>to group sites of particular interest to your organization. Together, the Master Database</p><p>categories and user-defined categories form the basis for Internet filtering. These</p><p>categories may be allowed or blocked depending on the preferences of the organization.</p><p>Create limited access filters to block access to all but a specified list of sites for certain</p><p>users.</p><p>In addition to housing URL categories, the Master Database includes protocol groups used</p><p>to manage non-HTTP Internet traffic. 
Each protocol group defines similar types of Internet</p><p>protocols (like FTP or IRC) and applications (like AOL Instant Messenger or BitTorrent).</p><p>The definitions are verified and updated as frequently as nightly.</p><p>With Web Security, it is possible to filter non-HTTP protocols that tunnel over HTTP ports</p><p>using Content Gateway. You can also use Network Agent to enable policy enforcement for</p><p>additional protocols. Learn more about Content Gateway analysis and policy enforcement</p><p>in general in succeeding sections.</p><p>A Cloud Apps database that includes a list of cloud applications is included with Web</p><p>Security for use in managing access to cloud applications.</p><p>Public © 2020 Forcepoint 140</p><p>Filter Types</p><p> Category Filters</p><p>Define which website categories</p><p>to apply filter actions</p><p> Protocol Filters</p><p>Define which non-HTTP protocols</p><p>to apply filter actions</p><p> Cloud App Filters</p><p>Define which cloud applications</p><p>to block or permit</p><p>10</p><p>better coverage through these</p><p>capabilities:</p><p>For example, a page that is categorized as desirable may have links to sites known to be</p><p>undesirable. By analyzing these links, the page can be more accurately categorized. In</p><p>addition,</p><p>link analysis can find malicious links embedded in hidden parts of a page and can detect</p><p>pages returned by image servers that link thumbnails to undesirable sites.</p><p>Consider the Google image results page. Google’s image search is commonly used to</p><p>circumvent filtering because all images are served from Google itself instead of the original</p><p>origin server. To a filter, it looks like a benign set of search results from Google since the</p><p>links to the actual images are embedded in scripts. The page has links that take the user to</p><p>the original content, but the thumbnails come from Google</p><p>itself. 
Employing Link Analysis on the page, Content Categorization could determine whether</p><p>the search was for objectionable content or not.</p><p>Link Analysis utilizes the existing filtering infrastructure to perform individual WISP lookups</p><p>for each link, process that we explained earlier in this section. The Category-Only Filtering</p><p>Service WISP Message used for doing a URL database lookup that has some important</p><p>features:</p><p>60 > 61</p><p>6. ANT_Server writes the scan result to the socket. In return, WTG Plugin reads the scan</p><p>result and sends the category for policy lookup through Websense Integrated Service</p><p>Protocol (WISP).</p><p>NOTE:</p><p>WISP also receives requests from other networking components.</p><p>7. WTG Plugin informs Content Gateway of the policy decision.</p><p>8. Content Gateway sends a block page or the requested web page.</p><p>62 > 63</p><p>Content Security is an advanced and highly dynamic defense assessment focused on</p><p>emerging threats that are web-based, fast moving and use exploit code, browser plug-ins,</p><p>malicious JavaScript, ActiveX, shell code, exploit kits, cross-site scripts (XSS) and other</p><p>malicious content.</p><p>These are the kinds of threats that are often used for drive-by infections and other web</p><p>page-based attacks. This area of malware activity is constantly moving and very dynamic.</p><p>They are used by broad, mass-market attacks designed to infect as many people as</p><p>possible, zero-day threats, and targeted Advanced Persistent Threats (APTs).</p><p>Content Security also provides additional outbound defense services within ACE, including</p><p>the identification of call-home botnet activity to command as well as control servers that are</p><p>then captured in the Bot Networks or Advanced Malware Command and Control</p><p>categories. 
In this way, Content Gateway can support both proactive defenses as well as</p><p>network monitoring of activity that can help identify already infected systems that may</p><p>connect to the network.</p><p>Public © 2020 Forcepoint 184</p><p>Content Security and File Analysis</p><p>Content Gateway offers</p><p>dynamic defense assessment</p><p>focused on emerging web-</p><p>based threats.</p><p>64 > 65</p><p>Scanning exceptions are lists of trusted or untrusted sites (hostnames and URLs) that are</p><p>never analyzed or always analyzed. The type of analysis to never or always perform is</p><p>specified per hostname or URL, or group of hostnames and URLs. You can also create a</p><p>list</p><p>of trusted client IP addresses whose content is never analyzed.</p><p>Hostname Exceptions</p><p>Scanning exceptions are lists of trusted or untrusted sites (host or domain names) that are</p><p>never scanned or always scanned.</p><p>The Never Scan and Always Scan lists are used to refine the behaviour of content</p><p>categorization, tunnelled protocol detection, security threats (content scanning and file</p><p>scanning), and content stripping.</p><p>Client Exceptions</p><p>Use the Client Exceptions list to identify trusted users (that is, client IP addresses) whose</p><p>outbound content is never scanned.</p><p>Public © 2020 Forcepoint 186</p><p>Content Gateway Analysis Exceptions</p><p> Hostname exceptions</p><p>• List of trusted or untrusted sites</p><p>• Always scanned or never scanned</p><p>• Content Gateway allows exceptions for tunneled</p><p>protocol detection</p><p> Client exceptions</p><p>• List of trusted users that are never scanned</p><p>• Exception precedence</p><p>66 > 67</p><p>Some organizations do not prefer, or by law are not allowed, to decrypt HTTPS connections</p><p>between employees and their personal banks, health providers, and other destinations they</p><p>are likely to contain private information. 
To keep such user data private, specify website</p><p>categories that will bypass SSL decryption.</p><p>To enable the speedy configuration of allowing users to communicate directly with such sites,</p><p>Forcepoint identifies certain categories as “Privacy Categories” that you can select</p><p>individually or all at once, as a group.</p><p>68 > 69</p><p>Use Configure > SSL > Incidents > Add Website to specify sites that you want to allow,</p><p>blacklist, or tunnel. Sites that are added manually are assigned chronological Ticket IDs.</p><p>These appear on the Incident List.</p><p>1. Enter the URL of the site you are adding to the Incident List.</p><p>NOTE:</p><p>When specifying an IPv6 address, do not enclose the address in square brackets ([]).</p><p>2. Select one of the following options:</p><p>• By Certificate: Provides greater security. If you add a site by certificate, clients</p><p>cannot bypass the policy by using the IP address rather than the URL.</p><p>When you select By Certificate, Content Gateway retrieves the server certificate and</p><p>adds the site to the Incident List. If sites are blocked by certificates, wildcard</p><p>certificates are not accepted, even if the common name is recognized.</p><p>• By URL: Allows you to tunnel, allow, or blacklist the site.</p><p>3. In the Action dropdown list, specify if the site should be added with Tunnel, Allow, or</p><p>Blacklist status.</p><p>• Tunnel: (Valid for By URL only) The site is tunneled. Traffic is not decrypted and</p><p>Content Gateway does not check the certificate.</p><p>IMPORTANT:</p><p>Alternatively, Tunnel by URL does not work for all transparent proxy requests.</p><p>It works under these conditions:</p><p>o When the client application uses TLS and includes an SNI (server name</p><p>indication), Content Gateway checks the Incident list for the hostname in the SNI.</p><p>o When there is no SNI, Content Gateway connects to the origin server to retrieve</p><p>the certificate. 
If the Common Name is a unique FQDN, Content Gateway looks it</p><p>up in the Incident list. If the Common Name contains a “*” (wildcard), or is not a</p><p>unique FQDN, Content Gateway looks for the IP address in the Incident list.</p><p>Alternatively, use ARM to direct requests from certain clients or to particular origin</p><p>servers around the proxy. Unlike dynamic bypass rules that are purged when you</p><p>restart the proxy, Configure bypass rules these static bypass rules are saved in a</p><p>configuration file (bypass.config). The bypass.config file contains static bypass</p><p>rules that Content Gateway uses in transparent proxy mode. Static bypass rules</p><p>instruct Content Gateway to bypass certain incoming client requests so that they</p><p>are served by the origin server.</p><p>70 > 71</p><p>With Authentication Bypass, Web Security can support the ability to bypass Content</p><p>Gateway user authentication for requests to selected cloud applications.</p><p>Requests to selected applications will bypass the authentication process configured in</p><p>Content Gateway Manager.</p><p>Authentication bypass for Office 365 is supported with explicit proxy deployments.</p><p>Transparent proxy deployments are supported only if Content Gateway bypass for</p><p>Office</p><p>365 and SSL decryption bypass for Office - Collaboration categories are not enabled.</p><p> Refer to the next section, Policy Enforcement > User Identification and Content Gateway</p><p>User Authentication, for details about user identification.</p><p>Public © 2020 Forcepoint 189</p><p>Authentication Bypass</p><p>Bypass Content Gateway user</p><p>authentication for requests to selected</p><p>cloud applications</p><p>72 > 73</p><p>In this lab, you will configure Integrated Windows Authentication (IWA) and test whether a</p><p>user-attempt to override content filtering by entering an alternate set of user credentials is</p><p>successful. 
You will also configure SSL inspection.</p><p>NOTE:</p><p>In the Web Security lab environment, the DC Agent component is already installed.</p><p>The secondary Policy Server that is running on the appliance already points to the instance</p><p>of DC Agent available on the Forcepoint Security Manager VM.</p><p>While managing Policy Server 172.31.0.155, checking the Web > Settings > General ></p><p>User Identification page will indicate that the DC Agent is already installed.</p><p>IWA applies the following authentication methods (in order):</p><p>Kerberos  NTLMv2  Basic Auth</p><p>If authentication fails, then IWA falls back to the XID methods configured—could either be</p><p>DC Agent or Logon Agent. In the case where both are running, the Logon Agent XID map</p><p>takes precedence as this agent updates the map every 15 minutes in “Persistent Mode”.</p><p>Consequently, to apply policies to individual users and groups, Web Security must be able</p><p>to obtain user, group, domain, and organizational-unit information from your directory</p><p>service. Access to Active Directory is ready, as you completed in lab exercise</p><p>1.4.1. Configure User Directory Service Settings. If you have not done so, please go back</p><p>and follow the steps in order to complete the exercises in this module.</p><p>Hands-on lab</p><p>2: Filtering</p><p>2.1 Understanding Forcepoint-</p><p>defined Filters</p><p>2.2 Customizing Filters</p><p>2.3 Testing Advanced Filtering and</p><p>Analysis</p><p>2.4 Testing HTTPS Inspection</p><p>74 General > Content Gateway Access screen, and then click</p><p>Log On.</p><p>A new browser tab opens which displays the Content Gateway Manager default</p><p>screen (Monitor tab > Summary).</p><p>NOTE:</p><p>Check that your browser allows pops from Security Manager.</p><p>Alternatively, open Google Chrome, go to https://172.31.152:8081, and then log on</p><p>using the admin/Forcepoint1! 
credential to launch Content Gateway Manager.</p><p>Public © 2020 Forcepoint 193</p><p>2.3.1: Configure Content Gateway for Windows Authentication</p><p>1. Access Content Gateway Manager from Security Manager.</p><p>2. Enable Integrated Windows Authentication</p><p>and join the fpcert.com domain.</p><p>Forcepoint Web Security Administrator Course (Module 2) >> 75</p><p>2. In Content Gateway Manager, enable Integrated Windows Authentication.</p><p>a. Go to the Configure > My Proxy > Basic > General tab > Features table.</p><p>b. Scroll down to the Authentication section, and then set Integrated Windows</p><p>Authentication to On.</p><p>c. Click Apply and then Restart for changes to take effect.</p><p>d. After Content Gateway is restarted, join the fpcert.com domain.</p><p>e. Still accessing Content Gateway Manager, scroll down and click the Configure link</p><p>next to Integrated Windows Authentication.</p><p>The Integrated Windows Authentication screen appears. Alternatively, you can open</p><p>this screen by navigating to Configure > Security > Access Control.</p><p>f. Type the following details:</p><p>• Domain Name: fpcert.com</p><p>• Administrator Name: Administrator</p><p>• Administrator Password: Forcepoint1!</p><p>• DC name or IP address: dc.fpcert.com</p><p>• Content Gateway Hostname: webva-1-wcg.fpcert.com</p><p>Refer to the screenshot above to ensure that your settings match the intended</p><p>configuration.</p><p>g. Click Join Domain.</p><p>When successful, a message similar to the above screenshot appears.</p><p>h. Go to the Configure > My Proxy > Basic > General tab, and then click Restart.</p><p>The proxy now has Integrated Windows Authentication enabled. Proceed to the next lab</p><p>activity.</p><p>76 > 77</p><p>The Content Categorization scanning option can include the analysis of URL links</p><p>embedded in a page. Such analysis can provide more accurate categorization of certain</p><p>types of pages. 
For example, a page that otherwise has little or no undesirable content but</p><p>has links to sites known to be undesirable, can itself be more accurately categorized.</p><p>URL link analysis can find malicious links embedded in hidden parts of a page and can</p><p>detect pages returned by image servers that link thumbnails to undesirable sites.</p><p>In this activity, you will enable and test content link analysis.</p><p>1. Enable link analysis (Analyze links embedded in Web content as part of content</p><p>categorization) on the Security Manager > Web > Settings > Scanning > Scanning</p><p>Options screen.</p><p>2. Still accessing Windows_test_client, go to the following URLs at</p><p>http://testdatabasewebsense.com and verify that the page is categorized correctly</p><p>through Real-Time Monitor.</p><p>• http://testdatabasewebsense.com/realtime/mwos2.html</p><p>• http://testdatabasewebsense.com/realtime/MWSLA.html</p><p>• http://testdatabasewebsense.com/realtime/GamblingLA.html</p><p>3. Check Threats Dashboard to look for related incidents.</p><p>Public © 2020 Forcepoint 195</p><p>2.3.3: Enable and Test Link Analysis</p><p>1. Enable link analysis.</p><p>2. In Windows_test_client, attempt to go to the following sites:</p><p>• http://testdatabasewebsense.com/realtime/mwos2.html</p><p>• http://testdatabasewebsense.com/realtime/MWSLA.html</p><p>• http://testdatabasewebsense.com/realtime/GamblingLA.html</p><p>3. Check Threats Dashboard for incidents.</p><p>78 Web > Settings</p><p>> Scanning > Scanning Options, and ensure that Security</p><p>Threats: Content</p><p>Scanning is enabled.</p><p>2. Select Aggressive analysis - Perform advanced security analysis…, and then save.</p><p>3. 
Accessing the Windows_test_client VM, go to</p><p>http://testdatabasewebsense.com/realtime/mwos.html and then click Submit Query.</p><p>A block page should appear.</p><p>Check the source code of the block page to see which category was used to block the</p><p>POST attempt.</p><p>Public © 2020 Forcepoint 196</p><p>2.3.4: Configure Outbound Scanning</p><p>1. On Security Manager, ensure that Security Threats: Content Scanning is enabled.</p><p>2. Enable aggressive analysis.</p><p>3. On Windows_test_client, go to http://testdatabasewebsense.com/realtime/mwos.html and then click</p><p>Submit Query.</p><p>A block page should appear.</p><p>Forcepoint Web Security Administrator Course (Module 2) >> 79</p><p>The Content Categorization Sensitivity Level control allows administrators to adjust the</p><p>sensitivity of thresholds that determine content categorization.</p><p>NOTE:</p><p>Forcepoint Security Labs tunes the sensitivity to provide best results for typical use.</p><p>The sensitivity level control is located under the Security Manager > Web > Settings ></p><p>Scanning > Scanning Options > Advanced Options menu.</p><p>Modify the sensitivity level and re-run some of the earlier tests and see if the results differ.</p><p>Public © 2020 Forcepoint 197</p><p>2.3.5: Adjust Content Scanning Sensitivity Level</p><p>Modify the sensitivity level and re-run some of the earlier tests and see if the results differ.</p><p>Web > Settings > Scanning > Scanning Options > Advanced Options</p><p>80 General > User</p><p>Identification page will indicate that the DC Agent is already installed.</p><p>DC Agent is not required for IWA, but if IWA fails, DC Agent allows the system to fall back</p><p>to NTLM authentication.</p><p>Consequently, to apply policies to individual users and groups, Web Security must be able</p><p>to obtain user, group, domain, and organizational-unit information from your directory</p><p>service. 
Access to Active Directory is ready, as you completed in lab exercise</p><p>1.4.1. Configure User Directory Service Settings. If you have not done so, please go back</p><p>and follow the steps in order to complete the exercises in this module.</p><p>Hands-on lab</p><p>2: Filtering</p><p>2.1 Understanding Forcepoint-</p><p>defined Filters</p><p>2.2 Customizing Filters</p><p>2.3 Testing Advanced Filtering and</p><p>Analysis</p><p>2.4 Testing HTTPS Inspection</p><p>Forcepoint Web Security Administrator Course (Module 2) >> 81</p><p>In this activity, you will configure a Content Gateway to enable HTTPS inspection.</p><p>1. While still accessing the Security_Manager VM, perform the following:</p><p>a. Log on to Security Manager using the admin account.</p><p>b. Verify that you are still viewing the 172.31.0.151 Policy Server configuration.</p><p>If you are not, click Switch in Security Manager and select the 172.31.0.151 Policy</p><p>Server and click OK.</p><p>c. Go to the Web > Settings > General > Content Gateway Access screen, and then</p><p>click Log On.</p><p>A new browser tab opens which displays the Content Gateway Manager default</p><p>screen (Monitor tab > Summary).</p><p>NOTE:</p><p>Check that your browser allows pops from Security Manager.</p><p>Alternatively, open Google Chrome, go to https://172.31.152:8081, and then log on</p><p>using the admin/Forcepoint1! credential to launch Content Gateway Manager.</p><p>2. In Content Gateway Manager, enable SSL inspection.</p><p>a. Go to the Configure > My Proxy > Basic > General tab > Features table.</p><p>b. In the Protocols section, set HTTPS to On.</p><p>c. Click Apply and then Restart for changes to take effect.</p><p>Public © 2020 Forcepoint 199</p><p>2.4.1: Enable HTTPS Inspection</p><p>1. Access Content Gateway Manager from Security Manager.</p><p>2. 
Select On to enable HTTPS inspection.</p><p>82 > 83</p><p>In this activity, you will follow steps that will allow you to confirm whether Content Gateway</p><p>is decrypting HTTPS traffic.</p><p>1. Access the Windows_test_client VM and set the Internet browser to use explicit proxy.</p><p>a. Log on as tcrowne (password is Forcepoint!1).</p><p>b. Verify that the browser is still configured with explicit proxy server settings pointing</p><p>to webva-1-wcg.fpcert.com on port 8080 for both HTTP and Secure traffic.</p><p>2. When the certificate error is displayed, click Continue to this Website.</p><p>• Depending on the browser, you may need to click Advanced to continue.</p><p>• If using Google Chrome, bypass the certificate error page by typing the following:</p><p>thisisunsafe</p><p>3. Click Certificate Error in the URL bar, and then view certificates.</p><p>4. Check the Issued by field.</p><p>If you see that the Issuer is Forcepoint Certificate Authority instead of a legitimate</p><p>Google Certificate Authority, the Content Gateway is performing HTTPS decryption.</p><p>You have confirmed that Content Gateway is performing HTTPS decryption. Proceed to the</p><p>next lab activity.</p><p>Public © 2020 Forcepoint 200</p><p>2.4.2: Confirm HTTPS Traffic Decryption</p><p>1. Still accessing the Windows_test_client VM, confirm that the Internet browser is set to use explicit</p><p>proxy, and then access https://www.google.com.</p><p>2. When the certificate error is displayed, click Continue to this Website.</p><p>3. Click Certificate Error in the URL bar, and then</p><p>view certificates.</p><p>4. Check the Issued by field.</p><p>84 SSL > Internal Root CA > Create Root CA.</p><p>3. Refer to the screenshots above to complete the form.</p><p>Take note of the following:</p><p>• Common name is one of the most important fields. 
The common name is the</p><p>“Issued to” field in the certificate.</p><p>• Passphrase is mandatory as the public and the private keys of this Root CA will be</p><p>generated based on the passphrase you have provided here.</p><p>Type the following passphrase:</p><p>Forcepoint_1</p><p>4. Select Generate and Deploy Certificate, and then restart the proxy.</p><p>The existing Root CA certificate is replaced by the newly created certificate.</p><p>A success message is displayed.</p><p>5. Confirm if the newly deployed certificate is in use.</p><p>Public © 2020 Forcepoint 201</p><p>2.4.3: Create and Install a New Self-signed CA</p><p>1. Access the Landing Desktop VM, and then</p><p>launch Content Gateway Manager.</p><p>2. Go to Configure > SSL > Internal Root CA ></p><p>Create Root CA.</p><p>3. Complete the Internal Root CA form.</p><p>4. Select Generate and Deploy Certificate, and</p><p>then restart</p><p>the proxy.</p><p>5. Confirm if the newly deployed certificate is in</p><p>use.</p><p>Forcepoint Web Security Administrator Course (Module 2) >> 85</p><p>a. On the Windows_test_client VM ,</p><p>open an Internet browser, and then go</p><p>to https://www.google.com.</p><p>b. When the certificate error is displayed,</p><p>click Continue to this Website.</p><p>c. Click Certificate Error in the URL bar,</p><p>and then click View Certificates. You</p><p>may need to follow different steps</p><p>depending on the browser in use.</p><p>d. Check the Issued by field.</p><p>e. Confirm that the issuer is the Common</p><p>name you configured</p><p>in the create Root CA form.</p><p>The certificate error is displayed because the security certificate presented by Content</p><p>Gateway is not from a trusted certificate authority (CA). To resolve this issue, add the newly</p><p>created WCG root certificate authority certificate to the browser’s trusted root CA store.</p><p>Proceed to the next lab activity.</p><p>86 SSL > Internal Root CA > Backup Root CA > Save Public CA</p><p>Key.</p><p>c. 
Save PCAcert.cer, and then copy/move the file to the Windows_test_client VM</p><p>Desktop.</p><p>2. Access the Windows_test_client VM and import PCAcert.cer.</p><p>a. Launch an Internet browser, and then access the Manage certificates screen.</p><p>TIP:</p><p>In Google Chrome, search for “certificate” in Settings and then click Manage</p><p>certificates.</p><p>Public © 2020 Forcepoint 202</p><p>2.4.4: Import the Root CA Certificate</p><p>1. Download the Root CA Certificate</p><p>(PCAcert.cer) via Content Gateway</p><p>Manager, and then copy/move the file to the</p><p>Windows_test_client VM.</p><p>2. Access Windows_test_client and import</p><p>PCAcert.cer.</p><p>Forcepoint Web Security Administrator Course (Module 2) >> 87</p><p>b. Go to the Trusted Root Certification Authorities tab, and then click Import….</p><p>The Certificate Import Wizard is displayed.</p><p>On the Certificate Import Wizard Welcome screen, click Next >.</p><p>c. Use the Browse button to select the Content Gateway Root CA public certificate</p><p>(PCAcert.cer) that you have saved on the Windows_test_client VM Desktop (see</p><p>Step #1c), and then click Next >.</p><p>d. Confirm that Place all certificates in the following store is selected and that the</p><p>store is Trusted Root Certification Authorities.</p><p>e. Finish up and</p><p>acknowledge that</p><p>the import was</p><p>successful by clicking</p><p>the Next >, Finish,</p><p>Yes, and OK buttons.</p><p>f. Close any opened</p><p>browser dialogs.</p><p>(See next page for continuation.)</p><p>88 > 89</p><p>Policy</p><p>Enforcement</p><p>90 > 91</p><p>To apply policies to users and groups, Web Security must be able to identify the user</p><p>making a request, given the originating IP address. 
Various identification and authentication</p><p>methods are supported:</p><p>• Transparent identification (XID) agent: works in the background to communicate with a</p><p>directory service and identify users</p><p>• Manual authentication using network credentials: prompts users for network credentials,</p><p>requiring them to log on when opening a web browser</p><p>• Content Gateway user authentication: uses one or more several supported methods to</p><p>authenticate user requests</p><p>The first and last options can work together to provide a fallback method for applying user-</p><p>based policies when user authentication is unavailable.</p><p>Identification Authentication</p><p>User NEVER asked for credentials. User may be asked for credentials.</p><p>User ID is a ‘best effort’ approach. User MUST always be identified.</p><p>Correct ID is NOT guaranteed. Authentication ‘proves’ user ID.</p><p>ID not compatible with NAT or Citrix</p><p>without additional configuration.</p><p>Authentication works in all</p><p>environments.</p><p>User is unaware that ID is occurring. User can learn authentication occurs.</p><p>Public © 2020 Forcepoint 207</p><p>User Identification</p><p>Web Security</p><p>User Identification</p><p> XID agent</p><p> Manual authentication using network</p><p>credentials</p><p> Content Gateway user authentication</p><p>Policy</p><p>Enforcement</p><p>92 General > User Identification screen to do the following:</p><p>• Manage when and how on-premises Web Security attempts to identify users in the</p><p>network in order to apply user- and group-based policies.</p><p>• Create a list of specific machines with custom authentication settings on which users are</p><p>prompted to log on when they open a browser.</p><p>When manual authentication is enabled, users may receive HTTP errors</p><p>and be unable to</p><p>access the Internet if:</p><p>• They make three failed attempts to enter a password. 
This occurs when the username or password is invalid.
• They click Cancel to bypass the authentication prompt.

When manual authentication is enabled, users who cannot be identified are prevented from browsing the Internet.

Content Gateway User Authentication

In both explicit and transparent proxy modes, Content Gateway supports user authentication with:

• Integrated Windows Authentication (Kerberos with SPNEGO to NTLM)
• Legacy NTLM authentication (NTLMSSP)
• LDAP authentication
• RADIUS authentication

Content Gateway also supports combinations of Integrated Windows Authentication (IWA), Legacy NTLM, and LDAP using rule-based authentication.

Content Gateway user authentication challenges a user to prove his or her identity. The process occurs inline with a client’s session, and the HTTP response code signals the challenge:

The 407 response code is used in explicit deployments. It is specifically intended for use by proxies, and the client must be explicitly configured to use the proxy.

The 401 response code is used in transparent deployments. This requires redirection for successful use.

In some cases, a user belongs to more than one group or domain, and no higher priority policy applies.
In these cases, web protection components check the policies assigned to each of the user’s groups.

If all the groups have the same policy, Web Security enforces that policy.

If one of the groups has a different policy, Web Security uses the Use most restrictive group policy selection on the Settings > General > Filtering page to determine which policy to enforce.

If Use most restrictive group policy is enabled, and any of the applicable policies blocks access to the requested category, the site is blocked. Otherwise, if the option is disabled, and any of the applicable policies permits access to the requested category, the site is permitted.

If one of the applicable policies enforces a limited access filter, the Use most restrictive group policy option can have different effects than expected.

If one of the groups has a different policy, and any of the potentially applicable policies enforces file type blocking, the file type blocking settings are not considered.

Prioritizing group and domain policies

On an appliance:

1. Edit the following EIMServer.ini parameter via the REST API:

   curl -k -u admin: -X PUT https:///wse/filter/ini/FilteringManager/UserGroupIpPrecedence?value=true

2. Restart Filtering Service:

   curl -k -u admin: -X PUT https:///wse/admin/filter/stop
   curl -k -u admin: -X PUT https:///wse/admin/filter/start

To access the latest Forcepoint Appliance REST API documentation, go to https://www.websense.com/content/support/library/appliance/v85/appliance_api/index.html.

Account Override

Account override allows users to change the credentials used to apply a policy to a request. If, for example, users access the Internet from a kiosk machine, or from a machine where they log on using a local account rather than a network account, administrators can associate account override permissions with the computer or network (IP address-based) client.

Account override permissions can also be given to directory clients (users, groups, and OUs).

When user requests are blocked by the current policy, and account override permissions are assigned to the client being filtered (whether that is an IP address or a directory client), the block page includes an Enter New Credentials button. The user can then provide a username and password.

Using the account override option does not guarantee access to a blocked site. Instead, it changes the policy used to filter the request.

Multiple criteria, applied in a specific order, are used to determine whether to permit, block, or limit requested Internet data.

For each request, on-premises software (Filtering Service) performs the following:

I. Verify subscription compliance, making sure that the subscription is current.

Before performing any filtering, subscription compliance is verified by first establishing whether the subscription is current.
Subsequently, Forcepoint verifies that the request being made does not bring the number of unique clients passing through the Forcepoint filtering service over 24 hours above the subscribed level. Provided that the subscription is valid, the filtering process commences.

II. Determine which exception or policy applies, searching in this order:

1. Policy or exceptions assigned to the user
2. Policy or exceptions assigned to the IP address (computer or network) of the machine being used
3. Policies or exceptions assigned to groups the user belongs to
4. Policies or exceptions assigned to the user's domain (OU)
5. The Default policy

NOTES:

Configure Filtering Service to prioritize group and domain-based policies over IP address-based policies, if needed. See Prioritizing group and domain policies.

For users whose requests are managed by the hybrid service, the same order is true except for the IP address of the machine being used.

Category Filtering Enforcement Order

User > Computer IP Address > Network IP Address / Range > Group > Organizational Unit (OU) > Default Policy

• If one of the groups has a different policy, Web Security uses the Use most restrictive group policy selection on the Settings > General > Filtering page to determine which policy to enforce.

o If Use most restrictive group policy is enabled, and any of the applicable policies blocks access to the requested category, the site is blocked.
o Otherwise, if the option is disabled and any of the applicable policies permits access to the requested category, the site is permitted.

If one of the applicable policies enforces a limited access filter, the Use most restrictive group policy option can have different effects than expected.

• If one of the groups has a different policy, and any of the potentially applicable policies enforces file type blocking, the file type blocking settings are ignored.

Module summary

You should now be able to:

• Describe the full scope and workflow of policy planning.
• Identify standard and custom policies, including related filters.
• Distinguish key settings in Security Manager.
• Compare user identification and proxy authentication.
• Explain how Web Security analyzes user requests and enforces policies.

Filter Actions

Filter Type | Block | Permit | Bandwidth | Confirm | Quota | Block Keywords | Block File Types
Category | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Protocol | Yes | Yes | Yes | n/a | n/a | n/a | n/a
Cloud app | Yes | Yes | n/a | n/a | n/a | n/a | n/a

Learn how to apply specific filtering actions later while completing the lab activities for this module.

Use the Policy Management > Policies screen to add, edit, and delete policies, review existing policy information, copy policies to delegated administration roles (Super Administrators only), and print detailed information about your policy configuration.

The Policies screen includes a list of existing policies. The list includes a name and description for each policy, as well as the number of user, network, and computer clients to whom that policy has been assigned.

Policy Creation: Policy Name/Description

Provide a unique policy name and include a brief description.

The policy name must be between 1 and 50 characters long, and cannot include any of the following characters:

* { } ~ ! $ % & @ # . " | \ & + = ? / ; : ,

Policy names can include spaces, dashes, and apostrophes.

The description should be clear and detailed to help with policy management in the long term.

The character restrictions that apply to policy names also apply to descriptions, with 2 exceptions: descriptions can include periods (.) and commas (,).

4. If there is no group policy, look for a policy assigned to the user’s domain (OU).
5. If no applicable policy is found, or the policy does not enforce a category filter at the time of the request, enforce the Default policy for the role to which the client has been assigned.

Users, Groups

To apply policies to individual users and groups in your network, configure User Service to access your directory service to obtain directory object (user, group, and OU) information.

Web Security supports the following directory services:

User Service communicates with the directory service so that users, groups, and OUs can be added as clients and assigned policies. User Service caches the user and group information that it collects for up to 3 hours. If you make changes to user, group, or OU entries in the directory service, use the Clear Cache button under User Service Cache to force User Service to refresh its user and group mappings immediately. Note that user-based policy enforcement may slow down for a brief period while the cache is being recreated. The Clear Cache option applies only to the User Service cache and does not affect the cache used by Filtering Service.

If administrators will use their network accounts to log on to Security Manager, configure directory service communication on the Global Settings > User Directory page.
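The enforcement order described above (user, then IP address, then groups, then OU, then the Default policy) together with the Use most restrictive group policy setting can be made concrete in code. The following Python model is an added example written for this page; it is not Forcepoint code. Its class and function names and the sample clients and policies are constructed assumptions, and it models only the Block and Permit actions (not Quota, Confirm, limited access filters, or file type blocking, which the page says change the outcome).

```python
"""Added example, not Forcepoint code: a model of the policy-selection order
described on this page (user, computer IP, network range, groups, OU, Default)
and of the "Use most restrictive group policy" setting. Class and function
names and the sample clients and policies are constructed assumptions; only
the Block and Permit actions are modelled."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

BLOCK, PERMIT = "Block", "Permit"


@dataclass
class Policy:
    name: str
    # Category filter: category -> action. Categories absent from the filter
    # are treated as permitted in this model.
    category_filter: Dict[str, str]

    def action_for(self, category: str) -> str:
        return self.category_filter.get(category, PERMIT)


@dataclass
class Client:
    user: str
    ip: str
    groups: List[str]
    ou: str


@dataclass
class PolicyStore:
    by_user: Dict[str, Policy] = field(default_factory=dict)
    by_computer: Dict[str, Policy] = field(default_factory=dict)  # single IP
    by_network: Dict[str, Policy] = field(default_factory=dict)   # CIDR range
    by_group: Dict[str, Policy] = field(default_factory=dict)
    by_ou: Dict[str, Policy] = field(default_factory=dict)
    default: Optional[Policy] = None
    use_most_restrictive_group_policy: bool = False


def group_policies(store: PolicyStore, groups: List[str]) -> List[Policy]:
    """Distinct policies assigned to any of the client's groups (step 3)."""
    found: List[Policy] = []
    for g in groups:
        p = store.by_group.get(g)
        if p is not None and p not in found:
            found.append(p)
    return found


def decide(store: PolicyStore, client: Client, category: str) -> Tuple[str, str]:
    """Return (policy name, action) for a request in `category`, searching in
    the order the page gives: user, IP address (computer, then network
    range), groups, OU, then the Default policy."""
    p = store.by_user.get(client.user)                         # 1. user
    if p is not None:
        return p.name, p.action_for(category)
    p = store.by_computer.get(client.ip)                       # 2a. computer IP
    if p is not None:
        return p.name, p.action_for(category)
    addr = ip_address(client.ip)
    for cidr, p in store.by_network.items():                   # 2b. network range
        if addr in ip_network(cidr):
            return p.name, p.action_for(category)
    candidates = group_policies(store, client.groups)          # 3. groups
    if len(candidates) == 1:
        return candidates[0].name, candidates[0].action_for(category)
    if candidates:
        # Conflicting group policies: the Filtering setting decides.
        # Enabled: any Block wins. Disabled: any Permit wins.
        wanted = BLOCK if store.use_most_restrictive_group_policy else PERMIT
        for p in candidates:
            if p.action_for(category) == wanted:
                return p.name, wanted
        return candidates[0].name, candidates[0].action_for(category)
    p = store.by_ou.get(client.ou)                             # 4. OU
    if p is not None:
        return p.name, p.action_for(category)
    assert store.default is not None, "a Default policy is always present"
    return store.default.name, store.default.action_for(category)  # 5. Default


# Constructed sample configuration (not from the page).
DEFAULT = Policy("Default", {"Gambling": BLOCK, "Sports": PERMIT})
MARKETING = Policy("Marketing", {"Sports": PERMIT, "Gambling": BLOCK})
FINANCE = Policy("Finance", {"Sports": BLOCK, "Gambling": BLOCK})
GUEST_LAN = Policy("Guest LAN", {"Sports": BLOCK, "Gambling": BLOCK})
EXECUTIVES = Policy("Executives", {"Gambling": PERMIT})


def sample_store(most_restrictive: bool) -> PolicyStore:
    return PolicyStore(
        by_user={"ceo": EXECUTIVES},
        by_network={"172.31.100.0/24": GUEST_LAN},
        by_group={"Marketing": MARKETING, "Finance": FINANCE},
        by_ou={"Sales": MARKETING},
        default=DEFAULT,
        use_most_restrictive_group_policy=most_restrictive,
    )


if __name__ == "__main__":
    alice = Client("alice", "10.0.0.9", ["Marketing", "Finance"], "Sales")
    for flag in (False, True):
        print("most restrictive =", flag, "->", decide(sample_store(flag), alice, "Sports"))
```

Running the block shows the same request for the same user being permitted with the option disabled and blocked with it enabled, which is exactly the behaviour an administrator should expect to change when toggling that setting on the Settings > General > Filtering page.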
The same directory must be used to authenticate all administrative users.

Refer to the Delegated Administrator section in Module 1 of this course.

Policy Definition: Schedule and Filter Type

Use the Policy Definition area to define which filters this policy applies at different times. When any time block in the schedule is selected, the bottom portion of the Edit Policies page shows the filters enforced during that time block. Each filter listing includes:

• The filter type (category filter, limited access filter, or protocol filter)
• The filter name and description
• The filter contents (categories or protocols with actions applied, or a list of sites permitted)
• The number of policies that enforce the selected filter
• Buttons that can be used to edit the filter

When you edit a filter on this page, the changes affect every policy that enforces the filter. Before editing a filter that is enforced by multiple policies, click the Number of policies using this filter link to see exactly which policies will be affected.

… Policy Management > Filters page, selecting an existing filter as a model on the Add Filter page, or using a filter template.

Category Filter

The Block All and Permit All category filters are not listed on the Filters page, though they can be added to policies. These filters are handled differently than the others, and cannot be deleted or edited.
When Filtering Service receives an Internet request, it first checks to see if the Block All or Permit All filter applies, before performing any additional checks.

Protocol Filter

The Permit All protocol filter, like its equivalent category filter, is not listed on the Filters page and cannot be edited or deleted. It is also prioritized during the policy enforcement process.

Cloud App Filter

The Monitor Only cloud app filter (used as a default filter) can be edited, but cannot be deleted. In upgrade environments, if there are gaps in the Default policy, Monitor Only is used to filter requests during periods when no other filter applies.

Predefined Filters vs Filter Templates

Filter | Predefined Filters | Filter Templates
Category filter | Has seven: Basic, Basic Security, Block All, Default, Monitor Only, Permit All, Strict Security | Has seven: Monitor Only, Permit All, Block All, Basic, Default, Strict Security, Basic Security
Protocol filter | Has four: Basic Security, Default, Monitor Only, Permit All | Has four: Monitor Only, Permit All, Basic Security, Default
Cloud app filter | Has two: Basic Security, Monitor Only | n/a
Can be deleted or modified? | Yes to some | No
Create new? | Yes | No

Although you can modify or delete most pre-defined category and protocol filters, you cannot edit or remove templates.
Likewise, although you can create as many custom filters as necessary, you cannot create new templates.

Because templates cannot be modified, they provide a constant method of referring to the original actions applied by pre-defined filters. For example, the Default category and protocol filter templates apply the same actions as the original Default category and protocol filters. This means that you can always restore the original policy configuration by creating filters that use the template defaults.

Hands-on lab 2: Filtering

In this phase, you will learn about category, protocol, and cloud app filters.

In this lab, you will learn about the default filters, edit the Basic Security cloud app filter to block an app, and then test the default policy.

2.1 Understanding Forcepoint-defined Filters
2.2 Customizing Filters
2.3 Testing Advanced Filtering and Analysis
2.4 Testing HTTPS Inspection

2.1.1: Understand the Default Filters

1. Access the Main > Policy Management > Filters screen.
2. Read the descriptions of Forcepoint-defined filters. Click each filter link to view the default settings and associated policy (if any).
3. In the Default Category Filter, verify that the Gambling category is set to Block.
4. In the Default Protocol Filter, verify that the Instant Messaging / Chat category is set to Block.
5. In the Basic Security Cloud App Filter, verify these settings:
• The option Block all high-risk apps is enabled
• Lists of Blocked and Permitted apps are empty

1. Access the Main tab > Policy Management > Filters page.

2. Read the descriptions of the available Forcepoint-defined filters.

The Default category, protocol, and cloud app filters can be modified. However, they cannot be deleted. All other filters can be edited and can be deleted.

3. Click the link for Default under Category Filters.

a. Take a moment to inspect the different website categories and their associated actions (Block, Permit, Quota, etc.).
b. Verify that the Gambling category is set to Block.

4. Go back to the Policy Management > Filters page, and then click the link for Default under Protocol Filters.

a. Take a moment to inspect the different protocols and their associated actions (Block, Permit, Quota, etc.).
b. Verify that all items belonging to the Instant Messaging / Chat protocol category are set to Block.

5. Go back to the Policy Management > Filters page, and then click the link for Basic Security under Cloud App Filters.

a. Verify that the Block all high-risk apps option is enabled.

This setting prompts Web Security to block access to any cloud app that is considered high risk.

IMPORTANT: The Permitted apps list takes precedence over the Block all high-risk apps option. Access to a high-risk app that is on the permitted list is allowed even if this option is enabled.

b. Confirm that both the Permitted and Blocked apps lists are empty.

To activate any category, protocol, or cloud app filter, add it to a policy and apply the policy to clients.

Proceed to the next activity.

2.1.2: Modify the Default Policy

1. Access the Policy Management > Policies screen.
2. Read the descriptions of Forcepoint-defined policies.
3. Set the following filters for the Default policy:
• Select Default from the Category/Limited Access Filter drop-down list.
• Select Basic Security from the Cloud App Filter drop-down list.
4. Save and deploy the changes.

1. Access the Policy Management > Policies page.

2. Take time to read the descriptions of the available Forcepoint-defined policies.

3. Click the Default policy link to set Default for the Category/Limited Access Filter. This is the filter that you inspected in the previous activity.

4. Click OK, and then click Save and Deploy to commit your changes.

IMPORTANT: Changes are cached. To implement changes, you must commit them using the Save and Deploy button. Click the magnifying glass button next to Save and Deploy to view any pending changes.

2.1.3: Test the Default Policy

1. Open a connection and log on to Windows_test_client using the following account: Username: fpcert\tmuller, Password: Forcepoint1!
2. Configure the web browser for explicit proxy.
3. Attempt to access the following website: http://testdatabasewebsense.com/gambling

You will now verify that clients are being filtered by the Default policy.

1. Access the Forcepoint Virtual Lab, and then open a connection to the Windows_test_client VM. Log on to Windows_test_client using the following account:

Username: fpcert\tmuller
Password: Forcepoint1!

2. Configure your browser for explicit proxy:

a. HTTP server, Port: webva-1-wcg.fpcert.com, 8080
b. Secure server, Port: webva-1-wcg.fpcert.com, 8080
c. Exceptions: 172.31.*.*

Your settings should match the screenshot above.

3. In the web browser (for example, Google Chrome), attempt to access the site http://testdatabasewebsense.com/gambling.

A block page should appear like the screenshot above.

Click More Information, right-click in the area above More Information, and choose View frame source (in Google Chrome, or the applicable option in other browsers). Scroll down to see the information shown below. You should be able to see how Web Security identifies and blocks the user.

Custom / Recategorized URLs

Web Security provides an option to manually change the category assigned to a URL. URLs that have been added to a new category are called custom URLs (a.k.a. recategorized URLs or reclassified URLs).

Use the Policy Management > Filter Components > Edit Categories > Recategorize URLs page to add sites to the following:

• A different predefined category
• Any custom category

For example, if the Shopping category is blocked by your policies, but you want to permit access to specific supplier or partner sites, you could move those sites to a custom category.

Web Security looks for custom URL definitions for a site before consulting the Master Database, and therefore filters the site according to the category assigned to the recategorized URL.

TIP: Use the URL Category tool to verify that the site is assigned to the correct category.

A recategorized URL is not blocked by default. It is filtered according to the action applied to its new category in each active category filter. If a site is recategorized into a permitted category, and later becomes infected with malicious code, as long as the Security Risk category is blocked, then user requests for that site are blocked.
By default, when a site belongs to a Security Risk category, Filtering Service applies an action based on the site’s Security Risk classification, even when the site is added as a recategorized URL in a permitted category or appears in a limited access filter.

Category Filters > Special Attributes

Recategorized URLs
• Manually change the category assigned to a URL
• Filter based on the action applied to its new category

Keywords
• Match requests against keywords

Regular Expressions
• Match requests against multiple strings or groups of characters

… General > Risk Classes page in Security Manager.

If you want Web Security to manage requests based on custom categorization, regardless of whether the URL is classified as a Security Risk, edit eimserver.ini on the Filtering Service host (C:\Program Files\Websense\Web Security\bin or /opt/Websense/bin/, by default) to add the following line under the [FilteringManager] section:

   SecurityCategoryOverride=OFF

Restart Filtering Service for changes to take effect.

Keywords

A keyword is a string of characters (like a word, phrase, or acronym) that might be found in a URL. Assign keywords to a category, and then enable keyword blocking in a category filter.

Keywords are associated with categories, and then used to offer protection against URLs that have not explicitly been added to the Master Database or defined as a custom URL.

Complete the following steps to enable keyword blocking:

1. Enable keyword blocking at a global level.
2. Define keywords associated with a category.
3. Enable keyword blocking for the category in an active category filter.

Refer to the next section, Filtering Settings > General / Global, for details on how to enable keyword blocking at a global level.

Use the Policy Management > Filter Components > Edit Categories > Add Keywords page to associate keywords with categories.

Take note of the following recommended practices when defining keywords:

• When you define keywords, be cautious to avoid unintended overblocking. You might, for example, intend to use the keyword “sex” to block access to adult sites, but end up blocking search engine requests for words like sextuplets or City of Essex, and sites like msexchange.org (Information Technology), vegasexperience.com (Travel), and sci.esa.int/marsexpress (Educational Institutions).
• Enter one keyword per line.
• Do not include spaces in keywords. URL and CGI strings do not include spaces between words.
• Include a backslash (\) before special characters such as: . , # ? * +
  If you do not include the backslash, web protection software ignores the special character.
• Avoid associating keywords with any of the Extended Protection subcategories.
Keyword blocking is not enforced for these categories.

When keywords have been defined and keyword blocking is enabled for a specific category, Web Security tries to match the keyword against each requested URL as follows:

• If the keyword contains only ASCII characters, the keyword is matched against the domain, path, and query portions of a URL.

For example, if you associated the keyword “nba” with the permitted Sports category, the following URLs are blocked:

o sports.espn.go.com/nba/
o modernbakery.com
o fashionbar.com

• If the keyword contains characters outside the ASCII character set, the keyword is matched against only the path and query portions of the string.

For example, if you associated the keyword “fútbol” with the permitted Sports category:

o “www.fútbol.com” is permitted (the domain portion of the URL is not matched)
o “es.wikipedia.org/wiki/Fútbol” is blocked (the path portion of the URL is matched)

When a request is blocked based on a keyword, the site is recategorized according to the keyword match. Reports show the keyword category, rather than the Master Database category, for the site. The keyword is indicated on the block page that the user receives.

Regular Expressions

A regular expression is a template or pattern used to match multiple strings, or groups of characters. You can use regular expressions in limited access filters, or to define custom URLs or keywords. Filtering Service then tries to match the general pattern, rather than a specific, single URL or keyword.

Consider this simple regular expression:

   domain.(com|org|net)

This expression pattern matches the URLs:

Use regular expressions with care. They provide a powerful tool, but they need to be constructed well.
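To see how the keyword rules above behave on real URLs, here is an added Python model written for this page (not Forcepoint code). It applies the stated rules: ASCII keywords are searched in the domain, path, and query; non-ASCII keywords only in the path and query; unescaped special characters are ignored, as the recommended practices say; and the sample pattern domain.(com|org|net) is compared with its escaped form to show why an unescaped dot over-blocks. It also accepts the keyword search scope (CGI only, URL only, URL and CGI) that the General Filtering settings later in this module describe. Function names and the sample URLs beyond the page's own examples are constructed assumptions; the exact matching semantics of Filtering Service are not documented on this page, so treat this as an illustration of the stated rules rather than a reproduction of the product.

```python
"""Added example, not Forcepoint code: a model of the keyword and regular
expression matching rules described on this page. Function names and the
sample URLs that are not the page's own examples are constructed assumptions;
the model follows the stated rules, not an inspection of Filtering Service."""
import re
from urllib.parse import urlsplit

# Characters the page says must be escaped with a backslash inside a keyword.
SPECIAL = set(".,#?*+")


def split_url(url: str):
    """Return (domain, path, query), lower-cased, for a URL with or without
    a scheme. Matching is case-insensitive ("Fútbol" matches "fútbol")."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path.lower(), parts.query.lower()


def keyword_literal(keyword: str) -> str:
    r"""Apply the escaping rule: "\." keeps the dot, while an unescaped
    special character is ignored (dropped) by the filter."""
    out, i = [], 0
    while i < len(keyword):
        ch = keyword[i]
        if ch == "\\" and i + 1 < len(keyword) and keyword[i + 1] in SPECIAL:
            out.append(keyword[i + 1])
            i += 2
        elif ch in SPECIAL:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out).lower()


def search_text(url: str, ascii_only: bool, scope: str) -> str:
    """Build the string that is searched, honouring two rules: non-ASCII
    keywords/patterns never see the domain, and the keyword search option
    (cgi_only, url_only, url_and_cgi) limits the URL portions examined."""
    domain, path, query = split_url(url)
    if not ascii_only:
        domain = ""
    if scope == "cgi_only":
        return query
    if scope == "url_only":
        return domain + path
    if scope == "url_and_cgi":
        return domain + path + "?" + query
    raise ValueError(f"unknown keyword search option: {scope}")


def keyword_matches(keyword: str, url: str, scope: str = "url_and_cgi") -> bool:
    """True when the keyword would block `url` under the given search option."""
    literal = keyword_literal(keyword)
    return bool(literal) and literal in search_text(url, keyword.isascii(), scope)


def regex_matches(pattern: str, url: str, scope: str = "url_and_cgi") -> bool:
    """Regular expressions follow the same non-ASCII scoping rule."""
    return re.search(pattern, search_text(url, pattern.isascii(), scope),
                     re.IGNORECASE) is not None


if __name__ == "__main__":
    # The page's own examples: "nba" blocks all three, "fútbol" only the path hit.
    for url in ("sports.espn.go.com/nba/", "modernbakery.com", "fashionbar.com"):
        print("nba", url, keyword_matches("nba", url))
    print("fútbol", "www.fútbol.com", keyword_matches("fútbol", "www.fútbol.com"))
    print("fútbol", "es.wikipedia.org/wiki/Fútbol",
          keyword_matches("fútbol", "es.wikipedia.org/wiki/Fútbol"))
    # The unescaped dot in the page's sample pattern over-matches; escaped it does not.
    print(regex_matches("domain.(com|org|net)", "www.mydomainxcom.example/"))
    print(regex_matches(r"domain\.(com|org|net)", "www.mydomainxcom.example/"))
```

Two observations fall out of running it: the page's "sex" example over-blocks vegasexperience.com exactly as the text warns, and a keyword written as .exe (without the backslash) silently degrades to exe and matches unrelated hosts, whereas \.exe matches only the file extension.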
Poorly constructed regular expressions can result in excessive overhead,</p><p>over-blocking, or under-blocking. Using regular expressions as policy enforcement criteria</p><p>may increase CPU usage.</p><p>As with keywords, when non-ASCII characters appear in a regular expression, the</p><p>expression is matched against only the path and query strings in a URL, and not the domain</p><p>(“www.domain.com/path?query”).</p><p>30 > 31</p><p>There are options available in Web Security that affect how Internet requests are handled.</p><p>Enable and configure these options from the General > Filtering page of Security</p><p>Manager.</p><p>The General Filtering section allows you to configure the following options:</p><p>• Use most restrictive group policy</p><p>When the option is enabled, the policy that applies the most restrictive action is used. In</p><p>other words, if one applicable group policy blocks access to a category and another</p><p>permits access, the user’s request for a site in that category is blocked.</p><p>When the option is disabled, the most permissive setting is used.</p><p>• Keyword search options</p><p>Specify the following keyword search options:</p><p>o CGI only</p><p>Blocks sites when keywords appear in CGI query strings (after the “?” in a Web</p><p>address).</p><p>For example: search.yahoo.com/search?p=test</p><p>Filtering Service does not search for keywords before the “?” when this is selected.</p><p>o URL only</p><p>Blocks sites when keywords appear in the URL. If the requested address contains a</p><p>CGI query string, Filtering Service searches for keywords up to the “?”.</p><p>o URL and CGI</p><p>Blocks sites when keywords appear anywhere in the address. If a CGI query string</p><p>is present, Filtering Service searches for keywords both before and after the “?”.</p><p>o Disable keyword blocking</p><p>Use with caution. 
Disable keyword blocking turns off all keyword blocking, even if</p><p>Block keywords is selected in a category filter.</p><p>Public © 2020 Forcepoint 157</p><p>Filtering Settings > General / Global</p><p>32 > 33</p><p>• Password override timeout</p><p>Set the maximum number of seconds (up to 3600, default is 60) that a user can</p><p>access sites in all categories after selecting password override.</p><p>• Continue timeout</p><p>Set the maximum time in seconds (up to 3600,,default is 60) that a user who clicks</p><p>Continue can access sites in categories governed by the Confirm action.</p><p>• Account override</p><p>Set the maximum time in minutes (up to 3600, default is 5) that a user is filtered by</p><p>the policy assigned to the override account.</p><p>• Quota session length</p><p>Set the interval ((up to 60 minutes, default is 10) during which users can visit sites in</p><p>quota-limited categories. A session begins when the user clicks the Use Quota Time</p><p>button.</p><p>• Default quota time per day</p><p>Specify the quota time per day (up to 1440 minutes, default is 60) for all users.</p><p>Go to the Policies > Clients page to change the quota time for individual users.</p><p>As you make changes to the quota session length and the default quota time per day,</p><p>the Default quota sessions per day is calculated and displayed.</p><p>State Server</p><p>If your deployment includes multiple instances of Filtering Service that might handle a</p><p>request from the same user, an optional component, State Server, can be installed to</p><p>enable proper application of time-based actions (Quota, Confirm) or overrides (Password</p><p>Override, Account Override).</p><p>State Server tracks clients’ quota, confirm, password override, and account override</p><p>sessions to ensure that session time is allocated correctly across multiple Filtering Service</p><p>instances.</p><p>The State Server section on the General > Filtering page allows you to specify the 
IPv4</p><p>address or hostname and Port information when the following implementations happen:</p><p>• An environment includes multiple Filtering Service instances</p><p>• Any of the following is applied:</p><p>o Quota or Confirm actions</p><p>o Password override</p><p>o Account override</p><p>After providing the State Server</p><p>connection details, click Check Status to verify the</p><p>connection. Configure State Server connection information for each Policy Server</p><p>instance in your deployment.</p><p>Public © 2020 Forcepoint 158</p><p>Filtering Settings > State Server and Bandwidth Optimizer</p><p>• Limit Internet usage based on available bandwidth for a category or protocol</p><p>filter</p><p>• Even if the thresholds are set, but there is no category or protocol filters include</p><p>bandwidth-base actions, then bandwidth usage restriction does not apply</p><p>Specify connection details when:</p><p>• An environment includes multiple Filtering Service instances</p><p>• The Quota or Confirm actions, password override, or account override is used</p><p>34 Filtering page provides an option to limit Internet usage based</p><p>on available bandwidth when you create a category or protocol filter. Specifically, you can set</p><p>the default thresholds for the following:</p><p>When the thresholds are set and a category or protocol filter includes bandwidth-based</p><p>actions, then the following restrictions are possible:</p><p>For example:</p><p>Block the AOL Instant Messaging protocol if total network bandwidth usage exceeds 50% of</p><p>available bandwidth, or if current bandwidth usage for AIM exceeds 10% of the total network</p><p>bandwidth.</p><p>Block the Sports category when total network bandwidth usage reaches 75%, or when</p><p>bandwidth usage by all HTTP traffic reaches 60% of available network bandwidth.</p><p>Protocol bandwidth usage includes traffic over all ports, IP addresses, or signatures defined</p><p>for the protocol. 
This means that if a protocol or Internet application uses multiple ports for data transfer, traffic across all of the ports included in the protocol definition is counted toward that protocol's bandwidth usage total. If an Internet application uses a port not included in the protocol definition, however, traffic over that port is not included in bandwidth usage measurements. Web Security records bandwidth used by filtered TCP- and UDP-based protocols.

Forcepoint Security Labs updates web protection protocol definitions regularly to ensure bandwidth measurement accuracy.

When installed, Network Agent sends network bandwidth data to Filtering Service at a predetermined interval. This ensures that web protection software accurately monitors bandwidth usage and receives measurements that are closest to an average.

In all Web Security deployments, Content Gateway collects bandwidth data for FTP, HTTP, and, when enabled, the individual protocols that tunnel over HTTP. Measurement and reporting parallel those used by Network Agent. You can specify that this data be used to determine bandwidth-based policy enforcement for protocols in the Bandwidth Optimizer settings.

Forcepoint Web Security Administrator Course (Module 2) >> 35

Default thresholds:
• Network: When total network traffic reaches this percentage of total available bandwidth, start limiting access based on bandwidth, as configured in active filters.
• Protocol: When traffic for a specific protocol (like HTTP or MS Messenger) reaches this percentage of total available bandwidth, start restricting access to that protocol, as configured in active filters.

Possible restrictions:
• Block access to categories or protocols based on total network bandwidth usage.
• Block access to categories based on total bandwidth usage by HTTP traffic.
• Block access to a specific protocol based on bandwidth usage by that protocol.

When bandwidth options are active, enforcement starts 10 minutes after initial configuration and 10 minutes after each Policy Server restart. This delay ensures accurate measurement of bandwidth data.

When a request is blocked because of bandwidth limitations, the block page shows this in the Reason field.

Any change to the defaults can affect every category and protocol filter that enforces Bandwidth Optimizer restrictions.

To manage bandwidth usage associated with a particular URL category, edit the appropriate category filter or filters.
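The Bandwidth Optimizer logic described above, as an added example in Python (not Forcepoint code): protocol usage is totalled only over the ports in a protocol definition, the Network and Protocol thresholds are compared with measured usage, a Reason string is produced for the block page, and nothing is enforced during the 10-minute warm-up. The protocol port sets, the flow records, the 100 MB link capacity and the reading of "reaches" and "exceeds" as greater-or-equal are constructed assumptions; the two rules are the AIM and Sports examples from the text.

```python
"""Bandwidth Optimizer decision logic. Added illustration, not Forcepoint code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed protocol definitions (port sets are illustrative, not Forcepoint's).
PROTOCOL_DEFINITIONS: Dict[str, set] = {
    "HTTP": {("tcp", 80), ("tcp", 8080)},
    "AIM": {("tcp", 5190), ("udp", 5190)},
}
WARMUP_SECONDS = 10 * 60   # text: enforcement starts 10 minutes after configuration/restart


@dataclass(frozen=True)
class Flow:
    transport: str   # "tcp" or "udp"
    port: int
    nbytes: int


def protocol_usage(flows: List[Flow], definitions=PROTOCOL_DEFINITIONS) -> Dict[str, int]:
    """Bytes per protocol, counted only over the ports in each definition.
    A flow on a port outside every definition adds to the network total alone."""
    per_proto = {name: 0 for name in definitions}
    for f in flows:
        for name, ports in definitions.items():
            if (f.transport, f.port) in ports:
                per_proto[name] += f.nbytes
    return per_proto


def usage_percent(nbytes: int, capacity_bytes: int) -> float:
    return 100.0 * nbytes / capacity_bytes


@dataclass(frozen=True)
class BandwidthAction:
    """A filter's bandwidth-based block action. `measure` names the protocol whose
    own usage is compared with protocol_threshold: the protocol itself for a
    protocol filter, HTTP for a category filter."""
    target: str
    network_threshold: Optional[float]    # percent of available bandwidth, or None
    protocol_threshold: Optional[float]
    measure: Optional[str] = None


def evaluate(action: BandwidthAction, network_pct: float, per_proto_pct: Dict[str, float],
             seconds_since_restart: int) -> Tuple[bool, str]:
    """Return (blocked, reason). "reaches"/"exceeds" is read as >= (an assumption)."""
    if seconds_since_restart < WARMUP_SECONDS:
        return False, "bandwidth enforcement not yet active (warm-up)"
    if action.network_threshold is not None and network_pct >= action.network_threshold:
        return True, (f"{action.target}: total network bandwidth {network_pct:.0f}% "
                      f"reached {action.network_threshold:.0f}%")
    if action.protocol_threshold is not None and action.measure is not None:
        p = per_proto_pct.get(action.measure, 0.0)
        if p >= action.protocol_threshold:
            return True, (f"{action.target}: {action.measure} bandwidth {p:.0f}% "
                          f"reached {action.protocol_threshold:.0f}%")
    return False, ""


# Constructed sample: one measurement interval on a link with 100 MB of capacity.
SAMPLE_CAPACITY = 100_000_000
SAMPLE_FLOWS = [
    Flow("tcp", 80, 25_000_000), Flow("tcp", 8080, 15_000_000),   # HTTP: 40 MB
    Flow("tcp", 5190, 9_000_000), Flow("udp", 5190, 3_000_000),   # AIM: 12 MB
    Flow("tcp", 6881, 3_000_000),                                  # outside every definition
]
# The two rules quoted in the text
AIM_RULE = BandwidthAction("protocol AIM", 50, 10, "AIM")
SPORTS_RULE = BandwidthAction("category Sports", 75, 60, "HTTP")


def decide_sample(action: BandwidthAction, seconds_since_restart: int = WARMUP_SECONDS):
    per_proto = protocol_usage(SAMPLE_FLOWS)
    total = sum(f.nbytes for f in SAMPLE_FLOWS)                  # 55 MB, i.e. 55 %
    network_pct = usage_percent(total, SAMPLE_CAPACITY)
    per_pct = {k: usage_percent(v, SAMPLE_CAPACITY) for k, v in per_proto.items()}
    return evaluate(action, network_pct, per_pct, seconds_since_restart)


if __name__ == "__main__":
    for rule in (AIM_RULE, SPORTS_RULE):
        print(rule.target, decide_sample(rule))
```

On the sample interval the AIM rule trips on the network threshold (55% of capacity in use), the Sports rule does not (network below 75%, HTTP at 40%), and the 3 MB on port 6881 influences only the network total, which is the port-definition behaviour the text describes.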
When you filter categories based on HTTP bandwidth usage, Web Security measures total HTTP bandwidth usage over all ports specified as HTTP ports for web protection software.

To manage bandwidth usage associated with a particular protocol, edit the active protocol filter or filters.

Block Messages and Search Filtering
• Allows the use of an alternative HTML block page
• Prevents thumbnail images and other explicit content associated with blocked sites from being displayed

Filtering Settings > Client-specific

Modify the General Filtering settings for a specific user, group, IP address, network, or OU. Take note of the following available UI elements:
• The Edit Client page displays the client's distinguished name, that is, the object's root as seen on the configured Directory Service.
• Set the password to access blocked sites for a set time period in the Block Page Override Options section.
• In the Quota Time Options, modify the quota time for categories that are configured with this action.

IMPORTANT:
Editing this value does not change the global settings. Rather, client-specific values override the global settings.

2.2.1: Create a New Policy

1. Access the Security_Manager VM.
  a. Log on to Security Manager using the admin credentials.
  b. Confirm that you are configuring the 172.31.0.155 Policy Server, as this is the main policy source.
2. Navigate to Web > Main > Policy Management > Policies, and then click Add to create a new policy.
3. Specify the following details, click OK, and then Save and Deploy the settings.
  • Policy name: Engineering
  • Base on existing policy: Default
Your settings should match the screenshot above.

TIP:
Using an existing policy as the basis when creating a new policy makes the process quicker and more efficient.

Proceed to the next section to create a new category filter, which you will apply to the policy you just created.

In summary:
1. Confirm that you are configuring the 172.31.0.155 Policy Server, as this is the main policy source.
2. Add a new policy (Web > Main > Policy Management > Policies).
3. Save the following details: Policy name Engineering, based on the existing Default policy.

2.2.2: Configuring Filter Settings

1. Navigate to Main > Policy Management > Filters.
  a. Click Add under Category Filters to create a new filter.
  b. Type or copy the following details, and then click OK:
    • Filter name: Engineering Categories
    • Base filter on: Basic
  Your settings should match the screenshot above.
  c. Modify the new Engineering Categories filter to block the following categories:
    • Bandwidth (all subcategories)
    • Drugs (all subcategories)
    • Job Search
  NOTE:
  To assign the Block action to all sub-nodes under a category, highlight the category, click Block, and then click Apply to Subcategories. Refer to the screenshot above.
  d. Click OK. The Filters page reappears.
2. On the Policy Management > Filters page, click the link for Basic Security under Cloud App Filters.
  a. In the Blocked apps list, search for WeTransfer and then click Add to add it to the blocked list.
  b. Click OK.
3. Click Save and Deploy to apply the changes.

Proceed to the next section to define a schedule for the Engineering policy.

In summary:
1. Add a new filter (Main > Policy Management > Filters) that will block the following:
  • Bandwidth (all subcategories)
  • Drugs (all subcategories)
  • Job Search
2. Edit the Basic Security Cloud App Filter to block WeTransfer.
3. Save and deploy the changes.

2.2.3: Define a Policy Schedule

Define the Engineering policy (Web > Main > Policy Management > Policies) to follow these definitions:

Schedule                                             | Category / Limited Access Filter | Protocol Filter | Cloud App Filter
Weekends, Saturday and Sunday, all hours             | Basic Security                   | Monitor Only    | Monitor Only
1st weekday outside working hours, 0000-0900         | Basic                            | Default         | Monitor Only
2nd weekday outside working hours, 1730-2400         | Basic                            | Default         | Monitor Only
Weekday working hours, Monday to Friday, 0900-1730   | Engineering Categories           | Default         | Basic Security

1. Navigate to Web > Main > Policy Management > Policies, and then click the Engineering policy.
2. Set the weekends schedule following the settings above, and then click Add.
3. Set the 1st weekday outside working hours schedule following the settings above, and then click Add.
4. Set the weekday working hours schedule following the settings above, and then click Add.
5. Set the 2nd weekday outside working hours schedule following the settings above, and then click Add.
6. Click OK, and then click Save and Deploy for the changes to take effect.

Proceed to the next section to assign the Engineering policy to a client.

2.2.4: Assign a Policy to a Client

You will now assign the Engineering policy to a client.
1. Navigate to Web > Main > Policy Management > Clients, and then click Add.
  a. Browse the directory tree (Directory Entries > DC=com > DC=fpcert) to find user Tom Crowne under the Engineering OU.
  b. Click the arrow button (>) to add each client to the Selected Clients list.
  c. Assign the Engineering policy to user Tom Crowne.
  d. Click OK, and then click Save and Deploy for the changes to take effect.
2. In the right-hand column of the Security Manager, navigate to Toolbox and then click Check Policy.
  a. Type or copy the username tcrowne in the User field, and then click Go. A popup window similar to the screenshot above appears, confirming that user tcrowne is being filtered by the Engineering policy.
  b. Click Close.

IMPORTANT:
Because the lab environment integrates with Content Gateway, you will get to test how this policy is enforced in the next section, starting in Lab Activity 2.3.

In summary:
1. Go to Web > Main > Policy Management > Clients to assign the Engineering policy to user Tom Crowne.
2. Use Toolbox > Check Policy to verify the result.

Content Gateway Analysis

In this section, learn about Content Gateway, specifically its advanced analysis and bypass features, including SSL support.

In simple terms, SSL encryption works by employing the following infrastructure:
• Public key
• Private key
• Digital certificate

Public keys are used to encrypt data. Private keys are used to decrypt data. Any data encrypted with the public key can only be decrypted with the private key. Digital certificates are issued by certificate authorities (CAs).

To establish an HTTPS connection, the client sends an SSL connection request to the server. If the server consents, the client and server use a standard handshake to negotiate an SSL connection.
Part of a standard handshake is the server's digital certificate.

Let's use companyABC as the secured website in the illustration above. Mary and Greg are a couple who wish to purchase supplies for their DIY home improvement project.

1. companyABC has its website designed, hosted, and ready for selling products online. Business owners and online sellers who pay attention to security want to provide customers with a safe shopping experience. To do this, companyABC must purchase a digital certificate. A digital certificate is an online ID card that identifies companyABC as who they claim to be. A public/private key pair must exist before the certificate request is made; that public key becomes part of the issued certificate.

SSL Encryption
[Illustration: Digital Certificate, Trusted CAs, User, Secure site https://www.companyABC.com]

shopping within the confines of companyABC's site.

NOTE:
For additional information on SSL, TLS, and SSL/TLS certificates, consult any of the commercially available articles, videos, eBooks, and other online resources.

• Researches companies
• Checks references
• Assures identity and positively determines that organizations are who they claim to be online
• Encrypts data that flows to and from the site, keeping it secured from outsiders
• If a trusted CA has verified a digital certificate, then you know that a certain site is secure.

Forcepoint Content Gateway is capable of intercepting and decrypting SSL/TLS traffic. In a Web Security deployment, the recommended approach is to use Content Gateway. Content Gateway supports TLSv1.x (SSLv3 support is disabled by default).

HTTPS interception technically uses the man-in-the-middle approach. That is, the web proxy issues its own certificate to the client, and the proxy acts as the client when communicating with the OCS (Origin Content Server) that serves the HTTPS content.

NOTE:
Clients' browsers must be updated with the additional Root CA. Otherwise, a certificate warning is issued.

Let's use the same example with secure site companyABC and clients Mary/Greg. This time, Mary is doing her online shopping in the office during her lunchtime, and her office infrastructure has a Forcepoint Content Gateway appliance deployed.

The illustration above details the SSL/TLS connection when a Forcepoint Content Gateway appliance sits between the client and the secure origin content server (OCS). Note that SSL manager is disabled here: SSL traffic is not decrypted.

1. companyABC has its website designed, hosted, and ready for selling products online. companyABC has also purchased a digital certificate from a reputable CA.
2. The client initiates an HTTP connection to Content Gateway via the CONNECT method using port 8080 (by default, explicit proxy mode). Alternatively, a direct HTTPS connection using port 443 can be initiated (transparent proxy mode).
3. Content Gateway initiates a secure HTTPS connection to the companyABC site using port 443.

Intercepting SSL Traffic with Content Gateway
[Illustration: Digital Certificate, User, Trusted CAs, Secure site https://www.companyABC.com]

When SSL traffic is decrypted, two connections are involved:
• One from the client browser to Content Gateway. This is the inbound connection.
• Another from Content Gateway to the origin content server that will receive the secure data. This is the outbound connection.

• When Content Gateway is an explicit proxy, a lookup is performed and policy is applied before the connection request is made. Transactions are logged as usual.
• When Content Gateway is a transparent proxy, if there is an SNI in the request, Content Gateway gets the hostname from the SNI and performs filtering based on the hostname. Otherwise, when Content Gateway sends the connection to the server, the unknown protocol error causes the request to be tunneled without the proxy being aware of it, and no transaction is logged.

The SSL manager:
• Proxies requests
• Decrypts content and performs real-time content and security analysis
• Re-encrypts content for delivery to the client or origin server

HTTPS connections between the client browser and Content Gateway require a certificate issued by an internal CA.

Connections between Content Gateway and the origin server require a certificate signed by one of the certificate signing authorities listed in the Certificate Authority Tree on the Configure > SSL > Certificates > Certificate Authorities tab. Content Gateway initially populates the Certificate Authority Tree (trusted certificate store) with the list qualified by modern internet browsers. Content Gateway trusts origin servers that offer these certificates.

While the high-level concept behind the SSL manager seems simple and straightforward, the actual process "under the hood" is complex and technically advanced.

The diagram above provides an overview of how data is processed inside the Forcepoint appliance. The process differs depending on whether the received traffic is HTTP or HTTPS.

1. The client initiates an HTTP or HTTPS request.
  • An HTTP request can be made on port 80 (typical for a transparent proxy deployment) or port 8080 (typical for an explicit proxy deployment).
  • An HTTPS request can be made on port 443 (typical for a transparent proxy deployment) or port 8080 (typical for an explicit proxy deployment).
2. The Adaptive Redirection Module (ARM) detects whether traffic is HTTP or HTTPS. The ARM can easily detect whether a connection arriving on 8080 is HTTP or HTTPS.
3. The ARM redirects all HTTPS traffic internally to the SSL module running on port 8070.
4. The SSL module decrypts the connection and sends it to the Proxy module. At this point the Forcepoint appliance can:
  • Inspect the SSL connection for threats
  • Perform advanced content filtering
5. The SSL module communicates with the secure website.

HTTP traffic is redirected to the HTTP module on port 8080, regardless of the port used for the client's original connection and regardless of whether it is an explicit or transparent HTTP request.

Content Gateway Data Flow
[Diagram: ARM, Proxy, HTTP/s sites]

To enable the advanced analysis and bypass features that are available with Web Security, an appropriate subscription key must be entered in Security Manager. The key is automatically passed to all Content Gateway instances associated with the current Policy Server.

Content Gateway performs advanced analysis of web traffic as it flows through the on-premises proxy. Only sites that are not already blocked, based on the active policy, are analyzed.
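The ARM's HTTP-versus-HTTPS decision and the transparent-proxy SNI case described above, as an added example in Python (not Content Gateway code). `classify` inspects the first bytes of a client connection: an HTTP request line (including CONNECT in explicit mode) is routed to the HTTP module port, a TLS handshake record to the SSL module port, and for TLS the hostname comes from the ClientHello's server_name (SNI) extension; a ClientHello without SNI yields no hostname, which is the case the text says is tunneled without being logged. The `build_client_hello` helper only constructs sample input and the function names are assumptions; the ports 8080 and 8070 are the ones in the text.

```python
"""Classify the first bytes of a client connection and recover the hostname used
for policy lookup. Added illustration, not Content Gateway code."""
import os
import struct
from typing import Optional

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")
HTTP_MODULE_PORT = 8080   # from the text: HTTP module
SSL_MODULE_PORT = 8070    # from the text: SSL module


def build_client_hello(sni: Optional[str]) -> bytes:
    """Constructed sample input: a minimal TLS ClientHello record, optionally
    carrying a server_name (SNI) extension. Not a handshake implementation."""
    body = b"\x03\x03" + os.urandom(32)          # client_version 1.2, 32-byte random
    body += b"\x00"                               # empty session id
    body += b"\x00\x02\x13\x01"                   # one cipher suite
    body += b"\x01\x00"                           # null compression
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(name_list)) + name_list
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension of a ClientHello, else None."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        return None
    end = min(9 + int.from_bytes(data[6:9], "big"), len(data))
    pos = 9 + 2 + 32                                  # skip version and random
    if pos >= end:
        return None
    pos += 1 + data[pos]                              # session id
    if pos + 2 > end:
        return None
    pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher suites
    if pos >= end:
        return None
    pos += 1 + data[pos]                              # compression methods
    if pos + 2 > end:
        return None                                   # no extensions block at all
    ext_end = min(pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0], end)
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if etype == 0x0000:                           # server_name extension
            lpos, lend = pos + 2, pos + elen          # skip the list length
            while lpos + 3 <= lend:
                ntype = data[lpos]
                nlen = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                if ntype == 0:                        # host_name
                    return data[lpos + 3:lpos + 3 + nlen].decode("ascii",
                                                                   "replace")
                lpos += 3 + nlen
        pos += elen
    return None


def classify(first_bytes: bytes) -> dict:
    """Mirror the ARM decision and the source of the hostname used for filtering."""
    if first_bytes.startswith(HTTP_METHODS):
        lines = first_bytes.split(b"\r\n")
        parts = lines[0].decode("ascii", "replace").split(" ")
        method, target = parts[0], (parts[1] if len(parts) > 1 else "")
        host = None
        if method == "CONNECT":                       # explicit proxy: CONNECT host:port
            host = target.rsplit(":", 1)[0]
        else:                                         # plain HTTP: use the Host header
            for h in lines[1:]:
                if h.lower().startswith(b"host:"):
                    host = h[5:].strip().decode("ascii", "replace")
                    break
        return {"kind": "http", "module_port": HTTP_MODULE_PORT, "hostname": host, "logged": True}
    if first_bytes[:1] == b"\x16":                    # TLS handshake record
        host = extract_sni(first_bytes)
        # No SNI: the transparent proxy cannot name the site; the text says the
        # request is then tunneled and no transaction is logged.
        return {"kind": "https", "module_port": SSL_MODULE_PORT, "hostname": host,
                "logged": host is not None}
    return {"kind": "unknown", "module_port": None, "hostname": None, "logged": False}


if __name__ == "__main__":
    print(classify(b"CONNECT www.companyabc.com:443 HTTP/1.1\r\n\r\n"))
    print(classify(build_client_hello("www.companyabc.com")))
    print(classify(build_client_hello(None)))
```

The last case in `__main__` is the one worth watching in logs: a transparent-mode TLS connection with no SNI produces no hostname and, per the text, no transaction record, so a client that deliberately omits SNI leaves a gap in filtering that only the explicit-proxy (CONNECT) path closes.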
Analysis uses a set of data files (a database) that Forcepoint Security Labs updates regularly and releases through the Forcepoint download server.

Content Gateway Advanced Analysis and Bypass Features
• Analyzes web traffic that is not blocked and is passing through the on-premises proxy
• Uses a set of data files to perform the following advanced analysis features, in this order:
  o Tunneled protocol detection
  o Content categorization
  o Content security
  o File analysis
  o Outbound security analysis
  o Other options: Content Categorization and Scanning Sensitivity Level, Content Delay Handling, Scanning Timeout, Scan Size Limit, and Content Stripping
• Supports bypass options:
  o SSL decryption bypass
  o Authentication bypass
  o Content Gateway bypass
• Allows exceptions

File Analysis
• Traditional antivirus (AV) definition files are used to find virus-infected files.
• Advanced File Analysis sends suspicious files for analysis and can be configured to send alerts via email, SNMP, or both when a file is found to contain malicious content.

Scanning Timeout
Each content or file analysis consumes a variable amount of time that cannot be determined before analysis begins. By default, to ensure a good user experience, analysis is limited to 1.5 seconds (1500 milliseconds). To adjust the timeout, select Custom and enter a value within the range 500 - 10000 (milliseconds).

Scan Size Limit
Set the threshold up to which Content Gateway performs analysis; analysis stops when the threshold is reached. The default is 10 MB. To change the value, select Custom and enter a size in megabytes.

Content Stripping
Threats to your system can hide in active content sent via web pages. Active content is content embedded in the HTML page that performs actions, such as running an animation or a program.

The content stripping options make it possible to specify that content in particular scripting languages (ActiveX, JavaScript, or VBScript) be stripped from incoming web pages. If content stripping is enabled, all content in the specified scripting languages is removed from sites flagged as containing dynamic content or appearing on the Always Scan list.

Content is removed only after the advanced analysis options have categorized the site and Filtering Service has determined which policy applies.

IMPORTANT:
Web pages that rely on active content that has been stripped do not function as expected. To permit full access to sites that require active content, disable content stripping or add the sites to the Never Scan list.

The user requesting a page with active content does not receive any notification that content has been removed.

Content stripping can result in some content being garbled and unreadable. To reduce the amount of garbled and unreadable content:
1. Access Content Gateway Manager and go to the Configure > Protocols > HTTP > Privacy tab.
2. In the Remove Headers > Remove Others field, add Accept-Encoding.
3. Click Apply and restart Content Gateway.

Link Analysis allows Content Categorization to achieve

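The content stripping option described above, as an added example in Python (not Content Gateway code): an HTML rewriter that drops JavaScript, VBScript and ActiveX elements while leaving non-executable script blocks and the rest of the page intact, plus the request-header change from the three steps above. The sample page, the `clsid:` placeholder, the class and function names, and the assumption that a still-compressed response body is what ends up garbled when stripping is attempted are constructed for the illustration.

```python
"""Active-content stripping. Added illustration, not Content Gateway code."""
import gzip
from html.parser import HTMLParser
from typing import Dict, Iterable, Optional, Tuple

STRIP_LANGUAGES = {"javascript", "vbscript", "activex"}   # the three options in the text


class ActiveContentStripper(HTMLParser):
    """Re-emits the document, dropping elements whose language is on the strip list."""

    def __init__(self, languages: Iterable[str]):
        super().__init__(convert_charrefs=False)
        self.languages = {lang.lower() for lang in languages}
        self.out: list = []
        self.skip_tag: Optional[str] = None   # element currently being dropped
        self.skip_depth = 0
        self.removed = 0

    def _language(self, tag: str, attrs) -> Optional[str]:
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            t = a.get("type", a.get("language", "javascript")).lower()
            if "vbs" in t:
                return "vbscript"
            if t in ("", "module") or "javascript" in t or "ecmascript" in t:
                return "javascript"
            return None                    # e.g. application/ld+json is data, not code
        if tag == "object" and a.get("classid", "").lower().startswith("clsid:"):
            return "activex"
        return None

    def handle_starttag(self, tag, attrs):
        if self.skip_tag:                  # nested inside a dropped element
            if tag == self.skip_tag:
                self.skip_depth += 1
            return
        if self._language(tag, attrs) in self.languages:
            self.skip_tag, self.skip_depth = tag, 1
            self.removed += 1
            return
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        if self.skip_tag:
            return
        if self._language(tag, attrs) in self.languages:
            self.removed += 1
            return
        self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if self.skip_tag:
            if tag == self.skip_tag:
                self.skip_depth -= 1
                if self.skip_depth == 0:
                    self.skip_tag = None
            return
        self.out.append(f"</{tag}>")

    def _emit(self, text: str):
        if not self.skip_tag:
            self.out.append(text)

    def handle_data(self, data):
        self._emit(data)

    def handle_entityref(self, name):
        self._emit(f"&{name};")

    def handle_charref(self, name):
        self._emit(f"&#{name};")

    def handle_comment(self, data):
        self._emit(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def strip_active_content(html: str, languages=STRIP_LANGUAGES) -> Tuple[str, int]:
    """Return (rewritten html, number of elements removed)."""
    p = ActiveContentStripper(languages)
    p.feed(html)
    p.close()
    return "".join(p.out), p.removed


def outbound_request_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Equivalent of adding Accept-Encoding under Remove Headers > Remove Others:
    without it the origin has no reason to compress the response."""
    return {k: v for k, v in headers.items() if k.lower() != "accept-encoding"}


def strip_response(body: bytes, content_encoding: Optional[str] = None,
                   languages=STRIP_LANGUAGES) -> Tuple[bytes, int]:
    """Strip an HTML response body. A compressed body is not HTML text, so it is
    passed through untouched (assumed here to be the source of garbled pages)."""
    if content_encoding:
        return body, 0
    text, removed = strip_active_content(body.decode("utf-8", "replace"), languages)
    return text.encode("utf-8"), removed


# Constructed sample page; the clsid value is a placeholder, not a real control.
SAMPLE_HTML = """<!DOCTYPE html><html><head><title>Shop &amp; Save</title>
<script type="text/javascript">document.cookie = "cart=1";</script>
<script type="application/ld+json">{"@type": "Product"}</script>
</head><body><p>Welcome to companyABC</p>
<script language="VBScript">MsgBox "hi"</script>
<object classid="clsid:00000000-0000-0000-0000-000000000000"><param name="x" value="y"></object>
<noscript>Scripts are off</noscript></body></html>"""
SAMPLE_GZIP = gzip.compress(SAMPLE_HTML.encode("utf-8"))   # what an origin sends if allowed to compress
```

Run against the sample, three elements are removed (the JavaScript block, the VBScript block and the ActiveX object) while the JSON-LD script, the entity in the title and the noscript fallback survive; the same page delivered gzip-compressed is left alone, and the user is not told anything was removed, which is the behaviour the IMPORTANT note warns about.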