Forcepoint Web Security
Administrator - Module 1
Student Guide
Rev: CA0300
Public

© 2020 Forcepoint. Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint. All other trademarks used in this document are the property of their respective owners.

This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent in writing from Forcepoint. Every effort has been made to ensure the accuracy of this manual. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose.

Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.

Course Roadmap ........ 7
Module 1 Lab Introduction ........ 104
Lab Activity 1.1: Getting Started with Web Security ........ 105
Lab Activity 1.2: Getting Started with the Appliance / Content Gateway ........ 110
Lab Activity 1.3: Discovering Forcepoint Security Appliance Manager ........ 118
Delegated Administration ........ 123
Lab Activity 1.4: Performing Delegated Administration ........ 137
Modules 2, 3, and 4: See corresponding PDF files
Lab Activity 1.5: Performing Bulk Hotfix Installation ........ 156

Web Security Administrator course objectives

• Access, find, and modify key user interface options to accomplish administrative tasks.
• Customize and manage Web Security policies to meet your organization's filtering needs.
• Extend and combine available reporting options to gain actionable insights related to Web Security detections.
• Leverage Web Security configuration options and available tools to respond to incidents.

Course Logistics

Pre-class tasks

• Take note of the specific details provided in the following email notifications:
  • Forcepoint Cyber Institute (FCI) invitation: has the FCI user account information.
  • Class reminder: has details about the class schedule and related information.
  • Forcepoint Go4Labs access: has information about accessing the Web Security Administrator course virtual lab environment.
• Test access to the Go4Labs virtual lab environment.
• Test the Zoom connection, including computer or device audio and video (https://zoom.us/test).
• Follow the link in the FCI invitation to enable the FCI account. An FCI account allows you to access course resources, join a session, take the certification exam, and evaluate a class.
• In FCI, read and understand the Pre-Class Guide.

Perform the following tasks three days or so before the start of your scheduled session:

• Check for the following email notifications from Forcepoint:
  • FCI invitation: sent after you register for a Forcepoint training course
  • Class reminder: sent three days and a day before a scheduled class
  • Forcepoint Go4Labs access: sent a week or so before a scheduled class
  A week or so before the scheduled class, Forcepoint sends these email notifications.
• Test your Zoom connection.
• Access the Go4Labs virtual lab environment using the information sent via email.
• Follow the link in the FCI invitation email to enable your FCI account. Change your password when signing in for the first time.
• After signing into FCI, go through the Pre-Class Guide.

data retention is enabled, the trend job uses daily trend data created by the ETL job to update weekly, monthly, and yearly trend records for use in presentation reports.

By default, the Forcepoint Log Server creates the Cache log records inside C:\Program Files (x86)\Websense\Web Security\bin\Cache\ and uses BCP as the mechanism to add records into the Log Database. This is the preferred method and is automatically selected when SQL is present on the same server as the Forcepoint Log Server. At a minimum, Microsoft SQL Client Tools must be installed on the Log Server machine to enable BCP.

Bulk Copy Program (BCP) inserts records into the Log Database in groups called batches. This option is recommended because it offers better efficiency than the ODBC insertion method. When enabled, BCP creates a BCP folder under the Websense bin\cache directory. You will see BCP files appearing in this folder before they are inserted into the SQL Server database.

NOTE: If log files continue to back up even after enabling BCP, analyze the number of Log Servers, their location in the network, network bandwidth and path, SQL database size, and server resources such as CPU, RAM, and storage capacity/speed.

Content Gateway is a mandatory component of Forcepoint Web Security.
Network Agent, on the other hand, is largely used in the legacy Web Filter product, which excludes proxy capabilities.

Content Gateway
A proxy through which clients connect to Web content. Forcepoint Content Gateway integrates with Forcepoint Web Security to further increase the level of security for the Web. The Forcepoint Content Gateway provides visibility into SSL-encrypted Web traffic, to ensure that malicious content cannot enter the network. It also enables real-time categorization of dynamic Web 2.0 content, as well as identification of previously unvisited sites that might only exist for a very short period of time, such as those used for phishing attacks and proxy avoidance Web sites.

Before the release of Forcepoint Web Security Gateway, the Web Security product integrated with proxies produced by other vendors (for example, Microsoft's ISA Server). These integrations are still supported, but Forcepoint recommends the use of the full product suite, as other proxies do not provide the real-time scanning offered by the Forcepoint Content Gateway.

Network Agent
Monitors the network to identify non-web protocol traffic.
Once identified, this traffic may be filtered by Forcepoint Web Security.

Networking Components

[Figure: Networking Components. Network Agent and Content Gateway sit between the User and the Origin Web Server, alongside Authentication, Filtering, Reporting/Alerting, Configuration Management, and Networking. Content Gateway transmits web traffic to/from the end-user and the origin server, and performs SSL decryption, security analysis, sandboxing submission, and DLP detection.]

Content Gateway is a Linux-only component that serves as a proxy in Forcepoint Web Security, Email Security, and Forcepoint DLP solutions. Content Gateway is a forward proxy that performs advanced content analysis as content flows through the proxy. It is a trusted man-in-the-middle for clear-text and encrypted traffic. Content Gateway intercepts and analyses web traffic before passing it to requesting clients or responding origin servers.

With Web Security, Content Gateway provides the following functionalities:

Traffic management
This includes interception of HTTP, HTTPS, FTP, SOCKS, and DNS traffic. Content Gateway intercepts the traffic from the client and does the necessary checking before it delivers it to the origin server. Content Gateway also monitors the responses from the origin server and sends them back to the client.

This component can work with other networked proxies, acting as a parent proxy or as a child proxy that forwards traffic to another proxy acting as the parent. Multiple proxy instances can also be deployed in a cluster, automatically sharing configuration information.
As an active inline proxy, Content Gateway can deny or allow URL requests, insert custom headers, strip/modify header information, and prevent specified applications from traversing the proxy. Content Gateway also implements connection and bandwidth management by optionally limiting client concurrent connections and connection rate.

Learn more about the placement of Content Gateway as an explicit or transparent proxy in Module 1 > Deployment Overview.

Content Gateway
• Integrates with Forcepoint Web Security
• Runs on a Forcepoint appliance or as a software install (Linux server)
• Is a forward proxy that performs advanced content analysis, traffic management, and user authentication
• Has its own GUI, Content Gateway Manager, to allow admins to configure settings

[Figure: Content Gateway (appliance or Linux server) between users and HTTP/S sites, providing advanced analysis, traffic management, and user authentication.]

Content Gateway Analysis.

Network Agent acts as a packet sniffer, using promiscuous mode to capture and analyse packets. Although it is not a mandatory component, it offers considerably enhanced security.

The following are considerations relating to Network Agent deployment:
• Must be deployed where it can see all internal Internet traffic from the machines that it is required to monitor.
• Can be installed on a dedicated machine to increase overall throughput.
• Must have bidirectional visibility into Internet traffic to allow the blocking of requests.

Multiple instances of Network Agent may be required in larger or distributed networks. Each Network Agent should be allocated to a specific IP address range or network segment.
The use of multiple Network Agents allows all network traffic to be readily monitored and spreads the load over multiple hosts. Using multiple Network Agents ensures that all network traffic is monitored and prevents server overload.

The required number of Network Agents depends on network size and Internet request volume. Network Agent can typically monitor 50 Mbits of traffic per second, or about 800 requests per second. The number of users that Network Agent can monitor depends on the volume of Internet requests from each user, the configuration of the network, and the location of Network Agent in relation to the computers it is assigned to monitor. Network Agent functions best when it is close to those computers.

Up to four Network Agents can be deployed per Filtering Service. One Filtering Service may be able to handle more than four Network Agents, depending on the number of Internet requests.

Network Agent
• Requires bi-directional visibility into traffic
• Runs on a dedicated version of these operating systems:
  • Linux
  • Windows
• Supports multiple instances for large networks
• Each Network Agent instance monitors a specific IP address range or network segment

Deployment Overview of the Web Security Administrator course.

As a quick reference, here are the third-party solutions that Web Security supports as of version 8.5.x.

IMPORTANT: The Web Security Administrator Course aims to take you on a journey from understanding the product features to being able to manage, monitor, respond to incidents, and prove the value of the solution.

The course does not cover topics such as third-party interoperability. Details about notable integrations are provided in the Systems Engineer Course.
For information about other technical trainings and courses, please contact the Forcepoint Technical Training team (learn@forcepoint.com).

Third-Party Support
• Cisco ASA or routers
• Citrix
• ICAP Service
• Microsoft Forefront TMG
• Other supported integration (as a "universal" integration)

You can install most Web Security components on Forcepoint appliances.

Forcepoint appliance platforms include the following hardware families:
• V Series: a single rack-unit form factor
• X Series: a 10 rack-unit form factor with a chassis hosting up to 16 X10G blade servers

All V Series (and X Series) appliances come with an integrated Dell Remote Access Controller (iDRAC). The iDRAC has its own processor, memory, and network connection. Its many features include power management, virtual media access, and remote console capabilities. You can access it through a web browser or a command line interface.

In a web browser, go to the iDRAC default IP address (https://192.168.0.120).
Log on with either of the following default credential sets:
• Set 1: Username: root / Password: Forcepoint#1
• Set 2: Username: root / Password: calvin

For details about appliance deployment, please consider taking the Web Security Systems Engineer Course.

Appliance Offerings
• Forcepoint V5000 G4
• Forcepoint V10000 G4R2
• Forcepoint V20000 G1
• Forcepoint V10000 G4
• Forcepoint X10G

[Table: Software Package by Appliance Platform (V5000, V10000, V20000, X10G, Virtual). Web Security is marked for all five platforms, Network Agent for three, and URL Filtering for one.]

Datasheets:
https://www.forcepoint.com/sites/default/files/resources/files/datasheet_forcepoint_v_series_appliances_en.pdf
https://www.forcepoint.com/sites/default/files/resources/files/datasheet_x_series_appliances_en.pdf

Version 8.5 Web Virtual Appliances are certified for VMware ESXi 6.5 / 6.0 / 5.5. A stable release of ESXi, such as 6.5d (build 5310538) or later, is recommended to avoid unexpected issues.

The install OVA creates a virtual machine with the following specifications:

IMPORTANT: Starting in v8.5.0, the vCPU cores and RAM allocation can be increased.
Disk size and network interfaces cannot be changed.

• 6 CPU cores
• 12 GB RAM
• 1 x 128 GiB and 1 x 129 GiB disk
• 4 E1000 virtual network interfaces (1 reserved port)

appliances are one component of a complete Forcepoint cloud solution.

Depending on the network size and other factors, web protection deployments can use a mix of platforms: Forcepoint V Series or X Series appliances, and standalone Windows and Linux servers.

An appliance can be deployed as a web proxy (Content Gateway) or as a policy source.

Content Gateway
Content Gateway is a high-performance web proxy. It is installed on every Web Security appliance. In addition to providing core web proxy request handling and (optional) page caching, most importantly it applies Forcepoint real-time threat analytics and website classification to protect the network from attacks and from malicious and undesirable content.

Policy Source
In a web protection deployment, there is a policy source machine that hosts two components that do not run on any other server or appliance: Policy Database and Policy Broker. One of the first deployment decisions that must be made is the location of the policy source machine.

Most sites install the policy source on a Windows server (off-appliance). An alternative is to configure a V Series or X Series appliance (located in Slot-1). The policy mode of the remaining appliances is chosen during each appliance's firstboot.

Here's how it works:
1. The policy source machine is set up, either off-appliance or on-appliance.
2. When other appliances go through firstboot, the policy mode is set to either User directory and filtering mode or Filtering only mode.

Appliance Deployment > Web Mode
• Content Gateway
• Available policy modes:
  • Full policy source
  • User directory and filtering
  • Filtering only
  (not supported in virtual appliances)
• Most organizations install the policy source off-appliance, on a Windows server.

Full Policy Source Mode
When enabled, the Policy Broker, Policy Server, Filtering Service, and User Service will be available. The policy data will be hosted on the Policy Database instance, which means a PostgreSQL instance will be resident in the Web Security file system of the appliance. When the appliance is the policy source, Policy Broker replication cannot be used, as it is currently NOT supported.

‘User directory and filtering’ Policy Mode
A User directory and filtering appliance is a lightweight version of the policy source machine. Whenever you make a policy change, that change is immediately updated on the policy source appliance. The change is pushed out to user directory and filtering appliances within 30 seconds.

If the connection with the policy source machine is interrupted, user directory and filtering appliances can continue handling traffic for as long as 14 days. So even if a network connection is poor or is lost, traffic processing continues as expected.

A User directory and filtering appliance is configured to point to the full policy source for updates.
In addition, an appliance with this mode enabled runs the following components:
• Policy Server
• User Service
• Usage Monitor
• Filtering Service
• Control Service
• Directory Agent
• Content Gateway module (if Web Security is used)

‘Filtering only’ Policy Mode
A Filtering only appliance is configured to point to a Policy Server. This works best when the appliance is close to the Policy Server and on the same network.

These appliances require a continual connection to the centralized Policy Server, not only to stay current, but also to continue handling traffic. If the connection to the Policy Server becomes unavailable for any reason, traffic on a filtering only appliance will continue to be handled for up to 3 hours.

A Filtering only appliance does not run Policy Server. It runs only:
• Filtering Service
• Control Service
• Content Gateway module (if Web Security is used)

Accessing Other Modes
You can access another mode only when you are in view mode. Type one of the following commands:
# config
- or -
# diagnose

In the lab environment, enter Forcepoint1! as the password.

You must return to view mode to switch modes. Type the following command:
# exit

CLI: ‘view’ Mode
• Is the active mode when you log on for the first time
• Provides access to config and diagnose modes
• Allows the following commands:
  • clear session: ends a config session, allowing another admin to enter config mode.
  • exit: closes the ssh session.
  • help: lists the commands available in view mode.
  • help <command>: lists information about the full syntax of a command.
  • show: lists 25+ commands to display current configurations.
These commands are detailed on the following slides.

The restart command corresponds to the Restart appliance button available in the General section of the Forcepoint Security Appliance Manager Status tab.

‘config’ Mode Sample Commands
• To restart or shut down an appliance:
# restart appliance
# shutdown appliance
• To configure time and date:
# show system timezone
# show system timezone-list
# set system timezone
# show system ntp
# set system ntp
# sync system ntp
# show system clock
# set system clock

to determine the correct full syntax of each command.

CLI: ‘diagnose’ Mode
• arp
• ethtool
• ifconfig
• nc
• netstat
• nslookup
• ping
• ping6
• route
• route6
• tcpdump
• top
• traceroute
• traceroute6
• wget
• wget-proxy
• get debugging
• get proxy content_line
• get proxy network_check
• get proxy policy_engine
• get proxy print_bypass
• get web cache_users
• get web policy_broker
• get web usr_grp_ip_prec

Deployment Overview

Network with Web Security After Deployment

After deployment, expect a few changes in the network infrastructure. There are many places within the network where Forcepoint components can integrate.

Traffic coming from internal users is inspected by the local proxies, either being intercepted by a network firewall or by an advanced network device redirecting the outbound data; this traffic can also be analyzed against data theft policies, content scanning, real-time analysis, and SSL decryption functions.
With these, Forcepoint can have visibility into all aspects of the network. Remember that you have the ability to manage all of these different security devices via a single console, providing centralized management and reporting.

This illustration shows components distributed across multiple servers in a typical and basic software-based deployment.

All of the enforcement components, except for the optional transparent identification agents, may reside on a Windows or Linux server, or on a Forcepoint appliance.

For evaluation or very small (low traffic) deployments, all Forcepoint components, plus an instance of SQL Server Express (installed by the Forcepoint Security Installer), may reside on a single Windows server.

NOTE: Additional information about the components required for a successful Web Security deployment, plus other best practices, is presented in the succeeding sections.

A Forcepoint appliance supports three Web Security modes. Depending on the mode enabled, certain services will be activated and some will be deactivated.

In Policy Source mode, Policy Broker is running on the appliance.
All other Policy Server instances will get policies directly from this server.

Note the need to deploy additional off-box components, the majority of which are services that only run on Windows operating systems.

Required Components: Policy Source on an Appliance

On the appliance:
• Content Gateway
• Policy Broker
• Policy Server
• Filtering Service
• Network Agent
• User Service

Off-Box components:
• XID agents
• Additional policy enforcement components
• Log Server
• Security Manager
• Reporting Tools
• Real-Time Monitor

Forcepoint Content Gateway provides the following proxy deployment options.

Explicit Proxy Deployment
Use of Content Gateway in an explicit proxy deployment is an easy way to handle web requests from users. This type of deployment is recommended for simple networks with a small number of users. Explicit proxy is also used effectively when proxy settings can be applied by group policy. It requires minimal network configuration, which can be an advantage when troubleshooting.

For explicit proxy deployment, individual client browsers may be manually configured to send HTTP, and optionally HTTPS and FTP, requests directly to the proxy. They may also be configured to download proxy configuration instructions from a Proxy Auto-Configuration (PAC) file. A group policy that points to a PAC file for configuration changes is a best practice for explicit proxy deployments.
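As an added example (not from the Forcepoint guide), here is a PAC file of the kind a group policy would point clients at in an explicit-proxy deployment: internal destinations go DIRECT, everything else goes to Content Gateway. The proxy address cg-proxy.example.internal:8080, the private address ranges, and the corp.example domain are placeholder assumptions, and the helper definitions at the top stand in for the browser's PAC runtime so the file can also be exercised under Node.

```javascript
// Added example PAC file for an explicit-proxy Content Gateway deployment.
// Not Forcepoint's own file. Placeholder values (assumptions): the proxy
// address, the internal address ranges and the internal DNS domain.
//
// A browser's PAC runtime provides isPlainHostName(), dnsDomainIs() and
// isInNet(). The stand-ins below are defined only when those are missing,
// so the same file runs under Node for testing and unchanged in a browser.

if (typeof isPlainHostName !== "function") {
  // Host name without any dot, e.g. "intranet".
  globalThis.isPlainHostName = (host) => host.indexOf(".") === -1;
}
if (typeof dnsDomainIs !== "function") {
  // True when host ends with the given domain suffix, e.g. ".corp.example".
  globalThis.dnsDomainIs = (host, domain) => host.endsWith(domain);
}
if (typeof isInNet !== "function") {
  // Dotted-quad only; the browser runtime would also resolve host names first.
  const ipToInt = (ip) => {
    const parts = ip.split(".");
    if (parts.length !== 4) return null;
    let n = 0;
    for (const p of parts) {
      if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
      n = n * 256 + Number(p);
    }
    return n;
  };
  globalThis.isInNet = (host, pattern, mask) => {
    const h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
    if (h === null || p === null || m === null) return false;
    return ((h & m) >>> 0) === ((p & m) >>> 0);
  };
}

// Placeholder Content Gateway proxy address (assumption; not from the guide).
const CONTENT_GATEWAY = "PROXY cg-proxy.example.internal:8080";

// Internal networks that never leave via the proxy (assumed: RFC 1918 + loopback).
const INTERNAL_NETS = [
  ["10.0.0.0", "255.0.0.0"],
  ["172.16.0.0", "255.240.0.0"],
  ["192.168.0.0", "255.255.0.0"],
  ["127.0.0.0", "255.0.0.0"],
];

// Matches an IPv4 literal so isInNet() is only called where no DNS lookup
// is needed; calling it on every external host name would make the browser
// resolve each name several times just to evaluate the PAC file.
const IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // 1. Plain host names and the internal DNS domain stay on the LAN.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }

  // 2. Literal private/loopback addresses also bypass the proxy.
  if (IPV4_LITERAL.test(host)) {
    for (const [net, mask] of INTERNAL_NETS) {
      if (isInNet(host, net, mask)) return "DIRECT";
    }
  }

  // 3. Everything else (HTTP, HTTPS, FTP) goes to Content Gateway.
  // Deliberately no "; DIRECT" fallback: a fallback would let clients bypass
  // inspection whenever the proxy is unreachable, which is exactly what the
  // firewall rule blocking direct egress from clients is meant to prevent.
  return CONTENT_GATEWAY;
}
```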
Another option is the use of Web Proxy Auto-Discovery (WPAD) to download configuration instructions from a WPAD server.

Implementing an explicit proxy design requires you to explicitly configure all of your internal clients to connect to a web proxy (such as Content Gateway) for web-based access to the Internet. To enforce the use of the proxy, you must also configure your firewall to block direct-connection attempts from internal clients to Internet-based websites and allow only the proxy such access.

Content Gateway Deployments
• Explicit Proxy
  • User's client software is configured to send requests directly to Content Gateway
  • Manual browser configuration
  • Supports GPO, WPAD, or PAC file
• Transparent Proxy
  • User requests are transparently redirected to a Content Gateway proxy, typically by a switch or router, on the way to their eventual destination
  • Supports WCCP, PBR, Layer 4 Switch

Web Security Administration

:9443/manager/ via a web browser. For example: https://172.31.0.155:9443/manager/

Forcepoint Content Gateway Manager
Access https://<IP address>:<port> via a web browser. For example: https://172.31.152:8081

Forcepoint Appliance CLI
Access the appliance command-line interface (CLI) via ssh.

Forcepoint Security Appliance Manager
Access https://<IP address>:9443/cm/ via a web browser. For example: https://172.31.0.155:9443/cm/

Since version 8.3, Security Manager (formerly known as TRITON Manager) has been redesigned to provide faster access to the menus and options you need. Instead of having two tabs in each module, Main and Settings, all options are now on one page.

The paths are the same. The functions are the same.
But instead of clicking the Settings tab and then making another selection, you select the option in the Settings section of the left navigation panel.

Security Manager runs on a variety of popular browsers. For a list of supported browsers and versions, see the Certified Product Matrix (https://support.forcepoint.com/KBArticle?id=TRITON-Manager-Certified-Product-Matrix) on the Forcepoint website.

NOTE: There can be only one instance of Security Manager that generates and schedules reports. Typically, only one instance is needed in a deployment. It is possible to install additional instances of Security Manager in a deployment. However, these must be used as configuration and administration-only instances (referred to as administration-only instances). They cannot be used to generate reports.

Each administration-only instance of Security Manager must be associated with a separate Policy Server instance that is not associated with a Log Server. Because the administration-only instances are not associated with a Log Server, they will not display Today and History charts. Also, reporting options will not be available. Only configuration and administration functions will be available.

Security Manager

In version 8.2 and earlier, V Series appliances provided a logon portal to the Appliance Manager and Content Gateway Manager. The portal could be accessed directly in a browser or, if the appliance was registered in Security Manager, via a single sign-on link.

Starting in version 8.3, most configuration changes and health checks are done using the CLI.
However, the new Forcepoint Security Appliance Manager offers some configuration options and allows you to view all registered appliances via a single web-based console.

Appliance CLI

SSO works in the backend to allow Forcepoint Security Appliance Manager to connect to the appliance and query the applicable configuration. SSO does not enable a direct link from Security Manager to the new Forcepoint Security Appliance Manager. They are two separate consoles.

In AP-WEB 8.2 or previous versions, customers had the option to connect to an appliance and launch the legacy Appliance Manager via Security Manager. This is no longer possible starting in version 8.3. Viewing and configuring appliance settings is mostly done using the CLI (and via Forcepoint Security Appliance Manager for some options).

Forcepoint Security Appliance Manager allows you to do the following:
• View, add, or delete Forcepoint V / X Series appliances and the Virtual Appliance for Web and Email security (versions 8.3.0 and later) in one place
• Monitor appliance status and resource utilization
• Configure some appliance settings

NOTE: In the lab environment, you can access Forcepoint Security Appliance Manager through either of these methods:
• Clicking the shortcut on the Landing Desktop
• Launching an Internet browser and going to https://172.31.0.155:9443/cm/

• Edit network interface
• Add, delete, or export static and component routes
• Enable access to an appliance CLI using a remote SSH client
• Enable Remote Assistance
  Enable remote access only at the request of Technical Support. When remote access is enabled, a passcode is automatically generated and displayed in the Remote Assistance section.
Provide the passcode to the Technical Support technician, and disable remote access again once the support session is over.</p><p>• Generate a configuration summary file</p><p>The configuration summary tool gathers data from the appliance and generates a file that can be sent to Forcepoint Technical Support for analysis and debugging. The file takes approximately 3-5 minutes to generate.</p><p>• View the latest five (5) local backup files</p><p>• View and edit Simple Network Management Protocol (SNMP) setup and event specifications</p><p>Before the appliance CLI was available, the legacy Appliance Manager was used to configure an appliance. The legacy Appliance Manager has since been retired, the appliance CLI introduced, and Forcepoint Security Appliance Manager released; however, some tasks that could be configured in the legacy Appliance Manager are not yet possible in the new console and must be done in the CLI.</p><p>You can use the appliance CLI to complete the following tasks:</p><p>• View statistics and remote access history</p><p>• Change passwords</p><p>• Change proxy settings for hotfixes</p><p>• Change the policy source</p><p>• Create backups</p><p>To view statistics and remote access history, use the following CLI commands, which can be run in view or config mode. Being a command line interface, the CLI no longer offers bar graphs.
Statistics can, however, still be viewed in real time.</p><p>For a complete list of commands corresponding to the tasks listed above, refer to the Forcepoint Appliance CLI Guide (https://www.websense.com/content/support/library/appliance/v85/cli_guide/appl_cli_guide.pdf).</p><p>Sample results when running show cpu, show mem, and show session are shown in the screenshots.</p><p>Forcepoint Security Appliance Manager (FSAM)</p><p>Not yet possible to do in FSAM (use the CLI instead):</p><p>• Viewing statistics and remote access history</p><p>• Changing passwords</p><p>• Changing proxy settings for hotfixes</p><p>• Changing the policy source</p><p>The slide compares the legacy Appliance Manager in AP-WEB 8.2 and below with the equivalent CLI commands in Web Security 8.5 (started in AP-WEB 8.3):</p><p># show cpu</p><p># show mem</p><p># show diskspace</p><p># show diskio</p><p># show bandwidth</p><p># show session</p><p>The subscription key is entered on the Settings > General > Account page. The syntax of the key is validated when you click Apply, but the status of the license to which it corresponds is not verified, and details about the product level, expiration date, and user limit for the license are not displayed until the initial Master Database download has completed and been fully processed.</p><p>A limited version of the URL database is installed with Web Security, but it is a good idea to download the full Master Database as soon as possible to enable the full capabilities of the system.</p><p>Filtering Service maintains a subscription table of the clients generating Internet requests each day.</p><p>• If the number of subscribed clients is exceeded, there is no change in policy enforcement. However, if the subscription is consistently exceeded, you may be asked to increase your subscription limit.</p><p>• When a subscription expires, all requests are either permitted or blocked, depending on the Block users when subscription expires setting.</p><p>When the expiration date
approaches, administrators are notified through a combination of email alerts and health alerts displayed in Security Manager.</p><p>Licensing: Subscription Key</p><p>• Required to use Web Security features; consists of a text string and controls which features are available</p><p>• Specified in Security Manager; the policy domain must be configured correctly, and the key is applied automatically to Content Gateway (shared subscription)</p><p>• Subscription data appears only after the Master Database is downloaded and processed</p><p>Deployment type | Subscription status | Effect</p><p>Web Security, Forcepoint URL Filtering | Subscription is consistently exceeded | You may be asked to increase your subscription limit</p><p>All deployments | Subscription expires | Requests are permitted or blocked based on the Block users when subscription expires setting</p><p>IMPORTANT: Starting in version 8.0, no deployment enforces a license-exceeded action; filtering remains operational. Instead, Forcepoint Sales informs customers through a series of emails and phone calls that they are exceeding the license.</p><p>In Security Manager, go to Settings > General > Account, and then select Block users when subscription expires to block all Internet access for all users when the subscription expires. Leaving the option unselected gives users unrestricted Internet access when the Web Security subscription expires; in other words, an expired subscription fails open unless this option is set.</p><p>The Status > Alerts page has two alerts about your expiring subscription, which are enabled and cannot be disabled: Your subscription expires in one month and Your subscription expires in one week.</p><p>The Subscription page lists both expired and active subscriptions.
This behavior is intended to provide clarity about a subscription's current status. The entries in your subscription list follow these rules:</p><p>• Subscriptions that have been expired for longer than 60 days disappear, with a few exceptions.</p><p>• Expired subscriptions also disappear when they are renewed.</p><p>• If there are multiple subscriptions, those that have not been renewed remain listed for 60 days.</p><p>• There is currently no option to delist or hide expired subscriptions; as indicated above, they are delisted automatically after 60 days.</p><p>Shared Subscription Information</p><p>By following the lab activities in Module 1, you learn how to work with a lab environment in which some Web Security components are already deployed: access the console, and then complete the initial setup to activate Web Security.</p><p>Hands-on lab 1: Getting Started</p><p>1.1 Getting Started with Web Security</p><p>1.2 Getting Started with Web Security Appliance / Content Gateway</p><p>1.3 Discovering Forcepoint Security Appliance Manager</p><p>1.4 Performing Delegated Administration</p><p>1.5 Performing Bulk Hotfix Installation</p><p>Access Security Manager and activate Web Security by following these steps:</p><p>1. Access the Forcepoint Virtual Lab, and then open a connection to the Security_Manager VM.</p><p>2. Launch Security Manager through either of the following methods:</p><p>• Double-click the Security Manager shortcut placed on the desktop during installation. Doing so launches Google Chrome.</p><p>• Open any of the available browsers, and go to the following URL: https://172.31.0.155:9443/manager/</p><p>TIP: You can use the IP address or hostname of the Web Security host.
However, it is recommended that you use the IP address, especially when launching Security Manager from a remote host.</p><p>If you are unable to connect to Security Manager from a remote machine, make sure that your firewall allows communication on port 9443, the port in the URL above.</p><p>An SSL connection is used for secure, browser-based communication with Content Gateway Manager. This connection uses a security certificate issued by Forcepoint LLC. Because the supported browsers do not recognize Forcepoint LLC as a known Certificate Authority, a certificate error is displayed the first time you launch Content Gateway Manager from a new browser. To avoid seeing this error, install or permanently accept the certificate within the browser; verify the certificate fingerprint through a trusted channel before accepting it permanently, so that you are not trusting a substituted certificate. See your browser documentation for details.</p><p>1.1.1: Access Security Manager and Activate Web Security</p><p>1. Open a connection to the Landing Desktop or Forcepoint Security Manager VM.</p><p>2. Launch Security Manager through either of the following methods:</p><p>• Double-click the shortcut on the Desktop</p><p>• Open a browser and go to https://172.31.0.155:9443/manager/</p><p>3. Use the following credentials to gain access (these are lab-only defaults; change default passwords in a production deployment):</p><p>Username: admin</p><p>Password: Forcepoint1!</p><p>4. Apply the Web Security subscription key: go to Settings > General > Account, enter the key, and apply it.</p><p>After the preliminary validation of the subscription key is done, the "Completed!" message should appear.</p><p>Proceed to the next activity to download the latest updates.</p><p>Activating Web Security allows the product to download the Master Database, which enables up-to-date policy enforcement, as well as the analytic databases, which support real-time analysis of web content, and other available components.</p><p>Download the latest Master Database updates and verify the product subscription by following these steps:</p><p>1.
Go to Main > Status > Dashboard, wait for the Security Manager Dashboard page to display, and then click Database Download.</p><p>If the Database update status does not display "Download in progress" or "A database update is being processed", click Update to start the download process.</p><p>a. Click the IP address of the Policy Server listed in the navigation column of the content screen (172.31.0.155, in this case).</p><p>b. Allow time for the download process to complete, and then click Apply. A screen similar to the screenshot above appears.</p><p>NOTE: There is no need to wait for the download process to finish before proceeding to the next activity.</p><p>c. Click Save and Deploy in the top-right corner of the web console to deploy the changes.</p><p>1.1.2: Download the Latest Database Updates and Verify Subscription</p><p>1. Initiate the database download from the Dashboard.</p><p>2. Verify the subscription information: go to Settings > General > Account, and then verify that the following fields match the screenshot above:</p><p>• Product level</p><p>• Key expiration date</p><p>• Subscribed features</p><p>Confirm that the date indicated in Key expires has not passed.</p><p>To introduce the concept of administering Forcepoint appliances, this section features lab exercises that use the appliance CLI to perform common tasks. In addition, some exercises include verifying the appliance configuration via Security Manager.</p><p>The design of the Web Security Administrator Course lab environment includes a Policy Broker (and with it, the Policy Database) on the Web Security/Security Manager Windows-based host (Forcepoint Security Manager/Security_Manager).
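Before starting the appliance exercises, it is worth confirming from the administration host that the management and logging ports used in this lab are reachable, since a blocked port is the usual reason a console will not open or a Log Server connection fails. The script below is an added example written for this page; it is not part of the course material or of Forcepoint's own tooling. It attempts a plain TCP connect to each host/port pair, which is what the Security Manager and FSAM URLs on port 9443, SSH access to the appliance CLI, and the Log Server connection on ports 55805 and 55885 all require. The host addresses and the 9443/55805/55885 ports are the lab values from this page; SSH on port 22, the timeout, and the function names are the example's own assumptions.

```python
import socket
from typing import Dict, List, Tuple

# Lab addresses from the course material. Which service listens on which
# port is the example's assumption (SSH on 22 is the usual default).
SECURITY_MANAGER = "172.31.0.155"
WEBVA_1 = "172.31.0.151"

DEFAULT_CHECKS: List[Tuple[str, str, int]] = [
    ("Security Manager / FSAM (HTTPS)", SECURITY_MANAGER, 9443),
    ("Log Server (reporting log records)", SECURITY_MANAGER, 55805),
    ("Log Server (hybrid activity)", SECURITY_MANAGER, 55885),
    ("WebVA-1 appliance CLI (SSH)", WEBVA_1, 22),
]


def tc_reachable_placeholder() -> None:
    """Kept empty on purpose: see tcp_reachable below."""


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.

    Only the TCP handshake is attempted and nothing is sent, so this is safe
    to run against a production Log Server. A refused, filtered or timed-out
    connection yields False instead of raising.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (OSError, socket.timeout):
        return False


def run_checks(checks=DEFAULT_CHECKS, timeout: float = 3.0) -> Dict[str, bool]:
    """Run every (label, host, port) check and return {label: reachable}."""
    return {label: tcp_reachable(host, port, timeout) for label, host, port in checks}


def unreachable(results: Dict[str, bool]) -> List[str]:
    """Labels of the checks that failed, for a quick firewall triage."""
    return [label for label, ok in results.items() if not ok]


if __name__ == "__main__":
    results = run_checks()
    for label, ok in results.items():
        print(f"{'OK  ' if ok else 'FAIL'}  {label}")
    if unreachable(results):
        print("Check the firewall rules between this host and the targets above.")
```

Run it from the Security_Manager VM (or from any host you intend to administer from). A FAIL on 9443 explains a console that will not load; a FAIL on 55805 is what the Check Status button on the Logging page will report for the secondary Policy Server.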
This implementation is considered an off-appliance deployment in full policy source mode. Details about off-box and on-box (appliance) deployments are available in Module 1 > Deployment Overview.</p><p>By default, Forcepoint appliances running Web Security components have their own instances of Policy Broker (and Policy Server) and point to themselves as the (on-box) full policy source. WebVA-1, the appliance deployed in the lab, initially runs in this mode.</p><p>To illustrate the ability of Security Manager to manage multiple Policy Servers and to ensure that both the primary and secondary instances work properly, the lab environment is preconfigured with the following settings:</p><p>• Security_Manager (172.31.0.155) is the primary Policy Server.</p><p>• The instance of Policy Server that runs on WebVA-1 (172.31.0.151 on the C interface) is retained and assigned as the secondary Policy Server, running in User Directory and Filtering policy mode.
WebVA-1 points to Security_Manager as its full policy source.</p><p>• WebVA-1 is already registered to Security Manager and added as a managed appliance.</p><p>• WebVA-1 is added to the Policy Servers tree, with the Directory Services settings set to inherit from the primary Policy Server on Security_Manager.</p><p>• The Filtering Service on WebVA-1 is set to communicate with the Log Server running on the primary Policy Server.</p><p>SSH access to the CLI is available on all Forcepoint appliance platforms and is enabled by default, so restrict reachability of the appliance C interface to administrative hosts.</p><p>For this exercise, connect to the command line interface (CLI) using PuTTY, and then run some commands to become familiar with the features of the appliance CLI.</p><p>1. To launch the appliance CLI:</p><p>a. Access the Forcepoint Virtual Lab, and then open a connection to the Security_Manager VM.</p><p>b. On the Desktop or Windows taskbar, click the PuTTY icon.</p><p>c. Type 172.31.0.151, select SSH (if not already selected), and then click Open.</p><p>TIP: Save the session so that you can easily access the CLI the next time you need it for other lab activities.</p><p>d. When prompted, type the following credentials, and then press Enter.</p><p>Username: admin</p><p>Password: Forcepoint1!</p><p>Immediately after logon, admin is always in view mode.</p><p>Your logon session terminates automatically after 15 minutes of inactivity.</p><p>2.
Still in view mode, enter the following commands to verify the appliance status:</p><p># show appliance info</p><p># show appliance status</p><p>Results similar to the screenshots above should appear. show appliance info displays hardware and software information; show appliance status displays the status of the services running in each module.</p><p>1.2.1: Access the Appliance CLI</p><p>1. Launch the appliance CLI.</p><p>2. Verify the appliance status.</p><p>3. Add an appliance description. The description must be enclosed in single or double quotation marks, and its length is limited to 100 characters. Use a backslash (\) to include an apostrophe (') in the description; see the sample in the screenshot above.</p><p>Then check the host information once again to verify that the description has been saved:</p><p># show system host</p><p>Results similar to the ones in the screenshot above appear.</p><p>Proceed to the next activity.</p><p>Verify the appliance settings from Security Manager to determine whether the preconfigured settings were saved properly.</p><p>1. Verify that Web Virtual Gateway (WebVA-1.fpcert.com) is added to the list of Registered Appliances in the content-display area of the Manage Appliances page by following these steps:</p><p>a. Access the Forcepoint Virtual Lab, and then open a connection to the Security_Manager VM.</p><p>b. On the Windows desktop, double-click the Security Manager shortcut.</p><p>c. Log on to Security Manager using the following credentials:</p><p>Username: admin</p><p>Password: Forcepoint1!</p><p>The Dashboard page appears.</p><p>d. Click the Appliance icon in the header area to go to the Manage Appliances page.</p><p>e.
Click to expand and review the information that is displayed. Click Refresh Details to ensure that the latest value, which is the appliance description you specified in the previous exercise, is displayed.</p><p>1.2.2: Verify Appliance Configuration from Security Manager</p><p>1. Verify that the appliance, Web Virtual Gateway / WebVA-1.fpcert.com, is added to the list of Registered Appliances.</p><p>2. Check that the appliance is added to the Policy Servers tree: go to Settings > General > Policy Servers.</p><p>Use the Policy Servers page to review Policy Server information for all Policy Server instances associated with a Forcepoint Security Manager instance. In the lab environment, 172.31.0.151 (WebVA-1's IP address) is the secondary Policy Server.</p><p>a. Click 172.31.0.151 to view details.</p><p>b. Optionally, add a description for the secondary Policy Server.</p><p>3. Confirm the Master Database download on WebVA-1.</p><p>Use the Switch button in the header area of Security Manager to manage the instance of Policy Server running on the appliance.</p><p>a. Click Switch.</p><p>b. Select 172.31.0.151 from the dropdown menu, and then click OK.</p><p>c. Confirm that the IP address of the Policy Server listed to the right of the Switch button is 172.31.0.151.</p><p>d. Go to Main > Status > Dashboard, and then click Database Download.</p><p>e. On the Database Download page, confirm that the download and processing of the Master Database have completed.</p><p>4.
Check the Log Server connection on WebVA-1.</p><p>Ensure that the Filtering Service on the secondary Policy Server (172.31.0.151) can communicate with the Log Server running on the Web Security server. Depending on the sequence in which the environment was configured, this setting is sometimes not picked up automatically from the primary Policy Server.</p><p>a. Confirm that you are still working on the 172.31.0.151 Policy Server.</p><p>b. Go to Web > Settings > General > Logging.</p><p>c. In the Reporting Log Records section, verify (or enter, if necessary) the IP address of the Log Server (172.31.0.155) and accept the default port number 55805. Also accept the default port number 55885 for logging hybrid activity.</p><p>d. Click Check Status for port 55805 to confirm that a connection to the Log Server can be established.</p><p>e. Click OK, and then Save and Deploy.</p><p>5. Check Content Gateway Manager access from Security Manager.</p><p>NOTE: Being a designated secondary Policy Server, the virtual appliance running in the lab environment obtains its subscription information from its associated primary server.</p><p>a. As in step 4, confirm that you are still working on the 172.31.0.151 Policy Server.</p><p>b. Go to Web > Settings > General > Content Gateway Access.</p><p>c. Log on to Content Gateway Manager from this page.</p><p>d. Go to the My Proxy > Summary page. Click More Detail to display additional details. Features similar to the subscribed ones in the screenshot above should be listed. The subscription key is sent automatically to Content Gateway after you have entered it in Web Security.</p><p>e.
Take some time to explore Content Gateway Manager, and then clear any alerts that are no longer relevant (such as subscription alerts).</p><p>f. Log off and close the Content Gateway Manager session, and then switch Security Manager back to managing the 172.31.0.155 instance of Policy Server.</p><p>FSAM is already installed on the Security_Manager VM. Gain familiarity with this GUI by completing the lab activities in this section.</p><p>FSAM displays the All Appliances page, which lists information about all registered appliances, including the following details:</p><p>• Status, as indicated by the appliance status icons</p><p>• Hostname of the appliance</p><p>• IP address of the C interface</p><p>• Software version number</p><p>• Mode (Web or Email)</p><p>To change the sort order of a column, click the column header to display the sorting arrow, and then click the arrow. To filter the appliances that are displayed in this table, use the filtering panel.</p><p>After 10 minutes of idle time, a warning message informs you that your session will expire in five (5) minutes.</p><p>In this lab activity, practice how to create a custom appliance group, and then add or remove appliances to or from a custom group.</p><p>1. Still accessing the Landing Desktop or Security Manager VM, log on to Forcepoint Security Appliance Manager.</p><p>2. To create and add appliances to a new custom group:</p><p>a.
In the Appliances list, select the checkboxes next to the available appliances (for example, webva-1 and webva-2) to be added to the new custom group.</p><p>Alternatively, to add an appliance to an existing custom group, select the appliance, and then select Add to group in the Actions dropdown menu.</p><p>b. Select Create Group in the Actions dropdown menu.</p><p>c. In the Create Custom Group dialog box, enter a name for the new custom group (for example, Pilot Testing). A custom group name can be at most 18 characters long.</p><p>d. Click Submit. The new custom group should now list the two appliances.</p><p>3. To remove an appliance from the custom group you created in the previous step:</p><p>a. In the Appliances list, select the checkbox next to the first listed appliance to be removed.</p><p>b. Select Remove from group in the Actions dropdown menu.</p><p>c. In the Remove from Custom Group dialog box, select the group from which the selected appliance should be removed.</p><p>d. Click Submit. The message "The action was successful." appears, and your custom group should now list one appliance.</p><p>1.3.3: Manage a Custom Group</p><p>1. Log on to Forcepoint Security Appliance Manager.</p><p>2. Create and add appliances to a new custom group.</p><p>3.
Remove an appliance from a custom group.</p><p>Delegated administration provides an effective way to distribute responsibility for Web Security configuration, policy management, reporting, and compliance auditing among multiple individuals. For example:</p><p>• Allow individual managers to set policies and run reports on the users in their teams.</p><p>• Give local administrators for regional offices or campuses policy management permissions, as well as some access to local configuration options, but limit reporting access to protect end-user privacy.</p><p>• Ensure that Human Resources can run Internet activity reports on some or all clients, identified by username or IP address.</p><p>• Grant auditors access to view all configuration and policy management screens in the Web module of Security Manager without the ability to save changes.</p><p>You can define levels of access to Security Manager to allow specified administrators to manage one or more Forcepoint modules. Within the Web module, you can further refine access permissions to allow administrators to manage policies, perform reporting tasks, and more, so that each administrator holds only the permissions their tasks require.</p><p>Delegated administration roles are made up of any number of related clients (directory, computer, or network) and the administrators who manage their policies, run reports on their Internet usage, or both.</p><p>Delegated administration distributes configuration, policy management, and reporting responsibilities across an organization.
In the next pages, learn about roles and permissions to help you manage your Security Manager system effectively.</p><p>Delegated Administration Overview (diagram: Global Security Administrator; Security Manager Super Administrator; Security Manager Delegated Administrators; Managed Clients)</p><p>Administrators assigned to the Super Administrator role have the ability to create roles, assign administrators and managed clients to roles, and determine the permissions of the administrators in each role. Global Security Administrators can add administrators to the Super Administrator role.</p><p>Super Administrators manage policy for those clients not assigned to a delegated administration role.</p><p>Role Types</p><p>• Delegated administration roles = clients + administrators</p><p>• Managed clients are the clients in a delegated administration role</p><p>• A role can include multiple administrators</p><p>There are three role types: Super Administrator (unconditional or conditional), and the two delegated administration role types, policy management and reporting, and investigative reporting.</p><p>Policy management and reporting: Administrators manage user policies through this role. Administrators in the role can optionally also run reports, either on the clients in the role or on all clients. A client can be added to only one policy management and reporting role.</p><p>Investigative reporting: Administrators can run investigative reports showing Internet activity only for the managed clients in this role. Administrators in this role cannot manage policies.
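The role types above, as an added example written for this page (it is not Forcepoint code and does not reproduce the product's implementation): a small Python model in which a client may be managed by at most one policy management and reporting role but by any number of investigative reporting roles, only accounts already granted Web module access can be added to a role, administrators in an investigative reporting role never gain policy rights, and Super Administrators manage policy only for clients that no delegated role owns. The names RoleRegistry, the report_on_* flags, and the sample administrators, roles and clients are the example's own assumptions, constructed to exercise the rules.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set


class RoleType(Enum):
    SUPER = "super"                   # Super Administrator role
    POLICY = "policy_and_reporting"   # policy management and reporting role
    INVESTIGATIVE = "investigative"   # investigative reporting role


@dataclass
class Role:
    name: str
    kind: RoleType
    admins: Set[str] = field(default_factory=set)
    clients: Set[str] = field(default_factory=set)   # managed clients
    # Hypothetical flags standing in for the optional reporting permission
    # that administrators of a policy management and reporting role may get.
    report_on_role_clients: bool = False
    report_on_all_clients: bool = False


class RoleRegistry:
    """Toy model of the Web module's delegated administration rules."""

    def __init__(self, web_module_admins: Set[str]):
        # Accounts granted Web module access via Global Settings.
        self.web_module_admins = set(web_module_admins)
        self.roles: Dict[str, Role] = {}

    def add_role(self, role: Role) -> None:
        if role.name in self.roles:
            raise ValueError(f"role {role.name!r} already exists")
        self.roles[role.name] = role

    def add_admin(self, role_name: str, admin: str) -> None:
        # Only accounts that already have Web module access can be added to roles.
        if admin not in self.web_module_admins:
            raise PermissionError(f"{admin} has no Web module access")
        self.roles[role_name].admins.add(admin)

    def add_client(self, role_name: str, client: str) -> None:
        role = self.roles[role_name]
        if role.kind is RoleType.POLICY:
            # A client may belong to only one policy management and reporting role.
            for other in self.roles.values():
                if other.kind is RoleType.POLICY and other is not role and client in other.clients:
                    raise ValueError(f"{client} is already managed by policy role {other.name!r}")
        # Investigative reporting roles may share clients freely.
        role.clients.add(client)

    def policy_role_of(self, client: str) -> Optional[Role]:
        """The single policy management and reporting role managing client, if any."""
        for role in self.roles.values():
            if role.kind is RoleType.POLICY and client in role.clients:
                return role
        return None

    def can_manage_policy(self, admin: str, client: str) -> bool:
        managing = self.policy_role_of(client)
        for role in self.roles.values():
            if admin not in role.admins:
                continue
            if role.kind is RoleType.SUPER and managing is None:
                return True   # Super Administrators manage clients no delegated role owns
            if role.kind is RoleType.POLICY and role is managing:
                return True
        return False          # investigative roles never grant policy management

    def can_report_on(self, admin: str, client: str) -> bool:
        for role in self.roles.values():
            if admin not in role.admins:
                continue
            if role.kind is RoleType.SUPER or role.report_on_all_clients:
                return True
            if role.kind is RoleType.INVESTIGATIVE and client in role.clients:
                return True
            if role.kind is RoleType.POLICY and role.report_on_role_clients and client in role.clients:
                return True
        return False


def build_demo_registry() -> RoleRegistry:
    """Constructed sample: the Super Administrator role plus two delegated roles."""
    reg = RoleRegistry(web_module_admins={"admin", "alice", "bob", "hr_auditor"})
    reg.add_role(Role("Super Administrator", RoleType.SUPER, admins={"admin"}))
    reg.add_role(Role("Sales Managers", RoleType.POLICY, report_on_role_clients=True))
    reg.add_role(Role("HR Investigations", RoleType.INVESTIGATIVE))
    reg.add_admin("Sales Managers", "alice")
    reg.add_admin("HR Investigations", "hr_auditor")
    for client in ("sales_team", "sales_vip"):
        reg.add_client("Sales Managers", client)
    for client in ("sales_team", "engineering"):   # sales_team is shared: allowed
        reg.add_client("HR Investigations", client)
    return reg
```

With this sample, alice can manage policy for sales_team but not for engineering, hr_auditor can report on engineering but can never manage policy, and admin loses policy control over any client the moment a policy management and reporting role takes it over, which is the behaviour described for Super Administrators above.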
Clients can be added to multiple investigative reporting roles.</p><p>Any administrator account that has been granted access to the Web module appears on the Delegated Administration > View Administrator Accounts page. These accounts are also listed on the Delegated Administration > Edit Role > Add Administrators page. Only administrators that have already been granted Web module access via Global Settings can be added to roles.</p><p>Delegated administration roles are made up of any number of related clients and the administrators who manage their policies, run reports on their Internet usage, or both. Clients are users, groups, domains (OUs), computers, and networks. Clients in a delegated administration role are referred to as managed clients. Administrators can perform different tasks (such as managing policies or running reports) for the managed clients in their role, based on their permissions. A role can include multiple administrators, and different administrators within a role can have different privileges.</p><p>The role type determines the permissions that can be granted to administrators in the role. Continue to the next page for details.</p><p>Super Administrators can perform the following:</p><p>• Create a set of master restrictions (the Filter Lock) that limit the access delegated administrators can grant to their clients via policies.</p><p>• Send copies of their policies and filters to delegated administrators, who can use them as templates for creating policies and filters to apply to their clients.</p><p>• Create the other two types of delegated administration and reporting roles.</p><p>When you add an account on the Global Settings > General > Administrators page, or select the Grant access and the ability to modify access permissions for other accounts option for the Web module, the account is automatically added to the Super Administrator role in the Web module with unconditional permissions.</p><p>Unconditional Super Administrators can:</p><p>• Access all system
configuration settings in the Web module (managed via the Settings options).</p><p>• Add or remove administrators in the Super Administrator role.</p><p>• Create or edit the Filter Lock, which blocks certain categories and protocols for all users managed by delegated administration roles.</p><p>• Manage policies for clients in the Super Administrator role, including the Default policy that applies to all clients not assigned another policy in any role.</p><p>• Create and run reports on all clients, regardless of the role they are assigned to.</p><p>• Access Real-Time Monitor.</p><p>• Review component status and stop or start components from the Status > Deployment page.</p><p>Policy Permission (slide: permissions that can be granted, by role type)</p><p>Conditional Super Administrator: Policy management (Full policy or Exceptions only); Reporting; Real-Time Monitor; Content Gateway direct access; Auditor</p><p>Policy management and reporting role: Policy management (Full policy or Exceptions only); Deployment status; Real-Time Monitor; Auditor</p><p>Investigative reporting role: Create investigative reports; Use tools: URL Category, URL Access; Investigative User; View Dashboard charts; Auditor</p><p>When an unconditional Super Administrator adds additional administrators to the Super Administrator role (via the Policy Management > Delegated Administration page), the new administrators are granted conditional permissions.</p><p>Unlike unconditional Super Administrators, whose permissions cannot be changed, conditional Super Administrators can be granted a combination of policy management, reporting, and access permissions.</p><p>Full policy permissions allow conditional Super Administrators to perform the tasks listed further below.</p><p>Exceptions only permissions allow conditional Super Administrators to create and edit exceptions. Exceptions permit or block URLs
for specified users, regardless of which policy normally governs their Internet access. Policies, filters, filter components, the Filter Lock, and all Settings pages are hidden from Super Administrators with exceptions only permissions.</p><p>Real-Time Monitor permissions allow Super Administrators to monitor all Internet activity for each Policy Server associated with Security Manager.</p><p>Content Gateway direct access permissions allow Super Administrators to be logged on to Content Gateway Manager automatically via a button on the Settings > General > Content Gateway Access page in Security Manager.</p><p>Super Administrators (unconditional, or conditional with the corresponding permissions) can also:</p><p>• Review the audit log, which records administrator access to and actions within the Web module.</p><p>• Launch Content Gateway Manager via a button on the Settings > General > Content Gateway Access page and be logged on automatically, without having to provide credentials.</p><p>Full policy permissions allow conditional Super Administrators to:</p><p>• Create and edit delegated administration roles, filter components, filters, policies, and exceptions, and apply policies to clients that are not managed by any other role.</p><p>• Access database download, directory service, user identification, and Network Agent configuration settings.
Conditional Super Administrators with reporting permissions can also access configuration settings for the reporting tools.</p><p>• Create and edit delegated administration roles, but not delete roles or remove the administrators or managed clients assigned to them.</p><p>Reporting permissions allow conditional Super Administrators to:</p><p>• Access Status > Dashboard page charts.</p><p>• Run investigative and presentation reports on all users.</p><p>If an administrator is granted reporting permissions only, the Check Policy tool does not appear in the Toolbox.</p><p>Virtual Lab Overview</p><p>The lab activities aim to kick-start your understanding of the post-installation tasks that apply to most standard installations. The virtual lab environment is tailored specifically to the needs of the Web Security Administrator course. All virtual machines provided are hosted on the Technical Training team's virtual infrastructure.</p><p>Each student has access to a lab environment that features the virtual machines (VMs) listed above. The Web Security components, plus other necessary applications, are already pre-installed.</p><p>Host | Description</p><p>WebVA-1.fpcert.com (C interface: 172.31.0.151) | Hosts the first appliance, a virtualized version of a Forcepoint V Series appliance, which is already registered with FP-Sec-SVR. This virtual appliance runs the following: Security mode: Web only; Policy mode: User Directory and Filtering; Content Gateway.</p><p>WebVA-2.fpcert.com (C interface: 172.31.0.155) | Hosts the second appliance, another virtualized version of a Forcepoint V Series appliance, which is already registered with FP-Sec-SVR.
This is included to reflect a common use case of running more than one appliance in a deployment.</p>
<p>Host: Domain_Controller (172.31.0.150)</p>
<p>Description: Hosts the Domain Controller for fpcert.com. Domain_Controller also hosts Microsoft Exchange Server, which is configured to accept email from any server on the network.</p>
<p>Host: Windows_test_client (172.31.0.157)</p>
<p>Description: Hosts another Windows 10 client for additional client-to-client testing and/or applicable lab activities.</p>
<p>Web Security Virtual Lab Network Topology</p>
<p>The topology diagram shows the following hosts:</p>
<p>• Traffic_Generator, IP 172.31.0.180, OS Ubuntu, role: proxy traffic generator</p>
<p>• Security_Manager, IP 172.31.0.155, OS Windows Server 2016, roles: Forcepoint Security Manager, SQL Server</p>
<p>• Windows_test_client, IP 172.31.0.157, OS Windows 10</p>
<p>• WebVA-1.fpcert.com, C interface 172.31.0.151, OS CentOS, policy mode: User directory and filtering</p>
<p>• Domain_Controller, IP 172.31.0.150, OS Windows Server 2016, roles: Domain Controller, Active Directory, Exchange Server</p>
<p>• WebVA-2.fpcert.com, C interface 172.31.0.155, OS CentOS, policy mode: User directory and filtering</p>
<p>The Lab Resource shortcut on the Security_Manager desktop provides a link to the c:\Forcepoint folder, which contains all keys and resource files that are used in the lab environment.
These are the sub-folders:</p>
<p>• License_Keys: Contains all needed subscription keys for all products, including the Forcepoint DLP subscription XML file.</p>
<p>• My_Share: A shared folder (UNC path \\Security_Manager\My_Share) that keeps files related to all products, anything from files used for fingerprinting tests and database files to emails containing spam and viruses for testing.</p>
<p>• Scripts: Contains a few scripts for testing and connecting, in particular the SSH-TO-V10K batch file, which you can use to connect automatically to the V10K shell. This script has been pre-configured with the decoded passcode for connecting to the V10K shell so that you can enable root access later in the course.</p>
<p>FP_Sec_SVR > “Lab Resources” shortcut</p>
<p>Module 1: Understanding and Getting Started with Web Security</p>
<p>Module agenda</p>
<p>This module contains the following topics:</p>
<p>• Web Security Overview</p>
<p>• Components and Architecture</p>
<p>• Appliance Overview</p>
<p>• Deployment Overview</p>
<p>• Web Security Administration</p>
<p>• Delegated Administration</p>
<p>The way we are going to meet this module’s objectives is through these topics.</p>
<p>Forcepoint Web Security is a secure web gateway that stops advanced threats from getting in and sensitive data from getting out—whether an organization’s users are in the office, working from home, or on the road.
Web Security easily integrates with other Forcepoint solutions for single, consistent security controls that can protect against inbound and outbound threats with even the smallest of security teams.</p>
<p>Real-time protection against advanced threats and data theft</p>
<p>Web Security offers real-time protection against advanced threats and data theft. Identify threats with over 10,000 analytics, machine learning, and other advanced techniques maintained through real-time global threat intelligence. Web Security provides threat protection</p>
<p>a role.</p>
<p>Policy Management and Reporting Permissions</p>
<p>Delegated administrators in policy management and reporting roles can be given any combination of the following permissions:</p>
<p>Full policy permissions allow delegated administrators to create and manage filter components (including custom categories and recategorized URLs), filters (category, protocol, and limited access), policies, and exceptions (black and white lists) for their managed clients.</p>
<p>Filters created by delegated administrators are restricted by the Filter Lock, which may designate some categories and protocols as blocked and locked. These categories and protocols cannot be permitted by delegated administrators. (As part of enforcing the Filter Lock, delegated administrators cannot give their managed clients password override permissions.)</p>
<p>Only one administrator at a time can log on to a role with policy permissions. Therefore, if an administrator is logged on to a role to perform policy tasks, other administrators in the role can log on with auditing (read-only), reporting, or Real-Time Monitor permissions only.
Administrators who have been assigned to multiple roles also have the option to select a different role to manage.</p>
<p>Exceptions only permissions allow delegated administrators to create and manage exceptions for managed clients in their role. (Exceptions permit or block URLs for specified users, regardless of which policy normally governs their Internet access.)</p>
<p>Policies, filters, and filter components are hidden for delegated administrators with exceptions only permissions.</p>
<p>Deployment status permissions allow delegated administrators to review component status on the Status > Deployment page. Delegated administrators with deployment status permissions can also be granted permission to start components, stop components, or both.</p>
<p>Real-Time Monitor permissions allow administrators to monitor all Internet activity for each Policy Server associated with the Security Manager.</p>
<p>Investigative Reporting Permissions</p>
<p>Administrators in this role can create investigative reports for managed clients in their role. Clients’ policies are managed in other roles. They can also use the URL Category, URL Access, and Investigate User tools.</p>
<p>These administrators do not have access to presentation reports or Real-Time Monitor, but can optionally be allowed to view charts on the Status > Dashboard page.</p>
<p>Auditors</p>
<p>Any conditional Super Administrator or delegated administrator account can be granted Auditor permissions. An auditor can see most Web module features and functions, but cannot save any changes.</p>
<p>Instead of the OK and Cancel buttons that allow other administrators to cache or discard changes, Auditors are given a single Back button.
The Save and Deploy button is disabled.</p>
<p>• Any delegated administrator with reporting permissions can be given access to the Status > Dashboard page, investigative reports, and the Settings pages used to manage Log Server and the Log Database.</p>
<p>• Delegated administrators with the option to report on all clients can also be given access to presentation reports.</p>
<p>Reporting permissions can be granted in either of two general categories: report on all clients, or report on only managed clients in the role.</p>
<p>Delegated administrators can edit inherited policies and filters. Changes made affect only that role. Any changes the Super Administrator later makes to the original policies and filters do not affect the delegated roles. Delegated administrators can also edit filter components for their role, with some limitations.</p>
<p>If a Super Administrator has implemented Filter Lock restrictions, there may be categories or protocols that are automatically blocked and cannot be changed in the filters you create and edit (aside from the default settings).</p>
<p>In the sample screenshots above, the Global executives role features dvilla as its administrator. When logging on to Security Manager, dvilla can create policies and filters that are specific to the managed clients in this role.
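</p>
<p>The Filter Lock rule described above, modelled as an added example that is not part of the course or of Forcepoint's software: a pre-save check over the category and protocol filters a delegated administrator submits, which forces every locked category and protocol to Block, withholds password override for managed clients of a delegated role, and leaves the unconditional Super Administrator role untouched. The locked defaults are the lists from lab activity 1.4.3 on this page; the Action enum, the dataclasses and apply_filter_lock are constructed for the example.</p>

```python
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    PERMIT = "Permit"
    BLOCK = "Block"
    MONITOR = "Monitor"   # constructed stand-in for the "Monitor Only" behaviour


# Categories and protocols that the default Filter Lock designates as
# blocked and locked (the lists from lab activity 1.4.3 on this page).
DEFAULT_LOCKED_CATEGORIES = frozenset({
    "Adult Material > Adult Content", "Adult Material > Nudity",
    "Adult Material > Sex", "Gambling", "Illegal or Questionable",
    "Intolerance", "Tasteless", "Violence",
})
DEFAULT_LOCKED_PROTOCOLS = frozenset({
    "Ares", "BitTorrent", "DirectConnect", "eDonkey", "EZPeer",
    "FastTrack (Kazaa iMesh)", "Gnutella (Morpheus Xolox)",
    "Hotline Connect", "Skype",
})


@dataclass(frozen=True)
class FilterLock:
    categories: frozenset = DEFAULT_LOCKED_CATEGORIES
    protocols: frozenset = DEFAULT_LOCKED_PROTOCOLS


@dataclass
class RoleFilters:
    """Category and protocol filters as submitted by an administrator of a role."""
    role: str
    unconditional_super_admin: bool      # only this role is exempt from the lock
    category_actions: dict               # category name -> Action
    protocol_actions: dict               # protocol name -> Action
    password_override: bool = False      # wants to grant managed clients password override


@dataclass
class LockResult:
    category_actions: dict
    protocol_actions: dict
    password_override: bool
    changes: list = field(default_factory=list)   # audit trail of what the lock overrode


def apply_filter_lock(filters: RoleFilters, lock: FilterLock = FilterLock()) -> LockResult:
    """Return the filters as they would actually be enforced for this role.

    For a delegated role every locked category or protocol is forced to Block,
    whatever the administrator selected, and password override is withheld.
    The unconditional Super Administrator role is returned unchanged because
    its managed clients may access locked categories and protocols.
    """
    result = LockResult(dict(filters.category_actions),
                        dict(filters.protocol_actions),
                        filters.password_override)
    if filters.unconditional_super_admin:
        return result

    for name, action in filters.category_actions.items():
        if name in lock.categories and action is not Action.BLOCK:
            result.category_actions[name] = Action.BLOCK
            result.changes.append(f"category {name!r}: {action.value} -> Block (locked)")
    for name, action in filters.protocol_actions.items():
        if name in lock.protocols and action is not Action.BLOCK:
            result.protocol_actions[name] = Action.BLOCK
            result.changes.append(f"protocol {name!r}: {action.value} -> Block (locked)")
    if filters.password_override:
        result.password_override = False
        result.changes.append("password override withheld: delegated roles cannot grant it")
    return result


def demo() -> LockResult:
    # Constructed sample: the delegated 'Global executives' role from the lab
    # tries to permit Gambling and BitTorrent and to grant password override.
    submitted = RoleFilters(
        role="Global executives", unconditional_super_admin=False,
        category_actions={"Gambling": Action.PERMIT, "Violence": Action.MONITOR,
                          "Business and Economy": Action.PERMIT},
        protocol_actions={"BitTorrent": Action.PERMIT, "HTTP": Action.PERMIT},
        password_override=True,
    )
    return apply_filter_lock(submitted)


if __name__ == "__main__":
    for line in demo().changes:
        print(line)
```
<p>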
On the other hand, the IT reporting and auditing role has the investigative role type, which offers its administrator a different set of features when accessing Security Manager.</p>
<p>NOTE: Only Super Administrators can add more administrators to a delegated role. Only one administrator at a time can log on with full policy or exceptions-only permissions in the shared role.</p>
<p>• Categories: Add or edit custom categories; assign custom URLs and keywords to custom or Master Database categories; change the action applied by default in category filters. Changes to a category’s default action are implemented only if the category is not locked by the Filter Lock.</p>
<p>• Protocols: Change the action applied by default in protocol filters in your role. Changes to a protocol’s default action are implemented only if the protocol is not locked by the Filter Lock. Delegated administrators cannot add or delete protocol definitions.</p>
<p>• File types: View the file extensions assigned to each file type. Delegated administrators cannot add file types or change the extensions assigned to a file type.</p>
<p>Use the remaining options in the Reporting Permissions area to set the specific permissions for administrators in this role. This option enables access to the Advanced File Analysis report.</p>
<p>• Report on managed clients only: Select this option to limit administrators to reporting on the managed clients assigned to this role. Then, select the investigative reports features these administrators can access.</p>
<p>• Access presentation reports: Enables access to presentation reports features.
This option is available only when administrators can report on all clients.</p>
<p>• Access the Status > Dashboard page: Enables display of charts showing Internet activity on the Risks, Usage, and System dashboards. If this option is not selected, administrators can view only the Health Alert and Value Estimates (if displayed) sections of the System dashboard.</p>
<p>o Access the Threats dashboard: Allows administrators to access charts, summary tables, and event details related to advanced malware threat activity in your network.</p>
<p>o Access forensics data in the Threats dashboard: Allows administrators to view files associated with threat activity, and review information about attempts to send the files.</p>
<p>Reporting Administration</p>
<p>• Administrators limited to reporting on managed clients can only access the investigative reports features.</p>
<p>• Administrators with a Policy and reporting role have access to these permissions:</p>
<p>• Access investigative reports: Enables access to basic investigative reports features. When this option is selected, additional investigative reports features can also be selected. This option enables access to the Source IP link on the Advanced File Analysis report.</p>
<p>o View usernames in investigative reports: Allows administrators in this role to view usernames, if they are logged. Deselect this option to show only system-generated identification codes instead of names. This option is available only when administrators are granted access to investigative reports.</p>
<p>o Save investigative reports as favorites: Allows administrators in this role to create favorite investigative reports.
This option is available only when administrators are granted access to investigative reports.</p>
<p>o Schedule investigative reports: Allows administrators in this role to schedule investigative reports to run at a future time or on a repeating cycle. This option is available only when administrators are granted permission to save investigative reports as favorites.</p>
<p>• Manage the Log Database: Allows administrators to access the Settings > Reporting > Log Database page.</p>
<p>• Access application reports: Allows administrators to see browser, platform, cloud application, and user agent data on the Reporting > Applications page.</p>
<p>If administrators with policy permissions in the same role try to connect at the same time, the first administrator can log on with full policy or exceptions-only permissions. The second administrator is presented with limited options:</p>
<p>• Log on with read-only access (similar to temporary auditor permissions). When this option is selected, the Role drop-down box shows “Role Name - [Read-Only]” as the current role and offers the option of switching to “Role Name” (without any modifiers).
This makes it possible to access the role with policy permissions when the role is no longer locked.</p>
<p>• Log on for reporting only, if the administrator has reporting permissions.</p>
<p>• Log on to a different role, if the administrator is assigned to any other roles.</p>
<p>• Log on to view only the Status pages until the role becomes available (Limited Status access).</p>
<p>• Try again later, after the first administrator logs off.</p>
<p>Administrators who are not using their policy permissions can do one of the following to unlock the role and allow another administrator to log on to manage policies:</p>
<p>• If generating reports, select Release Policy Permissions from the Role drop-down list. When this option is selected, policy management features are hidden from the logged-on administrator, but reporting features remain active.</p>
<p>• If monitoring system performance, select Status Monitor from the Role drop-down list. Administrators in Status Monitor mode can access the Status > Dashboard and Alerts pages, as well as Real-Time Monitor (if applicable). Their session does not time out. If administrators in Status Monitor mode try to go to a page other than Dashboard, Alerts, or Real-Time Monitor, they are prompted to log on again.</p>
<p>Use the Delegated Administration > Advanced > Manage Role Priority page to tell Security Manager what to do if different policies apply to the same user because of an overlap. When a conflict occurs, web protection software applies the policy from the role that appears highest on this list. Directory services allow the same user to belong to multiple groups. As a result, a single user may exist in groups that are managed by different delegated administration roles. The same situation exists with domains (OUs).
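</p>
<p>The overlap described above, worked through as an added example that is not part of the course or of Forcepoint's software: given the Manage Role Priority order and each role's managed clients (users, groups, OUs), governing_role picks the role whose policy applies to a user covered by more than one role, and overlapping_roles lists every role and why it covers the user, which is what an auditor would want to see before changing the priority order. The Global executives role and the group names follow the lab's role table; the Engineering policy role, DirectoryUser, Role and both functions are constructed for the example.</p>

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectoryUser:
    """A directory user as Web Security would resolve it: name, groups and OU."""
    name: str
    groups: frozenset
    ou: str


@dataclass(frozen=True)
class Role:
    """A delegated administration role and the clients it manages."""
    name: str
    managed_users: frozenset = frozenset()
    managed_groups: frozenset = frozenset()
    managed_ous: frozenset = frozenset()

    def coverage(self, user: DirectoryUser) -> list:
        """Every way this role's managed clients include the user (empty if none)."""
        reasons = []
        if user.name in self.managed_users:
            reasons.append(f"user {user.name}")
        reasons += [f"group {g}" for g in sorted(user.groups & self.managed_groups)]
        if user.ou in self.managed_ous:
            reasons.append(f"OU {user.ou}")
        return reasons


def overlapping_roles(user: DirectoryUser, priority: list) -> list:
    """Roles that manage the user, in Manage Role Priority order (highest first),
    each paired with the reasons. More than one entry means an overlap."""
    return [(role, role.coverage(user)) for role in priority if role.coverage(user)]


def governing_role(user: DirectoryUser, priority: list):
    """Name of the role whose policy applies when roles overlap, or None when no
    delegated role manages the user (the Super Administrator role's policies,
    and ultimately the Default policy, then apply)."""
    matches = overlapping_roles(user, priority)
    return matches[0][0].name if matches else None


# Constructed sample roles, following the lab's role table: Global executives
# manages the Executives and IT groups; a second role manages Engineering and one user.
GLOBAL_EXECUTIVES = Role("Global executives", managed_groups=frozenset({"Executives", "IT"}))
ENGINEERING = Role("Engineering policy", managed_users=frozenset({"csmith"}),
                   managed_groups=frozenset({"Engineering"}))

# csmith is a managed user of one role and a member of a group the other manages.
CSMITH = DirectoryUser("csmith", frozenset({"Engineering", "IT"}), "Engineering")
JDOE = DirectoryUser("jdoe", frozenset({"Accounting"}), "Accounting")   # managed by no role


if __name__ == "__main__":
    # Swapping the priority order changes which role's policy csmith receives.
    for order in ([GLOBAL_EXECUTIVES, ENGINEERING], [ENGINEERING, GLOBAL_EXECUTIVES]):
        print([r.name for r in order], "->", governing_role(CSMITH, order),
              [(r.name, why) for r, why in overlapping_roles(CSMITH, order)])
```
<p>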
Additionally, it is possible for a user to be managed by one role and belong to a group or domain (OU) that is managed by a different role.</p>
<p>If the administrators for these roles are logged on simultaneously, the administrator responsible for the user could apply policy to that user at the same time as the administrator responsible for the group applies policy to the individual members of the group.</p>
<p>Gateway</p>
<p>1.3 Discovering Forcepoint Security Appliance Manager</p>
<p>1.4 Performing Delegated Administration</p>
<p>1.5 Performing Bulk Hotfix Installation</p>
<p>Delegated administration requires the following steps, which are covered as lab exercises in this lab activity:</p>
<p>I. Prepare Web Security.</p>
<p>1. Configure user directory service settings.</p>
<p>2. Become familiar with the Default policy.</p>
<p>3. Become familiar with Filter Lock.</p>
<p>II. Set up delegated administrator accounts.</p>
<p>1. Configure directory service settings for delegated administrators.</p>
<p>2. Create administrator accounts.</p>
<p>III. Configure delegated administration of policy management and reporting tasks.</p>
<p>1. Create the Web Security delegated administration roles.</p>
<p>2. Test roles and their access to Security Manager and feature set.</p>
<p>Make sure that Web Security can communicate with a user directory so that you can identify user, group, and domain (OU) clients for use in applying policies.</p>
<p>1. Access the Forcepoint Virtual Lab environment, and then open a connection to the Security_Manager VM.</p>
<p>a. Log on to Security Manager using the following credentials:</p>
<p>Username: admin</p>
<p>Password: Forcepoint1!</p>
<p>b. Navigate to Web > Settings > General > Directory Services.</p>
<p>2. 
Verify that Active Directory (Native Mode®) is selected (by default) from the list of supported directories, and then configure the following settings:</p>
<p>a. In the Active Directory (Native Mode®) section, click Add. The Add Global Catalog Server screen appears.</p>
<p>b. Type 172.31.0.150 in the IPv4 address or hostname field.</p>
<p>NOTE: 172.31.0.150 is the IP address of the fpcert domain controller. Alternatively, you can use the DNS name of Domain_Controller (dc.fpcert.com) instead of the IP address.</p>
<p>c. In the Administrative Access section, select Full Distinguished name, and then type the following settings:</p>
<p>User distinguished name: CN=Administrator, OU=IT, DC=FPCERT, DC=COM</p>
<p>Password: Forcepoint1!</p>
<p>1.4.1: Configure User Directory Service Settings</p>
<p>1. Navigate to Web > Settings > General > Directory Services.</p>
<p>2. Configure settings for Active Directory (Native Mode®).</p>
<p>3. Test the connection.</p>
<p>4. Save and deploy the changes.</p>
<p>As a safety net, the Default policy is in effect 24 hours a day, 7 days a week. This policy is used to handle requests whenever no other policy applies. Initially, the Default policy monitors requests without blocking.</p>
<p>• Learn about the Default policy in Module 2 > Policy Management.</p>
<p>1. Access the Landing Desktop (Bastion) or Forcepoint Security Manager (Security_Manager) VM, and log on to Security Manager using the admin account. Navigate to the Main > Policy Management > Policies page, and then click Default to view policy details.</p>
<p>2. 
Take note of the following:</p>
<p>• Clients summary at the top of the content pane. Note that even if no clients are listed here, the Default policy applies to any client not currently governed by another policy.</p>
<p>• Schedule in the Policy Definition section. Initially, in the Super Administrator role, the Category / Limited Access Filter column shows that the Monitor Only filter is in effect. In delegated administration roles, the Default policy initially enforces the Default category filter. A category filter is a list of categories and the actions (such as Permit or Block) assigned to them. The category filter enforced by a policy determines how user Internet requests are treated.</p>
<p>Initially, in the Super Administrator role, the Protocol Filter column shows that the Monitor Only filter is in effect. In delegated administration roles, the Default policy initially enforces the Default protocol filter.</p>
<p>1.4.2: Become Familiar with the Default Policy as a Super Admin</p>
<p>1. Go to Main > Policy Management > Policies to view the Default policy details.</p>
<p>2. Take note of the clients and schedule.</p>
<p>3. Examine the Category Filter column.</p>
<p>Unconditional Super Administrators can create a Filter Lock to define categories and protocols that delegated administrators cannot permit for any clients.</p>
<p>Clients managed by the unconditional Super Administrator role can access categories (with related file types and keywords) or protocols that are blocked and locked on the Filter Lock page. For example, if the Super Administrator role manages members of the legal team or InfoSec, they can be given access to websites that provide information about, support, or promote online gambling.</p>
<p>1. 
In Security Manager, go to Main > Policy Management > Filter Lock from the left navigation pane, and then click Categories under Manage Filter Components. Notice the categories (and related file types or keywords) that are blocked and locked by default:</p>
<p>• Adult Material > Adult Content, Nudity, Sex</p>
<p>• Gambling</p>
<p>• Illegal or Questionable</p>
<p>• Intolerance</p>
<p>• Tasteless</p>
<p>• Violence</p>
<p>2. Click Cancel to go back to the Filter Lock page, and then click Protocols under Manage Filter Components.</p>
<p>1.4.3: Become Familiar with the Categories and Protocols Blocked and Locked by Default</p>
<p>1. Go to the Filter Lock > Categories page. Notice the categories that are blocked and locked by default:</p>
<p>2. Go to the Filter Lock > Protocols page. Notice that P2P File Sharing and related apps are blocked and locked by default:</p>
<p>• Ares</p>
<p>• BitTorrent</p>
<p>• DirectConnect</p>
<p>• eDonkey</p>
<p>• EZPeer</p>
<p>• FastTrack (Kazaa iMesh)</p>
<p>• Gnutella (Morpheus Xolox)</p>
<p>• Hotline Connect</p>
<p>• Skype</p>
<p>Lock, the red Block icon is displayed with an overlapping Lock icon. This means that such a category or protocol can never be accessed by their clients.</p>
<p>Administrative users can log on to Security Manager using either local accounts or their network accounts.</p>
<p>NOTE: In this lab activity, designate two AD users and one local user to have administrator access to the Web Security module.</p>
<p>To enable network accounts to log on to Security Manager, configure Security Manager to communicate with a single directory service to authenticate logons.</p>
<p>1. Go to the Global Settings > User Directory page in Security Manager.</p>
<p>2. 
Select Active Directory from the User directory server list and set the following fields:</p>
<p>• IP address or host name: 172.31.0.150</p>
<p>• Port:</p>
<p>• User distinguished name: CN=Administrator, OU=IT, DC=FPCERT, DC=COM</p>
<p>• Password: Forcepoint1!</p>
<p>• Root naming context: dc=fpcert, dc=com</p>
<p>3. Click Test Connection, and then click OK. Your settings should match the screenshot above.</p>
<p>1.4.4: Configure Directory Service Settings for Administrator Accounts</p>
<p>1. Go to Global Settings > General > User Directory and set the Active Directory server.</p>
<p>2. Set the connection parameters.</p>
<p>3. Test the connection, and then click OK.</p>
<p>General > Administrators page. Global Security Administrators—such as the one used in this lab, admin—add accounts and grant them permission to access Web Security or other modules. Accounts are not available to be added to delegated administration roles until they have first been added in Global Settings.</p>
<p>NOTE: This lab activity focuses on creating one local account and granting Web Security administrator access to two AD users. If unavailable, create two AD users (Chad Smith and David Villa) by accessing the domain controller (Domain_Controller VM).</p>
<p>1. Log on to Security Manager using the admin account, and then navigate to the Global Settings > General > Administrators page. Initially, only the admin account is listed on this page.</p>
<p>2. Click Add Local Account, and then add infosec_admin as a local account.</p>
<p>a. Specify the following details for infosec_admin:</p>
<p>Username: infosec_admin</p>
<p>Email address: infosec_admin@fpcert.com</p>
<p>Password: Forcepoint1!</p>
<p>b. 
Clear the following options:</p>
<p>• Global Security Administrator</p>
<p>This local administrator account, infosec_admin, should only have access to Web Security.</p>
<p>1.4.5: Create Administrator Accounts</p>
<p>1. Go to Global Settings > General > Administrators.</p>
<p>2. Create the infosec_admin local account.</p>
<p>• Notify administrator of the new account via email</p>
<p>(Optional) Go to the Global Settings > Notifications page to customize the email message sent to new administrators.</p>
<p>• Force administrator to create new password at logon</p>
<p>The local account infosec_admin will keep the default password. Local administrators can change their own password at any time on the Global Settings > My Account page.</p>
<p>c. Under Module Access Permissions, select the following options:</p>
<p>• Web > Grant access to this module</p>
<p>The infosec_admin local account should only have access to Web Security and will later obtain Auditor permission.</p>
<p>• Appliance Manager > Full access</p>
<p>The infosec_admin local account can access the Appliance Manager of all available appliances. This local account can also register or unregister appliances if needed.</p>
<p>d. Click OK to create the local account.</p>
<p>User Directory page.</p>
<p>a. Type all or part of the following usernames, and then select them to add to the Selected accounts list:</p>
<p>Chad Smith</p>
<p>David Villa</p>
<p>b. Clear the following options:</p>
<p>• Global Security Administrator</p>
<p>These network accounts should only have access to Web Security.</p>
<p>• Notify administrator of the new account via email</p>
<p>(Optional) Go to the Global Settings > Notifications page to customize the email message sent to new administrators.</p>
<p>c. 
Under Module Access Permissions, select the following:</p>
<p>• Web > Grant access to this module</p>
<p>• Appliance Manager > Full access</p>
<p>(cont.) 1.4.5: Create Administrator Accounts</p>
<p>3. Grant administrator access to AD users David Villa and Chad Smith.</p>
<p>d. Click OK to create the AD-based delegated administrator accounts. Your settings should match the screenshots on the previous page.</p>
<p>The new administrator accounts are immediately available for configuration within Web Security and have full access to all Web module features and functions.</p>
<p>Policy Management > Delegated Administration page, and then click Add to create delegated administration roles. A list of existing roles is displayed. Initially, this shows only the Super Administrator role.</p>
<p>NOTE: Refer to the screenshot above for the specific values that you should specify in the fields below.</p>
<p>a. Specify a Role Name and Description, and then specify the role type. The name must be between 1 and 50 characters long, and cannot include any of the following characters:</p>
<p>* ' { } ~ ! $ % & @ # . " | \ & + = ? / ; : ,</p>
<p>A role name can include spaces and dashes. Its description may be up to 255 characters. The character restrictions that apply to role names also apply to descriptions, with two exceptions—descriptions can include periods (.) and commas (,).</p>
<p>b. Set the role type and additional options. Refer to the table above to define the role type and related settings.</p>
<p>c. Click OK to define the administrators and clients in the Edit Role page.</p>
<p>1.4.6: Create Delegated Administration Roles</p>
<p>1. 
Go to Web > Main > Policy Management > Delegated Administration to create three roles with the following settings:</p>
<p>Role Name: Global executives. Role Type: Policy management and reporting. Administrator Account(s): David Villa. Clients: Executives, IT. Permission: Policy management > Full policy.</p>
<p>Role Name: Intern (auditor). Role Type: Policy management and reporting. Administrator Account(s): Chad Smith. Clients: Engineering. Permission: Policy management > Auditor.</p>
<p>Role Name: IT reporting and auditing. Role Type: Investigative reporting. Administrator Account(s): infosec_admin. Clients: Accounting, Engineering, Executives, HR, IT. Permission: Reporting.</p>
<p>2. To add administrators to the role, do the following:</p>
<p>a. Click the Add button below the Administrators list.</p>
<p>b. Add administrators and set permissions. Refer to the table above to select the administrators to add to the role and their specific permissions.</p>
<p>NOTE: When an unconditional Super Administrator adds additional administrators to the Super Administrator role, the new administrators are granted conditional permissions. For an investigative reporting role, there are no permissions to configure on this page.</p>
<p>c. Click OK to return to the Edit Role page.</p>
<p>3. To add clients to the role, do the following:</p>
<p>a. Click the Add button under the Managed Clients list.</p>
<p>b. Select or enter clients to add, and then click the right-arrow button to move them to the Selected list. Refer to the table above to define the clients per role.</p>
<p>(cont.) 1.4.6: Create Delegated Administration Roles</p>
<p>2. Add administrator accounts to the role.</p>
<p>3. Add managed clients to the role.</p>
<p>4. 
Save and deploy the new roles.</p>
<p>The settings for Global executives should match those shown.</p>
<p>(cont.) 1.4.6: Create Delegated Administration Roles</p>
<p>The settings for Intern (auditor) should match those shown.</p>
<p>Administrators in different roles can access the Web module of the Security Manager simultaneously to perform whatever activities their role permissions allow. Since they manage different clients, they can create and apply policies without conflict.</p>
<p>Refer to the screenshots above for a glimpse of how Security Manager renders various options depending on the delegated administrator account and role used.</p>
<p>1.4.7: Access Security Manager using Delegated Administration</p>
<p>1. Log on to Security Manager using the following accounts (in the following order):</p>
<p>• csmith</p>
<p>• dvilla</p>
<p>• infosec_admin</p>
<p>Make sure to log off before using the next account.</p>
<p>2. Examine the options available.</p>
<p>Logged on as csmith (Intern role), having Auditor permission.</p>
<p>Since version 2.0, FSAM allows installation of hotfixes to more than one appliance simultaneously.</p>
<p>Hands-on lab 1: Getting Started</p>
<p>1.1 Getting Started with Web Security</p>
<p>1.2 Getting Started with Web Security Appliance / Content Gateway</p>
<p>1.3 Discovering Forcepoint Security Appliance Manager</p>
<p>1.4 Performing Delegated Administration</p>
<p>1.5 Performing Bulk Hotfix Installation</p>
<p>/cm/</p>
<p>b. At the logon page, type the following credentials, and then click Log On.</p>
<p>Username: admin</p>
<p>Password: Forcepoint1!</p>
<p>2. Select the custom group that you created in Lab Activity 1.3.3, and then select Install hotfix from the Actions dropdown list. The Bulk Hotfix Install dialog appears.</p>
<p>3. 
Click Next to select the following:</p>
<p>• Storage location: Forcepoint Server</p>
<p>• Hotfix to install:</p>
<p>NOTE: Only hotfixes available to the selected appliances are displayed. Installed hotfixes are also displayed. Hover over the hotfixes to see additional information.</p>
<p>4. On the Summary screen, review the target appliances (those that belong to the custom group that you created) and the hotfixes that will be installed.</p>
<p>1.5.1: Install Multiple Hotfixes</p>
<p>1. Access FSAM.</p>
<p>2. Select the custom group that you created in Lab Activity 1.3.3, and then select Install hotfix from the Actions dropdown list.</p>
<p>3. Select Forcepoint Server as the storage location and hotfixes APP-8.5.0-001 and APP-8.5.0-200.</p>
<p>4. Click Start.</p>
<p>NOTE: Depending on your preference, you may opt to test other hotfix files.</p>
<p>Click Start to begin the bulk installation process. A status window appears.</p>
<p>A restart is necessary, and the appliances are prompted to restart automatically. In general, during a bulk hotfix installation, the target appliances might restart multiple times depending on how many hotfixes are being installed.</p>
<p>We have reached the end of Module 1.</p>
<p>Module summary</p>
<p>You should now be able to:</p>
<p>• Describe features, components, and key integrations that enable Web Security functionalities.</p>
<p>• Articulate the licensing structure for Web Security and related modules.</p>
<p>• Distinguish key settings in Security Manager, Content Gateway Manager, Forcepoint Security Appliance Manager, and other available user interfaces.</p>
<p>• Describe the differences between Super Administrators and delegated administrators.</p>
<p>with Forcepoint Advanced Classification Engine (ACE), Forcepoint ThreatSeeker 
Intelligence, and Advanced Malware Detection (AMD).</p><p>Forcepoint ACE, maintained by Forcepoint Security Labs researchers, improves your threat</p><p>defenses by identifying and classifying information crossing your network to deliver real-</p><p>time security ratings to all products built on the Forcepoint Management Infrastructure. Web</p><p>Security goes beyond anti-virus defenses through the ACE assessment capabilities.</p><p>Working in parallel with Forcepoint ACE, with global input from 155 countries,</p><p>Forcepoint ThreatSeeker Intelligence collects and users the ACE assessment capabilities</p><p>to analyze the vast expanse of online content for potential threats. ThreatSeeker also</p><p>serves to distribute threat intelligence to Forcepoint solutions around the world.</p><p>Forcepoint AMD provides deep content inspection and provides additional defense against</p><p>zero-day and other advanced, evasive malware through signature-less inspection and</p><p>analysis.</p><p>Forcepoint Cloud platform</p><p>Forcepoint CASB</p><p>Real-time</p><p>protection</p><p>against</p><p>advanced</p><p>threats and data</p><p>theft</p><p>Integration with</p><p>Forcepoint DLP,</p><p>Forcepoint</p><p>CASB, and</p><p>supported third-</p><p>party products</p><p>Extended</p><p>protection to</p><p>roaming users</p><p>Multiple</p><p>deployment</p><p>options</p><p>Web Security capabilities</p><p>AMDThreatSeeker</p><p>Forcepoint DLP</p><p>22 > 23</p><p>https://www.forcepoint.com</p><p>Additional modules listed provide enhanced protection in order to meet today’s network</p><p>security needs required for a successful web security strategy.</p><p>Forcepoint Web Security Cloud</p><p>Extend web protection and policy enforcement to remote users by deploying Forcepoint Web</p><p>Security as a physical or virtual appliance for a private cloud. 
Either choice can be further extended with Forcepoint's global cloud infrastructure for remote user protection.

Forcepoint Web DLP
Forcepoint Web DLP provides containment defenses against data theft and enables regulatory compliance with over 1,700 pre-defined policies and templates. It also includes industry-leading protection such as Drip-DLP against slow data leaks,

Forcepoint Cloud Sandbox / Advanced Malware Detection
Analyze suspicious files in a virtual environment and look far deeper than simple file execution to provide the highest level of protection from advanced malware. Detailed forensic reporting is automatically provided when malicious files are detected.

Forcepoint CASB
Extend full CASB functionalities to complement the existing ability to gain visibility into which cloud applications are being used. These full CASB functionalities can be used to control cloud applications for inline (proxy) deployments and are easily extended from the web security gateway.

Over the years, Forcepoint has worked to develop solutions that enable businesses to protect their networks from present-day threats. With new advances in technology and the evolving nature of threat activity, Forcepoint has continued to invest in solutions that provide advanced protection for organizations around the world.

Enhanced Protection Modules (module: add-on capability)
• Web Security Cloud: Web protection and policy enforcement to remote users
• Web DLP: Powerful, contextually aware DLP engine for added outbound protection against data theft
• Cloud Sandbox / Advanced Malware Detection: Behavioral sandboxing for automatic and manual analysis of malware files
• Cloud Access Security Broker (CASB): Full CASB functionalities that complement the existing ability to gain visibility into what cloud applications are being used

The following areas feature functionality changes in version 8.5.4. Learn more about these notable enhancements in the next section.

New Functionalities in 8.5.4
• Content Gateway enhancements
• SIEM enhancements
• Remote Browser Isolation (RBI)
• General enhancements

Content Gateway enhancements: Enabling authentication of HTTPS requests over HTTPS
• New variable in /opt/WCG/config/records.config: CONFIG proxy.config.auth.ssl_auth_url INT 1
• Default setting: Disabled (INT 0)
• When enabled, you can set HTTPS request authentication over HTTPS (using port 4443) in transparent proxy deployments.

When Content Gateway is used for authentication in transparent mode, Content Gateway cannot send back a 407 Proxy Authentication Required, because the browser is unaware of its presence. Therefore, in order to authenticate, the proxy first responds with an HTTP 307 Auth Required, which requests the browser to redirect to the proxy itself. The browser then makes a request to the new URL, which is now hosted on Content Gateway. If the original URL is HTTPS but is redirected to an HTTP URL for authentication, the browser sees suspicious behavior and throws a mixed content error. To avoid this error, Content Gateway now supports authentication using an HTTPS URL.

You can enable this feature using the Redirect Options section on the Content Gateway Manager > Configure > Security > Access Control > Global Authentication Options page.
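The records.config setting and the redirect behaviour just described, as an added example in JavaScript; this is not Content Gateway code. The configuration fragment is constructed: only the proxy.config.auth.ssl_auth_url variable, its INT 0/1 values and port 4443 come from the course text. The other records, the redirect hostname wcg.corp.example, the plain-HTTP port 8080 and the redirect path are placeholder assumptions, and the parser's acceptance of the LOCAL prefix and STRING/FLOAT types is assumed from the Apache Traffic Server records.config format rather than taken from the text.

```javascript
// Added example (not Content Gateway code): parse records.config lines and check
// the HTTPS-authentication-over-HTTPS setting, then predict whether a browser
// would hit the mixed-content error the course text describes.

// Constructed records.config fragment. Only the ssl_auth_url line comes from the
// course text; the other lines are placeholders in the same format.
const SAMPLE_RECORDS_CONFIG = `
# records.config fragment (constructed sample)
CONFIG proxy.config.proxy_name STRING wcg.corp.example
CONFIG proxy.config.http.server_port INT 8080
CONFIG proxy.config.auth.ssl_auth_url INT 1
`;

const SSL_AUTH_VAR = "proxy.config.auth.ssl_auth_url";
const SSL_AUTH_PORT = 4443;  // port the text gives for HTTPS authentication
const HTTP_AUTH_PORT = 8080; // hypothetical: port assumed for the plain-HTTP auth redirect

// Parse "CONFIG|LOCAL <name> <INT|STRING|FLOAT> <value>" records into a Map,
// skipping blank lines and comments; values are converted to their declared type.
// (LOCAL / STRING / FLOAT are assumed from the Traffic Server records.config format.)
function parseRecordsConfig(text) {
  const records = new Map();
  for (const rawLine of text.split("\n")) {
    const line = rawLine.trim();
    if (line === "" || line.startsWith("#")) continue;
    const m = /^(CONFIG|LOCAL)\s+(\S+)\s+(INT|STRING|FLOAT)\s+(.*)$/.exec(line);
    if (!m) throw new Error(`unrecognised records.config line: ${line}`);
    const [, , name, type, rawValue] = m;
    let value = rawValue.trim();
    if (type === "INT") value = parseInt(value, 10);
    else if (type === "FLOAT") value = parseFloat(value);
    records.set(name, { type, value });
  }
  return records;
}

// Enabled only by an explicit "INT 1"; an absent variable means the default (disabled).
function sslAuthEnabled(records) {
  const rec = records.get(SSL_AUTH_VAR);
  return rec !== undefined && rec.type === "INT" && rec.value === 1;
}

// Authentication redirect URL the proxy would hand to the browser for a request:
// with ssl_auth_url enabled, an HTTPS request is redirected to an HTTPS auth URL
// on port 4443; otherwise the auth URL is plain HTTP. The path "/" is a placeholder.
function authRedirectUrl(records, redirectHostname, originalUrl) {
  const originalIsHttps = /^https:/i.test(originalUrl);
  if (originalIsHttps && sslAuthEnabled(records)) {
    return `https://${redirectHostname}:${SSL_AUTH_PORT}/`;
  }
  return `http://${redirectHostname}:${HTTP_AUTH_PORT}/`;
}

// An HTTPS page redirected to an HTTP auth URL is what the browser reports as mixed content.
function wouldTriggerMixedContent(records, redirectHostname, originalUrl) {
  return /^https:/i.test(originalUrl)
    && authRedirectUrl(records, redirectHostname, originalUrl).startsWith("http:");
}

// Audit helper: evaluate a configuration text against a list of sample request URLs.
function auditAuthRedirects(configText, redirectHostname, urls) {
  const records = parseRecordsConfig(configText);
  return urls.map((url) => ({
    url,
    redirect: authRedirectUrl(records, redirectHostname, url),
    mixedContent: wouldTriggerMixedContent(records, redirectHostname, url),
  }));
}
```

Running auditAuthRedirects over a copy of a real records.config (with your own redirect hostname) lists, per sample URL, the redirect the browser would receive and whether it is the mixed-content case; with the variable left at its default, every HTTPS sample is flagged, which is the pre-8.5.4 behaviour the text explains.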
Prior to version 8.5.4, this section was labeled Redirect Hostname. When enabled, all authentication for HTTPS URLs is redirected to a secure auth URL.

... My Proxy > Basic > General page in Content Gateway Manager, you can only select Web DLP or ICAP:
• When enabled (INT 1), you can select both Web DLP and ICAP options when integrating the DLP module with Content Gateway.

Content Gateway enhancements: Sending "unknown" file type to Filtering Service
• New /opt/WCG/config/records.config variable: CONFIG wtg.config.filter_unknown_file INT 1
• Default setting: Disabled (INT 0)
• Enables Content Gateway to send "unknown" files as a valid file type to Filtering Service.
• When this variable is enabled, Content Gateway can:
  • Identify a file with an unknown type
  • Send unknown file types to Filtering Service
• In Security Manager, "unknown" is included in the list of file types displayed when creating a Block file types list for a specific category on the Policy Management > Filters > Add/Edit Category Filter page.

For example, when wtg.config.filter_unknown_file is enabled and an end user tries to access the unknown file type http://10.204.64.11/GLOBE.ANI, the following log entries are present:

[May 22 12:24:34.678] 3502 DIAG: (wtg_txn_type_undef) [51] File Type ==> WCG_UNKNOWN
[May 22 12:24:34.689] 3504 DIAG: (wtg_txn) [51] WISP lookup required for TFT
[May 22 12:24:34.689] 3504 DIAG: (wtg_txn_wisp) [51] WispClient (tid=3504): Doing http lookup with 0 dynamic category and TFT = 11 , src ip: 10.203.165.30

The sample log entries indicate that:
• Content Gateway identifies the file as "WCG_UNKNOWN".
• A second WISP lookup is done.
• With TFT = 11 (indicating an unknown file type), Content Gateway sends it to Filtering Service.

... SSL > Decryption / Encryption > Outbound tab of Content Gateway Manager has been removed to avoid Content Gateway restarts. Upgrades to v8.5.4 automatically disable these options if they had been previously enabled.
• No significant performance differences were found after removing these caching options.

Due to ongoing stability issues and difficulty in troubleshooting, clustering has been removed from the SIEM components. Each Policy Server is responsible for sending its own logs to SIEM. With this enhancement, troubleshooting is more efficient because you only check the affected Policy Servers and their associated SIEM components instead of multiple Policy Servers in a cluster.

SIEM enhancements: Supporting up to 10 SIEM integrations
• The Settings > General > SIEM Integration page of Security Manager now supports the entry of up to 10 SIEM integrations.
• The main page provides details for each of the SIEM solutions added.
• With this enhancement, data from each Policy Server is no longer forwarded to all SIEM solutions configured for other Policy Servers assigned to the same Policy Broker.

... General > SIEM Integration page, you can now send audit log records to a SIEM integration defined for the primary Policy Server.
• In the new Audit Log Data section, select Enable SIEM integration for this Policy Server to enable the feature, then complete the remainder of the section.
• This feature is available only for the primary Policy Server and does not appear if you are logged into a secondary Policy Server.

[Slide: Remote Browser Isolation (RBI). Forcepoint RBI, Cloud or On-prem / Ericom Shield. Products listed: Forcepoint Web Security Cloud, Forcepoint Next Generation Firewall, Forcepoint Data Loss Prevention, Forcepoint Cloud Security Gateway, Forcepoint Email Security On-Premises. License modes: Full mode, Targeted mode.]

Integration with RBI is available with Web Security (and other Forcepoint products) today through a partnership with Ericom. Forcepoint RBI (also known as Ericom Shield or Shield RBI) isolates all web content away from endpoints to help ensure that no malware can infect endpoints and networks.

Forcepoint RBI takes a zero-trust approach, assuming any website might contain malicious code. Ericom executes content in an isolated container or environment. This works with any modern web browser; there are no plug-ins or applications to install.

When configured in Web Security, Forcepoint RBI prevents web-based malware, web mail phishing attacks, and malware in content downloads from the web.

Licensing
There are two factors to consider when discussing Forcepoint RBI licensing:
• How many end users can access the system?
• How many active sessions can those end users browse concurrently?

Forcepoint RBI licensing is based on "Named Users". Each license represents a single Named User that can access Ericom Shield. The maximum number of Named Users that can access Ericom Shield is equal to the number of licenses. For example, for 1000 licenses, 1000 different Named Users can access Ericom Shield.
Each Named User can have "unlimited" browsing sessions (subject to the Fair Usage Policy below) from unlimited browsers, devices and locations.

The Named User list is the list of users that have accessed the Shield Proxy via a web browser in the prior 14 days. ... Proxy via a web browser in the prior 14 days is removed from the Named User count.

The number of total active sessions available in the system depends on the license type:
• Full license mode: Unlimited number of concurrent browsing sessions from unlimited browsers, devices and locations. Subject to Fair Usage Policy.
• Targeted license mode: Limited number of concurrent browsing sessions from unlimited browsers, devices and locations. The Targeted Mode limit is equal to 10% of the number of users licensed.

There is a 90-day grace period for both license types to ensure no downtime during renewal. When a license does expire, the following occurs:
• The RBI Admin console is no longer accessible.
• When redirected to Forcepoint RBI, end users see a disconnected page.

Please contact Forcepoint for more details about RBI integration and licensing options.

With this integration, Web Security can redirect risky websites to the Forcepoint RBI On-Prem server or Cloud service.
You can set which sites Web Security will block based on policies. Doing so allows your end users to securely access uncategorized websites, new domains, and questionable categories like Social Media (such as business use of LinkedIn/Twitter) through targeted isolation.

Forcepoint RBI communicates with Forcepoint Web Security via Block Page Redirect to provide isolation-based zero-day malware protection.

Take note of the following constraints when integrating Web Security On-Prem and Forcepoint RBI:
• Username information cannot be redirected; as a result, Web Security cannot apply User or User Group policies via the Ericom Portal.
• The integration relies on editing the JavaScript of the Block Redirect Page.
• There is currently no method to determine which end user is accessing the service.

[Slide: Forcepoint Web Security x Forcepoint RBI integration. Forcepoint RBI, Cloud or On-Prem / Ericom Shield.]

Please contact Forcepoint for more details about RBI integration.

General enhancements: Requiring vcruntime140.dll during installation or upgrade
• When installing or upgrading Web Security on a Windows platform, ensure that the target host already has vcruntime140.dll.
Otherwise, the following error appears during installation/upgrade: "Installation Failed: Installation failed with error code 3004"
• The installation/upgrade log file in the Temp folder of the user running the installer will contain a line like:
java.lang.UnsatisfiedLinkError: C:\Users\Administrator\AppData\Local\Temp\2\I1588276985\Windows\resource\jre\bin\freetype.dll: Can't find dependent libraries
• The dependency referenced in this log entry is vcruntime140.dll, a file that is part of the Redistributable Package.
• During install/upgrade, do not stop the process; locate and install the latest 64-bit Redistributable Package for Windows from https://support.microsoft.com/en-us/help/2977003/the-latest-supported-visual-c-downloads, and then return to the install/upgrade process.

Should the error occur during the install/upgrade process:
1. Close the error window but do NOT stop the install/upgrade process. Leave the installer window open.
2. Locate the latest 64-bit Redistributable Package for your Windows version from https://support.microsoft.com/en-us/help/2977003/the-latest-supported-visual-c-downloads.
3. Download and install the package.
4. Return to the installation/upgrade window and continue the process.

Resources
• What's New in 8.5.4: https://www.websense.com/content/support/library/web/v854/release_notes/rnws_new.aspx
• System requirements: http://www.websense.com/content/support/library/deployctr/v85/dic_sys_req.aspx
• Supported platforms, directory services, and log databases: https://support.forcepoint.com/KBArticle?id=TRITON-AP-WEB-and-Web-Security-Gateway-Anywhere-Certified-Product-Matrix
• Supported browsers: https://support.forcepoint.com/KBArticle?id=TRITON-Manager-Certified-Product-Matrix
• Installation and Deployment Guide for Forcepoint Web Security Endpoint (deployments using the Hybrid Module/Web Security Cloud): http://www.websense.com/content/support/library/endpoint/v20/installation.pdf
• Incremental Upgrade Guide: https://www.websense.com/content/support/library/web/v85/upgrade/incremental_upgrade.pdf
  During an incremental upgrade, SIEM Integration feature enhancements may result in the loss of SIEM data. Refer to the guide for details.
• Content Gateway Help: https://www.websense.com/content/support/library/web/v85/wcg_help/toc.aspx

Use Web Security to develop and enforce policies to protect your network. Together, a series of Forcepoint components provide security for web-based transactions, as well as management, user identification, alerting, reporting, and troubleshooting capabilities. Knowing the following groups of components helps you successfully administer Web Security in your network environment:

Networking components
Transmit web traffic to and from the end user and the origin server. Enforce security and policy decisions with the help of the Filtering components.
Perform SSL decryption, security analysis, sandboxing submission and DLP detection.

Filtering components
These components encapsulate all the decision making in the product. They take the corporate web policy configured by the Forcepoint product administrator and apply it to each web transaction. They communicate the decision to the Networking components to enforce the policy decision.

Configuration Management components
These components provide the means for the Forcepoint product administrator to configure the product (which includes policies, auxiliary settings, and related options). They also provide the mechanism to distribute configuration to the Filtering and Networking subsystems.

[Diagram: Web Security Components: Authentication, Filtering, Reporting/Alerting, Configuration Management, Networking, User, Origin Web Server]

The Filtering components encapsulate all the decision-making processes in Web Security. They take the corporate web policy configured by a Forcepoint administrator and apply it to each web transaction. They communicate the decision to the Networking components to enforce the policy decision.

Filtering components interact with Authentication components to guarantee that user-based policies are applied. Filtering components work with Reporting components to record all web activities.

Filtering Service
Provides policy enforcement in your network. When a user requests a site, it is the responsibility of Filtering Service to receive the request and determine the applicable policy.
Filtering Service must be running for Internet requests to be filtered and logged.

Filtering Service is the component that works with Content Gateway, Network Agent, or a third-party integration product to provide policy enforcement. When a user requests a site, Filtering Service receives the request, determines which policy applies, and uses that policy to determine whether the site is permitted or blocked.

Each Filtering Service instance downloads its own copy of the Forcepoint Master Database to use in determining how to handle Internet requests. Filtering Service also sends information about Internet activity to Log Server, so that it can be recorded and used for reporting. The System Dashboard > Summary in Security Manager lists the IP address and current status of each Filtering Service instance associated with the current Policy Server. Click a Filtering Service IP address for more detailed information about the selected Filtering Service.

[Slide: Filtering Components: Filtering Service, Policy Broker, Policy Server. Policy enforcement and filtering function; reporting of web activity. Diagram: Authentication, Filtering, Reporting/Alerting, Configuration Management, Networking, User, Origin Web Server]

Filtering Service provides policy enforcement in your network. This service works in conjunction with Network Agent or an integration product to provide Internet filtering. When a user requests a site, it is the responsibility of Filtering Service to receive the request and determine the applicable policy.
Filtering Service must be running for Internet requests to be filtered and logged.

The diagram illustrates how policy determination is achieved through the interaction between Filtering Service and other Forcepoint components.

1. The integration/networking component captures a request for web access.
2. The Transparent Identification Agent (if used) provides the user-to-IP-address mapping, which allows user- and group-based policies to be applied.
3. The Policy Server / Policy Database holds Filter and Policy settings; these are cached by Filtering Service and updated if any settings are amended and committed (using the Save All button).
4. Filtering Service communicates with User Service to determine (and cache) group memberships.
5. Filtering Service shares information with Usage Monitor for category, protocol, or app usage alerts, and then provides information to the applicable Reporting/Alerting components.
6. Filtering Service provides information to the Log Server service.

[Diagram: Policy Determination/Enforcement. Networking/Integration; Filtering Service (Policy Determination/Enforcement, with Master DB, URL RegEx and Block Page); Policy Server; User Service; XID Agent and XID Clients; Usage Monitor; Reporting/Alerting; Master Database download from https://download.forcepoint.com. Steps 1 to 6 as listed above.]

... (like its Filtering Service and Network Agent connections) are stored locally by each Policy Server and are not distributed.
• In order to apply time-based actions correctly, one or more instances of Forcepoint State Server are required.

Policy Server
The list above highlights what an instance of a Policy Server can support.

Filtering Service
Filtering Service caches policy data for up to three hours. As a best practice, no more than 10 Filtering Service instances should be deployed per Policy Server. Each Filtering Service can support up to 4 Network Agent instances. A Policy Server instance may be able to handle more, depending on the load.
However, if the number of Filtering Service instances exceeds the Policy Server's capacity, responses to Internet requests may be slowed. Multiple Filtering Service instances are useful to manage remote or isolated subnetworks.

The appropriate number of Filtering Service instances for a Policy Server depends on:
• The number of users per Filtering Service
• The configuration of the Policy Server and Filtering Service machines
• The volume of Internet requests
• The quality of the network connection between the components

If a ping command sent from one machine to another receives a response in fewer than 30 milliseconds (ms), the connection is considered high-quality.

Log Server
• One instance of Log Server per Policy Server
• Multiple Log Server instances can send data to a central Log Server, which sends the data to the Log Database

Limits and Best Practices

Policy Server Limits. Each Policy Server instance can support:
• Up to 10 Filtering Service instances
• Caches policy data for up to 14 days
• 1 User Service
• 1 Usage Monitor
• 1 Web Security Log Server
• 1 State Server
• 1 Multiplexer
• 1 Directory Agent

Filtering Service Best Practices and Log Server Limits: as listed above.

The illustration above shows the interaction between Filtering Service and User Service when handling a request from the user NIS1\j_doe belonging to a Microsoft Active Directory network.

1. Filtering Service asks User Service for xyz\j_doe's qualified username.
2. User Service then searches the global catalog servers for the domain xyz. Once xyz is found, it searches that domain for user j_doe. The OS returns the qualified name "LDAP://xyz.websense.com dc=websense, dc=com/J Doe" to Filtering Service.
3. Filtering Service caches the username locally for three hours. The caching of user and group information means that updates to a user's group memberships will not immediately affect the policy they receive.
4. Filtering Service now has to build a policy for "LDAP://xyz.websense.com dc=websense, dc=com/J Doe". To build the policy, Filtering Service asks User Service for the user's groups.
• User Service performs the following searches:
  • Searches xyz.domain.com for the group membership
  • Searches each group for group membership. This membership is cached, since most users have similar groups.
• User Service then returns the groups to Filtering Service.

[Diagram: User Authentication. User xyz\j_doe; Filtering Service; User Service; Security Manager; User Authentication; XID Agents; steps 1 to 5.]

With Web Security, Internet activities from both on-prem and off-site users can be filtered.

On-prem Users
Transparent identification describes any method used to identify users in your directory service without prompting them for logon information.
This includes any of the optional transparent identification agents available when user requests are managed by the following on-prem components:

DC Agent
DC Agent is an XID agent used in networks that authenticate users with Microsoft Active Directory. DC Agent subscribes to successful Kerberos authentication notifications from AD to obtain usernames and their associated computer names. DC Agent performs a DNS lookup to resolve the computer name to an IP address and then stores the username/IP address pair in its user map in local memory. This user map is synced with the Filtering Service user map.

Logon Agent
Logon Agent (also called Authentication Server) identifies users in real time, as they log on to domains. Logon Agent works with a logon application that runs on Windows or Mac client machines.

With Logon Agent, the customer deploys a thin app on Windows/Mac clients. This app is invoked when the end user logs into the operating system, and NTLM authentication is initiated between the Logon App, Logon Agent and Active Directory. Once successful, Logon Agent adds an entry to its mapping of client IP addresses and usernames.
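The XID user map (username stored by resolved IP address) and the three-hour Filtering Service cache described in the User Authentication steps and the DC Agent paragraph above, as an added example in JavaScript; this is a simplified model, not Forcepoint code. The DNS table, directory entries, qualified names, group-to-policy mapping, user names and addresses are constructed placeholders, and the group cache is assumed to use the same three-hour lifetime the text gives for the username.

```javascript
// Added example (not Forcepoint code): a model of the XID user map and the
// Filtering Service user/group cache, showing why a directory group change does
// not affect the applied policy until the cached entry expires.

const THREE_HOURS_MS = 3 * 60 * 60 * 1000;

// Constructed stand-ins for DNS and the directory (placeholder names and addresses).
const DNS_TABLE = new Map([
  ["WS-001.corp.example", "10.1.2.3"],
  ["WS-002.corp.example", "10.1.2.4"],
]);
function makeDirectory() {
  return new Map([
    ["j_doe", { qualifiedName: "LDAP://corp.example dc=corp, dc=example/J Doe", groups: ["Staff"] }],
    ["a_smith", { qualifiedName: "LDAP://corp.example dc=corp, dc=example/A Smith", groups: ["Staff", "Finance"] }],
  ]);
}
// Group -> policy, first match wins; requests with no identified user get the default policy.
const GROUP_POLICIES = [["Finance", "Finance Policy"], ["Staff", "Staff Policy"]];
const DEFAULT_POLICY = "Default Policy";

// DC Agent: on each authentication notification, resolve the computer name and
// record the username under the resulting IP address (a later logon overwrites).
class DcAgentUserMap {
  constructor(resolve) { this.resolve = resolve; this.byIp = new Map(); }
  onAuthentication(username, computerName) {
    const ip = this.resolve(computerName);
    if (!ip) return false; // unresolved computer name: no mapping is created
    this.byIp.set(ip, username);
    return true;
  }
  lookup(ip) { return this.byIp.get(ip) || null; }
}

// Filtering Service: qualified name and groups are fetched through "User Service"
// (the directory here) and cached for ttlMs; a cached copy never sees later changes.
class FilteringService {
  constructor(userMap, directory, ttlMs = THREE_HOURS_MS) {
    this.userMap = userMap; this.directory = directory; this.ttlMs = ttlMs; this.cache = new Map();
  }
  userInfo(username, now) {
    const hit = this.cache.get(username);
    if (hit && now - hit.cachedAt < this.ttlMs) return { ...hit.info, fromCache: true };
    const entry = this.directory.get(username);
    if (!entry) return null;
    const info = { qualifiedName: entry.qualifiedName, groups: [...entry.groups] };
    this.cache.set(username, { info, cachedAt: now });
    return { ...info, fromCache: false };
  }
  policyFor(clientIp, now) {
    const username = this.userMap.lookup(clientIp);
    const info = username ? this.userInfo(username, now) : null;
    if (!info) return DEFAULT_POLICY;
    const match = GROUP_POLICIES.find(([group]) => info.groups.includes(group));
    return match ? match[1] : DEFAULT_POLICY;
  }
}

// Walk through the chain with a constructed clock; returns the observations.
function runScenario() {
  const directory = makeDirectory();
  const userMap = new DcAgentUserMap((name) => DNS_TABLE.get(name) || null);
  const fs = new FilteringService(userMap, directory);
  const t0 = Date.UTC(2020, 4, 22, 12, 0, 0);
  const results = {};
  results.unknownHost = userMap.onAuthentication("j_doe", "WS-999.corp.example"); // no DNS entry
  userMap.onAuthentication("j_doe", "WS-001.corp.example");
  results.unmappedIp = fs.policyFor("10.9.9.9", t0);        // IP not in the user map
  results.first = fs.policyFor("10.1.2.3", t0);             // directory consulted, cached
  directory.get("j_doe").groups.push("Finance");            // group change after caching
  results.withinTtl = fs.policyFor("10.1.2.3", t0 + 60 * 60 * 1000);       // stale, cached
  results.afterTtl = fs.policyFor("10.1.2.3", t0 + THREE_HOURS_MS + 1000); // refreshed
  return results;
}
```

The withinTtl result is the policy lag the text warns about: an administrator who moves a user between groups should expect the previous policy to keep applying to that user until the cached entry expires, and a client whose computer name does not resolve in DNS never enters the user map and so falls back to the default policy.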
This user</p><p>map is synced with Filtering Service, as with other XID agents.</p><p>RADIUS agent</p><p>RADIUS Agent provides transparent identification of users who access the network using</p><p>Public © 2020 Forcepoint 50</p><p>On-prem and Off-site Users</p><p>Off-site/</p><p>Remote</p><p>Users</p><p>On-prem</p><p>Users</p><p>D C</p><p>a g e n t</p><p>L o g o n</p><p>a g e n t</p><p>Transparent Identification (XID) Agents</p><p>R A D I U S</p><p>a g e n t</p><p>e D i r e c t o r y</p><p>a g e n t</p><p>R A D I U S</p><p>a g e n t</p><p>W e b H y b r i d</p><p>( W e b S e c u r i t y</p><p>C l o u d )</p><p>52 > 53</p><p>Configure the Web Hybrid module for Web Security in the cloud to manage off-site users,</p><p>regardless of how those user requests' are handled when they are in-network.</p><p>Users inside the network</p><p>For users whose requests are handled by on-premises components (Filtering Service)</p><p>when they are inside the network, you can configure the browser PAC file to determine</p><p>whether the user is in-network or off-site before forwarding an Internet request.</p><p>If you are using the PAC file generated by the hybrid service, this configuration occurs</p><p>automatically based on the settings that you provide in the Security Manager.</p><p>Users managed by the hybrid service both in and outside the network</p><p>For users managed by the hybrid service both in and outside the network, no PAC file</p><p>changes are required. 
When off-site users make an Internet request, they are prompted to log on to the hybrid service so that the appropriate user- or group-based policy can be applied.

What is a PAC file?
A Proxy Auto-Configuration (PAC) file is a JavaScript function definition that determines whether web browser requests (HTTP, HTTPS, and FTP) go directly to the destination or are forwarded to a web proxy server.

PAC files are used to support explicit proxy deployments, in which client browsers are explicitly configured to send traffic to the web proxy. The big advantage of PAC files is that they are usually relatively easy to create and maintain.

The use of a PAC file is highly recommended with explicit proxy deployments of Forcepoint Web Security Gateway (for the Content Gateway web proxy component) and is required to support the hybrid web filtering feature of Web Security Gateway Anywhere.

[Slide: User Traffic Management. Off-site/Remote Users; On-prem Users; Filtering Service; Web Hybrid.]

The Configuration Management components provide the following functionalities:
• Allow multiple Web Security components deployed on different hosts to share a single repository of policy and configuration data
• Separate policy and deployment configuration data both logically and physically
• Support concurrent calls for data, maintain access control and referential integrity, and prevent data corruption
• Support delegated administration

EIP Infrastructure
Forcepoint Security Manager provides a single pane of glass (SPOG) for the administrative interface of the Web Security, Email Security, and DLP products.
Those who buy more than one of these products can manage them from the same interface, with shared administrator roles and without having to log on to each of the products separately. While each of the three products has its own management stack, they all share an infrastructure, the Essential Information Protection (EIP) infrastructure, that provides the following services:
• Configuration database: a database that stores the administrator definitions for Security Manager, the appliance definitions for Web/Email Security, and the inventory of installed modules and their installation status.
• Application Server: an application that runs on Tomcat and provides an interface to the information stored in the Web Security database.
• Web Server: an Apache HTTP-based web server that supports certificate-based authentication and RSA SecurID integration for two-factor authentication. It functions as a reverse proxy to provide a seamless experience to Forcepoint product administrators.

Note: Learn about the available user interfaces in Module 2 of this course.

[Slide: Configuration Management Components. EIP Infrastructure; Security Manager; Content Gateway Manager; Security Appliance Manager. The Configuration Management components allow admins to manage, store, and distribute Web Security settings, and distribute configuration to other components. Diagram labels: Authentication; Filtering; Reporting/Alerting; Origin Web Server; Web Configuration Management; User; Networking]

Log Server

The Log Server service is a Windows-only component that is required to enable the reporting features of Security Manager (including charts, presentation reports, and investigative reports). Before this component can be installed, Microsoft SQL Server or Microsoft SQL Server Express must be installed.

Log Server provides the following capabilities:
• Receives logs from Filtering Service
• Creates cache files, to be inserted later into the SQL database
• Interacts with the SQL database
• Sends records of Internet activity to the Log Database, including category names, protocol names, and risk class names from the Master Database
• Requires MS SQL Server/SQL Express for report data

NOTE: Database and Log Server services may be located on Windows Server 2008 and Windows Server 2012.

Log Database

The Forcepoint Log Database can be created and maintained by any of the following database engines:
• Microsoft SQL Server 2012
• Microsoft SQL Server 2008
• Microsoft SQL Server 2005

Log Server logs Internet activity information to only one Log Database at a time.

[Slide: Reporting Flow (diagram)]

The Web Security Log Database stores the records of Internet activity and the associated Forcepoint filtering actions. Installation creates the Log Database with a catalog database and one database partition.

The following diagram represents the Forcepoint Log Database schema. The key elements here are the Catalog Database and the Partition Database. In SQL Server, these two look like any other database attached to the server; nothing is special graphically. The uniqueness is in the role each database plays.

Take note of the following flow:
1. Incoming web transactions come in from the Filtering Service to the Log Server and are converted into cache files (cache files are discussed in the next slide).
2. Then, the cache files are grabbed by the Log Server and inserted into the Catalog Database via an ODBC or BCP connection. The Catalog database provides a single connection point for the various Forcepoint components that need to access the Log Database: Status pages, Log Server, presentation reports, and investigative reports.
3. After the incoming web transactions are inserted into the Catalog DB, where they reside in a temporary buffer, the data is inserted into the active partition through the ETL job.

Database partitions store individual log records of Internet activity. New partitions are created based on size or date interval, and partitions provide flexibility and performance advantages.

[Slide: Log Database. Records Internet activity and the associated Forcepoint filtering actions; installation creates the Log Database with a catalog database and one database partition. Diagram: Incoming Web Transactions flow into the Catalog DB (wslogdb); log data is inserted into the active partition (partitions wslogdb_1, wslogdb_2); the Web Security Reporting Tools crawl data from all added partitions.]

The Log Database has a collection of five jobs, each with its own functionality inside the Log Database. The WSG Reporting Job definition is stored in wse_db_jobs; you can view this table by running the query select * from wse_db_jobs inside SQL Server Management Studio. The following is an explanation of the SQL jobs created when the Log DB is installed/created:
• The Extract, Transform, and Load (ETL) job runs continuously, receiving data from Log Server, processing it, and then inserting it into the partition database. The ETL job must be running to process log records into the Log Database.
• The database maintenance job performs database maintenance tasks and preserves optimal performance. This job runs nightly, by default.
• The Internet browse time (IBT) job analyzes the data received and calculates browse time for each client. The IBT database job is resource intensive, affecting most database resources. This job runs nightly, by default.
• The Advanced Malicious Threat Extract, Transform, and Load (AMT ETL) job runs in a similar fashion to the ETL job for the catalog database; the only difference is that the data processed by this job is the data shown on the Threats Dashboard of the Web Security Manager.
• The Trend job is responsible for processing the trend data available in the Web Security Manager.

[Slide: Log Database SQL Jobs]
• ETL: runs continuously, receiving data and then inserting it into the partition database.
• Database Maintenance: performs database maintenance tasks and preserves optimal performance.
• IBT: analyzes the data and calculates browse time. Runs nightly, by default.
• AMT ETL: data processed by this job is displayed on the Threats Dashboard of Security Manager.
• Trend Job: When trend
