ECA and how it works

Integrating ECA enables you to collect per-connection user and application information about Windows endpoint clients that connect through an NGFW Engine managed by the SMC.

To use ECA, the ECA client must be installed on the endpoints. For more information about ECA clients, see the Installation and Deployment Guide for Forcepoint Endpoint Context Agent.

The endpoints send metadata to the NGFW Engine, and you can use the information as criteria for access control in policies. This information about the endpoints can also be viewed in log data and used in Report elements.

On the home page for an NGFW Engine, you can see the number of endpoint clients that are connected and sending information. You can also use the drill-down menu to see which users are connected.

ECA is supported on Firewalls, Layer 2 Firewalls, IPS engines, and Virtual Firewalls. The NGFW Engine license includes support for ECA integration.

You cannot use ECA if there is a NAT device between the NGFW Engines and the endpoints.

Use cases

An example use case is a point of sale (PoS) terminal. On such a terminal, you can:

  • Allow a certain browser version to access the corporate intranet only if the local firewall on the endpoint is enabled and the operating system was updated within the past 30 days.
  • Allow the PoS application to access corporate servers.
  • Allow the Windows Update service.
  • Block all other applications.
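
The PoS use case above can be modeled as an ordered rule list evaluated against the metadata an endpoint reports. This is an added illustration, not Forcepoint code or SMC rule syntax; the dictionary keys, application names, browser version, destination labels and first-match evaluation order are assumptions made for the example.

```python
from datetime import date, timedelta

# Assumed names: these keys, application names and the browser version are
# constructed for illustration and are not real ECA metadata fields.
ALLOWED_BROWSER = ("browser.exe", "120.0")
MAX_OS_UPDATE_AGE = timedelta(days=30)

def evaluate(conn, today):
    """Return (action, matched_rule) for one connection; first match wins."""
    meta = conn.get("endpoint") or {}   # empty when no metadata was received
    app, dest = meta.get("app"), conn.get("dest")
    # Rule 1: one browser version to the intranet, with two posture checks.
    if (app, meta.get("app_version")) == ALLOWED_BROWSER and dest == "intranet":
        updated = meta.get("os_last_update")
        fresh = updated is not None and today - updated <= MAX_OS_UPDATE_AGE
        if meta.get("local_firewall_enabled") is True and fresh:
            return ("allow", "browser to intranet")
    # Rule 2: the PoS application to corporate servers.
    if app == "pos.exe" and dest == "corporate-servers":
        return ("allow", "PoS application")
    # Rule 3: the Windows Update service.
    if app == "windows-update":
        return ("allow", "Windows Update")
    # Rule 4: everything else, including a browser that failed a posture check.
    return ("block", "all other applications")

def endpoint(app, version=None, firewall=True, updated=None):
    """Build one constructed endpoint metadata record."""
    return {"app": app, "app_version": version,
            "local_firewall_enabled": firewall, "os_last_update": updated}

TODAY = date(2024, 6, 30)  # constructed evaluation date
SAMPLES = {                # constructed connections, not captured traffic
    "compliant browser": {"dest": "intranet", "endpoint": endpoint("browser.exe", "120.0", True, date(2024, 6, 20))},
    "firewall disabled": {"dest": "intranet", "endpoint": endpoint("browser.exe", "120.0", False, date(2024, 6, 20))},
    "OS updated 31 days ago": {"dest": "intranet", "endpoint": endpoint("browser.exe", "120.0", True, date(2024, 5, 30))},
    "PoS application": {"dest": "corporate-servers", "endpoint": endpoint("pos.exe")},
    "other application": {"dest": "intranet", "endpoint": endpoint("game.exe")},
    "no endpoint metadata": {"dest": "intranet"},
}

def run_samples():
    return {name: evaluate(conn, TODAY)[0] for name, conn in SAMPLES.items()}

if __name__ == "__main__":
    for name, action in run_samples().items():
        print(f"{name}: {action}")
```

In this model a connection with missing or incomplete metadata never matches an allow rule and falls through to the final block rule.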