Integrate on-premises DLP servers with Forcepoint NGFW

You can integrate on-premises DLP servers, such as Forcepoint DLP, with Forcepoint NGFW and use them as a scanning method in the file filtering policy.

Before you begin

To use TLS to secure the connection to the DLP server, you must:
  • Create a TLS Profile element that specifies the settings for cryptography, trusted certificate authorities, and the TLS version used in TLS-protected communication with the DLP server.
  • Configure TLS on the ICAP server or in the environment in which the ICAP server is deployed. See the documentation for your DLP server for more information.

DLP scanning is typically used for outbound file transfers to prevent sensitive data from being sent out. DLP scanning is supported for the following protocols: FTP, HTTP, HTTPS, IMAP, IMAPS, POP3, POP3S, and SMTP.

NGFW Engines communicate with the integrated DLP servers using the ICAP protocol. ICAP Server elements represent the DLP servers. You can integrate one or more ICAP servers with the NGFW Engine. When you integrate multiple ICAP servers, traffic is balanced between the ICAP servers.

The NGFW Engine sends files to the ICAP server, then allows or blocks the file transfer depending on the response it receives from the ICAP server. Optionally, the NGFW Engine adds headers to the request that tell the ICAP server the user, the client IP address, and the server IP address of the original request. You can specify the name to use for each of these headers. By default, the standard names are used. If you leave the name of a header blank, that header is not sent to the ICAP server.

Integrating on-premises DLP servers with Forcepoint NGFW has the following limitations:

  • Only the ICAP protocol is supported. The DLP server must support ICAP.
  • Only the REQMOD method is supported for sending files to the DLP server.
  • Only on-premises DLP servers are supported. Cloud-based DLP services are not supported.

Each NGFW Engine node is counted as a separate client of each ICAP server. The same NGFW Engine node can make several connections to the same ICAP server, up to the Max-Connections value returned in the server’s OPTIONS response. Make sure that the Max-Connections value for the ICAP server is large enough to allow all connections from all NGFW Engine nodes with which it is integrated. For more information about adjusting the Max-Connections value, see the documentation of your DLP server.
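The ICAP exchange described above (a REQMOD request carrying the optional X-headers, with the transfer allowed or blocked based on the reply) and the Max-Connections capacity check from the previous paragraph, as an added example in Python. This is not Forcepoint code and it is not how the NGFW Engine is implemented; it is a standalone demonstration of the protocol exchange the integration relies on. Both sides run on loopback: a mock DLP server that answers OPTIONS with a Max-Connections value and blocks any upload whose body contains a constructed CONFIDENTIAL marker, and a client that builds requests the way an ICAP client would. The mapping of 204 to allow and 200 (with an encapsulated HTTP 403) to block, the one-request-per-connection half-close, the marker, and all host names, user names and IP addresses are assumptions made for the example.

```python
# Added example (not Forcepoint code): a minimal ICAP REQMOD exchange between an
# NGFW-style client and a mock DLP server, showing the OPTIONS/Max-Connections
# check, the optional X-headers, and the allow/block decision taken on the reply.
import socket
import threading

# Header names as exposed by the ICAP Server element; a blank name means the
# header is not sent (same rule as the Include X-Headers fields).
DEFAULT_XHEADERS = {"user": "X-Authenticated-User",
                    "client_ip": "X-Client-IP", "server_ip": "X-Server-IP"}
SENSITIVE_MARKER = b"CONFIDENTIAL"   # constructed marker the mock server blocks on

def full_url(host, port, path):
    """Same composition as the read-only Full URL field: icap://host:port/path."""
    return "icap://%s:%d/%s" % (host, port, path.strip("/"))

def build_options(host, port, path):
    """OPTIONS request; the reply carries the server's Max-Connections limit."""
    return ("OPTIONS %s ICAP/1.0\r\nHost: %s\r\n\r\n" % (full_url(host, port, path), host)).encode()

def build_reqmod(host, port, path, http_request, body, user, client_ip, server_ip,
                 names=DEFAULT_XHEADERS):
    """REQMOD: ICAP headers, the client's HTTP request headers, then a chunked req-body."""
    icap = ["REQMOD %s ICAP/1.0" % full_url(host, port, path), "Host: %s" % host,
            "Encapsulated: req-hdr=0, req-body=%d" % len(http_request)]
    for key, value in (("user", user), ("client_ip", client_ip), ("server_ip", server_ip)):
        if names.get(key):                          # blank name -> header not sent
            icap.append("%s: %s" % (names[key], value))
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    return "\r\n".join(icap).encode() + b"\r\n\r\n" + http_request + chunked

def parse_icap_response(raw):
    """Return (status code, lower-cased header dict) from a raw ICAP reply."""
    head = raw.partition(b"\r\n\r\n")[0].decode().split("\r\n")
    headers = {n.strip().lower(): v.strip()
               for n, _, v in (line.partition(":") for line in head[1:])}
    return int(head[0].split()[1]), headers

def decision(status):
    # Assumed mapping: 204 = request left untouched -> allow; 200 (here with an
    # encapsulated HTTP 403) = server replaced it -> block.
    return "allow" if status == 204 else "block"

def max_connections_ok(options_headers, engine_nodes, connections_per_node):
    """Every node is a separate client, so the limit must cover all of them."""
    return int(options_headers.get("max-connections", "0")) >= engine_nodes * connections_per_node

def _read_all(sock):
    buf = b""
    while chunk := sock.recv(4096):
        buf += chunk
    return buf

def _handle(conn, max_connections):
    """Mock DLP server; the client half-closes after sending (keep-alive is not modelled)."""
    with conn:
        conn.settimeout(5)
        raw = _read_all(conn)
        if raw.startswith(b"OPTIONS"):
            conn.sendall(b"ICAP/1.0 200 OK\r\nMethods: REQMOD\r\nMax-Connections: %d\r\n"
                         b"Encapsulated: null-body=0\r\n\r\n" % max_connections)
        elif SENSITIVE_MARKER in raw.split(b"\r\n\r\n", 2)[-1]:   # inspect the body only
            http = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
            conn.sendall(b"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, null-body=%d\r\n\r\n"
                         % len(http) + http)
        else:
            conn.sendall(b"ICAP/1.0 204 No Content\r\n\r\n")

def start_mock_dlp_server(requests, max_connections=4):
    """Serve `requests` connections one after another on a loopback port, then exit."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def loop():
        with srv:
            for _ in range(requests):
                _handle(srv.accept()[0], max_connections)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def icap_exchange(port, request, host="127.0.0.1"):
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(request)
        s.shutdown(socket.SHUT_WR)
        return parse_icap_response(_read_all(s))

def run_demo():
    """One OPTIONS check and two REQMOD scans of constructed uploads."""
    host, path = "127.0.0.1", "reqmod"
    port = start_mock_dlp_server(requests=3, max_connections=4)
    _, opts = icap_exchange(port, build_options(host, port, path))
    results = {"two_nodes_fit": max_connections_ok(opts, 2, 2),
               "three_nodes_fit": max_connections_ok(opts, 3, 2)}
    http = b"POST /upload HTTP/1.1\r\nHost: files.example.com\r\n\r\n"
    for label, body in (("benign", b"quarterly newsletter draft"),
                        ("sensitive", b"CONFIDENTIAL payroll export")):
        req = build_reqmod(host, port, path, http, body, "alice", "192.0.2.10", "203.0.113.5")
        results[label] = decision(icap_exchange(port, req)[0])
    return results
```

Calling run_demo() performs the OPTIONS check first and then scans a benign and a sensitive upload; with Max-Connections set to 4 by the mock, two nodes with two connections each fit but three do not, which is the sizing the paragraph above asks you to verify against your DLP server. Passing a names dictionary with a blank value to build_reqmod omits that header, mirroring what happens when a header name field in the ICAP Server element is left empty.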

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Create an ICAP Server element to represent the DLP server.
    1. Select Configuration, then browse to Network Elements.
    2. Right-click Servers, then select New > ICAP Server.
    3. (Optional) To enable TLS for ICAP connections, select Secure ICAP, then select a TLS Profile element.
    4. Configure the settings, then click OK.
  2. Enable ICAP for data protection on the NGFW Engine.
    1. Select Configuration.
    2. Right-click an engine, then select Edit <element type>.
    3. Browse to Add-Ons > Data Protection.
    4. Select Enable ICAP for data protection.
    5. Click Add next to the ICAP Servers field, then add one or more ICAP Server elements.
    6. Click Save and Refresh to transfer the changed configuration.

Result

You can now use the DLP scan for data protection in the File Filtering Policy.

ICAP Server Properties dialog box

Use this dialog box to define ICAP Server elements for DLP scanning.

General tab

  • Name: The name of the element.
  • IP Address: Enter the IPv4 address, IPv6 address, or fully qualified domain name (FQDN) of the ICAP server.
  • Port: Enter the port number for communication between NGFW Engines and the ICAP server. The default ports are 1344 for ICAP and 11344 for ICAP with TLS.
  • Path: Enter the path of the ICAP service on the ICAP server. The default value is reqmod.
  • Full URL (not editable): Shows the full URL for sending requests to the ICAP server. The URL consists of the values of the IP Address, Port, and Path fields. For example: icap://icap.example.com:1344/reqmod
  • Secure ICAP (optional): When selected, TLS is used to secure the connection to the ICAP server.
  • TLS Profile: Specifies the settings for cryptography, trusted certificate authorities, and the TLS version used in TLS-protected traffic. Click Select to select a TLS Profile element.
  • Include X-Headers (optional): When selected, the NGFW Engine adds the specified headers to the request to communicate the user and the IP addresses of the original request to the ICAP server.
  • Username: The name of the header that specifies the user from which the original request came. The default value is X-Authenticated-User. To prevent the header from being added to the request, remove the header name from the field.
  • Client IP Address: The name of the header that specifies the IP address of the client from which the original request came. The default value is X-Client-IP. To prevent the header from being added to the request, remove the header name from the field.
  • Server IP Address: The name of the header that specifies the IP address of the server to which the original request was sent. The default value is X-Server-IP. To prevent the header from being added to the request, remove the header name from the field.
  • Category (optional): Includes the element in predefined categories. Click Select to select a category.
  • Tools Profile: Adds commands to the right-click menu for the element. Click Select to select an element.
  • Comment (optional): A comment for your own reference.
Monitoring tab

  • Log Server: The Log Server that monitors the status of the element.
  • Status Monitoring: When selected, activates status monitoring for the device. You must also select the Probing Profile that contains the definitions for the monitoring. When you select Status Monitoring, the element is added to the tree in the Home view.
  • Probing Profile: Shows the name of the selected Probing Profile. Click Select to select a Probing Profile element.
  • Log Reception: Activates syslog reception from this device. You must select the Logging Profile that contains the definitions for converting the syslog entries to SMC log entries. You must also select the Time Zone in which the device is located. By default, the local time zone of the computer you are using is selected.
  • Logging Profile: Shows the name of the selected Logging Profile. Click Select to select a Logging Profile element.
  • Time Zone: Selects the time zone for the logs.
  • Encoding: Selects the character set for log files.
  • SNMP Trap Reception: Enables the reception of SNMP traps from the third-party device.
  • NetFlow Reception: Enables the reception of NetFlow data from the third-party device. The supported versions are NetFlow v5, NetFlow v9, and IPFIX (NetFlow v10).
NAT tab

  • Firewall: Shows the selected firewall.
  • NAT Type: Shows the NAT translation type: Static or Dynamic.
  • Private IP Address: Shows the private IP address.
  • Public IP Address: Shows the defined public IP address.
  • Port Filter: Shows the selected Port Filters.
  • Comment: An optional comment for your own reference.
  • Add NAT Definition: Opens the NAT Definition Properties dialog box.
  • Edit NAT Definition: Opens the NAT Definition Properties dialog box for the selected definition.
  • Remove NAT Definition: Removes the selected NAT definition from the list.

Engine Editor > Add-Ons > Data Protection

Use this branch to enable ICAP for data protection on the NGFW Engine.

  • Enable ICAP for data protection: When selected, the NGFW Engine sends files to the specified ICAP servers for DLP scanning.
  • ICAP Servers list: Click Add to add an element to the list, or Remove to remove the selected element. If you add multiple ICAP servers, traffic is balanced between the ICAP servers.