Integrate Forcepoint User ID Service with Forcepoint NGFW
Integrating Forcepoint NGFW with Forcepoint User ID Service provides transparent user identification for access control by user.
Before you begin
For more details about the product and how to configure features, click Help or
press F1.
Steps
-
In the Management Client, create a Forcepoint User ID Service element.
-
Select
Configuration.
-
Select
-
Select a Forcepoint User ID Service element for NGFW
Engines.
-
Select Configuration.
-
Click
Save and Refresh.
-
Select
Next steps
If you want the Forcepoint User ID Service server to authenticate the NGFW Engine with the Management Server's internal certificate authority, export the certificate of the Management Server's active internal certificate authority.
Forcepoint User ID Service Properties dialog box
Use this dialog box to define the properties of the Forcepoint User ID Service element.
| Option | Definition |
|---|---|
| General tab | |
| Name | The unique name of the element. |
| IP Addresses | The IP address of the Forcepoint User ID Service server from which the NGFW Engine receives user information. |
| Resolve | Automatically resolves the IP address of the host. |
| Contact addresses | A Contact Address is needed if NAT is applied between the NGFW Engine and
a Forcepoint User ID Service server.
|
| Port | The port on which the Forcepoint User ID Service server communicates with the engine. If you change the port from the default, you must configure the same port in the Forcepoint User ID Service server on the Linux system. |
| Monitored User Domains | |
| Add | Click Add to define an Active Directory domain from which the NGFW Engine receives user information. Enter the fully-qualified domain name (FQDN) of each monitored Active Directory domain on a separate row. |
|
Remove
|
Removes the selected item from the list. |
| Category | Includes the Forcepoint User ID Service in predefined categories. |
| Comment | An optional comment for your own reference. |
| Option | Definition |
|---|---|
| Certificate tab | |
| TLS Profile | Allows you to select a TLS Profile element that contains, for example, the settings for cryptography, trusted certificate authorities, and the TLS version used in TLS-protected traffic. Click Select to select or to create a TLS Profile element. |
| TLS Server Identity (Optional, only if a TLS Profile is selected) | Select the identity of the TLS server to secure TLS-protected traffic from the NGFW Engine to the Forcepoint User ID Service server.
|
| Fetch From Certificate | Opens the Import Certificate dialog box for fetching the value of the server identity field from
a certificate. Note: You can fetch the value of the server identity field from a certificate only if the server identity
field is Distinguished Name, SHA-1, SHA-256,
SHA-512, or MD5.
|
| Option | Definition |
|---|---|
| Advanced tab | |
| Cache Expiration | The length of time before the cache expires if there is a connection problem between the NGFW Engine and the Forcepoint User ID Service server. |
| Connection Timeout | The maximum amount of time that the NGFW Engine tries to connect to the Forcepoint User ID Service server and the next connection attempt. The default is 10 s. |
Note: The monitoring of the Forcepoint User ID Service is configured in the SMC in the same way as
the monitoring of third-party devices. However, the Forcepoint User ID Service does not send SNMP traps or NetFlow data.
| Option | Definition |
|---|---|
| Monitoring tab | |
| Log Server | The Log Server that monitors the status of the element. |
| Status Monitoring | When selected, activates status monitoring for the device. You must also select the Probing Profile that contains the definitions for the monitoring. When you select Status Monitoring, the element is added to the tree in the Home view. |
| Probing Profile | Shows the name of the selected Probing Profile. Click Select to select a Probing Profile element. |
| Log Reception | Activates syslog reception from this device. You must select the Logging Profile that contains the definitions for converting the syslog entries to SMC log entries. You must also select the Time Zone in which the device is located. By default, the local time zone of the computer you are using is selected. |
| Logging Profile | Shows the name of the selected Logging Profile. Click Select to select a Logging Profile element. |
| Time Zone | Selects the time zone for the logs. |
| Encoding | Selects the character set for log files. |
| SNMP Trap Reception | Enables the reception of SNMP traps from the third-party device. |
| NetFlow Reception | Enables the reception of NetFlow data from the third-party device. The supported versions are NetFlow v5, NetFlow v9, and IPFIX (NetFlow v10). |
TLS Profile Properties dialog box
Use this dialog box to define a TLS profile for enabling TLS protection for traffic to and from external components.
| Option | Definition |
|---|---|
| Name | The name of the element. |
| TLS Cryptography Suite Set | The cryptographic suite for TLS connections. |
| Trusted Certificate Authorities |
Specifies which certificate authorities to trust.
Click Add to add an element to the list, or Remove to remove the selected element. |
| Version | The TLS version used. |
| Use Only Subject Alt Name
(Optional) |
Uses only Subject Alternative Name (SAN) certificate matching. |
| Accept Wildcard Certificate
(Optional) |
Allows the use of wildcards in certificate matching. |
| Check Revocation
(Optional) |
Checks against certificate revocation lists (CRLs) whether the certificate has been revoked. The certificate must be signed by a valid certificate authority. |
| Delay CRL Fetching For (Optional, NGFW Engine only) |
The time interval for the NGFW Engine to fetch the CRL. If the CRL expires sooner than the specified
interval, the CRL expiration value defines the interval for fetching the CRL. This setting is ignored when the TLS Profile element is used for a Management Server or a Log Server. |
| Ignore OCSP Failures For (Optional, NGFW Engine only) |
The number of hours for which the NGFW Engine ignores OCSP failures. This setting is ignored when the TLS Profile element is used for a Management Server or a Log Server. |
| Ignore Revocation Check Failures if There Are Connectivity Problems (Optional, NGFW Engine only) |
When selected, the NGFW Engine ignores all CRL check failures if connectivity problems are detected. This setting is ignored when the TLS Profile element is used for a Management Server or a Log Server. |
| Category (Optional) |
Includes the element in predefined categories. Click Select to select a category. |
| Comment (Optional) |
A comment for your own reference. |
Internal Certificate Authority Properties dialog box
Use this dialog box to view the details of an Internal Certificate Authority element or to export the certificate of an internal certificate authority.
| Option | Definition |
|---|---|
| General tab | |
| Name | The name of the element. |
| Subject Name | The identifier of the certified entity. |
| Public Key Algorithm | The algorithm used for the public key. |
| Key Length | The length of the key in bits. |
| Serial Number | The sequence number of the certificate. The number is issued by the CA. |
| Signature Algorithm | The signature algorithm that was used to sign the certificate. |
| Signed By | The CA that signed the certificate. |
| SubjectAltName | The subject alternative name fields of the certificate. |
| Valid From | The start date of certificate validity. |
| Valid To | The end date of certificate validity. |
| Fingerprint (SHA-1) | The certificate fingerprint using the SHA-1 algorithm. |
| Fingerprint (SHA-256) | The certificate fingerprint using the SHA-256 algorithm. |
| Fingerprint (SHA-512) | The certificate fingerprint using the SHA-512 algorithm. |
| Status | The status of the internal certificate authority. |
| Option | Definition |
|---|---|
| Certificate tab | |
| Certificate text area | The contents of the certificate. |
| Export | Exports the certificate text. |
| Import | Opens a file browser to import a certificate file. |