Integrate on-premises DLP servers with Forcepoint NGFW

You can integrate on-premises DLP servers, such as Forcepoint DLP, with Forcepoint NGFW and use them as a scanning method in the file filtering policy.

Before you begin

To use TLS to secure the connection to the DLP server, you must:
  • Create a TLS Profile element that specifies the settings for cryptography, trusted certificate authorities, and the TLS version used in TLS-protected communication with the DLP server.
  • Configure TLS on the ICAP server or in the environment in which the TLS server is deployed. See the documentation for your DLP server for more information.

DLP scanning is typically used for outbound file transfers to prevent sensitive data from being sent out. DLP scanning is supported for the following protocols: FTP, HTTP, HTTPS, IMAP, IMAPS, POP3, POP3S, and SMTP.

NGFW Engines communicate with the integrated DLP servers using the ICAP protocol. ICAP Server elements represent the DLP servers. You can integrate one or more ICAP servers with the NGFW Engine. When you integrate multiple ICAP servers, traffic is balanced between the ICAP servers.

The NGFW Engine sends files to the ICAP server, then allows or blocks the file transfers depending on the response it receives from the ICAP server. The NGFW Engine can optionally add headers to the request to communicate the user and IP address from which the original request came to the ICAP server. You can specify the header names to use for each of these headers. By default, the standard names are used. If you leave the name of the header blank, the specified header is not sent to the ICAP server.

Integrating on-premises DLP servers with Forcepoint NGFW has the following limitations:

  • Only the ICAP protocol is supported. The DLP server must support ICAP.
  • Only the REQMOD method is supported for sending files to the DLP server.
  • Only on-premises DLP servers are supported. Cloud-based DLP services are not supported.

Each NGFW Engine node is counted as a separate client of each ICAP server. The same NGFW Engine node can make several connections to the same ICAP server, up to the Max-Connections value returned in the server’s OPTIONS response. Make sure that the Max-Connections value for the ICAP server is large enough to allow all connections from all NGFW Engine nodes with which it is integrated. For more information about adjusting the Max-Connections value, see the documentation of your DLP server.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Create an ICAP Server element to represent the DLP server.
    1. Select Configuration, then browse to Network Elements.
    2. Right-click Servers, then select New > ICAP Server.
    3. (Optional) To enable TLS for ICAP connections, select Secure ICAP, then select a TLS Profile element.
    4. Configure the settings, then click OK.
  2. Enable ICAP for data protection on the NGFW Engine.
    1. Select Configuration.
    2. Right-click an engine, then select Edit <element type>.
    3. Browse to Add-Ons > Data Protection.
    4. Select Enable ICAP for data protection.
    5. Click Add next to the ICAP Servers field, then add one or more ICAP Server elements.
    6. Click Save and Refresh to transfer the changed configuration.

Result

You can now use the DLP scan for data protection in the File Filtering Policy.

ICAP Server Properties dialog box

Use this dialog box branch to define ICAP Server elements for DLP scanning.

Option Definition
General tab
Name The name of the element.
IP Address Enter the IPv4 address, IPv6 address, or fully qualified domain name (FQDN) of the ICAP server.
Port Enter the port number for communication between NGFW Engines and the ICAP server.

The default ports are 1344 for ICAP and 11344 for ICAP with TLS.

Path Enter the path of the ICAP service on the ICAP server. The default value is reqmod.
Full URL

(Not editable)

Shows the full URL for sending requests to the ICAP server.

The URL consists of the values of the IP Address, Port, and Path fields. For example:

icap://icap.example.com:1344/reqmod

Secure ICAP

(Optional)

When selected, TLS is used to secure the connection to the ICAP server.
TLS Profile

Specifies the settings for cryptography, trusted certificate authorities, and the TLS version used in TLS-protected traffic.

Click Select to select a TLS Profile element.

Include X-Headers

(Optional)

When selected, the NGFW Engine adds the specified headers to the request to communicate the user and IP address from which the original request came to the ICAP server.
Username The header name for the header that specifies the user from which the original request came. The default value is X-Authenticated-User.

To prevent the header from being added to the request, remove the header name from the field.

Client IP Address The header name for the header that specifies the IP address of the client from which the original request came. The default value is X-Client-IP.

To prevent the header from being added to the request, remove the header name from the field.

Server IP Address The header name for the header that specifies the IP address of the server from which the original request came. The default value is X-Server-IP.

To prevent the header from being added to the request, remove the header name from the field.

Category

(Optional)

Includes the element in predefined categories. Click Select to select a category.
Tools Profile Adds commands to the right-click menu for the element. Click Select to select an element.
Comment

(Optional)

A comment for your own reference.
Option Definition
Monitoring tab
Log Server The Log Server that monitors the status of the element.
Status Monitoring When selected, activates status monitoring for the device. You must also select the Probing Profile that contains the definitions for the monitoring. When you select Status Monitoring, the element is added to the tree in the Home view.
Probing Profile Shows the name of the selected Probing Profile. Click Select to select a Probing Profile element.
Log Reception Activates syslog reception from this device. You must select the Logging Profile that contains the definitions for converting the syslog entries to SMC log entries. You must also select the Time Zone in which the device is located. By default, the local time zone of the computer you are using is selected.
Logging Profile Shows the name of the selected Logging Profile. Click Select to select a Logging Profile element.
Time Zone Selects the time zone for the logs.
Encoding Selects the character set for log files.
SNMP Trap Reception Enables the reception of SNMP traps from the third-party device.
NetFlow Reception Enables the reception of NetFlow data from the third-party device. The supported versions are NetFlow v5, NetFlow v9, and IPFIX (NetFlow v10).
Option Definition
NAT tab

(All optional settings)

Firewall Shows the selected firewall.
NAT Type Shows the NAT translation type: Static or Dynamic.
Private IP Address Shows the Private IP Address.
Public IP Address Shows the defined Public IP Address.
Port Filter Shows the selected Port Filters.
Comment An optional comment for your own reference.
Add NAT Definition Opens the NAT Definition Properties dialog box.
Edit NAT Definition Opens the NAT Definition Properties dialog box for the selected definition.
Remove NAT Definition Removes the selected NAT definition from the list.

Engine Editor > Add-Ons > Data Protection

Use this branch to enable ICAP for data protection on the NGFW Engine.

Option Definition
Enable ICAP for data protection When selected, the NGFW Engine sends files to the specified ICAP servers for DLP scanning.
ICAP Servers list

Click Add to add an element to the list, or Remove to remove the selected element.

If you add multiple ICAP servers, traffic is balanced between the ICAP servers.