Data Protection Settings

Use the Account > Data Protection Settings page to enable and configure the integration with Data Protection Service, part of Forcepoint DLP. With this integration, enterprise data security, including blocking or monitoring data loss, is handled by the Data Protection Service (DPS), rather than the cloud proxies or relays. The cloud proxies and relays continue to handle all other aspects of processing web and email traffic.


	Note Data Protection Service integration requires an additional license. If you would like further information on integrating with Data Protection Service, contact your account manager.

To monitor and prevent data loss using the Data Protection Service:

In the Tenant Information section, upload the configuration file provided by Forcepoint in the fulfillment email you received. This file provides the information needed to connect the cloud service to DPS and is the same file used when configuring Data Protection Service in the Data module of the on-premises Forcepoint Security Manager.

Click Browse, then locate and select the file.

The filename appears in the Configuration file entry.

Click Upload.

When the upload is successful, the remaining fields are automatically populated.

The Browse and Upload buttons are not available for users with View Configuration permissions.

Use the Web Defaults section to configure how data security is handled in new web policies.

Select the option to be used, by default, when adding a policy.

When Use DLP Lite is selected, a Data Security tab is available for new policies.

When a policy uses DLP Lite, basic data protection is provided by the cloud proxy.

When Use Data Protection Service is selected, a Data Protection tab is available when adding a new policy.

When a policy uses Data Protection Service, enterprise data protection is provided and handled by Forcepoint DLP through the data protection service. DPS is an external service that is part of the on-premises Forcepoint DLP product.

User requests considered to represent a potential data security risk are forwarded to Data Protection Service by the proxy. DPS then determines the risk and returns a response telling the proxy to block or allow the request.

When a user is not identified, DPS returns specific allow or block instructions only if a DLP policy for all sources exists. If all DLP policies apply to specific users or groups, no match is found and the proxy allows the request.


	Important The same user information must exist in both Forcepoint Web Security Cloud and Forcepoint DLP in order for user requests to be accurately inspected by Forcepoint DLP.

Accept the default provided or enter a new value for DPS timeout. This value determines the length of time, in seconds, that the cloud service waits for a response from DPS after sending an inspection request.

Select Block or Allow as the DPS fallback behavior if a timeout or other error occurs. If a response from DPS is not received within the time configured in DPS timeout, the user request will be blocked or allowed based on this setting.

Use the tables to change the data security selection for existing policies.

Each list contains the existing policies that currently use the data security option indicated in the table heading. Use the arrows to move selected polices from one list to the other. When the changes are saved, the policies are updated to include the new data security type.


	Note Return to Web > Policy Management > Policies and edit each of the changed policies to fully configure the new data security option. Otherwise, default values are applied to the policy.

Click Export in the Export Categories to DPS section to create an xml file containing all web categories, including Forcepoint URL Database categories, account-level custom categories, and policy-level custom categories. This file can then be uploaded to DPS and the categories can be used when defining Forcepoint DLP policies. Note that the export needs to be repeated each time a new custom category is added.

The Export button is not available for users with View Configuration web permissions.

Log records (web) with DPS

Records returned to the cloud proxy from DPS do not contain all of the data elements included in log records generated by Data Security (DLP Lite).

In addition, when the timeout is exceeded, the request is blocked or allowed based on the fallback selection but no log record is generated.


	Important Requests that include files that exceed 10MB in size are not forwarded to Data Protection Service. These requests are allowed and no log record is generated.