Firewall Redirect: Forwarding Traffic to the Forcepoint Cloud Service

Documentation | Support

Go to the table of contents

Go to the previous page

Go to the next page

View or print as PDF

Firewall Redirect: Forwarding Traffic to the Forcepoint Cloud Service

Firewall Redirect: Forwarding Traffic to the Forcepoint Cloud Service

Firewall Redirect | Forcepoint Web Security Cloud

Firewall redirection is a simple and effective method for sending web traffic to the cloud service. Firewall redirection is easy to configure and maintain, with no configuration required on client machines - traffic is redirected transparently. Firewall redirection works for both HTTP and HTTPS traffic. NTLM and basic authentication are supported.

Firewall redirection is well suited for:

Guest Wi-Fi networks where users do not belong to a domain, and authentication and SSL decryption are not required

Branch offices in hybrid deployments (where no on-premises appliance is installed)

Other deployments where the Forcepoint Web Security Endpoint client or proxy auto-config (PAC) files cannot be used - for example, where there are unmanaged devices that require web enforcement.


	Important Cloud service firewall redirection does not provide automatic data center failover. Where transparent redirection with automatic failover is required, please use Forcepoint GRE or IPsec connectivity.

This document includes the following topics:

Supported devices

Configuration for firewall redirection

Device configuration examples

Cloud service IP addresses

Configuring end-user authentication with firewall redirect

Configuring proxy bypass destinations with firewall redirect

Limitations and known issues

Supported devices

The following devices have been tested and verified to support firewall redirection to the Forcepoint cloud service:

Forcepoint NGFW (port 80, 443)

Aruba Networks (ports 80, 443)

Check Point Enterprise Firewall (ports 80, 443)

Cisco ASA (ports 80, 443)

Juniper SSG (ports 80, 443)

Juniper SRX (ports 80, 443)

SonicWall (port 80 only)


	Note Cisco ISR and Palo Alto devices do not support firewall redirection to the Forcepoint cloud service.

Configuration for firewall redirection

The requirements for using firewall redirect are as follows:

All web traffic must exit your network through an edge device (such as a supported firewall or router).

Port forwarding (NAT and PAT) must be configured on the edge device to forward web traffic on ports 80 and 443 to specific Forcepoint data center IP addresses and ports:

Forward port 80 (HTTP) traffic to port 8081

Forward port 443 (HTTPS) traffic to port 8443

Different IP addresses must be used, per data center, for cloud and hybrid configurations. See Cloud service IP addresses.


	Note When using Forcepoint NGFW for firewall redirection to the cloud service in Generic Proxy mode, use port 8081 as the destination port for both HTTP and HTTPS.

The following diagram shows an edge device redirecting traffic to a Forcepoint data center. Port 80 (HTTP) traffic is forwarded to port 8081, while port 443 (HTTPS) traffic is forwarded to port 8443. Traffic is forwarded to the IP address of the geographically closest data center.

Preventing data leakage

As a best practice, Forcepoint recommends that you lock down your firewall to prevent traffic leakage via different protocols and ports. In particular, Google Chrome can default to the experimental QUIC protocol, which uses UDP on port 443. We recommend that you block UDP traffic on port 443 in order to force traffic over TCP. For more information, see the Knowledge Base article Google QUIC protocol is not supported by the Forcepoint cloud service.

Device configuration examples

Detailed configuration examples for the following devices can be found in the Forcepoint Knowledge Base:

You must be logged in to My Account to see these articles.

Go to the table of contents

Go to the previous page

Go to the next page

View or print as PDF

Firewall Redirect: Forwarding Traffic to the Forcepoint Cloud Service

Copyright 2022 Forcepoint. All rights reserved.