Firewall Redirect: Forwarding Traffic to the Forcepoint Cloud Service
Firewall Redirect | Forcepoint Web Security Cloud
Firewall redirection is a simple and effective method for sending web traffic to the cloud service. Firewall redirection is easy to configure and maintain, with no configuration required on client machines - traffic is redirected transparently. Firewall redirection works for both HTTP and HTTPS traffic. NTLM and basic authentication are supported.
Firewall redirection is well suited for:
Guest Wi-Fi networks where users do not belong to a domain, and authentication and SSL decryption are not required
Branch offices in hybrid deployments (where no on-premises appliance is installed)
Other deployments where the Forcepoint Web Security Endpoint client or proxy auto-config (PAC) files cannot be used - for example, where there are unmanaged devices that require web enforcement.
Important
Cloud service firewall redirection does not provide automatic data center failover.
Where transparent redirection with automatic failover is required, please use Forcepoint GRE or IPsec connectivity.
This document includes the following topics:
Supported devices
Configuration for firewall redirection
Device configuration examples
Cloud service IP addresses
Configuring end-user authentication with firewall redirect
Configuring proxy bypass destinations with firewall redirect
Limitations and known issues
Supported devices
The following devices have been tested and verified to support firewall redirection to the Forcepoint cloud service:
Forcepoint NGFW (ports 80, 443)
Aruba Networks (ports 80, 443)
Check Point Enterprise Firewall (ports 80, 443)
Cisco ASA (ports 80, 443)
Juniper SSG (ports 80, 443)
Juniper SRX (ports 80, 443)
SonicWall (port 80 only)
Note
Cisco ISR and Palo Alto devices do not support firewall redirection to the Forcepoint cloud service.
Configuration for firewall redirection
The requirements for using firewall redirect are as follows:
All web traffic must exit your network through an edge device (such as a supported firewall or router).
Port forwarding (NAT and PAT) must be configured on the edge device to forward web traffic on ports 80 and 443 to specific Forcepoint data center IP addresses and ports:
Forward port 80 (HTTP) traffic to port 8081
Forward port 443 (HTTPS) traffic to port 8443
Different IP addresses must be used, per data center, for cloud and hybrid configurations. See Cloud service IP addresses.
Note
When using Forcepoint NGFW for firewall redirection to the cloud service in Generic Proxy mode, use port 8081 as the destination port for both HTTP and HTTPS.
The following diagram shows an edge device redirecting traffic to a Forcepoint data center. Port 80 (HTTP) traffic is forwarded to port 8081, while port 443 (HTTPS) traffic is forwarded to port 8443. Traffic is forwarded to the IP address of the geographically closest data center.
Preventing data leakage
As a best practice, Forcepoint recommends that you lock down your firewall to prevent traffic leakage via different protocols and ports. In particular, Google Chrome can default to the experimental QUIC protocol, which uses UDP on port 443. We recommend that you block UDP traffic on port 443 in order to force traffic over TCP. For more information, see the Knowledge Base article "Google QUIC protocol is not supported by the Forcepoint cloud service".
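The following is an added example, not Forcepoint's code or a vendor configuration: it models the edge-device policy described in the two sections above as an ordered, first-match rule set (TCP/80 to port 8081, TCP/443 to port 8443, UDP/443 dropped, plus the NGFW Generic Proxy variant where both go to 8081) and audits a weak rule set that lacks the UDP/443 block against the hardened one. The data center address, probe addresses and the Flow/rule names are constructed placeholders; take the real data center IP addresses from the Cloud service IP addresses section for your region and deployment type.

```python
from dataclasses import dataclass, replace

DC_IP = "203.0.113.10"  # placeholder (TEST-NET-3), not a real data center address
WEB_PORTS = (80, 443)

@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    dst_ip: str
    dst_port: int

# A rule is (proto, dst_port, action); action is ("dnat", ip, port) or ("drop",).
# Rules are evaluated first-match, like an ordinary firewall policy.
WEAK_RULES = [                                   # port forwarding only
    ("tcp", 80, ("dnat", DC_IP, 8081)),          # HTTP  -> data center :8081
    ("tcp", 443, ("dnat", DC_IP, 8443)),         # HTTPS -> data center :8443
]
HARDENED_RULES = [("udp", 443, ("drop",))] + WEAK_RULES   # QUIC blocked first
NGFW_GENERIC_PROXY_RULES = [                     # Generic Proxy mode: both to 8081
    ("udp", 443, ("drop",)),
    ("tcp", 80, ("dnat", DC_IP, 8081)),
    ("tcp", 443, ("dnat", DC_IP, 8081)),
]

def apply_rules(rules, flow):
    """Return the flow as it leaves the edge device, or None if it is dropped."""
    for proto, port, action in rules:
        if flow.proto == proto and flow.dst_port == port:
            if action[0] == "drop":
                return None
            return replace(flow, dst_ip=action[1], dst_port=action[2])
    return flow  # no match: forwarded to its original destination

def audit_web_leakage(rules, probes):
    """List probe flows on web ports that would egress without reaching DC_IP."""
    leaks = []
    for f in probes:
        out = apply_rules(rules, f)
        if f.dst_port in WEB_PORTS and out is not None and out.dst_ip != DC_IP:
            leaks.append(f)
    return leaks

# Constructed probes: what a browser behind the firewall may emit.
PROBES = [
    Flow("tcp", "198.51.100.7", 80),    # plain HTTP
    Flow("tcp", "198.51.100.7", 443),   # HTTPS
    Flow("udp", "198.51.100.7", 443),   # Chrome QUIC attempt
    Flow("tcp", "198.51.100.7", 53),    # DNS, outside the scope of the redirect
]
```

Running `audit_web_leakage(WEAK_RULES, PROBES)` reports the UDP/443 probe as a leak, while the hardened and Generic Proxy rule sets report none.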
Device configuration examples
Detailed configuration examples for the following devices can be found in the Forcepoint Knowledge Base:
Aruba
Check Point
Cisco ASA
Juniper SSG
SonicWall
You must be logged in to My Account to see these articles.
Copyright 2022 Forcepoint. All rights reserved.