Content Gateway advanced analysis options

Administrator Help | Forcepoint Web Security | v8.5.x

Related topics:

Configuring Content Gateway analysis

Configuring content categorization

Configuring content security

Configuring file analysis

Content Gateway outbound security analysis

Configuring exceptions to Content Gateway analysis

Reporting on advanced real-time analysis

Use these options to:

Set the sensitivity level of Content Categorization and Content Security analysis.

Set the analysis time limit for all incoming traffic.

Set the analysis size limit for all incoming traffic.

Enable stripping of specific types of code from HTML content for all incoming traffic.

Content categorization and scanning sensitivity level

The algorithms used to perform content categorization and analysis are tuned by Forcepoint Security Labs to provide optimal results for most organizations. If the Optimized setting does not produce the results you expect, however, you can adjust the sensitivity level of the analytics.

The sensitivity levels affect how strictly real-time analysis applies its criteria to determine whether analyzed content contains a threat, or needs to be recategorized.

When more strict criteria are used, fewer sites are found to be threats, and fewer sites are recategorized in real time.

This may increase the number of false negatives, where risky sites are treated as safe.

When less strict criteria are used, more sites meet the criteria for threats or recategorization.

This may increase the number of false positives, where innocuous sites are treated as risky.

If you are receiving too many false positives, adjust the sensitivity level to the right (more strict). This means that a site will have to meet a higher threshold (match more criteria) to be considered malicious or require recategorization.

If you believe that sites that should have been blocked are being permitted, adjust the sensitivity level to the left (less strict). This means a site won't have to reach so high a threshold (match fewer criteria) to be considered malicious or require recategorization.

If you make an adjustment, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Scanning timeout

Each content or file analysis consumes a variable amount of time that cannot be determined before analysis begins. By default, to ensure a good user experience, analysis is limited to 1.5 seconds (1500 milliseconds). To adjust the timeout, select Custom and enter a value within the range 500 - 10000 (milliseconds).

Scan size limit

The scan size limit is the threshold to which analysis is performed. Analysis stops when the threshold is reached. The default is 10 MB. To change the value, select Custom and enter a size in megabytes.

Content delay handling

Depending on the Content Gateway configuration and load conditions, very large files, streamed transactions, and slow origin servers can leave clients waiting for content.

The options in this section provide a tool for delivering a portion of buffered content to the client before analysis is performed. Analysis begins when all data is received or the scan size limit is exceeded.

Use Begin returning data to the client after to specify a time period after which a percentage of buffered data is released to the client. The default is 30 seconds. Select Custom to enter another value.

Use Specify how much data to return to the client to specify the percentage of buffered data to release to the client. The default is 80 percent. Select Custom to enter a different value, up to 90 percent.

Content stripping

Threats to your system can be hiding in active content sent via web pages. Active content is content that is embedded in the HTML page that performs actions, such as running an animation or a program.

The content stripping options make it possible to specify that content in particular scripting languages (ActiveX, JavaScript, or VB Script) be stripped from incoming web pages. If content stripping is enabled, all content in the specified scripting languages is removed from sites flagged as containing dynamic content or appearing on the Always Scan list (see Configuring Content Gateway analysis).

Content is removed only after the advanced analysis options have categorized the site and Filtering Service has determined which policy applies.


	Warning Web pages that rely on active content that has been stripped do not function as expected. To permit full access to sites that require active content, disable content stripping or add the sites to the Never Scan list.

The user requesting a page with active content does not receive any notification that content has been removed.

Use the Settings > Scanning > Scanning Options > Advanced Options area to set content stripping options.

In the Advanced Options > Content Stripping area, select the types of scripting languages to be removed from incoming web pages.

To disable content stripping for a selected language, clear the associated check box.

When you are finished, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.


	Warning Content stripping can result in some content being garbled and unreadable. You can reduce the number of such occurrences by making a small change to the Content Gateway configuration. 1) Open the Content Gateway manager and go to the Configure > Protocols > HTTP > Privacy tab. 2) In the Remove Headers > Remove Others field, add: Accept-Encoding 3) Click Apply and restart Content Gateway.