Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Tailoring your policies
The default policy you configured using the initial setup applies a standard set of enforcement actions to all users in your organization. (For reference, the standard default web configuration is summarized in the topic Standard Web Configuration in the Web Security Cloud help.)
Forcepoint Web Security Cloud also allows you to create more granular policy configuration on an IP address, user or group basis. For example, specific users or departments may be permitted to access particular web resources, or you may define times of day when certain resources are restricted or permitted for some users. For data security, some users may be permitted to share sensitive information, while it is restricted for others.
There are a number of ways to make your web policies more granular:
The approach you take depends on the scale and complexity of your setup. You may deploy a combination of the above methods.
Web category filtering
Forcepoint Web Security Cloud includes over 95 website categories, designed to help you apply policy filtering to your organization's web traffic. Website classifications are drawn from the Forcepoint URL Database, the industry's most accurate, current, and comprehensive classification of URLs. Website classifications are updated according to automated threat monitoring from Forcepoint Threatseeker Intelligence, research by Forcepoint Security Labs, and intelligence from customer feedback.
In addition to standard categories, you can create your own custom categories in order to classify specific websites. Use the Policy Management > Custom Categories page to define your own categories.
Click the Web Categories tab in a policy to configure the action you want to take when users try to access websites in each of the categories.
In the standard categories section, child categories are indented under their parent categories. Parent categories allow specific categories to be grouped by a more generic description. You can set an action for a parent category without it affecting the child category, or apply the action to all sub-categories.
The following actions can be applied to your categories:
Allow access means that any website within the category is always accessible, regardless of whether it exists in another category that has the Block access action. (Note: websites blocked by a security category override this action, and are always blocked.)
Do not block ensures that the site is not blocked under this rule, but if it also exists in another category that has an action of Block access, it is blocked under that category.
Confirm means that users receive a block page, asking them to confirm that the site is being accessed for business purposes. Clicking Continue enables the user to view the site, and starts a timer. During a configurable time period (10 minutes by default), the user can visit any site that requires confirmation without receiving another block page. Once the time period ends, browsing to these sites requires the user to click Confirm again.
Use Quota means that users receive a block page, asking them whether to use quota time to view the site. If users click Use Quota Time, they can view the site for a configurable period.
Clicking Use Quota Time starts two timers: a quota session timer and a total quota allocation timer. The session length and total quota time available for each category depend on the options selected on the General tab.
Block access blocks access to websites in this category unless they exist in another category with the Allow access action. When a site is blocked, you can choose a notification page to be displayed.
For more information, see Web Categories tab in the Web Security Cloud help.
Category exceptions
Exceptions allow the default action for a web category to be overridden for specified users and groups of users, and for defined time periods. For example, you can allow users to access certain categories outside of working hours, or apply a time quota between certain hours.
Define exceptions for a policy under Category Exceptions on the Web Categories tab. You can click a category to view the exception rules that apply to it.
Click Add to add a new exception.
For more information, see Exceptions in the Web Security Cloud help.
Testing filtering actions
To test how the proxy filters a specific website, use the Filtering Test feature on the Web > Policies page.
This feature can be used to test a specific URL for a named user, for traffic from your current IP address, an unknown IP address, or a specific IP address.
Enable file blocking
In addition to category-based web filtering, Forcepoint Web Security Cloud allows you to block users from accessing specific file types. File types can be blocked based on extension, or based on true file type. True file type blocking scans the file itself to determine its format, regardless of its extension.
File blocking can be configured per web category, or per user and group. For example, you can enable the Sports category, but prevent users from downloading multimedia files from sites in that category.
Configure file blocking via the File Blocking tab of your policy. For more information, see File Blocking tab in the Web Security Cloud help.
Enable data security features
Use the Data Security tab to monitor and prevent the loss of sensitive data and intellectual property via the web. You can protect intellectual property, data that is protected by national legislation or industry regulation, and data suspected to be stolen by malware or malicious activities.
The service has a default set of content classifiers that can identify data types that are important for regulatory compliance, and you can create custom content classifiers that are used to identify intellectual property and other protected data types important for your organization. Once defined, these classifiers can be used to identify and filter traffic that may constitute attempted data theft. This traffic can be blocked, or monitored for reporting purposes. Configure content classifiers via Web > Content Classifiers. Configure data security settings in your policies using the Data Security tab.
For more information on getting started with this feature, see Data Loss Prevention in Forcepoint Web Security Cloud on the Forcepoint Support site.
ACE security scanning
The Forcepoint Advanced Classification Engine (ACE) identifies and classifies security threats such as malware, viruses, and compromised websites, in real time before they can enter your network. ACE is built into Forcepoint Web Security Cloud, and enabled by default with a standard set of scanning options. You can adjust your level of protection by selecting the types of sites, files, and applications whose content is analyzed, and defining exceptions for trusted hostnames.
View and edit your ACE settings via the Web Content & Security tab of your policy. For more information, see Web Web Content & Security tab in the Web Security Cloud help.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Copyright 2022 Forcepoint. All rights reserved.