Configuration steps

Forcepoint GRE Guide | Forcepoint Web Security Cloud and Hybrid Solutions

This section details the configuration process for setting up your service for GRE connectivity, and covers the following topics:

Step 1: Cloud portal configuration

Step 2: device configuration

Step 1: Cloud portal configuration

Add your GRE device in the cloud portal, via the Web > Device Management page (this requires that your administrator account has the Manage Edge Devices permission). To add a device:

Define the device name, type, public IP address, and an optional description.

Under Points of Presence (PoPs), use the drop-down lists provided to select the two most appropriate points of presence (data center or local PoP) to connect to.

Select a default policy to handle traffic from your GRE device.

Optionally, define specific policies to apply to different internal networks managed by your device.

For each connection, the destination (PoP) inner tunnel address and source (edge device) inner tunnel IP address are provided when the data is saved. You will need these addresses to configure the tunnel on your device.

See Managing Network Devices in the Forcepoint Web Security Cloud help for further details, including information on bulk uploading devices using a CSV file.


	Note By default, you can create 200 tunnel connections for your account. To add more connections, contact your sales account manager to discuss your requirements.

Step 2: device configuration

Configure your device for GRE connectivity based on the manufacturer's guidelines, using the IP addresses provided by Forcepoint. Configure your device to forward port 80 and port 443 traffic through the GRE tunnel.

You will need the destination (PoP) inner tunnel address and source (edge device) inner tunnel address for each connection. These are available in the cloud portal.

Two point of presence (data center or local PoP) connections are provided for each device. Forcepoint strongly recommends that you configure your device to fail over to the secondary tunnel to achieve cluster redundancy.

An example GRE configuration is shown in the diagram below. (Note that the addresses used below are examples only.)

Example configuration instructions for Juniper SRX and Cisco ISR are provided in the section Example device configuration.


	Important Once you have completed device configuration, ensure that the remote inner tunnel IP address can be pinged.

Maximum segment size (MSS)

The encapsulation overhead of the GRE tunnel means that TCP sessions sent over the tunnel must be limited to a lower Maximum Segment Size (MSS) than usual. Most TCP clients will propose an MSS value of 1460 bytes when connecting over an Ethernet network. The GRE encapsulation overhead comprises 24 bytes (4 bytes for the GRE header, and 20 bytes for the inner IP header).

TCP clients must use an MSS value of no more than 1436 bytes for GRE. This can often be achieved by using the MSS clamping feature of a firewall or router, to ensure that any TCP traffic sent down the GRE tunnel is limited to an MSS value of 1436.

Where the WAN connection to Forcepoint's points of presence is using the IPoE or PPPoE protocol, the MSS value may need to be lower still, to account for the encapsulation overhead of the WAN connection.

To display the current MSS setting for your tunnel interface, use the appropriate "show interface" command on your edge device.

Preventing data leakage

As a best practice, Forcepoint recommends that you lock down your firewall to prevent traffic leakage via different protocols and ports. In particular, Google Chrome can default to the experimental QUIC protocol, which uses UDP on port 443. We recommend that you block UDP traffic on port 443 in order to force traffic over TCP. For more information, see the Knowledge Base article Google QUIC protocol is not supported by the Forcepoint cloud service.