Configuring your firewall
Deploying an I Series Appliance | Forcepoint Web Security Cloud
By default, the appliance uses the standard destination TCP ports 80 and 443 for connections to the cloud service. If your network includes a firewall, ensure these ports are open.
Alternatively, depending on your corporate firewall policy, you can configure the appliance to use the following ports, which are the ones used for non-appliance connections to the cloud service:
Configuration and policy update information retrieval from Forcepoint Web Security Cloud. This port must be open for an I Series appliance to retrieve periodic configuration and policy updates from the cloud service.
Proxy service. This is where the cloud-based content analysis is provided.
Notification page components. The default notification pages refer to style sheets and images served from the Forcepoint Web Security Cloud cloud platform. For these pages to appear correctly, this Web site is accessed directly (i.e., not through the cloud service).
Service administration. The cloud portal is similarly unproxied. Otherwise, it would be possible for you to accidentally block access and then be unable to rectify the situation.
You can switch between the standard and alternative ports at any time using the appliance command-line interface (CLI). To switch port settings:
1.
2. Type device.
   cmd> device
3.
   device> use_standard_ports yes
   for the standard ports 80 and 443
   device> use_standard_ports no
   for the alternative ports 8002 and 8081, plus 80 and 443
The CLI returns the confirmation Done when the ports have been switched. If the ports are already set to the option you specify, the CLI returns Not changed.
You must also open outbound UDP port 123 to enable the appliance to synchronize its clock with the Network Time Protocol.
To guarantee availability, Forcepoint Web Security Cloud uses global load balancing technology to direct traffic across multiple geographic locations. Content analysis is typically performed by the cloud service proxies closest to the end user. In the event of localized or Internet-wide connectivity issues, the global load balancing technology automatically routes requests to the next closest location. To make the most of the resilience offered by this infrastructure, users must be allowed to connect to the entire cloud service network, both those IP addresses that the service uses now and those that may be deployed in the future.
If you decide to lock down your firewall, you should permit all the IP address ranges in use by the Forcepoint cloud service for all the above ports. These ranges are published in the Knowledge Base article Cloud service data center IP addresses and port numbers. Note that you must log on to your Forcepoint support account to view this article.
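The following is an added example, not part of the Forcepoint documentation: a Python check that compares an exported egress allow list against the flows this page requires in each port mode. The rule dictionary format, the function names, and all IP prefixes are assumptions (the prefixes are documentation-only placeholders; the real ranges are in the Knowledge Base article), and the check ignores rule ordering and deny rules.

```python
import ipaddress

# Ports taken from the page: the standard set, and the alternative set
# (8002 and 8081, plus 80 and 443). UDP 123 is needed in both modes for NTP.
STANDARD_TCP = {80, 443}
ALTERNATIVE_TCP = {80, 443, 8002, 8081}
NTP_UDP = 123


def required_egress(cloud_ranges, ntp_ranges, use_standard_ports):
    """Return the set of (proto, network, port) flows the appliance needs."""
    tcp_ports = STANDARD_TCP if use_standard_ports else ALTERNATIVE_TCP
    flows = {("tcp", ipaddress.ip_network(r), p)
             for r in cloud_ranges for p in tcp_ports}
    flows |= {("udp", ipaddress.ip_network(r), NTP_UDP) for r in ntp_ranges}
    return flows


def covers(rule, flow):
    """True if one allow rule permits the whole destination range of a flow."""
    proto, net, port = flow
    rule_net = ipaddress.ip_network(rule["dst"])
    return (rule["action"] == "allow"
            and rule["proto"] == proto
            and rule["port_lo"] <= port <= rule["port_hi"]
            and net.version == rule_net.version
            and net.subnet_of(rule_net))


def missing_egress(rules, cloud_ranges, ntp_ranges, use_standard_ports):
    """List required flows not fully covered by any single allow rule."""
    needed = required_egress(cloud_ranges, ntp_ranges, use_standard_ports)
    gaps = [f for f in needed if not any(covers(r, f) for r in rules)]
    return sorted((p, str(n), port) for p, n, port in gaps)


# Constructed sample data in a hypothetical rule format; not Forcepoint ranges.
CLOUD = ["192.0.2.0/24", "198.51.100.0/25"]
NTP = ["203.0.113.10/32"]
RULES = [
    {"action": "allow", "proto": "tcp", "dst": "192.0.2.0/24", "port_lo": 80, "port_hi": 80},
    {"action": "allow", "proto": "tcp", "dst": "192.0.2.0/24", "port_lo": 443, "port_hi": 443},
    {"action": "allow", "proto": "tcp", "dst": "198.51.100.0/24", "port_lo": 80, "port_hi": 443},
    {"action": "allow", "proto": "tcp", "dst": "192.0.2.0/25", "port_lo": 8002, "port_hi": 8081},
]

if __name__ == "__main__":
    for mode in (True, False):
        print(mode, missing_egress(RULES, CLOUD, NTP, mode))
```

In the sample data, the rule for 8002 through 8081 covers only half of the first placeholder range, so the check reports it as a gap once the appliance is switched to the alternative ports.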

Copyright 2022 Forcepoint. All rights reserved.