v8.2.0 Release Notes for Web Protection Solutions : New in Web Protection Solutions
New in Web Protection Solutions
Release Notes | TRITON AP-WEB and Web Filter & Security | 27-Apr-2016
The TRITON Settings Help, TRITON AP-WEB Administrator Help, and Content Gateway Help are available in Japanese as well as English for 8.2.x. The language selection for Help for modules of TRITON Manager (including TRITON AP-WEB) can be changed on the TRITON Settings > My Account page. The language selection for Content Gateway Help can be changed on the Configure > My Proxy > UI Setup > General page in the Content Gateway manager.
TRITON APX
Version 8.0 was the first product release that used the new, simplified product naming and grouping of the familiar TRITON product line.
Security enhancements
Research to assess potential vulnerabilities or security issues has continued. Miscellaneous security improvements have been made in version 8.2.0, including an upgrade to OpenSSL version 1.0.1q.
Look and feel enhancements
To support the transition from Raytheon | Websense to Forcepoint LLC, TRITON Manager has a new look and feel. The colors and logos, as well as the logon screen and the toolbar, have been updated to reflect the Forcepoint brand.
In addition, if you are using the default block and notification pages, end users will see that the Websense logo has been replaced by the Forcepoint logo. If you have previously changed the default logo or customized your notification pages, however, your changes remain in effect and end users will not see any change.
These changes do not affect product functionality.
Over time, you may notice the branding extended to other areas, such as the Help system, as well as to external content, such as the Knowledge Base.
 
Threat Protection integration
A second option for file analysis is available on the Settings > Scanning > Scanning Options page of the TRITON Manager. Users who have purchased Threat Protection Appliance can now integrate it with their TRITON AP-WEB deployment and use it for advanced file analysis.
 
1. Navigate to the Settings > Scanning > Scanning Options page and locate the Advanced File Analysis section.
2. Check the box next to Enable Advanced File Analysis.
3. Select Threat Protection as the File analysis platform.
   By default, images and txt files are not sent to Threat Protection.
4.
5. Click Check Status to confirm that Threat Protection is installed at that IP address.
Alerts are the mechanism used to send information about files found to be malicious by advanced file analysis. To configure alerts for Advanced File Analysis and receive either an email or SNMP alert when analysis determines a file is malicious:
1. On the Settings > Alerts > Enable Alerts page of the TRITON Manager:
   a. Mark Enable email alerts and configure the email settings to send advanced file analysis alerts via email.
   b. Mark Enable SNMP alerts and provide information about your SNMP Trap system to deliver the advanced file analysis messages using SNMP.
   c. Click OK and then Save and Deploy to save your changes.
2. Navigate to Settings > Alerts > Suspicious Activity and locate the Advanced File Analysis section.
3. Check the box under Email to enable email alerts and under SNMP to enable SNMP alerts from advanced file analysis.
4. Click OK, then Save and Deploy.
Advanced File Analysis reporting
Advanced File Analysis report
A new Reporting > Advanced File Analysis option is available when Advanced File Analysis is enabled on the Settings > Scanning > Scanning Options page. The option opens a report that provides specific information about the results of advanced file analysis. The report is designed to provide visibility into suspicious files accessed through your network and sent for advanced file analysis to either the File Sandbox or to Threat Protection.
Use the options above the table to filter the data that is displayed.
* The Time period for the report.
* If you are using Microsoft SQL Express, the maximum time period is 30 days.
* The Total number of incidents reported for that time period is provided.
*
* Malicious to include files that analysis has found to be malicious.
* Suspicious to include files found to have suspicious characteristics.
* No threat detected to report on files in which analysis did not find any malicious or suspicious characteristics.
The number of files included in the table is provided for each threat level.
The top (up to 200) results that match your filter are displayed in a table. By default, the following columns are included:
* Threat Level: an assessment of the level of threat (malicious, suspicious, or none) associated with a file.
  Click a link in this column to:
*
*
 
* Incident time: the date and time the file was sent for analysis.
* User: the user name (or IP address) associated with the activity that prompted the file analysis.
* Source: the IP address of the client machine in your network that sent or received the file.
  Click an IP address to open an Investigative Report that provides more details about the browsing done by that source IP on the day the file was analyzed.
* Destination: the IP address of the recipient of the HTTP request.
* URL: the URL from which the file is being downloaded or to which the file is being posted.
  In some cases the URL may be truncated. Hover over the entry to view the complete URL.
* Analyzed by: the IP address of the Threat Protection cluster or the location of the File Sandbox data center.
Use the Customize option to add or remove columns from the table. In the window provided, check the box next to the column headings you want to include. Uncheck the box next to any column heading you want to remove.
* Platform: the platform that provided the file analysis (Threat Protection or File Sandbox).
* Severity: the level of severity of the threat, on a scale of 1 to 10.
* Result Type: indicates whether there was a Hash match or this was considered New analysis.
  Hash match means that the file hash (not the file) was actually sent for analysis and was found in the records of the analysis platform. The file is recognized and the Threat Level is known.
  New analysis means we don't have a record of having seen the file before, so the entire file was sent for analysis. Analysis shows whether or not the file contains a threat.
* Protocol: the protocol used to transfer the file.
* File Name: the name of the file sent for analysis.
* File Hash: a SHA1 hash of the file sent for analysis.
* File Size (KB): the total file size, in kilobytes.
* File Type: the type of file sent for analysis. Types include PDF, Image, Executable, Document, and Web Page as well as others.
* Content Gateway: the IP address of the Content Gateway machine that sent the file for analysis.
Note that customized column selections are not stored. The columns reset each time you exit and return to the page.
 
Use the other links and options to:
* Use the arrows beside a column heading to change the report's sort order.
* Click Export to CSV to add the data to a file named excel.csv, by default. If the displayed data has been filtered, the same filter is used. All columns are included in the exported data, even if not previously selected for the report.
  A maximum of 10,000 rows can be included in the exported data. Any data that exceeds the limit will not be included in the spreadsheet.
* Use the paging options below the table to display other report pages.
* Click Refresh to update the displayed data to include information that was added to the log database files since the report was initially displayed.
Delegated administrator access to the Advanced File Analysis report is determined by the Access investigative reports and Report on all clients options in the Reporting Permissions section of the Delegated Administration > Edit Roles page. The menu option Advanced File Analysis report will not be available to administrators whose role does not have both options selected.
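A way to triage the CSV export described above, as an added example that is not part of the release notes or of the product: it groups malicious and suspicious rows by File Hash, flags an export that hit the 10,000-row cap, and matches a collected file against the report by SHA1. The header names are assumed to match the report's column headings, and the sample rows are constructed.

```python
import csv
import hashlib
import io

EXPORT_ROW_LIMIT = 10_000  # export cap stated in the release notes

def _sha1(data):
    return hashlib.sha1(data).hexdigest()

# Constructed sample export. Header names are assumed to match the report's
# column headings; the hashes are SHA1 digests of constructed byte strings.
SAMPLE_CSV = (
    "Threat Level,Incident time,User,Source,URL,Severity,Result Type,File Name,File Hash\n"
    "Malicious,2016-04-20 09:14:02,jdoe,10.0.0.21,http://files.example.test/a.exe,9,New analysis,a.exe,{a}\n"
    "Suspicious,2016-04-20 09:20:41,asmith,10.0.0.34,http://cdn.example.test/b.pdf,5,New analysis,b.pdf,{b}\n"
    "Malicious,2016-04-20 10:02:10,asmith,10.0.0.34,http://files.example.test/a.exe,9,Hash match,a.exe,{a}\n"
    "No threat detected,2016-04-20 10:05:00,jdoe,10.0.0.21,http://docs.example.test/c.doc,1,New analysis,c.doc,{c}\n"
).format(a=_sha1(b"constructed sample a"), b=_sha1(b"constructed sample b"),
         c=_sha1(b"constructed sample c"))

def load_rows(csv_text):
    """Parse the exported CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def possibly_truncated(rows):
    """True when the export hit the 10,000-row cap, so later rows may be missing."""
    return len(rows) >= EXPORT_ROW_LIMIT

def triage(rows):
    """Group Malicious/Suspicious rows by File Hash, highest severity first."""
    groups = {}
    for row in rows:
        level = row["Threat Level"].strip()
        if level not in ("Malicious", "Suspicious"):
            continue
        sha1 = row["File Hash"].strip().lower()
        g = groups.setdefault(sha1, {"sha1": sha1, "level": level, "severity": 0,
                                     "sources": set(), "users": set(), "hits": 0})
        if level == "Malicious":
            g["level"] = level  # the worst verdict seen for this hash wins
        g["severity"] = max(g["severity"], int(row["Severity"]))
        g["sources"].add(row["Source"])
        g["users"].add(row["User"])
        g["hits"] += 1
    return sorted(groups.values(), key=lambda g: (-g["severity"], g["sha1"]))

def find_by_content(data, findings):
    """Match a collected file's bytes against the report by SHA1."""
    digest = _sha1(data)
    return next((f for f in findings if f["sha1"] == digest), None)

if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for f in triage(rows):
        print(f["level"], f["severity"], f["sha1"], sorted(f["sources"]), f["hits"])
    print("export may be truncated:", possibly_truncated(rows))
```

When `possibly_truncated` returns true, narrow the report's time period or threat-level filter and export again so that no rows are silently dropped.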
Advanced File Analysis in the dashboard
When the Advanced File Analysis feature is enabled, the number of requests processed by Advanced File Analysis displays on the Threats tab of the Status > Dashboard. The number is generated based on the Time period displayed on the Advanced File Analysis report. Click the link to navigate directly to the Reporting > Advanced File Analysis page and view the details.
Note that this entry displays only for Super Administrators. It is not displayed to delegated administrators regardless of the options used to define their role.
Advanced File Analysis data
New temporary data files for the advanced file analysis data are created by Filtering Service and forwarded to Log Server. Log Server then handles the data files based on settings configured on the Settings > Reporting > Log Server page.
* The temporary data files are created based on the Cache file creation rate and Maximum cache file size options that also apply to log cache files.
* The data files are processed into the database using either ODBC (Open Database Connectivity) or BCP (Bulk Copy Program), depending on the Log Record Creation settings on the Settings > Reporting > Log Server page.
  The exception to this is the first file analysis temporary data file. That file is always processed using ODBC.
Note that Filtering Service does not forward the log records created for advanced file analysis data to Usage Monitor for inclusion in the Real-Time Monitor display nor to any SIEM integration.
To support the new data, new tables have been added to the Log Database and stored in the catalog database. The tables are populated by the Advanced Malware Threat (AMT) ETL job, which is also used to populate the tables used by the Threats dashboard.
Advanced file analysis data is maintained for 120 days. The database maintenance job purges data that is older than 120 days.
Single Sign-on support for Microsoft Active Directory Federation Services (AD FS) (hybrid)
TRITON AP-WEB customers who purchase the Hybrid module and for whom single sign-on is enabled can now use Microsoft AD FS as a single sign-on identity provider.
To use this feature, open the Settings > Hybrid Configuration > Hybrid User Identification page of TRITON Manager and locate the Single Sign-on section.
1.
If the certificate is not installed for single sign-on users, they receive a certificate error when they browse to an HTTPS site. If they then select the "Continue to this website (not recommended)" link, they must authenticate using NTLM identification or manual authentication, depending on the settings on the Hybrid User Identification page.
2. Select Use identity provider for single sign-on to enable the single sign-on feature.
3. For Identity provider, select Active Directory Federation Services.
4.
See Integrating the hybrid service with a single sign-on identity provider in Administrator Help for more information.
Policy exceptions based on HTTP referer header
A new setting on the Add Exceptions and Edit Exceptions pages lets you create an exception that permits access to URLs only when they are accessed from a specific site (a referer).
Use this new exception setting, for example, when access to YouTube is blocked for your employees, but you want to allow them to view a video that is linked on your company intranet.
 
Open the Policy Management > Exceptions > Add Exception or Edit Exception page.
1. Enter the unique Name for the exception.
2. List the URLs that should be permitted by the exception.
   The URLs entered should be those that will be added as links and accessed from the specified site. If, however, there will be multiple links to the same hostname, enter the hostname in the URLs list. Leave the list blank to permit access to all links that are included on the specified site.
   In our example, enter the full URL to the video that is linked on your intranet site or enter www.youtube.com. If www.youtube.com is normally blocked by category, access is permitted only to videos specifically linked on your intranet site. Access to any video from www.youtube.com will not be permitted.
 
3. Check Permit only when accessed via a specific site and then, under Approved Referer URLs, enter the sites from which access should be granted.
   Note that access to the referer URLs must be permitted by an existing policy or exception. This exception does not imply permitted access to the referer URLs.
   Following our YouTube example, you would enter something like intranet.company.com.
   By default, a maximum of 10 referer URLs can be added. An eleventh entry will not be accepted. You need to add another referer exception for it.
   HTTP and HTTPS are the only protocols supported for referer URLs.
4. Specify which Clients are affected by this exception.
5. Note that Permit has been selected and cannot be changed.
6. Indicate when the exception Expires and determine the exception State.
7. Click Advanced to:
   a. Change the default selection for Block URLs that become a security risk, even if they are permitted by exception. (Not recommended)
      When this option is checked, this setting also applies if a URL permitted by this exception is associated with a Security Risk category. The URL is filtered based on the active policy.
b.
8. Click OK to cache and save your changes and return to the Exceptions page. Changes are not implemented until you click Save and Deploy.
If the URLs and Regular expressions lists are both empty when you click OK, a message displays asking whether you intended to create an exception that allows access to all links on the referer URL pages. Keeping in mind that this may open a security hole, click OK in the message window to leave the URLs and Regular expressions lists blank. Click Cancel to close the window, return to the exception, and add URLs or regular expressions to it.
The Exceptions table will display the new referer exception with the usual permit icon but the mouse over will indicate that the exception is "Permitted by referer". In addition, when a referer exception has been added:
* If a single approved referer URL was added to the exception, the URL is displayed. If multiple referer URLs were added, the number of URLs is displayed. Click the link to open a complete list of approved referer URLs.
* When editing multiple exceptions at the same time, if one of the selected exceptions contains referer information and you change the exception type to Block, the change will not be applied to the referer exception. Referer exceptions can only be defined with a Type of Permit. Any other changes will be carried to all selected exceptions.
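A simplified model of the referer exception described above, as an added example that is not Forcepoint code: it checks a proposed exception against the limits stated in these notes and evaluates a request against it. The matching rules (a hostname entry covers the whole host, a full URL must match exactly, referers compared by host) and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

MAX_REFERERS = 10                    # default limit stated in the release notes
ALLOWED_SCHEMES = {"http", "https"}  # only protocols supported for referer URLs

def _split(value):
    """Parse a full URL or a bare hostname entry such as intranet.company.com."""
    return urlsplit(value if "://" in value else "//" + value)

def _host(value):
    return (_split(value).hostname or "").lower()

def lint_exception(urls, referers):
    """Return the problems found in a proposed referer exception."""
    problems = []
    if not referers:
        problems.append("no approved referer URLs")
    if len(referers) > MAX_REFERERS:
        problems.append("more than 10 referer URLs: add another referer exception")
    for ref in referers:
        if "://" in ref and urlsplit(ref).scheme.lower() not in ALLOWED_SCHEMES:
            problems.append("unsupported referer protocol: " + ref)
    if not urls:
        problems.append("URL list is blank: all links on the referer pages are permitted")
    return problems

def _url_matches(entry, request_url):
    """Assumed rule: a hostname entry covers the host, a full URL must match exactly."""
    e, r = _split(entry), urlsplit(request_url)
    if (e.hostname or "").lower() != (r.hostname or "").lower():
        return False
    if e.path in ("", "/") and not e.query:
        return True
    return (e.path, e.query) == (r.path, r.query)

def permitted_by_referer(request_url, referer_header, urls, referers):
    """True if the exception applies; False means the normal policy decides."""
    # The Referer header is supplied by the client and may be absent.
    if not referer_header or _host(referer_header) not in {_host(r) for r in referers}:
        return False
    if not urls:
        return True  # blank list: every link reached from an approved referer
    return any(_url_matches(entry, request_url) for entry in urls)

if __name__ == "__main__":
    video = "https://www.youtube.com/watch?v=EXAMPLE"  # constructed placeholder URL
    refs = ["intranet.company.com"]
    print(permitted_by_referer(video, "http://intranet.company.com/training", [video], refs))
    print(permitted_by_referer(video, None, [video], refs))
    print(lint_exception([], ["ftp://intranet.company.com"]))
```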
 
Threats dashboard includes hybrid log data
In previous releases of TRITON AP-DATA with the Web Hybrid module, the Threats tab of the Status > Dashboard page did not include hybrid reporting data.
An enhancement has been added so that hybrid reporting data is now included in the information provided on the Threats dashboard.
Advanced user search in Toolbox options
An advanced search feature has been added to the Find User option available with the Check Policy and Test Filtering Toolbox tools.
Now, on the Find User page:
1.
2. Use the Search for list to specify how to perform the search:
   * Select Entries containing search string to find all directory entries that contain the search term you entered.
   * Select Exact search string only to find only the directory entry that precisely matches the search term.
3. You must click a folder (DC, OU, or CN) in the tree to specify the context. This populates the field below the tree.
4. Click Search. Entries matching your search term are listed under Search Results.
5. Click a user name to select a user, or click Search Again to enter a new search term or context.
   To return to browsing the directory, click Cancel Search.
6. If you are using the Test Filtering tool, make sure that a URL or IP appears in the URL field before you click Go.
Browser support
TRITON Manager and Content Gateway Manager are now supported on the following browsers:
*
*
*
Logon application support
Logon Agent communicates with the logon application (LogonApp) on client machines to identify users as they log on to or off of Windows domains.
This release adds logon application support for:
*
The logon application also supports the following operating systems:
*
*
For more information about Logon Agent and the logon application, see the Using Logon Agent for Transparent User Identification white paper.
Third-party platform and product support
All components
This version adds support for:
*
*
*
Note that installing web protection components on Windows Server 2012 or 2012 R2 requires Microsoft .NET Framework v3.5. Install .NET Framework v3.5 before running the TRITON Unified Installer.
Content Gateway
This version is supported on:
*
*
*
*
In addition, Content Gateway is certified on the following 64-bit platforms:
*
*
Note 
*
*
Content Gateway is also supported on the corresponding CentOS versions, including update 4 (CentOS version numbers have a one-to-one correspondence with Red Hat Enterprise Linux version numbers).
Support for the following version has been dropped with this release:
*
*
 
Important 
Visit www.redhat.com for kernel information. To display the kernel version installed on your system, enter the command:
/bin/uname -r
Only kernels listed above are certified or supported.
"Best effort" support for the version of Red Hat Enterprise Linux and CentOS listed above is provided. Under "best effort" support, Technical Support makes a best effort to troubleshoot cases in standard fashion until the issue is deemed a Red Hat Enterprise Linux- or CentOS-specific issue, at which point you must contact Red Hat directly for assistance.
As a best practice, Red Hat Enterprise Linux systems that host Content Gateway should be registered with Red Hat Network and kept up-to-date with the latest security patches.
 
 
Important 
For complete platform requirements information, see System requirements for this version in the Deployment and Installation Center.

Copyright 2016 Forcepoint LLC. All rights reserved.