Forcepoint Appliances Getting Started Guide: V Series, X Series, & Virtual Appliances
v8.4.x
©1996–2017, Forcepoint LLC
10900-A Stonelake Blvd, Quarry Oaks 1, Suite 350, Austin, TX 78759, USA
All rights reserved.
Published 2018
Printed in the United States and Ireland
D230317840
The products and/or methods of use described in this document are covered by U.S. Patent Numbers 5,983,270; 6,606,659; 6,947,985; 7,185,015;
7,194,464 and RE40,187 and other patents pending.
This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-
readable form without prior consent in writing from Forcepoint LLC.
Every effort has been made to ensure the accuracy of this manual. However, Forcepoint LLC makes no warranties with respect to this
documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint LLC shall not be liable for
any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein.
The information in this documentation is subject to change without notice.
Trademarks
Forcepoint is a registered trademark and TRITON is a trademark of Forcepoint LLC, in the United States and certain international markets.
Forcepoint has numerous other unregistered trademarks in the United States and internationally. All other trademarks are the property of their
respective owners.
Microsoft, Windows, Windows NT, Windows Server, and Active Directory are either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Mozilla and Firefox are registered trademarks of the Mozilla Foundation in the United States and/or other countries.
eDirectory and Novell Directory Services are registered trademarks of Novell, Inc., in the U.S. and other countries.
Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or
other countries.
Red Hat is a registered trademark of Red Hat, Inc., in the United States and other countries. Linux is a trademark of Linus Torvalds, in the United
States and other countries.
This product includes software distributed by the Apache Software Foundation (http://www.apache.org).
Copyright (c) 2000. The Apache Software Foundation. All rights reserved.
Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are the sole property
of their respective manufacturers.
Contents
Topic 1 Forcepoint Appliances, page 1
    Supported software, page 2
        Forcepoint Email Security, page 2
        Forcepoint Web Security, page 2
        Forcepoint URL Filtering, page 2
        Forcepoint DLP, page 3
    Appliance platforms, page 4
        V Series, page 4
        X Series, page 4
        Forcepoint Virtual Appliances, page 5
    Features, page 6
        Platform hardening, page 6
        Command-line interface, page 6
        Forcepoint Security Appliance Manager, page 7
        Custom appliance user account management, page 7
        Forcepoint appliance platform API, page 7
        Stacking module on X10G, page 7
        10GBe PCI NIC on V10K, page 7
    Deployment, page 8
    Configuration and management, page 8
    Documentation, page 8
Topic 2 Deploying Forcepoint Appliances, page 11
    Deployment planning, page 11
    Deployment big picture, page 13
        Required off-appliance components, page 14
        Web protection deployments, page 15
        Forcepoint Email Security deployments, page 20
    Deployment activity summary, page 21
    Forcepoint appliance installation summary, page 21
Topic 3 V Series Hardware Setup, page 23
    V10000 hardware setup, page 24
        V10000 with Forcepoint Web Security, page 24
        V10000 with Forcepoint Email Security, page 24
    V5000 hardware setup, page 25
    Using the iDRAC, page 26
1 Forcepoint Appliances
Related topics:
● Supported software, page 2
● Appliance platforms, page 4
● Features, page 6
● Deployment, page 8
● Configuration and management, page 8
● Documentation
Supported software
Forcepoint DLP
Important
Information about Forcepoint DLP appliances is not
included in this guide. See the Forcepoint DLP section of
the Forcepoint Documentation page.
Forcepoint DLP protects organizations from information leaks and data loss. It can
operate alone in the network, or can be paired with Forcepoint Web Security,
Forcepoint Email Security, or both.
Forcepoint DLP Network prevents data loss through email and over Web channels. It
includes Forcepoint DLP Cloud Email, deployed in Microsoft Azure. It provides DLP
policy enforcement for Microsoft Exchange Online.
The protector appliance intercepts and analyzes traffic on a variety of channels, such
as email, HTTP, and FTP. (HTTP traffic is monitored but not enforced.)
The mobile agent appliance can be configured to secure email content that is
synchronized to a user’s mobile devices via Exchange ActiveSync. This includes
content in email messages, calendar events, and tasks.
Forcepoint DLP includes an analytics engine that identifies and ranks high-risk
incidents. It consumes incidents generated by DLP policies and reports on those with
the highest data loss or data theft risk score.
Forcepoint Data Discovery is used to learn the location of sensitive data within
on-premises data centers and cloud hosted applications. It can be configured to scan
data on file servers, email servers, databases, and content collaboration applications.
Forcepoint DLP Endpoint prevents data loss over endpoint channels such as
removable storage devices, mobile devices, browser uploads, email clients, and
applications. It can also discover and remediate sensitive data stored on laptop and
desktop systems.
For more information, see the Forcepoint DLP Deployment Guide (PDF).
Appliance platforms
V Series
1 rack-unit form factor
See the V-Series Appliance datasheet (PDF) for specifications of the current model.
Models supported with version 8.4:
■ V10000 G4 (Forcepoint Web Security, Forcepoint Email Security (V1000 & V5000))
■ V10000 G3
All V10000 models support Forcepoint Web Security or Forcepoint Email
Security
■ V5000 G4
■ V5000 G3
■ V5000 G2R2
All V5000 models support Forcepoint Web Security, Forcepoint URL Filtering, or
Forcepoint Email Security
V Series Hardware Setup
X Series
10 rack-unit form factor; chassis hosts up to 16 X10G blade servers
See the X-Series Appliance datasheet (PDF) for specifications of the current model.
Models supported with version 8.4:
■ X10G G2 blade server
■ X10G G1 blade server
All X10G models support Forcepoint Web Security or Forcepoint Email Security
X Series Hardware Setup
ESXi VMware
VMware virtual appliances are certified with ESXi versions 5.5, 6.0, and 6.5.
Important
These resources must be maintained as specified.
When Forcepoint security software starts, if the resources do not match the specification, the application containers do not start. In the CLI, a persistent message displays indicating that the resources have been modified.
Network interfaces
All VMware virtual appliances come with 4 virtual Ethernet interfaces.
C — Supports appliance management communication
P1, P2 — Support MTA traffic (Forcepoint Email Security virtual appliances) or Content Gateway web proxy traffic (Forcepoint Web Security virtual appliances)
N — Reserved; Network Agent and the Content Gateway decryption mirror port feature are not supported on VMware virtual appliances.
Forcepoint Virtual Appliance Setup
Features
Platform hardening
These measures harden all Forcepoint V Series, X Series, and Virtual Appliances:
● CentOS 7.2 operating system -- Base operating system and Forcepoint Email
Security container
● CentOS 6.8 operating system -- Web protection containers (Web, Proxy,
Network Agent)
● SELinux enabled in permissive mode (not enforcing)
● Apache Tomcat removed
Command-line interface
All Forcepoint appliances share a common command-line interface (CLI) that
supports all appliance management functions, including monitoring, configuration, and
troubleshooting.
After initial appliance configuration, performed with the firstboot wizard, the CLI
can be accessed via SSH and a terminal emulator such as PuTTY. In addition, V Series
and X Series appliances can access the CLI through the Virtual Console feature of the
integrated Dell Remote Access Controller (iDRAC), or by attaching a keyboard and
monitor directly to the appliance. On VMware virtual appliances, the CLI can also be
accessed in the vSphere Client.
The CLI has 3 modes: view, config, and diagnose.
For more information, see the Forcepoint Appliances CLI guide.
Deployment
Forcepoint appliances are configured and managed with the command-line interface
(CLI), the Forcepoint Security Appliance Manager, and the appliance API.
Configuration and management activities generally include:
● Setting, synchronizing, and monitoring the system time and date
● Configuring network interfaces
● Defining a filestore location and filestore name alias
● Configuring the STP bridge, if used (X Series only)
● Defining static routes, as needed
● Optionally, enabling and configuring SNMP traps
● Monitoring system performance
● Reviewing system log files
● Installing upgrades and hotfixes
● Scheduling and performing backups
● Enabling and disabling logon accounts, as needed
● Running system diagnostics, as needed
For detailed information, see the Forcepoint Appliances CLI Guide.
Documentation
Related topics:
● Deployment planning, page 11
● Deployment big picture, page 13
● Deployment activity summary, page 21
● Forcepoint appliance installation summary, page 21
Important
Before deploying Forcepoint technologies, work with your
Forcepoint distributor and Forcepoint Sales Engineer to
create a deployment plan. A vetted deployment plan is the
best preparation for a trouble-free deployment that delivers
the results you expect.
Deployment planning
In this section:
● Required off-appliance components, page 14
● Web protection deployments, page 15
● Forcepoint Email Security deployments, page 20
Forcepoint deployments can include any or all of these Forcepoint solutions:
● Forcepoint DLP
● Forcepoint Web Security, with or without hybrid cloud web protection services
● Forcepoint Email Security, with or without hybrid cloud email protection services
● Forcepoint Endpoint
Important
Forcepoint appliances are one component of a complete
Forcepoint security solution.
When you are ready to begin deployment, be sure to start
with the installation guides for your Forcepoint security
solutions. Those guides link to this guide for appliance
setup and initial configuration activities.
See these topics in the Forcepoint Deployment and Installation Center to become
familiar with the details of Forcepoint deployments.
● Deployment planning for Forcepoint solutions
● System requirements
● Default ports for on-premises Forcepoint solutions
Forcepoint DLP
● Planning Forcepoint DLP Deployment
● Installing Forcepoint DLP Agents
● Integrating Forcepoint DLP with Existing Infrastructure
● Scaling Forcepoint DLP
Important
All components in the deployment, including those
running off-appliance, must run the same version of
Forcepoint software.
Forcepoint infrastructure
Forcepoint security infrastructure is made up of many components, including a web-browser-based graphical user interface and logging and reporting components.
Services include:
● Forcepoint Security Manager
● Forcepoint Central Access
● Forcepoint Settings Database
● Forcepoint Reporting Database (if using SQL Server 2008 R2 Express)
Note
SQL Server 2008 R2 Express should be used only in
evaluation environments.
Full SQL Server should be used in all production
environments.
Log Server
Instances of Log Server, one for web security deployments and one for email security
deployments, receive information about Internet and email activity and process the
information into their respective Log Database.
Because record processing is resource-intensive, Log Server is installed on its own
Windows Server and should not run on the same machine as other resource-sensitive
components, such as Filtering Service, the Forcepoint management server, or the SQL
Server host.
Log Server cannot be installed on an appliance.
Log database
Web and email products require Microsoft SQL Server to host the reporting database,
called the Log Database. The Web Log Database and the Email Log Database can be
hosted by the same database engine instance. Information stored in the Log Database
is used to create reports.
Before you install Web or Email Log Server, SQL Server must be installed and
running on a machine in your network. SQL Server must be obtained separately; it is
not included with your subscription.
Important
● Web protection deployments can use a mix of
Forcepoint platforms — V Series, X Series, Virtual
Appliances, and standalone Windows and Linux
servers.
Policy source
In a web protection deployment, there is a policy source machine that hosts 2
components that do not run on any other server or appliance: Policy Database and
Policy Broker. One of the first deployment decisions that must be made is the
location of the policy source machine.
Important
● Deployments that include installations of Policy
Server on standalone Windows or Linux servers and
on Forcepoint appliances, must locate the policy
source on a Windows or Linux server, and not on a
Forcepoint appliance.
● Deployments that configure Policy Broker
Replication must locate the primary and replica Policy
Broker instances on Windows or Linux servers.
All machines running Web protection components connect to the policy source
machine to get up-to-date policy information. Your primary instance of Policy Server
also runs on the policy source machine.
Most sites install the policy source on a Windows server (off-appliance). An
alternative is to configure a V Series or X Series appliance (located in Slot-1). The
policy mode of remaining appliances is chosen during each appliance’s firstboot.
Here’s how it works:
1. The policy source machine is set up, either off-appliance or on-appliance.
2. When other appliances go through firstboot, the policy mode is set to either User
directory and filtering mode or Filtering only mode.
If the policy source is located off-appliance, you have the option to configure
replicated policy source servers. See Managing Policy Broker Replication.
● Filtering Service
● Control Service
● Directory Agent
● Content Gateway module (Forcepoint Web Security only)
Filtering only
A Filtering only appliance is configured to point to a Policy Server. This works best
when the appliance is close to the Policy Server and on the same network.
These appliances require a continual connection to the centralized Policy Server, not
only to stay current, but also to continue handling traffic. If the connection to the
Policy Server becomes unavailable for any reason, traffic on a filtering only appliance
will continue to be handled for up to 3 hours.
A Filtering only appliance does not run Policy Server. It runs only:
● Filtering Service
● Control Service
● Content Gateway module (Forcepoint Web Security only)
The individual components required for these modes are automatically enabled when
firstboot completes. You do not need to choose components individually.
Policy Database
Stores Forcepoint software settings and policy information. Installed automatically with Policy Broker. Runs on the policy source machine only. Typically installed on a Windows server.
Policy Broker
Manages requests from Forcepoint components for policy and general configuration information. Runs on the policy source machine only. Typically installed on a Windows server.
Policy Server
Can run on any web appliance. The primary copy runs on the policy source machine.
● Identifies and tracks the location and status of other Forcepoint components.
● Stores configuration information specific to a single Policy Server instance.
● Communicates configuration data to Filtering Service, for use in handling Internet requests.
Policy Server settings are configured in the Web Security module of the Security Manager.
Policy and most configuration settings are shared among all Policy Servers that share a Policy Database.
Filtering Service
Can run on any web appliance.
Provides Internet traffic management in conjunction with Network Agent or a third-party integration product. When a user requests a site, Filtering Service receives the request and determines which policy applies.
● Filtering Service must be running for Internet requests to be handled and logged.
● Each Filtering Service instance downloads its own copy of the Forcepoint Master Database.
Configure enforcement policies and Filtering Service behavior in the Web Security module of the Security Manager.
Network Agent
Can be deployed on V Series appliances and Windows and Linux servers.
● Enhances security and logging functions
● Enables non-HTTP and non-HTTPS protocol management
Master Database
● Includes more than 36 million websites, sorted into more than 95 categories and subcategories
● Contains more than 100 non-HTTP protocol definitions for use in managing protocols
After all modules are set up, download the Forcepoint Master Database to activate Internet management, and schedule automatic updates. If the Master Database is more than 2 weeks old, no traffic management occurs.
Forcepoint Web Security module of the Forcepoint Security Manager
Runs on a Windows server. Serves as the configuration, management, and reporting interface for Forcepoint software.
Use the Web Security module of the Security Manager to define and customize Internet access policies, configure Forcepoint software components, report on Internet activity, and more.
The Web Security module of the Security Manager is made up of the following services:
● Web Security
● Web Reporting Tools
● Explorer Report Scheduler
● Information Service for Explorer
● Reporter Scheduler
● Real-Time Monitor
Usage Monitor
Can run on any appliance.
● Enables alerting based on Internet usage.
● Provides Internet usage information to Real-Time Monitor.
Usage Monitor tracks URL category access (shown in Real-Time Monitor) and protocol access, and generates alert messages according to the alerting behavior you have configured.
Content Gateway
Runs on every Forcepoint Web Security appliance.
● Provides a robust proxy and cache platform.
● Can analyze the content of websites and files in real time to categorize previously uncategorized sites.
● Analyzes HTML code to find security threats.
● Inspects file content to assign a threat category (for example, viruses, Trojan horses, or worms).
Important
If you deploy Forcepoint Email Security on an X10G
chassis that also hosts Forcepoint Web Security blades,
you must choose a location for and configure the
Forcepoint Web Security policy source (Policy Broker/
Policy Database) machine before configuring any other
web or email appliances. See Policy source, page 15, for
details.
Email components
The following services run on Forcepoint Email Security appliances:
● Configuration service
● Authentication service
● Quarantine service
● Log service
● Update service
● Filtering service
● Mail Transfer Agent
The appliance also provides access to the Personal Email Manager and Secure
Message Delivery end-user portals.
Related topics:
● V10000 hardware setup, page 24
● V5000 hardware setup, page 25
● Using the iDRAC, page 26
● Connecting directly to the appliance, page 27
Deploying Forcepoint appliances includes 5 core tasks. This topic covers Task 2a.
Task 1: Prepare for deployment
Task 2: Set up appliance hardware and virtual appliances
a. V Series Hardware Setup (this section)
b. X Series Hardware Setup, page 29
c. Forcepoint Virtual Appliance Setup, page 39
Task 3: Run the firstboot wizard (initial command-line configuration)
Task 4: Configure appliances (post-firstboot)
Task 5: Install off-appliance and optional components
Important
The Quick Start poster packaged in the appliance shipping
box shows you all items included in each appliance
shipment. This 2-page poster explains how to set up the
hardware and shows how to connect cables to the
appliance and to your network. You can find appliance
Quick Start posters on support.forcepoint.com/
documentation.
For instructions on setting up the integrated Dell Remote
Access Controller (iDRAC), see Using the iDRAC, page
26.
Forcepoint appliance network interfaces must be able to access a DNS server and the
Internet, as described below. This information varies slightly depending on the
security mode selected for the appliance.
● V10000 with Forcepoint Web Security
● V10000 with Forcepoint Email Security
The appliance’s network interfaces must be able to access a DNS server and the
Internet, as described below. This information varies slightly depending on the
security mode you select for the appliance.
● V5000: Forcepoint Web Security
● V5000: Forcepoint Email Security
● V5000: Forcepoint URL Filtering (no Content Gateway)
All V Series (and X Series) appliances come with an integrated Dell Remote Access Controller (iDRAC). The iDRAC has its own processor, memory, and network connection. Its many features include power management, virtual media access, and remote console capabilities. It is easily accessed through a web browser or command-line interface.
To set up the iDRAC on a V Series appliance:
1. Cable the iDRAC interface.
After hardware setup, it is recommended that you access the appliance console
through the iDRAC.
Alternatively, you can:
● Connect a monitor and keyboard directly to the appliance.
● Connect via the serial port. The connection should be set to:
■ 9600 baud rate
■ 8 data bits
■ no parity
Deploying Forcepoint appliances includes 5 key tasks. This topic covers Task 2b.
Task 1: Prepare for deployment
Task 2: Set up appliance hardware and virtual appliances
a. V Series Hardware Setup, page 23
b. X Series Hardware Setup (this section)
c. Forcepoint Virtual Appliance Setup, page 39
Task 3: Run the firstboot wizard (initial command-line configuration)
Task 4: Configure appliances (post-firstboot)
Task 5: Install off-appliance and optional components
Important
The Quick Start poster packaged in the appliance shipping
box shows you all items included in each appliance
shipment. This 2-page poster explains how to set up the
hardware and shows how to connect cables to the
appliance and to your network. You can find Appliance
Quick Start posters on support.forcepoint.com/
documentation.
Below is a back view (left) and front view of the chassis, with on-chassis switches
enlarged (at lower left) and security blades (at lower right).
The chassis and security blade hardware are manufactured by Dell. All blades are
accessible through a web-based integrated Dell Remote Access Controller (iDRAC).
Security blades are typically shipped separately. Insert the security blades after
racking the chassis.
Important
You need a loading dock to receive the chassis, or a
delivery vehicle with a lift gate.
You will need 4 people to lift the chassis into the rack in
your computer room.
● Unpack and rack the chassis before you insert the security blades. Save the
handled cardboard lifter, if a future chassis move is likely.
● Security blades are packaged separately. Blades are imaged with the Forcepoint
software you ordered.
● Some Forcepoint components are Windows-only and must be installed and run off
the chassis. The installer for these components is named
Forcepoint84xSetup.exe. Download the installer from the Forcepoint
Downloads page.
The Quick Start poster packaged in the appliance shipping box shows you all items
included in each appliance shipment. This 2-page poster explains how to set up the
hardware and shows how to connect cables to the X10G switches and to your network.
You can find Appliance Quick Start posters on support.forcepoint.com/
documentation.
Blade slots across the top half of the chassis front are numbered from 1 to 8, beginning
at the left as viewed from the front. Bottom slot numbers begin with slot 9 at the left,
ending at slot 16.
● Slot 1: After racking the chassis, insert the first blade into slot 1. Ensure that any
blade inserted into an upper slot is engaged on the hanging rail just inside the top
of the slot. When properly engaged, the blade slides easily into the slot. Do not
force a blade into a slot. The metal flap covering the backplane in each slot
retracts automatically when the blade is inserted.
● Slots 2 through 16: Insert blades into consecutive slots, with no empty slots
between blades.
Plan to have a sequential range of IP addresses reserved for the interfaces you plan to
use on every blade server (such as C (eth0), P1 (eth1), and optionally P2 (eth2)).
How you cable the X10G depends on your planned deployment. Cabling and
deployment options are discussed in detail in the X Series Switch Configuration
guide. X10G switches can be configured to support VLAN and switch high
availability. By default, the switches are not VLAN-aware.
Before finalizing your cable connections, consult with your Forcepoint partner to
ensure that your deployment plans are appropriate for your network traffic. See
Deployment big picture for related deployment topics and links to other deployment
materials.
Power cables, Ethernet cables, a serial cable, and SFP+ cables are shipped with the
X10G chassis.
1. Note that the 2 on-chassis switches are oriented vertically at the back of the
chassis. The switch on the left side is switch A1. The bottom of the switch is
shown at the left in the diagram below. Use an SFP+ cable or install an optical
transceiver and use your own fiber optic cable if desired (see details below).
○ Fiber optics: If you ordered an optical transceiver kit with your chassis, see
the instructions provided here. This allows you to use fiber optic cables to
connect the chassis switches to your network. Begin by connecting the P1
interface on switch A1 to your network. The X10G switch requires an LC
connector at the end of the optical cable.
○ If you are not using fiber optic cables, no transceiver kit is required.
Connect an SFP+ cable (provided) to the P1 interface on switch A1.
○ While several ports may be labeled on both switches, the only port
required for deployment is the P1 port on switch A1. The P2 port on switch
A2 is optional and dependent upon your network topology. To ensure
correct cabling for your deployment, see the X Series Switch
Configuration guide.
2. Next, cable the Chassis Management Controller (CMC). Connect a Category
5 network cable (do not use a crossover cable) from the left-most CMC
network port, labeled Gb in the illustration, to a switch on the subdomain
where the CMC IP address is located.
The CMC is located at the back of the chassis at the upper left side. Connect
the Gb port to the network.
● Use the power cables to connect the 4 on-board power supply units (PSUs) at the
bottom (back of chassis) to the power outlets on your computer rack. Ensure that
the power cables are fully inserted into the PSUs and the power source. Confirm
that the power lights are illuminated on the PSUs.
Power on
Power on the chassis at the front (recessed button at the lower left corner below slots 9
and 10). This powers on all blades. Blades can also be turned off and on individually.
The X10G chassis includes a small, built-in LCD screen at the lower left front.
With the chassis powered on, pull out the LCD screen and use it to:
1. Set your language preference
2. Specify the IP address of the Chassis Management Controller (CMC)
Setting the CMC IP address enables you to communicate with the controller through a
browser, from which you can quickly set remote access (iDRAC) addresses for the
blades. The following illustration shows the built-in LCD screen and its associated
keypad.
Use the silver arrow pad to the right of the LCD screen to move to a selection. Press
the center of the silver pad when you are ready to confirm your choice.
After you choose a language, you are ready to configure the CMC.
Move to a laptop and open a browser that has connectivity to the network where the
CMC IP address resides.
Point the browser to the IP address you assigned to the CMC:
https://CMC_IP_Address
When you are ready to run the firstboot wizard on each blade server, sequentially
access the iDRAC on each blade and open the Virtual Console to interact with the
firstboot wizard. Firstboot runs when you power on the appliance.
To access the iDRAC:
1. Open a Web browser and in the URL entry field enter:
https://<blade iDRAC IP address>
2. Log on with the default credentials (root/Forcepoint#1, or root/calvin)
3. Change the default logon password to meet your organization’s security
requirements. Do not continue to use the factory default password.
a. Go to Overview > iDRAC Settings > User Authentication and click on the
number that corresponds to the default log on (root).
b. Select Configure User and click Next.
c. Change the password and click Apply.
4. To launch the Virtual Console, go to Overview > Server and in the upper right
Virtual Console Preview area click Launch.
See The firstboot wizard (initial command-line configuration).
After firstboot completes, remain in the console and log on to the command-line
interface (CLI) as ‘admin’. Use the password you set during firstboot.
VMware virtual appliances are certified with ESXi version 6.0 and supported with
v5.5 and other versions of 6.x.
Deploying Forcepoint appliances includes 5 key tasks. This topic covers Task 3.
Task 1: Prepare for deployment
Task 2: Set up appliance hardware and virtual appliances
Task 3: Run the firstboot wizard (initial command-line configuration)
○ Gather data for firstboot
○ Run firstboot
Task 4: Configure appliances (post-firstboot)
Task 5: Install off-appliance and optional components
The first time you power on (boot) a Forcepoint appliance, a firstboot wizard prompts
you to:
● Select the security mode for the appliance – Forcepoint Email Security,
Forcepoint Web Security, or Forcepoint URL Filtering.
● Enter settings for the appliance management Ethernet interface (C) IP address,
subnet mask, default gateway IP address, and DNS server IP addresses.
● Define several basic configuration settings, such as hostname, admin password,
and system time zone and time.
You are also asked whether you want to send feedback to Forcepoint. Feedback data
improves URL categorization, making your Forcepoint solutions more effective. The
default setting is “yes” (enabled). To disable feedback, enter “no” at the prompt. When
you upgrade to a major new version, you may be prompted to confirm the setting.
You are given the opportunity to review and change settings before you exit the
firstboot wizard. After you approve the settings, the appliance is provisioned and
configured. The process can take 30 minutes or more.
Later, if you want to change settings, except the security mode, you can make
changes using the command-line interface (CLI). To change the security mode, you
must re-image the appliance with an image acquired from the Forcepoint Downloads
page. After re-imaging, upon reboot, the firstboot wizard runs again.
1 - 60 characters long.
The first character must be a letter.
Allowed: letters, numbers, dashes, or periods.
The name cannot end with a period.
For sites using Forcepoint URL Filtering, the integration method. Choose one:
Choose your third-party integration product, if any.
● Standalone (Network Agent only)
● Microsoft TMG
● Cisco ASA
● Citrix
Send usage statistics?
Usage statistics from appliance modules can optionally be sent to Forcepoint to help
improve the accuracy of URL categorization.
For sites using Forcepoint Web Security or Forcepoint URL Filtering, the policy mode
of the appliance.
● Full policy mode
● User directory and filtering
● Filtering only
NOTE: With Web security mode, the Filtering only policy mode is supported on
physical appliances only, not virtual appliances.
IMPORTANT: There is only one full policy source machine per deployment. Most sites
locate the full policy source installation on a Windows server (off-appliance). An
alternative is to configure a V Series or X Series appliance (typically located in
Slot-1). The policy mode of the remaining appliances is chosen during each
appliance’s firstboot.
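The hostname rules and interface settings above are easy to get wrong when the data is gathered by hand before firstboot. As an added example (not part of this guide and not Forcepoint code), the following Python script encodes the stated hostname rules and checks the C interface settings that firstboot asks for; the function names, the gateway-on-subnet check, and the sample values are the example's own assumptions.

```python
"""Pre-flight checks for the data gathered before running firstboot.

Added example, not Forcepoint's code. It encodes the hostname rules listed
in this guide (1-60 characters, first character a letter, only letters,
numbers, dashes, or periods, no trailing period) and the guide's note that
management interfaces must use IPv4, plus the ordinary sanity check that the
default gateway is on the C interface's subnet. Sample inputs are constructed.
"""
from __future__ import annotations

import ipaddress
import re


def check_hostname(name: str) -> list[str]:
    """Return the rule violations for a firstboot hostname (empty list = valid)."""
    problems = []
    if not 1 <= len(name) <= 60:
        problems.append("hostname must be 1-60 characters long")
    if not (name and name[0].isascii() and name[0].isalpha()):
        problems.append("first character must be a letter")
    if not re.fullmatch(r"[A-Za-z0-9.-]*", name):
        problems.append("only letters, numbers, dashes, or periods are allowed")
    if name.endswith("."):
        problems.append("hostname cannot end with a period")
    return problems


def check_c_interface(ip: str, mask: str, gateway: str,
                      dns_servers: list[str]) -> list[str]:
    """Validate the management interface (C) settings firstboot asks for.

    Every address must be IPv4; the gateway must be a different host on the
    interface's subnet; the interface IP must not be the network or broadcast
    address (skipped for /31 and /32, which have no such addresses).
    """
    problems = []
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    except ValueError as exc:
        return [f"invalid IPv4 address/mask: {exc}"]
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError:
        problems.append(f"default gateway {gateway!r} is not an IPv4 address")
    else:
        if gw not in net:
            problems.append(f"default gateway {gw} is outside {net}")
        elif gw == iface.ip:
            problems.append("default gateway must not be the interface IP itself")
    for server in dns_servers:
        try:
            ipaddress.IPv4Address(server)
        except ValueError:
            problems.append(f"DNS server {server!r} is not an IPv4 address")
    return problems


if __name__ == "__main__":
    # Constructed values modelled on the CLI examples in this guide.
    for host in ("wcg-slot1", "1badname", "ends-with-dot.", "under_score"):
        print(f"{host!r}: {check_hostname(host) or 'OK'}")
    print(check_c_interface("10.200.200.20", "255.255.0.0", "10.200.0.5",
                            ["10.10.10.10", "10.10.10.11"]) or "C interface OK")
    print(check_c_interface("10.200.200.20", "255.255.255.0", "10.200.0.5",
                            ["2001:db8::53"]))
```

Run it against the worksheet values before powering on the appliance; an empty list from each check means the values satisfy the rules this guide states, and any string returned names the rule that was broken.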
Run firstboot
1. Access the appliance console.
■ With V Series or X Series appliances, use one of these options.
○ iDRAC: Access the appliance iDRAC and open the virtual console. See
Using the iDRAC, page 26.
○ Attach a USB keyboard and monitor directly to the appliance.
○ Attach a keyboard and monitor through the serial port.
Note
For serial port activation, use:
● 9600 baud rate
● 8 data bits
● no parity
■ With a VMware virtual appliance, access the console with the vSphere
Client. In vSphere Client, select the virtual machine, open the Console, and
click into the window to give it focus.
2. When prompted, read and accept the subscription agreement.
3. At the first prompt, select the security mode. You must have a subscription for the
mode you select.
On an X10G or V10000 appliance, the choices are:
○ Forcepoint Web Security
○ Forcepoint Email Security
Note
Occasionally, due to an I/O timer in the virtual console
software, during the software provisioning process
firstboot output to the console may stop. To restart console
output, simply press Enter.
Note
If the off-box appliance is unreachable, the system will
boot in Full policy mode.
After the wizard completes, stay in the console and log on to the CLI using the
password you set during firstboot.
You are now ready for Task 4: Configure Appliances (post-firstboot)
Setting up a Forcepoint appliance involves 5 key tasks. This topic covers Task 4.
Task 1: Prepare for deployment
Task 2: Set up appliance hardware and virtual appliances
Task 3: Run the firstboot wizard (initial command-line configuration)
Task 4: Configure appliances (post-firstboot)
Task 5: Install off-appliance and optional components
After completing firstboot, finish initial appliance configuration using the command-
line interface (CLI). In the CLI you can view system status, configure network and
communication settings, and perform general appliance administration tasks. For a
complete guide to using the CLI, see the Forcepoint Appliances CLI guide.
Post-firstboot appliance configuration activities include:
● SSH access to the CLI (optional)
● Verify firstboot configuration settings
● Establish a filestore
● Set an email address for password recovery
● Configure additional network interfaces
● Configure routes (if needed)
● SNMP polling and alerting (optional)
After firstboot you may have stayed connected to the appliance console and logged on
to the CLI. The method you used to connect to the appliance console remains
available to you.
You can also connect to the CLI using a terminal emulator and SSH. SSH access is
enabled by default. (Instructions for disabling SSH are included below.)
To connect to the appliance CLI with SSH, use PuTTY or a similar client on a
Windows system, or Terminal on a Mac system. Connect to the appliance management
interface (C) IP address on port 22. Use the admin credentials set during firstboot.
On V Series or X Series appliances, you can also access the CLI using the Virtual
Console feature of the DELL Remote Access Controller (iDRAC), or you can attach a
keyboard and monitor directly to the appliance. See the Quick Start poster for your
appliance model.
On a VMware virtual appliance, you can also access the CLI through the vSphere
Client.
To disable or enable SSH access:
1. Log on to the CLI and change to config mode by entering ‘config’ on the
command line. When prompted, enter the admin password again.
2. To display SSH enabled/disabled status:
show access ssh --status
3. To disable or enable SSH access:
set access ssh --status <on|off>
All system verification and configuration tasks are performed in the CLI. For a
complete description of every CLI command, see the Forcepoint Appliances CLI
Guide.
To perform the activities in this section, log on to the CLI and enter config mode.
Configuration basics
Verify the appliance security mode, policy mode (web protection only), version, and
hostname.
show appliance info
Note
IPv4 addresses must be used with all Forcepoint
management interfaces.
Warning
After configuration in firstboot, do not change the
C interface IP address. If you must change the C interface
IP address, see the article Changing the C Interface IP
Address.
Be cautioned that the set interface ipv4 command allows
you to change the configuration of any available network
interface, including interface C.
Important
Before changing the time, stop all Forcepoint services
running in your network. Then, reset the time and make
certain that the time is consistent across all servers running
Forcepoint services. Finally, restart Forcepoint services.
If you do not stop the services first, client updates and
policy changes entered after the time reset are not saved.
Important
If you synchronize the system clock with an NTP server,
NTP protocol packets and their response packets must be
allowed on any firewall or NAT device between the
appliance and the NTP server. Ensure that you have
outbound connectivity to the NTP servers. Add a firewall
rule that allows outbound traffic to UDP port 123 for the
NTP server.
Establish a filestore
Example:
set filestore --alias fstore --type samba
--host 10.123.48.70 --path myfiles/myfolder --user jdoe
Set an email address and SMTP server in the event that the admin password is
forgotten or lost. A temporary password is sent to the address when an administrator
enters Ctrl+P at the CLI logon prompt.
To set an email address and SMTP server:
set account email --address <email_address>
set account smtp --host <location> --port <port>
--user <name>
When no email address is set, Ctrl+P prompts to confirm that a password reset is
wanted. When confirmed (yes), a security code is displayed. Write it down. To get a
temporary password, contact Technical Support and provide the security code.
Important
After IPv6 support is enabled, subsequent disablement
requires a full restart of the appliance.
Important
Changing the C interface IP address can significantly
impact the deployment. If at all possible, do not change the
C IP address. If you must change the C IP address, see the
technical article Changing the C Interface IP Address.
● Both the P1 and P2 proxy interfaces can be used to accept users’ Internet requests
(inbound traffic) and communicate with web servers (outbound traffic). In other
words, both interfaces can be configured to handle traffic into and out of the proxy
module.
● A typical configuration is to use P1 for both inbound and outbound traffic; P2 is
not used.
● Another option is to configure P1 to accept users’ Internet requests (inbound
only). In this case, P2 is configured to communicate with web servers (outbound).
Important
If you use the P2 interface, the P1 interface is bound to
eth0, and the P2 interface is bound to eth1. Keep this in
mind when you configure Content Gateway.
For example, suppose you are using a transparent proxy
deployment, and the P1 interface is connected to a WCCP
router. In this case, you must configure Content Gateway
to use eth0 for WCCP communications (in Content
Gateway Manager, see the General tab of the Configure >
Networking > WCCP page).
To view the interface bindings in the CLI:
(view)# show interface info
CLI example:
Note
Network Agent is supported on V Series appliances and on
standalone servers.
Important
Network interface N configuration is only necessary when
Network Agent is installed and running on the appliance
and you want blocking to go through interface N.
IP address of interface N: Required. Network Agent should be able to see the
outbound and inbound traffic in your network. Network Agent ignores ports 80, 443,
8070, and 8080.
Subnet mask: Required.
Default gateway: Required.
Primary DNS: Required. IP address of the domain name system server.
CLI example:
(config)# set interface ipv4 --interface n
--ip 10.200.200.20 --mask 255.255.0.0
--gateway 10.200.0.5
(config)# set interface dns --module network-agent
--dns1 10.10.10.10 --dns2 10.10.10.11
Note
The names of the interfaces vary depending on appliance
model.
● On V10000, E1 and E2 are used.
● On V5000, X10G, and virtual appliances, P1 and P2 are used.
● Both the E1 (P1) and E2 (P2) interfaces can be used to accept inbound traffic and
send outbound traffic.
● A typical configuration is to use E1 (P1) for both inbound and outbound traffic;
E2 (P2) is not used.
● Another option is to configure E1 (P1) to accept inbound and E2 (P2) to send
outbound traffic.
● When you need to support a large volume of outbound traffic, you can configure
virtual interfaces on E1 or E2 (P1 or P2).
Important
On the V10000, if you use the E2 interface, the E1
interface is bound to eth0, and the E2 interface is bound to
eth1. Keep this in mind when you configure Forcepoint
Email Security.
On other appliances, if you use the P2 interface, the P1
interface is bound to eth0, and the P2 interface is bound to
eth1. Keep this in mind when you configure Forcepoint
Email Security.
CLI example:
(config)# set interface ipv4 --interface e1
--ip 10.200.200.20 --mask 255.255.0.0
--gateway 10.200.0.5
(config)# set interface dns --module email
--dns1 10.10.10.10 --dns2 10.10.10.11
Interface bonding
V10000 appliances can bond interfaces for failover or load balancing. Configuration
details are provided below.
Interface bonding is not supported on V5000, X10G, or virtual appliances.
Important
Do not bond interfaces that have different speeds or duplex
modes. Doing so can result in performance problems.
CLI example:
(config)# set interface bond --mode active-standby
Configure routes
Static routes
● The same route cannot be added for 2 different interfaces on the same module. If
attempted, an error message displays.
● Static routes that are defined for an interface that is later made inactive remain in
the routing table.
● Static routes that become invalid because the IP address of the interface changes
are disabled.
● Static routes can be added and deleted, but not modified. To modify a route, delete
it and add a new route specifying the new values.
● Static routes can be bulk added from a text file. See the Forcepoint Appliances
CLI Guide.
● The static route table has a maximum limit of 5000 entries.
CLI example:
(config)# set route --dest 11.0.0.0 --mask 255.0.0.0
--gateway 10.206.7.254 --interface c
(config)# set route6 --dest 2222:3333:4444:5555::0
--interface p1 --prefixlen 64
--gateway 1234:5678::8765:4321
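The static route rules above (no duplicate destination across interfaces of one module, routes kept when an interface goes inactive, routes disabled when an address change leaves the gateway off-link, delete-and-re-add instead of modify, and the 5000-entry limit) are easiest to check before a bulk import. As an added example, not Forcepoint code and not the appliance's own implementation, the following Python model enforces those rules; the interface-to-module grouping, the on-link gateway check, and the "dest gateway interface" line format accepted by validate_lines() are the example's own assumptions.

```python
"""Model of the static route rules listed above, usable as a dry run before a
bulk 'set route' import. Added example, not Forcepoint code and not the
appliance's implementation; the interface-to-module grouping and the
'dest gateway interface' line format accepted by validate_lines() are assumed."""
import ipaddress
from dataclasses import dataclass

MAX_STATIC_ROUTES = 5000  # limit stated in the guide


@dataclass
class Interface:
    module: str      # assumed grouping, e.g. "appliance", "web", "email"
    addresses: list  # IPv4Interface / IPv6Interface objects, at most one per family
    active: bool = True

    def subnet(self, version: int):
        """The interface's on-link network for an address family, or None."""
        return next((a.network for a in self.addresses if a.version == version), None)


@dataclass(frozen=True)
class Route:
    dest: object     # IPv4Network or IPv6Network
    gateway: object  # IPv4Address or IPv6Address
    interface: str


class StaticRouteTable:
    def __init__(self, interfaces: dict):
        self.interfaces = interfaces
        self.routes: list = []
        self.disabled: set = set()

    def add(self, dest: str, gateway: str, interface: str) -> Route:
        """'set route' / 'set route6': append a route, or raise ValueError."""
        if len(self.routes) >= MAX_STATIC_ROUTES:
            raise ValueError(f"static route table is full ({MAX_STATIC_ROUTES} entries)")
        iface = self.interfaces.get(interface)
        if iface is None:
            raise ValueError(f"unknown interface {interface!r}")
        net = ipaddress.ip_network(dest, strict=False)
        gw = ipaddress.ip_address(gateway)
        subnet = iface.subnet(net.version)
        if gw.version != net.version or subnet is None:
            raise ValueError(f"address family mismatch for {dest} via {interface}")
        if gw not in subnet:
            raise ValueError(f"gateway {gw} is not on the {interface} subnet {subnet}")
        for existing in self.routes:  # same destination twice on one module is an error
            if (existing.dest == net
                    and self.interfaces[existing.interface].module == iface.module):
                raise ValueError(f"route to {net} already exists on interface "
                                 f"{existing.interface} of module {iface.module}")
        route = Route(net, gw, interface)
        self.routes.append(route)
        return route

    def delete(self, dest: str, interface: str) -> None:
        """Routes cannot be modified in place: delete, then add the new values."""
        net = ipaddress.ip_network(dest, strict=False)
        keep = [r for r in self.routes if not (r.dest == net and r.interface == interface)]
        if len(keep) == len(self.routes):
            raise ValueError(f"no route to {net} on interface {interface}")
        self.routes = keep
        self.disabled &= set(keep)

    def set_interface_active(self, interface: str, active: bool) -> None:
        """Making an interface inactive leaves its static routes in the table."""
        self.interfaces[interface].active = active

    def change_interface_ip(self, interface: str, new_address: str) -> list:
        """Re-address an interface; routes whose gateway is no longer on-link are disabled."""
        iface = self.interfaces[interface]
        new = ipaddress.ip_interface(new_address)
        iface.addresses = [a for a in iface.addresses if a.version != new.version] + [new]
        newly = [r for r in self.routes if r.interface == interface
                 and r.gateway.version == new.version and r.gateway not in new.network
                 and r not in self.disabled]
        self.disabled.update(newly)
        return newly

    def active_routes(self) -> list:
        return [r for r in self.routes if r not in self.disabled]

    def validate_lines(self, lines: list) -> list:
        """Dry-run a bulk add of 'dest gateway interface' lines without changing the table."""
        trial = StaticRouteTable(self.interfaces)  # add() never mutates interfaces
        trial.routes, trial.disabled = list(self.routes), set(self.disabled)
        errors = []
        for n, line in enumerate(lines, 1):
            fields = line.split()
            if len(fields) != 3:
                errors.append(f"line {n}: expected 'dest gateway interface'")
                continue
            try:
                trial.add(*fields)
            except ValueError as exc:
                errors.append(f"line {n}: {exc}")
        return errors
```

Build the table from the interfaces and addresses actually configured (show interface info), add the routes you already have, then feed the bulk file to validate_lines(); every error it returns corresponds to a route the CLI would reject or that would end up disabled.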
Component routes
Although the appliance management interface (C) is typically reserved for
management traffic, in some deployments it is necessary or desirable to route some
web or email traffic through the C interface rather than P1/P2 or E1/E2.
The component route table has a maximum limit of 5000 entries.
CLI example:
(config)# set component_route --dest 11.0.0.0
--mask 255.0.0.0 --module email
Forcepoint appliances can issue alerts using SNMP trap data when integrated with a
supported Security Information Event Management (SIEM) system. SNMP traps send
alerts to system administrators about significant events that affect the security of the
network.
In the CLI, the appliance can be configured to:
● Allow your SNMP manager to poll the appliance for standard SNMP counters.
● Send SNMP traps for selected events to your SNMP manager.
Support is included for SNMP v1, v2c, and v3.
■ With SNMP v1 and v2c, a suffix (-proxy, -web, -na, or -email) is appended to
the community name to indicate the originating module for the counter.
■ With SNMP v3, you can specify the context name (Proxy, Web, NA, or
Email) to poll counters for each module.
If you use v1 or v2c, you must specify the community name for the appliance.
If you use v3, you must specify security level, user, authentication, and encryption
type to associate with SNMP communication.
To enable polling:
set snmp service --status on
set snmp version --options <values>
SNMP traps
SNMP monitor service and SNMP trap settings are independent, but SNMP monitor
service must be enabled before you activate the SNMP trap configuration.
Use these commands to work with SNMP traps:
show snmp config
show trap config
show trap events
set snmp service
set trap service
set trap version (v1, v2c, v3) --options <values>
save trap --location <filestore_alias>
load trap --location <filestore_alias> --file <name>
save mibfile --location <filestore_alias>
test trap event
Use ‘test trap event’ to verify your configuration. If there is a problem sending the test
trap, verify the community name, IP address, and port, and make sure that the network
allows communication between the appliance and the SNMP manager.
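The community-name suffix convention above (-proxy, -web, -na, or -email appended with SNMP v1 and v2c) is what lets a SIEM attribute a trap to the module that raised it. As an added example, not Forcepoint code, the following Python block decodes an SNMPv2c trap with a minimal BER parser and tags the originating module from that suffix; v1 traps (different PDU layout) and v3 messages (module given by context name) are deliberately rejected. The sample trap is constructed inline, and its trap OID under 1.3.6.1.4.1.99999 is a placeholder, not a Forcepoint OID.

```python
"""Minimal BER decoder for SNMPv2c traps that tags the originating appliance
module from the community-name suffix (-proxy, -web, -na, -email). Added
example, not Forcepoint code; the sample trap is constructed and its OID
under 1.3.6.1.4.1.99999 is a placeholder, not a Forcepoint OID."""

MODULE_SUFFIXES = ("-proxy", "-web", "-na", "-email")  # suffixes named in the guide
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"  # snmpTrapOID.0
SYS_UPTIME_OID = "1.3.6.1.2.1.1.3.0"     # sysUpTime.0


def tlv(tag: int, payload: bytes) -> bytes:
    """BER tag-length-value; long-form length when the payload is 128+ bytes."""
    n = len(payload)
    if n < 128:
        return bytes([tag, n]) + payload
    lenbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lenbytes)]) + lenbytes + payload


def ber_int(v: int) -> bytes:
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def ber_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:  # base-128 with continuation bits, most significant first
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def ber_read(buf: bytes, pos: int = 0) -> tuple:
    """Return (tag, value, next position) for the element at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        if not 0 < nbytes <= 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_v2c_trap(msg: bytes) -> dict:
    """Parse one SNMPv2c trap; v1 traps and v3 messages raise ValueError."""
    tag, body, _ = ber_read(msg)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = ber_read(body)
    if int.from_bytes(ver, "big", signed=True) != 1:  # 0 = v1, 1 = v2c, 3 = v3
        raise ValueError("only SNMPv2c traps are handled here")
    _, comm, pos = ber_read(body, pos)
    community = comm.decode("ascii", errors="replace")
    module = next((s[1:] for s in MODULE_SUFFIXES if community.endswith(s)), None)
    pdu_tag, pdu, _ = ber_read(body, pos)
    if pdu_tag != 0xA7:  # SNMPv2-Trap-PDU
        raise ValueError(f"unexpected PDU tag 0x{pdu_tag:02x}")
    pos = 0
    for _ in range(3):  # skip request-id, error-status, error-index
        _, _, pos = ber_read(pdu, pos)
    _, vblist, _ = ber_read(pdu, pos)
    varbinds, pos = {}, 0
    while pos < len(vblist):
        _, vb, pos = ber_read(vblist, pos)
        _, oid_raw, vpos = ber_read(vb)
        vtag, vraw, _ = ber_read(vb, vpos)
        if vtag == 0x06:
            value = decode_oid(vraw)
        elif vtag == 0x02:
            value = int.from_bytes(vraw, "big", signed=True)
        elif vtag in (0x41, 0x42, 0x43):  # Counter32, Gauge32, TimeTicks (unsigned)
            value = int.from_bytes(vraw, "big")
        else:
            value = vraw
        varbinds[decode_oid(oid_raw)] = value
    return {"community": community, "module": module,
            "trap_oid": varbinds.get(SNMP_TRAP_OID), "varbinds": varbinds}


def build_sample_trap(community: str, uptime_ticks: int, trap_oid: str) -> bytes:
    """Constructed SNMPv2c trap for testing; not captured from a real appliance."""
    vbs = tlv(0x30, ber_oid(SYS_UPTIME_OID) + tlv(0x43, uptime_ticks.to_bytes(4, "big")))
    vbs += tlv(0x30, ber_oid(SNMP_TRAP_OID) + ber_oid(trap_oid))
    pdu = tlv(0xA7, ber_int(42) + ber_int(0) + ber_int(0) + tlv(0x30, vbs))
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode("ascii")) + pdu)
```

In a collector, feed each UDP datagram received on the trap port to parse_v2c_trap(); the returned "module" field is None when the community carries no recognised suffix, which is itself worth alerting on, since it means the trap did not come from a module configured as this guide describes.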
See the Forcepoint Appliances CLI Guide.
Setting up a Forcepoint appliance involves 5 key tasks. This topic covers Task 5.
Task 1: Prepare for deployment
Task 2: Set up appliance hardware and virtual appliances
Task 3: Run the firstboot wizard (initial command-line configuration)
Task 4: Configure appliances (post-firstboot)
Task 5: Install off-appliance and optional components
After the appliance has been configured, install the remaining off-appliance
components. See your deployment plan. For a refresher, see Required off-appliance
components, page 14.
To install off-appliance components, return to the following guides.
● Forcepoint Email Security: Installing email protection appliance-based
solutions.
● Forcepoint Web Security: Installation Instructions: Forcepoint Web Security.
● Forcepoint URL Filtering: Installation Instructions: Forcepoint URL Filtering.