Forcepoint ONE Lab Guide v1.0c


Forcepoint ONE

Lab Guide v1.0b

© 2022 Forcepoint | Forcepoint Proprietary


Table of Contents
▪ Module 1 - Overview

▪ Module 2 - Identity

▪ Module 3 - Login Policies

▪ Module 4 - Adding Applications and Policy

▪ Module 5 - Secure Web Gateway (SWG)

▪ Module 6 - Zero Trust Network Access (ZTNA)

▪ Module 7 - Advanced DLP and Policy

▪ Module 8 - API and SSPM

▪ Module 9 - Logging and Reporting



Notes
All lab exercises will leverage the SaaS applications you set up in the pre-work
content prior to this training:
1. Your Go4Labs environment should have the additional mailbox
[email protected]
2. Your OKTA Developer environment should have 2 users, your admin
account and [email protected], along with the groups IT and
Finance
3. You should have the DLP Test Files downloaded
4. Your SFDC Developer Account should be accessible and ready to go

Please Note: As we transition from the Bitglass naming convention to Forcepoint
ONE, you will see a mixture of names used interchangeably inside the platform,
agents, services, and documentation. For the purpose of this lab, these names
represent the same solution.
Notes
All lab exercises will be completed with Go4Labs. Please access
either the web consoles or the RDP console to gain access to your lab.

Please open GNS3; this is where all devices referenced within the
exercises can be accessed.
Admin Guide
As we go through all the lab exercises, we will be using the Admin
Guide to help us with configuration. This can be accessed through the
Forcepoint ONE portal by clicking the ? in the top-right corner.

The admin guide is your resource for learning how to set up and deploy
Forcepoint ONE. The guide is structured in the same manner as the
Forcepoint ONE Admin portal tabs for easier navigation. In addition, a
search bar in the top right will allow you to quickly locate the
information you are specifically looking for.

Table of Contents: The contents tab will display a Table of Contents of all
guide pages. Guide pages are ordered in a similar manner to the tab layout on
the Forcepoint ONE Admin portal. Some guide items can be expanded to
display more guide pages where applicable.

Search Bar: The Search bar will allow admins to quickly search for specific
key words to locate relevant guide pages. Results will display a link to the
guide page with a brief excerpt of where the search term appears. Results are
sorted based on the search term's appearance in a guide page's title and then
the number of appearances within the guide page.

Page Body: The guide page body sections are separated by header levels.
Some sections will be collapsed to make guide pages easier to read and
navigate through.
Forcepoint ONE

Overview

Forcepoint ONE SASE Platform
(Platform diagram; the numbered capabilities read as follows.)
1. Protection in the cloud: Audit, threat protection & control of data at rest in cloud services
2. Protection on Managed Devices: Real-time access control, DLP & threat protection for managed apps
3. Web Security on Managed Devices: Deep URL filtering, AUP, threat protection & DLP for unmanaged apps & web; Browser Isolation, low latency and privacy
4. Protection on Personal Devices: Agentless real-time access control, visibility, DLP, RBI & threat protection for managed apps
5. Identity: IDP integration, native identity & MFA, patented zero trust access control
6. Visibility: Analytics & logging; UEBA & anomaly detection; Cloud Security Posture Management; SaaS Security Posture Management; Shadow IT Discovery
7. Zero Trust Network Access: Access control, DLP & threat protection for internal apps; agentless or agents
8. SDWAN Security: Integrated with leading SDWAN vendors at AWS Transit Gateway
Diagram labels: Managed devices; Unmanaged devices
Forcepoint Public Cloud SASE Fabric
Verified Uptime: 99.99% since 2015
Performance Impact - Sao Paulo, Brazil
O365 direct (avg): 6.63s
O365 via SASE (avg): 4.38s
33% faster via Forcepoint ONE fabric
Managed Apps: Zero-Day Control for Any App
Covers: Internal apps, Major SaaS, Long-tail SaaS, IaaS (Proxy + API)
Zero-Day Core TM
Data Protection
● Contextual access control
● DLP w/ adv. remediation
● Field and file encryption
● Zero-Trust Remote Access
Threat Protection
● Known & Zero-day malware protection
● Account hijack protection
Identity
● Integrated with leading IDP
● Native SSO & SAML proxy
● Step-up multi-factor auth
● Session management
Visibility
● UEBA (Behavioral Analytics)
● Policy-based remediation
● CSPM reporting & remediation
Deployment: Agent/Agentless Proxy for Managed Devices; Agentless Proxy for Unmanaged Devices
Architecture
(Architecture diagram: any app, any network, any device; Managed Devices and Unmanaged Devices.)
Covers: IaaS, SaaS, Unsanctioned Apps, Web
1 API
2 Reverse Proxy
3 Forward Proxy
4 SmartEdge SWG
5 Integration
Integration points shown: Policy & Exact Match, Log Import, ZTNA, Identity, ICAP, Feeds, KMIP, IPSEC
Integrated systems shown: Internal Apps, AD, On-prem DLP, SWG/FW, SIEM, HSM, SDWAN
Prep: Windows10-Managed Host
Right-click on the Windows10-Sysprep client. Select Console.
Leave all settings at default, except change the Time Zone to UTC+00:00.
Click Next.
Accept the Legal Terms.
Use Express Settings.
Prep: Windows10-Managed Host
Once the device is ready, select ‘Join a local Active Directory
domain’. Select Next.
Add user student1 with password Forcepoint1 and Fp1 as the hint.
Select ‘Yes’ to allow the device to be discoverable.
Prep: Windows10-Managed Host
Open Microsoft Edge and browse to https://library.go4labs.net, then navigate to the Forcepoint ONE Training folder.
Download and install Chrome.
Prep: Windows10-Managed Host
Change IP Address & DNS: open Settings -> Network & Internet ->
Ethernet -> Change adapter options.
Right-click on the adapter icon -> select Properties.
Highlight Internet Protocol Version 4, hit Properties.
Fill in IP Address, Subnet, Default gateway & Preferred DNS server.
Hit OK, and hit OK again.
Prep: Windows10-Managed Host
Add to Domain
Open Settings -> System -> Click on About
Click Join a Domain -> type go4labs.local -> hit Next
Type: admin Forcepoint1
User account: admin with Administrator account Type
Restart PC Now

Prep: Windows10-Managed Host
Open Chrome and browse to https://library.go4labs.net, then navigate to the Forcepoint ONE Training folder.
Download and install Office (while Office is downloading and installing, please start the lab work).
Module 2

Identity

Content
▪ Overview
▪ Create Local User
▪ Create Local Groups
▪ Configure RBAC
▪ Configure OKTA
▪ Configure SCIM
Forcepoint ONE Portal Access
Please access the Windows10-Sysprep client device
from within GNS3
username: admin
pwd: Forcepoint1

Open Chrome and browse to
https://portal.us.bitglass.net
Username: [email protected]
Pwd: Bitglass225!

Navigate to Protect-->Objects. If you only see
Common Objects, please navigate to IAM-->Admin
Roles and refresh the browser page. Then navigate
to Protect-->Objects and you should see Common
Objects, Host App and Host Networks.
Users and Groups

The Users and Groups page is where you will manage everything related to your domain, users, groups,
and authentication. This is also where you perform certain individual user functions, such as selectively
wiping users’ mobile devices. There are 4 main functions you can manage:
1. Username Domains and Authentication: This is where you can add and provision the domains you wish
to use with Forcepoint ONE.
2. Active Directory User Source: This is where you can set up synchronization with your AD system to use
for provisioning and deprovisioning users into Forcepoint ONE.
3. Groups: Here you can create and manage local groups. Groups can be used for access control as well
as policy actions. Groups synced from AD will appear here, but they cannot be adjusted or changed (all
user/group provisioning must occur in AD).
4. Users: Here is where you can add/manage local users in the Forcepoint ONE system. Users synced
from AD will also appear here, but their settings/attributes cannot be changed within Forcepoint ONE (all
user/group provisioning must occur in AD). You can also view user application activity history.
Identity Management

Authenticate via Forcepoint ONE IdP, AD, or any 3rd party IAM
Forcepoint ONE auto-redirect via proxy
▪ SAML transparently redirects users from any cloud app
▪ No vanity URLs, device config, or user experience change
Only CASB with native identity management
▪ AD/local authentication and sync
▪ Contextual multifactor authentication
Integration with existing solutions
▪ ActiveDirectory sync and provisioning
▪ Support for all major IdPs including ADFS, Ping, Okta
Diagram labels: SAML / WS-Fed IdP; AD Sync + Auth; MFA; SAML SP
Patented Access Control
(Diagram: Any User, Any Device; Any SAML 2.0 Compliant IdP; Any Cloud App)

SAML Proxy: US Patent 10,757,090
1 User connects directly to app
2 User directed to Forcepoint ONE then to IDP
3 User directed to Forcepoint ONE after authentication; contextual proxy controls enforced

ACS Proxy: US Patent 10,855,671
1 User connects directly to app
2 User directed to IdP
3 User directed to Forcepoint ONE after authentication; contextual proxy controls enforced
Authentication Flow
(Sequence diagram between Any User, Any Device; Any SAML 2.0 Compliant IdP; Bitglass SAML Relay; Any Cloud App)

1. passive authentication request
2. browser redirects to Forcepoint ONE
3. browser redirects to IdP
4. user authentication
5. SAML response to Forcepoint ONE
6. device multi-factor auth based on client certificates: request client certificate; device presents client certificate
7. multi-factor challenge: challenge mfa; user presents mfa token
8. authenticated requests and responses via the Forcepoint ONE Proxies
Exercise 1: User and Group Management (Local)
We are first going to add local users and groups. Local users and groups are great for trial/testing environments and are
recommended for admin users. It’s a good idea to have local admin users just in case 3rd party external authentication
(Okta, Azure AD) has issues; you then still have admin access to your tenant.
Exercise 1: User and Group Management (Local)
Step 1: Add Local user
• From your Windows10-Sysprep client machine, navigate to
IAM➔Users and Groups
• Click the green + icon in the user list
• Add a User Manually
• Enter the user details (username, first name, last name, email)
• Set username and email to the email address
[email protected]
• Set admin role to None
• Set password to Forcepoint1!
• Click Create
Exercise 1: User and Group Management (Local)
Step 2: Add Local group
• Click the green + icon in the group list
• Name the group Exercise 1 Group
• Click Create
Exercise 1: User and Group Management (Local)
Step 3: Add user to new group
• Under Groups, click on Exercise 1 Group
• Under Domain Users, click the radio box beside your
newly created user, then click the green arrow
• Your new user will now show as a member on the right side
• Click Save
Exercise 1: User and Group Management (Local)
Step 4: Verify Group Membership
• Navigate to IAM→Users and Groups
• Click on your user and scroll to the bottom
• You will now see the Group Membership section (note that the Admin
Role section is blank)
Admin Roles
The "Admin Roles" page is where Forcepoint ONE admins can create different and unique admin roles to assign to users or
groups. Each role's permissions can be set to Edit, View, or Disabled (i.e. hidden) for each individual tab and the sub-components
within the tab.
It is important not to layer admin roles by assigning roles both to groups and to individual users that are part of those groups.
Meaning, if you want a user to individually have a specific admin role (e.g. the sys admin role), it is important that the user is not
assigned to a group with a different admin role. Forcepoint ONE will display an error on the user's profile if there is a role conflict
due to the user being assigned to multiple groups with admin roles. See the bottom section on "Assigning Admin Roles" for more
details.
Default Administrative Roles
The very first account created in the admin portal is set to a 'System Administrator' role. System Administrators have the most
control of any account type and are generally used to set up, manage, and modify settings for the entire company that they are
part of.
• Multiple System Administrators are allowed to be configured. A minimum of 2 should be created for a live deployment (one for
nominal tasks and the other as a backup). If you are deploying the AD Sync Agent, you should have a separate user account
with System Administrator access for it to operate correctly.
• System Administrators are limited to local authentication only. This is intentional and allows access to settings in case a 3rd
party (SSO or AD) authentication method fails and needs to be changed. As a System Administrator, you can still log in to the
user portal; however, it is generally desirable to have a separate user account.
• The Admin portal timeout is set separately from the user timeout. You can adjust the default timeout by going to the Admin tab
under Settings and modifying the Admin Portal Inactivity Timeout value.
Admin Roles
Custom Admin Roles
• Custom Admin Roles can be limited to Read/Write, Read, or Deny access for each tab. New Applications can only be
created by System Admins; custom admins do not have this privilege. Custom admins can only modify Policies
and Objects under Applications. Restrictive access to selective Groups or Policies can be added into roles. For
example, a role could be created which only has access to modify users in the "Production Users" group, while all
other groups would be inaccessible.
• Custom Admins are allowed to have any authentication type, unlike System Administrators. They will be locked out if
there is a problem with 3rd party authentication.
• The Admin portal timeout is set separately from the user timeout. You can adjust the default timeout by going to the
Admin tab under Settings and modifying the Admin Portal Inactivity Timeout value.
Exercise 2: Admin Roles (RBAC)
Step 1: Setup Admin Roles
We are now going to make the new user an Admin, with
restrictions
• Navigate to IAM➔Admin Roles
• Click the + icon to add a new role
• Set name to Exercise 2 RBAC
• Scroll down to Forward Proxy
• Set SmartEdge Proxy to Disabled
• Scroll down to Integrations
• Set ICAP to Disabled
• Scroll down to Settings
• Set Appearance to View
• Set Oauth to Disabled
• Save Changes
Exercise 2: Admin Roles (RBAC)
Step 2: Assign Admin Role
There are a few ways we can add this role to our local user: through groups
and/or directly on the user. We will first focus on assigning it directly to the user.
• Log out of the portal and log in as your test user; you will
notice you are denied access to the portal
• Log back in as your admin user
• Navigate to IAM→Users and Groups
• Under Users, click on your test user
• Scroll to the bottom and set Admin Role to System Administrator
• Click Save
• Log out of the portal and log in as your test user
• Notice that your user is a full admin, with no restrictions
Exercise 2: Admin Roles (RBAC)
Step 3: Assign Admin Role
There are a few ways we can add this role to our local user:
through groups and/or directly on the user. We will now focus on
assignment through groups.
• Log out as your test user and log in as your admin user
• Navigate to IAM→Users and Groups
• Under Groups, click on Exercise 1 Group
• In the drop-down beside Members Admin Role, select
Exercise 2 RBAC (Note: this role will be applied to
anyone in the group)
• Click Save
• Navigate to IAM→Users and Groups
• Under Users, click on your test user and scroll to the
bottom. You will now see that your user has inherited admin
roles from the Group (note the role is active) and that the
Admin Role field is blank.

Admin Roles set manually will be overridden if the Group > Member Admin Role
assignment is utilized.
Exercise 2: Admin Roles (RBAC)
Step 4: Verify Admin Role
• Log out of the portal and log in as [email protected]
• Navigate to Protect→Forward Proxy
• You will notice SmartEdge Proxy is no longer visible
• Navigate to Protect→Integrations
• You will notice ICAP is no longer visible
• Navigate to Settings→Appearance
• You will notice the page is view only (you cannot make changes)
• Under Settings→API Interface
• You will notice Oauth is no longer visible
Exercise 3: 3rd Party IDP (Okta)
We are now going to set up Okta as an external IdP. While Forcepoint ONE does have IdP capabilities built
in, we do support a wide range of 3rd party IdP vendors. Doing so allows customers to utilize their existing
authentication methods alongside Forcepoint ONE.
Exercise 3: 3rd Party IDP (Okta)
Step 1: Setup External IDP
• Log out of Forcepoint ONE as your test user and log in as your admin user
• Also log into your Okta developer account
• On the left-hand navigation bar in Okta, navigate to Applications→Applications→Create App Integration
• Select SAML 2.0
Exercise 3: 3rd Party IDP (Okta)
Step 2: Setup External IDP
• Enter an "App name" to distinguish the application; you can also upload an "App logo", though it is not necessary.
• Next you will need to enter the SAML Settings for the Forcepoint trial environment. Make sure you select "Show
Advanced Settings". Enter the setting configurations listed in Step 3.
Exercise 3: 3rd Party IDP (Okta)
Step 3: Setup External IDP
• Now, in Okta, you will need to enter the SAML Settings for the Forcepoint trial environment.
• Make sure you select "Show Advanced Settings". Enter the following setting configurations:

Single Sign on URL: https://portal.us.bitglass.net/sso/acs
Keep "Use this for Recipient URL and Destination URL" checked, as we use the same URL.
Audience URI (SP Entity ID): https://sso.us.bitglass.net
Default Relay State: bg_portal_login
Name ID Format: EmailAddress
Application username: Okta username
Update application username on: Create and update
Response: Unsigned
Assertion Signature: Signed
Signature Algorithm: RSA_SHA256
Digest Algorithm: SHA256
Assertion Encryption: Unencrypted
SAML Single Logout: Disabled
Authentication context class: PasswordProtectedTransport
Honor Force Authentication: No
SAML Issuer ID: http://www.okta.com/${org.externalKey}
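To see what these Okta settings mean on the receiving side, here is an added Python example (not part of the lab guide or Forcepoint's code) that checks a SAML response against the SP values above: the Destination and Recipient must be the ACS URL, the Audience must be the SP Entity ID, the NameID must be an e-mail address, and the validity window must contain the current time. The issuer value, the sample response and the clock are constructed placeholders, and signature verification is assumed to be done separately before these checks run.

```python
"""Check a SAML 2.0 response against the SP settings configured in Okta above.

Added example, not from the lab guide or Forcepoint. Signature verification
(the Okta "Assertion Signature: Signed" setting) is assumed to happen before
this function is called and is not shown here.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# SP-side values taken from the Okta settings listed in Step 3.
ACS_URL = "https://portal.us.bitglass.net/sso/acs"
SP_ENTITY_ID = "https://sso.us.bitglass.net"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Placeholder for the tenant's real issuer, http://www.okta.com/${org.externalKey}.
EXPECTED_ISSUER = "http://www.okta.com/EXAMPLE-ORG-KEY-PLACEHOLDER"

# Constructed reference clocks used by the sample response below.
NOW = datetime(2022, 6, 1, 12, 0, tzinfo=timezone.utc)
ONE_HOUR_LATER = NOW + timedelta(hours=1)


def _ts(value):
    """Parse the UTC timestamp format used in SAML assertions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, now=NOW):
    """Return the list of problems found; an empty list means the assertion is acceptable."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is not the ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != EXPECTED_ISSUER:
        problems.append("unexpected Issuer")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT or "@" not in (name_id.text or ""):
        problems.append("NameID is not an e-mail address")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        problems.append("Recipient is not the ACS URL")
    elif _ts(scd.get("NotOnOrAfter")) <= now:
        problems.append("SubjectConfirmationData expired")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
            problems.append("assertion outside its validity window")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            problems.append("Audience does not contain the SP Entity ID")
    return problems


def sample_response(audience=SP_ENTITY_ID, destination=ACS_URL):
    """Constructed, unsigned sample mirroring the Okta settings; parameters let you break it."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{destination}">
  <saml:Assertion>
    <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">firstname@yourdomain.example</saml:NameID>
      <saml:SubjectConfirmation>
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2022-06-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2022-06-01T11:55:00Z" NotOnOrAfter="2022-06-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print("good response:", check_assertion(sample_response()))
    print("wrong audience:", check_assertion(sample_response(audience="https://other-sp.example")))
    print("replayed later:", check_assertion(sample_response(), ONE_HOUR_LATER))
```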

Exercise 3: 3rd Party IDP (Okta)
Step 4: Setup External IDP
• On the final page choose the top option to identify as a "Customer" and then for "App type" select "This is
an internal app that we have created". Click Finish.
Exercise 3: 3rd Party IDP (Okta)
Step 5: Assign SAML 2.0 App
• Once completed you can navigate back to the Forcepoint portal to modify the SAML and add a new External IdP. In the
Forcepoint portal navigate to the Protect→ Objects→ Common Objects page and add a new "External IdP". Set the IdP
Type dropdown to Okta and add an object name.

Exercise 3: 3rd Party IDP (Okta)
Step 6: Assign SAML 2.0 App
• On the Okta portal, click the View Setup Instructions button, copy the SAML IDP Login URL (Item 1 in the Okta setup
instructions), and paste it into the Forcepoint portal under the IdP Login URL field
• On the Forcepoint portal, the SAML Logout URL will be your Okta domain followed by /login/signout. In our example it is
https://bitglass3.okta.com/login/signout
• Go back to the Okta portal and click the Token Signing Certificate link (Item 3 in the Okta portal) to download the certificate.
Upload the token signing certificate to the Forcepoint portal under the "Token Signing Certificate" field.
• Click Save
Exercise 3: 3rd Party IDP (Okta)
Step 7: Assign SAML 2.0 App
• In the Forcepoint portal navigate to IAM→Users and Groups
• Edit your domain, select "External Identity Provider" and select your Okta IdP
• Leave Auto-provision users upon auth success unchecked
Exercise 3: 3rd Party IDP (Okta)
Step 8: Add Users To Okta
Right now, the only user we have in OKTA is our admin user,
we want to add [email protected] as a user in
OKTA as well
• In OKTA navigate to Directory→People→Add Person
• Enter in your details
• Set password to activate user
• Click Save

Exercise 3: 3rd Party IDP (Okta)
Step 9: Create Groups in OKTA
• In OKTA navigate to Directory→Groups
• Click Add Group
• Set Name to IT
• Click Save
• Do the same for HR and Finance

Exercise 3: 3rd Party IDP (Okta)
Step 10: Add users to Groups in OKTA
• In OKTA navigate to Directory→Groups
• Click on the IT Group
• Click on Assign People
• Click on the Admin user and click Save
• Perform the same task to add the
[email protected] user to the Finance Group
Exercise 3: 3rd Party IDP (Okta)
Step 11: Assign SAML 2.0 App to Users
• In OKTA navigate to Directory→People
• Click on your [email protected] user
• Click on assign applications
• Click Assign beside your SAML 2.0 application
• Click Save and Go Back
• Click Done

Okta SCIM Integration
With Okta set, this option leverages SAML 2.0 user authentication, which provides Single Sign-On (SSO). Authentication requests for
users in the configured domain are sent to Okta.
Auto-provision users upon auth success - With this option, Forcepoint auto-creates users upon successful SAML auth to an external
IdP. Required attributes such as Last Name, First Name, User Principal Name, SAMAccount Name and NetBIOS Domain can be
optionally imported directly from the SAML response. This eliminates the need to manually create users or to synchronize account
information via the ActiveDirectory Sync Client.
In our case, we want the users and groups to populate before a successful SAML auth. This way we can create rules based on group
membership before putting the solution into production. This can be done through SCIM. The SCIM API integration with Okta allows
admins to provision/deprovision users directly in Okta and have those users automatically created, their attributes edited, or disabled within
Forcepoint. You will need to create an OAuth connected app in Forcepoint as well as a SCIM application inside of Okta.
Exercise 4: Okta SCIM Integration
Step 1: Add SCIM Integration with OKTA
• Log into the Forcepoint ONE portal as your admin
• Navigate to Settings→API Interface→Oauth
• You will first need to add a new OAuth application by clicking
the "green plus" icon.
• In the new window provide a recognizable name, select "User
and Group Provisioning" and then select "SCIM API". Click
"Ok" at the bottom to save.
• Leave this page open

Exercise 4: Okta SCIM Integration
Step 2: Add SCIM Integration with OKTA
• Log back into Okta and navigate to Applications→Applications→ Browse App Catalog
• Search for SCIM and select SCIM 2.0 Test App (Header Auth) and click Add

Exercise 4: Okta SCIM Integration
Step 3: Add SCIM Integration with OKTA
• In the next window rename the "Application Label" so it is recognizable and then click "Next" at the bottom. On the next
page select "SWA" as the Sign on Method and then select "Administrator sets username and password" and "Email" as
the Application username format. Click done to move on.

Exercise 4: Okta SCIM Integration
Step 4: Add SCIM Integration with OKTA
• Now inside the settings for your newly created app select the Provisioning tab and then click "Configure API Integration"
• Click the checkbox to "Enable API integration" to expand additional options.
Exercise 4: Okta SCIM Integration
Step 5: Add SCIM Integration with OKTA
• For Base URL enter the following URL: https://portal.us.bitglass.net/api/bitglassapi/v2/scim/
• For the API token you will need to switch back to the Forcepoint portal where we left off in Step 1. Select the OAuth
application you created in that step and click the URL link. Approve the access and then copy the generated token
into the "API Token" field here.
• Click Test API Credentials
• Click Save
Exercise 4: Okta SCIM Integration
Step 6: Add SCIM Integration with OKTA
• Once you have successfully enabled the API integration, you will see options for what is being provisioned to the App
(Forcepoint). Click the Edit button and check off the options you want to control (Create Users, Update User Attributes,
Deactivate Users). After checking the boxes click Save. Forcepoint currently does not support "Sync Password".

Exercise 4: Okta SCIM Integration
In order to provision users into Forcepoint you can assign them individually or by group under the Assignments tab. You can also
navigate to each individual user or group profile and add the application to them that way. Doing either of those options will push
those users into Forcepoint along with their attributes. This DOES NOT push the group objects themselves. In order to include the
group object (i.e. the group information in addition to the users) you will need to add those groups to the Push Groups tab.
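To make the pushes concrete, here is an added Python example (not the lab guide's or Forcepoint's code, and not a reproduction of the real endpoint) of a minimal in-memory SCIM 2.0 service that accepts the three operations enabled in Step 6 (create user, update attributes, deactivate) plus the Group resource that Push Groups sends, and enforces the header token from Step 5. Resource names follow RFC 7644; the token value, user data and generated ids are constructed placeholders.

```python
"""Minimal SCIM 2.0 (Header Auth) receiver modelling what Okta pushes.

Added example only; the real Forcepoint SCIM endpoint is not reproduced here.
"""
import hmac
import secrets

SCHEMA_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCHEMA_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"
SCHEMA_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCHEMA_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"


def _error(status, detail):
    return status, {"schemas": [SCHEMA_ERROR], "status": str(status), "detail": detail}


class ScimStore:
    """In-memory stand-in for the service-provider side of the integration."""

    def __init__(self, token):
        self.token = token          # the OAuth token generated under Settings > API Interface
        self.users, self.groups = {}, {}

    def _authorized(self, headers):
        auth = headers.get("Authorization", "")
        # Constant-time compare so a wrong token reveals nothing about the right one.
        return auth.startswith("Bearer ") and hmac.compare_digest(auth[7:], self.token)

    def handle(self, method, path, headers, body=None):
        """Dispatch one request; returns (HTTP status, JSON-serialisable body)."""
        if not self._authorized(headers):
            return _error(401, "missing or invalid API token")
        parts = path.strip("/").split("/")
        if parts == ["Users"] and method == "GET":
            return 200, {"totalResults": len(self.users), "Resources": list(self.users.values())}
        if parts == ["Users"] and method == "POST":
            return self._create(self.users, SCHEMA_USER, "userName", body)
        if parts == ["Groups"] and method == "POST":
            return self._create(self.groups, SCHEMA_GROUP, "displayName", body)
        if len(parts) == 2 and parts[0] == "Users" and method == "PATCH":
            return self._patch_user(parts[1], body)
        return _error(404, "unsupported resource or method")

    def _create(self, table, schema, key, body):
        if schema not in body.get("schemas", []) or not body.get(key):
            return _error(400, f"{key} and schema {schema} are required")
        if any(r[key].lower() == body[key].lower() for r in table.values()):
            return _error(409, f"{key} already exists")   # Okta expects 409 on duplicates
        record = dict(body, id=secrets.token_hex(8))      # constructed id
        if schema == SCHEMA_USER:
            record.setdefault("active", True)
        table[record["id"]] = record
        return 201, record

    def _patch_user(self, uid, body):
        user = self.users.get(uid)
        if user is None:
            return _error(404, "no such user")
        if SCHEMA_PATCH not in body.get("schemas", []):
            return _error(400, "PatchOp schema required")
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace":
                return _error(400, "only 'replace' is handled in this example")
            path = op.get("path")
            if path is None:               # e.g. {"value": {"active": false}}: Deactivate Users
                user.update(op.get("value", {}))
            else:                          # e.g. path "name.givenName": Update User Attributes
                parent, _, leaf = path.rpartition(".")
                target = user.setdefault(parent, {}) if parent else user
                target[leaf] = op["value"]
        return 200, user


def okta_push_demo(token="constructed-token-value"):
    """Replay the pushes Okta sends: assign a user, push a group, deactivate the user."""
    store = ScimStore(token)
    hdr = {"Authorization": "Bearer " + token}
    status, user = store.handle("POST", "/Users", hdr, {
        "schemas": [SCHEMA_USER], "userName": "firstname@yourdomain.example",
        "name": {"givenName": "First", "familyName": "Last"},
        "emails": [{"primary": True, "value": "firstname@yourdomain.example"}]})
    assert status == 201
    # Assigning the app to a group pushes its users but not the group object;
    # only "Push Groups" sends the Group resource with its member list.
    status, _ = store.handle("POST", "/Groups", hdr, {
        "schemas": [SCHEMA_GROUP], "displayName": "Finance",
        "members": [{"value": user["id"]}]})
    assert status == 201
    status, _ = store.handle("PATCH", "/Users/" + user["id"], hdr, {
        "schemas": [SCHEMA_PATCH],
        "Operations": [{"op": "replace", "value": {"active": False}}]})
    assert status == 200
    return store
```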

Exercise 4: Okta SCIM Integration
Step 7: Assign Groups to SCIM app
• Within Okta navigate to Applications→Applications
• Click on your SCIM app
• Click on Assignments
• Click on Assign→Assign Groups
• Assign Groups Everyone, Finance and IT
• Click on Push Groups Tab
• Click Push Groups→Find Group by name
• Select Push group membership immediately
• Search for IT and click on the group
• Click Save & Add Another
• Do the same for Finance and HR (click save after your last
group)

Exercise 4: Okta SCIM Integration
Step 8: Assign Groups to SCIM app
• You will now see your 3 groups active
• Navigate back to the Forcepoint portal; under IAM→Users and
Groups you will see your 3 groups under Groups, with Type showing
the name you set for your API application
• You will also see your firstname@yourdomain user
Exercise 4: Okta SCIM Integration
Step 9: Test IDP Access
• In an incognito browser, navigate to
https://portal.us.Bitglass.net
• For the user, enter [email protected]
• You will then be redirected to OKTA
• Use the credentials you created for this user in your pre-work
• Click Sign In
• Authentication should be successful, and you will now be
redirected to the Forcepoint ONE portal
Module 3

Login Policies

Content
• Overview
• Create Delay Login Policy
• Create Block Login Policy
• Create MFA Policy
• Create Expire Session Policy
Login Policies
The Login Policy allows admins to apply global login policies to their users across all protected cloud
applications contextually, based on a number of variables such as user group, device, location and
behavior. These policies are grouped by the action you are taking and can be added one by one to the
app tile. There are a total of 4 primary actions:
▪ Delay Login: Delay a user's login for a specified amount of time based on the context and behavior
(i.e. failing login attempts)
▪ Block Login: Block logins to applications entirely. Usually used to block users from risky locations, or
time-based for contractors (i.e. not allowing access outside of work hours).
▪ Expire Session: Expire a user's session, forcing them to re-authenticate, such as after a certain
period of inactivity.
▪ Two-Factor Authentication: Enforce an MFA check after a user authenticates, before granting
access.
Exercise 1: Login Control Policies – Delay Login
Step 1: Configure Delay Login Policy
• Navigate to Protect➔Policies
• Click green + icon under Delay login and set rule to mimic rule shown below

Exercise 2: Login Control Policies – Block Login
Step 1: Configure Block Login Policy
• Click green + icon under Block Login
• Set the location to your current location
• The Group will be the Finance group from OKTA

Exercise 2: Login Control Policies – Block Login
Step 2: Test Block Login Policy
• In an incognito browser, navigate to the Forcepoint ONE Portal
• Login as [email protected], you will be redirected to OKTA
• Once redirected back to the portal, you will be denied
• Delete the rule you just created

Exercise 3: Login Control Policies – MFA
Step 1: Configure MFA Policy
• Click green + icon under Multi-Factor Authentication
• Set action to Security Questions
• Set the location to your current location
• The Group will be the Finance group from OKTA

Exercise 3: Login Control Policies – MFA
Step 2: Test MFA Policy
• In an incognito browser, navigate to the Forcepoint ONE Portal
• Login as [email protected]; you will be redirected to OKTA
• Once redirected back to the portal, you will be asked to set up security questions
• Users can always reset MFA by clicking Edit Profile in the top right-hand corner
• Admins can also reset MFA for users from within the portal
• You can delete the rule once it has been tested
Exercise 4: Login Control Policies – Expire Session
Step 1: Configure Expire Session Policy
• Click green + icon under Expire Session and set rule to mimic rule shown below

Module 4

Adding Applications & Contextual Access Control

Content
▪ Overview
▪ Add M365 for Managed Device Access
▪ Configure M365 API connectivity
▪ Configure M365 Proxy Policy
▪ Configure Salesforce with Forcepoint as a SAML IDP
▪ Configure Salesforce Proxy Policy
Adding Applications
Add Predefined App
There are two primary ways for adding a licensed application. You can do so when sitting on the Policies page and clicking
the green plus icon or you can select the "Managed Apps" option under Protect > Policies > Add Apps. Doing either will take
you to the "Add Application" page prompting you to select either a predefined application to add to your policies page for
protection, or choose one of the customizable options (Any API, Custom Licensed App, or Unlicensed App).
Any Managed Application
The "Any Licensed Application" option allows customers to add SaaS applications that are not part of Forcepoint ONE's
current list of predefined applications. This includes any cloud applications as well as any custom applications that customers
may have developed on their own servers, datacenters, or IaaS/PaaS systems.

Contextual Access Control
Policy Match Criteria
Each application can have multiple policy rules which are evaluated in a top down fashion until a match is found. All
rule criteria must match for the actions to be applied. An implied deny rule is applied if no rules match at the end of
policy evaluation. Forcepoint ONE policies match and function in a manner like a traditional corporate firewall.
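The first-match, implied-deny evaluation described here, using the Delay, Block, MFA and Allow actions from the Module 3 login policies, as an added Python model; this is example code, not the lab guide's or Forcepoint's, and the rule fields, group and location names are constructed. It also includes a shadowed-rule check that the page does not describe: it flags rules that an earlier, broader rule makes unreachable, the same ordering problem one audits in a firewall rulebase.

```python
"""Top-down, first-match policy evaluation with an implied deny.

Added example, not from the lab guide or Forcepoint's code. Rule and context
field names ("groups", "location", "device", "failed_logins_at_least") are
this example's own assumptions.
"""


def _criterion_matches(key, expected, ctx):
    """One criterion. Sets mean 'any of these'; the failed-login key is a threshold."""
    if key == "failed_logins_at_least":
        return ctx.get("failed_logins", 0) >= expected
    actual = ctx.get(key)
    if isinstance(expected, (set, frozenset)):
        if isinstance(actual, (set, frozenset, list, tuple)):
            return bool(expected & set(actual))   # user belongs to any listed group
        return actual in expected
    return actual == expected


def evaluate(rules, ctx):
    """Return (action, rule_name) of the first rule whose criteria all match.

    Falls through to ("deny", None): the implied deny at the end of the policy."""
    for rule in rules:
        if all(_criterion_matches(k, v, ctx) for k, v in rule["criteria"].items()):
            return rule["action"], rule["name"]
    return "deny", None


def _narrower_or_equal(key, later, earlier):
    """True if everything matching `later` for this key also matches `earlier`."""
    if key == "failed_logins_at_least":
        return later >= earlier
    if isinstance(earlier, (set, frozenset)):
        return set(later) <= earlier if isinstance(later, (set, frozenset)) else later in earlier
    return later == earlier


def shadowed_rules(rules):
    """(shadowed_rule, shadowing_rule) pairs: a later rule can never match when an
    earlier rule's criteria are a subset of, and at least as broad as, its own."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            ec, lc = earlier["criteria"], later["criteria"]
            if all(k in lc and _narrower_or_equal(k, lc[k], v) for k, v in ec.items()):
                shadowed.append((later["name"], earlier["name"]))
                break
    return shadowed


# Constructed rules mirroring the Module 3 exercises: delay after repeated
# failures, block Finance from one location, MFA for Finance anywhere else,
# allow managed devices. Order matters: Block must precede the broader MFA rule.
LAB_RULES = [
    {"name": "Delay repeated failures", "criteria": {"failed_logins_at_least": 3},
     "action": "delay_login"},
    {"name": "Block Finance at lab location",
     "criteria": {"groups": {"Finance"}, "location": {"Lab Location"}}, "action": "block_login"},
    {"name": "MFA for Finance", "criteria": {"groups": {"Finance"}}, "action": "mfa"},
    {"name": "Allow managed devices", "criteria": {"device": "managed"}, "action": "allow"},
]


if __name__ == "__main__":
    finance_lab = {"groups": {"Finance", "Everyone"}, "location": "Lab Location",
                   "device": "unmanaged", "failed_logins": 0}
    print(evaluate(LAB_RULES, finance_lab))                       # block_login
    print(evaluate(LAB_RULES, dict(finance_lab, location="Home")))  # mfa
    print(evaluate(LAB_RULES, {"groups": {"IT"}, "device": "unmanaged"}))  # implied deny
    print(shadowed_rules([LAB_RULES[2], LAB_RULES[1]]))           # Block shadowed by MFA
```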

Unmanaged Apps: Zero-day Discovery & Protection

Zero-day Shadow IT Discovery
● Patent-pending index of 660K+ apps, 20X the competition
● Comprehensive reports on app risk, compliance, etc.
Secure access to unmanaged apps from managed devices
● Route traffic via agent or agentless PAC file on devices
Zero-Day upload DLP
● Automated identification/DLP of upload paths (Patent Pending)
○ Machine-learning tech inspects all upload traffic
○ Data-paths with natural language payloads identified
● No signatures required, works for all apps - Facebook, Linkedin, etc.
Competition
● Manual catalog of supported apps with upload path signatures
● Breaks/outdated when apps change or new apps surface
Diagram label: Agent
Adding M365 for Managed Device Access
Because we are adding M365 for managed device access,
we don't need to set up SAML authentication and there is no
need to federate the domain. We will be setting up the API as
well as access control rules and DLP policy.

Exercise 1: Adding M365 for Managed Device Access
Step 1: Adding M365 Application
• Navigate to Protect→Add Apps→Managed Apps
• Click on Microsoft 365
• Click Ok
• Click Save

M365 API Scanning
In order to gain visibility into data at rest in your cloud applications, you will first need to authorize
Forcepoint to access your corporate account via the API in any application you wish to provide
API scanning for. After Forcepoint has been authorized to access your corporate cloud application
account, you need to configure selective scanning to tell Forcepoint what information to look for.
Selective scanning gives you complete control over what, and how much, data in your
account Forcepoint should scan via the API.
Once configured, all the files at rest will be analyzed against DLP patterns and a report will
be generated to identify any DLP violations in your corporate account. API scanning requires
a Microsoft E3 license or higher. This license must be applied to all of the users you wish to
include in the scan, not just the admin account used for this API setup.
Note: The admin account being used in the Forcepoint ONE portal to set up the API must be a
Forcepoint system administrator and not a standard Role Admin. If you are using a Role Admin
account, the setup will not complete successfully.

Exercise 2: Configuring M365 API
Step 1: Configuring M365 API
• Navigate to Protect→Policies
• Scroll down and click on Microsoft 365 logo
• Click on Setup API
• Select Enable API Scanning and click Save (top right-hand corner)
• Click on API Scanning Settings and follow the steps
• Note: If you receive an authorization error, try again. If you still receive the error, skip the
M365 API section and try authorizing the API later. M365 has been having issues when
multiple people are authorizing at the same time

Exercise 2: Configuring M365 API
Step 2: Configuring M365 API
• Navigate to Protect→Policies
• Scroll down and click on Microsoft 365 logo
• Click on Setup API
• Make sure OneDrive is selected
• Under Users, set to Selected and include IT, Finance, Bitglass Admins, Exercise 1 Group and HR
• Leave the DLP area blank; we will configure that later
• Click Save
• Note: We will do more with the M365 API in Module 8

Exercise 2: Configuring M365 API
Step 3: Verify M365 Connectivity
Now that the API has been connected, we want to start gaining visibility (and then control) into the files at rest. In the Pre-work you
downloaded some DLP Test Files (they can also be found here). Please make sure these files are downloaded to the Windows10-
sysprep device in the lab (keep them on the desktop for easy access). Please unzip the folder and upload the folders to your
[email protected] OneDrive.
• Once the files have been uploaded, it may take a few moments for the API logs to populate with details on the data at rest.
• You can navigate to Analyze→Logs→API
• You will start to see files being reported under Summary
• Scroll down to Event Logs, and you will see details on all your files. Clicking on the file name will provide greater detail
• If you don't see files yet, you can jump to the next steps

Exercise 3: Configuring M365 Access Control Rules
Step 1: Configuring M365 Policy (Proxy)
• Navigate to Protect→Policies
• Scroll down to M365
• Create your policy to mimic the policy below
• Don’t worry about the settings when you set the action to
Secure App Access, leave everything as default
Note: We will test our M365 policy in module 5

Adding Salesforce for Unmanaged Device Access
Unlike M365, we want to configure Salesforce for unmanaged
device access. This requires us to deploy Forcepoint ONE as a
SAML IdP, which ensures visibility and access control of
Salesforce via Forcepoint ONE. To complete these steps you
will need to be logged into the Forcepoint ONE portal as well
as logged into your Salesforce portal as an admin.

Exercise 1: Setting up SSO for Salesforce (SAML)
Step 1: Adding Salesforce Application
• Navigate to Protect→Add Apps→Managed Apps
• Click on Salesforce
• In the Admin Guide, navigate to Protect > Applications Setup and Configuration > Salesforce > Salesforce: Deploying Bitglass as
a SAML IdP

NOTES:
• Skip the step Creating a Subdomain in Salesforce
• When you get to the section to edit the Authentication Service, enable your SSO and keep Login form enabled.
Keeping both boxes checked is good for allowing admins to login directly or during demo/trial purposes
• Make sure to complete the note at the bottom of the install guide related to using Salesforce Dev accounts
Exercise 1: Setting up SSO for Salesforce – Creating Users
Step 1: Creating Users in Salesforce
We want to make sure your [email protected]
user exists in Salesforce
• In Salesforce navigate to Setup→Manage Users→Users→New User
• Make sure email and username are set to [email protected]
• Click Save

Salesforce Access Control
Each application can have multiple policy rules which are evaluated
in a top down fashion until a match is found. All rule criteria must
match for the actions to be applied. An implied deny rule is applied
if no rules match at the end of policy evaluation. Forcepoint ONE
policies match and function in a manner like a traditional corporate
firewall.

In this exercise, we are going to test out Secure App Access and
Direct App Access

Salesforce Access Control
Secure App Access: Will connect users to the applications through Forcepoint
ONE's proxy. This will also implicitly deny them the ability to access the cloud
application directly.
• This is where you configure actions for data leakage prevention. Users are sent
either through the Bitglass reverse proxy or through the forward proxy if you are
using either the forward proxy agent or PAC file.

Direct App Access: After authentication, allows users to connect directly to the
cloud application bypassing the Forcepoint ONE reverse proxy. When this access
mode is matched users will authenticate against either Forcepoint ONE or your
SAML IdP, and upon successful authentication, will be redirected to access the
application directly, bypassing the Bitglass proxy.
• Many customers use this mode as a mechanism for migrating groups of users to
Forcepoint ONE over time. When you wish to migrate a particular group, simply
change the policy to ensure that the group matches a Secure App Access rule.
• Another common use case is providing Direct App Access for managed devices
while using Secure App Access for unmanaged devices.

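The rule semantics described above (top-down evaluation, all criteria must match, first match wins, implied deny at the end) as an added worked example in Python. This is not Forcepoint ONE's own code; the rule set, user names and group names are constructed to resemble the Salesforce exercise, and the shadow check is an addition that a reviewer would use to catch ordering mistakes.

```python
"""Illustrative evaluator for the contextual access control semantics on this page:
rules are checked top-down, every criterion in a rule must match, the first matching
rule's action applies, and an implied deny applies when nothing matches.
Added example, not Forcepoint ONE code; the rule set below is constructed."""
from dataclasses import dataclass
from typing import Optional

SECURE_APP_ACCESS = "Secure App Access"   # user is sent through the Forcepoint ONE proxy
DIRECT_APP_ACCESS = "Direct App Access"   # authenticate, then reach the app directly
DENY = "Deny"


@dataclass(frozen=True)
class Request:
    """Context available when a user reaches an application (constructed fields)."""
    user: str
    groups: frozenset
    managed_device: bool
    app: str


@dataclass(frozen=True)
class Rule:
    """One policy line. A criterion left as None matches anything (like 'Any' in the portal)."""
    app: str
    action: str
    group: Optional[str] = None
    managed_device: Optional[bool] = None

    def matches(self, req: Request) -> bool:
        # All criteria must match for the rule to fire.
        if self.app != req.app:
            return False
        if self.group is not None and self.group not in req.groups:
            return False
        if self.managed_device is not None and self.managed_device != req.managed_device:
            return False
        return True


def evaluate(rules, req: Request):
    """Return (action, index of the matching rule); (DENY, None) is the implied deny."""
    for i, rule in enumerate(rules):
        if rule.matches(req):
            return rule.action, i
    return DENY, None


def shadowed_rules(rules):
    """Indexes of rules that can never fire because an earlier rule for the same app is
    at least as general on every criterion (the classic firewall ordering mistake)."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier.app == later.app
                    and earlier.group in (None, later.group)
                    and earlier.managed_device in (None, later.managed_device)):
                shadowed.append(j)
                break
    return shadowed


# Constructed rule set: Finance on unmanaged devices goes through the proxy,
# managed devices go direct, everyone else falls through to the implied deny.
SALESFORCE_RULES = (
    Rule(app="Salesforce", action=SECURE_APP_ACCESS, group="Finance", managed_device=False),
    Rule(app="Salesforce", action=DIRECT_APP_ACCESS, managed_device=True),
)

if __name__ == "__main__":
    finance_byod = Request("finance.user@example.invalid", frozenset({"Finance"}), False, "Salesforce")
    admin_laptop = Request("admin@example.invalid", frozenset({"Bitglass Admins"}), True, "Salesforce")
    it_byod = Request("it.user@example.invalid", frozenset({"IT"}), False, "Salesforce")
    for req in (finance_byod, admin_laptop, it_byod):
        print(req.user, "->", evaluate(SALESFORCE_RULES, req))
    # An 'any device' Secure App Access line placed first would shadow the Direct rule:
    bad_order = (Rule("Salesforce", SECURE_APP_ACCESS), SALESFORCE_RULES[1])
    print("shadowed rule indexes:", shadowed_rules(bad_order))
```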
Exercise 3: Configuring Access Control for Salesforce (Secure App Access)
Step 1: Configure Contextual Access Control Rules
• Navigate to Protect→Policies
• Scroll down to your Salesforce app
• Click green + icon to add a rule
• Create your policy to mimic the rules (and order) below
• Our user in the next step will hit the secure app access rule


Exercise 3: Configuring Access Control for Salesforce (Secure App Access)


Step 2: Testing Salesforce access (Secure App Access)
• In GNS3 log into the Windows10-Agentless machine
• Navigate to your Salesforce URL
• Click on your SSO option
• You will be redirected to OKTA
• Enter your credentials ([email protected])
• You will be redirected to Salesforce
• Notice the URL is now a bitglass.net domain. This is our Reverse-Proxy (AJAX-VM)

Exercise 4: Configuring Access Control for Salesforce (Direct App Access)
Step 1: Configure Contextual Access Control Rules
• Navigate to Protect→Policies
• Scroll down to your Salesforce app
• Change your Secure App Access rule to Direct App Access
• Save changes

Exercise 4: Configuring Access Control for Salesforce (Direct App Access)
Step 2: Testing Salesforce access (Direct App Access)
• Using the Windows10-Agentless machine, navigate to your Salesforce URL
• Click on your SSO option
• You will be redirected to OKTA
• Enter your credentials ([email protected])
• You will be redirected to Salesforce
• Notice the URL is no longer a bitglass.net domain

Exercise 5: Configuring Access Control for Salesforce (Deny)
Step 1: Configure Contextual Access Control Rules
• Navigate to Protect→Policies
• Scroll down to your Salesforce app
• Change your Direct App Access rule to Deny
• Save changes

Exercise 5: Configuring Access Control for Salesforce (Deny)
Step 2: Testing Salesforce access (Deny)
• Using the Windows10-Agentless machine, navigate to your Salesforce URL
• Click on your SSO option
• You will be redirected to OKTA
• Enter your credentials ([email protected])
• You will be redirected to Salesforce
• Your access will be denied
• Once tested, change your rule back to Secure App Access

Module 5
SmartEdge Secure Web Gateway

Content
▪ Overview
▪ Configure SmartEdge Agent Settings
▪ Download and install SmartEdge Agent
▪ Configure and Test uninstall Capability
▪ Configure Notifications
▪ Configure SWG Content Policy
▪ Review Web and Web DLP Logs and Alerts
▪ Configure M365 Access Control Policy

SmartEdge Secure Web Gateway
Onboard SWG for managed endpoints
● Patent-pending trapdoor proxy for SSL key management
● No backhaul - low latency & privacy
● URL content filtering & threat blocking
● DLP & malware inspection
● Visibility into every interaction
Cloud SWG for mobiles and fixed wire networks
● URL content filtering & threat blocking
● DLP & malware inspection
● Visibility into every interaction

SmartEdge Secure Web Gateway for Remote Workers

Direct to cloud access
● High performance
● Low latency
● Privacy
● Full visibility of every interaction

Analytics & Policy in the Cloud
● Analytics
● DLP & Threat Protection policies for managed & unmanaged apps
● No certificates to manage

DLP, Threat Protection & AUP on endpoint
● Full decryption of traffic on endpoint
● Acceptable Use Policies (AUP)
● Threat protection
● DLP on managed & unmanaged apps
● Self-managed certificates*

Competition
● Limited visibility, no traffic decryption on endpoint
● Backhaul bottleneck

*Patent-pending Trapdoor proxy technology ensures that lost devices & certificates do not compromise security
SmartEdge patent-pending trapdoor proxy technology
● A trapdoor proxy never trusts another device's CA
● Proxy keys & certificate unique to device
● Immune to MITM attacks across devices

[Diagram: Man-in-the-middle attack blocked during the TLS handshake. The SmartEdge proxy generates a CA cert used to sign server certs for TLS inspection; the device (browsers & thick clients) only trusts its local CA during the TLS handshake.]

SmartEdge Secure Web Gateway
Forcepoint ONE's SmartEdge endpoint agent provides Secure Web Gateway (SWG)
controls on managed devices without the latency or overhead costs involved with
backhauled cloud proxies or physical SWG boxes. The SmartEdge agent executes
policies from the agent itself, eschewing the need to wait for the device to connect to a
network box or cloud proxy before policies are applied. This also protects
user credentials and traffic, since neither the user's credentials nor their private traffic are
inspected at the cloud proxy; both are handled locally on the device.

SmartEdge Secure Web Gateway
We are going to be downloading and installing
the agent on the Windows10-Sysprep client
device in your lab. Please log into this device
through GNS3.

Exercise 1: Configure Settings
Step 1: Configure Settings
• On your Windows10-Sysprep client, log into the portal as your admin
• Navigate to Protect➔Forward Proxy➔SmartEdge Proxy
• Under Auto-Update→Windows Production Devices, set to the
latest build (in our case 1.5.0.210923-419)
• Enable Allow Uninstall as well as Control Proxy Settings
• Set User Authentication to Auto-Login, Login prompt
• Set Mode to ALL HTTP/S Traffic
• Everything else can stay default
• Click Save

Exercise 2: Install
Step 1: Download and Install
• Navigate to Protect➔Forward Proxy➔SmartEdge Proxy
• Click the download icon beside Windows under Download Agent
• Once downloaded, extract the zip file
• In the newly created folder, double click the autoinstall file

Exercise 2: Installation
Step 2: Download and Install
• Click through the install until it finishes
• Click Finish
• Reboot machine
• Once rebooted, right click Forcepoint tray icon and click login
• You will then be prompted for authentication
• Enter in your [email protected]
• You will be redirected to OKTA
• Enter in your credentials
• Right click on the tray icon to verify authentication and that status is
healthy

Exercise 3: Verify Device is Connected
Step 1: Verify Device is Connected
• Navigate to Analyze→Devices→SmartEdge Agent
• You will see your newly connected device

Exercise 4: Controlling Uninstall Capability
Step 1: Verify Settings
Admins can control if users with admin access on their machines are
able to uninstall the SmartEdge Proxy agent. This control can be
applied globally or on individual devices. Preventing Uninstallation
will also prevent users from stopping the services of the agent.

Under the Install links you will see a checkbox titled "Allow Uninstall".
If left unchecked all devices will be restricted from uninstalling the
SmartEdge agent even if the user has full admin access on the
machine. If you check the box to "Allow Uninstall" it will then allow
users with admin access to uninstall the agent.



Exercise 4: Controlling Uninstall Capability
Step 2: Verify Settings
Leaving the box unchecked allows you to select individual devices that are permitted to uninstall the
agent. To do so, navigate to Analyze > Devices > SmartEdge Agent to see the list of devices that have
the agent installed. You will see a grayed out button titled "Toggle Uninstall" in the top right if you have
the option to allow uninstall checked.



Exercise 4: Controlling Uninstall Capability
Step 3: Test Uninstall Settings
• With Allow Uninstall enabled, navigate back to your machine with the
agent running
• Open Services (start→services)
• Right click a Bitglass service; notice you have the ability to disable
services
• Navigate back to Protect➔Forward Proxy➔SmartEdge Proxy
• Uncheck Allow Uninstall
• Save Changes
• Navigate back to your windows machine and try to stop a service,
you will notice it is greyed out



Exercise 4: Controlling Uninstall Capability
Step 4: Toggle Uninstall per device
• Navigate to Analyze→Devices→SmartEdge Agent
• Select the radio button beside your device and click Toggle
uninstall
• You will now see an unlock icon beside the device name



Exercise 4: Controlling Uninstall Capability
Step 5: Toggle Uninstall per device
• Navigate back to your windows device
• Right click a Bitglass service, you will now be
able to stop/restart the service



Notifications
Admins can create custom notification objects that can be applied to policies. This will
determine which admins or users are notified when a policy is violated and what the custom
message says. Admins will need to configure the notifications object under one of the pages
under Protect > Notifications and then configure which objects are used on the Protect >
Policies page when you are setting up your policy action lines.
Begin under Protect > Notifications on the left nav bar. You will see three primary options for
notifications and a fourth option for other messages.



Notifications
Inline Popup: This is where you can configure the inline messages that appear when a user violates a policy in real time.
User Emails: These will be email notifications to the individual users who are violating the policy.
Group Emails: These will be email notifications that you can send to an entire group. These groups are sourced from the
People page and will be a dropdown that you can select from. Typically this will be used to email specific IT or admin groups
based on the policy violation and severity.
We are going to focus on Inline Popup.



Exercise 5: Notifications
Step 1: Configure Notification Page
• From your Windows10-Sysprep client device log into the portal
• Navigate to Protect→Notifications→Inline Popup
• Click New inline notification
• Set name to SWG Block and title to SWG Block Page
• Set body to
Your request for [WEB_BROWSING_DOMAIN] was denied
• Click Save



Exercise 5: Notifications
Step 2: Configure Notification Page
• Navigate to Protect→Notifications→Inline Popup
• Click New inline notification
• Set name to Block Page and title to Your actions were blocked
• Set body to
Your [USER_ACTIVITY] was [POLICY_ACTION_MESSAGE] due to DLP Pattern [PATTERN_NAME]

User [USER_EMAIL]
Time [DATE_TIME_UTC]
• Click Save



SmartEdge Secure Web Gateway
The SmartEdge agent not only provides forward proxy capabilities for applications to apply
contextual access controls and inline DLP, but it can also be used to apply web proxy based
policies controlling websites based on other variables such as category or cloud risk score.
With the agent installed, admins can now configure web proxy policies to control and prevent
users from accessing certain sites or domains that are untrustworthy or are possible points of data
leakage. This is in addition to all of the normal proxy policy actions that admins can configure.



Exercise 6: Web Proxy Policy Configuration
Step 1: Configure Web Proxy Policy (Acceptable Use Policy)
• Navigate to Protect→Policies→SWG Content Policy
• Set URL Category to Gambling
• Set action to deny and inline notification to SWG Block
• Navigate back to your Windows10-Sysprep device and open a web
browser
• Navigate to poker.com, confirm request is denied
• Navigate to espn.com, confirm request is allowed



Exercise 6: Web Proxy Policy Configuration
Step 2: Configure Web Proxy Policy (DLP)
• Back in the portal navigate to Protect→Objects→Common Objects
• Click green + icon beside Data Patterns
• Set Name to Confidential
• Set Type to simple



Exercise 6: Web Proxy Policy Configuration
Step 3: Configure Web Proxy Policy (DLP)
• Click Match criteria
• Under Keyword(s) enter confidential and click Ok
• You will now see your pattern in the Data Pattern list



Exercise 7: Web Proxy Policy Configuration
Step 4: Configure Web Proxy Policy (DLP)
• Navigate to Protect→Policies→SWG Content Policy
• Click green + icon to add a new rule
• Set URL Category as Web-based Mail
• Click Ok
• Click on Secure App Access Under Action
• Add your confidential pattern under Upload DLP and Set Action to Deny
• Make sure Notify is checked as well as Bitglass Alert
• Set Inline Notification to Block Page
• Click Ok
• Save Changes



Exercise 7: Web Proxy Policy Configuration
Step 5: Configure Web Proxy Policy (DLP)
• On your Windows10-Sysprep client device, navigate to mail.yahoo.com and compose a new email
• Username: [email protected]
• Password: Forcepoint1

• In the DLP files you downloaded earlier, find the file titled Confidential Test
• Try to attach this file to the email, it should be blocked



Alerts
Alerts provide quick access to important events and information. The main navigation provides an updated
counter of new events as they occur based on user activities. Clicking on the Alerts tab will show you the
most recent events, categorized according to:



Exercise 8: Verify Alerts
Step 1: View Alerts
• Navigate to Analyze→Alerts→Suspicious Data Usage
• Because we enabled Bitglass Alerts, we will see our events here
• You can click Summary to get a little snippet of the transaction
• We will gather more detail when we look at the full logs in the next step



SmartEdge Agent Log Dashboards
Web Logs
The Web Browsing Dashboard is where all of the web browsing events generated from users using
the SmartEdge agent while accessing websites are logged. Reports are generated every 5 minutes
with new log data. Log data is kept for 30 days.

Web DLP Logs


The SmartEdge agent supports the ability to block possible data leakage attempts on uploads to any
sites. Policies configured to block uploads based on data patterns under the Web Proxy Policy options
will be logged on this Dashboard.



Exercise 9: Verify Web and Web DLP Logs
Step 1: View Web Logs
• Navigate to Analyze→Logs→Web
• All events are logged; by default the view is filtered for Denied
• Here you will see our access to poker.com being blocked
• You can click on each event to gather detail on the transaction



Exercise 9: Verify Web and Web DLP Logs
Step 2: View Web DLP Logs
• Navigate to Analyze→Logs→Web DLP
• Here, all Web events that triggered DLP will be shown
• Here you will see your upload to Yahoo Mail
• You can click on each event to gather detail on the transaction



M365 Access Control
When an application is added as a managed app, as we have done with M365, traffic to this
application from the SmartEdge agent is processed by the rules of the managed
application and not by the SWG Content Policy.

We will now make use of the M365 rules we created in the previous module



Exercise 10: M365 Access Control and DLP
Step 1: Configure/Review M365 Policy
• Navigate to Protect→Policies
• Scroll down to M365
• We are going to edit the rule we assigned to the Finance Group
• Click on Secure App Access Under Action
• Set your rule to match below
• Click Ok
• Click Save



Exercise 10: M365 Access Control and DLP
Step 2: Test Policy (Upload)
• On your Windows10-Sysprep client device navigate to https://portal.office.com
• Login with [email protected]
• Open OneDrive
• In the DLP files you downloaded earlier, find the file titled Confidential Test
• Try to upload this file, your request will be denied



Exercise 10: M365 Access Control and DLP
Step 3: Test Policy (Download)
• On your Windows10-Sysprep client device navigate to https://portal.office.com
• Login with [email protected]
• Open OneDrive
• Search for the file titled Confidential Labeling Test with MIP
• Click on the file



Exercise 10: M365 Access Control and DLP
Step 4: Test Policy (Download)
• Try Downloading the file
• You will notice the file downloads as an HTML file (read-only)



Exercise 10: M365 Access Control and DLP
Step 5: Test Policy (Download)
• Open file
• Enter in your credentials
([email protected])
• You will notice you cannot alter the file
( no right click, copy, paste etc)



Module 6
Zero Trust Network Access (ZTNA)



Content
▪ Overview
▪ Configure ZTNA Connector Settings
▪ Configure ZTNA Connector
▪ Configure SAP as ZTNA App
▪ Configure Splunk as ZTNA App
▪ Configure Access Control for SAP
▪ Configure Access Control for Splunk

ZTNA with DLP & Threat Protection

Zero Trust Network Access: Access control, DLP & Threat protection for internal apps; agentless or agent

Protection on Managed Devices: Real-time access control, DLP & Threat protection for internal apps

Protection on Unmanaged Devices: Agentless real-time access control, visibility, DLP & Threat protection for internal apps



ZTNA Architecture

[Diagram: User 1 on an unmanaged device and User 2 on a managed device reach app.example.com through the ZTNA Service in the Forcepoint ONE Cloud (shown as app-example-com.ztna.btglss.net); ZTNA Connectors behind the Customer Firewall relay the traffic to the ZTNA App/Servers (app.example.com) in the Customer Environment.]



Agentless ZTNA
Benefits over VPN
● No hardware appliances
○ Better user experience
○ Scalability & cost savings
● Agentless Access to private web apps
○ managed or unmanaged devices
○ employees, contractors & partners
● Zero Trust control
○ Access to specific apps
○ Step up MFA
● Enforce data and threat protection
○ DLP
○ ATP
● Available Now



ZTNA Lab
There is already a CentOS machine in your lab with the ZTNA
Connector downloaded, all you need to do is configure the
connector, add an application (SAP and Splunk) and configure
access control.

Exercise 1: Installation
Step 1: Configure ZTNA Connector
• We first need to get the egress IP for your lab (this can be found in Go4Labs→Labs; under Properties you will see your
Primary IP)
• In Firefox, navigate to Forcepoint ONE Portal and login as your admin
• Navigate to Protect→Objects→Common Objects
• Click The Green + Icon beside Custom Locations
• Set name to ZTNA DC
• Add your IP and mask
• Click Ok



Exercise 1: Installation
Step 2: Configure ZTNA Connector
• Navigate to Protect→ZTNA
• Copy installer key to a text editor
• Click Green + icon beside Data Center Public IP Locations
• Set Data center location to the location we just created
• Click Green + icon beside Data Centers
• Set a unique name for your data center (make note of name)
• Save Changes



Exercise 1: Installation
Step 3: Configure ZTNA Connector
• Log into the ZTNA connector from within GNS3
• Open Terminal
• Run command sudo ./setup_ztna.sh
• Select option 1 to configure
• Select Y to change hostname
• set hostname to ztnademo1
• Set IP info
• If already set to static, select N
• If set to DHCP, make note of the IP information
displayed, then select Y and set to static and input
the IP information you made note of
• Enter in the DNS server that is displayed
• The machine should now reboot



Exercise 1: Installation
Step 4: Configure ZTNA Connector
• Log back into the ZTNA connector from
within GNS3
• Open Terminal
• Run command sudo ./setup_ztna.sh
• Select option 1 to configure
• Select No for hostname
• Select No for Network
• Select No for Proxy
• Select Yes to configure Data Center
Name and Installer Key
• Paste in your key from the portal
• Make sure Data Center Name matches
what you configured in the portal
• Select No for SSH (keep enabled)



Exercise 1: Installation
Step 5: Configure ZTNA Connector
• Select Option 3 to Update Container
Software
• ZTNA Client will pull down data and
create the connection to your tenant



Exercise 1: Installation
Step 6: Verify ZTNA Connector
• Back in the Forcepoint ONE Portal
Navigate to Analyze→Connectors
• You will see your new connector



Exercise 2: Configure ZTNA Application-SAP
Step 1: Configure ZTNA Application-SAP
• Navigate to Protect→Add Apps→Managed
Apps→Any ZTNA App/Service
• Set Name to SAP
• Upload Logo (search google for SAP logo)
• Upload Icon (not required)
• Set destination to SAP IP (found in GNS3)
• Set Service to HTTP
• Set port to 80
• Set Data Center to the one we just created
• Click Save



Exercise 2: Configure ZTNA Application-Splunk
Step 2: Configure ZTNA Application-Splunk
• Navigate to Protect→Add Apps→Managed
Apps→Any ZTNA App/Service
• Set Name to Splunk
• Upload Logo (search google for Splunk logo)
• Upload Icon (not required)
• Set destination to Splunk IP (found in GNS3)
• Set Service to HTTP
• Set port to 8000
• Set Data Center to the one we just created
• Click Save



Exercise 3: Verify Connectivity
Step 1: Verify Connection to Internal App
• In the Forcepoint ONE Portal, click the menu icon
(top right-hand corner) and click User Portal
• You should now see both applications



Exercise 3: Verify Connectivity-SAP
Step 2: Verify Connection to SAP
• Click the SAP Icon
• You should now be able to access the internal
server



Exercise 3: Verify Connectivity-Splunk
Step 3: Verify Connection to Splunk
• Click the Splunk Icon
• You should now be able to access the internal
server



Exercise 4: Access Control Rules for ZTNA
Step 1: Configure Access to SAP
We only want to allow those in Finance to access
SAP
• Navigate to Protect→Policies
• Scroll down to your SAP app
• There will already be a default rule
• Set the group in that rule to finance
• Save changes



Exercise 4: Access Control Rules for ZTNA
Step 2: Configure Access to Splunk
We only want to allow Forcepoint ONE Admins to
access Splunk
• Navigate to Protect→Policies
• Scroll down to your Splunk app
• There will already be a default rule
• Set the group in that rule to Bitglass Admins
• Save changes



Exercise 4: Access Control Rules for ZTNA
Step 3: Verify Access Control-SAP
• From your Windows10-Agentless machine, try to access SAP (192.168.123.22); your machine isn't
able to find the site.
• Navigate to the Forcepoint ONE Portal
• Log in as [email protected]
• In the Forcepoint ONE Portal, click the menu icon (top right-hand corner) and click User Portal
• You will only see the SAP application
• Click on the tile, you can now access the site



Exercise 4: Access Control Rules for ZTNA
Step 4: Verify Access Control-Splunk
• Log out of Forcepoint ONE portal
• From your Windows10-Agentless machine, try to access Splunk (http://192.168.123.12:8000); your machine isn't able
to find the site.
• Navigate to the Forcepoint ONE Portal
• Log in as your admin account
• In the Forcepoint ONE Portal, click the menu icon (top right-hand corner) and click User Portal
• You will only see the Splunk application
• Click on the tile, you can now access the site



Module 7
DLP and Proxy Policy Actions



Content
▪ Configure Metadata DLP Pattern
▪ Configure File Fingerprinting DLP Pattern
▪ Configure FPSL DLP Pattern
▪ Configure Exact Data Match
▪ Configure Proxy Policy for M365 and test DLP patterns

Data Patterns
DLP is a data loss prevention capability that allows for pattern matching (via regular expressions and keywords)
against data as it is either being downloaded, uploaded, or scanned via API at rest. DLP Pattern objects allow
us to set the criteria match for protecting and controlling sensitive data. Forcepoint ONE provides an extensive
library of DLP patterns to allow customers to maintain compliance with legislative or company requirements
(e.g. HIPAA, SOX, PCI, etc). The Data Pattern card is made up of predefined patterns and custom patterns that
you create.

Forcepoint ONE contains a large number of predefined DLP patterns based on commonly used objects
including matching patterns for Credit Cards, sensitive keywords, U.S. Social Security Numbers, and more.
You can find the predefined DLP pattern objects by clicking on the "Library" button at the top of the Data
Patterns card.
On the Library page you can add patterns to use in your policies by clicking the "Import" button associated with
the data pattern you wish to use.

DLP Types
Simple: Allows for simple keyword matches and/or regular expressions. The most commonly used data pattern type.
Advanced: Allows for more complex patterns doing combinations of other patterns or variable patterns based on boolean
logic.
Exact Match: Allows for the creation of a data pattern based on an exact data set in order to identify specific exact data
(such as a particular person's personal information).
File Fingerprinting: Can create a "fingerprint" of example file(s) in order to identify a percentage based match (i.e. look for
other files that look like this example file, must match at least 70%).
File Mime Type: Base a pattern on the format/nature of the file (i.e. identifying and blocking PDF type documents).
File Size: Allows customers to apply a data pattern based on the size of the file (i.e. block all downloads if they are larger
than 50mb).
File Metadata: Can specify the exact metadata to check and what value you wish to match on. This can be any of the
inherent metadata of the file such as the file name, product version, exact size, etc.

Exercise 1: Configure DLP Pattern (Metadata)
Step 1: Configure metadata DLP object
• In the Forcepoint ONE Portal Navigate to Protect→Objects→Common Objects
• Click green + icon beside Data Patterns
• Set name to Confidential Metadata and set type to File Metadata
• Click on Match Criteria
• Set Property to keyword and Value to [Confidential]
• Click Ok

Exercise 1: Configure DLP Pattern (Metadata)
Step 2: Test metadata DLP object
• Click on your Confidential Metadata pattern in the Pattern list
• Click Test Pattern
• Click Choose File
• In the DLP files downloaded earlier, find the file titled “Expense Trends II - Titus”
• Click Open
• You should have a successful match

Exercise 2: Configure DLP Pattern (File Fingerprinting)
Step 1: Configure File fingerprinting DLP object
• On your Windows10-Sysprep client device log into the portal and Navigate to Protect→Objects→Common Objects
• Click green + icon beside Data Patterns
• Set name to File Fingerprinting and set type to File Fingerprinting
• Click Continue
• Click on Match Criteria
• Click Download File Fingerprinter
• Keep this window in the portal open
• Unzip file

Exercise 2: Configure DLP Pattern (File Fingerprinting)
Step 2: Configure File fingerprinting DLP object
• Open the unzipped folder and you will see 5 files
• In the DLP files you downloaded earlier, there is a
folder titled “File Fingerprint test files”
• Copy the two files to the same location as the
fingerprint files
• In this location create a folder named inputform and
put the file Client Intake Form (Filled) in that folder
• We want to fingerprint the filled out form, as we want
the policy to trigger when the form is filled out, not
when its blank

Exercise 2: Configure DLP Pattern (File Fingerprinting)
Step 3: Configure File fingerprinting DLP object
• Before we run the command, make sure Java is installed on your machine (download from here)
• The fingerprinter supports Java 8 or 11 on Linux and Java 8 on Windows
• We need to change the tmp_folder location for the fingerprint.ini file
• Right click and edit the fingerprint.ini file
• Set tmp_folder to \Users\admin\AppData\Local\Temp
• Save file

Exercise 2: Configure DLP Pattern (File Fingerprinting)
Step 4: Configure File fingerprinting DLP object
• Open terminal or cmd and navigate to location of the Bitglass file fingerprinter
• Run command:
• Mac: ./run.sh -c fingerprint.ini -s inputform -o output.gz
• Windows: run.bat -c fingerprint.ini -s inputform -o output.gz
• If successful, you will see 1 signature saved
• Navigate back to the fingerprint folder and you will see the output.gz file

Exercise 2: Configure DLP Pattern (File Fingerprinting)
Step 5: Test file fingerprinter object
• Back in the portal under Match Criteria Click Choose File. Locate the output.gz file and upload it
• Click ok
• You will now see your Pattern in the DLP Library
• Click Your Pattern→Test Pattern
• Click Choose file
• Locate the file Client Intake Form (Filled) (will be in your fingerprint folder)
• Click Open
• Click Test
• You should have a successful match (100% match)
• Test with the blank form, your match will fail

Field Programmable SASE Logic (FPSL)
Field Programmable SASE Logic (FPSL) provides unprecedented support for inline controls over user
actions and activities within cloud services. Utilizing Forcepoint's SmartEdge agent combined with a Lua
code backend, customers can create policies to granularly control inline actions across any cloud
application. This can range from simple login controls distinguishing between corporate vs personal
accounts to more refined and specific controls per cloud service, such as preventing users from sharing
files externally. This feature provides nearly unlimited capabilities and customization for policy controls
without needing to build out specific features or integrations with apps. FPSL merely uses Forcepoint
ONE's native DLP engine to inspect headers and content to control granular actions in HTTPS
requests.

Exercise 3: Configure DLP Pattern (FPSL)
Step 1: Set Advanced DLP Pattern (FPSL)
• In order to complete our FPSL policy, we will need to leverage 3 Data Patterns
• 1. Confidential Data pattern (based on keyword, which we created in the SWG exercise)
• 2. Web Mail Compose Data Pattern
• 3. Web Mail DLP Block Data Pattern
• Navigate to Protect→Objects→Common Objects
• Click green + icon beside Data Patterns
• Set name to Web Mail Compose
• Set Description to FPSL code to trigger if new email is
being composed
• Set Type To Advanced

Exercise 3: Configure DLP Pattern (FPSL)
Step 2: Set Advanced DLP Pattern (FPSL)
• Click Match Criteria
• In the expression, copy and paste the following code
[[LUA_AF_REQUEST_SCOPE]]
-- Evaluated per HTTP request: BG.* carries the request, BGResult carries the verdict
if BG.uri then
  local qs = BG.qs
  if not qs then qs = "" end              -- the query string may be nil
  local uri = string.lower(BG.uri)
  -- match a POST that looks like a webmail compose / send action
  if ((BG.method == "POST") and
      (string.find(uri, "compose") or
       (uri == "/") or
       string.find(qs, "name=messages.saveAndSend"))) then
    BGResult.match = 1
    BGResult.log = "Message Blocked"
  end
end

• Click Ok

Exercise 3: Configure DLP Pattern (FPSL)
Step 3: Set Advanced DLP Pattern (FPSL)
• Navigate to Protect→Objects→Common Objects
• Click green + icon beside Data Patterns
• Set name to Web Mail DLP Block
• Set Description to FPSL code to block web based email if body contains the word confidential
• Set Type To Advanced

Exercise 3: Configure DLP Pattern (FPSL)
Step 4: Set Advanced DLP Pattern (FPSL)
• Click Match Criteria
• In the expression, copy and paste the following code
Count("Web Mail Compose") > 0 and Count("confidential") > 0
• Note: Make sure the spelling and syntax of your patterns (Web Mail Compose and confidential) are correct
• Click Ok
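As an added illustration (not Forcepoint's code), the two patterns of this exercise modelled in Python: the request-scope Lua logic from Step 2 and the Count(...) combination from this step, evaluated against constructed requests. The BG.* request fields, the keyword count and the sample requests are assumptions made for the model.

```python
"""Model of the two FPSL patterns from this exercise (added example, not
Forcepoint code). BG.method/BG.uri/BG.qs and the DLP keyword count are
simulated so the match logic can be checked against constructed requests."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Request:
    """Constructed stand-in for the request fields the Lua pattern reads."""
    method: str
    uri: str
    qs: Optional[str] = None   # BG.qs can be nil; the pattern treats nil as ""
    body: str = ""             # text the DLP keyword pattern scans


def web_mail_compose(req: Request) -> Tuple[int, str]:
    """Python port of the 'Web Mail Compose' request-scope Lua pattern.
    Returns (BGResult.match, BGResult.log); an unmatched request gives (0, '').
    Note: Lua string.find treats the '.' in 'messages.saveAndSend' as a
    wildcard; this port uses a plain substring test, which is stricter."""
    qs = req.qs or ""
    uri = req.uri.lower()          # string.lower(BG.uri); qs is NOT lowered
    if req.method == "POST" and (
        "compose" in uri
        or uri == "/"
        or "name=messages.saveAndSend" in qs
    ):
        return 1, "Message Blocked"
    return 0, ""


def keyword_count(text: str, keyword: str) -> int:
    """Stand-in for Count('confidential'): whole-word, case-insensitive hits."""
    return len(re.findall(rf"\b{re.escape(keyword)}\b", text, re.IGNORECASE))


def web_mail_dlp_block(req: Request) -> bool:
    """Port of the Advanced pattern
    Count("Web Mail Compose") > 0 and Count("confidential") > 0.
    Both halves must hold for the same request: a compose/send POST whose
    body carries the keyword. A GET that merely opens the compose view, or
    a POST without the keyword, is not blocked."""
    compose_hits, _ = web_mail_compose(req)
    return compose_hits > 0 and keyword_count(req.body, "confidential") > 0


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "open_compose_view": Request("GET", "/d/compose"),
    "send_clean": Request("POST", "/d/compose", "", "Quarterly numbers attached."),
    "send_confidential": Request("POST", "/d/compose", "",
                                 "This document is confidential. Do not distribute."),
    "save_and_send": Request("POST", "/ws/v3/mailboxes/",
                             "name=messages.saveAndSend", "Confidential draft"),
}


def evaluate_samples() -> Dict[str, bool]:
    """Return {sample name: blocked?} for the constructed samples."""
    return {name: web_mail_dlp_block(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, blocked in evaluate_samples().items():
        print(f"{name:18s} -> {'BLOCK' if blocked else 'allow'}")
```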

Exercise 3: Configure DLP Pattern (FPSL)
Step 5: Testing FPSL Policy
• Navigate to Protect→Policies
• Locate your Web-based Email rule we created in the SWG exercise under SWG Content Policy
• Click on the Action
• Set your policy to match as below
• Click Ok
• Save Changes

Exercise 3: Configure DLP Pattern (FPSL)
Step 6: Testing FPSL Policy
• On your Windows10-Sysprep client device, navigate to
mail.yahoo.com
• Username: [email protected]
• Password: Forcepoint1
• Compose a new email
• In the DLP files you downloaded earlier, find the file titled
Confidential Test
• Try to attach this file to the email, it should be blocked, like it was in
the previous exercise
• Enter your [email protected] in the To Field
• Set Subject to Read-Me
• Copy the following to the body of the email
Attention:
This document is confidential. Do not distribute outside this
organization. Violators will be subject to disciplinary action, up to and
including having to watch the Emoji Movie.
• Try to send the email
• Your email should be blocked

Exercise 4: Configure DLP Pattern (EDM)
Exact Match allows you to upload a tokenized CSV file. This allows for the creation of a data pattern based on an
exact data set in order to identify specific exact data (such as a particular person's personal information).
Note: The "RecordID" is a mandatory field, but it is not a field that is matched on. It represents a row identifier
for Forcepoint ONE logging purposes. If you have columns for user identifiers (such as Social Security
Numbers) you will have to input that column name separately.

Simple: Exact match is registered if at least X number of columns match where X is the selected value you
choose on the dropdown.
Custom: You can set customized logical conditions for the definition of an exact match incident.

The file we will be using contains ICD10 codes and their description. The ICD-10-CM (International
Classification of Diseases, Tenth Revision, Clinical Modification) is a system used by physicians and other
healthcare providers to classify and code all diagnoses, symptoms and procedures recorded in conjunction with
hospital care in the United States.

Exercise 4: Configure DLP Pattern (EDM)
Step 1: Set Advanced DLP Pattern (Exact Match)
• Log into the Ubuntu Machine within GNS3
• Open Firefox and navigate to the portal and login
• In the portal Navigate to Protect→Objects→Common Objects
• Click green + icon beside Data Patterns
• Set name to EDM-ICD10 and set type to Exact Match
• Click Match Criteria
• Set Column names to the following (case sensitive)
• RECORD_ID,CODE,DESCRIPTION
• Click Continue
• Set Match Pattern to Simple
• Set Exact match incident is registered if at least 1 column(s)
match
• Download Data Hasher

Exercise 4: Configure DLP Pattern (EDM)
Step 2: Set Advanced DLP Pattern (Exact Match)
• Unzip the Data hasher
• Open Firefox and Navigate to M365 and access your OneDrive folder where you uploaded
your DLP Test Files. There is a folder titled EDM Test File
• Copy the file titled ICD10 Codes-April2020 to the data hasher folder, rename the file
input.csv

Exercise 4: Configure DLP Pattern (EDM)
Step 3: Set Advanced DLP Pattern (Exact Match)
• Right click within this folder and click Open in Terminal
• Run the following command
• python run.py -i input.csv -o out.csv
• Output will mimic below when successful
• You will also see the out.csv file was created in the hashing folder
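Added example (not the Forcepoint data hasher or its run.py): a Python model of the Exact Match flow described at the start of this exercise, in which every CSV cell except the record id is replaced by a keyed hash before upload, and a document is then scanned by hashing its word n-grams and counting matched columns per record against the "at least N columns" threshold. The salt, the normalisation rules, the n-gram scan and the three sample rows are assumptions made for the model.

```python
"""Model of Exact Data Match (added example, not the Forcepoint data hasher):
cells are replaced by a keyed hash so the portal never holds the clear data,
and a document is scanned by hashing its word n-grams and looking them up.
Salt, normalisation and n-gram scanning are assumptions for illustration."""
import csv
import hashlib
import io
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the RECORD_ID,CODE,DESCRIPTION layout used in the
# exercise (three made-up rows, not the real ICD-10 file).
SAMPLE_CSV = """RECORD_ID,CODE,DESCRIPTION
1,A00.0,Cholera due to Vibrio cholerae 01 biovar cholerae
2,A00.1,Cholera due to Vibrio cholerae 01 biovar eltor
3,A00.9,"Cholera, unspecified"
"""

SALT = b"lab-demo-salt"        # hypothetical key; a real deployment keeps it secret
RECORD_ID_COL = "RECORD_ID"    # mandatory row identifier, never matched on
EDGE_PUNCT = "().,;:!?\"'"     # punctuation stripped from candidate edges


def normalize(value: str) -> str:
    """Fold case and whitespace so trivial variants still hash identically."""
    return re.sub(r"\s+", " ", value.strip()).lower()


def token(value: str) -> str:
    """Keyed hash of a normalised cell value (assumed scheme)."""
    return hashlib.sha256(SALT + normalize(value).encode("utf-8")).hexdigest()


def hash_csv(csv_text: str) -> Tuple[List[str], List[Dict[str, str]]]:
    """Model of 'run.py -i input.csv -o out.csv': every column except the
    record id is tokenized; the record id stays clear for logging."""
    reader = csv.DictReader(io.StringIO(csv_text))
    header = list(reader.fieldnames or [])
    rows = []
    for row in reader:
        rows.append({c: (row[c] if c == RECORD_ID_COL else token(row[c]))
                     for c in header})
    return header, rows


def to_csv(header: List[str], rows: List[Dict[str, str]]) -> str:
    """Render the hashed table as the out.csv that would be uploaded."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=header, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def build_index(header: List[str],
                rows: List[Dict[str, str]]) -> Dict[str, Set[Tuple[str, str]]]:
    """token -> {(record_id, column)} so hits can be counted per record."""
    index: Dict[str, Set[Tuple[str, str]]] = {}
    for row in rows:
        for col in header:
            if col != RECORD_ID_COL:
                index.setdefault(row[col], set()).add((row[RECORD_ID_COL], col))
    return index


def scan(text: str, index: Dict[str, Set[Tuple[str, str]]],
         min_columns: int = 1, max_words: int = 8) -> Dict[str, Set[str]]:
    """'Simple' match mode: a record is an incident when at least min_columns
    of its columns appear in the text. Cells may be multi-word, so every
    word n-gram up to max_words is hashed; each candidate is also tried with
    edge punctuation stripped so '(Cholera ... eltor)' still matches."""
    hits: Dict[str, Set[str]] = {}
    words = text.split()
    for n in range(1, max_words + 1):
        for i in range(len(words) - n + 1):
            gram = " ".join(words[i:i + n])
            for cand in {gram, gram.strip(EDGE_PUNCT)}:
                for rec, col in index.get(token(cand), ()):
                    hits.setdefault(rec, set()).add(col)
    return {rec: cols for rec, cols in hits.items() if len(cols) >= min_columns}


if __name__ == "__main__":
    hdr, hashed = hash_csv(SAMPLE_CSV)
    print(to_csv(hdr, hashed))
    idx = build_index(hdr, hashed)
    note = ("Patient was coded A00.1 (Cholera due to Vibrio cholerae 01 "
            "biovar eltor) on admission.")
    print(scan(note, idx, min_columns=1))
```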

Exercise 4: Configure DLP Pattern (EDM)
Step 4: Set Advanced DLP Pattern (Exact Match)
• Navigate back to the Forcepoint ONE Portal within your
Ubuntu machine
• Navigate to Protect→Objects→Common Objects
• Click on your EDM-ICD10 object
• Click Match Criteria
• Click Browse and upload the out.csv file
• Click Ok
• The file contains over 70,000 records so it will take
some time to process
• You will know it has completed as the Last Upload, Records
Uploaded and Records Processed is now populated

Exercise 4: Configure DLP Pattern (EDM)
Step 5: Testing Exact Match
• Within the Pattern Click Test Pattern
• Set Test Against to File
• Click Choose file and find the COVID
Information.pdf file
• Click Test
• Scroll down to bottom of results
• You should see the pattern match was
successful

Proxy Policy Actions
The final column under each app titled "Actions" allows you to apply DLP policy actions via secure app access,
grant direct app access or deny access to the app. To learn about creating custom DLP patterns or managing
the DLP Pattern library, please view the Objects guide page. Forcepoint ONE can scan and apply policy actions
in real time through the Bitglass proxy on the following document types: Office Docs, PDFs, HTML, and Text
files.

Secure App Access: Will connect users to the applications through Forcepoint ONE's proxy. This will also
implicitly deny them the ability to access the cloud application directly. This is where you configure actions
for data leakage prevention. Users are sent either through the Forcepoint ONE reverse proxy or through the
forward proxy if you are using either the forward proxy agent or PAC file.

Proxy Policy Actions
Deny: Allows you to block users from using an application based on a rule's match criteria (e.g. when using an
unmanaged device outside the United States).

Direct App Access: After authentication, allows users to connect directly to the cloud application, bypassing the
Bitglass reverse proxy. When this access mode is matched, users will authenticate against either Forcepoint
ONE or your SAML IdP, and upon successful authentication will be redirected to access the application directly,
bypassing the Forcepoint ONE proxy.
Many customers use this mode as a mechanism for migrating groups of users to Bitglass over time. When you
wish to migrate a particular group, simply change the policy to ensure that the group matches a Secure App
Access rule.
Another common use case is providing Direct App Access for managed devices while using Secure App
Access for unmanaged devices.

Exercise 5: Configure and Test Proxy Policy for M365
Step 1: Set Policy for M365 to control data patterns
• Navigate to Protect→Policies
• Scroll down to M365
• Let's Edit the rule we already created for the Finance Group
• Click Secure App Access Under Action
• Set your rule to mimic the rule below
• Click Ok
• Save Changes

Exercise 5: Configure and Test Proxy Policy for M365
Step 2: Test Policy
In previous exercises we tested access when the policy was set to Secure App Access, Direct App Access
and Deny. We are now going to focus more on the DLP component when Access is set to Secure App
Access.
• Log into your Windows10-Sysprep-1 device
• Open a web browser, navigate to M365 and access your OneDrive

Exercise 5: Configure and Test Proxy Policy for M365
Step 3: Test Policy-Encrypt Download using Metadata
• We are now going to download a file that will trigger
Encryption
• In OneDrive search for the file titled “Expense Trends
II - Titus”
• Download File
• You will notice the file triggers encryption and
downloads as a zip file
• Unzip file
• View SECURITY MESSAGE text file
• Follow the steps to get your password
• Open file and use your password
• You now have access to the file

Exercise 5: Configure and Test Proxy Policy for M365
Step 4: Test Policy-Encrypt Download using Metadata
• View SECURITY MESSAGE text file
• Log into the portal and edit your profile
• Click on Password History
• Default password should still be set, click Show
password and copy password
• Open file and use your password
• You now have access to the file

Exercise 5: Configure and Test Proxy Policy for M365
Step 5: Test Policy-Block Download using File fingerprint
Earlier, we created a fingerprint of a Client Intake form.
We are now going to try to download the file from OneDrive.
• Search for the file Client Intake Form (Blank).pdf
• View File, notice its empty
• Try downloading the file
• It will be allowed, as we don’t want to block if the file isn’t
filled out
• Search for the file Client Intake Form (Filled).pdf
• View file, notice it is filled out
• Try downloading the file
• It will be blocked

Exercise 5: Configure and Test Proxy Policy for M365
Step 6: Test Policy-Encrypt Upload using Exact Match
Earlier, we created a hash/token of a .csv file that
contained ICD10 codes and descriptions
• On your Windows10-Sysprep-1 machine, find the file
titled COVID Information.pdf
• Try uploading this file to OneDrive
• Your file will upload, and you will receive the message it
was encrypted
• Try to open the file in OneDrive
• Try to view the file, notice you can view the file (no
password required). This is because the agent (corp
device) is running, and gives you the ability to view the
file

Exercise 5: Configure and Test Proxy Policy for M365
Step 6: Test Policy-Encrypt Upload using Exact Match
• Let's try to share our encrypted file
• Copy the link and open it on another workstation
• You will receive a message that the file is encrypted
• Downloading the file will not give you access

Module 8

API and SSPM



Content
▪ Overview
▪ Configure SFDC API
▪ Configure SFDC SSPM
▪ Configure M365 API Policy
▪ Test M365 API Policy

Managed Apps: High-Performance API Protection
Scan data-at-rest in Managed Apps
● File scans in minutes with Polyscale Architecture

Comprehensive Data & Threat Protection
● DLP and Zero-day threat protection
● Watermark, DRM, Create Copy, Quarantine, Encrypt, Classify APIs
● Modify sharing permissions, time based controls

Granular cross-app visibility
● Track and log file accesses, logins, policy violations, more
● Prioritized alerts for risky activity

Competition
● File scans delayed by hours or never complete

[Figure: Zero-Day Core surrounded by Data Protection, Threat Protection, Identity and Visibility]
API
Salesforce
In this exercise we are going to configure API connectivity into Salesforce. We are going to
leverage the API so we can scan for SSPM (SaaS Security Posture Management) to audit
Salesforce security configurations. Steps will be done in Classic View

M365
We have already configured API connectivity into M365; in this exercise we are going to focus
on creating policy to control and secure data at rest.

Salesforce



Exercise 1: Enable API and SSPM (Salesforce)
Step 1: Configure Salesforce API
• In the portal login as your admin and Navigate to Protect→Policies
• Scroll down to your Salesforce app, click the Salesforce logo
• Click your domain name under App Instance
• Check Enabling DLP Scanning of Objects and SSPM
• Click Ok
• Click Save in the top right-hand corner
• Keep this page open
• In a new tab, log into Salesforce as your admin
• Click Setup, Under Build Click Create > Apps and the "New" button in
the Connected Apps section.
• Configure the following required fields and any optional fields as desired
(e.g. Logo Image) and click Save.
Connected App Name: Forcepoint
API Name: Forcepoint
Contact Email: <Salesforce Admins Email>
Enable OAuth Settings: Checked
Callback URL:
https://portal.us.bitglass.net/appapis/salesforce/code/
https://portal.us.bitglass.net/api/salesforce/authz_result/
Important: The ending "/" must be present for the callback to work
correctly.

Exercise 1: Enable API and SSPM (Salesforce)
Step 2: Configure Salesforce API
• Selected OAuth Scopes:
• Manage user data via APIs(api)
• Perform requests on your behalf at any time (refresh_token,
offline_access)
• When you are done click "save" at the bottom to create the new Forcepoint
app.
• Keep this page open for the next section as you will need the consumer key
and secret for authorizing the API in Forcepoint.

Exercise 1: Enable API and SSPM (Salesforce)
Step 3: Configure Salesforce API
• Navigate back to the Forcepoint portal
• Click On Authorize Scanning
• Back in Salesforce, copy the Consumer Key and
paste it into the field in Forcepoint
• Back in Salesforce, click reveal to see Consumer
secret, copy it and paste it into the field in
Forcepoint
• Click Save

Exercise 1: Enable API and SSPM (Salesforce)
Step 4: Configure Salesforce API
• Click Authorize Scanning
• You will be asked to log into Salesforce. Log in with
your admin account
• Click Allow
• You will be redirected to Forcepoint
• You should see a green check mark beside
Scanning Authorized

Exercise 1: Enable API and SSPM (Salesforce)
Step 5: Configure Salesforce API
• Click Scanning Authorized
• Under Synchronization Status Click Sync Now

Exercise 2: Verify API and SSPM
Step 1: Verify Salesforce SSPM
• After a few moments (gives the API time to pull data) Navigate to Analyze→SSPM
• You will now see your Salesforce instance
• Click on your instance
• Click Investigate
• You can now view which settings are in violation

Exercise 2: Verify API and SSPM
Step 2: Verify Salesforce API (Data at rest)
• In the portal login as your admin and Navigate to Protect→Policies
• Scroll down to your Salesforce app, click the Salesforce logo
• Click On Setup beside API Scanning under App Instance
• Set Data Patterns to confidential
• Click Save

Exercise 2: Verify API and SSPM
Step 3: Verify Salesforce API (Data at rest)
• Log into your salesforce instance as [email protected]
• Click your name→ My Profile
• On your Feed, click File→Upload a file from your computer
• Upload the file Confidential Test from the DLP test Files
• Click Share

Exercise 2: Verify API and SSPM
Step 4: Verify Salesforce API (Data at rest)
• Navigate back to the Forcepoint Portal and go to Analyze→Logs→API
• It may take a few moments to populate, but you should see your file listed

M365



Exercise 1: Configure API Policy
Step 1: Configure API Policy
Since we already have the M365 API configured and all our files uploaded, we are going to focus now on creating policy
to control and secure that data at rest.
First thing we want to do is apply all the DLP patterns we created in the previous module to the M365 API
• In the portal navigate to Protect→Policies
• Scroll down to M365 and click the M365 icon
• Click on Setup API
• Scroll down to DLP
• Make sure “Match Patterns if file is” is set to Public, External, Internal, Private
• Under Data Patterns make sure the following are set (see below)
• Click Save

Exercise 1: Configure API Policy
Step 2: Configure API Policy
• In the portal navigate to Protect→Policies
• Scroll down to M365
• Under API you should see a default rule, we are going to edit this rule
• Click on the condition

Exercise 1: Configure API Policy
Step 3: Configure API Policy
• In the Cloud Policy window, set User
Groups to All Scanned Users
• Under Condition Click Add Column
• Set condition to Data Pattern is equal to File
Fingerprinting
• Set Action to Encrypt
• Leave email as none
• Enable generate alert
• Click Ok
• Save Changes

Exercise 2: Test API Policy
Step 1: Test API Policy (Manual Action)
Another way to apply policy is to manually action a file
• In the Forcepoint Portal Navigate to Analyze→Logs→API
• Click the radio box beside any file. In my case I selected the file confidential-new12.docx
• On the right-hand side, select Encrypt Under Manual Cloud Action
• Enable Generate Alert and Click Ok
• It may take a few minutes for action to be applied

Exercise 2: Test API Policy
Step 2: Test API Policy (Manual Action)
• After a few minutes navigate to Analyze→Alerts→Cloud
• You will see your action was applied
• Next navigate to Analyze→Logs→API
• You will now see your file is encrypted

Exercise 2: Test API Policy
Step 3: Test API Policy (Encrypt)
• In the DLP Test Files find Client Intake Form (Filled).pdf
• Log into OneDrive as [email protected]
• Upload the Client Intake Form (Filled).pdf file
• Navigate back to the portal, Analyze→Logs→API, In a few moments you will see the API picked up the file and matched
the pattern File Fingerprinting

Exercise 2: Test API Policy
Step 4: Test API Policy (Encrypt)
• A moment later, under Analyze→Alerts→Cloud You will see your file triggered policy
• Under Analyze→Logs→API you will now see your file is Encrypted

Module 9

Logging and Reporting



Content
▪ Overview
▪ Configure Weekly and Daily Reports
▪ Configure Proxy Log Filters
▪ Configure API Log Filters
▪ Configure Admin Log Filters
▪ Configuration Integration with Splunk

Logs
Proxy Logs
The Proxy Logs are where admins go to review all user activity (events/logs/etc) in all protected applications
associated with inline access control and DLP policies. The Proxy Logs can be found under Analyze > Logs
> Proxy and are broken down into four cards providing a holistic and highly customizable view of users' proxy
activity.

API Logs
The API Logs can be found under Analyze > Logs > API and provides visibility into data at rest in cloud
applications integrated via API.
Forcepoint ONE scans all files to categorize them for public, external, or internal sharing and private files and
identifies the files matched against DLP patterns to provide a summarized interactive report. This makes it
easier for the admin to know if any confidential information exists in the cloud application or is shared outside
the organization.

Logs
Health Logs
The Health dashboard allows admins to identify if issues that users encounter are brought on by Forcepoint ONE or the
backend server (e.g. Google, Exchange, Salesforce, etc). The dashboard graphs error codes to quickly view the type
and source of issues that have been generated as well as a customizable filter to help sift through the results. You can
access the System Health Logs by navigating to Analyze > Logs > Health. The Health dashboard is broken down into
two tabs, Access and Cloud. Access displays response codes and latency time inline while the cloud tab displays any
API related errors received from the cloud application.

Admin Logs
The Admin Log page will display all admin activity within the Forcepoint ONE portal. For the admin logs, Activity is the
high-level activity that the admin was doing, while Action is the subcategory, the more specific item that was interacted
with. For example, the "Critical" activity is a high-level tag for an error/issue whereas the "Deviceprofileerror" Action is
the more specific item that had the issue.

Logs
Web Logs
The Web Browsing Dashboard is where all of the web browsing events generated from users using the SmartEdge agent
while accessing websites are logged. Reports are generated every 5 minutes with new log data. Log data is kept for 30
days.

Web DLP Logs


The SmartEdge agent supports the ability to block possible data leakage attempts on uploads to any sites. Policies
configured to block uploads based on data patterns under the Web Proxy Policy options will be logged on this Dashboard.

Exercise 1: Enable Weekly and Daily Reports
Step 1: Enable Weekly and Daily Reports
• Navigate to Analyze→Logs→Settings
• Set email weekly dashboard report group to Weekly Overview Report
• Enable Email Data Leakage report to Bitglass administrators

Exercise 2: Configure Log Filters
Step 1: Configure Proxy Log filters
• Navigate to Analyze→Logs→Proxy
• Set Date range to cover the last 30 days
• Add the following filter by clicking Add
filter→Column Specific
• User = [email protected]
• Activity = Uploaded
• Under filter name set to Module 9 Filter
• Click Save Current
• You should only see upload activity

Exercise 2: Configure Log Filters
Step 2: Configure API Log filters
• Navigate to Analyze→Logs→API
• Add the following filter by clicking Add Filter→Column Specific
• Owner = [email protected]
• Data Pattern = confidential
• Click On the name of a file in the Event logs and inspect all the details provided about the file

Exercise 2: Configure Log Filters
Step 3: Configure Admin Log filters
• Navigate to Analyze→Logs→Admin
• Set Date range to cover the last 30 days
• Add the following filter
• Action = AppPolicy
• View Results
• Under filter name set to Module 9 Filter-Policy
• Click Save Current
• Clear Current Filter
• Add the following filter
• Action = AppConfig
• View Results
• Under filter name set to Module 9 Filter-Config
• Click Save Current

Exercise 3: Configure SIEM Integration
Step 1: Configure Integration with Splunk
• From your Windows10-Sysprep machine open a
tab and browse to Splunk
(http://192.168.123.12:8000)
• In another tab log into the Forcepoint ONE
Portal as your admin
• Navigate to Settings→API Interface→OAuth
• Click on OAuth Instructions
• Select Splunk App Integration
• Click the SplunkBase link to download the
Bitglass app
• Click Login to download
• Username: setraining
• Password: Forcepoint1!
• Click Download

Exercise 3: Configure SIEM Integration
Step 2: Configure Integration with Splunk
• Navigate to your Splunk instance
• Click the gear icon beside Apps on the top left-hand corner
• Click on Install app from file (top right-hand corner)
• Choose the file we just downloaded
• Click Upload

Exercise 3: Configure SIEM Integration
Step 3: Configure Integration with Splunk
• Install should be successful, Click Set up
Now
• In the portal, Navigate back to the OAuth
Instructions
• We can jump to step 3 under Download
and Setup App
• Follow the remaining steps in the guide
• You will see your OAuth is Authorized
• Give it a few minutes before logs are
pulled over and you see log results

End of Lab

Appendix A
Replacement Windows10-Agent Client

Appendix A : Replacement Windows10-Agent Client - sysprep
For labs that were created from the Forcepoint ONE Hands On Lab v1.0 template, you must follow these steps to
replace the Windows10-Agent client in your lab.

These additional steps are necessary to remove the duplicate GUID issue with clients reporting into their Forcepoint ONE
tenants. This issue would not be experienced in a production customer environment and is a result of duplicating
devices.
Locate your lab and select ‘Action’ then ‘Refresh Lab Devices’.

Appendix A : Replacement Windows10-Agent Client - sysprep
Locate ‘Windows10-Sysprep’ in the list of new appliances and then select ‘Update’ then ‘Close’

Appendix A : Replacement Windows10-Agent Client - sysprep
Please access either the web consoles or RDP console to gain access to your lab
Please open GNS3, this is where all devices referenced within the exercises can
be accessed

Appendix A : Replacement Windows10-Agent Client - sysprep
Right click on the Windows10-Agent device in the Branch Office
Agent Based Device box (referenced as arrow 1 below).

Click Delete to remove the device from your lab.

Appendix A : Replacement Windows10-Agent Client - sysprep
Click on the Devices List icon (arrow 1 below).
Scroll down to the Windows10-Sysprep device (arrow 2 below),
drag it into your lab in the Branch Office Agent Based Device box
(arrow 3 below).

Appendix A : Replacement Windows10-Agent Client - sysprep
Now we will connect the new Windows10-Sysprep client into the
network. Click on the Add a link icon (arrow 1 below).

Click on the Windows10-Sysprep (arrow 2 below), choose the open
Ethernet0 port.
Click on the IDF-Switch device & choose the open eth0 port (arrow
3 below).

Appendix A : Replacement Windows10-Agent Client - sysprep
Now we must start the new device. Right click on the Windows10-Sysprep
client. Select Start from the pop-up menu.

Appendix A : Replacement Windows10-Agent Client - sysprep
Right click on the Windows10-Sysprep client. Select Console.
Leave all settings default, except change Time Zone to UTC+00:00.
Click next.
Accept Legal Terms.
Use Express Settings.

Appendix A : Replacement Windows10-Agent Client - sysprep
Once the device is ready, select ‘Join a local Active Directory
domain’. Select Next.
Add user student1 with password Forcepoint1 and Fp1 as hint.
Select ‘Yes’ to allowing the device to be discoverable.

Appendix A : Replacement Windows10-Agent Client - sysprep
Open Microsoft Edge and browse to https://library.go4labs.net, then navigate to the Forcepoint ONE Training folder.
Download and install Chrome.

Appendix A : Replacement Windows10-Agent Client - sysprep
Change IP Address & DNS: open Settings -> Network & Internet ->
Ethernet -> Change adapter options.
Right click on the icon -> select Properties.
Highlight Internet Protocol Version 4, hit Properties.
Fill in IP Address, Subnet, Default gateway & Preferred DNS server.
Hit OK, and hit OK again.

Appendix A : Replacement Windows10-Agent Client - sysprep
Add to Domain
Open Settings -> System -> Click on About
Click Join a Domain -> type go4labs.local -> hit Next
Type: admin Forcepoint1
User account: admin with Administrator account Type
Restart PC Now

Appendix A : Replacement Windows10-Agent Client - sysprep
Open Chrome and browse to https://library.go4labs.net, then navigate to the Forcepoint ONE Training folder.
Download and install Office.
