Deployment considerations for integration with Cisco products

Applies to:
  • Forcepoint URL Filtering, v8.5.x

Cisco ASA

A simple and common network topology places web policy enforcement components on a single machine, or group of dedicated machines, communicating with a Cisco Adaptive Security Appliance (ASA) via TCP/IP.

  • Forcepoint Security Manager and reporting components are installed on separate Windows machines.
  • If you install Network Agent, it must be positioned to see all traffic on the internal network.

See Integrating Forcepoint URL Filtering with Cisco for configuration instructions.

Other configurations are possible. See your Cisco ASA documentation and the information in this section to determine the best configuration for your network.

The diagram provides a general overview and best-practice location for your integration product, but does not show all components. Larger networks require components to be distributed across several dedicated machines.

Cisco IOS Routers

In this common configuration, web policy enforcement components are installed on a single machine, communicating with the Cisco IOS Router.

  • Forcepoint Security Manager and reporting components are installed on separate Windows machines.
  • If you install Network Agent, it must be positioned to see all traffic on the internal network.

The router has firewall functionality and can be used with or without an accompanying firewall.

If the Cisco IOS Router is used with a separate firewall, ensure that all Internet traffic is configured to pass through the router rather than bypassing it and going directly to the firewall. Traffic that bypasses the router cannot be managed by Forcepoint URL Filtering.

Other configurations are possible. See your Cisco Router documentation and the information in this chapter to determine the best configuration for your network.

The diagram provides a general overview and best-practice location for your integration product, but does not show all components. Larger networks require components to be distributed across several dedicated machines.