Forcepoint ONE Bypass Lists for Firewalls and Security Software

Ensure the following domains/URLs are permitted through your firewall to guarantee seamless service and functionality while using Forcepoint ONE SSE services. Unless explicitly specified, most requests are made to Forcepoint ONE Cloud Services via HTTPS on port 443.

Forcepoint ONE login and administrative pages

Both administrators and users traverse portal.us.bitglass.net (Trial Cloud), portal.bitglass.com (Commercial Cloud), and portal.eu.bitglass.net (EU Cloud) to reach different sub-sites, so the domains listed below are relevant for anyone logging into Forcepoint ONE. Only administrators will have access to the Forcepoint ONE support portal.

Table 1. Portal Page - Commercial Cloud
URL/Domain Description
portal.bitglass.com Login page
looker.bitglass.com Analytics page

d35yjcem1gita5.cloudfront.net CSS/scripts for portal.bitglass.com
dmksmfp72wh99.cloudfront.net CSS/scripts for portal.bitglass.com
ajax.aspnetcdn.com Scripts for portal.bitglass.com
cdnjs.cloudflare.com Scripts for portal.bitglass.com
s3.us-west-2.amazonaws.com Images for custom apps
*.sso.bitglass.com Login client cert check
www.btglss.net Agentless / reverse proxied app access

cdn.walkme.com Walk-Me Portal Assistance
s3.walkmeusercontent.com Walk-Me Portal Assistance
ec.walkme.com Walk-Me Portal Assistance
Table 2. Portal Page - EU Cloud
URL/Domain Description
portal.eu.bitglass.net Login page
www.eu.bitglass.net Agentless / reverse proxied app access

ajax.aspnetcdn.com Scripts for portal.eu.bitglass.net
cdnjs.cloudflare.com Scripts for portal.eu.bitglass.net
code.jquery.com Scripts for portal.eu.bitglass.net
d2v4ojxgeuzgdy.cloudfront.net portal.eu.bitglass.net page objects

cdn.walkme.com Walk-Me Portal Assistance
playerserver.walkme.com Walk-Me Portal Assistance
ec.walkme.com Walk-Me Portal Assistance
s3.eu-central-1.amazonaws.com Images for custom apps
bitglass-prodeu-agent-artifacts.s3.amazonaws.com AD sync agent download
<tenant domain>.sso.eu.bitglass.net Login client cert check
support.forcepoint.com Forcepoint Support portal

Forcepoint Security Manager DLP to Forcepoint ONE SSE

Each of the below domains will resolve to multiple IP addresses, and all should be included in any firewall Access Control Lists (ACLs).

Table 3. Trial Cloud
Domain/URL
portal.us.bitglass.net
proxyapi.us.bitglass.net
Table 4. Commercial Cloud
Domain/URL
portal.bitglass.com
proxyapi.bitglass.com
Table 5. EU Cloud
Domain/URL
portal.eu.bitglass.net
proxyapi.eu.bitglass.net

ZTNA

Table 6. Commercial Cloud
URL/Domain Description
ZTNA OVA:
ztnarouter.bitglass.com OVA management connection
bg-prod-ova.s3.amazonaws.com ZTNA ISO
github.com GitHub
download.docker.com Docker
cv.bitglass.com Agent Configuration
HTTP ZTNA:
www.ztna.bitglass.com HTTP ZTNA
<domain>-<id>.ztna.bitglass.com HTTP ZTNA
TCP ZTNA (SmartEdge Agent):
ztnarouter.bitglass.com ZTNA Router
ztnahaproxy-*.bitglass.com ZTNA Load Balancer
Table 7. EU Cloud
URL/Domain Description
ZTNA OVA:
ztnarouter.eu.bitglass.net OVA management connection

ztnaserver-eu-central-1a-bank2.eu.bitglass.net OVA data connection
ztnaserver-eu-central-1b-bank2.eu.bitglass.net OVA data connection
ztnaserver-eu-central-1c-bank2.eu.bitglass.net OVA data connection
096923413011.dkr.ecr.us-west-2.amazonaws.com OVA docker container
prod-us-west-2-starport-layer-bucket.s3.us-west-2.amazonaws.com OVA docker container
prodeu-ova-repo.s3.eu-central-1.amazonaws.com Updates
github.com GitHub
download.docker.com Docker
HTTP ZTNA:
www.ztna.eu.bitglass.net HTTP ZTNA
<domain>-<id>.ztna.eu.bitglass.net HTTP ZTNA
TCP ZTNA (SmartEdge Agent):
ztnarouter.eu.bitglass.net ZTNA Router
ztnahaproxy-*.eu.bitglass.net ZTNA Load Balancer

Reverse Proxy

Reverse proxy involves users logging into an application and being directed back through Forcepoint ONE proxies via a dashified domain. Application configuration is done in the admin portal. User traffic will be directed to the dashified domain after logging into the portal. For example:
Domain/URL Description
<tenant domain>.us.bitglass.net Dataplane for Trial Cloud - Proxied app traffic domain
<tenant domain>.btglss.net Dataplane for Commercial Cloud - Proxied app traffic domain
<tenant domain>.eu.bitglass.net Dataplane for EU Cloud - Proxied app traffic domain
Admin Portal All portal page domains listed at the beginning of this article.

Cloud API

Cloud API communication occurs between Forcepoint ONE Analytics/dataplane nodes to the application and is not initiated from on-premise. No special considerations are required for Firewall bypass lists aside from the portal page domains listed at the beginning of this article.

URL/Domain Description
Admin Portal All portal page domains listed at the beginning of this article.

CSPM

CSPM communication occurs between Forcepoint ONE Analytics/dataplane nodes to the application and is not initiated from on-premise. No special considerations are required for Firewall bypass lists aside from the portal page domains listed at the beginning of this article.

URL/Domain Description
Admin Portal All portal page domains listed at the beginning of this article.

Discovery

Discovery involves navigation of the Forcepoint ONE portal page as well as uploading logs, or downloading an OVA to stream logs out.

Table 8. Commercial Cloud
URL/Domain Description
bg-prod-ova.s3.amazonaws.com Discovery OVA and ISO downloads
syslog.bitglass.com (TCP port 1999) Syslog
*.dkr.ecr.us-west-2.amazonaws.com Container download
Admin Portal All portal page domains listed at the beginning of this article.
Table 9. EU Cloud
URL/Domain Description
bg-prodeu-ova.s3.amazonaws.com Discovery OVA and ISO downloads
096923413011.dkr.ecr.us-west-2.amazonaws.com OVA docker download
prod-us-west-2-starport-layer-bucket.s3.us-west-2.amazonaws.com OVA docker container
syslog.bitglass.eu (TCP port 1999) Syslog
Admin Portal All portal page domains listed at the beginning of this article.

IAM

Depending upon your unique deployment, you may need to allow a Forcepoint ONE AD Agent or calls to create users in the Forcepoint ONE cloud. See the information below on specific user source/destinations for bypasses.

AD Agent

Table 10. Commercial Cloud
Domain/URL
cv.bitglass.com
dirsync.bitglass.com
Table 11. EU Cloud
Domain/URL
cv.eu.bitglass.net
dirsync.eu.bitglass.net

SCIM

SCIM communicates directly between Forcepoint ONE servers in the cloud and the application servers (Microsoft, Google, etc.) to gather users, so it is not impacted by on-premise network firewalls.

User API

Requests to create a user via the Forcepoint ONE user API are made using resources on portal.us.bitglass.net, portal.bitglass.com, and portal.eu.bitglass.net.

MFA

Requests from a user device to Forcepoint ONE-initiated MFA use resources on portal.us.bitglass.net, portal.bitglass.com, or portal.eu.bitglass.net and do not require additional bypass domains. If an administrator has selected third-party MFA such as Google or Duo, the relevant domains for those providers will need to be allowed as needed.

Log Poll API

Requests to fetch log data are made to resources at portal.us.bitglass.net, portal.bitglass.com, or portal.eu.bitglass.net.

IP API

Requests to fetch Bitglass IP lists are made to resources at portal.us.bitglass.net, portal.bitglass.com, or portal.eu.bitglass.net.

ICAP

ICAP DLP initiates connections from Forcepoint ONE Data planes to a server defined in the admin portal. The server listed will have to allow connection from external sources. These sources are listed in the Forcepoint ONE SSE datacenters and IPs.

Remote Browser Isolation (RBI) Exclusions

Environment Exception URL Outbound Ports for Connection
Trial Cloud *.rbi.poc.forcepoint.com 30000 – 32767
Commercial Cloud *.rbi.forcepoint.com 30000 – 32767
EU Cloud *.rbi.forcepoint.com 30000 – 32767
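The tables on this page mix exact hostnames, leading wildcards (*.sso.bitglass.com, *.rbi.forcepoint.com), in-label wildcards (ztnahaproxy-*) and placeholders (<tenant domain>, <domain>-<id>), plus non-443 ports for syslog and RBI. The following added Python example (not Forcepoint's code) compiles a handful of these entries into anchored patterns and checks host/port pairs from constructed egress log lines against them, so a firewall or proxy team can verify that a rule set matches what the page lists. The tenant name "acme", the sample log lines and the reading of a leading "*." as one or more DNS labels are assumptions.

```python
import re

# Entries copied from this page's tables, paired with the port range the page
# states (HTTPS 443 unless a port is given). "acme" is a constructed tenant.
TENANT = "acme"
ALLOWLIST = [
    ("portal.bitglass.com", (443, 443)),
    ("*.sso.bitglass.com", (443, 443)),
    ("<tenant domain>.btglss.net", (443, 443)),
    ("ztnahaproxy-*.bitglass.com", (443, 443)),
    ("<domain>-<id>.ztna.bitglass.com", (443, 443)),
    ("syslog.bitglass.com", (1999, 1999)),
    ("*.rbi.forcepoint.com", (30000, 32767)),
]
LABEL = r"[a-z0-9-]+"  # characters allowed inside one DNS label


def entry_to_regex(entry, tenant=TENANT):
    """Compile one table entry to an anchored regex. Assumed conventions:
    a leading '*.' matches one or more labels, a '*' inside a label matches
    label characters only, '<tenant domain>' is replaced by the tenant name,
    and any other '<...>' placeholder matches one dot-free label fragment."""
    entry = entry.replace("<tenant domain>", tenant)
    parts = []
    if entry.startswith("*."):
        parts.append(rf"(?:{LABEL}\.)+")
        entry = entry[2:]
    for token in re.split(r"(\*|<[^>]+>)", entry):
        is_wild = token == "*" or (token.startswith("<") and token.endswith(">"))
        parts.append(LABEL if is_wild else re.escape(token))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


COMPILED = [(e, entry_to_regex(e), ports) for e, ports in ALLOWLIST]


def matching_entry(host, port):
    """Return the allowlist entry that permits host:port, or None.
    Patterns are anchored, so portal.bitglass.com.example.net never matches."""
    host = host.rstrip(".")
    for entry, rx, (lo, hi) in COMPILED:
        if rx.match(host) and lo <= port <= hi:
            return entry
    return None


def audit(log_lines):
    """Map constructed egress log lines ('host port') to the entry that
    allows them; None means the flow would be blocked or needs a new bypass."""
    result = {}
    for line in log_lines:
        host, port = line.split()
        result[line] = matching_entry(host, int(port))
    return result
```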