Configuring SWG policies

You can configure SWG Connection Policy, Cloud SWG Authentication Policy and SWG Content Policy to manage traffic through Cloud SWG and SmartEdge agent.

The SmartEdge agent not only provides forward proxy capabilities for applications to apply contextual access controls and inline DLP, but it can also be used to apply web proxy-based policies that control websites based on other variables such as category or cloud risk score.

Note:
  • CASB forward-proxy only occurs with the SmartEdge agent. Thick client traffic also requires the SmartEdge agent.
  • For devices without the SmartEdge agent, Agentless ZTNA and CASB application traffic is reverse proxied as defined by the policy.
  • VDI deployments are currently not supported. They will be supported in the future with the SmartEdge agent. This requires the SmartEdge agent to be extended to support multiple simultaneous users on shared servers.

The Cloud SWG provides the ability to apply web proxy-based policies controlling websites and enforce inline DLP. The Reverse Proxy can be used in conjunction with Cloud SWG to apply contextual access controls and inline DLP to managed applications.

This chapter walks you through how to configure these policies both for the SmartEdge agent and the Cloud SWG.

  • SWG Connection Policy
  • Cloud SWG Authentication Policy
  • SWG Content Policy
Note: The Cloud SWG Authentication Policy tile applies only to the Cloud SWG, whereas the SWG Connection Policy and SWG Content Policy tiles apply to both the Cloud SWG and the SmartEdge Agent.

Sequence of Execution

Policies are evaluated in the order shown below for each scenario:

  • When only the SmartEdge Agent is present on the user's device, then the policies are evaluated in the order shown below:
    1. Agent Connection Policy
    2. Agent Content Policy
    Note: Devices running the SmartEdge Agent also need to have the Cloud SWG certificate installed.
  • When the SmartEdge Agent is present on the user's device and the Cloud SWG is configured, then the policies are evaluated in the order shown below:
    1. Agent Connection Policy
    2. Agent Content Policy
    3. Cloud SWG Connection Policy

    Agent Connection and Content policies are evaluated first, followed by the Cloud SWG Connection policy. The Cloud SWG Connection policy is applied to agent traffic because the connection policy operates at the TCP level. However, the Cloud SWG Content and Cloud SWG Authentication policies are skipped for agent traffic.

  • When only the Cloud SWG is configured, then the policies are evaluated in the order shown below:
    1. Cloud SWG Connection Policy
    2. Cloud SWG Authentication Policy
    3. Cloud SWG Content Policy

    The SWG Connection Policy is applied at a TCP connection level and therefore can be applied to traffic without SSL decryption. If none of the connection policy rules matches, evaluation continues to the Authentication and Content policies. If the Authentication policy determines that the user should be authenticated, the user will first be redirected to the login page. Once the user is successfully authenticated, policy evaluation continues to the Content Policy. Alternatively, if user authentication is not required, policy evaluation continues directly to the Content Policy.

  • When only the SmartEdge Agent is present on the user's device while accessing managed applications, then the policies are evaluated in the order shown below:
    1. Managed application's Policy
    2. Agent Connection Policy
    3. Agent Content Policy
    Note: Devices running the SmartEdge Agent also need to have the Cloud SWG certificate installed.

    Forcepoint ONE SSE sends globally bypassed traffic directly to the internet, and non-bypassed Managed App traffic to the Forcepoint ONE cloud dataplanes for processing before applying agent policies.

  • When the Cloud SWG is configured while accessing managed applications, then the policies are evaluated in the order shown below:
    1. Cloud SWG Connection Policy
    2. Cloud SWG Authentication Policy
    3. Cloud SWG Content Policy
    4. Managed application's Policy

    Forcepoint ONE SSE sends globally bypassed traffic directly to the internet, and non-bypassed Managed App traffic to the Cloud SWG before sending it to the Forcepoint ONE cloud dataplanes for processing.

    The SWG Connection Policy is applied at a TCP connection level and therefore can be applied to traffic without SSL decryption. If none of the connection policy rules matches, evaluation continues to the Authentication and Content policies. If the Authentication policy determines that the user should be authenticated, the user will first be redirected to the login page. Once the user is successfully authenticated, policy evaluation continues to the Content Policy. Alternatively, if user authentication is not required, policy evaluation continues directly to the Content Policy.

  • When the SmartEdge Agent is present on the user's device and the Cloud SWG is configured while accessing managed applications, then the policies are evaluated in the order shown below:
    1. Agent Connection Policy
    2. Agent Content Policy
    3. Cloud SWG Connection Policy
    4. Managed application's Policy

    Forcepoint ONE SSE sends globally bypassed traffic directly to the internet, and non-bypassed Managed App traffic to the SWG before sending it to the Forcepoint ONE cloud dataplanes for processing.

    Agent Connection and Content policies are evaluated first, followed by the Cloud SWG Connection policy. The Cloud SWG Connection policy is applied to agent traffic because the connection policy operates at the TCP level. However, the Cloud SWG Content and Cloud SWG Authentication policies are skipped for agent traffic.
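The evaluation order above, modelled as an added example (not Forcepoint code): connection rules match on host and port only, since they run at the TCP level before any decryption; the Cloud SWG Authentication and Content stages are skipped for agent traffic; and an unauthenticated user is redirected to the login page before the Content policy runs. The rule fields, the `Flow` attributes and the sample rules are assumptions for illustration, and one connection rule set serves both the agent and the Cloud SWG, as the shared SWG Connection Policy tile implies.

```python
# Added model of the evaluation order described above (not Forcepoint code).
# Rule fields, actions and the Flow attributes are assumptions for illustration.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Flow:
    host: str                       # destination seen at TCP level (no decryption)
    port: int
    category: Optional[str] = None  # only known once content is inspected
    authenticated: bool = False
    via_agent: bool = False         # device runs the SmartEdge Agent
    swg_configured: bool = True     # Cloud SWG is configured for this tenant

# Constructed sample policy; the SWG Connection tile serves agent and cloud alike.
CONNECTION_RULES = [{"host": "blocked.example", "port": 443, "action": "deny"}]
AUTH_REQUIRED_CATEGORIES = {"webmail"}
CONTENT_RULES = [{"category": "malware", "action": "deny"}]

def evaluate(flow, conn_rules=CONNECTION_RULES, content_rules=CONTENT_RULES,
             auth_categories=AUTH_REQUIRED_CATEGORIES):
    """Return (verdict, ordered list of policy stages that were evaluated)."""
    trace = []

    def connection(stage):          # TCP-level match: host and port only
        trace.append(stage)
        return next((r["action"] for r in conn_rules
                     if r["host"] == flow.host and r["port"] == flow.port), None)

    def content(stage):             # needs decrypted / inspected content
        trace.append(stage)
        return next((r["action"] for r in content_rules
                     if r["category"] == flow.category), None)

    if flow.via_agent:
        for stage, check in (("Agent Connection", connection),
                             ("Agent Content", content)):
            verdict = check(stage)
            if verdict:
                return verdict, trace
        if flow.swg_configured:
            verdict = connection("Cloud SWG Connection")
            if verdict:
                return verdict, trace
        # Cloud SWG Authentication and Content are skipped for agent traffic.
        return "allow", trace

    verdict = connection("Cloud SWG Connection")
    if verdict:
        return verdict, trace
    trace.append("Cloud SWG Authentication")
    if flow.category in auth_categories and not flow.authenticated:
        return "redirect-to-login", trace   # user is sent to the login page first
    return content("Cloud SWG Content") or "allow", trace
```

The returned trace makes it easy to confirm which stages a given flow passed through, which is the first thing to check when a rule that exists in the Content policy appears not to fire for agent traffic.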