Introduction: The Forcepoint ONE SSE Cloud SWG solution enables web traffic filtering when a SmartEdge agent cannot be deployed on the end user's machine, such as for guest users or IoT devices, or when the organization does not want to deploy an agent.
IPsec overview: IPsec is an extension to the IP protocol that provides secure traffic tunneling by authenticating and encrypting information sent over a network.
Throughput: For Forcepoint ONE SSE Cloud SWG, Forcepoint allocates 0.1 megabits per second (Mbps) per licensed user per virtual datacenter.
Audience: Defines the audience of this document.
Configurations in Forcepoint ONE SSE portal: This section details the configurations required to set up an IPsec tunnel in the Forcepoint ONE SSE portal.
Creating Sites: A Site represents a corporate location from which traffic will originate. While creating a Site, you can configure the IPsec tunnel through which traffic should be sent to the cloud, and create or add subnet groups within the site.
Viewing Tunnels: After creating tunnels, you can monitor the status of each tunnel on the Analyze > Tunnels page.
Creating Traffic Types: Within a company network, there will be multiple subnets. Each subnet will be assigned for a particular purpose, that is, assigned to managed devices, IoT, guest, servers and so on.
Settings: On the Protect > Forward Proxy > Settings page, you can set Cloud SWG Session Timeout, Cloud SWG Certificate Authority and Bypass Domains, Host IPs or Subnets.
Configurations on Forcepoint NGFW: These instructions explain how to forward web traffic from the Forcepoint NGFW site through the Forcepoint ONE SSE cloud proxy service using policy-based IPsec VPN.
Create External VPN Gateway elements: In the Management Client, create an External VPN Gateway element to represent the Forcepoint ONE SSE cloud VPN gateway.
Configure Policy-Based VPN elements: In the Management Client, create a Policy-Based VPN element, and then define the topology and tunnel settings.
Configure the endpoint for the NGFW Engine: Verify that your assigned site IKE ID in the Forcepoint ONE SSE portal matches your NGFW VPN endpoint IKE ID. If necessary, you can add a VPN-specific exception for the NGFW endpoint IKE ID.
Configure rules for policy-based VPN traffic: The Access rules define which traffic is allowed through the firewall and policy-based VPN tunnels.
Verifying high availability failover: For each site you add, it is important to ensure that the High Availability (HA) failover capability is provisioned and configured correctly so that failover happens successfully when required.
Installing Root Certificate: You may get the error "Software is Preventing Firefox from safely connecting to site" while accessing websites in Mozilla Firefox if the user is required to authenticate using the domain's identity provider.