Integrate Forcepoint User ID Service with Forcepoint NGFW

Integrating Forcepoint NGFW with Forcepoint User ID Service provides transparent user identification for access control by user.

Before you begin

You have installed and configured the components that send the user, group, and IP address information to the NGFW Engines. For information about integrating the Forcepoint User ID Service with other Forcepoint products, see the document How to integrate Forcepoint User ID Service with other Forcepoint products and Knowledge Base article 14100.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. In the Management Client, create a Forcepoint User ID Service element.
    1. Select Configuration.
    2. Browse to Other Elements > Engine Properties > User Identification Services.
    3. Right-click User Identification Services, then select New > Forcepoint User ID Service.
    4. In the Name field, enter a unique name for the Forcepoint User ID Service element.
    5. In the IP Addresses field, enter the IP address of the server on which the Forcepoint User ID Service is installed.
    6. Enter the port for communication between the Forcepoint NGFW Engine and the Forcepoint User ID Service server.
      Note: The default port number is 5000. Use the same port that is used in the Forcepoint User ID Service configuration on the Forcepoint User ID Service server.
    7. In the Monitored User Domains section, click Add to define an Active Directory domain from which the NGFW Engine receives user information.
  2. Enable TLS protection for the communication from the NGFW Engine to the Forcepoint User ID Service server.
    1. On the Certificate tab, click Select, then select a TLS Profile.
      Note: The minimum supported TLS version for Forcepoint User ID Service 2.1 and higher is TLS 1.2. The TLS Profile element must use TLS 1.2.
    2. From the TLS Server Identity drop-down list, select a TLS server identity.
    3. In the Identity Value field, enter a value for the TLS server identity.
      Note: If the TLS server identity is Distinguished Name, SHA-1, SHA-256, SHA-512, or MD5, click Fetch Certificate to fetch the value of the TLS server identity from a certificate.
  3. Enable the Log Server to receive log data from the Forcepoint User ID Service.
    1. On the Monitoring tab, select the Log Server that receives the log data from the Forcepoint User ID Service.
    2. (Optional) To receive status information from the Forcepoint User ID Service, select Status Monitoring, then select a probing profile.
    3. To receive log data from the Forcepoint User ID Service, select Log Reception, then select the logging profile.
      The logging profile defines in which log fields the log data from the Forcepoint User ID Service is stored. If you create a new Logging Profile element that uses the default settings, all the log data is stored in the Syslog message field.
  4. Click OK.
    The Forcepoint User ID Service element is created.
  5. Select a Forcepoint User ID Service element for NGFW Engines.
    1. Select Configuration.
    2. Right-click an engine, then select Edit <element type>.
    3. Browse to Add-Ons > User Identification.
    4. In the User Identification Service list, select a Forcepoint User ID Service element.
      If the Forcepoint User ID Service element that you want to use is not listed, select Select, then select a Forcepoint User ID Service element.
    5. Click Save and Refresh.

Next steps

If you want the Forcepoint User ID Service server to authenticate the NGFW Engine with the Management Server's internal certificate authority, export the certificate of the Management Server's active internal certificate authority.

Forcepoint User ID Service Properties dialog box

Use this dialog box to define the properties of the Forcepoint User ID Service element.

Option Definition
General tab
Name The unique name of the element.
IP Addresses The IP address of the Forcepoint User ID Service server from which the NGFW Engine receives user information.
Resolve Automatically resolves the IP address of the host.
Contact addresses A Contact Address is needed if NAT is applied between the NGFW Engine and a Forcepoint User ID Service server.
  • Default — Used by default whenever a component that belongs to another Location connects to a Forcepoint User ID Service server.
  • Exceptions — Opens the Exceptions dialog box.
Port The port on which the Forcepoint User ID Service server communicates with the engine. If you change the port from the default, you must configure the same port in the Forcepoint User ID Service server on the Linux system.
Monitored User Domains
Add Click Add to define an Active Directory domain from which the NGFW Engine receives user information. Enter the fully-qualified domain name (FQDN) of each monitored Active Directory domain on a separate row.
Remove Removes the selected item from the list.
Category Includes the Forcepoint User ID Service in predefined categories.
Comment An optional comment for your own reference.
Option Definition
Certificate tab
TLS Profile Allows you to select a TLS Profile element that contains, for example, the settings for cryptography, trusted certificate authorities, and the TLS version used in TLS-protected traffic. Click Select to select or to create a TLS Profile element.
TLS Server Identity (Optional, only if a TLS Profile is selected) Select the identity of the TLS server to secure TLS-protected traffic from the NGFW Engine to the Forcepoint User ID Service server.
  • DNS Name — Use the DNS name of the server.
  • IP Address — Use the IP address of the server.
  • Common Name — Use the common name (CN) of the server.
  • Distinguished Name — Use the distinguished name (DN) of the server.
  • SHA-1 — Use SHA (Secure Hash Algorithm) hash function 1.
  • SHA-256 — Use SHA (Secure Hash Algorithm) hash function 256.
  • SHA-512 — Use SHA (Secure Hash Algorithm) hash function 512.
  • MD5 — Use MD5 Message-Digest Algorithm.
Fetch From Certificate Opens the Import Certificate dialog box for fetching the value of the server identity field from a certificate.
Note: You can fetch the value of the server identity field from a certificate only if the server identity field is Distinguished Name, SHA-1, SHA-256, SHA-512, or MD5.
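As an added illustration, not Forcepoint's own code, the following Python shows how the TLS Server Identity types above are matched against the server certificate the NGFW Engine receives: the fingerprint types hash the whole DER-encoded certificate, while the name types compare parsed certificate fields. The `cert` dictionary, its field names and the sample values are assumptions constructed for this example.

```python
import hashlib
import ipaddress

# Hash algorithms behind the fingerprint-type TLS Server Identity options.
FINGERPRINT_TYPES = {"SHA-1": "sha1", "SHA-256": "sha256",
                     "SHA-512": "sha512", "MD5": "md5"}

def fingerprint(cert_der: bytes, identity_type: str) -> str:
    """Colon-separated uppercase hex digest of the whole DER certificate."""
    digest = hashlib.new(FINGERPRINT_TYPES[identity_type], cert_der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2)).upper()

def normalize_fp(value: str) -> str:
    # Operators paste fingerprints with or without colons and in mixed case.
    return value.replace(":", "").replace(" ", "").upper()

def server_identity_matches(identity_type: str, identity_value: str, cert: dict) -> bool:
    """True if the presented certificate matches the configured Identity Value.
    `cert` is a hypothetical pre-parsed view of the server certificate (assumed by
    this example; the engine parses X.509 itself): {"der": bytes, "cn": str,
    "dn": str, "dns_names": [...], "ip_addresses": [...]}."""
    if identity_type in FINGERPRINT_TYPES:
        expected = normalize_fp(identity_value)
        return normalize_fp(fingerprint(cert["der"], identity_type)) == expected
    if identity_type == "DNS Name":
        names = {n.lower().rstrip(".") for n in cert["dns_names"]}
        return identity_value.lower().rstrip(".") in names
    if identity_type == "IP Address":
        # Compare parsed addresses so that "2001:DB8::10" equals "2001:db8:0:0::10".
        wanted = ipaddress.ip_address(identity_value)
        return any(ipaddress.ip_address(a) == wanted for a in cert["ip_addresses"])
    if identity_type == "Common Name":
        return cert["cn"] == identity_value
    if identity_type == "Distinguished Name":
        return cert["dn"] == identity_value
    raise ValueError(f"unknown TLS Server Identity type: {identity_type}")

# Constructed sample: a stand-in for the DER bytes of a User ID Service server certificate.
SAMPLE_CERT = {
    "der": b"-- constructed stand-in for DER-encoded certificate bytes --",
    "cn": "fuid.example.com",
    "dn": "CN=fuid.example.com,O=Example,C=FI",
    "dns_names": ["fuid.example.com", "fuid"],
    "ip_addresses": ["192.0.2.10", "2001:db8::10"],
}

if __name__ == "__main__":
    for identity_type in FINGERPRINT_TYPES:
        print(identity_type, fingerprint(SAMPLE_CERT["der"], identity_type))
```

A fingerprint type pins the exact certificate, so the Identity Value must be updated whenever the server certificate is renewed; a name type survives renewal as long as the name stays the same.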
Option Definition
Advanced tab
Cache Expiration The length of time before the cache expires if there is a connection problem between the NGFW Engine and the Forcepoint User ID Service server.
Connection Timeout The maximum amount of time that the NGFW Engine tries to connect to the Forcepoint User ID Service server before the next connection attempt. The default is 10 s.
Note: The monitoring of the Forcepoint User ID Service is configured in the SMC in the same way as the monitoring of third-party devices. However, the Forcepoint User ID Service does not send SNMP traps or NetFlow data.
Option Definition
Monitoring tab
Log Server The Log Server that monitors the status of the element.
Status Monitoring When selected, activates status monitoring for the device. You must also select the Probing Profile that contains the definitions for the monitoring. When you select Status Monitoring, the element is added to the tree in the Dashboard view.
Probing Profile Shows the name of the selected Probing Profile. Click Select to select a Probing Profile element.
Log Reception Activates syslog reception from this device. You must select the Logging Profile that contains the definitions for converting the syslog entries to SMC log entries. You must also select the Time Zone in which the device is located. By default, the local time zone of the computer you are using is selected.
Logging Profile Shows the name of the selected Logging Profile. Click Select to select a Logging Profile element.
Time Zone Selects the time zone for the logs.
Encoding Selects the character set for log files.
SNMP Trap Reception Enables the reception of SNMP traps from the third-party device.
NetFlow Reception Enables the reception of NetFlow data from the third-party device. The supported versions are NetFlow v5, NetFlow v9, and IPFIX (NetFlow v10).

TLS Profile Properties dialog box

Use this dialog box to define a TLS profile for enabling TLS protection for traffic to and from external components.

Option Definition
Name The name of the element.
TLS Cryptography Suite Set The cryptographic suite for TLS connections.
Trusted Certificate Authorities Specifies which certificate authorities to trust.
  • Trust any
  • Trust selected
Click Add to add an element to the list, or Remove to remove the selected element.
Version The TLS version used.
Use Only Subject Alt Name (Optional) Uses only Subject Alternative Name (SAN) certificate matching.
Accept Wildcard Certificate (Optional) Allows the use of wildcards in certificate matching.
Check Revocation (Optional) Checks against certificate revocation lists (CRLs) whether the certificate has been revoked. The certificate must be signed by a valid certificate authority.
Delay CRL Fetching For (Optional, NGFW Engine only) The time interval for the NGFW Engine to fetch the CRL. If the CRL expires sooner than the specified interval, the CRL expiration value defines the interval for fetching the CRL. This setting is ignored when the TLS Profile element is used for a Management Server or a Log Server.
Ignore OCSP Failures For (Optional, NGFW Engine only) The number of hours for which the NGFW Engine ignores OCSP failures. This setting is ignored when the TLS Profile element is used for a Management Server or a Log Server.
Ignore Revocation Check Failures if There Are Connectivity Problems (Optional, NGFW Engine only) When selected, the NGFW Engine ignores all CRL check failures if connectivity problems are detected. This setting is ignored when the TLS Profile element is used for a Management Server or a Log Server.
Category (Optional) Includes the element in predefined categories. Click Select to select a category.
Comment (Optional) A comment for your own reference.

Internal Certificate Authority Properties dialog box

Use this dialog box to view the details of an Internal Certificate Authority element or to export the certificate of an internal certificate authority.

Option Definition
General tab
Name The name of the element.
Subject Name The identifier of the certified entity.
Public Key Algorithm The algorithm used for the public key.
Key Length The length of the key in bits.
Serial Number The sequence number of the certificate. The number is issued by the CA.
Signature Algorithm The signature algorithm that was used to sign the certificate.
Signed By The CA that signed the certificate.
SubjectAltName The subject alternative name fields of the certificate.
Valid From The start date of certificate validity.
Valid To The end date of certificate validity.
Fingerprint (SHA-1) The certificate fingerprint using the SHA-1 algorithm.
Fingerprint (SHA-256) The certificate fingerprint using the SHA-256 algorithm.
Fingerprint (SHA-512) The certificate fingerprint using the SHA-512 algorithm.
Status The status of the internal certificate authority.
Option Definition
Certificate tab
Certificate text area The contents of the certificate.
Export Exports the certificate text.
Import Opens a file browser to import a certificate file.