Redundancy and failover

For each device you configure in the cloud portal, two Forcepoint points of presence (data centers or local PoPs) can be selected. Forcepoint strongly recommends configuring your device to achieve geographic redundancy using both PoP addresses.
Important: Connection redundancy is a requirement for the Forcepoint Web Security Cloud SLA.
You can achieve geographic redundancy by either:
  • Configuring primary and secondary tunnels, and using the connectivity monitoring address to monitor the status of the primary tunnel, with automatic failover to the secondary tunnel, or
  • Configuring the two point of presence addresses as multiple IPsec peers for the same tunnel.

Use the appropriate IP addresses for your selected points of presence. These are listed in the article IP addresses for GRE and IPsec Advanced connectivity.

To decide which points of presence are best for your environment, consider:
  • Which are nearest
  • Any geographical or data sovereignty concerns around where users browse or where their reporting data is stored.
    Note:
    Failover behavior, particularly cross-point of presence failover, could change an end user’s browsing experience. For example, some sites may change localization or presentation between a UK PoP and a German PoP (for example, www.google.co.uk might automatically redirect to www.google.de or www.google.nl, depending on which point of presence users’ traffic is directed through).

    Bear in mind that point of presence failover should be an exceptional occurrence, so this behavior might be acceptable in emergency circumstances.