Network interface cards (NICs)

Network Agent requires at least one network card (NIC) to monitor and block traffic, and can be configured to use multiple NICs. Each NIC that Network Agent uses for monitoring must be able to see all inbound and outbound traffic for the network or segment that it is configured to monitor.

Install and configure each NIC before installing Network Agent:

  • Each NIC must be connected to a switch or hub and enabled in the operating system.
  • The NIC used to monitor traffic must be configured to capture all packets on the network, not only the packets addressed directly to it (promiscuous mode).

If Network Agent is installed on a Linux machine, make sure that either:

  • The blocking NIC and monitoring NIC have IP addresses in different network segments (subnets).
  • You delete the routing table entry for the monitoring NIC.

If both the blocking and monitoring NIC on a Linux machine are assigned to the same subnet, the Linux operating system may attempt to send the block via the monitoring NIC. If this happens, the requested page or protocol is not blocked, and the user is able to access the site.
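The following check is an added example, not Forcepoint code: it parses the text output of `ip -o -4 addr show` and `ip -4 route show` and reports whether either of the two Linux conditions above is met. The interface names `eth0` and `eth1` and the sample output are constructed, and overlapping prefixes are treated as the same subnet.

```python
import ipaddress

# Constructed sample output of `ip -o -4 addr show` (not from a real host).
SAMPLE_ADDR = """\
2: eth0    inet 10.20.30.5/24 brd 10.20.30.255 scope global eth0
3: eth1    inet 10.20.30.6/24 brd 10.20.30.255 scope global eth1
"""
# Constructed sample output of `ip -4 route show`.
SAMPLE_ROUTES = """\
default via 10.20.30.1 dev eth0
10.20.30.0/24 dev eth0 proto kernel scope link src 10.20.30.5
10.20.30.0/24 dev eth1 proto kernel scope link src 10.20.30.6
"""

def nic_networks(addr_text):
    """Map interface name -> list of IPv4 networks configured on it."""
    nets = {}
    for line in addr_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[2] == "inet":
            nets.setdefault(f[1], []).append(ipaddress.ip_interface(f[3]).network)
    return nets

def routes_via(route_text, nic):
    """Return the routing table lines that send traffic out through `nic`."""
    out = []
    for line in route_text.splitlines():
        f = line.split()
        if "dev" in f[:-1] and f[f.index("dev") + 1] == nic:
            out.append(line.strip())
    return out

def check(addr_text, route_text, monitor, block):
    """Return (ok, reason): ok is True when either listed condition holds."""
    nets = nic_networks(addr_text)
    shared = [str(m) for m in nets.get(monitor, [])
              for b in nets.get(block, []) if m.overlaps(b)]
    if not shared:
        return True, "blocking and monitoring NICs are in different subnets"
    stale = routes_via(route_text, monitor)
    if not stale:
        return True, "same subnet, but no routing table entry for the monitoring NIC"
    return False, f"same subnet {shared[0]} and {monitor} still has routes: {stale}"

if __name__ == "__main__":
    print(check(SAMPLE_ADDR, SAMPLE_ROUTES, monitor="eth1", block="eth0"))
```

On a live host, pass the real command output and the actual monitoring and blocking interface names in place of the samples.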

If your network uses 802.1Q VLAN tagging, the NIC used to monitor Internet traffic connects to the switch port with an 802.1Q protocol header. The NIC used for blocking does not need to include the 802.1Q protocol header. As a result, the blocking NIC cannot be connected directly to trunk ports.

If you add a NIC after installing Network Agent, restart the Network Agent service, and then use the Web module of the Forcepoint Security Manager to configure the new NIC.