Connectivity, analysis, and boundary conditions
Configuration Variable | Data Type | Description |
---|---|---|
wtg.config.subscription_key | STRING | Default: NULL. The Forcepoint Web Security subscription key value. |
wtg.config.download_server_ip | STRING | Default: download.forcepoint.com. The hostname or IP address of the download server. |
wtg.config.download_server_port | INT | Default: 443. The port number of the download server. Download also does a license check. |
wtg.config.policy_server_ip | STRING | The IP address of the Policy Server. |
wtg.config.policy_server_port | INT | Default: 55806. The port number of the Policy Server. |
wtg.config.wse_server_ip | STRING | The IP address of the Filtering Service. |
wtg.config.wse_server_port | INT | Default: 15868. The port number of the Filtering Service WISP interface. |
wtg.config.wse_server_timeout | INT | Default: 5000. The maximum timeout period, in milliseconds, for communication with Filtering Service. |
wtg.config.ssl_bypassed_categories | STRING | Default: NULL. A list of category identifiers that will bypass SSL decryption. Do not change the value of this variable. It is included strictly as a troubleshooting aid. Use the Web Security module of the Forcepoint Security Manager to specify categories to bypass SSL decryption. |
wtg.config.ssl_decryption_bypass_ip_based | INT | Default: 0. Whether the SSL category bypass process uses only the IP address (not the hostname) when performing a category lookup. 0 = disabled; 1 = enabled. |
wtg.config.ssl_fail_open | INT | Default: 0. Whether SSL sites are decrypted if Filtering Service becomes unreachable. 0 = all SSL sites are decrypted when Filtering Service is unreachable; 1 = no SSL sites are decrypted when Filtering Service is unreachable. |
wtg.config.fail_open | INT | Default: 1. Whether Content Gateway permits or blocks requests when Filtering Service is unavailable. |
wtg.config.fail_open_analytic_scan | INT | Default: 1. Specifies how Content Gateway behaves should analytic scanning become non-functional or exceed the maximum scan time. Set to: Note: An alarm is raised whenever analytics scanning becomes non-functional. |
wtg.config.fail_open_analytic_scan_size_exceeded | INT | Default: 0. How Content Gateway handles files that are not fully scanned because they exceed the Scan Size Limit set in the Forcepoint Security Manager. |
wtg.config.archive_depth | INT | Default: 5. The maximum depth of analysis performed on archive files. |
wtg.config.max_decompressions | INT | Default: 10. The maximum number of total decompressions to be performed on archive files (per transaction). The value should not exceed 25. |
wtg.config.max_subsamples | INT | Default: 10000. The maximum number of discrete files within an archive file that Content Gateway may decompress and analyze to classify a given transaction. |
wtg.config.zipbomb_action | INT | Default: 1. For internal use. Indicates zip bomb analysis status. Do not change the value of this variable. |
wtg.config.rdnsclients | INT | Default: 0. Enables (1) or disables (0) logging of clients’ hostnames in the log records via reverse DNS. |
wtg.config.ip_ranges_not_to_scan | STRING | Default: 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, 192.168.0.0-192.168.255.255. Internal IP address ranges not to scan. By default, the list is the standard private non-routable IP addresses. Address ranges are hyphenated, with each range separated by a comma. This is especially helpful in explicit proxy deployments in which a PAC file is not used and you want to exclude the standard internal IP addresses from being scanned. |
wtg.config.scan_ip_ranges | INT | Default: 1. Enables (1) or disables (0) bypass of the internal IP address ranges specified in wtg.config.ip_ranges_not_to_scan. See above. |
wtg.config.feedback.enabled | INT | Default: 1. Enables (1) or disables (0) analytic/category feedback to Forcepoint. Set at install time. |
wtg.config.scan_uncat_block | INT | Default: 1. Enables (1) or disables (0) the scanning of blocked, uncategorized URLs. |
wtg.config.filter_unknown_file | INT | Default: 0. When enabled (1), unknown is sent as a valid file type to Filtering Service. |
wtg.config.respond_with_303_on_redirect | INT | Default: 0. When enabled (1), user requests that are not GET or POST are blocked as expected when scanning is enabled, regardless of the User-agent in use. |
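
The following audit script is an added example, not part of the Forcepoint documentation. It checks three settings from the table above: the limit of 25 on max_decompressions, the ssl_fail_open value, and whether the hyphenated, comma-separated ranges in ip_ranges_not_to_scan stay inside the private address space. It assumes the variables are stored as `CONFIG <name> <TYPE> <value>` lines, a layout this page does not show; the sample values and function names are constructed.

```python
import ipaddress

# Constructed sample; the "CONFIG <name> <TYPE> <value>" layout is an assumption.
SAMPLE = """\
CONFIG wtg.config.ssl_fail_open INT 1
CONFIG wtg.config.max_decompressions INT 40
CONFIG wtg.config.scan_ip_ranges INT 1
CONFIG wtg.config.ip_ranges_not_to_scan STRING 10.0.0.0-10.255.255.255, 192.168.0.0-192.168.255.255, 203.0.113.0-203.0.113.255
"""
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_records(text):
    """Return {name: value} for wtg.config.* lines; values may contain spaces."""
    cfg = {}
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0] == "CONFIG" and parts[1].startswith("wtg.config."):
            cfg[parts[1]] = parts[3].strip()
    return cfg

def parse_ranges(value):
    """Parse 'a-b, c-d' into (start, end) address pairs; ValueError if malformed."""
    ranges = []
    for item in (p.strip() for p in value.split(",")):
        if not item:
            continue
        lo, _, hi = item.partition("-")
        start, end = ipaddress.IPv4Address(lo.strip()), ipaddress.IPv4Address(hi.strip())
        if start > end:
            raise ValueError(f"range start is above its end: {item!r}")
        ranges.append((start, end))
    return ranges

def audit(cfg):
    """Return findings for the three settings checked here."""
    findings = []
    if int(cfg.get("wtg.config.max_decompressions", 10)) > 25:
        findings.append("max_decompressions exceeds the documented limit of 25")
    if cfg.get("wtg.config.ssl_fail_open", "0") == "1":
        findings.append("ssl_fail_open=1: no SSL sites decrypted if Filtering Service is unreachable")
    if cfg.get("wtg.config.scan_ip_ranges", "1") == "1":  # 1 = bypass active
        for start, end in parse_ranges(cfg.get("wtg.config.ip_ranges_not_to_scan", "")):
            nets = ipaddress.summarize_address_range(start, end)
            if not all(any(n.subnet_of(p) for p in PRIVATE) for n in nets):
                findings.append(f"scan bypass includes non-private range {start}-{end}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_records(SAMPLE)):
        print(finding)
```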