Configuring forensics data storage

In Forcepoint Web Security deployments, threat-related forensic data can include:

  • Information about the source (IP address, device name, and user) attempting to send the data.
  • Information about the target (IP address, URL, and geographic location) to which the data is being sent.
  • Header information associated with the attempt to send the data.
  • A copy of the actual data being sent (such as a text file, spreadsheet, ZIP file).

If you enable storage of forensics data, you must also specify where the forensics repository (a specialized database) is stored, the maximum size to which it can grow, and how long forensics data is retained.

Steps

  1. Under Incident Data for Forensic Investigation, mark Store forensic data about Threats incidents for further investigation to create the forensics repository.

    If your deployment includes Forcepoint DLP, this new forensics repository is similar to that product’s forensics repository. The smaller repository used by web protection components stores information about only those incidents displayed on the Threats dashboard.

  2. Indicate whether to store forensics details for Blocked requests only, or for All requests (both blocked and permitted).
  3. Specify the Path to the location that will host the forensics repository.
    • The specified directory must already exist.
    • The path can be either local (on the management server) or remote.
    • Make sure that there is enough free space in the selected location for the repository to grow to the maximum size that you specify (below).
  4. Provide credentials for an account with read, write, and delete permissions for the forensics repository directory.
    • Select Use Local System account if neither network access nor special permissions are required to access the directory.
    • Select Use this account to use a domain account, then enter User name, Password, and Domain for the account.
    • Because the repository stores copies of the data that users attempted to send, restrict the directory's permissions to this account and the administrators who need access. Test Connection verifies that the selected account can reach the location; it does not verify that other accounts cannot.

    Click Test Connection to verify that the selected account can access the forensics repository location.

  5. To specify how large the forensics repository can grow, enter a Maximum size in GB (default 20) for the forensics repository.
    • If you are using SQL Server Express, this value cannot be changed.
    • When the maximum size is reached, or records reach the age limit specified for Threats data, records are automatically purged from the repository.
  6. Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.
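The preconditions in steps 3 to 5 (the directory exists, the account can read, write and delete in it, and the location has room for the maximum size) can be checked from the management server before you click Test Connection. The script below is an added example, not part of the Forcepoint product or its documentation; the repository path and size are placeholders, and it must be run in a session under the account you intend to select in step 4. It uses the Win32 GetDiskFreeSpaceEx call for the free-space check because, unlike the local-volume cmdlets, it works for both local directories and UNC shares and reports the space available to the calling account.

```powershell
# Pre-flight check for a Forcepoint forensics repository location.
# Added example: not part of the Forcepoint product or its documentation.
# Assumptions: the path and size below are placeholders; run this in a
# session under the account you intend to select in step 4.
param(
    [string]$RepositoryPath = '\\fileserver\forensics',  # placeholder local or UNC path
    [int]$MaxSizeGB = 20                                  # page default for Maximum size
)

# Win32 GetDiskFreeSpaceEx works for local directories and UNC shares and
# reports the bytes available to the calling account (quotas included).
Add-Type -Namespace ForensicsCheck -Name Disk -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool GetDiskFreeSpaceEx(
    string lpDirectoryName,
    out ulong lpFreeBytesAvailableToCaller,
    out ulong lpTotalNumberOfBytes,
    out ulong lpTotalNumberOfFreeBytes);
'@

$problems = New-Object System.Collections.Generic.List[string]

# Step 3: the directory must already exist; nothing creates it for you.
if (-not (Test-Path -LiteralPath $RepositoryPath -PathType Container)) {
    $problems.Add("Directory does not exist: $RepositoryPath")
} else {
    # Step 4: the account needs read, write and delete on the directory.
    # Exercise all three with a uniquely named probe file.
    $probe = Join-Path $RepositoryPath ("forensics-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        Set-Content -LiteralPath $probe -Value 'probe' -ErrorAction Stop   # write
        $null = Get-Content -LiteralPath $probe -ErrorAction Stop          # read
        Remove-Item -LiteralPath $probe -ErrorAction Stop                  # delete
    } catch {
        $problems.Add("$env:USERDOMAIN\$env:USERNAME cannot read/write/delete in ${RepositoryPath}: $($_.Exception.Message)")
        if (Test-Path -LiteralPath $probe) {
            Remove-Item -LiteralPath $probe -ErrorAction SilentlyContinue
        }
    }

    # Step 5: free space must cover the maximum size the repository may reach.
    $freeToCaller = [uint64]0; $total = [uint64]0; $totalFree = [uint64]0
    $queried = [ForensicsCheck.Disk]::GetDiskFreeSpaceEx(
        $RepositoryPath, [ref]$freeToCaller, [ref]$total, [ref]$totalFree)
    if (-not $queried) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        $problems.Add("Could not query free space for $RepositoryPath (Win32 error $err)")
    } else {
        $requiredBytes = [uint64]$MaxSizeGB * [uint64]1GB
        $freeGB = [math]::Round($freeToCaller / 1GB, 1)
        if ($freeToCaller -lt $requiredBytes) {
            $problems.Add("Only $freeGB GB available to this account at $RepositoryPath; Maximum size is $MaxSizeGB GB")
        }
    }
}

if ($problems.Count -eq 0) {
    Write-Output "OK: $RepositoryPath exists, allows read/write/delete for $env:USERDOMAIN\$env:USERNAME, and has room for $MaxSizeGB GB"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it as `.\Check-ForensicsPath.ps1 -RepositoryPath 'D:\forensics' -MaxSizeGB 20` (script name and arguments are placeholders). A warning from the probe-file step means the account selected in step 4 will fail Test Connection; a warning from the free-space step means the repository could hit the disk limit before it reaches the Maximum size you enter in step 5, so the size-based purge would never run.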