Forcepoint TRITON

The Forcepoint V-Series Content Gateway DSM for JSA supports events for web content from several Forcepoint TRITON solutions, including Web Security, Web Security Gateway, Web Security Gateway Anywhere, and V-Series appliances.

Forcepoint TRITON collects and streams event information to JSA by using the Forcepoint Multiplexer component. Before you configure JSA, you must configure the Forcepoint TRITON solution to provide LEEF formatted syslog events.

Before you can configure Forcepoint TRITON Web Security solutions to forward events to JSA, you must ensure that your deployment contains a Forcepoint Multiplexer.

The Forcepoint Multiplexer is supported on Windows, Linux, and on Forcepoint V-Series appliances.

To configure a Forcepoint Multiplexer on a Forcepoint TRITON or V-Series appliance:

  1. Install an instance of Forcepoint Multiplexer for each Forcepoint Policy Server component in your network.

    • For Microsoft Windows - To install the Forcepoint Multiplexer on Windows, use the TRITON Unified Installer. The TRITON Unified Installer is available for download at http://www.myforcepoint.com.

    • For Linux - To install the Forcepoint Multiplexer on Linux, use the Web Security Linux Installer. The Web Security Linux Installer is available for download at http://www.myforcepoint.com.

    For information on adding a Forcepoint Multiplexer to software installations, see your Forcepoint Security Information Event Management (SIEM) Solutions documentation.

  2. Enable the Forcepoint Multiplexer on a V-Series appliance that is configured as a full policy source or user directory and filtering appliance:

    1. Log in to your Forcepoint TRITON Web Security Console or V-Series appliance.

  3. From the Appliance Manager, select Administration > Toolbox > Command Line Utility.

  4. Click the Forcepoint Web Security tab.

  5. From the Command list, select multiplexer, then use the enable command.

  6. Repeat the preceding steps to enable one Multiplexer instance for each Policy Server instance in your network.

    If more than one Multiplexer is installed for a Policy Server, only the last installed instance of the Forcepoint Multiplexer is used. The configuration for each Forcepoint Multiplexer instance is stored by its Policy Server.

You can now configure your Forcepoint TRITON appliance to forward syslog events in LEEF format to JSA.

Configuring Syslog for Forcepoint TRITON

To collect events, you must configure syslog forwarding for Forcepoint TRITON.

  1. Log in to your Forcepoint TRITON Web Security Console.

  2. On the Settings tab, select General > SIEM Integration.

  3. Select the Enable SIEM integration for this Policy Server check box.

  4. In the IP address or hostname field, type the IP address of your JSA.

  5. In the Port field, type 514.

  6. From the Transport protocol list, select either the TCP or UDP protocol option.

    JSA supports syslog events for TCP and UDP protocols on port 514.

  7. From the SIEM format list, select syslog/LEEF (JSA).

  8. Click OK to cache any changes.

  9. Click Deploy to update your Forcepoint TRITON security components or V-Series appliances.

    The Forcepoint Multiplexer connects to Forcepoint Filtering Service and ensures that event log information is provided to JSA.
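To confirm that the syslog/LEEF (JSA) setting above is producing LEEF events, the following added example (not part of the original documentation) checks captured syslog lines for the LEEF 1.0 header and splits out the tab-separated attributes. The sample lines, their vendor and product strings, and the attribute names are constructed for illustration; capturing the lines on a test syslog receiver is an assumption.

```python
import re
import sys

# Constructed sample lines (not captured from a real appliance); header values
# and attribute names are illustrative only.
SAMPLE_LEEF = ("<159>Dec 13 10:22:22 192.0.2.10 LEEF:1.0|Forcepoint|Security|8.0|"
               "transaction:permitted|sev=1\tsrc=198.51.100.7\tdst=203.0.113.5\tdstPort=443")
SAMPLE_PLAIN = "<159>Dec 13 10:22:23 192.0.2.10 filtering: permitted 198.51.100.7"

# LEEF 1.0 layout: LEEF:1.0|Vendor|Product|Version|EventID| followed by
# tab-separated key=value pairs. LEEF 2.0 custom delimiters are not handled here.
LEEF_RE = re.compile(r"LEEF:(?P<leef_version>1\.0)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
                     r"(?P<version>[^|]*)\|(?P<event_id>[^|]*)\|(?P<attrs>.*)$")


def parse_leef(line):
    """Return header fields plus an 'attrs' dict, or None if the line is not LEEF 1.0."""
    match = LEEF_RE.search(line)
    if match is None:
        return None
    event = match.groupdict()
    attrs = {}
    for pair in event.pop("attrs").split("\t"):
        key, sep, value = pair.partition("=")
        if sep and key:  # skip fragments that are not key=value
            attrs[key.strip()] = value
    event["attrs"] = attrs
    return event


def check_stream(lines):
    """Count LEEF and non-LEEF lines so a wrong SIEM format selection stands out."""
    result = {"leef": 0, "not_leef": 0, "event_ids": set()}
    for line in lines:
        event = parse_leef(line.rstrip("\r\n"))
        if event is None:
            result["not_leef"] += 1
        else:
            result["leef"] += 1
            result["event_ids"].add(event["event_id"])
    return result


if __name__ == "__main__":
    # Pipe captured syslog lines on stdin, or run with no input to use the samples.
    source = sys.stdin if not sys.stdin.isatty() else [SAMPLE_LEEF, SAMPLE_PLAIN]
    print(check_stream(source))
```

A non-zero `not_leef` count for lines arriving from the Multiplexer suggests the SIEM format list is not set to syslog/LEEF (JSA) or that the changes were not deployed.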

Syslog Log Source Parameters for Forcepoint TRITON

When you add a Forcepoint TRITON log source on the JSA Console by using the syslog protocol, there are specific parameters you must use.

The following table describes the parameters that require specific values to collect syslog events from Forcepoint TRITON:

Table 1: Syslog Log Source Parameters for the Forcepoint TRITON DSM

| Parameter | Value |
|---|---|
| Log Source Name | Type a name for your log source. |
| Log Source Description | Type a description for your log source. |
| Log Source type | Forcepoint V Series |
| Protocol Configuration | Syslog |
| Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from Forcepoint TRITON or V-Series appliance. |