KB Article | Forcepoint Support

Notes & Warnings

Important: The KB articles provided may require you to log in to https://support.forcepoint.com to view them. If you do not have an account, create a customer account. If you have an account but cannot log in, contact Support for assistance.

Resolution

Forcepoint Security Web products use Network Agent to monitor protocol traffic outside of HTTP, HTTPS and FTP, or as the filtering method in a Stand-Alone environment.

The four sections for this article include:

- Diagnostic Tools
- Stand-Alone
- Content Gateway
- Seat Count

Note: The featured content listed may apply to multiple products and versions. Verify the products and versions stated in the article to ensure you are reviewing the correct featured content for your configuration.

Diagnostic Tools

The following tools can be used to troubleshoot or verify information in a Network Agent environment.

Troubleshooting Forcepoint services using ConsoleClient
This article explains how to use ConsoleClient.

How to determine category, disposition, and other information for a URL using WebsensePing
This article explains how to use WebsensePing.

Use Wireshark to troubleshoot Forcepoint URL Filtering
This article explains how to use Wireshark for packet captures.

Debugging Network Agent
This article gives various instructions for debugging Network Agent.

Network Agent Doesn't Display Any Web Traffic
This article explains how to use the Debug Mode available to Network Agent.
 

Stand-Alone

In a Stand-Alone integration, Network Agent is the primary service in the deployment that Filtering Service uses to communicate and send block pages. This is generally on a Windows server and used in smaller deployments.

Configuration

Network Agent Standalone Topology and Setup
This article explains where Network Agent resides in a deployment's network topology.

Configuration settings for Network Agent filtering 
This article explains the different settings within Network Agent for configuration.

Network Agent and Microsoft Hyper-V or VMware
Hyper-V and Network Agent have issues due to problems with promiscuous mode on a virtual NIC.

Filtering protocol traffic from Citrix users in Stand-Alone mode
This article explains how to properly use Network Agent when integrated with a Citrix environment.

"Default bandwidth for network" and "Default bandwidth per protocol" for Network Agent
This article explains the options within Network Agent for bandwidth optimization.

Blocking a Specific Port via Network Agent
This article details the method of creating a specific port protocol filter for Network Agent.

Permitting HTTPS sites when using a Limited Access Filter
This article details what is necessary to add an HTTPS site to a Limited Access Filter, or how to recategorize an HTTPS site to a custom category when SSL Decryption is not available.

Keeping internal traffic from being logged in reports
This article explains how to stop filtering for internal traffic.

Excluding servers or computers from Network Agent filtering
This article explains how to exclude machine IP addresses or IP address ranges from Network Agent filtering.

Limitations
The majority of limitations for Network Agent stem from Stand-Alone integrations being unable to perform SSL Decryption. 

Network Agent Limitations
This article combines some of the articles below with other information about what Network Agent on its own cannot properly do. Most of the information is related to HTTPS connections.

Network Agent does not detect Gmail Chat
Gmail Chat, GTalk and G-Chat use SSL for communication.

Tor protocol not blocked
Tor uses SSL encryption for communication.

Unable to block UltraSurf
Ultrasurf also uses SSL encryption for communication.

HTTPS sites are not recategorized when the hostname is entered
As SSL Decryption is not performed, a hostname cannot be used for URLs. 

Users are not blocked when changing the URL to HTTPS
With websites that may have HTTPS and HTTP variants, unless the IP is also blocked, users may attempt to circumvent filtering as SSL Decryption is not present.

Monitoring and filtering sites accessed through VPN using a Stand-Alone deployment
As SSL Decryption is not available, and VPNs use encrypted tunnels, Network Agent cannot provide monitoring or filtering for VPN traffic.

Troubleshooting

Troubleshoot Network Agent sizing or load issues
This article goes over how to use ConsoleClient to verify potential load issues. Most commonly, the problem is that block pages do not appear and users are not filtered during certain parts of the day.

Block page does not display for Web Standalone environments
This article goes over troubleshooting why a block page is not working. Note that this does not include HTTPS block pages, as those require SSL Decryption.

Re-registering Filtering Service and Network Agent
This article explains how to both re-register and re-install Filtering Service and Network Agent on Windows servers.

Users are not filtered or reports are blank when using Network Agent
This article gives information for troubleshooting logging and filtering issues with Network Agent.

No Bandwidth In Reports
This article explains how to enable advanced logging for Network Agent.

Protocol filtering is not working when PIX/ASA is between NA server and client
This article is specific to deployments that are using a PIX/ASA to communicate to Filtering Service while Network Agent also resides in the environment for protocol traffic.

Network Agent Error: No Gateway Found
This error is specific to Monitoring NICs where an IP has been defined. Forcepoint does not recommend using an IP on a Monitoring NIC.
 

Content Gateway

When Content Gateway is used with an Appliance (V or X series) or Virtual Appliance, Network Agent can also be hosted on the same machine to perform non-standard protocol filtering. When SSL Decryption is active in Content Gateway, Content Gateway takes over the filtering responsibilities for HTTP and HTTPS traffic, and the Network Agent limitations for SSL are no longer an issue.

Network Agent Service not starting on appliance after upgrade
This issue is specific to 8.4 or higher after upgrading and requires Tech Support assistance.

Disable Network Agent on Appliances
This article explains how to disable the Network Agent service on Appliances.

Double filtering results in double logging
If Network Agent isn't configured to ignore traffic from proxies or Citrix, double filtering and double logging occur.

"No monitoring Network Interface Card is configured for the Network Agent" Health Alert
This alert happens if Network Agent isn't properly configured for an Appliance. 

Network Agent module is grayed out in Appliance Manager
This issue happened in versions 7.7-8.2 only. 

Error message: "FTP Error Connection Reset by Peer"
This error happens when the Proxy is not properly configured in Network Agent.

Error "Connection Reset By Peer" when proxied through Content Gateway with Network Agent enabled
This error also happens when the Proxy is not properly configured in Network Agent.

V-Series Appliance Network Agent connection lost
This issue is specific to the N interface having lost connection. 

Tunneled protocols not detected by Websense Content Gateway
There are 3 scenarios in this article. Two are corrected by using Network Agent on the appliance, and one is corrected by enabling SSL Decryption.
 

Seat Count

Seat Count, also known as Subscription Level, is the number of "seats" available on the purchased Web subscription. Exceeding Seat Count can lead to users not being filtered, or being blocked entirely from the internet.

Hard Subscription Enforcement Removed
Users filtering through Content Gateway are not affected if seat count is exceeded. 

Finding Subscription Level and Expiration Date
This article explains where to find the number of purchased seats for a license as well as its expiration date, and how to determine whether users are allowed to the internet with no filtering or blocked entirely from the internet if the seat count is exceeded.

How to use DiagClient to verify the subscription count from Filtering Service on an appliance
DiagClient can be used to find a seat count for both Content Gateway and Stand-Alone deployments. For Content Gateway, this is useful when determining load issues.

Finding a seat count and IP address list for users
ConsoleClient can also be used to pull information for a seat count. 

Understanding Subscription Tracker results 
This article explains how to read the results from ConsoleClient or DiagClient with regard to seat count.
