KB Article | Forcepoint Support

Notes & Warnings

Important: The KB articles provided may require you to log in to https://support.forcepoint.com to view them. If you do not have an account, please Create a Customer Account. If you have an account but cannot log in, Contact Support for assistance.

Important: When debugging a service, stop the debug afterwards by undoing the changes, so that the hard drive does not fill up with logs. A hard drive filled with logs can result in:

  • Total loss of filtering.
  • Total loss of logging.
  • Total loss of internet access if failing closed.
  • Instability causing the configuration to break (particularly config.xml), requiring either applying a backup or reinstalling the software.

When in doubt, raise a case with Technical Support for assistance with debugging a Forcepoint product.

Problem Description

What are the Forcepoint troubleshooting tools for Web?

Resolution

This article goes over the different available tools for Web troubleshooting. Some are Forcepoint specific, others are third party or suggested tools. 

General

These general articles are commonly used links for troubleshooting that are not specific to any one Forcepoint tool. This section is separated into:
Forcepoint Downloads, Installers and Hotfix Information
This article gives basic instructions for CLI hotfixes, as well as disambiguation of the different fields on a hotfix download page.

Forcepoint System Requirements
This article links to the different system requirements for products by version.

Finding out how a site is categorized
This article gives a brief overview of CSI, Site Lookup, and also how to use the URL Lookup Tool within the Forcepoint Security Manager.

CSI: ACE Insight and Site Lookup Tool
This article gives instructions on how to use the CSI and Site Lookup tools for URL re-categorization requests. 

Test Web Filtering using Testdatabase
This article explains how to use the testdatabasewebsense page. 
 
Testing data throughput for Content Gateway and Cloud
Speed tests run through the proxy will not give accurate results due to how Content Gateway and Cloud transform the traffic for scanning.

Test for Antivirus Scanning Exceptions for Forcepoint Products
This article explains how to run an EICAR antivirus test file to ensure that antivirus is not scanning the Forcepoint directories.

DNS causing latency with Content Gateway proxy
GRC DNS Benchmark is a DNS troubleshooting tool for latency issues.

Use Wireshark to troubleshoot Forcepoint URL Filtering
This article explains how to use Wireshark Packet Captures on Windows servers for network troubleshooting, as well as how to read them.

Running a packet capture on Content Gateway with tcpdump
This article explains how to get a packet capture on a Content Gateway for network troubleshooting, which can be opened in Wireshark. 

Telerik Fiddler
Fiddler is a third-party tool that can be used similarly to Wireshark for troubleshooting. See Telerik's Getting started with Fiddler page for instructions on using the tool.

PuTTY
PuTTY is used to SSH into a Linux device, such as an appliance or Content Gateway. In version 8.3, key algorithms have changed; see "Couldn't agree a key exchange algorithm" - Error with SSH Tools PuTTY and WinSCP for versions for information.

WinSCP
When files need to be transferred from or to an appliance during troubleshooting, Tech Support may request to use WinSCP due to the dual layer authentication needed to access appliances. In version 8.3, key algorithms have changed; see "Couldn't agree a key exchange algorithm" - Error with SSH Tools PuTTY and WinSCP for versions for information.

Collecting browser debug logs
This article goes over how to create a .HAR file directly in browsers for basic traffic capture for a website. This is mostly used in Hybrid or Cloud cases.
 

ConsoleClient

This is an older but still functioning tool used in Command Prompt, or with root access in an appliance. This section is separated into:
This issue is caused by Troubleshooting Ports being closed on the appliance.
 
This issue is specific to performing Filtering Service lookups with ConsoleClient. 
See the attached PDF from the article for different instructions. This is a general overview of using ConsoleClient.
 
Troubleshooting Transparent Identification Agents with ConsoleClient
This article goes over specifically how to troubleshoot DC Agent, Logon Agent, eDirectory or Radius Agent. 
 
This article goes over the steps for enabling troubleshooting ports and how to pull Quota time for Filtering Service on appliances and on Windows. 
 
This article gives specific information for debugging Network Agent using ConsoleClient. 
 
This article goes over the steps for a WISP trace, which is used for filtering issues.
 
This article goes over the steps for enabling troubleshooting ports and how to pull the seat count for Filtering Service on appliances. 
 

    DiagClient

    This is a newer tool similar to ConsoleClient that has a GUI. Functionally, the information pulled from DiagClient is the same as from ConsoleClient. DiagClient is most often used for diagnosing User Identification issues. This section is separated into:
    This gives instructions to disable DiagClient in versions 7.8-8.4 that are native to 8.5. To properly use DiagClient, these settings have to be undone temporarily.
     
    The enablement is not meant to stay turned on at all times, as DiagClient was turned off due to a vulnerability. When finished with DiagClient, undo the changes.

    Usage
    Launching the Visual Diagnostic Tool (DiagClient)
    DiagClient is launched from the DiagClient.bat file located in Websense\Web Security\bin.
     
    Collecting user maps with Websense Visual Diagnostic Tool (DiagClient)
    This article goes over how to collect user maps for DC Agent in DiagClient.

    How to use DiagClient to verify the subscription count from Filtering Service on an appliance
    This article goes over the steps for enabling troubleshooting ports and how to pull the seat count for Filtering Service on appliances.
     

    WebsensePing

    This is an older tool used for category lookups, primarily on Windows servers. 
     
    How to determine category, disposition, and other information for a URL using WebsensePing
    This article explains the basic functions of using WebsensePing.

    Finding the Category of a URL with WebsensePing
    This article explains how to use WebsensePing specifically for URL Category lookup.
     
    Using WebsensePing to show you which Policy applies
    The return information from WebsensePing can be specified using -m 18 to show user name, user IP and which policy was applied. 
     

    TestLogServer

    This tool is used to view the information being sent to the Log Server for filtering troubleshooting, particularly category information for URLs. More importantly, it can help identify DNS issues if the correct category is returned for a website's IP address but not for its URL hostname. This section is separated into:
    Troubleshooting the Tool
    Source IP In Testlogserver Coming Up As 0.0.0.0
    This specific error happens when IP addresses are not logged.

    Usage
    Running TestLogServer
    This article explains how to run TestLogServer in the environment.

    Using TestLogServer with Web Filtering
    This article explains how to use TestLogServer in both Windows and Linux.

    Running TestLogServer without stopping the Log Server service
    Without these steps, logging to the Log Server stops for as long as TestLogServer is configured.

    TestLogServer parameters
    This article explains all of the different parameters for TestLogServer, including displaying data for a single IP address or outputting into a text file.

    Understanding TestLogServer output
    This article gives a description for each of the fields in the output for TestLogServer. 

     

    Logs and Debugs

    There are numerous logs that may exist for Web Security, Content Gateway and Hybrid located in various locations on the server for debugging purposes. Some debugs are available for viewing while others require Technical Support assistance. This section is separated into:

     

    Content Gateway
    Enabling and disabling user Authentication debug output
    This is used for debugging issues with Rule Based Authentication. 

    Enabling Content Gateway debugging and locating relevant log files
    This article explains how to turn on logging and use debug tags for more information. 

    Collecting an extended.log, error.log or messages output from the Content Gateway
    The three files mentioned in this article are the most common Content Gateway logs, aside from the content_gateway.out, that are viewed when troubleshooting with Technical Support.

    Explanation of the WCG Transaction Logs
    This article gives information on how to read the Extended.log and Error.log found in Content Gateway.

    Appliance Configuration Summary
    This summary contains most of the logs necessary for properly troubleshooting Appliance issues. 
     

    Web Security 
    Running the Config Uploader Utility
    This utility works on both Windows and Content Gateways where Web is installed (appliances). Similar to Appliance Configuration Summary, it grabs all available logs for troubleshooting. 

    Debugging the Log Server service
    Log Server can use the -debug tag start parameter in Services.

    Debugging the User Service
    Debugging User Service for its communication with Active Directory can be turned on by swapping file names.

    Debug eDirectory Agent - Verify Identification Accuracy
    This debug is used for eDirectory Agent user identification issues.

    Running a debug trace on Logon Agent
    This debug is specifically for the Logon Agent service on the Windows server.

    Debugging LogonApp.exe for Logon Agent
    This debug is specifically for the executable run on client machines.

    Debugging Network Agent
    This debug article has many different steps to take for troubleshooting Network Agent. 


    Web Cloud Hybrid
    Debugging the Hybrid Sync Service
    This debug for Sync Service is done where Sync Service is in use, meaning either on Windows or an appliance.

    Starting and stopping the Direct Connect Endpoint Services
    This explains how to stop and start the endpoint via command line. The anti-tamper password and administrator access must be available.

    Logs to be collected for Direct Connect and Proxy Connect Endpoint
    This article goes over all of the common files to collect for Web Endpoint issues.
