KB Article | Forcepoint Support

Problem Description

Using ICAP servers for DLP scanning with Forcepoint Next Generation Firewall (Forcepoint NGFW) has the following limitations:

  • The File Filtering Policy allows you to configure DLP scanning for various protocols. However, DLP scanning is recommended only for outbound file transfers that use the FTP, HTTP, and HTTPS protocols.
  • Forcepoint NGFW currently supports only the "Local" Auth-Scheme with the X-Authenticated-User header. For more information about the X-Authenticated-User header, see https://tools.ietf.org/html/draft-stecher-icap-subid-00#section-3.4.


To integrate a DLP solution that uses the ICAP protocol with Forcepoint NGFW, the DLP solution must provide an ICAP server that:

  • Supports the “204 No Content” response for the Allow action in the File Filtering Policy.
  • Supports X-Authenticated-User headers with the “Local” Auth-Scheme if the DLP solution expects user to be identified in the ICAP transactions.

Forcepoint DLP includes an ICAP server. However, this solution does not currently support X-Authenticated-User headers with the “Local” Auth-Scheme. For this reason, it is not possible to match users with the Forcepoint DLP policy when you use Forcepoint DLP with Forcepoint NGFW.

Article Feedback

Thank you for the feedback and comments.