KB Article | Forcepoint Support

Notes & Warnings

This issue applies only to web security installations that do not use SSL decryption, such as:
  • Web security in standalone mode with Network Agent
  • Filtering Service is integrated with a Cisco PIX/ASA, NetScreen, or SonicWALL firewall without SSL Decryption
In these cases, you must provide the IP address to recategorize an HTTPS site. In versions 8.3 or 8.4, hostnames are recognized when the SNI for the HTTPS site appears in the Client Hello. However, if the SNI does not appear in the Client Hello, you must recategorize the site by IP address using the instructions in this article.

Problem Description

HTTPS sites are not recategorized when the hostname is entered.


If your installation is not using SSL decryption, or if the site SNI is not found in the Client Hello in an 8.3 and higher Network Agent standalone deployment, you must provide the IP address to recategorize an HTTPS site as it will not have visibility for the hostname for recategorization.

Find the site IP address

If you need to find the site IP address, use the ping utility. To ping a site:
  1. Open a command prompt.
    1. In Windows, click the Start button.
    2. In the Search programs and files search box, type cmd, and then press Enter.
  2. In the Command Prompt window, use the nslookup command if you need establish the website's IP address(es). For example: 
    nslookup forcepoint.com
Note: If a site that you need to recategorize uses multiple IPs or an IP range, contact the site owner or site FAQ for the full list of IP addresses.

Recategorize an HTTPS site

To recategorize the HTTPS site:
  1. Open Forcepoint Security Manager.
  2. Click the Web tab.
  3. On the left side of the page, click the Main section.
  4. Click Policy Management, and then click Filter Components.
  5. Click Edit Categories.
  6. Click the category you want to apply to the site.
  7. On the right, in the Recategorized URLs section, click Add URLs.
  8. In the box, enter each IP address associated to the site in the form:
    https://<IP address>:443
    1. Enter each IP address on a single line. IP ranges and CIDR format are not recognized.
    2. Because these are HTTPS sites, you must add port 443 to the end of the address. For example:
  9. Click OK to return to the previous page.
  10. Click Save and Deploy to commit the changes.


Recategorize an IP Range

Using Filter Components for a Custom Category in Forcepoint Security Manager will not allow IP ranges or CIDR notation. The only way to recategorize a range is to use Regular Expressions. For information, please see: Using Regular Expressions.

Whenever possible, avoid using Regular Expressions, as their complexity increases load on the Filtering Service.
Using regular expressions as filtering criteria typically increases CPU usage. Tests have shown that with 100 regular expressions, the average CPU usage on the Filtering Service machine increased dramatically.   In addition, improper regular expressions can have a greater impact.
Forcepoint Technical Support policies prevent technicians from assisting customers in the creation of regular expressions. It is a legal liability to provide customers with regular expressions if they do not work as intended or causes harm to the system. Therefore, regular expressions is a feature that is provided "as is" with no direct support that is intended to enhance the filtering capabilities and is the responsibility of the customers to learn and implement regular expressions and to thoroughly test the regular expression to avoid causing undue harm to the environment as to not overblock or underblock or cause the Filtering Service to max out the CPU utilization.  The information contained here are for informational purposes only, and can cause filtering issues if used inappropriately such as not knowing *exactly* what you're doing. 
Adding Regex Expressions to a proxy can incur a dramatic impact on performance. A handful or few dozen Regex Expressions can cause the proxy to fail due to excessive load. As customer's networks are not generally the same, no rule of thumb is available for using Regex expressions.  Every network should be analyzed individually to ensure an overload condition does not occur.

Keywords:  network agent; ssl decryption; custom category; filtering; policy

Article Feedback

Thank you for the feedback and comments.