KB Article | Forcepoint Support

Problem Description

There are two scenarios in which Network Agent filtering may have complications:

  • All services are running, yet users are not filtered and no error messages are displayed. Why are users not being blocked?
  • Users are being filtered correctly, but reports only show HTTP traffic generated from the Forcepoint server. Why is HTTP traffic not logged for all users?

Resolution

Network Agent is the component that enables filtering of all protocols (HTTP and non-HTTP) in a Stand-Alone Forcepoint installation. When an integration product passes HTTP/HTTPS traffic to Forcepoint, Network Agent filters non-HTTP protocols, enables bandwidth-based filtering restrictions, and collects enhanced HTTP log data for reporting.

In order for Network Agent to filter and log traffic properly, it must first be positioned to monitor network traffic. In other words, a network span must be enabled, usually on the core switch, to send mirrored traffic to the Network Agent service.

Please refer to the following articles for how to configure Network Agent:

Note: After traffic is directed to Forcepoint and users are successfully blocked, ensure that HTTP traffic is also logged to the SQL reporting database. A configuration setting in Forcepoint Security Manager may log all traffic except HTTP. To test, generate a protocol report on HTTP traffic.

Why is HTTP traffic not logged for all users?

This issue is seen when Filtering Service is receiving lookup requests from an integration, enhanced logging is enabled (Filter and log HTTP requests option), and no span is configured. To confirm:

  1. Open Forcepoint Security Manager.
  2. Navigate to Main > Investigative Reports > Internet User by: > Protocol.
  3. The default report should show the current day's traffic. HTTP should be the majority of the traffic shown.


If not, then check the ‘Filter and log HTTP requests’ and ‘Filter non-HTTP protocol request’ options.

  1. Open Forcepoint Security Manager.
  2. Navigate to Settings > Network Agent > Global > IP Address > NIC-x (the monitoring NIC) > NIC configuration page.
  3. When integrated with a firewall, proxy server, router, or any other non-stand-alone Network Agent:
    • If a network span is enabled, then “Filter and log HTTP requests” should be checked.
    • If a network span is not enabled, then uncheck “Filter and log HTTP requests”.
If enhanced logging is required and Forcepoint is installed in an integrated mode, then a network span must also be enabled to send traffic to the Network Agent service. See Network Agent Standalone Topology and Setup and Configuration settings for Network Agent filtering.

Troubleshooting:

  • Stop Network Agent and look for new HTTP traffic in reports. If HTTP traffic is seen, then the bi-directional span was not really enabled.
  • Install Wireshark and check for HTTP traffic. HTTP traffic should show source IPs of most users in the network. See Use Wireshark to troubleshoot Forcepoint URL Filtering for instructions. 
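
The Wireshark check above can also be scripted. The following Python is an added example, not Forcepoint code or part of the original article: it reads a capture taken on the monitoring NIC and reports whether HTTP requests come from several user IPs or only from the Forcepoint server itself. The function names, verdict strings, and addresses are assumptions for illustration, and the two embedded captures are constructed.

```python
import socket
import struct

def http_sources(pcap):
    """Count packets per source IP for IPv4/TCP traffic to port 80 in a classic pcap."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None or struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet link type")
    counts, off = {}, 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        # Mirrored trunk ports often carry an 802.1Q tag, which shifts the IP header.
        ip = 18 if frame[12:14] == b"\x81\x00" else 14
        if frame[ip - 2:ip] != b"\x08\x00" or len(frame) < ip + 20:
            continue                          # not IPv4, or truncated
        tcp = ip + (frame[ip] & 0x0F) * 4
        if frame[ip + 9] != 6 or len(frame) < tcp + 4:
            continue                          # not TCP
        if struct.unpack("!H", frame[tcp + 2:tcp + 4])[0] == 80:
            src = socket.inet_ntoa(frame[ip + 12:ip + 16])
            counts[src] = counts.get(src, 0) + 1
    return counts

def span_verdict(counts, agent_ip):
    """Classify what the monitoring NIC saw (verdict names are assumptions)."""
    if not counts:
        return "no-http-seen"
    if set(counts) <= {agent_ip}:
        return "local-only"       # only the server's own traffic: span not delivering
    return "span-delivering"

def make_frame(src, vlan=False):
    """Constructed test frame: Ethernet + IPv4 + TCP SYN to 192.0.2.80:80."""
    eth = b"\x02" * 12 + (b"\x81\x00\x00\x0a" if vlan else b"") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton("192.0.2.80"))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, 1024, 0, 0)
    return eth + ip + tcp

def make_pcap(frames):
    """Wrap constructed frames in a little-endian classic pcap container."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

AGENT = "10.0.0.5"  # constructed address standing in for the Forcepoint server
BROKEN = make_pcap([make_frame(AGENT), make_frame(AGENT)])
WORKING = make_pcap([make_frame(AGENT), make_frame("10.0.1.21"), make_frame("10.0.1.22", vlan=True)])
```

To use it on a real capture, save the file from Wireshark in classic pcap format (not pcapng) and pass its bytes to http_sources.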

 
