KB Article | Forcepoint Support

Notes & Warnings

Note On 8.4+ versions if using the appliance's own proxy to download the master database; if the SSL inspection is not enabled on the proxy settings the download will fail with a Status 502 <Connection reset by peer/104>
Other errors to looks for "'http://download.forcepoint.com/' (marked address invalid)" and "DPM Plugin failed to initialize (disabled). Exception caught: DPMPlugin construction: ssl decryption is disabled"

To check if SSL Inspection is enabled:
  1. Log into the Content Gateway Manager of the affected Appliance.
  2. Navigate to Configure > My Proxy > Basic.
  3. Enable SSL Inspection and select apply. (restart required)

Note If you are using Integrated Windows Authentication (IWA), ensure that a Proxy Authentication bypass has been added for the download.

To check if IWA is enabled:
  1. Log into the Content Gateway Manager of the affected Appliance.
  2. Navigate to Configure > My Proxy > Basic.
  3. Check if Integrated Windows Authentication has been enabled.
If IWA is enabled check the filter.config:
  1. Navigate to Configure > Security > Access Control. The filter.config page is the default first page in this section.
  2. Look for the following entries
    • forcepoint.com
    • websense.com
    • IP range of 169.254.254.1-169.254.254.130
  3. If these entries do not exist please add them to the filter.config. You may add both the Domain and IP ranges if preferred.
    1. Click Edit File.
      • To add the entries as a Domain:
        1. Under Rule Type, select allow
        2. Under Primary Destination Type, select dest_domain.
        3. Under Primary Destination Value, type one of the following depending on version:
          • Version 8.5.x and higher: forcepoint.com
          • Version 8.4 and prior: websense.com
        4. Click Add.
        5. Once added it should appear in the box above the configuration options, now click Apply to enforce the rule.
      • To add the entries as an IP range:
        1. Under Rule Type, select allow
        2. Under Primary Destination Type, select dest_domain.
        3. Under Primary Destination Value, type just a period ( . )
        4. Under Secondary Specifiers, locate Source IP
        5. Type 169.254.254.1-169.254.254.130
        6. Click Add.
        7. Once added it should appear in the box above the configuration options, now click Apply to enforce the rule.
  4. After clicking Apply, click refresh on the filter.config list to verify the entries have been added.
  5. No proxy restarts are required to enable the new filter rules.
For more information on Authentication bypass, see Implement an Authentication Bypass in the Content Gateway.
 

Problem Description

There is a database download failure message being received on the Forcepoint V-Series, X-Series, or Virtual Appliance. 

Also, the Forcepoint Security Manager displays the following image for the status of the download:


User-added image

 

Resolution

In order to resolve the issue, follow the troubleshooting options below.
  1. Manually start the database download
    1. Open the Forcepoint Security Manager, switch to the appliance that is failing.
    2. Click Main > Status > Dashboard > Database Download
    3. Select the Filtering Service IP address and click Update.
A progress screen will show the progress of the database download. Sometimes, it may require a refresh of the screen to see the progress bars moving.
  1. Verify that the Subscription Key is valid
    1. Open the Forcepoint Security Manager (formerly TRITON).
    2. Click Web > Settings > General > Account.
    3. Verify that the subscription key has not expired.
  2. Verify the database download schedule
    1. Open the Forcepoint Security Manager.
    2. Click Settings > General > Database Download
    3. View all options to ensure settings are configured to download daily.
  3. Verify that there is enough disk space on the appliance
    1. Open the Forcepoint Security Manager.
    2. Click Web > Main > Status > Alerts.
    3. Verify that there are no active alerts notifying of low disk space on the appliance.
 
User-added image
 

Note If there is an alert about low disk space, contact Forcepoint Support for assistance in identifying what is taking up disk space.
  1. Check memory and CPU usage
    • Open the Forcepoint security appliance Manager (FSAM), select the appliance and click status > usage  (for versions 8.2 and earlier, open the Appliance Manager and click Status > CPU and Memory)

Note If memory and CPU usage are high, additional Memory and CPU may be allocated to the Websense Web Security module. If the Network Agent module is not being used to filter spanned traffic, then try disabling the network agent module and restarting the appliance.

  1. Check to ensure that the firewall in your environment is not blocking downloads.
  1. Restart the Websense Web Security services.
    1. From the FSAM, select the appliance and click status, use the cogwheel next to "Web services" to stop the services (for versions 8.2 and earlier, open the Appliance Manager, click Module > Websense Web Security > Stop services)
    2. After all services are stopped, click Start Services.
    3. After all services are running again, test by manually downloading the database (Step 1).
​Note Refer to the CLI guide for instructions on starting and stopping services for appliance versions 8.3 and later .
  1. ​Restart the Appliance
    1. From the FSAM, select the appliance and click status, use the cogwheel next to "General" to restart the appliance (for versions 8.2 and earlier, open the Appliance Manager, click Modules > Appliance > Restart Appliance)
    2. After the appliance restarts, test by manually downloading the database (Step 1).
Important When content gateway is used as an integration, traffic flow through proxy module will be impacted.
  1. The appliance needs to be able to download through the C interface
    1. To check connectivity, open the CLI and run the "wget --url https://download.forcepoint.com --module web" from the diagnose mode as shown below (for version 8.2 and earlier, open the Appliance Manager, Click Administration > Toolbox > Command Line Utility > Launch Utility, set the following parameters: "Module: Websense Web Security, "Command: wget", "URL: download.forcepoint.com" and click Run)
The URL should connect and a sample index.html file will download. The following message will display, analyze the output to determine if DNS resolution is successful, if TCP connection is successful.
 
Wget output
  1. If the connection in option 9 fails, then use nslookup, ping, and tracert to further troubleshoot.
    1. Use nslookup to verify the Filtering Service is able to resolve URLs to the IP address
  • Open the CLI and run the command "nslookup --module web --host download.forcepoint.com" from the diagnose mode (for version 8.2 and earlier, open the Appliance Manager and click Administration > Toolbox > Command Line Utility > Launch Utility, select the following parameters: "Module: Websense Web Security", "Command: nslookup", "Host: download.forcepoint.com", "DNS server: <DNS server IP>" and click Run)
Note If an IP address is not returned, check if the configured DNS servers are working, reachable from C interface. To view the DNS server configured under web module, run the command "show interface info" from view mode, refer the "WEB" section in the output. If a DNS server is not configured in "WEB" section, configure one.
  1. Run the ping command to check connectivity using different interfaces
  • Open the CLI and run the command "ping --module web --dest download.forcepoint.com" from the diagnose mode (for version 8.2 and earlier, open the Appliance Manager and click Administration > Toolbox > Command Line Utility > Launch Utility, select the following parameters: "Module: Websense Web Security", "Command: ping -l", "Interface: C", "Destination: download.forcepoint.com" and click Run)
Note If the connection fails, test by entering an IP address as the destination. This eliminates DNS.
  1. Run the traceroute command to show the route taken by the packet
  • Open the CLI and run the command "traceroute --module web --dest download.forcepoint.com" from the diagnose mode (for version 8.2 and earlier, open the Appliance Manager and click Administration > Toolbox > Command Line Utility > Launch Utility, select the following parameters: "Module: Websense Web Security", "Command: tracert", "Destination: download.forcepoint.com" and click Run)
Note If the connection fails, test by entering an IP address as the destination. This eliminates DNS.
 
  1. If Wget is successful, verify if the latest web and app hotfixes are installed, refer Installing hotfixes for appliances on version 8.3 and above.
  2. Proxy the database download through the P1 interface
By default, the Master Database downloads are done through the C interface on the V-Series appliance. If the C interface is unable to access the Internet due to the network infrastructure, then a different route needs to be used. To enable database downloads using the P1 interface, complete the following steps:
  1. Open the Forcepoint Security Manager.
  2. Click Settings > General > Database Download.
  3. Under Proxy Server or Firewall, select the Use proxy server or firewall box.
  4. Type either:
  • ​The physical IP address of the P1 interface
  • The P1 virtual interface 169.254.254.1
Note For either IP, the default proxy port is :8080
  1. Download the Master Database manually (Note will require Forcepoint Support assistance for users with appliances)
    1. Log on to the appliance as the root user.
    2. Type ssh wse to move to the WSE container.
    3. Type cd/opt/Websense and press Enter.
    4. Type ./WebsenseAdmin stop and press Enter to stop all services.
    5. Type cd /opt/Websense/bin and press Enter.
    6. Type mv *.p12 /tmp -f and press Enter.
    7. Type mv *.xfr /tmp -f and press Enter.
    8. Type mv *.idx /tmp -f and press Enter.
    9. Type mv journal.dat /tmp -f and press Enter.
    10. Type rm -f -r Websense and press Enter.
    11. Type rm -f -r supplemental.db and press Enter.
    12. Type cd/opt/Websense and press Enter.
    13. Type ./WebsenseAdmin start and press Enter to start all services.
  2. Contact Forcepoint Technical Support for further assistance.



Keywords:
masterdb; filtering; ddsdom; database download; categories; download.forcepoint.com; proxy download; p1; database download failure; master database issue; appliance database issue; triton manager proxy issue

Article Feedback



Thank you for the feedback and comments.