Forcepoint Web Security Integration

Modified on Wed, 4 Feb at 5:31 PM

Overview

Forcepoint Web Protection Solutions allow Internet activity logging data and, as of v8.5.4, audit log data to be passed to a third-party SIEM product, like ADR AI SIEM.


Use web protection reporting tools or SIEM integration to report on Internet activity when alerts reveal a potential issue.


Forcepoint Proxy Configuration

  1. Log in to the Forcepoint Proxy server.
  2. Navigate through SETTINGS > GENERAL > SIEM INTEGRATION to activate.
  3. Enter the <CCE IP address> or hostname of the machine hosting the SIEM product, then the communication port (514) to use for sending SIEM data.
  4. Specify the transport protocol (TCP or UDP) to use when sending data to the SIEM product.
  5. Click OK to cache your changes. They are not applied until you click Save and Deploy (this option is at the top right of the page).


Verification

Verification can be done either from the GUI or from the CCE server.


Using the GUI

  1. Log in to the UI and hover over System.
  2. Go to Log/Flow Collection Status.
  3. In the Source Device IP field, confirm that the expected Forcepoint Proxy IP address is displayed.


Using the CCE Server

Log in to the CCE Server with the seceon user and execute the following command.

sudo tcpdump -i any -A port 514 and host <Forcepoint Proxy IP>
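The tcpdump check above only shows that packets arrive. The following added example (not part of this article or of the Seceon or Forcepoint products) goes one step further on the collector side: it splits a TCP syslog stream into records (both octet-counted and newline-delimited framing can appear on port 514), validates the syslog PRI header of each record, and reports whether records are arriving from the expected Forcepoint Proxy address. The IP addresses and log lines below are constructed placeholders.

```python
import re
from collections import Counter

PRI_RE = re.compile(rb"<(\d{1,3})>")      # syslog <PRI> header at start of a record
OCTET_RE = re.compile(rb"(\d{1,5}) ")     # RFC 6587 octet-count prefix ("42 <14>...")


def split_tcp_stream(data: bytes) -> list[bytes]:
    """Split a TCP byte stream into syslog records, accepting both
    octet-counted framing and newline-delimited framing."""
    records, i = [], 0
    while i < len(data):
        m = OCTET_RE.match(data, i)
        if m:                                  # length prefix, then exactly that many bytes
            start, length = m.end(), int(m.group(1))
            records.append(data[start:start + length])
            i = start + length
            continue
        end = data.find(b"\n", i)              # otherwise the record ends at a newline
        end = len(data) if end == -1 else end
        if data[i:end].strip():
            records.append(data[i:end].rstrip(b"\r"))
        i = end + 1
    return records


def parse_pri(record: bytes):
    """Return (facility, severity) from the <PRI> header, or None if malformed."""
    m = PRI_RE.match(record)
    if not m or int(m.group(1)) > 191:         # PRI is facility*8 + severity, max 191
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8


def check_feed(datagrams, expected_source: str) -> dict:
    """datagrams: (source_ip, payload) pairs as the collector receives them on port 514.
    Mirrors the GUI check: is the expected source device IP actually sending?"""
    seen, severities, malformed = Counter(), Counter(), 0
    for src, payload in datagrams:
        pri = parse_pri(payload)
        if pri is None:
            malformed += 1
            continue
        seen[src] += 1
        severities[pri[1]] += 1
    return {"ok": seen[expected_source] > 0,
            "records_from_expected": seen[expected_source],
            "unexpected_sources": sorted(s for s in seen if s != expected_source),
            "malformed": malformed, "severities": dict(severities)}


# Constructed sample input: placeholder proxy address and syslog lines.
PROXY_IP = "192.0.2.10"
SAMPLE = [(PROXY_IP, b"<14>Feb  4 17:31:00 fp-proxy Forcepoint: action=permitted"),
          ("198.51.100.7", b"<13>Feb  4 17:31:01 other-host sshd: test")]
```

Feed the records from split_tcp_stream into check_feed for a TCP source; for UDP, each datagram is already one record.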
