Datasheet
Forcepoint ONE
Secure Web Gateway
The Forcepoint ONE Secure Web Gateway (SWG) is one of the three
foundational gateways of the Forcepoint ONE all-in-one cloud platform.
Forcepoint ONE SWG monitors and controls any interaction with any website,
including blocking access to websites based on category and risk score,
blocking download of malware, blocking upload of sensitive data to
personal file sharing accounts, and detecting shadow IT.
Key Benefits
› 99.99% verified uptime since 2015
› Auto-scaling, over 300 points of presence, and no-hairpinning architecture minimizes latency and maximizes throughput
› Unified administrator console reduces repetitive and redundant configuration management
› Unified managed device agent for CASB, SWG, and ZTNA simplifies deployment
› Active Directory sync agent accelerates user on-boarding
› Data-in-motion scanning blocks malware and data exfiltration between users and any web application, no matter where they are located.
› Field Programmable SASE Logic can block specific HTTP/S request methods resulting in granular control of any element in a web page
› Leverages the Webroot BrightCloud database and Forcepoint ONE’s enterprise app database for controlling website access
› Controls website access down to the URL directory level
› SWG function cannot be bypassed or disabled by the user

Forcepoint ONE SWG Architecture
The Forcepoint ONE SWG requires the installation of the Forcepoint ONE unified agent for Windows or macOS. Because the Forcepoint ONE SWG is agent-based, it protects the user, and company data, no matter where the user is located: at home, in the field, or in the office. By design, the unified agent powering the SWG cannot be stopped by the user or uninstalled by the user without approval from a Forcepoint ONE tenant administrator, thus ensuring its function is not easily bypassed by the user. And because the Forcepoint ONE agent also supports forward proxy CASB and ZTNA for non-browser clients, these capabilities can be enabled with the proper licensing and do not require additional software downloads or any other actions by the end user.

A key issue associated with other vendors’ on-device SWG is performance. Forcepoint ONE addresses this issue with a combination of technologies. First, Forcepoint ONE has a distributed architecture on AWS with over 300 points of presence in major population centers, with each point of presence supporting auto-scaling. This means latency is reduced when the on-device agent needs to communicate with the Forcepoint ONE backplane on AWS. But another significant advantage of the Forcepoint ONE SWG is its no-hairpinning architecture as shown in the figure below.
On-Device SWG Traffic Routing vs. Competitors
1 Query to check browsing policy of a newly seen URL. Files needing to be scanned for malware or sensitive data.
2 Responses to browsing policy queries. Responses to allow or deny file uploaded or downloaded.
3 All unsanctioned application traffic sent directly between the user and the unsanctioned application
4 All unsanctioned application traffic sent through competitor’s cloud infrastructure
Figure 1: Forcepoint ONE SWG No-Hairpinning Architecture
As shown in the figure, the Forcepoint ONE on-device SWG, on the left, only needs to communicate with the Forcepoint ONE backplane on AWS in two situations: when first attempting to access a website not recently visited to determine if access is blocked, managed, or unmanaged; and when attempting to upload or download files or other data that needs to be scanned for malware or sensitive data.

By comparison, the other vendor’s on-device SWG, on the right, must send all web traffic through the vendor’s cloud backplane for traffic inspection and forwarding. This hairpinning of all web traffic through the other vendor’s cloud infrastructure can cause up to a 50% loss in effective throughput, thus causing productivity issues for users in low bandwidth locations. Because file uploads and downloads are a small fraction of overall internet traffic for most users, the Forcepoint ONE SWG can typically support throughput of about 95% of total available internet bandwidth, while reducing latency, thus supporting greater user adoption.

Forcepoint ONE SWG Features
The following are the Forcepoint ONE SWG core features.

SWG Connection Policies
Lets administrators deny a connection to a range of websites or allow the connection to bypass the SWG forward proxy and not be decrypted, and optionally log each connection attempt. Criteria for policy enforcement include user group, device posture, domain category (predefined web categories from Webroot BrightCloud, Forcepoint ONE predefined enterprise app categories, or custom categories), host app (web browsers or non-browser applications), and host network (user’s DNS server IP address or DNS suffix). Supports user privacy by allowing connections to personal healthcare or financial sites to pass unencrypted.
Figure 2: SWG Connection Policies.

SWG Content Policies
Lets administrators specify rules for denying a connection, permitting an unmanaged connection, or establishing a managed connection (for enforcing DLP and malware protection). Criteria for policy enforcement include user group, device posture, location, URL category (predefined or custom), Webroot BrightCloud reputation score, and Forcepoint ONE enterprise app risk score. Custom URL categories may include full URL directory path entries letting administrators apply different policies for different directories. This can be used to block certain Reddit subreddits, as an example. When a connection is managed, policies can be applied for blocking download or upload of sensitive data (using Forcepoint ONE’s integrated DLP) or malware (using CrowdStrike or Bitdefender).
Figure 3: SWG Content Policies.
SWG Discovery Dashboard
Displays graphical representations of logs of traffic to websites or enterprise apps grouped by Webroot web reputation or Forcepoint ONE enterprise app trust score, with additional displays for data uploaded or downloaded per website, and sensitive data uploaded to websites grouped by domain and match pattern.
Figure 4: SWG Discovery Dashboard.

Web Dashboard
Displays graphical representations of logs of traffic to websites grouped by Webroot web categories, giving the administrator an overview of what types of websites users are visiting, or attempting to visit and getting blocked. Includes additional data on malware download attempts and sensitive data upload attempts.
Figure 5: Web Dashboard.

Shadow IT discovery
The Forcepoint ONE CASB supports shadow IT discovery for devices behind corporate firewalls. For managed devices used remotely, the on-device SWG enhances this capability by including data on all web traffic originating from managed devices with the SWG capability enabled.

SWG bypass prevention
Users cannot kill the SWG processes on their Windows or macOS device, and users cannot uninstall the on-device agent powering the SWG without assistance from the Forcepoint ONE tenant administrator.

Forcepoint ONE Platform Features
The Forcepoint ONE SWG additionally supports these features built into the Forcepoint ONE platform:
→ Contextual access control. Users cannot browse the internet unless they are authenticated by Forcepoint ONE and permitted to log in based on login policies which consider user location, device type, device posture, user behavior, and user group.
→ Data loss prevention (DLP). Files and text are scanned upon upload or download for sensitive data, reported, and blocked as appropriate.
→ Field Programmable SASE Logic (FPSL). Any HTTP/S request method can be logged and optionally blocked based on the content in any part of the request method.
→ Malware scanning. Files are scanned during upload or download for malware, using scanning engines from CrowdStrike or Bitdefender, and blocked when detected.
→ Unified management console for configuration, monitoring, and reporting for SWG, CASB, and ZTNA. Lets administrators reuse DLP match patterns across SWG, CASB, and ZTNA for private web applications.
→ Unified on-device agent for Windows or macOS with unique auto-generated and auto-rotated certificates.
→ 99.99% service uptime
Forcepoint ONE SWG Features and Benefits

FEATURE: Auto-scaling, distributed architecture on AWS with over 300 POPs worldwide.
BENEFIT:
→ 99.99% uptime.
→ Minimal latency: often even faster than direct application access.

FEATURE: Integration with any SAML-compatible IdP. SAML relay or ACS proxy mode. Optional built-in IdP using Microsoft ADFS.
BENEFIT:
→ Flexible deployment.
→ Denial of service protection when using SAML relay mode.

FEATURE: Active Directory Sync Agent. Synchronizes your current AD users and groups with Forcepoint ONE users and groups.
BENEFIT:
→ Leverages your existing Microsoft AD instance to quickly onboard users and manage the groups they are in.

FEATURE: Contextual access control based on user group, device type, location, or time of day, with escalation to Multi-Factor Authentication based on “impossible travel,” unauthorized location, or unknown device. Additional layer of access control for individual websites or applications based on user group, device type, or location.
BENEFIT:
→ Detects and blocks suspicious login attempts.
→ Reduces risks associated with stolen passwords.
→ Segments users based on risk and need to access.

FEATURE: Single unified agent for on-device SWG, CASB forward proxy, and ZTNA for non-web applications. Includes support for deployment through MDM systems and uses self-generated auto-rotated certificates.
BENEFIT:
→ Simplifies agent deployment.
→ Enhances security.
→ Reduces IT overhead.

FEATURE: Single administrator console for managing all system capabilities across all applications, users, and devices.
BENEFIT:
→ Reduces complexity and time to value.
→ Increases visibility and control.

FEATURE: DLP and malware scanning for data in motion. Scans file attachments downloaded from or uploaded to any web-based app or website for malware or sensitive data and logs and blocks the transfer as appropriate.
BENEFIT:
→ Stops data leakage and spread of malware in transit between users and any web application or website.

FEATURE: Field Programmable SASE Logic. Monitors, logs, and optionally blocks any HTTP/S request method based on any portion of the request method.
BENEFIT:
→ More fine-grained control of app usage.
→ Ability to block upload of sensitive data as message posts.

FEATURE: Monitors, logs, and controls access to any website from corporate Windows and Mac endpoints located anywhere with DLP and malware scanning.
BENEFIT:
→ Enforces acceptable use policy.
→ Monitors and controls shadow IT.
→ Blocks upload of sensitive data to unsanctioned websites.
→ Blocks download of malware from any website.

FEATURE: No-hairpinning architecture.
BENEFIT:
→ Reduces traffic through the Forcepoint ONE backplane, which results in near wire-speed throughput.

FEATURE: Webroot domain classification and reputation scoring supplemented with Forcepoint ONE enterprise app classification and risk scoring.
BENEFIT:
→ Constantly updated classification and risk-scoring databases simplify access and content policy creation.

FEATURE: Custom URL categories allowing URL entries that include full directory path.
BENEFIT:
→ Allows blocking of only certain directories within a website such as specific subreddits within [Link].

FEATURE: SWG Discovery and Web dashboard.
BENEFIT:
→ Allows administrators to see access attempts, malware download attempts, and sensitive data upload attempts at a glance.
© 2022 Forcepoint. Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.
All other trademarks used in this document are the property of their respective owners.
[FP-Forcepoint ONE SWG-Datasheet-US-EN] 18Feb2022