
Forcepoint Security Portal Help

Forcepoint Email Security Cloud

2019
©2019 Forcepoint
Forcepoint. Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint. All other trademarks used in this document are the property of
their respective owner.
Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation
and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint LLC shall not be liable for any error or
for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The
information in this documentation is subject to change without notice.

Last modified: October 24, 2019


Contents

Chapter 1 Getting Started
About this guide
Initial steps
Logging on and portal security
Locking down your firewalls
Privacy statement
Idle timeout
Customizable landing page
Security Portal navigation
Dashboard
Alerts

Chapter 2 Account Settings
My Account
Contacts
Adding a contact
Password settings
Password policy
Password expiration limit
User lockout
Changing passwords
Forgotten passwords
Two-factor authentication
Terms of use
Custom file types
Directory Synchronization
End Users
Groups
Downloading and uploading groups
Licenses
Licenses page
License information
Accepting licenses
Important rules for configuring accounts

Chapter 3 Working with LDAP Directories
What is LDAP?
How the service works with LDAP
Planning for your first synchronization
Deciding what to synchronize
Basic steps
Cloud-based tasks
Configure directory synchronization
Set up authentication
Client tasks
Maintenance
View and manage user data
View and print reports
View recent synchronizations
Restore directories
Troubleshoot synchronization failures
Turn off directory synchronization

Chapter 4 Configuring Email Settings
File sandboxing
What does a file sandboxing transaction look like?
File sandbox reports
DNS records and service IP addresses
Aliases
Adding or modifying an alias
Downloading and uploading aliases
Blacklists and whitelists
Personal Email Subscriptions
Subscriptions tab
Settings tab
Text and Language tab
Bulk Upload tab
Email notifications
Adding notifications
Editing notifications
Configure block and notification pages
Editing block and notification pages
Image whitelist
Email connectivity testing
URL Sandboxing utility

Chapter 5 Defining Email Policies
General tab
General policy information
Notifications
Annotations
Editing an annotation
Report this email as spam
Adding annotations
Domains tab
Adding domains
CNAME records and A records
MX records
Connections tab
Configuring inbound mail routing rules
Testing mail routing
Adding inbound and outbound routes
Disaster recovery
Antivirus tab
Editing inbound or outbound rules
Antivirus exceptions
URL Sandboxing tab
URL sandboxing exceptions
Antispam tab
Antispam exceptions
Adding an entry to a whitelist or blacklist
Uploading a whitelist or blacklist
Uploading whitelist and blacklist exceptions in bulk
Antispoofing tab
Spoofed Message Detection
Internal Executive Spoofing
DKIM Signing
Antispoofing Checks
Content Filter tab
Editing content rules
Attachments
Masking attachments
Quarantining messages with specific file types
Image analysis and quarantining
Attachment exceptions
Parking attachments
Park attachments by file type
Creating custom file types
Unknown attachment types
Securing suspicious attachments
Message Size
Filtering using lexical rules
Phrase score and lexical rule thresholds
Creating a lexical rule in simple mode
Creating a lexical rule in advanced mode
Creating a compliance rule
Quarantining messages where analysis does not complete
Managing dictionaries
Excluding phrases from a dictionary
Advanced dictionary configuration
Importing language packs
Encryption tab
Transport Layer Security
Configuring TLS for a connection or route
Configuring TLS on your connections
Configuring third-party TLS connections
Testing an outbound connection
When TLS fails
Adding an encryption rule
Standard encryption
Password specification
Notifications
Accessing email
Combining standard encryption with content filtering rules
Advanced encryption
Editing advanced encryption settings

Chapter 6 Message Center
Understanding your results
Performing actions on the results
Message actions page
Viewing message details

Chapter 7 End-User Self Service
Requesting a message report
Understanding the report
Accessing quarantined email
Changing subscription details
Consolidating email report data

Chapter 8 Email Reporting Tools
Email Report Center
Viewing detailed reports
Drilling into report items
Using Message Details
Email report attributes
Email report metrics
Email predefined reports
Legacy Email Reporting
Reporting periods
Downloading report results
Categorized reports
Saving reports
Scheduling categorized reports
Email report list

Chapter 9 Report Center
Using the Report Catalog
Managing reports
Managing folders
Using the Report Builder
Creating a report
Viewing report results
Viewing detailed reports
Exporting a report
Scheduling reports
Adding and editing scheduled jobs

Chapter 10 Account Reports
Account Summary report
Scheduling Account Summary reports
Printing Account Summary reports
Viewing detailed information
Service reports
Downloading report results
Saving reports
Scheduling reports

Chapter 11 Audit Trails
Configuration audit trail
Administrator audit trail

Chapter 12 Standard Email Configuration

Appendix A Checklists for Setting up LDAP in Various Use Cases
New Web and/or email customers
New and existing email customers
Existing Web and/or email customers
Considerations for existing customers

Appendix B Standard Regular Expression Strings

Appendix C Supported File Types


1 Getting Started

Forcepoint Email Security Cloud Help

Forcepoint Email Security Cloud protects your organization against the threats of
malware, spam, and other unwanted content in email traffic.
Forcepoint Email Security Cloud provides maximum protection for email systems to
prevent malicious threats from entering an organization’s network. Each message is
analyzed by a robust set of antivirus and antispam filters to prevent infected email
from entering the network. Domain and IP address based message routing ensures
reliable, accurate delivery of email.
The following add-on email modules are available in the cloud:
● The Forcepoint Advanced Malware Detection for Email module enables you to:
■ Send suspicious files received in email messages to a cloud-hosted sandbox
for analysis
■ Define whether suspected phishing messages should be quarantined, or
allowed with suspicious URLs replaced by a link to a block page that you
specify
● The Forcepoint Email Security - Encryption Module provides an additional
encryption option beyond TLS and manual exchange of passwords, offering
identity-based encryption and customization of the email notification that the
recipient sees before decrypting the message.
● The Forcepoint Email Security - Image Analysis Module enables you to
quarantine messages that have images attached to prevent potentially questionable
images from entering your organization. You can also add permitted images to a
whitelist.
You configure and manage your services using the Security Portal. The portal
provides a central, graphical interface to the general configuration, policy
management, and reporting functions of your service, making defining and enforcing
email security an easy, straightforward process. You maintain control over the system
through on-demand statistics and reporting, while powerful self-service tools allow
end users to manage quarantined mail, helping relieve the burden on IT staff.


About this guide

This guide is intended for IT administrators who are responsible for setting up and
operating Forcepoint Email Security Cloud accounts.
It relates to all Forcepoint Email Security Cloud services, although the functionality
available to you depends on licensing.
The layout of the Security Portal screens is similar for all services. Wherever possible
this guide indicates where a feature or functionality is specific to a particular service.


Initial steps

Take the following steps to get started with Forcepoint Email Security Cloud.
1. Request an evaluation.
2. Register for the service.
3. Log on to the Security Portal.
4. Add inbound and outbound connections.
5. Add domains.
6. Set up outbound email routing.
7. Set up inbound email routing.
8. Restrict connections to your mail servers.
9. Set up users and groups.
It is likely that you have already completed these steps. If not, please see the
Forcepoint Email Security Cloud Getting Started Guide.

Logging on and portal security

Note
To use the Security Portal, your browser must be JavaScript-enabled.

To access the Security Portal, visit https://admin.forcepoint.net/portal.


The logon process uses cookies where possible. For the best user experience, we
recommend that you accept cookies from the Security Portal. If your web browser is
unable to, or is configured not to accept cookies from the Security Portal, an
additional screen appears during logon reminding you of the benefits of securing your
session.
If the Security Portal cannot use cookies to secure the session, it falls back to ensuring
that all requests for the session come from the same IP address. This may cause
problems for you if your company has several load-balanced web proxies, because the
Security Portal interprets requests coming from several sources as a security breach.
Companies with a single web proxy or a cooperating web proxy farm should not be
affected.
To avoid problems, we recommend enabling cookies on your web browsers.


Locking down your firewalls

Related topics:
● Getting Started

If you have not already done so, we strongly recommend that you follow the advice
provided in the Forcepoint Email Security Cloud Getting Started Guide and restrict
connections to your email servers so that they only accept email from the IP address
ranges used by Forcepoint. These can be found on the DNS records and service IP
addresses page.
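
One way to check that the lockdown is effective is to audit the mail server's own connection log against the permitted ranges. The script below is an added example, not part of the Forcepoint documentation: the CIDR ranges are placeholders (the real ones are on the DNS records and service IP addresses page), the log lines are constructed, and a Postfix-style smtpd log is assumed.

```python
import ipaddress
import re
from collections import Counter

# Placeholder ranges (RFC 5737 documentation blocks), NOT the service's real
# ranges. Substitute the ranges listed on the portal's "DNS records and
# service IP addresses" page.
ALLOWED_RANGES = ["192.0.2.0/24", "198.51.100.0/25"]

# Constructed Postfix-style smtpd log lines, for illustration only.
SAMPLE_LOG = """\
Oct 24 09:00:01 mx1 postfix/smtpd[2101]: connect from relay1.example.net[192.0.2.15]
Oct 24 09:00:04 mx1 postfix/smtpd[2102]: connect from unknown[203.0.113.77]
Oct 24 09:00:09 mx1 postfix/smtpd[2103]: connect from relay2.example.net[198.51.100.20]
Oct 24 09:00:12 mx1 postfix/smtpd[2104]: connect from unknown[198.51.100.200]
Oct 24 09:00:15 mx1 postfix/smtpd[2105]: connect from unknown[203.0.113.77]
Oct 24 09:00:20 mx1 postfix/smtpd[2106]: disconnect from unknown[203.0.113.77]
Oct 24 09:00:21 mx1 postfix/smtpd[2107]: connect from unknown[unknown]
"""

# Matches "connect from host[ip]" but not "disconnect from host[ip]".
CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from \S+\[([^\]]+)\]")


def audit_connections(log_text, allowed_ranges):
    """Classify every SMTP connect in log_text against allowed_ranges.

    Returns a dict with:
      allowed  - number of connects from inside the permitted ranges
      outside  - {ip: count} for connects the firewall should have dropped
      unparsed - peer strings that are not IP addresses (e.g. "unknown")
    """
    networks = [ipaddress.ip_network(cidr) for cidr in allowed_ranges]
    allowed = 0
    outside = Counter()
    unparsed = []
    for line in log_text.splitlines():
        match = CONNECT_RE.search(line)
        if not match:
            continue
        try:
            peer = ipaddress.ip_address(match.group(1))
        except ValueError:
            unparsed.append(match.group(1))
            continue
        # An IPv6 peer is never "in" an IPv4 network, so it counts as outside
        # unless an IPv6 range has been added to the allow list.
        if any(peer in net for net in networks):
            allowed += 1
        else:
            outside[str(peer)] += 1
    return {"allowed": allowed, "outside": dict(outside), "unparsed": unparsed}


if __name__ == "__main__":
    report = audit_connections(SAMPLE_LOG, ALLOWED_RANGES)
    print("connects from permitted ranges:", report["allowed"])
    for ip, count in sorted(report["outside"].items()):
        print(f"NOT PERMITTED {ip}: {count} connect(s)")
    for peer in report["unparsed"]:
        print("could not parse peer address:", peer)
```

Any address reported as not permitted reached the SMTP listener, which means the firewall rule in front of the mail server is missing or too broad.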

Privacy statement

Related topics:
● Logging on and portal security

The Security Portal uses 2 cookies during logon. The first is used to identify whether
the user’s Web browser is willing to accept and store cookies for the portal; it contains
no information. If the first cookie is successfully stored, a second cookie is stored
containing temporary information about the session. No personal information is stored
in either cookie, and both cookies are used only for the duration of the session.
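
The logon behaviour described here and under Logging on and portal security can be modelled in a few lines to show why a load-balanced proxy farm trips the IP address fallback. This is an added illustration, not Forcepoint code: the class and function names are hypothetical, the addresses are constructed, and it assumes that a failed check ends the session.

```python
import hmac
import secrets


class PortalSessionModel:
    """Illustrative model only; class, method and field names are hypothetical."""

    def __init__(self):
        # session id -> {"mode": "cookie", "secret": ...} or {"mode": "ip", "ip": ...}
        self._sessions = {}

    def logon(self, client_ip, probe_cookie_returned):
        """Start a session after a successful logon.

        probe_cookie_returned is True when the browser sent back the first,
        information-free cookie, proving that it accepts cookies.
        Returns (session_id, session_cookie or None).
        """
        sid = secrets.token_urlsafe(16)
        if probe_cookie_returned:
            # Second cookie: temporary session information only.
            cookie = secrets.token_urlsafe(32)
            self._sessions[sid] = {"mode": "cookie", "secret": cookie}
            return sid, cookie
        # Fallback: pin the session to the address the logon came from.
        self._sessions[sid] = {"mode": "ip", "ip": client_ip}
        return sid, None

    def request(self, sid, client_ip, session_cookie=None):
        """Return "ok", "rejected" or "logon-required" for one request."""
        session = self._sessions.get(sid)
        if session is None:
            return "logon-required"
        if session["mode"] == "cookie":
            valid = session_cookie is not None and hmac.compare_digest(
                session_cookie, session["secret"]
            )
        else:
            valid = client_ip == session["ip"]
        if not valid:
            # Assumption: a mismatch is treated as a breach and ends the session.
            del self._sessions[sid]
            return "rejected"
        return "ok"


def simulate(egress_ips, cookies_enabled):
    """Log on from egress_ips[0], then send one request per listed egress IP."""
    portal = PortalSessionModel()
    sid, cookie = portal.logon(egress_ips[0], cookies_enabled)
    return [portal.request(sid, ip, cookie) for ip in egress_ips]


# Constructed addresses: two proxies in a farm that do not share an egress IP.
PROXY_FARM = ["203.0.113.10", "203.0.113.11", "203.0.113.10"]
SINGLE_PROXY = ["203.0.113.10"] * 3

if __name__ == "__main__":
    print("farm, cookies off :", simulate(PROXY_FARM, cookies_enabled=False))
    print("farm, cookies on  :", simulate(PROXY_FARM, cookies_enabled=True))
    print("single, cookies off:", simulate(SINGLE_PROXY, cookies_enabled=False))
```

With cookies enabled the source address plays no part in the check, which is why enabling cookies is the recommended fix for sites behind several proxies.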

Idle timeout
For security reasons, if you are logged on to the Security Portal and are inactive for a
predefined period, you are automatically logged off. When you next attempt to
perform an action, you are asked to log on again. Once you have done so, you are
taken to the page that you requested. The inactivity timer is between 30 and 60
minutes.

Customizable landing page


By default, administrators logging onto the portal are taken to the Account > Licenses
page. To change your landing page:
1. Navigate to the page you would like to use as your portal landing page.
2. Click the arrow next to your logon account name in the banner at the top of the
page.
3. Select Set Landing Page.
Note that some pages have been deliberately excluded from supporting this option.


Security Portal navigation

The Security Portal interface can be divided into the following main areas:

1. Banner
2. Toolbar
3. Content pane
The banner shows:
● Any Alerts that are available for your account.
● A Cloud Service Status option that provides a link to the Cloud Operations
customer dashboard. Use this link if you are experiencing any kind of pervasive
service problem to determine what might be happening and see what steps are
being taken to correct the issues.
● Your current logon account. When you’re ready to end your administrative
session, click the arrow next to the administrator name and select Log Off.
● The Help menu, from which you can access assistance for the page you are
currently viewing, further product information, and Forcepoint Technical Support
resources.
The Help menu also includes the Support PIN. You must authenticate yourself
with this PIN when calling Forcepoint Technical Support.


Each PIN is unique per user, and is generated when a user logs on. The PIN is then
valid for 24 hours after logon. After a 24-hour period has expired, a new PIN is
generated at the next logon.

Important
In order to preserve and maintain the security of your data, support representatives
will not be able to provide customer support without an accurate, up-to-date PIN.

The toolbar indicates which part of the Security Portal is currently active:
● Dashboard provides access to the Forcepoint Email Security Cloud dashboards.
● Reporting gives access to all reporting options, including email reports, account
service reports, and your saved reports.
● Email contains all configuration settings relating to Forcepoint Email Security
Cloud, including account-wide email settings, policy management, and the
Message Center.
● Account provides access to configuration options that apply to all cloud services.
This includes administrator management, directory synchronization, licenses, and
groups.
When you select an item in the toolbar, a navigation pane drops down, containing the
available navigation choices for that item. Click the toolbar item again to close the
navigation pane.
The content pane varies according to the selection you make in the navigation pane.

Dashboard
To view your main email dashboard, go to Dashboard. If you are a cloud web and
email customer, select the Email tab. The dashboard provides a snapshot view of how
your cloud email services are performing.
The panels you see depend on your subscription settings. You may see the following:
● Email Activity Overview - the number of inbound and outbound email requests
processed for your account in the last 7 days.
● Inbound Composition Categories and Outbound Composition Categories
- reports how Forcepoint Email Security Cloud categorized your inbound and
outbound email. Composition categories include:

Category          Description
Spam              Messages marked as spam by the Antispam rules.
Valid             Messages that pass analysis or that are whitelisted.
Content           Messages that triggered a Content Filter rule.
Viruses           Messages detected by Antivirus or ThreatSeeker as containing a virus.
Phishing          Messages maliciously designed to acquire information, such as user names, passwords, or credit card information by masquerading as a trusted or well-known entity.
Commercial Bulk   Solicited bulk email, such as newsletters.
Backscatter       Maliciously generated bounce messages (e.g., non-delivery report/receipt (NDR); delivery status notification (DSN); and non-delivery notification (NDN) messages) sent by spammers to spoofed return addresses.
Access            Messages to which Notifications and Annotations rules were applied.
Other             Messages flagged for other reasons, such as having a message loop, encryption, or generating a system or operational error.

● Top 5 Viruses - indicates the top 5 viruses seen in your account along with the
number of email carrying each of these viruses.
● URL Categories in Email - indicates how Forcepoint Email Security Cloud
classified all of the URLs found in your organization’s email.
● Cloud Email Spam Detection Rate - from an email flow of known spam
messages (separate from all subscriber email flow), indicates the percentage of
messages classified as spam by Forcepoint Email Security Cloud analysis. This is
a good indicator of the Forcepoint Email Security Cloud spam detection rate.
You have the option of viewing this data in either a bar graph or pie chart.

Alerts
Click the speech bubble icon in the toolbar to see alerts for your account.
Alerts are the primary means of communicating with customers to keep you fully
informed of service issues. If you suspect that there may be a problem with the
service, log on and check for new alerts. The number of alerts for your account is
displayed with the alert icon.
You may see the following alert types:

Error. Your service has been interrupted, and you must act on this alert
immediately.

Severe. You must act on this alert as soon as possible. If you do not act by the
date given in the alert, it will be upgraded to Error and you risk interruption of
your service.

Warning. This alerts you to future events that might affect your service – for
example portal outages, or license expiration.

Information. This might be announcing a new release or upcoming maintenance work.


Select an alert summary in the left pane to see more detail, if available, in the right
pane.



2 Account Settings

Administrators with account-level privileges can click Account in the cloud portal
toolbar to see the configuration options that apply to the complete account. The exact
options available on the menu depend on the services you are licensed for.
● To change the password for your cloud service administrator account, select My
Account.
● To view the configuration audit database for your account, select Audit Trails.
● Select Contacts to view and modify the contact details of people in your
organization who administer, support, and pay for services. The administrator
contacts can be given logons to the portal and their permissions restricted as
necessary. You can also use this page to modify your password settings, set two-
factor authentication, and display a terms of use page for administrators.
● To set up your own combinations of file types, MIME types, and file extensions
for email attachment blocking, choose Custom file types.
● Before configuring directory synchronization for your account, see Planning for
your first synchronization.
● Select End Users to search for end users so you can enable or disable their Web
access, delete them, or change their policy assignments. (This option is available
only to accounts enabled for directory synchronization.)
● When you define Groups, they are available in all your policies in all services.
This allows you to define a consistent set of rules across the services for groups of
end users.
This chapter covers the configuration of account-level options. To configure the
majority of email service options, click Email in the toolbar and then select the
appropriate setting type or policy.


My Account

Use the My Account page if you need to change your password or generate a new one.
Enter and confirm a password, then click Submit when done. The password must
conform to your password policy, as described on the screen.
Optionally, you can also change your password question. Select a question from the
drop-down list, then enter an answer to the question and click Submit.
See Changing passwords, page 17, for more information about passwords.

Contacts

Related topics:
● Adding a contact
● Password settings

Use the Contacts page to define the password policy for administrators in your
account, and to manage the contact list and administrator logons.
The Account Management area displays the current requirements for passwords in
your account, as well as any expiration limit. For more information, see Password
settings, page 14.
The contact information in the Contacts area is created with the details supplied
during enrollment. The initial contact assumes the role of master user, a super
administrator with the highest rights and privileges for your account.
Forcepoint Support uses the contact details defined on this page should they need to
contact you. You can specify multiple contact addresses and numbers for each contact,
plus a call order that specifies the order in which each contact method should be
attempted.

Note
If the contact also has logon privileges, you must enter an email address to enable
them to use the password reset function, if required.
It is your responsibility to administer the logon privileges for the contacts in your
account, and to ensure access to the cloud portal is maintained or protected as
appropriate. You are also responsible for any actions taken by the users of the
administrator logons that you create.


Adding a contact
To add a new contact:
1. Click Add.
2. Select the new contact’s Title, and enter the first name and surname. The Full
name field is automatically populated.
3. Select the Contact type from the drop-down list.
4. Optionally, enter further details for the contact, including the job title, department,
and address.
5. Enter a telephone number, email address, or both. It is recommended that you
provide at least one form of contact that Support can use if required.
6. Select a preference for each contact method, to inform Support of the preferred
order in which to attempt each contact method.
7. Click Submit.

Adding logon details


To assign logon privileges to the contact you just created:
1. In the User name field, click the hyperlink in No user name. Click here to add
one. This opens the Add User Name screen.

Note
You can also access this screen by clicking the contact’s logon ID in the User Name
column on the main Contacts screen.

2. By default, the email address is used as the contact’s logon ID. To change this,
edit the User Name field.
3. Enter and confirm a password for the user.
You can type a password for the user and confirm it. Alternatively, if you want to
automatically generate a password that complies with the password policy, click
Create a password for me. The password, which meets the stated password
policy, populates into the Password field.
4. Define when the user’s password should expire. By default this uses the expiration
settings defined as part of your account’s password policy (see Password
expiration limit, page 16).
5. To force the user to change the password when they log on, mark Change
password next log on. This is recommended.
When the user first logs on, a screen is displayed giving them 8 days to select a
password question from the list provided and enter an answer. This password question
and answer is used if the user later forgets their password (see Forgotten passwords,
page 18). If the user does not set a password question within the 8-day limit, they are
forced to do so at their next logon.

Note
If you have enabled two-factor authentication for a user, this page can be used to
reset authentication for users who have been locked out, or who are unable to use
their authenticator app. Click Reset beside the Two-factor authentication label to
require the user to configure authentication again. See Two-factor authentication,
page 19.
This page also displays the date and time of the user’s last successful and
unsuccessful logon, if available.

Configuring permissions
By default, all rights are assigned to the master user (the initial contact established in
your account, with super administrator privileges). When the master user creates a
new user, by default only the View All Reports permission is assigned to that account.
This is the minimum permission a user needs to be able to log on; it grants
permissions over only the Reporting tab on the main menu bar.
We provide flexible users’ rights so you can create a hierarchy of administrators. For
example, much of the functionality accessed from the portal is useful for help desk
agents to aid with problem isolation; but they do not necessarily require control over
policy configuration.
Likewise, you should assign Directory Synchronization privileges to the contact you
set up for the Directory Synchronization Client (see Set up authentication, page 37),
but no-one else should need this privilege.
Permissions are granted at an account and policy level. This lets you create multiple
policies, and administrators can control their own policy but no one else’s.

Note
Visibility for some account and policy permissions depends upon the permission
being assigned to your administrator account. If you do not have a permission, you
cannot view or manage that permission for other users.

To modify an administrator user’s permissions:


1. On the Account > Contacts page, click the name of the user whose permissions
you want to edit in the User Name column of the Contacts table (not the Full
Name column).
2. Click Edit.
3. Under Account Permissions, mark or clear check boxes to add or remove
permissions.
Refer to the list below for more information about each permission set.


4. Use the Policy Permissions table to add or remove policy, audit trail, and related
permissions.
■ Refer to the list below for information about each permission set.
■ To refine policy-level permissions, click Advanced.

Note
The Advanced button does not show for contacts with Manage Users permissions,
because they are assumed to have maximum account-level permissions.

5. When you are finished, click Save.


The following are account-level permissions:
● Manage Users: view, create, edit, and remove user logons and permissions
● Directory Synchronization: synchronize an LDAP directory with the cloud
service
● View All Reports: run all reports associated with the licensed services
● Manage edge devices: configure edge devices in the network that connect to the
cloud service (see Managing Network Devices, page 113)
The following email permissions can be assigned at the account or policy level:
● Modify Configuration: modify all options within Account Settings except users’
logons—for this, the user must have Manage Users permissions
● View Configuration: view all configurations within Account Settings without the
ability to make changes
● View Configuration Audit Trail: access and search the policy setup audit trail,
and access the blacklist and whitelist search facility
● Quarantine Administration: use Message Center to search quarantined
messages, plus the ability to perform actions on the messages
● View Quarantine: use Message Center to search quarantined messages, without
the ability to perform any actions on the messages
● View Administrator Audit Trail: access and search the Message Center audit
trail, and access the blacklist and whitelist search facility
● View Quarantined Images: access and search the Message Center for
quarantined images (“View Quarantine” must also be enabled to use this option.)
● View Delivered Messages: same as “View Quarantine,” but the user can view
message logs as well as quarantined email
● Black and White Listing: access, search, and manage all blacklists and whitelists
● View Filtered Reports: view only reports that can be filtered by the specified
policy or policies (not available if View All Reports is selected)

Note
The View Filtered Reports option may not be enabled in your account.


Note
If users are logged on to the portal when their permissions are changed, the changes
do not take effect until they log off and then log on again.

Password settings

Related topics:
● Password policy
● Password expiration limit
● Changing passwords
● Forgotten passwords
● Two-factor authentication
● Terms of use

Click Account > Contacts > Edit to define password settings for your account. On
this screen, you can define an expiration limit for your users, set the user lockout
option, and set two-factor authentication for all users. If you have more than one
password policy (a policy that defines how “strong” your users’ passwords must be),
you can also choose which policy to use.
If available in your account, you can also use the selected password policy for your
end users. Select Apply password policy to end users authenticating with the
service to impose the same password requirements for any end users who are
registered for the service and using manual authentication, including the minimum
and maximum length and restrictions on using previous passwords. If you have also
defined a Password expiration limit, you can select Remind end users when
passwords should be changed to send an email reminder to end users when they
need to change their passwords.

Note
Password policies for end users is a limited-availability feature and may not be
enabled in your account.

Click Update when you’re finished making your selections.


Note that you can override these settings for individual users on their permissions
settings screen.


Password policy

Related topics:
● Password settings
● Password expiration limit
● Changing passwords
● Forgotten passwords
● Two-factor authentication
● Terms of use

A password policy defines how “strong” your users’ passwords are required to be. (A
strong password is a secure password.) The password policy in the cloud portal sets
the minimum length, maximum length, password history, sequence rules, and unique
character rules of a user’s password.
Following are the minimum requirements:

Parameter                                                       Default policy value
Minimum length                                                  8
Maximum length                                                  30
Password history size (number of former passwords to check)    3
Maximum number of characters in sequence                        4
Minimum number of unique characters                             5

In addition, passwords:
● Cannot contain the user’s logon ID
● Cannot contain common words or keyboard sequences
● Must include uppercase letters
● Must include lowercase letters
● Must include numbers
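
The default policy above, written as a checker that could pre-screen a password before it is entered in the portal. This is an added example, not Forcepoint's code. Reading "characters in sequence" as a run of consecutive ascending or descending characters, matching the local part of an email-style logon ID, the common-word list, and the PBKDF2 history storage are all assumptions.

```python
import hashlib
import hmac
import os

# Default policy values from the table above.
MIN_LENGTH = 8
MAX_LENGTH = 30
HISTORY_SIZE = 3
MAX_SEQUENCE = 4
MIN_UNIQUE = 5

# Constructed sample list (assumption): the portal's real list is not documented.
COMMON_FRAGMENTS = ("password", "welcome", "letmein", "qwerty", "asdfgh", "zxcvbn")


def hash_password(password, salt=None):
    """Return (salt, digest) so history is kept without storing plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def longest_sequence(text):
    """Longest run of consecutive ascending or descending characters,
    for example 'abcde' or '54321' (assumed meaning of 'in sequence')."""
    best = run = 1
    direction = 0
    for prev, cur in zip(text, text[1:]):
        step = ord(cur) - ord(prev)
        if step in (1, -1):
            run = run + 1 if step == direction else 2
            direction = step
        else:
            run, direction = 1, 0
        best = max(best, run)
    return best


def check_password(password, logon_id, history=()):
    """Return a list of policy violations; an empty list means the password passes.
    history is a sequence of (salt, digest) pairs, newest last."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("shorter than minimum length")
    if len(password) > MAX_LENGTH:
        problems.append("longer than maximum length")
    if len(set(password)) < MIN_UNIQUE:
        problems.append("too few unique characters")
    if longest_sequence(lowered) > MAX_SEQUENCE:
        problems.append("too many characters in sequence")
    # The logon ID defaults to an email address; also test its local part (assumption).
    ident = logon_id.lower()
    if ident and (ident in lowered or ident.split("@")[0] in lowered):
        problems.append("contains the logon ID")
    if any(fragment in lowered for fragment in COMMON_FRAGMENTS):
        problems.append("contains a common word or keyboard sequence")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    # Only the most recent HISTORY_SIZE passwords are compared.
    for salt, digest in list(history)[-HISTORY_SIZE:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            problems.append("used recently")
            break
    return problems
```

A run of exactly four sequential characters passes; the fifth consecutive character triggers the violation.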


Password expiration limit

Related topics:
● Password policy
● Password settings
● Changing passwords
● Forgotten passwords
● Two-factor authentication

We recommend that you require users to change their passwords on a regular basis.
Passwords can be set to automatically expire after a set number of days. You can
override this setting for individual users on their Login details screen (see Adding
logon details, page 11).
1. Navigate to Account > Contacts.
2. Select a Password expiration limit setting. If you select No, passwords will
never expire (not recommended). If you select Yes, a drop-down menu allows you
to set the number of days after which passwords will expire.
From the menu, select one of the following as the expiration period: 30, 60, 90,
120, 180 days, or Custom days. If you select Custom days, a new field appears so
you can enter any number of days you want. Periods longer than 365 days are not
supported.
3. Click Save.

User lockout

Related topics:
● Changing passwords
● Forgotten passwords
● Resetting two-factor authentication for a portal user

If a user enters an incorrect password when attempting to log on, they have a limited
number of further attempts before they are locked out for a period of time. You set up
the number of further attempts and the lockout time period on the main setup screen
for the user.
1. On the Contacts screen, click Edit.
2. From the User lockout drop-down list, select a lockout time period. The options
are 15 minutes, 1 hour, 4 hours, 24 hours, or Forever.
If you select Forever, an administrator with Manage Users permissions must
unlock the user account before the user can log on again.


3. Select the number of permitted failed attempts from the drop-down list. This can
be between 3 and 10.
4. Click Update.

Unlocking user accounts


If a user is locked out because they failed to enter the correct password after the
allotted number of attempts, an administrator with Manage Users permissions can
unlock the user account before the lockout time period has ended. If the lockout time
period is set to Forever, the user must be unlocked by an administrator.
1. Select Account > Contacts.
2. In the User Name column of the contact list, click the required user name.
3. Click Edit on the User screen.
4. Click Unlock.
5. Click Submit.

Changing passwords

Related topics:
● Password policy
● Password settings
● Password expiration limit
● Forgotten passwords
● Two-factor authentication

Users are required to change passwords when they expire or when a change is forced
by an administrator. Only administrators with Manage Users permissions can force a
user to change his or her password. To force a change, select the Change Password
next logon box on the user’s contact screen. When users are required to change their
passwords, they see a Change Password screen the next time they log on.
Users can also opt to change their password from Account > My Account, which
displays the same Change Password screen.
If a user creates a password that does not meet the password policy standards, they
receive an error message and are asked to try again. For example:
This password has been used recently. Please try another.

To implement the changed password, users should click Save. They should also make
note of the password for future reference.


Forgotten passwords

Related topics:
● Password policy
● Password settings
● Password expiration limit
● Changing passwords
● Two-factor authentication

If a user forgets their password, they can click the Forgot your password? link on the
logon screen and follow the instructions to reset the password:
1. The user enters their portal user name and clicks Submit.
2. The cloud service sends an email to the email address listed in the contact details
associated with that user name.

Note
If the email address set up for the user name on the Contacts page is out of date or
invalid, the user must contact their administrator to get their password reset.

3. The user clicks the link in the email to go to a secure page.


4. The user enters the answer to their password question, and clicks Submit.
5. When the question is answered correctly, the user can enter and confirm a new
password. They also have the option to change their password question.

Note
If a user forgets the answer to their password question, they must contact their
administrator to get their password reset.

Should you need to generate a new password for a user, follow these steps:
1. Go to Account > Contacts.
2. In the User Name column of the contact list, click the required user name.
3. Click Edit on the User screen.
4. Click Create a password for me.
5. Make note of the password.
6. Click Submit.


Two-factor authentication

Related topics:
● Resetting two-factor authentication for a portal user
● Password policy
● Password settings
● Password expiration limit
● Changing passwords

Two-factor authentication (also known as 2FA) provides an additional level of
security for administrator access to the cloud portal. When this setting is applied, all
portal users are required to enter both their password and a code generated by an
authenticator app.
To enable two-factor authentication for all portal users:
1. Go to the Account > Contacts page.
2. Toggle the Two-factor authentication switch to ON.
3. Click Save.
The next time portal users log on, they will be prompted to set up two-factor
authentication.

Note
Compatible authenticator apps are available for Android, iOS, Blackberry, and
Windows Phone. Desktop and browser-based apps are also available for Microsoft
Windows, Mac OS, and Linux. This feature is validated with the Microsoft
Authenticator app, but alternative apps that use the Time-based One-time Password
Algorithm (TOTP) protocol, such as Google Authenticator, are also supported.

Logging on with two-factor authentication


When two-factor authentication is enabled for your account, all administrators require
an authenticator app to access the portal. This app must be configured before the user
can log on.
When users log on with two-factor authentication for the first time (or after their
account has been reset), a setup wizard guides them through the configuration process.
In the wizard, portal users who do not already have an authenticator app are given
instructions for downloading Microsoft Authenticator.
During the setup process, portal users are prompted to:
1. Select a supported authenticator app.
2. Set up the app by scanning a QR code shown on the screen or by manually
entering a secret key.


3. Enter the 6-digit code shown on the authenticator app.


Once setup has been completed successfully, users are logged on to the portal.
Each time users subsequently log on with their password, they are also prompted to
enter the code displayed on their authenticator app. Users have 3 attempts to enter a
valid code before being asked to re-enter their password.
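
How an authenticator app and a server derive the same 6-digit code from the shared secret key under TOTP (RFC 6238), with the three-attempt prompt described above modeled on top. This is an added example, not Forcepoint's code. The 30-second step, HMAC-SHA1, base32 secret encoding, and the one-step clock drift allowance are RFC defaults or assumptions rather than documented portal settings.

```python
import base64
import hashlib
import hmac
import struct
import time

DIGITS = 6             # the portal prompts for a 6-digit code
PERIOD = 30            # seconds per time step (RFC 6238 default, assumed)
MAX_CODE_ATTEMPTS = 3  # attempts allowed before the password is requested again


def decode_secret(secret_b32):
    """Decode a manually entered secret key (base32; spaces and case ignored)."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore any stripped padding
    return base64.b32decode(cleaned)


def totp(key, at=None, digits=DIGITS, period=PERIOD):
    """RFC 6238 TOTP using HMAC-SHA1 and RFC 4226 dynamic truncation."""
    counter = int(time.time() if at is None else at) // period
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(key, code, at=None, drift_steps=1):
    """Accept the code for the current time step or drift_steps either side,
    which tolerates a small clock difference between phone and server."""
    now = time.time() if at is None else at
    for step in range(-drift_steps, drift_steps + 1):
        moment = now + step * PERIOD
        if moment < 0:
            continue
        if hmac.compare_digest(totp(key, moment).encode(), code.encode()):
            return True
    return False


def second_factor(key, attempts, at=None):
    """Model the code prompt: up to three attempts, then back to the password."""
    for code in attempts[:MAX_CODE_ATTEMPTS]:
        if verify(key, code, at):
            return "logged on"
    return "re-enter password"
```

A code stops being accepted once the server clock moves more than the drift allowance past the step in which it was generated, so a phone with a badly wrong clock fails every attempt.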

Resetting two-factor authentication for a portal user


For portal users who have been locked out, or who cannot use their authenticator app
(for example, users who have lost their phone), an administrator with the appropriate
permissions can reset the user’s two-factor authentication status. This requires the user
to complete the setup process again.
To reset a user’s two-factor authentication status:
1. Go to the Account page.
2. Click the username of the user whose account needs to be reset to open the User
page. Under Log On Details, the current two-factor authentication status for the
user is shown, including the date and time that setup was completed.
3. Click Reset to reset the user’s authentication status.
The user will be prompted to repeat the two-factor authentication setup process when
next logging on.

Terms of use

Related topics:
● Email: Configure block and notification pages

The Terms of use option allows you to display a page that requires administrators to
agree to your company’s terms of use before logging on to the portal. If enabled, this
setting applies to all portal administrators. Administrators must agree to the terms of
use each time they log on.
Your “Agree to Terms of Use” block page should be customized to include details of
(or provide a link to) your terms.
See Configure block and notification pages, page 58 for details of how to customize
block pages.
To enable the terms of use acceptance page for all portal users:
1. Go to the Account > Contacts page.
2. Toggle the Terms of use switch to ON.
3. Click Save.


The next time portal administrators log on, they will be prompted to either accept your
terms of use, or log off.

Note
By default, a generic “Agree to Terms of Use” block page is provided. Before
enabling this feature, ensure you customize this page to include details of (or a link
to) your company’s terms of use. See Configure block and notification pages, page
58 for details of how to customize block pages.

Custom file types

The cloud service provides a number of file formats and file types to enable you to
manage messages containing attachments. File types allow you to quarantine
attachments by specific formats, for example GIF files or HTML documents. File
formats are more generic: for example, the Sound format includes anything related to
sound files, including RealAudio, Windows Media Audio, MPEG Audio, and MIDI
files.
If the available file formats and types do not meet your requirements, you can set up
custom file types containing one or more file types and MIME types. You can then use
the custom file types to quarantine or park messages with the attachments you specify.
For more information, see Creating custom file types, page 109.

Directory Synchronization

Related topics:
● Working with LDAP Directories
● What is LDAP?
● How the service works with LDAP
● Basic steps

Click Account > Directory Synchronization when you want to configure your
account for directory synchronization. See Configure directory synchronization, page
35, for details on this screen and other LDAP considerations.


End Users

Related topics:
● End Users tab
● Managing registered users

To view and manage user data, click Account > End Users. (This option is only
available if you have directory synchronization enabled.) The resulting screen has 3
columns.

Column            Description
Criteria to use   Check the boxes on the left to indicate what search criteria to use.
Search Criteria   Narrow down the search by entering or selecting precise data in the middle column. Under source, you can choose whether to search synchronized users or portal-managed users.
Show in Results   Check the boxes on the right to indicate what information to include in the results.

Click Search when done. Please note that the search may be slow if there are a large
number of users.
From the resulting data, you can make individual edits or bulk edits. For example, you
can:
1. Undo the manual override (applies only to directory synchronization)
2. Delete one or more users
Use the Download results option at the bottom of the screen to export the search
results to a CSV file.
Using the drop-down list between the search box and the search results, select the
action you want to make, then select the users on which to perform the action and
click Go. All changes made on this screen override any group/policy assignments
(existing or future ones).
You can view and manage user data at the policy level as well using the End Users
screen for the policy. The account-level page shown here is available only to users
with account-level privileges.


Groups

Related topics:
● Downloading and uploading groups

The groups functionality enables you to create policies using your organization’s
hierarchy.
Groups can contain:
● email addresses of users in your organization
● other groups
Groups are configured at the account level. To set up groups in the cloud service, click
Account > Groups.
The resulting screen shows a list of groups currently defined for your account, an
indication of whether they were added manually on the portal or automatically
through the directory synchronization feature, and the web policy to which the group
is assigned.
On this screen, you have the ability to create new groups and edit group membership.
Click a group name to edit it, or click Add to add a new group.

Important
Add or load groups only if you intend to use them for policy assignment or
exceptions. You don’t need them just because users are members of them.

Downloading and uploading groups


If you are managing groups strictly in the cloud (in other words, you are not using
directory synchronization), you have the option to upload or download a list of groups
in a comma-separated values (CSV) file. You can then edit this using a simple text
editor or a spreadsheet application such as Microsoft Excel.


If a policy includes a group that contains email addresses not on domains routed by
the cloud email service, those email addresses are ignored.

Warning
If you already have groups in place for web users and there are dependencies
between the groups and rules, selecting Replace all groups with CSV file could
void exceptions to your rules. (For example, if a rule states that no one but the
Accounting group can access www.financialnews.com, and then you upload a new
Group list, it is possible that Accounting could lose access to that website.)
To maintain existing group/rule associations, make sure that group names in the
CSV file match group names in the portal exactly. The best way to achieve this is to
download existing group configurations to a PC, manipulate them as needed, then
upload the changes to the cloud.

Licenses

Related topics:
● Licenses page
● License information
● Accepting licenses

Our subscription model operates in a similar manner to many software vendors: to use
the service, you must accept the terms of your agreement. Once you have done this,
your services are automatically enabled, renewed, or upgraded depending upon the
subscription type.
The purchase and billing systems are fully integrated with the cloud portal. Each cloud
service has a subscription associated with it, and that subscription is applied to each
customer account.
To view the subscriptions associated with your account, go to Account > Licenses.
You can use this area of the portal to view and manage your rights to use cloud
services.

Note
If an alert indicates that your account is currently unlicensed, or that a license has
been added or changed and must be accepted to place the provisions into service,
please check the Account > Licenses page for further information.


Licenses page

Related topics:
● License information
● Accepting licenses

The Licenses page provides basic information about your account, including:
● The account status
● Your enrollment key
● A summary of licenses for available products and add-on modules. A tick appears
next to the components that your account is licensed for.
● The length of time your reporting data is retained
● The location where your reporting data is stored.
Depending on the subscriptions associated with your account, you may also see up to
3 sections:
1. Pending licenses: Licenses that require accepting.
2. Current licenses: Licenses that have been accepted and are currently valid.
3. Previous licenses: Licenses that have either expired or been replaced by another
license.

License information
Subscriptions are generated automatically when you order a service. Each
subscription contains the following information:
● Users: The number of users or mailboxes for which your account is licensed.
● Started / Expires: Start and end dates of the license.
● Contract: The contract governing the license. This contains a link to a copy of the
contract.

Accepting licenses
The first time you log on to a new cloud service account, you are shown the licenses
screen and must accept the terms of the agreement to activate your account and
continue. If multiple subscriptions exist, you can accept them all at once.
Whenever a new subscription is ordered for you (for example, at renewal time or
following an upgrade), it is added to your account in a pending state. You must accept
this subscription to use the service. Each time you log on, you are taken to the licenses
screen to remind you that a subscription requires accepting.

Note
To ensure continuity of service, you should accept any pending licenses as soon as
possible. This requires Modify Configuration permissions.

If your license expires before you have a chance to renew it, you receive a grace
period. During that period, please order a new subscription as soon as possible.

Important rules for configuring accounts

● Your account can enforce multiple policies on your email and web traffic.
● It is good practice to keep the number of policies to a minimum, because if a
global change is required, you must make it across all policies.
● To prevent accidental changes, many configuration options are grayed out until
you click the appropriate edit box.
● Each service has its own configuration screen accessed by clicking the appropriate
tab on the main policy setup screen. Regardless of the services that you are
licensed to use, you see all tabs. If you click the tab for a service that you are not
licensed to use, you are informed that you are not licensed for it.
● Where multiple email addresses, domains, or user names are entered into a screen,
they should be separated by commas.
● You can click Help at any time to access online help information.
● All changes are made in real time and usually only take a few minutes to
propagate across the cloud infrastructure.
● Forcepoint Email Security Cloud analyzes inbound and outbound email, including
both inbound and outbound spam. Analyzing outbound spam helps detect email
that may have been sent by a botnet or otherwise compromised system at your
site.
● Most settings in the policy screens are specified separately for inbound and
outbound policy application. It is often not appropriate to set these identically for
each direction. For example, if a virus is detected in outbound email, then you
probably do not want to send a notification to the intended recipient, whereas you
might for an inbound email.
● Each Forcepoint Email Security Cloud policy applies to a domain or set of
domains and specifies settings that the cloud email service uses to determine how
to process your email.
● If you need to route email for different domains to different servers, you need to
create a separate policy for each set of domains. Each policy includes its own
routing table.
To access an email policy, go to the Email > Policy Management > Policies page.

On the Policies page, you are presented with a choice of service-specific policies.

3 Working with LDAP Directories

Related topics:
● Maintenance
● Configure directory synchronization

The cloud service allows you to make use of existing LDAP directories, such as
Active Directory or Lotus Domino, so you don’t have to re-create user accounts and
groups for your email and web services or manage users and groups in two places.
The cloud service synchronizes with LDAP directories via a client-resident
application known as the Directory Synchronization Client. Changes made to a
directory, such as deleting a former employee or adding a new one, are picked up by
the service on the next scheduled update. If you have more than one LDAP directory,
the client can merge them together before synchronizing the data with the service.

Important
The cloud service supports only one instance of the Directory Synchronization
Client for each account. Using multiple synchronization configurations, or even
using multiple installations of the Directory Synchronization Client, can cause data
on the cloud service to be overwritten.

For Forcepoint Email Security Cloud, you can synchronize primary and secondary
email addresses and groups into the portal, improve spam detection, and improve the
quality of reporting (less spam in the report). Directory synchronization makes it
easier to manage groups as well.

What is LDAP?

Related topics:
● How the service works with LDAP
● Basic steps
● Cloud-based tasks
● Client tasks
● Maintenance
● Configure directory synchronization
● Set up authentication

Lightweight Directory Access Protocol (LDAP) is a networking protocol for querying
and modifying directory services. An LDAP directory contains data with similar
attributes and organizes data in a directory tree structure. It is considered
“lightweight” because it is a reduced version of the X.500 directory standard.
Active Directory (AD) is Microsoft’s LDAP-compliant directory service, and is an
integral part of the Windows Server architecture. Active Directory is a hierarchical
framework of resources (such as printers), services (such as email), and users (user
accounts and groups). It allows administrators to assign enterprise-wide policies,
deploy programs to many computers, and apply critical updates to an entire
organization.
The cloud service integrates with LDAP directories and has been certified to work
with Microsoft Active Directory. If you have enterprise information stored in AD, you
do not have to enter it into the cloud portal manually.

How the service works with LDAP

For each data synchronization:


1. The Directory Synchronization Client communicates with the LDAP server and
returns the selected data (users, groups, and email addresses).
2. The Directory Synchronization Client performs a synchronization and returns
incremental changes to the portal via Secure Hypertext Transfer Protocol
(HTTPS). You can force a full synchronization when necessary.
3. The uploaded data is stored in the cloud service, alongside any user and group
data managed directly via the Security Portal.
4. If both user and group data is required, the update occurs in 2 transactions. If one
fails, the other can still succeed. Email addresses are a third transaction.

5. The client authenticates with the portal using a username and password that you
establish manually on the Contacts page. (Consider an appropriate password
expiration policy for that user so you don’t have to regularly update the client
application with the password changes.)
6. LDAP synchronized data is viewable but not editable through the portal.
The synchronization client resides on a computer at the customer’s site and accesses
one or more LDAP directories via the customer’s network. If more than one LDAP
directory is accessed, then this data can be merged together by the synchronization
client before it is synchronized with the cloud service.

Planning for your first synchronization

When you are setting up directory synchronization, it is important that you review the
data you are about to synchronize before you synchronize it. The way that you
structure data in your LDAP-compliant directory affects how you should structure
groups and users in the portal for policies and exceptions. You should devise a
synchronization strategy before you start.
To start, what data do you want to get out of your LDAP directory and what do you
plan to do with it?
Second, how is that data organized?
Third, how do you need to structure users and groups in the portal to accommodate
your security requirements?
In a typical directory, users are members of many groups. For example, users may be
members of global groups like “All Sales;” they may be members of geographical
groups like “London” or “New York;” and they may be members of a department such
as “NY Telesales” and many others. When deciding on which groups to synchronize,
select only groups that are going to be useful to the cloud service, typically for setting
policy or group-based exceptions. See Deciding what to synchronize, page 33 for
more guidelines on this decision.
If you already have users and groups in the portal, then you’ll need to determine how
and whether to adjust that structure to match the LDAP directory (or vice versa).
Following are the most common use cases. Follow the links to review considerations
and checklists designed just for you.
● New customers:
■ Synchronizing users/groups with a single Web policy and exceptions
■ Synchronizing users/groups with more than one policy, and planning to
manage policy assignment through an LDAP directory
● New and existing email customers:
■ Synchronizing email addresses to provide a “whitelist” of valid email
addresses
■ Synchronizing users/groups to provide per-user/per-group exceptions to email
policies
● Existing customers:
■ Wanting to manage users/groups from an LDAP directory
■ Wanting to manage users/groups from an LDAP directory but Web policy
assignment from the portal

Deciding what to synchronize

Related topics:
● What is LDAP?
● How the service works with LDAP
● Basic steps
● Cloud-based tasks
● Client tasks
● Set up authentication

You do not need to synchronize all of the groups and users in your LDAP-compliant
directory. Instead, synchronize only groups that are useful to the cloud service.
Consider this Active Directory (AD) example:

If you are going to set up a policy for members of a US Telesales department that
gives them special permission to access certain websites, you should synchronize the
“US Telesales” group. There is no need to sync the “London” group if you are not
going to set up geographical policies in the cloud service, even if the London users are
going to be using the service.
Sometimes when users are synchronized to the cloud service, they are members of
multiple AD groups, but only a subset of those groups is synchronized. This is not a
problem: the cloud service is designed to accept users with group references that are
not on the service.

You specify which groups to synchronize using an LDAP search facility on the
Directory Synchronization Client. There is great flexibility in selecting the appropriate
data to synchronize. For example, you can use the membership of an LDAP group
attribute to select the users you want, even though you may not select that group in the
group synchronization setup itself.

Note
If you add or change a group name in Active Directory or move a group from one
organizational unit (OU) to another, be sure to add the new name to the group
inclusion list on the Directory Synchronization Client before the next
synchronization. Otherwise, the group is deleted from the portal.

Regardless of how many groups you synchronize, user detail must be sent as part of a
separate user synchronization. When you synchronize a group, you transfer
information about the group but not about its contents. User synchronizations include
details of the group(s) to which users belong. When you apply a web policy or an
email policy to a synchronized group, that policy is applied to all synchronized users
who are members of that group.
Please refer to the Directory Synchronization Client Administrator’s Guide in the
Technical Library for more information on using the LDAP search feature to target
only those users and groups that are required.

Basic steps

Although the steps for your use case may vary, the basic steps for setting up directory
synchronization follow:

In the cloud
1. Configure directory synchronization, page 35, for your account.
2. Set up authentication, page 37, for the client machine. The client should have its
own username and password to gain access to the cloud service.

On the client
1. Download the Directory Synchronization Client (see Client tasks, page 38) and
install it on a network client machine. Download the client administrator’s guide
as well. This contains valuable information on helping you integrate your
directory service with the cloud service.
2. Configure the client. Use the username and password established in the Contacts
section of the portal to authenticate.

3. Test the Directory Synchronization Client to make sure it is returning the correct
data from the LDAP server to the client. If you are an existing customer switching
to directory synchronization for the first time, you should compare the data with
that which already exists in the cloud.
4. Initiate a synchronization. The service updates its groups and users, including
policy assignment where appropriate.
If a synchronization is unsuccessful, you can use the Restore feature to restore the
directory information to a previous version. (See Restore directories, page 41 for
more information.)
5. Schedule automatic synchronization. You can update the cloud service several
times a day if required.
Refer to the Directory Synchronization Client Administrator’s Guide for instructions
on items 2-5.

Cloud-based tasks

Related topics:
● Maintenance

To set up your account for directory synchronization, perform the following steps in
the portal:
1. Configure directory synchronization, page 35, for your account.
2. Set up authentication, page 37, for the client machine.

Configure directory synchronization


1. On the main menu bar, click Account.
2. Click Directory Synchronization.
3. Click Edit.
4. Check the Enable directory synchronization box. You cannot connect the
Synchronization Client to the cloud without doing so, even if you have a valid
username and password.

5. Fill out the rest of this screen as follows:

General
● Overwrite groups: If you are a new customer with no group data in the cloud,
leave this box unchecked.
If you have existing data and are migrating to LDAP, check this box if you want to
overwrite current groups with the synchronized groups when there is a group name
conflict. Users, groups, and email addresses are overwritten by LDAP data of the
same name. Once this occurs, they are manageable only by LDAP synchronization.
If you are switching to LDAP for the first time, take care to match your LDAP group
names and membership to the existing setup. Doing so allows existing policy
selections and settings to be maintained, as well as existing usernames/passwords
where applicable.
If you have duplicate names, you have 2 options: make sure the duplicate can be
overwritten or don’t allow overwriting and rename the duplicates to avoid a conflict.
If you don’t select this option and duplicate names are found, the transaction is
rejected. In the cloud, you receive the error “403: Attempt to overwrite
portal-managed group ‘nnnn’.” On the client, you receive “Error communicating with
the Hosted Service portal. Update abandoned.”

Web
● Assign users to policy: Because you are synchronizing user and group data, you can
manage policy membership through group membership. Select the web policy to
which you want to assign users if they have no group-based policy assignment
already. By default, the first policy in the list is chosen.
● User policy assignment: Specify whether you want the user policy assignment to be
fixed after the first synchronization, or if you want the service to check the group
policy membership every time users are synchronized or group policy assignments
are changed in the cloud.
Select “Follow group membership” if you want users’ policy assignments to change
automatically when there are changes to their group membership. If you move
someone to another group, he or she moves to a different policy. This is the default.
Select “Fixed” if you want to manage policy assignments in the cloud. When you
select “Fixed,” the service makes a policy assessment for an individual user only
when that user first appears in the system (in other words, is synchronized for the
first time). It either assigns the user a group-based policy or the default policy
specified above. If you want to move someone to a new policy, you need to do so in
the cloud.
● Email new users: Select one of the radio buttons to indicate whether you want email
sent to new end users to notify them that they are now protected by the cloud
service. You can send email to all new users, only those who do not have an NTLM
identity, or no one.
Be aware that sending to end users could flood your email servers with messages
and slow down performance. You’re asked to confirm this decision. We recommend
you do this at a quiet time.
● Email notification: Choose which email you want to use to notify end users of their
enrollment in the cloud service. Initially, only the default message is offered, but you
can create custom notifications if desired. See Configure block and notification
pages for more information.
For sender’s address, enter the address from which you want notification messages
sent to new users.

Email
● (Quarantine/discard/bounce.) mail for unknown users: This determines what happens
to email arriving at the cloud service that is sent to an unknown email address. By
default it is quarantined.
Check this box if you want the message handled in this way. Leave it unchecked if
you do not.
Only Forcepoint Technical Support can modify the disposition of this option.
Occasionally customers cannot enable or disable this option. This happens when
addresses have not been synchronized, a similar access control has been manually
added to your policy, or Customer Services has explicitly turned it off.

6. Click Save when done.

Note
You can turn off directory synchronization any time and revert to managing all
users, groups, and email addresses in the cloud. If you plan to do this, please see
Turn off directory synchronization, page 42 for possible considerations.

Set up authentication
On the Contacts page, set up authentication for the client machine. We strongly
recommend that the client have its own username and password to gain access to the
cloud service. This keeps the synchronization process separate from your other
administration tasks and enables you to establish longer password expiration policies.
Once you establish a contact for the client machine, you configure the client to pass
these logon credentials when connecting to the service.
1. On the main menu bar, click Account.

2. Click Contacts.
3. In the Contacts section, click Add.
4. Enter identifying information for the client machine in the First name and
Surname fields. For example, “Directory Sync” and “Client.”
5. Click Submit.
6. In the User Name field, click here to add a user name.
7. Enter a password for the client machine. It must conform to the password policy
on the main Contacts page.
8. Enter a password expiration date for the client. To avoid having to regularly
update it, this should be different than the regular account settings; it should span
a longer period.
9. Under Account Permissions, check the Directory Synchronization box, and any
other permissions you want to give this “user”. You can act as an administrator
from this logon.
10. Click Submit.

Client tasks

The Directory Synchronization Client is designed to run on a machine with at least
2GB of RAM, and requires approximately 10MB of disk storage. The following
operating systems are supported:
● Windows XP Professional Service Pack 2
● Windows Server 2003
● Windows Vista
● Windows 7
● Windows Server 2008
To download the client:
1. From the client machine, log on to the portal.
2. Select Account > Directory Synchronization.
3. Under Download Directory Sync Client, download the directory synchronization
client.
Select a client tool to download it. If you already have a Java Runtime
Environment (JRE), download the tool without a JRE. Otherwise, download the
one that includes a JRE. A JRE is required to run the client software.
4. When the download is complete, run the executable file.
5. Navigate through the installation wizard as prompted, accepting the license
agreement and indicating where to install the application. Review the installation
instructions in the client administrator’s guide for assistance.
6. Configure the client as described in the client administrator’s guide. Provide the
logon credentials that you established as part of the configuration.

Maintenance

After directory synchronization is set up and running properly, you can perform the
following tasks in the portal:
1. View and manage user data. Note that you cannot edit data that has been
synchronized from your directory.
2. View and print reports
3. View recent synchronizations
4. Restore directories to previous version
5. Troubleshoot synchronization failures
6. Turn off directory synchronization

View and manage user data


You can view account- or policy-level data about end users at any time. The portal
provides a clear indication of which records are maintained in the service and which
have been synchronized from your directory.
1. To view account-level data on users, select Account > End Users.
2. Check the boxes on the left to indicate which search criteria to use.
3. Narrow down the search by entering or selecting precise data in the middle
column.
4. Check the boxes on the right to indicate what information to include in the results.
5. Choose how many results to show per page and click Search.
6. From the resulting data, you can make individual edits or bulk edits. For example,
you can:
a. Undo the manual override.
b. Delete users.
All changes made on this screen override any group/policy assignments (existing
or future ones). To return to the automatic settings, manually undo your changes
here.
You can also view and manage user data at the policy level, using the End Users
screen for the policy.

View and print reports


You can view and print reports that show the history of synchronizations, including
high-level statistics on success/failure and numbers of items synchronized, on the
Reporting > Account Reports > Services page.

The following reports are available:

● Synchronization History Log: The history log provides a connection history for the
specified period, up to 1000 rows.
● Synchronization Time Summary: The time summary provides a list of the 20 longest
synchronization times.

See Service reports, page 199, for more information.

View recent synchronizations


1. Select Account > Directory Synchronization.
The Recent Synchronizations section shows your recent synchronization history.

The section has the following columns:
● Date: The date and time that the synchronization was performed in
coordinated universal time (UTC). Format YYYY-MM-DD HH:MM:SS.
● Status: An indication of whether the synchronization completed or failed.
Possible HTTP response codes include:
■ 200 OK - Completed successfully.
■ >400 - Synchronization failed. A 403 response carries error text giving the
reasons that the client synchronization failed. For example: “403 Groups contain
circular references”; “403 Transaction failed”; “403 Attempt to overwrite
cloud-managed group.”; “403 Email address exists in another account”.
■ 503 Service Unavailable.
● Type: The type of record that was synchronized: Users, Groups, Addresses,
or Test. Test indicates that the client connected to the cloud service to
verify its settings, but did not synchronize.
● Additions: The number of new records added during the synchronization. If the
synchronization is not yet complete, “In progress” is displayed.
● Deletions: The number of records deleted during the synchronization.

2. Click the timestamp in the date column to view details about a specific
synchronization.
In the resulting screen, you can see the time that the connection started and ended
in the local time zone of the client machine. (This lets you see how long the
synchronization took). You can view the IP address of the source connection, the
username of the client initiating the synchronization, and the number of records
amended, added, or deleted. You can also see reporting and logging information.
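
The review an administrator would make of the Recent Synchronizations history, as an added example (it is not part of the portal or the client). It assumes the rows have been copied into CSV under the column names above; the sample rows, the 30-minute run window and the deletion threshold are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows using the Recent Synchronizations column names.
SAMPLE_HISTORY = """\
Date,Status,Type,Additions,Deletions
2019-10-21 02:00:05,200 OK,Groups,2,0
2019-10-21 02:00:41,200 OK,Users,14,3
2019-10-21 02:01:10,200 OK,Addresses,14,3
2019-10-22 02:00:04,200 OK,Groups,0,1
2019-10-22 02:00:39,403 Transaction failed,Users,0,0
2019-10-23 02:00:06,200 OK,Groups,0,0
2019-10-23 02:00:44,200 OK,Users,0,412
2019-10-23 09:15:00,200 OK,Test,0,0
2019-10-24 02:00:03,503 Service Unavailable,Groups,0,0
"""


def parse_rows(text):
    """Parse history rows into dicts, sorted by their UTC timestamp."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        code, _, reason = rec["Status"].partition(" ")
        rows.append({
            "when": datetime.strptime(rec["Date"], "%Y-%m-%d %H:%M:%S"),
            "code": int(code),
            "reason": reason,
            "type": rec["Type"],
            # Additions reads "In progress" until the transaction completes.
            "additions": int(rec["Additions"]) if rec["Additions"].isdigit() else None,
            "deletions": int(rec["Deletions"]) if rec["Deletions"].isdigit() else None,
        })
    return sorted(rows, key=lambda r: r["when"])


def split_runs(rows, window):
    """Group the separate Groups/Users/Addresses transactions of one run.

    Assumption: transactions that start within `window` of the first one
    belong to the same scheduled run. Test connections carry no data.
    """
    runs = []
    for row in rows:
        if row["type"] == "Test":
            continue
        if runs and row["when"] - runs[-1][0]["when"] <= window:
            runs[-1].append(row)
        else:
            runs.append([row])
    return runs


def triage(rows, deletion_limit=100, window=timedelta(minutes=30)):
    """Return (date, kind, detail) findings worth an administrator's attention."""
    findings = []
    for run in split_runs(rows, window):
        day = run[0]["when"].strftime("%Y-%m-%d")
        failed = [r for r in run if r["code"] > 400]   # the page's failure rule
        applied = sorted({r["type"] for r in run if r["code"] == 200})
        for r in failed:
            findings.append((day, "failed", f'{r["type"]}: {r["code"]} {r["reason"]}'))
        # Each record type is its own transaction, so one can be applied while
        # another fails, leaving the portal with an inconsistent data set.
        if failed and applied:
            broken = sorted({r["type"] for r in failed})
            findings.append(
                (day, "partial", f'applied: {", ".join(applied)}; failed: {", ".join(broken)}'))
        # A large deletion count can follow a group that was renamed or moved
        # without updating the client's inclusion list.
        for r in run:
            if r["code"] == 200 and (r["deletions"] or 0) > deletion_limit:
                findings.append((day, "mass-deletion", f'{r["type"]}: {r["deletions"]} deleted'))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_rows(SAMPLE_HISTORY)):
        print(*finding, sep="  ")
```

A "partial" or "mass-deletion" finding is the point at which the Restore feature is worth considering before the next scheduled run.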

Restore directories
If necessary, you can undo the last directory synchronization and restore the system to
its state before the synchronization.

Important
It is not possible to undo the restore, so changes you made in the cloud between the
last synchronization and the restore operation may be lost. You are warned of the
potential impact and asked to confirm the action.

1. Select Account > Directory Synchronization.


2. Click Restore.
3. Click Restore to restore your directory to the current backup version or click
Cancel to cancel.
4. Confirm your action when prompted, “Are you sure?”

Troubleshoot synchronization failures


Should a synchronization fail to complete, a record is saved by the cloud service along
with your details, date/time stamps, and an error message. You can access this
information by selecting Account > Directory Synchronization. See View recent
synchronizations, page 40, for more information. You can also view it in the
Synchronization History log, available under Account > Reports > Services.
In the status column, any response code greater than 400 indicates a failed
synchronization.

For each HTTP response code, the explanation and recommended action are as follows:

● 403 Groups contain circular references
Explanation: An attempt has been made to synchronize a hierarchy of groups that
contain one or more circular references. For example, GroupA is a member of
GroupB, but GroupB is a member of GroupA.
Recommended action: The groups forming the cycle are listed in the response code.
Check these groups and fix the memberships to break the cycle.
● 403 Transaction failed
Explanation: Further explanation is added to the response code to explain the
problem. This is usually due to some uniqueness constraint failing--for example, if
2 users have the same email address or LDAP domain name.
Recommended action: Resolve the issue detailed in the full response code.
● 403 Attempt to overwrite portal managed group.
Explanation: An attempt has been made to synchronize a group with the same name
as a cloud-managed group, and the Overwrite Portal Groups option is off.
Recommended action: On the Configure Directory Synchronization screen, check the
Overwrite Groups box to allow overwriting, or rename the duplicate groups to
remove the conflict.
● 403 Email address exists in another account
Explanation: An email address in the LDAP directory already exists in another
account.
Recommended action: Remove this email user from your directory if it is your error.
If it is a valid address that you own, contact Customer Services to have the address
removed from the other account.
● 503 Service unavailable.
■ Explanation: The cloud service is heavily loaded, so a synchronization is not
currently possible. Recommended action: No action. The client automatically
re-tries later.
■ Explanation: Synchronization is not enabled on the account. Recommended action:
Enable synchronization by selecting Account > Directory Synchronization > Edit >
Enabled.
■ Explanation: Your account has exceeded its daily synchronization limit.
Recommended action: Retry tomorrow (or when next scheduled).

Partially transmitted and temporarily stored data remains in the cloud service for a few
days as a possible debugging aid. This data is not used when you try to synchronize
again.
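
A pre-flight check for the directory-side causes of the 403 failures listed above (circular group references, a duplicated email address, and a name clash with a portal-managed group), written as an added example; it is not part of the Directory Synchronization Client or the portal. The data structures, function names, sample groups and users, and the case-insensitive comparisons are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data; group and user names are illustrative only.
MEMBER_OF = {                      # group -> groups it is a direct member of
    "GroupA": ["GroupB"],
    "GroupB": ["GroupA"],          # GroupA <-> GroupB is a circular reference
    "NY Telesales": ["US Telesales"],
    "US Telesales": ["All Sales"],
    "All Sales": [],
}
USERS = [                          # primary plus secondary email addresses
    {"name": "jdoe", "addresses": ["j.doe@example.com", "sales@example.com"]},
    {"name": "asmith", "addresses": ["a.smith@example.com"]},
    {"name": "bjones", "addresses": ["Sales@Example.com"]},
]
PORTAL_MANAGED_GROUPS = {"All Sales", "Contractors"}   # created by hand in the portal


def find_group_cycles(member_of):
    """Return each circular reference as the list of groups forming the cycle."""
    white, grey, black = 0, 1, 2
    colour = defaultdict(int)      # every group starts white (unvisited)
    cycles = []

    def visit(group, path):
        colour[group] = grey
        path.append(group)
        for parent in member_of.get(group, ()):
            if colour[parent] == grey:             # parent is on the current path
                cycles.append(path[path.index(parent):])
            elif colour[parent] == white:
                visit(parent, path)
        path.pop()
        colour[group] = black

    for group in sorted(member_of):
        if colour[group] == white:
            visit(group, [])
    return cycles


def find_duplicate_addresses(users):
    """Map each address claimed by more than one user to the users claiming it.

    Assumption: addresses are compared case-insensitively.
    """
    owners = defaultdict(set)
    for user in users:
        for address in user["addresses"]:
            owners[address.strip().lower()].add(user["name"])
    return {addr: sorted(names) for addr, names in owners.items() if len(names) > 1}


def find_overwrite_conflicts(sync_groups, portal_groups):
    """Return synchronized group names that collide with portal-managed groups.

    Assumption: names differing only in case are treated as a collision,
    the conservative choice for a check run before synchronizing.
    """
    portal = {name.casefold() for name in portal_groups}
    return sorted(g for g in sync_groups if g.casefold() in portal)


def preflight(member_of, users, portal_groups, overwrite_groups=False):
    """Return (kind, detail) findings to resolve before the next synchronization."""
    findings = []
    for cycle in find_group_cycles(member_of):
        findings.append(("circular-reference", " -> ".join(cycle + cycle[:1])))
    for address, names in find_duplicate_addresses(users).items():
        findings.append(("duplicate-address", f"{address}: {', '.join(names)}"))
    # With Overwrite groups off the transaction is rejected; with it on, the
    # portal-managed group is replaced and becomes manageable only through LDAP.
    kind = "will-overwrite" if overwrite_groups else "overwrite-conflict"
    for name in find_overwrite_conflicts(member_of, portal_groups):
        findings.append((kind, name))
    return findings


if __name__ == "__main__":
    for kind, detail in preflight(MEMBER_OF, USERS, PORTAL_MANAGED_GROUPS):
        print(f"{kind:20} {detail}")
```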

Turn off directory synchronization


You can turn off directory synchronization any time and revert to managing all users,
groups, and email addresses in the portal. To do so:
1. Cancel any scheduled synchronizations on the client machine. For more
information, see the section “Removing the synchronization schedule” in the
Directory Synchronization Client Administrator’s Guide.
2. Log on to the portal.
3. Navigate to the Account > Directory Synchronization page and click Edit.
4. Clear the Enable directory synchronization check box.
5. Click Save.

Important
Ensure that a synchronization is not under way when you disable directory
synchronization. If a synchronization is running, you may end up with an
incomplete set of data: for example, your groups might have synchronized
successfully, but your users might not.

When you turn off directory synchronization, group and user IDs on previously
synchronized items are retained, so you can easily re-enable synchronization at a later
date.
Please note that changes made manually in the cloud to data items that were
previously synchronized are lost if you later re-synchronize. When you re-enable
synchronization, you are indicating that it is now the LDAP directory that holds the
master data, and a full re-synchronization is performed.

4 Configuring Email Settings

Related topics:
● File sandboxing
● Aliases
● DNS records and service IP addresses
● Blacklists and whitelists
● Personal Email Subscriptions
● Email notifications
● Configure block and notification pages
● Image whitelist
● Defining Email Policies

Use the Email > Settings options to configure account-level settings for Forcepoint
Email Security Cloud, including aliases, blacklists and whitelists, and end user email
reports (Personal Email Subscriptions) for your account.

File sandboxing

Related topics:
● What does a file sandboxing transaction look like?
● URL Sandboxing tab
● URL Sandboxing utility

Note
You must have the Forcepoint Advanced Malware Detection for Email module to
use this feature.

Use the Email > Settings > File Sandboxing page to send suspicious files received in
email messages to a cloud-hosted sandbox for analysis. The sandbox activates the file,
observes the behavior, and compiles a report. If the file is malicious, the message is
either quarantined, or an email alert is sent to the administrators that you specify,
containing summary information and a link to the report.
A file that qualifies for sandboxing:
■ Is not classified as “malicious” by virus scanning or Forcepoint ThreatSeeker
Intelligence
■ Fits the Security Labs profile for suspicious files
■ Is a supported file type for sandboxing.

Note
Because the file was not detected as malicious, it was not blocked and has been
delivered to the email recipient.

1. File analysis is disabled by default. Select On to send qualified files to the cloud-
hosted sandbox for analysis.
2. Select the analysis mode you wish to use:
■ Monitor only performs the file analysis; however, because the file was not
originally detected as malicious, it is not blocked and is delivered to the email
recipient regardless of the analysis results.
■ Enforce holds any messages with attachments sent for analysis, and then
quarantines those messages found to contain malicious attachments.
3. Specify the email address of at least one person in your organization who will
receive notifications.
Notifications are sent only for monitor mode. If you have selected the Enforce
mode, you may still want to enter an email address in case a message pending
analysis is released from quarantine with no further processing before analysis is
complete. In this case, a notification will be sent if the attachment is found to be
malicious.
The specified person does not have to be a Forcepoint Email Security Cloud
administrator. If you specify multiple email addresses, ensure you enter one
address per line.
4. Select the file types you want to submit for analysis from the File types to scan
list.
5. Click Save.

What does a file sandboxing transaction look like?


1. The cloud service receives an email message for an end user that explicitly or
implicitly includes a file.

2. The message is not classified as malicious, and virus scanning or Forcepoint
ThreatSeeker Intelligence does not find the attachment(s) to be malicious.
However, the attached file matches the configured file types to be sent to the
sandbox in the cloud for analysis.
3. If monitor mode is selected, the message with the attached file is delivered to the
email recipient. If enforcement is selected, the message is held, pending analysis.
4. The sandbox analyzes the file, which may take as long as 5 to 10 minutes, but is
typically much quicker.
5. If the file is found to be malicious, the cloud service sends a malicious file
detection message to the configured alert recipient(s). The alert email includes a
link to the report.
If enforcement mode is in use, the message is quarantined.
6. Upon receipt of the message, administrators should:
a. Access and evaluate the report for the file
b. Assess the impact of the intrusion in their network
c. Plan and begin remediation
7. Separately, the file sandbox updates Forcepoint ThreatSeeker Intelligence with
information about the file and the source email message.
8. ThreatSeeker Intelligence updates its rules and other security components.
9. The next time someone receives an email message containing this file, they and
the organization are protected by their Forcepoint Email Security Cloud
deployment.

File sandbox reports


Reports are available in the Report Center package (Report Catalog/Report Builder).
If the Report Center package is not enabled for your account, contact Technical
Support to have it enabled.
Custom file sandbox reports can be constructed in the Report Builder. See Using the
Report Builder.
Two predefined file sandbox reports are available in the Report Catalog.
● Summary of File Sandboxing Results by Status
● Detailed File Sandboxing Report
See Email predefined reports.


DNS records and service IP addresses

MX record DNS entries


Forcepoint Email Security Cloud uses customer-specific DNS records to route email
from the service to your email gateway, and from your email gateway back to the
service. You can view your customer-specific DNS records by selecting Email >
Settings > DNS Records & Service IPs. The records are listed under MX Record
DNS entries.

CNAME records
The CNAME Records section lists the DNS CNAME records you must publish in
order to enable DKIM signing for outbound messages (see DKIM Signing, page 100).
The domains listed on this page include a code that is unique to your account.
Prior to enabling a DKIM signing rule, you must create CNAME records in each
domain you wish to use as the DKIM signing domain (note that the same DKIM
signing domain can be used for all sender domains that are sub-domains of the signing
domain).
The public/private key pairs used for DKIM signing are managed by Forcepoint, and
are rotated periodically, with a period of validity overlap to allow the successful
signing of delayed messages. Two CNAME records must be published for each of
your signing domains, enabling a DNS lookup to validate signed messages.
In the DNS records for your signing domain, map the host subdomains listed in the
table to the corresponding out.mailcontrol.com domain. For example:

| Type | Host | Points to |
| --- | --- | --- |
| CNAME | fpkeyNNN-1._domainkey | fpkeyNNN-1._domainkey.out.mailcontrol.com |
| CNAME | fpkeyNNN-2._domainkey | fpkeyNNN-2._domainkey.out.mailcontrol.com |

Note
Keys are automatically rotated after six months. Forcepoint will publish the TXT
record for the secondary key (fpkeyNNN-2) six months after the creation of the
fpkeyNNN-1 record. Customers are required to add both CNAME entries at the
outset, so that key rotation can occur without further action needed.
Note that NNN in the examples above represents a number unique to your account.

Use the CNAME Record check function on the Antispoofing tab to ensure that your
CNAME records have been published correctly. See Enabling a DKIM signing rule,
page 101.
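
The two-record requirement above can also be checked offline before you enable a signing rule. The following is an added example, not Forcepoint code: it derives the expected CNAME pair for a signing domain and compares it with resolver answers that you paste in. The account code 123, the domain example.com and the sample answers are constructed.

```python
"""Check that both DKIM CNAME records for a signing domain are published.

Added example. The account code, domain and resolver answers are constructed;
substitute the values shown on your DNS Records & Service IPs page.
"""

SERVICE_SUFFIX = "out.mailcontrol.com"  # target domain named on the page


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def expected_cnames(signing_domain, account_code):
    """Return {owner name: expected target} for key 1 and key 2."""
    records = {}
    for key_index in (1, 2):
        host = f"fpkey{account_code}-{key_index}._domainkey"
        owner = normalize(f"{host}.{signing_domain}")
        records[owner] = normalize(f"{host}.{SERVICE_SUFFIX}")
    return records


def parse_answers(text):
    """Parse 'owner TTL IN CNAME target' lines (dig answer-section style)."""
    found = {}
    for line in text.splitlines():
        fields = line.split()
        if (len(fields) >= 5 and fields[2].upper() == "IN"
                and fields[3].upper() == "CNAME"):
            found[normalize(fields[0])] = normalize(fields[4])
    return found


def check_dkim_cnames(signing_domain, account_code, answers_text):
    """Return a list of problems; an empty list means both records are correct."""
    published = parse_answers(answers_text)
    problems = []
    for owner, target in expected_cnames(signing_domain, account_code).items():
        actual = published.get(owner)
        if actual is None:
            problems.append(f"missing CNAME for {owner}")
        elif actual != target:
            problems.append(f"{owner} points to {actual}, expected {target}")
    return problems


# Constructed answers: the second record was copied from the first and still
# points at key 1, so signatures made after key rotation would not validate.
SAMPLE_ANSWERS = """\
fpkey123-1._domainkey.example.com. 3600 IN CNAME fpkey123-1._domainkey.out.mailcontrol.com.
fpkey123-2._domainkey.example.com. 3600 IN CNAME fpkey123-1._domainkey.out.mailcontrol.com.
"""

if __name__ == "__main__":
    for problem in check_dkim_cnames("example.com", "123", SAMPLE_ANSWERS):
        print(problem)
```
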


Service IP addresses
Because Forcepoint Email Security Cloud is a hosted service, we are responsible for
managing system capacity. For this reason, we may occasionally choose to alter the
route of your email within our service. To enable us to do this seamlessly without
requiring you to make further changes, you must allow SMTP connections from all
the IP ranges listed under Service IP Addresses on this page. To access the Security
Portal, ensure that ports 80 and 443 are also permitted for these IP ranges.

Aliases

Related topics:
● Adding or modifying an alias
● Downloading and uploading aliases

Forcepoint Email Security Cloud can rewrite email addresses as email enters and
leaves your system. Aliases must be to and from domains associated with your
Forcepoint Email Security Cloud policies. Aliases let you rewrite email addresses
both inbound from the Internet and outbound to the Internet. When an alias has been
applied, email passes through the policy for the new address. Addresses in the SMTP
envelope and in those header fields defined in the standard Internet message format
(as defined in RFC 2822) are rewritten.
● An alias can apply both inbound and outbound. In this case, there is a one-to-one
mapping of an internal address to an external address and vice-versa. This is often
called masquerading an address.
● An outbound-only alias is also a one-to-one mapping.
● An inbound-only alias can be a one-to-one or a one-to-many mapping (a
distribution list). To specify a distribution list, separate email addresses with
commas.
● If an alias is neither inbound nor outbound, it is a disabled record.
To view the aliases that have been configured for your system, select Email >
Settings > Aliases.
To search for all aliases in the system, enter an asterisk in the Email address field,
check both the Inbound and Outbound check boxes, then click Search.
To narrow the list to specific entries, enter search criteria in the Email address field,
such as “*john*”. Wildcards are supported.


Adding or modifying an alias

Related topics:
● Aliases
● Downloading and uploading aliases

1. Select Email > Settings > Aliases > Add Alias.


2. Enter the internal and external addresses for which you want to create an alias.
3. Specify whether the alias applies to inbound mail, outbound mail, or both.
4. Click Submit to save your changes.

Downloading and uploading aliases

Related topics:
● Aliases
● Adding or modifying an alias

You can download the complete alias list as a comma-separated values (CSV) file.
You can then edit this using a simple text editor or a spreadsheet application such as
Microsoft Excel. If you are intending to upload aliases, be very careful not to change
the format of the file. The first line of the file is a header line - it must always be
exactly:
Inbound,Outbound,External,Internal

Subsequent lines follow this format:


yes,no,[email protected],[email protected]

All values must be separated by commas and enclosed in double-quotes if they
contain commas.
During the alias upload, Forcepoint Email Security Cloud performs a complete syntax
check before it imports the aliases to the system configuration. If it finds any errors, it
reports them and abandons the file import.
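
Because one syntax error abandons the whole import, it helps to check an edited file locally first. The following is an added example, not Forcepoint's own syntax check: it validates the header, the field count and the mapping rules from the Aliases section. It assumes that the Inbound and Outbound columns accept only yes or no and that a distribution list is written as a quoted, comma-separated Internal field; all addresses are constructed.

```python
"""Pre-upload check for an alias CSV file.

Added example. Assumptions not stated on the page: Inbound/Outbound accept
only yes/no, and a distribution list is a comma-separated Internal field.
All addresses below are constructed.
"""
import csv
import io
import re

HEADER = "Inbound,Outbound,External,Internal"
ADDRESS = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")  # deliberately simple
DIRECTIONS = {
    ("yes", "yes"): "both",
    ("yes", "no"): "inbound",
    ("no", "yes"): "outbound",
    ("no", "no"): "disabled",
}


def validate_alias_csv(text):
    """Return (rows, errors). Any error rejects the whole file, as the upload does."""
    lines = text.splitlines()
    if not lines or lines[0] != HEADER:
        return [], ["line 1: header must be exactly " + HEADER]
    rows, errors = [], []
    reader = csv.reader(io.StringIO(text, newline=""))
    next(reader)  # header was already compared character for character
    for fields in reader:
        where = f"line {reader.line_num}"
        if len(fields) != 4:
            # Typical cause: a distribution list that was not double-quoted.
            errors.append(f"{where}: expected 4 fields, found {len(fields)}")
            continue
        inbound, outbound, external, internal = (f.strip() for f in fields)
        if (inbound, outbound) not in DIRECTIONS:
            errors.append(f"{where}: Inbound and Outbound must be yes or no")
            continue
        targets = [address.strip() for address in internal.split(",")]
        for address in [external] + targets:
            if not ADDRESS.match(address):
                errors.append(f"{where}: invalid address {address!r}")
        if len(targets) > 1 and (inbound, outbound) != ("yes", "no"):
            errors.append(
                f"{where}: only an inbound-only alias may list several addresses")
        rows.append({
            "direction": DIRECTIONS[(inbound, outbound)],
            "external": external,
            "internal": targets,
        })
    if errors:
        return [], errors
    return rows, []


# Constructed files: one valid, one with three different mistakes.
GOOD_SAMPLE = """\
Inbound,Outbound,External,Internal
yes,yes,jane.doe@example.com,jdoe@corp.example.com
yes,no,sales@example.com,"amy@corp.example.com,raj@corp.example.com"
no,no,old@example.com,retired@corp.example.com
"""

BAD_SAMPLE = """\
Inbound,Outbound,External,Internal
yes,no,sales@example.com,amy@corp.example.com,raj@corp.example.com
no,yes,team@example.com,"amy@corp.example.com,raj@corp.example.com"
y,no,info@example.com,info@corp.example.com
"""

if __name__ == "__main__":
    for name, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        rows, errors = validate_alias_csv(sample)
        print(name, len(rows), "rows", errors)
```
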

Blacklists and whitelists

Related topics:
● Adding an entry to a whitelist or blacklist


1. Select Email > Settings > Black & White Lists to see which email addresses
have been black- or whitelisted for your account.
2. Enter search criteria into the fields provided, then click Search.

| Field | Description |
| --- | --- |
| Address Pattern | Enter a specific address for which to search, or use wildcards to expand your search. Enter an asterisk (*) to search for all addresses that have been black- or whitelisted. |
| Action | Select the type of search you want to perform. You can search for Accept actions (whitelist), Reject actions (blacklist), or both. |
| Minimum policies contained in | Indicate a policy threshold for your search. You can specify an interest in addresses that are black or whitelisted in at least nn policies. |

The resulting screen shows black- or whitelisted addresses that appear in the specified
number of policies for your account.
To manage blacklists and whitelists for your policies or end users, go to the Antispam
tab for the policy. See Adding an entry to a whitelist or blacklist, page 93 for more
information.

Personal Email Subscriptions

Related topics:
● Subscriptions tab
● Settings tab
● Text and Language tab
● Bulk Upload tab
● Requesting a message report
● Understanding the report

To configure the content of email message reports sent to end users, select Email >
Messages > Personal Email Subscriptions. The personal email subscription gives
end users a summary of the messages that they have received and sent.
You can choose to subscribe your end users to personal email message reports via the
portal. Users receive a single report in the format that you configure, and the report
contains a link that a user must click to receive the report on a weekly basis.
Otherwise, to receive a report, users must request it via a website. They can also
subscribe to the report for automatic delivery. For information on the contents of the
report and the request process, see End-User Self Service, page 147.
On the Personal Email Subscriptions page, there are 4 tabs:


● Subscriptions
● Settings
● Text and Language
● Bulk Upload

Subscriptions tab

Related topics:
● Personal Email Subscriptions
● Settings tab
● Bulk Upload tab
● Text and Language tab

In the Subscriptions tab, you can see a list of the recipients of a personal email
subscription, the email addresses or accounts covered in the subscription, and a
description of the subscription, if provided. Optionally, you can filter elements in the
list.
To create a new personal email subscription for an end user:
1. Click Add.
2. Under Subscription, enter an email address for the Recipient, and optionally,
enter a Description.
3. Under Manage Accounts, enter any other email aliases or accounts that you wish
to consolidate into this subscription.
Enter one email address at a time, clicking Add Address after each. If you choose
to consolidate multiple email addresses into one report, the recipient gets a report
containing details of all sent and received mail for all associated email addresses.
Note that any whitelist or blacklist entries associated with the email addresses are
not merged – i.e. if a sender has previously been whitelisted for one address, it is
not automatically whitelisted for other addresses in the same report subscription.
However, if the report recipient later chooses to whitelist or blacklist an address
by clicking the Whitelist or Blacklist buttons in the report, it will apply to all
email accounts or aliases associated with the report.
4. Under Report Options, define the following options:
■ Select the Email types to include in the report.

■ Choose how information about quarantined and non-quarantined messages
should be sorted: by status, date/time, subject, from, or to. You can then define
ascending or descending order. Note that clean messages will always be
shown by date and time.

Note
Subscriptions to the Forcepoint Email Security Cloud message report lapse after 93
days. 62 days after subscribing, each time users receive a report, they are reminded
that they should renew their subscription. To see the expiration date for a
subscription, go to Reporting > Account Reports > Services. In the Show drop-
down list, choose Personal Email Subscriptions - Subscriptions. Click Generate
Report. The report includes the expiration date as well as recipient and subscriber
addresses.

■ Select the language and time zone you want reflected in the report.
5. Click OK. This becomes the default configuration for all future message reports.
You can change this configuration at any time.
To edit existing subscriptions, click on the pencil icon next to the recipient’s name.
The Edit Subscription box appears in which you can perform the same steps outlined
above.

Settings tab

Related topics:
● Personal Email Subscriptions
● Subscriptions tab
● Bulk Upload tab
● Text and Language tab

The Settings tab shows the default settings for your personal email subscription
reports, which are used when an end user first subscribes and if new subscriptions are
created via LDAP synchronization. In Settings, you can perform actions, such as
allowing end users to modify report content, and several other features described
below. Report options that you define when adding a new subscription override these
general settings.

Note
These settings are used as the default options for new subscriptions. Changing these
settings does not modify existing subscriptions.

Below is a summary of what you can do. Click Apply after you’ve made your
selections.


Fallback language
For Fallback language, specify the language to use when the end user’s browser uses a
language for which there are no translations available.
There are 14 languages available:
● Czech
● Dutch
● English (U.K.)
● English (U.S.)
● French
● German
● Greek
● Italian
● Polish
● Portuguese
● Portuguese (Brazilian)
● Romanian
● Slovak
● Spanish
● Swedish

Fallback timezone
Use the Fallback timezone drop-down to specify the default timezone used in the
report.

Report frequency
Select how often the message report should be delivered.
If you select daily or weekdays, you can also configure multiple reports to be sent
each day by choosing the hours when the report should be generated. Note that the
maximum frequency is every 3 hours, so if you click 6, for example, 7 and 8 are
disabled and the next hour you can select is 9.

Reporting period
Select the period over which the report will be run. This defines how many days’
worth of data is included in the report. Select a period between 1 day and 30 days.

Report content
Use the check boxes to indicate which of the 6 possible sections to include in the
message report:

● suspicious messages that have been quarantined (received and sent)
● suspicious messages that have not been quarantined (received and sent)—for
example discarded or bounced messages, or a message that has had its subject line
tagged because it matched a lexical rule
● clean messages (received and sent)
In the Sort by area, indicate the order in which you want suspicious and clean
messages to be sorted:
● Date/Time
● Subject
● Originator
● Recipient
● Status
Also indicate whether you want the quarantined or non-quarantined messages to be
sorted in ascending or descending order.

Allow end users to modify report content


Check this box if you want to allow end users to customize the content to include in
their message reports and the order of that content. When this is checked, end users
are given access to a customization page on their report. Any changes they make
override your settings here.

Allow delivery of empty reports


Check this box if you want to send reports to end users even when there is no content
to include in the report. If you do not check the box, the report is not sent if there is
nothing to go into it.

List previously released messages


This box is checked by default. Check the box if you want to include in the report all
messages that have already been released from quarantine, either by an administrator
or the end user. Clear the box to remove all previously-released messages from the
report.

Subscribe users from future user directory synchronizations

Note
This option may not be available in your account. To enable the option, contact
Support.

If you are synchronizing your end users with the cloud service using the Directory
Synchronization Client, you can check the Subscribe users from future user
directory synchronizations box to subscribe new end users to the personal email
reports rather than asking them to subscribe themselves. After you have checked this
box, whenever there is an update of users in the directory and the update is
synchronized to Forcepoint Email Security Cloud, the new users are automatically
subscribed to the report.
Optionally, you can click Subscribe current users to subscribe all of your
synchronized end users currently in the cloud.
The subscribed end users get a report in the format defined on this page. The report
includes a link that, when clicked, subscribes the end user to the report on a weekly
basis.

Text and Language tab

Related topics:
● Personal Email Subscriptions
● Subscriptions tab
● Settings tab
● Bulk Upload tab

When a report is requested or scheduled for delivery, Forcepoint Email Security Cloud
sends an email message that includes the personal email subscription report. To edit
the text that appears in the email message, select Email > Messages > Personal
Email Subscriptions, then go to the Text and Language tab.
Click Add to select a language for which you want to customize the text. Then follow
the steps described below.
On the resulting screen:
1. From the Language drop-down menu, select the language you wish to use.
2. To specify customized email subject lines:
■ Clear the Use the default value boxes.
■ Supply a subject line for normal circumstances, one that you would like to
appear when a user’s report subscription is about to expire, and one to appear
after it has expired.
3. Click Submit.
If you do not have any report content selected, an error results. Return to the
Personal Email Subscriptions page, click Edit, check some boxes under Report
content and try again. If the submission is accepted, Edit Source buttons appear.
4. Click Edit Source to customize the message text that appears at the top or bottom
of the message. This allows you to edit the HTML source code for the message.
5. Type in the text editor’s entry field.
You can also include predefined keywords in the text (for example,
_TOTAL_RECEIVED_). When the report is generated, keywords are substituted
with data, such as the total number of messages received.


To view the keywords that are available for substitution, click View available
keyword substitutions. Click a keyword to paste it into the cursor position in the
active field.
6. Click Submit.
7. To view how the message looks to users, click View Report.
To put your customizations into effect, click Enable this customization, then click
Submit. If you do not click Enable this customization, the text set for the default
account is used. Click Edit to go back and edit the check boxes for email subject and
Enable this customization.
Choose another language to edit if desired and customize the message for that
language in the same way. Be sure to enable it before you submit it if you want it to
take effect.
New languages that you add appear on the Text and Language tab page with a check if
enabled. You can click on the link to the language, such as “en-us - English (US)” to
edit the email message text for that language.

Bulk Upload tab

Related topics:
● Personal Email Subscriptions
● Subscriptions tab
● Settings tab
● Text and Language tab

To upload multiple email aliases in CSV format, do the following:


1. Go to Email > Messages > Personal Email Subscriptions.
2. Open the Bulk Upload tab.
3. Browse to the CSV file that you wish to upload.
4. Click Upload.
Note that the uploaded CSV file updates existing subscriptions, adds any new
subscriptions, and deletes existing subscriptions that are not in the CSV file. You can
also download and edit current subscriptions from this page.
If you want to include the time zone for the report subscriptions in the bulk upload,
you can download a list of all the supported time zones.


Email notifications

Related topics:
● Adding notifications
● Editing notifications

Notification messages can be sent when email is quarantined for any reason. Use the
Email > Policy Management > Notification Email screen to view, edit, and delete
notification messages.
Click Add Notification on the Notification Email screen to create a new notification
message, or click the name of an existing notification message to edit the message
contents and properties. (See Adding notifications, page 56, or Editing notifications,
page 58, for more information.) On this page, you can also set the time zone to use for
dates that are included in notifications and park attachment annotations by clicking on
the link next to Time Zone.
You can set up separate notification messages for different types of policy breaches
and notifications to be sent to the intended recipient of an inbound email, the
postmaster, and to other addresses of your choice within policies. You can also notify
senders of outbound email but only if the outbound email is being sent from an
address within your organization, not from an external address. Note that you cannot
notify recipients of outbound messages.
Use the General and Content Filter policy tabs (navigate to Policy Management >
Policies and click a policy name) to configure when notification messages are sent
and which notification messages are used in each policy. (See General tab, page 68,
and Content Filter tab, page 103, for more information.)

Note
By default, Forcepoint Email Security Cloud does not send a notification when
email is quarantined as spam. A quarantine-notify disposition is available, but its use
is not recommended.

Adding notifications

Related topics:
● Email notifications
● Editing advanced encryption settings

Click Add Notification on the Notification Email screen to write and configure a
custom notification message from scratch, rather than using the default message.

1. Define a name and description for the notification message.
2. Select Copy configuration from existing notification to use an existing
notification as a template for creating this one. Selecting this option copies the
following data from the specified message:
■ Subject line prefix
■ Message body
■ Domain variations
3. Enter a subject line prefix (optional).
Note that if you type _SENDER_ as part of the subject line prefix, this variable is
replaced with the envelope sender address when the notification is generated.
4. If you want to change the character set used in the message (UTF-8 by default),
select Change character set and select from the drop-down menu.
5. Enter the text for the notification in the message body field.
To view and use supported variables and tokens in notification messages, click
Variables/tokens in the top toolbar.

| Variables/tokens | Description |
| --- | --- |
| _msgurl_ | Generates a partial URL that gives access to the message held in quarantine. Embed it using the syntax .... |
| _NOTIFIED_RECIPIENTS_ | Generates a string if the intended recipients have been notified. |
| _RECIPIENTS_ | The intended recipients of the message. |
| _DATE_ | Displays the date Forcepoint Email Security Cloud received the email that generated the notification. The date is based on the time zone set on the Notification Email screen. |
| _DISPOSITION_ | What happened to the message causing the notification. This usually takes the value “quarantined.” |
| _NOTIFIED_ADMIN_ | Generates a string if the specified postmaster has been notified. |
| _MESSAGEID_ | The ID as specified in the message headers. |
| _ENDIF_ | End of a _IF_QUARANTINE_ or _IF_ENCRYPT_ block |
| _IF_ENCRYPT_ | Place this at the beginning of a section that is relevant only if the message has been encrypted. The section must end with _ENDIF_. |
| _NOTIFIED_SENDER_ | Generates a string if the originator has been notified. |
| _ADMIN_MAIL_ | The postmaster address for the policy. |
| _DOMAIN_ | The domain associated with the currently active policy. |
| _IF_QUARANTINE_ | Place this at the beginning of a section that is relevant only if the message has been quarantined. The section must end with _ENDIF_. |
| _SENDER_ | The message originator. |
| _SUBJECT_ | The subject of the message. |

6. If you want to edit a separate plain text version of the notification message, select
Edit a separate plain text version.
7. If you want to send a separate version of this message to specific domains when
this notification is enabled, select Send variations of this message for specific
domains. The Add Domain Variation screen appears.
a. Select or enter the intended domain in the Domain field.
b. Specify a Subject line prefix (optional).
c. Enter the text for the notification in the message body field.
d. Click Save.
e. If you want to add additional variations for other domains, you can repeat
this process by selecting Add variation (the button will be disabled when
all domains have a variation assigned to them).
8. Click Save Changes when done.
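
A notification body can be checked against the variables/tokens table before it is pasted into the editor. The following is an added example, not part of the product: it reports tokens that are not in the table, conditional blocks that are not closed with _ENDIF_, and which tokens insert values taken from the triggering message. The template text is constructed, and exact-case token matching is an assumption.

```python
"""Lint a notification message body against the variables/tokens table.

Added example. Token names come from the table above; the template text is
constructed. Matching tokens by exact spelling is an assumption.
"""
import re

SUPPORTED = {
    "_msgurl_", "_NOTIFIED_RECIPIENTS_", "_RECIPIENTS_", "_DATE_",
    "_DISPOSITION_", "_NOTIFIED_ADMIN_", "_MESSAGEID_", "_ENDIF_",
    "_IF_ENCRYPT_", "_NOTIFIED_SENDER_", "_ADMIN_MAIL_", "_DOMAIN_",
    "_IF_QUARANTINE_", "_SENDER_", "_SUBJECT_",
}
OPENERS = {"_IF_QUARANTINE_", "_IF_ENCRYPT_"}
# Values copied from the message that triggered the notification, so their
# content is chosen by whoever sent that message.
FROM_MESSAGE = {"_SENDER_", "_SUBJECT_", "_MESSAGEID_"}
# A token is letters and underscores wrapped in underscores, not glued to
# other word characters (so snake_case_text is ignored).
TOKEN = re.compile(
    r"(?<![A-Za-z0-9_])_[A-Za-z]+(?:_[A-Za-z]+)*_(?![A-Za-z0-9_])")


def lint_template(body):
    """Return {'problems': [...], 'from_message': [...]} for a message body."""
    problems = []
    open_blocks = []  # stack of (opener token, line number)
    from_message = set()
    for line_no, line in enumerate(body.splitlines(), start=1):
        for match in TOKEN.finditer(line):
            token = match.group(0)
            if token not in SUPPORTED:
                problems.append(f"line {line_no}: unsupported token {token}")
            elif token in OPENERS:
                open_blocks.append((token, line_no))
            elif token == "_ENDIF_":
                # The page does not say whether blocks may nest; this check
                # only balances openers against _ENDIF_.
                if open_blocks:
                    open_blocks.pop()
                else:
                    problems.append(
                        f"line {line_no}: _ENDIF_ without an opening _IF_ token")
            elif token in FROM_MESSAGE:
                from_message.add(token)
    for token, line_no in open_blocks:
        problems.append(f"line {line_no}: {token} is never closed with _ENDIF_")
    return {"problems": problems, "from_message": sorted(from_message)}


# Constructed template: line 4 uses a personal-report keyword that is not a
# notification token, and the block opened on line 2 is never closed.
SAMPLE_TEMPLATE = """\
Message from _SENDER_ with subject "_SUBJECT_" was _DISPOSITION_ on _DATE_.
_IF_QUARANTINE_
Contact _ADMIN_MAIL_ to request release.
You received _TOTAL_RECEIVED_ messages this week.
_IF_ENCRYPT_
This message was encrypted.
_ENDIF_
"""

if __name__ == "__main__":
    report = lint_template(SAMPLE_TEMPLATE)
    for problem in report["problems"]:
        print(problem)
    print("values taken from the message:", ", ".join(report["from_message"]))
```
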

Editing notifications

Related topics:
● Email notifications
● Adding notifications

Click the name of a notification message on the Notification Email page to edit the
contents of the notification, the character set used, and variations of the message for
specific domains.
For information about configuration options, see Adding notifications, page 56.

Configure block and notification pages

Related topics:
● Editing block and notification pages


Use the Email > Policy Management > Block & Notification Pages page to view
and edit block and notification pages.
When an email policy denies access to a resource or needs to inform the user of an
event, it can serve any configured notification page. There is a standard set of pages
included with your email product, and you can either modify these to suit your needs,
or add your own pages. You can then refer to the notification pages from any of your
policies.
Standard block and notification pages include:
Phishing (See Phishing, page 80)
Phishing Attack Blocked – This page provides information about phishing
emails, including a definition of phishing, a description of common tactics, and an
example of a phishing email message. You can either modify this to suit your
needs, or add your own page. The page is then used if a user clicks a link in an
email that is classified as part of a phishing attack.
URL Sandboxing (See URL Sandboxing tab, page 84)
Analysis Declined – This page displays when the user elects to not analyze a
suspicious link. (See Prompt for Analysis, below.) The default page title is
Analysis Declined.
Malicious Threat Detected – This page displays when a suspicious link is
determined to be malicious and is blocked. The default page title is Access
Denied.
Prompt for Analysis – This page displays when a user clicks on a suspicious link
in an email. This page notifies the user and gives the user the option to analyze the
link. (The other standard notification pages handle the possible outcomes.) The
default page title is Suspicious Link.
URL Verified – This page displays when an analyzed link is determined to be
safe. The default page title is URL Verified.
Uncategorized URL – This page displays when the link submitted for analysis
cannot be categorized. The default page title is Access Denied.
Unreachable URL – This page displays when a link cannot be reached. The
default page title is Unable to Analyze.
Unsupported Protocol – This page displays when the protocol is not supported
for analysis. The default page title is Unable to Analyze.
The pages are grouped for ease of navigation. Click a down arrow next to a group
name to see a list of all the pages within that group. To see all available pages, click
All.

Note
Pages that you create are listed under Custom.
To delete a custom page, click the delete icon next to the page name. The delete icon
is displayed only if the custom page is not used in any policies.


Click the name of a page to edit its contents.


To create a new notification page:
1. Click New Page.
2. Enter a Name for the new page.
3. Enter a short Description of the page. This appears under the page name in the
Block & Notification Pages list, and should clearly identify the purpose of the
page to any administrator.
4. Click Save.
The Page Details page is displayed, with the name and description at the top. You
can now edit the page as required.
For information about editing the content of a new or existing block page, see Editing
block and notification pages, page 61.
If you are also a web protection customer, you can configure default options for your
web policy block and notification pages. See Default notification page settings, page
103.

Default block and notification page settings


Use the Settings area to configure default options for your block and notification
pages. You can override any of these settings for individual pages.

Default language
The default language for block and notification pages is English. You can change this
by selecting a different language from the Default language drop-down list.
If you select a different default language and then click Save, your changes are
immediately visible to end users. Ensure that you have saved pages in the new default
language; if a page is not available in the new default language, the English page is
displayed.

Default logo
By default, the logo displayed on the notification pages is the Forcepoint Email
Security Cloud company logo. To change the logo:
1. Click Edit. The Default Logo popup window is displayed.
2. Select Custom images, and enter the URL of the image you want.
The image must be a JPEG, GIF, or PNG file. Click Verify Image to confirm the
format and location of the image file.
3. Click OK. The new logo is displayed in the Settings area.
4. Click Save.


Default footer text


Any footer text that you specify appears at the bottom of each notification page. You
may wish to use this area to provide contact information for end users.
To change the footer text:
1. Click Edit. The Footer Properties popup window is displayed.
2. Enter or edit text as required.
You can select all or part of your text and use the text formatting buttons to add
bold, italic, color and other formatting. Hover over each text formatting button to
see its function.
3. Click OK when done. The new footer text is displayed in the Settings area.
4. Click Save.

Editing block and notification pages


Each block and notification page is a complete HTML page. The Page Details page
presents a simple view of the page with editable sections, enabling you to customize
the text and images.
To change the content of a block or notification page:
1. For custom pages, click Edit to update the page Name or Description. Click Save
when done.
2. To change the page name that appears in the browser’s title bar, edit the Page title
field.
3. Hover your mouse over the page content to highlight the sections that are editable.
To edit a line of text or block of content, click its section to open a text editor
window.
4. Edit the text as required.
You can select all or part of the text and use the text formatting buttons to add
bold, italic, color and other formatting. Hover over each text formatting button to
see its function.
Click OK when done.
5. To edit the page footer:
a. Click the footer section to open a text editor window.
b. Enter the footer text to use for this notification page. You can select all or part
of the text and use the text formatting buttons to add bold, italic, color and
other formatting.
c. Click OK when done.
6. To edit an image on the page:
a. Click on the image. The Image Properties popup window is displayed.
b. To use one of the standard images, select Standard images and click on the
image you want.
c. To use an image of your choosing, select Custom images and enter the URL
of the image you want.
The image must be a JPEG, GIF, or PNG file. Click Verify Image to confirm
the format and location of the image file.
d. Click OK.
7. To view and edit the HTML source, click HTML Editing. Any valid HTML may
be used within a notification page.

Note
If you edit a page in the HTML view and then click Basic Editing to return to the
basic editor, you will lose any changes made in the HTML view.

8. To see how the page appears to end users, click Preview. The page appears in a
separate window.
9. Click Save when done.
If you want to discard customizations made to a standard page, click Revert to
Default. This removes all changes that have been made to the page in your account,
and reverts the page to the original one supplied in Forcepoint Email Security Cloud.

Image whitelist

Select Email > Settings > Image White List to view and edit the list of images that
are not analyzed by Forcepoint Email Security Cloud.

Note
You must have the Forcepoint Email Security Image Analysis Module to use this
feature.

Add images to the whitelist if they are known to be clean – for example, you might
want to add acceptable images that have been quarantined to ensure they do not get
blocked in future.

Note
You can whitelist images directly from the Message Center. See Managing
quarantined images, page 146.

The image whitelist can contain a maximum of 200 images. Images are displayed in
the order they were added, with the most recent at the top.
To add an image on the Image White List page:
1. Click Browse, and navigate to the location of the image file on your network.
2. Select the image, then click Open.
3. Click Upload.
The image is added to the top of the whitelist.
4. To edit the image name, click the pencil icon under the image thumbnail and enter
the new name. Click to confirm the name, or to cancel the edit.
To remove an image from the whitelist, click the icon in the top right corner of the
image thumbnail.

Email connectivity testing

If you think that inbound or outbound messages are not being delivered, use the mail
testing options to check connectivity. The inbound mail test checks your MTAs and
performs testing for the domain you specify, optionally based on sender and recipient
addresses. The outbound mail test requires sender and recipient information to
perform checks on whether mail is being routed correctly.
● Inbound mail testing
● Outbound mail testing
● Viewing results

Inbound mail testing


To perform an inbound mail test:
1. Go to Email > Messages > Toolbox.
2. Select the Inbound Mail Test tab.
3. Select the domain you wish to check against.
4. Optionally, enter a sender address.
5. Optionally, enter a recipient address.
6. Click Run Test.
Running the test does the following for all the connections and mail routing rules that
apply to the specified domain:
● Checks connectivity to your MTA
● Performs a full SMTP test
● Checks TLS functionality
● Generates a message from the cloud email service to your selected domain
If one of these tests fails, subsequent tests are not performed.

Outbound mail testing


To perform an outbound mail test:
1. Go to Email > Messages > Toolbox.
2. Select the Outbound Mail Test tab.
3. Enter a sender address. This must be for a domain registered and checked with
your cloud service account.
4. Enter a recipient address.
5. Click Run Test.
Running the test does the following:
● Checks the outbound route connectivity to the recipient domain
● Generates a message from the cloud email service to your selected recipient
domain using TLS

Viewing results
Feedback is displayed in a popup on screen while the tests are running, and results are
displayed on the page once available. Click Download Full Results to download
detailed results to a text file in a location of your choice.
You may see one or more of the following in your results:

Problem: SMTP Test Failure
Resolution: The cloud service could not connect to port 25 on your connection.
Confirm port 25 is open, and also check the text file for traceroute results for
that connection, to see where the connectivity error occurs.

Problem: Server Security Error
Resolution: The cloud service could not connect to your domain using the security
settings specified in the connection. This may be due to one of the following:
● The host name could not be verified against the certificate. Ensure the common
name on the certificate matches the MTA with which the cloud service is
communicating.
● The security settings are set to Encrypt or Encrypt+CN and the certificate is
not from a trusted certificate authority (CA).
● The connection does not support the encryption strength set in the policy
(encryption algorithms must support a 128 or 256 bit key).

Problem: TLS error
Resolution: The cloud service could not send a message to either the connection
or the mail recipient using TLS. If you have enabled mandatory TLS, ensure all
security settings between the cloud service, your MTAs, and all required
third-party MTAs are configured correctly.

Problem: Outbound route connectivity failure
Resolution: The cloud service could not connect to the recipient domain’s MTA.
This may be because port 25 is not open, or because the connection attempt timed
out.


URL Sandboxing utility

Related topics:
● URL Sandboxing tab
● URL sandboxing exceptions

With URL sandboxing, if users click on a link within an email and that link or
elements associated with that link are suspicious, they receive a warning that “The
link may not be safe.” To view details of a URL that has the URL sandboxing feature
applied to it:
1. Go to Email > Messages > Toolbox and select the URL Sandboxing Utility tab.
2. Enter a sandboxed URL, and then click Submit to show the original URL and its
recipient, security and policy settings. An administrator in the account that
sandboxed the URL sees:

Sandboxed URL: Shows the sandboxed URL entered.
Original URL: Shows the original URL before sandboxing.
Block Policy Flags: Shows if the recipient is allowed to see unclassified URLs.
Also shows if suspicious URLs are masked for the recipient.
Policy Name: Shows the name of the policy that owns the recipient domain.
Recipient: Shows the email address of the recipient of the message containing
this URL.

An administrator in the account that did not sandbox the URL only sees:
● Sandboxed URL
● Original URL
● Block Policy Flags
● Recipient email address


5 Defining Email Policies

Related topics:
● General tab
● Domains tab
● Connections tab
● Antivirus tab
● URL Sandboxing tab
● Antispam tab
● Antispoofing tab
● Content Filter tab
● Encryption tab

To configure an email policy, select Email > Policy Management > Policies, then
click the name of the policy to configure. If you have not previously configured a
policy, click the policy named DEFAULT. You can rename the default policy to
something more meaningful to your organization, especially if you plan to create
multiple policies.
Notice that each policy has multiple tabs to configure:
● General tab
● Domains tab
● Connections tab
● Antivirus tab
● URL Sandboxing tab
● Antispam tab
● Antispoofing tab
● Content Filter tab
● Encryption tab
Click the link to learn how to configure each one of these settings. Standard account-
level settings are shown in Standard Email Configuration.


Use the Policy Management > Notification Email screen to configure notification
messages sent when email is quarantined (see Email notifications, page 56 for more
information).

General tab

The General tab lets you perform general functions on your email account. There are
2 functional areas on this screen:
● General policy information
● Notifications and Annotations
To change a policy name or postmaster address for a policy, click Edit under the
general policy information.
To enable notifications or annotations for inbound mail, click Edit in the Inbound box.
To enable notifications or annotations for outbound mail, click Edit in the Outbound
box.
On the resulting screen, use the check boxes to indicate whether you want to notify
senders, recipients, or others, and whether you want to annotate messages. You can
only notify senders of outbound email if the outbound email is being sent from an
address within your organization, not from an external address. Note that you cannot
notify recipients of outbound messages.

General policy information


To change a policy name or postmaster address for a policy, click Edit in the top
section of the General tab.
Complete the fields as follows:

Field: Policy Name
Description: Enter a name for the policy.

Field: Postmaster
Description: Enter an email address for the postmaster. The postmaster address is
used as the address from which system notifications are sent. Your users may
occasionally reply to these notifications, so this should be an email address
that is monitored by your IT staff or administrative contact.

Click Submit when you’re done.

Notifications
Notification messages can be sent when email is quarantined for any reason. Use the
Policy Management > Notification email screen to view, edit, and delete notification
messages. For more information, see Email notifications, page 56.


In a policy, you can set up different notifications to be sent for inbound and outbound
messages.
To define the notifications used in a policy:
1. On the General tab, click Edit under either Inbound or Outbound.
2. Specify who receives a notification message when an email is quarantined. You
can select the recipient (for inbound messages only), the sender (for outbound
messages only), the administrator, or others. If you select Others, enter the email
address(es), separated by commas.
3. For each option that you specify in step 2, select a notification message from the
drop-down list.
4. Click Submit.

Annotations

Related topics:
● Editing an annotation
● Report this email as spam

Annotations are added to messages as they pass through Forcepoint Email Security
Cloud. By default, they are set up for entire policies; however, you can also set up
more specific annotations.
Examples of annotations that you might add to inbound messages are, “Click here to
report this message as spam,” and “This message has been analyzed for malware by
Forcepoint Email Security Cloud.”
For inbound email, you can create annotations specific to each domain in your policy.
For outbound email, you can create annotations specific to an arbitrary list of sender
domains, sender email addresses, or groups.
If you have the Forcepoint Email Security Encryption Module, you can also add
specific annotations for decrypted messages. These annotations are created from the
Encryption tab; see Editing advanced encryption settings, page 135.

Editing an annotation

Related topics:
● Adding annotations

Because email can be sent as HTML or plain text, Forcepoint Email Security Cloud
maintains two versions of each annotation. To edit an annotation:
1. On the General tab of a policy, click one of the annotation links (taking care to
choose an Inbound or Outbound annotation).

Note
If you are adding an annotation for a decrypted message on the Encryption tab,
click Edit, then click the annotation link.

2. On the resulting screen, click the annotation name of interest, or click
*.* [default] to view the default annotation.
3. Indicate where you want annotations to be placed in each message by selecting
Top or Bottom from the Position drop-down list.
4. Choose a default character set from the drop-down list.
5. Click Edit HTML. For best results, use the most recent version of Internet
Explorer available.
6. Make whatever changes you wish to the annotation. The limit is 4 KB.
If you want to embed a message in the annotation, use the substitution tag
_MESSAGE_. When the _MESSAGE_ tag is present, Forcepoint Email Security
Cloud ignores the “Top” or “Bottom” setting and wraps the annotation around the
message text. You can use this tag to add annotations to the top and bottom of
messages at the same time.
7. Click Submit to save your changes.
8. Click Edit Plain Text.
9. Repeat your text changes. Plain text messages also have a 4 KB limit.
10. Click Submit.
11. Repeat for each annotation that you want to edit.

Note
If your HTML annotation contains a block of text, it is recommended that you split
up the lines with line breaks. Lines longer than 190 characters can cause unwanted
exclamation marks to appear in the annotation.

Make sure that annotations are enabled for this policy by checking the annotation box
on the policy page.

Report this email as spam

Important
If you choose to edit the default inbound annotation, you lose the Report this email
as spam feature. See Report this email as spam, page 70 for more information.

We strongly recommend that you apply the default inbound annotation “Click here to
report this email as spam.” For new policies, this annotation is enabled by default.
This gives users immediate feedback and helps us tune our spam filter for future
releases. Here is the feedback that users receive when they click this link:

To aid in the process of spam tuning, when you use the “Report as spam” annotation,
we recommend that you configure Forcepoint Email Security Cloud to keep a private
copy of clean email messages for a short period, separate from the quarantine area (see
Keep a copy of clean messages, page 88). If Forcepoint Email Security Cloud has the
original message available, our operations staff and automated systems can analyze
the message.

Adding annotations
If desired, you can write an annotation message from scratch rather than editing the
default. Just click Add on the Inbound or Outbound Annotations screen.
On the resulting screen:
1. Choose the domain or address list to annotate.
2. Choose the position of the screen on which to put the annotation: bottom or top.
3. Choose the default character set to use.
4. Enter text into the text editor as desired.
5. Click Submit when done.
Make sure that annotations are enabled for this policy by checking the annotation box
on the policy page. A check indicates enabled. An X indicates disabled.

Domains tab

Related topics:
● Adding domains

Select the Domains tab on the policy to view or change domains for the policy.


Each Forcepoint Email Security Cloud policy applies to a set of domains. Before a
domain is accepted by Forcepoint Email Security Cloud and processed according to
your policy, it must first be checked to ensure that we can deliver mail for the domain
to your mail server and that the domain does in fact belong to your company.
The Route Status column displays the result of the inbound route check. The
Ownership Status column shows the result of each domain’s ownership check. Status
can be Unchecked (awaiting validation or check failed; unavailable for use within
policy), or Checked (check passed; active within policy). To view more details of the
domain and its status, click the domain name link. If your domain has failed one or
both of its checks and the domain does belong to you, please contact Support.
When viewing a domain for a policy, click Show MX records to check the MX record
configuration for the domain.

Adding domains
To add domains to any policy (including the default policy), you must first set up a
valid inbound connection on the Connections tab, page 74 that will accept messages
for the domain you plan to add. A valid inbound connection is one that accepts
messages on port 25 for the domain. If it is behind the firewall, the firewall must allow
email traffic from the IP address ranges listed on the DNS records and service IP
addresses, page 46 page. The connection is checked as part of the validation.
To add a domain or sub-domains to the policy:
1. Click Add on the Domains tab.
2. Enter the domain name in the Domain field.
3. To apply the policy to all sub-domains in the current domain, select Include sub-
domains.
4. Click Submit.
At this stage Forcepoint Email Security Cloud checks for a valid inbound connection
for this domain and displays the result on the Add Domain screen. If it cannot find or
validate a connection, an error message appears.

Important
The inbound connection checking does not guarantee the correct delivery of email
messages. It is strongly recommended that you run your own testing on the inbound
connection that you have specified.

The Add Domain screen also displays the following options for you to verify
ownership of the domain you have entered. The ownership check initially displays as
Failed, because it cannot succeed until you have done one of the following:
● Create a CNAME record in your DNS that aliases the character string shown on
the screen to autodomain.mailcontrol.com. For more information, see CNAME
records and A records, page 73.
● Create an A record for the character string shown on the screen, pointing to the IP
address of autodomain.mailcontrol.com. For more information, see CNAME
records and A records, page 73.
● Add your customer-specific DNS records into your MX records in your DNS. For
more information about adding and editing MX records, see MX records, page 74.
Once you have made one of the above changes, click Check Now.

Important
If you choose to use MX record verification, the service will accept email messages
for this domain as soon as the MX records are set up.

If you return to the list of domains on the Domains tab before the required record has
been added or successfully propagated, the details you entered appear in the domain
list with the status Unchecked. Once you have created the required records, click the
domain name to view the details, and then click Check Now again to retry the
validation.

Important
Do not configure domains until you are ready to verify ownership, because all
domains are marked Rejected after 7 days if ownership verification has not been
completed. You must then call Support to edit or re-enable the domain.

CNAME records and A records


Contact your DNS manager (usually your Internet service provider) and ask them to
set up either a CNAME record or an A record as directed on the Add Domain page.

CNAME records
CNAME records are used to assign an alias to an existing hostname in DNS.
A CNAME record might look like this:
abcdefgh.mydomain.com CNAME autodomain.mailcontrol.com.

Where CNAME indicates that you are specifying a CNAME record.


Make sure you include the trailing period in the domain name. Both the domain name
and the character string are provided on the Domains screen when you add a new
domain.
The above example indicates that abcdefgh.mydomain.com is forwarded to
autodomain.mailcontrol.com. This enables Forcepoint Email Security Cloud to
confirm that you own mydomain.com.

A records
An A record is the Address record which maps a domain or subdomain to a valid IP
address. In this case, it is matching a character string provided on the Add Domain
screen. The record indicates that the specified string can be reached at the given IP
address.
An A record might look like this:
abcdefgh.mydomain.com IN A 86.111.217.190

Where
● IN indicates Internet
● A indicates the Address record.
The above example indicates that the IP address for abcdefgh.mydomain.com is
86.111.217.190.

MX records
An MX record is an entry in a DNS database that defines the host willing to accept
mail for a given machine. Your MX records must route email through Forcepoint
Email Security Cloud to your Internet mail gateway.
Your DNS records, which end in in.mailcontrol.com, are available on the DNS
records and service IP addresses page.
Contact your DNS manager (usually your Internet service provider) and ask them to
set up or replace your current MX records for the domain you have added with the
customer-specific DNS records listed on the DNS records and service IP addresses
page (the ones that end in in.mailcontrol.com). For example, they might change:

Change: MX Preference 1
From: mydomain.com. IN MX 50 mail.mydomain.com.
To: mydomain.com. IN MX 5 cust0000-1.in.mailcontrol.com.

Change: MX Preference 2
From: mydomain.com. IN MX 51 mail.mydomain.com.
To: mydomain.com. IN MX 5 cust0000-2.in.mailcontrol.com.

Make sure they include the trailing period, and ask them to set both of these records to
an equal preference value.
It can take up to 24 hours to propagate changes to your MX records across the
Internet. During this time, you should keep your previous mail routing active to ensure
all your mail is delivered: while your MX records are changing over, some mail will
be delivered using your old MX information, and some mail will be delivered using
your new MX information.
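A pre-flight check for the records described in the CNAME and MX sections above, as an added example that is not Forcepoint code: it parses zone-file style lines and reports a missing trailing period, an ownership CNAME with the wrong target, MX records that do not route through the service, and unequal preference values. The function names and the simplified line parser are assumptions; abcdefgh and cust0000-N are the page's own illustrative values, and both sample zones are constructed.

```python
OWNERSHIP_TARGET = "autodomain.mailcontrol.com."   # alias target named on the page
SERVICE_MX_SUFFIX = ".in.mailcontrol.com."         # customer-specific MX hosts end in this


def parse_record(line):
    """Parse 'owner [TTL] [IN] TYPE rdata' into a dict; None for blank or comment lines."""
    fields = line.split(";", 1)[0].split()
    if not fields:
        return None
    owner, rest = fields[0], fields[1:]
    while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
        rest = rest[1:]                              # skip optional TTL and class
    if not rest:
        raise ValueError(f"no record type in: {line!r}")
    rtype, rdata = rest[0].upper(), rest[1:]
    record = {"owner": owner.rstrip(".").lower(), "type": rtype}
    if rtype == "MX" and len(rdata) == 2 and rdata[0].isdigit():
        record["preference"] = int(rdata[0])
        record["target"] = rdata[1].lower()
    elif rtype in ("CNAME", "A") and len(rdata) == 1:
        record["target"] = rdata[0].lower()
    else:
        raise ValueError(f"unsupported or malformed record: {line!r}")
    return record


def parse_zone(text):
    return [r for r in map(parse_record, text.splitlines()) if r is not None]


def check_ownership(records, verification_host):
    """Problems with the ownership CNAME for the character string shown in the portal."""
    host = verification_host.rstrip(".").lower()
    cnames = [r for r in records if r["type"] == "CNAME" and r["owner"] == host]
    if not cnames:
        return [f"no CNAME record for {host}"]
    problems = []
    for r in cnames:
        if not r["target"].endswith("."):
            # In standard zone-file syntax a name without the trailing period
            # is taken as relative to the zone, so the alias points elsewhere.
            problems.append(f"{host}: target '{r['target']}' has no trailing period")
        elif r["target"] != OWNERSHIP_TARGET:
            problems.append(f"{host}: target '{r['target']}' is not {OWNERSHIP_TARGET}")
    return problems


def check_mx(records, domain):
    """Problems with the MX set for a domain that should route through the service."""
    domain = domain.rstrip(".").lower()
    mx = [r for r in records if r["type"] == "MX" and r["owner"] == domain]
    if not mx:
        return [f"no MX records for {domain}"]
    problems, service_prefs = [], set()
    for r in mx:
        if not r["target"].endswith("."):
            problems.append(f"MX target '{r['target']}' has no trailing period")
        elif not r["target"].endswith(SERVICE_MX_SUFFIX):
            problems.append(f"MX target '{r['target']}' does not route through the cloud service")
        else:
            service_prefs.add(r["preference"])
    if len(service_prefs) > 1:
        problems.append("service MX records have unequal preference values")
    return problems


# Constructed sample zones: a half-finished change and the finished state.
BEFORE_ZONE = """
mydomain.com.          IN MX 50 mail.mydomain.com.
mydomain.com.          IN MX 5  cust0000-1.in.mailcontrol.com.
mydomain.com.          IN MX 10 cust0000-2.in.mailcontrol.com.
abcdefgh.mydomain.com  CNAME autodomain.mailcontrol.com
"""
AFTER_ZONE = """
mydomain.com.          IN MX 5 cust0000-1.in.mailcontrol.com.
mydomain.com.          IN MX 5 cust0000-2.in.mailcontrol.com.
abcdefgh.mydomain.com  CNAME autodomain.mailcontrol.com.
"""

if __name__ == "__main__":
    for label, zone in (("before", BEFORE_ZONE), ("after", AFTER_ZONE)):
        records = parse_zone(zone)
        issues = check_ownership(records, "abcdefgh.mydomain.com") + check_mx(records, "mydomain.com")
        print(label, issues or "OK")
```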

Connections tab


Select the Connections tab on the policy to view or change connections for the policy.
Your policy must have at least one default inbound connection and one outbound
connection in order to be active on the system.
The Inbound Mail Routing Rules section of the tab specifies rules that route inbound
mail from Forcepoint Email Security Cloud to particular email servers depending on
the recipients. The rules are applied in the order listed; you can change the order by
dragging the priority numbers up and down the list, then clicking Save Order.
To add a new inbound mail routing rule, click Add New Rule, then see Configuring
inbound mail routing rules, page 75.
You can check which of your mail routing rules, if any, applies to a particular email
address by clicking mail routing test utility. See Testing mail routing, page 77.
The Default Inbound Routes section defines where the service sends email that is not
matched by an inbound routing rule after processing messages received from the
Internet - these are the connections to your email servers.
The Outbound box specifies from which connections the service is prepared to accept
email for your domains (for onward delivery to the Internet).
Note that the service always attempts to deliver or receive email messages over a TLS
connection if the sending or receiving MTA supports it. If opportunistic TLS is not
available, the data transfer is made via plain text, rather than encrypted text. In either
case, the data transfer is successfully accomplished. If you wish to use mandatory
TLS, see Transport Layer Security, page 123.

Configuring inbound mail routing rules

Related topics:
● Testing mail routing

Click Add New Rule on the Connections tab to add an inbound routing rule that
applies to specified users, groups, domains, or content types. This enables you to route
mail to different mail hosts for certain groups of users in your network, useful if, for
example, your organization has multiple mail servers for different locations or
subsidiaries.
If a message is sent to a user who is in more than one group covered by your inbound
routing rules, the first rule in the list that matches the user will be applied. A message
sent to multiple users who have different routing rules will be split into multiple
copies and routed as configured for each individual user.
If you set up a content type rule, the rule is applied to messages that are encrypted with
PGP. You can apply that rule to all PGP-encrypted messages, or choose to apply it to
messages for specific users, groups, or domains.
Before it can be enabled for mail routing, a rule must be checked to ensure the
following:
● Forcepoint Email Security Cloud can connect to the specified inbound mail hosts.
● The mail hosts accept messages for all domains explicitly specified in the rule.
This is required for the rule to be valid.
● The mail hosts accept messages for the domains contained in all email addresses
explicitly specified in the rule. This is required for the rule to be valid.
● The mail hosts accept messages for at least one domain within the policy.

Note
If a group includes a domain that the mail hosts do not accept messages for, some
mail may not be delivered. We recommend that you check your groups for domains
not accepted by your mail hosts, and that you recheck your inbound mail routing
rules if you change or resynchronize your groups in the portal.

The mail host checking takes place as you configure the inbound rule.
1. Enter a Rule Name. This is required.
2. In the Apply To field, enter one or more recipients for the rule to apply to. These
can be individual email addresses, groups configured in Forcepoint Email
Security Cloud, or domain names. You can enter multiple recipients, separated by
commas.
This field is required unless you are creating a rule that routes by content type and
select PGP Encrypted only as described below.
To edit an existing recipient, click the item. Press Enter to save your changes as a
new entry in the Apply To list. To discard your changes, press Esc.
To remove an item from the Apply To list, click the Delete icon next to the item.
3. To apply the rule only to confidential messages encrypted with PGP, mark PGP
Encrypted only.
If you select this option, the Apply To field is no longer mandatory.
4. Optionally, select a Security value: Unenforced, Encrypt, Encrypt+CN, Verify, or
Verify+CN. See Encryption tab, page 122 for further information.
5. If you are enforcing security, select an Encryption Strength: 128 or 256.
6. Click Add Mail Host to add a receiving mail server to the rule.
You can add up to 10 mail hosts to a rule. If Forcepoint Email Security Cloud
cannot deliver inbound email to the first mail host in the list, it tries the other
servers in order until the message is delivered. To change the order of the mail
hosts, click an order number and drag it up or down the list.
7. Enter a Host Name (for example mail.mycompany.com) for the server. If the host
name cannot be resolved on the Internet, enter an IP Address for the server as
well. Click the button to confirm.
Forcepoint Email Security Cloud checks the mail host and sets the Status to
Passed or Failed.
If the route check failed, click Failed to open a popup window that displays details
of the failure. Filter the results of the check to view domains that are required or
optional for the rule, and those that passed or failed.
In this window, you can recheck all the domains in the rule, or just the domains
that failed. You can also choose to Ignore Failed domains, which changes the
mail host’s Status to Passed. Be aware that if you ignore failed domains, some
messages may be undelivered.
You can edit the server settings by clicking the pencil button.
8. To enable the rule for use, mark Enabled.

Note
At least one mail host in the list must pass the check for the rule to be saved as
enabled. If the check fails, you can still save the rule, but you must first clear the
Enabled check box.
If you make changes to the rule, for example changing the recipients it applies to or
editing the Security settings, each mail host must be rechecked. Click the Check all
mail hosts button to run the check again.

9. Once you have finished configuring your rule, click Save.

Testing mail routing

Related topics:
● Configuring inbound mail routing rules

The mail routing test utility enables you to check which inbound mail routing rules
apply to specific email addresses.
Enter one or more email addresses, separated by commas. If you have defined mail
routing rules that apply to PGP-encrypted messages, you can select Show rules for
PGP emails to these addresses to include those rules in your test. Then click Test
Addresses.
The Test Results section contains a line for each entered email address, displaying
which groups the address is a member of, and which inbound routing rule or rules, if
any, applies to the address. Click on a rule name to see and edit the rule details.
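The rule-ordering behaviour described in the two sections above, modelled as an added example (not Forcepoint code and not the service's implementation): the first enabled rule that matches a recipient wins, a message to recipients with different rules is split into copies, and unmatched recipients fall to the default inbound routes. The rules, groups and host names are constructed; exact domain matching is an assumption, and PGP content-type rules are left out.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    apply_to: list        # email addresses, group names or domain names
    mail_hosts: list      # tried in order until the message is delivered
    enabled: bool = True


def rule_matches(rule, address, groups):
    """True if the rule names the address, a group containing it, or its domain."""
    address = address.lower()
    domain = address.rsplit("@", 1)[1]
    for entry in rule.apply_to:
        if "@" in entry:
            if entry.lower() == address:
                return True
        elif entry in groups:
            if address in groups[entry]:
                return True
        elif entry.lower() == domain:
            return True
    return False


def first_match(rules, address, groups):
    """Return the first enabled rule, in list order, that matches the address."""
    for rule in rules:
        if rule.enabled and rule_matches(rule, address, groups):
            return rule
    return None


def split_copies(rules, recipients, groups, default_hosts):
    """Split one message into per-route copies: {route name: (hosts, recipients)}."""
    copies = {}
    for rcpt in recipients:
        rule = first_match(rules, rcpt, groups)
        name = rule.name if rule else "default inbound routes"
        hosts = rule.mail_hosts if rule else default_hosts
        copies.setdefault(name, (list(hosts), []))[1].append(rcpt)
    return copies


def shadowed_rules(rules, addresses, groups):
    """Names of enabled rules that match a test address but never win first match."""
    shadowed = []
    for rule in rules:
        if not rule.enabled:
            continue
        matched = [a for a in addresses if rule_matches(rule, a, groups)]
        if matched and not any(first_match(rules, a, groups) is rule for a in matched):
            shadowed.append(rule.name)
    return shadowed


# Constructed sample data: a policy covering example.com and example.net.
GROUPS = {"Paris": {"anne@example.com"}}
DEFAULT_HOSTS = ["mail.example.com"]
BROAD_FIRST = [
    Rule("All example.com", ["example.com"], ["mail.example.com"]),
    Rule("Paris office", ["Paris"], ["mail-paris.example.com", "mail.example.com"]),
]
SPECIFIC_FIRST = [BROAD_FIRST[1], BROAD_FIRST[0]]
RECIPIENTS = ["anne@example.com", "bob@example.com", "carol@example.net"]

if __name__ == "__main__":
    # With the broad domain rule listed first, the group rule never applies.
    print("shadowed:", shadowed_rules(BROAD_FIRST, RECIPIENTS, GROUPS))
    copies = split_copies(SPECIFIC_FIRST, RECIPIENTS, GROUPS, DEFAULT_HOSTS)
    for name, (hosts, rcpts) in copies.items():
        print(name, hosts, rcpts)
```

A rule that the check reports as shadowed is one to move up the priority list before clicking Save Order.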

Adding inbound and outbound routes


To add an inbound route:
1. On the Connections tab, click Add under Default Inbound Routes.
2. In the Server field, enter a fully qualified host name or an IP address.
If you enter an IP address you are asked to give this connection a name. The name
you give your IP address connection is not important and can just be “inbound” or
whatever you feel is appropriate.
If you enter an invalid IP address such as one from the reserved, private range, an
error results.
3. Enter a Preference value to specify the order in which connections should be
used. (Connections with preference value 1 are used before all other connections.)
4. Optionally, choose a Security value: Unenforced, Encrypt, Encrypt+CN, Verify,
or Verify+CN. See Encryption tab, page 122 for further information.
5. If you have selected a Security value, select an Encryption Strength: 128 or 256.
6. Click Submit.
To add an outbound route:
1. On the Connections tab, click Add under Outbound Routes.
2. In the Server section, either:
■ Select Server name or IP address, and enter a fully qualified host name or an
IP address.
If you enter an IP address you are asked to give this connection a name. The
name you give your IP address connection is not important and can just be
“outbound” or whatever you feel is appropriate.
If you enter an invalid IP address such as one from the reserved, private range,
an error results.
Or:
■ If your organization is using Microsoft Office 365 for email, select Office
365.
Or:
■ If your organization is using Google Apps for email, select Google Apps.

Note
If you select Office 365 or Google Apps, you must configure the outbound mail
gateway in your Office 365 or Google Apps account to point to your customer-
specific DNS records. These are the records ending in “out.mailcontrol.com” on the
DNS records and service IP addresses page.

3. Optionally, choose a Security value: Unenforced, Encrypt, Encrypt+CN, Verify,
or Verify+CN. See Encryption tab, page 122 for further information.

Note
If you have selected Office 365 or Google Apps in the Server section, you cannot
set encryption options as part of the connection. To enforce encryption on your
outbound route, configure your Office 365 or Google Apps account.


Note
If you have the Email Security Encryption Module, all outbound connection routes
must have a security value of Verify+CN. See Advanced encryption, page 132 for
further information.

4. If you have selected a Security value, select an Encryption Strength: 128 or 256.
5. Click Submit.

Disaster recovery
Forcepoint Email Security Cloud provides a number of features that can help in the
event of a major disaster or a failure of your Internet connectivity or email server.

Specifying secondary routes


If Forcepoint Email Security Cloud cannot deliver inbound email to the specified
primary connection, it checks whether a secondary connection is configured. This can
be to a backup email server or a disaster recovery site.

Email queuing
If Forcepoint Email Security Cloud cannot deliver email to any of the specified
inbound connections, it queues all email for up to seven days and attempts to deliver
queued email to each route approximately every thirty minutes. The queue operates on
a first-in first-out basis, so the oldest email is delivered first when a connection
becomes available.

Connectivity test
For an inbound connection, click Test to carry out a connectivity test to its destination
from your Forcepoint Email Security Cloud clusters.
The connectivity test shows you the response Forcepoint Email Security Cloud
received from the email server, plus information about the time taken to reach that
destination. You can run this test from various clusters in order to troubleshoot local
connectivity issues.

Antivirus tab

Related topics:
● Editing inbound or outbound rules

Select the Antivirus tab on the policy to set up rules for antivirus protection.

Listed are the inbound and outbound antivirus rules that have been set for this policy.
To edit the inbound or outbound rules, click Edit in either the Inbound Rules or
Outbound Rules box.

Editing inbound or outbound rules

Related topics:
● Antivirus exceptions

The majority of the antivirus functionality is the same for inbound and outbound
email. Field descriptions are provided below.

Virus
Check this box if you want viruses to be quarantined when detected. Viruses are
software programs capable of reproducing themselves and usually capable of causing
great harm to files or other programs on the computer.

Phishing
This option is applicable to inbound email only. Define whether suspected phishing
messages should be quarantined, or allowed with suspicious URLs replaced by a link
to a block page that you specify.
To set up block pages for phishing messages, see Configure block and notification
pages, page 58.
To bypass phishing checks for certain users, domains, or groups, click Phishing
Exceptions. See Antivirus exceptions, page 82.

Content
Filter active HTML content
This ThreatSeeker Intelligence feature automatically analyzes HTML inside messages
and disables any potentially dangerous content (by disabling specific HTML tags). You
can define how strictly the system applies this security feature. Available settings are:

| Setting | Description |
|---|---|
| Low | Disable embedded scripts (<SCRIPT> and <OBJECT> tags) and disable unknown HTML tags that are deemed to be potentially dangerous. |
| Medium | As Low but also disable “Web bugs” (URLs that are referred to inside a message, excluding links to images) and HTML styles that contain code. |
| High | As Low but disable all “Web bugs” and all HTML styles. |
| Very high | Extremely strict: as High, but this also disables all hypertext links to protect against a number of known vulnerabilities in common email clients. |

The recommended setting is Medium; setting the level higher than this may cause
messages to display too poorly for general users.
Block potentially malicious macros
This feature looks for potentially malicious macros in common Microsoft Office
document formats. By changing the sensitivity, you can control how suspicious
Forcepoint ThreatSeeker Intelligence is when it carries out its analysis. We
recommend setting this to High initially. You may need to amend this setting if you
find that a lot of documents just over the threshold are being quarantined. Documents
containing known viruses are quarantined by the antivirus engines, regardless of this
setting.
Strict checks on message structure
This feature runs a set of structural checks on email messages to determine whether
they conform to an accepted structure. For example, one of the attachment checks
would quarantine a MIME attachment with a filename that ends in a period but has no
file extension (such as “attachment1.”). Messages with a malformed message
structure can be a potential attack vector.
This option is disabled by default. We recommend leaving it disabled unless you are
running an old mail client that may be vulnerable to malformed email messages, or if
you are performing penetration testing on your messages. Enabling this feature may
result in false positives.

Encrypted Messages
An encrypted email message must be decrypted before it can be analyzed for viruses.
Since the cloud service does not have access to the necessary decryption key, it cannot
analyze an encrypted message. Similarly, the contents of a password-protected archive
file attachment such as ZIP or RAR cannot be analyzed, because the password is
unknown. To protect against the possibility of virus infection, Forcepoint Email
Security Cloud allows such messages to be quarantined. Administrators can open
quarantined messages later in a secure environment.
Select the Quarantine all messages containing encrypted archive files checkbox to
quarantine emails with password-protected archive files attached (such as ZIP or RAR
files).
Select the Quarantine all encrypted messages checkbox to quarantine encrypted
email messages (such as those using PGP or S/MIME encryption). This setting also
quarantines emails with password-protected PDF files or Microsoft Office files (such
as DOC or DOCX) attached.

Executables
To protect against the possibility of virus infection, Forcepoint Email Security Cloud
allows you to quarantine messages whose contents appear to contain scripts or
executables, or with attachments with potentially dangerous file extensions.
Administrators can view quarantined messages later in a secure environment.
Select Quarantine messages containing scripts and executables to quarantine
emails containing scripts and executable file attachments (such as EXE or BAT files).
Select Deliver all containing scripts and executables to allow email messages
containing scripts and executable files.
To allow executables for certain users, domains, or groups, click Executable
Exceptions. See Antivirus exceptions, page 82.

Warning
Forcepoint Email Security Cloud uses commercial antivirus (AV) engines to identify
known viruses, and its own ThreatSeeker Intelligence technology to identify viruses
for which AV vendors have not yet released a patch. However, even with multiple
layers of protection, it is impossible to predict the types of exploit that may become
available to malicious actors. We recommend that, where possible, email containing
executable attachments be quarantined. If this is not appropriate for all users, best
practice is to enforce this policy globally and use the Executable Exceptions option
for specific users.

Quarantining messages containing scripts and executables


If you choose to block scripts and executables, messages containing any file whose
contents appear to be executable are blocked, along with those with the following
potentially dangerous file extensions: A6P, AC, ACR, ACTION, AIR, APK, APP,
APPLESCRIPT, AWK, BAS, BAT, BIN, CGI, CHM, CMD, COM, CPL, CSH, DEK,
DLD, DLL, DRV, DS, EBM, ELF, ESH, EXE, EZS, FKY, FRS, FXP, GADGET, GPE,
GPU, HLP, HMS, HTA, ICD, IIM, INF, INS, INX, IPA, IPF, ISU, JAR, JS, JSE, JSX,
KIX, KSH, LIB, LNK, MCR, MEL, MEM, MPX, MRC, MS, MSC, MSI, MSP, MST,
MXE, OBS, OCX, PAF, PCD, PEX, PIF, PL, PLSC, PM, PRC, PRG, PVD, PWC,
PYC, PYO, PY, QPX, RBX, RGS, ROX, RPJ, SCAR, SCPT, SCR, SCRIPT, SCT,
SEED, SH, SHB, SHS, SPR, SYS, THM, TLB, TMS, U3P, UDF, VB, VBE, VBS,
VBSCRIPT, VCARD, VDO, VXD, WCM, WIDGET, WORKFLOW, WPK, WS,
WSC, WSF, WSH, XAP, XQT.
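
The attachment checks described in the Content, Encrypted Messages and Executables sections can be approximated offline to see which attachments in a sample message are likely to be quarantined. The following Python code is an added example, not Forcepoint code: the function names, reason labels and sample message are constructed here, the magic-byte test is a simplified stand-in for the service's own content analysis, and only ZIP archives are inspected for encryption.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extension list copied from this page's executables section.
DANGEROUS_EXTENSIONS = frozenset("""
A6P AC ACR ACTION AIR APK APP APPLESCRIPT AWK BAS BAT BIN CGI CHM CMD COM CPL
CSH DEK DLD DLL DRV DS EBM ELF ESH EXE EZS FKY FRS FXP GADGET GPE GPU HLP HMS
HTA ICD IIM INF INS INX IPA IPF ISU JAR JS JSE JSX KIX KSH LIB LNK MCR MEL MEM
MPX MRC MS MSC MSI MSP MST MXE OBS OCX PAF PCD PEX PIF PL PLSC PM PRC PRG PVD
PWC PYC PYO PY QPX RBX RGS ROX RPJ SCAR SCPT SCR SCRIPT SCT SEED SH SHB SHS
SPR SYS THM TLB TMS U3P UDF VB VBE VBS VBSCRIPT VCARD VDO VXD WCM WIDGET
WORKFLOW WPK WS WSC WSF WSH XAP XQT
""".split())


def zip_is_encrypted(data: bytes) -> bool:
    """True if any ZIP member has general-purpose flag bit 0 (encrypted) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(info.flag_bits & 0x1 for info in archive.infolist())
    except zipfile.BadZipFile:
        return False  # not a ZIP archive at all


def triage_attachment(filename: str, payload: bytes) -> list[str]:
    """Return the reasons an attachment matches one of the page's checks."""
    reasons = []
    _, dot, ext = filename.strip().rpartition(".")
    if dot and not ext:
        # The page's example: "attachment1." ends in a period, no extension.
        reasons.append("malformed-filename")
    elif dot and ext.upper() in DANGEROUS_EXTENSIONS:
        reasons.append("dangerous-extension")
    # Simplified stand-in for "contents appear to be executable":
    # Windows PE ("MZ") and ELF magic bytes only.
    if payload[:2] == b"MZ" or payload[:4] == b"\x7fELF":
        reasons.append("executable-content")
    if zip_is_encrypted(payload):
        reasons.append("encrypted-archive")
    return reasons


def triage_message(raw: bytes) -> dict[str, list[str]]:
    """Map each flagged attachment filename to its list of reasons."""
    message = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in message.iter_attachments():
        name = part.get_filename() or ""
        reasons = triage_attachment(name, part.get_payload(decode=True) or b"")
        if reasons:
            findings[name] = reasons
    return findings


def make_flagged_zip() -> bytes:
    """Constructed sample: a ZIP whose central directory marks its member
    as encrypted. Only the header flag is set; the data is not encrypted."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_STORED) as archive:
        archive.writestr("inner.txt", b"constructed")
    raw = bytearray(buffer.getvalue())
    central = raw.find(b"PK\x01\x02")  # central directory file header
    raw[central + 8] |= 0x01           # flag field sits at offset 8
    return bytes(raw)


def build_sample_message() -> bytes:
    """Constructed sample message with five attachments."""
    message = EmailMessage()
    message["From"] = "sender@example.com"
    message["To"] = "user@example.org"
    message["Subject"] = "constructed sample"
    message.set_content("see attachments")
    samples = [
        ("attachment1.", b"plain text"),
        ("setup.bat", b"@echo off\r\n"),
        ("docs.zip", make_flagged_zip()),
        ("photo.jpg", b"MZ\x90\x00constructed"),  # executable header, image name
        ("report.pdf", b"%PDF-1.4 constructed"),
    ]
    for name, data in samples:
        message.add_attachment(data, maintype="application",
                               subtype="octet-stream", filename=name)
    return message.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample_message()).items():
        print(f"{name!r}: {', '.join(reasons)}")
```

Running this over messages released from quarantine, or over mail that an Executable Exceptions entry let through, shows which of the checks each attachment would have matched.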

Antivirus exceptions

Related topics:
● Antivirus tab

Exceptions are available for the following options on the Antivirus tab:

● Phishing Exceptions
● Executable Exceptions

Phishing Exceptions
Click Phishing Exceptions to override the phishing settings for named users, groups,
or domains. Click the appropriate policy in the Apply to column of the Phishing
Exceptions screen. You can then change the way phishing messages are handled for
specific users, groups, or domains. For example, you can allow URLs to be replaced
in messages for certain groups (such as marketing), and quarantine messages for other
groups.
To create an exception:
1. Click Add phishing exception.
2. Choose an email address, domain name, or group from the list. In most cases,
particularly if you are synchronizing LDAP directories, you will make exceptions
based on group names, such as Dev. If you are making a user exception, be sure to
enter the user’s email address, not LDAP user name.
3. Define whether suspected phishing messages should be quarantined, or allowed
with suspicious URLs replaced by a link to a block page that you specify.
4. Click Submit.

Executable Exceptions
Click Executable Exceptions to override the executable settings for named users,
groups, or domains.
Click the appropriate policy in the Apply to column of the Executable Exceptions
screen. You can then change the way executables are handled for specific users,
groups, or domains. For example, you can deselect “Quarantine messages containing
scripts and executables” for developers receiving internal mail.
To create an exception:
1. Click Add executable attachment exception.
2. Choose an email address, domain name, or group from the list. In most cases,
particularly if you are synchronizing LDAP directories, you will make exceptions
based on group names, such as Dev. If you are making a user exception, be sure to
enter the user’s email address, not LDAP user name.
3. Clear the Quarantine messages containing scripts and executables box.
4. Click Submit.

URL Sandboxing tab

Related topics:
● URL sandboxing exceptions
● URL Sandboxing utility
● File sandboxing

Use the URL Sandboxing tab in a policy to inspect uncategorized URLs in email by
tagging them for additional real-time advanced security analysis. Doing so helps
protect end users from accessing malicious websites.

Note
If a website is uncategorized, URL sandboxing changes (“wraps”) the URL in the
email delivered to users. To add an exception for specific URLs to prevent them
from being sandboxed, add a sandboxing exception. See URL sandboxing
exceptions, page 86.

With URL sandboxing, if users click on a link within an email and that link or
elements associated with that link are suspicious, they receive a warning that “The
link may not be safe.” The notification includes:
● The domain they are trying to access.
● The reasons the link is considered suspicious: for example, the sender email
address may be unknown to our service or the sending mail server may have a
suspicious reputation.
● The option to analyze the page further.
If they answer No to Analyze the page?, the suspicious link is not analyzed. They can
then close the notification window. For their protection, they cannot access the page.
If they answer Yes, the page is analyzed using Forcepoint Email Security Cloud real-
time advanced security analysis. They then receive one of the following messages.
The notification messages can be customized. See Configure block and notification
pages.

| Notification | Description |
|---|---|
| The link appears to be safe | No malicious threats found. The notification lists the URL and category or categories of the page. Users can proceed to view the page if they choose to do so. |
| Access denied | Malicious threats detected in the page. The notification lists any matched categories along with the sites suspected of being infected with a malicious link. Users cannot access the page. |
| Access denied | Users may also receive an Access denied notification if their organization does not permit them to browse uncategorized web pages. |
| Unable to access page | The web server may be down or the link may be incorrect. They may want to try again later, or contact their administrator for more information. |
| Unable to analyze URL | The page could not be analyzed because its protocol is not supported. Supported protocols are HTTP, HTTPS and FTP. If you have selected the Allow the recipient to follow links with an unsupported protocol option, the user can proceed to view the page if they wish; otherwise, the user cannot access the page. |

Important
Websites that rely on cookies are not supported. When analyzed, URLs that resolve
to sites that rely on cookies may return an error or an incorrectly rendered page. See
the article Embedded URL sent for analysis fails with an error or incorrectly
rendered page in the Knowledge Base.
Administrators can retrieve the original URL in the Cloud Portal using the URL
Sandboxing Utility located in Email > Toolbox.
Any administrator or end user can check any URL for malicious content by going to
the online Advanced Classification Engine (ACE) CSI Insight page
(https://csi.forcepoint.com) and entering the URL.
If a user must access a link that gets an error (or is otherwise blocked by the URL
sandbox), the user should work with Technical Support to resolve the issue.
Forcepoint Email Security on-premises administrators need to contact Technical
Support with the sandboxed URL and request the original URL.

To modify rules for URL sandboxing:


1. Click Edit.
2. Under Default settings, select Analyze suspicious URLs.
3. To allow the user to click through to the site after looking at the category of the
Web page, select Allow the recipient to follow links to unclassified URLs.
4. Links cannot be analyzed if Forcepoint Email Security Cloud does not recognize
the network protocol used. Supported protocols are HTTP, HTTPS and FTP. To
allow the user to click through to the site if it cannot be analyzed, select Allow the
recipient to follow links with an unsupported protocol.
5. If required, enter customized text to display in email messages instead of
suspicious URLs, such as “Danger, do not click!”.
6. Under Policy-wide settings, enter any trusted domains that you do not want to be
inspected in email messages. Use this list with caution: if a site on the list is
compromised, Forcepoint Email Security Cloud does not analyze the site and
cannot detect the security problem.

7. Define whether to analyze suspicious URLs contained in signed messages.

Note
The options to whitelist domains and analyze suspicious URLs in signed messages
apply to all users and groups in a policy, and cannot be overridden by exceptions.

8. Click Submit.

URL sandboxing exceptions

Related topics:
● URL Sandboxing tab
● URL Sandboxing utility

It is possible to tailor some URL sandboxing settings in Forcepoint Email Security
Cloud for individual users or groups of users. These settings override the settings
made on the URL Sandboxing tab for the policy.
1. On the URL Sandboxing tab, click URL sandboxing exceptions. This brings you
to a list of URL sandboxing exceptions if you have created any.
2. Click Add Exception.
3. Enter the domain(s) or end-user email address(es), or select a group to which this
policy applies. In most cases, particularly if you are synchronizing LDAP
directories, you will make exceptions based on group names, such as Dev. If you
are making a user exception, be sure to enter the user’s email address, not LDAP
user name.
4. Define the URL sandboxing settings for these users or groups. For details of the
settings, see URL Sandboxing tab, page 84.
5. Click Submit.

Antispam tab

Related topics:
● Antispam exceptions
● Commercial bulk email detection
● Adding an entry to a whitelist or blacklist
● Uploading a whitelist or blacklist

Select the Antispam tab on the policy to view or modify rules for spam protection,
and to configure settings to detect commercial bulk mail in inbound messages.
By design, email is checked for spam under the following conditions:
● Email is inbound from the Internet.
● The email message is not stopped by some other rule, for example it contains a
virus or a barred attachment type.
● The Antispam service is enabled for the policy (i.e., you are licensed for the
service).
All such email is assigned a spam score (unless it is blocked by system-wide rules that
identify bulk spam). This is visible in the message header and message tracking
results. The higher the spam score, the more likely it is to be spam. Many rules are
used to generate the spam score, including analysis of the words within the message,
where it came from, its headers, and comparisons with other spam and non-spam
email.

Spam Options
Check Filter for Spam if you want inbound email filtered for spam.
There must be at least one spam rule defined. By default two rules are set up:
1. Quarantine all email with a spam score greater than 6.
2. Discard any email with a spam score greater than 15.
You can define multiple rules for different spam thresholds and associate actions with
each of these. For example, you can create a rule that forces all email with a spam
score greater than 6.0 to be forwarded to an administrator, all email with a score
greater than 7.0 to be quarantined, and all email with a score over 10.0 to be discarded.
Lower values detect more spam at the risk of false positives - email wrongly detected
as spam. Higher values reduce the risk of false positives but could miss some spam.
Forcepoint Email Security Cloud aims to ensure that no false positives occur with
spam scores over 6.0. This is the recommended default setting for quarantining email.
To define spam rules:
1. From the first Spam scoring more than drop-down list, select a spam threshold.
2. From the second Spam scoring more than drop-down list, select an action for
that threshold.

The following actions are available:

| Action | Description |
|---|---|
| Quarantine-Notify | Messages are quarantined as above and a notification is sent to an email address. This is not recommended, because you are simply replacing one email with another. It is included for those that wish to use notifications during an evaluation phase rather than the more widely used “tag” option. |
| Quarantine | Messages are kept in quarantine for up to 30 days. This is the normal setting used for messages identified as spam. Note that no notifications are sent for this action. |
| Forward | Messages are forwarded to one or more email addresses in a comma-separated list. You can use this setting to forward all spam to a single account for management purposes. |
| Tag subject | Message subjects are tagged with a prefix that you’ve assigned (in the Tag subject prefix box under Existing Rules). |
| Bounce | Messages are bounced back to the sender. |
| Discard | Messages are discarded. This is often used to discard messages with a very high spam score. |

3. Click Add Rule>> to create a rule based on these parameters.
Depending on the action you select, you may be prompted for additional
information first, such as the email address to which to forward the message.
A list of existing rules is displayed. You can also delete rules here.

Keep a copy of clean messages


By default, Forcepoint Email Security Cloud does not keep a copy of any messages
unless they are quarantined, in which case they are held for 30 days before being
automatically deleted. Checking Keep a copy of clean messages allows Forcepoint
Email Security Cloud to keep a private copy of clean email messages, for a short
period, separate from the quarantine area, to aid in the process of spam tuning when
the “Report this email as Spam” link is used (see Report this email as spam, page 70,
for more details). If Forcepoint Email Security Cloud has the original message
available, our operations staff and future automated systems can analyze it.

Commercial bulk email detection


The service offers a way to configure your settings to detect inbound commercial bulk
email messages and to perform certain actions on them, such as quarantining, or
tagging the message subject so that users can easily identify commercial email.
To enable commercial bulk email detection, do the following:
1. Under Commercial Bulk Email Detection, select Analyze for commercial bulk
email.
2. Select the action you’d like performed when commercial bulk email is detected:

■ Take no action. No action is taken on the commercial bulk email detected.
■ Tag the message subject. The subject of detected commercial bulk email
messages is tagged with “COMMERCIAL:” or a custom tag that you enter.
■ Quarantine the message. Commercial bulk email messages are kept in
quarantine for up to 30 days. Note that no notifications are sent for this
disposition.
3. Select the sensitivity level of the feature:
■ Normal detects email that comes from known commercial bulk email
sources.
■ High detects email that comes from known commercial bulk email sources or
email that contains commercial content.
4. Click Submit when you are finished.
Note that the subject tag that you select will also be used in all antispam exceptions.

Note
If you wish to run a report that shows the number of commercial bulk email
messages you have received, these messages will only be counted if you have
selected Analyze for commercial bulk email.

Whitelists and blacklists


Here you can configure whitelists and blacklists that override your spam filtering
settings, affecting inbound messages for the whole policy.
● Whitelist entries can include the sender’s email address, domain, or IP address.
Whitelists define addresses that are permitted to send mail to you without spam
filtering being applied.
● Blacklist entries can also include the sender’s email address, domain, or IP
address. Blacklists define addresses from which you do not want to receive email.

Notes
Whitelists always take priority over blacklists. If you add an address to both the
whitelist and the blacklist, messages from that sender address are allowed.
Whitelists and blacklists are processed in the following order. The first match found
is applied:
● Policy IP address whitelists
● Policy IP address blacklists
● Per-user email address/domain whitelists (see Antispam exceptions, page 91)
● Policy email address/domain whitelists
● Per-user email address/domain blacklists (see Antispam exceptions, page 91)
● Policy email address/domain blacklists
If Forcepoint Technical Support has enabled a custom antispam rule for your
account, this may override any whitelisted addresses you have configured.

If you enable whitelisting, you can also configure the following options:
● Apply whitelist matching even if the message has a spoofed email addresses.
If the service detects a message is spoofed, whitelisting is not applied by default.
However, you may wish to allow some messages that are legitimately spoofed, for
example a message from an email distribution list that appears to come from a
specific person. Select this option if you want to allow spoofed addresses through
even if the address appears in your whitelist.
● Do not apply whitelist matching on From: headers. An email message has two
addresses associated with it: the envelope sender, and the From: header. The
envelope sender is used by mail servers to check where the message originates
and where to respond (for example, if there is an error or the message bounces);
the From: header is what the message recipient sees. The envelope sender and the
From: header often match, but not always. There are a number of legitimate
reasons why an envelope sender might not match the From: header, for example if
the message comes from a mailing list, or from an organization that has
implemented a specific address for bounced messages.
Email spammers can take advantage of this, by changing the From: header on a
spam email to be a domain that you recognize, while the envelope sender is
related to a domain under their control.
By default, the service performs email address/domain whitelisting on both the
From: header and the envelope sender. If you select this option, whitelist matching
applies only to the envelope sender.
To populate your whitelists and blacklists, click the links in Whitelist these addresses
or Blacklist these addresses. See Adding an entry to a whitelist or blacklist, page 93
for more information.
Use Forward messages with more than [N] recipients from specified domains to
forward messages with more than the specified number of recipients from the
specified domains.
When this rule is triggered, the intended recipients do not receive the message.
Example: To forward messages from example.com sent to more than 5 recipients,
enable the option, specify 5 for the number of recipients, specify a forwarding address,
and specify example.com for the domain. You can specify additional domains, if
desired.

Note
The Forward messages option is a limited-availability feature, and may not be
available in your account.

End user permissions


Forcepoint Email Security Cloud antispam provides a range of end-user self-service
options. These are all initiated using the Forcepoint Email Security Cloud personal
email report (see End-User Self Service, page 147).

You can enable or disable the ability for users to populate and manage their own
individual blacklist and whitelist, and the option to release a copy of quarantined spam
to themselves. These settings can be set for the policy, and can also be set for
individual users, groups, or domains, using Antispam Exceptions. See Antispam
exceptions, page 91.

Note
A user can never prevent an email containing a virus from being quarantined and,
regardless of these settings, can never release one.

Whitelists always take priority over blacklists. If you have blacklisted an email
address for the policy, a user can whitelist it and, assuming it has no other issues, such
as containing a virus or contravening a Content rule, it is delivered. To prevent a user
receiving certain types of email, we recommend that you configure a content filtering
policy. See Content Filter tab, page 103.

Spam detection methods


For information about the methods that Forcepoint Email Security Cloud uses to
identify spam, see the article Detecting spam in the Forcepoint Knowledge Base.

Antispam exceptions

Related topics:
● Antispam tab
● Adding an entry to a whitelist or blacklist
● Uploading whitelist and blacklist exceptions in bulk

It is possible to tailor some antispam settings in the Forcepoint Email Security Cloud
service for individual users, groups, or domains. Antispam exceptions can control the
following settings:
● Spam Options and Commercial Bulk Email Detection: define per user, group, or
domain rules for spam and commercial message filtering
● White & Blacklists: enable or disable per-user, group, or domain whitelists and
blacklists
● End-Users settings: control user permissions for populating whitelists and
blacklists, and releasing quarantined messages.
To add an antispam exception:
1. Click Antispam Exceptions.
2. Click Add.

3. Enter end-user email addresses, domains, or select the user groups to which the
exception applies.

Tip
If you are making a user exception, be sure to enter the user's email address, not
LDAP user name.

■ Allow users to send themselves copies of their spam email


4. Click Save. Your exception settings will override those in the main policy, and
changes to these settings in the main policy will not be inherited.
When the Synchronize... setting is applied, your settings will be overwritten by
those in the main policy, and updates to the settings in the main policy are
automatically applied to the exception.
Once you have saved the exception, you can re-open it to modify the spam and
commercial bulk email, and white and blacklist settings, if required.
To modify these settings:
1. On the Antispam Exceptions page, click the entry for the exception you want to
edit.
2. To set Spam Options and Commercial Bulk Email Detection settings that differ
from those in the main policy, clear the Synchronize... checkbox. Configure your
own spam and commercial email settings, as appropriate, and click Save. Changes
to these settings will not be inherited from the main policy.
When the Synchronize... setting is applied, your rules will be overwritten by
those in the main policy, and updates to the settings in the main policy are
automatically applied to the exception.
3. Use the White & Blacklist settings to define whether per-user, domain, or group-
specific whitelists and blacklists are used in addition to policy-wide whitelists and
blacklists:
■ Select Whitelist these addresses to enable per-user, domain, or group
whitelists. Clear this checkbox to ignore these whitelists, and only apply
whitelists defined for the main policy.
■ Select Blacklist these addresses to enable per-user, domain, or group
blacklists. Clear this checkbox to ignore these blacklists, and only apply
blacklists defined for the main policy.
You can modify exception whitelist and blacklist addresses by clicking the links in
Whitelist these addresses and Blacklist these addresses. Exception whitelists
and blacklists can be uploaded in bulk via CSV files.

Note
Policy-wide whitelists and blacklists, if enabled, are always applied. Updates to the
whitelists and blacklists in the main policy are automatically applied.

4. Click Save.

Synchronization settings for spam options and end-user settings can be modified in
bulk for all exceptions using the Modify All button on the Antispam Exceptions
page.
Whitelists and blacklists can be imported for your account via CSV files, using the
Bulk Operations options on the Antispam Exceptions page. See Uploading whitelist
and blacklist exceptions in bulk, page 94 for more information.

Adding an entry to a whitelist or blacklist


1. On the Antispam tab, click the link in Whitelist these addresses or Blacklist
these addresses. A list of currently whitelisted or blacklisted addresses appears.
You can sort the list in ascending or descending order by address or description.
You may need to click Next to see all of the addresses in the list. You can narrow
the list by adding search criteria and clicking Search.
2. Click Add to add a new entry to the list.
3. In the Address field, enter an email address, domain name, or IP address.
Asterisk (*) is supported as a wildcard at the beginning or end of an email address
or domain name. (Note: wildcards are not supported for IP addresses).
Some examples of wildcard usage are given in the following table.

| Wildcard entry | What it covers |
|---|---|
| *acme.co.uk | Covers all email addresses at acme.co.uk and any sub-domain of acme.co.uk |
| *@acme.co.uk | Covers all email addresses at acme.co.uk but none at any sub-domain |
| *.acme.co.uk | Covers any address at any sub-domain but excludes the main domain |
| *@acme* | Covers all email addresses at any domain or sub-domain beginning with ‘acme’ |
| *acme* | Covers all email addresses containing ‘acme’ |

4. Enter a description if desired.
5. Click Submit.
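
The processing order given in the Whitelists and blacklists notes, the From: header option, and the wildcard table above can be combined to check what a set of entries would allow before you submit them. The following Python code is an added example, not Forcepoint code: the list names, function names and sample addresses are constructed, treating * as a plain glob and matching blacklists on the envelope sender only are assumptions, and spoof detection is not modelled.

```python
import re
from ipaddress import ip_address

# The six lists in the order the page says they are processed (first match wins).
TIERS = [
    ("policy_ip_whitelist", "allow", "ip"),
    ("policy_ip_blacklist", "block", "ip"),
    ("user_address_whitelist", "allow", "address"),
    ("policy_address_whitelist", "allow", "address"),
    ("user_address_blacklist", "block", "address"),
    ("policy_address_blacklist", "block", "address"),
]


def address_matches(entry: str, address: str) -> bool:
    """Match one list entry against a sender address.

    Assumption: '*' stands for any run of characters and case is ignored,
    which reproduces every row of the page's wildcard table. Bare domain
    entries without a wildcard are not modelled here.
    """
    regex = ".*".join(re.escape(piece) for piece in entry.lower().split("*"))
    return re.fullmatch(regex, address.lower()) is not None


def evaluate(envelope_sender, header_from, source_ip, lists,
             whitelist_from_header=True):
    """Return (decision, list name, entry) for the first matching list.

    whitelist_from_header=False models the option "Do not apply whitelist
    matching on From: headers". Assumption: blacklists are matched on the
    envelope sender only, because the page does not say.
    """
    ip = ip_address(source_ip)
    for name, decision, kind in TIERS:
        if decision == "allow" and whitelist_from_header:
            candidates = [envelope_sender, header_from]
        else:
            candidates = [envelope_sender]
        for entry in lists.get(name, ()):
            if kind == "ip":
                hit = ip_address(entry) == ip  # no wildcards for IP entries
            else:
                hit = any(address_matches(entry, c) for c in candidates)
            if hit:
                return decision, name, entry
    return "filter", None, None  # no list matched: normal spam filtering


def unintended_matches(entry, intended_domain, probes):
    """Probe addresses the entry covers although they lie outside
    intended_domain and its sub-domains (a sign the wildcard is too broad)."""
    outside = []
    for address in probes:
        domain = address.rsplit("@", 1)[-1].lower()
        inside = domain == intended_domain or domain.endswith("." + intended_domain)
        if address_matches(entry, address) and not inside:
            outside.append(address)
    return outside


# Constructed sample configuration (not from the page).
SAMPLE_LISTS = {
    "policy_ip_blacklist": ["192.0.2.10"],
    "user_address_whitelist": ["news@vendor.example"],
    "policy_address_whitelist": ["*@acme.co.uk"],
    "policy_address_blacklist": ["*@vendor.example"],
}

if __name__ == "__main__":
    # IP lists are consulted first, so a blacklisted IP beats an address whitelist.
    print(evaluate("bob@acme.co.uk", "bob@acme.co.uk", "192.0.2.10", SAMPLE_LISTS))
    # From: header is whitelisted, envelope sender is not.
    print(evaluate("bounce@bulk.example", "ceo@acme.co.uk", "198.51.100.7", SAMPLE_LISTS))
    print(evaluate("bounce@bulk.example", "ceo@acme.co.uk", "198.51.100.7",
                   SAMPLE_LISTS, whitelist_from_header=False))
    print(unintended_matches("*@acme*", "acme.co.uk",
                             ["bob@acme.co.uk", "bob@acme-billing.example"]))
```

Use unintended_matches on each wildcard entry before adding it to a whitelist: an entry such as *@acme* also covers unrelated domains whose names merely begin with “acme”.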

Uploading a whitelist or blacklist


If you have permission to modify configurations, you can populate a whitelist or
blacklist in a policy or exception by uploading an address list in a comma-separated
value (CSV) file.
The header of the file must be this string exactly, “Address, Description” and every
line must contain the following 2 fields separated by a comma:
● An email address or domain name (wildcards permitted), or an IP address
(wildcard not permitted).
● A description (free text, up to 255 characters).

The fields can be quoted or not. If a field contains a comma, it must be quoted. If 1
field is quoted, the rest of the line must be quoted. If a field contains a quotation mark,
this character must be surrounded by additional quotation marks. If a line contains
only 1 field, it is interpreted as the email address and the description is omitted. If a
line contains more than 2 fields, the file is rejected and an error message is displayed.
For example:
Address, Description
“[email protected]”, “Description of address1, containing comma”
[email protected], Description of address1 without comma
“[email protected]”, “Description of address1, containing ““quotes””
“domain2.com”, “Description of domain2”

To upload the file:


1. Click the link, Upload addresses from a CSV file.
2. Browse to the name of the file to upload.
3. Select an action:

Action                    Description
Append to current list    Elements imported from the file are added to the existing
                          elements. The resulting list is a union of all elements.
                          If any of the entries in the file is already included in
                          the list, it is not added again and a warning message is
                          displayed. This does not stop the processing of the file.
Replace current list      Elements already existing in the list are deleted and
                          replaced by the elements in the file. You are asked to
                          confirm this action.

4. Click Upload. Note that large files take a while to transfer to the server. If the file
is empty, too large, or cannot be opened, an error results. An error also results if
any of the elements are invalid.
You can also download the current addresses into a CSV file for viewing in a
spreadsheet, or you can delete entries from the whitelist or blacklist by checking the
box next to the address and clicking Delete.

Uploading whitelist and blacklist exceptions in bulk


You can upload whitelist and blacklist exception information in bulk if you have the
blacklist or whitelist exceptions for all of your users and groups in a single file.
The file must be in comma-separated value (CSV) format, and the header of the file
must be this string exactly: “Apply To, Address, Description”. Every line must contain
3 fields separated by commas:

● An email address, domain name, or group that the whitelist or blacklist address
applies to (no wildcards permitted).
● An email address or domain name (wildcards permitted).
● An optional description (free text, up to 255 characters).
The fields can be quoted or not. If a field contains a comma, it must be quoted. If 1
field is quoted, the rest of the line must be quoted. If a field contains a quotation mark,
this character must be surrounded by additional quotation marks. If a line contains
more than 3 fields, the file is rejected and an error message is displayed.
For example:
Apply To, Address, Description
“UK Sales”, “[email protected]”, “Description of address1, containing comma”
[email protected], [email protected], Description of address1 without comma
“example.com”, “domain2.com”, “Description of domain2”
“Marketing”, “[email protected]”, “description of address2”, “this field is not processed”

To upload the file:


1. On the Antispam Exceptions page, do one of the following:
■ To upload a bulk whitelist, click the link Upload addresses from a CSV file
under Whitelist Bulk Operations.
■ To upload a bulk blacklist, click the link Upload addresses from a CSV file
under Blacklist Bulk Operations.
2. Browse to the name of the file to upload.
3. Select an action:

Action                    Description
Append to current list    Elements imported from the file are added to the existing
                          elements. The resulting list is a union of all elements.
Replace current list      Elements already existing in the list are deleted and
                          replaced by the elements in the file. You are asked to
                          confirm this action.

4. Click Upload. Note that large files take a while to transfer to the server. If the file
is empty, too large, or cannot be opened, an error results. An error also results if
any of the elements are invalid.
You can also download the current blacklist and whitelist into a CSV file for viewing
and editing in a spreadsheet.
Note that if no exceptions are created, the default spam policy will apply.
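Because an upload fails if any element is invalid, it helps to check a file against the stated rules before uploading. The Python below is an added example, not a Forcepoint tool: it covers both the policy list format (Uploading a whitelist or blacklist) and the bulk exceptions format described above, assumes the description may be left out in the bulk format as it can in the policy format, and uses constructed sample files.

```python
import csv
import io
import re

HEADERS = {
    "policy": "Address, Description",           # list in a policy or exception
    "bulk": "Apply To, Address, Description",   # bulk exceptions file
}
MAX_DESCRIPTION = 255
# Digits, dots and at least one '*': an IP address written with a wildcard.
IP_WITH_WILDCARD = re.compile(r"^(?=.*\d)[0-9.*]+$")


def field_problems(value, allow_wildcard=True):
    """Check one address-like field against the wildcard rules on the page."""
    if not value:
        return ["field is empty"]
    if "*" not in value:
        return []
    if not allow_wildcard:
        return ["wildcards are not permitted in this field"]
    if IP_WITH_WILDCARD.match(value):
        return ["wildcards are not permitted in an IP address"]
    if "*" in value[1:-1]:
        return ["wildcard is only supported at the beginning or end"]
    return []


def lint(text, kind="policy"):
    """Return (line_number, message) problems; an empty list means no findings."""
    lines = text.splitlines()
    if not lines:
        return [(0, "file is empty")]
    if lines[0] != HEADERS[kind]:
        return [(1, "header must be exactly: " + HEADERS[kind])]
    max_fields = 2 if kind == "policy" else 3
    problems = []
    # skipinitialspace lets a quoted field follow ", " as in the page's examples;
    # doubled quotation marks inside quoted fields are handled by the csv module.
    reader = csv.reader(io.StringIO("\n".join(lines[1:])), skipinitialspace=True)
    for row in reader:
        line_no = reader.line_num + 1           # +1 for the header line
        row = [f.strip() for f in row]
        if not row:
            continue
        if len(row) > max_fields:
            # Per the page's text, extra fields cause the file to be rejected.
            problems.append((line_no, "more than %d fields" % max_fields))
            continue
        if kind == "bulk":
            if len(row) < 2:
                problems.append((line_no, "Apply To and Address are both required"))
                continue
            problems += [(line_no, "Apply To: " + p)
                         for p in field_problems(row[0], allow_wildcard=False)]
            row = row[1:]
        problems += [(line_no, "Address: " + p) for p in field_problems(row[0])]
        if len(row) > 1 and len(row[1]) > MAX_DESCRIPTION:
            problems.append((line_no, "description is longer than 255 characters"))
    return problems


# Constructed sample files (addresses and descriptions are made up).
SAMPLE_POLICY = """Address, Description
"*@partner.example", "Partner, all users"
203.0.113.*, wildcard in an IP address
news*letter@example.org, wildcard in the middle
billing@example.net, ok, stray extra field
"""
SAMPLE_BULK = """Apply To, Address, Description
"UK Sales", "*@partner.example", "Partner, all users"
*@example.com, vendor.example, wildcard in Apply To
"""

if __name__ == "__main__":
    for kind, sample in (("policy", SAMPLE_POLICY), ("bulk", SAMPLE_BULK)):
        for line_no, message in lint(sample, kind):
            print(f"{kind} file, line {line_no}: {message}")
```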

Antispoofing tab

Related topics:
● Spoofed Message Detection
● Internal Executive Spoofing
● DKIM Signing
● Antispoofing Checks

Use the Antispoofing tab to configure inbound and outbound spoofing protection for
the policy.
Inbound spoofing controls are used to detect when incoming messages are from
forged sender addresses, or when fake messages appear to come from named
executives in your organization (known as spear phishing). For inbound antispoofing
controls, see:
● Spoofed Message Detection, page 96
● Internal Executive Spoofing, page 99
Outbound spoofing controls help you to provide better protection for message
recipients against messages that forge your domains, by adding a DKIM signature to
validate your outbound messages, and applying strict outbound message authenticity
checks. For outbound antispoofing controls, see:
● DKIM Signing, page 100
● Antispoofing Checks, page 102

Spoofed Message Detection


Spoofed message detection is used to filter incoming messages where the sender’s
address has been forged. The service can detect messages that spoof internal domains
or external domains.
● Messages that spoof internal domains are from forged addresses that appear to
come from users within your organization. Internal domain validation uses Sender
Policy Framework (SPF) and DomainKeys Identified Mail (DKIM)
authentication, as well as checking the sender’s IP address against those
configured as outbound routes in the policy.
● Messages that spoof external domains are from forged addresses that appear to
come from legitimate external organizations. External domain validation uses
Domain-based Message Authentication, Reporting and Conformance (DMARC)
authentication.

Filter messages that spoof internal domains


Select Filter inbound messages that spoof your internal domains to detect spoofed
incoming messages that appear to be sent from domains within the policy to recipient
domains within the policy. A sender address is considered to be authentic if any of the
following conditions are true:
● The IP address of the sending message transfer agent (MTA) matches any of the
outbound connections configured in the policy.
● The Mail From sending address passes Sender Policy Framework (SPF)
authenticity checks.
● The Mail From sending address passes DomainKeys Identified Mail (DKIM)
authenticity checks.
Select “From” address header validation to check that the sender address the
message recipient sees (in the “From:” field) matches domains defined in your
policies. (By default, the From: address is ignored and authenticity checks are
performed only on the envelope sender address if it matches one of your policies.) If
you select this option, one of the following happens:
● If the envelope sender and recipient address both match domains in your policy,
the cloud service performs message authenticity checks on the envelope sender
only.
● If the envelope sender address does not match a domain in your policy, but the
From: address and recipient domain do match, the cloud service performs
message authenticity checks on the From: address instead of the envelope sender
address.

Tip
The envelope sender address is used by mail servers to check where the message
originates and where to respond (for example, if there is an error or the message
bounces) and often matches the From: address, but not always. For example, the
message might come from a mailing list, or from an organization authenticated to
send messages on your company’s behalf.

From the drop-down menu, select the action to perform when spoofed internal
messages are detected:
● Quarantine. This is the default option. Spoofed messages are kept in quarantine
for up to 30 days.
● Discard. Spoofed messages are discarded.
● Tag subject with. The subject line of detected spoofed messages is tagged with
“SPOOFED:” or a custom tag that you enter.
Messages detected as spoofing internal domains will be logged as “Spoofed”.
By default, if authentication checks fail to complete, the message is considered
spoofed and the selected action is applied. To specify an alternative action when
authentication checks fail to complete, select Apply alternative action when spoofed
message checks fail to complete. Available options depend upon the action selected
for spoofed messages:
● When the Action is Quarantine or Tag Subject, the alternative option is Tag
Subject.
● When the Action is Discard, the alternative options are Quarantine and Tag
Subject.
Select Allow spoofing from these sources to apply a whitelist of allowed domains or
IP addresses. Messages originating from these domains or IP addresses are allowed to
spoof addresses from domains in this policy. This may be useful if, for example, you
use a third-party provider who is allowed to send email messages to your users that
appear to come from an internal address.
To add whitelisted spoofing sources for a policy:
1. Select Allow spoofing from these sources, and click the these sources link.
2. In the panel that appears:
■ Select the Domains tab to add allowed sender domain names, for example
“forcepoint.com”.
■ Select the IP Addresses tab to add allowed sender IP addresses, either as a list
of individual addresses, or address blocks in CIDR notation (for example,
10.10.10.8/30). List entries are separated by a line break.
3. Click Add to enter a new domain or list of IP addresses. You can add multiple
domains or addresses, and you can add a combination of domain names and/or IP
addresses if required.
4. For IP addresses or ranges, enter a short description/name to identify the IP
addresses.
5. When you are finished, click Save.
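The internal-domain rules above interact: which sender address is authenticated, what counts as authentic, and which action applies when checks do not complete. The Python below is an added example that models those documented rules so a planned configuration can be reasoned about; it is not Forcepoint code, its class and field names are hypothetical, SPF and DKIM results are supplied as inputs rather than computed, and allowed-source domain entries are left out because the page does not say how a message's originating domain is determined.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Alternative actions the page offers for each primary action.
ALTERNATIVES = {"quarantine": {"tag"}, "tag": {"tag"},
                "discard": {"quarantine", "tag"}}


@dataclass
class Policy:
    domains: set                                # lower-case policy domains
    outbound_routes: list                       # CIDR strings (outbound connections)
    from_header_validation: bool = False
    action: str = "quarantine"                  # quarantine | discard | tag
    alternative_action: Optional[str] = None    # when checks fail to complete
    allowed_spoof_networks: list = field(default_factory=list)

    def __post_init__(self):
        alt = self.alternative_action
        if alt is not None and alt not in ALTERNATIVES[self.action]:
            raise ValueError(f"{alt!r} is not offered with action {self.action!r}")


@dataclass
class Message:
    client_ip: str       # IP address of the sending MTA
    envelope_from: str   # SMTP Mail From address
    header_from: str     # address shown in the From: field
    recipient: str
    spf: str             # "pass", "fail" or "incomplete" for the checked address
    dkim: str            # same values as spf


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def in_networks(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def address_to_check(msg, policy):
    """Sender address the rules authenticate, or None if the filter does not apply."""
    if domain_of(msg.recipient) not in policy.domains:
        return None
    if domain_of(msg.envelope_from) in policy.domains:
        return msg.envelope_from                 # envelope sender takes precedence
    if policy.from_header_validation and domain_of(msg.header_from) in policy.domains:
        return msg.header_from                   # only with "From" header validation
    return None


def verdict(msg, policy):
    if address_to_check(msg, policy) is None:
        return "not-checked"
    if in_networks(msg.client_ip, policy.allowed_spoof_networks):
        return "allowed-source"
    if in_networks(msg.client_ip, policy.outbound_routes):
        return "authentic"
    if "pass" in (msg.spf, msg.dkim):
        return "authentic"
    if "incomplete" in (msg.spf, msg.dkim):
        # Default: treated as spoofed unless an alternative action is configured.
        return policy.alternative_action or policy.action
    return policy.action


# Constructed sample data; 10.10.10.8/30 is the CIDR example used on the page.
POLICY = Policy({"corp.example"}, ["10.10.10.8/30"], from_header_validation=True,
                action="discard", alternative_action="tag",
                allowed_spoof_networks=["203.0.113.0/28"])
LIST_MESSAGE = Message("198.51.100.7", "bounce@lists.example.net",
                       "ceo@corp.example", "bob@corp.example", "fail", "fail")
```

With "From" address header validation off, `LIST_MESSAGE` is not checked at all, because its envelope sender is outside the policy; with the option on, its From: address is authenticated and the message receives the configured action.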

Filter messages that spoof external domains


Select Filter inbound messages that spoof external domains using DMARC to
detect spoofed incoming messages that appear to be sent from legitimate external
domains, but which fail DMARC validation checks. This option validates both the
Mail From sending address and the From address. DMARC is built on SPF and DKIM
validation, and allows the owner of a domain to publish a policy (via DNS TXT
records) that defines how the receiver should deal with spoofed messages.
From the drop-down menu, select the action to perform when spoofed messages are
detected:
● Use DMARC policy. This is the default option. Spoofed messages will be
quarantined or rejected, depending upon the domain owner’s policy.
● Quarantine. Spoofed messages are kept in quarantine for up to 30 days.
● Discard. Spoofed messages are discarded.
● Tag subject with. The subject line of detected spoofed messages is tagged with
“SPOOFED:” or a custom tag that you enter.

Messages detected as spoofing external domains will be logged as “Spoofed-External”.
By default, if authentication checks fail to complete, the message is considered
spoofed and the selected action is applied. To specify an alternative action when
authentication checks fail to complete, select Apply alternative action when spoofed
message checks fail to complete. Available options depend upon the action selected
for spoofed messages:
● When the Action is Use DMARC policy, Quarantine, or Tag Subject, the
alternative option is Tag Subject.
● When the Action is Discard, the alternative options are Quarantine and Tag
Subject.

Internal Executive Spoofing


The Internal Executive Spoofing feature provides protection against spear phishing
attacks targeting individuals within your organization. Such emails may come from
legitimate (non-spoofed) email addresses, thereby passing other spoofing checks, but
use the display name of a known user (often an executive), with the intention of
tricking employees into sending money or information.
If an incoming email appears to be from one of your named executives, the feature
will check that the message comes from one of a set of approved email addresses for
that individual. Messages that appear to come from a named executive, but originate
from an address you have not added, are treated as spoofed, and the action you define
will be taken (quarantine, discard, or tag). If the email comes from an address you
have added for the executive, the usual spoofing checks are performed against the
email address to check it is genuine.
To enable the internal executive spoofing check:
1. Select Apply internal executive spoofing check to these names.
2. Click the these names link to configure the list of executives and their approved
email addresses:
■ Click Add, and enter a first name and last name (both fields are required).
Various combinations of the name are protected (for example, “John Smith”
as well as “Smith, John”).
■ Enter a list of approved email addresses for the executive, separated with a
comma or a line break. This list should include any addresses the executive
uses, including work or personal addresses.
■ Click Add to repeat the process for each executive whose name and addresses
you wish to check. Click Save when finished.

Tip
Where executives may use various spellings of a first name (for example Elizabeth/
Liz, David/Dave), add multiple name entries for the user. Each entry should include
a duplicate set of allowed email addresses for the user.

3. Select an action to perform on messages detected as potentially spoofed. The
options are:
■ Quarantine. This is the default option. Messages are kept in quarantine for
up to 30 days.
■ Discard. Spoofed messages are discarded.
■ Tag subject with. The subject line of spoofed messages is tagged with a
custom tag that you enter.
Messages detected as spoofing named executives will be logged as “Spoofed-
Targeted”. Messages quarantined for this reason will be excluded from end users’
Personal Email Subscription reports, in order to prevent users from inadvertently
acting upon a targeted phishing message.
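The display-name check described in this section can be illustrated on sample From: headers. The Python below is an added example, not Forcepoint code: it assumes a display name matches when it contains both the first and last name as whole words in either order (the page gives “John Smith” and “Smith, John” but does not list every protected combination), and the names, addresses and headers are constructed.

```python
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed configuration: (first name, last name) -> approved addresses.
_LIZ = {"elizabeth.jones@corp.example", "liz.jones@personal.example"}
EXECUTIVES = {
    ("Elizabeth", "Jones"): _LIZ,
    ("Liz", "Jones"): _LIZ,      # spelling variant with a duplicate address set
    ("John", "Smith"): {"john.smith@corp.example"},
}


def name_tokens(display_name):
    """Decode RFC 2047 encoded words and split the name into lower-case words."""
    decoded = str(make_header(decode_header(display_name)))
    return set(re.findall(r"[^\W\d_]+", decoded.casefold()))


def classify(from_header, executives=EXECUTIVES):
    """Classify one From: header value against the executive list."""
    display_name, address = parseaddr(from_header)
    tokens = name_tokens(display_name)
    for (first, last), approved in executives.items():
        if {first.casefold(), last.casefold()} <= tokens:
            if address.casefold() in approved:
                # The usual spoofing checks still run against this address.
                return "approved address"
            return "Spoofed-Targeted"
    return "no executive name"


# Constructed From: header values.
SAMPLE_HEADERS = [
    "John Smith <john.smith@corp.example>",
    '"Smith, John" <john.smith@freemail.example>',
    "=?utf-8?q?John_Smith?= <accounts@other.example>",
    "Liz Jones <liz.jones@personal.example>",
    "Beth Jones <beth.jones@other.example>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify(header):18} {header}")
```

The last sample is not flagged because “Beth” has no name entry, which is the gap the Tip above addresses by adding an entry for each spelling variant.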

DKIM Signing
DomainKeys Identified Mail (DKIM) is an authentication method designed to protect
recipients from spoofed messages. DKIM authenticates the message sender address
and message body to provide validation that the sender has not been forged and that
the message has not been altered.
When DKIM signing is enabled, the cloud service signs outgoing messages from
specified sender domains/subdomains with a private key, adding a DKIM-Signature
header. Recipient servers can use the information in this header to perform a DNS
lookup. The DNS response provides the Forcepoint public key, which can be used to
decrypt the signed header and authenticate the message.
A DKIM signing rule defines which of your sender domains/subdomains to protect
with a specified signing domain. Granular sender/recipient options can be applied, to
include or exclude specific sender addresses, or sender/recipient combinations.
Note: a single signing domain can be used by multiple rules to validate different
sender subdomains. A sender domain/subdomain can only be signed by one signing
domain, and consequently can only be added to one rule.

Important
Before enabling a signing rule, you must publish DNS CNAME records for your
signing domain. CNAME records enable the DNS lookup to Forcepoint in order to
provide the public key to recipient mail servers. Details of the CNAME records you
must publish can be found on the DNS Records and Service IPs page. See DNS
records and service IP addresses, page 46 for more information.

Adding a DKIM signing rule


To add a DKIM signing rule:
1. Navigate to Email > Policies > [policy name] > Antispoofing tab.
2. Under DKIM Signing, click Add.
3. On the Add DKIM Signing Rule page, enter a rule name.

4. In the Sender domains/subdomains field, add one or more sender domain/subdomains
that will be signed by this rule, separated by a line break.
Note: sender domains/subdomains can appear in only one signing rule.
5. In the Signing domain field, enter the domain that will be used as the signing
domain for this rule.
6. Optionally, select Enable granular DKIM sender/recipient options to include
or exclude specific senders, or sender/recipient combinations. Otherwise, click
Submit.
7. Using the options that appear, select either:
■ Sign messages from these addresses to sign messages from specific
addresses, or
■ Do not sign messages from these addresses to sign messages from all
senders within your sender domains except specific addresses.
8. In the Senders field, enter one or more email addresses for the senders who will be
included or excluded by this rule. Email addresses must be separated by a line
break. Use *@domain.com to include all addresses for a domain.
Note: this field is required when granular sender/recipient options are enabled.
9. In the Recipients field, optionally enter recipients that will be included or
excluded by this rule. Email addresses must be separated by a line break. Use
*@domain.com to include all addresses for a domain.
■ When Sign messages from these addresses is selected, only messages from a
specified sender address to any of the entered recipient addresses will be
signed.
■ When Do not sign messages from these addresses is selected, messages
from all addresses within your sender domains will be signed, except for
messages that are from a specified sender address to any of the specified
recipient addresses.
10. Click Submit.
Once you have added a signing rule, the service checks the CNAME records for your
signing domain. If the CNAME record check fails, an error message is shown. A rule
cannot be enabled until the CNAME record check has passed.

Enabling a DKIM signing rule


DKIM signing rules are initially set to OFF. In order to enable a DKIM signing rule,
the signing domain must have passed a CNAME record check.
Enable a DKIM signing rule on the Email > Policies > [policy name] > Antispoofing
tab, under DKIM Signing.
To enable a rule:
● If the CNAME record check has passed, toggle the State switch to ON, then click
Save.
● If the CNAME record check has failed, ensure that the CNAME record has been
published for the signing domain. For further information on publishing the
CNAME record, see DNS records and service IP addresses, page 46.
Once you have published the CNAME record, click Recheck to perform the
check again.
To disable a rule, toggle the State switch to OFF, then click Save.

Editing a DKIM signing rule


Click the name of the rule in the DKIM Signing table to edit the sender domains/
subdomains or signing domain for the rule, or to make changes to the granular sender/
recipient options.
For more information on the configuration options for DKIM signing, see Adding a
DKIM signing rule, page 100.
To delete a rule, click the rule name in the DKIM Signing table to open the Edit
DKIM Signing Rule page. Click Delete to remove the rule.

Antispoofing Checks
The strict outbound message authenticity check performs additional tests on outbound
messages processed by the policy. With the option enabled, the service checks that
outbound messages originate from an IP address in the policy, or have a valid DKIM
signature. Messages that fail the test are quarantined, providing additional protection
to prevent your domains being spoofed by a third party.
Select Enable strict outbound message authenticity checks to apply strict checks to
all outbound messages for the policy.
With this option enabled, outbound messages must either:
● Originate from an IP address defined as an Outbound Route on the Connections
tab of the policy, OR:
● Have a valid DKIM signature applied by your email provider. (Required for
customers that use a hosted service provider such as Microsoft Office 365 or
Google Apps.)
Messages that do not meet these criteria will be quarantined as “Spoofed”.

Note
Do not enable this option if your policy is used to process messages that legitimately
spoof your domains. For example:
● If your users are likely to send mail from the networks of other companies (for example,
consultancy firms whose employees visit other customer sites).
● If your organization uses mailshot companies who are authorized to send email on your
behalf.

Allowed signing domains


Where DKIM needs to be used to validate the authenticity of a message (for example,
for messages originating from Office 365 or Google Apps), the service checks that the
signing domain matches the domain of the message content “From:” header. By
default, if the domains do not match, the message will be considered spoofed.
Click Allowed Signing Domains to specify one or more additional DKIM signing
domains that will be accepted to validate outbound messages from your hosted
provider for sender domains in the policy.
In the panel that appears, add one or more signing domains, and click Save. Messages
with a valid DKIM signature from a domain you have added will be treated as
authentic.
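The signing-domain comparison described here, and the DNS lookup mentioned under DKIM Signing, both start from the tags in the DKIM-Signature header. The Python below is an added example, not Forcepoint code: it parses the tag list defined in RFC 6376, derives the DNS name a recipient queries for the public key, and applies the From: domain comparison with an optional allowed list. It assumes “matches” means an exact, case-insensitive domain match, performs no cryptographic verification, and uses a constructed header.

```python
from email.utils import parseaddr

REQUIRED_TAGS = ("v", "a", "b", "bh", "d", "h", "s")   # required by RFC 6376


def parse_tag_list(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())   # drop folding whitespace
    return tags


def review_signature(dkim_signature, from_header, allowed_signing_domains=()):
    """Summarise who signed a message and whether that signer is acceptable."""
    tags = parse_tag_list(dkim_signature)
    missing = [t for t in REQUIRED_TAGS if t not in tags]
    if missing:
        raise ValueError("DKIM-Signature is missing tags: " + ", ".join(missing))
    signing_domain = tags["d"].lower()
    from_domain = parseaddr(from_header)[1].rsplit("@", 1)[-1].lower()
    allowed = {d.lower() for d in allowed_signing_domains}
    signed_headers = [h.lower() for h in tags["h"].split(":")]
    return {
        # Name queried for the public key: <selector>._domainkey.<signing domain>
        "dns_name": f"{tags['s']}._domainkey.{signing_domain}",
        "signing_domain": signing_domain,
        "from_domain": from_domain,
        "from_is_signed": "from" in signed_headers,
        # Assumption: exact domain match, or membership of the allowed list.
        "signer_accepted": signing_domain == from_domain or signing_domain in allowed,
    }


# Constructed header: the bh= and b= values are placeholders, not real signatures.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailhost.example; s=sel2019;\r\n"
    " h=from:to:subject:date; bh=Y29uc3RydWN0ZWQ=;\r\n"
    " b=Y29uc3RydWN0ZWQ="
)
SAMPLE_FROM = "Alice Example <alice@corp.example>"

if __name__ == "__main__":
    print(review_signature(SAMPLE_SIGNATURE, SAMPLE_FROM))
    print(review_signature(SAMPLE_SIGNATURE, SAMPLE_FROM, ["mailhost.example"]))
```

In the sample, the hosted provider signs as mailhost.example for a corp.example sender, so the signer is only accepted once mailhost.example is added as an allowed signing domain.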

Content Filter tab

Related topics:
● Editing content rules

Content filtering rules are typically different for inbound and outbound email, because
the email usage policy that you want to enforce more than likely specifies different
sets of rules for email entering the organization than it does for email leaving the
organization.
Select the Content Filter tab on the policy to view or modify rules for filtering
content.

Editing content rules


Click Edit in the Inbound Attachment Rule or Outbound Attachment Rule box to
edit the content rules for your policy.

The majority of the content filtering functionality is the same for inbound and
outbound email.

Section              Field
Attachments          ● Masking attachments
                     ● Quarantining messages with specific file types
                     ● Parking attachments
                     ● Attachment exceptions
                     ● Image analysis and quarantining
                     ● Securing suspicious attachments
Message Size         ● Message Size
Content Filtering    ● Filtering using lexical rules
                     ● Quarantining messages where analysis does not complete

Attachments
The following actions are available for email attachments:
● Masking attachments
● Quarantining messages with specific file types
● Image analysis and quarantining
● Parking attachments
● Securing suspicious attachments
● Attachment exceptions

Masking attachments

Related topics:
● Inverting the quarantine action
● Image analysis and quarantining
● Attachment exceptions
● Parking attachments
● Message Size
● Filtering using lexical rules

Masking an attachment renames attachments with the specified extensions. The
renaming replaces the last character of the extension with an underscore ‘_’. For
example, if you mask “EML” attachments, a file named “test_email.eml” is renamed
“test_email.em_”.
This stops the attachment being automatically associated with its appropriate
executable in Windows and therefore avoids dangerous actions being triggered
automatically.
We recommend that you mask “EML” attachments, because these can cause email
clients such as Outlook and Outlook Express to execute code automatically.
Click the link on Mask attachments with these extensions to specify which
attachments to mask.

Inverting the mask action


You can invert masking by extension. This enables you to specify that all extensions
except those specified are subject to the Mask action. If you want to do this, select the
radio button Mask all extensions except these.

Quarantining messages with specific file types

Related topics:
● Masking attachments
● Attachment exceptions
● Parking attachments
● Image analysis and quarantining
● Creating custom file types
● Message Size
● Filtering using lexical rules

You can quarantine messages containing attachments matching file types that you
specify.
File types are grouped together into file formats. For example, if you select the Sound
format, this quarantines anything related to sound files, including RealAudio,
Windows Media Audio, MPEG Audio, and MIDI files.
You can expand a file format to select or remove specific file types from the
quarantine list. For example, you can select the Standard Graphics format to block all
standard image attachments, but then choose to clear the JPEG file type within that
format to allow JPEGs to be delivered.
If the available file types do not meet your requirements, you can set up custom file
types containing one or more file extensions and MIME types. For more information,
see Creating custom file types, page 109. The custom file types you create are
available for all policies, and appear as part of a default custom file format on the
same page as the supplied file formats.

Note
Options on the Antivirus tab are the most effective way to block unsafe executables.
For more information, see Executables, page 82.

To quarantine attachments:
1. On the Content Filter tab, click the link in Quarantine messages containing files
with these types.
The page displays the file formats and types currently being quarantined.
2. Click Edit.
3. Check the boxes for file formats you wish to quarantine.
4. To select particular file types within a file format, click the + icon to expand the
format.
If you have selected the file format, all of the subsidiary file types are also
selected. You can select or clear as many file type options as you wish. The
information next to each file format tells you how many are currently selected
from that format.
5. Click Submit.

Inverting the quarantine action


Inverting the quarantine action enables you to specify that all file types except those
selected are quarantined. If you want to do this, select “that do not match the selected
file types” from the drop-down list.

Image analysis and quarantining


If you have the Forcepoint Email Security Image Analysis Module, you can choose to
quarantine messages that have images attached to prevent potentially pornographic
images from entering your organization. Messages are quarantined if they contain an
image attachment considered to be inappropriate. This can be set up for inbound
messages, outbound messages, or both.
To quarantine images, select Quarantine messages containing inappropriate
images, and define how strictly the system applies this security feature by selecting a
sensitivity level. By changing the sensitivity, you can control how suspicious the
image scanner is when it carries out its analysis.
It is difficult to impose absolute thresholds on what constitutes an “inappropriate”
image, as perceptions can vary. Therefore depending on the sensitivity level you
select, you may see a proportion of messages containing acceptable images being
quarantined. If there are images that you don’t want to be analyzed and quarantined,
perhaps because they are repeatedly blocked, you can add them to the image whitelist.
See Image whitelist, page 62, and Managing quarantined images, page 146.

If a message includes an image attachment that Forcepoint Email Security Cloud
cannot analyze, perhaps because it is too large, you can select Quarantine messages
with images that could not be analyzed to quarantine that message for further
analysis.

Attachment exceptions
You can override some of the attachment settings for users, groups, or domains. To do
this:
1. Click Attachment Exceptions for either inbound or outbound attachments.
2. Click Add Exception.
3. In the Domain or address list field, enter the address(es), domain(s), or select the
appropriate group(s) to which this configuration applies. In most cases,
particularly if you are synchronizing LDAP directories, you will make exceptions
based on group names, such as Dev. If you are making a user exception, be sure to
enter the user’s email address, not LDAP user name.
4. Make whatever changes you want to the policy for this user, group, or domain.
5. Click Submit.
To edit an existing attachment exception, click the appropriate policy in the Apply to
column of the Attachment Exceptions page.

Parking attachments

Related topics:
● Masking attachments
● Image analysis and quarantining
● Park attachments by file type
● Unknown attachment types
● Filtering using lexical rules

Use the Policy > Content Filter > Park Attachment Rules page to park large
message attachments on the Forcepoint Email Security Cloud system. The file is
removed from the message and stored. An annotation is added to the message
including the filename, its size, and a Web link from where the file can be retrieved
over a secure HTTP (HTTPS) connection. The wording of the annotations is
completely configurable.
To create a park attachment rule:
1. Click Add Rule.
2. Define whether the rule should be initially enabled or disabled.
3. Enter a Rule name.

4. Select an Attachment size and a Message size from the drop-down lists. For
example, you might choose to park any attachment with a size of 2MB or larger in
messages that are 3MB or larger in size.
You can also select Ignore for either of these options, for example if you want all
attachments larger than a certain size to be parked regardless of the message size.
5. Choose how long the parked message should be stored for. The default is 7 days.
6. Define whether the system should keep a copy of the original message.
7. Under Apply To, define who the rule affects. By default, the rule applies to all the
senders (for an outbound rule) or recipients (for an inbound rule) in the policy.
Alternatively you can apply the rule to only the senders or recipients that you
specify. Enter the domains, addresses, or groups to include, separated by commas.
8. To exclude certain senders and recipients from your rule, select Exclude these
senders and recipients, then list the domains, addresses, or groups to exclude,
separated by commas. For example, you can specify that a rule does not apply if
an email is from [email protected] or is sent to
[email protected]. You can enter up to 65,535 characters.
9. Under Annotations, you can edit the annotation that appears in the original
message sent to the recipient. A default annotation like the one below is included.
The attachment attach1-2100.txt (2.1 MB) was parked. It can be
retrieved from here.
In addition, you can include the following variables:

Variables/tokens    Description
_RECIPIENTS_        The intended recipients of the message.
_DATE_              The date Forcepoint Email Security Cloud received the email that
                    generated the annotation. This date is based on the time zone
                    set on the Notification Email screen.
_SENDER_            The message originator.
_SUBJECT_           The subject line of the message that is being annotated.
_ATTACH_TYPE_       The file type of the attachment parked.
_NAME_              The name of the attachment parked.
_RETRIEVE_END_      Used in HTML annotations surrounding some text that displays as
                    a link. For example, “It can be retrieved from
                    _RETRIEVE_START_here_RETRIEVE_END.”
_RETRIEVE_START_    Used in HTML annotations surrounding some text that displays as
                    a link. For example, “It can be retrieved from
                    _RETRIEVE_START_here_RETRIEVE_END.”
_RETRIEVE_LINK_     Used to include a link to download the attachment. For example,
                    “It can be retrieved from _RETRIEVE_LINK_.”
_SIZE_              The size of the attachment parked.

Click on Variables/tokens to select these variables from the drop-down list.


10. Under Notification Options, select who should be notified about the parked
attachment. In all cases, you have the option to include the original message with
the notification.
11. Click Submit when done.
After a rule has been created and enabled, you have the option to add parking by file
format or type. See Park attachments by file type, page 109.

Park attachments by file type


You can add parking by file format or type to an existing, enabled park attachments
rule.
You can combine attachment and message size checks with file types. For example,
you can specify a rule that parks all video files larger than 5 MB.
To park attachments by file type:
1. From the Park Attachment Rules window, click the name of the rule you want to
edit.
2. Select the Park attachments by file type check box to enable parking by file
type.
3. Under Park attachments by file type, click the Choose file types link to specify
file types for parking.
4. Check the boxes for file formats you wish to park. To select particular file types
within a file format, click the + icon to expand the file format.
5. Click Save.

Creating custom file types


You can set up custom file types to meet your organization’s needs. For example, you
might want to block a file extension not covered by the supplied file types, or create a
type that groups a number of specific extensions.
You can also use custom file types to set up attachment blocking for MIME types.
To create a custom file type:
1. Go to Account > Custom File Types.
2. Click Add.


3. In the Extensions field, enter the file extensions to include in the custom type,
separated by commas. For example, to block particular types of image file, you
might enter JPG, GIF, PNG.
4. Enter any MIME types in the format content type/content subtype. For example,
video/mpeg or text/csv.
5. Enter a description for your custom file type. This description appears in the
Custom File Type list when you are selecting file types and formats for
attachment quarantine.
6. Click Submit.

Unknown attachment types


If a message includes an attachment type that Forcepoint Email Security Cloud cannot
identify, you can choose to quarantine that message for further analysis. This can be
set up for inbound messages, outbound messages, or both.
To quarantine unknown attachment types:
1. On the Content Filter tab, click Edit for either inbound or outbound rules.
2. Select Quarantine messages containing files of unknown type.
3. Click Submit.

Securing suspicious attachments

Note
Securing suspicious attachments is a limited-availability feature, and may not be
available in your account.

Even when analysis does not find malicious content in an attachment, some attributes
of an attachment can make it suspicious. Such attributes include sender and domain
reputation, attachment file type, attachment size, the spam score of the message, and
other attributes.
When a suspicious attachment is identified, you can choose to place the attachment in
a password protected zip file that is delivered to the recipient along with a report that
includes the message details, a preview of the attachment content, and a link to
retrieve the password to the secured zip file. When the Retrieve Password link is
clicked, a separate email is sent to the recipient that includes the password. Note that
only an original recipient can receive the password. If a message with secured file
attachments is forwarded, recipients of the forwarded message must ask the original
recipient for the password.
If you choose to secure suspicious file attachments, it’s very important that you
prepare users to receive them and to take appropriate action. Users should know that:
1. The email security service analyzes email attachments for malicious content.
When found, the attachment is not delivered.


2. The email security service also looks for suspicious file attachments. An
attachment can be suspicious for several reasons including the reputation of the
sender or sending domain, attachment file type, attachment size, the spam score of
the message, and other attributes.
3. When a suspicious attachment is found:
■ The attachment is placed in a password protected zip file and delivered, along
with the original message, to the intended recipients.
■ A Secured Attachment Report is also attached to the original message. The
report includes the message details, a preview of the attachment content, and
support for retrieving the password for the secured zip file.
4. Recipients should carefully examine the Secured Attachment Report to help
determine if the attachment is safe.
5. Opening a suspicious attachment could lead to the computer being compromised
or infected. Recipients should open the attachment only if they’re sure that it’s
safe. If in doubt, contact the IT team for assistance.
6. If a user receives a forwarded copy of a message with the secured zip file, they
need to ask the original recipient for the password. Only the original recipients can
retrieve the password.
To secure suspicious attachments:
1. In the Inbound Content Filter section of the Content Filter tab, select Secure
suspicious attachments.
2. Click Customize settings to:
a. Review and customize the message that is inserted into the original message
(annotates the message).
b. Add or remove sender addresses or domains to exclude from the secure
attachment rule.
c. Click Save or Cancel to return to the Content Filter page.
3. Click Save to save your settings.

Message Size

Related topics:
● Masking attachments
● Attachment exceptions
● Parking attachments
● Filtering using lexical rules

There are 3 predefined actions, each applied at its own configurable message size
threshold:


1. You can set a global limit above which email should be discarded. By default this
cannot exceed 50 MB. (This is applicable only to inbound email.)

Note
When an email is discarded because it exceeds the maximum allowable size,
Forcepoint Email Security Cloud does not issue a notification (see Email
notifications, page 56 for more details). A failed delivery code is returned to the
sending email server.

2. You can quarantine email above a specified size.


3. You can defer email above a specified size for delivery within a configurable time
window. Deferral of large email is useful when you have Internet bandwidth
capacity limitations and the user impact of delivering large email is noticeable
during the main working day.

Filtering using lexical rules

Related topics:
● Managing dictionaries
● Creating a lexical rule in advanced mode
● Creating a lexical rule in simple mode
● Creating a compliance rule
● Phrase score and lexical rule thresholds

The lexical rules feature provides a powerful content filtering capability to mitigate
the risks associated with email. A lexical rule compares words in a dictionary to those
in an email and performs an action when there is a match.
You can use this feature to analyze messages entering or leaving your organization
for undesirable content. This might be profanity or other inappropriate words, but
could also include company confidential information or communications that could
cause loss of business or loss of reputation.

Note
We do not recommend using this feature to attempt to block spam, because
generating ad-hoc rules is both time-consuming and prone to the introduction of
false positives.

To set up lexical filtering rules, select the Content Filter tab of your policy, then click
the link under Inbound or Outbound content: Filter using these lexical rules.
From this screen you can do the following:


● To add new lexical rules, click one of the buttons under Add Lexical Rule.
● To edit an existing rule, click the rule you want to edit.

Phrase score and lexical rule thresholds

Related topics:
● Filtering using lexical rules
● Creating a lexical rule in simple mode
● Creating a lexical rule in advanced mode

Each word or phrase in a dictionary is assigned a score that is used to determine the
disposition in a lexical rule. Typically a higher score indicates a worse contravention
of the rule. For example, a higher score would be assigned to the most obscene words
in a list of profane words.
A lexical rule specifies a set of thresholds and an action for each. When a message is
compared to the phrases, it accumulates scores for each of the phrases on which it
matches. The scores for the phrases within each dictionary are totaled. The greatest
threshold that is breached causes an action to be taken on the message.

Creating a lexical rule in simple mode

Related topics:
● Filtering using lexical rules
● Creating a lexical rule in advanced mode

The simple mode for entering lexical rules enables you to set up a single action to take
when a message matches a phrase from the list you specify. If you want to set up
lexical rules to match against system or custom dictionaries, or want to include
multiple actions depending on the number of phrases matched, see Creating a lexical
rule in advanced mode, page 115.
1. On the main Lexical Rules screen, click Add Simple Rule.
2. Enter a name for the rule and a description if desired.
3. In the Apply To field, enter the domain(s) or individual email address(es) or select
the group to which this rule applies. Note that these must be domains or email
addresses associated with your account: for an outbound rule, this would apply to
senders, and for an inbound rule it would apply to recipients. If you do not enter
any information in this field, the rule applies to everyone.
4. Select the Exclude certain senders/recipients checkbox to specify domains,
email addresses, or groups to exclude from the rule. The Excluded recipients and
Excluded senders fields appear.


In the exclude fields, enter any domains or individual email addresses, or select
the group to be excluded from this rule. If you do not enter any exclusion
information, nobody is excluded from the rule.

Note
For inbound and outbound lexical rules, you can create a list that excludes certain
senders and a list that excludes certain recipients. For example, you can specify that
a lexical rule does not apply if an email is from [email protected] or is sent
to [email protected]. In all exclusion lists, you can enter up to 65,535
characters, consisting of domains, addresses, or groups, separated by commas.

Important
If the service detects an email’s sender address is spoofed, lexical rule exclusions are
not applied.

5. In the Phrases field, enter one or more phrases for the rule to match against.
6. Select an Action from the drop-down list. The following actions are available:
■ Quarantine the message.
Optionally:
○ Elect to notify recipients, the postmaster, and/or others, with the selected
notification messages.
○ Elect to give end users, in their Personal Email Subscription report, the
option to view or release messages that trigger the rule.
■ Encrypt the message (optionally notify the sender and/or others). This option
is only available for outbound lexical rules, and if you have the Email
Security Encryption Module (see Advanced encryption, page 132).
■ Forward message to a specific address.
■ Tag the subject, deliver it, and send a blind carbon copy to another address.
■ Blind carbon copy the message to another address.
■ Tag the subject with a specified phrase and deliver the message.
■ Deliver the message without any tags and keep a copy for checking.

Note
There is a quota for the number of messages that can be retained with the Keep Copy
action. When you select Keep Copy or manage a lexical rule that uses Keep Copy,
the used and available quota is displayed. If you exceed this quota, messages
matching the Keep Copy criteria are logged in the Message Center, but you cannot
read the message contents. To free space, delete some messages in the Message
Center and then contact Support to have the lexical rule(s) using Keep Copy
checked and re-enabled.

7. Define whether the rule should match against the message headers, or the whole
message body and subject.


8. Click Submit.

Creating a lexical rule in advanced mode

Related topics:
● Filtering using lexical rules
● Creating a lexical rule in simple mode
● Managing dictionaries
● Advanced dictionary configuration
● Creating a compliance rule
● Phrase score and lexical rule thresholds

The advanced mode for entering lexical rules enables you to match against system or
custom dictionaries, and include multiple actions depending on the number of phrases
matched. (If you want to specify a single action to take when a message matches a
phrase from a list, see Creating a lexical rule in simple mode, page 113.)
From this page, you can access the Dictionaries page to create or edit your custom
dictionaries.

Note
You can also access the dictionaries page by navigating to Email > Settings >
Dictionaries. Dictionaries can include simple phrases, complex multi-word
searches, or regular expressions. For more information, see Managing dictionaries,
page 118.

To add a lexical rule in advanced mode:


1. On the main Lexical Rules screen, click Add Advanced Rule. (To edit an existing
rule, click the rule that you want to edit).
2. Enter a name for the rule and a description if desired.
Note that the new rule is enabled by default. You can change this later if required.
3. From the Dictionary drop-down box, select the dictionary you want to use for this
rule.
4. In the Include recipients or senders field, enter the domain(s) or individual email
address(es) or select the group to which this rule applies. Note that these must be
domains or email addresses associated with your account: for an outbound rule,
this would apply to senders, and for an inbound rule it would apply to recipients.
If you do not enter any information in this field, the rule applies to everyone.


5. In the Excluded recipients and Excluded senders fields, enter any domains or
individual email addresses, or select the group to be excluded from this rule. If
you do not enter any exclusion information, nobody is excluded from the rule.

Note
For inbound and outbound lexical rules, you can create a list that excludes certain
senders and one that excludes certain recipients. For example, you can specify that a
lexical rule does not apply if an email is from [email protected] or is sent to
[email protected]. In all exclusion lists, you can enter up to 65,535
characters consisting of domains, addresses, or groups, separated by commas.

6. Click Submit.
The rule details are displayed. You can click Edit to change any of the details
entered in the steps above, or to disable the rule.
7. Click Add... to tell Forcepoint Email Security Cloud what to do when a message
matches entries in the dictionary. The Lexical Rule Action screen appears.
8. Specify a threshold, an action, and any notification options related to the selected
action, then click Add to save your changes. The rule is triggered when the
combined value of all matched words in the message is greater than or equal to
this threshold.
There are 7 different actions that can be performed on the email. You can therefore
configure up to 7 different thresholds, each with a separate action:
● Quarantine message (optionally notify sender, recipients, and/or others with the
selected notification messages).

Note
Once an email message is quarantined, no further actions can be performed on that
message. Therefore, if you set a quarantine action at a certain threshold, any other
action set at a higher threshold will fail.

● Encrypt the message (optionally notify the sender and/or others). This option is
only available for outbound lexical rules, and if you have the Email Security
Encryption Module (see Advanced encryption, page 132).
● Forward message to a specific address.
● Tag the subject with a specified phrase and deliver the message.
● Blind carbon copy the message to another address.
● Tag the subject, deliver it, and send a blind carbon copy to another address.


● Deliver the message without any tags and keep a copy for checking.

Note
There is a quota for the number of messages that can be retained with the Keep Copy
action. When you select Keep Copy or manage a lexical rule that uses Keep Copy,
the used and available quota is displayed. If you exceed this quota, messages
matching the Keep Copy criteria are logged in the Message Center, but you cannot
read the message contents. To free space, delete some messages in the Message
Center and then contact Support to have the lexical rule(s) using Keep Copy
checked and re-enabled.

For quarantined messages, you can also define whether end users can view or release
any messages caught by this lexical rule from their personal email report.
In the example above, inbound email is checked against a dictionary of offensive
phrases to protect the intended recipient. Those that score 1.5 or above are
quarantined. Email that scores 5 or above is likely to have matched multiple words or
matched against words that have been allocated a higher score.
To help you choose an appropriate threshold for the actions you require, click Show
dictionary statistics to display a statistical analysis of the selected dictionary. On the
left side is a graphical representation of the distribution of scores in the dictionary. On
the right side are a few statistics that may help you to choose a threshold.

Note
There is a limit on the number of regular expressions you can include in lexical rules
for each policy. If your dictionaries include a large number of regular expressions, it
might restrict the ability of the service to process your email. A warning appears
when you are nearing this limit, and once you exceed the limit, you cannot save the
lexical rule.

Creating a compliance rule

Related topics:
● Filtering using lexical rules
● Phrase score and lexical rule thresholds

Forcepoint Email Security Cloud includes dictionaries for 2 compliance standards:


● PCI Compliance isolates email messages that contain payment card information
● State Data Privacy Laws (SDPL) compliance isolates email messages that contain
Social Security numbers
When you add a compliance rule, the dictionary, threshold score, and action are
predefined. If you need to edit any of the default settings, you can do so after the rule
has been created.


1. On the main Lexical Rules screen, click Add Predefined Compliance.


2. Select the compliance rule type you want to use.
3. To edit the rule’s default settings, click the rule name.
From the resulting screen, you can edit the rule name, description, and the groups
or users included in or excluded from the rule. You can also define different
thresholds.

Quarantining messages where analysis does not complete

Related topics:
● Filtering using lexical rules
● Phrase score and lexical rule thresholds

If lexical rule processing does not complete for a message, you can specify that it is
quarantined immediately. This might occur if you have set up a large number of
lexical rules and regular expressions.
If you choose to quarantine a message of this type, you can examine it in the Message
Center by searching for messages labeled Lexical Rule, with the sub-reason Analysis
Failure. For more information, see Message Center, page 137.
You can select different settings for inbound and outbound messages.
1. On the Content Filter tab, click Edit under either Inbound or Outbound.
2. Check the Quarantine message if content analysis does not complete box. If
the box is not checked, any messages with incomplete lexical rule analysis are
allowed through for further processing.
3. Click Submit.

Managing dictionaries

Related topics:
● Excluding phrases from a dictionary
● Advanced dictionary configuration
● Phrase score and lexical rule thresholds
● Importing language packs
● Creating a lexical rule in advanced mode

Dictionaries define the phrases used in lexical rules for inbound and outbound
email content filtering. (See Content Filter tab, page 103).


Forcepoint Email Security Cloud defines two types of dictionary: those that are
predefined and your custom dictionaries. The former are maintained by Forcepoint
and include common profanities; dictionaries relating to categories such as finance,
gambling, and shopping; and compliance rules for payment card information and
Social Security numbers. You can exclude phrases from these lists (see Excluding
phrases from a dictionary, page 121) but you cannot include additional words or
phrases; if you need to add phrases, system dictionaries can be embedded inside your
own dictionaries.
Once defined, a phrase is available for use with both inbound and outbound lexical
rules across all policies.
You can add 3 types of phrase to a custom dictionary:
● A simple string, for example “project rhine”.
● A complex multi-word search. This option searches on different variations of the
phrase you define; for example if you enter “confidential email”, a lexical rule
might match the exact phrase or any instances of the words “confidential” and
“email” appearing close to each other in a message. See Advanced dictionary
configuration, page 121 for more examples.
● A regular expression. See Including regular expressions, page 120.
Assign each phrase that you add a score. This is used to determine the disposition in a
lexical rule: typically a higher score indicates a worse contravention of the rule. When
the rule is used to analyze a message, the scores of all matching phrases are summed and
the total is measured against the lexical rule threshold value.
Phrases can have positive values (meaning they increase the likelihood of the rule
being triggered), negative values (meaning they decrease this likelihood), or a zero
value (meaning they have no effect on the total value).
You can also select the following options instead of a numerical score:
● Always trap this phrase – assigns a score of +20 to the phrase, making it likely
that a message will exceed your configured threshold.
● Always let through – assigns a score of -20 to the phrase, making it unlikely that
a message will exceed your configured threshold.
● Ignore this phrase – assigns a score of 0 to the phrase, meaning that the phrase
will not influence whether a message exceeds your configured threshold.
For instructions on how to configure lexical rules and threshold values for your
policies, see Creating a lexical rule in advanced mode, page 115.
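The scoring described here and under Phrase score and lexical rule thresholds can be modeled offline before you commit scores and thresholds to a policy. The following is an added example, not Forcepoint code: the dictionary, thresholds, and function names are constructed for illustration, and it assumes that each phrase counts once per message and that literal phrases match case-insensitively.

```python
import re
from dataclasses import dataclass

# Scores behind the three named options on the dictionary screen.
ALWAYS_TRAP = 20.0
ALWAYS_LET_THROUGH = -20.0
IGNORE = 0.0


@dataclass(frozen=True)
class Phrase:
    text: str               # literal phrase, or a pattern when is_regex is True
    score: float
    is_regex: bool = False

    def matches(self, message: str) -> bool:
        # Assumption: literal phrases are matched case-insensitively too
        # (the page states case-insensitivity for regular expressions only).
        if self.is_regex:
            return re.search(self.text, message, re.IGNORECASE) is not None
        return self.text.lower() in message.lower()


def dictionary_total(phrases, message):
    """Sum the scores of the phrases that match.

    Assumption: a phrase contributes its score once, however many times
    it occurs in the message.
    """
    return sum(p.score for p in phrases if p.matches(message))


def select_action(total, thresholds):
    """Return the action of the greatest threshold the total reaches, else None.

    thresholds maps a threshold value to an action name; a threshold is
    reached when the total is greater than or equal to it.
    """
    reached = [t for t in thresholds if total >= t]
    return thresholds[max(reached)] if reached else None


# Constructed sample dictionary and rule (not taken from any real account).
SAMPLE_DICTIONARY = [
    Phrase("project rhine", 1.5),
    Phrase("board minutes", 3.0),
    Phrase(r"\bdraft\s+contract\b", 2.0, is_regex=True),
    Phrase("press release", -2.0),              # negative: lowers the total
    Phrase("newsletter", IGNORE),               # matched but has no effect
    Phrase("public announcement", ALWAYS_LET_THROUGH),
]
SAMPLE_THRESHOLDS = {1.5: "tag subject and deliver", 5.0: "quarantine"}


def evaluate(message):
    """Return (total score, selected action) for one message body."""
    total = dictionary_total(SAMPLE_DICTIONARY, message)
    return total, select_action(total, SAMPLE_THRESHOLDS)


if __name__ == "__main__":
    for body in (
        "Status of Project Rhine attached.",
        "Project Rhine board minutes and the draft  contract",
        "Press release about Project Rhine",
        "Public announcement: Project Rhine board minutes, draft contract",
    ):
        print(evaluate(body), "<-", body)
```

Running the sample messages shows how a single negative or "Always let through" phrase can pull an otherwise high-scoring message under every threshold, which is worth checking before you assign such scores to common phrases.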
To add a new dictionary:
1. On the Dictionaries screen, click Add Custom Dictionary. (To view the contents
of an existing dictionary or to edit a custom dictionary, click the dictionary name.)
2. Enter a name for the dictionary and a description if desired; then click Add. (If
you are editing an existing name or description, click Submit.)
3. To include an existing dictionary:
a. Click Attach dictionary.


b. Select an existing dictionary from the drop-down list, then click Submit.

Including simple phrases in a custom dictionary


1. Click Attach phrase.
2. In Search type, select Simple substring search.
3. Enter the phrase to add in the Phrase field, assign it a score, and indicate which
parts of the message you want to apply it to.
4. Click Submit.

Including complex searches


1. Click Attach phrase.
2. In Search type, select Complex multi-word search.
3. Enter the phrase to add in the Phrase field.
4. Assign a score to the phrase, and indicate which parts of the message you want to
apply it to.
5. Click Submit.

Including regular expressions


Regular expressions (RegEx) are a powerful way of matching a sequence of simple
characters. Using regular expressions in your dictionaries enables you to specify
precise phrase matching for your email.

Note
Regular expressions are not case-sensitive.
There is a limit on the number of regular expressions that can be included in lexical
rules for each policy. If your dictionaries include a large number of regular
expressions, it might restrict the ability of the service to process your email. Lexical
rules that include a large number of regular expressions cannot be saved.

For syntax and some examples, see Standard Regular Expression Strings, page 221.
1. Click Attach phrase.
2. Click Regex view.
3. Enter the regular expression in the Regex field.
4. Enter a description for the regular expression. This description appears in the
dictionary items list with “regex” next to it to signify that a regular expression was
defined.
5. Assign a score to the phrase, and indicate which parts of the message you want to
apply it to.
6. In the Test against field, enter some text that can test whether your regular
expression is well-formed and meets your requirements, then click Test regex.


7. When you are happy with the regular expression, click Submit.

Note
To return to the simple substring search or complex multi-word search options, click
Simple phrase view.

Excluding phrases from a dictionary


You can exclude words or phrases from both system and custom dictionaries.
1. On the Dictionaries screen, click the dictionary name.
2. Under Dictionary Items, select the phrase you want to exclude.
3. Select a phrase exclusion option. If you choose to exclude the phrase within
specific policies, select the policy or policies to apply the exclusion to.
You can select multiple items from each list by holding down the Ctrl key and
clicking the items. To make selection easier, you can expand the list to appear in a
larger window by repeatedly clicking on the Grow list link.
4. Click Submit.
The excluded phrase appears in the dictionary with a line through it.

Advanced dictionary configuration

Related topics:
● Managing dictionaries
● Phrase score and lexical rule thresholds

There are a number of techniques you can use for more advanced content filtering:
● If a pair of words must appear close to each other in the message, separate them
with the NEAR keyword, for example, dear NEAR sir. By default, NEAR allows
up to 8 words between the two phrases. To control the number of words allowed
(the nearness), specify it inside square brackets after the NEAR keyword, for
example, dear NEAR[2] sir.
● If the phrase consists of a set of words, any one of which can be matched, you can
use the OR keyword. However, a better way of dealing with this situation is to
create a separate phrase for each word. For example, you can use bow OR bough
but, more simply, you can create two phrases, one for bow and one for bough.
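To see how the nearness value changes what a NEAR phrase catches, you can prototype the proximity check on sample text. The following is an added example, not Forcepoint code: the function names are hypothetical, and it assumes that the two operands may appear in either order, that matching is case-insensitive, and that punctuation is ignored when counting words.

```python
import re

DEFAULT_NEARNESS = 8  # words allowed between the operands when no [n] is given

# "<left> NEAR <right>" or "<left> NEAR[n] <right>"
NEAR_RE = re.compile(r"^(?P<left>.+?)\s+NEAR(?:\[(?P<n>\d+)\])?\s+(?P<right>.+)$")


def tokenize(text):
    """Lower-case the text and split it into words, dropping punctuation."""
    return re.findall(r"[a-z0-9']+", text.lower())


def parse_near(expression):
    """Return (left_words, right_words, nearness) for a NEAR expression."""
    m = NEAR_RE.match(expression.strip())
    if not m:
        raise ValueError("not a NEAR expression: %r" % expression)
    left, right = tokenize(m.group("left")), tokenize(m.group("right"))
    if not left or not right:
        raise ValueError("both sides of NEAR need at least one word")
    n = int(m.group("n")) if m.group("n") is not None else DEFAULT_NEARNESS
    return left, right, n


def _spans(words, operand):
    """Return (start, end) index pairs where operand occurs as a run of words."""
    k = len(operand)
    return [(i, i + k - 1)
            for i in range(len(words) - k + 1)
            if words[i:i + k] == operand]


def near_match(expression, message):
    """True when the operands occur with at most `nearness` words between them."""
    left, right, n = parse_near(expression)
    words = tokenize(message)
    for l_start, l_end in _spans(words, left):
        for r_start, r_end in _spans(words, right):
            if r_start > l_end:
                gap = r_start - l_end - 1      # left operand comes first
            elif l_start > r_end:
                gap = l_start - r_end - 1      # right operand comes first
            else:
                continue                       # operands overlap
            if gap <= n:
                return True
    return False


if __name__ == "__main__":
    # Constructed sample messages.
    print(near_match("dear NEAR[2] sir", "Dear kind old sir, thank you"))   # True
    print(near_match("dear NEAR[2] sir", "Dear very kind old sir"))         # False
    print(near_match("dear NEAR sir", "dear a b c d e f g h sir"))          # True
```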


Importing language packs

Related topics:
● Managing dictionaries
● Advanced dictionary configuration

By default, you have access to the English language dictionaries. You can add other
language dictionaries if you wish. Dictionaries are provided for the following
languages:
● Dutch
● French
● German
● Italian
● Japanese
● Korean
● Portuguese
● Russian
● Spanish
● Traditional Chinese
● Simplified Chinese
To import an additional language pack or remove existing packs:
1. On the Dictionaries screen, click Manage Language Packs.
2. Select the language packs you want to use.
3. Click Save.

Note
You cannot remove a language pack that is being used by a lexical rule. You must
first remove all dictionaries in that language from your lexical rules.

Encryption tab

Related topics:
● Standard encryption
● Advanced encryption
● Editing advanced encryption settings


Select the Encryption tab to view or modify encryption policies.


Email encryption secures delivery of email by ensuring that it is not forwarded as
plain text “in the clear.” Forcepoint Email Security Cloud encrypts the transport layer
protocols being used to deliver the email at the edge of the network – the point where
it leaves the secure environment of the local area network.
The following encryption functionality is available:
● Transport Layer Security (TLS) for secure enterprise-to-enterprise email
communications (see Transport Layer Security, page 123)
● Standard encryption rules for securing email to individuals (see Standard
encryption, page 129)
● Advanced encryption rules for secure identity-based encryption (see Advanced
encryption, page 132). This option requires the Email Security Encryption
Module.
To add a secure transport policy setting, or an encryption rule, click the relevant Add
button.

Transport Layer Security

Related topics:
● Configuring TLS for a connection or route
● Configuring TLS on your connections
● Configuring third-party TLS connections
● Testing an outbound connection
● When TLS fails

TLS provides a transport layer encrypted “tunnel” between email servers or mail
transfer agents (MTAs).
By default, Forcepoint Email Security Cloud always attempts to deliver or receive
email using opportunistic TLS if the sending or receiving MTA supports it. With
opportunistic TLS, if a connection attempt is made using the TLS protocol, the
connection recipient must provide appropriate TLS credentials for an encrypted data
transfer. If the TLS “handshake” fails, the data transfer is made via plain text, rather
than encrypted text. In either case, the data transfer is successfully accomplished.
Alternatively, you can enforce TLS connections. There are 2 stages to configuring
mandatory TLS:
1. Add security settings to the connections between your mail transfer agent (MTA)
and the Forcepoint Email Security Cloud relays. See Configuring TLS on your
connections, page 124.
2. Add routes to the third-party MTAs with whom you want to communicate using
TLS and add security settings to these.


When the conditions within the TLS policy are not met, Forcepoint Email Security
Cloud does not deliver the email.
See this article for a full list of trusted certificate authorities supported by Forcepoint
Email Security Cloud.

Note
Forcepoint Email Security Cloud can enforce TLS only on the immediate next
SMTP hop. Situations may exist where Forcepoint Email Security Cloud does not
deliver directly to recipients (e.g., they may be using a service similar to Forcepoint
Email Security Cloud). In such situations, it is your responsibility to ensure that all
intermediate SMTP hops support TLS. If this is outside of your control, we
recommend you use the Forcepoint Email Security Cloud standard or advanced
encryption functionality to provide secure delivery.

Configuring TLS for a connection or route

Related topics:
● Configuring TLS on your connections
● Configuring third-party TLS connections
● Testing an outbound connection
● When TLS fails

Similar configuration is required for both the connections between Forcepoint Email
Security Cloud and your MTAs, and between Forcepoint Email Security Cloud and
the third party MTAs that you wish to communicate with using TLS. These settings
and the options are described below.
Each rule relates to a specific inbound or outbound connection and specifies whether
TLS is enforced, a certificate is required and should be verified, and the encryption
strength. If an attempt is made to deliver an email and the specified criteria are not
met, the email delivery fails and the sending MTA is notified.

Configuring TLS on your connections

Related topics:
● Configuring TLS for a connection or route
● Configuring third-party TLS connections
● Testing an outbound connection
● When TLS fails

The first stage of setting up a TLS policy is to configure the security settings on the
connections between the Forcepoint Email Security Cloud relays and your email
gateways. To do this:
1. Select the Connections tab.
2. Click the server name of the inbound or outbound email gateway that you want to
configure.
3. Click Edit.
4. Add security and encryption strength settings to the connections on which you
wish to enforce TLS. Typically these are the same inbound and outbound.

Note
Inbound TLS settings apply to all inbound connections. If you have multiple MTAs
receiving email from Forcepoint Email Security Cloud, all must be configured to use
TLS.

Configuring third-party TLS connections

Related topics:
● Configuring TLS for a connection or route
● Configuring TLS on your connections
● Testing an outbound connection
● When TLS fails

You must add the connections to and from the businesses with whom you wish to
communicate using TLS. To do so:
1. Select the Encryption tab.
2. Click Add in the Secure Transport section.
3. In the Domain/Server field, enter the IP address or fully qualified domain name
of the business with whom you are establishing connection. For outbound
connections, enter the recipient’s domain. For inbound connections, enter a server
name or IP address. Do not specify a server that is part of your MX records.
Click Check SMTP Connectivity to confirm that you can connect to the domain
name or IP address.
4. Select a direction for the connection: Inbound or Outbound.

5. Select a security level:

| Security Level | Description |
|---|---|
| Unenforced | Forcepoint Email Security Cloud does not attempt to use TLS for this connection. |
| Encrypt | Delivery of a message fails (inbound or outbound) if the MTA with which it is communicating cannot use TLS to force an encrypted connection at the encryption strength configured for this connection or route. No certificate is required. |
| Encrypt + CN | As Encrypt but a certificate must also be presented on which the common name matches the MTA with which Forcepoint Email Security Cloud is communicating. |
| Verify | As Encrypt but the certificate must be from a trusted certificate authority (CA). |
| Verify + CN | As Encrypt + CN but the certificate presented must be from a trusted CA. |

We recommend that you use Verify + CN, but you may opt to use Encrypt + CN if
you want to use a self-signed certificate rather than paying for use of one from a
CA. This may be acceptable for the connections between your MTA and
Forcepoint Email Security Cloud.
6. Select an encryption strength:

| Encryption Strength | Description |
|---|---|
| 128 | An encryption algorithm that supports a 128 bit key must be negotiated between Forcepoint Email Security Cloud and the MTA with which it is communicating. |
| 256 | An encryption algorithm that supports a 256 bit key must be negotiated between Forcepoint Email Security Cloud and the MTA with which it is communicating. |

Note
You must ensure that the MTA supports the policy configured for its connections
(certificate and encryption strength) and it must support an algorithm also supported
by Forcepoint Email Security Cloud.

7. To enable the connection for TLS immediately, check Enabled.
8. Click Save.
For outbound connections, we recommend that you check the TLS status of the server
before enabling it. If you route mail to domains that do not support TLS, it will result
in the non-delivery of your messages. For more information, see Testing an outbound
connection, page 127.

The companies with whom you want to communicate using TLS must ensure that
their MTAs support one of the encryption algorithms supported by Forcepoint Email
Security Cloud and the encryption strength that you configure in the policy. They must
also be able to present a certificate appropriate to the policy that you configure.

Note
The third-party MTA must support the required configuration on the inbound and
outbound connections or email delivery fails.
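
The security levels and encryption strengths above, modelled as a check you can run over test-connection results before enabling enforcement, to see which routes would stop delivering. This is an added example, not Forcepoint code; the `Observation` fields, the host names and the rule that a larger key also satisfies the configured strength are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Observation:
    """What a test connection to one MTA showed (sample values are constructed)."""
    starttls: bool      # the MTA offered STARTTLS and the handshake completed
    cipher_bits: int    # key size of the negotiated cipher, 0 if no TLS
    cn_matches: bool    # certificate common name matches the MTA's name
    ca_trusted: bool    # certificate chains to a CA the service trusts


# Certificate conditions each enforced level adds on top of an encrypted
# session: (common name must match, certificate must come from a trusted CA).
LEVELS = {
    "Encrypt":      (False, False),
    "Encrypt + CN": (True,  False),
    "Verify":       (False, True),
    "Verify + CN":  (True,  True),
}


def delivery_outcome(obs, level, strength):
    """Return (delivered, reason) for one message under the given policy."""
    if level == "Unenforced":
        return True, "delivered without TLS (TLS is not attempted)"
    need_cn, need_ca = LEVELS[level]
    if not obs.starttls:
        return False, "cannot start TLS"
    # Assumption: a cipher with a larger key than configured also passes.
    if obs.cipher_bits < strength:
        return False, f"negotiated {obs.cipher_bits}-bit cipher, policy needs {strength}"
    if need_cn and not obs.cn_matches:
        return False, "certificate common name does not match the MTA"
    if need_ca and not obs.ca_trusted:
        return False, "certificate is not from a trusted CA"
    return True, f"delivered over TLS at {level}"


def usable_levels(obs, strength):
    """Enforced levels this MTA can satisfy without mail being rejected."""
    return [lvl for lvl in LEVELS if delivery_outcome(obs, lvl, strength)[0]]


# Constructed inventory of partner MTAs (hypothetical names and results).
PARTNERS = {
    "mx.partner-a.example": Observation(True, 256, True, True),
    "mx.partner-b.example": Observation(True, 128, True, False),  # self-signed
    "mx.partner-c.example": Observation(False, 0, False, False),  # no STARTTLS
}

if __name__ == "__main__":
    for host, obs in PARTNERS.items():
        for strength in (128, 256):
            levels = usable_levels(obs, strength)
            print(host, strength, levels or "no enforced level is safe")
```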

Testing an outbound connection

Related topics:
● Configuring TLS for a connection or route
● Configuring TLS on your connections
● Configuring third-party TLS connections
● When TLS fails

You can test an outbound TLS connection, because Forcepoint Email Security Cloud
is responsible for initiating the connection.
1. Click a connection you have added to the Secure Transport section of the
Encryption tab, then click Check TLS status of server. This brings up a test
message using TLS. (Alternatively, click Check in the TLS Status column on the
Encryption tab.)
2. Modify the test parameters if desired: the email address, the encryption strength,
the security level.
3. From the drop-down list, select a service cluster from which to perform the test.
4. Click Send. The test results appear.
The response indicates whether or not Forcepoint Email Security Cloud was able to
deliver the email in accordance with the configured policy. Note that if the service
finds 2 MX records, it sends 3 messages. Check that all have arrived.
If the TLS check fails, check that the mail transfer agent (MTA) supports the settings
in the policy.

When TLS fails

Related topics:
● Configuring TLS for a connection or route
● Configuring TLS on your connections
● Configuring third-party TLS connections
● Testing an outbound connection

Forcepoint Email Security Cloud does not deliver a message in the clear if the policy
dictates that it should use TLS. If TLS cannot be used when dictated by the policy,
Forcepoint Email Security Cloud rejects the message. The report that is returned to the
sender is dependent upon their email server.

| Condition | Action when TLS cannot be started | Message Center reporting for the log entry |
|---|---|---|
| You try to send email to the service from a connection specified as secure. | The service rejects the email with a permanent error. Your email server should send a non-delivery notification to the sender. | TLS (not verified) - message rejected |
| The service tries to send email to a third-party domain specified in the secure transport policy. | The service rejects the email with a reason “cannot start TLS”. Your email server should send a non-delivery notification to the sender. | Email is shown as “clean” because it was accepted from the customer, but the log indicates that onward delivery failed. |
| A third party tries to send email to the service from a connection specified in the secure transport policy. | The service rejects the email with a permanent error. The third party’s email server should send a non-delivery notification to the sender. | TLS (not verified) - message rejected |
| The service tries to send an email to you through a connection specified as secure. | The service rejects the email with a reason “cannot start TLS”. The third party’s email server should send a non-delivery notification to the sender. | Email is shown as “clean” because it was accepted from the third party, but the log indicates that delivery failed. |

Adding an encryption rule


There are 2 types of encryption rule available in Forcepoint Email Security Cloud:
Standard encryption is typically used to enforce encryption policy when the
recipient’s MTA does not support TLS. This functionality relies on a TLS connection
with you to secure communications between your MTA and Forcepoint Email
Security Cloud. Recipients require a manually-generated password to access the
encrypted email.
Advanced encryption uses identity-based encryption (IBE) to protect data without the
need for certificates. Protection is provided by a key server that controls the mapping
of identities to decryption keys. The recipient of an encrypted email authenticates
against the key server to receive the decrypted version of the message.
To enable advanced encryption, you must have the Email Security Encryption
Module, and you must set the security on your outbound connection routes to
Verify+CN. See Connections tab, page 74.

Standard encryption

Related topics:
● Password specification
● Notifications
● Accessing email
● Combining standard encryption with content filtering rules
● Advanced encryption

Standard encryption comprises rules that, when matched, trigger the standard
functionality process. This process is as follows:
1. Sender sends email that triggers the rule.
2. The email is saved to the Encryption service quarantine store.
3. The recipient is sent an email notification containing an encrypted link that when
clicked allows access to the Encryption service quarantine store by HTTPS.
4. The sender is sent one or more notifications, depending on the number of
recipients. Each notification contains a password that is required by a recipient to
access the email. The sender needs to notify the recipient(s) of their password.
The criteria for the “parking” rules can include:
● Sender addresses
● Recipient addresses
● Messages marked as “sensitive” in the email headers
● Messages including a pre-defined prefix (trigger word) in the subject line.
To set up standard encryption, click Add in the Encryption section of the Encryption
tab.
1. Enter a name for the encryption rule, and select Standard Encryption as the
encryption type.
2. Define the password generation criteria (see Password specification, page 130).
3. Optionally, enter one or more senders or recipients for the rule to apply to. These
can be individual email addresses, groups configured in Forcepoint Email
Security Cloud, or domain names. You can enter multiple senders or recipients,
separated by commas.
To edit an existing sender or recipient, click the item. Press Enter to save your
changes as a new entry in the sender or recipient list. To discard your changes,
press Esc.
To remove an item from a sender or recipient list, click the Delete icon next to the
item.
4. If you are including subject criteria in the encryption rule, select whether the
message should match any of the criteria, or all of the criteria you select to trigger
the rule.
5. To include messages with a sensitivity setting in the email headers for encryption,
mark The message contains a sensitivity header, and select an option from the
drop-down list. If you want the rule to match against all sensitivity headers, select
Any.
6. To define a trigger word that appears at the beginning of the subject line for
messages to be encrypted, mark The subject starts with box, and enter the trigger
word.

Note
A trigger word is not case sensitive and MUST be followed by a space.

7. If required, edit the notifications sent to sender and recipient (see Notifications,
page 131).
8. Click Submit.
When an outbound email meets all of the specified criteria, the email is subjected to
the standard encryption process.

MIME details
You can choose to include (default) or exclude the MIME details when a parked,
standard encryption message is retrieved and delivered to the recipient (end user). The
setting you select applies to all policies.
To change the setting, in the Encryption section click the Standard encryption
preferences link, move the slider to the desired setting, and click Save.

Password specification
The password can be automatically generated by the system or specified in the subject
of the email.
Automatic password generation: This occurs if Allow sender to specify a
password is not checked.
If Allow sender to specify a password is checked, the user must include the
password in the subject line of the email. There are two options for inclusion:
1. If the rule specifies a trigger word, the password follows this in the subject line.
2. If the rule does not specify a trigger word, you must add a prefix that is used to
identify the password in the subject prefix field. Note this is different from the
trigger in that it is not a criterion for rule execution.
The password must consist of alphanumeric characters only. Both the prefix and
password must be followed by a space and the password must be enclosed in
parentheses ( ). Both are stripped from the email by Forcepoint Email Security Cloud.
For example, to trigger standard encryption with a specified password from a message
with the following subject:
Forcepoint Email Security Cloud test of standard encryption

You would augment the message subject as follows:
ENCRYPT (xyz987) Forcepoint Email Security Cloud test of standard encryption

Note
The subject prefix field is available only when the Where the subject begins with
box is not checked.
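
The subject format described above, written as a checker that could run before a message leaves the client so that a malformed subject is caught with a reason. This is an added example, not Forcepoint's parser; `parse_subject`, its error strings and the sample subjects are hypothetical, and treating the subject prefix as case-insensitive like the trigger word is an assumption.

```python
import re
from typing import NamedTuple, Optional


class Parsed(NamedTuple):
    password: Optional[str]  # None when the subject is rejected
    subject: Optional[str]   # subject with marker and password stripped
    error: Optional[str]     # why the subject was rejected, None on success


def parse_subject(subject: str, marker: str) -> Parsed:
    """Split '<marker> (<password>) <subject>' as the text describes.

    marker is the rule's trigger word or, when the rule has no trigger
    word, its subject prefix.
    """
    # The trigger word is not case sensitive; assumed for the prefix too.
    if subject[:len(marker)].lower() != marker.lower():
        return Parsed(None, None, "subject does not start with the marker")
    rest = subject[len(marker):]
    if not rest.startswith(" "):
        return Parsed(None, None, "marker must be followed by a space")
    m = re.match(r" \(([^()]*)\)( ?)", rest)
    if m is None:
        return Parsed(None, None, "password must be enclosed in parentheses")
    password, space = m.group(1), m.group(2)
    # "Alphanumeric" is taken to mean ASCII letters and digits (assumption).
    if not (password.isascii() and password.isalnum()):
        return Parsed(None, None, "password must be alphanumeric only")
    if not space:
        return Parsed(None, None, "password must be followed by a space")
    # Marker and password are both stripped from the delivered subject.
    return Parsed(password, rest[m.end():], None)


# Constructed sample subjects for a rule whose trigger word is ENCRYPT.
SAMPLES = [
    "ENCRYPT (xyz987) Forcepoint Email Security Cloud test of standard encryption",
    "encrypt (xyz987) quarterly figures",
    "ENCRYPTED (xyz987) quarterly figures",
    "ENCRYPT (xyz-987) quarterly figures",
    "ENCRYPT (xyz987)quarterly figures",
    "ENCRYPT xyz987 quarterly figures",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", parse_subject(s, "ENCRYPT"))
```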

Notifications
When an email is “parked,” the sender and recipient(s) are notified by email. The
notification sent to the recipient(s) includes a link to the cloud service portal from
where the message can be retrieved. The notification(s) sent to the sender includes a
password that the sender must communicate to the recipient(s). The recipient(s) needs
this password in order to retrieve the message. To set up notifications, open the
standard encryption rule (click the name of the rule in the Encryption section of the
Encryption tab), then edit the Sender or Recipient text under Notifications.
Both sender and recipient notifications can be fully customized on a per-rule basis, in
both plain text and HTML format.

Accessing email
To access a parked message, the recipient clicks the link, accesses the cloud service
portal using HTTPS, and is prompted to enter a password.

Once recipients enter a password, a message is shown. They can access each part of
the message and download any attachments. The message itself can be downloaded
and viewed by an email client that supports a MIME type message/rfc822.

Combining standard encryption with content filtering rules


To guard against end users inadvertently sending unsecured sensitive data outside
your organization, you can set up a lexical rule that triggers standard encryption for
any message that matches against that rule.
For example, from the Content Filter tab set up a predefined PCI compliance rule
(see Creating a compliance rule, page 117), and then edit it to include the Tag subject
action at a threshold you choose. Tag the subject line with a phrase such as “Encrypt”.
Next, click Add in the Encryption section of the Encryption tab. In the The subject
starts with field, enter the phrase you chose to tag the subject line.
When the standard encryption rule is set up, this ensures that a message matching
against the compliance rule is parked for secure HTTPS retrieval by the recipient, with
notifications going to the sender and recipient as configured in the encryption rule.

Advanced encryption

Related topics:
● Editing advanced encryption settings

If you have the Email Security Encryption Module, you can send messages that use
identity-based encryption, with no need for users to manually exchange passwords.
You can also customize the email notification that the recipient sees before decrypting
the message.
● Prerequisites for advanced encryption
● How advanced encryption works
● Adding an advanced encryption rule

Prerequisites for advanced encryption


To use advanced encryption, you must have a TLS certificate on the server designated
as an outbound connection. This certificate must meet the following requirements:
● The certificate is issued by a supported certificate authority. For a list of supported
CAs, see the knowledge base article What are the trusted Certificate Authorities?
● Wildcard certificates are supported.
● Subject Alternative Name (SAN) certificates are not fully supported. Only the
name listed as the Common Name (CN) will be recognized. Any names defined as
SANs will be ignored.
● The Subject CN of the certificate must match the outbound connection’s fully-
qualified domain name (FQDN).
In addition, note the following requirements for your TLS connection:
● The sending IP address must resolve to the outbound connection’s FQDN.
● The outbound connection’s FQDN must resolve to the sending IP address.
● Your MTA’s sending HELO string must match the outbound connection’s FQDN.
For more information about TLS, see Transport Layer Security, page 123.
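
A preflight check for the certificate and connection prerequisites listed above, useful because a certificate that ordinary host name validation accepts through a SAN still fails here, where only the Subject CN is recognized. This is an added example, not Forcepoint code; the function names, host names and addresses are hypothetical, and matching a wildcard CN against exactly one left-most label is an assumption.

```python
import ipaddress
import socket


def _norm(name):
    return name.lower().rstrip(".")


def cn_matches(cn, fqdn):
    """Compare a certificate Subject CN with a host name, case-insensitively.

    Assumption: a wildcard CN ('*.example.com') covers one left-most label.
    """
    cn, fqdn = _norm(cn), _norm(fqdn)
    if cn.startswith("*."):
        head, _, tail = fqdn.partition(".")
        return bool(head) and tail == cn[2:]
    return cn == fqdn


def preflight(fqdn, helo, sending_ip, cert_cn, cert_sans, ptr_names, a_records):
    """Return the list of unmet prerequisites; an empty list means ready."""
    problems = []
    if not cn_matches(cert_cn, fqdn):
        if any(cn_matches(san, fqdn) for san in cert_sans):
            problems.append("FQDN is only in a SAN; only the Subject CN is recognized")
        else:
            problems.append("Subject CN does not match the outbound connection FQDN")
    if _norm(helo) != _norm(fqdn):
        problems.append("HELO string does not match the outbound connection FQDN")
    if _norm(fqdn) not in {_norm(p) for p in ptr_names}:
        problems.append("sending IP does not resolve to the outbound connection FQDN")
    ip = ipaddress.ip_address(sending_ip)
    if ip not in {ipaddress.ip_address(a) for a in a_records}:
        problems.append("outbound connection FQDN does not resolve to the sending IP")
    return problems


def live_dns(fqdn, sending_ip):
    """Look up PTR names for the IP and addresses for the FQDN (needs network)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(sending_ip)
        ptr_names = [name, *aliases]
    except OSError:
        ptr_names = []
    try:
        a_records = sorted({info[4][0] for info in socket.getaddrinfo(fqdn, None)})
    except OSError:
        a_records = []
    return ptr_names, a_records


# Constructed cases using documentation-reserved names and addresses.
GOOD = dict(fqdn="mail.example.com", helo="mail.example.com",
            sending_ip="192.0.2.10", cert_cn="mail.example.com",
            cert_sans=["mail.example.com"], ptr_names=["mail.example.com"],
            a_records=["192.0.2.10"])
SAN_ONLY = dict(GOOD, cert_cn="example.com",
                cert_sans=["example.com", "mail.example.com"])
SPLIT = dict(GOOD, helo="smtp-out", ptr_names=["host10.isp.example"])

if __name__ == "__main__":
    for label, case in (("good", GOOD), ("san-only", SAN_ONLY), ("split", SPLIT)):
        print(label, preflight(**case) or "ready")
```

To run it against a real gateway, pass the output of `live_dns(fqdn, sending_ip)` as `ptr_names` and `a_records`.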

How advanced encryption works


When an advanced encryption rule is matched, the following process takes place:
1. Sender sends email that triggers the rule.
2. The email is encrypted by Forcepoint Email Security Cloud using identity-based
encryption, and sent on to the recipient’s MTA for delivery.
3. The recipient is sent an email notification containing an HTML attachment. When
opened in a browser, the attachment displays a button that the recipient clicks to
access the secure encryption network via HTTPS. The recipient must register
their email address and a password with the secure encryption network if this is
the first time they have received an encrypted message via Forcepoint Email
Security Cloud. The recipient then uses this password to access all subsequent
encrypted messages sent to their email address.
4. If the recipient replies to the encrypted message, the message is decrypted by
Forcepoint Email Security Cloud and then analyzed in the same way as other
inbound mail before delivery.
There are 3 ways to use advanced encryption:
● Content-based. Set up lexical rules so that a message will automatically be
encrypted if it contains certain phrases. See Creating a lexical rule in advanced
mode, page 115.
Note that if a message triggers a lexical rule with a Quarantine action and a rule
with an Encrypt action, the Quarantine action will take precedence and the
message will be quarantined without encryption.
If a message triggers a rule with the Encrypt action and a rule with either Forward,
Tag Subject, BCC, or BCC and Tag Subject, the Encrypt action will take
precedence and the other action(s) will not be applied.
If a message triggers lexical rules with the Encrypt and Keep Copy actions, both
actions will be applied.
● Sender/recipient-based. Set up an advanced encryption rule that encrypts a
message sent from or to specific users.
● Subject and content-based. Set up an advanced encryption rule that encrypts a
message with a certain trigger word in the subject header, a particular sensitivity
header, or specific phrases in the message headers or body.
You can combine these methods to configure the encryption policy that you require.
Advanced encryption integrates with other aspects of your email policy as follows:
● If you have set up attachment parking, an attachment that meets the parking
criteria will be parked before the message is encrypted. The decrypted message
will contain a link to retrieve the attachment. See Parking attachments, page 107.
● If you have outbound aliases, the aliases will be applied before the message is
encrypted. The resulting encrypted message will always show the external
address.

Adding an advanced encryption rule


To set up sender/recipient-based or subject and content-based advanced encryption,
click Add in the Encryption section of the Encryption tab.
1. Enter a name for the encryption rule, and ensure Advanced Encryption is
selected as the encryption type.
2. To notify the message sender when a message has been encrypted, mark Notify
sender. You can also notify others by entering a comma-separated list of email
addresses.
3. Optionally, enter one or more senders or recipients for the rule to apply to.
Recipients can be either specifically included in or excluded from the rule.
You can enter individual email addresses, groups configured in Forcepoint Email
Security Cloud, or domain names. You can enter multiple senders or recipients,
separated by commas.
To edit an existing sender or recipient, click the item. Press Enter to save your
changes as a new entry in the sender or recipient list. To discard your changes,
press Esc.
To remove an item from a sender or recipient list, click the Delete icon next to the
item.
4. If you are including subject criteria, content criteria, or both in the encryption rule,
select whether the message should match any of the criteria, or all of the criteria
you select to trigger the rule.
5. To include messages with a sensitivity setting in the email headers for encryption,
mark The message contains a sensitivity header, and select an option from the
drop-down list. If you want the rule to match against all sensitivity headers, select
Any.
6. To define a trigger word that appears in the subject line for messages to be
encrypted, mark The subject box, and select whether the trigger word is at the
start of the subject or is contained anywhere in the subject line. Then enter the
trigger word.

Note
A trigger word is not case sensitive and MUST be followed by a space.

7. To specify phrases that trigger encryption if contained in a message, mark The
message contains any of the following phrases, and select whether the phrases
appear in the message body or headers.
Enter each phrase on a new line, by pressing Enter after each phrase. The phrases
are not case sensitive.
8. Click Submit.

Editing advanced encryption settings


Use the Advanced Encryption Settings area of the Encryption tab to fine-tune the
content of the email notification template delivered to recipients. For example, you
might want to include your organization name, and a contact method in case the
recipient has trouble accessing the message.
A Forcepoint logo appears in the email notification by default. You can replace this
logo with a custom version, for example the logo of your organization. The logo must
be hosted at a URL that will be accessible by all encrypted message recipients, such as
your company website.
You can also add annotations to the decrypted message, and define the action to take
on messages that have already been encrypted before being sent through Forcepoint
Email Security Cloud.
1. Under Advanced Encryption Settings, click Edit.
2. To include an annotation at the end of the decrypted message, select Add
annotations to the inbound decrypted message.
Click the annotations link to edit the annotation (see Editing an annotation, page
69).
3. Select Quarantine messages that are already encrypted if you want to
quarantine outbound messages that have been encrypted using a different method,
for example S/MIME.
If you do not select this option, outbound messages that have been encrypted
using a different method are processed without adding advanced encryption.
4. To replace the Forcepoint logo in the notification template, select Use custom
logo, and enter the URL where the custom logo is located.
5. Select Add custom text to encrypted message template to include your own text
in the email notification sent to recipients.
Enter the text in the field below the check box. Note that HTML tags are not
supported. The text appears in the email notification in addition to the standard
text that explains how to access the encrypted message.
6. If required, specify the language in which to display the standard text of the email
notification. The following languages are available:
■ Czech
■ Dutch
■ English
■ French
■ German
■ Greek
■ Italian
■ Polish
■ Portuguese (Brazilian)
■ Portuguese
■ Romanian
■ Slovak
■ Spanish
■ Swedish
7. Click Submit.


6 Message Center

Related topics:
● Understanding your results
● Performing actions on the results
● Viewing message details

The Forcepoint Email Security Cloud Message Center is a powerful message tracking
and management tool that provides access to all quarantined messages and message
logs for your account.
To access the Message Center, select Email > Messages > Message Center. You are
presented with a search form.
The search form lets you search for messages based on several layers of search
criteria, such as the From, To, or Subject fields, the date sent, whether the message
contained spam or a virus, and much more. The check box controls allow a granular
search for clean email and/or those with an issue that caused Forcepoint Email
Security Cloud to perform an action.

Note
Enter as much detail as possible to minimize the data returned and so reduce the
time that the search takes. This is especially important for large accounts.

Search
Select the type of message for which you are looking. If you search for accepted
messages, only clean messages are returned; if you search for quarantined messages,
only quarantined messages are returned. You can also search for messages that have
had certain actions performed on them, for example messages that have been released,
forwarded, or deleted from quarantine. Information on deleted messages still appears
in the search results, even though they have been deleted from the quarantine itself
and cannot be viewed.

Note
To display deleted messages you must search for them specifically from the search
drop-down list, or check the Show deleted messages box.

Show
Once a message is viewed by an end user or administrator, it is marked as reviewed.
If an end user has viewed a multi-recipient message, it is shown as partially reviewed.
If an administrator views a multi-recipient message, it is shown as reviewed for all
recipients.

Date sent
You must specify a date range to search. The more exact the date range, the faster a
search completes. The default drop-down list allows you to choose common ranges;
for more exact time ranges, click more and use the calendar picker.
Clicking more reveals the date range. From here you can specify exact dates and
times (by the hour) to search. Click the calendar icon to open the calendar picker.
Choose the date of interest by clicking the relevant date link. This closes the pop up
and populates the appropriate field with the date. You can select the To and From hour
from the drop-down lists. The default is to search all hours in the selected day.

From
The sender of the email; you can include a wildcard in the search by entering an
asterisk (*) character to denote multiple characters.

To
The recipient of the email; you can include a wildcard in the search by entering an
asterisk (*) character.

Subject
The email subject; you can include a wildcard in the search by entering an asterisk (*)
character.

Email direction
Select the direction to search: Inbound, Outbound, or Both.
When you select Outbound, the Delivery status drop-down appears if TLS reporting is
enabled for your account.

Results per page
The number of results to display per page.

Show deleted messages
Indicate whether you want deleted messages to be included in the search results.

Delivery status
Select the delivery status for outbound messages. The default is to search for all
messages; you can filter on messages delivered with TLS, delivered without TLS,
pending delivery, or delivery failed.
This option only appears if TLS reporting is enabled for your account and you select
Outbound for the email direction.

Clean
Indicate whether you want uninfected, non-spam messages to be included in the
search results.

General
| Access control | Messages blocked by an access control policy. This applies only to customers that have been asked to implement access controls by Forcepoint Email Security Cloud operations. |
| Operational | Messages blocked by controls set up by Forcepoint Email Security Cloud operations in response to a virus outbreak. |
| Message loop | Messages stopped automatically because they are part of a message loop caused by auto-forwarding or auto-replying. |
| System | Messages that could not be processed, for example, messages that contravene email protocols. |

Antivirus
| Virus | Messages that contain known viruses as identified by one of the commercial antivirus engines used in the Forcepoint Email Security Cloud service. |
| Macro | Messages that contain highly suspicious Microsoft Office document macros that operate outside the document, that you have chosen to quarantine under your policy. |
| Blocked executable | Messages that contain an executable file attachment that you have chosen to quarantine under your policy. |
| Phishing | Messages that are suspected to be phishing emails. |

ThreatSeeker Intelligence
| Format | Messages that deliberately attempt to expose vulnerabilities in email software with unusually formatted headers or body. |
| Dangerous content | Messages that contain potentially dangerous content. |
| Greylisted | Messages that contain executable content that is temporarily quarantined awaiting confirmation that it is safe for automatic release. |
| Potential viruses | Messages that contain potential viruses, identified by Forcepoint ThreatSeeker Intelligence but not yet identified by one of the commercial antivirus analyzers used within the Forcepoint Email Security Cloud service. |
| Confirmed viruses | Messages that contain a virus, identified by Forcepoint ThreatSeeker Intelligence and subsequently confirmed by one of the commercial antivirus analyzers. |
| File Sandboxing | Messages that have been analyzed by the File Sandbox. You can refine this further by selecting a File Sandboxing status from the drop-down list: choose from All, Clean, Malicious attachment(s), Malicious and pending further analysis, and Pending analysis. |

Antispam
| Spam | Unsolicited bulk messages. You can select a maximum and minimum spam score range to narrow this search further. |
| Blacklisted | Messages that have been blacklisted by the default or per-user policy. |
| Whitelisted | Messages that have been whitelisted by the default or per-user policy. |
| Bulk | Outbound messages that have been classified as bulk messages. |
| Commercial bulk email | Inbound messages that have been classified as commercial bulk email by the default or per-user policy. |

Content Filter
| Too large | Messages that exceed any size limits defined by the policy. |
| Extension masked | Delivered messages that contain an attachment whose file extension was masked as specified in the content filtering policy. You can restrict searches to one or more specific extensions by listing them in the associated field, separated by commas. |
| Blocked attachment | Messages that have been quarantined due to their file type being specified in the content filtering policy. You can restrict searches to one or more specific extensions by listing them in the associated field, separated by commas. |
| Lexical rule | Messages that have contravened a lexical rule in the content filtering policy. You can restrict searches to specific sub-reasons—either messages caught by the lexical filter or messages that have experienced analysis failure—by selecting the relevant option from the drop-down list. |
| Blocked images | Messages that contain an image attachment that has been analyzed and is considered inappropriate. Messages with this status may also have been quarantined because the image could not be analyzed, for example because it was too large. This option only appears if you are licensed for the Forcepoint Email Security Image Analysis Module. |
| Copy kept | Messages marked as available for delivery, but with a copy kept for review by administrators. If you have exceeded your quota for this type of message, the message delivery is logged, but you cannot view the content. To free quota space, delete some messages. Note that messages with this status may also have been caught by the lexical filter and quarantined for other reasons. |

Encryption
TLS Messages that policy dictates should be delivered using TLS
whose delivery failed because the sender attempted to send them
in the clear.
Ad hoc Messages that triggered a standard encryption policy rule.
Advanced Messages that triggered an advanced encryption policy rule. This
option only appears if you have enabled advanced encryption.

Understanding your results

The query is hidden once a search has returned results. To show the query again, click
Show Query near the top left of the page. The search results are explained below:

| Field | Description |
| --- | --- |
| From | The sender of the email. |
| To | The recipient of the email. If there is more than one recipient, the number of recipients is shown and, if you hover your mouse over the area, a pop-up appears listing up to 10 recipients. Open the message to see all the recipients. |
| Subject | The subject of the email. If the subject is long, it is truncated by ellipses (…). If you hover your cursor over the area, a pop-up appears. Click the subject to view a detailed log for the message. |
| Date / Time | The date and time of the email in your local time zone. If you hover your cursor over the area, a pop-up shows you the time in UTC. |
| Spam Score | The score assigned by Forcepoint Email Security Cloud. |
| Issue | The issues applicable to the email. If you hover your cursor over the area, a pop-up gives more information on the issues. |
| Action | The action(s) applied to the message. If you click the Action link for a message, you can view other actions that may have been applied to the message. Possible actions are listed below this table. |

Possible Actions
● Accepted - The email was accepted and delivered.
● Quarantined - The email was quarantined for the reason described by the issue.
● Released - The email was quarantined, but a copy of the email has since been
released to the recipients.
● Release-pending - The email was quarantined and a copy of the email has been
requested to be released to the recipients.
● Release-failed - The email was quarantined and a release action was requested
but it has failed.
● Forwarded - The email was quarantined, but a copy has since been forwarded to a
specified email address.
● Forward-pending - The email was quarantined and a copy has been requested to
be forwarded to a specified email address.
● Forward-failed - The email was quarantined and a forward action was requested
but it has failed.
● Multiple - The email was quarantined and has had multiple actions performed on
it; to see a description of these actions, hover your mouse over the multiple text
and a pop-up appears. Multiple actions might include “released” and “forwarded”.
● Deleted - The email was quarantined and has now been deleted. It still appears in
the search results, but the message itself has been deleted from the system.
Clicking the message reveals the message log, rather than the message itself.
● Discarded - Forcepoint Email Security Cloud discarded the message but did not
report this to the sending email server, which believes the message was delivered.
● Rejected - Forcepoint Email Security Cloud rejected the message and reported
this to the sending email server.

Reviewed and Not Reviewed Messages


Messages that have been reviewed are displayed differently from those that have not
been reviewed. Reviewed messages appear in a slightly lighter shading and have an
open envelope icon by them. Messages that are not reviewed have a darker shading
and a closed envelope icon next to them. Messages can also be partially reviewed by
end users from their personal email subscription report. These messages are shown with
a partially opened envelope icon.


Downloading CSV results


You can download a comma-separated values (CSV) file of results from your query
for use by other programs such as Excel to generate graphs or analyze the results in
greater detail. The CSV download includes all instances of the messages per recipient.

Note
CSV downloads are limited to 50,000 lines.

Performing actions on the results

If you have permission, you may perform actions on the messages. The message
center allows you to review, release, forward, and delete one or more messages.
To select a message, select the checkbox next to the envelope icon for that message.
To select all messages on the page, click Select All in the header bar of the search
results. Messages on other pages of the result set are not affected.
Having selected a set of messages, you can select the required action from the action
bar drop-down list and click Go. When the operation is complete, the “Action”
column for the message is updated, and if the message was previously marked as “Not
Reviewed,” its status changes to “Reviewed.” If any errors occur during the action,
they are displayed at the top of the page.
You can also perform actions on a message from the message’s details page. For more
information, see Viewing message details.
The available actions are explained below.

| Action | Description |
| --- | --- |
| Release | Releases a copy of the message to continue processing. |
| Release (no further processing) | Releases a copy of the message directly to the intended recipient, bypassing any further rules that you have set up for your inbound or outbound mail. We recommend that you review the message carefully before selecting this action. |
| Forward To | Forwards a copy of the message to the email address you specify. Note that this sends the message for further processing before delivery. |
| Forward (no further processing) | Forwards a copy of the message to the email address you specify, bypassing any further rules that you have set up for your inbound or outbound mail. |
| Mark as Reviewed | Indicates this message has been reviewed. |
| Mark as Not Reviewed | Use this to indicate that you have not yet read this message. |
| Delete Message | Deletes the message from the message center. |


Release and forward actions


Release and forward actions performed on a message via the Message Center are
executed asynchronously by a separate process. All other actions execute
immediately. For example, if a release action is requested, the message is marked as
release-pending until the request is completed. It is then marked as released. If the
release fails, it is marked as release-failed. Similar action states apply to forward
actions. This functionality can be applied to multiple messages.
In order to view pending or failed requests, it is possible to search for these states via
the Search drop-down list. Possible action states are as follows:
● Released
● Release-pending
● Release-failed
● Forwarded
● Forward-pending
● Forward-failed

Note
Actions can be performed only on messages that are in quarantine and have not been
marked as deleted.

Action limitations
You cannot request a new forward action on a specific message until the previous
forward action has completed. Similarly, you cannot request a release action for a
specific message until the previous release action has completed.
In order to check for successful completion of an action, you must perform a fresh
search.

Message actions page


A Message Actions page displays the actions applied to an individual message. This
is accessed by clicking the Action for a message on the Message Center Results
screen.
The Message Actions screen shows general information about the message and details
of actions that have been applied to the message and the order in which they were
applied.

Viewing message details

Click a message subject to view details for that message.


This page explains why a quarantined message was blocked, or whether a message was
classified as commercial bulk email, and includes the message headers, message text,
and details of any attachments. If the message has been analyzed by the File Sandbox
and found to be suspicious, the page includes a link to the File Sandbox report. From
this page you can perform the actions described in Performing actions on the results.
To download the quarantined message, click Download Message. (Administrators
must have the View Quarantine policy permission to download quarantined
messages.)

Important
Quarantined messages may contain malicious content. Exercise caution when
downloading and viewing message contents.

If you want to release or forward a message from this page, clicking Release or
Forward to sends the message for any further processing before delivery. If you want
to bypass any other processing rules that you have set up and deliver the message
directly to its recipient, check the No further processing box before releasing or
forwarding. We recommend that you review the message carefully before doing this.
For quarantined messages, you can also choose to whitelist or blacklist the sender’s
email address or domain. When you do this, the black- or whitelisted item becomes a
per-user antispam policy within the email policy that applies to the intended message
recipient. For more information, see Antispam exceptions, page 91.

Viewing logs
Click View log to see full details of the message processing and results. The log
appears at the bottom of the message details page.
For a quarantined message, the log details provide the exact reasons for the
quarantine. For example:
● For messages quarantined due to a virus, the log lists the virus name.
● For blocked attachments, the log includes the file type or class that matched
against the attachment.
● For blocked images, the log includes a thumbnail of the image. See Managing
quarantined images, page 146.
● For lexical rule failures, the log lists the phrase that triggered the quarantine.
● For spoofed messages, the log details the outcome of the spoofing detection
checks used to validate the message. The log entry may include the following
items:
■ DMARC: pass or fail, based on DKIM and SPF checks
■ DKIM: checks the digital signature of the sender’s domain
■ SPF: checks the SPF record for the envelope sender address
■ SPF_HELO: checks the SPF record for the SMTP HELO name
■ SPF_P2: checks the SPF record for the content sender (“from”) address.
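How the DMARC result in the list above depends on the SPF and DKIM results can be seen by applying the identifier-alignment rules of RFC 7489. The following is an added example, not Forcepoint code and not the service's log format: the AuthResults fields, the sample cases, and the small suffix set are constructed for illustration, and SPF_HELO and SPF_P2 are not modeled.

```python
from dataclasses import dataclass

# Constructed stand-in for the Public Suffix List (assumption for this example);
# real evaluators load the full list from publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}


def organizational_domain(domain: str) -> str:
    """Public suffix plus one label, e.g. mail.xyz.co.uk -> xyz.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):              # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])              # unknown suffix: keep last two labels


def aligned(identifier: str, from_domain: str, mode: str = "r") -> bool:
    """Identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    if not identifier:
        return False
    a = identifier.lower().rstrip(".")
    b = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


@dataclass
class AuthResults:
    """Hypothetical container for the per-message check results."""
    from_domain: str          # domain of the From: header address
    spf_result: str           # SPF result for the envelope sender address
    spf_domain: str           # domain of the envelope sender (MAIL FROM)
    dkim_result: str = "none"
    dkim_domain: str = ""     # d= tag of the verified DKIM signature


def evaluate_dmarc(r: AuthResults, aspf: str = "r", adkim: str = "r") -> dict:
    """DMARC passes when SPF or DKIM passes AND that identifier aligns with From:."""
    spf_aligned = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, aspf)
    dkim_aligned = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, adkim)
    return {
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
    }


# Constructed sample messages (not taken from any real log).
CASES = {
    # Third-party sender: SPF passes for its own bounce domain, DKIM signs as xyz.com.
    "esp_dkim_signed": AuthResults("xyz.com", "pass", "bounces.example.net", "pass", "xyz.com"),
    # SPF passes, but only for an envelope domain unrelated to the From: domain.
    "unrelated_envelope": AuthResults("xyz.com", "pass", "example.net"),
    # Envelope sender is a subdomain of the From: domain.
    "subdomain_envelope": AuthResults("xyz.co.uk", "pass", "mail.xyz.co.uk"),
    # Same name registered under a different public suffix.
    "other_suffix": AuthResults("xyz.com", "pass", "xyz.com.au"),
}

if __name__ == "__main__":
    for label, case in CASES.items():
        print(f"{label}: {evaluate_dmarc(case)}")
    print("subdomain_envelope, strict SPF alignment:",
          evaluate_dmarc(CASES["subdomain_envelope"], aspf="s"))
```

A passing SPF check alone does not produce a DMARC pass: in the "unrelated_envelope" and "other_suffix" cases SPF passes for the envelope sender, yet DMARC fails because that domain does not align with the From: domain the recipient sees.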
If email is classified as commercial bulk email, the message details page may also
contain log lines indicating the action taken:
● Commercial bulk message subject tag added for <recipient>.
● Commercial bulk message quarantined for <recipient>.
● Commercial bulk message detected and allowed due to policy settings for
<recipient>.

Note
You cannot view logs for discarded messages.

Managing quarantined images


Note
You must have the Email Security Image Analysis Module to use this feature.

If a message has been quarantined due to an inappropriate image attachment, a
thumbnail of the image appears under Blocked Images at the end of the message log
details. Note that you must have the “View Quarantine Images” permission to access
these images.
If you consider a quarantined image to be acceptable, you can add it to the image
whitelist by clicking Add to white list under the thumbnail. If the image is already in
the whitelist and you wish to remove it, click Remove from white list.

Note
We recommend that you only add images to the whitelist that are likely to cause the
repeated quarantining of messages.

The image whitelist can contain a maximum of 200 images; if you have already
reached this limit, the Add to white list option is greyed out.
For more information on the image whitelist, see Image whitelist, page 62.


7 End-User Self Service

Related topics:
● Requesting a message report
● Understanding the report
● Accessing quarantined email
● Changing subscription details
● Consolidating email report data

Forcepoint Email Security Cloud allows end users to review personal lists of
suspicious and clean email based on criteria that the user chooses, see details about
each message, and decide whether to release a message, whitelist it, or blacklist it. The
service does this by providing a personal email report. As an administrator, you can
configure what the report contains, how it is sorted, and whether or not you want end
users to be able to customize certain aspects of the report. You also specify the default
language, time zone, and schedule for the report. This is all done by clicking Email >
Messages > Personal Email Subscriptions. (See Personal Email Subscriptions, page
49 for specifics.)
You can choose to subscribe your end users to the personal email report via the cloud
portal. In this case, users receive a single report in the format that you configure as
described above, and the report contains a link that a user must click to receive the
report on a weekly basis.
Otherwise, end users are not set up to receive the message report by default. To
receive a personal email report, users must request it from a cloud service website.
The Forcepoint Email Security Cloud End User’s Guide and the Forcepoint Email
Security Cloud End User’s Quick Start Guide provide instructions for your users.

Requesting a message report

Users can request a personal email report by going to the following website and
entering their email address.
www.websense.com/content/messagereport.aspx


The report is emailed to the email address entered. This normally takes no longer than
a few seconds depending on the amount of data included.

Understanding the report


Information included on the personal email report

| Section | Contents |
| --- | --- |
| A | The date range for which the report was processed |
| B | Your email address. Note that if you have consolidated message report data from multiple email accounts into one report, you will see all the email addresses included in that subscription. |
| C | The number of suspicious and clean messages that were processed for you during the period |
| D | An option to change the number of days shown in the report |
| E | A link to receive this report by email on a regular basis |
| F | The ability to select all quarantined and/or spam messages and take actions on them, such as delete or release |
| G | A link to change your report subscription |
| H | A link to manage your personal whitelist and blacklist |
| I | A list of your email arranged in the following order (list depends on user and account configuration): suspicious messages you received or sent, then clean messages you received or sent. If you are viewing the online version of your report, you can change the order of the messages by clicking a column heading link. For example, you can sort by the From or To column, the Date/Time column, or the Status column. |
| J | An indication of whether a message has been received or sent. |
| K | The actions you can take on a message. (Select a message by clicking in the check box on the left.) Options include (listed below the table): |

● Details - Access details about the message
● Release - Release the message from quarantine. (Inbound messages only.
This is not possible for all messages, such as those containing known
viruses.) If the message to be released was originally sent to a distribution
list address that is included in a consolidated report, you are given the option
to release the message to the whole list or a specific email address.
● Whitelist - Send this message or domain to your personal whitelist. This
tells the cloud-based service to always allow messages from this sender or
domain.
● Blacklist - Send this message or domain to your personal blacklist. This
tells the cloud-based service to never allow messages from this sender or
domain.

Information included on the message summary line


Information included on the message summary section:
● An indication of whether the message was inbound or outbound
● The message sender
● The message recipient
● The time and date that Forcepoint Email Security Cloud logged the email
● The status of the email - what action Forcepoint Email Security Cloud took on the
email
● The subject line of the message

Default information included


The first time a user requests a personal email report, it contains a maximum of 50
lines and covers the period of the last 7 days.

Accessing quarantined email

If users want to view the content of a particular quarantined message, they select the
message (by clicking in the check box on the left), then click Details. They then have
options of what to do with the message.
The details of a message may look something like this:

In this example a message was quarantined because it exceeded the maximum size
specified in the policy. (The message is over 1 GB.) Note that the user can add the
sender or sending domain to the antispam whitelist or blacklist. These lists bypass
antispam processing; they do not bypass the policy’s message size restrictions. If the
antispam whitelist and blacklist options are not enabled on the policy, the buttons do
not display.


In some cases, users may be allowed to release a message or send a copy to
themselves. If the email was quarantined because it contains a virus or offensive
words, however, they would not be able to release a copy regardless of how the
administrator has configured the service.
To view a list of quarantined messages, end users can sort on the Status column in
their report, then scroll to the quarantined section.
When looking at the online version of their report, users can take action on all of the
messages in their quarantine at once. To do so, they click Quarantined, then select an
action to take from the drop-down list.

If, in the report, the user clicks a link to a message that was accepted, only the message
log entries are shown, because the message is no longer available to Forcepoint Email
Security Cloud.

Changing subscription details

If you have selected the Allow end users to modify report content option when
setting up your Personal Email Subscriptions, end users can configure the system to
send themselves message reports at any time interval. To define subscription details,
they click the link Change Subscription.


On the Change Subscription screen, users can specify the following subscription details:
● Manage Accounts
■ Do they want to consolidate the report data for multiple aliases or email
accounts into one report? (See Consolidating email report data, page 153.)
● Report Options
■ What time period do they want reported: the last 1, 2, 7, 14, or 30 days?
■ How often should the report be delivered: daily, weekdays, weekly, biweekly,
or monthly?
■ How many rows do they want on each page in the report: 20, 50, 100, 200, or
500?
■ What sections do they want included in the report: quarantined suspicious
messages received or sent, non-quarantined suspicious messages received or
sent, clean messages received or sent?
■ In what order do they want the information about quarantined and non-
quarantined messages to appear: status, date/time, subject, from, or to?
Ascending or descending?

Note
Subscriptions to the message report lapse after 93 days. 62 days after subscribing,
each time users receive a report, they are reminded that they should renew their
subscription.

■ What time zone should the report assume?
■ In what language do they want the report delivered? 14 languages are
supported:
○ Czech
○ Dutch
○ English (U.K. and U.S.)
○ French
○ German
○ Greek
○ Italian
○ Polish
○ Portuguese (Brazilian)
○ Romanian
○ Slovak
○ Spanish
○ Swedish
Regardless of the settings for the scheduled report, users can request a report by
following the process outlined in Requesting a message report, page 147.


Consolidating email report data

End users who are allowed to modify settings in their personal email report can
consolidate data from their other email accounts or aliases into one report. They can
also consolidate another person’s email addresses, such as an assistant consolidating a
manager’s addresses into one report. Reviewing and managing one report rather than
several may help save time.
Note that if LDAP synchronization is enabled for the account, all aliases associated
with an end user will be automatically listed on the Change Subscription screen under
Manage subscription addresses. The end user can then add one or more of them into
one consolidated report.
End users who want to consolidate addresses can do the following:
● From the personal email report, click Change Subscription.
● Under Manage Accounts, check the box for the email address or addresses to be
added if a list is given, or enter the email address. The address must be from one
of the domains owned by your company. For example, company xyz might have
these domains: xyz.com, xyz.co.uk, or xyz.com.au.
● Click Add Address.
● To add a new email address, the end user must receive approval from the owner of
that address. Clicking Add Address sends an email request for approval to the
address owner. Until the owner approves the request, the email is marked
“pending approval by owner.” If the owner approves the request, the requestor is
notified by email and the “pending” status is removed. The owner may choose to
decline the request in which case the user may not add the email address to their
personal email report.
● To remove an address from the report, clear the check box next to the email
address that they want to remove. Clearing the box reveals a “Remove” link. End
users who click on this link are asked to confirm they want to remove the address.
Note that after they have created a consolidated personal email report, end users who
then order a message report, or are set up to automatically receive a report, receive the
consolidated report. If the end user wishes to receive reports from more than one
subscription (for example, an individual and a consolidated subscription), you, the
administrator, must create these subscriptions in the Security Portal.


8 Email Reporting Tools

Related topics:
● Email Report Center
● Legacy Email Reporting
● Service reports
● Account Reports

Email protection reporting provides many tools for profiling and investigating email
security and usage. On the toolbar, select Reporting to see all available reporting
options.
Reporting allows you to:
● Monitor service performance
● Monitor traffic volumes and patterns for capacity planning purposes
● Enforce your email acceptable use policy
● Isolate and resolve problems
Reporting tools include:
● The Email Dashboard charts provide threat, risk, usage, and system
information. For most charts, the time period, chart style, and set of results shown
can be customized. You can also select columns or sections on a chart to drill
down to the relevant report in the Report Builder.
● The Report Center menu–Report Catalog, Report Builder, Message Details, and
Scheduler–offers a set of predefined reports, the ability to create custom reports, a
method for digging into message details, and a facility for report scheduling.
● The Legacy Email Reports menu includes reports that were available before
Report Center was released, and remain available to support existing customers.
This section allows you to generate a set of standard reports, organized by
Address, Content, Inbound, Outbound, Virus, Volumes, and Spam. See Legacy
Email Reporting, page 165.


Email Report Center

Related topics:
● Using the Report Catalog
● Using the Report Builder
● Viewing detailed reports
● Scheduling reports
● Email predefined reports
● Email report attributes
● Email report metrics

The Report Catalog contains a number of predefined reports that cover common
scenarios, available in bar chart, trend chart, and tabular formats. You can copy any
predefined report to apply your own filters to create a custom report, and share your
reports with other administrators. See Using the Report Catalog.
Use Report Builder to create multi-level, flexible reports that allow you to analyze
information from different perspectives and gain insight into your organization’s
email message trends. If a high-level summary shows areas of potential concern, you
can drill down to find more details. See Using the Report Builder.

Viewing detailed reports


You can use Report Builder reports as a starting point for accessing more detailed
information about email activity, either by drilling down into a particular aspect of a
report, or by using the Message Details option to see further information about a
report item.

Drilling into report items


To drill down into a report item:
1. Mark the check box next to each item for which you want more information.
You can select multiple items and change your selections, even after the popup
window appears.
2. In the popup window, select an available attribute from the Drill Into By
drop-down list.
3. The new report loads. Note that as you have moved down a level in the report, the
items you selected in step 1 are now in the Filters field, while the Grouping field
contains the other report attributes, including the one you selected in step 2.
You can edit the content of the Grouping and Filters fields, and view the report in
different formats, in exactly the same way as for the previous report.

4. To drill down a further level, repeat steps 1-3 above.

Using Message Details


The Message Details view is available for report items at all levels. To see the details
for one or more report items:
1. Mark the check box next to each item you wish to view.
You can select multiple items and change your selections, even after the popup
window appears.
2. In the popup window, select View Transactions.
The Report Center Message Details page loads, listing details for each message within
the report items you selected.
In the Message Details page, you can:
● Edit the filters and date range for the messages you wish to see.
● Select the columns to display from the Columns drop-down. Click Done when
you have made your selections.
● Click a column heading to make it the active column for sorting transactions.
Click again to switch between ascending and descending order.
● Delete columns by clicking the X icon in a column heading. Note that you cannot
delete the current active column.
● Drag metrics from the left-hand pane into the Filters field.
● Enable Detail View to see more detail for the selected message. The Message
Details pane opens at the bottom of the page, and displays the timestamp, sender
address, recipient address, direction, action, and filtering reason of the message.
● Export message details to PDF or CSV format. Either select one or more
messages and then click Export to PDF or Export to CSV in the popup window
that is displayed, or click the PDF or CSV icon in the top right to export all
messages on the page.

Email report attributes


Below is a list of available report attributes.

| Name | Description | Filter values |
| --- | --- | --- |
| Direction | The direction of the message: inbound or outbound. | Check boxes |
| Envelope Sender | Used by mail servers to check where the message originates and where to respond (for example, if there is an error or the message bounces). Often matches the From: address, but not always. For example, the message might come from a mailing list, or from an organization authenticated to send messages on your company’s behalf. | Manual text |
| From: Address | The address the message recipient sees in the From: field of the message. | Manual text |
| Policy | The email policy used for filtering. | Autocompleted text |
| Recipient Address | The email address of a message recipient. | Manual text |
| Recipient Domain | The domain associated with a message recipient. | Manual text |
| Sender Domain | The domain associated with a message sender. | Manual text |
| Sender Name | The name of a message sender. | Manual text |
| Subject | The text in the subject line of a message. There are also options to filter by results with no subject, and to perform a case-sensitive search. | Manual text |
| Action | The action applied to the message. Options are Accepted, Bounced, Bypassed processing, Discarded, Quarantined, Temporarily bounced. | Check boxes |
| Black/Whitelisted | Groups and filters messages by whether they are blacklisted, whitelisted, or neither. | Check boxes |
| Blocked Attachment Ext | Groups and filters messages by the extension of their blocked attachments (for example, EXE). There is also an option to include results with no blocked attachment extension. | Manual text |
| Filtering Reason | The result of filtering the message (possible results are listed below the table). | Check boxes |

Filtering Reason results:
● Blocked attachment – Message quarantined due to attachment filename extension.
● Blocked attachment type – Message quarantined due to the actual attachment file type.
● Clean – No threats detected. No rule or policy violations. No analysis failures or errors.
● Custom rule – Message triggered a rule that applies to select accounts.
● Encrypted content/message – Message encrypted or message body included encrypted content.
● Exceeds size limit – Message exceeded the size limit.
● Format problem – Message body failed structural analysis.
● Global rule – Message triggered an operational rule.
● Inappropriate image – Message contained an inappropriate image.
● Lexical rule violation – Message content triggered a lexical rule.
● Malicious macro – Message contained a malicious macro.
● Masked attachment extension – Message attachment filename extension was masked.
● Message parked – Message parked for secure download.
● Other – Unspecified or unknown filtering reason.
● Phishing – Message included phishing content.
● Spam – Message determined to be spam.
● Spoofed – Message failed internal domain spoofing checks.
● Spoofed-External – Message failed DMARC validation.
● Spoofed-Targeted – Message failed the Internal Executive Spoofing check.
● System error – Message processing error.
● Threatseeker issue – ThreatSeeker Intelligence detected suspicious content.
● TLS requirements not met – TLS connection required; the MTA did not offer it.
● Virus – Message contained a virus.

| Name | Description | Filter values |
| --- | --- | --- |
| Lexical Rule | The lexical rule applied to a message. There is also an option to include results with no lexical rules applied. | Manual text |
| Sender IP | The IP address of a message sender. There is also an option to include results with no sender IP address. | Manual text |
| Sender IP Country | The country from which the sender IP address originates. | Autocompleted text |
| Attachment File Type | A description of the type of file attached to a message - for example Microsoft Excel or Portable Network Graphic (PNG). | Autocompleted text |
| Attachment Filename | The name of a specific file attached to a message. | Manual text |
| Attachment MIME Type | MIME type of a message attachment in the format content type/content subtype. For example, video/mpeg or text/csv. | Manual text |
| Content Type | The type of content detected within the message. Options are Archive, Audio, Encrypted, Executable, HTML, Image, None, Office Document, Signed, Video. | Check boxes |
| Emb. Domain | The domain of an embedded URL within a message. | Manual text |
| Emb. Full URL | The full URL embedded within a message. | Manual text |
| Emb. Host | The host name embedded within a message. | Manual text |
| Emb. URL Category | The category of a URL embedded within a message. | Autocompleted text |
| Emb. URL Risk Class | The risk class associated with a URL embedded within a message. | Check boxes |
| Emb. URL Severity | The severity level associated with a URL embedded within a message. | Check boxes |
| Advanced Encryption | The type of advanced encryption applied to the message. Options are Decrypted Inbound, Encrypted Outbound, or None. This attribute requires the Forcepoint Email Security Encryption Module. | Check boxes |
| File Sandbox Status | The result of analysis of files attached to messages that were sent to the File Sandbox. Status can be: No threat detected (sandbox analysis did not detect any malicious behavior); Malicious (sandbox analysis detected potentially damaging, malicious behavior); Pending analysis (the file has been submitted to the sandbox and is queued for analysis). The report includes date/time, sender, recipient address, Subject, and status. This attribute requires the Forcepoint Advanced Malware Detection for Email module. Note: A secondary grouping is not allowed when File Sandbox Status is the primary grouping. | Check boxes |
| Message Sandboxing | The type of sandboxing applied to the message. Options are Attachment Wrapped, None, Phishing URL Sandboxed, URL Sandboxed. This attribute requires the Advanced Malware Detection for Email module. | Check boxes |
| Virus Name | The name of a virus detected in a message. There is also an option to include results with no virus name associated with them. | Manual text |

Date Enables you to group report entries by N/A
date. Note that this attribute is not
available for filtering as the Date Range
field performs this function.
Day of Week Enables you to group and filter report Check boxes
entries by days of the week.
Hour Enables you to group and filter report 24 hour selection
entries by hour.
Month Enables you to group and filter report Check boxes
entries by month.

Email report metrics


The table below lists the report metrics that can be added to Report Builder and
Message Center reports.

| Metric Name | Description |
|---|---|
| Message Size | |
| Filtering Time | The time in milliseconds to process the message. |
| Spam Score | |
| Attachment Size | The size of each file attachment, in bytes. |

Email predefined reports


Below is a list of predefined reports.
● Advanced reports
● Email Activity reports
● Lexical Rules reports
● Message Size reports
● Security reports
● Spam reports
● TLS reports

Advanced reports

| Report Name | Description |
|---|---|
| Message Analysis Delay | The time taken in rounded-up seconds to process and analyze messages. |
| Unprocessed Message Statistics | Details of messages discarded due to access control rules in the last 7 days. |

Email Activity reports

| Report Name | Description |
|---|---|
| Full Message Statistics | Total number of inbound and outbound email messages processed in the last 7 days. |
| Inbound Email Statistics | Total number of inbound messages in the last 7 days. |
| Outbound Email Statistics | Total number of outbound messages in the last 7 days. |
| Outbound Senders | Email addresses of users sending messages from your mail servers in the last 7 days. |
| Top Inbound Policies | Policies containing users receiving the most messages in the last 7 days. |
| Top Inbound Receiving Domains | Domains in your account receiving the most messages in the last 7 days. |
| Top Inbound Recipients | Most frequent recipients of inbound messages in the last 7 days. |
| Top Inbound Senders | Most frequent senders of inbound messages in the last 7 days. |
| Top Inbound Sending Domains | Domains sending the most inbound messages to your account in the last 7 days. |
| Top Inbound Sources | Most frequent source IP addresses of inbound messages in the last 7 days. |
| Top Outbound Policies | Policies containing users sending the most messages in the last 7 days. |
| Top Outbound Receiving Domains | Domains receiving the most messages from your account in the last 7 days. |
| Top Outbound Recipients | Most frequent recipients of outbound messages in the last 7 days. |
| Top Outbound Senders | Most frequent senders of outbound messages in the last 7 days. |
| Top Outbound Sending Domains | Domains in your account sending the most outbound messages in the last 7 days. |
| Top Recipients | Most frequent recipients of messages, both inbound and outbound, in the last 7 days. |
| Top Senders | Most frequent senders of messages, both inbound and outbound, in the last 7 days. |

Lexical Rules reports

| Report Name | Description |
|---|---|
| Most Matched Lexical Rules | The top 10 lexical rules matched in the last 7 days. |
| Top Recipients for Lexical Rule Blocks | Recipients of messages most frequently blocked by lexical rules in the last 7 days. |
| Top Senders for Lexical Rule Blocks | Senders of messages most frequently blocked by lexical rules in the last 7 days. |

Message Size reports

| Report Name | Description |
|---|---|
| Large Messages | Details of the largest messages processed through the service in the last 7 days. |
| Total Message Size | Total size of all messages processed for your account in the last 7 days. |

Security reports

| Report Name | Description |
|---|---|
| Detailed File Sandboxing Report | Details of analysis performed on files attached to messages that were sent to the File Sandbox in the last 7 days. Report includes date/time, sender, recipient address, Subject, and result of analysis (Status). Status can be: ● No threat detected – Sandbox analysis did not detect any malicious behavior. ● Malicious – Sandbox analysis detected potentially damaging, malicious behavior. ● Pending analysis – The file has been submitted to the sandbox and is queued for analysis. This report is available to subscribers of the Advanced Malware Detection for Email module. |
| Emails Containing Viruses | Messages containing viruses detected in the last 7 days, using all techniques including ThreatSeeker Intelligence. |
| Inbound Virus Percentage | Percentage of inbound messages containing viruses in the last 7 days. |
| Outbound Virus Percentage | Percentage of outbound messages containing viruses in the last 7 days. |
| Sandboxed URLs | Messages containing URLs that were sandboxed in the last 7 days. |
| Summary of File Sandboxing Results by Status | Summary of File Sandboxing by number of messages processed for each Status in the last 7 days. Status can be: ● No threat detected – Sandbox analysis did not detect any malicious behavior. ● Malicious – Sandbox analysis detected potentially damaging, malicious behavior. ● Pending analysis – The file has been submitted to the sandbox and is queued for analysis. This report is available to subscribers of the Advanced Malware Detection for Email module. |
| Top Inbound Virus Sources | Most frequently-seen domains for inbound viruses in the last 7 days. |
| Top Virus Sources | Common source domains of viruses in the last 7 days. |
| Top Viruses | Top 20 most commonly-detected viruses in the last 7 days. |

Spam reports

| Report Name | Description |
|---|---|
| Inbound Commercial Bulk Email Statistics | Details of inbound messages detected as commercial bulk email in the last 7 days. |
| Inbound Spam Percentage | Percentage of inbound messages detected as spam in the last 7 days. |
| Inbound Spam Statistics | Details of inbound messages detected as spam in the last 7 days. |
| Outbound Spam Percentage | Percentage of outbound messages detected as spam in the last 7 days. |
| Outbound Spam Statistics | Details of outbound messages detected as spam in the last 7 days. |

TLS reports

| Report Name | Description |
|---|---|
| Mandatory TLS Delivery Failures | Details of messages in the last 7 days that could not be delivered because a TLS connection was not available. |

Legacy Email Reporting

The Legacy Email Reporting menu provides reports that were available before the
Report Center was released, and remain available to support existing customers. Use
this menu to generate a set of standard reports organized by Address, Content,
Inbound, Outbound, Virus, Volumes, and Spam. These reports can be generated using
a range of filters, and can be downloaded as PDF or XLS files.
To access legacy email reporting features, go to Reporting > Legacy Email Reports.
For more information on these reports, refer to Categorized reports, page 167. To see
what a specific email report contains, see Email report list, page 170.

All reports are generated in real time. Most include charts and tables that are presented
in an easy to read, printable format.

Note
For larger accounts, where a lot of data is to be retrieved, the reports may take some
time to generate. As soon as the relevant data has been retrieved it is displayed
while the remainder of the report is being compiled.

Commonly-used report criteria can be saved for easy access. For more information,
see Saving reports, page 168. Saved reports can be scheduled for regular delivery to
one or more recipients as described in Scheduling categorized reports, page 168.

Reporting periods
Reports can be generated for periods of hours to years. When accessing a report, you
can drill down from within the report to a shorter time period. For example, an email
volumes report for 7 days returns a table of volumes by day and a corresponding bar
chart. By clicking a link on the relevant day on the table or chart, the report drills
down and provides an hourly table and chart for that day. This allows not only the
creation of management reports, but also reactive tracking of day-to-day issues.
You can select the reporting period from the drop-down list or you can click more to
select absolute From and To dates and times. The available dates and times are
dependent on the type of report and the availability of the data.

Downloading report results


On each report, you have the option to download the data as a PDF or CSV file.

Note
You can also download charts as image files or in PDF format. To download a chart,
right-click the chart and select the format to download (PDF, PNG, or JPEG).

Downloading a CSV file


You can download the statistics for the majority of reports as a comma-separated
values (CSV) file. This allows you to import it into a third-party application, such as
Microsoft Excel, for viewing and manipulation. On each table of results, click
Download CSV to begin the download.

Note
For some email reports, the totals in the CSV file might be higher than the totals in
the report on screen. This is because the generated reports contain 1 line per email
message, whereas the CSV version contains 1 line per recipient which means that a
single email message might appear several times.
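
The difference described in this note can be checked by collapsing the per-recipient rows of a downloaded CSV back into per-message counts. The script below is an added example, not part of the Forcepoint documentation or product; the column names and the rule for recognizing one message (same date/time, sender and subject) are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample of a per-recipient CSV export. The column names are
# assumptions for this example; use the header row of your own download.
SAMPLE_CSV = """\
Date/Time,Sender,Recipient,Subject,Filtering Reason
2019-10-21 09:14:02,billing@example.net,alice@example.com,Invoice 4471,Phishing
2019-10-21 09:14:02,billing@example.net,bob@example.com,Invoice 4471,Phishing
2019-10-21 09:14:02,billing@example.net,carol@example.com,Invoice 4471,Phishing
2019-10-21 10:02:45,news@example.org,alice@example.com,Weekly offers,Spam
2019-10-21 11:30:10,scan@example.org,bob@example.com,Scanned document,Virus
2019-10-21 11:30:10,scan@example.org,dave@example.com,Scanned document,Virus
"""

# Assumption: rows that share timestamp, sender and subject are one message
# delivered to several recipients. Two distinct messages that agree on all
# three fields would be merged, so treat the result as an estimate.
MESSAGE_KEY = ("Date/Time", "Sender", "Subject")
RECIPIENT_FIELD = "Recipient"
REASON_FIELD = "Filtering Reason"


def reconcile(csv_text, key_fields=MESSAGE_KEY):
    """Collapse per-recipient CSV rows into per-message totals."""
    reader = csv.DictReader(io.StringIO(csv_text))
    required = set(key_fields) | {RECIPIENT_FIELD, REASON_FIELD}
    missing = required - set(reader.fieldnames or [])
    if missing:
        raise ValueError("CSV is missing columns: " + ", ".join(sorted(missing)))

    recipients_by_message = {}   # message key -> set of recipients
    reason_by_message = {}       # message key -> filtering reason
    rows_by_reason = Counter()   # what summing the raw CSV rows would give
    row_count = 0

    for row in reader:
        row_count += 1
        key = tuple(row[f].strip() for f in key_fields)
        reason = row[REASON_FIELD].strip()
        rows_by_reason[reason] += 1
        recipients_by_message.setdefault(key, set()).add(
            row[RECIPIENT_FIELD].strip().lower())
        reason_by_message.setdefault(key, reason)

    messages_by_reason = Counter(reason_by_message.values())
    # Messages with the widest recipient fan-out explain most of the gap
    # between the CSV total and the on-screen total.
    fan_out = sorted(
        ((len(rcpts), key) for key, rcpts in recipients_by_message.items()),
        reverse=True)
    return {
        "csv_rows": row_count,
        "messages": len(recipients_by_message),
        "rows_by_reason": dict(rows_by_reason),
        "messages_by_reason": dict(messages_by_reason),
        "widest_fan_out": fan_out[0] if fan_out else None,
    }


if __name__ == "__main__":
    summary = reconcile(SAMPLE_CSV)
    print("CSV rows (one per recipient):", summary["csv_rows"])
    print("Estimated messages:          ", summary["messages"])
    for reason, rows in sorted(summary["rows_by_reason"].items()):
        print(f"  {reason}: {rows} rows, "
              f"{summary['messages_by_reason'][reason]} messages")
```
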

Downloading a PDF file


Report results can be output to Portable Document Format (PDF) for easy distribution
or printing. The PDF report is generated by clicking the Download PDF button on a
table of results.

Categorized reports

Related topics:
● Saving reports
● Scheduling categorized reports
● Email report list

To access an email report:


1. Go to Reporting > Email Reporting.
2. Select a report category from the navigation pane.
3. Select a report from the Show drop-down list.
The reports you see depend on your subscriptions.
Initially you can access only the Selection tab to enter selection criteria. Once you
have generated a report, you can click the Chart and Table tabs to view the results in
chart or table form.
For most reports, you can select filtering criteria that restrict the report results. Next
to each of the filtering criteria is a note describing in more detail how to use that
option.

Note
If your account is enabled for filtered reporting, you may only be able to view reports
that filter on certain policies. See Configuring permissions, page 12.

When you select a report, you are shown a list of the time periods for which the report
is available. Alternatively you can select a specific time period (from and to) for the
report by clicking more next to the period list.
To make selection from some criteria lists easier, you can expand the list to appear in a
larger window by repeatedly clicking on the Grow list link.
Once you have decided on the report and the appropriate criteria, click Generate
report. You may receive feedback at this point advising that the report might take
some time to generate. Typically this is due to the amount of data that must be
searched. You can often avoid this by adding more criteria to narrow the search. Click
Back if you want to cancel the report.

Report results
Most report results are displayed in chart and table format in the relevant screen. Note
that not all reports are available in both formats.

Drilling down
Many of the reports contain links to more detailed reports. For example, for time-
based reports, clicking the chart column or data table entry for a day generally
displays the hourly report for that day, using any filtering criteria that applied to the
original report.
Some reports allow you to drill down into the data in a more flexible way. If this is the
case, there is a drop-down list above the chart and data table listing the available
views. Select the view required from the list and then click the chart or table to display
the new report.

Saving reports

Related topics:
● Scheduling categorized reports

You can choose to save any categorized report. Use this option to identify the reports
you generate most frequently and want to be able to locate quickly.
To see the list of reports that you have saved, select Reporting > Account Reports >
Saved Reports.
To save a report:
1. Select the email report you want.
2. Use the Selection screen to enter your report criteria as described in Categorized
reports, page 167.
3. Click Save report.
4. Enter a name for the report, and click Save.
The Saved Reports list is displayed, and the report you entered is now listed.
As well as accessing the report from this screen, you now have the option to delete the
saved report or schedule it for regular delivery.

Scheduling categorized reports

Related topics:
● Saving reports

You can run reports as they are needed, or you can define a schedule for running one
or more saved reports.
Reports generated by scheduled jobs are distributed to one or more recipients via
email. The reports can be in HTML, PDF, or CSV format. There is a limit on the
number of reports you can schedule for delivery: the Saved Reports list displays the
remaining number you can schedule in addition to any existing deliveries.

Note
You cannot schedule reports that have defined start and end dates, or that span
periods of less than 24 hours.

To schedule a report:
1. Select Reporting > Account Reports > Saved Reports.
2. You can schedule an existing saved report by clicking the report you want to
schedule on the Saved Reports list. If you do this, skip to step 5 below.
Otherwise, to create a new report for scheduling, click the Generate a new report
link. The page that appears includes only reports that are eligible for scheduling.
3. Create and save your report as described in Saving reports, page 168.
4. On the Saved Reports list, click the name of your new report.
5. Click Schedule email report.
6. Enter the email address of the report recipient. Multiple email addresses should be
separated by commas or spaces.
If you enter an address with a domain not registered to the account, a warning
appears when you save the schedule. Click OK on the warning to accept the
address.
7. Enter a subject for the report email, and the text you want to appear in the body of
the email.
8. Select the report format.
9. Set one of the following delivery periods for your reports:
■ daily
■ weekdays
■ weekly
■ every other week (biweekly)
■ monthly (the default option)
If you want to stop a scheduled report temporarily, select suspend delivery.
10. Click Save.
You are returned to the Saved Reports list. Reports that have been scheduled display
the recipient list in the Email to column. Click an item in this column to open the
schedule, where you have the option to edit or delete the report delivery.

Email report list


The tables below show the email reports that are available. Note that some reports
appear in more than one report category.

Note
You may not see all of the reports listed here, depending on the features enabled in
your account.

● Address reports
● Content reports
● Inbound reports
● Outbound reports
● Spam reports
● Virus reports
● Volume reports

Address reports

| Report | Available Periods | Formats | Description |
|---|---|---|---|
| Outbound Senders | Daily | Table, CSV Link, PDF Link | Senders of email originating from your mail servers. Note that this can include senders of email that was auto-forwarded by your mail system and was originally from outside your organization. |
| Top Sources of Viruses | Minutes, Hourly | Chart, Table, CSV Link, PDF Link | The most frequently seen IP addresses by volume of inbound viruses. |
| Top Recipients | Minutes, Hourly, Daily | Chart, Table, CSV Link, PDF Link | The most frequent recipients by volume of messages regardless of direction |
| Top Senders | Minutes, Hourly, Daily | Chart, Table, CSV Link, PDF Link | The most frequent originators by volume of messages regardless of direction |
| Top Inbound Recipients | Minutes, Hourly, Daily | Chart, Table, CSV Link, PDF Link | The most frequent recipients by volume of inbound messages |
| Top Inbound Senders | Minutes, Hourly, Daily | Chart, Table, CSV Link, PDF Link | The most frequent originators by volume of inbound messages |
| Top Inbound Sources | Minutes, Hourly | Chart, Table, CSV Link, PDF Link | The most frequent source IP addresses by volume of inbound messages |
| Top Outbound Recipients | Minutes, Hourly, Daily | Chart, Table, CSV Link, PDF Link | The most frequent recipients by volume of outbound messages |
| Top Outbound Senders | Minutes, Hourly, Daily | Chart, Table, CSV Link, PDF Link | The most frequent originators by volume of outbound messages |
| Top Transit Recipients | Minutes, Hourly, Daily | Chart, Table, CSV Link, PDF Link | The most frequent recipients by volume of messages that were sent to and from the service |
| Top Transit Senders | Minutes, Hourly, Daily | Chart, Table, CSV Link, PDF Link | The most frequent senders by volume of messages that were sent to and from the service |
| Top Spamtraps | Minutes, Hourly | Chart, Table, CSV Link, PDF Link | The most frequently used spamtraps |
| Top Senders to Spamtraps | Minutes, Hourly | Chart, Table, CSV Link, PDF Link | The most frequent senders by volume of messages sent to spamtraps |
| Top Sources to Spamtraps | Minutes, Hourly | Chart, Table, CSV Link, PDF Link | The most frequently seen IP addresses by volume of messages sent to spamtraps |
| Top Recipients blocked by Lexical Rule | Hourly, Daily | Table, CSV Link, PDF Link | The most frequent lexical rule violations for recipients |
| Top Senders blocked by Lexical Rule | Hourly, Daily | Table, CSV Link, PDF Link | The most frequent lexical rule violations for senders |
| Top Sender/Recipients blocked by Lexical Rule | Hourly, Daily | Table, CSV Link, PDF Link | The most frequent lexical rule violations for pairs of senders and recipients |

Content reports

| Report | Available Periods | Formats | Description |
|---|---|---|---|
| Most Frequent Lexical Rules | Hourly, Daily | Chart, Table, CSV Link, PDF Link | The lexical rules that most frequently matched |
| Top Recipients blocked by Lexical Rule | Hourly, Daily | Table, CSV Link, PDF Link | The most frequent lexical rule violations for recipients |
| Top Senders blocked by Lexical Rule | Hourly, Daily | Table, CSV Link, PDF Link | The most frequent lexical rule violations for senders |
| Top Sender/Recipients blocked by Lexical Rule | Hourly, Daily | Table, CSV Link, PDF Link | The most frequent lexical rule violations for pairs of senders and recipients |
| Parked Attachments | Minutes, Hourly, Daily | Table, CSV Link, PDF Link | Lists email messages that had attachments parked |
| Parked Attachments Summary | Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | Summarizes parked attachments over specified period |
| Lexical Analysis Failure Volumes | Minutes, Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | The total number of email messages failing lexical analysis |
| Inbound Lexical Analysis Failure Volumes | Minutes, Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | The total number of inbound email messages failing lexical analysis |
| Outbound Lexical Analysis Failure Volumes | Minutes, Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | The total number of inbound email messages failing lexical analysis |

Inbound reports

| Report | Available Periods | Formats | Description |
|---|---|---|---|
| Inbound Volumes | Minutes, Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | The total volume of inbound messages |
| Top Inbound Recipients | Minutes, Hourly, Daily | Chart, Table, CSV Link, PDF Link | The most frequent recipients by volume of inbound messages |
| Top Inbound Senders | Minutes, Hourly, Daily | Chart, Table, CSV Link, PDF Link | The most frequent originators by volume of inbound messages |
| Top Inbound Sources | Minutes, Hourly | Chart, Table, CSV Link, PDF Link | The most frequent source IP addresses by volume of inbound messages |

Outbound reports

| Report | Available Periods | Formats | Description |
|---|---|---|---|
| Outbound Volumes | Minutes, Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | The total volume of outbound messages |
| Outbound Senders | Daily | Table, CSV Link, PDF Link | Senders of email originating from your mail servers. Note that this can include senders of email that was auto-forwarded by your mail system and was originally from outside your organization. |
| Top Outbound Recipients | Minutes, Hourly, Daily | Chart, Table, CSV Link, PDF Link | The most frequent recipients by volume of outbound messages |
| Top Outbound Senders | Minutes, Hourly, Daily | Chart, Table, CSV Link, PDF Link | The most frequent originators by volume of outbound messages |
| Encrypted Messages | Minutes, Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | The total number of encrypted messages sent in the selected time period |
| Encrypted Messages by Domain | Minutes, Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | The most popular domains for sending encrypted messages in the selected time period |
| Encrypted Messages by Policy | Minutes, Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | The most used policies for sending encrypted messages in the selected time period |
| Encrypted Messages by Encryption Rule | Minutes, Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | The most frequently-used encryption rules for sending encrypted messages in the selected time period |
| Opportunistic TLS | Hourly, Daily | Chart, Table, CSV Link, PDF Link | Shows the number of delivered messages that used, or did not use, opportunistic TLS |

Spam reports

| Report | Available Periods | Formats | Description |
|---|---|---|---|
| Inbound Spam Volumes | Minutes, Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | The total number of inbound email messages detected as spam |
| Outbound Spam Volumes | Minutes, Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | The total number of outbound email messages detected as spam |
| Inbound Spam Percentage | Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | The percentage of inbound email detected as spam |
| Outbound Spam Percentage | Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | The percentage of outbound email detected as spam |
| Inbound Spam Bandwidth Saved | Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | Estimates the bandwidth saved for your company due to the filtering of inbound spam. The estimate is based on the number of inbound messages for your account in the selected time period, the approximate number of blocked messages for your account, and the average size of spam messages as calculated from the overall spam data for all Forcepoint Email Security Cloud accounts. |
| Spam False Positives and Negatives | Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | The number of false positives and false negatives generated during spam message processing. |
| Inbound Commercial Bulk Email Volumes | Minutes, Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | The total number of inbound email messages detected as commercial bulk email |
| Top Spamtraps | Hourly | Chart, Table, CSV Link, PDF Link | The most frequently used spamtraps |
| Top Senders to Spamtraps | Hourly | Chart, Table, CSV Link, PDF Link | The most frequent senders, by volume, of email messages sent to spamtraps |
| Top Sources to Spamtraps | Hourly | Chart, Table, CSV Link, PDF Link | The most frequently seen IP addresses associated with messages sent to spamtraps |

Virus reports

| Report | Available Periods | Formats | Description |
|---|---|---|---|
| Most Common Viruses | Hourly, Daily, Monthly | Chart, Table, List, CSV Link, PDF Link | The most commonly-detected viruses |
| Zero-day viruses caught by ThreatSeeker | Hourly, Daily, Monthly | Chart, Table, Text, CSV Link, PDF Link | Recent viruses caught by Forcepoint ThreatSeeker Intelligence before any virus signature updates within your account |
| Largest windows of exposure closed by ThreatSeeker | Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | Recent viruses caught by Forcepoint ThreatSeeker Intelligence by largest window of exposure in your account |
| Virus Volumes | Minutes, Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | The total number of email detected as containing viruses by all techniques including Forcepoint ThreatSeeker Intelligence |
| Inbound Virus Percentage | Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | The percentage of inbound email detected as containing viruses by all techniques including Forcepoint ThreatSeeker Intelligence. |
| Outbound Virus Percentage | Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | The percentage of outbound email detected as containing viruses by all techniques including Forcepoint ThreatSeeker Intelligence. |
| Top Sources of Viruses | Hourly | Chart, Table, CSV Link, PDF Link | The most frequently seen IP addresses, by volume, associated with inbound viruses |
| Sandboxed URLs | Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | The number of messages containing sandboxed URLs. |
| Clicked Sandboxed URLs | Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | The number of times sandboxed links were clicked in messages, and the action the user took after clicking. |
| Targeted Phishing Attacks | Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | Phishing topics that are part of a targeted attack, directed at multiple recipients, listed by number of recipients. |
| Top Phishing Attacks | Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | The most frequently seen phishing topics by number of recipients. |
| Top Repeat Phishing Victims | Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | The end users who have most frequently clicked a link in a phishing email. |
| Top Phishing Recipients | Hourly, Daily, Monthly | Table, CSV Link, PDF Link | The end users who have most frequently received phishing email messages. |
| Phishing Topic Details | Hourly, Daily, Monthly | Table, CSV Link, PDF Link | A list of phishing topics for specified recipients. |
| Phishing Recipient Details | Hourly, Daily, Monthly | Table, CSV Link, PDF Link | A list of recipients for specified phishing topics. |

Volume reports

| Report | Available Periods | Formats | Description |
|---|---|---|---|
| Total Messages | Minutes, Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | The total number of email processed (both inbound and outbound) |
| Total Message Size | Up to 12 hours | CSV Link, PDF Link | How much mail, in megabytes, has been processed or stopped by the service. |
| Inbound Volumes | Minutes, Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | The total volume of inbound messages |
| Outbound Volumes | Minutes, Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | The total volume of outbound messages |
| Transit Volumes | Minutes, Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | The total volume of messages in transit (both to and from your account, i.e., internal messages) |
| Unprocessed Message Volumes | Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | Messages discarded because of access control rules |
| Largest Messages | Minutes, Hourly | Table, CSV Link, PDF Link | The largest messages |
| Message Size Distribution | Minutes, Hourly | Chart, Table, CSV Link, PDF Link | The distribution of message sizes |
| Top Inbound Policies | Minutes, Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | The policies receiving the most mail |
| Top Outbound Policies | Minutes, Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | The policies sending the most mail |
| Top Inbound Receiving Domains | Minutes, Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | The domains receiving the most mail from the Internet |
| Top Inbound Sending Domains | Minutes, Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | The domains sending the most mail from the Internet |
| Top Outbound Receiving Domains | Minutes, Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | The domains receiving the most mail from this account |
| Top Outbound Sending Domains | Minutes, Hourly, Daily, Monthly | Chart, Table, CSV Link, PDF Link | The domains sending the most mail to the Internet |
| Message Analysis Delay | Hourly | Chart, Table, CSV Link, PDF Link | The time taken in seconds (rounded up) to analyze email, i.e., excluding any delivery attempts |
| Top Mandatory TLS Failures | Hourly, Daily | Chart, Table, CSV Link, PDF Link | The volume of email messages that failed to be delivered due to TLS being unavailable. |
| Top Mandatory TLS Domains | Hourly, Daily | Chart, Table, CSV Link, PDF Link | The volume of email messages sent using mandatory TLS. |

9 Report Center

Related topics:
● Using the Report Catalog
● Using the Report Builder
● Scheduling reports
● Email: Using Message Details
● Email report attributes
● Email report metrics
● Email predefined reports
● Legacy Email Reporting
● Service reports
● Account Reports

Web and email cloud protection solutions include many tools for reporting on service
activity and security events. For information specific to email reporting, see Email
Reporting Tools, page 155. The following sections describe the Report Center.
Report Center features include:
● Report Catalog offers predefined reports. You can copy a predefined report to
apply your own filters to create a custom report. See Using the Report Catalog,
page 182.
● Report Builder supports the definition and creation of custom reports. See Using
the Report Builder, page 188.
● Scheduler allows reports to be generated on a schedule that you define.
Optionally, reports are sent to recipients that you specify. See Scheduling reports,
page 193.
● The Transaction Viewer supports flexible, detailed display of web transactions
and requests. See Using the Transaction Viewer, page 220.
● The email Message Center supports flexible, detailed display of email
transactions. See Viewing detailed reports, page 156.

Using the Report Catalog

Related topics:
● Managing reports
● Managing folders
● Web predefined reports
● Email predefined reports

Use the Reporting > Report Center > Report Catalog page to access predefined
reports for common scenarios.
The Report Catalog includes the following elements:
● The Toolbar, at the top, contains buttons for returning to the previous page,
creating new reports and folders, copying, sharing, and deleting items. Hover the
mouse over a button to see a description of its function.
● The folder list, in the left-hand pane, contains the following top-level folders:
■ The Favorites folder enables you to easily locate your most frequently-used
reports. You can mark a report or report folder as a favorite in the following
ways:
○ Click the star to the left of the report or folder name in the Report Catalog.
The star turns yellow when selected.
○ Click the star to the right of the report name in the Report Builder or
Transaction View. You do not need to save your changes.
To remove a report from Favorites, click the star again to turn it gray.
When viewing the Favorites folder, note that you are essentially viewing a list
of shortcuts to the reports. Choose View in folder from a favorite report’s
drop-down menu to see the report in its original folder.
■ My Reports contains all of the reports and folders that you create.
■ Standard Reports contains the predefined reports provided in the cloud
service. If you have more than one service, separate subfolders contain the
predefined reports for each service.
For information about email protection predefined reports, see Email
predefined reports, page 162.
■ Shared by Others contains items that have been shared for use by all
administrators in your account. Each folder has the user name of another
administrator, and contains the reports shared by that administrator.
If a folder contains one or more subfolders, click the arrow to see those subfolders
in the left-hand pane. Click a folder name to see its contents in the right-hand
pane.

● The table in the right-hand pane displays the contents of the folder you select in
the folder list. This can be one or more subfolders, or a list of reports. To see a
description of a particular report, hover the mouse over the report name.
From this pane, you can perform actions on one or more reports and folders, such
as copying, renaming, and deleting folders, or editing, running, or sharing a
report. The actions available to you depend on the permissions configured. For
example, you cannot delete reports in the Standard Reports folder. See Managing
reports, page 183, and Managing folders, page 186.
● The Search field, in the top right corner, enables you to search for specific words
or phrases in report titles. Search results list the report name, its location, and if
applicable, the report owner and the last time it was edited. You can manage a
report directly from the search results list. For example, you can run it or, if you
have suitable permissions, share or delete it.

Managing reports
The Report Catalog offers the options to run, edit, share, copy, schedule, and delete
reports. You can also access the Report Builder to create and save new reports.
The actions available to you depend on the permissions configured – for example, you
cannot delete reports in the Standard Reports folder.
Select a link below for further instructions.
● Run a report
● Add a new report
● Copy a report
● Edit an existing report
● Share a report
● Schedule a report
● Delete a report

Run a report
1. In the left-hand pane, navigate through the folder structure and select the
subfolder containing the report you want. The reports appear in the table on the
right of the screen.
2. Click the report you want to run. Alternatively, click the down arrow next to the
report, and select Run from the menu.
3. The results are displayed in the Report Builder. See Viewing report results and
Viewing detailed reports.

Add a new report


1. In the toolbar, click the New Report button, and select whether you want to use
the Report Builder or Transaction View.

2. Define attributes (for a grouped report), filters, and date ranges for your report as
described in Creating a report.
3. To save your new report to the Report Catalog, click the Save button in the
toolbar.
4. Enter a name and optionally a description for the report. The name can be a
maximum of 200 characters, and the description a maximum of 400 characters.
5. Select the folder to store the report in. By default this is the My Reports folder; if
you have created subfolders, you can use the Folder drop-down to choose one of
those.
6. Click Save Report.

Copy a report
1. Navigate through the Report Catalog to find the report you want to copy. This can
be a standard report, one created by you, or a report shared by someone else.
2. Click the down arrow next to the report you want, and select Copy from the menu.

Note
To copy multiple reports, mark the check box to the left of each report, then click the
Copy button in the toolbar.

3. If you are copying a standard or shared report, select the folder where you want to
store the copied report. By default this is the My Reports folder; if you have
created subfolders, you can use the Folder drop-down to choose one of those.
If you are copying one of your own reports, it is automatically saved to the same
folder as the original. You can move it to a different location later if required; see
Move items between folders.
4. Click Copy.
The report is saved to the selected location. If you are copying a report that you
own, “Copy” is appended to the report name. You can now rename the report by
clicking its down arrow and selecting Rename from the menu. You can also edit it
as required.

Edit an existing report


1. Navigate through the Report Catalog to find the report you want to edit. This can
be a standard report, one created by you, or a report shared by someone else.
2. Click the down arrow next to the report you want, and select Edit before running
from the menu.
This opens the Report Builder or Transaction View, depending on whether you are
editing a grouped or a transaction report.
3. Edit the attributes, filters, and date range of the report as required, then click the
Update Report button in the toolbar.

4. If you are editing a report that you created, or a shared report for which you have
editing permissions, you can save your changes by clicking the Save button in the
toolbar. The report is saved with the same name and in the same location,
overwriting the previous version.
If you are editing a standard report, or a shared report for which you do not have
editing permissions, click the Save As button in the toolbar to save the edited
report to one of your folders.

Share a report
1. In My Reports, click the down arrow next to the report you want, and select
Sharing from the menu. Alternatively, mark the check box next to one or more
reports, and click the Share button in the toolbar.

Note
You can also share a report after running it in the Report Builder.

2. In the popup window, select one of these options:


■ Not shared means you are the only person who can access the report. Select it
if you want to remove sharing from a report.
■ View only allows others to run the report, but not save any changes to it.
■ Allow editing enables others to both run and save changes to the report.
3. Click OK.
The report now has the sharing icon next to it in the report list. Hover the mouse
over the icon to see the sharing permissions allocated to the report.

Note
If a shared report is set to automatically detect the time zone, a user accessing the
report will always get the report in their local time zone.

Schedule a report
In My Reports, click the down arrow next to the report you want, and select Schedule
from the menu. Alternatively, mark the check box next to one or more reports, and
click the Schedule button in the toolbar. You can select a maximum of 5 reports for
each scheduling job.

Note
You can also share a report after running it in the Report Builder.

The Add Job scheduler window opens. For more information, see Scheduling reports.

Delete a report
1. In My Reports, click the down arrow next to the report you want to delete, and
select Delete from the menu. Alternatively, mark the check box next to one or
more reports, and click the Delete button in the toolbar.
2. In the popup window, click Delete to confirm.

Managing folders
The Report Catalog offers the options to create, copy, share, delete, and move items
between folders. The actions available to you depend on the permissions configured.
For example, you can only move and share your own folders.
Select a link below for further instructions.
● Create a new folder
● Copy a folder
● Move items between folders
● Share a folder
● Delete a folder

Create a new folder


You can create new folders only within the My Reports folder, up to a maximum of 4
levels of subfolders. Folder names can have a maximum of 200 characters.
To create a new folder:
1. Navigate to the location in My Reports where you want to place the new folder.
2. Click the Add Folder button in the toolbar.
3. Enter the new folder name, then click Add.
You can rename the folder later, if required, by clicking its down arrow and selecting
Rename from the menu.

Copy a folder
When you copy a folder, you also copy all of the contents in that folder, including
subfolders and their contents.
To copy a folder:
1. Navigate through the Report Catalog to find the folder you want to copy. This can
be a folder containing standard reports, one created by you, or a folder shared by
someone else.

2. Click the down arrow next to the folder you want, and select Copy from the menu.

Note
To copy multiple folders, mark the check box to the left of each folder, then click the
Copy button in the toolbar.

3. If you are copying a standard or shared folder, select the location where you want
to store the copied folder. By default this is the My Reports folder; if you have
created further subfolders, you can use the Folder drop-down to choose one of
those.
If you are copying one of your own folders, it is automatically saved to the same
location as the original.
4. Click Copy.
The folder is saved to the selected location. If you are copying a folder that you
own, “Copy” is appended to the folder name. You can now rename the folder by
clicking its down arrow and selecting Rename from the menu. You can also edit
the reports in the folder as required.

Move items between folders


If you have several folders under My Reports, you can easily move reports and folders
around using drag-and-drop:
1. Select the items that you want to move.
2. Drag the items to the destination folder, in either the left-hand or right-hand pane.
Note that a “Move items” popup appears as you start the drag: this turns green
when hovering over a valid location, or red when over a folder where you cannot
drop the report – for example, in Standard Reports.
3. A success message appears once you have moved the items to a valid location.

Note
If a report is shared, moving it to a folder that is not shared does not change the
sharing permission assigned to the report. If you move a report to a shared folder, the
report inherits the folder’s sharing permissions.

Share a folder
When you share a folder, you also share the reports in that folder with the same
permissions. You can then edit the sharing permissions for individual reports within
the folder, although note that changes will remove the sharing permission from the
folder. See Share a report for more information.
To share a folder:
1. Navigate through My Reports until the folder you want to share is shown in the
right-hand pane.

2. Click the down arrow next to the folder, and select Sharing from the menu.
Alternatively, mark the check box next to one or more folders, and click the Share
button in the toolbar.
3. In the popup window, select one of these options:
■ Not shared means you are the only person who can access the folder. Select it
if you want to remove sharing from a folder.
■ View only allows others to run the reports in this folder, but not save any
changes to them.
■ Allow editing enables others to both run and save changes to the reports in
this folder.
4. Click OK.
The folder now has the sharing icon next to it in the list. Hover the mouse over the
icon to see the sharing permissions allocated to the folder.

Delete a folder
Deleting a folder also deletes all reports and subfolders contained within it.
To delete a folder:
1. Navigate through My Reports until the folder you want to delete is shown in the
right-hand pane.
2. Click the down arrow next to the folder you want to delete, and select Delete from
the menu. Alternatively, mark the check box next to one or more folders, and click
the Delete button in the toolbar.
3. In the popup window, click Delete to confirm.

Using the Report Builder

Related topics:
● Creating a report
● Viewing report results
● Viewing detailed reports
● Report attributes: Web and Data Security
● Email report attributes

The Reporting > Report Center > Report Builder page offers an enhanced model
for creating multi-level, flexible reports that allow you to analyze information from
different perspectives. If a high-level summary shows areas of potential concern, you
can drill down to find more details.

When you select the Report Builder, you may be asked which type of report you want
to create: web, data, or email.
The Report Builder has the following elements:
● The Toolbar contains buttons for starting a new report, saving, scheduling,
sharing, and updating the current report. There are also buttons for exporting
reports in PDF or CSV format.
● The Attributes list, in the left pane, contains the data types that you can use to
create reports.
■ For information about email report attributes, see Email report attributes,
page 157.
Use the Search box at the top of the list to filter the Attribute list further.
● The Metrics list, in the left pane, contains options that you can add as columns to
the report. Drag metrics into and out of the report results area to add them to or
remove them from the report. The available metrics change depending on the
attributes that are selected.
■ For information about email protection metrics, see Email report metrics.
● In the right pane, the Grouping field can contain up to 2 attributes to define the
data grouping that appears in the report. For example, in a web report, if you drag
the Category attribute followed by the Action attribute into this field, this creates a
summary report on hits by category, and also displays the data broken down by
action within those categories. In an email report, if you drag the Policy attribute
followed by the Recipient Address attribute into this field, this creates a summary
report on messages by policy, and also displays the data broken down by recipient
addresses within those policies. For more information about defining grouping
data, see Creating a report.
● The Filters field can contain attributes to filter the report results further. For more
information about defining filters, see Creating a report.
● The Date range defines the time period covered by the report. This can be a
standard period (between 1 hour and 8 months) or a specific date and time range.
You can also choose whether to automatically detect the time zone for the report,
or choose a specific time zone from the drop-down list.
● Next to the date range, the display options enable you to select how many rows
appear in your report. Once a report has been generated, this section also includes
options to page through longer reports, and to display the report results in different
table and graph formats. For more information, see Viewing report results.
● The report results appear in the right pane when you click Update Report, and
by default are in a table format. You can choose to display the results in different
formats as described above, and to select report elements to drill down further. For
more information, see Viewing detailed reports.

Creating a report
To create a report:
1. Drag up to 2 attributes from the Attributes list to the Grouping field.

■ The Report Builder does not allow you to add more than 2 attributes, nor can
you add the same attribute more than once.
■ By default, the report shows the top 10 matches by number of hits. Click an
attribute box in the Grouping field to change the grouping data to show a
specified number of top results, a specified number of bottom results, or all
results.

Note
Choosing to view all results may mean the report takes a long time to generate.

■ To remove an attribute from the Grouping field, click the “x” icon on the
attribute box.
2. To add filters to the report, drag an attribute to the Filters field.
a. On the popup that appears, use the drop-down list to define how the filter
handles the values that you specify. The options available depend on the
attribute that you have selected. For example, you may be able to include or
exclude values, or state that search terms equal or do not equal your text.
b. Enter or select the search terms or values that you want to filter on. Depending
on the filter, you can:
○ Select one or more check boxes
○ Start typing text that will autocomplete based on data in the system
○ Enter the exact text that you want to use
For filters where you are including or excluding values already stored in the
system, start typing to see a list of potential matches. Then select the option
you want from the list. You can add multiple values to the filter.

Note
A Use free text entry check box is available for filters that use autocompleted text.
Selecting this allows you to copy and paste multiple values into the text box rather
than entering each one individually. Any autocompleted values already added are
converted to free text when the check box is selected, and if the check box is cleared,
any free text values are converted to autocompleted values.

For filters where you enter free text, enter the terms you want separated by
commas.
c. Click OK when done.
To edit a filter, click its attribute box. To remove an attribute from the Filters field,
click the “x” icon on the attribute box.
3. Click in the Date range field to define the report period.
■ To specify a set period in hours, days, or months, select an option from the
Last drop-down list.

■ To specify a particular date range, select the From radio button and use the
calendars to choose the required dates. Date ranges include the whole 24-hour
period, unless you mark Specify start and end time to enable and edit the
times for the report as well as the dates.
Note that reports are run using your local time zone unless you specify otherwise.
Click Done when you are finished.
4. Click the Update Report button to generate the report.

Note
The Update Report button turns yellow when you enter or change valid report
content, signifying that you can generate a report with the selected criteria.

Viewing report results


Your report results are initially shown as a table, with a column for the grouping and
filters you selected, and a column for each of the selected metrics. Report results use
your local time zone.
Use the arrows next to each first-level attribute to expand or collapse the second-level
attribute content below it.
Use the options in the toolbar to define how you display and navigate through report
results:

Select the number of rows to see on each page. The default is 100 rows; you can also
select 50, 150, or 200 rows.

Use the arrow keys to page through longer reports, and quickly jump to specific pages.

View the report results as one of the following:
● column chart
● bar chart
● pie chart
● line chart
● area chart
Hover the mouse over an item in a chart to see
more information, for example a percentage or
a number of hits.
All of these charts are available for a single-
level grouping report. For grouping reports
with 2 attributes, only column and bar charts
are available.

Each item in the report has a check box. Select one or more check boxes to open a
popup window that enables you to:
● Drill down into more detailed information. See Drilling into report items.

● Show only the report items you have selected


● Filter out the report items you have selected
● View individual transactions for the items you have selected.
● Cancel any selections you have made.

Viewing detailed reports


You can use grouping reports as a starting point for accessing more detailed
information, either by drilling down into a particular aspect of a report, or using
Transaction View (web), Incident Manager (web), or Message Center (email) to see
further information about a report item.

Drilling into report items


To drill down into a report item:
1. Mark the check box next to each item you want to drill down into.
You can select multiple items and change your selections, even after the popup
window appears.
2. In the popup window, select an available attribute from the Drill Into By
drop-down list.
3. The new report loads. Note that as you have moved down a level in the report, the
items you selected in step 1 are now in the Filters field, while the Grouping field
contains the other report attributes, including the one you selected in step 2.
You can edit the content of the Grouping and Filters fields, and view the report in
different formats, in exactly the same way as for the previous report.
4. To drill down a further level, repeat steps 1-3 above.

Exporting a report
You can export your report results as either a PDF or CSV file.
To export a CSV file, click the Export to CSV button in the top right corner.
To export a PDF:
1. Click the Export to PDF button in the top right corner.
2. On the popup window that appears, enter a name, and optionally a description, for
the report.
3. Choose a page size and orientation for the PDF.
4. Click Export.

Scheduling reports

The Reporting > Report Center > Scheduler page lists the scheduled jobs created
for reports. The list gives basic information about the job, such as how frequently it
runs and which administrator owns it. From this page, you can add and delete
scheduled jobs, and edit the content and frequency of jobs.
The list provides the following information for each job.

Column | Description
Job Name | The name assigned when the job was created.
Recurrence | The recurrence pattern (Once, Daily, Weekly, Monthly) set for this job. For daily, weekly, and monthly reports, the recurrence includes further options for the days the report is run.
Starting | The defined start date for the job.
Ending | The end date for the job. If no end date is set, the column displays Never.
Owner | The user name of the administrator who scheduled the job.

Use the options on the page to manage the jobs:


● Click the job name link to edit the job definition. See Adding and editing
scheduled jobs, page 193.
● Click Add Job to define a new job. See Adding and editing scheduled jobs, page
193.
● Select a job and then click Delete to delete a scheduled job. After a job has been
deleted, it cannot be restored.
The Allowance in the top right corner shows you how many jobs are currently
scheduled, and the maximum number of jobs available to you.

Adding and editing scheduled jobs


You can run reports as they are needed, or you can use the Scheduler > Add Job page
to create jobs that define a schedule for running one or more reports. Once a job has
been created, you can use the Scheduler > Edit Job page to change the job details, for
example editing the reports in the job or altering the frequency.
Reports generated by scheduled jobs are distributed to one or more recipients via
email. As you create scheduled jobs, consider whether your email server will be able
to handle the size and quantity of the attached report files.
To access the Add Job page, do one of the following:
● Select a report in the Report Catalog and click the Schedule button in the toolbar.

● Once you have run a report in the Report Builder, click the Schedule button in the
toolbar.
● Click Add Job on the Scheduler page to create a new job.
To access the Edit Job page:
● Click the job name link on the Scheduler page.
The Add Job or Edit Job page contains several tabs for selecting the reports to run and
the schedule for running them. For detailed instructions, see:
● Selecting reports to schedule, page 194
● Setting the schedule, page 194
● Selecting report recipients, page 195
● Selecting delivery options, page 196
You can cancel the job creation or editing at any time by clicking Cancel. If you are
editing a job, you can click Save once you have made the required changes, without
needing to work through all the tabs.
After creating jobs, use the job list on the Schedule page to review job summaries and
find other helpful information (see Scheduling reports, page 193).

Selecting reports to schedule


Use the Report Selections tab of the Add Job or Edit Job page to choose reports for
the job.
1. Enter a Job name that uniquely identifies this scheduled job.
2. Highlight a report for this job in the Report Catalog tree.
3. Click the right arrow (>) button to move that report to the Selected reports list.

Note
Reports saved with a static date range (for example, from 1 May to 1 June) cannot be
scheduled. If you move a report with a static date range to the Selected reports list,
a warning appears, and you can change the date range for the scheduled version of
the report using the drop-down in the Date Range column.

4. Repeat steps 1 and 2 until all reports for this job appear in the Selected reports
list, to a maximum of 5 reports.
5. Click Next to open the Scheduling Options tab.

Setting the schedule


Define a reporting job to occur once or on a repeating cycle on the Scheduling
Options tab of the Add Job or Edit Job page.

1. Select a Frequency for the job. The specific options available depend on the
frequency selected.

Frequency | Options
Once | No additional recurrence options are available.
Daily | Select whether the job is run every weekday, or on a certain number of days in the month – for example every 3 days.
Weekly | Click each day of the week the job is to run.
Monthly | Either: Select how frequently the job should run, in a range of every month to every 12 months, then click each date the job is to run. Or: Select how frequently the job should run, in a range of every month to every 12 months, then select a frequency and a day of the week. For example, you could run the report every 2 months on the 2nd Tuesday of the month.

2. Under Starting, set the start date for running the job.
3. Under Ending, select an option for ending the job.

Option | Description
Never | The job continues to run according to the established schedule, indefinitely. To discontinue the job at some time in the future, either edit or delete the job.
On | Set the date when the job stops running. It does not run on or after this date.
After | Select the number of times to run the job. After that number of occurrences, the job does not run again, but it stays in the Job Queue until you delete it.

4. Select a Timezone for the report. The reports in the scheduled job will be
delivered by 6am in the selected time zone on the days you define.
5. Click Next to open the Recipients tab.

Selecting report recipients


Use the Recipients tab of the Add Job or Edit Job page to select the recipients of
reports in this scheduled job.
Select one of the following:
● Specific administrators – Choose the administrators in your cloud service
account that should receive the reports in this job.
● All administrators – All administrators in your cloud service account receive the
reports.

You can also enter additional email addresses if you want the job results to go to
people who are not cloud service administrators. Enter each address on a separate line.
Click Next to open the Delivery Options tab.

Selecting delivery options


Use the Delivery Options tab of the Add Job or Edit Job page to define the report
output format and email options.
1. Select the File format for the finished report.

Format | Description
PDF | Portable Document Format. Recipients must have Adobe Reader v7.0 or later to view the PDF reports.
CSV | Comma Separated Variable file. This can be opened in Microsoft Excel or another spreadsheet program.

2. Define whether the report should display in Letter or A4 size.


3. Define whether the report should be password-protected for secure delivery. If
you select Password protected, enter and confirm a password that the report
recipient must use to view the report contents.
4. Edit the custom Subject and Body text for this job’s distribution email, if
required.
A list of reports in the scheduled job is included in the email message by default.
If you remove this and then want to reinstate it at a later time, click Insert Report
List.
You can revert to the default text at any time by clicking Reset Email.
5. Click Finish to save and implement the job definition, and display the Scheduler
page.

10 Account Reports

Related topics:
● Account Summary report
● Service reports
● Downloading report results
● Saving reports
● Scheduling reports

Go to Reporting > Account Reports to see the account-level reports available to you.
● For cloud email, the account summary report provides a summary of the email
traffic that has been processed for your account during a defined time period.
● If you have directory synchronization enabled for your account, you can generate
synchronization statistics for the service.
● With cloud email, you can report on the end users who are subscribed to Personal
Email Subscriptions.
All reports are generated in real time using the cloud manager. Most include charts
and tables that are presented in an easy to read, printable format.

Note
For larger accounts, where a lot of data is to be retrieved, the reports may take some
time to generate. As soon as the relevant data has been retrieved it is displayed
while the remainder of the report is being compiled.

Commonly-used report criteria can be saved for easy access. For more information,
see Saving reports, page 202. Saved reports can be scheduled for regular delivery to
one or more recipients as described in Scheduling reports, page 202.

Account Summary report

Related topics:
● Scheduling Account Summary reports

The Account Summary report is a combination of reports that can be obtained
elsewhere in the service. Select the time period, click Go, and you are presented with
a summary of the email traffic that has been processed for your account during the
selected time period. (If you have a lot of mail flowing through the system, this may
take a while.) The report is organized by section and preceded by a table of contents
with hyperlinks into specific data. Click the links to view the report, or scroll down the
page using the scroll bar.

Scheduling Account Summary reports


If you would like non-graphical versions of the Account Summary reports to be sent
to one or more email addresses on a regular basis:
1. Select Reporting > Account Reports > Account Summary.
2. Click the click here link on the Account Summary Report page to set up report
delivery.
3. Enter one or more email addresses to which you want the report sent.
If you enter an address with a domain not registered to the account, a warning
appears when you save the schedule. Click OK on the warning to accept the
address.
4. Set up a subscription schedule by specifying one of the following delivery periods
for your reports:
■ daily
■ weekdays
■ weekly
■ every other week (biweekly)
■ monthly (the default option)
If you want to stop a scheduled report temporarily, select suspend delivery.
5. Click Save.
Your schedule details are then shown on the Account Summary page. You can edit or
delete your details from the click here link.

Note
You must renew your subscription to the Account Summary report every 3 months or
your subscription expires.


Printing Account Summary reports


Once you have generated the Account Summary report, click Click here to print this
page to get a printer-friendly version of the report. After a few seconds a printer
selection dialog box appears.
Please leave plenty of time for the graphics to appear before printing. We recommend
that you select “Landscape” format.

Viewing detailed information


To view detailed daily information, click the relevant bar in the chart or the date in the
table. The result is shown below.

You can expand each section in the Account Summary report in this manner.

Service reports

The Service reports provide data that relates to directory synchronization and to end
user message report subscriptions.

Directory synchronization reports


If you have directory synchronization enabled on your account, you can view and
print reports on the portal that show the history of directory synchronizations,
including high-level statistics on success/failure and numbers of items synchronized.
1. Select Reporting > Account Reports > Services.


2. From the Show drop-down list, select a report to show:

| Report | Description |
|---|---|
| Synchronization History Log | The history log provides a connection history for the specified period, up to 1000 rows. |
| Synchronization Time Summary | The time summary provides a list of the 20 longest synchronization times. |

3. From the during drop-down list, select the time period for the report. Click more
to select a specific date or time.

Note
The ‘last 6 full hours’ period does not include a synchronization just performed. You
must wait for the hour to pass for it to appear in this report. You can view the very
latest synchronization history in the Manage Directory Synchronization page on the
Setup tab.

4. Click Generate report. Following is a sample Synchronization History Log:

You can download the report to a CSV or PDF file. You can also print the report.

Subscriptions report
The Personal Email Subscriptions report lists the end users who are subscribed to
personal email subscriptions for the criteria you specify.
1. Select Reporting > Account Reports > Services.
2. From the Show drop-down list, select Personal Email Subscriptions -
Subscriptions.
3. From the during drop-down list, select the time period for the report. Click more
to select a specific date or time.
4. Select the policy or policies for the report.


5. Select the domain(s) for the report.

Note
You can use the Shift and/or Ctrl keys to select multiple domains and policies.

6. Click Generate report.

Note
You can see the expiration date of each subscription, as well as subscriber and
recipient addresses, in the report that is generated. The latter may be useful for
consolidated end user message reports (one report for multiple email accounts).

Downloading report results

On each report, you have the option to download the data as a PDF or CSV file.

Note
You can also download charts as image files or in PDF format. To download a chart,
right-click the chart and select the format to download (PDF, PNG, or JPEG).

Downloading a CSV file


You can download the statistics for the majority of reports as a comma-separated
values (CSV) file. This allows you to import it into a third-party application, such as
Microsoft Excel, for viewing and manipulation. On each table of results, click
Download CSV to begin the download.

Note
For some email reports, the totals in the CSV file might be higher than the totals in
the report on screen. This is because the generated reports contain 1 line per email
message, whereas the CSV version contains 1 line per recipient which means that a
single email message might appear several times.

Downloading a PDF file


Report results can be output to Portable Document Format (PDF) for easy distribution
or printing. The PDF report is generated by clicking the Download PDF button on a
table of results.


Saving reports

Related topics:
● Scheduling reports

You can choose to save any Services report. Use this option to identify the reports you
generate most frequently and want to be able to locate quickly.
To see the list of reports that you have saved, select Reporting > Account Reports >
Saved Reports.
To save a report:
1. Under Reporting > Account Reports > Services, select the report you want.
2. Use the Selection screen to enter your report criteria.
3. Click Save Report.
4. Enter a name for the report, and click Save.
The Saved Reports list is displayed, and the report you entered is now listed.
As well as accessing the report from this screen, you now have the option to delete the
saved report or schedule it for regular delivery.

Scheduling reports

Related topics:
● Saving reports

You can run reports as they are needed, or you can define a schedule for running one
or more saved reports.
Reports generated by scheduled jobs are distributed to one or more recipients via
email. The reports can be in HTML, PDF, or CSV format. There is a limit on the
number of reports you can schedule for delivery: the Saved Reports list displays the
remaining number you can schedule in addition to any existing deliveries.

Note
You cannot schedule reports that have defined start and end dates, or that span
periods of less than 24 hours.

To schedule a report:


1. Select Reporting > Account Reports > Saved Reports.


2. You can schedule an existing saved report by clicking the report you want to
schedule on the Saved Reports list. If you do this, skip to step 5 below.
Otherwise, to create a new report for scheduling, click the Generate a new report
link. The page that appears includes only reports that are eligible for scheduling.
3. Create and save your report as described in Saving reports, page 202.
4. On the Saved Reports list, click the name of your new report.
5. Click Schedule email report.
6. Enter the email address of the report recipient. Multiple email addresses should be
separated by commas or spaces.
If you enter an address with a domain not registered to the account, a warning
appears when you save the schedule. Click OK on the warning to accept the
address.
7. Enter a subject for the report email, and the text you want to appear in the body of
the email.
8. Select the report format.
9. Set one of the following delivery periods for your reports:
■ daily
■ weekdays
■ weekly
■ every other week (biweekly)
■ monthly (the default option)
If you want to stop a scheduled report temporarily, select suspend delivery.
10. Click Save.
You are returned to the Saved Reports list. Reports that have been scheduled display
the recipient list in the Email to column. Click an item in this column to open the
schedule, where you have the option to edit or delete the report delivery.



11 Audit Trails

The following audit trails are available:


● Configuration audit trail lets you examine the configuration audit database for
your account. This gives you visibility into all of the configuration changes that
have been made on the account. Access it from the Account > Settings > Audit
Trail page.
● Administrator audit trail lets you examine the quarantine audit database for your
account. This gives you visibility into the actions taken by administrators in the
Message Center. Access it from the Email > Messages > Administrator Audit
Trail page.

Configuration audit trail

Use the Account > Settings > Audit Trail page to find information about
administrator actions and configuration changes.
To run the default search, which shows results for all users, actions, descriptions, and
SQL queries that have occurred so far today, click View Results without making any
changes on the page.
To perform a more targeted search, use the fields and selectors on the screen to specify
the type or range of data that you want to see. You can enter:
● All or part of an administrative User name, or * (default) to specify any user
● An Action type, like “Login” or “Delete,” or All (default) to specify all actions
● All or part of a Description of the action that occurred, like an IP address or
policy number, or * (default) to specify any description text
● All or part of the specific SQL query used to perform the action, or * (default) to
specify any SQL query
● A Date range (today’s date, by default) for the query
By default, when you enter a string in any field, the search looks for an exact match.
To configure the search to look for any string that contains the value you specify,
precede your entry with an asterisk (*) character (for example, *DELETE or *admin).
When you click View Results, any audit trail information that matches your search
parameters is displayed in a table. All results include the date and time that the action
occurred, a description of the action, the action type, and the user who performed the
action. If the action resulted in a change to the configuration database, the SQL query
used to make the change is also displayed.
Paging controls are displayed just above the results table. Use the controls to
configure how many results to display on the page, and to move through the results.
Click the back arrow above the table to return to the Audit Trail page where you can
enter new search parameters.
Click Export to CSV on either the Audit Trail page or the Search Results page to
export the results of your audit trail search to a file named audit_trail.csv. You can
open the file, save the file with the default name, or save the file with a new name.
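
The search behaviour described above can be reproduced offline against an exported audit_trail.csv, which is useful when reviewing administrator activity outside the portal. The following is an added example, not Forcepoint code: the column names, the sample rows, the SQL text, and the case-insensitive comparison are all assumptions made for illustration.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample standing in for an exported audit_trail.csv. The column
# names are assumptions; adjust them to the header row of a real export.
SAMPLE_EXPORT = """\
Date,User,Action,Description,SQL
2019-10-24 08:01:12,admin@example.com,Login,Logon from 192.0.2.10,
2019-10-24 08:03:40,admin@example.com,Update,Policy 1001 spam threshold changed,UPDATE policy SET quarantine_score = 9.0 WHERE id = 1001
2019-10-24 09:15:02,helpdesk@example.com,Login,Logon from 198.51.100.7,
2019-10-24 09:17:55,helpdesk@example.com,Delete,Policy 1002 whitelist entry removed,DELETE FROM whitelist WHERE policy_id = 1002
2019-10-24 11:42:30,admin@example.com,Delete,Contact helpdesk2 removed,DELETE FROM contacts WHERE name = 'helpdesk2'
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def load_rows(text):
    """Parse the exported CSV text into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def field_matches(pattern, value):
    """Apply the search rule from the help text to one field.

    "*" alone matches anything, a leading "*" means "contains", and any other
    entry must match exactly. Comparing case-insensitively is an assumption.
    """
    pattern = pattern.strip()
    if pattern in ("", "*"):
        return True
    if pattern.startswith("*"):
        return pattern[1:].lower() in value.lower()
    return pattern.lower() == value.lower()


def search(rows, user="*", action="All", description="*", sql="*"):
    """Return the rows that satisfy every criterion, like View Results."""
    hits = []
    for row in rows:
        if action != "All" and row["Action"].lower() != action.lower():
            continue
        if (field_matches(user, row["User"])
                and field_matches(description, row["Description"])
                and field_matches(sql, row["SQL"])):
            hits.append(row)
    return hits


def config_changes_by_user(rows):
    """Count rows that carry a SQL query, i.e. changed the configuration."""
    return Counter(row["User"] for row in rows if row["SQL"].strip())


def login_sources(rows):
    """Map each user to the IPv4 addresses seen in their Login descriptions."""
    sources = {}
    for row in search(rows, action="Login"):
        for ip in IPV4.findall(row["Description"]):
            sources.setdefault(row["User"], set()).add(ip)
    return sources


ROWS = load_rows(SAMPLE_EXPORT)

if __name__ == "__main__":
    print("exact 'admin':", len(search(ROWS, user="admin")))
    print("contains '*admin':", len(search(ROWS, user="*admin")))
    for row in search(ROWS, sql="*DELETE"):
        print(row["Date"], row["User"], row["Description"])
    print(dict(config_changes_by_user(ROWS)))
    print(login_sources(ROWS))
```

An exact-match search for `admin` returns nothing here because the stored user name is a full address, which is the case the leading asterisk exists for.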

Administrator audit trail

The administrator audit trail provides visibility into actions performed by an
administrator in the Message Center. To access it, choose Email > Messages >
Administrator Audit Trail. You can base searches on message sender, recipient,
subject, who performed the action, and the action itself, within a defined date range.

12 Standard Email Configuration

The Forcepoint Email Security Cloud service provides a standard configuration for all
email accounts. The settings for the standard configuration are described below, as
well as the reasoning behind the settings. As an administrator, you can customize
policy settings to suit your needs. Do this by clicking Email, then following the
instructions in Defining Email Policies, page 67.
Each table in this section represents a section in email configuration settings. Column
4 suggests various use cases for changing the standard setting.

| 1. Policy Management | Standard setting | Reason for standard setting | Consider changing setting if... |
|---|---|---|---|
| Policies | One policy has been set up with the standard account configuration shown in this document. | (see individual settings below) | Additional policies should be added to support aliases, or to support a domain (or domains) that require differing configurations. |

| 2. General tab | Standard setting | Reason for standard setting | Consider changing setting if... |
|---|---|---|---|
| Notifications | Inbound: Recipient; Outbound: Sender | Intended recipient needs visibility of blocking. Sender needs visibility of blocking. | Volume of notifications is too high, visibility is not required, or notifying sender is preferable. |
| Annotations | Inbound: on; Outbound: on | Allows recipient to report spam easily and automatically. To give confidence to recipient that message is virus-free. | Transparency of Forcepoint Email Security Cloud service is important. Company-specific annotation is required. |


| 3. Domains tab | Standard setting | Reason for standard setting | Consider changing setting if... |
|---|---|---|---|
| Domains | Registered domain is shown. | At least one valid domain name must be provided. | Additional domains are to be analyzed. |

| 4. Connections tab | Standard setting | Reason for standard setting | Consider changing setting if... |
|---|---|---|---|
| Inbound Mail Routing Rules | No rules set up. | No inbound routing rules are provided at the time of registration. | Inbound mail is to be routed to different email servers depending on the recipients. |
| Default Inbound and Outbound Routes | Registered route information is shown. | At least one inbound and one outbound route must be provided. | More servers are to send email to or receive from the cloud service. An “A record” is needed if load balancing across servers is required. |

| 5. Antivirus tab | Standard setting | Reason for standard setting | Consider changing setting if... |
|---|---|---|---|
| Active Content | Inbound: HTML: medium | Protect user from non-obvious active elements. | HTML mail is not rendered correctly. |
| | Outbound: HTML: off | Active HTML content is from trusted source. | HTML mail should be filtered. |
| | Inbound: Macro analyzer: high | Protect user from suspicious macros. | Too many relevant files are blocked. |
| | Outbound: Macro analyzer: off | Macros are from trusted source. | Additional security is required. |
| Encrypted messages | Inbound: password-protected zips: on | Not possible to analyze content of password-protected zips. | Requirement to transmit password-protected zips |
| | Outbound: password-protected zips: off | Files are from trusted source. | Additional security required |
| | Inbound: Encrypted mail: on | Not possible to analyze encrypted mail. | Requirement to exchange encrypted mail |
| | Outbound: Encrypted mail: off | Messages are from trusted source. | Additional security required |
| Executables | Inbound: Quarantine exe: on | Most administrators do not allow users to receive executables. | Most users need to transmit executables. |
| | Outbound: Quarantine exe: on | Most administrators do not allow users to send executables. | Most users need to transmit executables. |


| 6. Antispam tab | Standard setting | Reason for standard setting | Consider changing setting if... |
|---|---|---|---|
| Existing Rules | Spam Score > 15.0 - discard | No false positives score as high as 15.0. | Discarding of spam not required or score needs to be higher or lower |
| | Spam Score > 6.0 - quarantine | System default spam threshold | Quarantining of spam not required or score needs to be higher or lower |
| Exceptions | Whitelist these addresses: off | No whitelist entries are provided at the time of registration. | Administrator may populate a whitelist for the account. |
| | Blacklist this address: off | No blacklist entries are provided at the time of registration. | Administrator may populate a blacklist for the account. |
| End Users | Allow users to populate their own whitelists and blacklists: on | Allow users some control over incoming senders for their own address | No control or visibility is desired for end users. |
| | Allow users to obtain a copy of an email that has been quarantined as spam: on | Allow users safe control over spam email sent to their own address | No control or visibility is desired for end users. |
| Keep Messages | Keep a copy of clean messages so they can be learnt from if later reported as spam: on | Cloud service keeps a private copy of the message for a short time to aid in spam-tuning when the ‘Report this email as Spam’ link is clicked. | No retention of clean messages for spam tuning is desired. |


| 7. Content Filter tab | Standard setting | Reason for standard setting | Consider changing setting if... |
|---|---|---|---|
| Attachments | Inbound: Mask attachments with .eml extension | Unable to analyze .eml files | .eml files are not a concern or if more file extensions are to be added |
| | Outbound: Do not mask any attachments | Files are from trusted source. | Different file types are to be considered suspicious. |
| | Inbound: Quarantine messages containing nominated file types: off | Allow admin to populate list before applying it | Blocking of certain file types is required. |
| | Outbound: Quarantine messages containing nominated file types: off | Allow admin to populate list before applying it | Blocking of certain file types is required. |
| | Inbound: Quarantine messages containing files of unknown type: off | Cloud service can identify majority of file types | There is a need for quarantining unknown attachments. |
| | Outbound: Quarantine messages containing files of unknown type: off | Files are from trusted source | Outgoing attachments are to be considered suspicious. |
| | Inbound: Quarantine messages containing inappropriate images: off | Requires license for Forcepoint Email Security Image Analysis Module | There is a need to analyze images. |
| | Outbound: Quarantine messages containing inappropriate images: off | Requires license for Email Security Image Analysis Module | Outgoing images are to be considered suspicious. |
| | Inbound: Quarantine messages with images that could not be scanned: off | This setting can only be enabled when image quarantine is on. | There is a need to check large images. |
| | Outbound: Quarantine messages with images that could not be analyzed: off | Files are from trusted source | There is a need to quarantine and check large images. |
| | Inbound: Park attachments meeting nominated criteria: off | Most large attachments can be delivered successfully | There is a need to conserve users’ mailbox size. |
| | Outbound: Park attachments meeting nominated criteria: off | Files are from trusted source | There is a need to conserve recipients’ mailbox size. |
| Message Size | Inbound: Non-deliver > 50MB: on | Contractual maximum message size | Lower limit is required. |
| | Outbound: Non-deliver > 50MB: on | Contractual maximum message size | Lower limit is required. |
| | Inbound: Quarantine > 10MB: off | Max message size usually acceptable | Lower the limit below the maximum size to conserve your bandwidth. |
| | Outbound: Quarantine > 10MB: off | Max message size usually acceptable | Lower the limit below the maximum size to conserve recipient organization’s bandwidth. |
| | Inbound: Defer delivery: off | Requires your policy to be applied | There is a need to conserve your bandwidth during certain time periods. |
| | Outbound: Defer delivery: off | Requires your policy to be applied | There is a need to assist with conserving recipient organization’s bandwidth during certain time periods. |
| Content Filtering | Inbound: Filter using these lexical rules: on | Allow new rule to be implemented immediately. | Suspension of lexical filtering |
| | Outbound: Filter using these lexical rules: on | Allow new rule to be implemented immediately. | Suspension of lexical filtering |
| | Inbound: Quarantine messages if content analysis does not complete: off | Cloud service rarely fails to complete lexical analysis. | There is a large number of lexical rules and regular expressions, which could mean analysis does not complete. |
| | Outbound: Quarantine messages if content analysis does not complete: off | Cloud service rarely fails to complete lexical analysis. | There is a large number of lexical rules and regular expressions, which could mean analysis does not complete. |



A Checklists for Setting up LDAP in Various Use Cases

Whether you are a new or existing customer, you should plan your approach before
performing your first synchronization. This section provides checklists for setting up
directory synchronization in various use cases. Find yours to determine the best course
of action.
● New Web and/or email customers
● New and existing email customers
● Existing Web and/or email customers
● Considerations for existing customers

New Web and/or email customers

For new web and/or email customers, see the following:


● Synchronizing users/groups with a single Web policy and exceptions, page 213
● Synchronizing users/groups with more than one policy, and planning to manage
policy assignment through an LDAP directory, page 214

Synchronizing users/groups with a single Web policy and exceptions

☐ Plan the cloud data structure: users and groups (See Groups, page 23), policies
(See Defining Web Policies, page 141) and exceptions. (See Exceptions, page
179.)
☐ Review the existing LDAP/Active Directory data structure and decide whether
restructuring of LDAP is necessary to match the proposed cloud data structure
more closely.
☐ Download the client and install it on the target client machine.
☐ Configure the Directory Synchronization Client to search the LDAP directory
and extract groups and users to a local file (ensure NTLM ID is included). (See
the Directory Synchronization Client Administrator’s Guide for instructions.)
Review the results and modify the search as necessary to ensure it returns
expected results.
☐ In the cloud manager, set up a contact with Directory Synchronization
permissions. (See Set up authentication, page 37.) This will be the username/logon
used for the Directory Synchronization Client to log onto the portal.
☐ Decide whether email will be sent after new users are synchronized from LDAP.
☐ Now you are ready! In the cloud manager, enable Directory Synchronization.
(See Configure directory synchronization, page 35.)
☐ In the Directory Synchronization Client, set up portal settings in the
configuration established above, changing the output type to portal (not file) and
using the contact with Directory Synchronization permissions created above.
(See the Directory Synchronization Client Administrator’s Guide.)
☐ During a slow period, select Replace on the client. Data is synchronized to the
cloud manager. Note the number of additions. This is visible in the
Synchronization page and also from the notification email messages.
☐ Log onto the cloud manager. Using Account > End Users, check that users’
policies and groups are as expected. Check the groups list to ensure it is as expected.
(See View and manage user data, page 39.)
☐ On the Directory Synchronization page, view Recent Synchronizations and
compare the totals of additions against those noted in the Directory
Synchronization Client. They should match. (See View recent synchronizations,
page 40.)
☐ If you are planning to set up exceptions based on group membership, do this
now in the cloud manager. (See Exceptions, page 179.)
☐ The system is now live. If you are unhappy with the user/groups data you have
synchronized then you can use Restore to undo the synchronization data, and try
again. (See Restore directories, page 41.)
☐ If everything appears to be working, set up a schedule time in the Directory
Synchronization Client for the background task to run. Close the client tool.

Synchronizing users/groups with more than one policy, and planning to manage policy assignment through an LDAP directory

☐ Plan the cloud data structure: users and groups (See Groups, page 23), policies
(See Defining Web Policies, page 141) and exceptions. (See Exceptions, page
179.) Create an extra policy or policies as required.
☐ Review the existing LDAP/Active Directory data structure and decide whether
restructuring of LDAP is necessary to match the proposed cloud data structure
more closely.
☐ Download the client and install it on the target client machine.
☐ Configure the Directory Synchronization Client to search the LDAP directory
and extract groups and users to a local file (ensure NTLM ID is included). (See
the Directory Synchronization Client Administrator’s Guide for instructions.)
Review the results and modify the search as necessary to ensure it returns
expected results.
☐ In the cloud manager, set up a contact with Directory Synchronization
permissions. (See Set up authentication, page 37.) This will be the username/logon
used for the Directory Synchronization Client to log into the cloud manager.
☐ Decide whether email will be sent after new users are synchronized from LDAP.
☐ Now you are ready! In the cloud manager, enable Directory Synchronization.
(See Configure directory synchronization, page 35.)
☐ In the Directory Synchronization Client, set up portal settings in the
configuration established above, changing the output type to portal (not file) and
using the contact with Directory Synchronization permissions created above.
(See the Directory Synchronization Client Administrator’s Guide.)
☐ During a slow period, select Replace on the client. Data is synchronized to the
cloud manager. Note the number of additions. This is visible in the
Synchronization page and also from the notification email messages.
☐ Log onto the cloud manager. Using Account > End Users, check that users’
policies and groups are as expected. Check the groups list to ensure it is as expected.
(See View and manage user data, page 39.)
☐ On the Directory Synchronization page, view Recent Synchronizations and
compare the totals of additions against those noted in the Directory
Synchronization Client. They should match.
☐ Go to each policy in turn, and set up the group/policy assignments. This moves
users to the appropriate policies.
☐ Go to the Directory Synchronization configuration page and check that the
default policy setting is correct.
☐ Return to the Account > End Users page and check that users are in the correct
policies.
☐ If you are planning to set up exceptions based on group membership, do this
now in the cloud manager. (See Exceptions, page 179.)
☐ The system is now live. If you are unhappy with the user/groups data you have
synchronized then you can use Restore to undo the synchronization data, and try
again. (See Restore directories, page 41.)
☐ If everything appears to be working, set up a schedule time in the Directory
Synchronization Client for the background task to run. Close the client tool.

New and existing email customers

For Forcepoint Email Security Cloud customers, see the following:


● Synchronizing email addresses to provide a “whitelist” of valid email addresses
● Synchronizing users/groups to provide per-user/per-group exceptions to email
policies

Synchronizing email addresses to provide a “whitelist” of valid email addresses

☐ Review the existing LDAP/Active Directory data structure and decide how to
search for all relevant email addresses.
☐ Download the client and install it on the target client machine.
☐ Configure the Directory Synchronization Client to search the LDAP directory
and extract email addresses to a local file. (See the Directory Synchronization
Client Administrator’s Guide for instructions.) Review the results and modify
the search as necessary to ensure it returns expected results.
☐ In the cloud manager, set up a contact with Directory Synchronization
permissions. (See Set up authentication, page 37.) This will be the username/logon
used for the Directory Synchronization Client to log onto the cloud
manager.
☐ In the cloud manager, enable Directory Synchronization. (See Configure
directory synchronization, page 35.) Make sure “Reject mail for unknown users”
is not enabled. (Turn this on only when you are sure the mail list is synchronized
and correct.)
☐ In the Directory Synchronization Client, set up portal settings in the
configuration established above, changing the output type to portal (not file) and
using the contact with Directory Synchronization permissions created above.
(See the Directory Synchronization Client Administrator’s Guide.)
☐ During a slow period, select Replace on the client. Data is synchronized to the
cloud manager. Note the number of email address additions. This is visible in the
Synchronization page and also from the notification email messages.
☐ In the cloud manager, go to the Configure Directory Synchronization page and
download a CSV file of email addresses. (See Configure directory
synchronization, page 35.) Check if these are correct, perhaps by comparing
them against a known list from Active Directory.
☐ On the Directory Synchronization page, view Recent Synchronizations and
compare the totals of additions against those noted in the Directory
Synchronization Client. They should match. (See View recent synchronizations,
page 40.)
☐ If everything appears to be working, go to the Configure Directory
Synchronization page again and select Reject mail for unknown users. Email
address filtering is now live.
☐ Set up a schedule time in the Directory Synchronization Client for the
background task to run. Close the client tool. If there is a problem with the first
scheduled synchronization, you can restore the directory to its previous version.
(See Restore directories, page 41.)
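
The comparison step in the checklist above decides whether it is safe to select Reject mail for unknown users, because any directory address missing from the synchronized list would have its mail rejected. The following added example (not Forcepoint code) performs that comparison offline. It assumes the downloaded CSV holds one address per row in its first column and that the known list from Active Directory holds one value per line, either a bare address or a proxyAddresses entry; both samples are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample of the CSV downloaded from the Configure Directory
# Synchronization page. Assumption: one address per row in the first column.
CLOUD_CSV = """\
Email address
alice@example.com
bob@example.com
sales@example.com
old.user@example.com
"""

# Constructed sample of a known list from Active Directory. Assumption: one
# value per line, either a bare address or a proxyAddresses entry.
AD_EXPORT = """\
SMTP:Alice@Example.com
smtp:a.smith@example.com
SMTP:bob@example.com
x500:/o=Org/ou=Admin/cn=Recipients/cn=bob
SMTP:sales@example.com
carol@example.com
"""


def normalize(value):
    """Return a lower-cased SMTP address, or None if the value is not one.

    Typed values such as "SMTP:user@domain" lose their prefix; other address
    types (for example x500) and header text are dropped.
    """
    value = value.strip()
    if ":" in value:
        prefix, value = value.split(":", 1)
        if prefix.lower() != "smtp":
            return None
    value = value.strip().lower()
    local, at, domain = value.partition("@")
    if not (local and at and domain) or "@" in domain or " " in value:
        return None
    return value


def load_cloud_addresses(text):
    """Read the first column of the downloaded CSV; the header row drops out."""
    rows = csv.reader(io.StringIO(text))
    return {a for a in (normalize(r[0]) for r in rows if r) if a}


def load_ad_addresses(text):
    """Read one directory value per line, keeping only SMTP addresses."""
    return {a for a in (normalize(line) for line in text.splitlines()) if a}


def compare(cloud, directory):
    """Summarise the difference between the synchronized and directory lists."""
    missing = sorted(directory - cloud)   # mail to these would be rejected
    stale = sorted(cloud - directory)     # still accepted, no longer in AD
    return {
        "would_be_rejected": missing,
        "not_in_directory": stale,
        "missing_by_domain": Counter(a.split("@")[1] for a in missing),
        "safe_to_enforce": not missing,
    }


if __name__ == "__main__":
    result = compare(load_cloud_addresses(CLOUD_CSV),
                     load_ad_addresses(AD_EXPORT))
    for key, value in result.items():
        print(f"{key}: {value}")
```

A large count under one domain in `missing_by_domain` usually points at a directory search that skipped a whole container or alias attribute rather than at individual omissions.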

Synchronizing users/groups to provide per-user/per-group exceptions to email policies

☐ Plan the cloud data structure: users and groups (Groups, page 23), policies
(Defining Email Policies, page 67) and exceptions.
☐ Review the existing LDAP/Active Directory data structure and decide whether
restructuring of LDAP is necessary to match the proposed cloud data structure
more closely.
☐ Download the client and install it on the target client machine.
☐ Configure the Directory Synchronization Client to search the LDAP directory
and extract groups and users to a local file (ensure NTLM ID is included). (See
the Directory Synchronization Client Administrator’s Guide for instructions.)
Review the results and modify the search as necessary to ensure it returns
expected results.
☐ In the cloud manager, set up a contact with Directory Synchronization
permissions. (See Set up authentication, page 37.) This will be the username/logon
used for the Directory Synchronization Client to log onto the cloud
manager.
☐ Decide whether email will be sent after new users are synchronized from LDAP.
☐ Now you are ready! In the cloud manager, enable Directory Synchronization.
(See Configure directory synchronization, page 35.)
☐ In the Directory Synchronization Client, set up portal settings in the
configuration established above, changing the output type to portal (not file) and
using the contact with Directory Synchronization permissions created above.
(See the Directory Synchronization Client Administrator’s Guide.)
☐ During a slow period, select Replace on the client. Data is synchronized to the
cloud manager. Note the number of additions. This is visible in the
Synchronization page and also from the notification email messages.
☐ Log onto the cloud manager. Using Account > End Users, check that users’
policies and groups are as expected. Check the groups list to ensure it is as expected.
(See View and manage user data, page 39.)
☐ On the Directory Synchronization page, view Recent Synchronizations and
compare the totals of additions against those noted in the Directory
Synchronization Client. They should match. (See View recent synchronizations,
page 40.)
☐ If you are planning to set up per-user/per-group configurations for Antispam,
Antivirus or Content Filter in email policies then do it now. Use the per-user
link on each of these tabs to configure custom rules for each user or group. (You
can enter user or group names into the per-user dialogs.) Refer to Configuring
Email Settings, page 43 for more information on per-user configuration options.
☐ The system is now live. If you are unhappy with the user/groups data you have
synchronized then you can use Restore to undo the synchronization data, and try
again. (See Restore directories, page 41.)
☐ If everything appears to be working, set up a schedule time in the Directory
Synchronization Client for the background task to run. Close the client tool.

Existing Web and/or email customers

For existing cloud web and/or email customers, see the following:
● Wanting to manage users/groups from an LDAP directory, page 217
● Wanting to manage users/groups from an LDAP directory but Web policy
assignment from the portal, page 219

Wanting to manage users/groups from an LDAP directory


 Review the existing cloud data structure, specifically the structure of users,
groups, and policies. Go to Account > End Users and Account > Groups to
view groups and users. (See Groups, page 23). Make sure the structure is still as
you require. This is a good opportunity to review and amend the structure.
Review the exceptions in the policy. (See Defining Web Policies, page 141, and
Exceptions, page 179.)
 Review the existing LDAP/Active Directory data structure and decide whether
restructuring of LDAP is necessary to match the cloud data more closely.

 Modify cloud and/or LDAP data to match each other as closely as possible. You
might do this by creating new LDAP groups with the same name and members
as the cloud groups.
 Download the client and install it on the target client machine.
 Configure the Directory Synchronization Client to search the LDAP directory
and extract groups and users to a local file. (See the Directory Synchronization
Client Administrator’s Guide for instructions.) Compare the results against the
cloud data, old CSV files, and/or expectations. Modify the search as necessary to
ensure it returns expected results.
 Decide whether to allow overwriting of groups of the same names. In the cloud
manager, set Overwrite groups as necessary. (See Configure directory
synchronization for information.) If you allow overwriting, LDAP groups then
take over existing groups but retain their structure in policies and exceptions.
If you do not overwrite groups, make sure that all groups being synchronized
from LDAP have different names than those in the cloud, then change any
group-based notification in the cloud manager to the new LDAP names as
required.
 If you have more than one Web policy, go to each policy and assign groups to it.
 Then on the Configure Directory Synchronization screen, assign users to a
default policy and for User policy assignment, select Follow group
membership. With this setting, as users are moved to a different LDAP group,
their policy assignment changes in step.
 Decide whether email will be sent after new users are synchronized from LDAP.
 In the cloud manager, set up a contact with Directory Synchronization
permissions. (See Set up authentication, page 37.) This will be the username/
logon used for the Directory Synchronization Client to log onto the cloud manager.
 Now you are ready! In the cloud manager, enable Directory Synchronization.
(See Configure directory synchronization, page 35.)
 In the Directory Synchronization Client, set up portal settings in the
configuration established above, changing the output type to portal (not file) and
using the contact with Directory Synchronization permissions created above.
(See the Directory Synchronization Client Administrator’s Guide.)
 During a slow period, select Replace on the client. Data is synchronized to the
cloud manager. Note the number of additions. This is visible in the
Synchronization page and also from the notification email messages.
 Log onto the cloud manager. Using Account > End Users, check that users’
policies and groups are as expected. Check the groups list to ensure it is as expected.
(See View and manage user data, page 39.)
 On the Directory Synchronization page, view Recent Synchronizations and
compare the totals of additions against those noted in the Directory
Synchronization Client. They should match. (See View recent synchronizations,
page 40.)
 The system is now live. If you are unhappy with the user/groups data you have
synchronized then you can use Restore to undo the synchronization data, and try
again. (See Restore directories, page 41.)
 If everything appears to be working, set up a schedule time in the Directory
Synchronization Client for the background task to run. Close the client tool.

Wanting to manage users/groups from an LDAP directory but Web policy assignment from the portal
 Review the existing cloud data structure, specifically the structure of users,
groups, and policies. Go to Account > End Users and Account > Groups to
view groups and users. (See Groups, page 23). Make sure the structure is still as
you require. This is a good opportunity to review and amend the structure.
 Review the existing LDAP/Active Directory data structure and decide whether
restructuring of LDAP is necessary to match the cloud data more closely.
 Modify cloud and/or LDAP data to match each other as closely as possible.
 Download the client and install it on the target client machine.
 Configure the Directory Synchronization Client to search the LDAP directory
and extract groups, users, and email addresses to a local file. (See the Directory
Synchronization Client Administrator’s Guide for instructions.) Compare the
results against the cloud data, old CSV files, and/or expectations. Modify the
search as necessary to ensure it returns expected results.
 Decide whether to allow overwriting of groups of the same names. In the cloud
manager, set Overwrite groups as necessary. (See Configure directory
synchronization for information.) If you allow overwriting, LDAP groups then
take over existing groups but retain their structure in policies and exceptions.
If you do not overwrite groups, make sure that all groups being synchronized
from LDAP have different names than those in the portal, then change any
group-based notification on the portal to the new LDAP names as required.
 If you have more than one web policy, go to each policy and assign groups to it.
 Then on the Configure Directory Synchronization screen, assign users to a
default policy and for User policy assignment, select Fixed. With this setting,
new web users are assigned to the web policy when first synchronized into the
service. After that you must manage all movement of users between policies in
the cloud manager using the Manage Users page. (Group membership is
ignored.)
 Decide whether email will be sent after new users are synchronized from LDAP.
 In the cloud manager, set up a contact with Directory Synchronization
permissions. (See Set up authentication, page 37.) This will be the username/
logon used for the Directory Synchronization Client to log onto the cloud manager.
 Now you are ready! In the cloud manager, enable Directory Synchronization.
(See Configure directory synchronization, page 35.)
 In the Directory Synchronization Client, set up portal settings in the
configuration established above, changing the output type to portal (not file) and
using the contact with Directory Synchronization permissions created above.
(See the Directory Synchronization Client Administrator’s Guide.)
 During a slow period, select Replace on the client. Data is synchronized to the
cloud manager. Note the number of additions. This is visible in the
Synchronization page and also from the notification email messages.
 Log onto the cloud manager. Using Account > End Users, check that users’
policies and groups are as expected. Check the groups list to ensure it is as expected.
(See View and manage user data, page 39.)
 On the Directory Synchronization page, view Recent Synchronizations and
compare the totals of additions against those noted in the Directory
Synchronization Client. They should match. (See View recent synchronizations,
page 40.)
 The system is now live. If you are unhappy with the user/groups data you have
synchronized then you can use Restore to undo the synchronization data, and try
again. (See Restore directories, page 41.)
 If everything appears to be working, set up a schedule time in the Directory
Synchronization Client for the background task to run. Close the client tool.

Considerations for existing customers

If you have already set up users, groups, passwords, policies, and exceptions in the
cloud manager and you want to switch to LDAP synchronization, consider the
following:
● You can minimize the impact by carefully matching your LDAP group names and
membership to the existing setup. Matching LDAP group names and membership
to those already in the cloud service allows existing policy selections and settings
to be maintained, as well as existing usernames/passwords where applicable.
● You are responsible for avoiding ambiguous configurations, for example, users
belonging to multiple groups which are assigned to different policies. It is up to
you to set up groups in the LDAP directories in such a way that ambiguities don't
occur. (When there are ambiguities, the service selects the closest group-to-policy
assignment for each individual user, taking the first group in alphabetical order
where there are multiple assignments at the same hierarchical level.)
● Existing users can retain their passwords and whether you manage users through
the portal, LDAP synchronization, or both is completely transparent to them.

B Standard Regular Expression Strings

Regular expressions (RegEx) are a powerful way of matching a sequence of simple
characters. You can use regular expressions in Forcepoint Email Security Cloud to
create dictionary entries for lexical rules (see Filtering using lexical rules,
page 112).
You can enclose a range of characters in square brackets to match against all of those
characters. For example:

Expression    Description
[]            may also be used on a range of characters separated by a – character.
[0-9]         matches any digit.
[a-z]         matches any alpha character
[a-z0-9]      matches any alphanumeric character
^             is the “not” character, so [^0-9] matches against any character that is not a digit.

Although you can use ranges to specify a group of characters, you can also use the
following shortcuts:

Expression    Description
.             matches against any character
\d            matches against a digit [0-9]
\D            matches against a non-digit [^0-9]
\s            matches against a whitespace character (such as a tab, space, or line feed character)
\S            matches against a non-whitespace character
\w            matches against an alphanumeric character [a-zA-Z_0-9]
\W            matches against a non-alphanumeric character
\xhh          matches against a control character (for the hexadecimal character hh)
\uhhhh        matches against a Unicode character (for the hexadecimal character hhhh)

Note
As the backslash character is used to denote a specific search expression, if you want
to match against this character, you must enter a double backslash (\\).

To match against occurrences of a character or expression, you can use the following:

Expression    Description
*             matches against zero or more occurrences of the previous character or expression
+             matches against one or more occurrences of the previous character or expression
?             matches zero or one occurrences of the previous character or expression
{n}           matches n occurrences of the previous character or expression
{n,m}         matches from n to m occurrences of the previous character or expression
{n,}          matches at least n occurrences of the previous character or expression

You can provide text to replace all or part of your search string. To do this, you need to
group together matches by enclosing them in parentheses so they can be referenced in
the replacement. To reference a matched parameter, use $n where n is the parameter
starting from 1.

Regular expression examples

Example 1: IP address
The following regular expression matches against any IP address:
\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b

You can test this regex with any phrase including a standard IP address, for example
192.23.44.1.

Example 2: Dates
The following regular expression matches against dates in the format DD-MMM-YYYY:
\b\d\d?-\w\w\w-\d\d\d\d\b

To test this regex, enter a sentence similar to “The project completes on 14-Feb-2009”.

Example 3: Social Security Numbers
The following regular expression matches against Social Security numbers in UK
format:
\b\w{2}\d{6}\w\b
You can test this regex with any Social Security number in the format XY123456Z.
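
The following added example is not part of the Forcepoint guide. It checks the three expressions above against constructed sample strings before they are entered as dictionary entries, and shows which benign-looking strings each one also catches. Python's re module stands in for the service's regex engine (an assumption), and the tightened variants are this example's own, built only from syntax listed in this appendix.

```python
import re

# Expressions exactly as printed in Examples 1-3 of this appendix.
DOCUMENTED = {
    "ip": r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b",
    "date": r"\b\d\d?-\w\w\w-\d\d\d\d\b",
    "uk_ssn": r"\b\w{2}\d{6}\w\b",
}

# Tightened variants: this example's own assumption, not from the guide.
# They use only constructs listed in this appendix (ranges, ?, {n}, {n,m}).
# The "ip" variant still accepts octets 256-299.
TIGHTENED = {
    "ip": r"\b[0-2]?\d{1,2}\.[0-2]?\d{1,2}\.[0-2]?\d{1,2}\.[0-2]?\d{1,2}\b",
    "date": r"\b\d\d?-[A-Za-z]{3}-\d{4}\b",
    "uk_ssn": r"\b[A-Za-z]{2}\d{6}[A-Za-z]\b",
}

# Constructed sample text: lines a rule is meant to catch ("hit"), and benign
# lines that look similar and should pass the content filter ("miss").
SAMPLES = {
    "ip": {
        "hit": ["Server 192.23.44.1 is down", "gateway 10.0.0.1"],
        "miss": ["ref 300.400.500.600", "lot 999.999.999.999"],
    },
    "date": {
        "hit": ["The project completes on 14-Feb-2009", "due 3-Mar-2021"],
        "miss": ["part 12-345-6789", "id 01-A_1-2020"],
    },
    "uk_ssn": {
        "hit": ["number XY123456Z on file", "ab123456c"],
        "miss": ["order 123456789", "ref __123456_"],
    },
}


def evaluate(pattern, hit, miss):
    """Return the lines a pattern failed to catch and the benign lines it caught."""
    # re.ASCII keeps \d and \w to [0-9] and [a-zA-Z_0-9], as the tables describe.
    rx = re.compile(pattern, re.ASCII)
    missed = [s for s in hit if not rx.search(s)]
    false_hits = {s: m.group(0) for s in miss if (m := rx.search(s))}
    return {"missed": missed, "false_hits": false_hits}


def compare(rule):
    """Evaluate the documented and the tightened pattern for one rule name."""
    data = SAMPLES[rule]
    return {
        "documented": evaluate(DOCUMENTED[rule], data["hit"], data["miss"]),
        "tightened": evaluate(TIGHTENED[rule], data["hit"], data["miss"]),
    }


if __name__ == "__main__":
    for rule in DOCUMENTED:
        for variant, outcome in compare(rule).items():
            print(f"{rule:7} {variant:10} missed={outcome['missed']} "
                  f"false_hits={list(outcome['false_hits'].values())}")
```

Because \w also matches digits and the underscore, the documented date and Social Security expressions match purely numeric strings such as part or order numbers.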

C Supported File Types

This appendix provides a list of all the file formats and types supported for email
attachment blocking and parking.

File format File type


Compressed and Encoded Formats:
Serialized Object Format (SOF)
Disk Doubler
ZIP Archive
PAK/ARC Archive
cpio archive (CRC Header)
cpio archive (CHR Header)
SUN PEX Binary Archive
UU encoded
StuffIt (MAC)
WANG Office GDL Header
OLE Compound Document
SHAR
Unix Compress
GZ Compress
TAR
BinHex
SMTP
MIME
Compactor / Compact Pro
PGP Secret Keyring
PGP Public Keyring
PGP Encrypted Data
PGP Signed Data
PGP Signed and Encrypted Data
PGP Signature Certificate
PGP Compressed Data
ASCII-armored PGP Public Keyring
ASCII-armored PGP encoded
MacBinary
Apple Single
Apple Double
Microsoft Outlook
Microsoft Outlook PST
RAR
RAR5
IBM Lotus Notes Database NSF/NTF
OpenPGP Message Format (with new packet format)
LHA Archive
IBM Lotus representation of Domino design elements in XML format
Legato Extender Native Message ONM
Transport Neutral Encapsulation Format (TNEF)
Legato EMailXtender Archives Format (EMX)
7 Zip Format (7z)
Microsoft Cabinet File (CAB)
Group Wise File Surf email (GWFS)
Archive by Robert Jung (ARJ)
Microsoft Outlook Restricted Permission Message (RPMSG)
Microsoft Outlook for Macintosh (OLM)
Web ARChive (WARC)
ICHITARO compressed
B1 archive
EDB
Internet Calendaring and Scheduling (iCalendar)
XZ archive

Database Formats:
MORE Database MAC
Filemaker MAC
SmartWare II (DB)
Microsoft Works for MAC
Microsoft Works for DOS
Microsoft Works for Windows
Reflex
Borland Reflex 2
Paradox
dBase
Ability DB
Microsoft Access
Microsoft Access 95
Microsoft Access 97
Microsoft Access 2000

Desktop Publishing Formats:
PageMaker for Macintosh
PageMaker for Windows
FrameMaker
Maker Markup Language
Quark Xpress MAC
Microsoft Publisher

Executable Formats:
MS-DOS Batch File
SDOS/Windows Program
DOS/Windows Object Library
Unix Executable (PDP-11/pre-System V VAX)
Unix Executable (Basic-16)
Unix Executable (x86)
Unix Executable (iAPX 286)
Unix Executable (MC680x0)
Unix Executable (3B20)
Unix Executable (WE32000)
Unix Executable (VAX)
Unix Executable (Bell 5.0)
Unix Object Module (VAX Demand)
Unix Object Module (old MS 8086)
Unix Object Module (Z8000)
DOS/Windows Object Module
PC (.COM)
MSDOS Device Driver
ELF Relocatable
ELF Executable
ELF Dynamic Library
Java Class format (CLASS)

High-End Graphics:
Corel Draw
Computer Graphics Metafile (CGM)
Lotus PIC
PostScript
Windows Metafile (no header)
Freehand MAC
HP Graphics Language
AutoCAD DXF
OS/2 PM Metafile
Lasergraphics Language
AutoShade Rendering
GEM VDI
HP Printer Control Language
VRML
QuickDraw 3D Metafile
Corel CMX
AutoDesk Drawing (DWG)
AutoDesk WHIP
Micrografx Designer
Simple Vector Format (SVF)
Enhanced Metafile
Microsoft Office Drawing
DeVice Independent file (DVI)
Harvard Graphics Chart
Harvard Graphics Symbol File
Harvard Graphics Configuration File
Harvard Graphics Palette
Intergraph Standard File Format (ISFF) V7 DGN (non-OLE)
MicroStation V8 DGN (OLE)
CADAM Drawing
CADAM Drawing Overlay
NURSTOR Drawing
HP Graphics Language (Plotter)
CATIA Formats (CAT*)
ODF Drawing

Other Formats:
SmartWare II (Other)
Microsoft Works for MAC
Framework
Framework II
WordPerfect auxiliary file
Windows Help File
Ability Other
NeWS bitmap font
SUN vfont Definition
Windows Group
TrueType Font
Program Information File (PIF)
Windows C++ Object Storage
FTP Session Data
Netscape Bookmark File
Office 2007 document
Unknown binary
Advanced Systems Format (ASF)
Yahoo! Messenger chat log (YCHAT)
MATLAB file format (MAT, FIG)
SEG-Y Seismic Data format (SGY, SEGY)
Microsoft Windows NT Event Log (EVT)
Microsoft Windows Vista Event Log (EVTX)

Presentations:
PowerPoint PC
PowerPoint MAC
PowerPoint 95
PowerPoint 97
Persuasion
Applix Graphics
Lotus Freelance for DOS
Lotus Freelance for Windows
Lotus Freelance for OS/2
Lotus Freelance 96
Lotus Freelance 97
Corel Presentations
Harvard Graphics
Microsoft PowerPoint 2000
Microsoft Visio
Microsoft Visio 2013
Microsoft Visio 2013 macro
Microsoft Visio 2013 stencil
Microsoft Visio 2013 stencil macro
Microsoft Visio 2013 template
Microsoft Visio 2013 template macro
Microsoft PPT 2007 XML
Microsoft PPT Macro 2007 XML
ODF Presentation
Apple iWork Keynote format

Scheduling/Planning:
Microsoft Project
PlanPerfect
Microsoft Project 4
Microsoft Project 4.1
Microsoft Project 98
Microsoft Project 2000

Sound:
Microsoft Wave
MIDI
NeXT/Sun Audio Data
RIFF MIDI
Audio Interchange File Format (AIFF)
Amiga MOD
Amiga IFF (8SVX) Sound
Creative Voice (VOC)
MPEG Audio
Real Audio
Windows Media Audio Format (WMA)
Conifer Wavpack
Sony Wave64
Xiph Ogg Vorbis

Spreadsheets:
Multiplan (PC)
Multiplan (Mac)
SYLK
Symphony
Uniplex Ucalc
Data Interchange Format (DIF)
Enable Spreadsheet
Supercalc
UltraCalc
SmartWare II (Spreadsheet)
Microsoft Works for MAC
Microsoft Works for Windows
Quattro Pro for DOS
Quattro Pro for Windows
Ability Spreadsheet
CSV (Comma Separated Values)
PeachCalc
Lotus 1-2-3
Lotus 1-2-3 Formatting
Lotus 1-2-3 97
Microsoft Excel
Microsoft Excel 95
Microsoft Excel 97
Lotus 1-2-3 Release 9
Applix Spreadsheets
Microsoft Excel 2000
Microsoft Excel 2007 XML
Microsoft Excel Macro 2007 XML
ODF Spreadsheet
Microsoft Excel Binary 2007
Quattro Pro 9+ for Windows
Apple iWork Numbers format
Apple iWork 2013 Numbers

Standard Graphics:
Windows Bitmap
Encapsulated PostScript
CCITT G3 1D
Graphics Interchange Format (GIF87a)
Graphics Interchange Format (GIF89a)
GEM Bit Image
Sun Raster
MacPaint
PC Paintbrush Graphics (PCX)
QuickDraw Picture
Lotus Ami Pro Draw
Targa
TIFF
Windows Metafile
WordPerfect Graphics
JPEG Interchange Format
Windows Icon Format
Windows Cursor
Ability Image
Curses Screen Image
DCX FAX Format (PCX images)
Lotus Notes Bitmap
Portable Network Graphics (PNG)
Windows Animated Cursor
Windows Palette
RIFF Device Independent Bitmap
OLE DIB object
SGI Image
MS Windows Device Independent Bitmap
Portable Bitmap Utilities ASCII Format
Portable Bitmap Utilities Binary Format
Portable Greymap Utilities ASCII Format
Portable Greymap Utilities Binary Format
Portable Pixmap Utilities ASCII Format
Portable Pixmap Utilities Binary Format
X Bitmap Format
X Pixmap Format
FPX Format
PCD Format
Microsoft Document Imaging Format
PaperPort image file (MAX)

Text:
EBCDIC Text
HTML
Text

Vector Graphics:
Windows Draw (Micrografx)

Videos:
Video for Windows (AVI)
RIFF Multimedia Movie
MPEG Movie
QuickTime Movie
AutoDesk Animator FLIC
AutoDesk Animator Pro FLIC
Lotus ScreenCam
Macromedia Director
Windows Media Video Format (WMV)
MPEG-PS container with CDXA stream (MPG)
ISO/IEC MPEG-4

Word Processing:
Multiplus (AES)
APPLIX ASTERIX
Convergent Technologies DEF Comm. Format
Word Connection
COMET TOP
CEOwrite
DSA101 (Honeywell Bull)
DCA-RFT (IBM Revisable Form)
CDA / DDIF
DG Common Data Stream (CDS)
Vistaword
DECdx
Enable Word Processing
HP Word PC
IBM 1403 Line Printer
DCF Script
DCA-FFT (IBM Final Form)
Interleaf
Display Write
Lotus Ami Pro
Lotus Ami Pro Style Sheet
Lyrix Word Processing
MASS-11
Microsoft Word for Macintosh
Microsoft Word for Windows
MultiMate
MultiMate Footnote File
MultiMate Advantage
MultiMate Advantage Footnote File
MultiMate Advantage II
MultiMate Advantage II Footnote File
Rich Text Format (RTF)
Microsoft Word for PC
Microsoft Word for PC Style Sheet
Microsoft Word for PC Glossary
Microsoft Word for PC Driver
Microsoft Word for PC Miscellaneous File
NBI Async Archive Format
Navy DIF
NBI Net Archive Format
NIOS TOP
OLIDIF (Olivetti)
Office Writer
CPT
Philips Script
PRIMEWORD
Q-One V1.93J
Q-One V2.0
SAMNA Word
SmartWare II (WP)
Targon Word
Uniplex
Microsoft Word UNIX
WANG PC
WordERA
WANG WPS
WordPerfect MAC
WordPerfect
WordPerfect VAX
WordPerfect Macro
WordPerfect Spelling Dictionary
WordPerfect Thesaurus
WordPerfect Resource File
WordPerfect Driver
WordPerfect Configuration File
WordPerfect Hyphenation Dictionary
WordPerfect Miscellaneous File
WordMARC
WordStar
WANG WITA
Xerox 860
Xerox Writer
Microsoft Works for MAC
Microsoft Works for DOS
Microsoft Works for Windows
MacWrite
MacWrite II
Maker Interchange Format (MIF)
Windows Write
Volkswriter
Ability WP
XYWrite / Nota Bene
IBM Writing Assistant
WordStar 2000
WriteNow MAC
Q & A for DOS
Q & A for Windows
WPS-PLUS
DCS
Lotus Notes CDF
ODA / ODIF
ALIS
Envoy
Portable Document Format
USENET
SGML
ACT
Applix Words
XML
Unicode
Lotus Word Pro 96
Lotus Word Pro 97
Microsoft Word 95
Microsoft Word 97
Microsoft Pocket Word
Microsoft Word 2000
Folio Flat File
HWP (Arae-Ah Hangul)
ICHITARO V4-10
Verity XML
Oasys format
Microsoft Word 2003 XML
Microsoft Excel 2003 XML
Microsoft Visio 2003 XML
StarOffice Text XML
StarOffice Spreadsheet XML
StarOffice Presentation XML
XHTML
SWF
Microsoft Word 2007 XML
Microsoft Word Macro 2007 XML
Microsoft XML Paper Specification (XPS)
ODF Text
Yahoo! Instant Messenger History
Founder Chinese E-paper Basic (ceb)
MHT format
Microsoft Office Groove Format
Apple iWork Pages format
Apple iWork 2013 Pages
Windows Journal format (JNT)
PKCS #12
VCF file