Forcepoint TRITON

The Forcepoint V-Series Content Gateway DSM for IBM® QRadar® supports events for web content from several Forcepoint TRITON solutions, including Web Security, Web Security Gateway, Web Security Gateway Anywhere, and V-Series appliances.

About this task

Forcepoint TRITON collects and streams event information to QRadar by using the Forcepoint Multiplexer component. Before you configure QRadar, you must configure the Forcepoint TRITON solution to provide LEEF formatted syslog events.

Before you can configure Forcepoint TRITON Web Security solutions to forward events to QRadar, you must ensure that your deployment contains a Forcepoint Multiplexer.

The Forcepoint Multiplexer is supported on Windows, Linux®, and on Forcepoint V-Series appliances.

To configure a Forcepoint Multiplexer on a Forcepoint Triton or V-Series appliance:

Procedure

  1. Install an instance of Forcepoint Multiplexer for each Forcepoint Policy Server component in your network.
    • For Microsoft Windows - To install the Forcepoint Multiplexer on Windows, use the TRITON Unified Installer. The Triton Unified Installer is available for download at http://www.myforcepoint.com.
    • For Linux - To install the Forcepoint Multiplexer on Linux, use the Web Security Linux Installer. The Web Security Linux Installer is available for download at http://www.myforcepoint.com.

    For information on adding a Forcepoint Multiplexer to software installations, see your Forcepoint Security Information Event Management (SIEM) Solutions documentation.

  2. Enable the Forcepoint Multiplexer on a V-Series appliance that is configured as a full policy source or user directory and filtering appliance:
    1. Log in to your Forcepoint TRITON Web Security Console or V-Series appliance.
  3. From the Appliance Manager, select Administration > Toolbox > Command Line Utility.
  4. Click the Forcepoint Web Security tab.
  5. From the Command list, select multiplexer, then use the enable command.
  6. Repeat Forcepoint TRITON and Forcepoint TRITON to enable one Multiplexer instance for each Policy Server instance in your network.

    If more than one Multiplexer is installed for a Policy Server, only the last installed instance of the Forcepoint Multiplexer is used. The configuration for each Forcepoint Multiplexer instance is stored by its Policy Server.

What to do next

You can now configure your Forcepoint TRITON appliance to forward syslog events in LEEF format to QRadar.