
Forcepoint DLP for Email & Network — Data in Motion, the Protector, SMTP & ICAP

Network DLP is about stopping sensitive data on the way out — email, web and file transfers crossing your perimeter. This lesson maps the Protector and its DLP server, shows when it can only watch versus when it can block, and walks the two real enforcement paths: email as a true MTA and web via a proxy over ICAP.

📅 2026-06-18 · ⏱ 16 min · 5 infographics · live block demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide to Forcepoint Network DLP (2026): how the Protector inspects data in motion, passive SPAN/TAP monitoring vs inline enforcement, email DLP in explicit MTA mode with the Next Hop Smart Host, the encryption gateway, the 1-week quarantine release, and web blocking over ICAP on port 1344.

Pick where you want to start

1. Data in motion: The Protector's two faces — passive vs inline.
2. Email the MTA way: Explicit MTA mode, Smart Host, fail-open vs close.
3. Encrypt & release: Encryption gateway, quarantine, 1-week release.
4. Web over ICAP: Proxy as client, Protector as server, port 1344.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Which component does the deep content analysis?

Answered in Data in motion.

2. Can the Protector block web uploads on its own?

Answered in Web over ICAP.

3. What is the Next Hop MTA also called?

Answered in Email the MTA way.

Most engineers think…

Most people assume that if a DLP policy 'shows hits' on the network, it is also stopping the leak. That assumption gets data out the door and gets you caught in an interview.

Forcepoint Network DLP is built around the Protector — a soft appliance that only intercepts traffic — paired with a DLP server that does the actual content analysis. How you wire and run the Protector decides everything: off a SPAN/mirror or TAP it can only watch and report; inline it can block, quarantine or terminate. And email and web are not equal — email can be blocked natively in MTA mode, but web can only be monitored unless a proxy enforces the Protector's verdict over ICAP.

① Data in motion & the Protector's two faces

Data in motion is sensitive content crossing the network at egress — email, web uploads, FTP and other file transfers — inspected before it leaves the perimeter. Forcepoint catches it with the Protector, a soft appliance that intercepts traffic, paired with a DLP server that performs the deep content analysis. The channels it understands are SMTP, HTTP/S, FTP and plain text.

Passive vs inline — the call that decides everything

In monitoring (passive) mode the Protector sits off a switch SPAN/mirror port or a network TAP: one Network interface carries management and has an IP, while Monitoring interfaces have no IP and just receive mirrored traffic. It can detect and report a loss but cannot block it. In inline mode the Protector sits directly in the traffic path, so it can block, quarantine or terminate. You enable each role per module at Settings ▸ Deployment ▸ System Modules.

Figure 1 — Data in motion — intercept, analyse, decide, act, report
Intercept (Protector on the wire) → Analyse (DLP server runs policy) → Decide (verdict + action plan) → Act (permit/block/encrypt) → Report (incident + forensics)
The Protector intercepts; the DLP server analyses; the action plan decides what leaves and what does not.

Figure 2 — Passive monitoring vs inline enforcement
Passive (monitor): off a SPAN/mirror port or TAP; Monitoring interfaces have no IP; detect and report only; cannot block any channel.
Inline (enforce): directly in the traffic path; acts as a real MTA for SMTP; can block, quarantine or terminate; web still needs a proxy via ICAP.
How you wire the Protector decides whether it can only watch or can actually stop a leak.
Split the Protector from the DLP server

In an interview, separate the Protector (intercepts traffic on the wire) from the DLP server (does the deep content analysis and produces the verdict). The wiring choice — SPAN/TAP vs inline — is what decides whether it can block at all.

Quick check · Q1 of 10 · Understand

The Protector relies on which component for the deep content analysis?

Correct: b. The Protector intercepts traffic on the wire, but it is the paired DLP server that runs the policy and performs the deep content analysis to produce a verdict.
👉 So far: Data in motion = email/web/FTP at egress. The Protector intercepts; the DLP server analyses. Passive (SPAN/TAP) only monitors; inline can block, quarantine or terminate.

② Email DLP the MTA way

Email is special: the Protector can monitor or block it natively. Blocking uses explicit MTA mode, where the Protector runs as a real mail relay sitting inline in the mail flow. It receives SMTP, hands message bodies and attachments to the DLP server for policy analysis, then either delivers, blocks, quarantines, or redirects for encryption based on the action plan. Clean mail is forwarded to the Next Hop MTA (Smart Host) — the downstream mail server, set by IP or hostname plus port.

The MTA tab settings to name

On the MTA tab you set the SMTP HELO name, the Next Hop MTA, the Maximum message size (default 33 MB), permitted relay networks (address + subnet), and the critical on-error behaviour: Permit traffic (fail-open — mail flows even if analysis fails) or Block traffic (fail-close). You can also add a footer and delivery-failure notices. TLS on the explicit MTA path is available via a TLS-enabled Postfix build.

Figure 3 — Email in explicit MTA mode
Receive SMTP (Protector accepts inbound mail inline) → Analyse (DLP server checks body + attachments) → Decide (deliver, block, quarantine or encrypt) → Forward (clean mail to the Next Hop MTA / Smart Host)
The Protector relays mail inline, analyses it, then forwards clean mail to the Next Hop Smart Host.
🛡️ Protector
A soft appliance that intercepts SMTP/HTTP-S/FTP/plain text. Passive off a SPAN/TAP it only monitors; inline it can block, quarantine or terminate.

📧 Explicit MTA mode
The Protector runs as a real mail relay so it can block, quarantine or encrypt email, then forwards clean mail to the Next Hop Smart Host.

🔁 ICAP
A protocol letting a proxy (the client) hand content to the Protector (the server) on port 1344 and enforce the returned block/allow verdict.

🔐 Encryption gateway
A redirection gateway the Protector routes mail to when a subject Encryption Flag or X-header is present, instead of delivering directly.

Forgetting the on-error fail mode

On the MTA tab, 'Permit traffic' on error is fail-open (mail keeps flowing if analysis breaks) and 'Block traffic' is fail-close. Picking the wrong one either leaks data during an outage or blocks all mail — decide it deliberately, do not leave it on a default.

Quick check · Q2 of 10 · Remember

In explicit MTA mode, where does the Protector forward clean mail?

Correct: c. After analysis, clean mail is relayed to the Next Hop MTA — also called the Smart Host — the downstream mail server set by IP/hostname and port on the MTA tab.
👉 So far: Email blocks via explicit MTA mode: the Protector runs as a real relay, analyses, then forwards clean mail to the Next Hop MTA (Smart Host). Max message size default 33 MB; on-error = permit (fail-open) or block (fail-close).

③ Encryption, quarantine & the release window

Not every match should be blocked outright — sometimes the right action is to encrypt and send. On the Encryption & Bypass tab you enable a redirection (encryption) gateway by IP and port. Mail is routed there when the Subject contains an Encryption Flag or a named X-header is present — added when a user clicks Encrypt in Outlook or when policy requires it. A matching Bypass flag or X-header skips analysis entirely.

Quarantine and the 1-week release

Blocked SMTP incidents — from the Protector or the Email Security module — are held in quarantine and can be released within one week before they expire. Release happens via the Incident Details report or by replying to the notification, and is routed through the release gateway configured at Settings ▸ General ▸ Remediation. Turning on Validate user before releasing limits release to the actual recipients.
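As an added worked example (not Forcepoint's code), here is the routing order the MTA tab and the Encryption & Bypass tab describe, simulated in Python: a Bypass flag skips analysis, an Encryption Flag or X-header goes to the redirection gateway, otherwise the DLP verdict decides, and the on-error setting takes over when analysis fails. The flag strings, header names and hostnames are assumed placeholders.

```python
# Simulated routing for the Protector in explicit MTA mode: an added
# illustration, not Forcepoint code. Order follows the lesson: a Bypass flag
# skips analysis, an Encryption flag/X-header goes to the redirection gateway,
# otherwise the DLP verdict or the MTA tab's on-error setting decides.
# Flag strings, header names and hostnames below are constructed examples.
from email import message_from_string
from email.message import Message

CONFIG = {
    "encryption_flag": "[encrypt]",       # subject Encryption Flag (assumed value)
    "encryption_header": "X-Encrypt",     # encryption X-header name (assumed)
    "bypass_flag": "[bypass-dlp]",        # subject Bypass flag (assumed)
    "bypass_header": "X-DLP-Bypass",      # bypass X-header name (assumed)
    "next_hop": "smarthost.example.internal:25",        # Next Hop MTA / Smart Host
    "encryption_gateway": "encgw.example.internal:25",  # redirection gateway
    "on_error": "block",  # "permit" = fail-open, "block" = fail-close
}

def has_flag(msg: Message, subject_flag: str, header: str) -> bool:
    """True if the Subject carries the flag or the named X-header is present."""
    return (subject_flag.lower() in msg.get("Subject", "").lower()
            or msg.get(header) is not None)

def route(raw: str, analyse, cfg: dict = CONFIG) -> str:
    """Decide what the relay does with one message. `analyse(msg)` stands in
    for the DLP server and returns 'permit', 'block', 'quarantine' or
    'encrypt'; if it raises, the MTA tab's on-error behaviour applies."""
    msg = message_from_string(raw)
    if has_flag(msg, cfg["bypass_flag"], cfg["bypass_header"]):
        return f"deliver:{cfg['next_hop']}"            # bypass: no analysis at all
    if has_flag(msg, cfg["encryption_flag"], cfg["encryption_header"]):
        return f"encrypt:{cfg['encryption_gateway']}"  # user clicked Encrypt
    try:
        verdict = analyse(msg)
    except Exception:
        # Analysis failed: Permit traffic lets mail flow, Block traffic stops it
        if cfg["on_error"] == "permit":
            return f"deliver:{cfg['next_hop']}"
        return "block:on-error"
    if verdict == "permit":
        return f"deliver:{cfg['next_hop']}"
    if verdict == "encrypt":                           # policy-required encryption
        return f"encrypt:{cfg['encryption_gateway']}"
    return verdict                                     # "block" or "quarantine"

if __name__ == "__main__":
    # Constructed sample messages run against a stand-in analyser.
    analyser = lambda m: "block" if "ABCDE1234F" in m.get_payload() else "permit"
    print(route("Subject: Q3 report\n\nall good", analyser))
    print(route("Subject: [encrypt] payroll\n\nPAN ABCDE1234F", analyser))
    print(route("Subject: payroll\n\nPAN ABCDE1234F", analyser))
```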

Figure 4 — What happens to a flagged email
Action plan (on a match) → Deliver clean / Block / Quarantine / Encrypt (gateway) / Release (1 week) / Notify user
One action plan, several outcomes — each routed to the right gateway or workflow.
Quick check · Q3 of 10 · Understand

A user clicks 'Encrypt' in Outlook. How does the Protector know to route that mail to the encryption gateway?

Correct: d. On the Encryption & Bypass tab, mail is redirected to the encryption gateway when the subject contains an Encryption Flag or a configured X-header is present — exactly what the Outlook Encrypt button adds.
👉 So far: Flagged mail is redirected to the encryption gateway by a subject Encryption Flag or X-header; a Bypass flag skips analysis. Blocked SMTP incidents can be released within one week via the remediation/release gateway.

④ Web DLP over ICAP

Here is the catch that trips people up: the Protector can only monitor web on its own — it sees a copy and reports, but it cannot stop an upload by itself. To block outbound web data you bring in a proxy and the ICAP protocol. The Protector acts as the ICAP server; a third-party (or Forcepoint Web/SWG) proxy is the ICAP client that sends content for inspection and enforces the returned block/allow verdict.

The default ICAP port is 1344. For each outbound HTTP/HTTPS request (and buffered FTP), the proxy passes the content to the Protector, the DLP server evaluates policy, and the proxy permits or blocks the upload. The ICAP config has General, HTTP and FTP tabs. The interview line: web blocking is the proxy enforcing the Protector's verdict — no proxy, no block.

Figure 5 — Blocking a web upload over ICAP
Upload (user posts a file) → ICAP req (proxy to Protector:1344) → Analyse (DLP server scores it) → Verdict (block / allow) → Enforce (proxy applies it)
The proxy hands content to the Protector, gets a verdict, and enforces it — the Protector alone can only watch.
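The ICAP exchange described above, as an added example that is not Forcepoint's or any proxy vendor's code: the proxy side wraps an outbound POST in an RFC 3507 REQMOD message, the server side pulls out the encapsulated body, applies a policy and answers either 204 (allow) or a 200 carrying a replacement 403 response (block), and the proxy enforces whatever came back. The PAN-format regex stands in for a real DLP policy and the hostnames are constructed.

```python
# Minimal ICAP REQMOD exchange (RFC 3507): proxy as ICAP client, inspection
# service as ICAP server. Added illustration only: the "policy" is a
# constructed PAN-format regex, not a DLP engine; hostnames are examples.
import re

ICAP_PORT = 1344                                      # default ICAP port
PAN_RE = re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b")     # Indian PAN layout

def chunked(body: bytes) -> bytes:
    """ICAP carries encapsulated bodies as HTTP chunked data."""
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body) if body else b"0\r\n\r\n"

def dechunk(data: bytes) -> bytes:
    """Reassemble a chunked body (no trailers)."""
    out, pos = b"", 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end], 16)
        if size == 0:
            return out
        out += data[end + 2:end + 2 + size]
        pos = end + 2 + size + 2                      # skip chunk and its CRLF

def build_reqmod(req_hdr: bytes, body: bytes,
                 host: str = "protector.example.internal") -> bytes:
    """Proxy side: wrap the user's HTTP request in a REQMOD message.
    Encapsulated offsets are byte positions within the encapsulated part."""
    icap_hdr = (f"REQMOD icap://{host}:{ICAP_PORT}/reqmod ICAP/1.0\r\n"
                f"Host: {host}\r\n"
                f"Allow: 204\r\n"                     # we accept a bare allow
                f"Encapsulated: req-hdr=0, req-body={len(req_hdr)}\r\n\r\n")
    return icap_hdr.encode() + req_hdr + chunked(body)

def icap_server(message: bytes) -> bytes:
    """Server side: locate the encapsulated body, run the policy, answer."""
    head, _, encapsulated = message.partition(b"\r\n\r\n")
    enc = re.search(rb"Encapsulated: ([^\r\n]*)", head).group(1)
    offsets = dict(kv.strip().split(b"=") for kv in enc.split(b","))
    body = dechunk(encapsulated[int(offsets[b"req-body"]):])
    if PAN_RE.search(body.decode(errors="replace")):
        # Block: hand the proxy a replacement HTTP response to serve instead.
        deny = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
        page = b"Upload blocked by DLP policy\n"
        return (b"ICAP/1.0 200 OK\r\n"
                b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(deny)
                + deny + chunked(page))
    return b"ICAP/1.0 204 No Content\r\n\r\n"        # allow: forward unchanged

def proxy_enforce(icap_response: bytes) -> str:
    """Proxy side: 204 means send the original request on; else enforce."""
    status = icap_response.split(b"\r\n", 1)[0].split()[1]
    return "allow" if status == b"204" else "block"
```

Without the proxy half of this exchange there is nothing to act on the verdict, which is the lesson's point: the inspection service alone only reports.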

Priya at a Pune fintech BPO faces this

Analysts can still upload spreadsheets of customer PAN/Aadhaar data to personal cloud drives, even though the 'block PII upload' policy shows hits in the reports.

Likely cause

The Protector is wired to a SPAN port (passive) and has no ICAP service bound, so it logs web incidents but cannot block them; the corporate proxy has no ICAP client configured.

Diagnosis

In Forcepoint Security Manager, Settings ▸ Deployment ▸ System Modules shows the Protector in Monitoring mode with no ICAP service; the proxy has no ICAP client target.

Fix

Enable the Protector's ICAP server and point the corporate proxy (ICAP client) at it on port 1344, with the PII policy set to block. Web uploads now flow proxy ▸ Protector ▸ DLP verdict ▸ block.

Verify

Re-attempt an upload of a test PAN file: the proxy denies it and an Incident Details entry shows 'blocked' via the ICAP channel.

Prove the block, do not assume it

A policy 'showing hits' is not the same as blocking. Re-test with a real sample upload and read the Incident Details report — it shows the channel (ICAP) and a 'blocked' action. If it only says detected, you are still on a SPAN port with no proxy enforcement.

▶ Watch a PII upload get blocked over ICAP

How a single web upload is inspected and stopped end-to-end (the healthy block path).

① Upload: A user tries to upload a customer PAN spreadsheet to a personal cloud drive through the corporate web proxy.
② ICAP request: The proxy, acting as ICAP client, sends the file content to the Protector's ICAP server on port 1344.
③ Analyse: The DLP server runs the PII policy on the content and finds real PAN/Aadhaar data — a true match.
④ Verdict + block: The Protector returns a block verdict; the proxy denies the upload and an incident is raised with full forensics.
Quick check · Q4 of 10 · Apply

You need to BLOCK outbound web uploads of PII. The Protector is on a SPAN port. What must you do?

Correct: a. On a SPAN port the Protector can only monitor web. Blocking requires a proxy acting as ICAP client that enforces the Protector's (ICAP server) verdict on port 1344.
👉 So far: Web can only be monitored by the Protector alone. To block, a proxy (ICAP client) enforces the Protector's (ICAP server) verdict on port 1344 for HTTP/HTTPS and buffered FTP.


📝 Wrap-up assessment — six more


Q5 · Remember

Which two channels can the Protector block natively, without a separate proxy?

Correct: b. Email can be monitored or blocked natively using explicit MTA mode. Web can only be monitored by the Protector alone — blocking web requires a proxy over ICAP.
Q6 · Apply

Your Protector is connected to a switch SPAN/mirror port. What can it do?

Correct: c. A SPAN/mirror or TAP gives the Protector a copy of traffic, so it is passive: it can detect and report loss but cannot block, quarantine or terminate.
Q7 · Remember

What is the default maximum message size on the MTA tab?

Correct: a. The MTA tab's Maximum message size defaults to 33 MB, alongside the SMTP HELO name, Next Hop MTA, relay networks and the on-error behaviour.
Q8 · Analyze

On the MTA tab, on-error behaviour is set to 'Permit traffic'. During a DLP server outage, what happens to mail?

Correct: d. 'Permit traffic' on error is fail-open: if analysis cannot complete, mail is delivered anyway. 'Block traffic' is fail-close. The choice is a deliberate risk decision.
Q9 · Understand

A blocked SMTP incident sat in quarantine for ten days. Can a recipient still release it?

Correct: b. Blocked SMTP incidents can be released within one week via the Incident Details report or by replying to the notification. After seven days the message expires and cannot be released.
Q10 · Evaluate

An interviewer asks the cleanest way to block outbound web uploads with Forcepoint Network DLP. Best answer?

Correct: c. The Protector can only monitor web alone. Web blocking is achieved by a proxy (ICAP client) enforcing the Protector's (ICAP server) block/allow verdict on the default ICAP port 1344.

🧠 In your own words

Type one line: why can Forcepoint block email on its own but needs help to block the web? Then compare with the expert version.

Expert version: Because email and web use different enforcement paths. For email the Protector can run as a real mail relay in explicit MTA mode — it sits inline in the mail flow, analyses each message, and can deliver, block, quarantine or redirect to the encryption gateway itself, then forward clean mail to the Next Hop Smart Host. For web the Protector natively only sees a mirrored copy, so it can detect but not stop an upload; blocking requires a proxy acting as an ICAP client that enforces the Protector's (ICAP server) verdict on port 1344. Same DLP server and policy behind both — different way of getting the verdict onto the wire.


📖 Glossary

Data in motion
Sensitive data crossing the network at egress — email, web and FTP — inspected before it leaves the perimeter.
Protector
Soft appliance that intercepts SMTP/HTTP-S/FTP/plain text for monitoring or inline enforcement, paired with a DLP server for analysis.
SPAN/mirror port
Switch port that copies traffic to the Protector for passive monitoring — detect and report, but no blocking.
Network TAP
Hardware that duplicates wire traffic so the Protector can passively inspect a copy without being inline.
Explicit MTA mode
The Protector runs as a real mail relay inline in the mail flow, so it can block, quarantine or encrypt email.
Next Hop MTA / Smart Host
The downstream mail server the Protector forwards clean email to after analysis, set by IP/hostname and port.
Encryption (redirection) gateway
Server the Protector routes flagged mail to when a subject Encryption Flag or X-header is present.
Quarantine / release
Holding a policy-breaching email pending release (within one week) via the remediation/release gateway, or expiry.
ICAP
Protocol on default port 1344 where the proxy (client) hands content to the Protector (server) for a block/allow verdict.


What's next?

Got data in motion? Next, go deep on the classifiers behind the verdict — regex, dictionaries, EDM, IDM, machine learning and OCR — and why fingerprinting is what makes a block trustworthy.