Overview

This guide explains how to integrate OneFirewall Alliance (OFA) Threat Feeds with ForcePoint Web Security / URL Filtering. You can enforce threat intelligence feeds for the following categories:
  • ✅ Malicious IPs
  • ✅ Malicious URLs
This integration enables real-time enforcement of security policies based on live threat data provided by OneFirewall Alliance.

Supported ForcePoint Versions

OneFirewall threat feeds are compatible with Forcepoint Web Security / URL Filtering Version 8.5.x

Prerequisites

  • ✅ A valid OneFirewall Alliance account.
  • ✅ Forcepoint running 8.5.x.
  • ✅ Ability to operate in the console.
  • ✅ Internet access from the gateway to reach OneFirewall’s feed URLs.
  • ✅ HTTPS inspection must allow outbound connections to threat feed URLs (if required by policy).

Step 1: Generate API Token

  1. Log into your OneFirewall Alliance dashboard.
  2. Go to the API Access section.
  3. Click Generate JWT Token.
  4. Save the token securely — this will be used to authenticate feed requests.

Step 2: Configure IP Address List and URL List

For each threat type, follow these general steps:

Configure the External Feeds

Install Docker & Docker Compose

# On Debian/Ubuntu
sudo apt update
sudo apt install -y docker.io
sudo systemctl enable --now docker

# Install Docker Compose
sudo curl -L "https://github.com/docker/compose/releases/download/$(curl -s https://api.github.com/repos/docker/compose/releases/latest | jq -r '.tag_name')/docker-compose-$(uname -s)-$(uname -m)" \
  -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

Prepare Your Deployment Directory

mkdir -p ~/wcf-agent-forcepoint
cd ~/wcf-agent-forcepoint
  1. Download the WCF Agent Docker image into this folder.
  2. Obtain your config.json from OneFirewall’s Install Agent page.
  3. Place config.json in ~/wcf-agent/onefirewall/config.

Create docker-compose.yml

version: '3'
services:
  onefirewall-wcf-agent-forcepoint-websec:
    image: app.onefirewall.com/onefirewall-wcf-agent-urls:v4
    restart: always
    environment:
      - IS_TEST=False
    volumes:
      - ./storage/logs:/var/tmp/
      - ./storage/data:/opt/onefirewall/data/
      - ./onefirewall/config:/opt/onefirewall/config/:ro
Contact OneFirewall support team with access to download WCF Agent binary image

Launch the Agent

docker compose up -d
docker-compose logs -f onefirewall-wcf-agent-forcepoint-websec

Notes

  • OneFirewall uses JWT-based Bearer Authentication.
  • Feeds are auto-refreshable and optimized for ForcePoint Web Security / URL filtering integration.
  • All feed types can be used simultaneously in different rules or combined policies.