Capabilities
EnforceGate vX is sold in three editions: Lite, Pro, and Enterprise. The capabilities below describe everything that ships today in the Lite edition, the only edition currently generally available. See editions for the full feature mapping.
Core features (every edition)
All three editions of EnforceGate vX include the following core capabilities:
- Highly scalable: A single EnforceGate vX engine supports policy sets of up to 150 million rules — large category-based filtering corpora, multi-million-entry threat-intel domain feeds, and combined allow / deny lists all run on one engine without sharding. See sizing for the cgroup-memory recommendations across the supported range.
- URL filtering: Allow or deny both clear-text (HTTP) and encrypted (HTTPS) web traffic based on multiple criteria, including the requested URI, hostname, SNI, user-agent, client IP/MAC, and other request attributes.
- Network Access Control: Permit or deny access to web resources based on identity principals (users, groups), client posture, or network origin.
- SSL/TLS inspection: Three runtime modes (`off`/`peek`/`bump`) selectable per deployment, from plain CONNECT tunnelling through SNI-only visibility to full HTTPS decryption. See SSL inspection for the activation model and the binding acknowledgement gate.
- Captive portal: Block, warn and AUP verdicts redirect the visitor's browser to an in-product landing page (protected by an encrypted redirect token) that explains the verdict in the visitor's language and (when the policy allows) offers a "Proceed anyway" CTA recorded in the engine's session store.
- Configurable default policy: The shipped baseline permits every request that no policy explicitly denies; a single drop-in policy can flip this to default-deny for environments where strict allowlisting (whitelisting) is preferred.
Edition-gated features
The features below are gated by edition. Lite is the only edition shipping today; Pro and Enterprise add capabilities on top. See Editions for the full feature mapping, bundled support tier, and the schedule.
| Feature | Lite | Pro | Enterprise |
|---|---|---|---|
| Captive portal — block / warn / aup pages | ✓ | ✓ | ✓ |
| Captive portal — Active Directory user/group identity | — | ✓ | ✓ |
| Captive portal — RADIUS user/group identity | — | — | ✓ |
| Operator Web UI | — | ✓ | ✓ |
| Operator SSO / SAML federation | — | — | ✓ |
| Bundled support tier | Direct | Direct | Premium |
The captive portal itself is in every edition — visitors always get the block / warn / aup verdict pages in their language. What the Pro and Enterprise editions add is identity attached to those pages: Pro lets operators write rules based on the visitor's Active Directory user or group; Enterprise extends that to RADIUS.
Architecture features
- Hardware-anchored release signing: Every released image is signed by a hardware-key-held ECC P-256 key using cosign. The release private key never exists as a file on disk. See architecture.
- In-image integrity check: Bundled binaries are SHA-256-verified against a build-time manifest at every boot, and continuously re-hashed by a long-running watcher.
- Read-only root filesystem: The container's root filesystem is mounted read-only at runtime.
- Immutable host OS (appliance only): The virtual appliance's host operating system mounts its root filesystem read-only and applies updates as atomic, rollback-capable snapshots — a second layer of immutability underneath the container's own read-only root.
- Seamless updates: Both the host operating system (on the appliance) and the EnforceGate components upgrade in place with only a few minutes of downtime. Even yearly release transitions are delivered as in-place upgrades: no reinstall is required, and operator state (configuration, license activation, policy history, audit log) is preserved end-to-end.
- Mutual peer authentication: The engine and connectors exchange a shared key over the proprietary `Defendr` binary protocol. Defendr sessions are upgraded to TLS with SHA-256 message integrity.
- Operator CLIs: `egctl` for engine status and management, an interactive Cisco / Junos-style modal REPL reached via `egctl --cli`, plus bash / Unix-style flat one-shots (`egctl <verb>`) for scripts and automation. `egpolicy` compiles and loads policies into the engine's DuckDB store. Both ship inside every standalone image and are reachable from the host via `eghost cli` (the recommended wrapper) or `docker exec`.
- Toolbox container: A companion `toolbox` container ships alongside the engine with a bash and Python environment plus the standard EnforceGate CLI tooling pre-installed. Operators use it to write custom scripts against the deployment; the canonical use case is category-based filtering: downloading and refreshing category lists (adult content, gambling, social media, threat-intel feeds, etc.) on a cron and reloading the engine when the underlying lists change. Other common uses are periodic exports of policy snapshots and integrations with ticketing or SIEM tooling. See Toolbox for the operator-side guide.
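The in-image integrity check above (a build-time SHA-256 manifest verified at boot and re-hashed by a watcher) is easy to get subtly wrong: a check that only hashes the files listed in the manifest misses files that were added, and a watcher that never re-walks the tree misses a binary that was swapped out after boot. The following is an added example written for this page, not EnforceGate's own implementation; the manifest format, the on-disk layout and the file names it creates are constructed for the demonstration.

```python
"""Boot-time and continuous SHA-256 integrity verification of a bundled tree.

Added example, not EnforceGate's own code. It models what the page describes
(a build-time manifest checked at boot and re-hashed by a long-running watcher)
with an assumed manifest format: relative path -> hex SHA-256.
"""
import hashlib
import os
import tempfile
import time
from typing import Dict, List, Tuple


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(root: str) -> List[str]:
    """Relative POSIX-style paths of every regular file under root."""
    out = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            out.append(rel.replace(os.sep, "/"))
    return sorted(out)


def build_manifest(root: str) -> Dict[str, str]:
    """Build-time step: record the expected digest of every file in the image tree."""
    return {rel: sha256_file(os.path.join(root, rel)) for rel in _walk(root)}


def verify_manifest(root: str, manifest: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the tree matches the manifest.

    Reports three classes: modified (digest differs), missing (listed but absent)
    and unexpected (present on disk but not in the manifest). The third class is
    the one a naive "hash what the manifest lists" check silently misses.
    """
    findings = []
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            findings.append(f"missing: {rel}")
        elif sha256_file(full) != expected:
            findings.append(f"modified: {rel}")
    for rel in _walk(root):
        if rel not in manifest:
            findings.append(f"unexpected: {rel}")
    return findings


def watch(root: str, manifest: Dict[str, str], interval: float = 0.0, rounds: int = 1) -> List[str]:
    """Watcher loop: re-hash every `interval` seconds; return on the first failing pass.

    A real watcher would run forever and raise an alert; `rounds` bounds the loop
    so the example terminates.
    """
    for _ in range(rounds):
        findings = verify_manifest(root, manifest)
        if findings:
            return findings
        time.sleep(interval)
    return []


def demo() -> Tuple[List[str], List[str]]:
    """Constructed scenario: clean tree, then a swapped binary and a planted extra file."""
    root = tempfile.mkdtemp(prefix="eg-integrity-")
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "egctl"), "wb") as f:
        f.write(b"#!/bin/sh\necho engine ok\n")       # constructed stand-in for a bundled binary
    with open(os.path.join(root, "bin", "egpolicy"), "wb") as f:
        f.write(b"#!/bin/sh\necho policy ok\n")
    manifest = build_manifest(root)                    # "build time"
    clean = watch(root, manifest, rounds=2)            # "boot" plus one watcher pass
    with open(os.path.join(root, "bin", "egctl"), "ab") as f:
        f.write(b"# appended after boot\n")            # simulate an in-place modification
    with open(os.path.join(root, "bin", "extra"), "wb") as f:
        f.write(b"planted\n")                          # file the manifest never knew about
    tampered = watch(root, manifest, rounds=2)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The manifest only proves anything if it is itself protected: it has to be covered by the release signature described above (or embedded in the signed image), otherwise whoever can rewrite a binary can rewrite its expected digest too.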
SSL/TLS inspection
By default, HTTPS traffic flows through the proxy as an opaque tunnel — the engine sees the destination hostname (via SNI) but cannot read the URL, headers or content. SSL/TLS inspection terminates the client's TLS session, decrypts the request, evaluates it against policy, then re-encrypts to the origin — giving the engine the same visibility into HTTPS that it has into plain HTTP.
Because decrypting traffic that the user's browser believed was end-to-end private has direct legal consequences — employee-privacy law, GDPR, sector-specific telecom and banking rules, and the operational cost of distributing a custom CA to every client trust store all vary by jurisdiction and deployment context — EnforceGate vX ships with inspection disabled by default. Operators must explicitly opt in and acknowledge the binding conditions before any decryption takes place. See SSL inspection for the activation workflow.
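The difference between the `peek` and `bump` modes comes down to what is readable on the wire before any decryption: the destination hostname travels in clear text in the TLS ClientHello's server_name extension, whereas the URL, headers and body are only available after the session is terminated. The parser below is an added example, not EnforceGate code; it extracts the SNI from a ClientHello record, which is exactly the visibility `peek` mode has. The sample ClientHello it builds is constructed for the demonstration.

```python
"""Read the SNI hostname out of a TLS ClientHello without decrypting anything.

Added example, not part of EnforceGate. This is the information available to a
proxy in `peek` mode: the hostname, and nothing else about the request.
"""
import struct
from typing import Optional


def _u16(b: bytes, off: int) -> int:
    return struct.unpack_from(">H", b, off)[0]


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a TLS handshake record holding a ClientHello, else None.

    Malformed or truncated input yields None rather than an exception, which is the
    behaviour a proxy wants on the untrusted client side of the connection.
    """
    try:
        # TLS record header: content_type(1) version(2) length(2); 0x16 = handshake
        if len(record) < 5 or record[0] != 0x16:
            return None
        rec_len = _u16(record, 3)
        body = record[5:5 + rec_len]
        if len(body) < rec_len:
            return None                      # truncated record
        # Handshake header: msg_type(1) length(3); msg_type 1 = ClientHello
        if body[0] != 0x01:
            return None
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        pos = 2 + 32                          # client_version + random
        sid_len = hello[pos]; pos += 1 + sid_len          # session_id
        cs_len = _u16(hello, pos); pos += 2 + cs_len      # cipher_suites
        cm_len = hello[pos]; pos += 1 + cm_len            # compression_methods
        if pos + 2 > len(hello):
            return None                      # no extensions block at all
        ext_total = _u16(hello, pos); pos += 2
        end = min(pos + ext_total, len(hello))
        while pos + 4 <= end:
            ext_type, ext_len = _u16(hello, pos), _u16(hello, pos + 2)
            pos += 4
            if ext_type == 0x0000:            # server_name extension
                list_end = pos + 2 + _u16(hello, pos)
                p = pos + 2
                while p + 3 <= list_end:
                    name_type, name_len = hello[p], _u16(hello, p + 1)
                    p += 3
                    if name_type == 0:        # host_name
                        return hello[p:p + name_len].decode("ascii", "replace")
                    p += name_len
            pos += ext_len
        return None
    except (IndexError, struct.error):
        return None


def build_client_hello(host: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2-framed ClientHello with one server_name entry."""
    name = host.encode("ascii")
    sni_entry = b"\x00" + struct.pack(">H", len(name)) + name
    sni_ext = (struct.pack(">HH", 0x0000, len(sni_entry) + 2)
               + struct.pack(">H", len(sni_entry)) + sni_entry)
    hello = (b"\x03\x03" + b"\x11" * 32 + b"\x00"          # version, random, empty session_id
             + struct.pack(">H", 2) + b"\x13\x01"           # one cipher suite
             + b"\x01\x00"                                  # one compression method (null)
             + struct.pack(">H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))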
Captive portal pathway
The captive portal is an open Python application fronted by a TLS terminator that publishes HTTPS on :443 and an HTTP→HTTPS redirect on :80. The portal:
- Renders the verdict pages (`block`, `warn`, `aup`) in English, French, German and Italian.
- Decrypts the encrypted payload the engine attaches to the redirect URL, verifies authenticity, and surfaces the explanation to the visitor.
- Forwards the visitor's "Proceed anyway" click to the engine's Control API server-side, so the browser never speaks directly to the engine.
- Exposes a self-service CA install page (`/ca` + `/ca.crt`) for unmanaged devices (BYOD, guests, hot-desk machines) when bump mode is active.
The portal's TLS leaf is signed by the bump CA — so operators distribute one CA (the bump CA) to client trust stores and every TLS hop in the deployment chains to it.
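The encrypted redirect token mentioned in the core-features list and decrypted by the portal above is the part of this pathway that carries the most security weight: the browser can replay or edit the URL it was redirected to, so the portal has to reject anything it did not mint recently and exactly. The code below is an added example, not the portal's own token format: it shows an encrypt-then-MAC token with separate keys, constant-time tag comparison before decryption, and an expiry check. To stay on the standard library it uses HMAC-SHA256 as a counter-mode keystream for confidentiality; the page does not state which cipher the product uses, and a real deployment would normally reach for an AEAD such as AES-GCM. The verdict names and the master key are assumed or constructed.

```python
"""Encrypted, authenticated, expiring redirect token for a captive-portal landing page.

Added example, not EnforceGate's token format. Layout (assumed):
    base64url( nonce[16] || ciphertext || tag[32] )
Keys: two subkeys derived from one master key, one for encryption, one for the MAC.
"""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

VERDICTS = {"block", "warn", "aup"}          # page's verdict page names
NONCE_LEN, TAG_LEN = 16, 32


def _subkey(master: bytes, label: bytes) -> bytes:
    """Domain-separated subkeys so the MAC key never equals the encryption key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode (stdlib-only stand-in for a cipher)."""
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(payload: dict, master: bytes, now: Optional[float] = None) -> str:
    """Engine side: encrypt the verdict payload, stamp it, and MAC nonce||ciphertext."""
    if payload.get("verdict") not in VERDICTS:
        raise ValueError("unknown verdict")
    body = json.dumps({**payload, "iat": int(now if now is not None else time.time())},
                      separators=(",", ":")).encode()
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(body, _keystream(_subkey(master, b"enc"), nonce, len(body)))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode().rstrip("=")


def open_token(token: str, master: bytes, max_age: int = 300,
               now: Optional[float] = None) -> dict:
    """Portal side: verify the tag first, only then decrypt, then enforce freshness.

    Raises ValueError on any failure; the portal should show a generic error page
    and log the reason, never the token contents.
    """
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    if len(raw) < NONCE_LEN + TAG_LEN:
        raise ValueError("token too short")
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time; decrypt nothing on failure
        raise ValueError("authentication failed")
    body = _xor(ct, _keystream(_subkey(master, b"enc"), nonce, len(ct)))
    payload = json.loads(body)
    if payload.get("verdict") not in VERDICTS:
        raise ValueError("unknown verdict")
    age = (now if now is not None else time.time()) - payload["iat"]
    if age > max_age or age < -30:                # stale, or issued in the future beyond clock skew
        raise ValueError("token expired")
    return payload


if __name__ == "__main__":
    key = os.urandom(32)                           # constructed master key
    tok = seal({"verdict": "block", "url": "https://example.test/page", "proceed": False}, key)
    print(open_token(tok, key))
```

Because the token is bound to the verdict and the original URL, the portal's "Proceed anyway" handler can pass the verified payload to the Control API rather than trusting anything the browser re-submits.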
Threats protection
The following advanced security capabilities are available for separate purchase and integrate with an existing EnforceGate vX installation:
- Traffic analysis: AI/ML-driven anomaly detection over historical session data.
- Live threats protection: Real-time threat intelligence feed for proactive zero-day defence.