Check Point Integration

Check Point Integration

Applies to

Web Filter v7.6

Web Security v7.6

In this topic

Overview

Supported Check Point product versions

How Websense filtering works with Check Point products

Distributed environments

Client computers and Check Point products

Communicating with Websense software

Installing Web Filter or Web Security to integrate with Check Point

Initial setup

Upgrade

Migrating between Check Point versions

Related topics:

Configuring Check Point Products to Work with Web Filter or Web Security

Configuring Check Point Secure Communication

Troubleshooting Check Point Integration

Overview

This section of the Websense Technical Library provides information specific to integrating Websense Web Filter or Web Security with Check Point® products. Refer to Web Filter or Web Security (software-based) as your primary source of installation information. Only additional or alternative steps required to integrate Web Filter or Web Security with Check Point prodcuts are provided here.

Supported Check Point product versions

Websense Web Security and Websense Web Filter are compatible with the following Check Point products:

FireWall-1 Feature Pack 1 or greater

FireWall-1 NG AI

FireWall-1 NGX

How Websense filtering works with Check Point products

An integration with a Check Point product works with Websense components as follows:

Filtering Service: Interacts with the Check Point product and Network Agent to filter Internet requests.

Network Agent: Manages Internet protocols that are not managed by the Check Point product.

 

Important  Do not install Network Agent on the Check Point machine.

Check Point products provide network security and a framework for content filtering. Websense software communicates with the Check Point product via URL Filtering Protocol (UFP). Websense software is implemented as a UFP Server, and communicates with the Check Point product over TCP sockets. By default, Websense software listens on port 18182 for messages from the Check Point product.

To begin filtering:

Client computers must point to the machine running the Check Point product as their default gateway. Typical networks implement this configuration for security reasons unrelated to filtering.

The Check Point product must be configured to use a rule to analyze all HTTP requests, as well as FTP requests issued by a browser that proxies to the Check Point product. The rule must use the URI Specifications for HTTP.

 

Note  If Websense software must download the Master Database through a proxy server or firewall that requires authentication for any HTTP traffic, the proxy server or firewall must be configured to accept clear text or basic authentication.

When Websense software is integrated with a Check Point product, you define policies within TRITON - Web Security (the configuration interface for Websense software). These policies identify which of the Websense categories are blocked or permitted during different times and days. Within the Check Point product, you typically define a rule that directs the firewall to reject requests for sites in Websense categories whose action is set to block, limit by quota, or confirm. If a client selects an option to view a site with quota time on a block page, Websense software tells the Check Point product to permit the site.

When the Check Point product receives an Internet request for either an HTTP site or an FTP site requested by a browser that uses the firewall as a proxy, it queries Websense Filtering Service to determine if the site should be blocked or permitted.

Filtering Service checks the policy assigned to the client. Each policy designates specific time periods and lists the category filters that are in effect during those periods.

After Filtering Service determines which categories are blocked for that client, it checks the Websense Master Database to locate the category for the requested URL:

If the site is assigned to a blocked category, the client receives a block page instead of the requested site.

If the site is assigned to a permitted category, Filtering Service notifies the Check Point product that the site is not blocked, and the client is allowed to see the site.

Distributed environments

When the SmartCenter™ server (FireWall-1 Management Server in FireWall-1) is separated from the Enforcement Module (FireWall-1 Module in FireWall-1), modify your Rule Base to allow the SmartCenter Server to communicate with Websense Filtering Service during setup. This allows the Check Point product to load the Websense dictionary, which contains the categories Blocked and Not Blocked.

All other communication is between Filtering Service and the Enforcement Module. See Check Point documentation for instructions on modifying the Rule Base.

 

Note  It is a best practice to install Websense components on a different machine than the Check Point product. If you choose to install Websense software and the Check Point product on the same machine, see the Websense Knowledge Base for configuration instructions. Search the Websense Knowledge Base (at www.websense.com/SupportPortal/) for the terms Installing Websense software on Check Point Firewall-1.

Client computers and Check Point products

Check Point products process HTTP requests transparently, so no Internet browser changes are required on client computers. You can have clients proxy to the firewall to enable user authentication within that firewall, or to enable filtering of FTP requests from a browser. See Check Point product documentation for instructions on handling FTP requests.

If clients use the firewall as a proxy, browsers on client computers must be configured to support proxy-based connections.

Communicating with Websense software

Depending on which Check Point product is running, Websense software may communicate with the firewall through a secure connection or a clear connection.

A secure connection requires that communication between the Check Point product and the Websense UFP Server is authenticated before any data is exchanged.

A clear connection allows Websense software and the Check Point product to transfer data without restrictions.

The connection options for each supported Check Point product version are similar, but have some slight differences.

FireWall-1 NGX or FireWall-1 NG with Application Intelligence (AI): clear connection is the default. An authenticated connection can be established, but is not recommended because of performance issues. In addition, a clear connection is required to use the Enhanced UFP Performance feature described in the next section.

FireWall-1 NG Feature Pack 1 or later: clear connection is the default, but a Secure Internal Communication (SIC) trust connection can be configured within both Check Point and Websense software.

See Configuring Check Point Products to Work with Web Filter or Web Security for the appropriate procedures to establish secure or clear communication with the Websense software.

Enhanced UFP performance

The enhanced UFP performance feature increases the amount of traffic that Websense software and the Check Point product can filter while reducing CPU load.

Configuring enhanced UFP performance requires the proper settings in both Websense software and the Check Point product. See Configuring enhanced UFP performance for detailed configuration procedures.

 

Note  To use enhanced UFP performance, Websense software and the Check Point product must be configured for clear communication.

Installing Web Filter or Web Security to integrate with Check Point

Refer to Installing Web Security components for complete installation instructions. When installing Filtering Service, follow the installation instructions until prompted to select an integration option.

On the Integration Option screen, select Integrated with another application or device.

On the Select Integration screen, select Check Point.

If Network Agent is included in this installation, a warning advises against installing Network Agent on the same machine as the firewall. An exception allows Websense software and the firewall to be installed on an appliance with separate virtual processors to accommodate both products.

Select Yes, install Network Agent only if the machine has separate virtual processors.

Follow the remaining screens in the Websense installer to complete the installation.

See Configuring Check Point Products to Work with Web Filter or Web Security for information on configuring the firewall integration with Websense software.

Initial setup

If Filtering Service is installed on a multihomed machine, or on the machine that is running the Check Point product (not recommended), identify Filtering Service by its IP address in your network so that Websense block messages can be sent to users.

See Identifying Filtering Service by IP address for instructions.

Upgrade

Before upgrading Websense software, make sure your Check Point product is supported by the new version. See Supported Check Point product versions.

Follow the instructions in Upgrading Web Security or Web Filter to 7.6.0.

Update the Check Point dictionary with new Websense settings, and update the Websense Resource Object in SmartCenter before you begin filtering with the new version of Websense software.

For more information, see Configuring Check Point Products to Work with Web Filter or Web Security.

Migrating between Check Point versions

If you plan to upgrade your Check Point product (from FireWall-1 NG to FireWall-1 NGX, for example), do so after upgrading the Websense software.

Important  Do not make any additional modifications to your Websense software until after you have upgraded your firewall product.

See Upgrading Web Security or Web Filter to 7.6.0 for instructions on upgrading Websense software.

See Check Point documentation for information on upgrading the Check Point software.

See Configuring Check Point Products to Work with Web Filter or Web Securityfor the necessary configuration procedures to ensure that your new version of the Check Point product can communicate with Websense software.

Check Point Integration