Configuring Check Point Secure Communication

Configuring Check Point Secure Communication

Applies to

Web Filter v7.6

Web Security v7.6

In this topic

Overview

Establishing Secure Internal Communication

Restoring Clear Communication

Overview

Secure Internal Communication (SIC) may be needed when you integrate a Check Point product with Websense software. Following are instructions for enabling this communication method, as well as instructions for disabling this communication method (see Restoring Clear Communication).

Establishing Secure Internal Communication

If Websense software is integrated with a FireWall-1 NG version, you can configure both programs to use Secure Internal Communication (SIC). A secure connection requires that communication between the Check Point product and the Websense UFP Server be authenticated before any data is exchanged.

 

Note  The use of SIC with Websense software creates performance problems and is not recommended for networks with more than 100 users.

After installing Filtering Service, establish an SIC trust between the Check Point product and Websense software:

Configure the OPSEC Application object for the Websense UFP Server within the Check Point product to use Secure Internal Communication. See Configuring the Check Point product to use SIC.

Configure Websense software to use Secure Internal Communication. See Configuring Websense software to use SIC.

Update the OPSEC Application object within the Check Point product to receive secure communications from Websense software. See Updating the OPSEC Application object.

Prerequisites

The following must be completed before you begin to configure the Check Point product to communicate with Websense software, as described in Chapter 2 of this Supplement.

Both the Check Point product and Websense software must already be installed and running.

In the Check Point product, create the following objects:

An object for the firewall. Consult Check Point product documentation for instructions.

Network Objects that represent your network topology (as needed for your filtering goals) must exist. Consult Check Point product documentation for instructions.

You must create the OPSEC Application object for the Websense UFP Server before Websense software can establish SIC. If you have not already done this, see the procedures in Creating an OPSEC application object.

 

Note  Do not perform the procedures in this section if you are using an earlier version of FireWall-1 (before FireWall-1 NG Feature Pack 1).

Configuring the Check Point product to use SIC

1.	Open the SmartDashboard, and select Manage > Servers and OPSEC Applications.

2.	Double-click the OPSEC Application object you created for the Websense UFP Server in Creating an OPSEC application object.

The OPSEC Application Properties dialog box for this object appears.

3.	If clear communication (for early version compatibility mode) is enabled, disable it:

a.	Go to the UFP Options tab of the OPSEC Application Properties dialog box for this object.

b.	Make sure the Use early versions compatibility mode check box is not selected. (This field was called Use backwards compatibility mode in earlier versions.)

4.	Click Communication.

The Communication dialog box appears.

5.	Enter and confirm an Activation Key (password) for communication between Websense Filtering Service and the Check Point product. (Make a note of this password for later use.)

6.	Click Initialize.

The Trust state field must show Initialized but trust not established.

7.	Click Close to return to the OPSEC Application Properties dialog box.

8.

Click OK.

9.	Close the Servers and OPSEC Applications dialog box.

10.	Select Policy > Install to install the policy on the firewall. See the Check Point product documentation for more information.

Configuring Websense software to use SIC

Use this procedure to obtain a SIC certificate from the Check Point product, and configure Websense software to use it. After you complete this procedure, Websense software sends this certificate each time it communicates with the Check Point product.

1.	Open a command prompt on the Websense Filtering Service machine and navigate to the directory containing the Check Point integration files (C:\Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin, by default).

2.	Enter the following command:

opsec_pull_cert –h <host> -n <object> -p <password> -o <path>

The table below explains the variables for this command.

 

Variable	Description
<host>	The IP address or machine name of the computer on which the SmartCenter Server (Management Server in earlier versions) is installed. This IP address may be the same machine as the Enforcement (FireWall) Module or a different machine.
<object>	The name of the OPSEC Application object created for the Websense UFP Server.
<password>	The activation key that you entered for the named OPSEC Application object. See Configuring the Check Point product to use SIC.
<path>	Path to the output certificate file, opsec.p12. This variable must be expressed as a complete path. If the OPSECDIR variable already exists, the default path is $OPSECDIR/opsec.p12. If the OPSECDIR variable does not exist, the opsec.p12 file is created in the same folder as the opsec_pull_cert.exe file (Websense\bin or Websense/bin/FW1).

This command contacts the firewall and downloads the Secure Internal Communication certificate that authorizes Websense software to communicate with the Check Point product, and saves the certificate in a file, opsec.p12.

The command line displays information similar to the following example:

opsec_pull_cert –h 10.201.254.245 –n Websense_UFP –p firewall –o "C:\Program Files\Websense\bin\opsec.p12"
The full entity sic name is:
CN=Websense_UFP,0=fw1_server..dwz26v
Certificate was created successfully and written to "opsec.p12".

3.	Write down the SIC name displayed by the opsec_pull_cert command.

In the example above, the SIC name is:

CN=Websense_UFP,0=fw1_server..dwz26v

4.	Open the ufp.conf file, located by default in the C:\Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin directory.

The default file contains the following syntax:

ufp_server port 18182

#ufp_server auth_port 18182

#opsec_sic_policy_file ufp_sic.conf

#opsec_sic_name "place_holder_for_opsec_SIC_name"

#opsec_sslca_file opsec.p12

The first line is used for clear communication.

The remaining lines are used for SIC. If the file does not contain the lines for SIC shown above, enter them.

5.	To enable secure communication, comment out the first line and remove the comment symbol (#) from the remaining four lines.

#ufp_server port 18182

ufp_server auth_port 18182

opsec_sic_policy_file ufp_sic.conf

opsec_sic_name "place_holder_for_opsec_SIC_name"

opsec_sslca_file opsec.p12

6.	On the opsec_sic_name line, replace the placeholder with the SIC name recorded in Step 3.

The name must be enclosed in quotation marks. For example:

opsec_sic_name "CN=Websense_UFP,0=fw1_server..dwz26v"

The completed file:

#ufp_server port 18182

ufp_server auth_port 18182

opsec_sic_policy_file ufp_sic.conf

opsec_sic_name "CN=Websense_UFP,0=fw1_server..dwz26v"

opsec_sslca_file opsec.p12

7.	Save and close the file.

8.	Stop and restart the Websense UFP Server:

Windows: Use the Windows Services dialog box.

Linux: Use the ./WebsenseAdmin restart command.

See Starting or Stopping Web Security Services for instructions on stopping and restarting Websense services. See also Stopping and restarting the UFP Server.

Stopping and restarting the UFP Server

Filtering Service must be running for the Websense UFP Server to function. When the Filtering Service is stopped, the UFP Server is automatically shut down. The UFP Server must be restarted manually. If the UFP Server is started first, it automatically starts the Filtering Service. Stopping or starting the UFP Server while the Filtering Service is running has no effect on the Filtering Service.

Updating the OPSEC Application object

After Websense software has been configured to use SIC, update the OPSEC Application object created for the Websense UFP Server.

1.	Open the SmartDashboard, and select Manage > Servers and OPSEC Applications.

2.	Double-click on the OPSEC Application object you created for the Websense UFP Server in Creating an OPSEC application object.

The OPSEC Application Properties dialog box for this object appears.

3.	Click Communication.

4.	Verify that the Trust state field shows Trust established.

5.	Click Close to return to the OPSEC Application Properties dialog box.

6.

Click OK.

7.	Close the Servers and OPSEC Applications dialog box.

8.	Select Policy > Install to install the policy on the firewall. See Check Point product documentation for more information.

9.	Open the OPSEC Application object created for the Websense UFP Server again.

10.	Go to the UFP Options tab of the OPSEC Application Properties dialog box for this object.

11.	Make sure the Use early versions compatibility mode check box is not selected. (This field was called Use backwards compatibility mode in earlier versions.)

12.	Click Get Dictionary.

Websense software provides the Check Point product with a dictionary of 2 categories: Blocked and Not Blocked. The full set of Websense categories is configured through TRITON - Web Security.

See TRITON - Web Security Help for more information.

 

Important  Before continuing, make sure the Use early versions compatibility mode check box is not selected.

13.

Click OK.

14.	Close the Servers and OPSEC Applications dialog box.

15.	Select Policy > Install to install the policy on the firewall. See Check Point product documentation for additional information.

The SIC trust is established now between Websense software and the Check Point product. Continue with the configuration in Creating Resource Objects.

Restoring Clear Communication

To restore clear communication (early versions compatibility mode) on a system configured for Secure Internal Communication (SIC):

1.	On the Websense Filtering Service machine, navigate to the directory where the Check Point integration files are installed (C:\Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin, by default).

2.	Open the ufp.conf file in any text editor.

When the Check Point product is configured for SIC, this file contains the following syntax:

#ufp_server port 18182

ufp_server auth_port 18182

opsec_sic_policy_file ufp_sic.conf

opsec_sic_name "place_holder_for_opsec_SIC_name"

opsec_sslca_file opsec.p12

When SIC is fully configured, the contents of the quotation marks in line 4 are replaced with an actual opsec_SIC_name, such as CN=Websense_UFP,0=fw1_server..dwz26v

3.	To restore clear communication, remove the comment symbol (#) from the first line, and comment out the remaining lines:

ufp_server port 18182

#ufp_server auth_port 18182

#opsec_sic_policy_file ufp_sic.conf

#opsec_sic_name "place_holder_for_opsec_SIC_name"

#opsec_sslca_file opsec.p12

4.	Save the file.

5.	Stop and start the Websense UFP Server:

Windows: Use the Windows Services dialog box.

Linux: Use the ./WebsenseAdmin restart command.

See Starting or Stopping Web Security Services for instructions on stopping and restarting Websense services. See also Stopping and restarting the UFP Server.

6.	Open the SmartDashboard, and select Manage > Servers and OPSEC Applications.

7.	Double-click on the OPSEC Application object for the Websense UFP Server.

The OPSEC Application Properties dialog box for this object appears.

8.	Click Communication.

The Communication dialog box appears.

9.	Click Reset to revoke the SIC certificate and stop SIC.

A confirmation dialog box is displayed.

10.	Click Yes to continue.

11.	Click Close to return to the OPSEC Application Properties dialog box.

12.	Go to the UFP Options tab.

13.	Check the Use early versions compatibility mode option (Backwards Compatibility in earlier versions of FireWall-1 NG).

14.	Select Clear (opsec).

15.	Click Get Dictionary.

Websense software provides the Check Point product with a dictionary of 2 categories: Blocked and Not Blocked. The full set of Websense categories is configured via TRITON - Web Security.

16.

Click OK.

17.	Close the OPSEC Applications dialog box.

18.	Select Policy > Install to install the policy on the firewall. See Check Point product documentation for more information.

Configuring Check Point Secure Communication