Configuring Check Point Secure Communication

Secure Internal Communication (SIC) may be needed when you integrate a Check Point product with Websense software. Following are instructions for enabling this communication method, as well as instructions for disabling it (see Restoring Clear Communication).

If Websense software is integrated with a FireWall-1 NG version, you can configure both programs to use Secure Internal Communication (SIC). A secure connection requires that communication between the Check Point product and the Websense UFP Server be authenticated before any data is exchanged.

The use of SIC with Websense software creates performance problems and is not recommended for networks with more than 100 users.

After installing Filtering Service, establish an SIC trust between the Check Point product and Websense software:
Configure the OPSEC Application object for the Websense UFP Server within the Check Point product to use Secure Internal Communication. See Configuring the Check Point product to use SIC.
Update the OPSEC Application object within the Check Point product to receive secure communications from Websense software. See Updating the OPSEC Application object.

The following must be completed before you begin to configure the Check Point product to communicate with Websense software, as described in Chapter 2 of this Supplement.
Network Objects that represent your network topology (as needed for your filtering goals) must exist. Consult Check Point product documentation for instructions.
You must create the OPSEC Application object for the Websense UFP Server before Websense software can establish SIC. If you have not already done this, see the procedures in Creating an OPSEC application object.
Do not perform the procedures in this section if you are using an earlier version of FireWall-1 (before FireWall-1 NG Feature Pack 1).
1.
2. The OPSEC Application Properties dialog box for this object appears.
a. Go to the UFP Options tab of the OPSEC Application Properties dialog box for this object.
b. Make sure the Use early versions compatibility mode check box is not selected. (This field was called Use backwards compatibility mode in earlier versions.)
4. Click Communication.
5. Enter and confirm an Activation Key (password) for communication between Websense Filtering Service and the Check Point product. (Make a note of this password for later use.)
6. Click Initialize.
7. Click Close to return to the OPSEC Application Properties dialog box.
8. Click OK.
10. Select Policy > Install to install the policy on the firewall. See the Check Point product documentation for more information.

Use this procedure to obtain a SIC certificate from the Check Point product, and configure Websense software to use it. After you complete this procedure, Websense software sends this certificate each time it communicates with the Check Point product.
1. Open a command prompt on the Websense Filtering Service machine and navigate to the directory containing the Check Point integration files (C:\Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin, by default).
The opsec_pull_cert command takes the following parameters (in the order used in the example command below):

-h  The IP address or machine name of the computer on which the SmartCenter Server (Management Server in earlier versions) is installed. This may be the same machine as the Enforcement (FireWall) Module or a different machine.
-n  The name of the OPSEC Application object created for the Websense UFP Server.
-p  The activation key that you entered for the named OPSEC Application object. See Configuring the Check Point product to use SIC.
-o  Path to the output certificate file, opsec.p12. This value must be expressed as a complete path.

If the OPSECDIR variable does not exist, the opsec.p12 file is created in the same folder as the opsec_pull_cert.exe file (Websense\bin or Websense/bin/FW1).

This command contacts the firewall and downloads the Secure Internal Communication certificate that authorizes Websense software to communicate with the Check Point product, and saves the certificate in a file, opsec.p12. For example:

opsec_pull_cert -h 10.201.254.245 -n Websense_UFP -p firewall -o "C:\Program Files\Websense\bin\opsec.p12"

The command displays output similar to the following:

The full entity sic name is:
CN=Websense_UFP,O=fw1_server..dwz26v
Certificate was created successfully and written to "opsec.p12".
3. Write down the SIC name displayed by the opsec_pull_cert command.
4. Open the ufp.conf file, located by default in the C:\Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin directory.

The remaining lines are used for SIC. If the file does not contain the lines for SIC shown above, enter them.
5. To enable secure communication, comment out the first line and remove the comment symbol (#) from the remaining four lines.
Windows: Use the Windows Services dialog box.
Linux: Use the ./WebsenseAdmin restart command.

See Starting or Stopping Web Security Services for instructions on stopping and restarting Websense services. See also Stopping and restarting the UFP Server.

Filtering Service must be running for the Websense UFP Server to function. When the Filtering Service is stopped, the UFP Server is automatically shut down. The UFP Server must be restarted manually. If the UFP Server is started first, it automatically starts the Filtering Service. Stopping or starting the UFP Server while the Filtering Service is running has no effect on the Filtering Service.

After Websense software has been configured to use SIC, update the OPSEC Application object created for the Websense UFP Server.
1.
2. The OPSEC Application Properties dialog box for this object appears.
3. Click Communication.
4.
5. Click Close to return to the OPSEC Application Properties dialog box.
6. Click OK.
8. Select Policy > Install to install the policy on the firewall. See Check Point product documentation for more information.
10. Go to the UFP Options tab of the OPSEC Application Properties dialog box for this object.
11. Make sure the Use early versions compatibility mode check box is not selected. (This field was called Use backwards compatibility mode in earlier versions.)
12. Click Get Dictionary.

Websense software provides the Check Point product with a dictionary of 2 categories: Blocked and Not Blocked. The full set of Websense categories is configured through TRITON - Web Security.
13. Click OK.
15. Select Policy > Install to install the policy on the firewall. See Check Point product documentation for additional information.

The SIC trust is now established between Websense software and the Check Point product. Continue with the configuration in Creating Resource Objects.

Restoring Clear Communication

To restore clear communication (early versions compatibility mode) on a system configured for Secure Internal Communication (SIC):
1. On the Websense Filtering Service machine, navigate to the directory where the Check Point integration files are installed (C:\Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin, by default).
2. Open the ufp.conf file in any text editor.

When SIC is fully configured, the contents of the quotation marks in line 4 are replaced with an actual opsec_SIC_name, such as CN=Websense_UFP,O=fw1_server..dwz26v.
3. To restore clear communication, remove the comment symbol (#) from the first line, and comment out the remaining lines:
Windows: Use the Windows Services dialog box.
Linux: Use the ./WebsenseAdmin restart command.

See Starting or Stopping Web Security Services for instructions on stopping and restarting Websense services. See also Stopping and restarting the UFP Server.
6. The OPSEC Application Properties dialog box for this object appears.
8. Click Communication.
9. Click Reset to revoke the SIC certificate and stop SIC.
10. Click Yes to continue.
11.
12. Go to the UFP Options tab.
13. Check the Use early versions compatibility mode option (Backwards Compatibility in earlier versions of FireWall-1 NG).
14. Select Clear (opsec).
15. Click Get Dictionary.

Websense software provides the Check Point product with a dictionary of 2 categories: Blocked and Not Blocked. The full set of Websense categories is configured via TRITON - Web Security.
16. Click OK.
18. Select Policy > Install to install the policy on the firewall. See Check Point product documentation for more information.
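The ufp.conf edits from step 5 of the SIC procedure and step 3 of Restoring Clear Communication, together with the SIC-name check from step 3 of the certificate procedure, as an added Python example that is not part of this Supplement or of Websense's own tooling. It assumes the five-line ufp.conf layout the text describes (one clear-communication line followed by four SIC lines, the fourth carrying the quoted SIC name); the directive names, the opsec_pull_cert output and the SIC name in the samples are constructed placeholders.

```python
import re

# Constructed sample of opsec_pull_cert output (placeholder DN, not a real SIC name).
PULL_CERT_OUTPUT = """\
The full entity sic name is:
CN=Websense_UFP,O=fw1_server..dwz26v
Certificate was created successfully and written to "opsec.p12".
"""

# Constructed stand-in for the five ufp.conf lines the procedure edits: line 1 is the
# clear-communication line, lines 2-5 the SIC lines, line 4 holds the quoted SIC name.
UFP_CONF_CLEAR = """\
clear_directive_placeholder
#sic_directive_placeholder_1
#sic_directive_placeholder_2
#opsec_sic_name_placeholder ""
#sic_directive_placeholder_4
"""

def sic_name_from_pull_cert_output(output, object_name):
    """Extract the SIC name printed by opsec_pull_cert and check that its CN
    matches the OPSEC Application object name passed with -n."""
    m = re.search(r"^The full entity sic name is:\s*\n(CN=[^,\n]+,O=\S+)\s*$",
                  output, re.MULTILINE)
    if not m:
        raise ValueError("no SIC name found in opsec_pull_cert output")
    sic_name = m.group(1)
    cn = sic_name.split(",", 1)[0][len("CN="):]
    if cn != object_name:
        raise ValueError(f"SIC name CN {cn!r} does not match {object_name!r}")
    return sic_name

def set_ufp_mode(conf, sic_name=None):
    """Switch ufp.conf text to SIC (sic_name given: comment out line 1, uncomment
    lines 2-5, put the name between the quotes on line 4) or back to clear
    communication (sic_name None: the reverse; the quoted name is left as is)."""
    lines = conf.splitlines()
    if len(lines) < 5:
        raise ValueError("expected at least five ufp.conf lines")
    commented = lambda s: s if s.startswith("#") else "#" + s
    uncommented = lambda s: s.lstrip("#")
    if sic_name is not None:
        lines[0] = commented(lines[0])
        lines[1:5] = [uncommented(l) for l in lines[1:5]]
        lines[3] = re.sub(r'"[^"]*"', f'"{sic_name}"', lines[3], count=1)
    else:
        lines[0] = uncommented(lines[0])
        lines[1:5] = [commented(l) for l in lines[1:5]]
    return "\n".join(lines) + "\n"
```

Checking the CN against the object name catches a certificate pulled for the wrong OPSEC Application object before it is written into ufp.conf.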