Configuring Check Point Products to Work with Web Filter or Web Security

Configuring Check Point Products to Work with Web Filter or Web Security

Applies to

Web Filter v7.6

Web Security v7.6

In this topic

Overview

Creating a network object

Creating an OPSEC application object

Creating Resource Objects

Defining rules

Configuring enhanced UFP performance

Overview

In addition to defining Websense filtering policies and assigning them to the appropriate clients, you must set up the Check Point product with the necessary objects and rules. In describing these objects and rules, this chapter assumes that you are familiar with general Check Point product concepts.

The following tasks must be completed before you begin to configure the Check Point product to communicate with Websense software:

Both the Check Point product and either Websense Web Security or Websense Web Filter must be installed and running.

In the Check Point product, create:

An object for the firewall itself, if it does not already exist (it typically is created by default upon installation of the Check Point product).

Objects that represent your network topology (as needed for filtering).

See Check Point product documentation for more information on objects.

Configuring FireWall-1 NG, FireWall-1 NG with AI, and FireWall-1 NGX for Websense content filtering involves the following procedures:

Create a network object for the machine running Websense Filtering Service. See Creating a network object.

Create an OPSEC™ application object for the Websense UFP Server. See Creating an OPSEC application object.

Create URI resource objects for the dictionary categories that Websense software sends to the Check Point product. See Creating Resource Objects.

When creating the URI resource objects, you can configure both Websense software and the Check Point product to use Secure Internal Communication (SIC), rather than the default clear communication. See Establishing Secure Internal Communication.

To return to clear communication, see Restoring Clear Communication.

Define rules that govern how the Check Point product behaves when it receives a response from Websense software. See Defining rules.

Optionally, you can configure the Check Point product for enhanced UFP performance. This applies only to FireWall-1 NG with Application Intelligence and FireWall-1 NGX. Make sure that you have configured the Check Point product for Websense content filtering before this procedure. See Configuring enhanced UFP performance.

 

Note  The procedures and illustrations in this chapter are based on FireWall-1 NGX. If FireWall-1 NG or FireWall-1 NG with Application Intelligence (AI) is running, you may notice slight differences in screens and field names.

Creating a network object

1.	Open a Check Point SmartConsole, such as SmartDashboard™ (Policy Editor in earlier versions). See your Check Point product documentation for detailed instructions on using SmartConsole.

2.	If you have not already done so, create a network object (Manage > Network Objects > New > Node > Host) for the machine running Filtering Service.

This object is required only if Websense software runs on a separate machine behind the firewall, as recommended.

3.	Select General Properties in the left column. The following dialog box appears.

 

4.	Complete the items in the page:

 

Field	Description
Name	Enter a descriptive name for the network object representing the machine on which Filtering Service is running, such as Websense (make a note of this name for later use). Note: If your DNS is configured to resolve machines within your network, enter the Filtering Service machine's host name here. Then, for IP Address, you can click Get address to resolve the host name to its IP address automatically.
IP Address	Enter the IP address of the machine running Filtering Service. Note: If you entered a host name for Name, you can click Get address to find the machine's IP address automatically. See the description for Name, above, for more information.
Comment	Enter a description for this object.
Color	Select a color for displaying this object in SmartDashboard.

5.

Click OK.

Creating an OPSEC application object

After you create the network object for the machine running Filtering Service, you must create an OPSEC application object for the Websense UFP Server. The UFP server was installed with the other components when you chose Check Point as your integration product during installation.

1.	Open SmartDashBoard, if it is not already open.

2.	Select Manage > Servers and OPSEC Applications.

3.	Click New, and then select OPSEC Application from the drop-down list.

4.	Select the General tab in the OPSEC Application Properties dialog box.

5.	Complete the items on the tab:

 

Field	Description
Name	Enter a descriptive name, such as Websense_ufp (make a note of this name for later use).
Comment	Enter a description for this object.
Color	Select a color for displaying this object in SmartDashboard.
Host	Select the network object created in the previous section. This object identifies the machine running Filtering Service. If you have not yet created this object, click New to create it. See Creating a network object for instructions.
Vendor	Select Websense.
Product	This value is not used in creating an object and does not need to be changed.
Version	This value is not used in creating an object and does not need to be changed.
Server Entities	UFP is checked automatically when you select Websense as the Vendor, and.cannot be changed.

6.	Select the UFP Options tab.

7.	Check the Use early versions compatibility mode option (Backwards Compatibility in earlier versions).

If Secure Internal Communication (SIC) is used, go to Establishing Secure Internal Communication to complete this section.

If SIC is not used, select Clear (opsec).

8.	Click Get Dictionary.

Websense software provides the Check Point product with a dictionary containing these categories: Blocked and Not Blocked. The full set of Websense categories is configured via TRITON - Web Security. See TRITON - Web Security Help for more information.

9.

Click OK.

10.	Close the OPSEC Applications dialog box.

11.	Select Policy > Install to install the policy on the firewall.

See the Check Point product documentation for more information.

Creating Resource Objects

Create a Resource Object to define a Uniform Resource Identifier (URI) that uses the HTTP protocol. This URI identifies the Websense dictionary category Blocked.

1.	Open SmartDashboard and select Manage > Resources.

The Resources dialog box appears.

2.	Click New, and choose URI from the submenu to display the URI Resource Properties dialog box.

3.	Select the General tab, and complete the items in the tab.

 

Field	Description
Name	Enter a name for this URI Resource Object, such as Blocked_Sites.
Comment	Enter a description for this object.
Color	Select a color for this object's icon.
Use this resource to	Select Enforce URI capabilities. This option enables all other functionality of the URI resource, such as configuring CVP checking on the CVP tab. All basic parameters defining schemes, hosts, paths, and methods apply. The URL is checked for these parameters.
Connection Methods	Mark both the Transparent and the Proxy check boxes.
Exception Track	Select the desired method for tracking exceptions. See the Check Point product documentation for more information.
URI Match Specification Type	Select UFP.

 

4.	Select the Match tab, and complete the items in the tab.

 

Field	Description
UFP server	Select the OPSEC Application object that was created for the Websense UFP Server in Creating an OPSEC application object.
UFP caching control	Select a caching option. No caching is the recommended setting for most networks.
Categories	Mark the Blocked check box.
Ignore UFP server after connection failure	Mark this check box to permit full HTTP and FTP access if Websense Filtering Service is not running or cannot be contacted. Dependent fields allow you to set the number of times the Check Point product tries to contact Websense software before ignoring it, and the length of time the Check Point product ignores Websense software before attempting to reconnect. Clear this check box to block all HTTP and FTP access when Filtering Service is not running.

5.

Click OK.

6.	Close the Resources dialog box.

7.	Select Policy > Install to install the policy on the firewall.

See Check Point product documentation for more information.

Defining rules

This section describes a content filtering scenario and its configuration. It includes information about the objects and rules that are needed to implement the suggested configuration.

 

Note  The configuration described in this section assumes that all clients have a default route set to the firewall and do not proxy to the firewall. This configuration also assumes that the recommended network configuration is being used: Websense software is running on a separate machine, behind the firewall, and caching is disabled.

In this scenario, the Check Point product denies access to any site that Websense software indicates is blocked, and allows access to any site that Websense software indicates is not blocked. The actual sites blocked may vary according to the computer making the request.

Use TRITON - Web Security to define policies that block the appropriate categories, and assign them to the desired computers or directory objects.

For example, you might modify the Default policy to use a category filter that blocks access to all categories except the Travel, and Business and Economy categories. This policy is applied to most computers.

A separate, more liberal policy could be defined for managers, which blocks only those categories considered a liability risk, such as Adult Material and Gambling. This policy, called Management, would be assigned to the computers used by top managers.

After the Websense policies are configured, you define rules in the Check Point product to prevent access to any site that Websense software indicates is blocked.

To set up this configuration in the Check Point product, you must create one URI Resource Object and one Network Object, and define two rules.

Create a URI Resource Object for the Blocked category as described in Creating Resource Objects.

In this example, the URI Resource Object is called Blocked_Sites because Websense software is configured to block sites that are not required for business purposes.

Create a Network Object that encompasses all machines on the internal network. This example assumes that everyone in the company is on the internal network. For this example, the Network Object is called Internal_Network.

Add the rules to the Security Rules Base. The sequence of the rules is important, because the Check Point product evaluates the rules sequentially, from top to bottom.

RULE 1: Blocks access to undesirable Web sites. Add the new rule at an appropriate location in the Rule Base:

 

Name	(NGX only) Enter a descriptive name for the rule, such as Websense Block
Source	Add Internal_Network
Destination	Any (default)
Service	Add with Resource In the Service with Resource dialog box, select HTTP. Under Resource, select Blocked_Sites from the drop-down menu. This object was created in Creating Resource Objects.
Action	Reject
Track	None
Install On	Policy Targets
Time	Any (default)
Comment	(NGX only) Enter a more detailed description of the rule.

RULE 2: The second rule allows access to all other Web sites. Add the second rule after Rule 1.

 

Name	(NGX only) Enter a descriptive name for the rule, such as Websense Allow
Source	Add Internal_Network
Destination	Any (default)
Service	Add/HTTP
Action	Accept
Track	None
Install On	Policy Targets
Time	Any (default)
Comment	(NGX only) Enter a more detailed description of the rule.

The following illustrations provide examples of Security Rule Base after the rules are defined.

After defining the rules described above, Verify and Install the policy from the Policy menu. See Check Point product documentation for more information.

 

Important  For normal operation, set Track to None in the Websense rules. This disables logging in the Check Point product. When logging is enabled for these rules, the log files become very large, and adversely impact performance. Configure other options in the Track field only when you are testing and troubleshooting.

When the Check Point product receives an HTTP request, it sends Websense software the address of the requested site, as well as the IP address of the computer requesting the site.

For example, the CNN Web site is requested by a top manager. Websense software categorizes the site as News and Media. Websense software indicates that the site is Not Blocked under the Management policy that you defined in TRITON - Web Security. The Check Point product allows the site according to Rule 2.

If the CNN site was requested from an accounting clerk's computer, Websense software indicates that the site is Blocked because that computer is governed by the Websense Default policy, which blocks the News and Media category. The Check Point product denies the request according to Rule 1, and a Block Page is displayed on the clerk's computer.

Any time a computer requests a site not categorized by the Websense Master Database, Websense software indicates that the site is not in the database. The Check Point product allows access to the site according to Rule 2.

Configuring enhanced UFP performance

Enhanced UFP performance improves the performance of the UFP Server by increasing the amount of traffic that Websense software and the Check Point product can filter while reducing CPU load.

Configuring enhanced UFP performance requires the proper settings in Websense Web Security or Websense Web Filter, and in the Check Point product. In order to use enhanced UFP Performance, clear communication is required between Websense software and the Check Point product.

 

Note  Before performing the following procedures, make sure you have configured the Check Point product for content filtering with Websense software, as described earlier in this chapter.

Websense configuration

Before configuring the Check Point product for enhanced UFP performance, open the ufp.conf file and make sure Websense software is configured for clear communication:

1.	On the Websense Filtering Service machine, navigate to the directory where the Check Point integration files are installed. The default directories are:

Windows: C:\Program Files or Program Files (x86)\Websense\Web Security\bin

Linux: /opt/Websense/bin

2.	Open the ufp.conf file in any text editor.

The file must contain the following line to be configured for clear communication:

ufp_server port 18182

Additional lines that appear in this file are used for Secure Internal Communication, and must be commented out using the comment symbol (#):

#ufp_server auth_port 18182

#opsec_sic_policy_file ufp_sic.conf

#opsec_sic_name "place_holder_for_opsec_SIC_name"

#opsec_sslca_file opsec.p12

3.	Edit the file, if necessary, to match the commands in the previous step.

4.	Save and close the ufp.conf file.

5.	Stop and restart the Websense UFP Server:

Windows: Use the Windows Services dialog box.

Linux: Use the ./WebsenseAdmin restart command.

See Starting or Stopping Web Security Services for instructions on stopping and restarting Websense services. See also Stopping and restarting the UFP Server.

Check Point product configuration

To configure for enhanced UFP performance in the Check Point product:

Configure the OPSEC Application object for the Websense UFP Server to operate in early versions compatibility mode (previously known as backwards compatibility mode) for clear communication.

Clear communication is the default for FireWall-1 NG with AI and FireWall-1 NGX. See Early versions compatibility mode.

Configure the URI Resource Object that identifies the Websense dictionary category Blocked for enhanced UFP performance. See Enhanced UFP performance.

Early versions compatibility mode

Follow these steps to configure the previously created OPSEC Application object for the Websense UFP Server to operate in early versions compatibility mode (clear communication) for enhanced UFP performance.

1.	Open the SmartDashboard, and select Manage > Servers and OPSEC Applications.

2.	Double-click on the OPSEC Application object you created for the Websense UFP Server in Creating an OPSEC application object.

The OPSEC Application Properties dialog box for this object appears.

3.	Select the UFP Options tab.

4.	Select Use early versions compatibility mode (Backwards Compatibility in earlier versions).

5.	Select Clear (opsec).

6.

Click OK.

7.	Close the Servers and OPSEC Applications dialog box.

8.	Select Policy > Install to install the policy on the firewall. See Check Point product documentation for more information.

Enhanced UFP performance

To configure the previously created URI Resource Object that identifies the Websense dictionary category Blocked for enhanced UFP performance:

1.	Open the SmartDashboard, and select Manage > Resources.

The Resources dialog box appears.

2.	Double-click on the Resource Object you created for the Websense dictionary category Blocked in Creating Resource Objects.

The URI Resource Properties dialog box for this resource appears.

3.	In the General tab, select Enhance UFP performance.

4.	Select the Match tab.

5.	Reselect the OPSEC Application object for the Websense UFP Server in the UFP server field. In this example, the object is named Websense_ufp.

6.	Clear and then mark the Blocked category, and click OK.

7.	Close the Resources dialog box.

8.	Select Policy > Install to install the policy on the firewall. See the Check Point product documentation for more information.

Configuring Check Point Products to Work with Web Filter or Web Security