Websense software creates Websense.log and ufpserver.log files when errors occur. These files are located in the Websense bin directory (C:\Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin, by default).
In addition to the subscription and access problems discussed in the Websense , a rule in the firewall could be blocking the download. Create a rule in the Check Point product at the top of the rule base that allows all traffic (outbound) from the Websense Filtering Service machine. If this test succeeds, move the rule down systematically until the problematic rule is found.
The Get Dictionary process occurs between the Check Point SmartCenter Server and Websense Filtering Service. If the SmartCenter Server is not installed on the same machine as the Check Point Enforcement Module, you may need to configure the Check Point product to allow communication between the machines running the SmartCenter Server and Filtering Service. See Distributed environments for more information.
If the FW1_ufp Service defined in the Check Point product uses a different port than the Filtering Service filtering port (default 18182), Websense software cannot communicate with the Check Point product. As a result, the Check Point product cannot retrieve the Websense dictionary entries.
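To tell a port mismatch apart from a blocking firewall rule, probe the filtering port from the SmartCenter Server machine. The following Python script is an added example, not Websense or Check Point tooling; the host name is a hypothetical placeholder, and 18182 is the default filtering port named above.

```python
import errno
import socket
import sys

UFP_DEFAULT_PORT = 18182  # default Filtering Service filtering port, per the text above


def probe_ufp_port(host, port=UFP_DEFAULT_PORT, timeout=3.0):
    """Attempt one TCP connect and classify the outcome.

    "open"     - a service accepted the connection on this port
    "refused"  - host answered but nothing listens here (port mismatch
                 with FW1_ufp, or Filtering Service is not running)
    "filtered" - no answer before the timeout (a rule is probably
                 dropping the traffic; see the rule-base test above)
    "error: X" - name resolution or routing failure
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        return "error: " + errno.errorcode.get(exc.errno, str(exc))


def diagnose(host, ports, timeout=3.0):
    """Probe each candidate port and return {port: state}."""
    return {p: probe_ufp_port(host, p, timeout) for p in ports}


if __name__ == "__main__":
    # Hypothetical host name; pass the Filtering Service machine as argv[1].
    # Run this on the SmartCenter Server, where Get Dictionary originates.
    host = sys.argv[1] if len(sys.argv) > 1 else "filtering-service.example.internal"
    # Add the port configured in the FW1_ufp Service if it is not the default.
    for port, state in diagnose(host, [UFP_DEFAULT_PORT]).items():
        print(f"{host}:{port} -> {state}")
```

A "refused" result points at the port or service configuration, while "filtered" points back at the rule base or the gateway's policy properties.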
If the Websense dictionary does not load, check your communication settings. The method of communication selected in the OPSEC Application object must be consistent with that defined in the ufp.conf file (SIC or clear communication).
For example, if you have selected early version compatibility mode in the OPSEC Application Properties dialog box (see Early versions compatibility mode), the first line in the ufp.conf file must be:
Although it is enabled by default, some environments need to disable the Accept Outgoing Packet Originating from Gateway setting in the Check Point product's policy properties. Since the firewall cannot send any traffic in this environment, it cannot request the dictionary.
When you click Get Dictionary in the Match tab of the URI Definition dialog box, FireWall-1 NG (Feature Pack 1 or later) contacts Websense Filtering Service via SIC trust to retrieve a list of categories for use in Check Point rules. If the SIC trust was not configured correctly, this contact fails and no categories can be retrieved.
Users who have configured FireWall-1 NG with AI for enhanced UFP performance may not be able to filter Internet requests. This is a Check Point licensing issue and not a configuration problem. A license from an older version of NG cannot work with the newer version of NG with AI. Contact Check Point to update your license for your version of FireWall-1 NG with AI.
The FTP request is sent as ftp://. The Check Point product then sends the packet to the Websense software with an http:// header. Websense software performs a lookup against HTTP categories instead of performing a protocol lookup, and the FTP request is blocked or permitted according to the category assigned to the HTTP version of the same URL.