Technical Library | Support

Go to the table of contents Go to the previous page Go to the next page
Integrating Web Security with Check Point > Configuring CheckPoint secure communication
Configuring CheckPoint secure communication
Deployment and Installation Center | Web Security Solutions | Version 7.7.x
 
Applies to:                                         
In this topic                                       
*
Web Filter and Web Security, v7.7.x
*
Establishing Secure Internal Communication
*
Restoring Clear Communication
ISecure Internal Communication (SIC) may be needed when you integrate a Check Point product with Websense software. Following are instructions for enabling and disabling this communication method.
Establishing Secure Internal Communication
If Websense software is integrated with a FireWall-1 NG version, you can configure both programs to use Secure Internal Communication (SIC). A secure connection requires that communication between the Check Point product and the Websense UFP Server be authenticated before any data is exchanged.
 
* 
Note 
The use of SIC with Websense software creates performance problems and is not recommended for networks with more than 100 users.
After installing Filtering Service, establish an SIC trust between the Check Point product and Websense software:
*
Configure the OPSEC Application object for the Websense UFP Server within the Check Point product to use Secure Internal Communication. See Configuring the Check Point product to use SIC.
*
Configure Websense software to use Secure Internal Communication. See Configuring Websense software to use SIC.
*
Update the OPSEC Application object within the Check Point product to receive secure communications from Websense software. See Updating the OPSEC Application object.
Prerequisites
The following must be completed before you begin to configure the Check Point product to communicate with Websense software, as described in Chapter 2 of this Supplement.
*
Both the Check Point product and Websense software must already be installed and running.
*
In the Check Point product, create the following objects:
*
An object for the firewall. Consult Check Point product documentation for instructions.
*
Network Objects that represent your network topology (as needed for your filtering goals) must exist. Consult Check Point product documentation for instructions.
*
You must create the OPSEC Application object for the Websense UFP Server before Websense software can establish SIC. If you have not already done this, see the procedures in Creating an OPSEC application object.
 
* 
Note 
Do not perform the procedures in this section if you are using an earlier version of FireWall-1 (before FireWall-1 NG Feature Pack 1).
Configuring the Check Point product to use SIC
1.
Open the SmartDashboard, and select Manage > Servers and OPSEC Applications.
2.
Double-click the OPSEC Application object you created for the Websense UFP Server in Creating an OPSEC application object.
The OPSEC Application Properties dialog box for this object appears.
3.
If clear communication (for early version compatibility mode) is enabled, disable it:
a.
Go to the UFP Options tab of the OPSEC Application Properties dialog box for this object.
b.
Make sure the Use early versions compatibility mode check box is not selected. (This field was called Use backwards compatibility mode in earlier versions.)
4.
Click Communication.
The Communication dialog box appears.
5.
Enter and confirm an Activation Key (password) for communication between Websense Filtering Service and the Check Point product. (Make a note of this password for later use.)
6.
Click Initialize.
The Trust state field must show Initialized but trust not established.
7.
Click Close to return to the OPSEC Application Properties dialog box, then click OK.
8.
Close the Servers and OPSEC Applications dialog box.
9.
Select Policy > Install to install the policy on the firewall. See the Check Point product documentation for more information.
Configuring Websense software to use SIC
Use this procedure to obtain a SIC certificate from the Check Point product, and configure Websense software to use it. After you complete this procedure, Websense software sends this certificate each time it communicates with the Check Point product.
1.
Open a command prompt on the Websense Filtering Service machine and navigate to the directory containing the Check Point integration files (C:\Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin, by default).
2.
Enter the following command:
opsec_pull_cert –h <host> -n <object> -p <password> -o <path>
The table below explains the variables for this command.
 
Variable
Description
<host>
The IP address or machine name of the computer on which the SmartCenter Server (Management Server in earlier versions) is installed. This IP address may be the same machine as the Enforcement (FireWall) Module or a different machine.
<object>
The name of the OPSEC Application object created for the Websense UFP Server.
<password>
The activation key that you entered for the named OPSEC Application object. See Configuring the Check Point product to use SIC.
<path>
Path to the output certificate file, opsec.p12. This variable must be expressed as a complete path.
*
If the OPSECDIR variable already exists, the default path is $OPSECDIR/opsec.p12.
*
If the OPSECDIR variable does not exist, the opsec.p12 file is created in the same folder as the opsec_pull_cert.exe file (Websense\bin or
Websense/bin/FW1).
This command contacts the firewall and downloads the Secure Internal Communication certificate that authorizes Websense software to communicate with the Check Point product, and saves the certificate in a file, opsec.p12.
The command line displays information similar to the following example:
opsec_pull_cert –h 10.201.254.245 –n Websense_UFP –p firewall –o "C:\Program Files\Websense\bin\opsec.p12"
The full entity sic name is:
CN=Websense_UFP,0=fw1_server..dwz26v
Certificate was created successfully and written to "opsec.p12".
3.
Write down the SIC name displayed by the opsec_pull_cert command.
In the example above, the SIC name is:
CN=Websense_UFP,0=fw1_server..dwz26v
4.
Open the ufp.conf file, located by default in the C:\Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin directory.
The default file contains the following syntax:
ufp_server port 18182
#ufp_server auth_port 18182
#opsec_sic_policy_file ufp_sic.conf
#opsec_sic_name "place_holder_for_opsec_SIC_name"
#opsec_sslca_file opsec.p12
The first line is used for clear communication.
The remaining lines are used for SIC. If the file does not contain the lines for SIC shown above, enter them.
5.
To enable secure communication, comment out the first line and remove the comment symbol (#) from the remaining four lines.
#ufp_server port 18182
ufp_server auth_port 18182
opsec_sic_policy_file ufp_sic.conf
opsec_sic_name "place_holder_for_opsec_SIC_name"
opsec_sslca_file opsec.p12
6.
On the opsec_sic_name line, replace the placeholder with the SIC name recorded in Step 3.
The name must be enclosed in quotation marks. For example:
opsec_sic_name "CN=Websense_UFP,0=fw1_server..dwz26v"
The completed file:
#ufp_server port 18182
ufp_server auth_port 18182
opsec_sic_policy_file ufp_sic.conf
opsec_sic_name "CN=Websense_UFP,0=fw1_server..dwz26v"
opsec_sslca_file opsec.p12
7.
Save and close the file.
8.
Stop and restart the Websense UFP Server:
*
Windows: Use the Windows Services dialog box.
*
Linux: Use the ./WebsenseAdmin restart command.
See Starting and stopping Web Security services for instructions on stopping and restarting Websense services. See also Stopping and restarting the UFP Server.
Stopping and restarting the UFP Server
Filtering Service must be running for the Websense UFP Server to function. When the Filtering Service is stopped, the UFP Server is automatically shut down. The UFP Server must be restarted manually. If the UFP Server is started first, it automatically starts the Filtering Service. Stopping or starting the UFP Server while the Filtering Service is running has no effect on the Filtering Service.
Updating the OPSEC Application object
After Websense software has been configured to use SIC, update the OPSEC Application object created for the Websense UFP Server.
1.
Open the SmartDashboard and select Manage > Servers and OPSEC Applications.
2.
Double-click on the OPSEC Application object you created for the Websense UFP Server in Creating an OPSEC application object.
The OPSEC Application Properties dialog box for this object appears.
3.
Click Communication.
4.
Verify that the Trust state field shows Trust established.
5.
Click Close to return to the OPSEC Application Properties dialog box, then click OK.
6.
Close the Servers and OPSEC Applications dialog box.
7.
Select Policy > Install to install the policy on the firewall. See Check Point product documentation for more information.
8.
Open the OPSEC Application object created for the Websense UFP Server again.
9.
Go to the UFP Options tab of the OPSEC Application Properties dialog box for this object.
10.
Make sure the Use early versions compatibility mode check box is not selected. (This field was called Use backwards compatibility mode in earlier versions.)
11.
Click Get Dictionary.
Websense software provides the Check Point product with a dictionary of 2 categories: Blocked and Not Blocked. The full set of Websense categories is configured through TRITON - Web Security.
See the TRITON - Web Security Help for more information.
 
* 
Important 
Before continuing, make sure the Use early versions compatibility mode check box is not selected.
12.
Click OK.
13.
Close the Servers and OPSEC Applications dialog box.
14.
Select Policy > Install to install the policy on the firewall. See Check Point product documentation for additional information.
The SIC trust is established now between Websense software and the Check Point product. Continue with the configuration in Creating Resource Objects.
Restoring Clear Communication
To restore clear communication (early versions compatibility mode) on a system configured for Secure Internal Communication (SIC):
1.
On the Websense Filtering Service machine, navigate to the directory where the Check Point integration files are installed (C:\Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin, by default).
2.
Open the ufp.conf file in any text editor.
When the Check Point product is configured for SIC, this file contains the following syntax:
#ufp_server port 18182
ufp_server auth_port 18182
opsec_sic_policy_file ufp_sic.conf
opsec_sic_name "place_holder_for_opsec_SIC_name"
opsec_sslca_file opsec.p12
When SIC is fully configured, the contents of the quotation marks in line 4 are replaced with an actual opsec_SIC_name, such as:
CN=Websense_UFP,0=fw1_server..dwz26v
3.
To restore clear communication, remove the comment symbol (#) from the first line, and comment out the remaining lines:
ufp_server port 18182
#ufp_server auth_port 18182
#opsec_sic_policy_file ufp_sic.conf
#opsec_sic_name "place_holder_for_opsec_SIC_name"
#opsec_sslca_file opsec.p12
4.
Save the file.
5.
Stop and start the Websense UFP Server:
*
Windows: Use the Windows Services dialog box.
*
Linux: Use the ./WebsenseAdmin restart command.
See Starting and stopping Web Security services for instructions on stopping and restarting Websense services. See also Stopping and restarting the UFP Server.
6.
Open the SmartDashboard, and select Manage > Servers and OPSEC Applications.
7.
Double-click on the OPSEC Application object for the Websense UFP Server.
The OPSEC Application Properties dialog box for this object appears.
8.
Click Communication.
The Communication dialog box appears.
9.
Click Reset to revoke the SIC certificate and stop SIC.
A confirmation dialog box is displayed.
10.
Click Yes to continue.
11.
Click Close to return to the OPSEC Application Properties dialog box.
12.
Go to the UFP Options tab.
13.
Check the Use early versions compatibility mode option (Backwards Compatibility in earlier versions of FireWall-1 NG).
14.
Select Clear (opsec).
15.
Click Get Dictionary.
Websense software provides the Check Point product with a dictionary of 2 categories: Blocked and Not Blocked. The full set of Websense categories is configured via TRITON - Web Security.
16.
Click OK.
17.
Close the OPSEC Applications dialog box.
18.
Select Policy > Install to install the policy on the firewall. See Check Point product documentation for more information.

Go to the table of contents Go to the previous page Go to the next page
Integrating Web Security with Check Point > Configuring CheckPoint secure communication
Copyright 2016 Forcepoint LLC. All rights reserved.