Technical Library | Support

Go to the table of contents Go to the previous page Go to the next page
Integrating Web Security with Check Point > Getting started with a Check Point integration
Getting started with a Check Point integration
Deployment and Installation Center | Web Security Solutions | Version 7.7.x
 
Applies to:                                         
In this topic                                       
*
Web Filter and Web Security, v7.7.x
*
Distributed environments
*
Client computers and Check Point products
*
Communicating with Websense software
*
Installing Web Filter or Web Security to integrate with Check Point
*
Upgrading Web Filter or Web Security when integrated with Check Point
*
Migrating between Check Point versions
Websense Web Filter and Web Security are compatible with the following Check Point products:
*
Check Point NGX and NGX 65
*
Check Point UTM-1 (VPN-1) Edge
Websense Web Filter or Web Security integration with Check Point works as follows:
*
Websense Filtering Service interacts with the Check Point product and Network Agent to filter Internet requests.
*
Websense Network Agent manages Internet protocols that are not managed by the Check Point product.
 
* 
Important 
Do not install Network Agent on the Check Point machine.
Check Point products provide network security and a framework for content filtering. Websense software communicates with the Check Point product via URL Filtering Protocol (UFP). Websense software is implemented as a UFP Server, and communicates with the Check Point product over TCP sockets. By default, Websense software listens on port 18182 for messages from the Check Point product.
To begin filtering:
*
Client computers must point to the machine running the Check Point product as their default gateway. Typical networks implement this configuration for security reasons unrelated to filtering.
*
The Check Point product must be configured to use a rule to analyze all HTTP requests, as well as FTP requests issued by a browser that proxies to the Check Point product. The rule must use the URI Specifications for HTTP.
 
* 
Note 
If Websense software must download the Master Database through a proxy server or firewall that requires authentication for any HTTP traffic, the proxy server or firewall must be configured to accept clear text or basic authentication.
When Websense software is integrated with a Check Point product, you define policies within TRITON - Web Security (the configuration interface for Websense software). These policies identify which of the Websense categories are blocked or permitted during different times and days. Within the Check Point product, you typically define a rule that directs the firewall to reject requests for sites in Websense categories whose action is set to block, limit by quota, or confirm. If a client selects an option to view a site with quota time on a block page, Websense software tells the Check Point product to permit the site.
When the Check Point product receives an Internet request for either an HTTP site or an FTP site requested by a browser that uses the firewall as a proxy, it queries Websense Filtering Service to determine if the site should be blocked or permitted.
Filtering Service checks the policy assigned to the client. Each policy designates specific time periods and lists the category filters that are in effect during those periods.
After Filtering Service determines which categories are blocked for that client, it checks the Websense Master Database to locate the category for the requested URL:
*
If the site is assigned to a blocked category, the client receives a block page instead of the requested site.
*
If the site is assigned to a permitted category, Filtering Service notifies the Check Point product that the site is not blocked, and the client is allowed to see the site.
Distributed environments
When the SmartCenter™ server is separated from the Enforcement Module, modify your Rule Base to allow the SmartCenter Server to communicate with Websense Filtering Service during setup. This allows the Check Point product to load the Websense dictionary, which contains the categories Blocked and Not Blocked.
All other communication is between Filtering Service and the Enforcement Module. See Check Point documentation for instructions on modifying the Rule Base.
Client computers and Check Point products
Check Point products process HTTP requests transparently, so no Internet browser changes are required on client computers. You can have clients proxy to the firewall to enable user authentication within that firewall, or to enable filtering of FTP requests from a browser. See Check Point product documentation for instructions on handling FTP requests.
If clients use the firewall as a proxy, browsers on client computers must be configured to support proxy-based connections.
Communicating with Websense software
Depending on which Check Point product is running, Websense software may communicate with the firewall through a secure connection or a clear connection.
*
A secure connection requires that communication between the Check Point product and the Websense UFP Server is authenticated before any data is exchanged.
*
A clear connection allows Websense software and the Check Point product to transfer data without restrictions.
The connection options for each supported Check Point product version are similar, but have some slight differences.
*
FireWall-1 NGX or FireWall-1 NG with Application Intelligence (AI): clear connection is the default. An authenticated connection can be established, but is not recommended because of performance issues. In addition, a clear connection is required to use the Enhanced UFP Performance feature described in the next section.
*
FireWall-1 NG Feature Pack 1 or later: clear connection is the default, but a Secure Internal Communication (SIC) trust connection can be configured within both Check Point and Websense software.
See Configuring Check Point products to work with Web Security solutions for the appropriate procedures to establish secure or clear communication with the Websense software.
Enhanced UFP performance
The enhanced UFP performance feature increases the amount of traffic that Websense software and the Check Point product can filter while reducing CPU load.
Configuring enhanced UFP performance requires the proper settings in both Websense software and the Check Point product. See Configuring enhanced UFP performance for detailed configuration procedures.
 
* 
Note 
To use enhanced UFP performance, Websense software and the Check Point product must be configured for clear communication.
Installing Web Filter or Web Security to integrate with Check Point
Refer to Installing Web Security components for complete installation instructions. When installing Filtering Service, follow the installation instructions until prompted to select an integration option.
*
On the Integration Option screen, select Integrated with another application or device.
*
On the Select Integration screen, select Check Point.
*
If Network Agent is included in this installation, a warning advises against installing Network Agent on the same machine as the firewall. An exception allows Websense software and the firewall to be installed on an appliance with separate virtual processors to accommodate both products.
*
Select Yes, install Network Agent only if the machine has separate virtual processors.
*
Follow the remaining screens in the Websense installer to complete the installation.
*
See Configuring Check Point products to work with Web Security solutions for information on configuring the firewall integration with Websense software.
If Filtering Service is installed on a multihomed machine, identify Filtering Service by its IP address in your network so that Websense block messages can be sent to users.
See Identifying Filtering Service by IP address for instructions.
Upgrading Web Filter or Web Security when integrated with Check Point
Before upgrading Websense software, make sure your Check Point product is supported by the new version.
Follow the instructions in Upgrading Websense Web Security Solutions.
Update the Check Point dictionary with new Websense settings, and update the Websense Resource Object in SmartCenter before you begin filtering with the new version of Websense software.
For more information, see Configuring Check Point products to work with Web Security solutions.
Migrating between Check Point versions
If you plan to upgrade your Check Point product (from FireWall-1 NG to NGX, for example), do so after upgrading the Websense software.
* 
Important 
Do not make any additional modifications to your Websense software until after you have upgraded your firewall product.
See Upgrading Websense Web Security Solutions for instructions on upgrading Websense software.
See Check Point documentation for information on upgrading the Check Point software.
See Configuring Check Point products to work with Web Security solutions for the necessary configuration procedures to ensure that your new version of the Check Point product can communicate with Websense software.

Go to the table of contents Go to the previous page Go to the next page
Integrating Web Security with Check Point > Getting started with a Check Point integration
Copyright 2016 Forcepoint LLC. All rights reserved.