Troubleshooting Check Point integration
Deployment and Installation Center | Web Security Solutions | Version 7.7.x
 
Where can I find download and error messages?
Websense software creates Websense.log and ufpserver.log files when errors occur. These files are located in the Websense bin directory (C:\Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin, by default).
These log files record error messages and other messages pertaining to database downloads. Websense.log is located only on the machine running Policy Server.
The Master Database does not download
In addition to the subscription and access problems discussed in the Websense , a rule in the firewall could be blocking the download. Create a rule in the Check Point product at the top of the rule base that allows all traffic (outbound) from the Websense Filtering Service machine. If this test succeeds, move the rule down systematically until the problematic rule is found.
Websense dictionary does not load in the Check Point product
The Get Dictionary process occurs between the Check Point SmartCenter Server and Websense Filtering Service. If the SmartCenter Server is not installed on the same machine as the Check Point Enforcement Module, you may need to configure the Check Point product to allow communication between the machines running the SmartCenter Server and Filtering Service. See Distributed environments for more information.
Three possible reasons why the dictionary might not load in the Check Point product are described below.
Port mismatch
If the FW1_ufp Service defined in the Check Point product uses a different port than the Filtering Service filtering port (default 18182), Websense software cannot communicate with the Check Point product. As a result, the Check Point product cannot retrieve the Websense dictionary entries.
Check for mismatched port entries in the following locations:
* Check the FW1_ufp Service definition in the Check Point product.
  1.
  2. Select FW1_ufp from the list of services, then click Edit. The TCP Services Properties dialog box appears.
  3.
* Open the ufp.conf file in a text editor. The file is located by default in the C:\Program Files or Program Files (x86)\Websense\Web Security\bin\FW1 or /opt/Websense/bin/FW1 directory. Check the port value to make sure it matches the port setting for the FW1_ufp Service in the Check Point product.
* In the Check Point product, the filtering port specified in the fwopsec.conf file must match the port number set for the FW1_ufp Service and the port defined in the Websense ufp.conf file.
 
Note: If the SmartCenter Server and the Enforcement Module are installed on separate machines, both contain an fwopsec.conf file. You must reconcile the filtering port number in each of these files.
Communication mismatch
If the Websense dictionary does not load, check your communication settings. The method of communication selected in the OPSEC Application object must be consistent with that defined in the ufp.conf file (SIC or clear communication).
For example, if you have selected early version compatibility mode in the OPSEC Application Properties dialog box (see Early versions compatibility mode), the first line in the ufp.conf file must be:
ufp_server port 18182
If you have selected SIC, the first line in the ufp.conf file must be:
ufp_server auth_port 18182
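The port and communication checks described above can be run against ufp.conf in one pass. The following is an added example, not Websense or Check Point code: the function name, the message texts and the sample file contents are assumptions, and the expected mode and port are the values you read from the OPSEC Application object and the FW1_ufp Service definition.

```python
import re

# Directive keywords as given on this page: "port" is used with early versions
# compatibility mode (clear), "auth_port" with SIC.
MODES = {"port": "clear", "auth_port": "SIC"}
DIRECTIVE = re.compile(r"^\s*ufp_server\s+(port|auth_port)\s+(\d+)\s*$")


def check_ufp_conf(text, expected_mode, expected_port=18182):
    """Return a list of mismatches between ufp.conf and the Check Point side.

    expected_mode ("SIC" or "clear") and expected_port are what the operator
    read from the OPSEC Application object and the FW1_ufp Service definition.
    An empty list means the first line of ufp.conf is consistent with both.
    """
    lines = text.lstrip("\ufeff").splitlines()  # tolerate a BOM and CRLF
    match = DIRECTIVE.match(lines[0]) if lines else None
    if match is None:
        # The page requires the directive on the first line; say so if it
        # exists further down (for example after a blank line).
        later = [n for n, l in enumerate(lines[1:], 2) if DIRECTIVE.match(l)]
        where = f" (directive found on line {later[0]})" if later else ""
        return [f"line 1 is not a ufp_server directive{where}"]
    mode, port = MODES[match.group(1)], int(match.group(2))
    problems = []
    if port != expected_port:
        problems.append(f"port mismatch: ufp.conf={port}, FW1_ufp={expected_port}")
    if mode != expected_mode:
        problems.append(
            f"communication mismatch: ufp.conf={mode}, OPSEC object={expected_mode}")
    return problems


# Constructed sample file contents (not taken from a real installation).
SAMPLE_SIC = "ufp_server auth_port 18182\r\n"
SAMPLE_CLEAR_WRONG_PORT = "ufp_server port 18183\n"
SAMPLE_LEADING_BLANK = "\nufp_server auth_port 18182\n"

if __name__ == "__main__":
    for name, text in [("sic", SAMPLE_SIC), ("clear", SAMPLE_CLEAR_WRONG_PORT),
                       ("blank", SAMPLE_LEADING_BLANK)]:
        print(name, check_ufp_conf(text, expected_mode="SIC") or "consistent")
```

The check covers ufp.conf only; the port in each fwopsec.conf file still has to be compared by hand.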
Policy properties
The Accept Outgoing Packet Originating from Gateway setting in the Check Point product's policy properties is enabled by default, but some environments need to disable it. Because the firewall cannot send any traffic in such an environment, it cannot request the dictionary.
To enable the dictionary request, add the following rule to the Rule Base anywhere before the cleanup rule:
SRC (Required)
FTP requests are not being blocked as expected
Websense software cannot block FTP requests when the Check Point product is configured to act as a proxy server.
The FTP request is sent as ftp://. The Check Point product then sends the packet to the Websense software with an http:// header. Websense software performs a lookup against HTTP categories instead of performing a protocol lookup, and the FTP request is blocked or permitted according to the category assigned to the HTTP version of the same URL.
It is recommended that you use the capability of the Check Point product to block the FTP protocol.
1.
2.
3.
Users receive the Check Point block page instead of the Websense block page.
 
Copyright 2016 Forcepoint LLC. All rights reserved.