Configuring Check Point Products to Work with Web Filter or Web Security

In addition to defining Websense filtering policies and assigning them to the appropriate clients, you must set up the Check Point product with the necessary objects and rules. In describing these objects and rules, this chapter assumes that you are familiar with general Check Point product concepts.

The following tasks must be completed before you begin to configure the Check Point product to communicate with Websense software:
Both the Check Point product and either Websense Web Security or Websense Web Filter must be installed and running.
An object for the firewall itself must exist, if it does not already (it typically is created by default upon installation of the Check Point product).

Configuring FireWall-1 NG, FireWall-1 NG with AI, and FireWall-1 NGX for Websense content filtering involves the following procedures:
Create URI resource objects for the dictionary categories that Websense software sends to the Check Point product. See Creating Resource Objects.
When creating the URI resource objects, you can configure both Websense software and the Check Point product to use Secure Internal Communication (SIC), rather than the default clear communication. See Establishing Secure Internal Communication.
Define rules that govern how the Check Point product behaves when it receives a response from Websense software. See Defining rules.
Optionally, you can configure the Check Point product for enhanced UFP performance. This applies only to FireWall-1 NG with Application Intelligence and FireWall-1 NGX. Make sure that you have configured the Check Point product for Websense content filtering before this procedure. See Configuring enhanced UFP performance.
The procedures and illustrations in this chapter are based on FireWall-1 NGX. If FireWall-1 NG or FireWall-1 NG with Application Intelligence (AI) is running, you may notice slight differences in screens and field names.
1. Open a Check Point SmartConsole, such as SmartDashboard™ (Policy Editor in earlier versions). See your Check Point product documentation for detailed instructions on using SmartConsole.
2. If you have not already done so, create a network object (Manage > Network Objects > New > Node > Host) for the machine running Filtering Service. This object is required only if Websense software runs on a separate machine behind the firewall, as recommended.
3. Select General Properties in the left column. The following dialog box appears.
Name: Enter a descriptive name for the network object representing the machine on which Filtering Service is running, such as Websense (make a note of this name for later use).
Note: If your DNS is configured to resolve machines within your network, enter the Filtering Service machine's host name here. Then, for IP Address, you can click Get address to resolve the host name to its IP address automatically.
IP Address: Note: If you entered a host name for Name, you can click Get address to find the machine's IP address automatically. See the description for Name, above, for more information.
5. Click OK.

After you create the network object for the machine running Filtering Service, you must create an OPSEC application object for the Websense UFP Server. The UFP Server was installed with the other components when you chose Check Point as your integration product during installation.
2. Select Manage > Servers and OPSEC Applications.
3.
4. Select the General tab in the OPSEC Application Properties dialog box.
Name: Enter a descriptive name, such as Websense_ufp (make a note of this name for later use).
Host: Select the network object created in the previous section. This object identifies the machine running Filtering Service. If you have not yet created this object, click New to create it. See Creating a network object for instructions.
Vendor: Select Websense.
The next two values are not used in creating an object and do not need to be changed.
UFP is checked automatically when you select Websense as the Vendor, and cannot be changed.
6. Select the UFP Options tab.
7. Check the Use early versions compatibility mode option (Backwards Compatibility in earlier versions).
If Secure Internal Communication (SIC) is used, go to Establishing Secure Internal Communication to complete this section.
If SIC is not used, select Clear (opsec).
8. Click Get Dictionary. Websense software provides the Check Point product with a dictionary containing these categories: Blocked and Not Blocked. The full set of Websense categories is configured via TRITON - Web Security. See TRITON - Web Security Help for more information.
9. Click OK.
11. Select Policy > Install to install the policy on the firewall.

Create a Resource Object to define a Uniform Resource Identifier (URI) that uses the HTTP protocol. This URI identifies the Websense dictionary category Blocked.
1. Open SmartDashboard and select Manage > Resources.
2.
3. Select the General tab, and complete the items in the tab.
Name: Enter a name for this URI Resource Object, such as Blocked_Sites.
Use this resource to: Select Enforce URI capabilities. This option enables all other functionality of the URI resource, such as configuring CVP checking on the CVP tab.
Connection Methods: All basic parameters defining schemes, hosts, paths, and methods apply. The URL is checked for these parameters.
Exception Track: Select the desired method for tracking exceptions. See the Check Point product documentation for more information.
URI match specification: Select UFP.
4. Select the Match tab, and complete the items in the tab.
UFP server: Select the OPSEC Application object that was created for the Websense UFP Server in Creating an OPSEC application object.
UFP caching control: No caching is the recommended setting for most networks.
Category list: Mark the Blocked check box.
Mark this check box to permit full HTTP and FTP access if Websense Filtering Service is not running or cannot be contacted. Dependent fields allow you to set the number of times the Check Point product tries to contact Websense software before ignoring it, and the length of time the Check Point product ignores Websense software before attempting to reconnect.
Clear this check box to block all HTTP and FTP access when Filtering Service is not running.
5. Click OK.
7. Select Policy > Install to install the policy on the firewall.

This section describes a content filtering scenario and its configuration. It includes information about the objects and rules that are needed to implement the suggested configuration.
The configuration described in this section assumes that all clients have a default route set to the firewall and do not proxy to the firewall. This configuration also assumes that the recommended network configuration is being used: Websense software is running on a separate machine, behind the firewall, and caching is disabled.

In this scenario, the Check Point product denies access to any site that Websense software indicates is blocked, and allows access to any site that Websense software indicates is not blocked. The actual sites blocked may vary according to the computer making the request.

Use TRITON - Web Security to define policies that block the appropriate categories, and assign them to the desired computers or directory objects. For example, you might modify the Default policy to use a category filter that blocks access to all categories except the Travel, and Business and Economy categories. This policy is applied to most computers. A separate, more liberal policy could be defined for managers, which blocks only those categories considered a liability risk, such as Adult Material and Gambling. This policy, called Management, would be assigned to the computers used by top managers.

After the Websense policies are configured, you define rules in the Check Point product to prevent access to any site that Websense software indicates is blocked. To set up this configuration in the Check Point product, you must create one URI Resource Object and one Network Object, and define two rules.

In this example, the URI Resource Object is called Blocked_Sites because Websense software is configured to block sites that are not required for business purposes.
Create a Network Object that encompasses all machines on the internal network. This example assumes that everyone in the company is on the internal network. For this example, the Network Object is called Internal_Network.
Add the rules to the Security Rules Base. The sequence of the rules is important, because the Check Point product evaluates the rules sequentially, from top to bottom.

RULE 1: Blocks access to undesirable Web sites. Add the new rule at an appropriate location in the Rule Base:
(NGX only) Enter a descriptive name for the rule, such as Websense Block.
In the Service with Resource dialog box, select HTTP. Under Resource, select Blocked_Sites from the drop-down menu. This object was created in Creating Resource Objects.

RULE 2: The second rule allows access to all other Web sites. Add the second rule after Rule 1.
(NGX only) Enter a descriptive name for the rule, such as Websense Allow.

After defining the rules described above, Verify and Install the policy from the Policy menu. See Check Point product documentation for more information.
For normal operation, set Track to None in the Websense rules. This disables logging in the Check Point product. When logging is enabled for these rules, the log files become very large, and adversely impact performance. Configure other options in the Track field only when you are testing and troubleshooting.

When the Check Point product receives an HTTP request, it sends Websense software the address of the requested site, as well as the IP address of the computer requesting the site.

For example, the CNN Web site is requested by a top manager. Websense software categorizes the site as News and Media. Websense software indicates that the site is Not Blocked under the Management policy that you defined in TRITON - Web Security. The Check Point product allows the site according to Rule 2.

If the CNN site was requested from an accounting clerk's computer, Websense software indicates that the site is Blocked because that computer is governed by the Websense Default policy, which blocks the News and Media category. The Check Point product denies the request according to Rule 1, and a Block Page is displayed on the clerk's computer.

Any time a computer requests a site not categorized by the Websense Master Database, Websense software indicates that the site is not in the database. The Check Point product allows access to the site according to Rule 2.

Enhanced UFP performance improves the performance of the UFP Server by increasing the amount of traffic that Websense software and the Check Point product can filter while reducing CPU load. Configuring enhanced UFP performance requires the proper settings in Websense Web Security or Websense Web Filter, and in the Check Point product. In order to use enhanced UFP performance, clear communication is required between Websense software and the Check Point product.
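As an added example (not code from the Websense or Check Point documentation), the following Python model replays the two-rule evaluation and the CNN scenario described above: the UFP dictionary answer (Blocked, Not Blocked, or not in the database) drives whether Rule 1 or Rule 2 fires, and the check box that permits full access when Filtering Service cannot be contacted is modelled together with its retry count and ignore period. The client addresses, the site list and the policy assignments are constructed sample data.

```python
BLOCKED, NOT_BLOCKED, NOT_IN_DB = "Blocked", "Not Blocked", "Not in database"

# Constructed data mirroring the scenario above: Default blocks everything except Travel
# and Business and Economy; Management blocks only Adult Material and Gambling.
POLICIES = {
    "Default": lambda cat: cat not in {"Travel", "Business and Economy"},
    "Management": lambda cat: cat in {"Adult Material", "Gambling"},
}
CLIENT_POLICY = {"10.0.0.20": "Management"}          # hypothetical manager's PC
SITE_CATEGORIES = {"www.cnn.com": "News and Media"}  # constructed Master Database excerpt

class UfpServer:
    """Stand-in for the Websense UFP Server; answers with a dictionary category."""
    def __init__(self, reachable=True):
        self.reachable = reachable

    def lookup(self, client_ip, url):
        if not self.reachable:
            raise ConnectionError("Filtering Service cannot be contacted")
        host = url.split("://", 1)[-1].split("/", 1)[0]
        category = SITE_CATEGORIES.get(host)
        if category is None:
            return NOT_IN_DB
        policy = POLICIES[CLIENT_POLICY.get(client_ip, "Default")]
        return BLOCKED if policy(category) else NOT_BLOCKED

class BlockedSites:
    """URI resource Blocked_Sites: matches when the UFP dictionary says Blocked.
    fail_open models the 'permit full HTTP and FTP access if Filtering Service is not
    running' check box; retries and ignore_seconds model its dependent fields."""
    def __init__(self, ufp, fail_open=False, retries=3, ignore_seconds=60):
        self.ufp, self.fail_open = ufp, fail_open
        self.retries, self.ignore_seconds, self.ignore_until = retries, ignore_seconds, 0.0

    def matches(self, client_ip, url, now=0.0):
        if now >= self.ignore_until:
            for _ in range(self.retries):
                try:
                    return self.ufp.lookup(client_ip, url) == BLOCKED
                except ConnectionError:
                    pass
            self.ignore_until = now + self.ignore_seconds   # ignore Websense for a while
        # While Websense is ignored: fail-open -> resource never matches, so Rule 2 allows;
        # fail-closed -> every request is treated as Blocked, so Rule 1 denies all HTTP.
        return not self.fail_open

def evaluate(resource, client_ip, url, now=0.0):
    """Rule 1 (HTTP with resource Blocked_Sites) then Rule 2 (HTTP), top to bottom."""
    return "Rule 1: blocked" if resource.matches(client_ip, url, now) else "Rule 2: allowed"
```

The fail-open branch is the one to weigh carefully: with the check box marked, an outage of Filtering Service silently turns the rule base into an allow-all for the length of the ignore period.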
Before performing the following procedures, make sure you have configured the Check Point product for content filtering with Websense software, as described earlier in this chapter.

Before configuring the Check Point product for enhanced UFP performance, open the ufp.conf file and make sure Websense software is configured for clear communication:
1. On the Websense Filtering Service machine, navigate to the directory where the Check Point integration files are installed. The default directories are:
Windows: C:\Program Files or Program Files (x86)\Websense\Web Security\bin
Linux: /opt/Websense/bin
2. Open the ufp.conf file in any text editor. Additional lines that appear in this file are used for Secure Internal Communication, and must be commented out using the comment symbol (#):
4. Save and close the ufp.conf file.
Windows: Use the Windows Services dialog box.
Linux: Use the ./WebsenseAdmin restart command.

See Starting or Stopping Web Security Services for instructions on stopping and restarting Websense services. See also Stopping and restarting the UFP Server.
Configure the OPSEC Application object for the Websense UFP Server to operate in early versions compatibility mode (previously known as backwards compatibility mode) for clear communication. Clear communication is the default for FireWall-1 NG with AI and FireWall-1 NGX. See Early versions compatibility mode.
Configure the URI Resource Object that identifies the Websense dictionary category Blocked for enhanced UFP performance. See Enhanced UFP performance.

Follow these steps to configure the previously created OPSEC Application object for the Websense UFP Server to operate in early versions compatibility mode (clear communication) for enhanced UFP performance.
1.
2. The OPSEC Application Properties dialog box for this object appears.
3.
4.
5. Select Clear (opsec).
6. Click OK.
8. Select Policy > Install to install the policy on the firewall. See Check Point product documentation for more information.

To configure the previously created URI Resource Object that identifies the Websense dictionary category Blocked for enhanced UFP performance:
1. Open the SmartDashboard, and select Manage > Resources.
2.
3.
4. Select the Match tab.
5. Reselect the OPSEC Application object for the Websense UFP Server in the UFP server field. In this example, the object is named Websense_ufp.
6.
8. Select Policy > Install to install the policy on the firewall. See the Check Point product documentation for more information.