Troubleshooting Check Point Integration

Troubleshooting Check Point Integration

Applies to

Web Filter v7.6

Web Security v7.6

In this topic

Where can I find download and error messages?

The Master Database does not download

Websense dictionary does not load in the Check Point product

No filtering occurs after enabling enhanced UFP performance

FTP requests are not being blocked as expected

Where can I find download and error messages?

Websense software creates Websense.log and ufpserver.log files when errors occur. These files are located in the Websense bin directory, (C:\Program Files or Program Files (x86)\Websense\Web Security\bin or /opt/Websense/bin, by default.)

These log files record error messages and other messages pertaining to database downloads. Websense.log is located only on the machine running Policy Server.

The Master Database does not download

In addition to the subscription and access problems discussed in the Websense , a rule in the firewall could be blocking the download. Create a rule in the Check Point product at the top of the rule base that allows all traffic (outbound) from the Websense Filtering Service machine. If this test succeeds, move the rule down systematically until the problematic rule is found.

Websense dictionary does not load in the Check Point product

The Get Dictionary process occurs between the Check Point SmartCenter Server and Websense Filtering Service. If the SmartCenter Server is not installed on the same machine as the Check Point Enforcement Module, you may need to configure the Check Point product to allow communication between the machines running the SmartCenter Server and Filtering Service. See Distributed environments for more information.

Three causes are listed below as to why the dictionary might not load within the Check Point product.

Port mismatch

If the FW1_ufp Service defined in the Check Point product uses a different port than Filtering Service filtering port (default 18182), Websense software cannot communicate with the Check Point product. As a result, the Check Point product cannot retrieve the Websense dictionary entries.

Check for mismatched port entries in the following locations:

Check the FW1_ufp Service definition in the Check Point product.

1.	From the Check Point client, choose Manage > Services.

2.	Select FW1_ufp from the list of services.

3.	Click Edit.

The TCP Services Properties dialog box appears.

4.	Make sure the port number displayed is the same as the port number defined for the filtering port when you installed Filtering Service.

Open the ufp.conf file in a text editor. The file is located by default in the C:\Program Files or Program Files (x86)\Websense\Web Security\bin\FW1 or /opt/Websense/bin/FW1 directory. Check the port value to make sure it matches the port setting for the FW1_ufp Service in the Check Point product.

In the Check Point product, the filtering port specified in the fwopsec.conf file must match the port number set for the FW1_ufp Service and the port defined in the Websense ufp.conf file.

 

Note  If the SmartCenter Server and the Enforcement Module are installed on separate machines, both contain an fwopsec.conf file. You must reconcile the filtering port number in each of these files.

Communication mismatch

If the Websense dictionary does not load, check your communication settings. The method of communication selected in the OPSEC Application object must be consistent with that defined in the ufp.conf file (SIC or clear communication).

For example, if you have selected early version compatibility mode in the OPSEC Application Properties dialog box (see Early versions compatibility mode), the first line in the ufp.conf file must be:

ufp_server port 18182

If you have selected SIC, the first line in the ufp.conf file must be:

ufp_server auth_port 18182

Policy properties

Although it is enabled by default, some environments need to disable the Accept Outgoing Packet Originating from Gateway setting in the Check Point product's policy properties. Since the firewall cannot send any traffic in this environment, it cannot request the dictionary.

To enable the dictionary request, add the following rule to the Rule Base anywhere before the cleanup rule:

Source	Check Point product workstation object
Destination	Any, or the Filtering Service workstation object
Service	FW1_ufp
Action	Accept
Track	Long (or any desired setting)
Install On	SRC (Required)
Time	Any

SIC trust configuration in FireWall-1 NG

When you click Get Dictionary in the Match tab of the URI Definition dialog box, FireWall-1 NG (Feature Pack 1 or later) contacts Websense Filtering Service via SIC trust to retrieve a list of categories for use in Check Point rules. If the SIC trust was not configured correctly, this contact fails and no categories can be retrieved.

To set up the SIC trust, see Establishing Secure Internal Communication.

If you established the SIC trust, but still cannot get the dictionary, you can re-establish the trust.

1.	Open the SmartDashboard, and select Manage > Servers and OPSEC Applications.

The Servers and OPSEC Applications dialog box appears.

2.	Select the Websense UFP Server object in the list, and click Edit.

The OPSEC Application Properties dialog box appears.

3.	Click Communication.

The Communications dialog box appears.

4.	Click Reset to remove the SIC trust initialized previously, then click Yes in the confirmation dialog box that appears.

5.	Click Close in the Communications dialog box.

6.	Click OK to close the OPSEC Application Properties dialog box.

7.	Click Close to close the Servers and OPSEC Applications dialog box.

8.	Select Policy > Install to install the policy on the firewall.

9.	Create the SIC trust again as described under Establishing Secure Internal Communication.

 

Note  Do not create a new OPSEC Application object for the Websense UFP Server; edit the object that already exists.

No filtering occurs after enabling enhanced UFP performance

Users who have configured FireWall-1 NG with AI for enhanced UFP performance may not be able to filter Internet requests. This is a Check Point licensing issue and not a configuration problem. A license from an older version of NG cannot work with the newer version of NG with AI. Contact Check Point to update your license for your version of FireWall-1 NG with AI.

FTP requests are not being blocked as expected

Websense software cannot block FTP requests when the Check Point product is configured to act as a proxy server.

The FTP request is sent as ftp://. The Check Point product then sends the packet to the Websense software with an http:// header. Websense software performs a lookup against HTTP categories instead of performing a protocol lookup, and the FTP request is blocked or permitted according to the category assigned to the HTTP version of the same URL.

It is recommended that you use the capability of the Check Point product to block the FTP protocol.

1.	In the Check Point product, create a rule that blocks on the FTP service. See Check Point product documentation for more information.

2.	Place this rule above the Websense rule.

3.	Save the policy.

Users receive the Check Point block page instead of the Websense block page.

 

Note  In this case, it is not necessary to set the FTP protocol to be blocked in TRITON - Web Security.

Troubleshooting Check Point Integration