Enabling Application & URL Filtering on Checkpoint and disabling URL filtering on Websense

For App & URL filtering (Or URLF per se), you should be able to enforce the filtering once it is installed and action is configured in the rule for logging or inform or other. Key its status in the rule line must have it stated yes for install. Before that make sure a DNS has been configured in the environment. The installation is in found General Properties > Network Security tab, which you enable the URL Filtering. Thereafter you can start creating the rule and necessary objects for the rules...

URL filtering can still work as in the filtering in legacy and likewise it also need to be enabled. For legacy URL Filtering on Security Gateway versions earlier than R75.20, you will do it on the Firewall tab, double-click the required Security Gateway network object. Go into Other > More Settings  and enable Legacy URL Filtering. This is its working in summary

When a URL request arrives at a local machine, the machine checks the Network Exceptions List to determine whether to enforce the URL Filtering policy. The URL Filtering policy is activated if the connection is accepted by the Security Policy. If the URL Filtering policy is enforced, the URL header is stripped and the address is sent to the Web Filter engine.

The URL is allowed or blocked based on URL request information in the predefined database and/or the Web Filter Allow/Block Lists. For example, if the URL address matches two or more categories, and one of them is blocked, the URL address is denied, however, if the same address appears in the Allow List it is accepted.

But be wary of the legacy setting as below

During installation of the Web Filter engine, no default database is installed; therefore, the Web Filtering policy is not enforced until a signature update is performed. The first update may take a long time, depending on your environment. Subsequent updates should take significantly less time, as only incremental information is downloaded

https://sc1.checkpoint.com/documents/R77/CP_R77_ApplicationControlURLFiltering_WebAdminGuide/73834.htm#o103281

In CP, for URL filtering, the main flow is to go to the local cache to see if the data is already there. If the category data is not in the cache, it checks the local database for the URL category. And specifically for application control and URL filtering, if the URL is suspected to be a widget or the category data is not in the cache, the CP gateway will access the Check Point Online Web Service too provided it is online accessible.

But do note, the below for App & URL filtering

in some cases, the category data in the Application and URL Filtering Database for a URL is not applicable for your organization. You can use the override categorization option to update the category and risk definitions of a URL. This definition overrides the information in the Application and URL Filtering Database and the responses received from the Check Point Online Web Service. The Rule Base will use the newly specified categorization when matching rules with URLs.

You can find reference online in https://sc1.checkpoint.com/documents/R76/CP_R76_AppControl_WebAdmin/60902.htm

Thanks for the feedback.

If I want only test machine (machine A) to go through CP URLF and rest of the the traffic passing through the firewall should continue going the usual route to Websense for URL filtering, how can I achieve that?

I've already set unrestricted access for test machine A on Websense.

I'm getting this two errors:

Update failed. Gateway can not access internet ('https://secur eupdates.checkpoint.com/appi/v 3_1_0/gw/Version'). Check connectivity and proxy settings.

Internal error occurred, could not connect to 'cws.checkpoint.com:80'. Check proxy configuration on the gateway.

I checked firewall rules, and its in place to allow the update

kindly see this "Troubleshooting" section as it seems to be the similar case to your error, the update failed because the DNS server is likely not configured yet  https://integratingit.wordpress.com/2013/05/27/configuring-check-point-application-control/

also check out this as likely it is connectivity issue

Check the following:

Check DNS configuration on the Security Gateway (if a Proxy Server is used to access the Internet, and that Proxy Server has configured DNS settings, then DNS settings on the Security Gateway are not necessary).

Check Proxy configuration on the Security Gateway.

Connectivity from the Security Gateway:

[Expert@GW]# curl_cli http://cws.checkpoint.com/AntiVirus/SystemStatus/type/short 

This link should always be available and should always return a "true" value:
<?xml version="1.0" encoding="UTF-8"?><response><allSystemsOK>true</allSystemsOK></response>

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk64162

Tried this yesterday and It didn't work.

DNS is configured on the security management server that manages the gateway cluster I'm enabling APCL & URLF on. So I believe, security gateway doesn't requires DNS settings. Correct me if I'm wrong.

As in prev post if there is a proxy already existing with DNS configure then your gateway to configure DNS is not necessary. But for any device to interpret the cws.checkpoint.com still needs to be done. if curl did not work then DNS likely failed, more errors possible in
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk74040