Bhailu Mistry


Enabling Application & URL Filtering on Checkpoint and disabling URL filtering on Websense

We're using Websense for URL filtering and moving to Checkpoint advanced blade for filtering. I'm planning to enable Application and URL filtering on a Checkpoint security gateway and disable URL filtering on Websense server. I have a procedure on setting up the required URL filtering policies and creating required applications/Sites for monitoring.

My question is, would enabling Application and URL filtering on Checkpoint start filtering the URL, or does it require a special rule on the firewall? There is already a rule in place for outbound internet traffic.

I guess as firewall is hit first, enabling URLF should start filtering internet traffic before it reaches Websense server.

Please advise.
Thanks in advance
btan

For App & URL filtering (or URLF per se), you should be able to enforce the filtering once it is installed and an action is configured in the rule for logging or inform or other. Key its status in the rule line must have it stated yes for install. Before that, make sure a DNS has been configured in the environment. The installation is found in the General Properties > Network Security tab, where you enable URL Filtering. Thereafter you can start creating the rule and necessary objects for the rules...

URL filtering can still work as in the filtering in legacy, and likewise it also needs to be enabled. For legacy URL Filtering on Security Gateway versions earlier than R75.20, you will do it on the Firewall tab: double-click the required Security Gateway network object, go into Other > More Settings and enable Legacy URL Filtering. This is how it works, in summary:
When a URL request arrives at a local machine, the machine checks the Network Exceptions List to determine whether to enforce the URL Filtering policy. The URL Filtering policy is activated if the connection is accepted by the Security Policy. If the URL Filtering policy is enforced, the URL header is stripped and the address is sent to the Web Filter engine.

The URL is allowed or blocked based on URL request information in the predefined database and/or the Web Filter Allow/Block Lists. For example, if the URL address matches two or more categories, and one of them is blocked, the URL address is denied, however, if the same address appears in the Allow List it is accepted.
But be wary of the legacy setting, as below:
During installation of the Web Filter engine, no default database is installed; therefore, the Web Filtering policy is not enforced until a signature update is performed. The first update may take a long time, depending on your environment. Subsequent updates should take significantly less time, as only incremental information is downloaded
https://sc1.checkpoint.com/documents/R77/CP_R77_ApplicationControlURLFiltering_WebAdminGuide/73834.htm#o103281

In CP, for URL filtering, the main flow is to go to the local cache to see if the data is already there. If the category data is not in the cache, it checks the local database for the URL category. And specifically for application control and URL filtering, if the URL is suspected to be a widget or the category data is not in the cache, the CP gateway will access the Check Point Online Web Service too, provided it is accessible online.

But do note the below for App & URL filtering:
In some cases, the category data in the Application and URL Filtering Database for a URL is not applicable for your organization. You can use the override categorization option to update the category and risk definitions of a URL. This definition overrides the information in the Application and URL Filtering Database and the responses received from the Check Point Online Web Service. The Rule Base will use the newly specified categorization when matching rules with URLs.
You can find reference online in https://sc1.checkpoint.com/documents/R76/CP_R76_AppControl_WebAdmin/60902.htm
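
An added example, not part of the thread and not Check Point code: a simplified Python model of the legacy URL Filtering decision quoted above (Security Policy accept, Network Exceptions List, no enforcement before the first database update, Allow List overriding a blocked category). All class, field and host names are hypothetical, and the position of the Block List relative to category matching is an assumption.

```python
# Added illustration: simplified model of the legacy URL Filtering decision.
# Names are hypothetical; this is not Check Point code.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class WebFilterPolicy:
    network_exceptions: list = field(default_factory=list)  # CIDR strings
    blocked_categories: set = field(default_factory=set)
    allow_list: set = field(default_factory=set)             # hostnames
    block_list: set = field(default_factory=set)
    database: Optional[dict] = None  # host -> categories; None before 1st update

def decide(policy, src_ip, host, accepted_by_security_policy=True):
    """Return (verdict, reason) for one HTTP request."""
    # URL Filtering is only activated for connections the Security Policy accepts.
    if not accepted_by_security_policy:
        return "drop", "rejected by Security Policy"
    # Sources on the Network Exceptions List bypass URL Filtering.
    src = ip_address(src_ip)
    if any(src in ip_network(n) for n in policy.network_exceptions):
        return "allow", "network exception"
    # No database until the first signature update: policy is not enforced.
    if policy.database is None:
        return "allow", "no database, not enforced"
    # The Allow List wins even when a matching category is blocked.
    if host in policy.allow_list:
        return "allow", "allow list"
    # Assumption: the Block List is consulted before categories.
    if host in policy.block_list:
        return "block", "block list"
    # One blocked category among several matches is enough to deny.
    hit = policy.database.get(host, set()) & policy.blocked_categories
    if hit:
        return "block", "category: " + ", ".join(sorted(hit))
    return "allow", "no blocked category"

# Constructed sample data (not from the thread).
SAMPLE = WebFilterPolicy(
    network_exceptions=["10.0.9.0/24"],
    blocked_categories={"gambling"},
    allow_list={"ok.example"},
    database={"ok.example": {"news", "gambling"},
              "bet.example": {"gambling", "sports"}},
)

if __name__ == "__main__":
    for src, host in [("10.0.1.5", "bet.example"), ("10.0.1.5", "ok.example"),
                      ("10.0.9.7", "bet.example")]:
        print(src, host, decide(SAMPLE, src, host))
```

The "no database, not enforced" branch is the one to watch during a migration: until the first signature update completes, every request in this model is allowed.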
Bhailu Mistry

ASKER

Thanks for the feedback.

If I want only a test machine (machine A) to go through CP URLF and the rest of the traffic passing through the firewall should continue going the usual route to Websense for URL filtering, how can I achieve that?

I've already set unrestricted access for test machine A on Websense.
ASKER CERTIFIED SOLUTION
btan

Create an account to see this answer
I'm getting these two errors:

Update failed. Gateway can not access internet ('https://secureupdates.checkpoint.com/appi/v3_1_0/gw/Version'). Check connectivity and proxy settings.

Internal error occurred, could not connect to 'cws.checkpoint.com:80'. Check proxy configuration on the gateway.

I checked the firewall rules, and it's in place to allow the update.
Kindly see this "Troubleshooting" section, as it seems to be a similar case to your error; the update failed because the DNS server is likely not configured yet: https://integratingit.wordpress.com/2013/05/27/configuring-check-point-application-control/

Also check out this, as it is likely a connectivity issue:
Check the following:

Check DNS configuration on the Security Gateway (if a Proxy Server is used to access the Internet, and that Proxy Server has configured DNS settings, then DNS settings on the Security Gateway are not necessary).

Check Proxy configuration on the Security Gateway.

Connectivity from the Security Gateway:

[Expert@GW]# curl_cli http://cws.checkpoint.com/AntiVirus/SystemStatus/type/short 

This link should always be available and should always return a "true" value:
<?xml version="1.0" encoding="UTF-8"?><response><allSystemsOK>true</allSystemsOK></response>
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk64162
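
An added example, not part of the thread or of Check Point's tooling: the checklist above expressed as an ordered triage in Python, so the first failing check (DNS, connectivity, or an unexpected response body) is named explicitly. The function names and the injectable `resolver`/`fetcher` parameters are hypothetical; the status URL and expected XML are the ones quoted above, and the script is assumed to run from a host that shares the gateway's outbound path.

```python
# Added illustration: the checklist above as an ordered triage.
# Helper names are hypothetical; this is not a Check Point tool.
import socket
import urllib.request
import xml.etree.ElementTree as ET

STATUS_HOST = "cws.checkpoint.com"
STATUS_URL = "http://cws.checkpoint.com/AntiVirus/SystemStatus/type/short"

def resolve(host):
    """True if the local resolver returns at least one address for host."""
    try:
        return bool(socket.getaddrinfo(host, 80))
    except socket.gaierror:
        return False

def fetch(url, proxy=None, timeout=10):
    """GET url, optionally via an HTTP proxy URL; return the body as text."""
    # An empty mapping disables any proxy picked up from the environment.
    handler = urllib.request.ProxyHandler({"http": proxy} if proxy else {})
    opener = urllib.request.build_opener(handler)
    with opener.open(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")

def all_systems_ok(body):
    """True only when the status XML carries <allSystemsOK>true</allSystemsOK>."""
    try:
        node = ET.fromstring(body).find("allSystemsOK")
    except ET.ParseError:
        return False
    return node is not None and (node.text or "").strip().lower() == "true"

def triage(proxy=None, resolver=resolve, fetcher=fetch):
    """Walk the checks in order and name the first one that fails."""
    # With a proxy that has its own DNS, local resolution is not required.
    if proxy is None and not resolver(STATUS_HOST):
        return "dns: cannot resolve " + STATUS_HOST
    try:
        body = fetcher(STATUS_URL, proxy)
    except OSError as exc:  # URLError and socket errors derive from OSError
        route = "proxy " + proxy if proxy else "direct route"
        return "connectivity: request via %s failed (%s)" % (route, exc)
    if not all_systems_ok(body):
        return "response: body is not the expected allSystemsOK=true XML"
    return "ok"

if __name__ == "__main__":
    print(triage())  # pass proxy="http://host:port" when a proxy is in use
```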
Tried this yesterday and it didn't work.

DNS is configured on the security management server that manages the gateway cluster I'm enabling APCL & URLF on. So I believe the security gateway doesn't require DNS settings. Correct me if I'm wrong.
As in the previous post, if there is already a proxy existing with DNS configured, then configuring DNS on your gateway is not necessary. But for any device, interpreting cws.checkpoint.com still needs to be done. If curl did not work, then DNS likely failed; more possible errors are in
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk74040