Enabling Application & URL Filtering on Checkpoint and disabling URL filtering on Websense

We're using Websense for URL filtering and moving to Checkpoint advanced blade for filtering. I'm planning to enable Application and URL filtering on a Checkpoint security gateway and disable URL filtering on Websense server. I have a procedure on setting up the required URL filtering policies and creating required applications/Sites for monitoring.

My question is, would enabling Application and URL filtering on Checkpoint start filtering the URL? or does it require a special rule on firewall? There is already a rule in place for outbound internet traffic.

I guess as firewall is hit first, enabling URLF should start filtering internet traffic before it reaches Websense server.

Please advise.
Thanks in advance
Bhailu MistryAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
For App & URL filtering (Or URLF per se), you should be able to enforce the filtering once it is installed and action is configured in the rule for logging or inform or other. Key its status in the rule line must have it stated yes for install. Before that make sure a DNS has been configured in the environment. The installation is in found General Properties > Network Security tab, which you enable the URL Filtering. Thereafter you can start creating the rule and necessary objects for the rules...

URL filtering can still work as in the filtering in legacy and likewise it also need to be enabled. For legacy URL Filtering on Security Gateway versions earlier than R75.20, you will do it on the Firewall tab, double-click the required Security Gateway network object. Go into Other > More Settings  and enable Legacy URL Filtering. This is its working in summary
When a URL request arrives at a local machine, the machine checks the Network Exceptions List to determine whether to enforce the URL Filtering policy. The URL Filtering policy is activated if the connection is accepted by the Security Policy. If the URL Filtering policy is enforced, the URL header is stripped and the address is sent to the Web Filter engine.

The URL is allowed or blocked based on URL request information in the predefined database and/or the Web Filter Allow/Block Lists. For example, if the URL address matches two or more categories, and one of them is blocked, the URL address is denied, however, if the same address appears in the Allow List it is accepted.
But be wary of the legacy setting as below
During installation of the Web Filter engine, no default database is installed; therefore, the Web Filtering policy is not enforced until a signature update is performed. The first update may take a long time, depending on your environment. Subsequent updates should take significantly less time, as only incremental information is downloaded
https://sc1.checkpoint.com/documents/R77/CP_R77_ApplicationControlURLFiltering_WebAdminGuide/73834.htm#o103281

In CP, for URL filtering, the main flow is to go to the local cache to see if the data is already there. If the category data is not in the cache, it checks the local database for the URL category. And specifically for application control and URL filtering, if the URL is suspected to be a widget or the category data is not in the cache, the CP gateway will access the Check Point Online Web Service too provided it is online accessible.

But do note, the below for App & URL filtering
in some cases, the category data in the Application and URL Filtering Database for a URL is not applicable for your organization. You can use the override categorization option to update the category and risk definitions of a URL. This definition overrides the information in the Application and URL Filtering Database and the responses received from the Check Point Online Web Service. The Rule Base will use the newly specified categorization when matching rules with URLs.
You can find reference online in https://sc1.checkpoint.com/documents/R76/CP_R76_AppControl_WebAdmin/60902.htm
Bhailu MistryAuthor Commented:
Thanks for the feedback.

If I want only test machine (machine A) to go through CP URLF and rest of the the traffic passing through the firewall should continue going the usual route to Websense for URL filtering, how can I achieve that?

I've already set unrestricted access for test machine A on Websense.
btanExec ConsultantCommented:
For the URL filtering policy apply in the rule, the first rule is likely to be the source as machA (traffic originates) to dest (traffic going to) for the specific categories you allow or will want to block. Second rule having the Any to Any for Any Recognized in the "Applications/Sites".  See this ref for more info on the config https://sc1.checkpoint.com/documents/R76/CP_R76_AppControl_WebAdmin/60902.htm

For Legacy URL filtering ( earlier than R75.20 ), you need to check out the Advanced > Network Exceptions to create a list of the networks connections through which traffic should not be inspected or in order to enforce URL Filtering on all Web traffic. Network Exceptions works according to a source and destination Rule Base and does not use the URL Filtering engine. See this for more details https://sc1.checkpoint.com/documents/R76/CP_R76_AppControl_WebAdmin/73834.htm

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
IT Pros Agree: AI and Machine Learning Key

We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.

Bhailu MistryAuthor Commented:
I'm getting this two errors:

Update failed. Gateway can not access internet ('https://secur eupdates.checkpoint.com/appi/v 3_1_0/gw/Version'). Check connectivity and proxy settings.

Internal error occurred, could not connect to 'cws.checkpoint.com:80'. Check proxy configuration on the gateway.

I checked firewall rules, and its in place to allow the update
btanExec ConsultantCommented:
kindly see this "Troubleshooting" section as it seems to be the similar case to your error, the update failed because the DNS server is likely not configured yet  https://integratingit.wordpress.com/2013/05/27/configuring-check-point-application-control/

also check out this as likely it is connectivity issue
Check the following:

Check DNS configuration on the Security Gateway (if a Proxy Server is used to access the Internet, and that Proxy Server has configured DNS settings, then DNS settings on the Security Gateway are not necessary).

Check Proxy configuration on the Security Gateway.

Connectivity from the Security Gateway:

[Expert@GW]# curl_cli http://cws.checkpoint.com/AntiVirus/SystemStatus/type/short 

This link should always be available and should always return a "true" value:
<?xml version="1.0" encoding="UTF-8"?><response><allSystemsOK>true</allSystemsOK></response>
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk64162
Bhailu MistryAuthor Commented:
Tried this yesterday and It didn't work.

DNS is configured on the security management server that manages the gateway cluster I'm enabling APCL & URLF on. So I believe, security gateway doesn't requires DNS settings. Correct me if I'm wrong.
btanExec ConsultantCommented:
As in prev post if there is a proxy already existing with DNS configure then your gateway to configure DNS is not necessary. But for any device to interpret the cws.checkpoint.com still needs to be done. if curl did not work then DNS likely failed, more errors possible in
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk74040
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Network Security

From novice to tech pro — start learning today.