[FW1] Firewall-1 and Websense Version 4.X
All;

Over the past few days we have seen a variety of posts on this list covering the subject of Websense and Checkpoint Firewall-1. We thought that a general post that covers the topics outlined in the previous emails would be of benefit to the list, sharing information about the cause of these issues and what is being done by both Websense and Check Point to address them.

Websense and FW-1 V4.X

Quick Background:
-----------------
Version 4.X of Websense uses the new URL Filtering Protocol (UFP) enhancements that allow us to have more control over the decision making process of filtering, logging, and redirecting. Unlike in our V3 version of Websense, this new version of the (UFP) protocol mandates that we compile our code with the OPSEC libraries that Checkpoint provides to us.

UFP Issues:
------------
Any version of Firewall-1 that uses the new OPSEC libraries may have an issue where you will see messages: "Cannot connect to UFP Server". This is a bug in the UFP libraries that we need to compile with in order to use the new UFP enhancements. Check Point has confirmed this to be a bug in the UFP libraries and is working on the fix for release V4.1 SP3.

Performance problems with HTTP Security Server:
-----------------------------------------------
When you add a resource to the rulebase in Firewall-1 you invoke the HTTP Security Server to handle the HTTP traffic. This part of the Firewall hands off the resource-based traffic to the invoked rule and sends it over the UFP to the OPSEC partner. We have seen issues where in large environments the Firewall will become bogged down with requests. You will notice that a spawned fw.exe and/or the in.ahttpd process will take a lot of the Firewall's resources, while the Websense processes do not. There are a couple of ways to help this.

#1) Use multiple instances of the HTTP security server from the fwauthd.conf (each security server can only handle 1024 File Descriptors. Adding more has helped us in many larger installations).

#2) UFP Caching. With the newest versions of Firewall-1, there is a set of new options when adding a UFP Server called "UFP Caching". This is included in versions 4.1 SP2 and above. Websense is supporting this in our newest upcoming release, Websense Enterprise v4.2.4, Firewall-1 Edition, which is currently in beta. With this feature the Firewall will cache responses from the OPSEC vendor and alleviate the need for the HTTP security server to pass the traffic to Websense. Although still in beta, we are seeing great results in our load testing with this feature.

#3) Websense Technical Support
------------------------------
Websense Technical Support has recognized our increase in call volume which has had a direct effect on overall service to our customers. Websense Technical Support is committed to offering the best level of service and support possible. We have identified resource allocation improvements along with restructuring Technical Support to improve our level of responsiveness and overall customer service experience. Among the new improvements the customer will see are:

* Call routing to specific teams based on product platform and expertise
* Decreases in hold time
* Faster response on call-backs
* More detailed online Knowledge Base

Thanks
---------------------
Dan Hubbard
Websense Inc.
San Diego, CA