Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [FW1] Firewall-1 and Websense Version 4.X

To: "Dan Hubbard" <[email protected]>, <[email protected]>
Subject: RE: [FW1] Firewall-1 and Websense Version 4.X
From: "Marc Jacquard" <[email protected]>
Date: Thu, 14 Dec 2000 08:26:54 -1000
Importance: Normal
In-reply-to: <[email protected]>
Sender: [email protected]

Dan,

I just wanted to let you know that when I called, all I got was an answering
machine.  Then I did not receive a call back.  I had to send email to even
get a response from your company.  That does not sound like improved service
to me.

I just wanted to let you know that I am less than impressed with the
support.  Many others have expressed deep dis-satisfaction on this list with
the support they receive from your company.

Best regards,

Marc Jacquard
SR. Systems Engineer (CCSA)
Fujitsu America, INC.
Hilo Office
email: [email protected]
Telephone:Pager:-----Original Message-----
From: [email protected]
[mailto:[email protected]]On Behalf Of Dan
Hubbard
Sent: Thursday, December 14, 2000 5:18 AM
To: [email protected]
Subject: [FW1] Firewall-1 and Websense Version 4.X



All;

Over the past few days we have seen a variety of posts on this list covering
the subject of Websense and Checkpoint Firewall-1. We thought that a general
post that covers the topics outlined in the previous emails would be of
benefit
to the list and  sharing information about the cause of these issues and
what
is being done by both Websense and Check Point to address them.

Websense and FW-1 V4.X

Quick Background:
-----------------

Version 4.X of Websense uses the new URL Filtering Protocol (UFP)
enhancements
that allow us to have more control over the decision making process of
filtering, logging, and redirecting. Unlike in our V3 version of Websense,
this
new version of the (UFP) protocol mandates that we compile our code with the
OPSEC libraries that Checkpoint provides to us.

UFP Issues:
------------

Any version of Firewall-1 that uses the new OPSEC libraries may have an
issue
whereas you will see messages: "Cannot connect to UFP Server". This is a
bug in
the UFP libraries that we need to compile with in order to use the new UFP
enhancements.

Check Point has confirmed this to be a bug in the UFP libraries and is
working
on the fix for release V4.1 SP3.

Performance problems with HTTP Security Server:
-----------------------------------------------

When you add a resource to the rulebase in Firewall-1 you invoke the HTTP
Security Server to handle the HTTP traffic. This part of the Firewall hands
of
the resource based traffic to the invoked rule and send it over the UFP to
the
OPSEC partner.

We have seen issues whereas in large environments the Firewall will become
bogged down with requests. You will notice that a spawned fw.exe and/or the
in.ahhptd process will take a lot of the Firewalls resources, while the
Websense processes do not.

There are a couple ways to help this.

#1) Use multiple instances of the HTTP security server from the fwauthd.conf
(each security server can only handle 1024 File Descriptors. Adding more has
helped us in many larger installations).

#2) UFP Caching. With the newest versions of Firewall-1, their is a set of
new
options when adding a UFP Server called "UFP Caching". This is included in
versions 4.1 SP2 and above. Websense is supporting this in our newest
upcoming
release, Websense Enterprise v4.2.4, Firewall-1 Edition, which is currently
in
beta.

With this feature the Firewall will cache responses from the OPSEC vendor
and
alleviates the need for the HTTP security server to pass the traffic to
Websense. Although still in beta, we are seeing great results in our load
testing with this feature.

#3) Websense Technical Support
------------------------------
Websense Technical Support has recognized our increase in call volume which
has
had a direct effect on overall service to our customers. Websense Technical
Support is committed to offering the best level of service and support
possible. We have identified resource allocation improvements along with
restructuring Technical Support to improve our level of responsiveness and
overall customer service experience.

Among the new improvments the customer will see are :

* Call routing to specific teams based on product platform and expertise
* Decreases in hold time
* Faster response on call-backs
* More detailed online Knowledge Base

Thanks


---------------------
Dan Hubbard
Websense Inc.
San Diego, CA


============================================================================
====
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
============================================================================
====



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

References:
- [FW1] Firewall-1 and Websense Version 4.X
  - From: Dan Hubbard <[email protected]>

Prev by Date: RE: Round 2 RE: [FW1] oh so frustrating IKE VPN problem
Next by Date: Re: [FW1] Nokia IP330 & IPX
Previous by thread: [FW1] Firewall-1 and Websense Version 4.X
Next by thread: [FW1] FTP problem
Index(es):
- Date
- Thread