Thanks to OPSEC.  Your insight was the key to solving our mystery.

Jim Previti
Network Management Supervisor
Fiserv, Inc.
701 Market Street
Philadelphia, PA 19106
215-413-4963



        [EMAIL PROTECTED]
        10/18/2002 08:38 PM
        Please respond to FW-1-MAILINGLIST

                 To: [EMAIL PROTECTED]@FiservMail
                 cc: (bcc: James J. Previti/Telecom/Philadelphia/Fiserv)
                 Subject: Re: [FW-1] Websense

Sorry Egonle,

It's not in the current UFP protocol to send HTTPS to us.  If your users
have their browsers proxied to the FireWall, it can send us FTP, but that's
as far as it currently goes.  As far as filtering other HTTP ports... I
believe it is possible depending on the version of FW-1 that you're running.
Phoneboy has a quick article about that here at
http://www.phoneboy.com/faq/0135.html

-----Original Message-----
From: egonle [mailto:egonle@;NETSCAPE.NET]
Sent: Friday, October 18, 2002 2:16 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Websense


Hi,

is there also a way to use the Websense-UFP protocol to filter HTTPS (not
http) requests? How about filtering http access to webservers which use port
81,85,8080 or anything else?

If yes, how can this be done?


Regards,
Egonle

[EMAIL PROTECTED] wrote:

>Jim,
>
>Remember that when you implement a HTTP Resource rule, such as the one used
>to integrate with Websense, the FireWall shifts to using the HTTP Security
>Server to handle the requests.  One primary thing about the HTTP Security
>Server is that it ignores any NAT rules you might have and alters the
>request so that the source IP address is the external IP of the FireWall
>itself.  If you've set your rules to deny any requests destined for the
>external IP, then the return HTTP requests will be blocked.  So, your
>stealth rule needs to follow after the HTTP rules in order to get this to
>work.  You may also need to check your routing as well since this is a high
>availability situation.
>
>-----Original Message-----
>From: Previti, James [mailto:James.Previti@;FISERV.COM]
>Sent: Wednesday, October 16, 2002 8:26 AM
>To: [EMAIL PROTECTED]
>Subject: [FW-1] Websense
>
>
>We have a Checkpoint Firewall1 fail-over pair (v4.1sp5a) we are trying to
>integrate with Websense (v4.4) to filter Web traffic.  The Checkpoint platform
>is Nokia IP440 and the Websense platform is Windows 2000.  After following the
>documentation and setting up Websense and the corresponding firewall objects
>and rules and testing, we found that the firewall is passing traffic to the
>web but no access can be established.  If anyone has seen similar behavior I
>would like to hear about it.
>
>Thanks,
>
>Jim Previti
>Network Management Supervisor
>
>=================================================
>To set vacation, Out Of Office, or away messages,
>send an email to [EMAIL PROTECTED]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[EMAIL PROTECTED]
>=================================================
>

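The ordering advice in the quoted reply (stealth rule after the HTTP resource rules), as an added example that is not part of the original thread: a lint over an ordered rulebase that flags HTTP resource rules sitting below a stealth rule and proposes a corrected order. The rule fields, object names and the `websense-ufp` resource name are constructed for illustration and are not FireWall-1's own rulebase format.

```python
from dataclasses import dataclass

FIREWALL = "fw-external"  # constructed object name for the firewall's external IP

@dataclass
class Rule:
    num: int
    src: str
    dst: str
    service: str
    action: str          # "accept", "drop" or "reject"
    resource: str = ""   # name of an HTTP resource (e.g. a UFP server); empty if none
    enabled: bool = True

def is_stealth(rule):
    """Stealth rule: drops anything addressed to the firewall itself."""
    return (rule.action in ("drop", "reject") and rule.src == "any"
            and rule.dst == FIREWALL and rule.service == "any")

def uses_http_resource(rule):
    """Rule that hands HTTP to the Security Server through a resource."""
    return rule.action == "accept" and rule.service == "http" and bool(rule.resource)

def find_shadowed_resource_rules(rulebase):
    """Return (stealth_num, resource_num) pairs where the stealth rule comes first."""
    findings, first_stealth = [], None
    for rule in sorted(rulebase, key=lambda r: r.num):
        if not rule.enabled:
            continue  # disabled rules are never evaluated, so they cannot conflict
        if first_stealth is None and is_stealth(rule):
            first_stealth = rule.num
        elif first_stealth is not None and uses_http_resource(rule):
            findings.append((first_stealth, rule.num))
    return findings

def suggest_order(rulebase):
    """Move late HTTP resource rules directly above the first stealth rule."""
    ordered = sorted(rulebase, key=lambda r: r.num)
    idx = next((i for i, r in enumerate(ordered) if r.enabled and is_stealth(r)), None)
    if idx is None:
        return [r.num for r in ordered]
    late = [r for r in ordered[idx + 1:] if r.enabled and uses_http_resource(r)]
    rest = [r for r in ordered if r not in late]
    pos = rest.index(ordered[idx])
    return [r.num for r in rest[:pos] + late + rest[pos:]]

# Constructed sample rulebase showing the layout the reply warns about.
BROKEN = [
    Rule(1, "admin-hosts", FIREWALL, "ssh", "accept"),
    Rule(2, "any", FIREWALL, "any", "drop"),                           # stealth rule
    Rule(3, "internal-net", "any", "http", "accept", "websense-ufp"),  # HTTP resource rule
    Rule(4, "internal-net", "any", "any", "accept"),
    Rule(5, "any", "any", "any", "drop"),                              # cleanup rule
]
```

On the constructed sample, `find_shadowed_resource_rules(BROKEN)` reports rule 3 below stealth rule 2, and `suggest_order(BROKEN)` places rule 3 above it.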



