Dear Websense / FW sufferers...

Since there exists this unfixable Checkpoint security server problem within Checkpoint software.... Has anyone implemented a Cisco Caching 5X0 engine and Websense combination for content checking and URL filtering? Marketing folks tell me that this combo will not suffer the fate of sluggish Websense performance, since it works independently of the FW! I would appreciate some feedback and am willing to exchange my own experiences.

Yours truly...
[EMAIL PROTECTED]

[FW1] Firewall-1 with UFP version of Websense: SOMEBODY FIX IT!
Forum: [FW1] Is fw-1 V4 in.httpd just a dog or is it me?
Date: Feb 23, 13:06
From: <[EMAIL PROTECTED]>

> I'm doing client auth and websense, therefore fw-1 is proxying all http for
> my internal users (except those browsing from the DMZ). During heavy
> utilization times, users browsing from the DMZ still get great response, but
> users in the internal network get terrible response - 15 to 20 seconds to load
> just about any site.

Websense/UFP with Checkpoint is your problem. Websense will assure you the problem is Firewall-1's httpd handler. Firewall-1 will assure you it's not. All I can tell you is that there is a long and well-documented history that shows that people who use Websense locally on their Firewall-1 systems will get lousy response times on certain types of documents.

We use Websense to block "naughty" or "criminal" sites (as defined by a committee composed of our HR and Auditing department staff). We rely entirely on the judgement of Websense, and encourage our users who have issues to appeal to Websense, who is VERY responsive to changing its database to comply with its own rules. Because of this, once we know that a site is not a "violator" of these rules, we are willing to let Websense not check it. For instance, we know that Novell's technical support database does not have a porn section. (If it does, please don't tell my users! 8-)

Since Firewall-1 is unwilling or unable to fix this problem, what we do locally is have a "first rule" on the web site that says:

    any -- known good -- http -- allow -- log
    exempted users -- web-sense categories -- http -- allow -- log
    normal users -- web-sense "bad" categories -- http -- block -- log

So all of our users who want to do web stuff with "known good" sites do so without ever hitting the Websense rule.

We haven't been able to nail down what type of sites cause problems. One theory I've heard is that it's only sites using "newer" HTML commands. Not sure, but from our experience, almost every site where you have to log in to a secure site will die on you. Almost every site where you're searching a documents database (such as our tax sites, our petrol database sites, Novell's tech support site, Microsoft's tech support site) will die on you.

We actually get fairly good response time from most sites even with Websense, but those sites where there are going to be problems become VERY big problems, and on a server with limited memory, I'm sure that would have a profound impact on ALL your traffic. (We run on a 512MB of RAM 200 MHz Pentium -- during times when someone was loading a "troubled" site, memory usage routinely went to 100% when we were at 256MB, which made response time suck, across the board. Moving to 512MB helped that significantly.)

We try to identify trouble sites and move them to our "known good" group proactively, but frankly it comes mostly from our users. We found that by putting the "troubled" site in our group "known good sites", and bypassing Websense by checking that rule first, our response times went in some cases from 5-20 minutes (and in other cases NO response) to less than 10 seconds, and we almost never get "global slow-down".

I still wish Checkpoint would issue a patch or resolution. If anyone has got anything out of them that fixes this problem, PLEASE let me know!

Websense has washed their hands and referred the problem to Checkpoint. In case anyone from Checkpoint actually pays attention to this mailing list, my Tracking Number on this problem is TT24961. I've given up calling about it. It seemed to do no good. I am a Gold Support Customer.

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
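As an added illustration (not part of either poster's message), here is a small first-match model of the three-rule ordering the reply describes, counting how often each order sends a request to the Websense/UFP category server. The host names, user names, category database and the trailing allow-everything-else rule are constructed assumptions, not values from the thread.

```python
"""Added example (not from the posts): first-match model of the rule ordering
described above, counting how often the Websense/UFP category server is hit."""
from typing import Callable, List, Tuple

# Constructed stand-ins for the UFP category database and the group names.
UFP_DB = {"support.novell.com": "technology", "casino.example": "gambling"}
BAD_CATEGORIES = {"gambling", "adult"}
KNOWN_GOOD = {"support.novell.com"}   # sites trusted enough to skip Websense entirely
EXEMPT_USERS = {"auditor"}            # users allowed into any category

Rule = Tuple[str, Callable[[str], bool], Callable[[str], bool], str]

class Gateway:
    """Evaluates HTTP rules top-down; first match wins, as in Firewall-1."""

    def __init__(self) -> None:
        self.ufp_lookups = 0

    def category(self, host: str) -> str:
        # One UFP round trip per call: these are the calls the thread blames
        # for the slowdown, so the model counts them.
        self.ufp_lookups += 1
        return UFP_DB.get(host, "uncategorized")

    def rules(self, bypass_first: bool) -> List[Rule]:
        known_good: Rule = ("known good", lambda u: True, lambda h: h in KNOWN_GOOD, "allow")
        exempt: Rule = ("exempt users", lambda u: u in EXEMPT_USERS,
                        lambda h: bool(self.category(h)), "allow")  # any category, lookup still happens
        bad: Rule = ("bad categories", lambda u: True,
                     lambda h: self.category(h) in BAD_CATEGORIES, "block")
        rest: Rule = ("other http", lambda u: True, lambda h: True, "allow")  # assumed clean-up rule
        order = [known_good, exempt, bad] if bypass_first else [exempt, bad, known_good]
        return order + [rest]

    def decide(self, user: str, host: str, bypass_first: bool = True) -> Tuple[str, str]:
        for name, src, dst, action in self.rules(bypass_first):
            if src(user) and dst(host):   # source first, so non-matching users cost no lookup
                return action, name
        raise AssertionError("unreachable: the clean-up rule always matches")

def lookups_for(requests: List[Tuple[str, str]], bypass_first: bool) -> Tuple[int, List[Tuple[str, str]]]:
    """Replay constructed traffic through one rule order; return UFP hits and decisions."""
    gw = Gateway()
    decisions = [gw.decide(user, host, bypass_first) for user, host in requests]
    return gw.ufp_lookups, decisions

if __name__ == "__main__":
    traffic = [("alice", "support.novell.com")] * 3 + [("alice", "casino.example"), ("auditor", "casino.example")]
    print(lookups_for(traffic, bypass_first=False))  # (5, ...): every request reaches the UFP server
    print(lookups_for(traffic, bypass_first=True))   # (2, ...): known-good traffic never does
```

Both orders reach the same allow/block decisions; the difference is only in how many requests still depend on the UFP server, which is exactly the trade the reply makes by trusting the "known good" group without checking it.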
