topic Re: EndPoint Security URL Filtering in Endpoint

EndPoint Security URL Filtering

Juan_Concepcion — Thu, 29 Mar 2018 22:17:41 GMT

URL Filtering for Endpoint Security. Presently this is how it's accomplished which is daunting and unmanageable when is this slated to be fixed:

Note: This procedure needs to be repeated after every URL filtering policy change.

Configuring URL Filtering - One-computer deployment

To prepare to deploy the URL Filtering blade as part of Endpoint Security clients:

Install an R75.40 Security Gateway (R75.40 only). Can be a Virtual Machine.
Connect with SmartDashboard to the Security Management Server.
Open the R75.40 Security Gateway object properties.
Enable the URL Filtering blade - click on OK.
Go to the Application & URL Filtering tab - in the left tree, click on Policy - define the relevant rules.
Install the security policy on the R75.40 Security Gateway.
Connect to the command line on the Security Management Server.
Log in to the Expert mode.
Run one of these commands to fetch the URL Filtering into the Endpoint policy:
- [Expert@HostName:0]# eps_policy_fetcher fetchlocal -g <Name of Security Gateway object>
  For example, eps_policy_fetcher fetchlocal -g GW1
- [Expert@HostName:0]# eps_policy_fetcher fetchlocal -d $FWDIR/state/<Name of Security Gateway object>/FW1
  For example, eps_policy_fetcher fetchlocal -d $FWDIR/state/GW1/FW1/
Connect with SmartEndpoint GUI to the Endpoint Security Server.
Go to the Policy tab.
In the URL Filtering rule, make sure that there is an indication that the Security Gateway policy is available for endpoints.
Example:

Configuring URL Filtering - Distributed deployment

To prepare to deploy the URL Filtering blade as part of Endpoint Security clients:

Connect with SmartDashboard to the Security Management Server.
Open the R75.40 Security Gateway object properties.
Note: Install an R75.40 Security Gateway (R75.40 only). Can be a Virtual Machine.
Enable the URL Filtering blade - click on OK.
Go to the Application & URL Filtering tab - in the left tree, click on Policy - define the relevant rules.
Install the security policy on the R75.40 Security Gateway.
Copy all the files from the $FWDIR/state/<Name of Security Gateway object>/FW1/ directory on the Security Management Server to the $FWDIR/state/__tmp/FW1/directory on the Endpoint Security Management Server.
Important Note: If you copy these files via a Windows-based computer, then after transferring them to the Endpoint Security Management Server, it is necessary to run the following command:
dos2unix $FWDIR/state/__tmp/FW1/*
Connect to the command line on the Endpoint Management Server.
Log in to the Expert mode.
Run the following command to fetch the URL Filtering into the Endpoint policy:
[Expert@HostName:0]# eps_policy_fetcher fetchlocal -d $FWDIR/state/__tmp/FW1
Connect with SmartEndpoint GUI to the Endpoint Security Server.
Go to the Policy tab.
In the URL Filtering rule, make sure that there is an indication that the Security Gateway policy is available for endpoints.

Re: EndPoint Security URL Filtering

PhoneBoy — Fri, 30 Mar 2018 22:53:15 GMT

One comment: the R75.40 gateway object needs to exist, but the R75.40 gateway itself need not be installed.

This just provides an acceptable target to compile the policy that is pushed to the Endpoint clients.

Either way, this does mean that you need to account for this dummy gateway object in your licensing (managed gateways).

If you exceed your licensed managed gateways as a result, your account team should be able to assist.

Re: EndPoint Security URL Filtering

Juan_Concepcion — Fri, 30 Mar 2018 23:03:07 GMT

Still requires cli process also correct??

Thanks,

Juan Concepcion

Re: EndPoint Security URL Filtering

PhoneBoy — Fri, 30 Mar 2018 23:04:07 GMT

Yes, the rest of the process is still required.

Re: EndPoint Security URL Filtering

Steve_Lander — Mon, 02 Apr 2018 15:22:57 GMT

We have tried configuring and enabling the Endpoint URL Filtering policy using that SK article and also speaking with TAC, but it pretty much broke a lot of websites. As of now we have it disabled until this blade gets updated.

Has anyone been successful in enabling their URL Filtering policy?

I would also like to know when an updated release of the Endpoint URL Filtering will be.

Thank You

Re: EndPoint Security URL Filtering

Juan_Concepcion — Wed, 04 Apr 2018 20:00:33 GMT

Customer I was working with decided to route all traffic through gateway when folks were connected via VPN from a company asset.

Re: EndPoint Security URL Filtering

Gaurav_Pandya — Sun, 08 Apr 2018 10:10:44 GMT

Yes correct. To be affective of any feature like URL filtering, App control etc.. for remote VPN users, Traffic should route through Gateway.

Re: EndPoint Security URL Filtering

Ricardo_Sanchez — Mon, 05 Nov 2018 18:43:13 GMT

I was able to configure as the process distribuited deployment and it works!! My schema it's Security Management-Network Gateway and Endpoint Management-Dummygateway. The only one issue I have is the licensing because of the dummy gateway. Does someone know how to solve it? Or it's mandatory to acquire a new license for this?

Re: EndPoint Security URL Filtering

PhoneBoy — Mon, 05 Nov 2018 19:02:33 GMT

A license is required for managing the dummy gateway, yes.

Your local office should be able to provide this at no cost.

Re: EndPoint Security URL Filtering

Ricardo_Sanchez — Mon, 05 Nov 2018 19:09:27 GMT

Do you know if that should include the URL-Filtering license needed? Considering that it's just for install policies in dummy gateway and update database of URLs blocked on Endpoints.

Re: EndPoint Security URL Filtering

Lior_Arzi — Mon, 05 Nov 2018 19:14:51 GMT

For the dummy gateway, you can get the license for free. just contact your account manager/SE and they can provide it to you with no cost for this specific purpose.

but notice that the EP URLF itself is not part of the EP complete package and require a separate license.

Re: EndPoint Security URL Filtering

Ricardo_Sanchez — Mon, 05 Nov 2018 19:28:05 GMT

Thanks a lot for your help, I will check internally with the pre-sales department for contacting the account manager/SE.

Re: EndPoint Security URL Filtering

Niraj_Shah — Tue, 13 Nov 2018 19:17:01 GMT

Hi,

Running R80.20 MGMT, R8020 GW and R8020EP

I am not sure if this is supported based on the SK and that I need to go back to R77.30.03 for GW and EP along with MGMT

I have created the dummy object in the R8020 MGMT for a R75.40 GW and everything works except for installation of policy as it is giving a error for not having a SIC. Since it is a dummy object, and not a GW setup, with could have us setup SIC during installation. What is the process or am I missing something?

The rest seems start forward except the create of the object or set up a R75.40 GW server itself.

Re: EndPoint Security URL Filtering

PhoneBoy — Tue, 13 Nov 2018 22:04:51 GMT

You have to have to install a R75.40 gateway somewhere for this purpose.

It can be a VM and doesn't have to actually pass traffic.

That's indicated here: Installing and Configuring Endpoint Security URL Filtering

Re: EndPoint Security URL Filtering

Niraj_Shah — Tue, 13 Nov 2018 22:57:24 GMT

That is what I thought having read the Endpoint URL doc and SK article but your comment above made me second guess. Thanks for the clarification that it does need to be installed to push policy and fetch from.

***

One comment: the R75.40 gateway object needs to exist, but the R75.40 gateway itself need not be installed.
This just provides an acceptable target to compile the policy that is pushed to the Endpoint clients.

Either way, this does mean that you need to account for this dummy gateway object in your licensing (managed gateways).
If you exceed your licensed managed gateways as a result, your account team should be able to assist.

***

Re: EndPoint Security URL Filtering

PhoneBoy — Wed, 14 Nov 2018 13:54:40 GMT

My previous understanding was incorrect.

Apologies for the confusion.

Re: EndPoint Security URL Filtering

Eric_Oakeson — Fri, 30 Nov 2018 14:56:21 GMT

Great news Ricardo! What versions did you use for your successful deployment?

Re: EndPoint Security URL Filtering

Ricardo_Sanchez — Fri, 30 Nov 2018 18:14:15 GMT

I have Security Management R77.30.03, one dummy Security Gateway R75.40 version and endpoints E80.80 if I'm not wrong. I don't remember that exact version.

Re: EndPoint Security URL Filtering

Eric_Oakeson — Fri, 30 Nov 2018 19:15:31 GMT

Awesome thanks Ricardo! Would you mind shooting me an email at eoakeson@checkpoint.com so I can discuss some details with you?

Re: EndPoint Security URL Filtering

Ricardo_Sanchez — Fri, 30 Nov 2018 23:51:57 GMT

Sure!

Best regards.