cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question

EndPoint Security URL Filtering

URL Filtering for Endpoint Security.  Presently this is how it's accomplished which is daunting and unmanageable when is this slated to be fixed:

Note: This procedure needs to be repeated after every URL filtering policy change.

Configuring URL Filtering - One-computer deployment

To prepare to deploy the URL Filtering blade as part of Endpoint Security clients:

  1. Install an R75.40 Security Gateway (R75.40 only). Can be a Virtual Machine.
  2. Connect with SmartDashboard to the Security Management Server.

  3. Open the R75.40 Security Gateway object properties.

  4. Enable the URL Filtering blade - click on OK.

  5. Go to the Application & URL Filtering tab - in the left tree, click on Policy - define the relevant rules.

  6. Install the security policy on the R75.40 Security Gateway.

  7. Connect to the command line on the Security Management Server.

  8. Log in to the Expert mode.

  9. Run one of these commands to fetch the URL Filtering into the Endpoint policy:

    • [Expert@HostName:0]# eps_policy_fetcher fetchlocal -g <Name of Security Gateway object>

      For example, eps_policy_fetcher fetchlocal -g GW1
    • [Expert@HostName:0]# eps_policy_fetcher fetchlocal -d $FWDIR/state/<Name of Security Gateway object>/FW1

      For example, eps_policy_fetcher fetchlocal -d $FWDIR/state/GW1/FW1/
  10. Connect with SmartEndpoint GUI to the Endpoint Security Server.

  11. Go to the Policy tab.

  12. In the URL Filtering rule, make sure that there is an indication that the Security Gateway policy is available for endpoints.

    Example:

 

Configuring URL Filtering - Distributed deployment

To prepare to deploy the URL Filtering blade as part of Endpoint Security clients:

  1. Connect with SmartDashboard to the Security Management Server.

  2. Open the R75.40 Security Gateway object properties.

    Note: Install an R75.40 Security Gateway (R75.40 only). Can be a Virtual Machine.
  3. Enable the URL Filtering blade - click on OK.

  4. Go to the Application & URL Filtering tab - in the left tree, click on Policy - define the relevant rules.

  5. Install the security policy on the R75.40 Security Gateway.

  6. Copy all the files from the $FWDIR/state/<Name of Security Gateway object>/FW1/ directory on the Security Management Server to the $FWDIR/state/__tmp/FW1/directory on the Endpoint Security Management Server.

    Important Note: If you copy these files via a Windows-based computer, then after transferring them to the Endpoint Security Management Server, it is necessary to run the following command:
    dos2unix $FWDIR/state/__tmp/FW1/*

  7. Connect to the command line on the Endpoint Management Server.

  8. Log in to the Expert mode.

  9. Run the following command to fetch the URL Filtering into the Endpoint policy:

    [Expert@HostName:0]# eps_policy_fetcher fetchlocal -d $FWDIR/state/__tmp/FW1
  10. Connect with SmartEndpoint GUI to the Endpoint Security Server.

  11. Go to the Policy tab.

  12. In the URL Filtering rule, make sure that there is an indication that the Security Gateway policy is available for endpoints.

19 Replies
Admin
Admin

Re: EndPoint Security URL Filtering

One comment: the R75.40 gateway object needs to exist, but the R75.40 gateway itself need not be installed.

This just provides an acceptable target to compile the policy that is pushed to the Endpoint clients.

Either way, this does mean that you need to account for this dummy gateway object in your licensing (managed gateways).

If you exceed your licensed managed gateways as a result, your account team should be able to assist.

0 Kudos

Re: EndPoint Security URL Filtering

Still requires cli process also correct??

Thanks,

Juan Concepcion

0 Kudos
Admin
Admin

Re: EndPoint Security URL Filtering

Yes, the rest of the process is still required.

0 Kudos
Employee
Employee

Re: EndPoint Security URL Filtering

Hi,

Running R80.20 MGMT, R8020 GW and R8020EP

I am not sure if this is supported based on the SK and that I need to go back to R77.30.03 for GW and EP along with MGMT

I have created the dummy object in the R8020 MGMT for a R75.40 GW and everything works except for installation of policy as it is giving a error for not having a SIC. Since it is a dummy object, and not a GW setup, with could have us setup SIC during installation. What is the process or am I missing something?

The rest seems start forward except the create of the object or set up a R75.40 GW server itself.  

0 Kudos
Admin
Admin

Re: EndPoint Security URL Filtering

You have to have to install a R75.40 gateway somewhere for this purpose.

It can be a VM and doesn't have to actually pass traffic.

That's indicated here: Installing and Configuring Endpoint Security URL Filtering  

0 Kudos
Employee
Employee

Re: EndPoint Security URL Filtering

That is what I thought having read the Endpoint URL doc and SK article but your comment above made me second guess. Thanks for the clarification that it does need to be installed to push policy and fetch from. 

***

One comment: the R75.40 gateway object needs to exist, but the R75.40 gateway itself need not be installed.

This just provides an acceptable target to compile the policy that is pushed to the Endpoint clients.

 

Either way, this does mean that you need to account for this dummy gateway object in your licensing (managed gateways).

If you exceed your licensed managed gateways as a result, your account team should be able to assist.

***

0 Kudos
Admin
Admin

Re: EndPoint Security URL Filtering

My previous understanding was incorrect.

Apologies for the confusion. 

0 Kudos

Re: EndPoint Security URL Filtering

We have tried configuring and enabling the Endpoint URL Filtering policy using that SK article and also speaking with TAC, but it pretty much broke a lot of websites.  As of now we have it disabled until this blade gets updated.

Has anyone been successful in enabling their URL Filtering policy?

I would also like to know when an updated release of the Endpoint URL Filtering will be.  

Thank You

0 Kudos

Re: EndPoint Security URL Filtering

Customer I was working with decided to route all traffic through gateway when folks were connected via VPN from a company asset.

0 Kudos

Re: EndPoint Security URL Filtering

Yes correct. To be affective of any feature like URL filtering, App control etc.. for remote VPN users, Traffic should route through Gateway. 

Re: EndPoint Security URL Filtering

I was able to configure as the process distribuited deployment and it works!! My schema it's Security Management-Network Gateway and Endpoint Management-Dummygateway. The only one issue I have is the licensing because of the dummy gateway. Does someone know how to solve it? Or it's mandatory to acquire a new license for this?

0 Kudos
Admin
Admin

Re: EndPoint Security URL Filtering

A license is required for managing the dummy gateway, yes.

Your local office should be able to provide this at no cost.

0 Kudos

Re: EndPoint Security URL Filtering

Do you know if that should include the URL-Filtering license needed? Considering that it's just for install policies in dummy gateway and update database of URLs blocked on Endpoints.

0 Kudos
Employee+
Employee+

Re: EndPoint Security URL Filtering

For the dummy gateway, you can get the license for free. just contact your account manager/SE and they can provide it to you with no cost for this specific purpose.

but notice that the EP URLF itself is not part of the EP complete package and require a separate license.

0 Kudos

Re: EndPoint Security URL Filtering

Thanks a lot for your help, I will check internally with the pre-sales department for contacting the account manager/SE.

0 Kudos
Employee+
Employee+

Re: EndPoint Security URL Filtering

Great news Ricardo! What versions did you use for your successful deployment?

0 Kudos

Re: EndPoint Security URL Filtering

I have Security Management R77.30.03, one dummy Security Gateway R75.40 version and endpoints E80.80 if I'm not wrong. I don't remember that exact version.

0 Kudos
Employee+
Employee+

Re: EndPoint Security URL Filtering

Awesome thanks Ricardo! Would you mind shooting me an email at eoakeson@checkpoint.com so I can discuss some details with you?

0 Kudos

Re: EndPoint Security URL Filtering

Sure!

Best regards.

0 Kudos