Support Center > Search Results > SecureKnowledge Details
Installing and Configuring Endpoint Security URL Filtering
Solution

To use the Endpoint Security URL Filtering Software Blade, you must have a Network Security Management Server and Endpoint Security Management Server in one of these deployments:

  • One-computer deployment: Network Security Management Server and Endpoint Security Management Server are installed on the same computer.
  • Distributed deployment: Network Security Management Server and Endpoint Security Management Server are installed on different computers, and the URL Filtering R75.40 Gateway is managed by the Network Security Management Server.

Note: Install a R75.40 Security Gateway. Can be a Virtual Machine.

Configuring URL Filtering in R80.20 and above

Configuring the R75.40 Security Gateway Object

  1. Connect via SmartConsole to the Endpoint Security Management Server.
  2. Add the R75.40 Security Gateway object by selecting "New" and then "Gateway...". (Follow the wizard to add the Security Gateway object)

  3. Double-click on the created Security Gateway object, and under the "Network Security" section, select "Application Control" and "URL Filtering". Install policy on the Security Gateway afterwards.



    Note: If you are using only one network interface on the Security Gateway, you need to disable Anti-Spoofing before installing policy. Otherwise, policy installation will fail.
  4. Open the Security Gateway object, select 'Network Management > Edit > Modify...', and uncheck "Perform Anti-Spoofing based on interface topology". Click "OK".

Configuring URL Filtering policy

  1. In SmartConsole, click Security Policies.
  2. Right-click a layer in the Access Control Policy section and select "Edit Policy". The Policy window opens.

  3. In “Policy Types", uncheck “Threat Prevention".
  4. In the Access Control section, click the "+" sign, and select "New Layer...". The Layer Editor window opens and shows the "General" view. Note: URL Filtering requires 2 layers, the First for Network and the Second for URL Filtering.
  5. Enable "Application & URL Filtering" on the Layer.
    1.     Enter a name for the Layer (We recommend the name Application).
    2.     In the Blades section, select "Applications & URL Filtering" only.
    3.     Click "OK" and the Layer Editor window closes.
    4.     Click "OK" and the Policy window closes.
  6. Configure the URL Filtering policy layer, as needed, and install the policy.
    Notes:
    • It is required to configure at least one more rule to the default policy.
    • For any additional rules, except "Clean up", containing "Services and Applications" set Destination as Internet.



Important

  1. In "Security Policy", right-click on any policy under "Access Control" and then click "Edit Policy".
  2. In "Policy" window, click the  icon in the first layer and click on "Edit layer".
  3. In "Layer Editor" window, click on "Advanced".
  4. In "Implicit Cleanup Action" section, select "Drop". Click Ok.
  5. Open "Layer Editor" for the second layer (same as step 2).
  6. Click on "Advanced" and select "Accept" in "Implicit Cleanup Action" section. Click Ok.
  7. Install the policy again.

Note: If the policy installation fails with the following error, make sure that you performed the steps above.

 

For One-computer deployment: (Deploying URL Filtering to Endpoints)

  1. Connect to the command line on the Security Management Server.

  2. Login to the Expert mode.

  3. Run this command to fetch the URL Filtering into the Endpoint policy:

    • [Expert@HostName:0]# eps_policy_fetcher fetchlocal -g <Name of Security Gateway object>

      For example, eps_policy_fetcher fetchlocal -g GW1

    Note: Do not mind the "No such file or directory" messages.

  4. Connect with SmartEndpoint GUI to the Endpoint Security Server.

  5. Go to the Policy tab.

  6. In the URL Filtering rule, make sure that there is an indication that the Security Gateway policy is available for endpoints.

    Example:

Note: The "Deploying URL Filtering to Endpoints" steps needs to be repeated after every URL Filtering policy change.

 

For Distributed deployment: (Deploying URL Filtering to Endpoints)

  1. On the Management Security Server, copy all the files from the $FWDIR/state/<Name of Security Gateway object>/FW1/ folder.

  2. Copy the files to the $FWDIR/state/__tmp/FW1/ folder on the Endpoint Security Management server. If the FW1 folder does not exist on the Endpoint Security Management server, just create it and then copy the files. (Refer to the Appendix section.)

    Important note: If you copy these files via a Windows-based computer, then after transferring them to the Endpoint Security Management Server, it is necessary to run the following command:

    [Expert@HostName:0]# dos2unix $FWDIR/state/__tmp/FW1/*
  3. Open SSH to the Endpoint Security Server and switch to Expert mode.

  4. Run the following command to fetch the URL Filtering into the Endpoint policy:

    [Expert@HostName:0]# eps_policy_fetcher fetchlocal -d $FWDIR/state/<Name of Security Gateway object>/FW1

    For example, eps_policy_fetcher fetchlocal -d $FWDIR/state/GW1/FW1/

  5. Note: Do not mind the "No such file or directory" messages.

  6. Connect with SmartEndpoint to the Endpoint Security Server.

  7. Go to the Policy tab.

  8. In the URL Filtering rule, make sure that there is an indication that the Security Gateway policy is available for endpoints.

Note: This "Deploying URL Filtering to Endpoints" steps needs to be repeated after every URL Filtering policy change.


For R77.30.02 and R77.30.03

 

Configuring URL Filtering - One-computer deployment

To prepare to deploy the URL Filtering blade as part of Endpoint Security Client:

  1. Connect with SmartDashboard to the Security Management Server.

  2. Open the Security Gateway object properties.

    Note: Install an R75.40 Security Gateway (See Note below) . Can be a Virtual Machine.
  3. Enable the URL Filtering blade on the Security Gateway and click OK.

  4. Go to the Application & URL Filtering tab - in the left tree, click on Policy - define the relevant rules. 

  5. Install the security policy on the Security Gateway.

  6. Connect to the command line on the Security Management Server.

  7. Log in to the Expert mode.

  8. Run one of these commands to fetch the URL Filtering into the Endpoint policy:

    • [Expert@HostName:0]# eps_policy_fetcher fetchlocal -g <Name of Security Gateway object>

      For example, eps_policy_fetcher fetchlocal -g GW1
    • [Expert@HostName:0]# eps_policy_fetcher fetchlocal -d $FWDIR/state/<Name of Security Gateway object>/FW1

      For example, eps_policy_fetcher fetchlocal -d $FWDIR/state/GW1/FW1/
  9. Connect with SmartEndpoint GUI to the Endpoint Security Server.

  10. Go to the Policy tab.

  11. In the URL Filtering rule, make sure that there is an indication that the Security Gateway policy is available for endpoints.

    Example:



Configuring URL Filtering - Distributed deployment

To prepare to deploy the URL Filtering blade as part of Endpoint Security clients:

  1. Connect with SmartDashboard to the Security Management Server.

  2. Open the Security Gateway object properties.

    Note: Install an R75.40 Security Gateway (See Note below). Can be a Virtual Machine.
  3. Enable the URL Filtering blade - click on OK.

  4. Go to the Application & URL Filtering tab - in the left tree, click on Policy - define the relevant rules.

  5. Install the security policy on the Security Gateway.

  6. Copy all the files from the $FWDIR/state/<Name of Security Gateway object>/FW1/ directory on the Security Management Server to the $FWDIR/state/__tmp/FW1/ directory on the Endpoint Security Management Server.

    Important Note: If you copy these files via a Windows-based computer, then after transferring them to the Endpoint Security Management Server, it is necessary to run the following command:
    dos2unix $FWDIR/state/__tmp/FW1/*

  7. Connect to the command line on the Endpoint Management Server.

  8. Log in to the Expert mode.

  9. Run the following command to fetch the URL Filtering into the Endpoint policy:

    [Expert@HostName:0]# eps_policy_fetcher fetchlocal -d $FWDIR/state/__tmp/FW1
  10. Connect with SmartEndpoint GUI to the Endpoint Security Server.

  11. Go to the Policy tab.

  12. In the URL Filtering rule, make sure that there is an indication that the Security Gateway policy is available for endpoints.

 

Note: The procedure from step 6 for either One-computer, or Distributed, deployment needs to be repeated after every URL filtering policy change.

 

For additional information, refer to URL Filtering with Endpoint Security R77.30.0x Administration Guide


Appendix

The following message can be printed to the output, when importing the policy (in a distributed deployment):

eps_policy_fetcher: DecodeFwSet : buffer length checksum failed

eps_policy_fetcher: fw_read_confobj: failed to decode objects Installing Security Policy Meduza-ruleset on all.all@megadeth

eps_policy_fetcher: Unable to open '/dev/fw0': Unknown error 4294967295

eps_policy_fetcher: "Included Rules", line 17: ERROR: Cannot use <::Log>: Not in Scope
eps_policy_fetcher: Failed to Load Security Policy: Unknown error 4294967295

eps_policy_fetcher: Fetching Security Policy Failed

 

It can indicate a possible file corruption that occurred in the copying process, due to the use of some Windows-based file transfer tool (such as WinScp).

To avoid this, try to copy the files, using scp, directly between the two machines.

 On the Endpoint Security Management Server, run the following command:

scp -rp <sec_mgmt_server_user>@<sec_mgmt_server_host>:$FWDIR/state/<Name of Security Gateway object>/FW1/* $FWDIR/state/__tmp/FW1

 (You will be prompted to enter sec_mgmt_server_password, and then the files will be copied.)

For example: scp -rp admin@10.10.10.10:$FWDIR/state/GW1/FW1/* $FWDIR/state/__tmp/FW1

The $FWDIR path is different for R77.X and R80.XX

For R80.20 use:

scp -rp admin@10.10.10.10:/opt/CPsuite-R80.20/fw1/state/GW1/FW1/* $FWDIR/state/__tmp/FW1

 

The below is an acceptable output for the command. The policy should still apply and work:

eps_policy_fetcher: Unable to open '/dev/fw0': Unknown error 4294967295

eps_policy_fetcher: Starting EPS policy distribution.

eps_policy_fetcher: Finished EPS policy distribution.

eps_policy_fetcher: Fetching Security Policy Succeeded

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment