How does the URL database download work?

In case anyone wants to know:

What ports do I need to open to allow this traffic through our firewalls?

Port 443/SSL

How is my subscription authorized when making the connection?

The BigIP passes the license ID / subscription ID)

I'm assuming the BigIP does a site validation when connecting to download.websense.com, does anyone have more information about what is going on during this connection?

This is the interesting part. The connection between the BigIP and the websense site is confirmed with the use of SSL pinning. SSL Pinning is a mechanism to ensure that the Big IP host checks the F5/Websense server's certificate against a know copy of that certificate. This check requires an exact match to the one originally supplied on the BigIP. The pinning mechanism guards against processes that inspect SSL traffic by breaking the encryption, thus resisting impersonation by man in the middle efforts. Were you able to successfully decrypt the tunnel, the actual data is compressed and also encrypted.

Lastly, how does the BigIP validate the downloaded db?

There is a PFM module that decrypts, decompresses, validates and imports the updates.

Does anyone know what the updates file extension is?