topic Re: Https inspection query on Cloudguard IaaS in Firewall and Security Management

Https inspection query on Cloudguard IaaS

avi3383 — Thu, 22 Apr 2021 15:59:16 GMT

Hi,

We have deployed autoscale security gateway on AWS cloud only for Northbound traffic to protect web application hosted in AWS customer account.

All application are publicly published and can be access from Internet.

Below is the traffic flow:

User access web application from internet--->traffic came to route53 and resolved in load balancer Ip adddress--->>when external load received the traffic and do the Ssl termination and sent the traffic to target group---->>Target Group is Cloudguard IaaS firewall----->Internal LB--->application hosted server.

My query is here that when External load balancer doing the ssl termination and sent the decrypted to Cloudguard IaaS.

Is it require to do https inspection on Cloudguard IaaS for received decrypted traffic from external LB?

If I am not doing https inspection because received traffic from external LB is already decrypted. Will my enabled blade on firewall do inspect of these traffic.

Please guide me to do correct deployment

Re: Https inspection query on Cloudguard IaaS

PhoneBoy — Mon, 26 Apr 2021 04:33:45 GMT

If the gateway is seeing only unencrypted traffic, then you don't need to run HTTPS Inspection at all.

Re: Https inspection query on Cloudguard IaaS

avi3383 — Mon, 26 Apr 2021 05:19:43 GMT

Thanks for your response.

is there any way to identify unencrypted traffic logs? Please guide.

Re: Https inspection query on Cloudguard IaaS

PhoneBoy — Mon, 26 Apr 2021 05:44:32 GMT

The traffic will be HTTP traffic if it's coming from the load balancer.
Whatever blades you have activated with appropriate policies will apply to the traffic.
This should be clearly visible in the Logs and Monitoring (or SmartView).

Re: Https inspection query on Cloudguard IaaS

avi3383 — Mon, 26 Apr 2021 06:43:46 GMT

Can you confirm below logs are http logs...these are coming from LB and Https termination are enabled on LB.

Re: Https inspection query on Cloudguard IaaS

PhoneBoy — Mon, 26 Apr 2021 06:51:16 GMT

If it were straight HTTP, the service would say...HTTP.
There are a lot of things in those logs that say TLS, which is most likely encrypted.
There are things that say TCP also, which is probably not encrypted.
To confirm what it is, you'd probably have to run a tcpdump to see what the actual traffic looks like.

Note that HTTPS Inspection is generally only done with HTTPS traffic on one of the standard ports.
It doesn't work with TLS traffic in general.