topic HTTPS inspection of internal private IP traffic in Firewall and Security Management

HTTPS inspection of internal private IP traffic

Michael_Horne — Tue, 04 May 2021 09:44:50 GMT

Hello All,

We have an issue where internal HTTPS applications are being inspected using HTTPS interception

My understanding was that for outbound inspection only applications accessed through an interface marked as "External" etc would be intercepted. I remember reading this a long time ago in some Checkpoint documentation, but I am failing to find this reference again.

I am interested in locating a reference document for HTTPS inspection where I hope to fins a description of what traffic is HTTPS inspection applied to.

I is strange as this issue with Internal applications being using HTTPS interception exists only on one security gateway and none of the other Security gateway clusters are showing this behaviour. The HTTPS inspection policy only has "Bypass" rules with the generic "inspection" rule for everything else at the end of the policy.

Many thanks,

Michael

Re: HTTPS inspection of internal private IP traffic

_Val_ — Tue, 04 May 2021 10:24:55 GMT

Your understanding is incorrect. Any traffic matching your HTTPS inspection rulebase will be inspected.

Now, you are most probably referring to "Internet" object used as destination by default for outbound HTTPSi rules. Mind you, Internet object is interpreted by GW as everything but internal IP addresses defined by topology. In many cases that would include DMZ networks that are NAT-ed, or any other internal addresses that do not appear in the GW topology.

If you are using ANY and not Internet object, then any HTTPSi traffic crossing GW will be inspected.

The solution here is very simple: put bypass rules for any traffic you do not want to inspect, and also use exclusively web services in HTTPSi rulebase.

There is a few discussions in the community for that matter, including HTTPSi best practice techtalk, with video recording.

Re: HTTPS inspection of internal private IP traffic

Michael_Horne — Tue, 04 May 2021 11:58:05 GMT

Hello,

Thank you for the feedback. I should be asking instead not why 1 gateway is inspecting the internal applications, but why the other 19+ gateways are not, as they are all sharing the same default HTTPS inspection rule with the Internet object as destination.

I guess the crucial part is "internal IP addresses defined by topology", but since all the 20 gateways are accessing the application over an interface with a standard Topology definition "Internet (External)", I am still confused as to the behaviour. All gateways (except the one where the application is hosted), should all not have the internal IPs in the topology.

Investigations continue ...

Re: HTTPS inspection of internal private IP traffic

_Val_ — Tue, 04 May 2021 12:22:37 GMT

Let's be more pragmatic. How does your inspection policy look like?

Re: HTTPS inspection of internal private IP traffic

Michael_Horne — Mon, 10 May 2021 09:44:40 GMT

The information you gave was helpful as it seems that the issue was with the topology for the relevant interface.

I changed the external facing interface from the "red" Internet (External) topology setting to the "green" Internet (External) topology setting and reports back from the end users confirm they no longer have issues with the applications.

I Topology

The interesting question is what is the difference between these tow topology settings as both are Internet (External).

Regards,

Michael