topic Outbound HTTPS Inspection through 3rd Proxy in Firewall and Security Management

Outbound HTTPS Inspection through 3rd Proxy

Tim_Gadjiev_S — Tue, 20 Jul 2021 13:59:39 GMT

Dear mates,

I need a help with outbound HTTPS Inspection.

In my company we use 3rd party Proxy server for users Internet access. Inside and outside interfaces for this Proxy is located on ClusterXL. So i need to implement HTTPS inspection. I need to know which user go to one or the other Internet site/service. This need to know which user try to open Internet resources with viruses or threat. I try to apply HTTPS Inspection policy between Users and Proxy. It doesn't work. After that i try to apply HTTPS Inspection policy between Proxy and Internet. It works. But i faced with new problem. This Proxy server used by Linux users and another services which cannot work with HTTPS Inspection properly.

Why i am looking for solution where HTTPS Inspection policy should be between Users and Proxy server, because it is very scalable solution. In this implementation i can add or remove some networks for HTTPS Inspection. For example i can add Windows users networks and exclude Linux users or some one.

So i started to find solution about HTTPS Inspection and Proxy server. And i found that the Checkpoint HTTPS Inspection cannot work with NTLM and Kerberos authentication.

So my quesstion is. How can i implement HTTPS Inspection with 3rd party Proxy server, where i need to know which user go to one or the other Internet site/service?

P.S. in my company we cannot use Checkpoint as HTTP/HTTPS Proxy by internal position of the company.

P.P.S. Sorry for my English, it is not my native language.

Re: Outbound HTTPS Inspection through 3rd Proxy

PhoneBoy — Tue, 20 Jul 2021 20:32:28 GMT

A simple network diagram would be helpful.
When you say “it doesn’t work” what precisely do you mean?
Can you describe the behavior in detail?

Also, for “HTTPS Inspection cannot work with NTLM and Kerberos authentication” I’m pretty sure we can work with Kerberos since that is something Identity Awareness supports.

Also, please mention version/JHF in use.

Re: Outbound HTTPS Inspection through 3rd Proxy

Tim_Gadjiev_S — Wed, 21 Jul 2021 18:38:23 GMT

When i say “it doesn’t work” i mean it doesn't Inspect the traffic going from User to Proxy. I think it is Bypassed, but i didn't see it in the Smart Log. Also i check this traffic with fw ctl zdebug + drop, the traffic was not dropped.

Simple Network diagram

IP addresses was changed.

Simple Network Diagram.JPG in attached

Version of Checkpoint GW

Checkpoint Appliance 15600

GAIA OS R80.30

JHF 228

Details

So, desire of Security Team in my company is view the unecrypted traffic going from User to Internet for prevent Threats and viruses with Anti-Virus Blade and use the Application Control Blade to the fullest. But, position of our Security Team is using Proxy server for Internet access. At first, i created HTTPS rules for Proxy like:

HTTPS Inspection from Proxy to Internet.JPG in attached

And this rules works fine. Proxy traffic will Inspected, but i faced with 2 problems:

I didn't see wich user get some viruses, because i see only IP address of Proxy Server
This Proxy server used by other clients, like Linux users and Developers, whose software is not support HTTPS Inspection and i cannot bypassed it.

After that i created another HTTPS rules like:

HTTPS Inspection from User to Proxy.JPG in attached

Where Pent_Windows is host with IP 10.10.10.10

But this rule is not working, i mean the traffic is not Inspected. Also i coudn't see Bypass in Smart Log.

My question is, how can i make the rule work when i Inspect the traffic going from User to Proxy?

In our company we use tcp/80 and tcp/3128 for Proxy.

Thank you in advance.

Re: Outbound HTTPS Inspection through 3rd Proxy

Tim_Gadjiev_S — Wed, 21 Jul 2021 18:40:37 GMT

I cannot reply on below your question, i don't understand why. But i added all you requested information below my Post.

Re: Outbound HTTPS Inspection through 3rd Proxy

Wolfgang — Wed, 21 Jul 2021 19:03:04 GMT

@Tim_Gadjiev_S If you want to see the original IP addresses of your clients in the connections from proxy to internet, your proxy has to add the „x-forwarded-for header“.

But from my experience with such a configuration the best is to do the inspection between clients and proxy and not between proxy and internet. Are you really sure your source and destination IPs in the https inspection rule are correct. Any NAT maybe?

And best for https inspection will be to go with version R80.40.

Re: Outbound HTTPS Inspection through 3rd Proxy

PhoneBoy — Wed, 21 Jul 2021 22:47:06 GMT

You're inspecting the traffic twice, if I'm understanding your rules correctly.
You should only do this once, and best to do it from the users to the proxy.
You also can't HTTPS Inspect non-web traffic (e.g. that NTLM traffic).
If you want to add identities to the logs (or do additional filtering based on it), then you will need to configure Identity Awareness.

Also 100% agree with @Wolfgang, you should be using at least R80.40 if not R81.

Re: Outbound HTTPS Inspection through 3rd Proxy

Tim_Gadjiev_S — Thu, 22 Jul 2021 00:10:10 GMT

Thank you for reply. If i remember the X-forwarded-for spoted my internal IP addresses in the header. It's not secure. And yes you are right, i NATed external Proxy IP address on the ClusterXL. If i remeber Checkpoint Traffic Flow, the Access Rule is triggered first, then NAT, after that HTTPS Inspection, my mistake. So if i understood, i need to change HTTPS rules from Hide IP of Proxy to the NAT IP Proxy, or need to add zero NAT rule from Users to Proxy. Thank you.

Re: Outbound HTTPS Inspection through 3rd Proxy

Tim_Gadjiev_S — Thu, 22 Jul 2021 00:22:07 GMT

Thank you for reply. No i didn't inspect traffic twise. I didn't combine the HTTPS rules. At first time i tried HTTPS rules like Proxy-to Internet, after that i changed this rules on User-to Proxy. You absolutely right, i can't Inspect NTLM. But NTLM and HTTPS traffic is separatly TCP flows. I thinked the Checkpoint could bypass NTLM TCP flow after that it can Inspect next flow - HTTPS. Thank you for your recommendation about R80.40. I planning to upgrade from R80.30 kernel 2.6 to R80.40 kernel 3.10. Another good opportunity to do it 🙂

Re: Outbound HTTPS Inspection through 3rd Proxy

Tim_Gadjiev_S — Thu, 22 Jul 2021 12:05:36 GMT

Dear Wolfang. You are right, it is NAT issue. I added zero NAT from users to Proxy and all working fine.