topic Re: inbound https inspection workin partially only? in Firewall and Security Management

inbound https inspection workin partially only?

mp2012 — Wed, 26 Oct 2022 11:22:54 GMT

Hello,

I see following behaviour:

https inspection inbound to a webserver --> uploading eicar av test file --> prevented : fine
https inspection inbound to a exchange server --> uploading eicar av test file (just a mail via web ui) --> not detected
both got rules with dest server cert imported, both log as inspected traffic

any ideas?

That is on 81.10 IPS/AV/antibot.

kind regards,

Re: inbound https inspection workin partially only?

PhoneBoy — Wed, 26 Oct 2022 16:10:12 GMT

Can you confirm HTTPS Inspection was done on the entire communication?
Also, is Mobile Access Blade involved with Exchange?

Re: inbound https inspection workin partially only?

mp2012 — Thu, 27 Oct 2022 04:22:58 GMT

Hello,

I tested the less complex scenario via Client/Browser accessing the outlook web app, so only one destination fqdn and ip address (the VIP) is involved.

mobile aacess blade not involved.

kind regards,

mp2012

Re: inbound https inspection workin partially only?

PhoneBoy — Thu, 27 Oct 2022 16:35:59 GMT

Please confirm yes or no that you are using Mobile Access Blade because your answer is unclear on this fact.
Also, you say the VIP is used, does that mean you are using NAT to expose your Exchange server via the Cluster IP?

In the past, we've had EICAR not flagged in specific circumstances:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk44781&partition=Advanced&product=Anti-Virus
It might be worth a TAC case.

Re: inbound https inspection workin partially only?

mp2012 — Thu, 27 Oct 2022 17:36:23 GMT

Hello,

sorry misunderstood. So yes, Mobile Access Blade is enabled and active on this gateway.

Complete communication path that is:

external client --> perimeter gw with https inspection rule --> Load Balancer VIP rev.proxy --> reverse proxy servers --> Load Balancer VIP exchange --> exchange servers

maybe goin to remove the rev.proxy setup if we're satisfied withe the https decryption setup.

Same setup works on sharepoint, but surprisingly its blocked as "Trojan.Win32.Mitaka.TC.a"

kind regards,

mp2012

Re: inbound https inspection workin partially only?

PhoneBoy — Thu, 27 Oct 2022 17:54:37 GMT

If you're using Mobile Access Blade, HTTPS Inspection isn't relevant as the connection is terminating on the gateway anyway.
It also change the inspection flow a bit and what blades are supported.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk104577&partition=Basic&product=Mobile

AV should be supported, though, which means EICAR should be flagged.
What version/JHF is the gateway?

Re: inbound https inspection workin partially only?

mp2012 — Thu, 27 Oct 2022 18:33:41 GMT

Hi,

I mean Mobile Access Blade is enabled on this gateway, but not used in this scenario (thats why i mentioned ist as "not involved" in my initial post).

GW running 81.10 Take66.

Re: inbound https inspection workin partially only?

PhoneBoy — Thu, 27 Oct 2022 19:19:22 GMT

Ok.
I think your best bet here is to involve the TAC.
Under certain conditions that may not be relevant anymore, EICAR was not flagged as malicious.
I don't think these conditions apply anymore, though, as they are for older versions running Traditional AV.