topic Re: HTTPS Inspection policy in Firewall and Security Management

HTTPS Inspection policy

EvilGenius — Thu, 15 Jun 2023 10:57:43 GMT

I want HTTPS inspection policy to be implemented on this NAT rule that is configured to NAT a traffic towards a BWAPP server. I also want a specific certificate to be used for the inspection but I am unable to do so. Inspite of configuring a HTTPS inspection policy for the NAT policy it is not being implemented.

Re: HTTPS Inspection policy

G_W_Albrecht — Thu, 15 Jun 2023 12:25:09 GMT

First screenshot: Original Dest GW, Transl. Dest BWAPP server ??? I see no original source...

Re: HTTPS Inspection policy

EvilGenius — Thu, 15 Jun 2023 12:51:20 GMT

Original Source is Any, Just couldn't get it into the Screenshot, CCSE CCTE CCSM SMB Specialist admirer

HTTPS Inspection

EvilGenius — Thu, 15 Jun 2023 12:54:52 GMT

I configured a HTTPS Inspection policy which uses a self assigned certificate but through the log the traffic is only being inspected and not allowed. Every packet is being dropped, similarly as it can be noticed in the screenshot provided below I believe the Action should be allowed/blocked but only HTTPS inspect is displayed.

Re: HTTPS Inspection policy

G_W_Albrecht — Thu, 15 Jun 2023 12:56:21 GMT

So why is the GW Source in screenshot 2 ? Translated Source is Original == Any, so how should that https rule match here ?

Re: HTTPS Inspection policy

Ruan_Kotze — Thu, 15 Jun 2023 12:58:20 GMT

Use the column picker to add the "Certificates" column. You can then select the correct certificate for inbound inspection.

This assumes you imported the proper server certificate first though.

Re: HTTPS Inspection policy

PhoneBoy — Thu, 15 Jun 2023 13:11:16 GMT

I merged the other thread you created on this configuration since it stems from the same misconfiguration, most likely.

The decision to perform HTTPS Inspection needs to happens before Access Rules or NAT are applied.
Which means your HTTPS Inspection rules should be created accordingly.
I assume based on your configuration that you're trying to forward connections that occur to the firewall's external IP to the host ACFW-CHKP-BWAPP.
The "certificate' column in the rule would be where you'd configure the private key to use when connecting to ACFW-CHKP-BWAPP.
This means your HTTPS Inspection rule should have "any" as the source (not the gateway as shown).

I suspect this will also fix the issue with the NAT rule.

Re: HTTPS Inspection policy

EvilGenius — Fri, 16 Jun 2023 04:44:46 GMT

Thank you for the wonderful support everyone. Now I am successfully able to implement https inspection on the desired traffic interface but the traffic is only being inspected and all the normal traffic from that rule are getting blocked after inspection. Is there something else that I have to look into? It's only been a while since I have been using Checkpoint firewall so I am baffled with some features. The requirement was to inspect HTTPS traffic from performance subnet to lan subnet.

I have also included a certificate that is going to be used for the inspection but while passing traffic through the policy all the traffics are only being inspected and dropped which can be noticed in the log.

Re: HTTPS Inspection policy

PhoneBoy — Fri, 16 Jun 2023 19:07:27 GMT

HTTPS Inspection policy only decrypts the appropriate traffic.
You must still have an Access Policy rule that permits the relevant traffic.
What precise rule is being matched per the traffic logs?

Re: HTTPS Inspection policy

EvilGenius — Fri, 16 Jun 2023 19:26:36 GMT

The Access Policy rule that is being matched with the HTTPS inspection policy is presented below:

and the HTTPS inspection configured for this Access policy is:

Similarly the log generated:

Re: HTTPS Inspection policy

PhoneBoy — Fri, 16 Jun 2023 20:31:16 GMT

Just to confirm, the source LAN is internal, correct?
I suspect you're going to need a TAC case to get to the bottom of this: https://help.checkpoint.com

Re: HTTPS Inspection policy

EvilGenius — Sat, 17 Jun 2023 08:22:25 GMT

Yes, the source is internal but is from different interfaces and subnets.