topic Re: Http parsing error in Firewall and Security Management

Http parsing error

Max91 — Mon, 08 Apr 2024 13:19:41 GMT

Hello everyone,

In our network environment, we have two firewalls. We attempted to enable SSL inspection on both firewalls, but encountered an error message: “HTTP parsing error.” Notably, both firewalls utilize the same self-signed certificate for outbound inspection. Surprisingly, when we enable HTTPS inspection on only one of the firewalls, everything functions correctly.

Checkpoint firewall is second device in architecture.

the issue is happened on different sites, for example ssllabs.com, apple.com.

some sites work correctly for example udemy.com with inspection enabled.

What steps should we take to troubleshoot this issue?

Thank you

Re: Http parsing error

Lesley — Tue, 09 Apr 2024 08:10:27 GMT

On the problematic firewall could you check if you can access the internet from this gateway?

https://support.checkpoint.com/results/sk/sk108202

Check:

(Part 2 - 3) Best Practices: Internet connection

Also I am not sure if 2 Check Point firewalls in the same traffic flow is good with both HTTPS inspection.

Documentation states: HTTPS Inspection can be enabled on a single Security Gateway at first, and then expanded to additional Security Gateways.

Does not mention if they can be inline, so worth checking. Maybe someone else knows that here.

Re: Http parsing error

G_W_Albrecht — Tue, 09 Apr 2024 10:49:26 GMT

Can you give a sketch of the network topology ?

Re: Http parsing error

Max91 — Tue, 09 Apr 2024 11:38:24 GMT

Hey,

In this scenario, client access to the internet through two firewalls. The first one is a LAN firewall (not Checkpoint) that performs LAN segmentation and forwards traffic to the second firewall, which is a WAN firewall that perfom a accses to internet (Checkpoint).

Thank you

Re: Http parsing error

Max91 — Tue, 09 Apr 2024 11:43:28 GMT

Hey,

The first fw is not Checkpoint

If I activate ssl decryption on one of them everything works fine, the problems start when on both of them try to opens tls traffic.

All Firewalls have access to the internet

Re: Http parsing error

Lesley — Tue, 09 Apr 2024 11:57:20 GMT

Ah first fw is not Check Point that changes is. It still can be config error. Start with the SK's below:

https://support.checkpoint.com/results/sk/sk108202

https://support.checkpoint.com/results/sk/sk65123

https://support.checkpoint.com/results/sk/sk64521

https://support.checkpoint.com/results/sk/sk112214

Re: Http parsing error

G_W_Albrecht — Tue, 09 Apr 2024 12:28:52 GMT

Sorry, no offense meant - but i just read your issue to my tech support collegues and we had a big laugh together 🤣

It is no wonder that this does not work; and what could be achieved by 2 times SSL inspection ? I would suggest to enable SSL inspection on CP GW only.

Re: Http parsing error

Max91 — Tue, 09 Apr 2024 13:29:48 GMT

Firewall vendors may employ a variety of for detecting threats within encrypted traffic, such as signature-based detection, behavior analysis, machine learning algorithms, heuristics, anomaly detection, or sandboxing. Each technique has its strengths and weaknesses, and vendors may prioritize different approaches based on their research, development, and expertise

This is in addition to the constraints that exist in the organization due to a complex topology

In addition, I don't see any problem with ssl decryption by different vendorim, in other environment there are both firewalls, and proxy's, and products for ssl visabilty, which decrypt tls one after the other without any problem.

Re: Http parsing error

Lesley — Tue, 09 Apr 2024 13:53:45 GMT

Double https inspection makes certificate management complex. It is done via MITM and client needs to trust the certificate from gateway. In this case 2. In this case the first firewall will be the client from Check Point point of view. Due that the first gateway sets up the connection on it's own (if inspected).

client <-> first firewall (MITM HTTPS inspection) <-> Check Point (MITM HTTPS inspection) <-> Web server

The Check Point will be inspecting traffic initiated from the first firewall. The first firewall starts the traffic because it is doing MITM for the client. I am getting headache only thinking about this scenario.