topic Re: Gaia Portal (WebUI) over HTTP in Firewall and Security Management

Gaia Portal (WebUI) over HTTP

kevin-p — Tue, 25 Jun 2024 01:46:28 GMT

Hi Everyone,

I am currently going through an ISO/SOC2 recertification audit and the auditors have asked to see the configuration on the gateway that only allows access to the WebUI over tcp/443(HTTPS) and doesnt allow access on tcp/80(HTTP) however I cannot find where this is configured.

Doing some investigation and opening a case with TAC, I have confirmed that the gateway does infact allow traffic on port 80 however there is a kernel level redirect which redirects the traffic to HTTPS. I was able to find a similar post(https://community.checkpoint.com/t5/Security-Gateways/Gaia-Web-GUI-http-to-https-redirection/td-p/184801) in regards to the HTTPS redirect, however I cannot find anything in the R81.20 Admin Guide or any CheckPoint docs that mentions this being configured by default.

TAC suggested that I follow sk165937 to disable the connection to gateway on TCP Port 80 and add a SAM rule to block port 80 so it shows a drop in the logs but this seems excessive seeing as there is already the kernel redirect and all I need to do is provide documentation that it is a default configuration.

If anyone has any doc that would help me out, it would be appreciated!

Thanks!

Re: Gaia Portal (WebUI) over HTTP

the_rock — Tue, 25 Jun 2024 12:46:39 GMT

Personally, I had never heard or seen document that states that, its been that way for who knows how long. Personally, if I were you, I would ask your SE to check on it internally, if one even exists.

Andy

Re: Gaia Portal (WebUI) over HTTP

PhoneBoy — Tue, 25 Jun 2024 16:36:20 GMT

The feature that does this redirect is called Multiportal and has been there since R75.
I believe the documentation you are looking for that it's a default is: https://support.checkpoint.com/results/sk/sk66030

Re: Gaia Portal (WebUI) over HTTP

the_rock — Tue, 25 Jun 2024 16:43:47 GMT

Is this related to redirect part though? 80 -> 443?

Andy

Re: Gaia Portal (WebUI) over HTTP

PhoneBoy — Tue, 25 Jun 2024 17:09:59 GMT

Yes, this is part of what Multiportal does.

Re: Gaia Portal (WebUI) over HTTP

the_rock — Tue, 25 Jun 2024 17:24:06 GMT

I get that part, but I think this port 80 -> port 443 redirect used to happen way before multiportal came along?

Andy

Re: Gaia Portal (WebUI) over HTTP

PhoneBoy — Tue, 25 Jun 2024 18:39:16 GMT

I believe so, yes.
Previously, I believe it was done as part of the underlying Apache configuration.
When Multiportal was introduced in R75, it was moved there.

Re: Gaia Portal (WebUI) over HTTP

the_rock — Tue, 25 Jun 2024 18:41:11 GMT

Ah, good ol' Apache 🙂

Now it all makes sense.

Andy