topic Re: Https Inspection Internet Object in Firewall and Security Management

Https Inspection Internet Object

bob111 — Sun, 01 Sep 2024 12:01:57 GMT

Hey guys,
In the https inspection policy there is an object called internet, I can guess from the name what it means but what is it actually? Is it like any? Also I saw somewhere that said that using the internet object determines weather the traffic is considered inbound or outbound which sounds weird, is that true?

Re: Https Inspection Internet Object

bob111 — Sun, 01 Sep 2024 12:11:11 GMT

Also, is there a difference between the inbound and outbound, or does it just depend on the certificate you should put in the certificate column of a certain rule

Re: Https Inspection Internet Object

AkosBakos — Sun, 01 Sep 2024 12:18:11 GMT

Hi @bob111

The Internet object in the Application Control & URL Filtering policy actually only applies to traffic that's leaving an interface marked as external.

https://community.checkpoint.com/t5/Management/quot-Internet-quot-object-Internet/m-p/21030#M16513

Re: Https Inspection Internet Object

AkosBakos — Sun, 01 Sep 2024 12:19:50 GMT

Hi @bob111

And the official SK: https://support.checkpoint.com/results/sk/sk64543

"Internet" means "include all traffic from Internal directed to External or DMZ according to gateway topology".

Re: Https Inspection Internet Object

bob111 — Sun, 01 Sep 2024 13:21:34 GMT

Thanks! Do you know when traffic is considered outbound or inbound in https inspection? Is it just according to the certificate you put in a rule?

Re: Https Inspection Internet Object

AkosBakos — Sun, 01 Sep 2024 15:08:12 GMT

Hi,

I don’t think that the cert influances the direction of the traffic.

Re: Https Inspection Internet Object

the_rock — Sun, 01 Sep 2024 15:31:15 GMT

Internet object strictly means ONLY external ip addresses. Unlike any, which means both internal/external.

Personally, I use Internet object for urlf ordered layer, though can be used in any layer where urlf blade is enabled in policy layer settings.

Makes sense?

Andy

Re: Https Inspection Internet Object

bob111 — Mon, 02 Sep 2024 07:35:49 GMT

Thanks for the reply! I understand but what is considered external to the firewall?
From what I gathered about the https inspection feature, inbound and outbound inspection behave in a different way - inbound uses the server certificate of the internal server and outbound uses the outbound ca certificate on the firewall to decrypt and encrypt the tls connection. This is from the checkpoint docs:

Outbound HTTPS Inspection - To protect against malicious traffic that is sent from an internal client to an external site or server.
Inbound HTTPS Inspection - To protect internal servers from malicious requests that arrive from the Internet or an external network.

but when does the firewall treat the traffic as inbound and when as outbound? that is what I don't understand.

Re: Https Inspection Internet Object

the_rock — Mon, 02 Sep 2024 19:10:07 GMT

What is considered external to the firewall? Simple answer...ANYTHING out on the Internet, when it comes to OUTBOUND https inspection.

Andy

Re: Https Inspection Internet Object

bob111 — Tue, 03 Sep 2024 08:40:46 GMT

But what do you mean when it comes to outbound https inspection? I am on an air-gaped environment without any connection to the internet.
I don't understand when traffic is "inbound inspected" or "outbound inspected".
Appreciate the help:)

Re: Https Inspection Internet Object

AkosBakos — Tue, 03 Sep 2024 08:48:51 GMT

Hi @bob111

I think the key is here the "External". You can set an interface as external anytime, it not depent ont hte IP of the interface, The IF with private IP can be an external interface,

Think about it, there are internal FW-s without public internet access, but they have external interface too. 🙂

Akos

Re: Https Inspection Internet Object

bob111 — Tue, 03 Sep 2024 10:47:09 GMT

Of course I understand that I have externel interfaces on my air gaped firewall😅, my question was about https inspection - since outbound and inbound work differently with how they encrypt and decrypt the tls session (inbound -server certificate , outbound - ca cert on firewall), I don't really understand when is traffic categorized for outbound and when for inbound, is it when to reach the destination the traffic exists from an interface that is set as external?

Re: Https Inspection Internet Object

AkosBakos — Tue, 03 Sep 2024 11:10:57 GMT

Hi @bob111

The policy methodology is the same as the access control policy.

The direction depends on the topology. In a nutshell: if the routing routes to external IF that is external.

SRC	DST	direction
Internet	internal network	inbound
internal network	Internet	outbound

The flow is described here

Outbound connections are HTTPS connections that arrive from an internal client and connect to an external server.

Outbound connection flow

An HTTPS request (from an internal client to an external server) arrives at the Security GatewayClosed.
The Security Gateway inspects the HTTPS request.
The Security Gateway determines whether the HTTPS request matches an existing HTTPS InspectionClosed ruleClosed:
1. If the HTTPS request does not match a rule, then the Security Gateway does not inspect the HTTPS payload.
2. If the HTTPS request matches a rule, then the Security Gateway continues to the next step.
The Security Gateway validates the HTTPS certificate from the external server.
The Security Gateway uses the Online Certificate Status Protocol (OCSP) standard.
The Security Gateway creates a new certificate for the connection to the external server.
The Security Gateway decrypts the HTTPS connection.
The Security Gateway inspects the decrypted HTTPS connection.
If the Security PolicyClosed allows this traffic, the Security Gateway encrypts the HTTPS connection.
The Security Gateway sends the HTTPS request to the external server.

Inbound connections are HTTPS connections that arrive from an external client and connect to a server in the DMZ or the internal network.

Inbound connection flow

An HTTPS request (from an external client to an internal server) arrives at the Security Gateway.
The Security Gateway inspects the HTTPS request.
The Security Gateway determines whether the HTTPS request matches an existing HTTPS Inspection rule:
1. If the HTTPS request does not match a rule, then the Security Gateway does not inspect the HTTPS payload.
2. If the HTTPS request matches a rule, then the Security Gateway continues to the next step.
The Security Gateway uses the certificate for the internal server to create an HTTPS connection with the external client.
The Security Gateway creates a new HTTPS connection with the internal server.
The Security Gateway decrypts the HTTPS connection.
The Security Gateway inspects the decrypted HTTPS connection.
If the Security Policy allows this traffic, the Security Gateway encrypts the HTTPS connection and sends it to the internal server.

Akos

Re: Https Inspection Internet Object

the_rock — Tue, 03 Sep 2024 11:52:13 GMT

Just watch this video, but instead of proxy, imagine its inspection, its literally SAME principle.

Andy

https://www.youtube.com/watch?v=RXXRguaHZs0

Re: Https Inspection Internet Object

the_rock — Tue, 03 Sep 2024 11:58:38 GMT

Yes sir, PERFECT explanation.

Re: Https Inspection Internet Object

Timothy_Hall — Tue, 03 Sep 2024 13:12:44 GMT

One notable exception for matching object Internet as a destination would be traffic being encrypted into a VPN by the gateway itself and leaving on an External interface; this tunneled traffic will not match object Internet for a destination. IKE/IPSec traffic just transiting the gateway to the outside (i.e. another device is doing the actual encrypt/decrypt) will still match object Internet for the destination.

Re: Https Inspection Internet Object

PhoneBoy — Tue, 03 Sep 2024 14:38:30 GMT

Inbound HTTPS Inspection rules require specific configuration, namely a server-specific certificate configured in the relevant rule in your HTTPS Inspection policy.
All of the following rules are Outbound rules:

Server-specific certificates must be explicitly configured in SmartDashboard (not SmartConsole)...at least until R82.

Re: Https Inspection Internet Object

AkosBakos — Fri, 06 Sep 2024 10:55:51 GMT

And one more:

https://community.checkpoint.com/t5/Management/Properly-defining-the-Internet-within-a-security-policy/td-p/10561