topic Re: TLS1.3 inspection in Firewall and Security Management

TLS1.3 inspection

iko — Sun, 15 Aug 2021 11:46:27 GMT

Hi again,

I managed now to enable TLS1.3 on my R81 Security Gateway.

But the HTTPS Inspection doesn't work in case of TLS1.3 traffic:

Even I have disabled my bypass rule:

Just to be sure you have all in infos her my simple rulebase:

Is there any special rule I need to add to catch TLS1.3 traffic?

Thanks, Iko

Re: TLS1.3 inspection

PhoneBoy — Sun, 15 Aug 2021 15:56:35 GMT

First of all, disabling your bypass rule can cause performance issues.

Is USFW enabled? https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk167052&partition=Basic&product=Quantum

Re: TLS1.3 inspection

iko — Sun, 15 Aug 2021 18:04:37 GMT

can you tell me how to verify if usfw is enabled?

Re: TLS1.3 inspection

PhoneBoy — Sun, 15 Aug 2021 20:15:52 GMT

cpprod_util FwIsUsermode
cpprod_util FwIsUsfwMachine

Both commands should return 1.
What precise appliance are you doing this on?

Re: TLS1.3 inspection

iko — Sun, 15 Aug 2021 21:33:53 GMT

I run a R81 Security Gateway with Mgmt-Gateway on same VM

Product version Check Point Gaia R81
OS build 392
OS kernel version 3.10.0-957.21.3cpx86_64
OS edition 64-bit

[Expert@gw-a7234c:0]# cpprod_util FwIsUsermode
0
[Expert@gw-a7234c:0]# cpprod_util FwIsUsfwMachine
0

Re: TLS1.3 inspection

PhoneBoy — Mon, 16 Aug 2021 01:33:55 GMT

What are the precise specifications (RAM, cores) on the VM?
Note that HTTPS Inspection for TLS 1.3 traffic requires three things:

Being on R81 or above, which you are.
Enabling TLSIO, which you clearly did here.
Enabling User Space Firewall, which is only enabled by default for specific appliances.

The two commands indicate USFW is not enabled.
To enable them, issue the following two commands and reboot:

cpprod_util FwIsUsermode 1
cpprod_util FwIsUsfwMachine 1

Once you've done this, HTTPS Inspection of TLS 1.3 should work.

Re: TLS1.3 inspection

iko — Mon, 16 Aug 2021 10:42:02 GMT

doesn't work for some reason:

[Expert@gw-a7234c:0]# cpprod_util FwIsUsermode 1
Unknown/Unsupported command 1
0 [Expert@gw-a7234c:0]# cpprod_util FwIsUsfwMachine 1
Unknown/Unsupported command 1

Re: TLS1.3 inspection

_Val_ — Mon, 16 Aug 2021 10:50:28 GMT

Should be:

FwSetUsermode, FwSetUsfwMachine

Re: TLS1.3 inspection

iko — Mon, 16 Aug 2021 10:56:56 GMT

Thanks _Val_, this worked:

[Expert@gw-a7234c:0]# cpprod_util FwIsUsermode
1
[Expert@gw-a7234c:0]# cpprod_util FwIsUsfwMachine
1

Thank you both _Val_ and PhoneBoy

Iko

Re: TLS1.3 inspection

iko — Mon, 16 Aug 2021 11:09:57 GMT

unfortunately, I had to remove the "accept as solution" because the TLS1.3 inspection still has some problem.

In the log I can see that the inspection works, but the client browser shows a "Secure Connection failed" message now.

Is there anything else I am missing?

Re: TLS1.3 inspection

_Val_ — Mon, 16 Aug 2021 11:17:26 GMT

Root certificate installed as trusted probably? 🙂

Re: TLS1.3 inspection

iko — Mon, 16 Aug 2021 11:37:32 GMT

I analyzed the traces, it looks like the firewall is striping off the supported_versions extension in the outgoing ClientHello now.

Re: TLS1.3 inspection

iko — Mon, 16 Aug 2021 12:12:42 GMT

my bad, i didnt reboot.

now HTTPS requests workd again on client, but traffic is bypassed from interception again. but only TLS1.3 traffic

Re: TLS1.3 inspection

PhoneBoy — Mon, 16 Aug 2021 23:10:18 GMT

What's the log card say on the bypassed log?

Re: TLS1.3 inspection

iko — Tue, 17 Aug 2021 12:03:42 GMT

One request on the client always brings up 3 log entrys:

is this the log card?

Just for clarification: The accessed webserver is TLS1.3 only.

First log entry gets accepted. I think this is the first ClientHello sent without supported_versions extension, which makes it an TLS1.2 request. This is not what the webserver expects, so he replies with some version_alert. So the Firewall sends the ClientHello again, this time with supported_versions extension included (TLS1.3) -> This is what log entries 2 & 3 are about.

I just wonder why the bypass entry comes second!? Wouldn't it make more sense if the decision to intercept or not, is made already before the first request is sent. or is the order not really accurate, since this all happens in very short time?

just my thoughts ...

Re: TLS1.3 inspection

PhoneBoy — Tue, 17 Aug 2021 13:44:19 GMT

The order may not entirely be accurate here, but the Internal System Error would explain why it is bypassing.
You’ll need to use this SK to debug what’s happening: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk112066

Re: TLS1.3 inspection

Alex_Lewis — Wed, 08 Dec 2021 00:16:51 GMT

I have tried these commands multiple times and after a reboot, the values are back to 0

cpprod_util FwSetUsermode 1
cpprod_util FwSetUsfwMachine 1

Also, I tried enabling TLSIO by adding fwtls_enable_tlsio=1 to $FWDIR/boot/modules/fwkern.conf; fw ctl get int fwtls_enable_tlsio shows it is 0 after reboot, If I try to set on the fly with fw ctl set int fwtls_enable_tlsio 1, I get the error "Set operation failed: failed to get parameter fwtls_enable_tlsio".

Re: TLS1.3 inspection

Ilya_Yusupov — Wed, 08 Dec 2021 08:24:24 GMT

Hi @Alex_Lewis ,

Can you share on which version and platform you are trying to convert to USFW?

Thanks,

Ilya

Re: TLS1.3 inspection

Alex_Lewis — Wed, 08 Dec 2021 13:07:30 GMT

2 gateway HA cluster running R81 Take 36 on Open Platform

Re: TLS1.3 inspection

Ilya_Yusupov — Wed, 08 Dec 2021 17:23:10 GMT

in general if it's open platform so it should be USFW by default.

can you share which type to you have? how many CPU's it has?