topic Problem with HTTPS Inspection in Firewall and Security Management

Problem with HTTPS Inspection

iko — Sat, 07 Aug 2021 17:43:00 GMT

Hi all,

I am new to Checkpoint, and I am having a hard time with the configuration of HTTPS Inspection.

Here my simple setup: I have a Security Gateway (R81) and Security Management Server installed on a VM with 2 interfaces (internal with hide NAT, and external). I have created the outbound certificate, and deployed it to the client, and enabled HTTPS Inspection.

Here are the HTTPS Inspection policies I use:

Browsing from the client works as expected, but browser still show the original certificate, not the one replaced from the gateway. Also the logs don't show anything:

In another post having the same problem, someone says "to enable https interception in the protocol tab", but I cannot find this option in any GUI. Is this what I am missing?

Anything else what I have possibly missed? Any help is highly appreciated.

Thank you, Iko

Re: Problem with HTTPS Inspection

Timothy_Hall — Sun, 08 Aug 2021 14:03:41 GMT

I assume you have enabled HTTPS Inspection on the gateway/cluster object itself under HTTPS Inspection...Step 3. Make sure that box is checked as you may have accidentally canceled out of that screen.

For object "Internet" to be applied properly in your HTTPS Inspection policy, you need to ensure that your network topology is completely and correctly defined under Network Management on your gateway/cluster object, specifically that the external interface is properly defined.

You may need to enable URLF to ensure the SNI category can be properly determined, but that may not matter here since you have "Any" set.

Re: Problem with HTTPS Inspection

iko — Sun, 08 Aug 2021 14:51:42 GMT

Thanks for your time and help.

You assume right, HTTPS Inspection is enabled:

My topology looks all right I think:

internalexternal

I also replaced the "Internet" object with "any" in my inspection policy, but doesn't change anything.

And I enabled URLF on the gateway and added URLF in category (in inspection rule).

Still no inspection happens.

Any other ideas left?

Re: Problem with HTTPS Inspection

Timothy_Hall — Tue, 10 Aug 2021 22:09:14 GMT

If you run ps -ef | grep wstlsd are there any wstlsd processes running? If they are, please provide the log card for an accepted HTTPS connection that should have been inspected. Either your Internet traffic is not traversing the firewall the way you think, or possibly the web traffic is using QUIC instead of HTTPS. If there are no wstlsd process you have something still wrong in your config.

What code level and JHFA are you running, and have you tried other browser types to initiate traffic?

Edit: Corrected daemon name from wstld to wstlsd.

Re: Problem with HTTPS Inspection

iko — Sun, 08 Aug 2021 17:26:02 GMT

No there are no wstld processes running.

Internet traffic is definitely passing the firewall. Behind the firewall is another VM using host only adapter, which is directly connected to the internal interface. here some logs:

From these logs I would say it is using HTTPS (not QUIC). btw, the client is internet explorer which is afaik not using QUIC at all.

does the output below answer your question regarding code level and JHFA?

if not, how can i provide you the information?

Thanks, Iko

Re: Problem with HTTPS Inspection

iko — Sun, 08 Aug 2021 17:39:12 GMT

i installed now chrome, to doublecheck, the problem is not the used protocol

my rulebase doesnt even allow QUIC, but HTTPS works like a charm. just not intercepted 😞

Re: Problem with HTTPS Inspection

Timothy_Hall — Sun, 08 Aug 2021 19:37:52 GMT

Sounds like you are in a virtual environment, if the firewall itself is a VM how many cores are allocated? It needs to be at least 2 cores and 4GB of RAM (R81 minimum requirements), and it wouldn't surprise me if HTTPS Inspection would fail to operate unless there were at least 4 total cores (1/3 CoreXL split with dedicated functions per core so that 3 wstlsd process could be started in that case, as opposed to a 2-core setup with a 2/2 split and overlapping core functions).

While HTTPS Inspection is not itself a licensed feature, I assume you have a valid license installed otherwise? cplic print

Try disabling HTTPS Inspection on the gateway object, publish and reinstall, then enable it again, publish and reinstall. If it still doesn't work it will probably be time for a TAC case so they can run a debug and figure out why your firewall is essentially refusing to perform HTTPS Inspection.

Re: Problem with HTTPS Inspection

iko — Mon, 09 Aug 2021 08:45:52 GMT

2 Cores with 4 GB RAM is what i am using at the moment. Changed it to 4 cores now.

I am using a trial license:

gw-a7234c> cplic print
Host Expiration Features

=====================================================================
Check Point product trial period will expire in 13 days.
Until then, you will be able to use the complete Check Point Product Suite.
Please obtain a permanent license from Check Point User Center at:
https://usercenter.checkpoint.com/pub/usercenter/get_started.html
======================================================================

I disabled HTTP Inspection, published, reinstalled and re-enabled, published, reinstalled, but still no HTTPS inspection ongoing.

Am I allowed to open a TAC case with my trial license?

Re: Problem with HTTPS Inspection

iko — Mon, 09 Aug 2021 08:44:37 GMT

I don't see a way to open a TAC request with my trial license.

Re: Problem with HTTPS Inspection

Timothy_Hall — Mon, 09 Aug 2021 13:16:38 GMT

Sorry can't help you with opening a TAC case, try hitting up your Check Point SE.

Re: Problem with HTTPS Inspection

the_rock — Mon, 09 Aug 2021 13:31:19 GMT

If that process is not running, something is definitely wrong. I remember once I had similar issue with the customer and it turned out to be a setting that was inadvertently changed in GUidbedit tool itself. Do you remember changing anything there at all? I will try to see if I can find what setting it was...

Re: Problem with HTTPS Inspection

the_rock — Mon, 09 Aug 2021 13:37:12 GMT

Got it...here is what I found in my notes (if you can check on this)

Make sure all SmartConsole connections are completely closed.
GuiDBedit > Other > ssl_inspection > general_confs_obj
The 'trusted_ca_certs_group' should refer to 'Recommended' from the same ssl_inspection table, so this must have been deleted on accident.
Simply right-click on the parameter > Edit, then in the Table drop-down select ssl_inspection and in the Object drop-down select Recommended
Save, close and then open SmartConsole and install policy

Re: Problem with HTTPS Inspection

iko — Mon, 09 Aug 2021 15:23:30 GMT

Hi the_rock, thanks for your advice. But I never changed anything with GuiDBedit.

The system I use is a fresh installation, and I just tried to setup HTTPS inspection in SmartConsole.

Anyway I verified it, the entry still exists

Any other advice?

Re: Problem with HTTPS Inspection

iko — Mon, 09 Aug 2021 17:10:06 GMT

in the meantime I will try my luck with a new installation ...

Re: Problem with HTTPS Inspection

iko — Mon, 09 Aug 2021 18:26:20 GMT

new installation has the exact same problem -> no wstld processes -> no https inspection 😭

Re: Problem with HTTPS Inspection

the_rock — Mon, 09 Aug 2021 18:43:15 GMT

That sucks...did you use same management server? Message me privately, I want to help you...we can do remote session when convenient.

Re: Problem with HTTPS Inspection

iko — Mon, 09 Aug 2021 21:09:39 GMT

I have a standalone gw and mgmt server on one virtual host. so I reinstalled everything from scratch today.

pm sent 😉 thank you

Re: Problem with HTTPS Inspection

the_rock — Tue, 10 Aug 2021 21:35:47 GMT

Just an update for this post...we did remote sesison and determined that wstlsd process was running, so no issues with firewall or https inspection and what was missing was simply a rule in policy to block a test site category, so we simply blocked gambling as a test from LAN and were able to see blocked page with the right cert.

Re: Problem with HTTPS Inspection

iko — Tue, 10 Aug 2021 21:55:51 GMT

just a note to point it out: there was a typo 🙂

the process is called wstlsd

and that was running 😉

Re: Problem with HTTPS Inspection

Timothy_Hall — Tue, 10 Aug 2021 22:11:08 GMT

Thanks, I corrected it in my prior post. I had a bit of a panic attack wondering if I had made the same mistake when mentioning that daemon in my book, but it was spelled correctly there. 😀