https://community.checkpoint.com/t5/Firewall-and-Security-Management/Logical-Servers-Object-easy-to-manipulate-with-local-host-file/m-p/100144#M7814 <P>First of all Https Inspection is turned on and activated on the FW.</P><P>We are trying to create a Load balancer for our internal Kubernetes Cluster, the Kubernetes Cluster has internal and external DNS.</P><P>The FW rule is a follow:</P><TABLE><TBODY><TR><TD width="85"><P>Source</P></TD><TD width="274"><P>Dest</P></TD><TD width="265"><P>NAT ip</P></TD><TD width="151"><P>service</P></TD><TD width="161"><P>Action</P></TD></TR><TR><TD width="85"><P>Any</P></TD><TD width="274"><P>Logical SRV Public ip 85.x.x.x DNS:Api.Contoso.Com</P></TD><TD width="265"><P>Nat ip internal web servers10.x.x.101-102 DNS inside: Admin.K8s.local.Com</P></TD><TD width="151"><P>Https</P></TD><TD width="161"><P>Allow</P></TD></TR></TBODY></TABLE><P>As you see, if you from internet know the internal DNS names, (Admin.K8s.local.Com) and from a laptop update the host file like this: 85.241.20.85&nbsp; Admin.K8s.local.Com, this rule above will not stop you, you receive a CA error. The Logical Server Object should had an option to use URL and not public ip only.</P><P>The problem is, if you do as described over, you reach out to Kubernetes Admin page,</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 26 Oct 2020 12:53:57 GMT geirh 2020-10-26T12:53:57Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Logical-Servers-Object-easy-to-manipulate-with-local-host-file/m-p/99659#M7788 <P>Hi&nbsp;</P><P>We have created a&nbsp;Logical Servers objects to Load Balance to our back-end web servers. Everything works fine, however it is easy to&nbsp;manipulate with local host file if you know the internal web servers DNS name.</P><P>The Logical server is setup with an public ip and DNS name and do NAT to internal back-end web servers, however if you knew the DNS name for internal web server and manipulate the local host file where you put in the public ip and the name for internal web server you will be routed trough the Logical Server, there will be CA error but it works.</P><P>Here is the guide we followed:&nbsp;<A href="https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_NextGenSecurityGateway_Guide/html_frameset.htm?topic=documents/R80.30/WebAdminGuides/EN/CP_R80.30_NextGenSecurityGateway_Guide/205222" target="_blank">https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_NextGenSecurityGateway_Guide/html_frameset.htm?topic=documents/R80.30/WebAdminGuides/EN/CP_R80.30_NextGenSecurityGateway_Guide/205222</A>&nbsp;</P><P>We have tried to block using Https Inspection for incoming traffic,&nbsp; but this tool is useless and we also expected that R80.40 had higher TLS value (TLS 1.0 as min.??) and stronger Chipers since Https Inspection takes over as front end web server for security.</P><P>The Https Inscetion rule should have blocked incoming traffic if the Web browser presented wrong SNI.</P><P>Applications &amp; URL filters does not work either together with Logical server Objects, we receives some Layer error.</P><P>Please advise.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 21 Oct 2020 06:26:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Logical-Servers-Object-easy-to-manipulate-with-local-host-file/m-p/99659#M7788 geirh 2020-10-21T06:26:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Logical-Servers-Object-easy-to-manipulate-with-local-host-file/m-p/99671#M7789 <P>I would suggest to involve TAC asap to get the issue resolved ! But honestly - why did you have to manipulate the local host file at all ? It should be very hard to manipulate the local host file in a secured production evironment...</P> Wed, 21 Oct 2020 07:11:33 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Logical-Servers-Object-easy-to-manipulate-with-local-host-file/m-p/99671#M7789 G_W_Albrecht 2020-10-21T07:11:33Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Logical-Servers-Object-easy-to-manipulate-with-local-host-file/m-p/100022#M7804 <P>Manipulate the host file on what machine precisely?<BR />Are you sure that HTTPS Inspection is actually activating in this case?</P> Sat, 24 Oct 2020 05:56:29 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Logical-Servers-Object-easy-to-manipulate-with-local-host-file/m-p/100022#M7804 PhoneBoy 2020-10-24T05:56:29Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Logical-Servers-Object-easy-to-manipulate-with-local-host-file/m-p/100144#M7814 <P>First of all Https Inspection is turned on and activated on the FW.</P><P>We are trying to create a Load balancer for our internal Kubernetes Cluster, the Kubernetes Cluster has internal and external DNS.</P><P>The FW rule is a follow:</P><TABLE><TBODY><TR><TD width="85"><P>Source</P></TD><TD width="274"><P>Dest</P></TD><TD width="265"><P>NAT ip</P></TD><TD width="151"><P>service</P></TD><TD width="161"><P>Action</P></TD></TR><TR><TD width="85"><P>Any</P></TD><TD width="274"><P>Logical SRV Public ip 85.x.x.x DNS:Api.Contoso.Com</P></TD><TD width="265"><P>Nat ip internal web servers10.x.x.101-102 DNS inside: Admin.K8s.local.Com</P></TD><TD width="151"><P>Https</P></TD><TD width="161"><P>Allow</P></TD></TR></TBODY></TABLE><P>As you see, if you from internet know the internal DNS names, (Admin.K8s.local.Com) and from a laptop update the host file like this: 85.241.20.85&nbsp; Admin.K8s.local.Com, this rule above will not stop you, you receive a CA error. The Logical Server Object should had an option to use URL and not public ip only.</P><P>The problem is, if you do as described over, you reach out to Kubernetes Admin page,</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 26 Oct 2020 12:53:57 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Logical-Servers-Object-easy-to-manipulate-with-local-host-file/m-p/100144#M7814 geirh 2020-10-26T12:53:57Z