topic Re: Difference between HTTPS Inspection and Categorize HTTPS websites settings in Firewall and Security Management

Difference between HTTPS Inspection and Categorize HTTPS websites settings

Jon_Louis_Fern1 — Mon, 30 Apr 2018 03:25:46 GMT

Hi Checkmates,

I would like to ask what is the difference in the behavior, pros and cons of or when will you use the following:

1. HTTPS Inspection

2. In Application & Url Filtering Settings under Url Filtering -> Categorize HTTPS websites.

because in the " Categorize HTTPS websites" settings it says that you can allow HTTPS (SSL traffic) URL's without activating HTTPS Inspection.

Re: Difference between HTTPS Inspection and Categorize HTTPS websites settings

PhoneBoy — Mon, 30 Apr 2018 04:24:14 GMT

HTTPS Inspection allows you to see all the traffic as if it was unencrypted, allowing you to do full threat prevention and content inspection.

Unfortunately, there are some situations where HTTPS Inspection does not work, namely:

Certificate pinning
Client certificate authentication
Different ciphers used for TLS than are supported in HTTPS Inspection
Where TLS 1.3 is required

Categorize HTTPS Sites will allow you to categorize HTTPS connections based on the certificate DN, which is sent in the clear.

It, however, does not currently support SNI, which many sites use, particularly anything with a wildcard certificate.

You also cannot see the full URI or any of the content (as we are not decrypting it), allowing for limited threat prevention capabilities.

There are several threads that discuss both of these topics in more detail.

Re: Difference between HTTPS Inspection and Categorize HTTPS websites settings

Jon_Louis_Fern1 — Mon, 30 Apr 2018 05:17:08 GMT

Thank You sir Dameon for the reply.

Do you mean that if i will do HTTPS inspection i need both HTTPS inspection rules and check the "Categorize HTTPS websites" in url settings?

Re: Difference between HTTPS Inspection and Categorize HTTPS websites settings

PhoneBoy — Mon, 30 Apr 2018 05:28:01 GMT

If you can do HTTPS Inspection, you don't need Categorize HTTPS sites.

The options are mutually exclusive.

Re: Difference between HTTPS Inspection and Categorize HTTPS websites settings

Gaurav_Pandya — Mon, 30 Apr 2018 12:18:17 GMT

Hi,

Here I want to share my recent experience.

We have enabled & configured URL Filtering blade on the firewall. After checking logs, came to know that only http traffic is categorized. For https traffic, categorization is not happening and result is not as per the configuration.

We don't want to enable https inspection. So finally we have enabled "Categorized https Websites" and it started working as expected.

Re: Difference between HTTPS Inspection and Categorize HTTPS websites settings

Vladimir — Mon, 30 Apr 2018 13:03:56 GMT

Dameon,

Would any of these limitations be addressed in R80.20?

Doe the use of acceleration card help to address any of these limitations?

If the answers to above questions are "No", is there an ARTG on the use of the external SSL/TLS decryption solutions with Check Point that are known to work well and to remove these limitations (i.e. Gigamon, SSL Visibility Appliance | Symantec , Ixia or F5)?

Thank you,

Vladimir

Re: Difference between HTTPS Inspection and Categorize HTTPS websites settings

Paul_Collins — Mon, 30 Apr 2018 13:14:13 GMT

Interesting. So if you block the category gambling, for example, and then go to a https gambling website ( i.e. https://ladbrokes.com ) does the usercheck screen display correctly ? I find that unless https inspection is on, this will not show the block/user check pages ?

Re: Difference between HTTPS Inspection and Categorize HTTPS websites settings

Gaurav_Pandya — Mon, 30 Apr 2018 14:29:59 GMT

Hi Paul,

Yes it is working correctly without https inspection ON.

Re: Difference between HTTPS Inspection and Categorize HTTPS websites settings

PhoneBoy — Mon, 30 Apr 2018 16:28:59 GMT

There is a coming hotfix on top of R80.10 (and presumably included in R80.20) that is expected addresses the issues with SNI.

For HTTPS Inspection in R80.20, there a couple things:

Improved cipher support
Support of outbound HTTPS Inspection with a Gemalto SafeNet HSM Appliance
Support for use of both HTTPS Inspection and Categorize HTTPS Websites concurrently (at the moment, they do not work together).

Re: Difference between HTTPS Inspection and Categorize HTTPS websites settings

Vladimir — Mon, 30 Apr 2018 16:44:25 GMT

TLS 1.3?

Re: Difference between HTTPS Inspection and Categorize HTTPS websites settings

PhoneBoy — Mon, 30 Apr 2018 17:06:14 GMT

We are definitely looking at how to address TLS 1.3, though not listed in the EA notes.

Re: Difference between HTTPS Inspection and Categorize HTTPS websites settings

Shehan_Wickrama — Tue, 01 May 2018 04:45:00 GMT

Hey Paul,

For me, visiting the website (HTTPS CATEGORIZATION IS ENABLED) did not show the user check / block message but after enabling SSL Inspection the block message appeared.

This behavior is tested on a SMB Appliance.

Re: Difference between HTTPS Inspection and Categorize HTTPS websites settings

PhoneBoy — Tue, 01 May 2018 05:23:01 GMT

Pretty sure this is expected behavior on all versions.

It's certainly my experience on R77.20/R77.30.

Gaurav Pandya‌ what version did this work for you?

Re: Difference between HTTPS Inspection and Categorize HTTPS websites settings

Gaurav_Pandya — Tue, 01 May 2018 10:04:00 GMT

It is R77.30

Re: Difference between HTTPS Inspection and Categorize HTTPS websites settings

Shehan_Wickrama — Thu, 03 May 2018 11:08:34 GMT

No, not with SMB 1450. I had to open a TAC Case for this.

Re: Difference between HTTPS Inspection and Categorize HTTPS websites settings

RickLin — Sat, 05 May 2018 09:14:21 GMT

Hi Paul

Indeed , User Check Block web page will not function well when Https Inspection is off.

When we try to key-in the URL in "ladbrokes.com" is different from "https://ladbrokes.com" to User Check Block Page function.

"ladbrokes.com" will display User Check Block Page correctly.

Because it is http redirect.

"https://ladbrokes.com" will not display User Check Block Page correctly.

Because it is https redirect. So need to enable Https Inspection function.

Re: Difference between HTTPS Inspection and Categorize HTTPS websites settings

Paul_Collins — Tue, 08 May 2018 12:12:35 GMT

Hi Rick & others

Thanks for the advice. It does seem that the 'categorise https sites' option is pretty useless then without https inspection.

I do wonder how Forcepoint (ex Websense) and other dedicated filtering companies manage to filter and show block pages without having ssl decrypt enabled.

Does it make any difference if we configure the Checkpoint gateway as a web proxy ? Does it work then ?

If this is fixed in a hotfix or R80.20 then that will be very welcome news

Cheers

Paul

Re: Difference between HTTPS Inspection and Categorize HTTPS websites settings

RickLin — Tue, 08 May 2018 12:49:50 GMT

Hi Paul

I ever talk with my colleague.

He is familiar with both CheckPoint and WebSense(ForcePoint).

WebSense also need to enable https inspection function to be able to show https block page correctly. (Even work in proxy mode)

Re: Difference between HTTPS Inspection and Categorize HTTPS websites settings

Paul_Collins — Tue, 08 May 2018 12:55:52 GMT

Hi Rick

I have Websense showing the block page for https websites without SSL decrypt enabled. Be interested in your colleague's findings

Thanks

Paul

Re: Difference between HTTPS Inspection and Categorize HTTPS websites settings

Albert_Wilkes — Wed, 11 Jul 2018 12:10:05 GMT

Another disadvantage of categorization vs. inspection is the fact that categorization wouldn't be able to differentiate between two services that run under the same hostname, e.g. dropbox and wetransfer uploads could not be differentiated from downloads as the only part that's visible to the CP is the hostname, not the full URL.

As the hostname is identical for both the upload and the download, the CP could not tell it apart.

To confirm, using any of the following would either block or allow WeTransfer as a whole, not just e.g. up- or download when using categorization only instead of inspection.

In this respect you'd need to at least enable inspection for the sites you're interested in differentiating (e.g. into up- and download) for logging or controlling purposes while bypassing all others.