R80.x - Performance Tuning Tip - SNI vs. https inspection

HeikoAnkenbrand — Sat, 21 Dec 2019 20:04:37 GMT

R80.20+ with enabled HTTPS inspection

If the https inspection is enabled, the parameter host from http header can be used for the url because the traffic is analyzed by active streaming. Check Point Active Streaming (CPAS) allow the changing of data, we play the role of “man in the middle”. CPAS breaks the connection into two parts using our own stack – this mean, we are responsible for all the stack work (dealing with options, retransmissions, timers etc.). An application is register to CPAS when a connection start and supply callbacks for event handler and read handler. Several protocols uses CPAS, for example: HTTPS or also VoIP (SIP, Skinny/SCCP, H.323, etc.), Security Servers processes, etc. CPAS breaks the HTTPS connection into two parts using our own stack – this mean, we are responsible for all the stack work (dealing with options, retransmissions, timers etc.)

More read here: R80.x Security Gateway Architecture (Content Inspection)

Tip 1 - Enable https inspection on the gateway for R80.30

> Gateway & Service > [Gateway] > HTTPS Inspection

> Now creat https rules and configure all blades

R80.20+ without enabled HTTPS inspection (use SNI)

If the https inspection is bypassed by https inspection rule, SNI is used to recognize the virtual URL for application control and url filtering.

SNI is investigated during TLS Handshake it inspect the ‘Client Hello’ SNI field and
the server name in ‘Server Hello’. The subject field content is compared with the server name. If subject contains a Wildcard the content of subject alt name field is inspected: A valid certificate would include the server name here.

For more informations about URL Filtering see sk92743.
More read here: URL Filtering using SNI for HTTPS websites.pdf

Tip 2 - Enable SNI without https inspection in R80.30 for “Application Control & URL Filtering Settings”

> Gateway & Service > [Gateway] > HTTPS Inspection

> Creat HTTPS bypass rule

> Management & Settings > Blades > Application Control > Advanced Settings

Tip 3 - Performance view SNI vs. HTTPS inspection

From a performance view, it is more effective to use the SNI function if you only use URL filtering and application control.

Chapter

More interesting articles:
- R80.x Architecture and Performance Tuning - Link Collection
- Article list (Heiko Ankenbrand)

Re: R80.x - Performance Tuning Tip - SNI vs. https inspection

PhoneBoy — Fri, 20 Dec 2019 19:04:04 GMT

Hi, one error here: in R80.30x , HTTPS Inspection must be enabled for SNI Verification to take place.
I believe you can leave a bypass rule as the only rule and it should still work.
Believe this limitation will be removed in R80.40.

Re: R80.x - Performance Tuning Tip - SNI vs. https inspection

HeikoAnkenbrand — Sat, 21 Dec 2019 20:01:31 GMT

Yes, you're right. 👍

I have already written it for R80.40 EA. I have now changed it to R80.30.

R80.40 settings follow if it is GA:-)

Re: R80.x - Performance Tuning Tip - SNI vs. https inspection

Kyu_Jung — Wed, 08 Jan 2020 06:48:53 GMT

It works as described in this article.

Re: R80.x - Performance Tuning Tip - SNI vs. https inspection

Andrejs__Андрей — Fri, 08 May 2020 07:44:07 GMT

for Tip2...

you can enable bypass also via cli:
fw ctl set int bypass_on_enhanced_ssl_inspection 1

regards,
--
ak.

topic Re: R80.x - Performance Tuning Tip - SNI vs. https inspection in General Topics

R80.x - Performance Tuning Tip - SNI vs. https inspection

Re: R80.x - Performance Tuning Tip - SNI vs. https inspection

Re: R80.x - Performance Tuning Tip - SNI vs. https inspection

Re: R80.x - Performance Tuning Tip - SNI vs. https inspection

Re: R80.x - Performance Tuning Tip - SNI vs. https inspection