topic Re: Inbound HTTPS Inspection - Custom client certificate required in General Topics

Inbound HTTPS Inspection - Custom client certificate required

FedericoMeiners — Wed, 21 Oct 2020 12:54:19 GMT

Hi Everyone!

We have a use case where we need to deploy inbound HTTPS Inspection to a specific web service that uses a non standard port.

Gateways and management are both running R80.40.

Initially we are seeing a Bypass with the following error "Internal system error in HTTPS Inspection (Error Code: 2)"

One of the possible causes is that the root certificate is not trusted, however the customer is using the same cert in other inbound inspection rules without issues.

While troubleshooting we found that the backend application requires the client to send a specific certificate.
Since we are doing a Man-in-the-middle (MITM) for inspection it's obvious that the connection between the Gateway and the server will have the Check Point self signed certificate, not the one required by the application.

I know that this use case can be solved with an ADC such as F5, Netscaler, A10.

Questions:

- Can we do it with Check Point? I didn't find a proper way of using specific client certificates (Not server certs) for specific connections within the admin guides or SKs.

- Can "Internal system error in HTTPS Inspection (Error Code: 2)" be related to this issue? An HTTPS debug is not possible for the moment due to maintenance window requirements.

Thanks!

Re: Inbound HTTPS Inspection - Custom client certificate required

_Val_ — Wed, 21 Oct 2020 14:06:10 GMT

AFAIK, we do not have such functionality available. Try raising and RFE with your local Check Point team. Meanwhile, you will have to create a bypass rule for this application to work

Re: Inbound HTTPS Inspection - Custom client certificate required

FedericoMeiners — Wed, 21 Oct 2020 16:25:32 GMT

Valeri,

Thanks for the quick response! Just wanted to be sure of my assumptions.

It would be nice feature however it's not the job of a NGFW 🙂

Will work on the RFE with my local SE.

Thanks!

Federico

Re: Inbound HTTPS Inspection - Custom client certificate required

Martin_Stolz — Wed, 06 Oct 2021 22:32:41 GMT

I know this thread is maybe already outdated,
but i'm very interested in case there was a response to the RFE.

I do have a similar requirement.
* HTTPS inbound inspection should be used to inspect traffic.
* Server requires certificate based client authentication

My quick check:

Server tcpdump:
- Server Hello, Certificate, Certificate Request, Server Hello Done

Server Application Log:
- HTTPS client connection from host {FW-IP} failed due to the SSL error:
(sec.core-114) SSL connection error (peer did not return a certificate).

The behavior is, that this connection will time out.
Firewall log doesn't show Error Code-2
(what is in my experience mostly missing CA cert in list of Trusted CA or failed OCSP/CRL check)

Our competitor PA offers for such cases an interesting "nonProxy / forwarding mode".
As they have the private key and key exchange is RSA (not PFS),
then the firewall can simply copy and decrypt the https traffic for inspection. (PA is not MITM)
SSL Inbound Inspection (paloaltonetworks.com)

Does Check Point support such a mode?
@FedericoMeiners: Did you raised an RFE?

Thanks,

Ciao Martin

Re: Inbound HTTPS Inspection - Custom client certificate required

PhoneBoy — Wed, 06 Oct 2021 22:55:12 GMT

I believe as part of our NDR offering we have something that can do this.
The feature is called Cooperative Inspection.
Note that NDR sensors run a different image and are managed differently from regular Check Point gateways.