topic Re: How to Integrate Firewalls and SSL Decryption in General Topics

How to Integrate Firewalls and SSL Decryption

ykpark — Tue, 13 Dec 2022 01:04:22 GMT

Dear all,

We are going to change the configuration according to the customer's request.
SSL encryption and decryption is performed using F5, not Checkpoint Firewall, and 3rd party APT solution is integrated and operated.

Customers want to use Checkpoint's Prevention and Emulation feature instead of their existing APT solution.

As in the goal configuration diagram, the decryption traffic is again controlled by the checkpoint firewall to control the threat traffic.

Can you tell me what problems are expected if I configure it according to the target configuration diagram?

I'd like to know if anyone has experience with a similar configuration like this.

I need your advice.

Thanks

Outbound traffic flow :

1.encrypted traffic

2.Decryption traffic from F5 SSL

3.Detection and blocking by checkpoint threat prevention policy

4.Encrypted traffic from F5 SSL

Re: How to Integrate Firewalls and SSL Decryption

PhoneBoy — Tue, 13 Dec 2022 01:24:42 GMT

Usually, when the Check Point gateway isn’t doing the SSL Decrypt/Encrypt, you have boxes doing that on the inside and outside versus routing the encrypt and decrypt through the same box.
This creates the possibility of “double inspection” on the same flow, which will be dropped by the gateway unless the F5 can change the traffic on the outbound after re-encrypting so it looks different to the Check Point device.
However, you’re also doubling the amount of traffic the gateway is passing as well, which can have sizing implications.

The vast majority of customers just use our HTTPS Inspection instead of using an external SSL decrypt/reencrypt.

Re: How to Integrate Firewalls and SSL Decryption

the_rock — Tue, 13 Dec 2022 01:40:04 GMT

To add to @PhoneBoy comment, I spoke to customers in last 2-3 years who actually abandoned 3rd party vendors they were using specifically for ssl decryption (ie Bluecoat), as it was getting expensive and they went with CP https inspection, as it makes more sense, since you can use it as a blade on already existing firewall/cluster. I will say though, in all honesty, I was not a big fan of it back in R77.xx days, but it has come a long way since R80, for sure.

Re: How to Integrate Firewalls and SSL Decryption

Chris_Atkinson — Tue, 13 Dec 2022 02:20:56 GMT

Can you share some additional detail as to the configuration...

Is the F5 proposed to be deployed as L2, L3 or using ICAP, doing NAT etc?

Further to @PhoneBoy earlier comments refer sk172204.

Re: How to Integrate Firewalls and SSL Decryption

ykpark — Tue, 13 Dec 2022 01:59:24 GMT

Can I use cloud emulation when integrating with ICAP? The firewall is NGTX.
I think it's the best way if this feature is provided.

Re: How to Integrate Firewalls and SSL Decryption

Chris_Atkinson — Tue, 13 Dec 2022 02:26:57 GMT

Please refer to the ICAP portion of the Threat Prevention admin guide:

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_ThreatPrevention_AdminGuide/Topics-TPG/ICAP_Server.htm?tocpath=ICAP%7CThe%20Security%20Gateway%20as%20an%20ICAP%20Server%7C_____0

Re: How to Integrate Firewalls and SSL Decryption

PhoneBoy — Tue, 13 Dec 2022 03:10:51 GMT

You can, yes, but it has some limitations in this mode.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk123412&partition=Basic&product=Threat

Re: How to Integrate Firewalls and SSL Decryption

Jim_Holmes — Tue, 13 Dec 2022 22:00:17 GMT

If you are using F5 for load balancing, offload the TSL termination to the F5. I have several TLS-heavy customers that do this. I also see more and more dumping F5/Bluecoat/etc. as @the_rock said, it's becoming too expensive, vs. moving up a gateway model.

Re: How to Integrate Firewalls and SSL Decryption

ykpark — Fri, 16 Dec 2022 02:38:37 GMT

I am trying to integrate with ICAP in my current configuration.
I think interworking with ICAP is a better way than processing the same traffic twice. Do you agree with me?

Are there many references to enabling and using ICAP on a firewall?

And what are the considerations when activating ICAP?

Re: How to Integrate Firewalls and SSL Decryption

Chris_Atkinson — Fri, 16 Dec 2022 02:58:00 GMT

The relevant ICAP reference material is already linked above.

I'm otherwise not familiar enough with the capabilities of the F5 to advise.

But as @PhoneBoy explained we would commonly expect the Firewall to be the meat in the sandwich between an ingress and egress F5 performing encrypt/decrypt functions, if this can be performed logically on the one appliance such that the Firewall doesn't see what it thinks is the same traffic twice then great.