topic Re: Https inspection Validation error in General Topics

Https inspection Validation error

Sukru_isik — Fri, 28 Dec 2018 09:33:24 GMT

Hello ,

I have checkpoint with version R80.20.

I have enabled https inspection and using Sophos endpoint agent.

Agents are managed on cloud side. When we want to install agent , we are taking a log like below and we couldnt install it.

I have written exception url like "*.sophos.com" on inspection rules, but it is not working.

(When I disable https inspection completely, the agents are installed succesfully.)

How can I solve this problem?

Re: Https inspection Validation error

Alex_Weldon — Fri, 28 Dec 2018 15:09:01 GMT

It looks like you already have the Sophos IP addresses defined - Try creating an HTTPS bypass using the Objects representing the Sophos IP range rather than the regex bypass.

Re: Https inspection Validation error

Sukru_isik — Fri, 28 Dec 2018 15:24:11 GMT

I dont know IP adresses. The application is on amazon public cloud. And IP adresses are always changing so I have to write url exception.

Re: Https inspection Validation error

Alex_Weldon — Fri, 28 Dec 2018 16:54:38 GMT

What are your options set to under HTTPS Validation?

Re: Https inspection Validation error

PhoneBoy — Fri, 28 Dec 2018 19:55:18 GMT

The error message is pretty clear: whatever is signing the certificate is not a trusted CA.

The Security Gateway maintains a certificate store of CAs.

Whatever CA signed the site certificate, it needs to be added here:

Re: Https inspection Validation error

Sukru_isik — Sat, 29 Dec 2018 14:50:41 GMT

the configuration is below:

Re: Https inspection Validation error

Sukru_isik — Sat, 29 Dec 2018 14:59:54 GMT

I import certificate manually(exported it to *.cer file from browser).

And then try again but I am taking same error.

Re: Https inspection Validation error

PhoneBoy — Sat, 29 Dec 2018 17:26:33 GMT

That's a different error from the above.

In any case I recommend opening a TAC case so we can troubleshoot what's happening.

Re: Https inspection Validation error

RickHoppe — Sat, 29 Dec 2018 20:31:22 GMT

In cases like this I always check SSL Labs to see what they have to say: https://www.ssllabs.com/ssltest/analyze.html?d=mcs%2dcloudstation%2dus%2deast%2d2.prod.hydra.sophos.com&latest

My advise would be to also contact your support contacts at Sophos as there is clearly a trust issue with this certificate.

Re: Https inspection Validation error

MartinZ — Thu, 13 Jun 2019 14:35:05 GMT

I had this issue and noticed there was a root CA update waiting to be applied. After applying the update all was good:

Ref: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk64521

Re: Https inspection Validation error

McGlio — Fri, 15 Nov 2019 17:44:40 GMT

I've found a workaround for those who use Sophos like antivirus.
You will not find on the internet the CA used from Sophos for Antivirus update/installation, but if you install a client using an outside connection on your Windows computer, for example doing hotspot with your mobile, you could find the .crt file of the root CA used in the path C:\Program Files (x86)\Sophos\CloudInstaller\Management Certs

Re: Https inspection Validation error

Jf821 — Tue, 18 Feb 2020 16:57:46 GMT

I have run into exactly the same issue. Having real problems working round it.

Found all the sophos CA's in C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\mcsep\Sophos\Certificates\Management Communications System. I have uploaded them.

But.....

Now checkpoint complains it cant get the CRLs. Without saying where its looking for them, for the life of me I cant find any reference if you can upload a CRL into checkpoint (the sophos CRL files are in the same folder as the certs.

No mater what URLs I add into the SSL bypass rule it does not work.

This has proving to be a real puzzle.

Re: Https inspection Validation error

PhoneBoy — Tue, 18 Feb 2020 18:36:39 GMT

CRLs are typically downloaded via HTTP (not HTTPS).
The exact location it's looking should be specified in the Sophos certificate itself.

Re: Https inspection Validation error

FedericoMeiners — Tue, 18 Feb 2020 19:00:34 GMT

Hello,

In one of our customers we always had Sophos install/update issues with HTTPS Inspection enabled with all versions except with R80.40

R80.40 worked out of the box with a bypass rule for Sophos services.

Re: Https inspection Validation error

Jf821 — Wed, 19 Feb 2020 11:13:34 GMT

So I think I'm getting to what the issue is, but I don't understand why it happens

If I debug wstlsd It can correctly read all the cert information.

When I debug the kernal to see the ssli rule processing I see the following:

@;89466575;18Feb2020 17:31:38.369043;[cpu_0];[fw4_1];ws_get_server_ssl_certificate_cn_field: _found = ffffffff8063931c, *_found = 0;

@;89466575;18Feb2020 17:31:38.369049;[cpu_0];[fw4_1];https_inspection_handle_ssl: setting the 'IS_SSL' flag on connection ffffc2001d216bf8;

@;89466575;18Feb2020 17:31:38.369053;[cpu_0];[fw4_1];https_inspection_handle_ssl: Rulebase was matched on syn packet without category column (matched_with_opt: 0);

@;89466575;18Feb2020 17:31:38.369056;[cpu_0];[fw4_1];https_inspection_handle_ssl: domain is missing, handshake will be done without rulebase execution;

@;89466575;18Feb2020 17:31:38.369067;[cpu_0];[fw4_1];fwconn_key_lookup_app_opaque: conn <dir 0, aa.aa.aa.aaa:64187 -> bb.bb.bb.bb:443 IPP 6> found in connections table (id=4);

@;89466575;18Feb2020 17:31:38.369072;[cpu_0];[fw4_1];https_inspection_handle_ssl: setting the 'SSL_TUNNEL_INSPECTED' flag on connection ffffc2001d216bf8;

For some reason, it cant read the CN of the cert, resulting in it dropping to the bottom of the rule set and hitting my inspection rule. This would explain why I can write an IP based rule it works, but when I write a rule based on a URL it never triggers. This is on R80.20

I have raised a support ticket, as why this is happening is beyond me.

Re: Https inspection Validation error

PhoneBoy — Thu, 20 Feb 2020 02:30:00 GMT

Agree, a support ticket is warranted here.
Apologies this message got flagged as spam a couple times. 🙄

Re: Https inspection Validation error

Jf821 — Fri, 06 Mar 2020 17:31:04 GMT

Support has confirmed this a known issue, but it's wider than just sophos.

It would appear that any ssl certificate that the gateway sees as not trusted, cant be bypassed based on common name of the certificate. The only way to bypass in this situation is based on IP address.

Re: Https inspection Validation error

Jf821 — Thu, 19 Mar 2020 16:27:56 GMT

While R&D appear to confirm there is an issue, as it stand currently, they will not fix it, why they wont fix the bug I cant currently get to the bottom of, despite there being multiple Sophos customers with exactly the same issue.

To me it's a clear bug, there should no reason why I cant write a rule based on the CN of cert, when the gateway does not trust the cert.

Thus the only option you have if your gateway does not trust a cert is to by pass using IP address. Which is a complete pain, as sophos change all their ips on a regular basis,

Re: Https inspection Validation error

Benedikt_Weissl — Thu, 19 Mar 2020 16:33:50 GMT

Maybe the improved https inspection mechanism in r80.30 would help here, for R80.20 have a look at the sk104717 "Improvements in HTTPS Inspection Bypass mechanism - Probe Bypass".

Re: Https inspection Validation error

PhoneBoy — Thu, 19 Mar 2020 23:43:27 GMT

Can you PM me the ticket number you had with TAC?