https://community.checkpoint.com/t5/General-Topics/Detect-or-and-enforce-SSL-STARTTLS/m-p/5893#M688 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Thank you for the reply. I needed some time to test it and found that SMTP over TLS signature doesn't work for me. I found in the 'More Info' section of 'SMTP over TLS' description that HTTPS Inspection is mandatory for detection but I cannot enable it due to policy reasons.</P><P>So no luck in SMTP, no luck in LDAP, no luck in HTTPS because I'm still on R77.</P><P>Anyway, thanks for the suggestions. Any other ideas appreciated.</P></BODY></HTML> Tue, 05 Sep 2017 13:44:42 GMT Pawel_ 2017-09-05T13:44:42Z https://community.checkpoint.com/t5/General-Topics/Detect-or-and-enforce-SSL-STARTTLS/m-p/5891#M686 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I'd like to detect and/or enforce that people use encryption when they pass data between systems. For example people say that for SMTP, tcp/25, they use STARTTLS. Is there any way to verify/enforce that STARTTLS is in fact used? I don't want to inspect the content of encrypted traffic, just want to ensure that people encrypt data.</P><P>The same question is about STARTTLS for LDAP on tcp/389 or detecting/enforcing the use of HTTPS on non-standard ports.</P><P></P><P>Thanks,</P><P>Pawel</P></BODY></HTML> Thu, 31 Aug 2017 09:16:49 GMT https://community.checkpoint.com/t5/General-Topics/Detect-or-and-enforce-SSL-STARTTLS/m-p/5891#M686 Pawel_ 2017-08-31T09:16:49Z https://community.checkpoint.com/t5/General-Topics/Detect-or-and-enforce-SSL-STARTTLS/m-p/5892#M687 <HTML><HEAD></HEAD><BODY><P>There are application signatures for SMTP over TLS.</P><P>It would make sense you could create a rule allowing that application and BLOCK regular smtp.</P><P>I don't believe we have a similar&nbsp;one for LDAP.</P><P>For HTTPS, there is an application signature you can enable in R80.10 (it's disabled in the default https service).</P><P>If you want to enforce HTTPS on other ports, create a new TCP service:</P><P></P><P><IMG class="image-1 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/58383_pastedImage_1.png" style="width: auto; height: auto;" /><IMG class="image-2 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/58384_pastedImage_2.png" style="width: auto; height: auto;" /></P><P></P><P>A rule using this service would have to be used in a layer that has Application Control enabled.</P></BODY></HTML> Fri, 01 Sep 2017 19:40:53 GMT https://community.checkpoint.com/t5/General-Topics/Detect-or-and-enforce-SSL-STARTTLS/m-p/5892#M687 PhoneBoy 2017-09-01T19:40:53Z https://community.checkpoint.com/t5/General-Topics/Detect-or-and-enforce-SSL-STARTTLS/m-p/5893#M688 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Thank you for the reply. I needed some time to test it and found that SMTP over TLS signature doesn't work for me. I found in the 'More Info' section of 'SMTP over TLS' description that HTTPS Inspection is mandatory for detection but I cannot enable it due to policy reasons.</P><P>So no luck in SMTP, no luck in LDAP, no luck in HTTPS because I'm still on R77.</P><P>Anyway, thanks for the suggestions. Any other ideas appreciated.</P></BODY></HTML> Tue, 05 Sep 2017 13:44:42 GMT https://community.checkpoint.com/t5/General-Topics/Detect-or-and-enforce-SSL-STARTTLS/m-p/5893#M688 Pawel_ 2017-09-05T13:44:42Z