topic Re: HTTPS Inspection on SMB in Spark Firewall (SMB)

HTTPS Inspection on SMB

HristoGrigorov — Tue, 27 Nov 2018 18:46:28 GMT

So, how is it at the moment for those of you using it?

Last time I tried it, users just could not reach some of the sites. I recall some peculiar SSL error in the logs.

Re: HTTPS Inspection on SMB

PhoneBoy — Wed, 28 Nov 2018 05:20:36 GMT

It would help if you could provide information you saw in the logs, describe the behaviors you saw in more detail, etc.

Also is the appliance locally managed or centrally managed?

Re: HTTPS Inspection on SMB

HristoGrigorov — Wed, 28 Nov 2018 06:05:40 GMT

Can't quite remember what it was exactly other than I set everything to bypass (even cleanup rule) and there was a log message with something like "empty_ssl_response". I may try it again during next weekend and get more details.

It is centrally managed 1470.

But I have not opened this thread to discuss particular problem, more like to get your feedback. There are related discussions here on CheckMates but they are more about R80.xx gateways.

Re: HTTPS Inspection on SMB

PhoneBoy — Wed, 28 Nov 2018 07:15:20 GMT

Empty SSL Connection most likely means you haven't installed the necessary CA key into the trusted root store on your browser.

See: A log with an "empty_ssl_conn" entry in the HTTPS Validation field appears in SmartView Tracker

And yes, I totally understand wanting to get feedback.

HTTPS Inspection in general has been discussed in numerous threads for non-SMB appliances.

Most of the issues would be similar for SMB appliances, I would expect.

Re: HTTPS Inspection on SMB

Pedro_Espindola — Wed, 28 Nov 2018 15:19:55 GMT

I had some performance issues at first due to memory leak, but it was fixed and all works well. Here is what I did:

Enable probe bypass mechanism as described in sk104717
Enable P384 support as described in sk110883

In locally managed appliances I still have to configure many exceptions for pages that might fail to load. For some unknown reason, pages that fail in locally managed SMBs work well in centrally managed.

Re: HTTPS Inspection on SMB

HristoGrigorov — Wed, 28 Nov 2018 17:39:30 GMT

Thanx mate, very valuable info.

Didn't know SK104717 is applicable for SMB as well. But now that you mentioned it, I checked and there is indeed enhanced_ssl_inspection parameter in the kernel. Did you implement all SK steps or only part of them ?

It doesn't look like I have to do anything for SK110883 because starting from R77.20.80 it is already integrated?

Re: HTTPS Inspection on SMB

PhoneBoy — Wed, 28 Nov 2018 19:12:42 GMT

I believe you still have to perform the ckp_regedit steps in the SK from expert mode.

Re: HTTPS Inspection on SMB

HristoGrigorov — Thu, 29 Nov 2018 04:29:13 GMT

I ran these commands and rebooted appliance. Hopefully that is enough.

cp $CPDIR/registry/HKLM_registry.data $CPDIR/registry/HKLM_registry.data.BAK

ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_ACCEPT_ECDHE 1

ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_PROPOSE_ECDHE 1

ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_ACCEPT_ECDSA 1

ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_PROPOSE_ECDSA 1

ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_EC_P384 1

Re: HTTPS Inspection on SMB

HristoGrigorov — Thu, 29 Nov 2018 04:46:08 GMT

Question... Are Linux update repositories included in "known software update services" list ? Because it does not look like they are.

Re: HTTPS Inspection on SMB

PhoneBoy — Thu, 29 Nov 2018 04:57:50 GMT

No, they're not.

The list is here: Check Point or Windows signatures update fails when HTTPS Inspection enabled on Security Gateway

Re: HTTPS Inspection on SMB

HristoGrigorov — Thu, 29 Nov 2018 05:08:34 GMT

Thanx, I'll bypass them for now.

Re: HTTPS Inspection on SMB

HristoGrigorov — Fri, 21 Dec 2018 05:02:37 GMT

I am using HTTPS Inspection with success so far but I faced strange problem. When I try to access certain Web sites (varna-airport.bg for example) I am getting ERR_CONNECTION_TIMED_OUT from browsers. And indeed telnet to port 443 on that host gives same error.

If I bypass this site by destination IP or URL it does not work. But if I bypass it by source IP then it works fine.

There is nothing relevant in the logs. Have any of you faced similar problem and how did solve it ?

Re: HTTPS Inspection on SMB

PhoneBoy — Fri, 21 Dec 2018 22:30:25 GMT

If you do a tcpdump on the outside interface when you attempt to access this site, what do you see?

My guess is that the TLS negotiation might be failing.

The fact there is no logs about this is problematic and might be worth a TAC case.

Re: HTTPS Inspection on SMB

Pedro_Espindola — Sat, 22 Dec 2018 18:08:14 GMT

Could it be a redirect which is sending you to another IP which is not bypassed?

As Dameon said, capture with TCPDUMP and look for redirect codes or TLS errors.

I don't see why it would timeout, though. Normally there should be other kinds of error.

Re: HTTPS Inspection on SMB

HristoGrigorov — Mon, 24 Dec 2018 05:27:57 GMT

Thanx for your comments. I disabled enhanced_ssl_inspection and it started to work again.

Re: HTTPS Inspection on SMB

Pedro_Espindola — Thu, 27 Dec 2018 14:26:01 GMT

So it works better for you with probe bypass off?

For me it seems to work better when I turn it off.

Re: HTTPS Inspection on SMB

HristoGrigorov — Thu, 27 Dec 2018 15:40:08 GMT

Yes, seems to work better when it is off. Otherwise some sites just time out and users are not happy about it.

Re: HTTPS Inspection on SMB

HristoGrigorov — Thu, 17 Jan 2019 17:01:00 GMT

A friendly reminder guys...

If you need to bypass site by IP address, make sure relevant row in the HTTPS Inspecton policy is on the top before any other inspection rules. Otherwise it won't have effect. Logical but easy to miss

Re: HTTPS Inspection on SMB

Pedro_Espindola — Thu, 17 Jan 2019 18:47:26 GMT

Talking about rule order, I am unable to rearrange SSL inspection exception rules in locally managed appliances. I drag and drop, but they go back to the order they were created.

How about you?

Re: HTTPS Inspection on SMB

HristoGrigorov — Fri, 18 Jan 2019 03:52:51 GMT

I do not have locally managed one so cannot say. But may be as a workaround you can export configuration in cli rearrange rules and then import it again?