topic Re: SMB HTTPS logging & other issues in Spark Firewall (SMB)

SMB HTTPS logging & other issues

n7564773 — Fri, 17 Mar 2023 21:40:28 GMT

Hello,

I'm seeing some very odd (to me) behaviour with a locally-managed 1450 appliance. I've just re-flashed it using the USB method so that it has a clean install of R77.20.87 (990173120). Although I did re-import my config after.

To begin with, I see no HTTPS logs whatsoever in the Security log. All my blades/rules have all logging enabled. I even turned on implied rule logging for a time to see if it helped but it didn't really. I saw a bunch more DNS requests and my WebUI activity.

For me to see any HTTPS logs I put a rule at the top of the rulebase disabling all access for the specific host, and then I see some generic HTTPS info at least.

For a long time now, even when HTTPS logs were working, I never get any category or URL information. Is "HTTPS Categorization" mode supposed to be able to do anything these days? I know there are SK articles about CA fixes, etc., but I wasn't sure if they would fix my issues.

I've dabbled with enabling SSL inspection but it doesn't suit my purposes right now.

There definitely seems to be an issue with my HTTPS and especially it's logging.

Thanks for your help

Re: SMB HTTPS logging & other issues

n7564773 — Fri, 17 Mar 2023 22:15:35 GMT

I don't see any VPN traffic either, until it's dropped traffic using the rule I mentioned above. I don't see any allowed Wireguard or OVPN traffic. But I see all of the dropped attempts.

I have licenses for all of the blades, active until 2024, if that matters.

Thanks...

Re: SMB HTTPS logging & other issues

PhoneBoy — Fri, 17 Mar 2023 23:11:06 GMT

Your only option on the 1450 is to enable HTTPS Inspection.

HTTPS Categorization in R77.20 uses the CN of the certificate to categorize websites.
R77.20 does not support SNI-based categorization that is available in newer SMB appliances running R80.20.x or R81.10.x.
1400 Series Appliances are End of Engineering Support, meaning no further software updates are planned aside from bugfixes.

Re: SMB HTTPS logging & other issues

n7564773 — Fri, 17 Mar 2023 23:29:58 GMT

That makes sense, but what about the other logging behaviour? I don't see any VPN traffic whatsoever, not even encrypted packets crossing. I only see details of these packets when I put a rule at the top of the rulebase denying the traffic.

Re: SMB HTTPS logging & other issues

PhoneBoy — Sat, 18 Mar 2023 00:55:48 GMT

What is this setting?

And, also (on the same screen):

Note this is from 1590 running R81.10.xx but I believe R77.20.xx has the same settings.

Re: SMB HTTPS logging & other issues

the_rock — Sat, 18 Mar 2023 02:27:20 GMT

Is all the logging enabled as per screenshot @PhoneBoy sent?

Andy

Re: SMB HTTPS logging & other issues

Chris_Atkinson — Sat, 18 Mar 2023 02:38:31 GMT

Note for reference a newer R77.20.87 build 990173127 is available for 700 / 1400 appliances (per sk176148 contact Check Point Support to get it).

Re: SMB HTTPS logging & other issues

the_rock — Sat, 18 Mar 2023 03:06:42 GMT

Good advice, that can only help!

Re: SMB HTTPS logging & other issues

n7564773 — Sat, 18 Mar 2023 16:03:57 GMT

Thanks. Looks like a lot of good fixes in that, specifically for HTTPS. My certs expired and so I don't have access to open a request to get it anymore, so I'll have to sort something out.

Re: SMB HTTPS logging & other issues

n7564773 — Sat, 18 Mar 2023 16:05:12 GMT

Hi,

Yes I have all of the expected logging settings enabled, which is why this is so perplexing. Anywhere a log can be enabled, it is.

Maybe it's an issue with how I have service/application groups nested in the rules. I'll try separating them out.

Thanks,

Nathan

Re: SMB HTTPS logging & other issues

n7564773 — Mon, 20 Mar 2023 16:10:25 GMT

I was able to get the mentioned fix installed. Doesn't appear to be any fix for my logging issues.

Am I not supposed to see logs for encrypted traffic? I realize I won't see what's inside, but shouldn't I still see reference that encrypted data is traversing my interfaces? I see it in packet captures.

Re: SMB HTTPS logging & other issues

the_rock — Mon, 20 Mar 2023 16:16:21 GMT

Im fairly positive you should be able to see it. Do you not see any of those at all? Did it ever work?

Re: SMB HTTPS logging & other issues

G_W_Albrecht — Mon, 20 Mar 2023 16:18:04 GMT

As @PhoneBoy posted: Your only option on the 1450 is to enable HTTPS Inspection.

Re: SMB HTTPS logging & other issues

n7564773 — Mon, 20 Mar 2023 16:20:46 GMT

To re-clarify: I'm talking about all encrypted traffic. I don't see any logs whatsoever showing VPN encrypted traffic.

Re: SMB HTTPS logging & other issues

the_rock — Mon, 20 Mar 2023 16:23:02 GMT

Just my personal opinion, but I could be mistaken, though, I dont see logically why you would need https inspection on for this to work. I dealt with God knows how many clients who did NOT have inspection on their firewall and this worked without any issues.

Re: SMB HTTPS logging & other issues

Chris_Atkinson — Tue, 21 Mar 2023 04:21:48 GMT

Further to @PhoneBoy earlier post you have your policy/rules set to log in the following section correct?

Re: SMB HTTPS logging & other issues

n7564773 — Tue, 21 Mar 2023 13:11:41 GMT

Correct. All rules are set to log. Implied rule logging is enabled. Global "log all" settings are set to YES. It's as if as soon as any encrypted traffic his an 'allow' rule, logging goes away for that connection. If I put a 'deny' rule for any of this traffic, I start seeing logs again.

Re: SMB HTTPS logging & other issues

Chris_Atkinson — Tue, 21 Mar 2023 14:33:57 GMT

As an example for OpenVPN (UDP/1194) I would only expect to see an entry for the start of the long lived connection/session. Are you not seeing this or are you expecting something more here?

Re: SMB HTTPS logging & other issues

the_rock — Tue, 21 Mar 2023 15:07:41 GMT

I know, for example, on Fortigates, you have an option like below, but Im fairly positive that is not there on SMB appliances (I dont have access to one to confirm):

Re: SMB HTTPS logging & other issues

n7564773 — Tue, 21 Mar 2023 14:57:39 GMT

Hi Chris,

I don't see any reference to the connection whatsoever. Someone unfamiliar with my environment would have no idea the connection was even taking place. I don't want to add more confusion to this discussion, but I think there is a bigger issue with my logging. Many other small things don't get log entries either, but the biggest issue is the encrypted traffic. I thought maybe I messed with some CLI global settings, which is why I factory reset the device with a new image on USB, but that didn't seem to help.