https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/HTTPS-Inspection-ettoday/m-p/405#M103 <HTML><HEAD></HEAD><BODY><P>中部G大神這樣子虧南部R大神對嗎?</P><P>北部N大神要不要出來講一下你做https inspection的經驗談? 不是英文字加數字的那一家喔?</P></BODY></HTML> Sun, 06 May 2018 08:34:18 GMT Danny_Yang 2018-05-06T08:34:18Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/HTTPS-Inspection-ettoday/m-p/400#M98 <HTML><HEAD></HEAD><BODY><P>Symption:</P><P>1. HTTPS Inspection enable.</P><P>2. The page cannot display.</P><P><IMG alt="" class="image-1 jive-image j-img-original" src="https://community.checkpoint.com/legacyfs/online/checkpoint/65338_untitled.png" /></P><P></P><P>Solution:</P><P>1. Install Jumbo hotfix &gt; 221</P><P>2. Turn on function</P><UL><LI>To prefer / propose ECDSA cipher suites:<UL><LI><EM><STRONG>[Expert@HostName]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_ACCEPT_ECDSA 1</STRONG></EM></LI><LI><EM><STRONG>[Expert@HostName]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_PROPOSE_ECDSA 1</STRONG></EM></LI></UL></LI><LI>To prefer / propose ECDHE cipher suites<UL><LI><EM><STRONG>[Expert@HostName]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_ACCEPT_ECDHE 1</STRONG></EM></LI><LI><EM><STRONG>[Expert@HostName]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_PROPOSE_ECDHE 1</STRONG></EM></LI></UL></LI><LI><P>Enable the support for P384 curve on Security Gateway / <EM>each</EM> cluster member:</P><EM><STRONG>[Expert@HostName:0]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_EC_P384 1</STRONG></EM></LI></UL><P>3. cpstop; cpstart on Gateway / Cluster.</P><P></P><P></P><P>Reference:</P><DIV class="">Specific HTTPS sites that use ECDHE ciphers are not accessible when HTTPS Inspection is enabled</DIV><DIV><TABLE><TBODY><TR><TD valign="top">Solution ID</TD><TD valign="top">sk110883</TD></TR></TBODY></TABLE></DIV><P></P><DIV>Some HTTPS sites do not load when HTTPS Inspection is enabled, if TLS 1.2 with ECDHE cipher is used</DIV><DIV><TABLE><TBODY><TR><TD valign="top">Solution ID</TD><TD valign="top">sk112954</TD></TR></TBODY></TABLE></DIV></BODY></HTML> Fri, 04 May 2018 03:46:30 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/HTTPS-Inspection-ettoday/m-p/400#M98 George_Liu 2018-05-04T03:46:30Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/HTTPS-Inspection-ettoday/m-p/401#M99 <HTML><HEAD></HEAD><BODY><P>請小心, ECDHE很吃CPU,這也是一般專做加解密器最喜歡打NGFW的一點,即使是它們來做,一樣也要吃不少CPU負載喔。</P></BODY></HTML> Fri, 04 May 2018 07:39:21 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/HTTPS-Inspection-ettoday/m-p/401#M99 Neville_Kuo 2018-05-04T07:39:21Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/HTTPS-Inspection-ettoday/m-p/402#M100 <HTML><HEAD></HEAD><BODY><DIV style="border: 0px; font-weight: inherit; font-size: 14px;"><DIV class="" style="border: 0px; font-weight: inherit; margin: 20px 0px;"><P style="border: 0px; font-weight: inherit;">呼應這篇分享的主題，順便分享我的經驗</P><P style="border: 0px; font-weight: inherit;">去年我就幫客戶做過這個設定</P><P style="border: 0px; font-weight: inherit;">因為他們有開https inspection 功能</P><P style="border: 0px; font-weight: inherit;">某天客戶打電話給我說無法存取 <A href="https://unity3d.com" rel="nofollow" style="color: #6d6e71; border: 0px; font-weight: inherit; padding: 0px calc(12px + 0.35ex) 0px 0px;">https://unity3d.com</A>&nbsp;這個網站</P><P style="border: 0px; font-weight: inherit;">我照著KB先在公司環境先做一遍，驗證可以生效</P><P style="border: 0px; font-weight: inherit;">再花時間幫客戶環境做(因為是Gateway 做，需要選擇可以重啟服務或重開的時間點做)</P><P style="border: 0px; font-weight: inherit;">結果出乎意料的是，不幹活！</P><P style="border: 0px; font-weight: inherit;">&nbsp;</P><P style="border: 0px; font-weight: inherit;">查了老半天，以為是設定有誤，又做了幾次，結果都還是一樣。</P><P style="border: 0px; font-weight: inherit;">&nbsp;</P><P style="border: 0px; font-weight: inherit;">結果最後無奈走上開SR一途，不過這次要幫TAC說一下話，開SR的好處</P><P style="border: 0px; font-weight: inherit;">因為TAC很快就解決我的問題，看來之前TAC也有幫其他客戶處理類似的經驗，才能這麼快抓到問題</P><P style="border: 0px; font-weight: inherit;">&nbsp;</P><P style="border: 0px; font-weight: inherit;">TAC協助導引我去開GuiDBEdit</P><P style="border: 0px; font-weight: inherit;">GuiDBEdit &gt; Other &gt; ssl_inspection &gt; general_confs_obj &gt; ssl_max_ver was set to TLS 1.1.</P><P style="border: 0px; font-weight: inherit;">Switched it to TLS 1.2 and Pushed Policy</P><P style="border: 0px; font-weight: inherit;"></P><P style="border: 0px; font-weight: inherit;"><IMG __jive_id="65353" class="image-1 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/65353_pastedImage_1.png" /></P><P style="border: 0px; font-weight: inherit;">&nbsp;</P><P style="border: 0px; font-weight: inherit;">以上分享</P><P style="border: 0px; font-weight: inherit;">希望各位之後遇到一樣狀況，可以先來這邊看看</P><P style="border: 0px; font-weight: inherit;">分享我以前走過的路，讓各位不用重新再走過一次..</P></DIV></DIV></BODY></HTML> Fri, 04 May 2018 10:45:12 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/HTTPS-Inspection-ettoday/m-p/402#M100 RickLin 2018-05-04T10:45:12Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/HTTPS-Inspection-ettoday/m-p/403#M101 <HTML><HEAD></HEAD><BODY><P>我們身處貧困區，常常攪和在泥沼裡，客戶要馬兒好，也要馬兒不吃草，重點是 ettoday 不能看，上班不能享受，這就不叫工作。(說的人是 MIS 主管兼特助)</P></BODY></HTML> Fri, 04 May 2018 10:57:03 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/HTTPS-Inspection-ettoday/m-p/403#M101 George_Liu 2018-05-04T10:57:03Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/HTTPS-Inspection-ettoday/m-p/404#M102 <HTML><HEAD></HEAD><BODY><P>我們落後者，只能看到領先者的背影，神人 Rick.</P><P>好多年前，我們還不知道在那裡打滾吃土。</P></BODY></HTML> Fri, 04 May 2018 10:57:54 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/HTTPS-Inspection-ettoday/m-p/404#M102 George_Liu 2018-05-04T10:57:54Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/HTTPS-Inspection-ettoday/m-p/405#M103 <HTML><HEAD></HEAD><BODY><P>中部G大神這樣子虧南部R大神對嗎?</P><P>北部N大神要不要出來講一下你做https inspection的經驗談? 不是英文字加數字的那一家喔?</P></BODY></HTML> Sun, 06 May 2018 08:34:18 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/HTTPS-Inspection-ettoday/m-p/405#M103 Danny_Yang 2018-05-06T08:34:18Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/HTTPS-Inspection-ettoday/m-p/406#M104 <HTML><HEAD></HEAD><BODY><P>Rick說得沒錯，如果能有相對正確的目的以及期望，活用TAC的幫助其實可以節省時間，事半功倍!</P></BODY></HTML> Sun, 06 May 2018 08:36:07 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/HTTPS-Inspection-ettoday/m-p/406#M104 Danny_Yang 2018-05-06T08:36:07Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/HTTPS-Inspection-ettoday/m-p/407#M105 <HTML><HEAD></HEAD><BODY><P>我自己是覺得沒事不要找自己麻煩會比較好,可以的話請客戶先用Categorize https sites試試看,就沒有灑憑證的問題,效果還不錯,只是有些企業彼此之間Intranet的站台要手動開白名單。</P><P>如果怕https inspection有誤判行為,可以用以下參數測試:</P><P>Enhanced HTTPS Inspection Bypass</P><P>1.&nbsp; In the $FWDIR/boot/modules/fwkern.conf file on the gateway, add:</P><P>enhanced_ssl_inspection=1 <BR />2.&nbsp; Reboot.</P><P>Enhanced HTTPS Inspection Bypass lets the gateway bypass traffic to servers that require client certificate authentication and bypass non-browser applications.</P><P>特別像SSL pinning一類的東西應該可以解掉。</P><P></P><P>HTTPS inspection開下去會多很多Troubleshooting的功,何況我們都在客戶端POC時吃過虧,實在是不建議。</P></BODY></HTML> Sun, 06 May 2018 08:51:08 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/HTTPS-Inspection-ettoday/m-p/407#M105 Neville_Kuo 2018-05-06T08:51:08Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/HTTPS-Inspection-ettoday/m-p/408#M106 <HTML><HEAD></HEAD><BODY><P>我才不是什麼大神</P></BODY></HTML> Sun, 06 May 2018 08:55:05 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/HTTPS-Inspection-ettoday/m-p/408#M106 Neville_Kuo 2018-05-06T08:55:05Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/HTTPS-Inspection-ettoday/m-p/409#M107 <HTML><HEAD></HEAD><BODY><P>那我可以尊稱你為北瀚洋嗎?</P></BODY></HTML> Sun, 06 May 2018 08:59:47 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/HTTPS-Inspection-ettoday/m-p/409#M107 Danny_Yang 2018-05-06T08:59:47Z https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/HTTPS-Inspection-ettoday/m-p/410#M108 <HTML><HEAD></HEAD><BODY><P>我也不是大神</P><P>通常大神都不太發言的，隱形的..</P></BODY></HTML> Sun, 06 May 2018 09:19:15 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/HTTPS-Inspection-ettoday/m-p/410#M108 RickLin 2018-05-06T09:19:15Z