Be Your Own TAC EMEA September 2024: Video, Slides...

PhoneBoy · ‎2024-09-24

Is CPM or CPD involved in policy installation and how?

Yes, you can find more details about this in sk101226.

Logging space is aways a problem. However I am never sure what logs I can and cannot delete.

In $FWDIR/log on the management, the two main Network/Threat Prevention logs have an extension of .log (Security Logs) and .adtlog (Audit Logs). The other files are necessary to work with these log files in SmartView/SmartConsole. The files should have a date/time stamp in their name.

Today we run kernel if move to user mode, would that improve the performance in general? why?

Some features do require being in USFW mode (HTTPS Inspection for TLS 1.3/2.0 come to mind). Performance should be similar in either mode.

Do you have any links to the HTTPS Inspection sessions?

We recently did a Deep Dive on the enhancements coming in R82: https://community.checkpoint.com/t5/Management/Deep-Dive-on-the-latest-R82-TLS-Inspection-Enhancemen...

In regard of HTTPS inspection, Cloudflare recently enforces the use of ECH (Encrypted hello) is there some info how our gateways handles this traffic i.e. is able to inspect that message thats important to classify the target app/url

Server Name Indication (SNI) has historically been "in the clear" (thus why we verify the SNI before using it for a Security Policy decision). With Encrypted SNI, the only way to see the site would either be the CN of the certificate or full HTTPS Inspection.

What is the recommendation: user space firewall or kernel space firewall?

Unless you have a specific reason to change it, use the default setting. More details about USFW in sk167052.

Can you reach HCP page ( if not mistaken, it's https://<gateway-ip>/hcp) with default settings?

This should be allowed through implied rules.

Is there a command for disabling HTTPS Inspection on the fly for a certain IP?

No, you need to add a bypass rule to HTTPSi policy and apply it

Doesn't fw monitor also captures packets?

fw monitor can create a capture file in snoop format with the -o filename option. This file can be read in Wireshark (see sk39510).

HCP on Maestro security group run the tests in all the SGM or just in the one that is running?

asg diag should be used on Maestro.

If I have a rule dropping all traffic from a country, should that traffic be dropped before IPS inspections?

Yes

Which process the data center object uses ? which process need to be checked to ensure DC object working correctly ?

It is not a single process, please look for sk115657 for the details.

How to troubleshoot memory increasing over the time ?

Refer to sk35496.

Hello! what is the good way to check which blade causes the problem with traffic using CLI?

You need to start with the Security Logs. Based on what's shown there, then you can drill down.

Should you use NAT64?

There are some limitations with it, it all depends on the use case.

If user connect to endpoint VPN, he get assigned to xyz ip address from remote address subnet, how we can check what subnet/pool configured on firewall?

Look into sk33422.

CPVIEW.Advanced.NAT.Pool-IPv4 doesn't work on a vs. There is an alternative way to see the counters?

You can look into NAT tables per VS

Can fast_accel option can this be useful for elephant flows?

In some instances, yes.
HyperFlow (present in R81.20 and above) only works for connections in Medium Path.
R82 should have some additional improvements.

What if a host starts uploading a big file to cloud and the upload gets interrupted by the gateway somewhere in the middle where no immediate logs are visible? (lately happened to us)

It might be that one of the advanced blades interferes. You need to look into logs, before anything else.

Which protections does fast_accel exclude?

fast_accel moves specified traffic into the Accelerated Path, which does not support IPS and other Threat Prevention blades.

Is site-to-site IPsec traffic accelerated at all, or does that go into slow path?

VPN Encryption/Decryption is handled in SecureXL.

Any good way to find out which ips signature that affects performance most?

Please see sk43733.

Link to easy debug script please?

See sk173024

A simple policy using simple TCP service should go through fast path, right? Is that still the case if it is placed below policies using app control or url filtering?

Not always, but it depends on the rulebase construction. For more details, see: Unified Policy Column-Based Rule Matching

It's R81.20 more optimized performance wise for older appliances or it can be a problem for appliances with fewer cores?

Depends on the features in use. Additional performance improvements are coming in R82.

When my gateway has 98% slowpath for traffic, is this always the cause of a poorly optimized ACL or are there other factors that could cause this, such as hardware constraints etc?

This is usually related to the policy.

Do we need to enable any blade in order to use DataCenter objects?

Identity Awareness.

https inspection, we have the issue sometimes that an https exception rule will not work unless its at the top of the rule base. How many https inspection bypass rules can you have in a policy?

Bypass rules should always be placed at the top of the rulebase. You can have as many as desired.

Now i usually disable QUIC for best practice, in R82 do you think we can start enable it again with the new https inspection?

HTTPS Inspection will support QUIC in R82.

Firewall_Daemon · ‎2024-09-24

Great session - Thank you very much!

gabo · ‎2024-09-25

Thank you very Much, Great Session Mr. Dameon

AlexandruD · ‎2024-09-25

ECH use in TLS 1.3 prevents the possibility of performing HTTPS inspection altogether.

PhoneBoy · ‎2024-09-25

If we're terminating the TLS connection on the gateway itself (which happens with HTTPS Inspection), we should be able to see it.
Having said that, I'll confirm with R&D,

StephS · ‎2024-10-07

Hi @PhoneBoy, did you get a reply from R&D regarding ECH usage in TLS 1.3?

I think if the TLS connection is terminated on the gateway, everything should be fine. But HTTPS Bypass rules won't work as they rely on the SNI which can't be seen with ECH when the connection is not decrypted, right?

PhoneBoy · ‎2024-10-07

SNI information is actually in the clear, which is why we actually verify the requested SNI as part of the process.
If the SNI is encrypted (i.e. because of ECH), then we obviously won't be able to see it (e.g. as part of bypass rules).

Jimmy_Noel · ‎2024-09-26

(if i am allowed to add our experience:)
regarding: "https inspection, we heve the issue sometimes that an https exception rule will not work unless its at the top of the rule base.":
we had similar problems. (we are on r81.10)
conclusion: put your bypass-rules with ip- and domain-destinations on top,
put your bypass-rules with appl- and url(customapplication)-destinations near the bottom of your https-policy.
because: if a bypass-rule with appl/url-destination could match, cp has to inspect the connection anyway at first.
if it sees the connection should have been bypassed, it will send a tcp-reset, so the client will reinit/retry the connection. some client-programs have problems with that.

PhoneBoy · ‎2024-09-27

Appreciate you offering your experience, and agree this is best practice.

Timothy_Hall · ‎2025-01-26

Great job Dameon! Looking forward to presenting Part Deux of the "Be Your Own TAC" series at CPX 2025 Las Vegas!

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2

PhoneBoy · ‎2025-01-27

Looking forward to it, too. 🙂