cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Highlighted
Nickel

CheckPoint TLS 1.3 support: When?

Jump to solution

  I just finished reading the Gartner 2019 "Magic Quadrant for Network Firewalls", courtesy of CheckPoint Marketing.

  One of the specific "Cautions" they called out for CheckPoint is the lack of TLS 1.3 support, something apparently both Fortinet and Palo Alto already have.  BTW: Fortinet and Palo Alto both scored higher and more to the right than CheckPoint in the Leaders quadrant, Palo Alto significantly so.

  Does anyone have any knowledge of the timeline for support of TLS 1.3, especially in regards to Threat Prevention / HTTPS inspection?  The only info I can find from the Community is a post that's over a year old: https://community.checkpoint.com/t5/General-Management-Topics/Impact-of-upcoming-ESNI-with-TLS-1-3-o..., where Phoneboy said it was to early to say.

  Any updates on the topic?

2 Solutions

Accepted Solutions
Highlighted
Employee
Employee

Re: CheckPoint TLS 1.3 support: When?

Jump to solution

Hi @LCarrau808,

While support for TLS 1.3 in HTTPS Inspection is planned for next year, the Gateway is fully capable of downgrading TLS sessions to TLS 1.2. Because of this, inspection is expected to fail only in cases where websites don't support TLS 1.2 (or below).

TLS 1.2 is supported everywhere and considered secure, so websites and browsers aren't expected to disable it anytime soon. If you see an error screen, it may be because of something else.

Thanks,
Dor

View solution in original post

Highlighted

Re: CheckPoint TLS 1.3 support: When?

Jump to solution

Hi @Dale_Lobb,

Active Streaming (CPAS)  -  Check Point Active Streaming active streaming allow the changing of data, we play the role of “man in the middle”. CPAS breaks the connection into two parts using our own stack – this mean, we are responsible for all the stack work (dealing with options, retransmissions, timers etc.).

General overview:

  • CPAS breaks the connection into two parts using our own stack – this mean, we are responsible for all the stack work (dealing with options, retransmissions, timers etc.)
  • An application is register to CPAS when a connection start and supply callbacks for event handler and read handler.
  • On each packet, CPAS send the application the packet data with cpas_read, allow the application to change the data as it like, and send the data forward with cpas_write.
  • CPAS server side stack negotiates the TLS version with the web server. If the highest version of TLS 1.3 is used by the web server, CPAS will try to negotiate a lower TLS version for example TLS 1.2 or TLS 1.1 if the Web server supports this.
 

69676_pastedImage_1.png

Active Streaming – https content step by step:

Packets of SSL handshake are passed to the SSL engine to exchange keys. When the connection and the SSL handshake is fully established, an hook will be register for this connection to handle the decrypt / encrypt of the packets. When a packet arrive to CPAS, a trap will be sent and the SSL engine will receive the encrypted packet, decode the packet and return it to CPAS. The packet will enter the receive queue and the application will be able to work on it, once he done he will send it to the write queue. The packet will pass to the SSL engine for encryption and pass to the other side (Client, Server).

More read here:

R80.x - Security Gateway Architecture (Content Inspection)

View solution in original post

Tags (1)
6 Replies
Highlighted
Admin
Admin

Re: CheckPoint TLS 1.3 support: When?

Jump to solution
Keep in mind that the majority of sites (around 85%) don't even support TLS 1.3 yet.
It's planned for next year.
0 Kudos
Highlighted

Re: CheckPoint TLS 1.3 support: When?

Jump to solution

Hello @PhoneBoy .

Is there a way to configure a Bypass only to websites with TLS 1.3 or a way to prevent the Error Screen on Browsers?

Thanks in advanced.

 

Lanello

0 Kudos
Highlighted
Admin
Admin

Re: CheckPoint TLS 1.3 support: When?

Jump to solution
Possible that this will work better in R80.30.
But as far as I know, you can't just bypass a site that has TLS 1.3 unless you happen to know what IP it has.
0 Kudos
Highlighted
Employee
Employee

Re: CheckPoint TLS 1.3 support: When?

Jump to solution

Hi @LCarrau808,

While support for TLS 1.3 in HTTPS Inspection is planned for next year, the Gateway is fully capable of downgrading TLS sessions to TLS 1.2. Because of this, inspection is expected to fail only in cases where websites don't support TLS 1.2 (or below).

TLS 1.2 is supported everywhere and considered secure, so websites and browsers aren't expected to disable it anytime soon. If you see an error screen, it may be because of something else.

Thanks,
Dor

View solution in original post

Highlighted

Re: CheckPoint TLS 1.3 support: When?

Jump to solution

Hi @Dale_Lobb,

Active Streaming (CPAS)  -  Check Point Active Streaming active streaming allow the changing of data, we play the role of “man in the middle”. CPAS breaks the connection into two parts using our own stack – this mean, we are responsible for all the stack work (dealing with options, retransmissions, timers etc.).

General overview:

  • CPAS breaks the connection into two parts using our own stack – this mean, we are responsible for all the stack work (dealing with options, retransmissions, timers etc.)
  • An application is register to CPAS when a connection start and supply callbacks for event handler and read handler.
  • On each packet, CPAS send the application the packet data with cpas_read, allow the application to change the data as it like, and send the data forward with cpas_write.
  • CPAS server side stack negotiates the TLS version with the web server. If the highest version of TLS 1.3 is used by the web server, CPAS will try to negotiate a lower TLS version for example TLS 1.2 or TLS 1.1 if the Web server supports this.
 

69676_pastedImage_1.png

Active Streaming – https content step by step:

Packets of SSL handshake are passed to the SSL engine to exchange keys. When the connection and the SSL handshake is fully established, an hook will be register for this connection to handle the decrypt / encrypt of the packets. When a packet arrive to CPAS, a trap will be sent and the SSL engine will receive the encrypted packet, decode the packet and return it to CPAS. The packet will enter the receive queue and the application will be able to work on it, once he done he will send it to the write queue. The packet will pass to the SSL engine for encryption and pass to the other side (Client, Server).

More read here:

R80.x - Security Gateway Architecture (Content Inspection)

View solution in original post

Tags (1)
Highlighted

Re: CheckPoint TLS 1.3 support: When?

Jump to solution

Nice information @HeikoAnkenbrand.

0 Kudos