This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
efraim
Explorer
‎2020-05-16 07:07 PM

HTTPS inspection doesn't work on R80.10

Hello,

I have enabled HTTPS inspection on a SA machine running R80.10
Afterwards, I have created an outbound CA certificate, exported it, enabled, hit OK and installed policy.

Web traffic (https) is not being inspected for some reason even though everything was set correctly (it worked before on the same test environment).
I have tried to install the latest jumbo hotfix but it doesn't work. The client site gets the regular certificate of the server. 

How should I debug it using clish?

I have tried to debug CPAS and WS and I'm able to see this in the kernel debug:
{ssl_insp} fw_https_inspection_set_conn_opq: [ERROR]: failed to set the https_inspection_conn_opq on the connection
Some of the debug is not properly formatted in notepad++, how should I open it? 

Thank you 


debug.7z
0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2020-05-18 05:23 PM

Recommend getting the TAC involved.
That said, if you're serious about using HTTPS Inspection it's highly recommended you upgrade to at least R80.30 which includes SNI support as well as improved HTTPS Inspection performance.
0 Kudos
efraim
Explorer
‎2020-05-20 12:34 PM
In response to PhoneBoy

Thank you! 

As far as I am aware, in previous version (let's say R77.30/R80.10) we are able to see the exact URL the user is trying to access.

So basically I'm trying to understand what State-of-the-Art SSL Inspection (R80.30) acts differently compared to previous versions.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-05-20 04:27 PM
In response to efraim

First of all, R80.30 supports newer TLS ciphers and has an enhanced TLS engine that's faster (translating to better performance).
Second, we actually validate the SNI the client presents (i.e. check with the server to see that the SNI matches what the certificate says).
There's also a CLI tool to configure preferred ciphers (possible before, but wasn't as easy).
SNI can also be used for places where HTTPS Inspection isn't used for a specific HTTPS connection, allowing for more reliable bypass rules as well as App Control/URL Filtering categorization.

In R80.40, the HTTPS Inspection policy moves to SmartConsole and you get the ability to use Updatable Objects in the policy.
We include a specific Updatable Object of applications that are known not to work with HTTPS Inspection that can be used.
There is also support for HTTP/2.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events