This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
quatloo
Explorer
‎2020-07-29 02:36 PM

HTTPS proxy

Hello,

I am trying to configure my Check Point R80.30 OpenServer gateway to proxy inbound HTTPS connections to a back-end webserver.

My goal is to have the Check Point gateway present/allow inbound TLS 1.1, 1.2 & 1.3 HTTPS connections and then connect to the back-end webserver which only supports TLS 1.0.


I would also like to have a one-to-one IP address mapping (rather than a one-to-many). Basically I would just like to continue using the NAT rules I already have in place.


It would look like this (in this example, the 10.x.x.x addresses would be publicly routable, Internet-facing):

Remote HTTPS client --> Check Point-GW 10.1.1.1 (TLS 1.1,2,3) --> 1.1.1.1 (TLS 1.0)

Remote HTTPS client --> Check Point-GW 10.1.1.2 (TLS 1.1,2,3) --> 1.1.1.2 (TLS 1.0)

Etc.


Currently I am using HTTPS inspection, which will present various TLS/cipher combinations, which is great, but it isn't functionally doing exactly what I need. While it will present the different TLS versions, ultimately, it will only accept and pass the TLS versions supported by the back-end webserver.

It appears as if the connection from the Check Point gateway to the back-end web server isn't a separate, negotiated TLS connection.

I can accomplish my goal with a Netscaler but I would prefer to use Check Point, as it would be administratively tidier to manage given my Netscaler architecture.

Perhaps I'm trying to use the wrong tool for the job, but I thought Check Point should be able to do something like this.

Thanks for any advise you can provide!

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2020-07-30 10:32 AM

Generally, we tend to duplicate what the backend server allows/does as closely as possible.
Not sure if you can disable that functionality, but it sounds like expected behavior.

0 Kudos
quatloo
Explorer
‎2020-07-30 11:41 AM
In response to PhoneBoy

Thanks for the reply.  Yes, that was my assumption as well.  It 's just so close to what I need, it's frustrating.  It could be seen as a bandaid, but it would allow for a consistent front-facing set of TLS/ciphers, regardless of the back-end server's capabilities.  Interesting, a Netscaler does this by default, and I expect that that too is by design.

0 Kudos
FedericoMeiners
Advisor
‎2020-07-30 08:20 PM

I don't think that you can achieve this with a firewall.

Netscaler / F5 / Load Balancers can do this because they don't apply just NAT, they use a full proxy architecture. Basically the connection actually ends on this device, and this device initiate a new connection to the back end server.

Using this method you can do whatever you want with that connection.

Here's an example of how this architecture works.

Full proxy.png

____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos
MartinTzvetanov
Advisor
‎2020-07-31 04:43 AM

Reverse proxy is what you need (F5/Netscaler/A10/nginx). CheckPoint provides some kind of functionalities of http/s proxy, which means you enter CP's address in the proxy setting of your browser.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events