Participant

How effective is the Checkpoint firewall with no https inspection?

Hi There

I was reading the other day about IPS, threat prevention, app control etc.

As more and more traffic these days is now encrypted, how effective is the firewall without running https inspection?

Also, I have a question around the inspection: if we did HTTPS inspection using the cert on the client, what happens to PCs and clients that do not have the certificate? Would they get blocked, or would they just be allowed through with no inspection?

Cheers

9 Replies

Ambassador

If you are not passing traffic decrypted to the firewall and want to use the advance prevention blades, you are missing a lot of capabilities.  Even app and URL filtering work better with it on.  If you are only using it as a firewall, it will be fine as a stateful firewall.   

In regards to clients with the gateway cert vs those that don't, you would need to build HTTPS rules that include the IPs for the users you want to inspect and a bypass rule to not inspect the ones that do not have the cert.

Participant

Hi,

So what happens if we do not create a bypass rule? Will that traffic get dropped?

Ambassador

The user will get a page that says that there was a certificate error and cannot proceed.  What is the problem you are faced with?  Getting the certificate out to visitors or contractors?

Participant

What about things like servers, Linux, IoT devices etc. that cannot have a cert imported? Will they get blocked?

Ambassador

In a proper network design, those should be in different IP spaces, so you can build a bypass rule for that IP space.

[Attached screenshot: SmartConsole HTTPS Inspection rulebase]

Admin

I think an explanation is required. Here we go, @carl_t :

For outbound inspection, your Security Gateway will terminate the outgoing connection and open a secondary one. On the client side, the GW will present a "fake" server certificate issued by your CA, according to your configuration.

If you are using a self-signed CA, all clients should have that root CA cert installed as trusted root. For all devices/clients where it cannot be done, you should set up a bypass rule, or expect traffic issues.

These cases usually include applications (mostly mobile) where certificate pinning is in place. A list of known applications can be found in sk112214. On most Linux machines you can and should install the new root CA as a trusted root. For the small population of devices where you cannot do that, make sure the bypass HTTPSi rule includes only the required sites as Destination, and only those IoT devices or other problematic ones as Source, to minimize your security exposure.
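
The bypass guidance in the replies above (inspect the managed clients, bypass only the devices that cannot hold the CA, and keep that bypass narrow in both Source and Destination) can be checked with a small model. This is an added example, not Check Point code or the real rulebase engine: it assumes first-match ordering, Inspect/Bypass actions, constructed 10.0.1.0/24 and 10.0.9.0/24 ranges, and that a client without the inspection CA hits a certificate error on any Inspect match.

```python
# Toy model of an HTTPS Inspection rulebase (added example, not Check Point code).
# Assumptions: first-match ordering, action Inspect or Bypass, and a client that
# does not trust the gateway's inspection CA gets a certificate error on Inspect.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing: managed PCs have the CA; the IoT range cannot import one.
CLIENT_NET = ip_network("10.0.1.0/24")
IOT_NET = ip_network("10.0.9.0/24")

@dataclass(frozen=True)
class Rule:
    name: str
    sources: tuple        # ip_network objects; empty tuple means Any
    destinations: tuple   # lowercase hostnames; empty tuple means Any
    action: str           # "inspect" or "bypass"

    def matches(self, src, host):
        src_ok = not self.sources or any(src in net for net in self.sources)
        dst_ok = not self.destinations or host in self.destinations
        return src_ok and dst_ok

def first_match(rules, src, host):
    """Return the first rule matching (src, host), or None if nothing matches."""
    return next((r for r in rules if r.matches(src, host)), None)

def outcome(rules, src_ip, host, client_trusts_ca, default="inspect"):
    """Result for one connection: 'inspected', 'bypassed' or 'cert_error'."""
    rule = first_match(rules, ip_address(src_ip), host)
    action = rule.action if rule else default   # unmatched default is assumed
    if action == "bypass":
        return "bypassed"          # traffic passes uninspected, no CA needed
    return "inspected" if client_trusts_ca else "cert_error"

def overly_broad_bypasses(rules):
    """Names of bypass rules with Any source or Any destination (widen exposure)."""
    return [r.name for r in rules
            if r.action == "bypass" and (not r.sources or not r.destinations)]

# Constructed rulebase: narrow IoT bypass, a too-wide bypass, then inspect the rest.
RULES = [
    Rule("iot-updates", (IOT_NET,), ("updates.example.com",), "bypass"),
    Rule("pinned-app", (), ("pinned.example.com",), "bypass"),   # Any source
    Rule("inspect-internal", (CLIENT_NET, IOT_NET), (), "inspect"),
]
```

Calling `outcome(RULES, "10.0.9.5", "www.example.com", False)` shows the failure mode asked about in the thread: an IoT device without the CA reaching a site outside its bypass rule gets `cert_error`, while `overly_broad_bypasses(RULES)` flags the Any-source bypass that should be narrowed.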

Participant

So what are we saying then, if we have inspection enabled and no cert on the endpoint, the connection will fail then?

Also, what if we have a DMZ and traffic coming in from the public internet to some servers? Is it normal to do inspection on that? If so, would the firewall need a public cert?

Lastly, if we do not have inspection, does this limit the gateway's ability to do IPS, app control, AV, antibot etc.?

Cheers

Admin

@carl_t 

No, it will not fail in your scenario. There is a second case, called Inbound HTTPS Inspection. If clients are on Internet, and the servers are in your secured perimeter, you "borrow" the actual server certificate with its private key to use on the GW. Clients do not see the substitution.

The goals, however, are different in both cases:

  1. Inbound inspection protects your DMZ server from malicious activities of the client
  2. Outbound inspection is to protect your clients inside your security perimeter.

Both cases are thoroughly documented in the admin guides and also discussed multiple times on CheckMates. For example, you are welcome to look into one of our TechTalks on the matter.

Now, to the last question. According to public sources, HTTPS traffic now covers 95 to 99 percent of all web traffic. Without HTTPS Inspection, your advanced security blades are basically ineffective when it comes to analysis of web related flows. And all ATP inter-communications: C&C, module drops, exfiltration, etc. - are encrypted.

Which renders your FW practically useless, doesn't it?

Explorer

Our customer uses a cloud based WAF to protect inbound HTTPS traffic. Would you still recommend that this sanitised traffic be inspected by the IPS blade? Is there a possibility that the Cloud WAF may miss some malicious traffic that the Check Point IPS blade will catch and drop?
