ykpark
Contributor

How to Integrate Firewalls and SSL Decryption

 

Dear all,

We are going to change the configuration according to the customer's request.
SSL encryption and decryption are performed using F5, not the Checkpoint firewall, and a 3rd party APT solution is integrated and operated.

Customers want to use Checkpoint's Prevention and Emulation feature instead of their existing APT solution.

As in the goal configuration diagram, the decryption traffic is again controlled by the checkpoint firewall to control the threat traffic.

Can you tell me what problems are expected if I configure it according to the target configuration diagram?

I'd like to know if anyone has experience with a similar configuration like this.

I need your advice.

Thanks 

 

Outbound traffic flow:

1. Encrypted traffic

2. Decryption traffic from F5 SSL

3. Detection and blocking by checkpoint threat prevention policy

4. Encrypted traffic from F5 SSL

 

Diagram.PNG

0 Kudos
9 Replies
PhoneBoy
Admin

Usually, when the Check Point gateway isn’t doing the SSL Decrypt/Encrypt, you have boxes doing that on the inside and outside versus routing the encrypt and decrypt through the same box.
This creates the possibility of “double inspection” on the same flow, which will be dropped by the gateway unless the F5 can change the traffic on the outbound after re-encrypting so it looks different to the Check Point device.
However, you’re also doubling the amount of traffic the gateway is passing as well, which can have sizing implications.

The vast majority of customers just use our HTTPS Inspection instead of using an external SSL decrypt/reencrypt.

0 Kudos
the_rock
Legend

To add to @PhoneBoy's comment, I spoke to customers in the last 2-3 years who actually abandoned 3rd party vendors they were using specifically for SSL decryption (i.e. Bluecoat), as it was getting expensive and they went with CP HTTPS inspection, as it makes more sense, since you can use it as a blade on an already existing firewall/cluster. I will say though, in all honesty, I was not a big fan of it back in R77.xx days, but it has come a long way since R80, for sure.

0 Kudos
Chris_Atkinson
Employee

Can you share some additional detail as to the configuration...

Is the F5 proposed to be deployed as L2, L3 or using ICAP, doing NAT etc?

Further to @PhoneBoy's earlier comments, refer to sk172204.

CCSM R77/R80/ELITE
0 Kudos
ykpark
Contributor

Can I use cloud emulation when integrating with ICAP?  The firewall is NGTX.
I think it's the best way if this feature is provided.

0 Kudos
Chris_Atkinson
Employee

Please refer to the ICAP portion of the Threat Prevention admin guide:

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_ThreatPrevention_AdminGuide/... 

CCSM R77/R80/ELITE
PhoneBoy
Admin

ykpark
Contributor

I am trying to integrate with ICAP in my current configuration.
I think interworking with ICAP is a better way than processing the same traffic twice. Do you agree with me?

Are there many references to enabling and using ICAP on a firewall?

And what are the considerations when activating ICAP?

0 Kudos
Chris_Atkinson
Employee

The relevant ICAP reference material is already linked above.

I'm otherwise not familiar enough with the capabilities of the F5 to advise.

But as @PhoneBoy explained, we would commonly expect the Firewall to be the meat in the sandwich between an ingress and egress F5 performing encrypt/decrypt functions. If this can be performed logically on the one appliance such that the Firewall doesn't see what it thinks is the same traffic twice, then great.

CCSM R77/R80/ELITE
0 Kudos
Jim_Holmes
Employee Alumnus

If you are using F5 for load balancing, offload the TLS termination to the F5. I have several TLS-heavy customers that do this. I also see more and more dumping F5/Bluecoat/etc. As @the_rock said, it's becoming too expensive vs. moving up a gateway model.

Aka, Chillyjim
