FedericoMeiners
Advisor

Inbound HTTPS Inspection - Custom client certificate required

Hi Everyone!

We have a use case where we need to deploy inbound HTTPS Inspection to a specific web service that uses a non standard port.

Gateways and management are both running R80.40.

Initially we are seeing a Bypass with the following error "Internal system error in HTTPS Inspection (Error Code: 2)"

One of the possible causes is that the root certificate is not trusted, however the customer is using the same cert in other inbound inspection rules without issues.

While troubleshooting we found that the backend application requires the client to send a specific certificate.
Since we are doing a Man-in-the-middle (MITM) for inspection it's obvious that the connection between the Gateway and the server will have the Check Point self-signed certificate, not the one required by the application.

[Image: SSl.png]

I know that this use case can be solved with an ADC such as F5, Netscaler, A10.

Questions:

- Can we do it with Check Point? I didn't find a proper way of using specific client certificates (Not server certs) for specific connections within the admin guides or SKs.

- Can "Internal system error in HTTPS Inspection (Error Code: 2)" be related to this issue? An HTTPS debug is not possible for the moment due to maintenance window requirements.

Thanks!

____________
https://www.linkedin.com/in/federicomeiners/
1 Solution

Accepted Solutions
_Val_
Admin

AFAIK, we do not have such functionality available. Try raising an RFE with your local Check Point team. Meanwhile, you will have to create a bypass rule for this application to work.


4 Replies

FedericoMeiners
Advisor

Valeri,

Thanks for the quick response! Just wanted to be sure of my assumptions.

It would be a nice feature, however it's not the job of an NGFW 🙂

Will work on the RFE with my local SE.

Thanks!

Federico
____________
https://www.linkedin.com/in/federicomeiners/
Martin_Stolz
Participant

I know this thread is maybe already outdated,
but I'm very interested in case there was a response to the RFE.

I do have a similar requirement.
* HTTPS inbound inspection should be used to inspect traffic.
* Server requires certificate based client authentication

My quick check:

Server tcpdump:
- Server Hello, Certificate, Certificate Request, Server Hello Done

Server Application Log:

- HTTPS client connection from host {FW-IP} failed due to the SSL error:
   (sec.core-114) SSL connection error (peer did not return a certificate).

The behavior is that this connection will time out.
Firewall log doesn't show Error Code-2
(what is in my experience mostly missing CA cert in list of Trusted CA or failed OCSP/CRL check)

Our competitor PA offers for such cases an interesting "nonProxy / forwarding mode".
As they have the private key and the key exchange is RSA (not PFS),
the firewall can simply copy and decrypt the HTTPS traffic for inspection. (PA is not MITM.)
SSL Inbound Inspection (paloaltonetworks.com)

Does Check Point support such a mode?
@FedericoMeiners: Did you raise an RFE?
Thanks,

Ciao Martin

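The two things Martin checked by hand above (the server's CertificateRequest in the tcpdump, and whether the key exchange is RSA or PFS) can be read straight out of the server's handshake flight. The script below is an added example for this thread, not Check Point or Palo Alto code: it reassembles TLS 1.2 handshake messages from raw records, reports whether the server demanded a client certificate (which an inspecting MITM device cannot satisfy with its own certificate), and classifies the negotiated cipher suite by key exchange, since only plain RSA key exchange can be decrypted passively by a device holding the server private key. The cipher-suite table is a small subset of the IANA registry, and the sample flight is constructed bytes, not a real capture.

```python
"""Classify a TLS 1.2 server flight (ServerHello ... ServerHelloDone).

Added example for the thread above; not vendor code. It reports whether
the server sent CertificateRequest (client-certificate auth required) and
whether the negotiated key exchange is plain RSA (passively decryptable
with the server private key) or (EC)DHE (forward secrecy, not decryptable).
"""
import struct

TLS_HANDSHAKE = 22                      # record-layer content type
HS_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
            12: "ServerKeyExchange", 13: "CertificateRequest",
            14: "ServerHelloDone", 16: "ClientKeyExchange"}

# Small subset of IANA cipher suite ids -> (name, key exchange class)
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0xC02B: ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
}


def iter_handshake_messages(data):
    """Yield (msg_type, body) for each handshake message in a byte string of
    TLS records. A handshake message may straddle records, so handshake
    payloads are concatenated before the 4-byte message headers are parsed."""
    payload = bytearray()
    off = 0
    while off + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[off:off + 5])
        off += 5
        if off + length > len(data):
            raise ValueError("truncated TLS record")
        if ctype == TLS_HANDSHAKE:
            payload += data[off:off + length]
        off += length
    pos = 0
    while pos + 4 <= len(payload):
        msg_type = payload[pos]
        msg_len = int.from_bytes(payload[pos + 1:pos + 4], "big")
        body = bytes(payload[pos + 4:pos + 4 + msg_len])
        if len(body) != msg_len:
            raise ValueError("truncated handshake message")
        yield msg_type, body
        pos += 4 + msg_len


def server_hello_cipher_suite(body):
    """ServerHello body: version(2) random(32) session_id<0..32> cipher_suite(2)."""
    session_id_len = body[34]
    pos = 35 + session_id_len
    return struct.unpack("!H", body[pos:pos + 2])[0]


def analyze_server_flight(data):
    messages, suite_id = [], None
    for msg_type, body in iter_handshake_messages(data):
        messages.append(HS_NAMES.get(msg_type, "type%d" % msg_type))
        if msg_type == 2:
            suite_id = server_hello_cipher_suite(body)
    name, kx = CIPHER_SUITES.get(suite_id, ("unknown", "unknown"))
    return {
        "messages": messages,
        "cipher_suite": name,
        "requires_client_cert": "CertificateRequest" in messages,
        # Only the RSA key exchange can be decrypted with the server key alone.
        "passively_decryptable_with_server_key": kx == "RSA",
    }


# ---- constructed sample flight (synthetic bytes, not a real capture) ----
def _handshake(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def _record(payload):
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(payload)) + payload


def sample_server_flight(cipher_suite, request_client_cert):
    server_hello = (b"\x03\x03" + b"\x11" * 32          # version, random
                    + b"\x00"                           # empty session id
                    + struct.pack("!H", cipher_suite)
                    + b"\x00")                          # null compression
    certificate = b"\x00\x00\x07" + b"\x00\x00\x04DEMO"  # placeholder cert list
    # CertificateRequest: types=[rsa_sign], sig algs=[sha256/rsa], no CA names
    cert_request = b"\x01\x01" + b"\x00\x02\x04\x01" + b"\x00\x00"
    rest = _handshake(11, certificate)
    if CIPHER_SUITES[cipher_suite][1] != "RSA":
        rest += _handshake(12, b"\x03\x00\x17\x00")     # placeholder ServerKeyExchange
    if request_client_cert:
        rest += _handshake(13, cert_request)
    rest += _handshake(14, b"")
    # Split so one message straddles two records, as real stacks often do.
    first = _handshake(2, server_hello) + rest[:5]
    return _record(first) + _record(rest[5:])


if __name__ == "__main__":
    flight = sample_server_flight(0xC02F, request_client_cert=True)
    for key, value in analyze_server_flight(flight).items():
        print(f"{key}: {value}")
```

Feed `analyze_server_flight` the server-to-client bytes of a real capture (for example, the TCP payload reassembled from the server side of a tcpdump) before deploying inbound inspection: `requires_client_cert` true means the backend will reject the gateway's own certificate exactly as the application log above shows, and `passively_decryptable_with_server_key` false means a forwarding-style decryption mode cannot work on that cipher suite either.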
PhoneBoy
Admin

I believe as part of our NDR offering we have something that can do this.
The feature is called Cooperative Inspection.
Note that NDR sensors run a different image and are managed differently from regular Check Point gateways.
