This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
kb1
Collaborator
‎2020-12-01 01:01 PM

Planning to implement https inspection on our internet firewalls but have some concerns

So i just came across this post which is over a year old-

https://community.checkpoint.com/t5/General-Topics/Outbound-SSL-Inspection-A-war-story/td-p/58647

And op posts a lot of complaints regarding the inspection as a lot of the production traffic is affected regardless of whether you bypass it or not in the rule base, so i am also concerned about this as well and we do have a lot of users who will definitely get affected if i enable the https inspection as i have tried enabling it once in the past and it already started causing issues (vpn users not being able to authenticate being one of them which was a major issue and had to immediately disable https inspection when that happened) although at that time i felt that it was because the firewalls did not have all the necessary certificates installed for both outbound and inbound inspection which is something i need to look at now as well but i still feel as though there will be issues even if i do install all necessary certificates so please fellow checkpoint gurus advise on how to proceed.

By the way our gateways are on R80.20 take 118.

 

Thank You.

0 Kudos
3 Replies
FedericoMeiners
Advisor
‎2020-12-01 04:51 PM

Think that I know the author of that post 😁

A couple of clarifications first

- HTTPS Inspection is an intrusive technology in every vendor - I tried Fortinet, PAN, Sophos, Cisco and every each of them has issues. This is due to the fact that to perform Inspection you have to create a Man In the Middle (MITM) situation which may lead to security issues with certain applications and even browsers.

- Inbound and Outbound HTTPS Inspection are two completely different things and shall be approached as different endeavors.

- HTTPS Inspection is something that you have to deploy in your company, no matter the cost.

After stating my points the purpose of my mentioned post is to give advises to properly deploy HTTPS Inspection with less impact as possible. My advise would be to carefully read how to deploy HTTPS Inspection, even try it on a lab first.

Once you did that start deploying Outbound HTTPS Inspection gradually: Know who the problematic/sensitive users are in your company, start by adding certain subnets or even hosts (/32).

The best advise that I could give you is that a certain part of the network being inspected is better than none. I have customers were we managed to achieve 100% traffic visibility while others are in a 60/70%

Last but no least, upgrade at least to R80.40 since there are tons of improvements there regarding HTTPS Inspection (TLS Inspection).

Regards,

Fede

____________
https://www.linkedin.com/in/federicomeiners/
_Val_
Admin
Admin
‎2020-12-02 12:36 AM
In response to FedericoMeiners

In addition to what @FedericoMeiners said, please take a look here: https://community.checkpoint.com/t5/Next-Generation-Firewall/HTTPS-Inspection-Best-Practices-TechTal...

It is one year old, but most parts are very relevant. Also, we have run series of HTTPS Inspection Best Practices Live events this year, and all the materials are also posted in the community. You can look them up.

0 Kudos
kb1
Collaborator
‎2020-12-02 10:11 AM
In response to FedericoMeiners

thanks for the advice

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    Virtual

    Thu 18 Apr 2024 @ 11:00 AM (CDT)

    CP Tips and Tricks 2024 #7: Cloud WAF Security
    Virtual

    Thu 18 Apr 2024 @ 11:00 AM (CDT)

    Central US: Network Security Troubleshooting - Part 3 - ClusterXL
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    CheckMates Events