kb1
Collaborator

Planning to implement HTTPS inspection on our internet firewalls but have some concerns

So I just came across this post, which is over a year old:

https://community.checkpoint.com/t5/General-Topics/Outbound-SSL-Inspection-A-war-story/td-p/58647

And OP posts a lot of complaints regarding the inspection, as a lot of the production traffic is affected regardless of whether you bypass it or not in the rule base, so I am concerned about this as well. We do have a lot of users who will definitely get affected if I enable the HTTPS inspection, as I have tried enabling it once in the past and it already started causing issues (VPN users not being able to authenticate being one of them, which was a major issue, and I had to immediately disable HTTPS inspection when that happened). At that time I felt that it was because the firewalls did not have all the necessary certificates installed for both outbound and inbound inspection, which is something I need to look at now as well, but I still feel as though there will be issues even if I do install all necessary certificates. So please, fellow Check Point gurus, advise on how to proceed.

By the way, our gateways are on R80.20 take 118.

 

Thank You.

0 Kudos
3 Replies
FedericoMeiners
Advisor

Think that I know the author of that post 😁

A couple of clarifications first:

- HTTPS Inspection is an intrusive technology with every vendor - I tried Fortinet, PAN, Sophos, Cisco and each and every one of them has issues. This is due to the fact that to perform Inspection you have to create a Man-in-the-Middle (MITM) situation, which may lead to security issues with certain applications and even browsers.

- Inbound and Outbound HTTPS Inspection are two completely different things and shall be approached as different endeavors.

- HTTPS Inspection is something that you have to deploy in your company, no matter the cost.

Having stated my points, the purpose of my mentioned post is to give advice on properly deploying HTTPS Inspection with as little impact as possible. My advice would be to carefully read how to deploy HTTPS Inspection, and even try it in a lab first.

Once you have done that, start deploying Outbound HTTPS Inspection gradually: know who the problematic/sensitive users are in your company, and start by adding certain subnets or even hosts (/32).

The best advice that I could give you is that a certain part of the network being inspected is better than none. I have customers where we managed to achieve 100% traffic visibility, while others are at 60/70%.

Last but not least, upgrade at least to R80.40, since there are tons of improvements there regarding HTTPS Inspection (TLS Inspection).

Regards,

Fede

____________
https://www.linkedin.com/in/federicomeiners/
_Val_
Admin

In addition to what @FedericoMeiners said, please take a look here: https://community.checkpoint.com/t5/Next-Generation-Firewall/HTTPS-Inspection-Best-Practices-TechTal...

It is one year old, but most parts are very relevant. Also, we have run a series of HTTPS Inspection Best Practices Live events this year, and all the materials are also posted in the community. You can look them up.

0 Kudos
kb1
Collaborator

Thanks for the advice.