Martijn
Collaborator

Protocol type None on TCP service with port 443

Hi All,

Does Check Point handle a TCP service on well-known ports like 443 with protocol type None differently than TCP services on another port with protocol type None?

Case:

A 44K chassis on R80.20SP Take 304 (VSX gateway) has a virtual system configured to protect a datacenter in which a storage setup is installed. The firewall handles a large volume of traffic in a continuous stream and some of the traffic is on port 443.

We found out we do not get the throughput we expect, so we created a service on TCP 443 with protocol type None. The virtual system is Firewall Only, so no IPS, AV, AB or AC. There is no NAT or VPN involved. The port might be 443, but HTTPS inspection is not configured on the gateway. With a custom service on 443 with protocol type None we hoped the throughput would increase because Check Point forwards this flow to SecureXL. But this is not the case. We can see the load on the firewall worker cores increasing and not on the Multi-Queue cores.

When we do the same on port 444 (custom TCP service with protocol type None) and reconfigure the storage to work on 444 and not 443, we have a very good throughput.

In the end we enabled Fast Accel on the virtual system and created a rule for this trusted traffic and then we have a very good throughput on port 443 using the custom TCP service with Protocol type None. And we see the load on the Multi-Queue cores increasing telling us the traffic is handled by SecureXL.

So my question is: is Check Point trying to inspect this traffic even if the protocol type is set to None and no scanning blades are enabled?

Regards,

Martijn
5 Replies
_Val_
Admin

Did you define a custom service, and is the traffic matched to the rule where this service is used? Or are you using ANY for services?

Martijn
Collaborator

Hi Val,

I used the custom service in a rule and we are seeing that rule being hit, and the logs show the correct custom service.
But without Fast Accel it looks like Check Point does handle this traffic differently than on another custom service port.

Customer would like to know if we can explain this.

Regards,
Martijn

PhoneBoy
Admin

It could very well be that there is some protocol inspection going on with port 443 that is done at the firewall level, even if it is matching a rule with a service of type None.
Using fastaccel is definitely a way to make sure this doesn't happen.

Daniel_
Collaborator

> So my question is: is Check Point trying to inspect this traffic even if the protocol type is set to None and no scanning blades are enabled?

AFAIK some of the inspection settings are working inside the firewall blade. But most of them should be irrelevant with TLS encryption.

[Screenshot: Inspection Settings]

Martijn
Collaborator

Hi Daniel,

We have checked the Inspection Settings, but the relevant ones are not activated.

And even if they are, why do they apply to a custom service on port 443 and not to a service on port 444?

Regards,
Martijn