Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Gianlucheck
Participant
Jump to solution

Proxy HTTP/HTTPS - two sessions

I have to configure the Checkpoint as Proxy HTTP/HTTPS with Application Control.

I know that the Proxy open 2 connections, one to client and one to server.

For client side I have to configure one policy:

source: client, destination: gw internal interface  (proxy ip) , service: tcp_8080

For server side I have to configure the following polcy?

source: gw external interface, destination: internet, service: http/https?

In short the connection between GW and Internet has the client source Ip or the external interface source IP ?

 

Thanks

0 Kudos
1 Solution

Accepted Solutions
HeikoAnkenbrand
Champion Champion
Champion

 

Active Streaming – https:

With PSL, connection that is encrypted with SSL (TLS) was not supported, the reason for this is that the encryption keys are known only to the Client and Server since they are the one that initiated the connection (preformed the SSL handshake), because of this we couldn’t get the data out of the packet and the application couldn’t scan it for malicious information. CPAS plays the rule of “man in the middle”, because of this, it can intercept the SSL handshake and change the keys so he will be able to understand the encryption. The Client preform an SSL handshake with the gateway (thinking it is the Server) while the Server preform SSL handshake with the gateway (thinking he is the Client). The gateway have both keys and he’s able to open the encryption, check the packet and re-encrypt the packet with the corresponding keys. In order to encrypt / decrypt the SSL connection, CPAS add another layer before the application queue. The new layer will send the packet to the SSL engine for decryption/encryption and then resume the normal flow.

Active Streaming – https content step by step:

Packets of SSL handshake are passed to the SSL engine to exchange keys. When the connection and the SSL handshake is fully established, an hook will be register for this connection to handle the decrypt / encrypt of the packets. When a packet arrive to CPAS, a trap will be sent and the SSL engine will receive the encrypted packet, decode the packet and return it to CPAS. The packet will enter the receive queue and the application will be able to work on it, once he done he will send it to the write queue. The packet will pass to the SSL engine for encryption and pass to the other side (Client, Server).

69676_pastedImage_1 (1).png

More read here:

R80.x - Security Gateway Architecture (Content Inspection)

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

3 Replies
PhoneBoy
Admin
Admin
You do not need to create rules for outbound connections originating from the firewall itself.
HeikoAnkenbrand
Champion Champion
Champion

 

Active Streaming – https:

With PSL, connection that is encrypted with SSL (TLS) was not supported, the reason for this is that the encryption keys are known only to the Client and Server since they are the one that initiated the connection (preformed the SSL handshake), because of this we couldn’t get the data out of the packet and the application couldn’t scan it for malicious information. CPAS plays the rule of “man in the middle”, because of this, it can intercept the SSL handshake and change the keys so he will be able to understand the encryption. The Client preform an SSL handshake with the gateway (thinking it is the Server) while the Server preform SSL handshake with the gateway (thinking he is the Client). The gateway have both keys and he’s able to open the encryption, check the packet and re-encrypt the packet with the corresponding keys. In order to encrypt / decrypt the SSL connection, CPAS add another layer before the application queue. The new layer will send the packet to the SSL engine for decryption/encryption and then resume the normal flow.

Active Streaming – https content step by step:

Packets of SSL handshake are passed to the SSL engine to exchange keys. When the connection and the SSL handshake is fully established, an hook will be register for this connection to handle the decrypt / encrypt of the packets. When a packet arrive to CPAS, a trap will be sent and the SSL engine will receive the encrypted packet, decode the packet and return it to CPAS. The packet will enter the receive queue and the application will be able to work on it, once he done he will send it to the write queue. The packet will pass to the SSL engine for encryption and pass to the other side (Client, Server).

69676_pastedImage_1 (1).png

More read here:

R80.x - Security Gateway Architecture (Content Inspection)

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Chris_Atkinson
Employee Employee
Employee

For proxy configuration & additional information please see sk110013 / sk92482.

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events