I am thinking of using the SSL Visibility Appliance (SSL Visibility Appliance | Symantec) with a Check Point cluster running in router mode: ClusterXL with multiple features such as IPS, Application Control, URL Filtering, etc.
To do that I need to create a couple of extra ports in bridge mode so the Check Point gateways will collect the decrypted traffic for IPS, Application Control and URL Filtering, while the firewall, routing and NAT capabilities stay on the existing L3 ports.
I think this is a reasonable design to get consistent SSL decryption performance. Does anybody have experience with bridge ports and the SSL Visibility Appliance + Check Point gateway?
I am concerned about packets passing twice through the Check Point gateway. How does the Check Point gateway handle it? I guess that SecureXL will accelerate the decrypted traffic, right?
Luis, I am very interested to see if you succeed in making it work.
I was contemplating a similar approach, but was somewhat deterred by the premise that CP should perform HTTPS inspection by itself in order to recognize applications.
It is reasonable to expect IPS to benefit from external SSL processing, though.
Hi Luis, did you get this done, or do you have any more lessons learned to share with us? I heard rumors that they only support it when Check Point runs in L2 mode with no NAT, but I am unsure if this is true. I will have to ask Symantec about that, but I would be glad if you could share any updates on your planned project.
Regarding what Vladimir said, I think there is still a chance the app recognition might work.
I have configured the SSL Visibility to decrypt the traffic for the Check Point DDoS appliance. It worked great for inbound traffic, doing HTTPS inspection for some sites to protect them. Some colleagues have tested it connected to a Check Point firewall to allow the IPS blade to inspect traffic. This week I am going to build a small lab with my SSL appliance and test some blades that need SSL inspection.
John, we are still going through the research stage, but these are the conclusions:
- the SSL Visibility Appliance only works at L2
- if your firewall is running in L3 with multiple security features such as IPS, Application Control, etc., you need to split the functionality of your Check Point in two: an L3 firewall (VSX or physical hardware) running NAT and routing, and a second firewall (VSX or physical hardware) running the rest of the security features.
Thanks Pablo, let us know how it goes.
Hello Luis, I tested this configuration; it worked quite well.
In my lab I tested outbound inspection.
I configured the firewall to have the LAN interface connected to the SSL Visibility and the other port to the switch interface. I created a certificate on the SSL Visibility and installed it on the clients.
The policy is quite simple: any traffic needs to have the action decrypt and resign certificate.
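As an added example (not from the thread, and not Symantec's or Check Point's own code), the script below reproduces with plain openssl the trust model behind Pablo's lab setup: a resigning CA (the certificate created on the SSL Visibility and installed on the clients), a fresh server certificate minted under that CA with the origin server's subject and SAN, and the check that only a client holding the resigning CA accepts it. The CA name, the hostname www.example.test and all file names are made up for the demo; it assumes an openssl CLI of version 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the thread: emulate "decrypt and resign" with plain openssl.
# The appliance terminates the client's TLS session with a certificate it mints on
# the fly: same subject/SAN as the origin server, signed by the resigning CA that
# was pushed to the clients. Names and paths below are made up for this demo.
set -eu

WORK="$(mktemp -d)"
ORIGIN_CN="www.example.test"   # hypothetical origin server name

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/lab.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Lab SSLV Resigning CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$ORIGIN_CN
EOF

build_lab() {
  # 1. Resigning CA: the certificate created on the SSL Visibility and installed on clients.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -sha256 \
    -config "$WORK/lab.cnf" -extensions v3_ca \
    -keyout "$WORK/resign-ca.key" -out "$WORK/resign-ca.pem" 2>/dev/null

  # 2. Origin server certificate. Self-signed here as a stand-in for the one a
  #    public CA would have issued; the appliance never needs its private key.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -sha256 \
    -config "$WORK/lab.cnf" -subj "/CN=$ORIGIN_CN" -extensions v3_leaf \
    -keyout "$WORK/origin.key" -out "$WORK/origin.pem" 2>/dev/null

  # 3. Resign: fresh key pair, subject and SAN copied from the origin certificate,
  #    signature from the resigning CA. This is the certificate the client sees.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/lab.cnf" -subj "/CN=$ORIGIN_CN" \
    -keyout "$WORK/resigned.key" -out "$WORK/resigned.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/resigned.csr" -days 30 -sha256 \
    -CA "$WORK/resign-ca.pem" -CAkey "$WORK/resign-ca.key" -CAcreateserial \
    -extfile "$WORK/lab.cnf" -extensions v3_leaf \
    -out "$WORK/resigned.pem" 2>/dev/null
}

# Issuer and subject of the resigned certificate in RFC 2253 form, e.g. "CN=...".
resigned_issuer()  { openssl x509 -in "$WORK/resigned.pem" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }
resigned_subject() { openssl x509 -in "$WORK/resigned.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }

# Did the SAN survive the resign? Clients match the hostname against the SAN, not the CN.
resigned_has_san() { openssl x509 -in "$WORK/resigned.pem" -noout -text | grep -q "DNS:$ORIGIN_CN"; }

# A client that has the resigning CA installed: the chain verifies.
client_with_ca_accepts() { openssl verify -CAfile "$WORK/resign-ca.pem" "$WORK/resigned.pem" >/dev/null 2>&1; }

# A client without it (empty trust store; the system store cannot hold the lab CA
# either): must reject. This is why the CA goes to the clients before the
# decrypt-and-resign policy is switched on.
client_without_ca_rejects() { ! openssl verify -no-CAfile -no-CApath "$WORK/resigned.pem" >/dev/null 2>&1; }

build_lab
echo "resigned cert: subject=$(resigned_subject) issuer=$(resigned_issuer)"
client_with_ca_accepts && echo "client with resigning CA installed: accepted"
client_without_ca_rejects && echo "client without resigning CA: rejected (expected)"
echo "lab files in $WORK"
```

The negative check is the symptom to look for when rolling this out: a client that did not receive the resigning CA sees exactly this failure as a certificate error for every decrypted site, while clients with the CA installed see a chain ending in the appliance's CA instead of the public one.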