This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
jnra
Contributor
‎2023-01-23 12:04 AM
Jump to solution

Maestro HTTPS Inspection

We have a single gateway acting as a perimeter firewall and a maestro setup with 1 security group. Both are being managed by a Single SMS. Our testing aims to access Facebook but block Facebook-Posting. This requires HTTPS inspection and we enabled it on both gateway and maestro.

Behind the gateway we have a test PC and it is working properly. Facebook posting is blocked, However, on the test PC behind Maestro, it's not working. Please see attached images for reference. 

Anyone experienced this before? Thanks in advance. 

 

Preview file
53 KB
Preview file
95 KB
Preview file
156 KB
0 Kudos
1 Solution

Accepted Solutions
jnra
Contributor
‎2023-01-24 07:01 PM
Jump to solution

Thank you everyone. the issue was resolved after blocking Quic and Quic Protocol. 

View solution in original post

9 Replies
MartinTzvetanov
Advisor
‎2023-01-23 06:22 AM
Jump to solution

Maestro logs say Unreached OSCP, which for me means the certificate is not recognized which means GW behind Maestro doesn't decrypt the traffic. Dig in this direction.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-01-23 04:28 PM
Jump to solution

Did you check: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

0 Kudos
jnra
Contributor
‎2023-01-23 05:03 PM
In response to PhoneBoy
Jump to solution

Yes. I tried getting the current value with fw ctl get command but I'm getting an error. Will update you once I get to work on our setup later. 

0 Kudos
jnra
Contributor
‎2023-01-23 05:22 PM
In response to jnra
Jump to solution

I performed sk178625 and change the value of appi_urlf_ssl_cn_perform_hold_for_cert_validation from 0 to 1 but still I encountered the same issue. I still get lots of "Unreached OCSP" https validation. 

I have opened a TAC case for this concern as well. 

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2023-01-24 04:48 AM
In response to jnra
Jump to solution

Do you have Layer 4 distribution enabled?  It is by default...

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
jnra
Contributor
‎2023-01-24 05:06 PM
In response to Timothy_Hall
Jump to solution

Yes. L4 mode was enabled. I also tried setting the interfaces distribution mode manually by setting external interface as network and internal interface as user. 

0 Kudos
emmap
Employee
Employee
‎2023-01-24 05:56 PM
Jump to solution

Is the connection being HTTPS Inspected on both the Maestro SG and the perimeter gateway? Double inspection is not supported, so either just do it on the perimeter gateway or make sure that you exclude the Maestro IPs and the networks behind the Maestro from inspection on the perimeter gateway,

0 Kudos
jnra
Contributor
‎2023-01-24 06:03 PM
In response to emmap
Jump to solution

On my initial setup, Maestro SG is behind perimeter firewall. Currently, I have  a direct internet connection for Maestro SG.

0 Kudos
jnra
Contributor
‎2023-01-24 07:01 PM
Jump to solution

Thank you everyone. the issue was resolved after blocking Quic and Quic Protocol. 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events