This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Tobias_Moritz
Advisor
‎2021-12-23 01:05 AM

HTTPS Inspection Lite and log query for FQDNs in extended log entries

Hello Community,

does anyone know how to query for FQDNs in Smart Console log pane when logs are written as extended logs and HTTPS Inspection Lite (Categorize HTTPS Sites) in R80.40+ is used?

Details:

  • Only HTTPSi Lite is used (full inspection not allowed)
  • Gateway cannot see full URL in HTTPS connections by design (full inspection would be needed)
  • Gateway can see FQDN by looking at the TLS handshake (working fine from R80.40 on and some backports if I remember correctly)
  • Following info is visible in log card when extended logs are enabled (see screenshot):
    • yellow: Server Name Indication (SNI) field in TLS Client Hello. That's what the client was actual asking for.
    • green: matching from server certificate of TLS Server Hello when checking against SNI. I double checked it: it is not (always) the CN field. In this case, the server shows a cert with CN = cp801-prod.do.dsp.mp.microsoft.com (not matching) and SAN: DNS:cp801-prod.do.dsp.mp.microsoft.com (not matching), DNS:*.prod.do.dsp.mp.microsoft.com (matching). I had expected to see the matching wildcard here in the log card, but the developers decided to show the matching SNI again.
    • red: reverse lookup of the destination ip address done by Smart Console client (this is not what I'm interested in)

Question summary: How to query for yellow or green field in a log query in Smart Console log pane (or SmartView)?

 

There is a field available called "tls_server_host_name" and while this sound promising, it does not work.

Any ideas?

Reason for the question:

The customer wants to replace another vendors solution with Check Point gateways. The other vendors solutions allows for searching for these FQDNs in logs and now Check Point has to provide the same feature somehow.

PS: Not sure why inline image does not work, so I attached the screenshot to the post.

Preview file
75 KB
0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2021-12-28 12:24 PM

Not every field in the log card is indexed.
My guess is those fields are not indexed.
A free text search (not on a specific field) might pull them up.

0 Kudos
Tobias_Moritz
Advisor
‎2022-01-03 12:02 AM
In response to PhoneBoy

Daemon, thank you for your reply and I wish you a happy new year 🙂

A free text search does not pull them up.

Any idea, what we can do here? Can we add these fields to be indexed?

Is the field called "tls_server_host_name" the right one (yellow or green) and the search is just not working because field is not indexed, or is it the wrong field name?

It's hard to tell the customer, that search for FQDNs in logs is not possible, when information is available in logs and existing competitor solution can do it.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events