Tobias_Moritz
Advisor

HTTPS Inspection Lite and log query for FQDNs in extended log entries

Hello Community,

Does anyone know how to query for FQDNs in the SmartConsole log pane when logs are written as extended logs and HTTPS Inspection Lite (Categorize HTTPS Sites) on R80.40+ is used?

Details:

  • Only HTTPSi Lite is used (full inspection is not allowed)
  • The gateway cannot see the full URL in HTTPS connections by design (full inspection would be needed)
  • The gateway can see the FQDN by looking at the TLS handshake (working fine from R80.40 on, and some backports if I remember correctly)
  • The following info is visible in the log card when extended logs are enabled (see screenshot):
    • yellow: Server Name Indication (SNI) field in the TLS Client Hello. That's what the client was actually asking for.
    • green: the match from the server certificate in the TLS Server Hello when checked against the SNI. I double-checked it: it is not (always) the CN field. In this case, the server shows a cert with CN = cp801-prod.do.dsp.mp.microsoft.com (not matching) and SAN: DNS:cp801-prod.do.dsp.mp.microsoft.com (not matching), DNS:*.prod.do.dsp.mp.microsoft.com (matching). I had expected to see the matching wildcard here in the log card, but the developers decided to show the matching SNI again.
    • red: reverse lookup of the destination IP address done by the SmartConsole client (this is not what I'm interested in)

Question summary: How to query for the yellow or green field in a log query in the SmartConsole log pane (or SmartView)?


There is a field available called "tls_server_host_name", and while this sounds promising, it does not work.

Any ideas?

Reason for the question:

The customer wants to replace another vendor's solution with Check Point gateways. The other vendor's solution allows searching for these FQDNs in logs, and now Check Point has to provide the same feature somehow.

PS: Not sure why the inline image does not work, so I attached the screenshot to the post.

PhoneBoy
Admin

Not every field in the log card is indexed.
My guess is those fields are not indexed.
A free text search (not on a specific field) might pull them up.

Tobias_Moritz
Advisor

Daemon, thank you for your reply and I wish you a happy new year 🙂

A free text search does not pull them up.

Any idea what we can do here? Can we add these fields to be indexed?

Is the field called "tls_server_host_name" the right one (yellow or green) and the search is just not working because field is not indexed, or is it the wrong field name?

It's hard to tell the customer that searching for FQDNs in logs is not possible when the information is available in the logs and the existing competitor solution can do it.
