Hello Community,

does anyone know how to query for FQDNs in Smart Console log pane when logs are written as extended logs and HTTPS Inspection Lite (Categorize HTTPS Sites) in R80.40+ is used?

Details:

• Only HTTPSi Lite is used (full inspection not allowed)
• Gateway cannot see full URL in HTTPS connections by design (full inspection would be needed)
• Gateway can see FQDN by looking at the TLS handshake (working fine from R80.40 on and some backports if I remember correctly)
• Following info is visible in log card when extended logs are enabled (see screenshot):
  • yellow: Server Name Indication (SNI) field in TLS Client Hello. That's what the client was actual asking for.
  • green: matching from server certificate of TLS Server Hello when checking against SNI. I double checked it: it is not (always) the CN field. In this case, the server shows a cert with CN = cp801-prod.do.dsp.mp.microsoft.com (not matching) and SAN: DNS:cp801-prod.do.dsp.mp.microsoft.com (not matching), DNS:*.prod.do.dsp.mp.microsoft.com (matching). I had expected to see the matching wildcard here in the log card, but the developers decided to show the matching SNI again.
  • red: reverse lookup of the destination ip address done by Smart Console client (this is not what I'm interested in)

Question summary: How to query for yellow or green field in a log query in Smart Console log pane (or SmartView)?

There is a field available called "tls_server_host_name" and while this sound promising, it does not work.

Any ideas?

Reason for the question:

The customer wants to replace another vendors solution with Check Point gateways. The other vendors solutions allows for searching for these FQDNs in logs and now Check Point has to provide the same feature somehow.

PS: Not sure why inline image does not work, so I attached the screenshot to the post.