Solved: Inbound https inspection only

Chandhrasekar_S · ‎2019-07-10

Hello,

I wanted to turn on Inbound https inspection only and not outbound. Is there a way to do this?

Going through documentation it says when you enable https inspection on the gateways, it creates an outbound CA certificate as well which means outbound https inspection is enabled as well.

Thanks,

Chandru

PhoneBoy · ‎2021-06-03

I suspect what you're doing in this case won't work without another IP address.
You can try creating a NAT rule to redirect traffic to the external IP on port 443 to the relevant server on the backend.
If there is more than one IP involved on the backend, this definitely won't work.

View solution in original post

Nick_Doropoulos · ‎2019-07-10

Hi Chandhrasekar_S,

I don't know what version your gateway is but I believe you can still follow the guide for R80.10 as below:

https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_NexGenSecurityGateway_Guide/...

I would focus on this section:

To enable inbound HTTPS traffic inspection:

From the SmartConsole Gateways & Servers view, edit the Security Gateway object.
Click HTTPS Inspection > Step 3.
Select Enable HTTPS Inspection.
Import server certificates for servers behind the organization Security Gateways.
Define an HTTPS inspection policy:
- Create rules
- Add a server certificate to the Certificate column of each rule.

Let us know if that answers your question.

Chandhrasekar_S · ‎2019-07-10

Hi Nick,

We are running R80.10 gateways. Under HTTPS Inspection

Step1 : Outbound CA certificate creation

Step2: Deploy outbound certificate in your organization (Which is we distributing the CA certificate to all the internal systems )

Its only in Step3: you enable HTTPS inspection, hence my question is it not possible to enable https inspection for inbound traffic only.

Nick_Doropoulos · ‎2019-07-10

Hello,

I can see the confusion but as far as I'm aware, it's still the same box that you have to tick in order to enable HTTPS inspection regardless of direction.

The main difference is that instead of exporting the outbound certificate etc you will need to import the server's certificate in the section shown below:

To my knowledge, you would need to import a certificate as I don't think you have the option to generate an inbound one on the gateway in the same way that you can for outbound certificates.

Chandhrasekar_S · ‎2019-07-10

Thanks Nick. Yes I am aware of importing the internal server SSL certificates etc for configuring https inbound inspection.

I believe we need to delete the default https inspection rule, in order to stop the outbound https inspection

PhoneBoy · ‎2019-07-14

You're correct.
While you may have to configure an outbound certificate as part of the process, if there is no outbound HTTPS Inspection rule, you won't get outbound HTTPS Inspection.

Kevin · ‎2021-01-07

Bear with me as I try to resurrect this thread.

We're using the Checkpoint outbound SSL/DLP inspection and that works well. We tried once to configure the inbound SSL inspection for the sake of IPS/Malware control but were not successful - unfortunately, it's been a while and details on that are somewhat sketchy.

Did anyone run into complications by configuring the inbound SSL inspection? Any one-off site issues? Any special cipher issues (as in, some supported/some not)? Anything else I need to know before trying this again? We on r80.40 and plan to upgrade to r81 1Q.

Thanks in advance.

KA

johnnyringo · ‎2021-06-02

I'm also looking to do only inbound (from Internet) HTTPS inspection. Currently on R80.40, but plan to upgrade to R81 later this year.

The step in the documentation of "Create Rules" is pretty friggin' vague. We have multiple hostnames an only one external IP address, so I need the ability to route each SNI hostname to a different internal IP. Using NGINX configuration as an example:

server { 
  listen        443 ssl http2;
  server_name   web1.mydomain.com;
  location / { 
    proxy_pass          https://10.20.30.44:443;
    proxy_set_header    Host $host;
    proxy_http_version  1.1;
  }
  ssl_certificate     web1_mydomain_com.cer;
  ssl_certificate_key web1_mydomain_com.key;
  ssl_ciphers         ECDH+AESGCM:ECDH+AES128+SHA:RSA+AES128+SHA;
  ssl_prefer_server_ciphers on;
}

server { 
  listen        443 ssl http2;
  server_name   web2.mydomain.com;
  location / { 
    proxy_pass          https://10.20.30.65:443;
    proxy_set_header    Host $host;
    proxy_http_version  1.1;
  }
  ssl_certificate     web2_mydomain_com.cer;
  ssl_certificate_key web2_mydomain_com.key;
  ssl_ciphers         ECDH+AESGCM:ECDH+AES128+SHA:RSA+AES128+SHA;
  ssl_prefer_server_ciphers on;
}

What would this look like in CheckPoint's HTTPS inspection rules? I see fields for source, destination, services, and certificate, but no "translated destination" or "translated services" equivalent to the way you'd see in a NAT rule.

PhoneBoy · ‎2021-06-02

It would look like the answer I gave in this thread: https://community.checkpoint.com/t5/Security-Gateways/Is-there-SNI-support-for-inbound-HTTPS-inspect...

johnnyringo · ‎2021-06-02

Right, that shows how to match hostnames with server certificates, but doesn't address how to actually route the requests to the backend web server after inspection. Here's my screenshot in R80.40:

When I got to the website, I do get the correct certificate, but the CheckPoint's GAIA portal is displayed. This heavily implies the CheckPoint is just fowarding the traffic to itself, since I have the Platform portal set to "accessible only through internal interfaces"

PhoneBoy · ‎2021-06-03

I suspect what you're doing in this case won't work without another IP address.
You can try creating a NAT rule to redirect traffic to the external IP on port 443 to the relevant server on the backend.
If there is more than one IP involved on the backend, this definitely won't work.

johnnyringo · ‎2021-06-03

OK, so basically another HTTPS proxy will need to do the conversion between hostname and IP address/port. That's actually fine: I didn't mention it for the sake of simplicity, but this is a cloud deployment where we terminate the site on external load balancers and they do that very well with a minimal cost.

So, I just have each hostname hit a different external port on the CheckPoint cluster, and make some NAT rules to route to the corresponding internal web server:

Then write an inspection rule for those ports. No need to configure hostname, since that's already being done on the external load balancer. Likewise, a self-signed cert is fine since it doesn't perform backend server cert validation.

The one thing that got me: the firewall policy must explicitly allow the CheckPoint's internal interface to talk to the backend web server. This makes sense in hindsight since CheckPoints usually need an explicit rule when they initiate a connection, just was confusing to troubleshoot since the CheckPoint was reverting to bypass after a few seconds, giving the appearance that the inspection was slow or unreliable.

I would think that NATing port 443 on the external interface would break the SSL VPN features, so that may not be a viable solution for everyone.

Are you a member of CheckMates?

Inbound https inspection only