Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
iko
Contributor

Problem with HTTPS Inspection

Jump to solution

Hi all,

I am new to Checkpoint, and I am having a hard time with the configuration of HTTPS Inspection.

Here my simple setup: I have a Security Gateway (R81) and Security Management Server installed on a VM with 2 interfaces (internal with hide NAT, and external). I have created the outbound certificate, and deployed it to the client, and enabled HTTPS Inspection.

Here are the HTTPS Inspection policies I use:

1.png

Browsing from the client works as expected, but browser still show the original certificate, not the one replaced from the gateway. Also the logs don't show anything:

2.png

In another post having the same problem, someone says "to enable https interception in the protocol tab", but I cannot find this option in any GUI. Is this what I am missing?

Anything else what I have possibly missed? Any help is highly appreciated.

Thank you, Iko

0 Kudos
1 Solution

Accepted Solutions
the_rock
Champion
Champion

Just an update for this post...we did remote sesison and determined that wstlsd process was running, so no issues with firewall or https inspection and what was missing was simply a rule in policy to block a test site category, so we simply blocked gambling as a test from LAN and were able to see blocked page with the right cert.

View solution in original post

21 Replies
Timothy_Hall
Champion
Champion

I assume you have enabled HTTPS Inspection on the gateway/cluster object itself under HTTPS Inspection...Step 3.  Make sure that box is checked as you may have accidentally canceled out of that screen.

For object "Internet" to be applied properly in your HTTPS Inspection policy, you need to ensure that your network topology is completely and correctly defined under Network Management on your gateway/cluster object, specifically that the external interface is properly defined.

You may need to enable URLF to ensure the SNI category can be properly determined, but that may not matter here since you have "Any" set.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
iko
Contributor

Thanks for your time and help.

You assume right, HTTPS Inspection is enabled:

3.png

My topology looks all right I think:

4.png

internalinternalexternalexternal

I also replaced the "Internet" object with "any" in my inspection policy, but doesn't change anything.

And I enabled URLF on the gateway and added URLF in category (in inspection rule).

Still no inspection happens.

Any other ideas left?

0 Kudos
Timothy_Hall
Champion
Champion

If you run ps -ef | grep wstlsd are there any wstlsd processes running?  If they are, please provide the log card for an accepted HTTPS connection that should have been inspected.  Either your Internet traffic is not traversing the firewall the way you think, or possibly the web traffic is using QUIC instead of HTTPS.  If there are no wstlsd process you have something still wrong in your config.

What code level and JHFA are you running, and have you tried other browser types to initiate traffic?

Edit: Corrected daemon name from wstld to wstlsd.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
iko
Contributor

No there are no wstld processes running.

Internet traffic is definitely passing the firewall. Behind the firewall is another VM using host only adapter, which is directly connected to the internal interface. here some logs:

7.png

From these logs I would say it is using HTTPS (not QUIC). btw, the client is internet explorer which is afaik not using QUIC at all.

does the output below answer your question regarding code level and JHFA?

8.png if not, how can i provide you the information?

Thanks, Iko

0 Kudos
iko
Contributor

i installed now chrome, to doublecheck, the problem is not the used protocol

9.png

my rulebase doesnt even allow QUIC, but HTTPS works like a charm. just not intercepted 😞

0 Kudos
Timothy_Hall
Champion
Champion

Sounds like you are in a virtual environment, if the firewall itself is a VM how many cores are allocated?  It needs to be at least 2 cores and 4GB of RAM (R81 minimum requirements), and it wouldn't surprise me if HTTPS Inspection would fail to operate unless there were at least 4 total cores (1/3 CoreXL split with dedicated functions per core so that 3 wstlsd process could be started in that case, as opposed to a 2-core setup with a 2/2 split and overlapping core functions).

While HTTPS Inspection is not itself a licensed feature, I assume you have a valid license installed otherwise?  cplic print

Try disabling HTTPS Inspection on the gateway object, publish and reinstall, then enable it again, publish and reinstall.  If it still doesn't work it will probably be time for a TAC case so they can run a debug and figure out why your firewall is essentially refusing to perform HTTPS Inspection.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
iko
Contributor

2 Cores with 4 GB RAM is what i am using at the moment. Changed it to 4 cores now.

I am using a trial license:

gw-a7234c> cplic print
Host Expiration Features

=====================================================================
Check Point product trial period will expire in 13 days.
Until then, you will be able to use the complete Check Point Product Suite.
Please obtain a permanent license from Check Point User Center at:
https://usercenter.checkpoint.com/pub/usercenter/get_started.html
======================================================================

 

I disabled HTTP Inspection, published, reinstalled and re-enabled, published, reinstalled, but still no HTTPS inspection ongoing.

 

Am I allowed to open a TAC case with my trial license?

 

 

 

0 Kudos
iko
Contributor

I don't see a way to open a TAC request with my trial license.

0 Kudos
Timothy_Hall
Champion
Champion

Sorry can't help you with opening a TAC case, try hitting up your Check Point SE.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
PhoneBoy
Admin
Admin

For a standalone VM, I recommend at least 16GB.
8GB is the absolute minimum.

0 Kudos
the_rock
Champion
Champion

If that process is not running, something is definitely wrong. I remember once I had similar issue with the customer and it turned out to be a setting that was inadvertently changed in GUidbedit tool itself. Do you remember changing anything there at all? I will try to see if I can find what setting it was...

the_rock
Champion
Champion

Got it...here is what I found in my notes (if you can check on this)

 

Make sure all SmartConsole connections are completely closed.
GuiDBedit > Other > ssl_inspection > general_confs_obj
The 'trusted_ca_certs_group' should refer to 'Recommended' from the same ssl_inspection table, so this must have been deleted on accident.
Simply right-click on the parameter > Edit, then in the Table drop-down select ssl_inspection and in the Object drop-down select Recommended
Save, close and then open SmartConsole and install policy

iko
Contributor

Hi the_rock, thanks for your advice. But I never changed anything with GuiDBedit.

The system I use is a fresh installation, and I just tried to setup HTTPS inspection in SmartConsole.

Anyway I verified it, the entry still exists

10.png

Any other advice?

0 Kudos
iko
Contributor

in the meantime I will try my luck with a new installation ...

0 Kudos
iko
Contributor

new installation has the exact same problem -> no wstld processes -> no https inspection 😭

0 Kudos
the_rock
Champion
Champion

That sucks...did you use same management server? Message me privately, I want to help you...we can do remote session when convenient.

iko
Contributor

I have a standalone gw and mgmt server on one virtual host. so I reinstalled everything from scratch today.

pm sent 😉 thank you

the_rock
Champion
Champion

Just an update for this post...we did remote sesison and determined that wstlsd process was running, so no issues with firewall or https inspection and what was missing was simply a rule in policy to block a test site category, so we simply blocked gambling as a test from LAN and were able to see blocked page with the right cert.

iko
Contributor

just a note to point it out: there was a typo 🙂

the process is called wstlsd

and that was running 😉

Timothy_Hall
Champion
Champion

Thanks, I corrected it in my prior post.  I had a bit of a panic attack wondering if I had made the same mistake when mentioning that daemon in my book, but it was spelled correctly there.  😀

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
(1)
the_rock
Champion
Champion

No points taken for spelling mistakes...I never met any IT person who was good speller, no offense : ))