This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2019-10-20 01:58 PM
Jump to solution

R80.20 - SNI vs. enabled HTTPS Interception

R80.20+  with enabled HTTPS interception:

If the https interception is enabled, the parameter host from http header can be used for the url because the traffic is analyzed by active streaming. Check Point Active Streaming (CPAS) allow the changing of data, we play the role of “man in the middle”. CPAS breaks the connection into two parts using our own stack – this mean, we are responsible for all the stack work (dealing with options, retransmissions, timers etc.). An application is register to CPAS when a connection start and supply callbacks for event handler and read handler. Several protocols uses CPAS, for example: HTTPS, VoIP (SIP, Skinny/SCCP, H.323, etc.), Security Servers processes, etc. CPAS breaks the HTTPS connection into two parts using our own stack – this mean, we are responsible for all the stack work (dealing with options, retransmissions, timers etc.) 

More read here: R80.x Security Gateway Architecture (Content Inspection) 

 

R80.20+ without enabled HTTPS interception (SNI is used):

If the https interception is disabled, SNI is used to recognize the virtual URL for application control and url filtering.

More read here: URL Filtering using SNI for HTTPS websites.pdf 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
1 Solution

Accepted Solutions
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2019-10-22 12:07 PM
In response to Til_Hall
Jump to solution

Yes! SNI works without enabled HTTPS decryption. If the https interception is disabled, SNI is used to recognize the virtual URL for application control and url filtering.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

8 Replies
PhoneBoy
Admin
Admin
‎2019-10-21 07:42 AM
Jump to solution

Hi, just to make a small correction to the above, there are customer-specifix hotfixes for SNI support on R80.10 and R80.20.
Note that with customer-specific fixes you won't necessarily be able to use recent jumbo hotfixes.
R80.30 has this integrated, enabled by default, and we actually verify the SNI requested by the client.
It is by far the better option.
Til_Hall
Explorer
‎2019-10-22 11:57 AM
Jump to solution

I'm a little bit confused!

Can SNI be used without enabled HTTPS encryption?

0 Kudos
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2019-10-22 12:07 PM
In response to Til_Hall
Jump to solution

Yes! SNI works without enabled HTTPS decryption. If the https interception is disabled, SNI is used to recognize the virtual URL for application control and url filtering.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
PhoneBoy
Admin
Admin
‎2019-10-24 06:33 PM
In response to HeikoAnkenbrand
Jump to solution

Only with JHF117 or above installed.
Otherwise, SNI is NOT used for App Control/URL Filtering.
0 Kudos
Andreas_Mang
Contributor
‎2019-10-29 02:32 AM
In response to PhoneBoy
Jump to solution

is this on the roadmap for R80.20SP as well? Any target JHF?
0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2020-06-03 06:20 AM
In response to Andreas_Mang
Jump to solution

R80.20SP JHF Take 191 GA or above.

CCSM R77/R80/ELITE
Andreas_Mang
Contributor
‎2019-10-29 02:35 AM
In response to PhoneBoy
Jump to solution

is this on the roadmap for R80.20SP as well? Any target JHF?

PhoneBoy
Admin
Admin
‎2019-10-31 07:59 AM
In response to Andreas_Mang
Jump to solution

It's planned for the near term, yes, but not familiar with the exact JHF it is planned.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events