iko
Contributor

TLS1.3 inspection

Hi again,

I managed now to enable TLS1.3 on my R81 Security Gateway.

But the HTTPS Inspection doesn't work in case of TLS1.3 traffic:

13.png

Even though I have disabled my bypass rule:

14.png

Just to be sure you have all the info, here is my simple rulebase:

15.png

Is there any special rule I need to add to catch TLS1.3 traffic?

Thanks, Iko

21 Replies
PhoneBoy
Admin

First of all, disabling your bypass rule can cause performance issues.

Is USFW enabled? https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

iko
Contributor

Can you tell me how to verify if USFW is enabled?

PhoneBoy
Admin

cpprod_util FwIsUsermode 
cpprod_util FwIsUsfwMachine 

Both commands should return 1.
What precise appliance are you doing this on?

iko
Contributor

I run an R81 Security Gateway with Mgmt-Gateway on the same VM.

Product version Check Point Gaia R81
OS build 392
OS kernel version 3.10.0-957.21.3cpx86_64
OS edition 64-bit

[Expert@gw-a7234c:0]# cpprod_util FwIsUsermode
0
[Expert@gw-a7234c:0]# cpprod_util FwIsUsfwMachine
0

PhoneBoy
Admin

What are the precise specifications (RAM, cores) on the VM?
Note that HTTPS Inspection for TLS 1.3 traffic requires three things:

The two commands indicate USFW is not enabled.
To enable them, issue the following two commands and reboot:

cpprod_util FwIsUsermode 1
cpprod_util FwIsUsfwMachine  1

Once you've done this, HTTPS Inspection of TLS 1.3 should work.

iko
Contributor

Doesn't work for some reason:

[Expert@gw-a7234c:0]# cpprod_util FwIsUsermode 1
Unknown/Unsupported command 1
0
[Expert@gw-a7234c:0]# cpprod_util FwIsUsfwMachine 1
Unknown/Unsupported command 1
0

_Val_
Admin

Should be:

FwSetUsermode, FwSetUsfwMachine 

iko
Contributor

Thanks _Val_, this worked:

[Expert@gw-a7234c:0]# cpprod_util FwIsUsermode
1
[Expert@gw-a7234c:0]# cpprod_util FwIsUsfwMachine
1

Thank you both, _Val_ and PhoneBoy.

Iko

iko
Contributor

Unfortunately, I had to remove the "accept as solution" because the TLS1.3 inspection still has some problem.

In the log I can see that the inspection works, but the client browser shows a "Secure Connection failed" message now.

Is there anything else I am missing?

_Val_
Admin

Root certificate installed as trusted probably? 🙂

iko
Contributor

I analyzed the traces; it looks like the firewall is stripping off the supported_versions extension in the outgoing ClientHello now.

iko
Contributor

My bad, I didn't reboot.

Now HTTPS requests work again on the client, but traffic is bypassed from interception again, but only TLS1.3 traffic:

16.png

PhoneBoy
Admin

What does the log card say on the bypassed log?

iko
Contributor

One request on the client always brings up 3 log entries:

17.png

Is this the log card?

18.png

Just for clarification: The accessed webserver is TLS1.3 only.

The first log entry gets accepted. I think this is the first ClientHello sent without the supported_versions extension, which makes it a TLS1.2 request. This is not what the webserver expects, so it replies with some version alert. So the firewall sends the ClientHello again, this time with the supported_versions extension included (TLS1.3) -> this is what log entries 2 & 3 are about.

I just wonder why the bypass entry comes second!? Wouldn't it make more sense if the decision to intercept or not were made already before the first request is sent? Or is the order not really accurate, since this all happens in a very short time?

Just my thoughts ...

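An added example, not from the thread or from Check Point: the trace analysis above hinges on whether the outgoing ClientHello still carries the supported_versions extension (type 0x002B). This small Python parser builds a constructed sample ClientHello, with or without that extension, and reports which versions the hello actually offers, so a capture from the gateway's outside interface can be checked the same way.

```python
import struct

SUPPORTED_VERSIONS = 0x002B          # extension type defined in RFC 8446
TLS12, TLS13 = 0x0303, 0x0304

def build_client_hello(offered=(TLS13, TLS12)):
    """Constructed sample: a minimal TLS record carrying a ClientHello.
    legacy_version is always TLS 1.2; offered=None omits supported_versions,
    which is what a middlebox stripping the extension would produce."""
    exts = b""
    if offered:
        vers = b"".join(struct.pack(">H", v) for v in offered)
        body = bytes([len(vers)]) + vers
        exts = struct.pack(">HH", SUPPORTED_VERSIONS, len(body)) + body
    hello = struct.pack(">H", TLS12) + bytes(32)          # legacy_version, random
    hello += b"\x00"                                       # empty legacy_session_id
    hello += struct.pack(">H", 2) + b"\x13\x01"            # one cipher suite
    hello += b"\x01\x00"                                   # null compression only
    hello += struct.pack(">H", len(exts)) + exts
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def offered_versions(record):
    """Versions a ClientHello really offers. A TLS 1.3 client signals 1.3 only
    in supported_versions; if the extension is absent, legacy_version rules and
    a TLS 1.3-only server will answer with a protocol_version alert."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    hello = record[9:]                                     # skip record + handshake headers
    legacy = struct.unpack(">H", hello[:2])[0]
    pos = 34 + 1 + hello[34]                               # skip random and session id
    pos += 2 + struct.unpack(">H", hello[pos:pos + 2])[0]   # skip cipher suites
    pos += 1 + hello[pos]                                  # skip compression methods
    if pos + 2 > len(hello):
        return [legacy]
    end = pos + 2 + struct.unpack(">H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", hello[pos:pos + 4])
        data = hello[pos + 4:pos + 4 + elen]
        if etype == SUPPORTED_VERSIONS:
            return [struct.unpack(">H", data[i:i + 2])[0]
                    for i in range(1, 1 + data[0], 2)]
        pos += 4 + elen
    return [legacy]

def offers_tls13(record):
    return TLS13 in offered_versions(record)
```

Feeding the bytes of a real captured ClientHello record to `offered_versions` shows whether the inspected hello leaving the gateway still advertises TLS 1.3 or has been downgraded to its legacy_version.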
PhoneBoy
Admin

The order may not entirely be accurate here, but the Internal System Error would explain why it is bypassing.
You’ll need to use this SK to debug what’s happening: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Alex_Lewis
Contributor

I have tried these commands multiple times, and after a reboot the values are back to 0:

cpprod_util FwSetUsermode 1
cpprod_util FwSetUsfwMachine 1

Also, I tried enabling TLSIO by adding fwtls_enable_tlsio=1 to $FWDIR/boot/modules/fwkern.conf; fw ctl get int fwtls_enable_tlsio shows it is 0 after reboot. If I try to set it on the fly with fw ctl set int fwtls_enable_tlsio 1, I get the error "Set operation failed: failed to get parameter fwtls_enable_tlsio".

Ilya_Yusupov
Employee

Hi @Alex_Lewis ,

Can you share on which version and platform you are trying to convert to USFW?

Thanks,

Ilya 

Alex_Lewis
Contributor

2-gateway HA cluster running R81 Take 36 on Open Platform.

Ilya_Yusupov
Employee

In general, if it's an open platform, it should be USFW by default.

Can you share which type you have? How many CPUs does it have?

Alex_Lewis
Contributor

Dell PowerEdge R430, 16 CPUs, 32GB RAM

Ilya_Yusupov
Employee

Hi @Alex_Lewis ,

According to our HCL, this type is not supported:

https://www.checkpoint.com/support-services/hcl/

Thanks,

Ilya