ascoyne
Contributor

HTTPS Inspection of remote user VPN traffic

We have HTTPS Inspection enabled on our R81.10 FW and it collects HTTPS inspection for all internet traffic that originates from the LAN, but for our remote users that use Remote Access VPN we see no HTTPS Inspection logs.

I have a feeling it is probably just a setting we don't have set correctly to allow inspection of Remote Access VPN.

Any ideas?

0 Kudos
11 Replies
G_W_Albrecht
Legend

In the default configuration, internet access for Remote Access VPN clients is only inspected by local endpoint SW. But it is possible to use Hub Mode if the need arises to achieve this: sk101239: Route all traffic from Remote Access clients, including internet traffic, through Security...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
ascoyne
Contributor

Thank you.  We don't have Hub Mode enabled so that's something we need to look into.

0 Kudos
PhoneBoy
Admin

Have you confirmed it's actually performing HTTPS Inspection on your Remote Access clients?

In any case, for inspecting HTTPS Traffic for Remote Access, it's far better to use either Harmony Browse or Harmony Connect Internet Access.

0 Kudos
ascoyne
Contributor

I have confirmed our Remote Access client subnet is part of the HTTPS Inspection policy.  I will look into the other products, thank you.

0 Kudos
the_rock
Legend

You definitely got valid responses. Btw, are VPN users going through the FW once they connect, or is it a split VPN tunnel? Because, keep in mind, if it's split VPN, outbound HTTPS inspection will NOT apply, because their Internet traffic would go via their respective ISP providers.

Andy

0 Kudos
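The routing difference behind this point, as an added example that is not part of the original thread: a longest-prefix-match check over a client routing table shows which destinations leave through the tunnel (where the gateway can inspect them) and which go straight to the ISP. Both routing tables, the interface names `vpn0` and `wlan0`, and all addresses are constructed for illustration.

```python
import ipaddress

# Constructed client routing tables: (destination prefix, egress interface).
# "vpn0" (tunnel) and "wlan0" (local ISP link) are hypothetical names.
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "wlan0"),        # default route stays on the local ISP link
    ("10.0.0.0/8", "vpn0"),        # only the corporate range enters the tunnel
    ("192.168.50.0/24", "wlan0"),  # home LAN
]
FULL_TUNNEL = [
    ("0.0.0.0/0", "vpn0"),         # default route points into the tunnel
    ("192.168.50.0/24", "wlan0"),  # home LAN
    ("203.0.113.10/32", "wlan0"),  # gateway's public address, outside the tunnel
]


def egress_interface(routes, destination):
    """Return the interface chosen by longest-prefix match, or None."""
    dest = ipaddress.ip_address(destination)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def gateway_can_inspect(routes, destination, tunnel_iface="vpn0"):
    """Traffic is visible to the gateway only if it leaves via the tunnel."""
    return egress_interface(routes, destination) == tunnel_iface


def classify(routes, destinations, tunnel_iface="vpn0"):
    """Map each destination to the path it takes from the client."""
    return {
        d: "via gateway" if gateway_can_inspect(routes, d, tunnel_iface)
        else "direct to ISP"
        for d in destinations
    }


if __name__ == "__main__":
    targets = ["198.51.100.20", "10.1.2.3"]  # constructed: one internet, one internal
    print("split tunnel:", classify(SPLIT_TUNNEL, targets))
    print("full tunnel: ", classify(FULL_TUNNEL, targets))
```
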
G_W_Albrecht
Legend

Not using Hub mode, so traffic to the internet does not pass the GW.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
ascoyne
Contributor

Thank you all for your help in steering me in the right direction.

We have a decision to make about HTTPS Inspection and remote access.  Either, 

a) We change to Hub Mode which allows HTTPS Inspection for VPN traffic, but we will lose split tunnelling 

b) Leave it as it is and not have HTTPS Inspection for VPN users, but retain VPN split tunnelling

 

PhoneBoy
Admin

You actually have a third option here: Harmony Connect.
Internet-bound traffic can be subject to Threat Prevention (including HTTPS Inspection) without being routed on-premise.
It's a different service at extra cost and requires a second VPN client (which can run concurrently with your existing client).
However, it is another option. 

0 Kudos
the_rock
Legend

What @PhoneBoy told you makes 100% the most sense and he perfectly explained why. So, if you think about it, a barebones VPN client is NOT an EDR solution at all, because it simply does just VPN, that's it. With Harmony Endpoint (yes, I know, it's more money and the whole thing, I get it), BUT, it's an amazing product and it's full EDR that actually lets you implement HTTPS inspection from the portal itself, where you would create rules for users. We have customers doing this and they love it.

I will say though, just my honest feedback to you, sometimes adding exceptions for the Threat Prevention blade can be a pain, but TAC is usually good at fixing those fairly quickly.

Hope that helps in your decision making. At least, you have choices :-)

0 Kudos
ascoyne
Contributor

Thank you all for taking the time to respond to my original message.  All your feedback has been beneficial, and we now have options moving forward.  The Checkmates forum is brilliant.

the_rock
Legend

Glad we could help.

0 Kudos
