Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Platinum

HTTPS Inspection on SMB

So, how is it at the moment for those of you using it?

Last time I tried it, users just could not reach some of the sites. I recall some peculiar SSL error in the logs. 

20 Replies
Highlighted
Admin
Admin

It would help if you could provide information you saw in the logs, describe the behaviors you saw in more detail, etc.

Also is the appliance locally managed or centrally managed?

0 Kudos
Highlighted
Platinum

Can't quite remember what it was exactly other than I set everything to bypass (even cleanup rule) and there was a log message with something like "empty_ssl_response". I may try it again during next weekend and get more details. 

It is centrally managed 1470.

But I have not opened this thread to discuss particular problem, more like to get your feedback. There are related discussions here on CheckMates but they are more about R80.xx gateways.

0 Kudos
Highlighted
Admin
Admin

Empty SSL Connection most likely means you haven't installed the necessary CA key into the trusted root store on your browser.

See: A log with an "empty_ssl_conn" entry in the HTTPS Validation field appears in SmartView Tracker 

And yes, I totally understand wanting to get feedback.

HTTPS Inspection in general has been discussed in numerous threads for non-SMB appliances.

Most of the issues would be similar for SMB appliances, I would expect. 

0 Kudos
Highlighted

I had some performance issues at first due to memory leak, but it was fixed and all works well. Here is what I did:

  • Enable probe bypass mechanism as described in sk104717
  • Enable P384 support as described in sk110883

In locally managed appliances I still have to configure many exceptions for pages that might fail to load. For some unknown reason, pages that fail in locally managed SMBs work well in centrally managed.

0 Kudos
Highlighted
Platinum

Thanx mate, very valuable info.

Didn't know SK104717 is applicable for SMB as well. But now that you mentioned it, I checked and there is indeed enhanced_ssl_inspection parameter in the kernel. Did you implement all SK steps or only part of them ?

It doesn't look like I have to do anything for SK110883 because starting from R77.20.80 it is already integrated?

0 Kudos
Highlighted
Admin
Admin

I believe you still have to perform the ckp_regedit steps in the SK from expert mode.

0 Kudos
Highlighted
Platinum

I ran these commands and rebooted appliance. Hopefully that is enough.

cp $CPDIR/registry/HKLM_registry.data $CPDIR/registry/HKLM_registry.data.BAK

ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_ACCEPT_ECDHE 1

ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_PROPOSE_ECDHE 1

ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_ACCEPT_ECDSA 1

ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_PROPOSE_ECDSA 1

ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_EC_P384 1

0 Kudos
Highlighted
Platinum

Question... Are Linux update repositories included in "known software update services" list ? Because it does not look like they are.

0 Kudos
Highlighted
Admin
Admin

0 Kudos
Highlighted
Platinum

Thanx, I'll bypass them for now.

0 Kudos
Highlighted
Platinum

I am using HTTPS Inspection with success so far but I faced strange problem. When I try to access certain Web sites (varna-airport.bg for example) I am getting ERR_CONNECTION_TIMED_OUT from browsers. And indeed telnet to port 443 on that host gives same error.

If I bypass this site by destination IP or URL it does not work. But if I bypass it by source IP then it works fine. 

There is nothing relevant in the logs. Have any of you faced similar problem and how did solve it ? 

0 Kudos
Highlighted
Admin
Admin

If you do a tcpdump on the outside interface when you attempt to access this site, what do you see?

My guess is that the TLS negotiation might be failing.

The fact there is no logs about this is problematic and might be worth a TAC case.

0 Kudos
Highlighted

Could it be a redirect which is sending you to another IP which is not bypassed?

As Dameon said, capture with TCPDUMP and look for redirect codes or TLS errors.

I don't see why it would timeout, though. Normally there should be other kinds of error.

0 Kudos
Highlighted
Platinum

Thanx for your comments. I disabled enhanced_ssl_inspection and it started to work again. 

0 Kudos
Highlighted

So it works better for you with probe bypass off?

For me it seems to work better when I turn it off.

0 Kudos
Highlighted
Platinum

Yes, seems to work better when it is off. Otherwise some sites just time out and users are not happy about it. 

Highlighted
Platinum

A friendly reminder guys...

If you need to bypass site by IP address, make sure relevant row in the HTTPS Inspecton policy is on the top before any other inspection rules. Otherwise it won't have effect. Logical but easy to miss Smiley Happy 

0 Kudos
Highlighted

Talking about rule order, I am unable to rearrange SSL inspection exception rules in locally managed appliances. I drag and drop, but they go back to the order they were created.

How about you?

0 Kudos
Highlighted
Platinum

I do not have locally managed one so cannot say. But may be as a workaround you can export configuration in cli rearrange rules and then import it again? 

0 Kudos
Highlighted

Yes, I did this, it is easy to fix, but really annoying anyway. Every time I have to add an IP based exception I have to delete and add all the rules again via CLI so the new one stays above the application based rules.