HTTPS Inspection
So, how is it at the moment for those of you using it?
Last time I tried it, users just could not reach some of the sites. I recall some peculiar SSL error in the logs.
It would help if you could provide information you saw in the logs, describe the behaviors you saw in more detail, etc.
Also, is the appliance locally managed or centrally managed?
Can't quite remember what it was exactly, other than that I set everything to bypass (even the cleanup rule) and there was a log message with something like "empty_ssl_response". I may try it again during next weekend and get more details.
It is a centrally managed 1470.
But I have not opened this thread to discuss a particular problem, more to get your feedback. There are related discussions here on CheckMates, but they are more about R80.xx gateways.
Empty SSL Connection most likely means you haven't installed the necessary CA key into the trusted root store on your browser.
See: A log with an "empty_ssl_conn" entry in the HTTPS Validation field appears in SmartView Tracker
And yes, I totally understand wanting to get feedback.
HTTPS Inspection in general has been discussed in numerous threads for non-SMB appliances.
Most of the issues would be similar for SMB appliances, I would expect.
I had some performance issues at first due to a memory leak, but it was fixed and all works well. Here is what I did:
In locally managed appliances I still have to configure many exceptions for pages that might fail to load. For some unknown reason, pages that fail in locally managed SMBs work well in centrally managed ones.
Thanks mate, very valuable info.
Didn't know SK104717 is applicable for SMB as well. But now that you mentioned it, I checked and there is indeed an enhanced_ssl_inspection parameter in the kernel. Did you implement all SK steps or only part of them?
It doesn't look like I have to do anything for SK110883 because starting from R77.20.80 it is already integrated?
I believe you still have to perform the ckp_regedit steps in the SK from expert mode.
I ran these commands and rebooted appliance. Hopefully that is enough.
# back up the registry file before touching it
cp $CPDIR/registry/HKLM_registry.data $CPDIR/registry/HKLM_registry.data.BAK
# accept and propose ECDHE key exchange
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_ACCEPT_ECDHE 1
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_PROPOSE_ECDHE 1
# accept and propose ECDSA certificates/signatures
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_ACCEPT_ECDSA 1
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_PROPOSE_ECDSA 1
# enable the P-384 curve
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_EC_P384 1
Question... Are Linux update repositories included in the "known software update services" list? Because it does not look like they are.
No, they're not.
The list is here: Check Point or Windows signatures update fails when HTTPS Inspection enabled on Security Gateway
Thanks, I'll bypass them for now.
I am using HTTPS Inspection with success so far, but I faced a strange problem. When I try to access certain websites (varna-airport.bg for example) I am getting ERR_CONNECTION_TIMED_OUT from browsers. And indeed telnet to port 443 on that host gives the same error.
If I bypass this site by destination IP or URL, it does not work. But if I bypass it by source IP, then it works fine.
There is nothing relevant in the logs. Have any of you faced a similar problem, and how did you solve it?
If you do a tcpdump on the outside interface when you attempt to access this site, what do you see?
My guess is that the TLS negotiation might be failing.
The fact there is no logs about this is problematic and might be worth a TAC case.
Could it be a redirect which is sending you to another IP which is not bypassed?
As Dameon said, capture with TCPDUMP and look for redirect codes or TLS errors.
I don't see why it would timeout, though. Normally there should be other kinds of error.
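When you take the capture suggested above, the two things worth pulling out of the TLS bytes are the SNI in the ClientHello (that is what the inspection policy matches a "site" rule against) and any Alert record sent by either side (a fatal unknown_ca from the browser, for instance, is the on-the-wire counterpart of a client that does not trust the inspection CA). The following is an added example, not code from this thread or from Check Point; it builds a ClientHello and an Alert inline as constructed sample input and then parses them the way you would parse the TCP payload extracted from a tcpdump/Wireshark export. It handles one unfragmented record per call and a TLS 1.2-style ClientHello, which covers the common troubleshooting case.

```python
import struct

TLS_ALERT = 21
TLS_HANDSHAKE = 22
HS_CLIENT_HELLO = 1

# Alert descriptions from RFC 5246 section 7.2 that show up most often when
# HTTPS Inspection is in the path.
ALERT_DESCRIPTIONS = {
    40: "handshake_failure",
    42: "bad_certificate",
    46: "certificate_unknown",
    48: "unknown_ca",
    70: "protocol_version",
    80: "internal_error",
}


def build_client_hello(sni, cipher_suites=(0xC02B, 0xC02F, 0x002F)):
    """Constructed sample input: a minimal TLS 1.2 ClientHello record with an SNI extension."""
    name = sni.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list         # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                       # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                              # one compression method: null
            + extensions)
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake


def build_alert(level, description):
    """Constructed sample input: a TLS Alert record (level 2 = fatal)."""
    return bytes([TLS_ALERT, 3, 3]) + struct.pack("!H", 2) + bytes([level, description])


def extract_sni(body):
    """Walk a ClientHello body and return the host_name from the SNI extension, or None."""
    off = 2 + 32                                   # skip client_version and random
    sid_len = body[off]; off += 1 + sid_len        # session_id
    cs_len = struct.unpack("!H", body[off:off + 2])[0]; off += 2 + cs_len   # cipher_suites
    cm_len = body[off]; off += 1 + cm_len          # compression_methods
    if off + 2 > len(body):
        return None                                # no extensions block at all
    ext_len = struct.unpack("!H", body[off:off + 2])[0]; off += 2
    end = off + ext_len
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", body[off:off + 4]); off += 4
        data = body[off:off + elen]; off += elen
        if etype == 0:                             # server_name extension
            pos = 2                                # skip server_name_list length
            while pos + 3 <= len(data):
                ntype = data[pos]
                nlen = struct.unpack("!H", data[pos + 1:pos + 3])[0]
                pos += 3
                if ntype == 0:
                    return data[pos:pos + nlen].decode("ascii")
                pos += nlen
    return None


def classify_record(record):
    """Return a dict describing one TLS record: a ClientHello with its SNI, an alert, or other."""
    if len(record) < 5:
        raise ValueError("short record")
    ctype, _vmaj, _vmin, length = struct.unpack("!BBBH", record[:5])
    payload = record[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record; TLS records can span TCP segments, reassemble first")
    if ctype == TLS_ALERT:
        level, desc = payload[0], payload[1]
        return {"type": "alert", "fatal": level == 2,
                "description": ALERT_DESCRIPTIONS.get(desc, str(desc))}
    if ctype == TLS_HANDSHAKE:
        hs_type = payload[0]                       # 1 byte type, 3 bytes length, then body
        if hs_type == HS_CLIENT_HELLO:
            return {"type": "client_hello", "sni": extract_sni(payload[4:])}
        return {"type": "handshake", "msg_type": hs_type}
    return {"type": "other", "content_type": ctype}


if __name__ == "__main__":
    # Two constructed records standing in for what a capture would contain.
    for rec in (build_client_hello("varna-airport.bg"), build_alert(2, 48)):
        print(classify_record(rec))
```

A capture that shows the ClientHello leaving the outside interface with no ServerHello or Alert coming back is consistent with the timeout described above and points at something between the gateway and the server; a fatal alert in either direction gives you a concrete reason to search for in the logs or to hand to TAC.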
Thanks for your comments. I disabled enhanced_ssl_inspection and it started to work again.
So it works better for you with probe bypass off?
For me it seems to work better when I turn it off.
Yes, seems to work better when it is off. Otherwise some sites just time out and users are not happy about it.
A friendly reminder guys...
If you need to bypass a site by IP address, make sure the relevant row in the HTTPS Inspection policy is at the top, before any other inspection rules. Otherwise it won't have any effect. Logical, but easy to miss.
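The reminder above is a first-match rule base problem: an IP bypass placed below a broad inspect rule is shadowed and never fires. As an added example, not code from this thread or from Check Point, here is a small first-match evaluator together with a check that flags shadowed rules before you push the policy. Rule fields are simplified (CIDR or "any" for source and destination, an exact SNI or "any" for the site); the real product matches sites by category and SNI as well, and the cleanup action here is an assumed default, since the poster earlier in the thread had set the cleanup rule to bypass. The addresses and rule names are placeholders.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    site: str     # exact server name (SNI) or "any"; the real product also matches categories
    action: str   # "bypass" or "inspect"


def _net(field):
    return None if field == "any" else ipaddress.ip_network(field, strict=False)


def _match_net(field, addr):
    net = _net(field)
    return net is None or ipaddress.ip_address(addr) in net


def _covers(field_a, field_b):
    """True when rule field A matches at least everything rule field B matches."""
    a, b = _net(field_a), _net(field_b)
    if a is None:
        return True                       # "any" covers everything
    if b is None or a.version != b.version:
        return False
    return b.subnet_of(a)


def evaluate(policy, src, dst, sni, cleanup_action="inspect"):
    """First match wins, exactly as in the HTTPS Inspection rule base."""
    for rule in policy:
        if _match_net(rule.src, src) and _match_net(rule.dst, dst) and rule.site in ("any", sni):
            return rule.name, rule.action
    return "cleanup", cleanup_action      # assumed implicit cleanup rule


def shadowed_rules(policy):
    """Return (rule, shadowing_rule) pairs for rules that can never be reached."""
    found = []
    for i, rule in enumerate(policy):
        for earlier in policy[:i]:
            if (_covers(earlier.src, rule.src) and _covers(earlier.dst, rule.dst)
                    and earlier.site in ("any", rule.site)):
                found.append((rule.name, earlier.name))
                break
    return found


# Placeholder policy: the IP bypass was appended below the catch-all inspect rule.
WRONG_ORDER = [
    Rule("Inspect all", "any", "any", "any", "inspect"),
    Rule("Bypass airport site", "any", "203.0.113.10/32", "any", "bypass"),
]
# Same rules with the bypass moved to the top.
FIXED_ORDER = list(reversed(WRONG_ORDER))

if __name__ == "__main__":
    conn = ("10.0.0.5", "203.0.113.10", "varna-airport.bg")
    print(evaluate(WRONG_ORDER, *conn), shadowed_rules(WRONG_ORDER))
    print(evaluate(FIXED_ORDER, *conn), shadowed_rules(FIXED_ORDER))
```

Running `shadowed_rules` over an exported rule base is a cheap way to catch exactly the mistake described above, including the locally managed case further down the thread where the GUI keeps dropping new exceptions below the application-based rules.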
Talking about rule order, I am unable to rearrange SSL inspection exception rules in locally managed appliances. I drag and drop, but they go back to the order they were created.
How about you?
I do not have a locally managed one, so I cannot say. But maybe as a workaround you can export the configuration in the CLI, rearrange the rules and then import it again?
Yes, I did this, it is easy to fix, but really annoying anyway. Every time I have to add an IP based exception I have to delete and add all the rules again via CLI so the new one stays above the application based rules.