HTTPS Inspection on SMB
So, how is it at the moment for those of you using it?
Last time I tried it, users just could not reach some of the sites. I recall some peculiar SSL error in the logs.
It would help if you could provide information you saw in the logs, describe the behaviors you saw in more detail, etc.
Also is the appliance locally managed or centrally managed?
Can't quite remember what it was exactly other than I set everything to bypass (even cleanup rule) and there was a log message with something like "empty_ssl_response". I may try it again during next weekend and get more details.
It is a centrally managed 1470.
But I have not opened this thread to discuss a particular problem, more to get your feedback. There are related discussions here on CheckMates but they are more about R80.xx gateways.
Empty SSL Connection most likely means you haven't installed the necessary CA key into the trusted root store on your browser.
See: A log with an "empty_ssl_conn" entry in the HTTPS Validation field appears in SmartView Tracker
And yes, I totally understand wanting to get feedback.
HTTPS Inspection in general has been discussed in numerous threads for non-SMB appliances.
Most of the issues would be similar for SMB appliances, I would expect.
I had some performance issues at first due to a memory leak, but it was fixed and all works well. Here is what I did:
In locally managed appliances I still have to configure many exceptions for pages that might fail to load. For some unknown reason, pages that fail in locally managed SMBs work well in centrally managed.
Thanks mate, very valuable info.
Didn't know SK104717 is applicable for SMB as well. But now that you mentioned it, I checked and there is indeed an enhanced_ssl_inspection parameter in the kernel. Did you implement all SK steps or only part of them?
It doesn't look like I have to do anything for SK110883 because starting from R77.20.80 it is already integrated?
I believe you still have to perform the ckp_regedit steps in the SK from expert mode.
I ran these commands and rebooted appliance. Hopefully that is enough.
# back up the registry file before touching it
cp $CPDIR/registry/HKLM_registry.data $CPDIR/registry/HKLM_registry.data.BAK
# the ckp_regedit steps from the SK: enable ECDHE / ECDSA and P-384 for inspected TLS connections
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_ACCEPT_ECDHE 1
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_PROPOSE_ECDHE 1
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_ACCEPT_ECDSA 1
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_PROPOSE_ECDSA 1
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 CPTLS_EC_P384 1
Question... Are Linux update repositories included in the "known software update services" list? Because it does not look like they are.
No, they're not.
The list is here: Check Point or Windows signatures update fails when HTTPS Inspection enabled on Security Gateway
Thanks, I'll bypass them for now.
I am using HTTPS Inspection with success so far but I faced a strange problem. When I try to access certain Web sites (varna-airport.bg for example) I am getting ERR_CONNECTION_TIMED_OUT from browsers. And indeed telnet to port 443 on that host gives the same error.
If I bypass this site by destination IP or URL it does not work. But if I bypass it by source IP then it works fine.
There is nothing relevant in the logs. Have any of you faced a similar problem and how did you solve it?
If you do a tcpdump on the outside interface when you attempt to access this site, what do you see?
My guess is that the TLS negotiation might be failing.
The fact there are no logs about this is problematic and might be worth a TAC case.
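One way to read such a capture, as an added example that is not from this thread and not Check Point code: the function below classifies the first TLS record the server sends back after the ClientHello, i.e. whether the handshake continued (ServerHello), failed with a fatal Alert such as handshake_failure, was answered in clear text, or got no answer at all, which is what the timeout case above looks like on the wire. The byte strings it runs on are constructed by hand here, not captured from the site mentioned; in practice feed it the server-side payload pulled out of the tcpdump/tshark capture.

```python
"""Classify the first TLS record a server sends back, from raw bytes.

Added example, not part of the CheckMates thread and not Check Point code.
Given the server-to-client payload of the first reply after the ClientHello
(e.g. extracted from a tcpdump/tshark capture on the outside interface), it
says whether the handshake went on (ServerHello), failed (a TLS Alert such
as handshake_failure), was not TLS at all (clear-text HTTP), or whether
nothing came back, which is what a connection timeout looks like.
All sample payloads below are constructed by hand, not captured.
"""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate", 14: "server_hello_done"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
    42: "bad_certificate", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 70: "protocol_version", 80: "internal_error",
    112: "unrecognized_name",
}
# TLS 1.3 still puts 0x0303 in the record and ServerHello version fields
# (the real version sits in the supported_versions extension, not parsed here).
VERSIONS = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}


def classify_server_reply(data: bytes) -> dict:
    """Summarise the first TLS record in `data` (server -> client direction).

    Record header: content type (1 byte), version (2), body length (2).
    Alert body: level (1), description (1).
    Handshake body: handshake type (1), length (3), then the message.
    """
    if not data:
        return {"kind": "no_response",
                "detail": "server sent nothing back (timeout or silently dropped)"}
    if len(data) < 5:
        return {"kind": "truncated", "detail": f"{len(data)} byte(s), shorter than a record header"}
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if ctype not in CONTENT_TYPES:
        # Not a TLS record: e.g. an HTTP error sent in clear text on port 443
        return {"kind": "not_tls", "detail": data[:16].decode("latin-1")}
    body = data[5:5 + length]
    result = {"kind": CONTENT_TYPES[ctype], "record_version": VERSIONS.get(version, hex(version))}
    if ctype == 21 and len(body) >= 2:
        result["level"] = "fatal" if body[0] == 2 else "warning"
        result["alert"] = ALERT_DESCRIPTIONS.get(body[1], f"unknown({body[1]})")
    elif ctype == 22 and body:
        result["handshake"] = HANDSHAKE_TYPES.get(body[0], f"unknown({body[0]})")
        if body[0] == 2 and len(body) >= 6:
            # ServerHello: 4-byte handshake header, then server_version
            server_version = struct.unpack("!H", body[4:6])[0]
            result["negotiated_version"] = VERSIONS.get(server_version, hex(server_version))
    return result


# Constructed sample payloads (not real captures).
SAMPLE_ALERT = b"\x15\x03\x03\x00\x02" + b"\x02\x28"           # fatal handshake_failure(40)
SAMPLE_SERVER_HELLO = (b"\x16\x03\x03\x00\x2a"                 # handshake record, 42-byte body
                       + b"\x02\x00\x00\x26"                   # ServerHello, 38-byte message
                       + b"\x03\x03" + b"\x00" * 32            # server_version, random
                       + b"\x00" + b"\xc0\x2f" + b"\x00")      # empty session id, cipher suite, null compression
SAMPLE_PLAINTEXT_HTTP = b"HTTP/1.1 400 Bad Request\r\n"
SAMPLE_TIMEOUT = b""

if __name__ == "__main__":
    for name, payload in [("alert", SAMPLE_ALERT), ("server_hello", SAMPLE_SERVER_HELLO),
                          ("plaintext", SAMPLE_PLAINTEXT_HTTP), ("timeout", SAMPLE_TIMEOUT)]:
        print(name, classify_server_reply(payload))
```

A fatal Alert right after the ClientHello points at the negotiation itself (cipher suite, curve or SNI the server rejects); an empty reply points at something dropping or not forwarding the connection, which is a different problem and matches the timeout symptom rather than a TLS error.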
Could it be a redirect which is sending you to another IP which is not bypassed?
As Dameon said, capture with TCPDUMP and look for redirect codes or TLS errors.
I don't see why it would timeout, though. Normally there should be other kinds of error.
Thanks for your comments. I disabled enhanced_ssl_inspection and it started to work again.
So it works better for you with probe bypass off?
For me it seems to work better when I turn it off.
Yes, seems to work better when it is off. Otherwise some sites just time out and users are not happy about it.
A friendly reminder guys...
If you need to bypass a site by IP address, make sure the relevant row in the HTTPS Inspection policy is at the top, before any other inspection rules. Otherwise it won't have any effect. Logical, but easy to miss.
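To make the ordering point concrete, here is an added example (not from this thread, and not Check Point's policy engine) that models an ordered HTTPS Inspection rulebase with first-match semantics and reports rules that an earlier rule shadows completely. The rule names, the 192.0.2.0/24 LAN, the 203.0.113.10 site address and the category names are made up for illustration; the real policy also matches fields this model leaves out (services, certificate, the SNI the category is derived from), and the implicit cleanup action is assumed here to be Bypass.

```python
"""First-match evaluation of an ordered HTTPS Inspection rulebase, plus a
check for rules that can never be reached.

Added example, not from this thread and not Check Point's policy engine.
It models only what the thread talks about: rules are tried top to bottom,
the first match decides Inspect or Bypass, and an IP-based Bypass placed
below a broad Inspect rule never fires. Addresses, rule names and
categories are made up; the real policy also matches fields this model
ignores, and the implicit cleanup action is assumed here to be Bypass.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "Inspect" or "Bypass"
    src: str = ANY                       # source network (CIDR)
    dst: str = ANY                       # destination network (CIDR)
    categories: frozenset = frozenset()  # empty = any category

    def matches(self, src_ip: str, dst_ip: str, category: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (not self.categories or category in self.categories))


def evaluate(rules, src_ip, dst_ip, category):
    """Walk the rulebase top to bottom; the first matching rule decides.
    Returns (action, rule name); "<cleanup>" stands for the implicit last rule."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, category):
            return rule.action, rule.name
    return "Bypass", "<cleanup>"


def shadowed_rules(rules):
    """Names of rules that no connection can reach because an earlier rule
    already matches everything they match (src, dst and categories)."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            covers_addresses = (ip_network(later.src).subnet_of(ip_network(earlier.src))
                                and ip_network(later.dst).subnet_of(ip_network(earlier.dst)))
            covers_categories = (not earlier.categories
                                 or (bool(later.categories) and later.categories <= earlier.categories))
            if covers_addresses and covers_categories:
                shadowed.append(later.name)
                break
    return shadowed


# Made-up addresses (RFC 5737 documentation ranges) and rule names.
LAN = "192.0.2.0/24"
SITE = "203.0.113.10/32"      # stands in for a site that needs an IP-based bypass

INSPECT_ALL = Rule("Inspect all HTTPS", "Inspect", src=LAN)
BYPASS_SITE = Rule("Bypass problem site by IP", "Bypass", src=LAN, dst=SITE)
BYPASS_FINANCE = Rule("Bypass Financial Services", "Bypass",
                      categories=frozenset({"Financial Services"}))

# Bypass-by-IP placed under the broad Inspect rule: it is shadowed and never fires.
WRONG_ORDER = [INSPECT_ALL, BYPASS_SITE, BYPASS_FINANCE]
# IP-based bypass first, category bypass next, broad Inspect last.
RIGHT_ORDER = [BYPASS_SITE, BYPASS_FINANCE, INSPECT_ALL]

if __name__ == "__main__":
    for label, rules in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        print(label, evaluate(rules, "192.0.2.25", "203.0.113.10", "Travel"),
              "shadowed:", shadowed_rules(rules))
```

The shadowed_rules check is the part worth keeping around: an IP-based bypass that shows up in that list is exactly the "easy to miss" case, because every connection it was meant to exempt is already decided by the broad Inspect rule above it. The model does not cover the probe-bypass / enhanced_ssl_inspection behaviour discussed earlier in the thread, which is a separate mechanism from rule order.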
Talking about rule order, I am unable to rearrange SSL inspection exception rules in locally managed appliances. I drag and drop, but they go back to the order they were created.
How about you?
I do not have a locally managed one so cannot say. But maybe as a workaround you can export the configuration in the CLI, rearrange the rules and then import it again?
Yes, I did this, it is easy to fix, but really annoying anyway. Every time I have to add an IP-based exception I have to delete and add all the rules again via the CLI so the new one stays above the application-based rules.
