n7564773
Participant

SMB HTTPS logging & other issues

Hello,

 

I'm seeing some very odd (to me) behaviour with a locally-managed 1450 appliance. I've just re-flashed it using the USB method so that it has a clean install of R77.20.87 (990173120), although I did re-import my config afterwards.

 

To begin with, I see no HTTPS logs whatsoever in the Security log. All my blades/rules have all logging enabled. I even turned on implied rule logging for a time to see if it helped but it didn't really. I saw a bunch more DNS requests and my WebUI activity. 

For me to see any HTTPS logs I put a rule at the top of the rulebase disabling all access for the specific host, and then I see some generic HTTPS info at least.

For a long time now, even when HTTPS logs were working, I never get any category or URL information. Is "HTTPS Categorization" mode supposed to be able to do anything these days? I know there are SK articles about CA fixes, etc., but I wasn't sure if they would fix my issues.

I've dabbled with enabling SSL inspection but it doesn't suit my purposes right now.

There definitely seems to be an issue with my HTTPS and especially its logging.

 

Thanks for your help

 

 

0 Kudos
26 Replies
n7564773
Participant

I don't see any VPN traffic either, until it's dropped by the rule I mentioned above. I don't see any allowed WireGuard or OVPN traffic. But I see all of the dropped attempts.

 

I have licenses for all of the blades, active until 2024, if that matters.

 

Thanks...

0 Kudos
PhoneBoy
Admin

What is this setting?

image.png

And, also (on the same screen):

image.png

Note this is from a 1590 running R81.10.xx, but I believe R77.20.xx has the same settings.

0 Kudos
n7564773
Participant

Hi,

 

Yes I have all of the expected logging settings enabled, which is why this is so perplexing. Anywhere a log can be enabled, it is.

 

Maybe it's an issue with how I have service/application groups nested in the rules. I'll try separating them out.

 

Thanks,

Nathan

0 Kudos
PhoneBoy
Admin

Your only option on the 1450 is to enable HTTPS Inspection. 

HTTPS Categorization in R77.20 uses the CN of the certificate to categorize websites.
R77.20 does not support SNI-based categorization that is available in newer SMB appliances running R80.20.x or R81.10.x.
1400 Series Appliances are End of Engineering Support, meaning no further software updates are planned aside from bugfixes.

0 Kudos
n7564773
Participant

That makes sense, but what about the other logging behaviour? I don't see any VPN traffic whatsoever, not even encrypted packets crossing. I only see details of these packets when I put a rule at the top of the rulebase denying the traffic.

0 Kudos
the_rock
Legend

Is all the logging enabled as per screenshot @PhoneBoy sent?

Andy

0 Kudos
Chris_Atkinson
Employee

Note for reference a newer R77.20.87 build 990173127 is available for 700 / 1400 appliances (per sk176148 contact Check Point Support to get it).

CCSM R77/R80/ELITE
the_rock
Legend

Good advice, that can only help!

0 Kudos
n7564773
Participant

Thanks. Looks like a lot of good fixes in that, specifically for HTTPS. My certs expired and so I don't have access to open a request to get it anymore, so I'll have to sort something out.

0 Kudos
n7564773
Participant

I was able to get the mentioned fix installed. Doesn't appear to be any fix for my logging issues.

 

Am I not supposed to see logs for encrypted traffic? I realize I won't see what's inside, but shouldn't I still see reference that encrypted data is traversing my interfaces? I see it in packet captures.

0 Kudos
the_rock
Legend

I'm fairly positive you should be able to see it. Do you not see any of those at all? Did it ever work?

0 Kudos
G_W_Albrecht
Legend

As @PhoneBoy posted: Your only option on the 1450 is to enable HTTPS Inspection.

CCSE CCTE CCSM SMB Specialist
0 Kudos
n7564773
Participant

To re-clarify: I'm talking about all encrypted traffic. I don't see any logs whatsoever showing VPN encrypted traffic.

 

the_rock
Legend

Just my personal opinion, and I could be mistaken, but I don't see logically why you would need HTTPS inspection on for this to work. I dealt with God knows how many clients who did NOT have inspection on their firewall, and this worked without any issues.

0 Kudos
Chris_Atkinson
Employee

Further to @PhoneBoy's earlier post, you have your policy/rules set to log in the following section, correct?

VPN log.png

CCSM R77/R80/ELITE
0 Kudos
n7564773
Participant

Correct. All rules are set to log. Implied rule logging is enabled. Global "log all" settings are set to YES. It's as if as soon as any encrypted traffic hits an 'allow' rule, logging goes away for that connection. If I put a 'deny' rule for any of this traffic, I start seeing logs again.

0 Kudos
Chris_Atkinson
Employee

As an example, for OpenVPN (UDP/1194) I would only expect to see an entry for the start of the long-lived connection/session. Are you not seeing this, or are you expecting something more here?

CCSM R77/R80/ELITE
0 Kudos
n7564773
Participant

Hi Chris,

 

I don't see any reference to the connection whatsoever. Someone unfamiliar with my environment would have no idea the connection was even taking place. I don't want to add more confusion to this discussion, but I think there is a bigger issue with my logging. Many other small things don't get log entries either, but the biggest issue is the encrypted traffic. I thought maybe I messed with some CLI global settings, which is why I factory reset the device with a new image on USB, but that didn't seem to help.

0 Kudos
the_rock
Legend

I know, for example, on FortiGates you have an option like below, but I'm fairly positive that is not there on SMB appliances (I don't have access to one to confirm):

 

Screenshot_1.png

0 Kudos
n7564773
Participant

I haven't found any reference to a setting like this, or in the advanced settings. Maybe there are other CLI options available outside of the GUI "advanced settings". Not sure.

the_rock
Legend

If I had access to an SMB appliance, I would be able to tell. Sadly, I don't believe you can create a VM with one of those images. Unlike Fortinet, where anyone can access a free online demo appliance to check out all the fw capabilities, that does not exist on the CP side, so my apologies mate, I'm not able to confirm that for you. Maybe someone else can verify.

0 Kudos
Chris_Atkinson
Employee

There are "Quantum Edge" GAiA Embedded images available for ESXi; moreover, there is also an online demo 1500 appliance that partner engineers can connect to (contact your SE for more info).

CCSM R77/R80/ELITE
the_rock
Legend

Thanks Chris, did not know that. Will email a couple of SE guys we deal with often and ask about the online demo; it would be useful.

Appreciate the info 🙏

0 Kudos
PhoneBoy
Admin

Huh, today I learned, @Chris_Atkinson.
If you have access to Techpoint, @the_rock, then you can fire it up yourself on demand:

image.png

 

See also the lab guide.

the_rock
Legend

Thanks @PhoneBoy , will give it a go in a bit and see what happens.

I was hoping there was a free online demo, which would be easier, but oh well :-)

0 Kudos
the_rock
Legend

I will say it again...you are the BEST!! That was super easy, thanks again 👍👍🙌🙌

0 Kudos