This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
DR_74
Collaborator
‎2020-08-11 06:55 AM

Allow only specific site without SSL inspection for a server

Hi,

I have an issue with R80.10 Jumbo 275 on a Security Gateway.

I need that a server has only access to a specific URL (let's say https://www.perdu.com) without SSL inspection.

I've created an APP CTRL Rule allowing only the server to this specific site and a rule to bypass SSL inspection.

Below rule 4, the rule 5 is denying anything else.

Image 004.jpgImage 005.jpg

For some reason I can see that the SSL rule is matched (bypass) but the APP CTRL rule is not matched correctly and the request is Droped when I use SSL. With HTTP it is working fine.

Image 001.jpgImage 002.jpgImage 003.jpg

The Probe Bypass is conifugred that way [Expert@firewall:0]# fw ctl get int enhanced_ssl_inspection
enhanced_ssl_inspection = 1
[Expert@firewall:0]# fw ctl get int bypass_on_enhanced_ssl_inspection
bypass_on_enhanced_ssl_inspection = 0
[Expert@firewall:0]#

I think it has something to do with the fact that I am not doing SSL insepction, and that the gateway can't find the server name.

Any ideas how I can deal witht his config. Of couse I don't want to add the IP addess of the web server as it may change over time

Thank you

0 Kudos
2 Replies
Benedikt_Weissl
Advisor
‎2020-08-11 07:47 AM

Hi,

try a Domain Object in FQDN mode (see sk120633 for details).

0 Kudos
Wolfgang
Authority
Authority
‎2020-08-11 12:41 PM

@DR_74 

Your last log entry shows a hide NAT of the source. Your configured rule for allowing these application/website does only contain your my_server object as source.

If you don‘t use automatic NAT on the my_server Object you have to allow both IPS, the real and the NAT-IP.

Wolfgang

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events