This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
net-harry
Collaborator
‎2022-02-19 06:07 AM
Jump to solution

Find FQDNs accessed using HTTP and HTTPS through a firewall with URL Filtering and App Control

Hi,

We have identified some servers that currently have full HTTP and HTTPS access to the Internet through our external Check Point security gateways.

In order to restrict the access we need to know what the servers are connecting to on the Internet. The current rule uses the firewall blade (allowing HTTP and HTTPS) and logging gives us the destination IP addresses.

We also want to know the FQDNs accessed. I therefore created an inline layer for a test source IP address (with parent rule allowing HTTP and HTTPS) with Internet as destination and enabled Detailed Log for the rule.

I thought this would help us view the FQDNs, but for most destinations I still only see IP addresses. I also tried enabled Extended Log, but with similar results.

I noticed that for some log entries that are marked as "Content Awareness", I can see the fields "TLS Server Host Name" and "Sni", which seems to give what I am looking for.

Strange thing is that Content Awareness is not even enabled on this gateway. Would someone be able to explain this and recommend how to best detect the FQDNs that are accessed?

We are running R80.20 on the security gateways and R80.40 on the management servers.

Thanks for your help!

Best regards,

Harry

0 Kudos
1 Solution

Accepted Solutions
Chris_Atkinson
Employee Employee
Employee
‎2022-02-19 06:59 AM
In response to net-harry
Jump to solution

Please review sk173633 and see if it helps you.

CCSM R77/R80/ELITE

View solution in original post

11 Replies
Chris_Atkinson
Employee Employee
Employee
‎2022-02-19 06:15 AM
Jump to solution

Hi Harry

To confirm is this R80.20 JHF T190 or higher?

What blades are enabled for the layer?

CCSM R77/R80/ELITE
0 Kudos
net-harry
Collaborator
‎2022-02-19 06:49 AM
In response to Chris_Atkinson
Jump to solution

Hi Chris,

We are running R80.20 take 202.

The firewall has the following blades enabled:

[Expert@firewall:0]# enabled_blades
fw urlf appi anti_bot mon

The inline layer has the following blades enabled:

Firewall
Applications & URL Filtering

 

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-02-19 06:59 AM
In response to net-harry
Jump to solution

Please review sk173633 and see if it helps you.

CCSM R77/R80/ELITE
net-harry
Collaborator
‎2022-02-19 07:10 AM
In response to Chris_Atkinson
Jump to solution

Thanks for the suggestion! I assume there is no impact to make the change in the sk? In any case we will schedule a maintenance to perform it.

I just noticed another thing that perhaps could explain the missing logs. We also have two ordered layers for the policy. One is called Security and one is called Application. The Security ordered layer only has the Firewall blade enabled. The Application ordered layer only has the Applications & URL Filtering blade enabled. I am adding the new inline layers in the Security ordered layer, since we want to move away from the ordered layers. Is it required that the Security ordered layer has the Applications & URL Filtering blade enabled or is it enough that the inline layer underneath has it? 

0 Kudos
Wolfgang
Authority
Authority
‎2022-02-19 09:24 AM
In response to net-harry
Jump to solution

It will be enough to enable Applications & URL Filtering blade of the inline layer for your use case.

net-harry
Collaborator
‎2022-02-21 02:40 AM
In response to Wolfgang
Jump to solution

Thanks Wolfgang for the confirmation!

In sk173633 it says:

"Important Note - Make sure the policy contains Categories/Apps. Otherwise, the connection might be matched on the SYN packet without the Light SSL flow."

Could someone explain what this note means? In our case the policy has rules with Categories/Apps, but also rules using only the firewall blade. Is there a risk for us to enable up_log_ssl_report_sni?

 

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-02-21 04:00 AM
In response to net-harry
Jump to solution

Should be no risk or impact other than the reboot step to apply the setting permanently, even then impact would likely be unnoticed in a clustered environment.

CCSM R77/R80/ELITE
net-harry
Collaborator
‎2022-02-21 04:11 AM
In response to Chris_Atkinson
Jump to solution

Thanks Chris! Is there any other drawback of enabling it? Is there a reason that this is not the default setting?

0 Kudos
Tobias_Moritz
Advisor
‎2022-02-21 02:56 AM
In response to Chris_Atkinson
Jump to solution

Hello @Chris_Atkinson: Do you know how the expected behavior is when this new kernel parameter from sk173633  is set to 0 (default)? I ask because I see these SNI entries in log card of extended log rules matches for some log entries even when this parameter is set to 0. I do not see it for every log entry (of the same rule), though.

R80.40 JHF T139.

# fw ctl get int up_log_ssl_report_sni
up_log_ssl_report_sni = 0

Log Card example:

TLS Server Host Name: r4.res.office365.com
Sni: r4.res.office365.com
Certificate Validity: Trusted

net-harry
Collaborator
‎2022-02-27 01:04 AM
In response to Tobias_Moritz
Jump to solution

Hi @Chris_Atkinson,

We have enabled up_log_ssl_report_sni and we are now able to see the information we were looking for. Thank you very much for your help with this!

Like @Tobias_Moritz, I noticed that we already had TLS Server Host Name and SNI for some records before the change. I also noticed that the information is also available when "Detailed Log" is used (instead of "Extended Log" as mentioned in sk173633).

Would you be able to share some light on this?

Thanks for your help!

Harry

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-02-27 03:35 PM
In response to net-harry
Jump to solution

Hi Harry, Sorry I don't have the details necessary to explain the behavior as described.

If it's important I'd suggest contacting TAC or your local SE to enquire with RnD on your behalf.

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events