oa_munich
Participant

HTTPS Inspection over IPv6 on R82

Hello all,

As R82 was released, I tried it out on a test gateway. My goal was to try IPv6 prefix delegation, which was introduced in R82 - I successfully received and distributed a prefix.

While trying this out, I encountered a strange issue with HTTPS inspection, when the inspection occurs via IPv6. See attached screenshots.

A client (2001:a61:30b2:bb10:445a:95fe:caf:8ed5) initiates a connection to a website (2606:4700::6813:df4f).

In the screenshot, you can see that the firewall accepts the connection initiated by the firewall itself, i.e. the probe (first screenshot, lowest row). After a noticeable timeout (initial connection at 16:38:22, client connects at 16:38:38 - 15 seconds), the client is permitted to connect, and no inspection takes place. The log shows that "The probe was unable to establish a TCP connection to the destination". I explicitly permitted the IPv6 address of the firewall to connect anywhere, cp2-ipv6-prefix (2001:a61:30b2:bb10:21c:7fff:fe88:996f).

If IPv6 is disabled, HTTPS inspection is working as expected, there is no generic configuration error, and the issue seems to be related to the way the probe initiates the connection via IPv6.

Any suggestions where to dig to understand why this is happening?

6 Replies
PhoneBoy
Admin

Do you see the gateway probe the destination via tcpdump or similar?
Guessing it's a bug and a TAC case will likely be necessary.

0 Kudos
oa_munich
Participant

I ran a packet capture on an upstream router and saw probe packets. Will get TAC to take a look, thanks!

0 Kudos
Ilya_Yusupov
Employee

Hi @oa_munich ,

Does it happen for all websites or only for a specific one?

I tried in my lab and it looks fine, I am getting inspection with IPv6.

Thanks,

Ilya

0 Kudos
oa_munich
Participant

It happens with a handful of websites I've tested with, e.g. fast.com, whatismyip.com and a few more.

Are you assigning IPv6 address through prefix delegation?

0 Kudos
oa_munich
Participant

Maybe a little more context here: I've got a bonded interface with 2 VLANs. VLAN 10 is a connection I am receiving the prefix on, VLAN 100 is the connection where I am distributing it.

Config:

set dhcp6 server enable
set dhcp6 client client-mode prefix-delegation
set dhcp6 prefix-delegation method dhcpv6
add dhcp6 prefix-delegation assign-to bond0.100
set dhcp6 prefix-delegation request-from bond0.10

The address (2001:a61:30b2:bb10:21c:7fff:fe88:996f) is the address seen on the bond0.100 interface:

show interface bond0.100
...
ipv6-address 2001:a61:30b2:bb10:21c:7fff:fe88:996f/64
...

Clients get their IPv6 addresses on bond0.100.

I tested a little more: this happens on every website that does not get bypassed by policy. For every "new" site, the first time a client tries to open it, it waits for 15 seconds, then the site gets bypassed; on subsequent attempts the inspection is bypassed immediately.

0 Kudos
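One way to pull this probe-failure pattern out of a log export and measure the gap between the gateway's own probe and the bypass, as an added example that is not from the thread or from Check Point. The line format is a constructed simplification (not Check Point's real log layout); the gateway and client addresses are the ones quoted above, the remaining destination is a 2001:db8:: documentation address.

```python
import re
from datetime import datetime

# Constructed sample log modelled on the behaviour described in the post:
# gateway probe, failure-triggered bypass ~15 s later, then cached bypasses.
# Field layout is an assumption for this example, not Check Point's format.
SAMPLE_LOG = """\
16:38:22 src=2001:a61:30b2:bb10:21c:7fff:fe88:996f dst=2606:4700::6813:df4f action=Accept info="HTTPS Inspection probe"
16:38:37 src=2001:a61:30b2:bb10:445a:95fe:caf:8ed5 dst=2606:4700::6813:df4f action=Bypass info="The probe was unable to establish a TCP connection to the destination"
16:38:38 src=2001:a61:30b2:bb10:445a:95fe:caf:8ed5 dst=2606:4700::6813:df4f action=Accept info="Connection allowed"
16:40:01 src=2001:a61:30b2:bb10:445a:95fe:caf:8ed5 dst=2606:4700::6813:df4f action=Bypass info="Bypassed by cache"
16:41:10 src=2001:a61:30b2:bb10:21c:7fff:fe88:996f dst=2001:db8::443 action=Accept info="HTTPS Inspection probe"
16:41:11 src=2001:a61:30b2:bb10:445a:95fe:caf:8ed5 dst=2001:db8::443 action=Inspect info="HTTPS Inspected"
"""

GATEWAY = "2001:a61:30b2:bb10:21c:7fff:fe88:996f"   # gateway address from the thread
PROBE_FAILED = "The probe was unable to establish a TCP connection to the destination"

LINE_RE = re.compile(
    r'^(?P<time>\d\d:\d\d:\d\d) src=(?P<src>\S+) dst=(?P<dst>\S+) '
    r'action=(?P<action>\S+) info="(?P<info>[^"]*)"$'
)


def parse(log_text):
    """Turn matching lines into dicts with a parsed time; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["time"] = datetime.strptime(d["time"], "%H:%M:%S")
            events.append(d)
    return events


def find_probe_failures(log_text, gateway_addr=GATEWAY):
    """Per destination whose probe failed: seconds from the gateway's own probe
    connection to the failure-triggered bypass, and how many later client
    connections were bypassed without inspection (no new probe in between)."""
    probes, results = {}, {}
    for e in parse(log_text):
        dst = e["dst"]
        if e["src"] == gateway_addr:
            probes[dst] = e["time"]                   # gateway-originated probe
        elif e["info"] == PROBE_FAILED:
            gap = (e["time"] - probes[dst]).total_seconds() if dst in probes else None
            results[dst] = {"probe_to_bypass_s": gap, "later_bypasses": 0}
        elif e["action"] == "Bypass" and dst in results:
            results[dst]["later_bypasses"] += 1       # cached bypass, no inspection
    return results
```

Destinations that were probed and then inspected normally (the 2001:db8::443 entry) do not appear in the result, so the output is exactly the set of sites hit by the failure.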
the_rock
Legend

I find this super interesting...may test it some time this week in R82 lab.

Andy

0 Kudos