EvilGenius
Explorer

HTTPS Inspection policy

I want an HTTPS Inspection policy to be implemented on this NAT rule, which is configured to NAT traffic towards a BWAPP server. I also want a specific certificate to be used for the inspection, but I am unable to do so. In spite of configuring an HTTPS Inspection policy for the NAT policy, it is not being implemented.

Concern_1.png

Concern_2.png

11 Replies
G_W_Albrecht
Legend

First screenshot: Original Dest GW, Transl. Dest BWAPP server??? I see no original source...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
EvilGenius
Explorer

Original Source is Any, I just couldn't get it into the screenshot. CCSE CCTE CCSM SMB Specialist admirer

G_W_Albrecht
Legend

So why is the GW the Source in screenshot 2? Translated Source is Original == Any, so how should that HTTPS rule match here?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Ruan_Kotze
Advisor

Use the column picker to add the "Certificates" column.  You can then select the correct certificate for inbound inspection.

This assumes you imported the proper server certificate first though.

EvilGenius
Explorer

I configured an HTTPS Inspection policy which uses a self-assigned certificate, but according to the log the traffic is only being inspected and not allowed. Every packet is being dropped. Similarly, as can be seen in the screenshot provided below, I believe the Action should be Allowed/Blocked, but only "HTTPS Inspect" is displayed.


Concern_3.png

PhoneBoy
Admin

I merged the other thread you created on this configuration since it stems from the same misconfiguration, most likely.

The decision to perform HTTPS Inspection needs to happen before Access Rules or NAT are applied.
Which means your HTTPS Inspection rules should be created accordingly.
I assume based on your configuration that you're trying to forward connections made to the firewall's external IP to the host ACFW-CHKP-BWAPP.
The "Certificate" column in the rule would be where you'd configure the private key to use when connecting to ACFW-CHKP-BWAPP.
This means your HTTPS Inspection rule should have "Any" as the source (not the gateway as shown).

I suspect this will also fix the issue with the NAT rule.

EvilGenius
Explorer

Thank you for the wonderful support, everyone. Now I am successfully able to implement HTTPS Inspection on the desired traffic interface, but the traffic is only being inspected, and all the normal traffic from that rule is getting blocked after inspection. Is there something else that I have to look into? It's only been a while since I have been using Check Point firewalls, so I am baffled by some features. The requirement was to inspect HTTPS traffic from the performance subnet to the LAN subnet.

concern_4.png

concern_5.png

I have also included a certificate that is going to be used for the inspection, but while passing traffic through the policy, all the traffic is only being inspected and dropped, as can be seen in the log.

PhoneBoy
Admin

HTTPS Inspection policy only decrypts the appropriate traffic.
You must still have an Access Policy rule that permits the relevant traffic.
What precise rule is being matched per the traffic logs?
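
The fix PhoneBoy describes in his two replies above, as an added example that is not from this thread or from Check Point: an HTTPS Inspection rule with Source Any, matched on the original (pre-NAT) destination and carrying the imported server certificate, plus a separate Access Policy rule that actually accepts the connection, since inspection only decrypts. It talks to the Management Web API using the commands add-https-rule, add-access-rule, publish and install-policy; the management address, gateway/host/certificate/layer/service object names and the policy package name are all assumptions, and the access rule is written against the internal server object on the assumption of the default client-side destination NAT. A lint function flags the two mistakes the thread turned on (gateway as source, post-NAT server as destination) before anything is sent.

```python
"""Added example, not code from the thread or from Check Point: builds the two
rules PhoneBoy's replies call for and pushes them through the Management Web API.

  1. HTTPS Inspection rule: Source = Any (not the gateway), Destination = the
     ORIGINAL, pre-NAT address clients connect to, Action = Inspect, with the
     imported server certificate (inbound inspection uses the server's key).
  2. Access Control rule that accepts the traffic. Inspection only decrypts;
     a connection with no matching Accept rule is still dropped.

Every object name, layer name, address and credential below is a placeholder.
"""
import json
import ssl
import urllib.request

MGMT_URL       = "https://203.0.113.10/web_api/"   # assumed management server (TEST-NET-3)
GATEWAY_OBJ    = "ACFW-CHKP-GW"                    # assumed gateway object name
GATEWAY_EXT_IP = "ACFW-CHKP-GW-ExternalIP"         # assumed host object for the public IP
BWAPP_OBJ      = "ACFW-CHKP-BWAPP"                 # internal web server named in the thread
SERVER_CERT    = "bwapp-server-cert"               # assumed name of the imported certificate
HTTPS_LAYER    = "Default Layer"                   # assumed HTTPS Inspection layer name
ACCESS_LAYER   = "Network"                         # assumed Access Control layer name
POLICY_PACKAGE = "Standard"                        # assumed policy package name


def inbound_https_rule(source, original_destination, certificate):
    """Payload for add-https-rule. The inspection decision is taken before
    NAT, so 'destination' is what the client connects to, not the real server."""
    return {
        "layer": HTTPS_LAYER,
        "position": "top",
        "name": "Inbound inspect BWAPP",
        "source": source,
        "destination": original_destination,
        "service": "HTTPS default services",      # assumed service group name
        "action": "inspect",
        "certificate": certificate,
    }


def accept_rule(source, destination):
    """Payload for add-access-rule: the Accept rule that inspection does not replace."""
    return {
        "layer": ACCESS_LAYER,
        "position": "top",
        "name": "Allow inbound HTTPS to BWAPP",
        "source": source,
        "destination": destination,
        "service": "https",
        "action": "Accept",
        "track": {"type": "Log"},
    }


def lint_inbound_rule(rule, gateway_obj, nat_target):
    """Return the mistakes seen in the thread if the rule repeats them."""
    problems = []
    if rule["source"] == gateway_obj:
        problems.append("source is the gateway; inbound clients match Any")
    if rule["destination"] == nat_target:
        problems.append("destination is the post-NAT server; match is pre-NAT, "
                        "use the original destination")
    if rule["action"].lower() != "inspect":
        problems.append("action is not inspect")
    if not rule.get("certificate"):
        problems.append("no server certificate selected for inbound inspection")
    return problems


class MgmtSession:
    """Minimal Management Web API client: login once, then POST JSON commands
    with the session id in the X-chkp-sid header."""

    def __init__(self, url, user, password):
        self.url = url.rstrip("/") + "/"
        self.ctx = ssl.create_default_context()   # verify the management server's TLS cert
        self.sid = None
        self.sid = self.post("login", {"user": user, "password": password})["sid"]

    def post(self, command, payload):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid
        req = urllib.request.Request(self.url + command, data=json.dumps(payload).encode(),
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.loads(resp.read().decode())


def apply_fix(post, gateway_target):
    """post(command, payload) -> dict, e.g. MgmtSession(...).post, or a recorder
    for a dry run. Returns the commands issued, in order."""
    https = inbound_https_rule("Any", GATEWAY_EXT_IP, SERVER_CERT)
    problems = lint_inbound_rule(https, GATEWAY_OBJ, BWAPP_OBJ)
    if problems:
        raise ValueError("; ".join(problems))
    # The access rule references the internal server object (assumed: default
    # client-side destination NAT, the usual layout for automatic NAT).
    steps = [
        ("add-https-rule", https),
        ("add-access-rule", accept_rule("Any", BWAPP_OBJ)),
        ("publish", {}),
        ("install-policy", {"policy-package": POLICY_PACKAGE, "targets": [gateway_target]}),
    ]
    for command, payload in steps:
        post(command, payload)
    return [command for command, _ in steps]


if __name__ == "__main__":
    # Dry run: what the thread's original rule (gateway as source) trips over.
    wrong = inbound_https_rule(GATEWAY_OBJ, BWAPP_OBJ, SERVER_CERT)
    print(lint_inbound_rule(wrong, GATEWAY_OBJ, BWAPP_OBJ))
    # Live run against a real management server (credentials are placeholders):
    # apply_fix(MgmtSession(MGMT_URL, "admin", "password").post, GATEWAY_OBJ)
```

For a dry run pass a recording callable as `post`; for a live run pass `MgmtSession(...).post`. After install, check the traffic log for the rule actually matched: an "HTTPS Inspect" entry alone means the connection was decrypted, and the drop comes from whichever Access Control rule it then hit.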

EvilGenius
Explorer

The Access Policy rule that is being matched with the HTTPS Inspection policy is presented below:

concern_5.png

and the HTTPS Inspection rule configured for this Access policy is:

Concern_6.png

Similarly the log generated:


Concern_3.png

PhoneBoy
Admin

Just to confirm, the source LAN is internal, correct?
I suspect you're going to need a TAC case to get to the bottom of this: https://help.checkpoint.com

EvilGenius
Explorer

Yes, the source is internal, but it comes from different interfaces and subnets.
