Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
VadimVyatkin
Explorer

HTTPS inspection not working correctly

Colleagues, good afternoon. When testing the equipment, we faced the following problem. When HTTPS inspection is enabled, web pages on client machines do not open correctly. Those. may not open completely, or remain empty. Some links don't open at all.
Our equipment: model 6200 / Cluster HA / R 80.40 / Take118 / dedicated management server. We use a self-signed certificate issued by our CA. The number of users at the moment is about 300. However, the same symptoms were observed with a few users.

I would be very grateful for help in finding the reason.

0 Kudos
21 Replies
Alex-
Leader Leader
Leader

There's a bunch to go through to properly create an HTTPS Inspection setup.

The following TechTalk is very interesting to ensure you have a good baseline policy, especially if you're evaluating the solution.

https://community.checkpoint.com/t5/Security-Gateways/HTTPS-Inspection-Best-Practices-TechTalk-Video...

0 Kudos
VadimVyatkin
Explorer

Thank you very much for your reply. The video is very informative. So does the rest of the information.

Unfortunately no solution to our problem has been found yet

 

0 Kudos
Jan_Kleinhans
Advisor

Hello, this could be an issue with take 118. We (and also 5 other Checkpoint customers) have also problems since take 118 that SSL Inspection is very slow.

Regards,

Jan

0 Kudos
VadimVyatkin
Explorer

Hello, the previous Take showed the same picture.

0 Kudos
vNenad
Participant
Participant

I can confirm that we have the same issue with two of our customers after upgrade to Take 118. Did you open a TAC ticket?

0 Kudos
VadimVyatkin
Explorer

With the previous patch, the situation was the same. The transition to 118 did not change anything. We turned to TAC. We are waiting for a decision.

0 Kudos
Vladimir
Champion
Champion

Just to cover the fundamentals, do you have this self-signed cert issued by you CA installed on your clients' machines as a trusted root CA?

Are those Macs or PCs?

What kind of browsers are you using? Some rely on their own certificate repository, instead of Windows.

0 Kudos
VadimVyatkin
Explorer

All inspection settings were made according to the guidelines and best practices. Initially, we used a certificate issued by our CA for Check Point, namely a certificate for a subordinate CA. Accordingly, client machines in the domain trusted him. Clients use Windows OS. The preferred browser is Chrome, but some also use FireFox, which needs to be additionally configured so that it accesses the system certificate store. As a result, the certificates are where they should be, clients trust them. We turn on the inspection and observe strange behavior when opening web pages. Something is opend, something is not, something is partial. In search of reasons, we changed the certificate to a self-signed CheskPoint, extended it to clients, but unfortunately, the picture remained the same. 

One could say that the load for the 6200 is too heavy. 300 users. But according to CPView, the load on the cores is 35 percent on average, there is enough memory.

0 Kudos
Vladimir
Champion
Champion

Is it safe to presume that you have updated the trusted root CA store on Check Point (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... )?

If it is done, can you post the sanitized HTTPS inspection policy for us to take a look at?

Do you, perchance, block QUIC/HTTP3 (UDP on port 443)?

Also, it'll be helpful if you can provide a few sites that you are experiencing issues with.

0 Kudos
Vladimir
Champion
Champion

P.S. Just in case, can you confirm that there is no EDR or AV on the clients that is also performing HTTPS inspection?

Can you check this in the sites that are successfully loading and those that are not and report your findings?

11709250642.PNG

0 Kudos
VadimVyatkin
Explorer

Problems mainly with search engines, large aggregators ...

0 Kudos
VadimVyatkin
Explorer

Yes, CA list is up to date

QUIC is blocked by cleanup rule of firewall

AV does not perform HTTPS inspection

If the site does not load correctly, everything is fine on the security tab.

HTTPS_policy.jpg

ProblemSite.jpg

0 Kudos
Durin
Contributor

Hi there, experiencing same issues.

Did you come across any solution for this issue?

0 Kudos
Jan_Kleinhans
Advisor

Hello,

we have a Hotfix running on Take 125. Our SR was SR#6-0003021978.

Regards,

Jan

0 Kudos
Ed_Eades
Contributor

We recently turned on HTTPS Inspection and used Best Practice setup. We are using a Gateway self-signed cert and have pushed it out to clients. Our HTTPS Inspection policy is applied on a very small sub set of devices and networks for testing purposes before applying it to more enterprise wide. We have also noticed some strange behavior when opening web pages. Some pages may load as expected, some pages do not load, and some pages may only load partially. The partially loading seems to be the most common but all of it is somewhat random in nature and not related to specific sites. When either a page doesn't load or somewhat loads a simple refresh will make the page load. The partial loading does seem to be most present on sites that may have more content delivery images and links present. That is where you may see partial images load. This behavior can be noticed across all web browsers. We are hesitant to push this out to more networks until finding a resolution.

I just came across this article in my research and see some similarities to our setup and experience. We have engaged TAC. In the meantime hoping to see if anyone has additional feedback or possible resolution in their scenario.

Many Thanks.

0 Kudos
_Val_
Admin
Admin

I suggest you ask in a separate post and ask for guidance. There is no need to highjack a someone else's thread.

maad-pul
Contributor

Did you get any PMTR number for this issue? 

0 Kudos
danielnfletcher
Participant

Hi Jan,

 

Did the hotfix solve your issue? 

Thanks

 

 

 

 

 

 

 

 

 

 

 

0 Kudos
Jan_Kleinhans
Advisor

Hello,

 

yes the hotfix resolved our issue. But with take 87 that we are running now we dont't have to install a hotfix anymore.

Regards,

Jan

0 Kudos
SSlater
Employee
Employee

Any Drops, or HTTPS Inspection Logs associated with the traffic that might indicate an error/failure/drop?

Some Examples:

  • Internal system error in HTTPS Inspection (Error Code: 1)
  • Internal system error in HTTPS Inspection (Error Code: 3)
  • Internal system error in HTTPS Inspection due to categorization service timeout
  • Internal system error in HTTPS Inspection process during SSL negotiation

If there's nothing clearly seen here... It may be worth taking a packet capture from the Client PC/Firewall to see how the TCP Handshake is going, How the Server/Client Hellos are working, TLS, etc..

You can compare this to a packet capture of the same site without HTTPS inspection enabled, compare/contrast for better understanding of "where" it is breaking.

Also a side-note that might not apply: Sometimes we can see RAD (Resource Advisor) Timeout/Error for Application Control/URL Filtering causing holdups while the HTTPS inspection is working fine.

0 Kudos
pfinksai
Participant

Import internal CA to client

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events