This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Michael_Horne
Advisor
‎2021-05-04 02:44 AM

HTTPS inspection of internal private IP traffic

Hello All,

We have an issue where internal HTTPS applications are being inspected using HTTPS interception

My understanding was that for outbound inspection only applications accessed through an interface marked as "External" etc would be intercepted.  I remember reading this a long time ago in some Checkpoint documentation, but I am failing to find this reference again.

I am interested in locating a reference document for HTTPS inspection where I hope to fins a description of what traffic is HTTPS inspection applied to.

I is strange as this issue with Internal applications being using HTTPS interception exists only on one security gateway and none of the other Security gateway clusters are showing this behaviour.  The HTTPS inspection policy only has "Bypass" rules with the generic "inspection" rule for everything else at the end of the policy.

Many thanks,

Michael

0 Kudos
4 Replies
_Val_
Admin
Admin
‎2021-05-04 03:24 AM

Your understanding is incorrect. Any traffic matching your HTTPS inspection rulebase will be inspected. 

Now, you are most probably referring to "Internet" object used as destination by default for outbound HTTPSi rules. Mind you, Internet object is interpreted by GW as everything but internal IP addresses defined by topology. In many cases that would include DMZ networks that are NAT-ed, or any other internal addresses that do not appear in the GW topology.

If you are using ANY and not Internet object, then any HTTPSi traffic crossing GW will be inspected. 

The solution here is very simple: put bypass rules for any traffic you do not want to inspect, and also use exclusively web services in HTTPSi rulebase.

There is a few discussions in the community for that matter, including HTTPSi best practice techtalk, with video recording.

0 Kudos
Michael_Horne
Advisor
‎2021-05-04 04:58 AM
In response to _Val_

Hello,

Thank you for the feedback.   I should be asking instead not why 1 gateway is inspecting the internal applications, but why the other 19+ gateways are not, as they are all sharing the same default HTTPS inspection rule with the Internet object as destination. 

I guess the crucial part is "internal IP addresses defined by topology", but since all the 20 gateways are accessing the application over an interface with a standard Topology definition "Internet (External)", I am still confused as to the behaviour. All gateways (except the one where the application is hosted), should all not have the internal IPs in the topology.

Investigations continue ...

0 Kudos
_Val_
Admin
Admin
‎2021-05-04 05:22 AM
In response to Michael_Horne

Let's be more pragmatic. How does your inspection policy look like? 

0 Kudos
Michael_Horne
Advisor
‎2021-05-10 02:44 AM
In response to _Val_

The information you gave was helpful as it seems that the issue was with the topology for the relevant interface.

I changed the external facing interface from the "red" Internet (External) topology setting to the "green" Internet (External) topology setting and reports back from the end users confirm they no longer have issues with the applications.

TopologyTopology

The interesting question is what is the difference between these tow topology settings as both are Internet (External).

Regards,

Michael

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events