bob111
Contributor

HTTPS Inspection Internet Object

Hey guys,
In the HTTPS Inspection policy there is an object called Internet. I can guess from the name what it means, but what is it actually? Is it like Any? Also, I saw somewhere that using the Internet object determines whether the traffic is considered inbound or outbound, which sounds weird. Is that true?

17 Replies
bob111
Contributor

Also, is there a difference between inbound and outbound, or does it just depend on the certificate you put in the certificate column of a certain rule?

AkosBakos
Leader

Hi @bob111 

The Internet object in the Application Control & URL Filtering policy actually only applies to traffic that's leaving an interface marked as external.

https://community.checkpoint.com/t5/Management/quot-Internet-quot-object-Internet/m-p/21030#M16513

----------------
\m/_(>_<)_\m/
bob111
Contributor

Thanks! Do you know when traffic is considered outbound or inbound in HTTPS Inspection? Is it just according to the certificate you put in a rule?

AkosBakos
Leader

Hi,

I don't think that the cert influences the direction of the traffic.

----------------
\m/_(>_<)_\m/
AkosBakos
Leader

Hi @bob111 

And the official SK: https://support.checkpoint.com/results/sk/sk64543

"Internet" means "include all traffic from Internal directed to External or DMZ according to gateway topology".


----------------
\m/_(>_<)_\m/
the_rock
Legend

Internet object strictly means ONLY external ip addresses. Unlike any, which means both internal/external.

Personally, I use Internet object for urlf ordered layer, though can be used in any layer where urlf blade is enabled in policy layer settings.

Makes sense?

Andy

bob111
Contributor

Thanks for the reply! I understand, but what is considered external to the firewall?
From what I gathered about the HTTPS Inspection feature, inbound and outbound inspection behave in a different way - inbound uses the server certificate of the internal server and outbound uses the outbound CA certificate on the firewall to decrypt and encrypt the TLS connection. This is from the Check Point docs:

  • Outbound HTTPS Inspection - To protect against malicious traffic that is sent from an internal client to an external site or server.
  • Inbound HTTPS Inspection - To protect internal servers from malicious requests that arrive from the Internet or an external network.

But when does the firewall treat the traffic as inbound and when as outbound? That is what I don't understand.


the_rock
Legend

What is considered external to the firewall? Simple answer... ANYTHING out on the Internet, when it comes to OUTBOUND HTTPS Inspection.

Andy

bob111
Contributor

But what do you mean "when it comes to outbound HTTPS Inspection"? I am in an air-gapped environment without any connection to the Internet.
I don't understand when traffic is "inbound inspected" or "outbound inspected".
Appreciate the help :)

AkosBakos
Leader

Hi @bob111 

I think the key here is "External". You can set an interface as external at any time; it does not depend on the IP of the interface. An interface with a private IP can be an external interface.

Think about it: there are internal FWs without public Internet access, but they have an external interface too. 🙂

Akos

----------------
\m/_(>_<)_\m/
bob111
Contributor

Of course I understand that I have external interfaces on my air-gapped firewall 😅. My question was about HTTPS Inspection - since outbound and inbound work differently in how they encrypt and decrypt the TLS session (inbound - server certificate, outbound - CA cert on the firewall), I don't really understand when traffic is categorized as outbound and when as inbound. Is it when, to reach the destination, the traffic exits from an interface that is set as external?

AkosBakos
Leader

Hi @bob111 

The policy methodology is the same as for the Access Control policy.

The direction depends on the topology. In a nutshell: if the routing points to an interface marked External, that is external.

  SRC               DST               Direction
  Internet          internal network  inbound
  internal network  Internet          outbound


The flow is described here

Outbound connections are HTTPS connections that arrive from an internal client and connect to an external server.

Outbound connection flow

  1. An HTTPS request (from an internal client to an external server) arrives at the Security Gateway.
  2. The Security Gateway inspects the HTTPS request.
  3. The Security Gateway determines whether the HTTPS request matches an existing HTTPS Inspection rule:
    1. If the HTTPS request does not match a rule, then the Security Gateway does not inspect the HTTPS payload.
    2. If the HTTPS request matches a rule, then the Security Gateway continues to the next step.
  4. The Security Gateway validates the HTTPS certificate from the external server.
  5. The Security Gateway uses the Online Certificate Status Protocol (OCSP) standard.
  6. The Security Gateway creates a new certificate for the connection to the external server.
  7. The Security Gateway decrypts the HTTPS connection.
  8. The Security Gateway inspects the decrypted HTTPS connection.
  9. If the Security Policy allows this traffic, the Security Gateway encrypts the HTTPS connection.
  10. The Security Gateway sends the HTTPS request to the external server.


Inbound connections are HTTPS connections that arrive from an external client and connect to a server in the DMZ or the internal network.

Inbound connection flow

  1. An HTTPS request (from an external client to an internal server) arrives at the Security Gateway.
  2. The Security Gateway inspects the HTTPS request.
  3. The Security Gateway determines whether the HTTPS request matches an existing HTTPS Inspection rule:
    1. If the HTTPS request does not match a rule, then the Security Gateway does not inspect the HTTPS payload.
    2. If the HTTPS request matches a rule, then the Security Gateway continues to the next step.
  4. The Security Gateway uses the certificate for the internal server to create an HTTPS connection with the external client.
  5. The Security Gateway creates a new HTTPS connection with the internal server.
  6. The Security Gateway decrypts the HTTPS connection.
  7. The Security Gateway inspects the decrypted HTTPS connection.
  8. If the Security Policy allows this traffic, the Security Gateway encrypts the HTTPS connection and sends it to the internal server.


Akos

----------------
\m/_(>_<)_\m/
the_rock
Legend

Yes sir, PERFECT explanation.

Timothy_Hall
Legend

One notable exception for matching object Internet as a destination would be traffic being encrypted into a VPN by the gateway itself and leaving on an External interface; this tunneled traffic will not match object Internet for a destination. IKE/IPsec traffic just transiting the gateway to the outside (i.e. another device is doing the actual encrypt/decrypt) will still match object Internet for the destination.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
the_rock
Legend

Just watch this video, but instead of proxy, imagine it's inspection; it's literally the SAME principle.

Andy

https://www.youtube.com/watch?v=RXXRguaHZs0

PhoneBoy
Admin

Inbound HTTPS Inspection rules require specific configuration, namely a server-specific certificate configured in the relevant rule in your HTTPS Inspection policy.
All of the following rules are Outbound rules:

image.png

Server-specific certificates must be explicitly configured in SmartDashboard (not SmartConsole)...at least until R82.

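The three points made above (AkosBakos: direction is decided by topology and routing, not by the certificate; Timothy_Hall: traffic the gateway itself encrypts into a VPN does not match object Internet; PhoneBoy: an inbound rule is only usable with a server-specific certificate) can be put together in a small model. The following is an added illustration written for this thread, not Check Point code and not a description of how the gateway is implemented internally. Interface names, the lab addressing, the "Outbound-CA" label and the constructed topology are all assumptions; the classification rules follow the sk64543 wording quoted earlier ("from Internal directed to External or DMZ according to gateway topology").

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Added illustration for the thread: direction is a property of the gateway topology
# (Internal / External / DMZ on each interface) plus routing, not of the IP address and
# not of the certificate. Names and addresses below are constructed for the example.


@dataclass
class Interface:
    name: str
    topology: str        # "internal", "external" or "dmz", as set in the gateway topology
    routes: List[str]    # networks reached through this interface


@dataclass
class Gateway:
    interfaces: List[Interface]
    outbound_ca: str = "Outbound-CA"                             # CA used to re-sign external server certs
    server_certs: Dict[str, str] = field(default_factory=dict)   # server IP -> imported server certificate
    vpn_domains: List[str] = field(default_factory=list)         # encryption domains this gateway tunnels itself

    def egress(self, ip: str) -> Optional[Interface]:
        """Longest-prefix route lookup: the interface traffic to `ip` leaves on.
        Used for the source as well, since the reverse route tells us which side it came from."""
        addr = ip_address(ip)
        best: Optional[Tuple[Interface, int]] = None
        for itf in self.interfaces:
            for route in itf.routes:
                net = ip_network(route)
                if addr in net and (best is None or net.prefixlen > best[1]):
                    best = (itf, net.prefixlen)
        return best[0] if best else None

    def direction(self, src: str, dst: str) -> Optional[str]:
        """'outbound': internal client to external/DMZ server.
        'inbound':  external client to internal/DMZ server.
        None:       not an HTTPS Inspection candidate in either direction (e.g. same segment)."""
        src_itf, dst_itf = self.egress(src), self.egress(dst)
        if src_itf is None or dst_itf is None or src_itf is dst_itf:
            return None
        if src_itf.topology == "internal" and dst_itf.topology in ("external", "dmz"):
            return "outbound"
        if src_itf.topology == "external" and dst_itf.topology in ("internal", "dmz"):
            return "inbound"
        return None

    def matches_internet(self, src: str, dst: str) -> bool:
        """Destination 'Internet' per sk64543: from Internal directed to External or DMZ by topology.
        Exception raised in the thread: traffic this gateway encrypts into its own VPN tunnel does
        not match, even though it leaves on an External interface."""
        if any(ip_address(dst) in ip_network(d) for d in self.vpn_domains):
            return False
        return self.direction(src, dst) == "outbound"

    def certificate_for(self, src: str, dst: str) -> Tuple[Optional[str], Optional[str]]:
        """Certificate the gateway presents to the client once an inspection rule matches.
        Outbound: a new certificate minted for `dst`, signed by the Outbound CA.
        Inbound:  the real server certificate configured on the rule; None means the rule cannot
                  actually inspect inbound traffic for that server."""
        d = self.direction(src, dst)
        if d == "outbound":
            return d, f"{dst} signed by {self.outbound_ca}"
        if d == "inbound":
            return d, self.server_certs.get(dst)
        return d, None


# Constructed air-gapped lab topology: the External interface carries a private default route,
# which is the case discussed in the thread (External is a topology role, not a public IP).
LAB = Gateway(
    interfaces=[
        Interface("eth1", "internal", ["192.168.10.0/24"]),
        Interface("eth2", "dmz", ["172.16.0.0/24"]),
        Interface("eth0", "external", ["0.0.0.0/0"]),
    ],
    server_certs={"172.16.0.10": "dmz-web.lab.example (imported server cert)"},
    vpn_domains=["10.99.0.0/16"],   # remote site reached through this gateway's own site-to-site VPN
)

if __name__ == "__main__":
    for src, dst in [("192.168.10.5", "10.20.30.40"),    # internal client -> upstream server
                     ("10.20.30.40", "172.16.0.10"),     # upstream client -> DMZ server with a cert
                     ("10.20.30.40", "192.168.10.80"),   # upstream client -> internal server, no cert
                     ("192.168.10.5", "10.99.1.1"),      # tunnelled by the gateway: not 'Internet'
                     ("192.168.10.5", "192.168.10.7")]:  # same segment: not inspected
        print(src, "->", dst, LAB.direction(src, dst), LAB.matches_internet(src, dst),
              LAB.certificate_for(src, dst))
```

Two things the model makes visible that the prose only states: an inbound rule for a server that has no imported certificate yields no certificate at all, so the rule is inert for that server, and the same source/destination pair routed out the External interface flips from "Internet" to "not Internet" solely because the destination sits in a VPN encryption domain the gateway terminates.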