Hi @bob111 

The Internet object in the Application Control & URL Filtering policy actually only applies to traffic that's leaving an interface marked as external.

https://community.checkpoint.com/t5/Management/quot-Internet-quot-object-Internet/m-p/21030#M16513

Thanks! Do you know when traffic is considered outbound or inbound in https inspection? Is it just according to the certificate you put in a rule?

Hi,

I don’t think that the cert influances the direction of the traffic.

Hi @bob111 

And the official SK: https://support.checkpoint.com/results/sk/sk64543

"Internet" means "include all traffic from Internal directed to External or DMZ according to gateway topology".

Thanks for the reply! I understand but what is considered external to the firewall?
From what I gathered about the https inspection feature, inbound and outbound inspection behave in a different way - inbound uses the server certificate of the internal server and outbound uses the outbound ca certificate on the firewall to decrypt and encrypt the tls connection. This is from the checkpoint docs:

• Outbound HTTPS Inspection - To protect against malicious traffic that is sent from an internal client to an external site or server.
• Inbound HTTPS Inspection - To protect internal servers from malicious requests that arrive from the Internet or an external network.

but when does the firewall treat the traffic as inbound and when as outbound? that is what I don't understand.

What is considered external to the firewall? Simple answer...ANYTHING out on the Internet, when it comes to OUTBOUND https inspection.

Andy

But what do you mean when it comes to outbound https inspection? I am on an air-gaped environment without any connection to the internet.
I don't understand when traffic is "inbound inspected" or "outbound inspected".
Appreciate the help:)

Hi @bob111 

I think the key is here the "External". You can set an interface as external anytime, it not depent ont hte IP of the interface, The IF with private IP can be an external interface,

Think about it, there are internal FW-s without public internet access, but they have external interface too. 🙂

Akos

Of course I understand that I have externel interfaces on my air gaped firewall😅, my question was about https inspection - since outbound and inbound work differently with how they encrypt and decrypt the tls session (inbound -server certificate , outbound - ca cert on firewall), I don't really understand when is traffic categorized for outbound and when for inbound, is it when to reach the destination  the traffic exists from an interface that is set as external?

Hi @bob111 

The policy methodology is the same as the access control policy.

The direction depends on the topology. In a nutshell: if the routing routes to external IF that is external. 

The flow is described here

Outbound connections are HTTPS connections that arrive from an internal client and connect to an external server.

Outbound connection flow

1. An HTTPS request (from an internal client to an external server) arrives at the Security GatewayClosed.
2. The Security Gateway inspects the HTTPS request.
3. The Security Gateway determines whether the HTTPS request matches an existing HTTPS InspectionClosed ruleClosed:
   1. If the HTTPS request does not match a rule, then the Security Gateway does not inspect the HTTPS payload.
   2. If the HTTPS request matches a rule, then the Security Gateway continues to the next step.
4. The Security Gateway validates the HTTPS certificate from the external server.
5. The Security Gateway uses the Online Certificate Status Protocol (OCSP) standard.
6. The Security Gateway creates a new certificate for the connection to the external server.
7. The Security Gateway decrypts the HTTPS connection.
8. The Security Gateway inspects the decrypted HTTPS connection.
9. If the Security PolicyClosed allows this traffic, the Security Gateway encrypts the HTTPS connection.
10. The Security Gateway sends the HTTPS request to the external server.

Inbound connections are HTTPS connections that arrive from an external client and connect to a server in the DMZ or the internal network.

Inbound connection flow

1. An HTTPS request (from an external client to an internal server) arrives at the Security Gateway.
2. The Security Gateway inspects the HTTPS request.
3. The Security Gateway determines whether the HTTPS request matches an existing HTTPS Inspection rule:
   1. If the HTTPS request does not match a rule, then the Security Gateway does not inspect the HTTPS payload.
   2. If the HTTPS request matches a rule, then the Security Gateway continues to the next step.
4. The Security Gateway uses the certificate for the internal server to create an HTTPS connection with the external client.
5. The Security Gateway creates a new HTTPS connection with the internal server.
6. The Security Gateway decrypts the HTTPS connection.
7. The Security Gateway inspects the decrypted HTTPS connection.
8. If the Security Policy allows this traffic, the Security Gateway encrypts the HTTPS connection and sends it to the internal server.

Akos

Yes sir, PERFECT explanation.

One notable exception for matching object Internet as a destination would be traffic being encrypted into a VPN by the gateway itself and leaving on an External interface; this tunneled traffic will not match object Internet for a destination.  IKE/IPSec traffic just transiting the gateway to the outside (i.e. another device is doing the actual encrypt/decrypt) will still match object Internet for the destination.  

Just watch this video, but instead of proxy, imagine its inspection, its literally SAME principle.

Andy

https://www.youtube.com/watch?v=RXXRguaHZs0

Inbound HTTPS Inspection rules require specific configuration, namely a server-specific certificate configured in the relevant rule in your HTTPS Inspection policy.
All of the following rules are Outbound rules:

Server-specific certificates must be explicitly configured in SmartDashboard (not SmartConsole)...at least until R82.