Https Inspection Internet Object
Hey guys,
In the https inspection policy there is an object called internet. I can guess from the name what it means, but what is it actually? Is it like any? Also I saw somewhere that said using the internet object determines whether the traffic is considered inbound or outbound, which sounds weird. Is that true?
Also, is there a difference between inbound and outbound, or does it just depend on the certificate you put in the certificate column of a certain rule?
Hi @bob111
The Internet object in the Application Control & URL Filtering policy actually only applies to traffic that's leaving an interface marked as external.
https://community.checkpoint.com/t5/Management/quot-Internet-quot-object-Internet/m-p/21030#M16513
\m/_(>_<)_\m/
Thanks! Do you know when traffic is considered outbound or inbound in https inspection? Is it just according to the certificate you put in a rule?
Hi,
I don't think that the cert influences the direction of the traffic.
\m/_(>_<)_\m/
Hi @bob111
And the official SK: https://support.checkpoint.com/results/sk/sk64543
"Internet" means "include all traffic from Internal directed to External or DMZ according to gateway topology".
\m/_(>_<)_\m/
The Internet object strictly means ONLY external IP addresses, unlike any, which means both internal and external.
Personally, I use the Internet object for the URLF ordered layer, though it can be used in any layer where the URLF blade is enabled in the policy layer settings.
Makes sense?
Andy
Thanks for the reply! I understand, but what is considered external to the firewall?
From what I gathered about the https inspection feature, inbound and outbound inspection behave in a different way: inbound uses the server certificate of the internal server, and outbound uses the outbound CA certificate on the firewall to decrypt and encrypt the TLS connection. This is from the Check Point docs:
- Outbound HTTPS Inspection - To protect against malicious traffic that is sent from an internal client to an external site or server.
- Inbound HTTPS Inspection - To protect internal servers from malicious requests that arrive from the Internet or an external network.
But when does the firewall treat the traffic as inbound and when as outbound? That is what I don't understand.
What is considered external to the firewall? Simple answer...ANYTHING out on the Internet, when it comes to OUTBOUND https inspection.
Andy
But what do you mean by "when it comes to outbound https inspection"? I am on an air-gapped environment without any connection to the internet.
I don't understand when traffic is "inbound inspected" or "outbound inspected".
Appreciate the help:)
Hi @bob111
I think the key here is the "External". You can set an interface as external at any time; it does not depend on the IP of the interface. An interface with a private IP can be an external interface.
Think about it: there are internal FWs without public internet access, but they have an external interface too. 🙂
Akos
\m/_(>_<)_\m/
Of course I understand that I have external interfaces on my air-gapped firewall 😅. My question was about https inspection: since outbound and inbound work differently in how they encrypt and decrypt the TLS session (inbound - server certificate, outbound - CA cert on the firewall), I don't really understand when traffic is categorized as outbound and when as inbound. Is it when, to reach the destination, the traffic exits from an interface that is set as external?
Hi @bob111
The policy methodology is the same as the access control policy.
The direction depends on the topology. In a nutshell: if the routing routes to an interface marked external, that is external.

| SRC | DST | direction |
| --- | --- | --- |
| Internet | internal network | inbound |
| internal network | Internet | outbound |
The flow is described here
Outbound connections are HTTPS connections that arrive from an internal client and connect to an external server.
Outbound connection flow
- An HTTPS request (from an internal client to an external server) arrives at the Security Gateway.
- The Security Gateway inspects the HTTPS request.
- The Security Gateway determines whether the HTTPS request matches an existing HTTPS Inspection rule:
  - If the HTTPS request does not match a rule, then the Security Gateway does not inspect the HTTPS payload.
  - If the HTTPS request matches a rule, then the Security Gateway continues to the next step.
- The Security Gateway validates the HTTPS certificate from the external server.
  - The Security Gateway uses the Online Certificate Status Protocol (OCSP) standard.
- The Security Gateway creates a new certificate for the connection to the external server.
- The Security Gateway decrypts the HTTPS connection.
- The Security Gateway inspects the decrypted HTTPS connection.
- If the Security Policy allows this traffic, the Security Gateway encrypts the HTTPS connection.
- The Security Gateway sends the HTTPS request to the external server.
Inbound connections are HTTPS connections that arrive from an external client and connect to a server in the DMZ or the internal network.
Inbound connection flow
- An HTTPS request (from an external client to an internal server) arrives at the Security Gateway.
- The Security Gateway inspects the HTTPS request.
- The Security Gateway determines whether the HTTPS request matches an existing HTTPS Inspection rule:
  - If the HTTPS request does not match a rule, then the Security Gateway does not inspect the HTTPS payload.
  - If the HTTPS request matches a rule, then the Security Gateway continues to the next step.
- The Security Gateway uses the certificate for the internal server to create an HTTPS connection with the external client.
- The Security Gateway creates a new HTTPS connection with the internal server.
- The Security Gateway decrypts the HTTPS connection.
- The Security Gateway inspects the decrypted HTTPS connection.
- If the Security Policy allows this traffic, the Security Gateway encrypts the HTTPS connection and sends it to the internal server.
Akos
\m/_(>_<)_\m/
Yes sir, PERFECT explanation.
One notable exception for matching object Internet as a destination would be traffic being encrypted into a VPN by the gateway itself and leaving on an External interface; this tunneled traffic will not match object Internet for a destination. IKE/IPSec traffic just transiting the gateway to the outside (i.e. another device is doing the actual encrypt/decrypt) will still match object Internet for the destination.
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm
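As an added illustration (not Check Point code; the topology, addresses and function names are constructed), this models the topological direction rule and certificate choice from Akos's post and the Internet-object definition quoted from sk64543, including the VPN exception from the post above:

```python
from ipaddress import ip_address, ip_network

# Constructed gateway topology (not a real Check Point API): interface -> (topology type, attached networks).
# The type is what the admin marks on the gateway object; the address range is irrelevant, as noted above.
TOPOLOGY = {
    "eth0": ("external", [ip_network("192.168.100.0/24")]),  # external despite a private IP
    "eth1": ("internal", [ip_network("10.10.0.0/16")]),
    "eth2": ("dmz",      [ip_network("172.16.5.0/24")]),
}
DEFAULT_ROUTE_IFACE = "eth0"  # assumption: the default route leaves via the external interface

def egress_interface(ip: str) -> str:
    """Longest-prefix match over the attached networks; anything else follows the default route."""
    addr = ip_address(ip)
    best = None
    for name, (_, nets) in TOPOLOGY.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else DEFAULT_ROUTE_IFACE

def side_of(ip: str) -> str:
    return TOPOLOGY[egress_interface(ip)][0]

def matches_internet(src_ip: str, dst_ip: str, gateway_encrypts_into_vpn: bool = False) -> bool:
    """'Internet' object as quoted from sk64543: traffic from Internal directed to External or DMZ
    per topology. Traffic the gateway itself tunnels into a VPN is the exception raised in the thread."""
    if gateway_encrypts_into_vpn:
        return False
    return side_of(src_ip) == "internal" and side_of(dst_ip) in ("external", "dmz")

def inspection_direction(src_ip: str, dst_ip: str) -> str:
    """Direction is purely topological: which side the client is on and which side the server routes to."""
    src_side, dst_side = side_of(src_ip), side_of(dst_ip)
    if src_side in ("internal", "dmz") and dst_side == "external":
        return "outbound"
    if src_side == "external" and dst_side in ("internal", "dmz"):
        return "inbound"
    return "not inspected"

def certificate_for(src_ip: str, dst_ip: str, server_certs: dict) -> str:
    """Outbound: the gateway's outbound CA re-signs the external server's certificate.
    Inbound: the server-specific certificate configured in the rule; without one, no inbound rule applies."""
    direction = inspection_direction(src_ip, dst_ip)
    if direction == "outbound":
        return "outbound CA certificate"
    if direction == "inbound":
        return server_certs.get(dst_ip, "no server certificate configured")
    return "none"
```

A client on 192.168.100.0/24 is classified as external even though the address is private, which is exactly the air-gapped case discussed above.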
Just watch this video, but instead of a proxy, imagine it's inspection; it's literally the SAME principle.
Andy
Inbound HTTPS Inspection rules require specific configuration, namely a server-specific certificate configured in the relevant rule in your HTTPS Inspection policy.
All of the following rules are Outbound rules:
Server-specific certificates must be explicitly configured in SmartDashboard (not SmartConsole)...at least until R82.
And one more:
\m/_(>_<)_\m/