George_Sas
Contributor

Inbound SSH traffic inspected by HTTPS inspection? What changed?

Hi guys.

Running R81_20 T115

Have had a strange issue here since 5-6 days ago, or maybe more, but we only identified it now.

I have a rule that allows SFTP traffic from certain external hosts towards an FTP server.

Rule 1:
Source: defined Trusted partners IPs
Destination: FTPS server on DMZ
VPN: Any
Service: ftp, ssh, ssh_version_2
Install on: Main cluster

Rule 2:
Source: Internal Network
Destination: FTPS server on DMZ
VPN: Any
Service: ftp, ssh, ssh_version_2
Install on: Main cluster

All was working fine until last week, when we noticed that an application on an internal server in the "Internal Network" could not connect to the FTP server... it was timing out.
Testing from a command prompt on this server, we could FTP into the server fine; just the application would not...
The application is running as a service user.

I hit my head on the wall and could not understand why...

Just for testing purposes I made an exception in the HTTPS Inspection policy:

Name: Exception
Source: Problematic Server
Destination: FTP Server on DMZ
Services: Any
Category: Any
Action: Bypass
Certificate: Outbound Certificate

Policy applied and boom... my application could connect again to the FTP server?????????
Is the SSH traffic inspected by HTTPS Inspection?
Why did it work until now, and now suddenly would not?

Then today I got a call from an external partner who tells me he cannot connect over SFTP to the FTP server...
I check and see his connection coming through, but he tells me it times out?

I add his IP to the HTTPS bypass "Exception" rule and... voila... he can connect again?

I am a bit confused about why adding his IP to the bypass works, and why it also worked when I added the app server to the bypass, when the app is connecting to my FTP server with plain FTP and not SFTP.

Where should I start digging ?

Thanks in advance.


Chris_Atkinson
MVP Gold CHKP

What does your HTTPS inspection policy look like more generally, specifically the services column?

CCSM R77/R80/ELITE
George_Sas
Contributor

It is not just ONE rule in the HTTPS Inspection policy.

I inspect all traffic towards DMZ web servers on specific sites using specific certificates.

Then I have a few rules that bypass some local network traffic towards specific sites.

Then I bypass some traffic based on source.

And the last rule is Inspect all HTTP/HTTPS traffic from all internal networks towards "Internet" using "Outbound Certificate".
Chris_Atkinson
MVP Gold CHKP

To confirm, does your policy conform to sk108202:

Services in the HTTPS Inspection rules

In the HTTPS Inspection rule, in the Services column, we recommend to keep the default service object "HTTPS default services".

If it is necessary to add other services, consult Check Point Support.

Always select specific service objects in the 'Services' column.

If you remove all services from this column, the Security Gateway starts to inspect all TCP traffic. As a result, CPU load increases.

CCSM R77/R80/ELITE
George_Sas
Contributor

OK, will try setting it to "HTTPS default services" to see if it helps.
George_Sas
Contributor

That seems to have been the problem!! Thank you!
Changed the service to "HTTPS default services" and now all seems to be OK. And yes, the CPU level has also fallen a few notches.

Timothy_Hall
MVP Gold

As the solution stated, you should NEVER place Service "Any" into an HTTPS Inspection rule with an Action of Inspect. Not only will this pull huge amounts of traffic into Medium Path Active Streaming that should not be there (increasing CPU substantially), it can also break some things, as you discovered: sk118574: FTP/SSH/SFTP Traffic fails when HTTPS Inspection and Application Control are enabled

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
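A way to audit for the rule shape Chris and Timothy describe, as an added example that is not from the thread or from Check Point. It uses a constructed, simplified rulebase model (not the management API format) and assumes, for illustration only, that "HTTPS default services" is TCP 443; it shows an Inspect rule with Services "Any" catching an SSH flow on port 22 to the DMZ, and the same flow going uninspected once the rule is narrowed to the default service object.

```python
"""Audit a simplified HTTPS Inspection rulebase for over-broad Inspect rules.
Constructed model, not the Check Point management API schema: each rule has
name, source/destination network lists, services list, action; first match wins."""
from ipaddress import ip_address, ip_network

# Assumed port content of the service objects; "HTTPS default services"
# is modelled as TCP 443 only, for illustration.
SERVICE_PORTS = {"HTTPS default services": {443}, "https": {443},
                 "ftp": {21}, "ssh": {22}, "ssh_version_2": {22}}

def _net_match(nets, ip):
    return "Any" in nets or any(ip_address(ip) in ip_network(n) for n in nets)

def _service_match(services, port):
    # An empty Services column or "Any" matches every TCP port (sk108202).
    if not services or "Any" in services:
        return True
    return any(port in SERVICE_PORTS.get(s, set()) for s in services)

def first_match(rules, src, dst, port):
    """Return the first rule matching the flow, or None (flow not inspected)."""
    for rule in rules:
        if (_net_match(rule["source"], src) and _net_match(rule["destination"], dst)
                and _service_match(rule["services"], port)):
            return rule
    return None

def overbroad_inspect_rules(rules):
    """Names of Inspect rules whose Services column is Any or empty."""
    return [r["name"] for r in rules if r["action"] == "Inspect"
            and (not r["services"] or "Any" in r["services"])]

def narrow_services(rules):
    """Copy of the rulebase with over-broad Inspect rules limited to the default object."""
    bad = set(overbroad_inspect_rules(rules))
    return [{**r, "services": ["HTTPS default services"]} if r["name"] in bad else r
            for r in rules]

# Constructed rulebase mirroring the thread: DMZ web servers inspected on
# HTTPS, then a catch-all outbound Inspect rule whose Services column is Any.
RULEBASE = [
    {"name": "Inspect DMZ web", "source": ["Any"], "destination": ["192.0.2.0/24"],
     "services": ["https"], "action": "Inspect"},
    {"name": "Inspect outbound", "source": ["10.0.0.0/8"], "destination": ["Any"],
     "services": ["Any"], "action": "Inspect"},
]
```

Run `overbroad_inspect_rules(RULEBASE)` to list the offending rule, and compare `first_match(RULEBASE, ...)` with `first_match(narrow_services(RULEBASE), ...)` for an internal host talking to the DMZ on port 22.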
Ruan_Kotze
MVP Gold

Hi George,

For those protocols, inspection is done through the Threat Prevention blades.

What is the output of the following command: 'cpssh_config istatus'?

-Ruan

George_Sas
Contributor

SSH Inspection is disabled
