Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Dilian_Chernev
Collaborator
Jump to solution

Is it possible to disable HTTPS inspection from CLI?

Hi mates,

We have enabled the HTTPS inspection for incoming traffic to a server in DMZ.
From time to time, there are DDoS attacks against this site, which leads to memory exhaust of the CP GW (7000 with 32G RAM).
Disabling HTTPS inspection from policy solves the issue, but this is very problematic as GW is hard to response during that time.

So, I am looking for a way to disable HTTPS from CLI, if possible, to speed up the recovery during these DDoS attacks.

Thanks

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

Unfortunately, the only way to disable HTTPS Inspection at this time is through the policy.
Note that in R82, we will have some additional fail-open options for HTTPS Inspection, including based on CPU load.

View solution in original post

14 Replies
G_W_Albrecht
Legend Legend
Legend

Afaik and the Admin guides show, no. Did you already use sk112241: Best Practices - DDoS attacks on Check Point Security Gateway ? You can also open an informative SR# with CP TAC to be sure about the possibilities you have.

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Dilian_Chernev
Collaborator

Thanks for the reply 🙂

We have made optimizations recommended in the sk112241, and without HTTPS inspection, the GW handles the traffic pretty well. 

0 Kudos
PhoneBoy
Admin
Admin

Unfortunately, the only way to disable HTTPS Inspection at this time is through the policy.
Note that in R82, we will have some additional fail-open options for HTTPS Inspection, including based on CPU load.

Dilian_Chernev
Collaborator

Thanks for the reply 🙂

Hope R82 will be released soon to see it in action 

0 Kudos
the_rock
Legend
Legend

Gents are correct, no way to do it via cli. Interesting suggestion though!

0 Kudos
SimonDrapeau
Employee
Employee

I was curious to see what our Infinity AI Copilot thought about that ... here's the answer.

SSLi_CLI.JPG

the_rock
Legend
Legend

Guess should use it more often lol

0 Kudos
Lloyd_Braun
Collaborator

That won't work. Seems to be making things up. It is interesting how it inferred that from the instructions on enabling tls v1.3, might have gotten lucky in another scenario.

0 Kudos
PhoneBoy
Admin
Admin

This is technically correct insofar is that:

1. This disables the infrastructure used for HTTPS Inspection in R81 and above
2. Only the CLI is used (yes, it requires a reboot)

However, I suspect this is not what the original poster had in mind and would probably mark this as "not helpful." 🙂

0 Kudos
Lloyd_Braun
Collaborator

really? will the set command modify that kernel parameter and persist through a reboot? like fw ctl set int -f ?

0 Kudos
PhoneBoy
Admin
Admin

Upon further reflection, I suspect what will actually happen is that the old infrastructure (that wasn't TLSIO) will be used instead.
This will limit you to TLS 1.2 as TLSIO is required for TLS 1.3 inspection.
Bottom line: this is probably not the answer you're looking for.

0 Kudos
the_rock
Legend
Legend

I believe fwkern.conf would also need to be updated?

Andy

0 Kudos
PhoneBoy
Admin
Admin

Usually when you're changing kernel variables, yes, fwkern.conf is touched.

0 Kudos
PhoneBoy
Admin
Admin

On a lark, I asked the question to AI Copilot myself earlier.
I got a different answer that referred me to a kernel variable that doesn't exist.
I reported this as an invalid result.

At least fwtls_enable_tlsio is a valid kernel variable.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events