This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dilian_Chernev
Collaborator
‎2024-05-22 06:23 AM
Jump to solution

Is it possible to disable HTTPS inspection from CLI?

Hi mates,

We have enabled the HTTPS inspection for incoming traffic to a server in DMZ.
From time to time, there are DDoS attacks against this site, which leads to memory exhaust of the CP GW (7000 with 32G RAM).
Disabling HTTPS inspection from policy solves the issue, but this is very problematic as GW is hard to response during that time.

So, I am looking for a way to disable HTTPS from CLI, if possible, to speed up the recovery during these DDoS attacks.

Thanks

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2024-05-22 07:32 AM
Jump to solution

Unfortunately, the only way to disable HTTPS Inspection at this time is through the policy.
Note that in R82, we will have some additional fail-open options for HTTPS Inspection, including based on CPU load.

View solution in original post

14 Replies
G_W_Albrecht
Legend Legend
Legend
‎2024-05-22 07:11 AM
Jump to solution

Afaik and the Admin guides show, no. Did you already use sk112241: Best Practices - DDoS attacks on Check Point Security Gateway ? You can also open an informative SR# with CP TAC to be sure about the possibilities you have.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Dilian_Chernev
Collaborator
‎2024-05-22 11:34 PM
In response to G_W_Albrecht
Jump to solution

Thanks for the reply 🙂

We have made optimizations recommended in the sk112241, and without HTTPS inspection, the GW handles the traffic pretty well. 

0 Kudos
PhoneBoy
Admin
Admin
‎2024-05-22 07:32 AM
Jump to solution

Unfortunately, the only way to disable HTTPS Inspection at this time is through the policy.
Note that in R82, we will have some additional fail-open options for HTTPS Inspection, including based on CPU load.

Dilian_Chernev
Collaborator
‎2024-05-22 11:35 PM
In response to PhoneBoy
Jump to solution

Thanks for the reply 🙂

Hope R82 will be released soon to see it in action 

0 Kudos
the_rock
Legend
Legend
‎2024-05-23 12:12 AM
Jump to solution

Gents are correct, no way to do it via cli. Interesting suggestion though!

0 Kudos
SimonDrapeau
Employee
Employee
‎2024-05-23 11:49 AM
Jump to solution

I was curious to see what our Infinity AI Copilot thought about that ... here's the answer.

SSLi_CLI.JPG

the_rock
Legend
Legend
‎2024-05-23 11:57 AM
In response to SimonDrapeau
Jump to solution

Guess should use it more often lol

0 Kudos
Lloyd_Braun
Collaborator
‎2024-05-23 01:38 PM
In response to SimonDrapeau
Jump to solution

That won't work. Seems to be making things up. It is interesting how it inferred that from the instructions on enabling tls v1.3, might have gotten lucky in another scenario.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-05-23 01:53 PM
In response to SimonDrapeau
Jump to solution

This is technically correct insofar is that:

1. This disables the infrastructure used for HTTPS Inspection in R81 and above
2. Only the CLI is used (yes, it requires a reboot)

However, I suspect this is not what the original poster had in mind and would probably mark this as "not helpful." 🙂

0 Kudos
Lloyd_Braun
Collaborator
‎2024-05-23 02:01 PM
In response to PhoneBoy
Jump to solution

really? will the set command modify that kernel parameter and persist through a reboot? like fw ctl set int -f ?

0 Kudos
PhoneBoy
Admin
Admin
‎2024-05-23 02:27 PM
In response to Lloyd_Braun
Jump to solution

Upon further reflection, I suspect what will actually happen is that the old infrastructure (that wasn't TLSIO) will be used instead.
This will limit you to TLS 1.2 as TLSIO is required for TLS 1.3 inspection.
Bottom line: this is probably not the answer you're looking for.

0 Kudos
the_rock
Legend
Legend
‎2024-05-23 08:11 PM
In response to PhoneBoy
Jump to solution

I believe fwkern.conf would also need to be updated?

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2024-05-24 07:43 AM
In response to the_rock
Jump to solution

Usually when you're changing kernel variables, yes, fwkern.conf is touched.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-05-24 12:29 PM
In response to SimonDrapeau
Jump to solution

On a lark, I asked the question to AI Copilot myself earlier.
I got a different answer that referred me to a kernel variable that doesn't exist.
I reported this as an invalid result.

At least fwtls_enable_tlsio is a valid kernel variable.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events