Is it possible to disable HTTPS inspection from CLI?
Hi mates,
We have enabled the HTTPS inspection for incoming traffic to a server in DMZ.
From time to time, there are DDoS attacks against this site, which lead to memory exhaustion on the CP GW (7000 with 32G RAM).
Disabling HTTPS inspection from the policy solves the issue, but this is very problematic as the GW hardly responds during that time.
So, I am looking for a way to disable HTTPS from CLI, if possible, to speed up the recovery during these DDoS attacks.
Thanks
Accepted Solutions
Unfortunately, the only way to disable HTTPS Inspection at this time is through the policy.
Note that in R82, we will have some additional fail-open options for HTTPS Inspection, including based on CPU load.
AFAIK, and as the Admin guides show, no. Did you already use sk112241: Best Practices - DDoS attacks on Check Point Security Gateway? You can also open an informative SR# with CP TAC to be sure about the possibilities you have.
Thanks for the reply 🙂
We have made the optimizations recommended in sk112241, and without HTTPS inspection the GW handles the traffic pretty well.
Thanks for the reply 🙂
Hope R82 will be released soon so we can see it in action.
Gents are correct, no way to do it via CLI. Interesting suggestion though!
I was curious to see what our Infinity AI Copilot thought about that ... here's the answer.
Guess I should use it more often lol
That won't work. Seems to be making things up. It is interesting how it inferred that from the instructions on enabling TLS v1.3; it might have gotten lucky in another scenario.
This is technically correct insofar as:
1. This disables the infrastructure used for HTTPS Inspection in R81 and above
2. Only the CLI is used (yes, it requires a reboot)
However, I suspect this is not what the original poster had in mind and would probably mark this as "not helpful." 🙂
Really? Will the set command modify that kernel parameter and persist through a reboot? Like fw ctl set int -f?
Upon further reflection, I suspect what will actually happen is that the old infrastructure (that wasn't TLSIO) will be used instead.
This will limit you to TLS 1.2 as TLSIO is required for TLS 1.3 inspection.
Bottom line: this is probably not the answer you're looking for.
I believe fwkern.conf would also need to be updated?
Andy
Usually when you're changing kernel variables, yes, fwkern.conf is touched.
On a lark, I asked the question to AI Copilot myself earlier.
I got a different answer that referred me to a kernel variable that doesn't exist.
I reported this as an invalid result.
At least fwtls_enable_tlsio is a valid kernel variable.
