Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Prabulingam_N1
Advisor

SFTP traffic Inspection via VPN Tunnel

Hello CheckMates,

I have below doubt to be implemented, can anyone shed some ideas on how to achieve.

1) I have CheckPoint ClusterHA deployed and VPN Tunnel is running towards Peer 3rd Party FW.

2) Enabled FW, VPN, IPS, APP/URL, AV, AB blades in CheckPoint.

3) Behind CheckPoint Cluster - we have SFTP Server in VPN Domain

4) Behind Peer 3rd FW - we have Client machine who will access our SFTP server via VPN Tunnel and upload files.

How can I inspect this SFTP traffic in CheckPoint?

Like, if I'm uploading any malware file onto our SFTP Server via VPN Tunnel from 3rdParty Client domain, will CheckPoint FW able to inspect this? (Either IPS or AV)

As per FW chain modules, at external interface of CheckPoint-decrypt happens and then moved to modules like IPS/AV into FW kernel. Then the packet reaches Internal SFTP server.

I cannot use HTTPS inspection Policy as it is not HTTP/S protocol.

Which way I can inspect this traffic which is passing via Tunnel and reaches CheckPoint and then to SFTP Server.

 

Note: Under Threat Profile - under AV setting we see "Protocol-HTTP, FTP, SMTP" - will enabling FTP can work?

Also IPS can only check few of SFTP/FTP Protocols based on signatures only

 

Regards, Prabu

0 Kudos
Reply
20 Replies
Marcel_Gramalla
Contributor

Hi,

we havent't implented this feature yet but it is possible: SSH Deep Packet Inspection (checkpoint.com)

This feature requires R80.40 as per documentation.

 

Regards

Marcel

0 Kudos
Reply
Prabulingam_N1
Advisor

Hello Marcel,

 

Yes , SSH DPI can be used from R80.40 onwards in which AV & Sandblast can check inspection on SCP/FTP traffic which is new..

"SCP and SFTP file transfers can be scanned using SSH Deep Packet Inspection"

But any idea how will it show or make the SFTP Traffic inspection? or anyone have tried this SSH DPI in R80.40 having results?

 

Regards, Prabu

0 Kudos
Reply
_Val_
Admin
Admin

@Prabulingam_N1 Please read the guide, you should have all you need there. 
Also, we do have customers using this feature.

0 Kudos
Reply
_Val_
Admin
Admin

R80.40 has SSH Deep Packet inspection feature, which allows decrypting SFTP and SSH for inbound connections. Some details are here: https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_ThreatPrevention_AdminGuide/...

However, in your case VPN is complicating the issue.

0 Kudos
Reply
Prabulingam_N1
Advisor

Hi Val,

 

Yes since my SFTP traffic from Peer side passes thru Tunnel and reaches CheckPoint - hope once CheckPoint decrypts then it can perform this inspection.

Let me try this once to see if really inspects or not.

 

Regards, Prabu

0 Kudos
Reply
_Val_
Admin
Admin

Most probably not. IPSec VPN tunnel here is an issue

0 Kudos
Reply
Prabulingam_N1
Advisor

Hi Val,

Since on FW chain modules (fw ctl chain) Inbound - Packet gets decrypted by FW, then moves into kernel modules for other blades to check, then goes into inbound towards Internal SFTP server. with this it should work.

Regards, Prabu

 

 

0 Kudos
Reply
_Val_
Admin
Admin

Not that simple, but you can try anyway.

0 Kudos
Reply
Prabulingam_N1
Advisor

Dear Val,

I had setup SSH DPI as per Document.

Copied SFTP Server's Public/Private Key into FW and enabled thru command.

But how do I confirm if SFTP traffic gets Inspected or NOT.

No sign of related Logs on this traffic.

 

Regards, Prabu

0 Kudos
Reply
_Val_
Admin
Admin

Did you setup security rules for inspection as well?

0 Kudos
Reply
Prabulingam_N1
Advisor

Dear Val,

I had followed as per SSH DPI mentioned in R80.40 TP Admin guide.

Copied SFTP Server's Public/Private Key into FW and enabled thru command.

Enabled AntiVirus & IPS Blade

Also enabled the option in AV Profile settings: "Process All file Types"

Im able to upload Eicar test file into my Internal SFTP Server successfully, and FW did NOT do any inspection.

No rules as such in Policies to Inspect like we have for HTTPS Policy, only enabling SSH DPI via command.

 

You had mentioned some customer had used this feature, can you help me in getting those info.

 

Regards, Prabu

0 Kudos
Reply
_Val_
Admin
Admin

You need inspection rules. Follow Threat Prevention guide I have referenced before. If you have any issue, please reach out to your local Check Point office or open a support request with TAC

0 Kudos
Reply
_Val_
Admin
Admin

0 Kudos
Reply
_Val_
Admin
Admin

Also, what is your output for this? 

cpssh_config istatus

 

0 Kudos
Reply
Prabulingam_N1
Advisor

Hello Val,

 

Below the Output:

[Expert@FWSTDR8040:0]# cpssh_config istatus
SSH Inspection is enabled

[Expert@FWSTDR8040:0]# cpssh_config -q
This is available ID for set/get:
0: Global
1: KeyExchange
2: Cipher
3: Mac
4: Hostkey
[Global] Inspection_Enabled = 1
[Global] Port_fowarding_Enabled = 1
[Global] Inspection_Forced = 1
[Global] Connection_Timeout_Sec = 2000000000
[KeyExchange] diffie-hellman-group-exchange-sha1 = 1
[KeyExchange] diffie-hellman-group-exchange-sha256 = 1
[Cipher] aes128-cbc = 1
[Cipher] aes256-cbc = 1
[Cipher] aes128-gcm@openssh.com = 1
[Cipher] aes256-gcm@openssh.com = 1
[Mac] MD5 = 1
[Mac] SHA1 = 1
[Mac] SHA256 = 1
[Mac] SHA384 = 1
[Mac] SHA512 = 1
[Hostkey] ssh-rsa = 1
[Hostkey] rsa-sha2-256 = 1
[Hostkey] rsa-sha2-512 = 1
[Expert@FWSTDR8040:0]#

 

 

Regads, Prabu

0 Kudos
Reply
_Val_
Admin
Admin

Okay, its seems to be enabled. I have told you from the start, I see VPN being an issue here, but the best cause of action is to run this with TAC

0 Kudos
Reply
Prabulingam_N1
Advisor

dpi.png

Hello Val,

No worries.

I just did and got the result...Cool result in SSH DPI logs..

Traffic passing via VPN Tunnel.

Once FW decrypted, it gets into AV blade and got Prevented for Malware

(Used eicar.com file and uploaded into SFTP server via WinSCP in Client machine)


Regards, Prabu

0 Kudos
Reply
_Val_
Admin
Admin

Great, so what was the issue? Please share with us

0 Kudos
Reply
Prabulingam_N1
Advisor

Hello Val,

 

Performed Transparent method and could not get.

Hence made as "non-transparent inspected SSH server" using only Public key of Server onto FW  - got it.

And enabled the "Process file which contain known Malware" under AV Profile setting & worked.

No additional rule in FW rulebase (VPN Rule between both Encryption domains is enough)

 

Regards, Prabu

_Val_
Admin
Admin

sounds logical, thanks

0 Kudos
Reply