This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
bob111
Collaborator
‎2024-04-01 05:58 AM

SSH Inspection

Hello friends!
I am currently looking into implemnting ssh inspection feature for the checkpoint security gateway, and I was unable to find a lot of information or guides on this feature (except the two minimal guides on the checkpoint site) so I would be glad if someone can point me to a more comprehensive guide or document, or maybe answer some of my questions regarding this feature -  the ssh client needs to ssh to the security gateway or to the ssh server (and the session just passes the security gateway)?

Thanks in advance:)

19 Replies
the_rock
MVP Platinum
MVP Platinum
‎2024-04-01 06:26 AM

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ThreatPrevention_AdminGuide/Topics...

Best,
Andy
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2024-04-01 07:40 AM

The only resource for SSH Deep Packet Inspection is the one @the_rock provided in the formal documentation.  Most people aren't even aware this feature exists since it can't be configured in the SmartConsole GUI.  You may also see references to "RDP Inspection" if you look around in the documentation hard enough; this feature had a very short lifespan and is no longer present.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
bob111
Collaborator
‎2024-04-01 07:59 AM
In response to Timothy_Hall

Thank you very much for the replies! 
What do you mean by "no longer present"?

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-04-01 08:18 AM
In response to bob111

Maybe you can confirm with TAC if they have any other additional info about it.

Andy

Best,
Andy
0 Kudos
ww1m6
Explorer
‎2024-04-07 04:15 AM
In response to Timothy_Hall

Hello @Timothy_Hall, did you mean that ssh inspection is a feature that is no longer present or rdp inspection?

ww1m6
Explorer
‎2024-04-07 05:58 AM
In response to Timothy_Hall

Hi @Timothy_Hall,  The ssh inspection feature had a very short lifespan and is no longer present or the rdp inspection?

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2024-04-07 06:20 AM
In response to ww1m6

RDP Inspection is no longer present.  See here: Remote Desktop Inspection Still Supported?

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
the_rock
MVP Platinum
MVP Platinum
‎2024-04-07 06:42 AM
In response to ww1m6

ssh inspection is still supported, but rdp inspection is not, as per link Tim sent.

Andy

Best,
Andy
0 Kudos
Daniel_Kavan
MVP Gold
MVP Gold
‎2024-04-16 01:43 PM
In response to the_rock

Once ssh inspection is turned on (ion), does that mean all current ssh traffic going thru the gw will break until you add all the public and private keys to the gw?  With 'https inspection', you can bypass traffic you don't want inspected.   

PhoneBoy
Admin
Admin
‎2024-04-16 02:40 PM
In response to Daniel_Kavan

If I'm understanding the documentation correctly, we are only inspecting SSH connections where the public (and private) key is added to the gateway.
However, I haven't tested this.

0 Kudos
ww1m6
Explorer
‎2024-05-12 05:40 AM
In response to PhoneBoy

You need to add the private key to the gateway? The documentation says you only need to add the public key 

0 Kudos
PhoneBoy
Admin
Admin
‎2024-05-13 08:14 AM
In response to ww1m6

You can add the private key to improve the user experience, but it's not a requirement.

0 Kudos
ww1m6
Explorer
‎2024-05-13 08:18 AM
In response to PhoneBoy

I understand. I followed  the guide for configuring the ssh inspection but where can I actually see that the ssh traffic to the ssh server that it's key I added to the gateway is being inspected?

0 Kudos
PhoneBoy
Admin
Admin
‎2024-05-14 10:16 AM
In response to ww1m6

What does cpssh_config istatus tell you?

the_rock
MVP Platinum
MVP Platinum
‎2024-05-14 10:19 AM
In response to PhoneBoy

Man, learn something new from you all the time, I never knew of that command before 🙂

Andy

Best,
Andy
0 Kudos
ww1m6
Explorer
‎2024-05-14 10:24 AM
In response to PhoneBoy

SSH Inspection is enabled

0 Kudos
PhoneBoy
Admin
Admin
‎2024-05-14 03:02 PM
In response to ww1m6

Well, that's a start.

The best way to confirm is via telnet to port 22 to the protected server.
This (along with troubleshooting) is listed at the bottom of the documentation linked earlier in this thread.

0 Kudos
ww1m6
Explorer
‎2024-05-15 06:20 AM
In response to PhoneBoy

Yes, I tried it but I did not get the result shown in the documentation. Am I supposed to be able to see the ssh traffic inspected in the logs on the management server? 

0 Kudos
PhoneBoy
Admin
Admin
‎2024-05-16 07:13 PM
In response to ww1m6

If it's not showing the Check Point specific SSH banner, then it's not doing inspection.
Recommend engaging with TAC for further assistance: https://help.checkpoint.com 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events