bob111
Contributor

SSH Inspection

Hello friends!
I am currently looking into implementing the ssh inspection feature for the Check Point security gateway, and I was unable to find a lot of information or guides on this feature (except the two minimal guides on the Check Point site), so I would be glad if someone can point me to a more comprehensive guide or document, or maybe answer some of my questions regarding this feature - does the ssh client need to ssh to the security gateway or to the ssh server (and the session just passes the security gateway)?

Thanks in advance:)

19 Replies
the_rock
Legend

0 Kudos
Timothy_Hall
Legend

The only resource for SSH Deep Packet Inspection is the one @the_rock provided in the formal documentation.  Most people aren't even aware this feature exists since it can't be configured in the SmartConsole GUI.  You may also see references to "RDP Inspection" if you look around in the documentation hard enough; this feature had a very short lifespan and is no longer present.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
bob111
Contributor

Thank you very much for the replies! 
What do you mean by "no longer present"?

0 Kudos
the_rock
Legend

Maybe you can confirm with TAC if they have any other additional info about it.

Andy

0 Kudos
ww1m6
Explorer

Hello @Timothy_Hall, did you mean that ssh inspection is a feature that is no longer present or rdp inspection?

ww1m6
Explorer

Hi @Timothy_Hall, is it the ssh inspection feature that had a very short lifespan and is no longer present, or the rdp inspection?

0 Kudos
Timothy_Hall
Legend

RDP Inspection is no longer present.  See here: Remote Desktop Inspection Still Supported?

the_rock
Legend

ssh inspection is still supported, but rdp inspection is not, as per link Tim sent.

Andy

0 Kudos
Daniel_Kavan
Advisor

Once ssh inspection is turned on (ion), does that mean all current ssh traffic going thru the gw will break until you add all the public and private keys to the gw?  With 'https inspection', you can bypass traffic you don't want inspected.   

PhoneBoy
Admin

If I'm understanding the documentation correctly, we are only inspecting SSH connections where the public (and private) key is added to the gateway.
However, I haven't tested this.

0 Kudos
ww1m6
Explorer

You need to add the private key to the gateway? The documentation says you only need to add the public key.

0 Kudos
PhoneBoy
Admin

You can add the private key to improve the user experience, but it's not a requirement.

0 Kudos
ww1m6
Explorer

I understand. I followed the guide for configuring the ssh inspection, but where can I actually see that the ssh traffic to the ssh server whose key I added to the gateway is being inspected?

0 Kudos
PhoneBoy
Admin

What does cpssh_config istatus tell you?

the_rock
Legend

Man, learn something new from you all the time, I never knew of that command before 🙂

Andy

0 Kudos
ww1m6
Explorer

SSH Inspection is enabled

0 Kudos
PhoneBoy
Admin

Well, that's a start.

The best way to confirm is via telnet to port 22 to the protected server.
This (along with troubleshooting) is listed at the bottom of the documentation linked earlier in this thread.

0 Kudos
ww1m6
Explorer

Yes, I tried it but I did not get the result shown in the documentation. Am I supposed to be able to see the ssh traffic inspected in the logs on the management server? 

0 Kudos
PhoneBoy
Admin

If it's not showing the Check Point specific SSH banner, then it's not doing inspection.
Recommend engaging with TAC for further assistance: https://help.checkpoint.com 

0 Kudos
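
The banner check suggested in the replies above (telnet to port 22 of the protected server) can be scripted; this is an added example, not part of the thread and not Check Point code. It assumes you have recorded the banner the server sends when reached directly, and it only reports whether the banner seen through the gateway differs, since the thread does not show what the Check Point banner looks like; all function names and sample banners are hypothetical.

```python
import io
import socket

def first_ident_line(stream, max_lines=20):
    """Return the first line starting with 'SSH-' (RFC 4253 section 4.2).
    A server may send other text lines before it, so skip those."""
    for _ in range(max_lines):
        line = stream.readline(256)  # an identification line is at most 255 bytes
        if not line:
            break
        text = line.rstrip(b"\r\n").decode("utf-8", "replace")
        if text.startswith("SSH-"):
            return text
    raise ValueError("no SSH identification string received")

def read_ssh_ident(host, port=22, timeout=5.0):
    """Connect the way 'telnet host 22' would and return the banner line."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as stream:
            return first_ident_line(stream)

def parse_ident(ident):
    """Split 'SSH-protoversion-softwareversion[ comments]' into fields."""
    head, _, comments = ident.partition(" ")
    parts = head.split("-", 2)
    if len(parts) != 3 or parts[0] != "SSH" or not parts[2]:
        raise ValueError("malformed identification string: %r" % ident)
    return {"proto": parts[1], "software": parts[2], "comments": comments}

def compare_banners(seen_ident, server_ident):
    """'same': the client reached the server's own SSH stack.
    'different': something on the path answered with its own banner."""
    seen, own = parse_ident(seen_ident), parse_ident(server_ident)
    same = (seen["software"], seen["comments"]) == (own["software"], own["comments"])
    return "same" if same else "different"

if __name__ == "__main__":
    # Constructed sample data, not real Check Point or server output.
    direct = first_ident_line(io.BytesIO(b"SSH-2.0-ExampleServer_1.0\r\n"))
    via_gw = first_ident_line(io.BytesIO(b"notice\r\nSSH-2.0-ExampleProxy_0.1 demo\r\n"))
    print(compare_banners(direct, direct))  # banner unchanged on the path
    print(compare_banners(via_gw, direct))  # banner replaced on the path
```

Against a live host, call `read_ssh_ident()` from a client whose traffic crosses the gateway and pass the result to `compare_banners()` together with the recorded server banner.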
