Nima_Chogyal
Contributor

SSL inspection and QUIC

I have SSL inspection enabled and it worked great for all the apps and URLs I wanted to block. But I just can't block Facebook and Instagram. Tried reading about it and found out that Facebook and Instagram have their own way of trusting certificates through their private repo, and that somehow makes it impossible to block them using SSL inspection. But when I block all QUIC traffic in the network, SSL inspection is somehow blocking them without a hitch. But the only problem I get blocking QUIC traffic is that I get the Invalid certificate error for Google and all the other websites I surf. And I also learned that blocking the QUIC protocol is the culprit, as Google uses the QUIC protocol for their TCP connection. So is there a workaround for this in Check Point?

0 Kudos
9 Replies
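The question above turns on one fact: QUIC runs over UDP/443, so a gateway that only decrypts TCP/TLS never sees those sessions, and blocking UDP/443 makes the browser fall back to TCP/TLS, which the gateway can inspect. The script below is an added example written for this thread, not Check Point code and not something the original poster shared. It parses the QUIC long header as defined in RFC 8999/9000 and the TLS record header, then labels constructed flow samples as QUIC (invisible to a QUIC-blind inspection engine) or TCP/TLS ClientHello (inspectable). The sample packets, the `Flow` type and the label names are all assumptions made for the example; the byte layouts follow the RFCs.

```python
"""Tell QUIC flows apart from TCP/TLS flows in constructed packet samples.

Why: on a gateway that cannot inspect QUIC, browsers that negotiate QUIC on
UDP/443 bypass HTTPS Inspection entirely. Blocking UDP/443 makes the browser
fall back to TCP/TLS, which the gateway can decrypt. This helper shows what
a QUIC Initial looks like on the wire so you can confirm from a capture that
the fallback actually happened. All sample packets below are constructed.
"""
import struct
from dataclasses import dataclass

QUIC_V1 = 0x00000001              # RFC 9000 version number
QUIC_VERSION_NEGOTIATION = 0x00000000


@dataclass
class Flow:
    proto: str      # "udp" or "tcp"
    dst_port: int
    payload: bytes  # first bytes of the first client-to-server packet


def parse_quic_long_header(payload: bytes):
    """Parse a QUIC long header (RFC 8999/9000) into version and connection IDs.

    Returns None if the bytes are not a long-header packet.
    """
    if len(payload) < 7:
        return None
    first = payload[0]
    if not first & 0x80:                  # header form bit: 1 = long header
        return None
    version = struct.unpack("!I", payload[1:5])[0]
    # The fixed bit must be 1 in real QUIC packets; Version Negotiation
    # packets (version 0) randomise the remaining bits, so skip the check.
    if version != QUIC_VERSION_NEGOTIATION and not first & 0x40:
        return None
    dcid_len = payload[5]
    pos = 6
    if len(payload) < pos + dcid_len + 1:
        return None
    dcid = payload[pos:pos + dcid_len]
    pos += dcid_len
    scid_len = payload[pos]
    pos += 1
    if len(payload) < pos + scid_len:
        return None
    scid = payload[pos:pos + scid_len]
    long_type = (first & 0x30) >> 4       # 0 = Initial in QUIC v1
    return {"version": version, "type": long_type, "dcid": dcid, "scid": scid}


def classify(flow: Flow) -> str:
    """Label a flow by what a TCP/TLS-only HTTPS Inspection engine would see."""
    p = flow.payload
    if flow.proto == "udp" and flow.dst_port == 443:
        hdr = parse_quic_long_header(p)
        if hdr is None:
            # Short header (1-RTT) packets: form bit 0, fixed bit 1.
            if p and (p[0] & 0xC0) == 0x40:
                return "quic-short-header"
            return "udp-443-other"
        if hdr["version"] == QUIC_VERSION_NEGOTIATION:
            return "quic-version-negotiation"
        if hdr["version"] == QUIC_V1 and hdr["type"] == 0:
            return "quic-initial"
        return "quic-other"
    if flow.proto == "tcp" and flow.dst_port == 443:
        # TLS record type 0x16 (handshake), record version 0x03xx,
        # handshake type 0x01 (ClientHello) at offset 5.
        if len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
            return "tls-clienthello"
        return "tcp-443-other"
    return "other"


def inspection_gap(flows):
    """Count flows that a QUIC-blind inspection engine would never decrypt."""
    quic = [f for f in flows if classify(f).startswith("quic")]
    return {"total": len(flows), "quic_bypass": len(quic)}


# Constructed samples (not captured traffic): Initial with an 8-byte DCID and
# empty SCID, a 1-RTT short-header packet, a TLS ClientHello prefix, a DNS query.
QUIC_INITIAL = bytes([0xC0, 0, 0, 0, 1, 8]) + b"\x11" * 8 + b"\x00"
QUIC_1RTT = bytes([0x41]) + b"\x11" * 8 + b"\x00" * 16
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0xF4, 0x01, 0x00, 0x00, 0xF0, 0x03, 0x03])
DNS_QUERY = bytes([0x12, 0x34, 0x01, 0x00, 0x00, 0x01])

SAMPLE_FLOWS = [
    Flow("udp", 443, QUIC_INITIAL),
    Flow("udp", 443, QUIC_1RTT),
    Flow("tcp", 443, TLS_HELLO),
    Flow("udp", 53, DNS_QUERY),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.proto}/{f.dst_port}: {classify(f)}")
    print(inspection_gap(SAMPLE_FLOWS))
```

Feed it the first payload bytes of each new flow from a capture taken after blocking UDP/443: if `quic_bypass` stays at zero and the TCP/443 flows classify as `tls-clienthello`, clients have fallen back and HTTPS Inspection is seeing the traffic. Certificate errors that persist after that point are a trust-chain problem on the inspection certificate, not a QUIC problem.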
Chris_Atkinson
MVP Gold CHKP

R82 supports inspection of QUIC traffic; are you using an earlier version?

Also if you're seeing cert/trust errors for _all_ sites there is something amiss.

CCSM R77/R80/ELITE
0 Kudos
Nima_Chogyal
Contributor

The gateways are R81 but the management server is R82. Thinking of upgrading the gateways to R82 and trying it out.

0 Kudos
CaseyB
Advisor

Since you are running R81, the guidance has been to block QUIC for HTTPS Inspection to work to its full potential. You mentioned that blocking QUIC causes certificate errors.

Have you verified from the old school SmartDashboard that all of the Trusted CAs are installed / up-to-date? 

0 Kudos
D_TK
Advisor

Hi Chris - I saw a session at CPX this year that basically said R82 supports the inspection of inbound QUIC (if I was hosting a site over QUIC to the public), but still does not inspect QUIC for outbound (my users to the internet with my trusted cert installed).

Is that correct, or do I have it wrong? Thanks.

0 Kudos
PhoneBoy
Admin

You have it wrong; QUIC is supported for outbound.
It does require USFW, though.

D_TK
Advisor

Never been so happy to be wrong. Thanks, will have to test it soon.

the_rock
MVP Gold

From my cluster lab where I tested this; it's the backup member, but same on master.

Andy

CoreXL is currently enabled with 6 IPv4 firewall instances.

(1) Change the number of firewall instances
(2) Disable Check Point CoreXL
(3) Change firewall mode

(4) Exit
Enter your choice (1-4) : 3
Firewall is User mode

Important Note: This action might have an effect on GW CoreXL split
Do you want to change to Kernel mode [Requires reboot] (y/n) [n] ? n

(1) Change the number of firewall instances
(2) Disable Check Point CoreXL
(3) Change firewall mode

(4) Exit
Enter your choice (1-4) :

0 Kudos
the_rock
MVP Gold

All I do is add a custom group and add *facebook* and *instagram*, install policy, that's it, no need to disable QUIC, nothing.

Andy

0 Kudos
the_rock
MVP Gold

@Nima_Chogyal Screenshots attached.

Andy

0 Kudos