This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Chris_W23
Participant
‎2023-06-19 08:24 AM

Unusual HTTPS request from security gateway logged on Smart Console

Good day,

I have discovered what appears to be an unusual issue on our security gateways (R81.10) that may be related to HTTPS inspection.

When one of our internal devices communicates to a specific external destination (the only destination its allowed to communicate to) over HTTPS. The logs show 3 entries - 1 for the accept, 1 for the HTTPS inspection bypass, but one other uncommon one from the active gateway node to the same destination over HTTPS. The expected outgoing packet is NAT'd as expected, and the packet from the gateway is NAT'd to the VIP address. These packets are all logged with the same time.

The firewall guy at the destination end is seeing traffic from both of the NAT'd IPs indicating that that traffic is actually going out our gateway to the remote end.

We have another internal device that connects to a specific destination out the same interface over https and it too is showing the same additional https packet from the gateway.

Other HTTPS traffic through the same interface does not generate the same extra packet.

Here's an anonymized excerpt from the logs:

TimeBladeActionTypeInterfaceOriginSourceSource User NameDestinationServiceRuleAccess Rule NamePolicy NameDescription
2023-06-19 11:17FirewallAcceptConnectionethXgateway2Node1 (10.1.1.1) 1.1.1.1https7Geo Protection Accept Cleanup RuleStandard 
2023-06-19 11:17HTTPS InspectionHTTPS BypassLog gateway2Node1 (10.1.1.1) 1.1.1.1https  Standard 
2023-06-19 11:17FirewallAcceptConnectionethY.1234gateway2gateway2 (x.x.x.x) 1.1.1.1https0Implied Rule Standard 

 

If anyone has an idea of why this is happening, that would be great. Haven't noticed this behavior in the past.


Thanks!

0 Kudos
1 Reply
PhoneBoy
Admin
Admin
‎2023-06-19 10:47 AM

This is part of our SNI verification process and is expected behavior.
See: https://support.checkpoint.com/results/sk/sk163594

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events