Solved: Re: cptls_server_cn_cache table

marcyn · ‎2023-08-09

Hi CheckMates,

A lot of you are the Check Point's trainer.
So it is possible that you could have some doubts regarding cptls_server_cn_cache table... like me.

In CCTE book (CCTE R81.10 - page 241) we can see this:
HTTPS Filtering HTTPS Filtering allows categorization of HTTPS sites without HTTPS inspection (passive HTTPS). It uses a cache table, cptls_ server_ cn_ cache . The cache saves mapping between IP+Port to CN (certificate's Canonical Name) and a flag, if the CN is valid. This table is searched with the IP+Port of a connection to look for a CN.

So I decided to check this out .. and it looks like that's not exactly true.

In this page of CCTE book there is also image that shows how this table looks like.
In this image we can see that first two columns describe Table Key which is IP + Port, then next two describe CN, then 5th column describe "Is CN Valid?", and finally 6th coulm describes ttl (I attach this image in this case - name: ccte_page_241.png).

However I noticed that I don't have such a table without enabling full HTTPS Inspection.
Remember that regarding what we can read from CCTE book this table is used when we want to categorize HTTPS sites without using HTTPS Inspection....

Here, take a look what tables are present in my R81.20 gateway without HTTPS Inspection enabled:
[Expert@CP-GW:0]# fw tab | grep tls
-------- tls_services --------
-------- fwtls_state_map --------
-------- cptls_params_id_map --------
-------- cptls_host_name_cache --------
-------- tls_main --------
[Expert@CP-GW:0]#
As you can see there is no "cptls_server_cn_cache" table.

Now ... if I enable HTTPS Inspection I can see this table:
[Expert@CP-GW:0]# fw tab | grep tls
-------- tls_services --------
-------- fwtls_state_map --------
-------- cptls_params_id_map --------
-------- cptls_server_cn_cache --------
-------- cptls_host_name_cache --------
-------- tls_main --------
[Expert@CP-GW:0]#

In case you wonder - yes I have enabled option to categorize HTTPS sites without HTTPS Inspection in: Manage & Settings > Blades > Application Control & URL Filtering > Advanced Settings > Categorize HTTPS websites

There is more ... table cptls_server_cn_cache looks different as in CCTE book - as you can see on another image that I attach to  (my_cptls_server_cn_cache.png).

If we will take a look at "mine" cptls_server_cn_cache table it looks like this:
[Expert@CP-GW:0]# fw tab -t cptls_server_cn_cache
localhost:
-------- cptls_server_cn_cache --------
dynamic, id 7994, num ents 1, load factor 0.0, attributes: keep, sync, kbuf 2, local sync, expires 86400, , hashsize 16384, limit 45714
<12f4663e, 000001bb, d9817b43, 11be16f0; 0000001f, ab813004, 00000002, 00000000, ffffffff; 86301/86400>

How to read this ?
As you can see here we have 4 (not 2) columns before ";": 12f4663e, 000001bb, d9817b43, 11be16f0;
First one probably is IP, 2nd for sure is port 443, ... what about 3rd and 4th ?
And what about another columns: 0000001f, ab813004, 00000002, 00000000, ffffffff; Is this CN ? How to read this CN ?
Where is "Is CN valid?" ?
Last one is ttl - no doubts.

Have any of you thought about this too?

--
BR
Marcin

YosiHavilo · ‎2023-08-15

before R80_20 jumbo we use only cptls_server_cn_cache

from R80_20 jumbo we change it , and we use it like this :

Https inspection use this table :
cptls_server_cn_cache

categorize HTTPS sites (light ssl) use this table :
cptls_host_name_cache

View solution in original post

_Val_ · ‎2023-08-11

You should have your answers here: https://support.checkpoint.com/results/sk/sk92743

marcyn · ‎2023-08-11

Hi @_Val_

I know this article, unfortunately it gives no answer to my question.
In this article we can find that cptls_server_cn_cache table looks like we have in CCTE R81.10 (page 241) ... but in the real life as I wrote it looks a little bit different.
More ... here in this article we also see that this table is used for categorization without using full HTTPS Inspection.... which is also not true in real life (as I described in this post).

So, to summarize all of the above - it looks like there it simply works not as described in this SK, and as described in CCTE R81.10 book.

Or maybe I need better glasses, or something else ...

If anyone would like to to confirm the above ... it is extremely easy - just disable HTTPS Inspection and see if you have this table on your GW. And if HTTPS Inspection is enabled ... if this table looks like we see on this SK and CCTE R81.10 book. I believe you will confirm my observation.

--
BR
Marcin

_Val_ · ‎2023-08-11

What version of the software are you running? R81.10 or R81.20?

Yes, the table in your case has more attributes. It might be because you are not on R81.10. Try running

fw tab -t cptls_server_cn_cache -f

and see if it becomes more clear

marcyn · ‎2023-08-11

Hi @_Val_

I'm using R81.20 ... but on R81.10 it looks the same 🙂

My question is not only about how this table should look like - but more important for me is that in this SK and CCTE it is clearly indicated that this table is used in case of passive HTTPS inspection (URL categorization without using full HTTPS Inspection) 🙂

I just need to know if this is not true - maybe it was true with old releases but no more ?

You know... if I train people I generally want to be sure that all of what I'm telling them is true 🙂

Structure of this table is also, as you can see, diferrent that we have on SK and CCTE - of course that I know what "-f" gives us here - this is completely something else that I'm asking obout here (I don't want to have more human view here, but to understand basics of this table ... as it looks different as desctibed in SK, CCTE - so what these particulat columns mean exactly).

--
BR
Marcin

_Val_ · ‎2023-08-11

My personal understanding is, the table is used in both cases. However, I see your point. Let me loop some people internally, to make sure all sources of information are up to date and 100% correct.

I will get back to you once I hear from them, most probably the next week.

marcyn · ‎2023-08-11

Hi @_Val_ ,

Great, thank you - this is exacly what I wanted to achieve here - to get in touch with a person who will know who should be asked about this internally 🙂
I will wait to see what you will be able to get.
Thanks

--
BR
Marcin

YosiHavilo · ‎2023-08-15

before R80_20 jumbo we use only cptls_server_cn_cache

from R80_20 jumbo we change it , and we use it like this :

Https inspection use this table :
cptls_server_cn_cache

categorize HTTPS sites (light ssl) use this table :
cptls_host_name_cache

marcyn · ‎2023-08-16

Hi @YosiHavilo

Thank you for this information !

So it looks like I was right - there is an error in CCTE R81.10 book regarding this matter ..... and as far as I see the same "mistake" is in the newest R81.20 as well (at least in instructor slides, page 335 ... so I believe that the same will be in book).

So ... it's a good idea to correct this 🙂

--
BR
m.

_Val_ · ‎2023-08-16

@marcyn It will be fixed in the next courseware update cycle. Relevant teams are notified.

Are you a member of CheckMates?

cptls_server_cn_cache table